In Eclipse IDE versions < 2023-09 (4.29) some files with xml content are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch).


Skip to content

GitLab 

**XXE in eclipse IDE**

**Basic information**

**Project name:** org.eclipse.pde org.eclipse.jdt org.eclipse.platform org.eclipse.osgi

**Project id:** {id}

**What are the affected versions?**

probably all

**Details of the issue**

SonarLint reports many possible XXE attacks in eclipse IDE's sourcecode. for example: 

**Steps to reproduce**

Don't know. Probably manipulating development xml-files like "build.xml", "plugin.xml", "feature.xml", ".polyglot.feature.xml", ... which should be normally self contained and do not require access from external sources.

**Do you know any mitigations of the issue?**

https://rules.sonarsource.com/java/RSPEC-2755 recommends to replace "SAXParserFactory.newInstance();" with code that disables external access by properties see also https://cheatsheetseries.owasp.org/cheatsheets/XML\_External\_Entity\_Prevention\_Cheat\_Sheet.html

CVE-2023-4218: XXE in eclipse IDE (#8) · Issues · Eclipse Projects Security / vulnerability-reports · GitLab

Russia's most notorious military hackers successfully sabotaged Ukraine's power grid for the third time last year. And in this case, the blackout coincided with a physical attack.

The notorious unit of Russia's GRU military intelligence agency known as Sandworm remains the only team of hackers to have ever triggered blackouts with their cyberattacks, turning off the lights for hundreds of thousands of Ukrainian civilians not once, but twice within the past decade. Now it appears that in the midst of Russia's full-scale war in Ukraine, the group has achieved another dubious distinction in the history of cyberwar: It targeted civilians with a blackout attack at the same time missile strikes hit their city, an unprecedented and brutal combination of digital and physical warfare.

Cybersecurity firm Mandiant today revealed that Sandworm, a cybersecurity industry name for Unit 74455 of Russia's GRU spy agency, carried out a third successful power grid attack targeting a Ukrainian electric utility in October of last year, causing a blackout for an unknown number of Ukrainian civilians. In this case, unlike any previous hacker-induced blackouts, Mandiant says the cyberattack coincided with the start of a series of missile strikes targeting Ukrainian critical infrastructure across the country, which included victims in the same city as the utility where Sandworm triggered its power outage. Two days after the blackout, the hackers also used a piece of data-destroying "wiper" malware to erase the contents of computers across the utility's network, perhaps in an attempt to destroy evidence that could be used to analyze their intrusion.

Mandiant, which has worked closely with the Ukrainian government on digital defense and investigations of network breaches since the start of the Russian invasion in February of 2022, declined to name the targeted electric utility or the city where it was located. Nor would it offer information like the length of the resulting power loss or the number of civilians affected.

Mandiant does note in its report on the incident that as early as two weeks before the blackout, Sandworm's hackers appear to have already possessed all the access and capabilities necessary to hijack the industrial control system software that oversees the flow of power at the utility's electrical substations. Yet it appears to have waited to carry out the cyberattack until the day of Russia's missile strikes. While that timing may be coincidental, it more likely suggests coordinated cyber and physical attacks, perhaps designed to sow chaos ahead of those air strikes, complicate any defense against them, or add to their psychological effect on civilians.

"The cyber incident exacerbates the impact of the physical attack," says John Hultquist, Mandiant's head of threat intelligence, who has tracked Sandworm for nearly a decade and named the group in 2014. "Without seeing their actual orders, it's really hard on our side to make a determination of whether or not that was on purpose. I will say that this was carried out by a military actor and coincided with another military attack. If it was a coincidence, it was a terribly interesting coincidence."

Nimbler, Stealthier Cybersaboteurs

The Ukrainian government's cybersecurity agency, SSSCIP, declined to fully confirm Mandiant's findings in response to a request from WIRED, but it didn't dispute them. SSSCIP's deputy chair, Viktor Zhora, wrote in a statement that the agency responded to the breach last year, working with the victim to "minimize and localize the impact." In an investigation over the two days following the near-simultaneous blackout and missile strikes, he says, the agency confirmed that the hackers had found a "bridge" from the utility's IT network to its industrial control systems and planted malware there capable of manipulating the grid.

Mandiant's more detailed breakdown of the intrusion shows how the GRU's grid hacking has evolved over time to become far more stealthy and nimble. In this latest blackout attack, the group used a "living off the land" approach that has become more common among state-sponsored hackers seeking to avoid detection. Instead of deploying their own custom malware, they exploited the legitimate tools already present on the network to spread from machine to machine before finally running an automated script that used their access to the facility's industrial control system software, known as MicroSCADA, to cause the blackout.

In Sandworm's 2017 blackout that hit a transmission station north of the capital of Kyiv, by contrast, the hackers used a custom-built piece of malware known as Crash Override or Industroyer, capable of automatically sending commands over several protocols to open circuit-breakers. In another Sandworm power grid attack in 2022, which the Ukrainian government has described as a failed attempt to trigger a blackout, the group used a newer version of that malware known as Industroyer2.

Sandworm Hackers Caused Another Blackout in Ukraine—During a Missile Strike

Face recognition technology has been controversial for years. Cops in the UK are drastically increasing the amount they use it.

A Beyoncé gig, the coronation of King Charles, and the British Formula One Grand Prix all have one thing in common: Thousands of people at the events, which all took place earlier this year, had their faces scanned by police-operated face recognition tech.

Backed by the Conservative government, police forces across England and Wales are being told to rapidly expand their use of the highly controversial technology, which globally has led to false arrests, misidentifications, and lives derailed. Police have been told to double their use of face searches against databases by early next year—45 million passport photos could be opened up to searches—and police are increasingly working with stores to try to identify shoplifters. Simultaneously, more regional police forces are testing real-time systems in public places.

The rapid expansion of face recognition comes at a time when trust in policing levels are at record lows, following a series of high-profile scandals. Civil liberties groups, experts, and some lawmakers have called for bans on the use of face recognition technology, particularly in public places, saying it infringes on people’s privacy and human rights, and isn’t a “proportionate” way to find people suspected of committing crimes.

“In the democratic world, we are an outlier at the moment,” says Madeleine Stone, a senior advocacy officer with Big Brother Watch, a privacy-focused group that has called for a ban and “immediate stop” on live face recognition, a proposal backed by 65 UK lawmakers. The EU, which the UK left in 2016, may ban the real-time use of face recognition systems, and one of its highest courts has called the technology “highly intrusive.” Various US states have banned police from using the technology.

Cops in England and Wales can hunt for potential criminals using two main kinds of face recognition. First, there are live face recognition systems (LFR): These usually include cameras mounted on police vans that scan people’s faces as they walk by and check them against a “watchlist” of wanted people. The LFR technology is deployed for some big events and announced in advance by the police. Second, there’s retrospective face recognition (RFR), where images from CCTV, smartphones, and doorbell cameras can be fed into a system that tries to identify the person based on millions of existing photos. Police use of both systems is increasing.

Two police forces in England and Wales—London’s Metropolitan Police and South Wales Police—have embraced LFR, using the technology for multiple years. (Police in Scotland, where policing is overseen locally, don’t use live systems but are reportedly increasing their use of RFR). So far this year, the Met and South Wales Police have used LFR on 22 separate occasions, according to statistics published on their websites.

Across 13 deployments, an estimated 247,764 people have passed the Met’s cameras this year, including at the King’s coronation and a soccer match between Arsenal and Tottenham. In 2023 so far, the Met’s system has pinged 18 times when it has matched a person with someone on the predetermined watchlist. Twelve of those people have been arrested. South Wales Police has used LFR nine times this year, scanning an estimated 705,290 faces and arresting two people.

Researchers and academics have long shown face recognition technologies to be biased or less accurate for people of color, particularly Black people. In all of the LFR uses by the Met and South Wales police forces this year, their figures show, there have been no false alerts or misidentifications. In short, every time the system made a match, it was correct, according to the departments’ data. The data published by the police forces show the LFR systems they are using are set to an accuracy threshold of either 0.6 or 0.64. A study conducted by the National Physical Laboratory, a UK public sector research organization, recommended the threshold setting of 0.64 as a way to reduce biased and incorrect matches.

Pete Fussey, a professor at the University of Essex who previously audited the Met’s face recognition, says that the report shows the algorithms may still be discriminatory and biased, but setting the thresholds neutralizes the system entirely. “If you desensitize the system, then you'll get fewer matches and fewer of those will be wrong,” Fussey says. Big Brother Watch’s Stone says it “brings into question the necessity and proportionality of the whole endeavor if you’re having dozens of police officers standing around the street looking at iPads just to make one arrest.” Stone argues “it’s not a good use of time.”

A spokesperson for the Home Office, the government department responsible for policing in England and Wales, says it is “committed” to giving police the technology they need to help solve crimes. “Technology such as facial recognition helps the police quickly and accurately identify those wanted for serious crimes, as well as missing or vulnerable people,” the spokesperson says, claiming it “frees up police time and resources.” They point to a blog post about police use of face recognition technologies.

“Live facial recognition isn't just deployed on its own. It's in support of wider policing operations,” says detective chief inspector Jamie Townsend, who is the operational lead for the Met's face recognition. A policing operation may make 30 arrests in an area with face recognition contributing two or three of them, he says.

Townsend says that the biometric data of people isn’t stored when they are scanned by LFR cameras, and he considers the system to be “precision policing” as it allows for the identification of specific individuals. The Home Office’s blog post claims LFR has led to the arrest of sex offenders and someone wanted for possessing a knife. South Wales Police did not respond to WIRED’s request for comment at the time of writing.

Two other UK police forces have tried LFR in recent months, raising concerns about how the technology will be used going forward and who is put on the watchlists of people the systems are looking for. There are more than 30 police forces that have not used LFR, although the government has said it is “very supportive” of more forces using it.

Around 380,000 people had their faces scanned by Northamptonshire police over three days at the British Grand Prix in July, according to public records requests. No arrests were made. A Freedom of Information Act request from Big Brother Watch revealed the force had placed 790 people on the watchlist for the event while only 234 were wanted for arrest. “It was largely individuals who were not wanted for any criminal reasons, which leads us to believe that these were protesters who were being put on watchlists,” Stone says. The previous year’s British Grand Prix was disrupted by protesters.

A statement from Northamptonshire Police says the watchlist “included a range of offences from organized crime to aggravated trespass, which had the potential of leading to the death or serious injury of the public, racing drivers and staff, especially if there was a repeat of the 2022 track incursion. We were not targeting those taking part in lawful, peaceful protests.”

Police forces are also being encouraged to ramp up the use of after-the-fact, retrospective face recognition. All police forces across the UK have the ability to run searches for faces against the Police National Database, which has more than 16 million photos and includes millions of images that should have been deleted years ago. In 2022, according to data from freedom of information requests, there were 85,158 face searches—up 330 percent on the previous year. Policing minister Chris Philp said in October that he wants the number of searches to double by May 2024.

Fussey, the University of Essex professor, says retrospective face recognition is often thought to be more “benign” than live face recognition, but he doesn't believe it is the case. “The issues and harms and human rights implications are the same, whether it's live or retrospective,” he says, adding there is a lot of ambiguity around how the technology is being used.

In August 2020, the UK’s Court of Appeal ruled that South Wales Police’s use of LFR was unlawful. Since then, police forces using the technology say they have changed their procedures in response to the court decision, and the Home Office spokesperson says there is a “comprehensive legal framework in the UK” that requires police to use the technology only when it is “necessary, proportionate, and fair.”

Many disagree. A wide-ranging review from the Ada Lovelace Institute, a nonprofit, says there is “legal uncertainty” about the use of LFR. Another report by University of Cambridge academics, from the Minderoo Centre for Technology and Democracy, concluded that three examined police deployments of face recognition “failed to meet the minimum ethical and legal standards.”

“It’s wholly legitimate for police to use technology to keep the public safe,” says Fussey, who recently completed a report on proposals to change the oversight of biometrics in the UK. “The question is about how lawful and necessary it is,” he says. “At the moment, we’re in a situation where the legal basis isn’t clear. There’s no external oversight of how it’s used, how it’s authorized, who’s on the watchlist.”

Police Use of Face Recognition Is Sweeping the UK

Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system binary. This could lead to unauthorized access and potentially malicious actions on the host system.

**Note:**

An attacker must have access to the system running the vulnerable chromedriver library to exploit it. The success of exploitation also depends on the permissions and privileges of the process running chromedriver.

**chromedriver Command Injection vulnerability**

Moderate severity GitHub Reviewed Published Nov 9, 2023 to the GitHub Advisory Database • Updated Nov 9, 2023

GHSA-hm92-vgmw-qfmx: chromedriver Command Injection vulnerability

Cross Site Scripting vulnerability in MLDB.ai v.2017.04.17.0 allows a remote attacker to execute arbitrary code via a crafted payload to the public_html/doc/index.html.

\- CVE ID

CVE-2023-46492

\- Name of affected product and versions

github.com/mldbai/mldb

version <= 2017.04.17.0

\- Problem type

Attacker can execute arbitrary javascript code in victim's browser by sending specifically crafted url that exploits DOM based XSS in container\_files/public\_html/doc/index.html.

\- Description

There is a DOM based XSS vulnerability in container\_files/public\_html/doc/index.html due to setting iframe src with unsanitized user input from location.hash.

CVE-2023-46492: gist:a75b618419d5afb137cd5a29e8156420

Users looking to download a popular PC utility may be tricked in this campaign where a threat actor has registered a website that copies content from a PC and Windows news portal.

The majority of malvertising campaigns delivering malicious utilities that we have tracked so far typically deceive victims with pages that are almost the exact replica of the software vendor being impersonated. For example, we have seen fake websites appearing like the real Webex, AnyDesk or KeePass home page.

In a new campaign, we observed a threat actor copying a legitimate Windows news portal (WindowsReport.com) to distribute a malicious installer for the popular processor tool CPU-Z.

This type of website is often visited by geeks and system administrators to read the latest computer reviews, learn some tips and download software utilities. The Windows Report was never compromised and is legitimate, but rather threat actors copied its content to trick users.

This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used to avoid detection. We have informed Google with the relevant details for takedown.

**Google ad and filtering**

The malicious ad is for CPU-Z, a popular utility for Windows users that want to troubleshoot their processor and other computer hardware details. The advertiser shows as Scott Cooper and is likely a compromised or fake identity.

One common technique used by threat actors to evade detection is to employ cloaking. Anyone clicking on the ad and who’s not the intended victim will see a standard blog with a number of articles.

We had previously identified another malicious ad using almost the same template.

**Redirect to Windows news site lookalike**

To show what happens when an actual victim clicks on the ad, here is the network traffic related to it as seen in the image below. This time, the corporatecomf\[.\]online website is no longer used to show a blog with articles but instead does a redirect (302 HTTP code) to another domain at workspace-app\[.\]online.

This domain uses content from the legitimate Windows portal WindowsReport.com and looks almost identical:

People who searched for CPU-Z and clicked the ad are now at the download page for the software, where they may wrongly assume that it is legitimate. The URL in the address bar does not match the real one, though.

There are several other domains hosted on the same IP address (74.119.192.188) also used in malvertising campaigns:

**Signed MSIX installer**

The payload is a digitally signed MSIX installer which contains a malicious PowerShell script, a loader known as FakeBat:

The script shows the malware command and control server as well as the remote payload (Redline stealer):

We are blocking the malvertising domains for all Malwarebytes customers:

ThreatDown, powered by Malwarebytes, already detected the final infostealer payload and we have added coverage for the its command and control servers as well.

It is possible the threat actor chose to create a decoy site looking like Windows Report because many software utilities are often downloaded from such portals instead of their official web page.

The download is also a signed MSI installer, which increases the chances for it to look legitimate from the operating system and antivirus software. These MSI loaders are quite common and allow threat actors to update the final payload by simply swapping a PowerShell script.

Software downloads have been a big target for the past year with criminals using a variety of tricks to deceive users and install malware. In an enterprise environment, it may be wise to verify a file’s checksum to ensure it has not been tampered with by comparing its SHA256 hash sum with what is posted on the vendor’s website.

**Indicators of Compromise**

Ad domains

argenferia\[.\]com  
realvnc\[.\]pro  
corporatecomf\[.\]online  
cilrix-corp\[.\]pro  
thecoopmodel\[.\]com  
winscp-apps\[.\]online  
wireshark-app\[.\]online  
cilrix-corporate\[.\]online  
workspace-app\[.\]online

Payload URLs

thecoopmodel\[.\]com/CPU-Z-x86.msix
kaotickontracting\[.\]info/account/hdr.jpg
ivcgroup\[.\]in/temp/Citrix-x64.msix
robo-claim\[.\]site/order/team.tar.gpg
argenferia\[.\]com/RealVNC-x64.msix

Payloads

55d3ed51c3d8f56ab305a40936b446f761021abfc55e5cc8234c98a2c93e99e1
9acbf1a5cd040c6dcecbe4e8e65044b380b7432f46c5fbf2ecdc97549487ca88
419e06194c01ca930ed5d7484222e6827fd24520e72bfe6892cfde95573ffa16
cf9589665615375d1ad22d3b84e97bb686616157f2092e2047adb1a7b378cc95

C2s

11234jkhfkujhs\[.\]site
11234jkhfkujhs\[.\]top
94.131.111\[.\]240
81.177.136\[.\]179

 Malvertiser copies PC news site to deliver infostealer 

An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ifname field in the sub_391B8 function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-47007: Digging/ASUS/RT-AX57/2/1.md at main · XYIYM/Digging

An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ipaddr field in the sub_6FC74 function.

CVE-2023-47006: Digging/ASUS/RT-AX57/1/1.md at main · XYIYM/Digging

An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the lan_ifname field in the sub_ln 2C318 function.

CVE-2023-47005: Digging/ASUS/RT-AX57/3/1.md at main · XYIYM/Digging

An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote attacker to execute arbitrary code via a crafted request to the ifname field in the sub_4CCE4 function.

Tag

#git