Ubuntu Security Notice 6921-1 - Benedict SchlÃ¼ter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde discovered that an untrusted hypervisor could inject malicious #VC interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw is known as WeSee. A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6921-1July 29, 2024linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia,linux-oem-6.8, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-nvidia: Linux kernel for NVIDIA systems- linux-oem-6.8: Linux kernel for OEM systems- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, and Shweta Shindediscovered that an untrusted hypervisor could inject malicious #VCinterrupts and compromise the security guarantees of AMD SEV-SNP. This flawis known as WeSee. A local attacker in control of the hypervisor could usethis to expose sensitive information or possibly execute arbitrary code inthe trusted execution environment. (CVE-2024-25742)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - DMA engine subsystem;  - HID subsystem;  - I2C subsystem;  - PHY drivers;  - TTY drivers;  - IPv4 networking;(CVE-2024-35990, CVE-2024-35997, CVE-2024-35992, CVE-2024-35984,CVE-2024-36008, CVE-2024-36016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1007-gke      6.8.0-1007.10  linux-image-6.8.0-1008-raspi    6.8.0-1008.8  linux-image-6.8.0-1009-ibm      6.8.0-1009.9  linux-image-6.8.0-1009-oem      6.8.0-1009.9  linux-image-6.8.0-1010-nvidia   6.8.0-1010.10  linux-image-6.8.0-1010-nvidia-64k  6.8.0-1010.10  linux-image-6.8.0-1011-gcp      6.8.0-1011.12  linux-image-6.8.0-1012-aws      6.8.0-1012.13  linux-image-6.8.0-39-generic    6.8.0-39.39  linux-image-6.8.0-39-generic-64k  6.8.0-39.39  linux-image-aws                 6.8.0-1012.13  linux-image-gcp                 6.8.0-1011.12  linux-image-generic             6.8.0-39.39  linux-image-generic-64k         6.8.0-39.39  linux-image-generic-64k-hwe-24.04  6.8.0-39.39  linux-image-generic-hwe-24.04   6.8.0-39.39  linux-image-generic-lpae        6.8.0-39.39  linux-image-gke                 6.8.0-1007.10  linux-image-ibm                 6.8.0-1009.9  linux-image-ibm-classic         6.8.0-1009.9  linux-image-ibm-lts-24.04       6.8.0-1009.9  linux-image-kvm                 6.8.0-39.39  linux-image-nvidia              6.8.0-1010.10  linux-image-nvidia-64k          6.8.0-1010.10  linux-image-oem-24.04           6.8.0-1009.9  linux-image-oem-24.04a          6.8.0-1009.9  linux-image-raspi               6.8.0-1008.8  linux-image-virtual             6.8.0-39.39  linux-image-virtual-hwe-24.04   6.8.0-39.39After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6921-1  CVE-2024-25742, CVE-2024-35984, CVE-2024-35990, CVE-2024-35992,  CVE-2024-35997, CVE-2024-36008, CVE-2024-36016Package Information:  https://launchpad.net/ubuntu/+source/linux/6.8.0-39.39  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1012.13  https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1011.12  https://launchpad.net/ubuntu/+source/linux-gke/6.8.0-1007.10  https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1009.9  https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1010.10  https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1009.9  https://launchpad.net/ubuntu/+source/linux-raspi/6.8.0-1008.8

Ubuntu Security Notice USN-6921-1

Ubuntu Security Notice 6923-1 - Benedict SchlÃ¼ter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde discovered that an untrusted hypervisor could inject malicious #VC interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw is known as WeSee. A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-6923-1July 29, 2024linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15,linux-hwe-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm,linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oraclevulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-intel-iotg-5.15: Linux kernel for Intel IoT platforms- linux-lowlatency-hwe-5.15: Linux low latency kernelDetails:Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, and Shweta Shindediscovered that an untrusted hypervisor could inject malicious #VCinterrupts and compromise the security guarantees of AMD SEV-SNP. This flawis known as WeSee. A local attacker in control of the hypervisor could usethis to expose sensitive information or possibly execute arbitrary code inthe trusted execution environment. (CVE-2024-25742)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - TTY drivers;  - SMB network file system;  - Netfilter;  - Bluetooth subsystem;(CVE-2024-26886, CVE-2024-26952, CVE-2023-52752, CVE-2024-27017,CVE-2024-36016)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1049-gkeop   5.15.0-1049.56  linux-image-5.15.0-1061-intel-iotg  5.15.0-1061.67  linux-image-5.15.0-1061-nvidia  5.15.0-1061.62  linux-image-5.15.0-1061-nvidia-lowlatency  5.15.0-1061.62  linux-image-5.15.0-1063-gke     5.15.0-1063.69  linux-image-5.15.0-1063-kvm     5.15.0-1063.68  linux-image-5.15.0-1064-oracle  5.15.0-1064.70  linux-image-5.15.0-1065-gcp     5.15.0-1065.73  linux-image-5.15.0-1066-aws     5.15.0-1066.72  linux-image-5.15.0-117-generic  5.15.0-117.127  linux-image-5.15.0-117-generic-64k  5.15.0-117.127  linux-image-5.15.0-117-generic-lpae  5.15.0-117.127  linux-image-5.15.0-117-lowlatency  5.15.0-117.127  linux-image-5.15.0-117-lowlatency-64k  5.15.0-117.127  linux-image-aws-lts-22.04       5.15.0.1066.66  linux-image-gcp-lts-22.04       5.15.0.1065.61  linux-image-generic             5.15.0.117.117  linux-image-generic-64k         5.15.0.117.117  linux-image-generic-lpae        5.15.0.117.117  linux-image-gke                 5.15.0.1063.62  linux-image-gke-5.15            5.15.0.1063.62  linux-image-gkeop               5.15.0.1049.48  linux-image-gkeop-5.15          5.15.0.1049.48  linux-image-intel-iotg          5.15.0.1061.61  linux-image-kvm                 5.15.0.1063.59  linux-image-lowlatency          5.15.0.117.107  linux-image-lowlatency-64k      5.15.0.117.107  linux-image-nvidia              5.15.0.1061.61  linux-image-nvidia-lowlatency   5.15.0.1061.61  linux-image-oracle-lts-22.04    5.15.0.1064.60  linux-image-virtual             5.15.0.117.117Ubuntu 20.04 LTS  linux-image-5.15.0-1049-gkeop   5.15.0-1049.56~20.04.1  linux-image-5.15.0-1061-intel-iotg  5.15.0-1061.67~20.04.1  linux-image-5.15.0-117-generic  5.15.0-117.127~20.04.1  linux-image-5.15.0-117-generic-64k  5.15.0-117.127~20.04.1  linux-image-5.15.0-117-generic-lpae  5.15.0-117.127~20.04.1  linux-image-5.15.0-117-lowlatency  5.15.0-117.127~20.04.1  linux-image-5.15.0-117-lowlatency-64k  5.15.0-117.127~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.117.127~20.04.1  linux-image-generic-hwe-20.04   5.15.0.117.127~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.117.127~20.04.1  linux-image-gkeop-5.15          5.15.0.1049.56~20.04.1  linux-image-intel               5.15.0.1061.67~20.04.1  linux-image-intel-iotg          5.15.0.1061.67~20.04.1  linux-image-lowlatency-64k-hwe-20.04  5.15.0.117.127~20.04.1  linux-image-lowlatency-hwe-20.04  5.15.0.117.127~20.04.1  linux-image-oem-20.04           5.15.0.117.127~20.04.1  linux-image-oem-20.04b          5.15.0.117.127~20.04.1  linux-image-oem-20.04c          5.15.0.117.127~20.04.1  linux-image-oem-20.04d          5.15.0.117.127~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.117.127~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-6923-1  CVE-2023-52752, CVE-2024-25742, CVE-2024-26886, CVE-2024-26952,  CVE-2024-27017, CVE-2024-36016Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-117.127  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1066.72  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1065.73  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1063.69  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1049.56  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1061.67  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1063.68  https://launchpad.net/ubuntu/+source/linux-lowlatency/5.15.0-117.127  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1061.62  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1064.70  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1049.56~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-117.127~20.04.1  https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1061.67~20.04.1  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-5.15/5.15.0-117.127~20.04.1

Ubuntu Security Notice USN-6923-1

Telegram for Android suffers from a use-after-free vulnerability in Connection::onReceivedData.

    Telegram for Android: Use-after-free in Connection::onReceivedDataReporting this in collaboration with Mitch, who found crashes indicating this issue and brought it to my attention.Related to https://bugs.chromium.org/p/project-zero/issues/detail?id=2505; there's another issue which I overlooked when reviewing the fix. If we look more closely at `Connection::onReceivedData`, there's another possibility that can invalidate `buffer`.```void Connection::onReceivedData(NativeByteBuffer *buffer) {  AES_ctr128_encrypt(buffer->bytes(), buffer->bytes(), buffer->limit(), &decryptKey, decryptIv, decryptCount, &decryptNum);    // snip...  NativeByteBuffer *reuseLater = nullptr;  while (buffer->hasRemaining()) {    // snip...    uint32_t old = buffer->limit();    buffer->limit(buffer->position() + currentPacketLength);    ConnectionsManager::getInstance(currentDatacenter->instanceNum).onConnectionDataReceived(this, buffer, currentPacketLength);    buffer->position(buffer->limit());  // <-- Use here    buffer->limit(old);    // snip...```We can see the call to `ConnectionsManager::onConnectionDataReceived`, and it should be the case that buffer etc. remain valid past this call. If we look at the implementation, we can see that (at least in the case where we aren't using a proxy) we call `connection->reconnect()````void ConnectionsManager::onConnectionDataReceived(Connection *connection, NativeByteBuffer *data, uint32_t length) {  bool error = false;  if (length <= 24 + 32) {    int32_t code = data->readInt32(&error);    if (code == 0) {      // snip...    } else {      Datacenter *datacenter = connection->getDatacenter();      if (LOGS_ENABLED) DEBUG_W(\"mtproto error = %d\", code);      if (code == -444 && connection->getConnectionType() == ConnectionTypeGeneric && !proxyAddress.empty() && !proxySecret.empty()) {        // snip...      } else if (code == -404 && (datacenter->isCdnDatacenter || PFS_ENABLED)) {        // snip...      } else {        connection->reconnect();      }    }    return;  }  // snip...````Connection::reconnect` calls down into `Connection::suspendConnection`, which releases `restOfTheData`, which may alias `buffer`.```void Connection::suspendConnection(bool idle) {  reconnectTimer->stop();  waitForReconnectTimer = false;  if (connectionState == TcpConnectionStageIdle || connectionState == TcpConnectionStageSuspended) {    return;  }  if (LOGS_ENABLED) DEBUG_D(\"connection(%p, account%u, dc%u, type %d) suspend\", this, currentDatacenter->instanceNum, currentDatacenter->getDatacenterId(), connectionType);  connectionState = idle ? TcpConnectionStageIdle : TcpConnectionStageSuspended;  dropConnection();  ConnectionsManager::getInstance(currentDatacenter->instanceNum).onConnectionClosed(this, 0);  firstPacketSent = false;  if (restOfTheData != nullptr) {    restOfTheData->reuse();  // <-- Free here    restOfTheData = nullptr;  }  lastPacketLength = 0;  connectionToken = 0;  wasConnected = false;}This will then lead to a use-after-free on buffer after returning from `ConnectionsManager::onConnectionDataReceived`.Crashes with a matching stack trace have been observed, so it is definitely possible for this to occur - since the simplest case requires that the client be connected directly to the datacenter instead of through a proxy, I haven't attempted to reproduce the issue yet. It is however possible to reach `connection->reconnect()` in multiple ways inside `ConnectionsManager::onConnectionDataReceived`, so it's very likely that this is also reachable in a similar way to issue 2505.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2024-07-23.Found by: markbrand@google.com

Telegram For Android Connection::onReceivedData Use-After-Free

Pharmacy Management System version 1.0 suffers from an ignored default credential vulnerability.

**Pharmacy Management System 1.0 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Pharmacy Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 59f44c9b7f06be4efb67d80c7c07d536ce29ef1457664c97c77dea0949148078

Download | Favorite | View

**Pharmacy Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Pharmacy Management System v1.0 Insecure Settings Vulnerability                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/user/257130/activity                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruanwitness000webhostappcom/admin/?page=clientsGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Pharmacy Management System 1.0 Insecure Settings

Online Payment Hub System version 1.0 suffers from an ignored default credential vulnerability.

**Online Payment Hub System 1.0 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Online Payment Hub System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 30a6b1cbf6e4c838b1c70e5f65c51d228a564e5d1e6f1bc286e2c364b4ee5cda

Download | Favorite | View

**Online Payment Hub System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : Online Payment Hub System v1.0 Insecure Settings Vulnerability                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://scriptmafia.org                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yoruban-witness.000webhostappcom/admin/?page=clientsGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Online Payment Hub System 1.0 Insecure Settings

Innue Business Live Chat version 2.5 suffers from an ignored default credential vulnerability.

**Innue Business Live Chat 2.5 Insecure Settings**

Posted Jul 29, 2024

Authored by indoushka

Innue Business Live Chat version 2.5 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 69cf2bb9bb7d7ff376d99fe228145e43a3757fab2416d6aff6f75b372ddf2d3a

Download | Favorite | View

**Innue Business Live Chat 2.5 Insecure Settings**

    ====================================================================================================================================| # Title     : innue business live chat v2.5 Insecure Settings Vulnerability                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/business-live-chat-software.php                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = admin[+] https://www/127.0.0.1/vmi1941086contaboservernet/loginGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,161)
*   Arbitrary (16,833)
*   BBS (2,859)
*   Bypass (1,853)
*   CGI (1,033)
*   Code Execution (7,780)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (25,014)
*   Encryption (2,389)
*   Exploit (53,083)
*   File Inclusion (4,257)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,876)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,179)
*   Local (14,782)
*   Magazine (586)
*   Overflow (13,153)
*   Perl (1,435)
*   PHP (5,220)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,630)
*   Remote (31,618)
*   Root (3,625)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,023)
*   Shell (3,272)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,589)
*   TCP (2,440)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,911)
*   Web (9,949)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,236)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,556)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,418)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,700)
*   UNIX (9,431)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Innue Business Live Chat 2.5 Insecure Settings

An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites.

Source: Richard Levine via Alamy Stock Photo

Critical API security flaws have put millions of users at risk for account takeover, by using a modern authentication standard to resurrect a longtime vulnerability. The bugs were found in the Hotjar service, which tracks and records Web user activity, and in the code of the popular Business Insider global news website.

That's according to API security firm Salt Security's Salt Labs, which found that by pairing manipulation of the OAuth standard with cross-site scripting (XSS) flaws in the two sites, attackers can potentially expose sensitive data and conduct malicious activity acting as legitimate users of more than a million websites.

Hotjar, a tool that complements Google Analytics by recording user activity to analyze behavior, serves more than a million websites, including well-known brands such as Adobe, Microsoft, Panasonic, Columbia, RyanAir, Decathlon, T-Mobile, and Nintendo.

"Due to the nature of the Hotjar solution, the data it collects can include a vast volume of personal and sensitive data, such as names, emails, addresses, private messages, bank details, and even credentials under certain circumstances," according to a Salt Labs blog post on the research.

A separate but just as dangerous vulnerability found on the Business Insider website can meanwhile be exploited to perform an cross-site scripting (XSS) attack and take over accounts on that site, which has millions of global users.

More worrisome, the same combination of problems is likely widespread and lurking on whole swathes of the Internet, the researchers warned.

**A Modern Authentication Standard Meets an Old Flaw**

OAuth is a relatively new standard increasingly being used for seamless cross-website authentication, familiar to many as the engine behind the "log in with Facebook" or "log in with Google" functionality included in many websites. The standard drives the mechanism responsible for the authentication handoff between the sites, allowing user data to be shared between them. It's been known to be misconfigured upon implementation in ways that create serious vulnerabilities that span numerous sites.

XSS, meanwhile, is one of the most oft-exploited and oldest Web vulnerabilities. It allows an attacker to inject malicious code into a legitimate Web page or application in order to execute scripts in a website visitor's browser for data theft and more.

An attacker who successfully exploits an attack vector that combines the two "will gain the same permissions and functionality as the victim, and therefore, the risk will be parallel to what can actually be done by a normal system user," Yaniv Balmas, vice president of research at Salt, tells Dark Reading.

Salt Labs discovered the vulnerability on the Business Insider site on March 20 and immediately informed the company, which fixed the flaws by March 30. The Hotjar flaw was discovered on April 17, and, upon disclosure, mitigated two days later.

However, Salt researchers believe that flaws that allow attackers to exploit this combo of OAuth and XSS are likely lurking undetected on other sites, thus exposing millions of unsuspecting users to potential account takeover.

"We strongly believe this is a very common issue, and most chances are that many other online services suffer from the same issue," Balmas says.

**Hotjar Attack**

Given that XSS has been around so long, most websites have built-in protections against attacks that exploit this vulnerability. Salt researchers were able to get around them using OAuth in two separate instances on both Hotjar and the Business Insider website.

On the former, the researchers manipulated the social login aspect of Hotjar, which redirects to Google to receive a secret token through OAuth to complete authentication on Hotjar. That token is a URL that contains secret code, which is something that JavaScript code can read, creating an XSS flaw.

"To combine XSS with this new social-login feature and achieve working exploitation, we use a JavaScript code that starts a new OAuth login flow in a new window and then reads the token from that window," according to the post. "With this method, the JavaScript code opens a new tab to Google, and Google automatically redirects the user back to \[the Hotjar site\] with the OAuth code in the URL."

The code reads the URL from the new tab and extracts the OAuth credentials from it. Once the attackers have a victim's code, they can start a new login flow in Hotjar, replacing their code with the victim code and leading to a full account takeover and thus potential exposure of all the personal data collected by Hotjar.

**Exploiting Mobile Logins**

The researchers also managed to exploit the social sign-in feature integrated into the code of the Business Insider website, specifically through mobile authentication, which opens a new Web browser to authenticate the user. After the user completes the authentication on the Web, they are then redirected to an endpoint with their credentials as parameters that are sent from the Web to the mobile site.

"This endpoint, created only to support authentication using the mobile application, is vulnerable to XSS," according to the post. Thus, if an attacker can read the credentials from the URL, they can achieve account takeover.

"What we need to do is write JavaScript code that starts a login flow, wait for the token to be visible in the URL, and then read that URL," according to the post. "If a victim clicks on that link, their credentials will be passed to a malicious domain."

Though the flaws specifically found on Hotjar and Business Insider have been mitigated, the potential for exploit on other sites means site administrators need to be careful in how they implement OAuth, lest it be used in similar attack scenarios, Balmas says.

"As always, when implementing any new technology, many things need to be considered, including, of course, security," he says. "A solid implementation that considers all possible options should be secure and will not allow an attacker an opportunity to abuse this attack vector."

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

This year's conference will be a treasure trove of insights for cybersecurity professionals.

Meny Har, CEO & Co-Founder, Opus Security

July 29, 2024

3 Min Read

Source: Anton Gvozdikov via Alamy Stock Photo

COMMENTARY

As always, Black Hat USA 2024 promises to be a treasure trove of insights for cybersecurity professionals. The artificial intelligence craze notwithstanding, vulnerability remediation continues to be the core focus for all sizes of organizations seeking to make security more efficient. Understandably, this year's conference promises a variety of approaches, case studies, and informative discussions on this topic. Here are the seven most illuminating sessions we suggest you attend, for insights on discovering, prioritizing, and patching vulnerabilities: 

**Breaching AWS Accounts Through Shadow Resources**

Speakers: Yakir Kadkoda, Michael Katchinskiy, Ofek Itach   
Date: Wednesday, Aug. 7, 10:20 a.m.-11 a.m.   
Tracks: Cloud security, enterprise security

Did you know that six critical vulnerabilities in Amazon Web Services (AWS) have the potential to lead to severe breaches, including remote code execution and information disclosure? This session dives into a methodology for discovering these vulnerabilities, and the speakers will introduce a new open source tool for researching service internal API calls. This session is essential for understanding and mitigating complex cloud vulnerabilities. 

**Predict, Prioritize, Patch: How Microsoft Harnesses LLMs for Security Response**

Speaker: Bill Demirkapi   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: AI, ML & data science, application security: defense

Joining this session will help you understand more about how Microsoft leverages large language models (LLMs) to streamline security response workflows. Hear about practical applications of LLMs for deriving vulnerability information, predicting report severity, and generating root causes from crash dumps. This is a seminal session for organizations looking to enhance their vulnerability management with AI. 

**Self-Hosted GitHub CI/CD Runners: Continuous Integration, Continuous Destruction**

Speakers: Adnan Khan, John Stawinski   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: Enterprise security, application security: offense

This technical deep dive addresses the security risks associated with self-hosted CI/CD runners, highlighting critical vulnerabilities discovered in GitHub and other platforms. Attendees will learn how to defend against pipeline poisoning and privilege escalation attacks, which are vital for securing the software development life cycle. 

**The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and More)**

Speaker: Liv Matan   
Date: Wednesday, Aug. 7, 1:30 p.m.-2:10 p.m.   
Tracks: Cloud security, application security: offense

Explore how a single faulty command in Google Cloud Platform (GCP) led to a critical RCE vulnerability, affecting millions of servers. This session will provide insights into the complexity of cloud services and present tools for uncovering hidden APIs used by cloud providers. Security leaders managing cloud security in their organizations and seeking to understand cloud service vulnerabilities will find this talk invaluable. 

**Will We Survive the Transitive Vulnerability Locusts?**

Speakers: Eyal Paz, Liad Cohen   
Date: Thursday, Aug. 8, 2:30 p.m.-3 p.m.   
Tracks: Application security: defense, exploit development & vulnerability discovery

Learn about the risk of transitive dependencies in software projects, with speakers clearly demonstrating how these vulnerabilities can be exploited. Attendees will learn practical strategies for mitigating these risks and prioritizing vulnerabilities in their threat model, which is crucial for secure software development. 

**Break the Wall From Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls**

Speakers: Qi Wang, Jianjun Chen, Run Guo, Chao Zhang, Haixin Duan   
Date: Thursday, Aug. 8, 2:30 p.m.-3 p.m.   
Tracks: Application security: offense, cloud security

Discover how protocol-level evasion vulnerabilities in WAFs can be exploited to bypass security measures. This session introduces WAF Manis, a novel testing framework that uncovered 311 evasion cases and could be extremely useful for those looking to strengthen their Web application defenses against sophisticated attacks. 

**Are Your Backups Still Immutable, Even Though You Can't Access Them?**

Speakers: Ryan Kane, Rushank Shetty   
Date: Thursday, Aug. 8, 3:20 p.m.-4 p.m.   
Tracks: Enterprise security, application security: offense

This session explores the security of immutable backups, highlighting how attackers can target the infrastructure hosting backup data. Learn the processes, failures, and successes in testing immutable backups, crucial for ensuring data resilience against ransomware attacks.

These sessions and many others on vulnerability remediation are a testament to the growing importance of building a culture of proactive security, by addressing the constantly evolving attack surfaces and staying vigilant. Ensuring that you have a robust vulnerability remediation process is a critical and vital security checkpoint in your organization's security posture. 

**About the Author(s)**

CEO & Co-Founder, Opus Security

Meny Har is the CEO and co-founder of Opus Security, a cloud-native security remediation platform, helping security teams orchestrate remediation processes from start to fix. Before founding Opus, he was part of the founding team and vice president of product with the cloud-native SOAR platform Siemplify, which was acquired by Google Cloud in January 2022. Meny has more than 15 years of cybersecurity experience, with a proven track record of building, validating, and scaling successful products.

7 Sessions Not to Miss at Black Hat USA 2024

Infostealer malware is swiping millions of passwords, cookies, and search histories. It’s a gold mine for hackers—and a disaster for anyone who becomes a target.

For the past two months, cybercriminals have advertised for sale hundreds of millions of customer records from major companies like Ticketmaster, Santander Bank, and AT&T. And while massive data breaches have been a fact of life for more than a decade now, these recent examples are significant, because they are all connected. Each victim company was a customer of the cloud data storage firm Snowflake and was compromised not through a sophisticated hack, but because attackers had login credentials for each victim company’s Snowflake accounts—a data-stealing spree that impacted at least 165 Snowflake customers.

Attackers didn’t grab this trove of logins by directly breaching Snowflake or through a targeted supply chain attack. Instead, they found the credentials in a hodgepodge of stolen data grabbed haphazardly by “infostealer” malware.

After years of operation, infostealers are having a moment. The malware, which often finds its way onto people’s machines through downloads of pirated software, can steal usernames and passwords, cookies, search history, financial information, and more from web browsers. This data collected by infostealers is increasingly being used by all kinds of hackers to compromise companies—and cybersecurity experts warn of more high-profile data breaches to come.

“We’ve seen nation-states leverage infostealers, we’ve seen criminals leverage infostealers, and we’ve seen teenage hacking crews leverage infostealers,” says Charles Carmakal, chief technology officer of Google-owned cybersecurity firm Mandiant. Russia’s APT29 hackers and cybercriminal gangs such as Lapsus$ and Scattered Spider are among the many hackers using infostealers. Just days after the global CrowdStrike outage, hackers created a new infostealer in an attempt to capitalize on the chaos.

Infostealers are defined less by their technical capabilities and more by their role in the malicious hacker ecosystem. Of course, to minimally qualify, they must be designed to steal information. But what separates infostealers from spyware or other malware used in espionage or targeted data breaches is that infostealers are spread opportunistically and indiscriminately. They grab data from the browsers of whatever computers they end up infecting. Then the attackers who run them compile and organize this chaotic and largely random assemblage of data—often on a marketplace or in a public forum like a Telegram channel. It is only then that infostealer operators or their customers comb their haul for valuable credentials and access tokens amidst the massive amount of junk. Ian Gray, director of analysis and research at the security firm Flashpoint, says there are likely hundreds of variants of infostealers in circulation.

There are some account access tokens that would have obvious value for many types of cybercriminals. If a data dump included working login credentials for a corporate employee’s enterprise accounts, a ransomware gang, business email compromise scammer, or state-backed actor could use the access as a jumping off point to launch their attacks. But in addition to selling these prized details, infostealer operators maximize the value of the data they collect simply by making their stolen data available. Platforms like Genesis Market, which was taken down by law enforcement last year, and Russian Market, organize infostealer logs and even make them somewhat searchable so hackers who are looking to target more niche organizations or those who don’t have financial motivations can potentially find exactly what they need.

These platforms take cues in how they are designed and marketed from legitimate information and ecommerce services. Many markets and forums charge a subscription fee to access the platform and then have different pricing structures for data depending on how valuable it might be. Currently, Gray says, Russian Market has so much stolen data available from infostealers that it has been charging a low flat rate, typically no more than $10, for any subset of data users want to download.

“Organizations have become very good with their security, and people have also gotten more savvy, so they're not the best targets now,” for traditional tailored attacks, Gray says. “So attackers need something that’s less targeted and more based on what they can make use of. Infostealers are modular and often sold on a subscription basis, and that evolution probably aligns with the rise of modern subscription services like video streaming.”

Infostealers have been especially effective with the rise of remote work and hybrid work, as companies adapt to allowing employees to access work services from personal devices and personal accounts from work devices. This creates opportunities for infostealers to randomly compromise individuals on, say, their home computers but still end up with corporate access credentials because the person was logged into some of their work systems as well. It also makes it easier for infostealing malware to get around corporate protections, even on enterprise devices, if employees are able to have their personal email or social media accounts open.

“I started paying attention to this once it became an enterprise problem,” Mandiant’s Carmakal says. “And particularly around 2020, because I started seeing more intrusions of enterprises first starting from compromises of home computers—through phishing of people's Yahoo accounts, Gmail accounts, and Hotmail accounts that were totally unrelated to any enterprise targeting, but to me look very opportunistic.”

Victoria Kivilevich, director of threat research at security firm KELA, says that in some instances criminals can use cybercrime markets to search for the domain of potential targets and see if any credentials are available. Kivilevich says the sale of infostealer data can be considered as the “supply chain” for various types of cyberattacks, including ransomware operators looking for the details of potential victims, those involved in business email compromise, and even initial access brokers who can sell the details along again to other cybercriminals.

On various cybercrime marketplaces and Telegram, Kivilevich says, there have been more than 7,000 compromised credentials linked to Snowflake accounts being shared. In one instance, a criminal has been touting access to 41 companies from the education sector; another cybercriminal claims to be selling access to US companies with revenues between $50 million and $8 billion, according to Kivilevich’s analysis.

“I don’t think there was one company that came to us and had zero accounts compromised by infostealer malware,” Kivilevich says of the threat that infostealer logs provide to businesses, with KELA saying infostealer-related activity jumped in 2023. Irina Nesterovsky, KELA's chief research officer, says millions of credentials have been collected by infostealing malware in recent years. “This is a real threat,” Nesterovsky says.

Carmakal says there are multiple steps companies and individuals can take to protect themselves from the threat of infostealers and their aftereffects, including using antivirus or EDR products to detect malicious activity. Companies should be strict on enforcing multifactor authentication across their users, he says. “We try to encourage people to not synchronize passwords on their corporate devices with their personal devices,” Carmakal adds.

The use of infostealers has been working so well that it is all but inevitable that cybercriminals will look to replicate the success of compromise sprees like Snowflake and get creative about other enterprise software services that they can use as entry points for access to an array of different customer companies. Carmakal warns that he expects to see this result in more breaches in the coming months. “There’s no ambiguity about this,” he says. “Threat actors will start hunting for infostealer logs, and looking for other SaaS providers, similar to Snowflake, where they log in and steal data, and then extort those companies.”

How Infostealers Pillaged the World’s Passwords

A list of topics we covered in the week of July 22 to July 28 of 2024

July 26, 2024 - Meta has taken down a whopping number of Instagram accounts directly involved in sextortion and more accounts aimed at training scammers

July 25, 2024 - After the July Microsoft update some systems boot into a BitLocker Recovery screen. How can you find the key you need?

July 24, 2024 - Prepay wireless provider TracFone has been slapped on the wrist to the tune of $16 million for insufficient customer data protection

July 23, 2024 - Google has taken a new turn in the approach to eliminating third-party cookies. This time it's back to the Privacy Sandbox

July 22, 2024 - Data from the Heritage Foundation containing at least half a million passwords and usernames are available online

Tag

#google