A logic issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.6.2, macOS Monterey 12.1, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, watchOS 8.3. A local user may be able to modify protected parts of the file system.

Released December 13, 2021

**Archive Utility**

Available for: macOS Catalina

Impact: A malicious application may bypass Gatekeeper checks

Description: A logic issue was addressed with improved state management.

CVE-2021-30950: @gorelics

**Bluetooth**

Available for: macOS Catalina

Impact: A malicious application may be able to disclose kernel memory

Description: A logic issue was addressed with improved validation.

CVE-2021-30931: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America

**Bluetooth**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved validation.

CVE-2021-30935: an anonymous researcher

**ColorSync**

Available for: macOS Catalina

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A memory corruption issue in the processing of ICC profiles was addressed with improved input validation.

CVE-2021-30942: Mateusz Jurczyk of Google Project Zero

**CoreAudio**

Available for: macOS Catalina

Impact: Playing a malicious audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2021-30958: JunDong Xie of Ant Security Light-Year Lab

**CoreAudio**

Available for: macOS Catalina

Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30959: JunDong Xie of Ant Security Light-Year Lab

CVE-2021-30961: an anonymous researcher

CVE-2021-30963: JunDong Xie of Ant Security Light-Year Lab

**Crash Reporter**

Available for: macOS Catalina

Impact: A local attacker may be able to elevate their privileges

Description: This issue was addressed with improved checks.

CVE-2021-30945: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**Graphics Drivers**

Available for: macOS Catalina

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2021-30977: Jack Dates of RET2 Systems, Inc.

**Help Viewer**

Available for: macOS Catalina

Impact: Processing a maliciously crafted URL may cause unexpected JavaScript execution from a file on disk

Description: A path handling issue was addressed with improved validation.

CVE-2021-30969: Zhipeng Huo (@R3dF09) and Yuebin Sun (@yuebinsun2020) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**ImageIO**

Available for: macOS Catalina

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2021-30939: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab, Mickey Jin (@patch1t) of Trend Micro

**Intel Graphics Driver**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A buffer overflow was addressed with improved bounds checking.

CVE-2021-30981: an anonymous researcher, Liu Long of Ant Security Light-Year Lab

**IOUSBHostFamily**

Available for: macOS Catalina

Impact: A remote attacker may be able to cause unexpected application termination or heap corruption

Description: A race condition was addressed with improved locking.

CVE-2021-30982: Weiteng Chen, Zheng Zhang, and Zhiyun Qian of UC Riverside, and Yu Wang of Didi Research America

**Kernel**

Available for: macOS Catalina

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30927: Xinru Chi of Pangu Lab

CVE-2021-30980: Xinru Chi of Pangu Lab

**Kernel**

Available for: macOS Catalina

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption vulnerability was addressed with improved locking.

CVE-2021-30937: Sergei Glazunov of Google Project Zero

**Kernel**

Available for: macOS Catalina

Impact: A malicious application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2021-30949: Ian Beer of Google Project Zero

**LaunchServices**

Available for: macOS Catalina

Impact: A malicious application may bypass Gatekeeper checks

Description: A logic issue was addressed with improved validation.

CVE-2021-30990: Ron Masas of BreakPoint.sh

**LaunchServices**

Available for: macOS Catalina

Impact: A malicious application may bypass Gatekeeper checks

Description: A logic issue was addressed with improved state management.

CVE-2021-30976: chenyuwang (@mzzzz\_\_) and Kirin (@Pwnrin) of Tencent Security Xuanwu Lab

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted USD file may disclose memory contents

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2021-30929: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30979: Mickey Jin (@patch1t) of Trend Micro

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted USD file may disclose memory contents

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2021-30940: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab

CVE-2021-30941: Rui Yang and Xingwei Lin of Ant Security Light-Year Lab

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted file may disclose user information

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2021-30973: Ye Zhang (@co0py\_Cat) of Baidu Security

**Model I/O**

Available for: macOS Catalina

Impact: Processing a maliciously crafted USD file may lead to unexpected application termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2021-30971: Ye Zhang (@co0py\_Cat) of Baidu Security

**Preferences**

Available for: macOS Catalina

Impact: A malicious application may be able to elevate privileges

Description: A race condition was addressed with improved state handling.

CVE-2021-30995: Mickey Jin (@patch1t) of Trend Micro, Mickey Jin (@patch1t)

**Sandbox**

Available for: macOS Catalina

Impact: A malicious application may be able to bypass certain Privacy preferences

Description: A validation issue related to hard link behavior was addressed with improved sandbox restrictions.

CVE-2021-30968: Csaba Fitzl (@theevilbit) of Offensive Security

**Script Editor**

Available for: macOS Catalina

Impact: A malicious OSAX scripting addition may bypass Gatekeeper checks and circumvent sandbox restrictions

Description: This issue was addressed by disabling execution of JavaScript when viewing a scripting dictionary.

CVE-2021-30975: Ryan Pickren (ryanpickren.com)

**TCC**

Available for: macOS Catalina

Impact: A local user may be able to modify protected parts of the file system

Description: A logic issue was addressed with improved state management.

CVE-2021-30767: @gorelics

**TCC**

Available for: macOS Catalina

Impact: A malicious application may be able to cause a denial of service to Endpoint Security clients

Description: A logic issue was addressed with improved state management.

CVE-2021-30965: Csaba Fitzl (@theevilbit) of Offensive Security

**Wi-Fi**

Available for: macOS Catalina

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: This issue was addressed with improved checks.

CVE-2021-30938: Xinru Chi of Pangu Lab

CVE-2021-30767: About the security content of Security Update 2021-008 Catalina

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

Use after free in web apps in Google Chrome prior to 96.0.4664.93 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

**Chrome Releases**

Release updates from the Chrome team

CVE-2021-4052: Stable Channel Update for Desktop

Out of bounds write in WebRTC in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via crafted WebRTC packets.

CVE-2021-4079: Stable Channel Update for Desktop

Inappropriate implementation in WebAuthentication in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2021-38022: 1248862 - chromium - An open-source project to help move the web forward.

Inappropriate implementation in referrer in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.

CVE-2021-38021: Stable Channel Update for Desktop

Use after free in loader in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2021-38005: 1241091 - chromium - An open-source project to help move the web forward.

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.

Starting this past Friday we have seen a number of websites showing a fake ransomware infection. Google search results for “_**FOR RESTORE SEND 0.1 BITCOIN**_” were sitting at 6 last week and increased to 291 at the time of writing this. Upon visiting their website webmasters have been met with an alarming message:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/siteencrypted.png)

SITE ENCRYPTED

FOR RESTORE SEND 0.1 BITCOIN: 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc

(create file on site /unlock .txt with transaction key inside)

The warning indicated that the website was hit with a ransomware attack. The files were reported to be encrypted and the attackers demanded a ransom payment of 0.1 Bitcoin. While the price of Bitcoin is extremely volatile, at the time of writing this article that would clock in at a whopping $6,000+ USD

![](https://blog.sucuri.net/wp-content/uploads/2021/11/bitcoinexchange.png)

Not a negligible sum of money for an average website owner, to say the least! Before panicking and paying the ransom (or completely re-building their website from scratch) thankfully some website owners hired us to take a look.

**Past Cases of Website Ransomware**

This would certainly not be our first time seeing websites impacted by ransomware. Typically ransomware affects endpoint devices, sometimes entire businesses and institutions. In fact, as I type this the entire provincial health care system of Newfoundland has been brought to its knees with thousands of delayed surgeries due to a crippling suspected ransomware attack.

Starting at the beginning of 2016 we saw some examples of website files themselves being encrypted by attackers with a ransom being demanded, which we wrote about on our blog at the time. This was pretty short lived, however. Attackers always go after the money to maximise their profits. We can only presume that targeting websites wasn’t terribly profitable and was best for them to go after endpoints, businesses and organisations. It’s also much more common for website owners to have backups handy, rendering the entire attack moot.

**More than Meets the Eye**

The clock was ticking on the ransom notification: Seven days, ten hours, 21 minutes and 9 seconds to pay the ransom before the files would be encrypted and irretrievable forever. Tick, tock, tick, tock ⏰

However, when we began our investigation into the website it turned out that nothing was encrypted at all! Normally when ransomware attacks website files the extension is changed to _.lock_ or something similar, and the files have been rendered as unreadable, encrypted rubbish. Not so in this example!

So what was causing the frightening warning?

**Fake Ransomware Warning Generated by Plugin**

The solution to the source was actually quite simple: All we had to do was to query the file structure for the BitCoin account number. That led us to the following file:

./wp-content/plugins/directorist/directorist-base.php

Sure enough, the ransom warning was completely bogus. Nothing was encrypted at all! It was a simple HTML page generated by this bogus plugin and nothing more. Let’s take a look at this code and see what exactly it was doing.

Near the end of that file we can see that the malicious bit is just using some very basic HTML to generate the ransom message:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/bitcoinr.png)

_FOR RESTORE SEND 0.1 BITCOIN: 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc_

As well as some basic PHP to generate the countdown clock:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/countdown.png)

_All cases so far have defaulted to November 20th, 2021_

The desired date can be edited here to instill more panic into the request. Remember folks, rule number one about online scams like phishing is instilling a sense of _urgency_ to the victim!

**Removing the Infection**

Getting this infection cleared up is easy enough, all we had to do was remove the plugin from the wp-content/plugins directory. However, once we got the main website page back all of their pages and posts were leading to 404 Not Found responses.

The reason for this is the last snippet of the malicious plugin:

![](https://blog.sucuri.net/wp-content/uploads/2021/11/azze.png)

Here we see a basic SQL command which finds any posts and pages with the “**publish**” status and changes them to “**null**“. All the content was still in the database, just unable to be viewed! This can be reversed with an equally simple SQL command:

_UPDATE \`wp\_posts\` SET \`post\_status\` = 'publish' WHERE \`post\_status\` = 'null';_

This will publish any content in the database marked as _null._ If you have other content marked as such, it will re-publish that, but that is certainly better than losing all your website posts and pages.

We also see the plugin including the following file:

./wp-content/plugins/directorist/azz\_encrypt.php

However, so far we haven’t seen this file present in any of the infections. It’s possible that in other cases of this infection this file could contain functionality to encrypt the files, but so far we haven’t found a candidate with it present.

**Determining the Source**

In checking the access logs for the website it was easy enough to determine the IP address responsible. Our client was located in the southern United States, however we saw quite a few requests from a foreign IP address which was interacting with the directorist plugin using the plugin editor feature of wp-admin. This suggests that the legitimate plugin was already installed on the website and later tampered with by the attackers.

Interestingly, the very first request that we saw from the attacker IP address was from the wp-admin panel, suggesting that they had already established administrator access to the website before they began their shenanigans. Whether they had brute forced the admin password using another IP address or had acquired the already-compromised login from the black market is anybody’s guess.

**How to Protect your Site**

Once the plugin is removed and the nulled content in the database restored then tying up the loose ends is pretty straightforward!

*   Review admin users on the site, remove any bogus accounts and update/change all wp-admin passwords
*   Secure your wp-admin administrator page
*   Change other access point passwords (database, FTP, cPanel, etc)
*   Ideally, place your website behind a firewall
*   Don’t forget about reliable backups! Even if hackers manage to encrypt your whole site, it will be easy to restore it from the latest backup.

We recently published a detailed article on many of the different options that WordPress website owners have at their disposal to secure their admin page. Be sure to give it a read to make sure your website isn’t low hanging fruit for the bad guys! In particular, the _disallow\_file\_edit_ function would have helped prevent this attack!

If you are a website owner and are affected by this attack our remediation analysts can help remove the infection for you!

**UPDATE:** While the original point of this article was to mention this new malware infection and not locate its source we mentioned it may have been a compromised admin account. Upon further evaluation it was due to a cross-side request forgery vulnerability in the Directorist plugin which has since been patched. Thank you to Plugin Vulnerabilities for reading and paying close attention to our blog posts. Users of this plugin should update immediately!

CVE-2021-24981: Fake Ransomware Infection Spooks Website Owners

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.

CVE-2021-44790: Apache HTTP Server 2.4 vulnerabilities

Cross Site Request Forgery (CSRF) vulnerability in Change-password.php in phpgurukul user management system in php using stored procedure V1.0, allows attackers to change the password to an arbitrary account.

**Project Name**

User Management System in PHP Stored Procedure

**Language Used**

PHP5.6, PHP7.x

**Database**

MySQL 5.x

**User Interface Design**

HTML, AJAX,JQUERY,JAVASCRIPT

**Web Browser**

Mozilla, Google Chrome, IE8, OPERA

**Software**

XAMPP / Wamp / Mamp/ Lamp (anyone)

Last Updated

02 July 2021

This project is developed in PHP using Stored Procedure.

A stored procedure is a set of SQL commands that have been compiled and stored on the database server.  
Once the stored procedure has been “stored”, client applications can execute the stored procedure over and over again without sending it to the database server again and without compiling it again.  
Stored procedures improve performance by reducing network traffic and CPU  load.  
**_Comparison with dynamic SQL_**

*   Remove overhead
*   Avoidance of network  traffic
*   Encapsulation of business  logic
*   Delegation of access-rights
*   Some protection from SQL injection attacks

**This project have two modules**

*   User Module
*   Admin Module

**User Modules**

*   User can signup
*   User can log in to the system.
*   User Password Recovery
*   After login user can edit his/her own profile.
*   Change password.

**Admin Modules**

*   Admin can log in to the system.
*   Admin Password Recovery.
*   After login admin can view the admin dashboard.
*   Manage all the user(Update and delete the user profile).
*   Change Password.

**Stored Procedure used in this Project**

**User module**

*   sp\_signup (used for user signup)
*   sp\_checkemailavailabilty (check the email available for registration or not)
*   sp\_userlogin (used for user login)
*   sp\_userpwdrecoveryvalidation (used for password recovery user validation)
*   sp\_userpwdrecoveryvalidation (if user details verified by the above-stored procedure then it will reset the user password)
*   sp\_userprofile (used to view user profile)
*   sp\_userupdateprofile (used to update the user profile details) **Note:** This procedure used in both module
*   sp\_useremailupdation (used to update user email id) **Note:** This procedure used in both module
*   sp\_usercurrentpwdvalidate (used to valid user current password  for change password)
*   sp\_userchangepwd (if the password is validated by the above-stored procedure then this stored procedure  used to change the user password)

**Admin module**

*   sp\_adminlogin (used for admin login)
*   sp\_adminpwdrecoveryvalidation (used for password recovery admin validation)
*   sp\_adminpasswordrecovery (if admin details verfied by above stored procedure then it will reset the admin password)
*   sp\_adminprofile (used to view admin profile details)
*   sp\_admindashboard (used for admin dashboard)
*   sp\_recent15users (used to view the 15 recent registered user at dashboard)
*   sp\_allregisteredusers (used to view all registered users)
*   sp\_userdeletion (used to delete user profile)
*   sp\_userupdateprofile (used to updat the user profile details)   **Note:** This procdure used in both module
*   sp\_useremailupdation (used to update user email id)   **Note:** This procdure used in both module
*   sp\_admincurrentpwdvalidate (used to valid admincurrent password  for change password)
*   sp\_adminchangepwd (if the password is validate by above stored procedure then this store used to change the admin password)

**How to run the User Management System in PHP Stored Procedure**

1.Download the zip file

2.Extract the file and copy ums-sp folder

3.Paste inside root directory(for xampp xampp/htdocs, for wamp wamp/www, for lamp var/www/html)

4.Open PHPMyAdmin (http://localhost/phpmyadmin)

5.Create a database with name umspsdb

6.Import regdb.sql file(given inside the zip package in SQL file folder)

7.Run the script http://localhost/ums-sp

**User Credential**  
**Username:** anujk@gmail.com  
**Password:** Test@123  
or Register a new user

**Admin Credential**  
**Username:** admin  
**Password:** Test@123

**View Demo———————————————————————–**

UMS in PHP using Stored Procedure

Size: 7.44 MB

Version: V1.0

![](https://secure.gravatar.com/avatar/7b336ec82044887afe61d64e1c96b5cf?s=128&d=mm&r=g)

Anuj Kumar

Hi! I am Anuj Kumar, a professional web developer with 5+ years of experience in this sector. I found PHPGurukul in September 2015. My keen interest in technology and sharing knowledge with others became the main reason for starting PHPGurukul. My basic aim is to offer all web development tutorials like PHP, PDO, jQuery, PHP oops, and MySQL, etc. Apart from the tutorials, we also offer you PHP Projects, and we have around 80+ PHP Projects for you.

Tag

#google