Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file.

Buffer overflow in mg\_resolve\_from\_hosts\_file function (line 124) in mongoose/src/mg\_resolv.c in Mongoose 6.18, where sscanf copies data from p to alias without limiting the size of the copied data not to exceed the alias array size, which is 256. Note that p can be up to 1024 (minus the IP digits) and is copied from a tainted file. This bug can be triggered by a malformed hosts file that includes a hostname that is larger than 256.

One way to fix this bug is by adding the format width specifier

for (p = line + len; sscanf(p, "%**255**ss%n", alias, &len) == 1; p += len) {

CVE-2020-25887: Buffer overflow in mg_resolve_from_hosts_file function  · Issue #1140 · cesanta/mongoose

Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11.


**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-2905: fixed mqtt variable length header issue by robertc2000 · Pull Request #2274 · cesanta/mongoose

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges of org owner resulting in privilege escalation.


CVE-2023-4009: Ops Manager Server Changelog — MongoDB Ops Manager 5.0

REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.

CVE-2023-37361: Trustwave Security Advisories

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

CVE-2023-37650: Multiple Vulnerabilities in Cockpit CMS <= v2.5.2

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

**Mongoose Prototype Pollution vulnerability**

Critical severity GitHub Reviewed Published Jul 17, 2023 to the GitHub Advisory Database • Updated Jul 18, 2023

GHSA-9m93-w8w6-76hh: Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.

CVE-2023-3696

Roger Thomas Clark, also known as Variety Jones, will spend much of the rest of his life in prison for his key role in building the world’s first dark-web drug market.

Nearly ten years ago, the sprawling dark-web drug market known as the Silk Road was torn offline in a law enforcement operation coordinated by the FBI, whose agents arrested the black market's boss, Ross Ulbricht, in a San Francisco library. It would take two years for Ulbricht's second-in-command—an elusive figure known as Variety Jones—to be tracked down and arrested in Thailand. Today, a decade after the Silk Road's demise, Clark has been sentenced to join his former boss in federal prison.

In a Manhattan courtroom on Tuesday, Roger Thomas Clark—also known by his online handles including Variety Jones, Cimon, and Plural of Mongoose—was sentenced to 20 years behind bars for his role in building and running Silk Road. Clark, a 62-year-old Canadian national, will now likely spend much of the rest of his life incarcerated for helping to pioneer the anonymous, cryptocurrency-based model for online illegal sales of drugs and other contraband that still persists on the dark web today. The sentence is the maximum Clark faced in accordance with the plea agreement he made with prosecutors.

Clark “misguidedly turned his belief that drugs should be legal into material assistance for a criminal enterprise,” Judge Sidney Stein said in his sentencing statement. “These beliefs crossed over into patently illegal behavior.”

Stein added that Clark was “clear-eyed and intentional” in his work as Ulbricht's “right-hand man” in the Silk Road's operations. “The sentence must reflect the vast criminal enterprise of which he was a leader,” Stein said.

In his own statement, Clark said that his work on the Silk Road had always been motivated by his political belief that drugs should be legalized, and the hundreds of millions of dollars' worth of dark-web drug sales he helped to facilitate were safer than drug deals that took place in the physical world. He argued in his sentencing statement that the site helped reduce violence in the drug trade, and that the Silk Road's ratings and reviews prevented the sale of adulterated drugs that would have caused greater harm.

“I just kept preaching to myself ‘harm reduction.’ That's how I got to sleep at night,” Clark told the judge, standing before a sparse audience in the courtoom looking thin and gaunt in baggy khaki clothes. “I'm proud and ashamed at the same time.”

Clark was, as prosecutors noted in their memo arguing for the two-decade sentence, more than a lieutenant on the Silk Road. He served as the site's security consultant, PR adviser, and even a kind of executive coach and friend to the site's boss, Ulbricht. Clark, who Ulbricht initially encountered as a marijuana seeds dealer on the market, was “the biggest and strongest-willed character I had met through the site thus far,” Ulbricht wrote in his journal. 

“He has advised me on many technical aspect of what we are doing, helped me speed up the site and squeeze more out of my current servers," Ulbricht wrote. “He also has helped me better interact with the community around Silk Road, delivering proclamations, handling troublesome characters, running a sale, changing my name, devising rules, and on and on. He also helped me get my head straight regarding legal protection, cover stories, devising a will, finding a successor, and so on. He’s been a real mentor.”

Clark was pivotal in key moments of the Silk Road’s history—including a particularly dark incident when he and Ulbricht resorted to violence, which loomed large in Clark’s sentencing. Clark played a crucial role in convincing Ulbricht that it was necessary to commission the murder of one of his employees who he believed had betrayed him and stolen bitcoins from the market. “At what point in time do we decide we’ve had enough of someones shit and terminate them?” Clark wrote to Ulbricht at one point following the discovery of the theft, as recorded in chat logs that were recovered from Ulbricht's computer after his arrest. “We’re playing with big money with serious people, and that’s the world they live in.”

After Ulbricht agreed to have the staffer killed—in a bizarre turn, his death was instead faked by US federal agents investigating the Silk Road—Clark told Ulbricht that he had made the right move. "If you had balked, I would have seriously re-considered our relationship," he wrote. “We’re playing for keeps, this just drives it home. I’m perfectly comfortable with the decision, and I’ll sleep like a lamb tonight, and every night hereafter.”

Countering Clark's claims of interest in “harm reduction,” assistant US attorney Michael Neff pointed to those comments as evidence of Clark's “complete disregard for human life,” as he put it in Tuesday's sentencing hearing. For Clark, “the question of whether to end another man's life was simple and stress-free,” Neff told the judge in the prosecution's sentencing statement.

In his own remarks, Clark didn't comment on that murder-for-hire conversation—which he at one point claimed had been fabricated by Ulbricht but later conceded was real. Instead, he focused on his benevolent intentions in running the Silk Road, which he argued had saved thousands of lives through its prevention of overdoses from adulterated drugs. At the same time, he acknowledged that at least six people named by prosecutors had in fact overdosed and died from Silk Road narcotics.

“If the Silk Road hadn't existed, would those people be alive today? Probably yes,” Clark said. “Did we save thousands of lives? Yes, but we took some too.”

He compared his actions to the so-called “trolley problem” thought experiment in ethical philosophy, in which someone must choose which track a train will take when people are tied to both tracks. “It's not Philosophy 101 for me,” he told the judge. “I pulled the switch.”

Clark and his defense attorney also spent much of their sentencing statements describing the abysmal conditions of his detention over the past several years in Thailand and then a New York jail. His attorney told the court he was traumatized by witnessing torture and sexual assault in a Thai jail, was denied basic health care, and arrived in the US weighing just 93 pounds. At the Metropolitan Detention Center in Brooklyn, Clark described corruption and neglect, which led to his falling from his bunk while experiencing vertigo in 2021, breaking his pelvis, and being left to suffer overnight despite his pleas for help.

Judge Stein acknowledged those years of suffering and mistreatment but concluded that he was “not persuaded they afford a substantial reduction” in Clark's sentence.

Separately, Clark made strange new claims in his statement—without evidence—that he had spent $800,000 of Silk Road’s revenue to buy hacking tools that could be used to de-anonymize users of the dark web engaged in child sexual exploitation and had then provided those tools to the UK and US governments. One Bangkok-based hacker who Clark says sold him a hacking tool, who goes by the handle the Grugq, denied any such sale to WIRED. “I never sold such an exploit and certainly wouldn’t have sold it to him,” the Grugq writes. The judge didn’t appear to factor these unsubstantiated claims into Clark’s sentence, but suggested that he should provide his computer skills to the US government.

Clark's strange story of hacking pedophiles should perhaps be taken with a grain of salt given his long history of apparent misdirection. Prior to his extradition from Thailand, he made claims of a corrupt FBI agent hunting him and secret information he could provide to the Thai government, ostensibly in exchange for his release—claims which were never borne out or mentioned by his defense prior to sentencing.

In his chats with Ulbricht prior to the Silk Road takedown, too, Clark had a tendency to grandiose ideas. At one point he suggested ways that he might rescue Ulbricht from prison should he ever be identified and arrested. “One of the things i’d like us to look at investing in is a helicopter tour company … seriously, with the amount of $ we’re generating, I could hire a small country to come get you.” he wrote. “And remember that one day when your in the exercise yard, I’ll be the dude in the helicopter coming in low and fast, I promise.”

No such rescue operation ever appeared for Ulbricht. And no such salvation appears to be coming for Clark either.

“Everybody take a good look,” Clark said at one point during his sentencing statement, dramatically turning to the courtroom’s small audience. “This is probably the last time you see me before I get killed.”

Silk Road’s Second-in-Command, Variety Jones, Gets 20 Years in Prison

By Deeba Ahmed
The researchers believe that the SmugX attack is an extension of a previously discovered campaign linked to Mustang Panda.
This is a post from HackRead.com Read the original post: SmugX: Chinese Hackers Targeting Embassies in Europe

**The attack method of the SmugX campaign includes attackers using HTML smuggling to target victims.**

Check Point Research’s (CPR) cyber threat intelligence researchers have discovered a disturbing attack trend. According to CPR’s report published on July 3, 2023, Chinese threat actors have become increasingly interested in targeting European governments, embassies, and foreign local policy-making entities. Eastern Europe is among their preferred targets, with prime targets being Slovakia, the Czech Republic, and Hungary.

This newly discovered campaign is dubbed SmugX. Researchers claim that this campaign has been active since December 2022, but they believe that it is an extension of a previously discovered campaign linked to Mustang Panda and RedDelta. Interestingly, both groups are Chinese.

As far as the attack method is concerned, research revealed that in SmugX, attackers are using HTML smuggling to target European embassies. In this method, the modular PlugX malware implant is smuggled (hidden) inside HTML documents.

Hackers use this technique to trick web security systems and evade antivirus mechanisms or security defences. HTML smuggling exploits HTML features to conceal malicious data documents from automated content filters, including them as JavaScript blobs that reassemble on the targeted device.

It is worth noting that PluxX is a commonly used tool for HTML smuggling. Multiple Chinese threat actors have used this malware previously, such as the group that targeted the Vatican in 2020 or the one that targeted the Indonesian Intelligence Service in 2021. The malware was also used to target users in Mongolia, Ghana, Papua New Guinea, Nigeria, and Zimbabwe in a USB drive-based campaign.

CPR researchers agree that SmugX’s primary objective is to obtain sensitive data on the foreign policies of the targeted countries. This analysis is based on the lure samples posted to the malware repository on VirusTotal. The filenames of these samples were self-explanatory.

Researchers wrote that the names strongly suggested that the attackers wanted to target diplomats and government entities, whereas the content contained mainly diplomatic-related content related to China. The attack utilizes several .docx and .pdf files containing diplomatic content.

CPR researchers obtained a letter from the Serbian embassy in Budapest, a document revealing the Swedish Presidency of the Council of the European Union’s priorities, and an invitation from the Hungarian foreign ministry for a diplomatic conference.

The researchers also discovered an article about the two Chinese human rights lawyers who had received a ten-year sentence. Here are the titles of these documents:

*   202305 Indicative Planning RELEX
*   Draft Prague Process Action Plan\_SOM\_EN
*   2262\_3\_PrepCom\_Proposal\_next\_meeting\_26\_April
*   Comments FRANCE – EU-CELAC Summit – 4th May
*   China jails two human rights lawyers for Subversion

One of the phishing documents (left) – Targeted countries (right)

“While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while,” CPR researchers noted.

CPR is still investigating and monitoring SmugX activities and will share new details soon. Please continue to visit this platform for the latest updates on SmugX.

**RELATED ARTICLES**

1.  Killnet Hits European Parliament Website with DDoS Attack
2.  Research sector hit in new phishing attack using Google Drive
3.  Fake WHO Emails on COVID-19 Drop Nerbian RAT Across Europe
4.  European Spyware Vendor Offering Android & iOS Device Exploits
5.  Zimbra email platform flaw exploited to steal European govt emails

SmugX: Chinese Hackers Targeting Embassies in Europe

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen2 and Cloud Key Gen2 Plus.



Tag

#mongo