Aggregator
Palo Alto Networks security advisory (AV24-461)
CVE-2024-7849 | D-Link DNS-1550-04 up to 20240814 photocenter_mgr.cgi cgi_create_album current_path buffer overflow (SAP10383)
A Gap in the Armor: What Was Missing from Black Hat 2024
Along with 30,000+ of my closest friends, HYAS participated in the Black Hat 2024 cyber security conference and the other events last week in Las Vegas. There have been a lot of articles published on the main themes, focus, and top keywords of Black Hat 2024; Chris Needs, the VP of Product Management at HYAS, published a HYAS view on the conference, so I didn’t see a reason to publish yet another one.
Instead, let me talk more about what I think is vitally important but didn’t see. While everyone is talking about AI, both the applications of it and risk from it, ransomware and the latest techniques to detect and stop it, cloud security and other related topics, I unfortunately saw very little about a topic I am passionate about – cyber resiliency. The White House and the US Government are talking about it, other foreign governments are talking about it, key clients around the world are deploying it, why isn’t it a more obvious, front-and-center conversation?
Yes, Crowdstrike had a key message on the walk to the business hall about how we all need more resiliency, but even still it was not a major focus of their marketing messages at their booth. And I do need to give a special shout-out to World Wide Technology who does have people openly talking about this topic.
Nevertheless, we continue to talk too much in general about stopping attacks at the four walls and “preventing breaches.” It’s time to admit that attackers will continue to innovate and adapt their techniques and tactics, that the attack surface will constantly be changing and updating, that people will always be susceptible to deception and social engineering. That doesn’t mean we give up – we clearly need to continue to focus on training employees to be observant and aware; we clearly need to do our best to protect organizations and their assets by keeping criminals out through the deployment of existing and new software solutions. But we also need to recognize that it’s likely never going to be enough. A complete cyber security approach includes the acknowledgement and recognition that one needs to prepare for the eventual breach. If we assume that a bad actor is already inside the network – what visibility exists to detect this and stop it, what controls will be able to prevent the attack from rapidly expanding and causing damage?
While some bad actors are laying low inside organizations for months, increasingly there are reports of data exfiltration and damage within hours of the initial breach. Despite the ever-increasing dollars poured into keeping criminals out of the network and detecting their attempts to break in, they still are – who is talking about this and, more importantly, who is doing something about it?
There are many ways to achieve cyber resilience – one of them is through the deployment of Protective DNS. That’s just one of the reasons it’s recommended by CISA and the NSA, it’s a recommended part of a SASE architecture, and is being asked about in cyber insurance attestation questionnaires. Furthermore, when it’s integrated into other components, like integrated directly into your EDR or XDR solution, the combination is more powerful than either component by itself and combines the ability to stop the criminal on the way in with an assurance you can still stop them in time if they break through.
At HYAS we tested this hypothesis, and simulated attacks and traffic to 492 malicious domains in real actual use from recent campaigns. While EDR and XDR solutions in general excel at detecting errant behavior on the device or at the point of entry, HYAS Protect protective DNS excels at detecting the beaconing behavior and outbound communication to adversary infrastructure, the telltale signs or “digital exhaust” of a breach.
(HYAS internal study and results; EDR/XDR vendors anonymized)
We as an industry need to be talking more about this – the integration of various solutions to form a more complete and resilient approach. Yes, there is obvious competition and not every vendor can or wants to integrate with every other vendor. But only through the right partner integrations can we collectively add value to the end customer and client; only through the right integrations will we develop more complete solutions vs point products; only in this way will we actually be able to turn the tide or at least hold back the onslaught of attacks a bit, and change the game on the criminals.
This is what we need to be talking about more as an industry. And this is what, I fear, was unfortunately lacking this year at Black Hat.
Ready to step up your defensive game? We'd love to connect with you to transform your cybersecurity strategy from reactive to proactive.
The post A Gap in the Armor: What Was Missing from Black Hat 2024 appeared first on Security Boulevard.
Cyber-criminals Exploited Paris Olympics With Fake Domains
CVE-2022-3399 | Cookie Notice & Compliance for GDPR CCPA Plugin up to 2.4.17.1 on WordPress cross site scripting
CVE-2023-7049 | Custom Field for WP Job Manager Plugin up to 1.2 on WordPress Shortcode resource injection
CVE-2024-7630 | Relevanssi Plugin up to 4.22.2 on WordPress information disclosure
CVE-2024-7422 | Theme My Login Plugin up to 7.1.7 on WordPress Setting cross-site request forgery
SecWiki News 2024-08-15 Review
For more of the latest articles, please visit SecWiki.
The Systemic Impact of Deplatforming on Social Media: Acknowledgements, Data, and References
The Systemic Impact of Deplatforming on Social Media: Methods
The Systemic Impact of Deplatforming on Social Media: Discussion & Conclusion
The Systemic Impact of Deplatforming on Social Media: Results
The Systemic Impact of Deplatforming on Social Media: Abstract and Introduction
CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections
Zero Day Initiative threat researchers discovered CVE-2024-38213, a simple and effective way to bypass Windows mark-of-the-web protections leading to remote code execution.
In March 2024, Trend Micro’s Zero Day Initiative Threat Hunting team started analyzing samples connected to the activity carried out by DarkGate operators to infect users through copy-and-paste operations. This DarkGate campaign was an update from a previous campaign in which the DarkGate operators were exploiting a zero-day vulnerability, CVE-2024-21412, which we disclosed to Microsoft earlier this year.
The investigation into this campaign directly influenced further vulnerability research into Windows Defender SmartScreen and how files originating from WebDAV shares are handled during copy-and-paste operations. As a result, we discovered and reported CVE-2024-38213 to Microsoft, which they patched in June. This exploit, which we've named copy2pwn, results in a file from a WebDAV share being copied locally without Mark-of-the-Web protections.
What is Web-based Distributed Authoring and Versioning (WebDAV)?
Web-based Distributed Authoring and Versioning (WebDAV) is an extension to the Hypertext Transfer Protocol (HTTP). It provides added functionality to HTTP, including features such as authoring, sharing, and versioning.
Since WebDAV is based on HTTP, WebDAV shares can be accessed through a web browser using the HTTP protocol, for example, at http://10.37.129.2/example_webdav_folder/somefile. When a file is downloaded from a WebDAV share using a browser such as Microsoft Edge or Google Chrome, it is treated the same as any other file downloaded from the web. As expected, the local copy of the file is marked with the Mark-of-the-Web.
On Windows, users can also access and mount WebDAV shares via UNC paths, such as \\10.37.129.2@80\example_webdav_folder. A user can browse to a path of this form using Windows Explorer. This functions in a similar manner to accessing SMB shares through Windows. When accessing files in this manner, they are handled directly by the Windows operating system and not by the browser.
Threat Actors and WebDAV Shares
Recently, we’ve seen an increase in threat actors hosting payloads on WebDAV shares. This activity has led to the discovery of numerous vulnerabilities abused as zero-days clustered around accessing malicious payloads from WebDAV shares. These include vulnerabilities such as CVE-2023-36025 and, more recently, CVE-2024-21412, with an additional fix from Microsoft in the form of CVE-2024-29988. These vulnerabilities center around Mark-of-the-Web bypasses and evading built-in Microsoft protections such as Windows Defender SmartScreen.
As mentioned, WebDAV shares accessed through Windows Explorer are handled by the Windows operating system as opposed to a browser. Many threat actors are aware of the implications of this with regard to Mark-of-the-Web. During our threat-hunting investigations, we uncovered many threat actors deploying an easy method utilizing the Windows search protocol to open WebDAV searches through Windows Explorer.
Figure 1 – Search query logic that opens a WebDAV share through Windows Explorer
When accessed with a web browser, this prompts the user to open the WebDAV share in Windows Explorer.
Figure 2 – Microsoft Edge prompts users to open the WebDAV share in Windows Explorer
Using the logic from Figure 1, threat actors can exercise a high degree of control over what the end user sees on the WebDAV share. This is done by crafting a specific Windows search query that only displays those files the threat actor wants the user to see. Furthermore, by utilizing certain file types such as Internet Shortcut (.url) or Shortcut (.lnk), the threat actor may change the file icon to make it appear as if the malicious file is a completely different type. This lures the user into inadvertently executing scripts or binaries.
Figure 3 – The Windows Explorer window is crafted to only display poc.lnk.zip
Under normal circumstances, files served over WebDAV would receive the Mark-of-the-Web and Windows Defender SmartScreen protections. However, there is a cluster of vulnerabilities, mentioned above, and possibly more, that can be used for evasion.
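The sequence above (a browser hands Explorer a Windows search query that resolves to a WebDAV share reached over a `\\host@port\share` UNC path) leaves a recognisable trace in process-creation telemetry. The following PowerShell is an added detection example, not code from the ZDI article: it runs two indicator patterns over a few constructed process records (the field names `Time`, `Image`, `ParentImage` and `CommandLine` are assumptions to be mapped onto your own EDR or Sysmon schema). The `search-ms:` URI scheme and its `crumb=location:` parameter are Microsoft's documented Windows Search protocol syntax; the exact query from Figure 1 is not on this page, so the sample below is a constructed stand-in, not a reproduction of it.

```powershell
# Added example (not the article's code): flag process-creation records whose
# command line references a WebDAV UNC path (\\host@80\share, \\host@SSL\share)
# or a search-ms: URI, the combination used to open WebDAV shares via Explorer.

# \\<host>@<port or SSL>\ : the UNC form Windows uses for WebDAV (see the article's
# \\10.37.129.2@80\example_webdav_folder). Plain SMB paths (\\server\share) do not match.
$WebDavUncPattern = '\\\\[A-Za-z0-9.\-]+@(?:\d{1,5}|SSL)\\'
# Windows Search protocol URIs; -match is case-insensitive in PowerShell.
$SearchMsPattern  = 'search-ms:'

function Test-WebDavIndicator {
    # Returns the list of indicator names that fire for one command line.
    param([Parameter(Mandatory)][string]$CommandLine)
    $hits = @()
    if ($CommandLine -match $WebDavUncPattern) { $hits += 'webdav_unc_path' }
    if ($CommandLine -match $SearchMsPattern)  { $hits += 'search_ms_uri' }
    return $hits
}

function Find-WebDavActivity {
    # Emits one finding per record with at least one indicator. Severity is a
    # heuristic (assumption): Explorer launched by a browser with a WebDAV/search
    # query is the exact chain from Figures 1-2, so it scores higher than, say,
    # an administrator mapping a WebDAV share with "net use".
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hits = @(Test-WebDavIndicator -CommandLine $e.CommandLine)
        if ($hits.Count -eq 0) { continue }
        $fromBrowser = $e.ParentImage -match 'msedge\.exe|chrome\.exe|firefox\.exe'
        $isExplorer  = $e.Image -match '\\explorer\.exe$'
        [pscustomobject]@{
            Time        = $e.Time
            Image       = $e.Image
            ParentImage = $e.ParentImage
            Indicators  = ($hits -join ',')
            Severity    = if ($fromBrowser -and $isExplorer) { 'high' } else { 'medium' }
            CommandLine = $e.CommandLine
        }
    }
}

# Constructed sample records (not real telemetry). Record 1 mirrors the
# browser -> Explorer -> WebDAV chain; record 2 is a benign SMB share open;
# record 3 is a WebDAV mapping from a console, worth a look but not the chain.
$sampleEvents = @(
    [pscustomobject]@{
        Time        = '2024-08-15T10:01:02Z'
        Image       = 'C:\Windows\explorer.exe'
        ParentImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
        CommandLine = '"C:\Windows\explorer.exe" "search-ms:crumb=location:\\10.37.129.2@80\example_webdav_folder"'
    },
    [pscustomobject]@{
        Time        = '2024-08-15T10:02:30Z'
        Image       = 'C:\Windows\explorer.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"C:\Windows\explorer.exe" \\fileserver\finance\report.xlsx'
    },
    [pscustomobject]@{
        Time        = '2024-08-15T10:05:11Z'
        Image       = 'C:\Windows\System32\net.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'net use W: \\10.37.129.2@80\example_webdav_folder'
    }
)

# Usage: expect two findings, the first rated high, the SMB open not reported.
Find-WebDavActivity -Events $sampleEvents | Format-Table -AutoSize
```

The two patterns are deliberately narrow so they can be dropped into a query against real process telemetry; tune the severity heuristic (or add a check that the WebClient service was started around the same time) to fit what your environment considers normal WebDAV use.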
The Importance of Mark-of-the-Web (MotW) Protections
When a user downloads a file from an untrusted source such as the web, Windows adds the Mark-of-the-Web to the local copy of the file. The Mark-of-the-Web consists of an NTFS Alternate Data Stream (ADS) with the name Zone.Identifier. Within this stream is the text ZoneId=3, indicating that the file originated from an untrusted source.
Figure 4 – ZoneId=3 is applied to files that originate from an untrusted source
The presence of the Mark-of-the-Web triggers additional security checks and prompts when opening the file. This helps reduce the risk of executing untrusted content.
Figure 5 – A security prompt shown due to the presence of the Mark-of-the-Web
The Mark-of-the-Web is also needed for the functioning of other key protection mechanisms:
· Windows Defender SmartScreen, which examines files based on reputation and signature.
· Microsoft Office Protected View, which protects users from threats such as malicious macros and Dynamic Data Exchange (DDE) attacks.
Figure 6 – A Windows Defender SmartScreen prompt
Unfortunately, threat actors have discovered that Windows does not always handle or properly apply the Mark-of-the-Web to files served over WebDAV. Historically, Windows has treated WebDAV shares more akin to SMB shares, as opposed to HTTP web servers. This can be quite dangerous.
Bypassing Mark-of-the-Web Protections with CVE-2024-38213
Before the release of the Microsoft June security patch, files copied and pasted from WebDAV shares did not receive the Mark-of-the-Web designations. This meant that users might copy and paste files from a WebDAV share to their desktop, and those files could subsequently be opened without the protections of Windows Defender SmartScreen or Microsoft Office Protected View. In particular, this means that there would be no reputation or signature checks on executables.
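Because the Mark-of-the-Web lives in the Zone.Identifier alternate data stream described above, whether a copied file actually received it can be checked directly on disk, which is also how a defender can confirm the June patch is in effect: copy a test file from a WebDAV share to the Desktop and audit it. The PowerShell below is an added example (not the article's or Microsoft's code) that reads and parses the stream, reports risky file types that carry no mark at all, and offers a remediation that stamps ZoneId=3 onto such a file so SmartScreen and Protected View treat it like any other download. The stream layout it parses (`[ZoneTransfer]`, `ZoneId=`, plus `ReferrerUrl=`/`HostUrl=` on browser downloads) is Windows' documented format; the default folder and extension list are assumptions.

```powershell
# Added example (not the article's code): audit files for the Mark-of-the-Web.
# Assumes PowerShell 5.1 or later on an NTFS volume.

function Get-ZoneIdentifier {
    # Reads the Zone.Identifier ADS of one file and parses its fields.
    # Returns $null when the file carries no mark at all.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    try {
        # Get-Content -Stream raises an error when the ADS does not exist.
        $raw = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }

    # INI-like stream: [ZoneTransfer] section with ZoneId=<n>; browser downloads
    # also record ReferrerUrl= and HostUrl=, which tell you where it came from.
    $info = @{ ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $raw) {
        if ($line -match '^\s*(ZoneId|ReferrerUrl|HostUrl)\s*=\s*(.*)$') {
            $info[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($null -ne $info.ZoneId) { $info.ZoneId = [int]$info.ZoneId }
    return [pscustomobject]$info
}

function Test-MotWCoverage {
    # Lists risky file types under -Path with their zone, flagging unmarked ones.
    # ZoneId meanings: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted.
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Desktop'),   # assumption
        [string[]]$Extensions = @('.exe', '.dll', '.msi', '.lnk', '.url', '.js', '.vbs',
                                  '.ps1', '.hta', '.docm', '.xlsm', '.zip', '.iso')  # assumption
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = Get-ZoneIdentifier -Path $_.FullName
            [pscustomobject]@{
                File     = $_.FullName
                ZoneId   = if ($zone) { $zone.ZoneId } else { $null }
                HostUrl  = if ($zone) { $zone.HostUrl } else { $null }
                Unmarked = ($null -eq $zone)
            }
        }
}

function Set-MotWInternetZone {
    # Defensive remediation: write a minimal Zone.Identifier stream with ZoneId=3
    # so the file is handled as untrusted from now on. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    if ($PSCmdlet.ShouldProcess($Path, 'Add Mark-of-the-Web (ZoneId=3)')) {
        Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
    }
}

# Usage: report first, then (after review) mark whatever should not have arrived unmarked.
$report = Test-MotWCoverage
$report | Format-Table File, ZoneId, Unmarked -AutoSize
# $report | Where-Object Unmarked | ForEach-Object { Set-MotWInternetZone -Path $_.File -WhatIf }
```

On a patched system, a file copied from a WebDAV share through Explorer should show `ZoneId 3` in the report; an `Unmarked` entry for such a file means the mark was lost somewhere on the way (an unpatched host, an archive extractor that drops the stream, or a copy onto a non-NTFS volume, which cannot hold alternate data streams at all).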
Copy and paste operations are ubiquitous, so Windows users need to ensure that they are fully protected from clipboard hijacking, pastejacking, and copy2pwn attacks, especially in light of recent threat actor activity leveraging WebDAV shares for payload deployment.
Conclusion
The Zero Day Initiative Threat Hunting Team constantly monitors for new and emerging zero-day threats. During our analysis of existing and previous threat actors and APT activities, we often discover new tactics, techniques, procedures, and hidden zero-day vulnerabilities.
This case emphasizes the integration of ZDI threat hunting with proactive vulnerability research within the ZDI program. By combining threat research with the Zero Day Initiative's core vulnerability research program, the ZDI Threat Hunting Team can develop new adversarial models and simulate new attack strategies as they might occur in the real world. This integration enables us to protect and defend customers from potentially hidden attack methods and chains before threat actors can incorporate them into their attack strategies.
We’ll be back with more findings as we have them. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
Don’t Mess With Texas Privacy: AG Sues GM for $18 BILLION
KP♡TX PII: “General Motors has engaged in egregious business practices that violated Texans’ privacy … in unthinkable ways,” rants state attorney general Ken Paxton (pictured).
The post Don’t Mess With Texas Privacy: AG Sues GM for $18 BILLION appeared first on Security Boulevard.