ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Windows 11 Snipping Tool Privacy Bug: Inspecting PNG Files
Published: 2023-03-22
Last Updated: 2023-03-22 17:52:44 UTC
by Didier Stevens (Version: 1)
In today's Stormcast (https://isc.sans.edu/podcastdetail.html?podcastid=8420), Johannes discussed a privacy issue with Windows 11's snipping tool.
The issue is the following: if you use Windows 11's snipping tool to open an existing image, then modify the image to make it smaller (cropping, for example), and then save the image again under the same name, the file will not be truncated. The file will keep its original data after the beginning of the file has been overwritten with the new image.
I tested this with a PNG file on Windows 11 and could indeed reproduce the issue. The reason this doesn't work on Windows 10 is that, as far as I know, Windows 10's snipping tool cannot open an existing file.
Read the full entry:
https://isc.sans.edu/diary/Windows+11+Snipping+Tool+Privacy+Bug+Inspecting+PNG+Files/29660/
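The check a practitioner wants after reading this is a way to tell whether a PNG carries leftover bytes after its IEND chunk, and a way to cut them off. The following is an added example, not code from the diary or from Didier Stevens' tools: it builds two small PNGs itself (constructed test input), models the non-truncating save by writing the smaller file over the start of a buffer holding the larger one, then walks the chunk list, verifies each CRC, and reports how many bytes sit past IEND. The `simulate_overwrite_without_truncate` helper is an assumption about the bug's effect on disk, taken from the description above, not an observation of the tool itself.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Construct a minimal valid 8-bit truecolor PNG of one colour (test input only)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = None) followed by width RGB pixels.
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))
    return (PNG_SIGNATURE
            + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"IDAT", zlib.compress(raw))
            + build_chunk(b"IEND", b""))


def simulate_overwrite_without_truncate(old_file: bytes, new_file: bytes) -> bytes:
    """Model of the bug (assumption): the new image overwrites the start of the
    old file in place and the remainder of the old file is left untouched."""
    if len(new_file) >= len(old_file):
        return new_file
    return new_file + old_file[len(new_file):]


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list up to IEND and report any bytes that follow it."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    end_offset = None
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        if pos + 12 + length > len(data):
            raise ValueError("chunk runs past end of file; truncated or corrupt PNG")
        ctype = data[pos + 4:pos + 8]
        cdata = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + cdata) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            end_offset = pos
            break
    if end_offset is None:
        raise ValueError("no IEND chunk found")
    trailing = data[end_offset:]
    return {
        "chunks": chunks,                 # (type, length, crc_ok) for each chunk
        "image_size": end_offset,         # bytes a correct save would have written
        "trailing_bytes": len(trailing),  # leftover data after IEND
        # A leftover IEND chunk is the cheapest sign that an older PNG sits behind this one.
        "old_iend_present": b"IEND" in trailing,
    }


def strip_trailing(data: bytes) -> bytes:
    """Return only the bytes up to and including IEND, dropping any leftovers."""
    return data[:inspect_png(data)["image_size"]]


if __name__ == "__main__":
    original = make_png(128, 128, (0, 0, 255))   # the screenshot before cropping
    cropped = make_png(8, 8, (255, 0, 0))        # the smaller image saved over it
    on_disk = simulate_overwrite_without_truncate(original, cropped)
    report = inspect_png(on_disk)
    print(report["chunks"])
    print("image size:", report["image_size"], "trailing bytes:", report["trailing_bytes"],
          "old IEND present:", report["old_iend_present"])
    print("clean file matches cropped image:", strip_trailing(on_disk) == cropped)
```

`inspect_png` stops at the first IEND it reaches because that is where any conforming decoder stops rendering; everything after that offset is invisible in an image viewer but still readable with a hex editor, which is exactly the privacy problem. Running the check over a batch of screenshots before publishing them, and rewriting any file whose `trailing_bytes` is non-zero with `strip_trailing`, removes the leftover data without touching the visible image.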
Simple Shellcode Dissection
Published: 2023-03-16
Last Updated: 2023-03-16 06:41:02 UTC
by Xavier Mertens (Version: 1)
Most people will never execute a suspicious program or "executable". Also, most of them cannot be delivered directly via email: most antispam and antivirus solutions block them. But then, how can people be so easily infected?
I'll explain with the help of a file I found in a phishing campaign. The filename is "Swift23544679066.xlsx" (SHA256: 421d30c99381f9fe4295c8c33d7e7278b323821c793bbe2f45d6003536871347) and it is still unknown on VirusTotal.
Read the full entry:
https://isc.sans.edu/diary/Simple+Shellcode+Dissection/29642/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23415
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8412
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415

CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability
CVSS Score: 9.8 ** KEV since 2023-03-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23397
ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8412
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability
CVSS Score: 5.4 ** KEV since 2023-03-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24880
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880

CVE-2023-21708 - Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21708
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21708

CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23392
MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23392

CVE-2023-27269 & CVE-2023-27501 - SAP NetWeaver Application Server for ABAP and ABAP Platform directory traversal flaws. The issues affect versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, and 791.
CVSS Score: 9.6
NVD:
- https://nvd.nist.gov/vuln/detail/CVE-2023-27269
- https://nvd.nist.gov/vuln/detail/CVE-2023-27501
NVD References:
- https://launchpad.support.sap.com/#/notes/3294595
- https://launchpad.support.sap.com/#/notes/3294954
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2023-1391 - SourceCodester Online Tours & Travels Management System 1.0 unrestricted upload vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1391

CVE-2023-1392 - SourceCodester Online Pizza Ordering System 1.0 unrestricted upload vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1392
NVD References: https://github.com/Fchen-xcu/Vulnerability-Set/blob/main/The%20online%20pizza%20ordering%20system%20has%20a%20file%20upload%20(RCE)%20vulnerability.pdf

CVE-2023-1394 - SourceCodester Online Graduate Tracer System 1.0 SQL injection vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1394
NVD References: https://blog.csdn.net/Dwayne_Wade/article/details/129522869

CVE-2023-1379 - SourceCodester Friendly Island Pizza Website and Ordering System 1.0 SQL injection vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1379
NVD References: https://github.com/AureliusLia/bug_report/blob/main/vendors/Skynidnine/Friendly%20Island%20Pizza%20Website%20and%20Ordering%20System/SQLi-1.md

CVE-2023-1432 - SourceCodester Online Food Ordering System 2.0 improper access controls vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1432

CVE-2023-27074 - BP Monitoring Management System v1.0 SQL injection vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27074
NVD References: https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/

CVE-2022-39216 - Combodo iTop account takeover vulnerability. The issue is fixed in versions 2.7.8 and 3.0.2-1.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39216
NVD References:
- https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229
- https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b
- https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm

CVE-2023-28343 - Altenergy Power Control Software C1.2.5 OS command injection vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28343
NVD References:
- https://apsystems.com
- https://github.com/ahmedalroky/Disclosures/blob/main/apesystems/os_command_injection.md

CVE-2023-26511 - Propius MachineSelector versions 6.6.0 and 6.6.1 hard-coded admin credentials issue.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26511
NVD References: https://www.propius.de/ms_security.html

CVE-2023-1327 - Netgear RAX30 (AX2400), prior to version 1.0.6.74, authentication bypass vulnerability.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1327
NVD References:
- https://drupal9.tenable.com/security/research/tra-2023-10
- https://github.com/advisories/GHSA-pvxx-rv48-qw5m

CVE-2022-37337 - Netgear Orbi Router RBR750 4.6.8.5 comma…
Upcoming webcast on Tuesday, April 4th at 12:30pm ET | SOC Visibility Triad, Why You Need NDR Alongside EDR - Join us as we demo popular EDR tools and give analyst workflow examples and use cases.
Join Chris Crowley on Wednesday, April 5th at 10:30am ET for this upcoming whitepaper discussion - Managed Detection and Response: Optimizing External Expertise.
Upcoming webcast on Thursday, April 13th at 1:00pm ET with SANS Instructor Stephen Mathezer | A SANS First Look at Zero Trust-based Access Management and Remote Access for OT-IT-Cloud.