Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Windows 11 Snipping Tool Privacy Bug: Inspecting PNG Files

Published: 2023-03-22

Last Updated: 2023-03-22 17:52:44 UTC

by Didier Stevens (Version: 1)

In today's Stormcast (https://isc.sans.edu/podcastdetail.html?podcastid=8420), Johannes discussed a privacy issue with Windows 11's snipping tool.

The issue is the following: if you use Windows 11's snipping tool to open an existing image, modify it so that it becomes smaller (by cropping, for example), and then save it again under the same name, the file is not truncated. The new, smaller image overwrites the beginning of the file, but the remainder of the original data stays in place after it.

I tested this with a PNG file on Windows 11, and could indeed reproduce the issue. The reason this doesn't work on Windows 10 is that, as far as I know, Windows 10's snipping tool cannot open an existing file.
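The practical consequence of a non-truncating save is that a PNG can carry bytes after its IEND chunk, which a viewer never shows. The following script is an added example and not part of Didier's diary: it builds two constructed PNGs (a larger "original" and a smaller "cropped" one), models the overwrite-without-truncate behaviour described above, walks the chunk list to find where the PNG really ends, reports how much leftover data follows IEND, and produces a cleaned copy that is safe to share. The chunk walker is a generic PNG check, so it also catches truncated chunks and non-PNG input; the simulation function and the sample images are assumptions made for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, payload, CRC-32 of type+payload."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def make_minimal_png(width: int, height: int) -> bytes:
    """Build a valid 8-bit grayscale PNG (constructed sample, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # One filter byte (0 = None) per scanline, followed by the row's pixel bytes.
    scanlines = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines))
            + _chunk(b"IEND", b""))


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk's CRC.

    Raises ValueError if the data is not a PNG, a chunk is truncated, or no IEND
    chunk is present. The walk stops at IEND, so bytes after it are never parsed.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        chunk_type = data[pos + 4:pos + 8]
        chunk_end = pos + 12 + length  # 4 length + 4 type + payload + 4 CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated {chunk_type!r} chunk at offset {pos}")
        if chunk_type == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def trailing_data(data: bytes) -> bytes:
    """Return whatever follows the IEND chunk; b'' for a clean file."""
    return data[png_end_offset(data):]


def strip_trailing_data(data: bytes) -> bytes:
    """Return the PNG with everything after IEND removed (the copy that is safe to share)."""
    return data[:png_end_offset(data)]


def simulate_non_truncating_save(original: bytes, new_image: bytes) -> bytes:
    """Model the bug (assumption for this demo): the new, smaller image overwrites the
    start of the existing file and the old file's tail survives because the file
    is not truncated."""
    if len(new_image) >= len(original):
        return new_image
    return new_image + original[len(new_image):]


if __name__ == "__main__":
    original = make_minimal_png(64, 64)  # the full screenshot that was on disk
    cropped = make_minimal_png(1, 1)     # what the user intended to save
    on_disk = simulate_non_truncating_save(original, cropped)
    leftover = trailing_data(on_disk)
    print(f"file is {len(on_disk)} bytes, PNG ends at offset {png_end_offset(on_disk)}, "
          f"{len(leftover)} leftover bytes after IEND "
          f"(old IEND still present: {b'IEND' in leftover})")
    cleaned = strip_trailing_data(on_disk)
    print(f"cleaned copy is {len(cleaned)} bytes and matches the cropped image: "
          f"{cleaned == cropped}")
```

Run the script on a real file by replacing `on_disk` with the bytes read from disk; a non-zero `trailing_data` length on an image you are about to publish is the signal to save the output of `strip_trailing_data` instead. Note that the leftover region is only the tail of the original file, so it typically contains the end of the old IDAT stream and the old IEND rather than a complete second image.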

Read the full entry:

https://isc.sans.edu/diary/Windows+11+Snipping+Tool+Privacy+Bug+Inspecting+PNG+Files/29660/

Simple Shellcode Dissection

Published: 2023-03-16

Last Updated: 2023-03-16 06:41:02 UTC

by Xavier Mertens (Version: 1)

Most people will never execute a suspicious program or “executable”. Besides, most such files cannot be delivered directly via email, because most antispam and antivirus solutions block them. But then, how do people get infected so easily?

I’ll explain with the help of a file I found in a phishing campaign. The filename is “Swift23544679066.xlsx” (SHA256: 421d30c99381f9fe4295c8c33d7e7278b323821c793bbe2f45d6003536871347) and it is still unknown on VirusTotal.

Read the full entry:

https://isc.sans.edu/diary/Simple+Shellcode+Dissection/29642/

Internet Storm Center Entries

String Obfuscation: Character Pair Reversal (2023.03.21)

https://isc.sans.edu/diary/String+Obfuscation+Character+Pair+Reversal/29654/


From Phishing Kit To Telegram... or Not! (2023.03.20)

https://isc.sans.edu/diary/From+Phishing+Kit+To+Telegram+or+Not/29650/


Old Backdoor, New Obfuscation (2023.03.18)

https://isc.sans.edu/diary/Old+Backdoor+New+Obfuscation/29646/

Recent CVEs

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.



CVE-2023-23415 - Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23415

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8412

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415




CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability

CVSS Score: 9.8 

** KEV since 2023-03-14 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23397

ISC Podcast: https://isc.sans.edu/podcastdetail.html?podcastid=8412

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397




CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability

CVSS Score: 5.4 

** KEV since 2023-03-14 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24880

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880




CVE-2023-21708 - Remote Procedure Call Runtime Remote Code Execution Vulnerability

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21708

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21708




CVE-2023-23392 - HTTP Protocol Stack Remote Code Execution Vulnerability

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23392

MSFT Details: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23392




CVE-2023-27269 & CVE-2023-27501 - SAP NetWeaver Application Server for ABAP and ABAP Platform directory traversal flaws. The issues affect versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, and 791.

CVSS Score: 9.6 

NVD: 

- https://nvd.nist.gov/vuln/detail/CVE-2023-27269

- https://nvd.nist.gov/vuln/detail/CVE-2023-27501

NVD References: 

- https://launchpad.support.sap.com/#/notes/3294595

- https://launchpad.support.sap.com/#/notes/3294954

- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html




CVE-2023-1391 - SourceCodester Online Tours & Travels Management System 1.0 unrestricted upload vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1391




CVE-2023-1392 - SourceCodester Online Pizza Ordering System 1.0 unrestricted upload vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1392

NVD References: https://github.com/Fchen-xcu/Vulnerability-Set/blob/main/The%20online%20pizza%20ordering%20system%20has%20a%20file%20upload%20(RCE)%20vulnerability.pdf




CVE-2023-1394 - SourceCodester Online Graduate Tracer System 1.0 SQL injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1394

NVD References: https://blog.csdn.net/Dwayne_Wade/article/details/129522869




CVE-2023-1379 - SourceCodester Friendly Island Pizza Website and Ordering System 1.0 SQL injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1379

NVD References: https://github.com/AureliusLia/bug_report/blob/main/vendors/Skynidnine/Friendly%20Island%20Pizza%20Website%20and%20Ordering%20System/SQLi-1.md




CVE-2023-1432 - SourceCodester Online Food Ordering System 2.0 improper access controls vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1432




CVE-2023-27074 - BP Monitoring Management System v1.0 SQL injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27074

NVD References: https://phpgurukul.com/bp-monitoring-management-system-using-php-and-mysql/




CVE-2022-39216 - Combodo iTop account takeover vulnerability. The issue is fixed in versions 2.7.8 and 3.0.2-1.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-39216

NVD References: 

- https://github.com/Combodo/iTop/commit/35a8b501c9e4e767ec4b36c2586f34d4ab66d229

- https://github.com/Combodo/iTop/commit/f10e9c2d64d0304777660a4f70f1e80850ea864b

- https://github.com/Combodo/iTop/security/advisories/GHSA-hggq-48p2-cmhm




CVE-2023-28343 - Altenergy Power Control Software C1.2.5 OS command injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28343

NVD References: 

- https://apsystems.com

- https://github.com/ahmedalroky/Disclosures/blob/main/apesystems/os_command_injection.md




CVE-2023-26511 - Propius MachineSelector versions 6.6.0 and 6.6.1 hard-coded admin credentials issue.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-26511

NVD References: https://www.propius.de/ms_security.html




CVE-2023-1327 - Netgear RAX30 (AX2400), prior to version 1.0.6.74, authentication bypass vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1327

NVD References: 

- https://drupal9.tenable.com/security/research/tra-2023-10

- https://github.com/advisories/GHSA-pvxx-rv48-qw5m




CVE-2022-37337 - Netgear Orbi Router RBR750 4.6.8.5 command execution vulnerability.

CVSS Score: 9.1 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-37337

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1596




CVE-2023-27757 - PerfreeBlog v3.1.1 arbitrary file upload vulnerability in the /admin/user/uploadImg component.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27757

NVD References: https://github.com/perfree/PerfreeBlog/issues/13




CVE-2023-28371 - Stellarium directory traversal vulnerability affects versions through 1.2.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28371

NVD References: 

- https://github.com/Stellarium/stellarium/commit/1261f74dc4aa6bbd01ab514343424097f8cf46b7

- https://github.com/Stellarium/stellarium/commit/787a894897b7872ae96e6f5804a182210edd5c78

- https://github.com/Stellarium/stellarium/commit/eba61df3b38605befcb43687a4c0a159dbc0c5cb




CVE-2023-27239 - Tenda AX3 V16.03.12.11 stack overflow vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27239

NVD References: https://github.com/yjzy00001/CVE/blob/main/vuln/WifiGuestSet/readme.md




CVE-2023-27240 - Tenda AX3 V16.03.12.11 command injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27240

NVD References: https://github.com/yjzy00001/CVE/blob/main/vuln/rce/readme.md




CVE-2023-24726 - Art Gallery Management System v1.0 SQL injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24726

NVD References: 

- https://github.com/rahulpatwari/CVE/blob/main/CVE-2023-24726/CVE-2023-24726.txt

- https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/

- https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip




CVE-2023-1416 - Simple Art Gallery 1.0 SQL injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1416

NVD References: 

- https://github.com/Songs-YZS/CveList/blob/main/SIMPLE%20ART%20GALLERY%20system%20has%20Sql%20injection%20vulnerabilities.pdf

- https://vuldb.com/?ctiid.223128

- https://vuldb.com/?id.223128




CVE-2020-27507 - Kamailio SIP server before 5.5.0 buffer overflow vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-27507

NVD References: 

- https://github.com/kamailio/kamailio/commit/ada3701d22b1fd579f06b4f54fa695fa988e685f

- https://github.com/kamailio/kamailio/issues/2503




CVE-2023-25344 - swig-templates (through 2.0.4) and swig (through 1.4.2) arbitrary code execution vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25344

NVD References: 

- https://github.com/node-swig/swig-templates/issues/89

- https://www.gem-love.com/2023/02/01/Swig%E6%A8%A1%E6%9D%BF%E5%BC%95%E6%93%8E0day%E6%8C%96%E6%8E%98-%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E5%92%8C%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96/




CVE-2023-24468 - Advanced Authentication broken access control vulnerability affects versions prior to 6.4.1.1 and 6.3.7.2.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-24468

NVD References: 

- https://www.netiq.com/documentation/advanced-authentication-63/advanced-authentication-releasenotes-6372/data/advanced-authentication-releasenotes-6372.html

- https://www.netiq.com/documentation/advanced-authentication-64/advanced-authentication-releasenotes-6411/data/advanced-authentication-releasenotes-6411.html




CVE-2023-25280 - D-Link DIR820LA1_FW105B03 OS Command injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-25280

NVD References: 

- https://github.com/migraine-sudo/D_Link_Vuln/tree/main/cmd%20Inject%20in%20pingV4Msg

- https://www.dlink.com/en/security-bulletin/




CVE-2023-27250 - Online Book Store Project v1.0 SQL Injection vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27250

NVD References: https://github.com/iknownt/bug_report/blob/main/vendors/itsourcecode.com/Online-Book-Store-Project/sql_injection.md




CVE-2020-19947 - Markdown Edit Cross Site Scripting vulnerability.

CVSS Score: 9.6 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-19947

NVD References: https://github.com/georgeOsdDev/markdown-edit/issues/12




CVE-2023-28100 - Flatpak improper input validation weakness affects versions prior to 1.10.8, 1.12.8, 1.14.4, and 1.15.4.

CVSS Score: 10.0 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28100

NVD References: 

- https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9

- https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp

- https://marc.info/?l=oss-security&m=167879021709955&w=2




CVE-2023-0811 - Omron CJ1M improper access controls vulnerability affects v4.0 and prior.

CVSS Score: 9.1 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-0811

NVD References: 

- https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-01

- https://www.ia.omron.com/product/vulnerability/OMSR-2023-001_en.pdf




CVE-2023-1256 - AVEVA Plant SCADA and AVEVA Telemetry Server improper authorization vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1256

NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-04




CVE-2022-43604 - EIP Stack Group OpENer GetAttributeList out-of-bounds write vulnerability.

CVSS Score: 10.0 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43604

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1661




CVE-2022-43605 - EIP Stack Group OpENer SetAttributeList out-of-bounds write vulnerability. 

CVSS Score: 10.0 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-43605

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1662




CVE-2023-21456 - Galaxy Themes Service path traversal vulnerability affects Galaxy Themes Service prior to SMR Mar-2023 Release 1.

CVSS Score: 9.0 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-21456

NVD References: https://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=03




CVE-2023-1152 - Utarit Information Technologies Persolus SQL injection vulnerability. This issue affects Persolus before 2.03.93.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1152

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0154-2




CVE-2023-28115 - Snappy PHAR deserialization affects versions prior to 1.4.2.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28115

NVD References: 

- https://github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670

- https://github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6

- https://github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3

- https://github.com/KnpLabs/snappy/pull/469

- https://github.com/KnpLabs/snappy/releases/tag/v1.4.2

- https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc




CVE-2023-28424 - Soko SQL injection vulnerability affects versions prior to 1.0.2.

CVSS Score: 9.1 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28424

NVD References: 

- https://github.com/gentoo/soko/security/advisories/GHSA-gc2x-86p3-mxg2

- https://gitweb.gentoo.org/sites/soko.git/commit/?id=4fa6e4b619c0362728955b6ec56eab0e0cbf1e23




CVE-2023-27586 - CairoSVG server-side request forgery / denial of service vulnerability affects versions prior to 2.7.0.

CVSS Score: 9.9 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27586

NVD References: 

- https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255

- https://github.com/Kozea/CairoSVG/commit/33007d4af9195e2bfb2ff9af064c4c2d8e4b2b53

- https://github.com/Kozea/CairoSVG/releases/tag/2.7.0

- https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv




CVE-2023-27578 - Galaxy insufficient permission check vulnerabilities affect all supported versions prior to 22.01, 22.05, and 23.0.

CVSS Score: 9.1 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27578

NVD References: 

- https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.01.patch

- https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.05.patch

- https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_23.0.patch

- https://github.com/galaxyproject/galaxy/security/advisories/GHSA-j8q2-r4g5-f22j




CVE-2023-1153 - Pacsrapor SQL injection vulnerability affects Pacsrapor versions prior to 1.22.

CVSS Score: 10.0 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-1153

NVD References: https://www.usom.gov.tr/bildirim/tr-23-0163




CVE-2023-27874 - IBM Aspera Faspex 4.4.2 XML external entity injection vulnerability affects versions prior to 4.4.2 PL3.

CVSS Score: 9.9 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27874

NVD References: 

- https://exchange.xforce.ibmcloud.com/vulnerabilities/249845

- https://www.ibm.com/support/pages/node/6964694




CVE-2023-27569 - PrestaShop eo_tags package SQL injection vulnerability affects versions prior to 1.3.0.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27569

NVD References: https://security.profileo.com/cve/eo_tags_2023-27569-27570/




CVE-2023-27570 - PrestaShop eo_tags package SQL injection vulnerability via a crafted _ga cookie affects versions prior to 1.4.19.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27570

NVD References: https://security.profileo.com/cve/eo_tags_2023-27569-27570/




CVE-2023-27855 - Rockwell Automation's ThinManager ThinServer path traversal vulnerability.

CVSS Score: 9.8 

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-27855

NVD References: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640




The following vulnerabilities need a manual review:



CVE-2023-26360 - Adobe ColdFusion Improper Access Control Vulnerability allows remote code execution.

** KEV since 2023-03-15 **

CVE-2023-20860 - Security Bypass With Un-Prefixed Double Wildcard Pattern affects Spring Framework versions 6.0.0 to 6.0.6 and 5.3.0 to 5.3.25.

References: https://spring.io/security/cve-2023-20860




CVE-2023-20861 - Spring Expression DoS Vulnerability

References: https://spring.io/security/cve-2023-20861