Handling BOM MIME Files
Published: 2024-06-19
Last Updated: 2024-06-19 09:23:22 UTC
by Didier Stevens (Version: 1)
A reader contacted me with an eml file (which turned out to be benign) that emldump.py could not parse correctly.
I've written several diary entries explaining how to analyse MIME/eml files with my emldump.py tool, back in the days when threat actors were discovering all kinds of obfuscation tricks that I tried to defeat in my emldump.py tool.
The output of emldump.py for a sample MIME/eml file looks like this ...
Read the full entry:
https://isc.sans.edu/diary/Handling+BOM+MIME+Files/31022/
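Didier's diary above is about an .eml file whose leading byte-order mark tripped up emldump.py. The Python below is an added example, not emldump.py or any code from the diary, that reproduces the failure mode with the standard library's email parser and shows the fix: a UTF-8 BOM at offset 0 makes the first header line fail the RFC 5322 header pattern, so the parser silently treats the whole file as a headerless body; stripping the BOM first restores normal parsing. It goes a step beyond the diary by also recognising UTF-16 and UTF-32 BOMs, which signal that the whole file needs transcoding rather than a three-byte trim. The sample message, addresses and attachment content are constructed for this example.

```python
import base64
import codecs
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Byte-order marks, longest first so the UTF-32 LE mark is not mistaken
# for UTF-16 LE (which is its two-byte prefix).
_BOMS = (
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def strip_bom(data: bytes) -> Tuple[bytes, Optional[str]]:
    """Return (cleaned_bytes, encoding named by the BOM, or None).

    A UTF-8 BOM is three bytes of noise in front of an otherwise ASCII
    header block and is simply dropped. A UTF-16/32 BOM means every byte
    of the file is in that encoding, so the file is transcoded to UTF-8
    to give the byte-oriented MIME parser plain ASCII headers again.
    """
    for bom, enc in _BOMS:
        if data.startswith(bom):
            rest = data[len(bom):]
            if enc == "utf-8":
                return rest, enc
            return rest.decode(enc).encode("utf-8"), enc
    return data, None


def parse_eml_naive(data: bytes) -> EmailMessage:
    """Parse raw .eml bytes as-is: what a BOM-unaware tool does."""
    return BytesParser(policy=policy.default).parsebytes(data)


def parse_eml(data: bytes) -> EmailMessage:
    """Parse raw .eml bytes after removing any leading BOM."""
    cleaned, _ = strip_bom(data)
    return parse_eml_naive(cleaned)


def list_parts(msg: EmailMessage) -> List[Tuple[int, str, int]]:
    """emldump-style part listing: (index, content type, decoded size)."""
    parts = []
    for index, part in enumerate(msg.walk(), start=1):
        size = 0 if part.is_multipart() else len(part.get_payload(decode=True) or b"")
        parts.append((index, part.get_content_type(), size))
    return parts


# Constructed sample: a two-part message with a small base64 attachment.
ATTACHMENT_BYTES = b"hello attachment"
_HEAD = (
    b"From: sender@example.invalid\r\n"
    b"To: analyst@example.invalid\r\n"
    b"Subject: BOM test\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please see the attachment.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="invoice.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="invoice.bin"\r\n'
    b"\r\n"
)
SAMPLE_EML = _HEAD + base64.b64encode(ATTACHMENT_BYTES) + b"\r\n--b1--\r\n"
# The same message with a UTF-8 BOM in front, and as UTF-16 LE with its BOM.
BOM_UTF8_EML = codecs.BOM_UTF8 + SAMPLE_EML
BOM_UTF16_EML = codecs.BOM_UTF16_LE + SAMPLE_EML.decode("ascii").encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("no BOM", SAMPLE_EML), ("UTF-8 BOM", BOM_UTF8_EML), ("UTF-16 BOM", BOM_UTF16_EML)):
        naive, fixed = parse_eml_naive(blob), parse_eml(blob)
        print(f"{label:10} naive subject={naive['Subject']!r}  fixed subject={fixed['Subject']!r}")
        for index, ctype, size in list_parts(fixed):
            print(f"  {index}: {ctype} ({size} bytes)")
```

Note that the naive parse does not raise: it returns a message with no headers, a single text/plain body and a MissingHeaderBodySeparatorDefect in msg.defects, so a tool that only checks for exceptions misses the problem entirely. Checking the first bytes of every sample before handing it to a MIME parser is cheap and catches all five BOM variants.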
New NetSupport Campaign Delivered Through MSIX Packages
Published: 2024-06-17
Last Updated: 2024-06-17 07:22:40 UTC
by Xavier Mertens (Version: 1)
It's amazing to see how attackers reuse and combine known techniques to target their victims with new campaigns! Last week, I spotted some malicious MSIX packages on VT that drop a NetSupport client preconfigured to phone home to an attacker-controlled manager. Remote support tools are really "cool" for attackers because they provide a perfect way to communicate with infected computers without the need to develop their own C2 infrastructure and protocol! While some are popular and often searched for as evidence of compromise (like AnyDesk or TeamViewer), there are others, like NetSupport, that tend to remain below the radar. This one is available for free for 30 days (more than enough to launch a campaign) and provides all the expected features to interact with victims ...
Read the full entry:
https://isc.sans.edu/diary/New+NetSupport+Campaign+Delivered+Through+MSIX+Packages/31018/
Port 1801 Traffic: Microsoft Message Queue
Published: 2024-06-12
Last Updated: 2024-06-12 17:49:25 UTC
by Johannes Ullrich (Version: 1)
I had planned a bit more of a conclusive story here, but after running into issues decoding the packets and running out of time between looking at student papers, I figured I would leave it up to the audience ;-) Maybe someone here better understands the Microsoft Message Queue (MSMQ) protocol.
Yesterday's Microsoft Patch Tuesday included a single critical vulnerability, a code execution vulnerability in MSMQ. I noted in the podcast that we see some "background hum" on port 1801, the port used by MSMQ ...
So I fired up some netcat listeners on port 1801, and after a short wait, this is what I got ...
Read the full entry:
https://isc.sans.edu/diary/Port+1801+Traffic+Microsoft+Message+Queue/31004/
Video Meta Data: DJI Drones (2024.06.16)
https://isc.sans.edu/diary/Video+Meta+Data+DJI+Drones/31014/
Overview of My Tools That Handle JSON Data (2024.06.15)
https://isc.sans.edu/diary/Overview+of+My+Tools+That+Handle+JSON+Data/31012/
The Art of JQ and Command-line Fu [Guest Diary] (2024.06.13)
https://isc.sans.edu/diary/The+Art+of+JQ+and+Commandline+Fu+Guest+Diary/31006/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
Product: Microsoft Windows Error Reporting Service
CVSS Score: 0
** KEV since 2024-06-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-26169
ISC Podcast: https://isc.sans.edu/podcastdetail/9022
Product: Google Android Pixel Firmware
CVSS Score: 7.8 AtRiskScore 40
** KEV since 2024-06-13 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32896
NVD References: https://source.android.com/security/bulletin/pixel/2024-06-01
Product: FOXMAN UNEM Server / API Gateway
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2012
NVD References: https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201&languageCode=en&Preview=true
CVE-2024-2013 - FOXMAN-UN/UNEM server / API Gateway component exposes an authentication bypass vulnerability, granting attackers unauthorized interaction with services and post-authentication attack surface.
Product: FOXMAN-UN/UNEM server / API Gateway
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2013
NVD References: https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201&languageCode=en&Preview=true
CVE-2024-30080 - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
Product: Microsoft Windows 10 1507
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30080
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30080
CVE-2024-30103 - Microsoft Outlook Remote Code Execution Vulnerability
Product: Microsoft Outlook
CVSS Score: 8.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30103
ISC Podcast: https://isc.sans.edu/podcastdetail/9024
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30103
CVE-2024-35213 - QNX SDP versions 6.6, 7.0, and 7.1 are vulnerable to improper input validation in the SGI Image Codec, potentially enabling a denial-of-service attack or code execution by an attacker.
Product: QNX SDP
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35213
NVD References: https://support.blackberry.com/pkb/s/article/139914
CVE-2024-37301 - Document Merge Service is vulnerable to remote code execution via server-side template injection in versions 6.5.1 and prior, allowing for full system takeover with no available patch or workaround.
Product: Fossun Document Merge Service
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37301
NVD References:
- https://github.com/adfinis/document-merge-service/commit/a1edd39d33d1bdf75c31ea01c317547be90ca074
- https://github.com/adfinis/document-merge-service/security/advisories/GHSA-v5gf-r78h-55q6
CVE-2024-35225 - Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 are vulnerable to a reflected cross-site scripting (XSS) issue in the `/proxy` endpoint.
Product: Jupyter Server Proxy
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35225
NVD References:
- https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328
- https://github.com/jupyterhub/jupyter-server-proxy/commit/7abc9dc5bbb0b4b440548a5375261b8b8192fc22
- https://github.com/jupyterhub/jupyter-server-proxy/commit/ff78128087e73fb9d0909e1366f8bf051e8ea878
- https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr
CVE-2024-4898 - The InstaWP Connect plugin for WordPress allows unauthenticated attackers to edit site options and create administrator accounts.
Product: InstaWP Connect Plugin for WordPress
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4898
NVD References:
- https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.38/includes/class-instawp-rest-api.php#L926
- https://www.wordfence.com/threat-intel/vulnerabilities/id/92a00fb4-7b50-43fd-ac04-5d6e29336e9c?source=cve
CVE-2024-37036 - An out-of-bounds write vulnerability in Schneider Electric SAGE RTU products could allow authentication bypass when a malformed POST request with specific configuration parameters is sent.
Product: Schneider Electric SAGE RTU Products
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37036
NVD References: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-05.pdf
CVE-2024-3922 - The Dokan Pro plugin for WordPress is vulnerable to SQL injection via the 'code' parameter, allowing unauthenticated attackers to extract sensitive information from the database.
Product: WordPress Dokan Pro plugin
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3922
NVD References:
- https://dokan.co/docs/wordpress/changelog/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d9de41de-f2f7-4b16-8ec9-d30bbd3d8786?source=cve
CVE-2024-34102 & CVE-2024-34108 - Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier contain an XXE vulnerability (CVE-2024-34102) and an improper input validation vulnerability (CVE-2024-34108).
Product: Adobe Commerce
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34102
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34108
NVD References: https://helpx.adobe.com/security/products/magento/apsb24-40.html
CVE-2024-4371 - The CoDesigner WooCommerce Builder for Elementor plugin for WordPress is vulnerable to PHP Object Injection, allowing unauthenticated…
Product: CoDesigner WooCommerce Builder for Elementor
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4371
NVD References:
Product: Adobe Framemaker Publishing Server
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30299
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30300
NVD References: https://helpx.adobe.com/security/products/framemaker-publishing-server/apsb24-38.html
Product: NVIDIA Triton Inference Server
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-0095
NVD References: https://nvidia.custhelp.com/app/answers/detail/a_id/5546
Product: Toshiba Printers
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27143
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27144
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27145
NVD References:
- https://jvn.jp/en/vu/JVNVU97136265/index.html
- https://www.toshibatec.com/information/20240531_01.html
- https://www.toshibatec.com/information/pdf/information20240531_01.pdf
Product: ASUS Routers
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3080
NVD References:
Product: ASUS routers
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3912
NVD References:
Product: Toshiba Remote Command program
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27172
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27173
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27174
NVD References:
- https://jvn.jp/en/vu/JVNVU97136265/index.html
- https://www.toshibatec.com/information/20240531_01.html
- https://www.toshibatec.com/information/pdf/information20240531_01.pdf
Product: Canto WordPress plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4936
NVD References:
- https://plugins.trac.wordpress.org/browser/canto/trunk/includes/lib/sizes.php#L15
Product: WordPress Where I Was, Where I Will Be plugin
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5577
NVD References:
Product: LatePoint Plugin, UnityEngine
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-2472
NVD References:
- https://aramhairchitects.nl/
Product: Trellix IPS Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5671
NVD References: https://thrive.trellix.com/s/article/000013623
Product: WooCommerce Social Login
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5871
NVD References:
- https://codecanyon.net/item/social-login-wordpress-woocommerce-plugin/8495883
Product: The Woody Code Snippets Insert Header Footer Code, AdSense Ads
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3105
NVD References:
- https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166
Product: YotuWP Video Gallery - YouTube Playlist, Channel Gallery
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4258
NVD References:
- https://plugins.trac.wordpress.org/browser/yotuwp-easy-youtube-embed/trunk/yotuwp.php#L731
Product: GeoVision EOL devices
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6047
NVD References:
Product: Openfind MailGates and MailAudit
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6048
NVD References:
Product: DeepJavaLibrary DJL
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37902
NVD References:
- https://github.com/deepjavalibrary/djl/releases/tag/v0.28.0
- https://github.com/deepjavalibrary/djl/security/advisories/GHSA-w877-jfw7-46rj
Product: VMware vCenter Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37079
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37080
NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
Product: WordPress Picture / Portfolio / Media Gallery
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5021
NVD References:
Product: Veeam Recovery Orchestrator
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-29855
ISC Podcast: https://isc.sans.edu/podcastdetail/9020
NVD References: https://www.veeam.com/kb4585