INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Angular-base64-update Demo Script Exploited (CVE-2024-42640)
Published: 2024-10-15.
Last Updated: 2024-10-15 15:08:01 UTC
by Johannes Ullrich (Version: 1)
Demo scripts left behind after installing applications or frameworks are an ongoing problem. After installation, removing any "demo" or "example" folders is usually best. A few days ago, Ravindu Wickramasinghe noticed that the Angular-base64-upload project is leaving behind a demo folder with a script allowing arbitrary file uploads without authentication [1]. Exploitation of the vulnerability is trivial. An attacker may use the file upload script to upload a web shell, and in response, the attacker will obtain remote command execution with all the privileges granted to the web server.
Sadly, the project is also no longer maintained. But a patch is not needed. Removing the vulnerable script (and likely the entire demo folder) should be an appropriate response.
Shortly after the blog post's publication, we detected exploit attempts in our web honeypot logs. On October 14th, we saw about 3,000 scans for ...
[1] https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
Read the complete entry:
https://isc.sans.edu/diary/Angularbase64update+Demo+Script+Exploited+CVE202442640/31354/
Phishing Page Delivered Through a Blob URL
Published: 2024-10-14.
Last Updated: 2024-10-14 07:37:44 UTC
by Xavier Mertens (Version: 1)
I receive a lot of spam in my catch-all mailboxes. While most of it is not interesting, some messages still catch my attention, especially the one I'll describe in this diary. The scenario is classic: an important document is pending delivery, but... the victim needs to authenticate to get the precious! As you can see in the screenshot below, the phishing kit supports well-known service providers ...
But check the URL carefully: it starts with "blob:"! Usually, BLOBs are used to represent "Binary Large OBjects". In the context of a browser, an object URL [1] is a pseudo-protocol that allows Blob and File objects to be used as URL sources for things like images, download links for binary data, and so forth. It's part of the URL specification for handling binary data that needs to be referenced or accessed as an actual file, even if it doesn't exist as a physical file on a server.
In the context of this phishing kit, the attacker generated the landing page in a blob to remain stealthy. Let's have a look at the code ...
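The consequence for an analyst is that a blob: URL cannot be fetched by anything outside the page that created it: the bytes live only in that document's memory, and the URL itself only carries the creating origin and an opaque id. The following helper is an added example (not code from the diary or from the phishing kit) that parses a captured blob: URL into its creating origin, decides whether a URL is worth fetching at all, and runs a simple heuristic over captured page source to flag the pattern described above. The URL, the two page snippets, the origin landing.example and the function names are all constructed assumptions for illustration.

```javascript
// Added example, not code from the ISC diary: triage helpers for blob: object
// URLs of the kind seen in the phishing page described above.
// Two facts it relies on (both from the URL / File API specifications):
//  1. a browser-created object URL has the form blob:<origin>/<uuid>, where
//     <origin> is the document that called URL.createObjectURL();
//  2. the bytes behind it exist only in that document's memory, so nothing on
//     the network (proxy, mail gateway, sandbox fetch) can retrieve them by URL.
// All sample values below are constructed for illustration.

const SAMPLE_CAPTURED_URL =
  "blob:https://landing.example/3f1b2c44-8d0e-4a6a-9a1c-0f2e5b7c9d11";

// Constructed stand-in for the outer page: it decodes an embedded payload,
// wraps it in a text/html Blob and navigates to the resulting object URL.
// (The payload is a harmless placeholder; the detector only looks at the pattern.)
const SAMPLE_OUTER_PAGE = `
<html><body><script>
  var b64 = "PGh0bWw+cGxhY2Vob2xkZXI8L2h0bWw+";
  var blob = new Blob([atob(b64)], { type: "text/html" });
  location.href = URL.createObjectURL(blob);
</script></body></html>`;

// A benign page using object URLs for the usual reason (a download link).
const SAMPLE_BENIGN_PAGE = `
<html><body><script>
  var blob = new Blob([csvText], { type: "text/csv" });
  document.getElementById("dl").href = URL.createObjectURL(blob);
</script></body></html>`;

// Split a blob: URL into the creating origin and the opaque object id.
// Returns null for anything that is not a blob: URL.
function parseBlobUrl(url) {
  if (typeof url !== "string" || !url.startsWith("blob:")) return null;
  const inner = url.slice("blob:".length);
  const slash = inner.lastIndexOf("/");
  if (slash === -1) return { origin: null, id: inner };
  return { origin: inner.slice(0, slash), id: inner.slice(slash + 1) };
}

// Analyst triage: can the URL be fetched for analysis? For a blob: URL the
// answer is no; the page at the creating origin must be captured instead.
function triageUrl(url) {
  const parsed = parseBlobUrl(url);
  if (parsed === null) {
    const scheme = new URL(url).protocol.replace(":", "");
    return { scheme, fetchable: true, captureFrom: null };
  }
  return { scheme: "blob", fetchable: false, captureFrom: parsed.origin };
}

// Heuristic over captured page source: an HTML document built in-page as a
// text/html Blob, turned into an object URL and then navigated to. Ordinary
// object-URL use (images, download links) is neither text/html nor a navigation.
function looksLikeBlobRenderedPage(html) {
  const usesObjectUrl = /URL\.createObjectURL\s*\(/.test(html);
  // [^;]*? rather than [^)]* so nested calls such as atob(...) inside the
  // Blob constructor do not stop the match early.
  const htmlBlob = /new\s+Blob\s*\([^;]*?type\s*:\s*["']text\/html["']/.test(html);
  const navigates =
    /(location(\.href)?\s*=|location\.(assign|replace)\s*\(|window\.open\s*\()/.test(html);
  return usesObjectUrl && htmlBlob && navigates;
}

// Quick demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(triageUrl(SAMPLE_CAPTURED_URL));
  console.log(looksLikeBlobRenderedPage(SAMPLE_OUTER_PAGE),
              looksLikeBlobRenderedPage(SAMPLE_BENIGN_PAGE));
}
```

The practical point for detection: URL-based controls (mail-gateway link rewriting, proxy categorisation, URL reputation) never see the blob: URL, because it is never requested over the network. What they do see is the outer page that builds the Blob, so that is where content inspection and the heuristic above have to run.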
[1] https://en.wikipedia.org/wiki/Blob_URI_scheme
Read the complete entry:
https://isc.sans.edu/diary/Phishing+Page+Delivered+Through+a+Blob+URL/31350/