WeChat Reward Security Vulnerabilities

code423n4

Possible frontrun on deposits on LiquidityPool

Lines of code https://github.com/code-423n4/2022-03-biconomy/blob/main/contracts/hyphen/LiquidityPool.sol#L175-L188 Vulnerability details Impact Rewards are given to a user for depositing either ERC20 tokens or their native token into the LiquidityPool. This reward is used to incentivize users to.....

6.9 AI Score

2022-03-16 12:00 AM
7
code423n4

Sending tokens close to the maximum will fail and user will lose tokens

Lines of code https://github.com/code-423n4/2022-03-biconomy/blob/04751283f85c9fc94fb644ff2b489ec339cd9ffc/contracts/hyphen/LiquidityPool.sol#L273 Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept When a user calls the deposit function the reward...

6.8 AI Score

2022-03-16 12:00 AM
5
code423n4

LiquidityFarming.withdraw permanently freezes any unpaidRewards left

Lines of code Vulnerability details Impact Remainder nft.unpaidRewards are lost and cannot be retrieved after LiquidityFarming.withdraw. I.e. it is not possible to extractRewards for unpaidRewards later if withdraw being called when balance wasn't sufficient to fulfil the full withdraw of the...

6.6 AI Score

2022-03-16 12:00 AM
5
code423n4

Reward and base token decimals difference isn't accounted for in LiquidityFarming

Lines of code Vulnerability details Impact Reward and base token decimals can differ, while this difference isn't accounted for in the reward amount calculations, which will lead to either missing rewards or sending the whole rewards balance to the first eligible user. For example: If reward is...

6.8 AI Score

2022-03-16 12:00 AM
6
code423n4

Reward calculations can be rendered to zero due to the lack of precision

Lines of code Vulnerability details Impact On a combination of high enough token value and low enough decimals there can be not enough precision to store reward amount, which can be permanently hid from a user as a result. I.e. on such a combination there will effectively be no rewards for some...

6.6 AI Score

2022-03-16 12:00 AM
4
githubexploit

Exploit for Improper Authentication in Linux Linux Kernel

CVE-2022-0492 container escape analysis [toc] Vulnerability overview Vulnerability ID: CVE-2022-0492...

7.8 CVSS

8.2 AI Score

0.095 EPSS

2022-03-11 08:02 AM
418
githubexploit

10 CVSS

8.7 AI Score

0.954 EPSS

2022-03-11 06:39 AM
238
githubexploit

Exploit for Improper Initialization in Linux Linux Kernel

CVE-2022-0847 Dirty Pipe Linux kernel privilege escalation analysis [toc]...

7.8 CVSS

8 AI Score

0.076 EPSS

2022-03-10 01:27 AM
439
githubexploit

Exploit for Improper Initialization in Linux Linux Kernel

title: CVE-2022-0847 (DirtyPipe local privilege escalation) vulnerability analysis date: 2022-03-08...

7.8 CVSS

-0.1 AI Score

0.076 EPSS

2022-03-09 02:47 AM
643
code423n4

bEth Rewards May Be Depleted By Flashloans or Whales

Lines of code Vulnerability details Impact Rewards are dispersed to users as a percentage of the user's balance vs total balance (of bEth). Rewards are accumulated each time a user calls execute_decrease_balance(), execute_increase_balance() or execute_claim_rewards() as these functions will in...

6.7 AI Score

2022-03-09 12:00 AM
6
code423n4

[WP-H4] anchor_basset_reward pending yields can be stolen

Lines of code Vulnerability details For yield farming aggregators, if the pending yield on an underlying strategy can be harvested and cause a surge of rewards to all existing investors, especially if the harvest can be triggered permissionlessly. Then the attacker can amplify the attack using a...

6.7 AI Score

2022-03-09 12:00 AM
7
code423n4

bETH rewards can be timed

Lines of code Vulnerability details Impact The bETH reward contract allocates new rewards sent to the contract whenever update_global_index is called. It should be possible to time the transfer of the rewards to the contract and frontrun it with increasing one's token balance to capture more...

6.8 AI Score

2022-03-09 12:00 AM
5
cnvd

WordPress Video Conferencing with Zoom Plugin Information Disclosure Vulnerability

WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blog sites on servers with PHP and MySQL. WordPress Video Conferencing with Zoom Plugin version 3.8.17 previously contained an information disclosure.....

4.3 CVSS

1.7 AI Score

0.001 EPSS

2022-03-09 12:00 AM
8
code423n4

Rewards can be stolen from contract

Lines of code Vulnerability details It was observed that execute_claim_rewards/execute_decrease_balance/execute_increase_balance are missing to update the global index before calculating user rewards in anchor_basset_reward contract This can lead to serious consequences: execute_increase_balance...

6.8 AI Score

2022-03-08 12:00 AM
6
code423n4

Possible Wrong bAsset Rewards/Borrow limits Calculation

Lines of code Vulnerability details Impact During the code review, It has been observed that reward calculation has been done with execute_epoch_operations function. However, the config are stored in the storage. When the anc_purchase_factor is updated by the owner, the execute_epoch_operations is....

6.9 AI Score

2022-03-08 12:00 AM
8
githubexploit

Exploit for Expression Language Injection in Vmware Spring Cloud Gateway

Vulnerability description: Spring Cloud Gateway is a brand-new Spring Cloud project whose goal is to replace Netflix...

10 CVSS

10 AI Score

0.975 EPSS

2022-03-05 06:19 AM
272
githubexploit

Exploit for Expression Language Injection in Vmware Spring Cloud Gateway

-cve-2022-22947- cve-2022-22947 spring cloud gateway...

10 CVSS

10 AI Score

0.975 EPSS

2022-03-04 07:24 AM
357
cnvd

ZOHO ManageEngine Key Manager Plus Information Disclosure Vulnerability

ZOHO ManageEngine Key Manager Plus is a web-based SSH secret key management solution from ZOHO. The vulnerability is caused by the application not effectively protecting the stored SSL certificates and associated key pairs, which can be exploited by an attacker to obtain the stored SSL...

4 AI Score

2022-03-04 12:00 AM
10
cnvd

Apache containerd Information Disclosure Vulnerability

containerd is a container daemon from the Apache Foundation. The process is responsible for controlling the full cycle of containers on the host according to the RunC OCI specification. Apache containerd is vulnerable to an information disclosure vulnerability that could be exploited by an...

3.4 AI Score

2022-03-04 12:00 AM
5
cnvd

Home Owners Collection Management System Trust Management Issue Vulnerability

Home Owners Collection Management System, a homeowner collection management system, is vulnerable to a trust management issue stemming from Home Owners Collection Management System v1.0. System v1.0 was found to contain hard-coded credentials, which could be exploited by an attacker to escalate...

9.8 CVSS

3.9 AI Score

0.002 EPSS

2022-03-04 12:00 AM
12
githubexploit

Exploit for Expression Language Injection in Vmware Spring Cloud Gateway

Spring-Cloud-Gateway-CVE-2022-22947 Spring Cloud...

10 CVSS

9.9 AI Score

0.975 EPSS

2022-03-02 11:58 AM
365
githubexploit

Exploit for Expression Language Injection in Vmware Spring Cloud Gateway

Spring-Cloud-Gateway-CVE-2022-22947 Spring Cloud...

10 CVSS

9.9 AI Score

0.975 EPSS

2022-03-02 11:58 AM
376
ics

Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

Summary Actions Critical Infrastructure Organizations Should Implement to Immediately Strengthen Their Cyber Posture. • Patch all systems. Prioritize patching known exploited vulnerabilities. • Implement multi-factor authentication. • Use antivirus software. • Develop internal contact...

10 CVSS

9.8 AI Score

0.976 EPSS

2022-03-01 12:00 PM
49
cnvd

Sangfor VDI Client has an unspecified vulnerability

Sangfor VDI Client is a tool used by Sangfor to quickly build virtual desktops. A security vulnerability exists in Sangfor VDI Client, which can be exploited by attackers to discover the contents of username and password fields when reading process...

5.5 CVSS

3.1 AI Score

0.0005 EPSS

2022-03-01 12:00 AM
7
hackerone

Stripe: CSRF token validation system is disabled on Stripe Dashboard

@rodolfomarianocy discovered that due to a code change deployed on 2/14/2022, Cross Site Request Forgery (CSRF) protection was disabled in the Stripe Dashboard. This could have allowed an attacker to trick a victim user to visit a malicious website and cause limited changes to the victim’s Stripe.....

7.1 AI Score

2022-02-27 08:36 PM
22
ics

Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks

Summary Actions to Take Today to Protect Against Malicious Activity Search for indicators of compromise. Use antivirus software. Patch all systems. Prioritize patching known exploited vulnerabilities. Train users to recognize and report phishing attempts. Use multi-factor...

8.8 CVSS

8.9 AI Score

0.974 EPSS

2022-02-24 12:00 PM
34
code423n4

TWABDelegator allows easy circumvention of whale protection

Lines of code Vulnerability details In a recent interview, PoolTogether co-founder Leighton Cusack said: “Someone who had $1,000 right now into the USDC prize pool would have a 0.01% chance of winning a prize every week. That’s a less than 1% chance of winning a prize a year,” Cusack said. “With...

6.8 AI Score

2022-02-24 12:00 AM
3
thn

Dridex Malware Deploying Entropy Ransomware on Hacked Computers

Similarities have been unearthed between the Dridex general-purpose malware and a little-known ransomware strain called Entropy, suggesting that the operators are continuing to rebrand their extortion operations under a different name. "The similarities are in the software packer used to conceal...

AI Score

2022-02-23 01:00 PM
31
impervablog

Why ATO Attacks Are Attacks on Your Customers

Motivated by the continual surge in eCommerce, which according to UNCTAD has seen unprecedented growth during the COVID-19 pandemic, retailers are scrambling to adapt to a shift in consumer demand and create unique customer experiences that set them apart from the competition. The rise in online...

-0.1 AI Score

2022-02-22 02:08 PM
5
rapid7blog

Metasploit Weekly Wrap-Up

Nagios XI web shell upload module New this week is a Nagios Web Shell Upload module from Rapid7's own Jake Baines, which exploits CVE-2021-37343. This module builds upon the existing Nagios XI scanner written by Erik Wynter. Versions of Nagios XI prior to 5.8.5 are vulnerable to a path traversal...

9.8 CVSS

AI Score

0.975 EPSS

2022-02-18 09:24 PM
164
githubexploit

Exploit for Integer Overflow or Wraparound in Linux Linux Kernel

CVE-2022-0185 Linux kernel privilege escalation (escape) [toc] Vulnerability overview Vulnerability ID:...

8.4 CVSS

8.7 AI Score

0.001 EPSS

2022-02-18 09:27 AM
474
hackerone

Stripe: CSRF token validation system is disabled on Stripe Dashboard

@d_sharad discovered that due to a code change deployed on 2/14/2022, Cross Site Request Forgery (CSRF) protection was disabled in the Stripe Dashboard. This could have allowed an attacker to trick a victim user to visit a malicious website and cause limited changes to the victim’s Stripe account.....

7.2 AI Score

2022-02-17 11:22 AM
36
code423n4

RewardDistributor._claim uses native token payable.transfer, which is unsafe for smart contracts

Lines of code Vulnerability details Impact When reward.token is set to vault address and native token is used, it is sent out via payable.transfer call. This is unsafe as transfer has hard coded gas budget and can fail when the _account is a smart contract. Such transactions will fail for smart...

6.8 AI Score

2022-02-17 12:00 AM
8
cnvd

Jenkins Pipeline Groovy Plugin Information Disclosure Vulnerability

Jenkins is a Jenkins open source application. An open source automation server Jenkins provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Pipeline Groovy Plugin 2648.va9433432b33c and earlier versions are vulnerable to an information disclosure...

4.3 CVSS

1.1 AI Score

0.001 EPSS

2022-02-17 12:00 AM
10
code423n4

RewardDistributor._claim() Will Always Revert if The Recipient is a Contract

Lines of code Vulnerability details Impact The _claim() function is called to claim a reward for a given _rewardIdentifier. The leaf node is calculated using the hashed _index, _account and _amount values and is verified to belong to the merkle tree. After setting the reward as claimed, the tokens....

7 AI Score

2022-02-17 12:00 AM
2
code423n4

[WP-H4] Input should be validated on-chain to avoid fund loss caused by admin's misinput

Lines of code Vulnerability details In the current design/implementation, the admin of BribeVault is a super privileged role of the system. However, the inputs of the admin to some of the most critical methods are not being validated properly....

6.8 AI Score

2022-02-17 12:00 AM
5
code423n4

Rewards can be claimed if merkle proof is known

Lines of code Vulnerability details Impact The README describes the following when a voting ends: Outside of the Hidden Hand contract scope, after the Tokemak CoRE round ends, proposal data is compiled and these two things happen: - The following is derived from the data: its hash (KECCAK-256) and....

6.8 AI Score

2022-02-17 12:00 AM
9
code423n4

Use of IERC20.transfer() instead of SafeERC20.safeTransfer()

Lines of code https://github.com/code-423n4/2022-02-redacted-cartel/blob/main/contracts/BribeVault.sol#L296-L297 https://github.com/code-423n4/2022-02-redacted-cartel/blob/main/contracts/ThecosomataETH.sol#L146...

7 AI Score

2022-02-17 12:00 AM
5
code423n4

Users Can Frontrun Calls to updateRewardsMetadata() And Claim Tokens Twice

Lines of code https://github.com/code-423n4/2022-02-redacted-cartel/blob/main/contracts/RewardDistributor.sol#L127-L209 Vulnerability details Impact The updateRewardsMetadata() function is called by the BribeVault contract by the admin role. The function will take a list of distributions which are....

6.9 AI Score

2022-02-17 12:00 AM
4
code423n4

[WP-H2] Improper control over the versions of distributions' metadata may lead to repeated claims of rewards

Lines of code Vulnerability details function updateRewardsMetadata(Common.Distribution[] calldata distributions) external onlyRole(DEFAULT_ADMIN_ROLE) { require(distributions.length > 0, "Invalid distributions"); IRewardDistributor(distributor).updateRewardsMetadata(distributions);...

6.7 AI Score

2022-02-17 12:00 AM
6
code423n4

[WP-H5] RewardDistributor.setBribeVault() can cause users who haven't claimed their native tokens yet can not claim the reward anymore

Lines of code Vulnerability details In the current implementation, RewardDistributor._claim() is using if (token != bribeVault) { (token is from rewards[_rewardIdentifier].token) to detect whether it's a ERC20 token or native token (ETH). However, this is not a trustworthy way to determine whether....

6.7 AI Score

2022-02-17 12:00 AM
5
cnvd

Jenkins HashiCorp Vault Plugin Information Disclosure Vulnerability

Jenkins is a Jenkins open source application. An open source automation server, Jenkins provides hundreds of plugins to support building, deploying, and automating any project. Jenkins HashiCorp Vault Plugin 3.8.0 and earlier versions are vulnerable to an information disclosure vulnerability that...

6.5 CVSS

1.2 AI Score

0.001 EPSS

2022-02-17 12:00 AM
8
ics

Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology

Summary Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity: • Enforce multifactor authentication. • Enforce strong, unique passwords. • Enable M365 Unified Audit Logs. • Implement endpoint detection and response tools. From at least January 2020, through...

9.8 CVSS

10 AI Score

0.973 EPSS

2022-02-16 12:00 PM
69
cnvd

Metinfo SQL Injection Vulnerability (CNVD-2022-14805)

MetInfo is a content management system (CMS) developed using PHP and Mysql. A SQL injection vulnerability exists in Metinfo, which stems from the product's failure to secure the special characters in the doModify parameter in the language_general.class.php file. An attacker could exploit this...

9.8 CVSS

5 AI Score

0.002 EPSS

2022-02-16 12:00 AM
11
cnvd

Metinfo SQL Injection Vulnerability (CNVD-2022-14806)

MetInfo is a content management system (CMS) developed using PHP and Mysql. A SQL injection vulnerability exists in Metinfo, which stems from the product's failure to secure the special characters in the table_para parameter in the parameter_admin.class.php file. An attacker could exploit this...

9.8 CVSS

5 AI Score

0.002 EPSS

2022-02-16 12:00 AM
10
krebs

Wazawaka Goes Waka Waka

In January, KrebsOnSecurity examined clues left behind by "Wazawaka," the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since "lost his mind" according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a...

9.8 CVSS

-0.2 AI Score

0.024 EPSS

2022-02-14 06:22 PM
86
cnvd

Command Execution Vulnerability in Sunflower Personal Edition for Windows of Shanghai Beirui Information Technology Co.

Sunlogin is a free, all-in-one remote control management tool software that integrates remote control of computer phones, remote desktop connection, remote boot, remote management, and support for intranet penetration. Ltd. Sunlogin Personal Edition for Windows has a command execution...

4.9 AI Score

2022-02-14 12:00 AM
44
thehackerblog

"Zero-Days" Without Incident - Compromising Angular via Expired npm Publisher Email Domains

NOTE: If you’re just looking for the high level points, see the “The TL;DR Summary & High-Level Points” section of this post. Recently I took an interest in the npm registry due to its critical role in the security of managing packages for all of JavaScript and Node. After registering an account.....

-0.1 AI Score

2022-02-11 08:00 AM
24
code423n4

Reentrancy

Lines of code https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/ConcurRewardPool.sol#L38 Vulnerability details Impact Potential Reentrancy Proof of Concept Reentrancy in ConcurRewardPool.claimRewards(address[])...

6.9 AI Score

2022-02-11 12:00 AM
6
ics

2021 Trends Show Increased Globalized Threat of Ransomware

Summary Immediate Actions You Can Take Now to Protect Against Ransomware: • Update your operating system and software. • Implement user training and phishing exercises to raise awareness about the risk of suspicious links and attachments. • If you use Remote Desktop Protocol (RDP), secure and...

10 AI Score

2022-02-10 12:00 PM
17
Total number of security vulnerabilities: 8399