Wechat Reward Security Vulnerabilities

cnvd

SAP NetWeaver Application Server ABAP and ABAP Platform Information Disclosure Vulnerability

SAP NetWeaver Application Server is an application server from SAP, Germany. An information disclosure vulnerability exists in SAP NetWeaver Application Server ABAP and ABAP Platform, which can be exploited by attackers to read connection details stored in SAP The vulnerability can be exploited to.....

4.9CVSS

0.5AI Score

0.001EPSS

2022-02-10 12:00 AM
10
github

Coordinated vulnerability disclosure (CVD) for open source projects

As a vulnerability reporter, you play an important and valuable role in the open source ecosystem. In this guide, I will provide our recommended four-step process for vulnerability disclosure and make suggestions along the way to foster a positive experience. On top of the many tasks open source...

-0.3AI Score

2022-02-09 08:24 PM
15
code423n4

During stake or deposit, users would not be rewarded the correct Concur token, when MasterChef has under-supply of it.

Lines of code Vulnerability details Impact During stake or deposit, users would not be transferred the correct Concur token, when MasterChef has under-supply of it. There is an assumption that MasterChef contract would own enough Concur tokens so as to distribute to users as reward, during deposit....

6.7AI Score

2022-02-09 12:00 AM
4
code423n4

Same reward token in pools can break accounting

Lines of code Vulnerability details The ConvexStakingWrapper contract uses several reward pool tokens rewards[_pid][_index].token and it can be that the same token is used for different _pids. Indeed, the CVX/CRV tokens are always at index 0 and 1. The rewards will be distributed to the first pool....

6.8AI Score

2022-02-09 12:00 AM
5
code423n4

[WP-H8] ConvexStakingWrapper.sol#_calcRewardIntegral Wrong implementation can disrupt rewards calculation and distribution

Lines of code Vulnerability details uint256 bal = IERC20(reward.token).balanceOf(address(this)); uint256 d_reward = bal - reward.remaining; // send 20 % of cvx / crv reward to treasury if (reward.token == cvx || reward.token == crv) { IERC20(reward.token).transfer(treasury,...

6.7AI Score

2022-02-09 12:00 AM
5
code423n4

Reentrancy in ConcurRewardPool::claimRewards

Lines of code Vulnerability details Impact Any address that has nonzero reward for a token _tokens[i] is able to drain all contract token funds if the transfer function is reentrant (for example, ERC777 token). As _tokens[i] is an arbitrarily implemented, a reentrant transfer function can be...

6.8AI Score

2022-02-09 12:00 AM
8
code423n4

ConvexStakingWrapper deposits and withdraws will frequently be disabled if a token that doesn't allow zero value transfers will be added as a reward one

Lines of code Vulnerability details Impact If deposits and withdraws are done frequently enough, the reward update operation they invoke will deal mostly with the case when there is nothing to add yet, i.e. reward.remaining match the reward token balance. If reward token doesn't allow for zero...

6.9AI Score

2022-02-09 12:00 AM
2
code423n4

Wrong pools reward calculation. User will get smaller rewards (always)

Lines of code Vulnerability details Impact When adding new token pool for staking in MasterChef contract function add(address _token, uint _allocationPoints, uint16 _depositFee, uint _startBlock) All other, already added, pools should be updated but currently they are not. Instead, only...

6.8AI Score

2022-02-09 12:00 AM
3
code423n4

Owner can lock tokens in MasterChef

Lines of code Vulnerability details Impact Owner can remove a depositor. Since only depositors can deposit and withdraw, the owner may add a contract to the whitelist, let users deposit in the contract and remove the depositor from the whitelist. Depositor's reward cannot be withdrawn then. And...

6.8AI Score

2022-02-09 12:00 AM
5
code423n4

Remaining reward balance is wrongly updated

Lines of code Vulnerability details The ConvexStakingWrapper.calcRewardIntegral function makes the d_reward = IERC20(reward.token).balanceOf(address(this)); - reward.remaining amount available for claiming. Then it updates the reward.remaining value to the balance _before the distribution....

6.7AI Score

2022-02-09 12:00 AM
4
code423n4

Potential Re-entrancy Attack via ETH or ERC777 Token Transfer

Lines of code Vulnerability details Impact The CEI pattern is not being implemented properly in the claimRewards function of the ConcurRewardPool.sol. https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConcurRewardPool.sol#L37 function claimRewards(address[] calldata _tokens)...

7AI Score

2022-02-09 12:00 AM
1
code423n4

Wrong reward token calculation in MasterChef contract

Lines of code Vulnerability details Impact When adding new token pool for staking in MasterChef contract function add(address _token, uint _allocationPoints, uint16 _depositFee, uint _startBlock) All other, already added, pools should be updated but currently they are not. Instead, only...

6.8AI Score

2022-02-09 12:00 AM
5
code423n4

Unconstrained fee

Lines of code Vulnerability details Impact Token fee in MasterChef can be set to more than 100%, (for example by accident) causing all deposit calls to fail due to underflow on subtraction when reward is lowered by the fee, thus breaking essential mechanics. Note that after the fee has been set to....

6.8AI Score

2022-02-09 12:00 AM
2
code423n4

Re-entrancy vulnerabilities

Lines of code Vulnerability details Impact Function claimRewards in ConcurRewardPool should be re-entrancy protected or first nullify the reward before sending it, otherwise, if any token contains a transfer callback hook, users can claim the same rewards multiple times, by re-entering the...

6.8AI Score

2022-02-09 12:00 AM
4
code423n4

ConvexStakingWrapper._calcRewardIntegral() Has An Accounting Error When Updating reward.remaining

Lines of code Vulnerability details Impact The ConvexStakingWrapper.sol implementation makes several modifications to the original design. One of the key changes is the way rewards are distributed to stakers. A new ConcurRewardPool.sol contract is used to store rewards, allowing users to claim...

7.2AI Score

2022-02-09 12:00 AM
2
cnvd

SourceCodester Simple Cold Storage Management System Information Disclosure Vulnerability

SourceCodester Simple Cold Storage Management System is a web-based application used as a cold storage business website to provide their customers or potential customers with an easy-to-access platform to learn about their company. SourceCodester Simple Cold Storage Management System has a...

9.8CVSS

3.8AI Score

0.002EPSS

2022-02-09 12:00 AM
5
kitploit

wmiexec-RegOut - Modify Version Of Impacket Wmiexec.Py, Get Output(Data,Response) From Registry, Don'T Need SMB Connection, Also Bypassing Antivirus-Software In Lateral Movement Like WMIHACKER

Modify version of impacket wmiexec.py,wmipersist.py. Got output(data,response) from registry, don't need SMB connection, but I'm in the bad code :( Specially Thanks to: @rootclay, wechat: _xiangshan Overview In original wmiexec.py, it get response from smb connection (port 445,139)....

8.1AI Score

2022-02-03 08:30 PM
8
cnvd

Palo Alto Networks Cortex XDR Information Disclosure Vulnerability

Palo Alto Networks Cortex XDR is a security operations platform for remote endpoint-based detection from Palo Alto Networks Malaysia. A security vulnerability exists in the Palo Alto Networks Cortex XDR agent, which could be exploited by an attacker to read the contents of arbitrary files on the...

5.5CVSS

3.4AI Score

0.0004EPSS

2022-02-03 12:00 AM
6
code423n4

Checks missing while adding rewards

Handle csanuragjain Vulnerability details Impact Reward amount higher than contract reward balance can bring instability in the contract Proof of Concept In FarmingPools.sol contract check notifyRewardAmounts function Observe there is no check to see if added reward is higher than contract...

6.9AI Score

2022-02-02 12:00 AM
3
code423n4

Tolerance is not enforced during a flash governance decision

Handle shw Vulnerability details Impact Most of the functions with a governanceApproved modifier call flashGoverner.enforceTolerance to ensure the provided parameters are restricted to some range of their original values. However, in the governanceApproved modifier,...

7AI Score

2022-02-02 12:00 AM
5
trellix

Trellix Launches Annual CTF Competition – Catmen Sanfrancisco!

Trellix Launches Annual CTF Competition – Catmen Sanfrancisco! By Trellix · February 1, 2022 This story was written by Steve Povolny. The Advanced Threat Research team, now with Trellix, is pleased to announce the return of our second annual Capture the Flag contest featuring 12 new challenges of.....

6.9AI Score

2022-02-01 12:00 AM
5
code423n4

Staking with 0 amount will reset rewarded without claiming any flan.

Handle Randyyy Vulnerability details Impact A user can stake their token by calling stake function, by supplying a token, however staking 0 amount token is allowed, staking 0 amount will reset the reward debt, without minting a single flan token, the function will treat as if the user do the...

7AI Score

2022-02-01 12:00 AM
6
trellix

Trellix Launches Annual CTF Competition – Catmen Sanfrancisco!

Trellix Launches Annual CTF Competition – Catmen Sanfrancisco! By Trellix · February 1, 2022 This story was written by Steve Povolny. The Advanced Threat Research team, now with Trellix, is pleased to announce the return of our second annual Capture the Flag contest featuring 12 new challenges of.....

6.4AI Score

2022-02-01 12:00 AM
7
githubexploit

Exploit for Incorrect Authorization in Polkit Project Polkit

CVE-2021-3560 PolKit race condition local privilege escalation analysis [toc] Vulnerability overview Vulnerability ID:...

7.8CVSS

-0.1AI Score

0.012EPSS

2022-01-31 09:02 AM
175
code423n4

user won't be able to get his rewards in case of staking with amount = 0

Handle CertoraInc Vulnerability details Limbo.sol (stake() function) if a user has a pending reward and he call the stake function with amount = 0, he won't be able to get his reward (he won't get the reward, and the reward debt will cover the reward) that's happening because the reward...

6.9AI Score

2022-01-31 12:00 AM
5
code423n4

ConvexStakingWrapper does not update rewards state before transferring tokens

Handle kenzo Vulnerability details ConvexStakingWrapper saves data for reward calculation in dedicated variables for each user, such as reward.reward_integral_for[account]. These variables are not updated when transferring wrapped staked tokens. (Please note that Convex's original...

7AI Score

2022-01-30 12:00 AM
10
code423n4

Rewards distribution can be disrupted by a early user

Handle WatchPug Vulnerability details function _calcRewardIntegral( uint256 _index, address[2] memory _accounts, uint256[2] memory _balances, uint256 _supply, bool _isClaim ) internal { RewardType storage reward = rewards[_index]; uint256 rewardIntegral =...

6.9AI Score

2022-01-30 12:00 AM
3
githubexploit

Exploit for Out-of-bounds Write in Polkit Project Polkit

polkit-0.96-CVE-2021-4034 centos 7.x already has it. Fix CVE-2021-4034...

7.8CVSS

8.4AI Score

0.0005EPSS

2022-01-29 06:54 AM
251
threatpost

Zerodium Spikes Payout for Outlook Zero-Days

Zerodium has jacked up its offering price for Microsoft Outlook zero-day exploits. Act fast if you have the goods and the moral equanimity, to make up to $400,000 for a zero-click, remote code-execution (RCE) exploit. “Zero-click” means that targets neither have to read a malicious email message...

6.5CVSS

0.1AI Score

0.001EPSS

2022-01-28 04:54 PM
19
krebs

Who Wrote the ALPHV/BlackCat Ransomware Strain?

In December 2021, researchers discovered a new ransomware-as-a-service named ALPHV (a.k.a. "BlackCat"), considered to be the first professional cybercrime group to create and use a ransomware strain written in the Rust programming language. In this post, we'll explore some of the clues left behind....

6.5AI Score

2022-01-28 01:18 PM
25
githubexploit

Exploit for Off-by-one Error in Sudo Project Sudo

CVE-2021-3156 [toc] Vulnerability overview Vulnerability ID: CVE-2021-3156...

7.8CVSS

7.9AI Score

0.97EPSS

2022-01-27 02:31 AM
279
githubexploit

Exploit for Out-of-bounds Write in Polkit Project Polkit

CVE-2021-4034 PolKit local privilege escalation analysis [toc] Vulnerability overview Vulnerability ID:...

7.8CVSS

8.5AI Score

0.0005EPSS

2022-01-26 10:58 AM
367
code423n4

SherlockClaimManager: Incorrect amounts needed and paid for escalated claims

Handle GreyArt Vulnerability details Impact When escalating claims, the documentation states that the protocol agent is required to pay and stake a certain amount for the process. If the covered protocol is proven correct, then the amount specified by the claim will be paid out. They will also...

7AI Score

2022-01-26 12:00 AM
1
code423n4

tokenBalanceOfAddress of nftOwner becomes permanently incorrect after arbRestake

Handle hyh Vulnerability details Impact Successful arbRestake performs _redeemShares for arbRewardShares amount to extract the arbitrager reward. This effectively reduces shares accounted for an NFT, but leaves untouched the addressShares of an nftOwner. As a result the tokenBalanceOfAddress...

6.6AI Score

2022-01-24 12:00 AM
3
code423n4

Reentrancy in _sendSherRewardsToOwner()

Handle kirk-baird Vulnerability details Impact This is a reentrancy vulnerability that would allow the attacker to drain the entire SHER balance of the contract. Note: this attack requires gaining control of execution sher.transfer() which will depend on the implementation of the SHER token....

7.1AI Score

2022-01-23 12:00 AM
3
coalfire

The right ASM tools include understanding where the real risk lies

While companies are just scratching the surface of understanding their Internet-facing architecture, hackers have been monitoring growing attack surfaces to find vulnerabilities where companies aren't looking (or maybe not prioritizing) and reaping the reward through bug bounty...

3.3AI Score

2022-01-20 11:28 PM
6
code423n4

Possible Re-entrancy in _sendSherRewardsToOwner

Handle static Vulnerability details Vulnerability details Impact If the SHER token performs a callback, such as in ERC-777 tokens, when performing transfers, the _sendSherRewardsToOwner function can be run multiple times to extract more rewards than should be available for a single NFT. Proof of...

6.9AI Score

2022-01-20 12:00 AM
5
exploitdb

7.4AI Score

2022-01-19 12:00 AM
329
cnvd

Google Android Automotive Os Information Disclosure Vulnerability

Google Android Automotive Os is an operating system and platform from Google (USA) that runs directly on in-car hardware. Google Android Automotive Os has a security vulnerability that stems from the DevicePickerFragment sending a new device pairing broadcast without any permission checks, so any.....

5.3CVSS

2.6AI Score

0.001EPSS

2022-01-18 12:00 AM
9
sonarsource

Don't be afraid of XXE vulnerabilities: understand the beast and how to detect them

Today XML External Entities (XXE) vulnerabilities are still ubiquitous, despite the fact that recommendations to protect against them have been an integral part of security standards for years. In this post, the first in a series of three blog posts, we will try to demystify XXE vulnerabilities...

7.5CVSS

-0.4AI Score

0.012EPSS

2022-01-18 12:00 AM
26
githubexploit

Exploit for Deserialization of Untrusted Data in Apache Dubbo

CVE-2021-43297 Vulnerability description Dubbo Hessian-Lite...

9.8CVSS

0.4AI Score

0.011EPSS

2022-01-17 12:26 PM
640
krebs

At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates

The Russian government said today it arrested 14 people accused of working for "REvil," a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victim organizations. The Russian Federal Security Service (FSB) said the actions were taken in response to a...

6.7AI Score

2022-01-14 10:41 PM
15
threatpost

Real Big Phish: Mobile Phishing & Managing User Fallibility

According to a recent survey from Ivanti, nearly three-quarters (74 percent) of IT professionals reported that their organizations have fallen victim to a phishing attack – and 40 percent of those happened in the last month alone. Increasingly, mobile phishing is the culprit. What’s more, nearly...

0.1AI Score

2022-01-14 04:43 PM
12
krebs

Who is the Network Access Broker ‘Wazawaka?’

In a great many ransomware attacks, the criminals who pillage the victim's network are not the same crooks who gained the initial access to the victim organization. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman...

6.9AI Score

2022-01-12 05:17 AM
34
cnvd

Changsha Mito Information Technology Co., Ltd. has a file upload vulnerability in MetInfo (CNVD-2022-08512)

MetInfo is an enterprise website building system developed in php MySQL. Changsha Mito Information Technology Co., Ltd MetInfo has a file upload vulnerability, which can be exploited by attackers to gain control of the...

2.8AI Score

2022-01-11 12:00 AM
13
githubexploit

Exploit for Missing Authorization in Gin-Vue-Admin Project Gin-Vue-Admin

Gin-Vue-admin vertical privilege escalation vulnerability and code analysis - CVE-2022-21660 1. Foreword...

8.1CVSS

-0.3AI Score

0.001EPSS

2022-01-10 05:50 AM
264
cnvd

Metersphere has a command execution vulnerability

MeterSphere is a one-stop open source continuous testing platform covering test tracking, interface testing, performance testing, team collaboration and other functions, compatible with JMeter and other open source standards, effectively helping development and testing teams to make full use of...

2.2AI Score

2022-01-10 12:00 AM
10
githubexploit

Exploit for Improper Input Validation in Microsoft

NoPacScan NoPacScan is a CVE-2021-42287/CVE-2021-42278...

8.4AI Score

2022-01-07 11:59 AM
142
osv

Wechat-php-sdk is affected by a Cross Site Scripting vulnerability.

Wechat-php-sdk v1.10.2 is affected by a Cross Site Scripting (XSS) vulnerability in...

6.1CVSS

1.8AI Score

0.001EPSS

2022-01-07 12:00 AM
20
Total number of security vulnerabilities: 8399