Security News

"Hack the Planet"

Daily Dave - 20 May, 2021 - 05:10

Posted by Dave Aitel via Dailydave on May 20

Ok y'all - you're letting me down. There's a thousand ways you and your
friends can use 10k to improve the world - engineering a solution nobody
would pay for because it's not something you can put at a booth at RSAC.

EVERYONE ON THIS LIST needs to either submit for a grant, or find someone
who will submit for a grant. You're telling me not one of those
superhackers at Microsoft and Google can find a...

Backdoor.Win32.RMFdoor.c / Authentication Bypass RCE

Full Disclosure - 18 May, 2021 - 22:12

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/5e2e6ca532c20ee6a59861d936df7076.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.RMFdoor.c
Vulnerability: Authentication Bypass RCE
Description: The malware listens on TCP ports 21, 14920. Attackers who can
reach infected systems can log on using any username/password combination.
Intruders may then upload...

Backdoor.Win32.Psychward.ds / Weak Hardcoded Password

Full Disclosure - 18 May, 2021 - 22:12

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/9e22514c9b0e74c7fcb07b7c091f6123.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Psychward.ds
Vulnerability: Weak Hardcoded Password
Description: The malware listens on TCP port 9878 and requires a password
for remote user access. However, the backdoor's password "nivag" is weak and
hardcoded in...

Backdoor.Win32.Psychward.c / Unauthenticated Remote Command Execution

Full Disclosure - 18 May, 2021 - 22:12

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/f60a8d71a822e0e485f22ada8f26c31e.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Psychward.c
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP port 33777. Remote attackers who
can reach infected systems can execute commands made available by the
backdoor.
Type: PE32...

Defense in depth -- the Microsoft way (part 77): access without access permission

Full Disclosure - 18 May, 2021 - 12:33

Posted by Stefan Kanthak on May 18

Hi @ll,

the following is a substantially shortened version of
<https://skanthak.homepage.t-online.de/quirks.html#quirk15> and
<https://skanthak.homepage.t-online.de/quirks.html#quirk16>

Windows NT supports access control for (almost) all its objects,
<https://technet.microsoft.com/en-us/library/cc781716.aspx>
"How Security Descriptors and Access Control Lists Work" and
<...

Backdoor.Win32.Delf.aez / Unauthenticated Remote Command Execution

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/be4a6274679ca966a1d99140db54c25a.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Delf.aez
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on several TCP ports and accepts
unauthenticated commands on ports 53187 and 53184. Commands are in Polish,
e.g. Wylogowuj translated is...

Backdoor.Win32.DarkMoon.a / Insecure Transit

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/7361fe3620fb6e18467c8e15e224b0b8_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.DarkMoon.a
Vulnerability: Insecure Transit
Description: Dark Moon v1 client by Shukisnike sends cleartext passwords
over the network. The malware's traffic uses a caret '^' symbol surrounding
the password, making it easy...

Backdoor.Win32.DarkMoon.a / Weak Hardcoded Password

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/7361fe3620fb6e18467c8e15e224b0b8.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.DarkMoon.a
Vulnerability: Weak Hardcoded Password
Description: Dark Moon v1 client by Shukisnike listens on TCP ports 80,
28888 and stores a weak hardcoded plaintext password within the executable.
Password "fucktheworld"...

Backdoor.Win32.Antilam.14.d / Unauthenticated Remote Command Execution

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/a53351e8fa0cb4f7db3d0250387a0e4f.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Antilam.14.d
Vulnerability: Unauthenticated Remote Command Execution
Description: The malware listens on TCP ports 47891, 29559. Third party
attackers who can reach infected systems can execute commands made
available by the...

Backdoor.Win32.Agent.oda / Remote Stack Buffer Overflow (UDP)

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/380ff48c4a28ac25f5efb630883eeb17.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Agent.oda
Vulnerability: Remote Stack Buffer Overflow (UDP)
Description: The malware drops an executable named "aspimgr.exe" under
SysWOW64 dir, which listens on TCP port 80 and UDP port 53. Third-party
attackers who can...

Backdoor.Win32.Danton.43 / MITM Port Bounce Scan

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/85f7ef2b6b8da9adb7723a13b91ac1c7_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Danton.43
Vulnerability: MITM Port Bounce Scan
Description: The backdoor FTP server listens on TCP port 6974, hardcoding
weak plaintext credentials within the executable. Third-party adversaries
who successfully log on can abuse...

Backdoor.Win32.Danton.43 / Weak Hardcoded Credentials RCE

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/85f7ef2b6b8da9adb7723a13b91ac1c7.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Danton.43
Vulnerability: Weak Hardcoded Credentials RCE
Description: The malware listens on TCP port 6974 and stores several pairs
of weak hardcoded credentials in plaintext within the executable. First
username / password...

Backdoor.Win32.Agent.lyw / Remote Stack Buffer Overflow (UDP)

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/4de6f4104a5fc2185164747a6fcf20ce.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Agent.lyw
Vulnerability: Remote Stack Buffer Overflow (UDP)
Description: The malware drops an executable named "aspimgr.exe" under
SysWOW64 dir, which listens on TCP port 80 and UDP port 53. Third-party
attackers who can...

Backdoor.Win32.Agent.cy / Denial of Service

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/e85a1028a52fcc723353a236ada54fee_C.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Agent.cy
Vulnerability: Denial of Service
Description: The malware listens on TCP port 1111, drops an executable
named "Spoolsw.exe" under SysWOW64 that runs with SYSTEM integrity.
Authenticated intruders can send a 64...

Backdoor.Win32.Agent.cy / Insecure Transit

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/e85a1028a52fcc723353a236ada54fee_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Agent.cy
Vulnerability: Insecure Transit
Description: The malware listens on TCP port 1111, drops an executable
named "Spoolsw.exe" under SysWOW64 that runs with SYSTEM integrity. The
malware passes logon credentials in...

Backdoor.Win32.Agent.cy / Weak Hardcoded Credentials

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/e85a1028a52fcc723353a236ada54fee.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Agent.cy
Vulnerability: Weak Hardcoded Credentials
Description: The malware listens on TCP port 1111, drops an executable
named "Spoolsw.exe" under SysWOW64 dir that runs with SYSTEM integrity. The
password...

Backdoor.Win32.Delf.abb / Insecure Transit

Full Disclosure - 18 May, 2021 - 12:33

Posted by malvuln on May 18

Discovery / credits: Malvuln - malvuln.com (c) 2021
Original source:
https://malvuln.com/advisory/2910c3bea6732d5ed81a7c44d4354136.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Delf.abb
Vulnerability: Insecure Transit
Description: The malware listens on TCP ports 1988 and 2111 but message
exchange takes place on port 1988. The backdoor uses unencrypted plaintext
socket communication allowing anyone who can...

NiceHash Miner Excavator API Cross-Site Request Forgery

Full Disclosure - 18 May, 2021 - 12:24

Posted by Harry Sintonen via Fulldisclosure on May 18

NiceHash Miner Excavator API Cross-Site Request Forgery
=======================================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/nicehash-miner-excavator-api-csrf.txt

Overview
--------

NiceHash Miner Excavator plugin contains a vulnerability that enables any external
web site to send commands to the local miner instance, and to redirect the mined
coins to arbitrary mining...

(u)rxvt terminal (+bash) remoteish code execution 0day

Full Disclosure - 18 May, 2021 - 12:23

Posted by def on May 18

#!/usr/bin/env python
# Title: rxvt (remote) code execution over scp with $SHELL=/bin/bash (0day)
# Version: rxvt 2.7.10, rxvt-unicode 9.22
# Author: def <def () huumeet info>
# Date: 2021-05-16
# CVE: N/A
#
#------------------------------------------------------------------------------
# (U)RXVT VULNERABILITY
#
# In rxvt-based terminals, ANSI escape sequence ESC G Q (\eGQ, \033GQ, \x1bGQ)
# queries the availability of graphics and the...

[CFP]: 2nd Joint Workshop on CPS&IoT Security and Privacy (CPSIoTSec 2021)

Full Disclosure - 18 May, 2021 - 12:20

Posted by Call For Papers CPSIOTSEC21 on May 18

---------------------------------------------------------------------------------------------------------------
Call For Papers

2nd Joint Workshop on CPS&IoT Security and Privacy (CPSIoTSec 2021)

Seoul, South Korea, November 15 (Monday), 2021

URL: https://cpsiotsec.github.io

co-located with the ACM Conference on Computer and Communications
Security (ACM CCS 2021)...