An arbitrary file upload vulnerability in the upload payment plugin of ShopXO v1.9.0 allows attackers to execute arbitrary code via uploading a crafted PHP file.
Category Archives: Advisories
CVE-2020-26008
The PluginsUpload function in application/service/PluginsAdminService.php of ShopXO v1.9.0 contains an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via uploading a crafted PHP file.
dotnet3.1-3.1.417-1.fc34
FEDORA-2022-d28042f559
Packages in this update:
dotnet3.1-3.1.417-1.fc34
Update description:
This is the March 2022 update for .NET Core 3.1: SDK 3.1.417 and Runtime 3.1.23
Release notes: https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.23/3.1.23.md
This includes fixes for CVE-2022-24464, CVE-2022-24512 and CVE-2020-8927
dotnet3.1-3.1.417-1.fc35
FEDORA-2022-5ecee47acb
Packages in this update:
dotnet3.1-3.1.417-1.fc35
Update description:
This is the March 2022 update for .NET Core 3.1: SDK 3.1.417 and Runtime 3.1.23
Release notes: https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.23/3.1.23.md
This includes fixes for CVE-2022-24464, CVE-2022-24512 and CVE-2020-8927
dotnet3.1-3.1.417-1.fc36
FEDORA-2022-9e046f579a
Packages in this update:
dotnet3.1-3.1.417-1.fc36
Update description:
This is the March 2022 update for .NET Core 3.1: SDK 3.1.417 and Runtime 3.1.23
Release notes: https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.23/3.1.23.md
This includes fixes for CVE-2022-24464, CVE-2022-24512 and CVE-2020-8927
New Rootkit Used by UNC2891 for ATM Money Heist
FortiGuard Labs is aware of a report that a threat actor known as UNC2891 used a previously unknown rootkit to capture banking card and PIN verification data from compromised ATM switch servers. The captured data was used to perform fraudulent transactions. Dubbed Caketap, the rootkit allows the threat actor to hide network connections, processes, and files, and install several hooks into system functions to receive commands and configurations from the attacker’s remote server.Why is this Significant?This is significant because the previously unknown Caketap rootkit deployed by the threat actor for Oracle Solaris systems provides stealth for the attacker’s activities and the data it steals can be used for unauthorized financial transactions. The attacks carried out by UNC2891 are financially motivated and could cause great financial damage to the targeted financial institutions. What is Caketap?Caketap is a kernel module rootkit used by UNC2891 on Oracle Solaris systems. The rootkit is used to hide network connections, processes, and files, and install several hooks into system functions to receive commands and configurations from the attacker’s remote server.The rootkit is capable of intercepting certain messages sent for the Payment Hardware Security Module (HSM) in order to disable proper banking card verification and return a valid response to approve fraudulent banking cards. It also examines PIN verification messages. If PIN verification messages are not for a fraudulent banking card, then Caketap does not disrupt valid verification but saves the messages. If Caketap detects PIN verification messages for fraudulent banking cards, it replays the previously saved valid messages for PIN verification bypass.Thales, an HSM vendor, describes the Payment Hardware Security Module (HSM) as “a hardened, tamper-resistant hardware device that is used primarily by the retail banking industry to provide high levels of protection for cryptographic keys and customer PINs used during the issuance of magnetic stripe and EMV chip cards (and their mobile application equivalents) and the subsequent processing of credit and debit card payment transactions”.What is UNC2891?UNC2891 is a threat actor whose main motivation is reportedly for financial gain and has been active for several years. The threat actor is known to not only have extensive knowledge on Oracle Solaris systems, but also Linux and Unix systems.What Other Tools does UNC2891 Use?The following tools are reported to have been used by the threat actor:SLAPSTICK – the Pluggable Authentication Module (PAM) based backdoorCustom version of TINYSHELL – backdoorSTEELHOUND – in-memory dropperSTEELCORGI – in-memory dropperSUN4ME – toolkits that contains tools to spy on network, host enumeration, exploit known vulnerabilities and wipe logsWINGHOOK – keylogger for Linux and Unix systemsWINGCRACK – utility that is used to decode and display the information collected by WINGHOOKBINBASH – ELF utility that executes a shell after the group ID and user ID are set to either “root” or specified valuesWIPERIGHT – ELF utility for Linux and Unix systems and is used to clear specific logsMIGLOGCLEANER – ELF utility for Linux and Unix systems that is used to wipe logs or remove certain strings from logsWhat is the Status of Coverage?FotriGuard Labs provide the following AV coverage:Linux/Agent.T!tr
CVE-2020-25176
Some commands used by the Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote, unauthenticated attacker to traverse an application’s directory, which could lead to remote code execution.
CVE-2020-25178
ISaGRAF Workbench communicates with Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x using TCP/IP. This communication protocol provides various file system operations, as well as the uploading of applications. Data is transferred over this protocol unencrypted, which could allow a remote unauthenticated attacker to upload, read, and delete files.
CVE-2020-25180
Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x includes the functionality of setting a password that is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the tiny encryption algorithm (TEA) on an entered or saved password. A remote, unauthenticated attacker could pass their own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.
CVE-2020-25182
Rockwell Automation ISaGRAF Runtime Versions 4.x and 5.x searches for and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects ISaGRAF Runtime when running on Microsoft Windows systems.