Recently, an SPIP vulnerability affecting one of the default installed plugins (porte_plume) was disclosed without a CVE. SPIP installs saw widespread exploitation last year with CVE-2023-27372, so we figured this one would likely get abused too. VulnCheck CNA assigned CVE-2024-7954, and the team developed an exploit, a version scanner, network signatures, a pcap, and Shodan/Censys queries.
The team added an exploit, a pcap, and signatures for an SQL injection in Fortra's FileCatalyst Workflow product. Managed file transfer (MFT) products have been popular targets in recent years and have been at the center of a number of high-profile compromises, so the team tracks them closely. The exploit creates an administrator account with user-supplied credentials. The team built it from first principles (code analysis), which yielded a minimal exploit against an endpoint that no public exploit has used.
This vulnerability is a little off the beaten path. The team was reviewing Qualys's 21Nails Exim advisory from a few years back (there are 3 million Exim servers online right now, so it is worth getting a grasp on what might be lurking out there) and noticed a reference to chaining one of the authenticated exploits with this authentication bypass, discovered and reported by well-known researcher Orange Tsai.
The bypass affects deployments with the SPA authenticator enabled. A remote attacker controls an offset used in a pointer addition, which lets them bypass authentication by rolling a parameter passed to memcmp up the stack to another address. The team delivered vulnerable Docker containers (aarch64 and amd64), an exploit, a version scanner (which also filters for the specific configuration), a pcap, and a Suricata rule, along with Shodan and Censys queries.
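The bug class described above, modelled as an added example written for this note (it is not Exim's auth_spa code and not the team's exploit). Assumptions that are mine rather than the page's: the message layout (a 2-byte little-endian offset followed by a 24-byte response), the toy derivation of the expected response, and a single flat array standing in for the stack frame so that the server-computed expected value sits right after the message copy. In the real target the frame layout is whatever the compiler produced; the point is the same: an unchecked offset lets the attacker steer the "response" pointer onto the expected value, so memcmp compares that value with itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class, not Exim's code: a challenge/response
 * check where an attacker-controlled offset selects where the "response"
 * lives, and the server-computed expected value sits higher up the same
 * stack frame. One flat array stands in for the frame so that the pointer
 * arithmetic stays well defined in the demo. */
#define MSG_MAX   64            /* bytes of client message kept on the stack */
#define RESP_LEN  24            /* length of the response being compared */
#define FRAME_LEN (MSG_MAX + RESP_LEN)

/* frame[0..MSG_MAX)        : copy of the client message
 * frame[MSG_MAX..FRAME_LEN): server-computed expected response */
#define FRAME_MSG(frame)      ((frame))
#define FRAME_EXPECTED(frame) ((frame) + MSG_MAX)

/* Toy derivation of the expected response from a shared secret (assumption:
 * NOT NTLM/SPA, just a deterministic stand-in so the demo runs offline). */
static void compute_expected(const uint8_t *secret, size_t secret_len,
                             uint8_t out[RESP_LEN]) {
    for (size_t i = 0; i < RESP_LEN; i++)
        out[i] = (uint8_t)(secret[i % secret_len] ^ (uint8_t)(0x5a + i));
}

/* Constructed message layout: bytes 0-1 hold a little-endian offset of the
 * response inside the message; RESP_LEN response bytes follow at that offset. */
static uint16_t read_offset(const uint8_t *msg) {
    return (uint16_t)(msg[0] | (msg[1] << 8));
}

/* Vulnerable check: the offset is trusted, so `resp` can be rolled past the
 * message into the expected-response area and memcmp compares the expected
 * value with itself. Returns 1 on "authenticated", 0 otherwise. */
int spa_check_vulnerable(uint8_t *frame, size_t msg_len,
                         const uint8_t *secret, size_t secret_len) {
    (void)msg_len;                                 /* never consulted */
    compute_expected(secret, secret_len, FRAME_EXPECTED(frame));
    const uint8_t *resp = FRAME_MSG(frame) + read_offset(FRAME_MSG(frame));
    return memcmp(resp, FRAME_EXPECTED(frame), RESP_LEN) == 0;
}

/* Hardened check: the response must lie entirely inside the bytes that were
 * actually received, so the pointer can never leave the message. */
int spa_check_fixed(uint8_t *frame, size_t msg_len,
                    const uint8_t *secret, size_t secret_len) {
    if (msg_len < 2 || msg_len > MSG_MAX) return 0;
    size_t off = read_offset(FRAME_MSG(frame));
    if (off < 2 || off + RESP_LEN > msg_len) return 0;   /* bounds check */
    compute_expected(secret, secret_len, FRAME_EXPECTED(frame));
    return memcmp(FRAME_MSG(frame) + off, FRAME_EXPECTED(frame), RESP_LEN) == 0;
}

/* Attacker message: offset == MSG_MAX, response bytes are garbage. */
size_t build_bypass_msg(uint8_t *frame) {
    memset(FRAME_MSG(frame), 0x41, MSG_MAX);
    FRAME_MSG(frame)[0] = MSG_MAX & 0xff;
    FRAME_MSG(frame)[1] = (MSG_MAX >> 8) & 0xff;
    return MSG_MAX;
}

/* Legitimate message: correct response at offset 2. */
size_t build_valid_msg(uint8_t *frame, const uint8_t *secret, size_t secret_len) {
    memset(FRAME_MSG(frame), 0, MSG_MAX);
    FRAME_MSG(frame)[0] = 2;
    FRAME_MSG(frame)[1] = 0;
    compute_expected(secret, secret_len, FRAME_MSG(frame) + 2);
    return 2 + RESP_LEN;
}

int main(void) {
    uint8_t frame[FRAME_LEN];
    const uint8_t secret[] = "hunter2";           /* constructed shared secret */
    size_t sl = sizeof(secret) - 1;

    size_t n = build_bypass_msg(frame);
    printf("bypass msg: vulnerable=%d fixed=%d\n",
           spa_check_vulnerable(frame, n, secret, sl),
           spa_check_fixed(frame, n, secret, sl));

    n = build_valid_msg(frame, secret, sl);
    printf("valid msg:  vulnerable=%d fixed=%d\n",
           spa_check_vulnerable(frame, n, secret, sl),
           spa_check_fixed(frame, n, secret, sl));
    return 0;
}
```

Build with `cc -o spa_demo spa_demo.c` and run it: the garbage-filled bypass message authenticates against the vulnerable check and is rejected by the fixed one, while a legitimate message passes both. The fix is the usual one for this class: validate every attacker-supplied offset and length against the number of bytes actually received before it feeds a pointer addition.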
Added tracking for Aurora Stealer, an infostealer written in Go that was highly prevalent in 2023. The code, originally sold on the dark web, is now available on GitHub.