CVE-2024-24809 (two different path traversals) and CVE-2024-31214 (unrestricted file upload) form a bug chain affecting Traccar (fleet tracking/GPS software). We consider this a high-value exploit chain because it could create a pivot into a mid-size or larger business, and there are more than 10,000 Traccar servers visible on Censys.
Public exploits for this chain are restricted to Linux distributions that allow the double-quote (") character in filenames under /etc/cron.d (so Red Hat-based systems). Debian-based systems ignore files in /etc/cron.d whose names contain a period (.) or a double-quote (") character, which greatly diminishes the value of the exploit chain. However, the team developed an additional exploit that works on all Linux variants by using /etc/udev/rules.d/ instead. All told, for this bug chain, the team developed a version scanner, two unique exploits, four network signatures, a vulnerable Docker image, and Censys/GreyNoise/Shodan queries.
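As an added defensive example (not VulnCheck's or Traccar's own code), the audit below lists entries in /etc/cron.d and /etc/udev/rules.d that a file-write primitive like the one described would leave behind: names outside the loader's accepted pattern, non-root ownership, or loose permissions. The strict run-parts name rule used for cron.d is an assumption that simplifies Debian's actual checks; a name containing "." or a double quote fails it, as the text describes.

```python
import os
import re
import stat
from typing import Callable, Dict, List

# Strict run-parts naming rule applied by Debian cron to /etc/cron.d entries
# (assumption: simplified; names containing '.' or '"' fail it, as described above).
RUN_PARTS_NAME = re.compile(r"^[A-Za-z0-9_-]+$")
# udev only loads files ending in ".rules" from /etc/udev/rules.d.
UDEV_NAME = re.compile(r"^[^/]+\.rules$")


def audit_dropin_dir(directory: str, name_ok: Callable[[str], bool],
                     expected_uid: int = 0) -> Dict[str, List[str]]:
    """Return {filename: [reasons]} for entries that look out of place in a
    drop-in directory: odd names (typical of a traversal write that the loader
    may or may not honour), wrong owner, non-regular files, or group/world-
    writable permissions. Entries with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        reasons = []
        if not stat.S_ISREG(st.st_mode):
            reasons.append("not a regular file")
        if not name_ok(name):
            reasons.append("name outside the loader's accepted pattern")
        if st.st_uid != expected_uid:
            reasons.append(f"owner uid {st.st_uid} != {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group- or world-writable")
        if reasons:
            findings[name] = reasons
    return findings


def audit_cron_d(directory: str = "/etc/cron.d", expected_uid: int = 0) -> Dict[str, List[str]]:
    return audit_dropin_dir(directory, lambda n: bool(RUN_PARTS_NAME.match(n)), expected_uid)


def audit_udev_rules(directory: str = "/etc/udev/rules.d", expected_uid: int = 0) -> Dict[str, List[str]]:
    return audit_dropin_dir(directory, lambda n: bool(UDEV_NAME.match(n)), expected_uid)


if __name__ == "__main__":
    for d, fn in (("/etc/cron.d", audit_cron_d), ("/etc/udev/rules.d", audit_udev_rules)):
        if os.path.isdir(d):
            for name, reasons in fn(d).items():
                print(f"{d}/{name}: {'; '.join(reasons)}")
```

On a Red Hat-based host a cron.d entry with a quote in its name is both flagged here and actually executed by cron, so treat such a finding as a priority.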
There was a lot of hype this last week from the infosec community about four vulnerabilities that D-Link said they won't fix:
NVD, unfortunately, has listed three of these as "Unauthenticated RCE", so the team was asked to investigate. The team found not only that all of these are authenticated vulnerabilities, but that they are duplicates of older CVEs. Additionally, those older CVEs have known (authenticated) proof-of-concept exploits. The breakdown goes like this:
Given the nature of these vulnerabilities, we do not plan to create any detection artifacts or exploits. We thought this information would be useful, though.
The team added an exploit, pcap, and signatures for a remote code execution (PHP object injection) in the GiveWP plugin for WordPress. At the time of disclosure, Wordfence noted "over 100,000 active installations." GiveWP allows for the creation of donation forms in WordPress; donation forms are commonly found on public websites. The exploit spawns a reverse shell that connects back to the attacker. Given the amount of attention this vulnerability has received, we anticipate that it will eventually be added to VulnCheck KEV.
We are now tracking a cluster of IPs associated with a SLOW#TEMPEST phishing campaign. They are utilizing a tool called DayBreak, which we are now also tracking: a Chinese "breach and attack simulation" tool that has a C2 component.