Getting RCE via Worst Fit 🤦

If you watched the Black Hat talk from Orange Tsai and Splitline last week in London, you might have found yourself shocked to see that a code snippet like the one below can lead to RCE.

Why can this be hacked? 🤔

Well, because you can inject double quotes... But can you? Not really, because 'subprocess.run()' would handle them securely. What you can do instead though is inject the odd fullwidth quotation mark: ＂

This shouldn't be a problem because surely shells wouldn't interpret this, right?

Wrong. Since Windows historically stores a lot of things, like cmdlines, environment variables, etc., in both ANSI and UTF-16, we run into a problem... How can you represent a value in ANSI if that value doesn't actually exist in the character set?

Meet "Best Fit". Which converts certain UTF-16 characters to similar-looking ANSI characters (such as converting a ∞ to an 8. Or converting a ¥ to a backslash. Or converting a ＂to a normal double quote).

This means that you can pwn this code snippet by injecting something like:

＂ --use-askpass=calc ＂

This pops calculator.

If you want to play around a bit with this, you may want to check out this PoC that I've created: https://lnkd.in/dBgeFscq

Also, you may want to check out https://worst[.]fit/ which tracks a list of Windows binaries vulnerable to this attack.

The worst part? Microsoft says this isn't a Windows vulnerability while open-source library maintainers say it is. So who is gonna fix it? 🤷‍♂️

Ref: Florian Walter
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🔍 Serbia's #Spyware Scandal: A Deep Dive into the NoviSpy Affair

https://undercodenews.com/serbias-spyware-scandal-a-deep-dive-into-the-novispy-affair/

@Undercode_News

🔴 ColdFusion Improper Access Control (#CVE-2024-20767) - HIGH

https://dailycve.com/coldfusion-improper-access-control-cve-2024-20767-high/

@DailyCVE

🔴 #Windows Kernel-Mode Driver Elevation of Privilege Vulnerability (#CVE-2024-XXXX) (Critical)

https://dailycve.com/windows-kernel-mode-driver-elevation-of-privilege-vulnerability-cve-2024-xxxx-critical/

@Daily_CVE

Winnti Group's Glutton: A Multi-Layered PHP Backdoor with a Twist

https://undercodenews.com/winnti-groups-glutton-a-multi-layered-php-backdoor-with-a-twist/

@Undercode_News

Farewell, Dragon! #SpaceX Cargo Ship Departs Space Station

https://undercodenews.com/farewell-dragon-spacex-cargo-ship-departs-space-station/

@Undercode_News

Dragon Departs the International Space Station: Witness Its Undocking Live on #NASA+!

https://undercodenews.com/dragon-departs-the-international-space-station-witness-its-undocking-live-on-nasa/

@Undercode_News

🚨 Internet-Exposed HMIs: A Growing Threat to Water and Wastewater Systems

https://undercodenews.com/internet-exposed-hmis-a-growing-threat-to-water-and-wastewater-systems/

@Undercode_News

🦑 𝟏𝟎 𝐁𝐥𝐮𝐞 𝐓𝐞𝐚𝐦 𝐓𝐫𝐚𝐢𝐧𝐢𝐧𝐠 𝐅𝐑𝐄𝐄 𝐂𝐨𝐮𝐫𝐬𝐞𝐬

1- Cybersecurity for Students: lnkd.in/g4YmXP9J
2- SOC Fundamentals: lnkd.in/gVfUGNR3
3- Phishing Email Analysis: lnkd.in/giQWrn3a
4- Detecting Web Attacks: lnkd.in/gUTFXRzM
5- Malware Traffic Analysis with Wireshark: lnkd.in/g5Ze-iwU
6- Linux for Blue Team: lnkd.in/gvpWMdea
7-Building a Malware Analysis Lab: lnkd.in/gGXunp4q
8-📊 Splunk for SOC: lnkd.in/gkZMam_n
9-🔐 Introduction to Cryptology: lnkd.in/g3jbE84W
10-💼 Job Hunting: lnkd.in/g9MeH9P7

Ref: Mohamed Hamdi
@UndercodeCommunity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🚨 Rhode Island's RIBridges System Compromised in #Ransomware Attack

https://undercodenews.com/rhode-islands-ribridges-system-compromised-in-ransomware-attack/

@Undercode_News

🛡️ Agile Business, Agile Security: How #AI and Zero Trust Work Together

https://undercodenews.com/agile-business-agile-security-how-ai-and-zero-trust-work-together/

@Undercode_News

🖥️ Beware Graphic Designers: Malicious Ads Targeting You with Fake #Software

https://undercodenews.com/beware-graphic-designers-malicious-ads-targeting-you-with-fake-software/

@Undercode_News

🚨 Iranian Cyberweapon Targets Critical Infrastructure: Decoding the IOCONTROL Threat

https://undercodenews.com/iranian-cyberweapon-targets-critical-infrastructure-decoding-the-iocontrol-threat/

@Undercode_News

🔧 GOWATT MagSafe Dock: A Sleek and Functional Charging Solution

https://undercodenews.com/gowatt-magsafe-dock-a-sleek-and-functional-charging-solution/

@Undercode_News

⚡️ #iOS 183 Beta Released: What's New?

https://undercodenews.com/ios-183-beta-released-whats-new/

@Undercode_News

⚡️ #Apple Releases Beta 1 for visionOS 23, tvOS 183, watchOS 113, and More

https://undercodenews.com/apple-releases-beta-1-for-visionos-23-tvos-183-watchos-113-and-more/

@Undercode_News

🦑Free For You :)) Android SSL Pinning Bypass using Noxer🚨

Automate your Android penetration testing lab setup using Nox Emulator. Noxer is a powerful Python script designed for automating Android penetration testing tasks within the Nox Player emulator. It simplifies setup, enhances stability, manages Frida Server, removes unwanted bloatware, integrates BurpSuite certificates, and much more!

>> DOWNLOAD <<

Clone this repository to your local machine.

git clone https://github.com/AggressiveUser/noxer.git

Navigate to the project directory.

cd noxer

Install the dependencies from the requirements.txt file using pip.

pip install -r requirements.txt

You are now set to run the NOXER script.

python noxer.py

#Android Enterprise: A Catalyst for Modern Workplaces

https://undercodenews.com/android-enterprise-a-catalyst-for-modern-workplaces/

@Undercode_News