Critics Mastodon “TootRoot” Vulnerability Allows Server Hijacking

Critics Mastodon “TootRoot” Vulnerability Allows Server Hijacking

Mastodon is an open-source self-hosted social networking service company that is maintained as a non-profit. The platform is similar to Twitter, with a lot more features, and is privacy-focused.

It works as a federated model with contributors from all over the world, and its repository rests on GitHub.

Read moreBuilding cyber skills and roles from CyBOK foundations

Mastodon was launched in 2016 by its creator Eugen Rochko. However, it gained extreme popularity only after the acquisition of Twitter by Elon Musk in 2022. The platform has 1.8 million active users, as posted d by its creator.

Image: Eugen Rochko posting about 1.8 million active users

Critical “TootRoot” Vulnerability

As per reports, Mastodon has recently fixed five high, moderate, and critical severity vulnerabilities which posed a potential threat to the platform. Most critical one of them was called “TootRoot” in which threat actors can create a backdoor on the servers by sending crafted media files.

Read moreAccessibility as a cyber security priority

These media files cause the media processing code to create arbitrary files on any location on the server. This functionality can be exploited by threat actors to create a web shell on the server that acts as a backdoor. 

An Individual security researcher Kevin Beaumont investigated this vulnerability and posted about the severity of this vulnerability. This vulnerability has the CVE as CVE-2023-36460.

Kevin Beaumont about CVE-2023-36460

Other Vulnerability Patches

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

In addition to this, four other vulnerabilities were patched which include, 

Blind LDAP injection in login allows the attacker to leak arbitrary attributes from the LDAP database 

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

XSS through oEmbed preview cards 

Denial of Service through slow HTTP responses

Read moreS3 Ep135: Sysadmin by day, extortionist by night

Verified profile links can be formatted in a misleading way

Few of these were found during penetration testing by the Cure53 team. The penetration testing was initiated by Mozilla.

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

These vulnerabilities need to be fixed from the server side hence, individual users don’t have any action to perform other than check if the servers are patched to the latest version.

These vulnerabilities are fixed in the 3.5.9, 4.0.5, and 4.1.3 versions of Mastodon.

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

The post Critics Mastodon “TootRoot” Vulnerability Allows Server Hijacking appeared first on Cyber Security News.

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

   Read More 

Cyber Security News 

Related Posts

Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws
Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors.
Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month’s   Read More 

The Hacker News | #1 Trusted Cybersecurity News Site 

Disinformation, crafted by AI. Influence operations in Russia’s hybrid war.
Disinformation, crafted by AI. Influence operations in Russia’s hybrid war.

Disinformation, crafted by AI. Influence operations in Russia’s hybrid war.

AI’s potential to tailor disinformation to individuals. Dealing with dissent, both hard- and anti-war. Cloudy, with a chance of cruise missiles and thermobaric blasts. And also famine. Cyberattacks support influence operations. Staging propaganda in Minecraft.   Read More 

The CyberWire 

AI-Based Brute-Forcing Attack Outperforming Probabilistic Model
AI-Based Brute-Forcing Attack Outperforming Probabilistic Model

AI-Based Brute-Forcing Attack Outperforming Probabilistic Model

[[{“value”:”

Web Vulnerability Assessment and Penetration Testing (Web VAPT) aims to identify vulnerabilities in web apps.

However, current wordlist-based methods are ineffective since directory brute-forcing attacks can establish reachable directories.

Offensive AI is the integration of AI technology to enhance cyber attacks. A new Language Model (LM) framework that the following researchers have proposed here for improving directory enumeration:- 

Alberto Castagnaro from Delft University of Technology

Mauro Conti from University of Padova

Luca Pajola from Spritz Matter Srl

The LM-based attack performed 969% better on average than traditional approaches in experiments on 1 million URLs from different domains.

AI-Based Brute-Forcing Attack

However, ethical hacking with permission is the same as hacking done with malicious intentions, and it helps to discover weaknesses before they are exploited. 

Japanese tech company NEC has developed a way of catching crooks by closely monitoring those using computer networks through the “NEC’s Cyber Attack Alert System.” 

Offensive AI involves blending AI’s flexibility and attack vectors, which enables sophisticated automated threats that analyze data rapidly and evade defenses.

The primary purpose of directory enumeration brute-force attacks is to find hidden files and directories on web servers by sending countless requests with URLs taken from wordlist, reads the report.

The objective is to discover sensitive information, admin interfaces, or the like that could be compromised for unauthorized access in case of misconfiguration. 

These kinds of attacks rely on tools such as DirBuster, wfuzz, and BurpSuite, which use various types of wordlists, such as general, backup-specific, and CMS, to generate URL payloads. 

Choosing the right wordlist is a vital factor in the attack’s success.

Free Webinar | Mastering WAAP/WAF ROI Analysis | Book Your Spot

Automated tools aid in brute-forcing, but selecting an appropriate wordlist specifically designed for targets can determine the number of vulnerabilities uncovered.

Traditional directory brute-forcing using wordlists is inefficient. This work explores probability-based, and Language Model approaches exploiting two key aspects:-

Prior knowledge from similar web apps is used to guide requests. Adaptive Decision-Making to dynamically generate URLs during the attack. 

Prediction of the next directory from our LM-based architecture (Source – Arxiv)

Two techniques are proposed: a Weighted Training Tree combining paths across multiple web apps with node weights indicating frequency and a Weighted Wordlist Tree pruned from a general wordlist based on the training data.

The probabilistic method uses a max heap ordered by the probabilities of words being valid subdirectories. This heap is computed on the fly by dividing the weight of each subdirectory by the total weights under that directory.

This uses personalized embeddings trained on corpora to generate URL platforms and avoid pitfalls in probabilistic models underpinning the weighted tree data structure.

So, instead of brute-forcing current directories, one may consider some ways to utilize prior knowledge while employing LM approaches grounded in probability theory.

On average, LM-based attacks outperformed brute force by 969%, while probabilistic models worked better for stealthy attacks when limited request budgets were accounted for.

Cross-lingual transfer may more effectively preserve contextuality when different languages transpose directory predictions.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.

The post AI-Based Brute-Forcing Attack Outperforming Probabilistic Model appeared first on Cyber Security News.

“}]]   Read More 

Cyber Security News