CVE-2018-6460
Published 2018-01-31
Priority: P260 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 11.18% (95.4th percentile)
Hotspot Shield runs a web server on the static IP address 127.0.0.1, port 895. The web server uses JSONP and hosts sensitive information, including configuration. User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, which VPN they are connected to, and their real IP address.
Detection & IOCs
- Monitor for HTTP requests to localhost port 895 targeting /status.js, particularly those containing the JSONP callback parameter 'func=$_APPLOG.Rfunc', which is the exploitation payload for this information disclosure vulnerability.
- Detect browser-side exploitation attempts via JavaScript that dynamically inject a <script> tag with src pointing to http://127.0.0.1:895/status.js, which is indicative of a cross-origin JSONP data exfiltration attack against Hotspot Shield.
- The vulnerable endpoint is only reachable via localhost (127.0.0.1:895), meaning exploitation requires the attacker to deliver malicious JavaScript to the victim's browser (e.g., via a malicious webpage), rather than direct remote network access.
- The attack leverages JSONP (unauthenticated, no CORS restriction) to exfiltrate data; detection on the network layer alone may be insufficient since the request originates from the local browser.
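The two monitoring points listed above, written as detection logic in Python. This is an added example, not part of the original page or of any vendor tooling; the record shape (method, URL, body), the `localhost` alias, the identifier-only callback rule and all function names are assumptions, and the sample data is constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}  # "localhost" alias is an assumption
PORT, PATH = 895, "/status.js"               # listener and endpoint named on the page
# Assumed rule: a benign JSONP callback is a plain identifier, nothing else.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
SCRIPT_SRC = re.compile(r"""<script[^>]+src\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample records: (method, url, body) as endpoint telemetry might log them.
SAMPLE_REQUESTS = [
    ("GET", "http://127.0.0.1:895/status.js", ""),
    ("POST", "http://127.0.0.1:895/status.js", "func=%24_APPLOG.Rfunc"),
    ("GET", "http://localhost:895/status.js?func=%24_APPLOG.Rfunc", ""),
    ("GET", "http://127.0.0.1:8080/status.js?func=cb", ""),
]
# Constructed DOM snapshot of a page that pulls the endpoint in as a script.
SAMPLE_HTML = ('<script src="/app.js"></script>'
               '<script src="http://127.0.0.1:895/status.js?func=%24_APPLOG.Rfunc"></script>')


def targets_status_endpoint(url):
    """True when the URL points at the loopback /status.js listener."""
    try:
        parts = urlsplit(url)
        return (parts.hostname in LOOPBACK_HOSTS and parts.port == PORT
                and parts.path.lower() == PATH)
    except ValueError:  # malformed port or host in the logged URL
        return False


def classify_request(method, url, body=""):
    """Return None, 'status-access' or 'callback-abuse' for one logged request."""
    if not targets_status_endpoint(url):
        return None
    funcs = parse_qs(urlsplit(url).query).get("func", [])
    if method.upper() == "POST":  # the page describes func arriving in a POST
        funcs += parse_qs(body).get("func", [])
    if any(not SAFE_CALLBACK.match(f) for f in funcs):
        return "callback-abuse"
    return "status-access"


def script_tags_to_endpoint(html):
    """List <script src> values in a page or DOM snapshot that hit the endpoint."""
    return [s for s in SCRIPT_SRC.findall(html) if targets_status_endpoint(s)]
```

Because `parse_qs` percent-decodes values, the encoded and literal forms of the callback are classified the same way.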
CVSS provenance
- nvd · v3.0 · 7.5 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Unit42
Personal VPN and Its Evasions: Risk Factors and How to Maintain Network Visibility
blogs_unit42·2021-08-17
## Executive Summary
Organizations are facing an increase in obfuscation behavior from on-site and remote employees attempting to bypass proxy servers to hide their online activities or exfiltrate data without detection. For example, an employee might use the “incognito” mode, download a personal virtual private network (VPN) or the Tor browser, or bypass the corporate VPN. In those cases, the information security team (InfoSec) needs complete network visibility to determine if that employee is solely guarding their own privacy, masking behavior that breaks organization policies or attempting to cover an attack.
Personal VPN services promise to enable secure, encrypted tunnels for user traffic. They provide services that prevent others from seeing through these tunnels by encrypting the
By Saeed Abbasi and Kirti Parekh
Published: August 16, 2021