Posts

Parse Server DatabaseController RCE Vulnerability

Overview:

  The Parse platform provides SDKs for various environments (Android, iOS, PHP, .NET, …) as well as managed cloud data storage. When building mobile apps, much of the development time goes into managing and scaling the data backend and building out user authentication, push notifications and social media integration. The Parse SDKs and cloud storage let mobile app developers build that functionality quickly and focus their effort on user-facing features.

  Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js:
    • Parse Server uses MongoDB or PostgreSQL as a database.
    • You can deploy and run Parse Server on your own infrastructure.
    • You can develop and test your app locally using Node.

  A prototype pollution vulnerability has been reported in Parse Server. The vulnerability is due to improper input validation in the DatabaseController.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result, in the worst case, in remote code execution.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-24760.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A remote, unauthenticated attacker can use this vulnerability to inject new properties into Object.prototype or to modify existing ones. Because every plain JavaScript object inherits from Object.prototype, the injected properties become visible to code throughout the process. Successful exploitation could result in denial of service, as the software encounters objects with unexpected properties or properties with unexpected values, and in the worst case in the execution of arbitrary code on the target server.

  An attacker could, for instance, leverage the prototype pollution to unlock a code path in the Node.js BSON module that evaluates arbitrary JavaScript code. MongoDB uses the BSON format for storing data internally and for transmitting it over the network. The name “BSON” is derived from JSON and stands for “Binary JSON”. It is a binary form for representing simple or complex data structures, including associative arrays (name-value pairs), integer-indexed arrays and a suite of fundamental scalar types. The BSON format also includes a Code data type for storing JavaScript code. Such an object can be stored in Parse Server by sending the following HTTP request:

  When the object is later retrieved from Parse Server via an HTTP GET request, it is deserialized by the function deserializeObject() in lib/bson/parser/deserializer.js of the Node.js BSON module. On encountering a Code data type the function takes one of two code paths, depending on the value of the boolean option options['evalFunctions']. By default this property is undefined and the function returns a string containing the JavaScript code; if options['evalFunctions'] is true, however, the function evaluates the JavaScript code and returns its result. Because the options object is a plain object that inherits from Object.prototype, an attacker who pollutes Parse Server by injecting the property Object.prototype.evalFunctions unlocks the second code path and gains code execution on the server.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker first stores a crafted object on the target server, then updates that object using an update operator. The vulnerability is triggered when the target server processes the update request.
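  The two steps above, as an added example that is not code from Parse Server or from the bson module: a naive recursive merge of client-supplied update data (the kind of operation an update operator performs) beside a hardened version, and a stand-in for the deserializer's decision on a Code value that keys off options['evalFunctions']. The function names, the crafted payload and the stored object are constructed for illustration; the merge functions are simplified models, not the DatabaseController's own logic.

```javascript
// Added example, not Parse Server or bson code. Function names, the payload
// and the stored object are constructed for illustration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable: descends into any nested key. For the key "__proto__",
// target[key] resolves through the inherited accessor to Object.prototype, so
// the nested assignment lands on the shared prototype, not on the target.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: rejects prototype-related keys at every depth and only descends
// into the target's own properties, so no write can reach the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected update key: ${key}`);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Stand-in for the deserializer's decision on a BSON Code value (simplified;
// the real logic lives in the bson module). Callers normally pass a fresh
// options object, so anything inherited from Object.prototype leaks in here.
function codePathForCode(options = {}) {
  return options.evalFunctions ? 'eval' : 'string';
}

// Constructed attacker payload, shaped like the JSON body of an update
// request. JSON.parse creates "__proto__" as an ordinary own property.
const craftedUpdate = JSON.parse('{"score": 1, "__proto__": {"evalFunctions": true}}');

// Applies the crafted update with the given merge strategy and reports what a
// later deserialization would see. Any pollution is undone before returning.
function demonstrate(mergeFn) {
  const stored = { objectId: 'abc123', score: 0 };   // constructed stored object
  let rejected = false;
  try {
    mergeFn(stored, craftedUpdate);
  } catch (err) {
    rejected = true;
  }
  const result = {
    rejected,
    polluted: Object.prototype.hasOwnProperty('evalFunctions'),
    pathTaken: codePathForCode({}),                   // a brand-new options object
  };
  delete Object.prototype.evalFunctions;              // clean up for the next run
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive merge:', demonstrate(naiveMerge));
  console.log('safe merge: ', demonstrate(safeMerge));
}
```

  With the naive merge, an options object created afterwards with a plain {} already reports evalFunctions as true, which is exactly how a property injected through one request reaches an unrelated deserialization later. The hardened merge both rejects the key and checks own properties, so a client cannot steer the walk onto the prototype chain.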

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2653 Parse Server Prototype Pollution RCE

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Mental health survey drops a Remote Access Trojan

This week the SonicWall Capture Labs Research team came across a malicious document template that delivers a remote access Trojan to unsuspecting victims. It is disguised as a mental health survey and silently drops the RAT in the background.


Infection Cycle:

The file is a Microsoft Word template with a .dotm extension. Once opened in Word it displays a seemingly benign survey on mental health.

It creates a file in the following directory:

  • /ProgramData/C0E2/RingBell.zip     [Detected as: Crimson.RAT]

It then executes that file, which carries out the malicious behaviour.

It spawns the legitimate application fondue.exe to perform system reconnaissance, for example:

  • checking the computer name
  • finding out the system languages
  • checking numerous security settings, if available on the system

No network activity was observed during analysis; however, the Trojan carries a hardcoded C&C server in its strings.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.APT (Trojan)
  • GAV: Crimson.RAT (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

WSO2 API Manager RCE Vulnerability

Overview:

  WSO2 offers a platform of middleware products for agile integration, application programming interface (API) management, identity and access management, and smart analytics.

  A directory traversal vulnerability has been reported in WSO2 API Manager. The vulnerability is due to improper validation of file names.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to the target server containing a crafted “filename” and/or “name” parameter. Successful exploitation could result in a web shell being written to an attacker-chosen location, leading to remote code execution under the security context of the user running the vulnerable application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-29464.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When an HTTP request is made to the “/fileupload” endpoint, the execute() method of the CarbonXml FileUpload ExecHandler is triggered, which iterates over the actions defined in the XML configuration. If a match is found, the executeGeneric() method of the associated executor class is invoked. In the case of ToolsAnyFileUploadExecutor, the implementation in the parent class, AbstractFileUploadExecutor, is called. This method parses the request parameters by calling parseRequest(), and then writes the file by calling execute(). parseRequest() reads the names and values of the files included in the multipart/form-data request. execute() then iterates over the parsed files and, for each one, constructs a File object from the service upload directory and the name of the file parameter.

  However, the code fails to sanitize directory traversal sequences from the parameter name. This allows files to be created or overwritten outside the service upload directory, which leads to arbitrary file write and arbitrary code execution. For example, an attacker can upload a JSP file into the webapps directory of the Tomcat server that implements the web-based interface; requesting that JSP through the web interface then executes arbitrary Java code.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 9837 Web Application Suspicious File Upload 2

  • IPS: 15759 WSO2 Products Unrestricted File Upload

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version or by applying the vendor supplied patch.
    • Filtering traffic based on the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

VMware Workspace ONE Access & Identity Manager (vIDM) RCE Vulnerability

Overview:

  VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation and VMware Cloud Foundation contain a remote code execution vulnerability due to server-side template injection. A remote, unauthenticated attacker can exploit it by sending crafted requests to the server. A successful injection results in remote code execution (RCE), which could lead to information disclosure, addition or modification of data, or denial-of-service conditions. VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-22954.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.8 (E:X/RL:X/RC:X), based on the following metrics:
    • The exploit code maturity level of this vulnerability is not defined.
    • The remediation level of this vulnerability is not defined.
    • The report confidence level of this vulnerability is not defined.

  CVSS Calculator Metrics

Technical Overview:

  Server-side template injection (SSTI) occurs whenever user input is concatenated directly into a template rather than passed to the template engine as data. An attacker can then inject arbitrary template directives and have the engine execute them.

  Through such directives an attacker can execute commands and launch reverse shell payloads, resulting in remote code execution and complete control of the server.

  The URL-encoded string passed as the value of the “deviceUdid” parameter is:

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.
  • The target must have network connectivity to the attacker controlled server.

Triggering Conditions:

  The vulnerability is triggered when the target receives the maliciously crafted request shown below.

  Vulnerable Versions:
    VMware Workspace ONE Access Appliance – 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    VMware Identity Manager Appliance – 3.3.6, 3.3.5, 3.3.4, 3.3.3

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • SSL/TLS

  Client GET Request Below:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2642 VMware Workspace ONE Access Server Side Template Injection 1
  • IPS: 2649 VMware Workspace ONE Access Server Side Template Injection 2
  • IPS: 2651 VMware Workspace ONE Access Server Side Template Injection 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Detecting and blocking malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

"TargetCompany" ransomware directed at Carone & Company Inc.

The SonicWall Capture Labs threat research team has observed reports of ransomware which, in the antivirus community, goes by the name TargetCompany. The malware surfaced in June 2021. The current variant that we have obtained is aimed at infecting a construction management company called Carone & Company. Ransom payment and negotiation is initiated via a Tor site run by the attackers.

Infection Cycle:

Upon execution, files on the system are encrypted. Each encrypted file is given a “.carone” file extension.

The following command prompt window appears during the file encryption process:

A file named “How to decrypt files.txt” is dropped into each directory containing encrypted files.

“How to decrypt files.txt” contains the following message:

The malware executable is not packed. It is written in C and is easy to decompile. Decompilation reveals that the following file types are targeted for encryption:

The following registry entries are deleted if they are present:

After encrypting files on the local file system, files on any attached storage shares are targeted:

The Tor link from the ransom message leads to the following page:

After filling out the form with the ID and email address, we were contacted via email:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: TargetCompany.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for April 2022

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2022. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2022-24474 Windows Win32k Elevation of Privilege Vulnerability
ASPY 315: Malformed-File exe.MP_249

CVE-2022-24481 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 316: Malformed-File exe.MP_250

CVE-2022-24491 Windows Network File System Remote Code Execution Vulnerability
IPS 81080: Malformed RPC Portmapper Request 2

CVE-2022-24497 Windows Network File System Remote Code Execution Vulnerability
IPS 81090: Malformed RPC Portmapper Request 3

CVE-2022-24521 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 310: Malformed-File exe.MP_244

CVE-2022-24542 Windows Win32k Elevation of Privilege Vulnerability
ASPY 317: Malformed-File exe.MP_251

CVE-2022-24546 Windows DWM Core Library Elevation of Privilege Vulnerability
ASPY 313: Malformed-File exe.MP_247

CVE-2022-24547 Windows Digital Media Receiver Elevation of Privilege Vulnerability
ASPY 312: Malformed-File exe.MP_246

CVE-2022-26809 Remote Procedure Call Runtime Remote Code Execution Vulnerability
IPS 15757: RPC Microsoft RPC Runtime Remote Code Execution (CVE-2022-26809)

CVE-2022-26904 Windows User Profile Service Elevation of Privilege Vulnerability
ASPY 314: Malformed-File exe.MP_248

CVE-2022-26914 Win32k Elevation of Privilege Vulnerability
ASPY 311: Malformed-File exe.MP_245

Adobe Coverage:
CVE-2022-28244 Acrobat Reader Arbitrary code execution
ASPY 318: Malformed-File pdf.MP_523
CVE-2022-27799 Acrobat Reader Arbitrary code execution
ASPY 319: Malformed-File pdf.MP_524
CVE-2022-24102 Acrobat Reader Arbitrary code execution
ASPY 320: Malformed-File pdf.MP_525

The following vulnerabilities do not have exploits in the wild:
CVE-2022-21983 Win32 Stream Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22008 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22009 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23257 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23259 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23268 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-23292 Microsoft Power BI Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24472 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24473 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24475 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24479 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24482 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24483 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24484 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24485 Win32 File Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24486 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24487 Windows Local Security Authority (LSA) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24488 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24489 Cluster Client Failover (CCF) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24490 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24492 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24493 Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24494 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24495 Windows Direct Show – Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24496 Local Security Authority (LSA) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24498 Windows iSCSI Target Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24499 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24500 Windows SMB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24513 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24523 Microsoft Edge (Chromium-based) Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24527 Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24528 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24530 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24532 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24533 Remote Desktop Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24534 Win32 Stream Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24536 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24537 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24538 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24539 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24540 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24541 Windows Server Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24543 Windows Upgrade Assistant Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24544 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24545 Windows Kerberos Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24548 Microsoft Defender Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24549 Windows AppX Package Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24550 Windows Telephony Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24765 GitHub: Uncontrolled search for the Git directory in Git for Windows
There are no known exploits in the wild.
CVE-2022-24767 GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account
There are no known exploits in the wild.
CVE-2022-26783 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26784 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26785 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26786 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26787 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26788 PowerShell Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26789 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26790 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26791 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26792 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26793 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26794 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26795 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26796 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26797 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26798 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26801 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26802 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26803 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26807 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26808 Windows File Explorer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26810 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26811 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26812 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26813 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26814 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26815 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26816 Windows DNS Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26817 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26818 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26819 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26820 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26821 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26822 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26823 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26824 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26825 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26826 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26827 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26828 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26829 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26830 DiskUsage.exe Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26831 Windows LDAP Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26832 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26891 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26894 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26895 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26896 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26897 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26898 Azure Site Recovery Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26900 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26901 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26903 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26907 Azure SDK for .NET Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26908 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26909 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26910 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-26911 Skype for Business Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26912 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26915 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26916 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26917 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26918 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26919 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26920 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26921 Visual Studio Code Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26924 YARP Denial of Service Vulnerability
There are no known exploits in the wild.

D-Link DIR-806 Devices Command Injection

D-Link Corporation is a multinational networking equipment manufacturer headquartered in Taipei, Taiwan. Its products are geared towards the networking and communications market: business products include switches, surveillance network cameras, firewalls, iSCSI SANs and business wireless, while consumer products cover wireless devices, broadband devices and digital home devices. The DIR-806 is a wireless AC750 dual-band router and access point.

An issue was discovered in D-Link DIR-806 devices. A command injection exists in the function hnap_main, which calls system() without checking a parameter that can be controlled by the user, allowing remote attackers to execute arbitrary shell commands via a specially crafted HTTP header.
While this vulnerability is a couple of years old, the SonicWall Capture Labs threat research team recently spotted attacks exploiting it in the wild.

Command Injection Vulnerability
The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection is possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. The attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

D-Link DIR-806 Devices Command Injection | CVE-2019-10891
A command injection vulnerability exists in D-Link routers.
The following are some exploits seen in the wild. The Home Network Administration Protocol (HNAP) allows querying and setting configuration options on network devices. It is based on SOAP, so an attacker can send HTTP POST messages with a specially crafted SOAPAction header.

This header is used to download a malicious payload (in this case a wget.sh file) from an attacker-controlled server. The attacker then executes the malicious script on the vulnerable device.
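A defender-side triage check for the traffic pattern described above, added here as an example (not D-Link's or SonicWall's code): it pulls the SOAPAction header out of a raw HTTP request and flags values that carry shell metacharacters or do not look like a well-formed HNAP action. The HNAP action URI shape and the sample requests are assumptions constructed for illustration.

```python
"""Flag HNAP requests whose SOAPAction header could reach system().

Added example (not D-Link's or SonicWall's code). The requests below are
constructed for illustration; the HNAP action URI shape is an assumption.
"""
import re
from typing import Optional

# A legitimate HNAP action is a single URI of this shape (assumed pattern).
HNAP_ACTION = re.compile(r'^"?http://purenetworks\.com/HNAP1/\w+"?$')

# Characters that let a header value break out of a shell command line.
SHELL_META = re.compile(r"[`;&|$<>\n\r]")

def soapaction(raw_request: str) -> Optional[str]:
    """Return the SOAPAction header value (case-insensitive name), or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "soapaction":
            return value.strip()
    return None

def classify(raw_request: str) -> str:
    """Triage a raw HTTP request by its SOAPAction header."""
    value = soapaction(raw_request)
    if value is None:
        return "no-soapaction"
    if SHELL_META.search(value):
        return "injection"      # shell metacharacters: exploit attempt
    if not HNAP_ACTION.match(value):
        return "suspicious"     # not a well-formed HNAP action URI
    return "benign"

# Constructed sample traffic (not captured from a real device).
BENIGN_REQUEST = (
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n\r\n'
)
INJECTED_REQUEST = (
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.1\r\n"
    'Soapaction: "http://purenetworks.com/HNAP1/GetDeviceSettings"; echo hnap\r\n\r\n'
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, INJECTED_REQUEST):
        print(classify(req))   # benign, injection
```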

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15501: D-Link DIR-806 Devices Command Injection
    • IPS 13635: D-Link Devices HNAP SOAPAction-Header Command Injection

IoCs
dcf241331018349c57d5636cc4076676727364178bf75fd5fc4003969e866b2a
6182e41e66eac130893d600836e6957dd28ffeded793a2b71aebd6ec947ca358
47b396259c4b24091e7bedb876bbac6658768cd6b70826322388d1bb1de33f11
bba1631d1891c9d62bd1a48d5b064ba1b1e65563b237c7bff4afbd049f2c5fa1

Threat graph

A GitHub repository exists for AndroSpy spyware for Android

SonicWall Threats Research team identified a version of AndroSpy in the wild. Interestingly, there exists a GitHub repository for this version of the malware. This repository was created a few months back and appears to be fairly active.

Sample specifics

  • MD5: 1749d7830b1593fbe9eec1946002dee7
  • Application Name: Critical Device Settings
  • Package Name: com.kernel32.criticalprocess

 

This app requests a number of dangerous permissions, few of them are listed below:

  • WRITE_EXTERNAL_STORAGE
  • READ_EXTERNAL_STORAGE
  • READ_CALL_LOG
  • WRITE_CALL_LOG
  • CAMERA
  • READ_SMS
  • ACCESS_FINE_LOCATION
  • RECORD_AUDIO
  • READ_CONTACTS
  • WRITE_CONTACTS
  • SEND_SMS
  • BIND_DEVICE_ADMIN
  • RECEIVE_SMS
  • WRITE_SMS
  • PROCESS_OUTGOING_CALLS
  • DELETE_PACKAGES
  • SYSTEM_ALERT_WINDOW
  • ACCESSIBILITYSERVICE

This version of AndroSpy boasts a number of functionalities, some of which are listed below:

  • Access camera
  • Access files
  • Live microphone
  • Keylogger
  • SMS manager
  • Shell terminal
  • Access contacts
  • Call Logs
  • Check installed apps
  • Live screen
  • Disable Google Play Protect

Similar threats

Searching for this app on VirusTotal showed a number of related apps, some with different names and icons:

This indicates that this threat is being used and propagated with malicious intent. As mentioned earlier, the attacker server and other configurations can be viewed under resources>res>values>strings.

Additional observation

The GitHub repository shows a BTC wallet address for donations towards this project:

Overall, this is spyware that is available on GitHub as a framework. In some cases it is being presented as a legitimate application.

SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androspy.GT

Indicators of Compromise:

  • 1749d7830b1593fbe9eec1946002dee7
  • 603b7c441289ff7a15d3a458add66f2d
  • 0e9d6812f7ed7f912fab2f74e143ea76
  • 4f48d7d1258d52db555e0aae4b5136d6
  • 93c0c8c706a219d4194110035898f36d

JAVA Spring Framework Spring4Shell RCE Vulnerability

Overview:

  A Spring MVC (Model-View-Controller) or Spring WebFlux (the reactive, non-blocking counterpart of Spring MVC) application running on JDK (Java Development Kit) 9+ may be vulnerable to Remote Code Execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat (Apache Tomcat as the Servlet container) as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

  .ear files: An enterprise archive (EAR) file is a compressed file that contains the libraries, enterprise beans, and JAR files that the application requires for deployment.

  .jar files: The .jar files contain libraries, resources and accessory files such as property files.

  .war files: The .war file contains a web application that can be deployed on any servlet/JSP container. It contains JSP, HTML, JavaScript and other files necessary for the web application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-22965.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.8 (E:X/RL:X/RC:X), based on the following metrics:
    • The exploit code maturity level of this vulnerability is not defined.
    • The remediation level of this vulnerability is not defined.
    • The report confidence level of this vulnerability is not defined.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is caused by the getCachedIntrospectionResults method of the Spring framework wrongly exposing the class object when binding the member properties:

  Using the HTTP POST method below, you can access the member object properties. The binding process (bindRequestParameters) in the Spring framework implementation calls the getCachedIntrospectionResults method to get and set the object property in the cache. This class object can be remotely controlled by simply submitting a payload as shown:

  Modifying the Tomcat log configuration and remotely uploading a JSP web shell (the payload, with headers):

  Sending the payload, placing a file called tomcatwar.jsp into the webapps/ROOT directory with curl:

  Accessing the newly placed file called tomcatwar.jsp on the server (reverse shell):

Triggering the Problem:

  • JDK 9 or higher.
  • Apache Tomcat as the Servlet container.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
  • Packaged as a WAR deployment.

Triggering Conditions:

  The attacker sends a maliciously crafted request to the vulnerable server. The vulnerability is triggered when the Tomcat log configuration (class.module.classLoader.resources.context.parent.pipeline.first) members (pattern, suffix, directory, prefix, and fileDateFormat) are manipulated and changed with the payload above.
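A request-inspection check for the binding chain named above, added here as an example (not Spring's or SonicWall's code): it parses a URL-encoded body or query string and reports parameter names that traverse the exposed class property, and which AccessLogValve members the chain tries to set. The sample bodies are constructed, with placeholder values.

```python
"""Flag request parameters that bind through Spring's exposed 'class' property.

Added example (not Spring's or SonicWall's code). Bodies below are constructed;
the property chain is the one named on this page.
"""
import re
from typing import List, Set
from urllib.parse import parse_qsl

# Any property path that passes through '.class.' reaches ClassLoader
# internals. This matches the patterns Spring's published workaround denies
# via WebDataBinder.setDisallowedFields: class.*, Class.*, *.class.*, *.Class.*
CLASS_PATH = re.compile(r"(^|\.)class\.", re.IGNORECASE)

# The Tomcat AccessLogValve chain described above, and the members it abuses.
LOG_CHAIN = "class.module.classLoader.resources.context.parent.pipeline.first."
LOG_MEMBERS = {"pattern", "suffix", "directory", "prefix", "fileDateFormat"}

def offending_params(body: str) -> List[str]:
    """Parameter names in a URL-encoded body that traverse the class property."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)
            if CLASS_PATH.search(name)]

def log_members_touched(body: str) -> Set[str]:
    """AccessLogValve members a request tries to set through the chain."""
    touched = set()
    for name, _ in parse_qsl(body, keep_blank_values=True):
        if name.lower().startswith(LOG_CHAIN.lower()):
            member = name[len(LOG_CHAIN):]
            if member in LOG_MEMBERS:
                touched.add(member)
    return touched

# Constructed samples: the values are placeholders, only the names matter here.
ATTACK_BODY = ("name=alice"
               "&" + LOG_CHAIN + "suffix=x"
               "&Class.module.classLoader.resources.context.parent.pipeline.first.directory=x")
# 'classification' and 'user.classroom' contain "class" but never traverse '.class.'
BENIGN_BODY = "name=alice&classification=high&user.classroom=7"

if __name__ == "__main__":
    print(offending_params(ATTACK_BODY))     # the two class.module... names
    print(log_members_touched(ATTACK_BODY))  # {'suffix', 'directory'}
    print(offending_params(BENIGN_BODY))     # []
```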

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2609 JAVA Spring Framework Command Injection (Spring4Shell)
  • IPS: 13431 JAVA Spring Framework Remote Code Execution (Spring4Shell) 2
  • IPS: 13432 JAVA Spring Framework Remote Code Execution (Spring4Shell) G-1
  • IPS: 13443 JAVA Spring Framework Remote Code Execution (Spring4Shell) G-2
  • IPS: 13444 JAVA Spring Framework Remote Code Execution (Spring4Shell) IOC

  Please note that if your web service/server is accessible over HTTPS, then enabling Server DPI-SSL is necessary for the above signatures to detect exploits targeting this vulnerability.

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Detecting and blocking malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Ransomware not asking for payment but asks the victim to help the needy

This week the SonicWall Capture Labs Research team analyzed a ransomware sample that is rather unconventional. After encrypting the victim’s files, it does not demand payment but rather asks the victim to carry out certain tasks, submit a video and photo as proof, and post about the whole experience on social media.

Infection cycle:

This ransomware arrives as a typical Windows executable with the following icons and file properties.

Once executed, it spawns cmd.exe to carry out most of its functionality.

It creates a hidden directory and drops all the related files in the /Users/Public/Windows/Ui folder.

Upon successful encryption of the targeted files, it runs a batch file named “launch.bat”, which launches the Chrome browser in incognito mode to display an HTML file with details on what to do to get your files back.

It is a rather long list of demands, and the following screenshots show the entire HTML page as you scroll down the instructions on how to retrieve your encrypted files.

Traditional ransomware will encrypt the victim’s data and demand a ransom, typically in cryptocurrency, in exchange for decrypting the files. But Goodwill Ransomware asks the victims to carry out tasks to help the community and show kindness. Victims need to complete three tasks – provide clothes to the homeless, feed hungry children and pay for the hospital bill of someone in need, all while documenting the events in the form of videos and photos. Upon completing all three tasks, it also wants the victim to post the experience on their social media accounts.

Interestingly, it asks the victim to send the video, photos and link to the social media post to an email address with the “itorizin.in” domain. Itorizin appears to be a security company based in India, and its affiliation to this ransomware is unclear.

This ransomware uses AES encryption and only encrypts .pdf and .txt files.

Encrypted files will have the .gdwill file extension.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV:Goodwill.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.