OpenLDAP slapd Integer Underflow Vulnerability

Overview:

  OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP) service. On a default installation, the OpenLDAP server uses TCP port 389 for communication. The OpenLDAP server has a modular architecture where the OpenLDAP server daemon, slapd, can be configured as a frontend, a backend or as an overlay. A frontend server typically listens on a TCP port and manages connections. Backend servers can either store the Directory data using one of various available engines (e.g. back-bdb for using BerkeleyDB, backldif for using LDIF text files), or act as a proxy server for other data storage systems (e.g. back-ldap for proxying to other LDAP servers, back-sql for talking to arbitrary SQL databases, back-passwd to use Unix system passwd and group data), or as a dynamic backend that generates data on the fly.

  A denial-of-service vulnerability has been reported in slapd, the OpenLDAP server daemon. The vulnerability is due to improper input validation of controls in LDAP search requests.

  A remote attacker can exploit the vulnerability by sending a crafted query to the target OpenLDAP server. Successful exploitation causes an integer underflow, which leads to a denial-of-service condition.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2020-36221, dated 2021-01-25.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 4.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C).

  Base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 4.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An integer underflow vulnerability exists in the OpenLDAP daemon, slapd. When slapd receives an incoming SearchRequest message that includes a valuesReturnFilter control with an attributeCertificateExactMatch assertion, it calls the function serialNumberAndIssuerSerialPretty() to normalize the string value in matchValue. Before normalizing, it calls the function serialNumberAndIssuerSerialCheck() to validate the syntax of the string. According to the implementation, a valid string should take the following form:

  The order of serialNumber and issuer does not matter for the validation. The validation checks the minimum length of the assertionValue or matchValue, that the first and last characters are “{” and “}”, the presence of the keywords “issuer” and “serialNumber”, and so on. However, the check for “{” and “}” is mistakenly implemented as follows:

  Therefore, an assertionValue or matchValue that only starts with “{” or only ends with “}” bypasses the validation. The vulnerable function also keeps an internal variable of type “unsigned long” that records the remaining length of the assertionValue or matchValue during validation; as the value is parsed, this variable is decremented toward 0. Because the function does not verify that the last character is “}”, it does not decrement the variable correctly. When the last character of the assertionValue or matchValue is a double-quote character (“"”), the length variable can be decremented past zero, which for an unsigned long wraps to a very large positive value (integer underflow). The variable is then used as the upper bound of a loop counter, leading to an out-of-bounds read.

  Note that the filter part of an LDAP SearchRequest message can also be used to reproduce this vulnerability, since it likewise has an extensibleMatch field of type MatchingRuleAssertion. If the MatchingRuleId is set to OID “2.5.13.45”, the string in the matchValue field is parsed by the vulnerable function serialNumberAndIssuerSerialCheck() as well.

  A remote attacker can exploit this vulnerability by sending a crafted SearchRequest message whose Filter contains a crafted matchValue. Successful exploitation causes the slapd process to terminate abnormally.
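  To make the length arithmetic concrete, here is a constructed C model, added for this write-up and not OpenLDAP's own code, of the two checks the paragraphs above describe: the flawed brace test beside its corrected form, and the issuer-string scan that subtracts the consumed bytes from an unsigned long remaining length. The simplified “{ issuer "..." }” shape and the sample values are assumptions; the model never reads outside its input, so it only reports whether the subtraction wraps.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the GSER checks discussed above (not OpenLDAP's own
 * code). It keeps only the brace test and the issuer-string scan, whose
 * interaction produces the unsigned wrap, and it never reads outside the
 * input buffer, so it is safe to run on any string. */

enum check_result { REJECTED = 0, ACCEPTED = 1, ACCEPTED_UNDERFLOW = 2 };

/* Flawed brace test: rejects only when BOTH braces are missing, so a value
 * that merely starts with '{' (or merely ends with '}') slips through. */
static int brace_check_flawed(const char *v, size_t len)
{
    if (len < 3) return 0;
    return !(v[0] != '{' && v[len - 1] != '}');
}

/* Corrected brace test: rejects when EITHER brace is missing. */
static int brace_check_fixed(const char *v, size_t len)
{
    if (len < 3) return 0;
    return !(v[0] != '{' || v[len - 1] != '}');
}

/* Scan the issuer string inside the already brace-stripped slice x[0..xlen).
 * Mirrors the arithmetic: find the opening '"', walk to the closing '"'
 * (a doubled "" is an escaped quote), then subtract the consumed bytes from
 * the remaining length. Stores the remaining length in *rem and returns 1
 * when that subtraction wrapped past zero, 0 when it did not, -1 when there
 * is no issuer string at all. */
static int issuer_scan(const char *x, unsigned long xlen, unsigned long *rem)
{
    unsigned long i = 0, n = 0, before;
    const char *is;

    while (i < xlen && x[i] != '"') i++;
    if (i == xlen) return -1;
    i++;                 /* step past the opening quote */
    x += i;
    xlen -= i;
    is = x;
    /* If the input ended with '"' instead of '}', the caller stripped that
     * quote as though it were the closing brace, so this loop reaches the end
     * of the slice without ever matching the closing quote. */
    while (n < xlen) {
        if (is[n] != '"') { n++; continue; }
        if (n + 1 < xlen && is[n + 1] == '"') { n += 2; continue; }
        break;
    }
    before = xlen;
    xlen -= n + 1;       /* with n == before this wraps to ULONG_MAX */
    *rem = xlen;
    return xlen > before;
}

/* Run the brace test (flawed or fixed), then the issuer scan on the value
 * with one character stripped from each end, as the parser does. */
static enum check_result check_value(const char *v, int use_fixed, unsigned long *rem)
{
    size_t len = strlen(v);
    int ok = use_fixed ? brace_check_fixed(v, len) : brace_check_flawed(v, len);

    *rem = 0;
    if (!ok) return REJECTED;
    switch (issuer_scan(v + 1, (unsigned long)len - 2, rem)) {
    case 1:  return ACCEPTED_UNDERFLOW;
    case 0:  return ACCEPTED;
    default: return REJECTED;
    }
}

int main(void)
{
    /* Constructed sample values; the real assertion also carries serialNumber. */
    static const char *samples[] = {
        "{ issuer \"CN=Example\" }",  /* well-formed */
        "{ issuer \"CN=Example\"",    /* starts with '{', ends with '"', no '}' */
        "{ issuer \"a\"\"b\" }",      /* escaped (doubled) quote inside issuer */
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        unsigned long rem_flawed, rem_fixed;
        enum check_result f = check_value(samples[k], 0, &rem_flawed);
        enum check_result g = check_value(samples[k], 1, &rem_fixed);
        printf("%-26s flawed=%d remaining=%lu  fixed=%d\n",
               samples[k], (int)f, rem_flawed, (int)g);
    }
    return 0;
}
```

  The second sample passes the flawed test and leaves the remaining length wrapped to ULONG_MAX, which is the value the real parser then uses as a loop bound; the corrected test rejects it before any scan runs.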

Triggering the Problem:

  • The server must have the vulnerable product installed and running.
  • The attacker must be able to send an LDAP SearchRequest to the target.

Triggering Conditions:

  The attacker sends a crafted SearchRequest. When the server processes this request, the vulnerability is triggered.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • LDAP, over port 389/TCP
    • LDAPS, over port 636/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2084 OpenLDAP slapd serialNumberAndIssuerCheck Integer Underflow 1

  • IPS: 2093 OpenLDAP slapd serialNumberAndIssuerCheck Integer Underflow 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering attack traffic using the signatures above.
    • Allowing only trusted authenticated users to Bind to the server.
    • Applying the vendor provided patch.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

AtomSilo hits large Brazilian company in $1M double extortion scheme

The SonicWall Capture Labs threat research team has observed a continued increase in ransomware used in double extortion schemes. The operators of the ransomware known as AtomSilo have recently infiltrated a Brazilian pharmaceutical company. The malware encrypted the company’s files, and the operators obtained 900GB of very sensitive scientific data, and even immigration and contact information of its employees. A $500,000 ransom is offered for 48 hours; after this, the ransom is increased to $1M in Bitcoin. Failure to pay will result in the sensitive data being released to the public.

Infection Cycle:

Upon execution of the ransomware component, files on the system are encrypted. Each encrypted file is given a “.ATOMSILO” file extension.

After encryption, the following message is brought up on the infected machine’s desktop:

The following files are dropped on to the system:

  • README-FILE-{machine name}-{random 10 digit number}.hta (in directories with encrypted files)

The Tor web address (http://mhdehvkomeabau7gsetnsrhkfign4jgnx3wajth5yb5h6kvzbd72wlqd.onion) leads to the following page, hosted by the operators:

The “LIST LEAK” button shows a company that is in the process of being extorted by the operators:

The “GO TO POST” button brings up a page that shows a summary of the data that has been obtained by the attackers:

This page is very long and contains samples of the sensitive data that has been obtained:

The leak also includes company financial data and employee contact information:

We reached out to the email address (arvato@atomsilo.com) provided in the ransom note and received the following response:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AtomSilo.A (Trojan)

This threat is also detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

Buffalo routers path traversal vulnerability

The SonicWall Capture Labs threat research team has observed attacks exploiting a vulnerability in Buffalo routers.

Buffalo builds storage, networking and other technology products. Its network attached storage (NAS) devices, many with scale-as-you-go options, ship with pre-tested hard drives, which removes the need to source and test drives separately. Buffalo also builds wireless routers, including a high-speed, open-source, dual-band solution intended for 11ac wireless home networks. A path traversal vulnerability exists in the web interface of certain firmware versions of these routers.

Vulnerability | CVE-2021-20090

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash sequences. A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication. Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.

The vulnerability exists because a list of folders falls under a “bypass list” for authentication. One such folder is images. The exploit looks like this:

The attacker bypasses authentication through path traversal, then uses a POST request to access and modify the configuration of the attacked device, and finally downloads and executes a malicious script from an attacker-controlled server.

The following versions are vulnerable:

  • WSR-2533DHPL2 firmware version <= 1.02
  • WSR-2533DHP3 firmware version <= 1.24

The vendor advisory is here.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS: 15659 Buffalo Routers Configuration File Injection
  • GAV: Shell.LOL

Threat Graph

IoCs:

  • 212.192.241.87
  • 054320be2622f7d62eb6d1b19ba119d0a81cb9336018d49d9f0647706442ae8f

Microsoft Security Bulletin Coverage for September 2021

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2021. A list of the issues reported, along with SonicWall coverage information, follows:

CVE-2021-36963 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 214:Malformed-File exe.MP_199

CVE-2021-36955 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 221:Malformed-File exe.MP_203

CVE-2021-36975 Win32k Elevation of Privilege Vulnerability
ASPY 219:Malformed-File exe.MP_202

CVE-2021-38633 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 215:Malformed-File exe.MP_200

CVE-2021-38639 Win32k Elevation of Privilege Vulnerability
ASPY 216:Malformed-File exe.MP_201

CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability
GAV 25418:CVE-2021-40444_7
GAV 25417:CVE-2021-40444_6
GAV 25414:CVE-2021-40444_5
GAV 25413:CVE-2021-40444_4
GAV 25412:CVE-2021-40444_3
GAV 25390:CVE-2021-40444_2
GAV 25389:CVE-2021-40444_1
GAV 25387:CVE-2021-40444
GAV 25379:CVE-2021-40444.X
GAV 25378:CVE-2021-40444.AB
GAV 25377:CVE-2021-40444.C

Adobe Coverage:
CVE-2021-39836 Acrobat Reader Use After Free Vulnerability
ASPY 217:Malformed-File pdf.MP.490

CVE-2021-39843 Acrobat Reader Out-of-bounds Write Vulnerability
ASPY 218:Malformed-File pdf.MP.491

The following vulnerabilities do not have exploits in the wild:
CVE-2021-26434 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-26436 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26437 Visual Studio Code Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26439 Microsoft Edge for Android Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36930 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36954 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36956 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36959 Windows Authenticode Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36960 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36961 Windows Installer Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-36962 Windows Installer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36964 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36966 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36967 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36969 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36972 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36973 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36974 Windows SMB Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38624 Windows Key Storage Provider Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-38625 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38626 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38628 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38629 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38630 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-38634 Microsoft Windows Update Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38635 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38636 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38637 Windows Storage Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38641 Microsoft Edge for Android Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38642 Microsoft Edge for iOS Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38644 Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38646 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38650 Microsoft Office Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38651 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38652 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38653 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38654 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38655 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38656 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38657 Microsoft Office Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38658 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38659 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38660 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38661 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38667 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38669 Microsoft Edge (Chromium-based) Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-38671 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40440 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-40447 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40448 Microsoft Accessibility Insights for Android Information Disclosure Vulnerability
There are no known exploits in the wild.

Atlassian Confluence and Data Center OGNL Injection Vulnerability

Overview:

  Atlassian Confluence is a collaboration platform written primarily in Java and run on a bundled Apache Tomcat application server. Users create content in spaces, pages and blogs, which other users can comment on and edit.

  An OGNL injection vulnerability has been reported in the Webwork module of Atlassian Confluence Server and Data Center. The vulnerability is due to insufficient input validation, leading to OGNL evaluation of user-supplied input.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-26084.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Confluence uses the Webwork web application framework to map URLs to Java classes, creating what is known as an “action”. Action URLs end with the “.action” suffix and are defined in the xwork.xml file inside confluence “version”.jar (where “version” is the confluence version number) and in the atlassian-plugin.xml file within the JAR files of the included plugins. Each action entry contains at least a name attribute, defining the action name, a class attribute, defining the Java class implementing the action, and at least one result element which decides the Velocity template to render after the action is invoked based on the result of the action. Common return values from actions are “error”, “input”, and “success”, but any value may be used as long as there is a matching result element in the associated XWork XML. Action entries can contain a method attribute, which allows invocation of a specific method of the specified Java class. When no command is specified, the doDefault() method of the action class is called. The following is a sample action entry for the doenterpagevariables action:

  In the above example, the doEnter() method of the “com.atlassian.confluence.pages.actions.PageVariablesAction” class handles requests to “doenterpagevariables.action” and will return values such as “success”, “input”, or “error”, resulting in the appropriate velocity template being rendered.

  Confluence supports the use of Object Graph Navigation Language (OGNL) expressions to dynamically generate web page content from Velocity templates using the Webwork library. OGNL is a dynamic Expression Language (EL) with a terse syntax for getting and setting properties of Java objects, list projections, and expressions. An OGNL expression is a chain of elements (property names, method calls, array indices and so on) that together form a navigation path. Expressions are evaluated against the initial, or root, context object supplied to the evaluator in the form of an OGNL Context.

  The container object “com.opensymphony.webwork.views.jsp.ui.template.TemplateRenderingContext” is used to store objects needed to execute an Action. These objects include session identifiers, request parameters, spaceKey etc. TemplateRenderingContext also contains a com.opensymphony.xwork.util.OgnlValueStack object used to push and store objects against which dynamic Expression Languages (EL) are evaluated. When the EL compiler needs to resolve an expression, it searches down the stack starting with the latest object pushed into it. OGNL is the EL used by the Webwork library to render Velocity templates defined in Confluence, allowing access to Confluence objects exposed via the current context. For example, the $action variable returns the current Webwork action object.

  OGNL expressions in Velocity templates are parsed by the ognl.OgnlParser.expression() method, which splits the input string into a series of tokens. The ognl.JavaCharStream.readChar() method, called by the OGNL parser, evaluates Unicode escape sequences of the form “\uXXXX”, where “XXXX” is the hexadecimal code of the represented Unicode character. Therefore, if an expression includes the sequence “\u0027”, it is evaluated as a closing quote character (‘), escaping the context of the string literal and allowing an arbitrary OGNL expression to be appended. If an OGNL expression in a Velocity template is parsed within single quotes and its value comes from user input without any sanitization, an arbitrary OGNL expression can be injected.

  An OGNL injection vulnerability exists in Atlassian Confluence. The vulnerability is due to insufficient validation of user input used to set variables evaluated in Velocity templates within single quotes. By including the “\u0027” character in user input, an attacker can escape the string literal and append an arbitrary OGNL expression.

  Before OGNL expressions are evaluated by Webwork, they are compared against a list of unsafe node types and variable names in the “com.opensymphony.webwork.util.SafeExpressionUtil.containsUnsafeExpression()” method. However, arbitrary Java objects can be instantiated without using any of the listed unsafe elements. For example, the following expression, which executes an OS command, would be accepted as safe by this method:

  A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server. Successful exploitation can result in the execution of arbitrary code with the privileges of the server.
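  The following C model, added here and not Atlassian’s or OGNL’s code, shows the two-stage behaviour described above: \uXXXX escapes are decoded before the tokenizer sees the quotes, so a value containing \u0027 closes the single-quoted literal it was placed in. The template shape '<value>', the sample values and the two guard functions are assumptions; the second guard shows why any inspection of a parameter has to decode it the same way the parser will.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not Atlassian's or OGNL's code) of the two stages
 * described above: \uXXXX escapes are decoded by the character stream
 * before the tokenizer looks for quotes, so a quote smuggled as \u0027
 * closes a single-quoted literal. ASCII-only; values above 0xFF are left
 * as written. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Stage 1: replace each \uXXXX whose value fits in a byte with that byte;
 * everything else is copied through. out must hold strlen(in) + 1 bytes.
 * Returns the decoded length. */
static size_t decode_unicode_escapes(const char *in, char *out)
{
    size_t o = 0;
    for (size_t i = 0; in[i]; ) {
        if (in[i] == '\\' && in[i + 1] == 'u') {
            int v = 0, ok = 1;
            for (int k = 0; k < 4; k++) {
                int h = hexval((unsigned char)in[i + 2 + k]);
                if (h < 0) { ok = 0; break; }  /* stops before any NUL */
                v = v * 16 + h;
            }
            if (ok && v < 256) { out[o++] = (char)v; i += 6; continue; }
        }
        out[o++] = in[i++];
    }
    out[o] = '\0';
    return o;
}

/* Stage 2: for decoded text that begins with the opening quote of a literal,
 * return the index of the quote that closes it (a backslash escapes the next
 * character, so \' does not close it), or len if it never closes. */
static size_t literal_close_index(const char *s, size_t len)
{
    for (size_t i = 1; i < len; i++) {
        if (s[i] == '\\') { i++; continue; }
        if (s[i] == '\'') return i;
    }
    return len;
}

/* Place the user value in the template '<value>' and report whether the
 * literal ends anywhere other than at the final quote (1 = context escaped
 * or unterminated, 0 = still a plain string, -1 = value too long). */
static int value_escapes_literal(const char *value)
{
    char raw[512], decoded[512];
    size_t len;

    if (strlen(value) + 3 > sizeof raw) return -1;
    snprintf(raw, sizeof raw, "'%s'", value);
    len = decode_unicode_escapes(raw, decoded);
    return literal_close_index(decoded, len) != len - 1;
}

/* Naive guard: looks for a quote in the raw parameter and misses \u0027. */
static int naive_guard_flags(const char *value)
{
    return strchr(value, '\'') != NULL;
}

/* Guard that canonicalises exactly as the parser will before inspecting. */
static int decoded_guard_flags(const char *value)
{
    char decoded[512];
    if (strlen(value) + 1 > sizeof decoded) return 1;  /* refuse oversize */
    decode_unicode_escapes(value, decoded);
    return strchr(decoded, '\'') != NULL;
}

int main(void)
{
    /* Constructed sample parameter values. */
    static const char *samples[] = { "hello", "it\\'s", "a\\u0027 + b", "\\u4e2d" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-14s escapes=%d naive=%d decoded=%d\n", samples[k],
               value_escapes_literal(samples[k]),
               naive_guard_flags(samples[k]), decoded_guard_flags(samples[k]));
    return 0;
}
```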

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  An attacker connects to a target server and submits an HTTP request containing a malicious parameter to a vulnerable XWork action. The vulnerability is triggered when the target server processes the XWork action, resulting in the processing of the malicious request parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8090/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15673 Atlassian Confluence Server Webwork OGNL injection 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering attack traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Lockbit 2.0, the ransomware behind the Accenture breach

Lockbit ransomware has been around since 2019, but its operators recently released an updated version called Lockbit 2.0. It is another ransomware-as-a-service (RaaS), a subscription-based model that lets partners use a full-featured, already developed ransomware application that is ready to carry out an attack. On their website, the operators boast that version 2.0 has the fastest encryption and the fastest upload of stolen data among many other popular ransomware families, while highlighting the ransomware’s many features.

Recently, there were reports of targeted attacks, with Accenture being the latest prominent victim of this ransomware. For non-payment, Lockbit has started leaking the victim’s data to the public on its website.

Infection cycle:

Upon execution, the ransomware disables all running security programs and any other means that could permit system recovery. It spawns cmd.exe to run the following commands:

  • vssadmin delete shadows /all /quiet
  • wmic SHADOWCOPY /nointeractive
  • wmic shadowcopy delete
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • wbadmin DELETE SYSTEMSTATEBACKUP
  • wbadmin delete catalog -quiet
  • wevtutil cl system
  • wevtutil cl security
  • wevtutil cl application
  • bcdedit /set {default} recoveryenabled No

It then proceeds to encrypt the victim’s files. All encrypted files bear the Lockbit icon and a .lockbit file extension.

It changes the wallpaper to show instructions on how to recover the files, and adds a text file with the same content to every directory where files have been encrypted.

On reboot, the victim cannot miss the ransom note, because the ransomware also adds a Run key in the registry that loads an HTA file with the same instructions on how to get the victim’s files back.

  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Name: {2C5F9FCC-F266-43F6-BFD7-838DAE269E11}
  • Data: %Desktop%\Lockbit_Ransomware.hta

It then deletes itself, leaving no copy of the ransomware or its components on the victim machine.

On Lockbit’s website, there are quite a few victims whose data has already been leaked to the public, while others still have some days left to submit payment before facing the same consequence.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Lockbit.RSM_2 (Trojan)
  • GAV: Lockbit.RSM_3 (Trojan)
  • GAV: Lockbit.RSM_4 (Trojan)

This threat is also detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

Centreon hostGroupDependency.php SQL Injection Vulnerability

Overview:

  Centreon is an open source IT monitoring solution. The open source product is the foundation of the Centreon EMS software suite, which offers additional licensed modules, and it includes integration tools for IT operations management production environments.

  An SQL injection vulnerability has been reported in the Centreon web application. The vulnerability is due to incorrect input validation in hostGroupDependency.php.

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

CVE Reference:

  This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is high.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.2 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  A user with admin privileges can manage the notification settings for a host group on the “Configuration”->”Notification”->”Host Groups” page in the Centreon web interface. When clicking a host group on the web page, a request will be submitted to the “/centreon/main.get.php” endpoint as shown in an example below:

  In the request above, the parameter “p” contains a topology_page number (e.g. 60408 in the example) that the Centreon application uses to locate the corresponding PHP file to handle the request. The mappings between topology_page numbers and their corresponding PHP files are defined in insertTopology.sql. For topology_page number 60408 in the “p” request parameter, the PHP file that handles the request is:

  hostGroupDependency.php is the file relevant to the vulnerability in this report.

  An SQL injection vulnerability exists in the Centreon web application. The vulnerability is due to a lack of input validation on the dep_id request parameter in hostGroupDependency.php. When a request is submitted to the “main.get.php” endpoint, main.get.php checks the value of the “p” request parameter. If the value is 60408, it routes the request to hostGroupDependency.php, which reads the dep_id request parameter value and then checks the “o” request parameter. If the “o” parameter is the character “c”, “w” or “a”, it calls formHostGroupDependency.php to process the request. formHostGroupDependency.php first checks whether “o” is “c” or “w” and, if so, constructs a SQL statement by appending the dep_id parameter value, then executes that statement to query the “dependency” table in the database.

  However, formHostGroupDependency.php does not sanitize the dep_id parameter before appending it to the SQL statement. A malicious user is therefore able to directly manipulate the Centreon database by embedding arbitrary SQL commands in the dep_id parameter of an HTTP request. For example, an attacker may use the “;” character (or its URL-encoded equivalent) to terminate the intended SQL statement and append a malicious CREATE TABLE command, as shown below:

  

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution at the database on the target server, potentially leading to the execution of arbitrary code in the security context as root.
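
The following is an added illustration, not code from the advisory or from Centreon: it contrasts the pattern described above (the raw dep_id value appended to the statement text) with the two-step fix of allowlist validation plus a bound parameter. The “dependency” table, its columns and rows are constructed stand-ins on an in-memory SQLite database; Centreon's real schema is not assumed.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for Centreon's "dependency" table (sample rows and
    # columns for this example; not Centreon's real schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE dependency (dep_id INTEGER PRIMARY KEY, dep_name TEXT)")
    con.executemany("INSERT INTO dependency VALUES (?, ?)",
                    [(1, "hg-dep-prod"), (2, "hg-dep-staging"), (3, "hg-dep-lab")])
    return con


def lookup_dependency_vulnerable(con, dep_id):
    # The pattern the advisory describes: the request value is appended to the statement
    # text, so whatever it contains is parsed as SQL by the database engine.
    sql = "SELECT dep_id, dep_name FROM dependency WHERE dep_id = " + dep_id
    return con.execute(sql).fetchall()


def is_valid_dep_id(dep_id):
    # dep_id is a row identifier, so only an ASCII decimal integer is acceptable
    # (str.isdigit() would also accept Unicode digits, hence the explicit regex).
    return isinstance(dep_id, str) and re.fullmatch(r"[0-9]{1,10}", dep_id) is not None


def lookup_dependency_hardened(con, dep_id):
    # 1. Allowlist validation of the request parameter.
    if not is_valid_dep_id(dep_id):
        raise ValueError("dep_id must be a decimal integer")
    # 2. Bound parameter: the value travels to the engine as data, never as statement text.
    return con.execute("SELECT dep_id, dep_name FROM dependency WHERE dep_id = ?",
                       (int(dep_id),)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(lookup_dependency_vulnerable(con, "2"))          # [(2, 'hg-dep-staging')]
    print(lookup_dependency_vulnerable(con, "2 OR 1=1"))   # all three rows: the query itself was changed
    print(lookup_dependency_hardened(con, "2"))            # [(2, 'hg-dep-staging')]
    try:
        lookup_dependency_hardened(con, "2 OR 1=1")
    except ValueError as e:
        print("rejected:", e)
```

The validation step alone would already block the request shown in the advisory; the bound parameter is kept as well so that the query stays safe even if a future caller forgets to validate.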

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the request is processed by the target server.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15666 Centreon main.get.php SQL Injection
  • IPS: 15674 Centreon main.get.php SQL Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released an advisory regarding this vulnerability:
  Vendor Advisory

Nagios XI Configwizards Command Injection Vulnerability

Overview:

  Nagios is an open source host, service and network monitoring program. The product’s functionality is implemented through a number of server-side programs, primarily written in PHP, with a backend database running MariaDB, a drop-in replacement for MySQL. The majority of these programs can be accessed only after successful authentication with the underlying web server. Nagios XI is a paid version of Nagios which offers greater functionality and performance than Nagios, such as enhanced dashboards, graphs and backend database support.

  A command injection vulnerability has been reported in Nagios XI. The vulnerability is due to insufficient input validation of requests submitted to windowswmi.inc.php.

  A remote authenticated attacker can exploit this vulnerability by sending a crafted request to the server. Successful exploitation could result in arbitrary command execution with privileges of the web server on the target system.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-25296.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C).

  Base score is 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Nagios XI simplifies the task of monitoring new devices, services and applications through its Configuration Wizards feature. Configuration wizards are a set of modules that let end users set up monitoring tasks for various services or hosts through a user-friendly interface, without needing to understand how Nagios XI works in the backend. Several wizard modules are installed by default in a Nagios XI installation; the “Windows WMI” module is one of them and is the one relevant to this report. The Configuration Wizards feature can be accessed via the Request-URI

    /url_root/config/monitoringwizard.php

  where url_root is the url root of the Nagios XI application.

  A command injection vulnerability exists in Nagios XI. When processing requests submitted to the monitoringwizard.php endpoint, monitoringwizard.php checks whether the value of the wizard request parameter is “windowswmi”. If so, it calls the function windowswmi_configwizard_func() in windowswmi.inc.php to process the request. windowswmi_configwizard_func() builds command-line strings that invoke the program check_wmi_plus.pl to perform various monitoring tasks. check_wmi_plus.pl accepts several command-line arguments; one of them, “forcetruncateoutput”, limits the length of the output printed by check_wmi_plus.pl. windowswmi_configwizard_func() checks whether the plugin_output_len request parameter is present in the HTTP request. If so, it inserts the plugin_output_len value into the check_wmi_plus.pl command-line string as the “forcetruncateoutput” argument, like the command-line string shown below:

    check_wmi_plus.pl ...... --forcetruncateoutput plugin_output_len

  where plugin_output_len is the value of the plugin_output_len request parameter.

  windowswmi_configwizard_func() then runs the constructed check_wmi_plus.pl command-line string through the PHP exec() function.

  However, windowswmi_configwizard_func() does not sanitize the plugin_output_len parameter value before placing it in the command-line string. An attacker can put shell metacharacters in the value of the plugin_output_len parameter, and they are copied unchanged into the constructed command-line string. Arbitrary commands are therefore executed on the underlying system when windowswmi_configwizard_func() calls PHP exec() to run that string.

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation results in the execution of arbitrary commands as the apache user.
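
The following is an added example, not code from the advisory or from Nagios XI: it shows the hardened way to pass a request-supplied value such as plugin_output_len to an external program, namely validating it as a bounded integer and handing it over as one element of an argv list so that no shell ever parses it. check_wmi_plus.pl is not available here, so a small Python stand-in that reports the arguments it received takes its place; the range cap MAX_OUTPUT_LEN is an assumption of this example, not a Nagios XI setting.

```python
import json
import re
import subprocess
import sys

MAX_OUTPUT_LEN = 4096  # assumed cap for this example; not a value defined by Nagios XI


def validate_output_len(value):
    """Accept only a plain decimal integer within a sane range; reject everything else."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,5}", value):
        raise ValueError("plugin_output_len must be a decimal integer")
    n = int(value)
    if not 1 <= n <= MAX_OUTPUT_LEN:
        raise ValueError("plugin_output_len out of range")
    return n


def is_valid_output_len(value):
    try:
        validate_output_len(value)
        return True
    except ValueError:
        return False


def build_command_unsafe(plugin_output_len):
    # Shape the advisory describes: the raw request value becomes part of a single
    # shell command string that is later handed to exec(). Shown for contrast only.
    return "check_wmi_plus.pl --forcetruncateoutput " + plugin_output_len


def build_command_hardened(plugin_output_len):
    # Validated value in an argv list: each element reaches the program as exactly one
    # argument, and no shell ever parses the string.
    n = validate_output_len(plugin_output_len)
    return ["check_wmi_plus.pl", "--forcetruncateoutput", str(n)]


def run_argv(argv):
    """Execute an argv list without a shell and return the arguments the program received.

    check_wmi_plus.pl is replaced by a tiny Python stand-in that prints its own sys.argv
    as JSON (assumption of this example), so the block runs without Nagios installed.
    """
    stand_in = [sys.executable, "-c", "import json, sys; print(json.dumps(sys.argv[1:]))"]
    result = subprocess.run(stand_in + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    print(run_argv(build_command_hardened("512")))   # ['--forcetruncateoutput', '512']
    for bad in ("512; echo test", "0", "99999", "abc"):
        try:
            build_command_hardened(bad)
        except ValueError as e:
            print(f"{bad!r} rejected: {e}")
    # Even an unvalidated value cannot start a second command when passed as one argv element:
    print(run_argv(["check_wmi_plus.pl", "--forcetruncateoutput", "512; echo test"]))
```

The last call shows why the argv form matters independently of validation: the whole string “512; echo test” arrives as a single argument of the stand-in program, whereas in a shell string the “;” would end the first command. The PHP equivalent of the argv approach is to validate the value and wrap it with escapeshellarg() before building the exec() string.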

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15480 Nagios XI monitoringwizard.php Command Injection 1
  • IPS: 15668 Nagios XI monitoringwizard.php Command Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released a patch (5.8.0) regarding this vulnerability:
  Vendor Advisory
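
Both the Centreon and the Nagios XI advisories above share one detection-relevant property: the vulnerable handler is selected by a fixed request parameter (p=60408, wizard=windowswmi) and the parameter it fails to sanitize (dep_id, plugin_output_len) is an identifier or a count, so a value that is not purely numeric is suspicious. The following added example, not code from SonicWall or from either vendor, applies that rule to web-server access-log lines. The log lines, hostnames and usernames are constructed sample data; the example only inspects query strings, so requests that carry the parameter in a POST body would need the body logged as well.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format (sample data, not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2021:10:00:01 +0000] "GET /centreon/main.get.php?p=60408&o=c&dep_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - admin [01/Mar/2021:10:00:07 +0000] "GET /centreon/main.get.php?p=60408&o=c&dep_id=12%3B%20SELECT%201 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - nagiosadmin [01/Mar/2021:10:01:13 +0000] "GET /nagiosxi/config/monitoringwizard.php?wizard=windowswmi&plugin_output_len=512 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.9 - nagiosadmin [01/Mar/2021:10:01:20 +0000] "GET /nagiosxi/config/monitoringwizard.php?wizard=windowswmi&plugin_output_len=512%3B%20echo%20test HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.7 - admin [01/Mar/2021:10:02:00 +0000] "GET /centreon/main.get.php?p=60401 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# One rule per advisory: (rule name, path suffix that identifies the endpoint,
# selector parameters that route to the vulnerable handler, parameter that must be numeric).
RULES = (
    ("Centreon main.get.php SQL injection (dep_id)",
     "/main.get.php", {"p": "60408"}, "dep_id"),
    ("Nagios XI monitoringwizard.php command injection (plugin_output_len)",
     "/monitoringwizard.php", {"wizard": "windowswmi"}, "plugin_output_len"),
)

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def check_request_target(target):
    """Return (rule name, decoded value) if the request target trips a rule, else None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes the values
    for name, suffix, selectors, param in RULES:
        if not parts.path.endswith(suffix):
            continue
        if any(params.get(key, [None])[0] != value for key, value in selectors.items()):
            continue
        for value in params.get(param, []):
            if not re.fullmatch(r"[0-9]+", value):
                return name, value
    return None


def scan_log(log_text):
    """Return (line number, rule name, offending decoded value) for each matching line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        hit = check_request_target(m.group("target"))
        if hit:
            hits.append((lineno, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for lineno, rule, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {rule}: {value!r}")
```

Decoding before matching is the important detail: the “;” in the samples is percent-encoded on the wire, exactly as the Centreon advisory notes, and a pattern applied to the raw line would miss it.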

Zeroshell command injection vulnerability

SonicWall Capture Labs threat research team observed attacks exploiting a vulnerability in Zeroshell.

Zeroshell is a small open-source Linux distribution for servers and embedded systems that aims to provide network services. Its administration relies on a web-based graphical interface.

Zeroshell is a Linux based distribution dedicated to the implementation of router and firewall appliances that are completely administrable via a web interface. Zeroshell is available for x86/x86-64 platforms and ARM based devices such as the Raspberry Pi.

Zeroshell command injection vulnerability | CVE-2019-12725

The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

An unauthenticated command injection vulnerability exists in ZeroShell 3.9.0 in the URL. As sudo is configured to execute bin without a password (NOPASSWD), it is possible to run root commands using the “checkpoint” tar options.

Some of the exploits found in the wild are:

As one can see, the vulnerable URL is set to NoAuthREQ and the attacker is able to inject and execute commands that change directory and download a malicious script from an attacker-controlled server.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

      • IPS 2366: Zeroshell Remote Code Execution
      • GAV : Mirai.ELF_2

IoCs
5.206.227.228
c22dce4ab0b5a0b2d8e921652ecc3df116568c1afd7222747a8bb1a87a2cfc59
ebfa0aa59700e61bcf064fd439fb18b030237f14f286c6587981af1e68a8e477

Threat Graph

Nooa ransomware seeks out your crypto wallets and passwords

The SonicWall Capture Labs threat research team has recently been tracking malware that does more than encrypt files and demand a ransom. In the ransomware space there has been an increase in malware that also steals data from infected machines. Some ransomware actors use this data to extort even more money from their victims. These ransomware actors, however, are interested in stealing crypto wallets, browser cookies and passwords.

 

Infection Cycle:

 

Upon infection, the file encryption process starts immediately. Files hosted on any attached external or network drives are also encrypted. Encrypted files are given a “.nooa” filename extension.

 

The following DNS requests are made by the malware:

  • api.2ip.ua
  • securebiz.org
  • astdg.top
  • prophefliloc.tumblr.com

 

The following files are downloaded onto the system:

 

  • C:\SystemID\PersonalID
  • %SYSTEMDRIVE%\_readme.txt
  • %SYSTEMDRIVE%\$WinREAgent\_readme.txt
  • %SYSTEMDRIVE%\$WinREAgent\Scratch\_readme.txt
  • %USERPROFILE%\_readme.txt
  • %APPDATA%\Roaming\Microsoft\Windows\Recent\_readme.lnk
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\4EQF0LUO\msvcp140[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\LHLB6AIE\nss3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\N5CLIG2L\freebl3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\N5CLIG2L\softokn3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\VQ7BRAAE\mozglue[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\VQ7BRAAE\vcruntime140[1].dll
  • %APPDATA%\Local\{rand}\build2.exe [Detected as: GAV: Conficker.gen (Worm)]

 

PersonalID contains an ID that is unique to each infection:

PLtnD1U6oAmgxgJ2nJik1mY9SwUQg07CiN0zSet1

 

_readme.txt contains the following message:

 

The malware downloads and runs build2.exe:

 

build2.exe reports the infection to a C&C server and receives data from it:

 

Decompression of the data above reveals the following message containing files targeted for exfiltration:

DESKTOP;%DESKTOP%\;*wallet*.*:*2fa*.*:*backup*.txt:*backup*.png:*backup*.jpg:*code*.txt:*code*.png:*code*.jpg:*password*.*:*auth*.txt:*auth*.png:*auth*.jpg:*crypto*.*:*key*.txt:*key*.png:*key*.jpg:*ledger*.*:*metamask*.*:*blockchain*.*:*bittrex*.*:*binance*.*:*coinbase*.*:*trezor*.*:*exodus*.*:*UTC--201*.*;300;true;movies:music:mp3;lnk;

 

build2.exe then searches the system for the file types and directories listed above. This includes 2FA data, crypto wallets and browser cookies. If such data is found, it is compressed and uploaded to the C&C server in zip format. The malware also captures and sends system information and a screenshot of the desktop:
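
To make the target list above usable on the defensive side (for example, to audit which files on a desktop this stealer would pick up), the following added example, not code from SonicWall or from the malware, parses the captured record and matches file names against its patterns. Only the first three fields (a label, a root directory and a ':'-separated list of file-name globs) are evident from the message; the meaning of the trailing fields (“300”, “true”, “movies:music:mp3”, “lnk”) is not stated in the write-up, so they are kept raw rather than interpreted. The file names used for the demonstration are constructed sample data.

```python
import fnmatch

# Target list as received from the C&C server, copied from the decompressed message above.
TARGET_SPEC = (
    "DESKTOP;%DESKTOP%\\;"
    "*wallet*.*:*2fa*.*:*backup*.txt:*backup*.png:*backup*.jpg:*code*.txt:*code*.png:*code*.jpg:"
    "*password*.*:*auth*.txt:*auth*.png:*auth*.jpg:*crypto*.*:*key*.txt:*key*.png:*key*.jpg:"
    "*ledger*.*:*metamask*.*:*blockchain*.*:*bittrex*.*:*binance*.*:*coinbase*.*:*trezor*.*:"
    "*exodus*.*:*UTC--201*.*;"
    "300;true;movies:music:mp3;lnk;"
)


def parse_target_spec(spec):
    """Split one ';'-delimited target record into its fields.

    Fields 0-2 are a label, a root directory and ':'-separated file-name patterns.
    The remaining fields are not explained in the write-up, so they are returned raw
    under "extra" rather than given an assumed meaning.
    """
    fields = spec.split(";")
    if len(fields) < 3:
        raise ValueError("target spec needs at least label, root and pattern fields")
    return {
        "label": fields[0],
        "root": fields[1],
        "include": [p for p in fields[2].split(":") if p],
        "extra": [f for f in fields[3:] if f],   # e.g. ['300', 'true', 'movies:music:mp3', 'lnk']
    }


def matching_patterns(filename, spec):
    """Return the include patterns a file name satisfies (case-insensitive, as Windows names are)."""
    name = filename.lower()
    return [p for p in spec["include"] if fnmatch.fnmatchcase(name, p.lower())]


def files_at_risk(filenames, spec):
    """Map each file name that the target list would select to the patterns it matched."""
    hits = {}
    for filename in filenames:
        matched = matching_patterns(filename, spec)
        if matched:
            hits[filename] = matched
    return hits


if __name__ == "__main__":
    spec = parse_target_spec(TARGET_SPEC)
    print(spec["label"], spec["root"], len(spec["include"]), "patterns", spec["extra"])
    # Constructed file names of the kind found on a desktop (sample data).
    sample = ["MetaMask-seed.txt", "passwords.xlsx", "backup_codes.png",
              "UTC--2019-01-01T00-00-00.000Z--abcd.json", "holiday.jpg", "notes.docx"]
    for name, patterns in files_at_risk(sample, spec).items():
        print(f"{name}: {patterns}")
```

The last sample pattern, “*UTC--201*.*”, is worth noting for defenders: it is the naming convention of Ethereum keystore files, which explains why it sits alongside the wallet-vendor names.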

 

information.txt contains system information from the infected machine:

 

We reached out to the email addresses provided in the ransom message and received the following response:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Waledac.gen.2 (Worm)
  • GAV: Conficker.gen (Worm)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.