
NETGEAR ProSAFE NMS MFileUploadController Vulnerability

Overview:

  Netgear ProSAFE Network Management System NMS300 is a centralized and comprehensive management application for network administrators that enables them to discover, monitor, configure, and report on SNMP based enterprise-class network devices. The Netgear Network Management System NMS300 delivers insights into the network, including third-party devices and its web-based user interface makes it easier to monitor and administer an entire network.

  This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System 1.6.0.26. Authentication is not required to exploit this vulnerability. The specific flaw exists within the MFileUploadController class. The issue results from the lack of proper validation of a user-supplied path, prior to use in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-27274.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.6 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Attack Packet Overview:

  The Content-Type header line contains the following:

    • “multipart/form-data” – The body consists of multiple parts, each delimited by the boundary string.
    • “boundary=” – The separator string that delimits the individual parts.

  The Content-Disposition header line contains the following:

    • “form-data”
    • “name=” – name of form element being returned.
    • “filename=” – Suggested file name to be used if detached and stored in a separate file.

  

Technical Overview:

  A user with the “observer” privilege can manage MIB config files via the “mib browser” page in the NMS300 web interface. To upload a MIB config file, a request to the Request-URI “/lib-1.0/external/flash/MfileUpload.do” is sent to the server.

  The MIB file content is transferred in a multipart/form-data part within the HTTP message body, and the filename parameter within the Content-Disposition header specifies the name of the file. The uploaded file will be saved into the following directory:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/type_dir/sub_dir/filename/

  Where “Install_Dir” is the directory where NMS300 is installed, and “filename” is the value of the filename parameter in the Content-Disposition header of the multipart/form-data part. The “type_dir” and “sub_dir” components are derived by mapping the values of the type and sub request parameters to sub-directory names. This mapping is specified in the file “resource.properties”, which has the following contents:

  

  For example, if the type parameter value is “mib”, “type_dir” is “WEB-INF/mibs/Customized/”; if the sub parameter value is “4”, “sub_dir” is “Switch/”. Therefore, the nms300_mibpath for an uploaded MIB file named a.mib in this example is:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/WEB-INF/mibs/Customized/Switch/a.mib

  If the type and sub parameters are omitted or empty, the application assigns the string “null” to “type_dir” and the empty string “” to “sub_dir”. Therefore, the nms300_mibpath for the uploaded MIB file becomes the following string:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/nulla.mib

  An unrestricted file upload vulnerability exists in the NETGEAR Management System NMS300. The vulnerability is due to a failure to validate the file type of the uploaded file. When the server receives an HTTP POST request whose Request-URI contains “/lib-1.0/external/flash/MfileUpload.do”, the uploadFile() method of the MFileUploadController class is executed. This method retrieves the values of the type, sub, and filename parameters from the request and uses them to build the nms300_mibpath for the uploaded MIB file. It then writes the uploaded file content to nms300_mibpath and calls the parseNewMIB() method of the MibLoader class to parse the uploaded MIB file. If the uploaded file is not in the format of a MIB config file, parseNewMIB() throws an exception and uploadFile() deletes the uploaded file.

  However, uploadFile() does not check the filename parameter for dangerous file extensions, nor does it validate the type and sub parameters. If the type and sub parameters are omitted or empty, an attacker can upload a malicious JSP file with a filename parameter such as “poc.jsp”, and the file will be saved at the following nms300_mibpath:

  /Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/nullpoc.jsp

  Because uploadFile() deletes the uploaded file if it is not a MIB config file, the attacker must pass this check. This can be achieved by embedding the malicious JSP code inside comment lines of an otherwise normal MIB config file, as shown in the example below:

  

  Where each comment line starts with “--” and the JSP code follows. The parser accepts the file, so the uploaded JSP file is kept on the server instead of being deleted. Because files under the directory “/Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/” can be accessed remotely without any restriction via HTTP requests, the attacker can then submit a subsequent request with a URL such as:

  hxxp://server-ip:8080/nullpoc.jsp

  and have the uploaded JSP file executed on the target server, resulting in arbitrary code execution.

  Note that, beginning with NMS300 version 1.5.0.14, authentication is required to access the URI “/lib-1.0/external/flash/MfileUpload.do”. Therefore, in general, an attacker must authenticate to the server to exploit this vulnerability; unauthenticated attacks are only possible against versions older than 1.5.0.14.

  A remote attacker could exploit the vulnerability by sending crafted HTTP requests to the target server. Successful exploitation would result in code execution in the security context of SYSTEM.
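  Added example in Python (not NMS300 code), serving both the multipart description in the Attack Packet Overview and the path construction above: it parses a constructed multipart/form-data body, rebuilds nms300_mibpath the way the write-up describes it (a missing type rendered as the string “null”, a missing sub as “”), and places a hardened builder beside it that enforces the mapping, a plain *.mib filename and containment in the MIB directory. The TYPE_DIRS/SUB_DIRS mapping holds only the two resource.properties entries the write-up names, and treating an unknown type the same as a missing one is an assumption.

```python
import posixpath
import re

# Constructed mapping: only the two resource.properties entries named in the
# write-up are known here; the real file carries more entries (assumption).
TYPE_DIRS = {"mib": "WEB-INF/mibs/Customized/"}
SUB_DIRS = {"4": "Switch/"}
WEBAPP_ROOT = "/Install_Dir/apache-tomcat-6.0.33/webapps/ROOT/"


class UploadRejected(ValueError):
    """Raised by the hardened builder when a request fails validation."""


def parse_multipart(body, boundary):
    """Split a multipart/form-data body into parts of name, filename, data."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter: boundary--
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', headers)
        fname = re.search(r'filename="([^"]*)"', headers)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": fname.group(1) if fname else None,
            "data": data.rstrip(b"\r\n"),
        })
    return parts


def vulnerable_mib_path(params, filename):
    """Path logic as the write-up describes it: type, sub and filename are not
    validated. Java string concatenation renders a null reference as "null",
    which is how the nullpoc.jsp path arises."""
    type_dir = TYPE_DIRS.get(params.get("type") or "")
    sub_dir = SUB_DIRS.get(params.get("sub") or "", "")
    type_str = "null" if type_dir is None else type_dir
    return WEBAPP_ROOT + type_str + sub_dir + filename


def hardened_mib_path(params, filename):
    """Hardened builder: type/sub must map, the filename must be a bare *.mib
    name, and the resolved path must stay inside the chosen MIB directory."""
    type_dir = TYPE_DIRS.get(params.get("type") or "")
    sub_dir = SUB_DIRS.get(params.get("sub") or "")
    if type_dir is None or sub_dir is None:
        raise UploadRejected("unknown type or sub parameter")
    if filename != posixpath.basename(filename) or "\\" in filename:
        raise UploadRejected("filename must not contain path separators")
    if not re.fullmatch(r"[A-Za-z0-9_-][A-Za-z0-9_.-]*\.mib", filename, re.I):
        raise UploadRejected("filename must be a plain .mib name")
    mib_dir = posixpath.normpath(WEBAPP_ROOT + type_dir + sub_dir)
    target = posixpath.normpath(posixpath.join(mib_dir, filename))
    if not target.startswith(mib_dir + "/"):
        raise UploadRejected("resolved path escapes the MIB directory")
    return target


def handle_upload(body, boundary, build_path):
    """Extract the type/sub fields and the file part, then build the save path."""
    parts = parse_multipart(body, boundary)
    params = {p["name"]: p["data"].decode("latin-1")
              for p in parts if p["filename"] is None}
    file_part = next(p for p in parts if p["filename"] is not None)
    return build_path(params, file_part["filename"])


def build_body(boundary, fields, filename, data):
    """Assemble a constructed multipart/form-data body for the demo."""
    out = b""
    for key, value in fields.items():
        out += (f'--{boundary}\r\nContent-Disposition: form-data; name="{key}"'
                f"\r\n\r\n{value}\r\n").encode()
    out += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream'
            "\r\n\r\n").encode()
    return out + data + f"\r\n--{boundary}--\r\n".encode()


BOUNDARY = "----ConstructedBoundary1234"
# Constructed sample requests: a normal MIB upload, and the parameter pattern
# from the write-up (type and sub omitted, filename carrying a .jsp extension).
BENIGN_BODY = build_body(BOUNDARY, {"type": "mib", "sub": "4"}, "a.mib",
                         b"EXAMPLE-MIB DEFINITIONS ::= BEGIN\r\nEND\r\n")
MALICIOUS_BODY = build_body(BOUNDARY, {}, "poc.jsp", b"not a MIB file\r\n")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, "vulnerable ->", handle_upload(body, BOUNDARY, vulnerable_mib_path))
        try:
            print(label, "hardened   ->", handle_upload(body, BOUNDARY, hardened_mib_path))
        except UploadRejected as exc:
            print(label, "hardened   -> rejected:", exc)
```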

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing crafted parameters to upload a malicious file to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS 15572: NETGEAR ProSAFE MFileUploadController Arbitrary File Creation

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
    Vendor Advisory

Conti operator demands $20M from victim. Faces litigation backlash instead

The SonicWall Capture Labs threat research team has recently been tracking Conti ransomware. Conti has reportedly been linked to over 400 cyberattacks against organizations around the world. In addition to encrypting files and holding them hostage for ransom, the attackers attempt to increase the chances of payout by threatening to publish sensitive data stolen from company networks. Such double-extortion schemes are a growing trend with ransomware.

 

Infection Cycle:

 

Conti ransomware is aimed at large company networks. The initial infection is handled manually by the attackers and usually starts with phishing attempts or firewall exploits. Once inside a network, a Cobalt Strike beacon is introduced onto the system to communicate with the attacker’s C2 server. Once the backdoors are established, the attackers propagate malware further within the network and begin to exfiltrate sensitive data that will later be used for extortion. After this, the Conti malware is deployed.

 

Conti malware uses the following icon:

 

Upon infection, files on the system are encrypted.  Each encrypted file is given a .FEEDC extension.  A file named readme.txt is dropped into directories containing encrypted files.  It contains the following message:

 

 

https://contirecovery.top is down, but the Tor link leads to the following page:

 

After uploading readme.txt to the Tor website, the following conversation can be seen between a prior victim and the operator.

 

 

As seen in the message above, the operator demands a staggering $20M for file decryption.

 

After a few days, the victim fights back with litigation:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Conti.RSM (Trojan)
  • GAV: Conti.RSM_2 (Trojan)
  • GAV: Conti.RSM_3 (Trojan)
  • GAV: Conti.RSM_4 (Trojan)
  • GAV: Cobaltstrike.A_1 (Trojan)
  • GAV: Cobaltstrike.A_2 (Trojan)
  • GAV: Cobaltstrike.A_3 (Trojan)
  • GAV: Cobaltstrike.A_4 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

F5 BIG-IP iControl remote command execution vulnerability

SonicWall Capture Labs threat research team observed attacks exploiting a vulnerability in F5’s BIG-IP iControl REST API.

BIG-IP

F5’s BIG-IP is a product family consisting of software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5’s Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI for F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability | CVE-2021-22986
BIG-IP iControl is a REST API for BIG-IP, which is accessible over HTTPS on port 443/TCP via the following URL:

https://<host>/mgmt/tm/

The BIG-IP iControl REST interface has an unauthenticated remote command execution vulnerability. It allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. The vulnerability can only be exploited through the control plane. Exploitation can lead to complete system compromise. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to the vulnerable REST interface. Due to insufficient validation of login requests to the REST API, the attacker is able to bypass authentication.

After bypassing authentication, a remote attacker can use multiple vectors to execute commands on the target server, as shown below:

The following JSON payload would execute the “id” command on the underlying operating system:

The following versions are vulnerable:

    • 16.0.x before 16.0.1.1
    • 15.1.x before 15.1.2.1
    • 14.1.x before 14.1.4
    • 13.1.x before 13.1.3.6
    • 12.1.x before 12.1.5.3
    • BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2

This vulnerability has been patched. The vendor advisory is available here.

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15471: F5 BIG-IP iControl REST Remote Command Execution 1
    • IPS 15472: F5 BIG-IP iControl REST Remote Command Execution 2
    • IPS 15473: F5 BIG-IP iControl REST Remote Command Execution 3

Threat Graph

Android banker with hardcoded financial targets

SonicWall Threats Research Team received reports of an Android banker campaign with a multitude of features and commands at its disposal. The samples we analyzed contain a hardcoded list of financial institutions; the malware monitors for their apps and shows fake login pages if a targeted app is found running on the device.

Sample Details

  • MD5:  9d050ee9d306fa2228b3ddb1840bfb61
  • Application Name: OLX
  • Package Name: man.cube.ship

Infection Cycle

Among the permissions requested, the following are a few sensitive/dangerous ones:

  • android.permission.BIND_ACCESSIBILITY_SERVICE
  • android.permission.CALL_PHONE
  • android.permission.GET_TASKS
  • android.permission.READ_SMS
  • android.permission.REAL_GET_TASKS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.WRITE_SETTINGS

 

Upon installation and execution, the malware does not show any screens or interface of any kind, but continues to perform malicious actions in the background:

The Manifest.xml file points to a Main Activity class that gets invoked when the application runs, but this class is not seen in the code base once decompiled:

This indicates that a dex file containing the actual deobfuscated code is likely dropped when the application executes. We observed a file being dropped in the app_DynamicOptDex folder on the device where the app is installed. The file ZTpqTR.json is actually a DEX file that contains legible malicious code.

Observations from the code

Interesting elements are present in a class file that can be considered the configuration file, as it contains a number of hardcoded elements:

Server that the malware communicates with:

  • http://ro-37[.]in/myaccount/login[.]php

A number of domains marked as Gates:

  • http://analkarnavalbubenec[.]pw/3lfk3jGj/
  • http://karambga3j[.]net/3lfk3jGj/
  • http://lkrishtian1[.]com/3lfk3jGj/
  • http://lkrishtifaa[.]com/3lfk3jGj/

A list of financial applications that the malware targets, along with what look like fake login pages hosted on a domain (which had been taken down as of writing this blog); the complete file can be viewed here.

 

The malware has capabilities to accept the following commands and execute the corresponding functionalities:

  • registration
  • send_sms
  • sms_contact
  • sms_contacts
  • get_push
  • tracker
  • move_sms_client
  • mard_mode – spelling mistake for hard mode
  • call_number
  • startes_access

 

Network activity

The malware communicated with the following domains during our analysis:

  • ro-27[.]in
  • lkrishtifaa[.]com

 

The following VirusTotal graph can be seen for this apk:

 

Banker Targets

The malware targets a number of financial institutions, notable targets include:

  • AlfaBank – Commercial bank in Russia
  • OpenBank – An online bank, headquartered in Madrid
  • Tinkoff – Russian bank based in Moscow
  • VTB24 – Leading universal bank of Russia
  • Mbank – Banking group in Poland
  • HomeCredit – An international non-bank financial institution headquartered in the Netherlands

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • AndroidOS.Banker.DR_1

 

Indicators of compromise (IOC):

  • 9d050ee9d306fa2228b3ddb1840bfb61

Multistage infostealer wants your Discord, Telegram, Steam Account Info

The SonicWall Capture Labs Threat Research team has analyzed a multi-stage infostealer. If available on the victim’s machine, this Trojan steals cryptocurrency data, credit card information, FTP server details and credentials for Discord, Telegram, Pidgin, Steam, NordVPN and Authy (2FA) accounts. It also steals the browser history and even takes a screenshot of the desktop.

Infection Cycle:

The infection starts with a malicious Microsoft Excel spreadsheet containing an embedded Visual Basic for Applications (VBA) macro that, when executed, downloads a Trojan downloader.

This downloader then drops a batch file which then runs a slew of commands.

It has the functionality to add a user to Active Directory.

It also invokes PowerShell to run a script that downloads the main infostealer Trojan. The PowerShell script is encoded; once decoded, it reveals the download URL.

To ensure persistence, it adds the infostealer Trojan to startup.

All these components files are deleted after the main infostealer has been downloaded.

Once the main infostealer is executed it creates a directory under the %Temp% folder with a random name where it logs all stolen information.

It creates a SQLite file containing the credit card information available on the system.

It saves a PNG screenshot of the victim’s desktop.

It also creates a file listing all recently visited websites, and another file containing the rest of the stolen information: data on various cryptocurrencies, popular chat app accounts such as Discord, Pidgin and Telegram, VPN and FTP servers, as well as account info for popular cloud-based gaming libraries such as Steam.

All these log files are deleted once they have been sent to the remote server.

During analysis we noted that this “Collector Project” (the title of one of the logs) is labelled BETA BUILD v1.11, which suggests that this is an ongoing project for these cybercriminals and that we can expect to see this malware again, along with other variants with more features and capabilities.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Panda.B (Trojan)
  • GAV: Panda.K (Trojan)
  • GAV: Panda.STL (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

Microsoft Security Bulletin Coverage for May 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2021. A list of issues reported, along with SonicWall coverage information is as follows:

CVE-2021-26419 Scripting Engine Memory Corruption Vulnerability
IPS 15554: Scripting Engine Memory Corruption Vulnerability (CVE-2021-26419)

CVE-2021-31166 HTTP Protocol Stack Remote Code Execution Vulnerability
IPS 15553: Windows HTTP Protocol Stack Remote Code Execution 3

CVE-2021-31170 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 180: Malformed-File exe.MP.180

CVE-2021-31181 Microsoft SharePoint Remote Code Execution Vulnerability
ASPY 181: Malformed-File exe.MP.181

CVE-2021-31188 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 182: Malformed-File exe.MP.182

Adobe Coverage:
CVE-2021-28550 Acrobat Reader Use After Free Vulnerability
ASPY 183: Malformed-File pdf.MP.473

CVE-2021-28560 Acrobat Reader Heap-based Buffer Overflow Vulnerability
ASPY 184: Malformed-File pdf.MP.474

The following vulnerabilities do not have exploits in the wild:

CVE-2020-24587 Windows Wireless Networking Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2020-24588 Windows Wireless Networking Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2020-26144 Windows Wireless Networking Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26418 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26421 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26422 Skype for Business and Lync Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-27068 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28455 Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28461 Dynamics Finance and Operations Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-28465 Web Media Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28474 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28476 Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-28478 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-28479 Windows CSC Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31165 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31167 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31168 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31169 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31171 Microsoft SharePoint Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31172 Microsoft SharePoint Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31173 Microsoft SharePoint Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31174 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31175 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31176 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31177 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31178 Microsoft Office Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31179 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31180 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31182 Microsoft Bluetooth Driver Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31184 Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31185 Windows Desktop Bridge Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-31186 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31187 Windows WalletService Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31190 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31191 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-31192 Windows Media Foundation Core Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31193 Windows SSDP Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31194 OLE Automation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31195 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31198 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31205 Windows SMB Client Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-31208 Windows Container Manager Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-31209 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-31211 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31213 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31214 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-31936 Microsoft Accessibility Insights for Web Information Disclosure Vulnerability
There are no known exploits in the wild.

Apache OFBiz Vulnerability

Overview:

  Apache OFBiz is an open source enterprise resource planning (ERP) system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. Apache OFBiz is a framework that provides a common data model and a set of business processes. Beyond the framework itself, Apache OFBiz offers the following functionality:

  • Accounting (agreements, invoicing, vendor management, general ledger)
  • Asset maintenance
  • Catalogue and product management
  • Facility and warehouse management system (WMS)
  • Manufacturing execution / manufacturing operations management (MES/MOM)
  • Order processing
  • Inventory management
  • Automated stock replenishment etc.
  • Content management system (CMS)
  • Human resources (HR)
  • People and group management
  • Project management sales force automation
  • Work effort management
  • Electronic point of sale (ePOS)
  • Electronic commerce (eCommerce) and scrum (development)

  An insecure deserialization vulnerability has been reported in Apache OFBiz. This vulnerability is due to Java serialization issues when processing requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request.

  Successful exploitation would result in arbitrary code execution.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-30128.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An insecure deserialization vulnerability exists in Apache OFBiz. It is due to missing input validation for malicious payloads sent in the “cus-obj” XML element when an HTTP request is sent to the “/webtools/control/SOAPService” Request-URI, and to a bypass of the safe-deserialization checks in the Java class “org.apache.ofbiz.base.util.SafeObjectInputStream”.

  Requests sent to this endpoint are initially handled by the Java class “org.apache.ofbiz.webapp.control.RequestHandler”, which determines the mapping for the URL. Next, the invoke() method of the “org.apache.ofbiz.webapp.event.SOAPEventHandler” class is called. This method calls deserialize() in the Java class “org.apache.ofbiz.service.engine.SoapSerializer”, which in turn calls deserialize() in the Java class “org.apache.ofbiz.entity.serialize.XmlSerializer”.

  The SOAP XML parsing is implemented in the deserializeSingle() method of the Java class “org.apache.ofbiz.entity.serialize.XmlSerializer”. If the tag name is “cus-obj”, the value of that XML element is stripped of all space and colon ':' characters by the fromHexString() method of the Java class “org.apache.ofbiz.base.util.StringUtil”, and the resulting byte array is passed to the getObject() method of the Java class “org.apache.ofbiz.base.util.UtilObject”. This method then calls getObjectException() in the same class, where the insecure deserialization can occur.

  Note that the code in getObjectException() uses a custom class, “org.apache.ofbiz.base.util.SafeObjectInputStream”, which extends the Java standard library class ObjectInputStream. SafeObjectInputStream employs a whitelist of classes that are allowed to be deserialized: it allows deserialization of any class whose name contains the string “java.”.

  Also, the overridden resolveClass() method in this class calls the custom loadClass() method in the Java class “org.apache.ofbiz.base.util.ObjectType”. The code in loadClass() removes from the name of the class to be loaded any string following and including the character '<', so that generic classes can be loaded. Additionally, the deserialization logic in the JDK standard library class ObjectStreamClass only checks class names before deserialization by examining the part of the name after the last '.' character (i.e., it does not check the entire class name before proceeding with the deserialization of the class). Therefore, an attacker can craft a serialized object with a slightly altered class name that bypasses both the whitelist and the JDK deserialization check that is meant to ensure the correct class is deserialized.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious HTTP request containing a crafted XML payload in the body of the request. Since OFBiz also uses vulnerable versions of the Apache Commons BeanUtils or ROME libraries, an attacker can craft a malicious XML payload using the ysoserial gadget tool and altering all the class names in the serialized object as described above.

  Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the user running the application.
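  Added example in Python (not OFBiz code) for the parsing and whitelist logic described above: it normalises cus-obj values the way fromHexString() is described to (drop spaces and colons, then hex-decode), so that a detection check on the Java serialization magic bytes is not evaded by separator characters, and places the substring whitelist beside an exact-match allowlist that also rejects any name containing '<'. The SOAP sample, the ALLOWED_CLASSES set and the placeholder class names are constructed for the demo; only the cus-obj element name comes from the write-up.

```python
import binascii
import re

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # header of every Java serialization stream


def from_hex_string(value):
    """Mirror of the normalisation the write-up describes for cus-obj values:
    spaces and ':' are dropped before hex-decoding."""
    return binascii.unhexlify(re.sub(r"[ :]", "", value))


def cus_obj_is_serialized_java(value):
    """Detection helper: does a cus-obj value decode to a Java serialization
    stream? Decoding exactly as the application does means a signature on the
    literal text "aced0005" cannot be dodged by inserting spaces or colons."""
    try:
        return from_hex_string(value).startswith(JAVA_SERIAL_MAGIC)
    except (binascii.Error, ValueError):
        return False


def scan_soap_body(xml_text):
    """Return the cus-obj values in a SOAP body that carry serialized Java."""
    values = re.findall(r"<cus-obj>\s*(.*?)\s*</cus-obj>", xml_text, re.S)
    return [v for v in values if cus_obj_is_serialized_java(v)]


def weak_is_allowed(class_name):
    """Substring whitelist as the write-up describes it: any class name that
    contains "java." is accepted, wherever that substring sits."""
    return "java." in class_name


# Hardened allowlist (constructed set for the demo): exact fully-qualified
# names only, after checking that the name is a plain dotted identifier.
ALLOWED_CLASSES = frozenset({
    "java.lang.String", "java.lang.Integer",
    "java.util.HashMap", "java.util.ArrayList",
})
_DOTTED_IDENT = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*")


def strict_resolve(class_name):
    """Hardened resolveClass() stand-in: reject any name with characters a class
    name cannot contain (so a '<' suffix never reaches loadClass()), then
    require an exact allowlist match rather than a substring match."""
    if not _DOTTED_IDENT.fullmatch(class_name):
        raise ValueError(f"malformed class name: {class_name!r}")
    if class_name not in ALLOWED_CLASSES:
        raise ValueError(f"class not on allowlist: {class_name}")
    return class_name


# Constructed sample: two cus-obj elements, one carrying a colon-separated
# serialization header and one carrying plain ASCII text. The surrounding
# envelope is a placeholder, not OFBiz's real serializer layout.
SAMPLE_SOAP = """<Envelope><Body>
  <cus-obj>ac:ed:00:05:73:72:00:10</cus-obj>
  <cus-obj>68 65 6c 6c 6f</cus-obj>
</Body></Envelope>"""

if __name__ == "__main__":
    print("serialized Java found:", scan_soap_body(SAMPLE_SOAP))
    for name in ("java.util.HashMap", "org.example.NotOnAllowlist<java."):
        print(name, "weak:", weak_is_allowed(name), end=" strict: ")
        try:
            print(strict_resolve(name))
        except ValueError as exc:
            print("rejected,", exc)
```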

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker sends an HTTP request containing a maliciously crafted serialized object within the SOAP data to the affected target. The vulnerability is triggered when the server deserializes the data.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP
    • HTTPS, over port 8443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 14804 Apache OFBiz Insecure Deserialization 1
  • IPS: 14805 Apache OFBiz Insecure Deserialization 2
  • IPS: 15485 Apache OFBiz Insecure Deserialization 3
  • IPS: 15548 Apache OFBiz Insecure Deserialization 4
  • IPS: 15549 Apache OFBiz Insecure Deserialization 5

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking communication between Apache OFBiz and untrusted networks.
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic.

The vendor has released the following advisory regarding this vulnerability:
https://ofbiz.apache.org/security.htm

Eaton's Intelligent Power Manager (IPM) Vulnerability

Overview:

  Eaton’s Intelligent Power Manager (IPM) software provides the tools needed to monitor and manage power devices in your physical or virtual environment keeping devices up and running during a power or environmental event. This software solution ensures system uptime and data integrity by enabling remote monitoring, managing and controlling devices on the network.

  An arbitrary file deletion vulnerability has been reported in Eaton Intelligent Power Manager (IPM) and Eaton Intelligent Power Protector (IPP). The vulnerability is due to missing input validation in meta_driver_srv.js. A remote, unauthenticated attacker could exploit it by sending maliciously crafted HTTP requests. Successful exploitation could allow the attacker to delete arbitrary files on the target system.

  The main program, mc2, contains compressed JavaScript code that is relevant to understanding this vulnerability. The web interface is reachable over HTTP on port 4679 and over HTTPS on port 4680.

CVE Reference:

  Assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-23279

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  An arbitrary file deletion vulnerability exists in Eaton Intelligent Power Manager. The vulnerability is due to a missing authentication check and missing input validation in HTTP requests sent to the “/server/meta_driver_srv.js” endpoint. When a user sends an HTTP request to this endpoint, the code in meta_driver_srv.js parses the JSON data in the data request parameter.

  The code maintains the driverList data structure in the MetaDriverManager JavaScript object. It collects all driver IDs currently known to the application, which correspond to the files in the “configs/drivers/” directory: each file holds the information for one driver and is named “X.drv”, where X is the driver ID.

  After parsing the JSON data in the data request parameter, the code checks whether each driver ID in driverList is present in the JSON data. For every driver ID that is not present, it deletes the file in “configs/drivers” whose name matches that driver ID, by calling the deleteDriver() function of the MetaDriverManager object. Afterwards, for each driver ID found in the JSON data but not in driverList, it creates a new “.drv” file in “configs/drivers” containing the JSON data supplied in the request.

  The problem is that the code uses the driver ID keys from the supplied JSON data to delete or create “.drv” files in “configs/drivers” without checking those keys for directory traversal sequences. An attacker can therefore send requests in which a driver ID key contains directory traversal sequences.

  Note that the attacker has to send two requests:

  • In the first request, the attacker supplies a driver ID that is a path to the file to be deleted. While processing this request, the code overwrites that file with the data provided in the data request parameter. The overwritten content is in JSON format and is not fully controlled by the attacker.

  • In the second request, the attacker omits the driver ID that was added when the first request was processed, which triggers the code path that deletes the file. By chaining these two requests with directory traversal sequences and the null character (%00), the attacker can delete any file on the target system. The null character is needed to truncate the path so that the trailing “.drv” extension appended by the code is discarded.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends a malicious HTTP request to overwrite the contents of the file and then sends the second request to delete the same file. The vulnerability is triggered when the affected software processes the second request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 4679/TCP
    • HTTPS, over port 4680/TCP

Attack Request:

Attack Response:

Patched Software:

  Eaton has patched these security issues and released new versions of the affected software. The latest versions can be downloaded from the locations below:
    • Eaton IPM v1.69 – Download | IPM | Eaton
    • Eaton IPP v1.68 – Download software | Power management | Eaton

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15540 Eaton Intelligent Power Manager Arbitrary File Deletion

Vendor Advisory:

cURL new addition to LOLBins

The SonicWall Capture Labs Threat Research Team has observed a new Microsoft Excel sample that uses curl.exe to download the AVE Maria Remote Admin Tool (RAT). The sample launches curl.exe from an XLM (Excel 4.0) macro.

cURL is a command-line tool for transferring data, including files, using URL syntax. curl.exe ships by default with Windows 10 build 17063 and later.

Any country where French is spoken or is the official language may be the target of this campaign, given that the sheet name is “Feuil1”, which is “Sheet1” in French.

Analysis:

Upon opening the file, the user is shown instructions to enable content, as shown below:

Fig-1: Excel File

If the user enables macros, the following code is executed:

Fig-2: Macro Sheet

The downloaded file remains under analysis; initial investigation shows that it belongs to the AVE Maria RAT family.

File properties indicate that the sample was created on 20-Sep-2020 and modified on 27-Apr-2021 at 8:14 pm (UTC), as shown below.

Fig-3: Sample properties

SonicWall Capture ATP detected the sample as soon as it was first observed in the wild (27-Apr-2021 9:01:05 GMT), as is evident from the sample properties and the Capture detection report:

Fig-4: Capture Report

Indicators of Compromise:

SHA256:

  • 2e07eafbfb9f4700dbb3983d59d45939eb80f99807aee1c85e955d6f67991794 (Excel file)
  • 5bdc77c84e5ae4fd2c48746ad421b04fb8af9dca2b4d0e9e38906b777f976577 (Excel file)
  • 27b2fd40a9bf3ea07a45437c743cf9fdba97565231e4ae3ea90adf897e26b663 (executable file)

Network Activity:

  • akmestarhfc[.]in/public/smartpc[.]exe
  • http://bitcoincoin[.]xyz/payment/xls[.]exe

Android banking trojan targets more than 450 apps

The SonicWall Capture Labs Threat Research team has once again observed malicious Android banking trojans that target a large number of financial apps. This time the malicious app spreads by masquerading as the Austrian PayLife bank app.

Sample Details:

Infection Cycle

Upon installation the application appears in the app drawer as follows:

Once executed, the application icon disappears from the app drawer, giving the victim the impression that the application is no longer present on the device. Next, it requests the Accessibility Services permission from the victim:

Upon checking the AndroidManifest.xml file for the main activity, we see an entry for an activity that is not visible in the source code:

But on running the application on a device, a few files are dropped in the app_DynamicOptDex folder. The sample we analyzed dropped the following interesting files:

  • AWrQyH.dex
  • AWrQyH.json

The .json file (AWrQyH.json here) is in fact a .dex file. Inside it we find the classes containing the malicious code, including the main activity that was not visible earlier:
The malware is capable of accepting and executing the following commands:

  • Send_SMS
  • Flood_SMS
  • Download_SMS
  • Spam_on_contacts
  • Change_SMS_Manager
  • Run_App
  • StartKeyLogs
  • StopKeyLogs
  • StartPush
  • StopPush
  • Hide_Screen_Lock
  • Unlock_Hide_Screen
  • Admin
  • Profile
  • Start_clean_Push
  • Stop_clean_Push

Based on the commands and functionality, it appears that this malware is capable of carrying out a number of dangerous actions from the infected device:

  • SMS-related actions (Send_SMS, Flood_SMS, Download_SMS, Change_SMS_Manager)
  • Capturing the victim's keystrokes (StartKeyLogs, StopKeyLogs)
  • Sending SMS messages to contacts (Spam_on_contacts), which may be used to spread the infection to people in the victim's contact list


The malware we analyzed communicates with a hardcoded server, autolycus.ug:

During our analysis the malware communicated with the server by sending encrypted data to gate.php. However, we did not receive any communication back from the server:

We observed the following VirusTotal graph for this domain:

The source code of this app contains a list of apps that are monitored by the malware. The list of around 455 apps consists mostly of financial apps. A few of the targeted apps are listed below; the complete list can be obtained here:

  1. ar.com.santander.rio.mbanking
  2. at.volksbank.volksbankmobile
  3. au.com.bankwest.mobile
  4. com.bancomer.mbanking
  5. com.bankaustria.android.olb
  6. com.bankofqueensland.boq
  7. com.bbva.mobile.pt
  8. com.CredemMobile
  9. com.db.pbc.DBPay
  10. com.desjardins.mobile

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.Banker.AL (Trojan)

Indicators of compromise (IOCs):

  • 670e49e6cdb47f8e6121fc706b2c6886
  • 6fb48c0121f446c3010867f02e0b53ee
  • e030c8ba233ea0b3b50daafbe54605a6