
CrushFTP Server-Side Template Injection (SSTI)

Overview

SonicWall Capture Labs threat research team became aware of a fully unauthenticated server-side template injection vulnerability within CrushFTP, assessed its impact, and developed mitigation measures. CrushFTP is an enterprise file transfer tool, and such tools have seen increased attention from attackers over the last several years. This vulnerability, CVE-2024-4040, has a CVSS score of 10.0 and has been reported by CISA as exploited in the wild. A PoC and vulnerability scanner script have been released on GitHub, making it relatively easy for attackers to leverage. Shodan indicates around 5,200 instances exposed on the internet at the time of writing. CrushFTP has released an update to fix this vulnerability, and anyone using this software should update to version 11.1 or newer.

Technical Overview

CrushFTP is designed to issue an anonymous or unprivileged session token for any unauthenticated request to any page with a “/WebInterface” prefix. This session token can then be used to access other API endpoints. The vulnerability exists because an accessible endpoint – ServerSessionAJAX – allows these unprivileged tokens to use its API features. The ServerSessionAJAX API functions as a server-side templating engine by performing variable replacements, and it is susceptible to a server-side template injection vulnerability within the writeResponse function. If an attacker manages to insert data enclosed within %% or {} symbols in the argument, the server will evaluate and render the attacker-specified template. This results in arbitrary file read as root and authentication bypass for administrator account access, and can lead to theft of all files stored on the instance. To perform our analysis, we installed CrushFTP version 10.6 using a Docker container hosted on Docker Hub.

Triggering the Vulnerability

In order to leverage and trigger this vulnerability, an attacker must first obtain an unprivileged session token by sending a basic GET request to any endpoint in “/WebInterface,” as seen in Figure 1.

Figure 1: Obtaining a session token

Using a session token, the attacker can attempt to access resources that should only be accessible to a fully authenticated account, such as the API implemented by ServerSessionAJAX. In Figure 2, we are trying to access an API feature we shouldn’t have permission to use: the zip function. Upon attempting access, an error appears instead of the expected “access denied” message.

Figure 2: Indication of unauthenticated access to API

Through this unauthenticated API, we can send legitimate template commands to obtain information about the server, which will be returned in the response. The code allows an extensive list of legitimate commands to be sent into the request. Figure 3 shows a small subset of the list from the code, including one that returns the working directory of where the application is running, which is crucial for exploitation.

Figure 3: change_vars_to_values_static function

Attempting to access this command via an unauthenticated request, as seen in Figure 4, proves an attacker can effectively leverage the SSTI. Notice that the working directory is returned in the server’s response when the “working_dir” template is provided.

Figure 4: Successful template injection

Exploitation

To exploit this vulnerability, an attacker can use this access to obtain an administrator login or session token. By examining the possible templates that can be leveraged within the “change_vars_to_values” function, we run across “INCLUDE” tags among many others, as seen in Figure 5.

Figure 5: Injectable Tags

As demonstrated in Figure 4, it is easy to obtain the working directory of the application. Within the application’s main directory, a file named sessions.obj contains all of the session data for the instance, including session tokens. If an administrator is logged into the application, their token will be in this file. An attacker can exploit the SSTI vulnerability using <INCLUDE>, as seen in Figure 6, to have the file’s contents returned in the response.

Figure 6: SSTI using <INCLUDE>

Within the response, it is easy to locate a list of assigned session tokens. In Figure 7, the administrator token is highlighted in yellow. While an attacker may not know which token is dedicated to the administrator, trial and error will eventually allow them to utilize the correct token.

Figure 7: Output of SSTI including the sessions.obj file

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4396 CrushFTP Server-Side Template Injection
  • IPS:4400 CrushFTP Server-Side Template Injection 2
  • IPS:4402 CrushFTP Server-Side Template Injection 3

Remediation Recommendations

CrushFTP has released an update to fix this vulnerability, and anyone using this software is advised to update to version 11.1 or newer.


Fake Windows Explorer Installs a Crypto Miner

Overview

This week the SonicWall Capture Labs threat research team came across a sample purporting to be Windows Explorer. At a glance, everything checks out – it uses the legitimate Windows Explorer icon and the file properties say Microsoft – but, once executed, it installs and runs a crypto miner.

Infection Cycle

The sample arrives as a Windows executable file using the following icon and bearing these file properties:

Figure 1: Malware installer’s file properties showing Windows Explorer from Microsoft

Upon execution, it drops malicious files in the /Windows/Fonts/ directory, including the main crypto miner file, a batch file containing malicious commands to start the mining process, and two registry files whose registry subkeys and values will later be inserted into the system registry using regedit.exe.

  • svchost.exe
  • 1.bat
  • server.reg
  • restart.reg

It then spawns the Windows command interpreter to execute the batch file.

Figure 2: Cmd is used to run 1.bat

Simultaneously, it also runs the attrib command to set the read-only (+r) and archive (+a) attributes on the entire %fonts% directory.

Figure 3: The malicious Explorer.exe will run the attrib command to change attributes of the Fonts directory

Meanwhile, the 1.bat file contains the following commands:

Figure 3A: Commands

The batch file installs and runs a crypto miner using the specified mining pool address, port and XMR wallet. It then imports the contents of the two .reg files using regedit.exe. Next, it deletes these registry files and proceeds to change the attributes of several component files.
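To hunt for the dropped files described above, a responder can audit the Fonts directory for anything that is not a font. The following Python is an added example and not part of the post: it parses attrib-style listing lines (a constructed sample that uses the file names the post lists) and flags executables, scripts and .reg files under Fonts, system-binary names outside their usual directory, and the read-only attribute the malware sets. The listing layout, the extension list and the system-binary table are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed attrib-style listing (not from the post). The layout mimics
# "attrib /s" output: attribute letters, padding, then the full path.
SAMPLE_ATTRIB = [
    "A            C:\\Windows\\Fonts\\arial.ttf",
    "A    R       C:\\Windows\\Fonts\\svchost.exe",
    "A    R       C:\\Windows\\Fonts\\1.bat",
    "A    R       C:\\Windows\\Fonts\\server.reg",
    "A    R       C:\\Windows\\Fonts\\restart.reg",
    "A            C:\\Windows\\System32\\svchost.exe",
]

# Extensions that have no business in the Fonts directory (assumed list).
SUSPECT_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".reg", ".ps1", ".vbs", ".js"}

# Windows system binaries whose names are commonly borrowed by malware, with
# the directory names they legitimately live in (simplified, assumed table).
SYSTEM_BINARY_HOMES = {
    "svchost.exe": {"system32", "syswow64"},
    "explorer.exe": {"windows"},
}

# attribute letters (A, S, H, R ...), whitespace, then a drive-letter path
ATTRIB_LINE = re.compile(r"^([A-Z ]*?)\s+([A-Za-z]:\\\S.*)$")


def parse_attrib_line(line):
    """Return {"flags": set, "path": PureWindowsPath} or None for non-matching lines."""
    m = ATTRIB_LINE.match(line)
    if not m:
        return None
    return {"flags": set(m.group(1).replace(" ", "")),
            "path": PureWindowsPath(m.group(2))}


def audit_fonts_listing(lines):
    """Flag files in a Fonts directory that look like dropped tooling."""
    findings = []
    for line in lines:
        rec = parse_attrib_line(line)
        if rec is None:
            continue
        path, flags = rec["path"], rec["flags"]
        if path.parent.name.lower() != "fonts":
            continue
        reasons = []
        if path.suffix.lower() in SUSPECT_EXTENSIONS:
            reasons.append(f"{path.suffix.lower()} file in Fonts directory")
        homes = SYSTEM_BINARY_HOMES.get(path.name.lower())
        if homes and path.parent.name.lower() not in homes:
            reasons.append("system binary name outside its expected directory")
        # the post notes the malware sets +r on the whole directory
        if reasons and "R" in flags:
            reasons.append("read-only attribute set")
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_fonts_listing(SAMPLE_ATTRIB):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

On a live host the listing would come from `attrib /s C:\Windows\Fonts\*` (or a directory walk), and the same checks apply; the font itself (arial.ttf) and the genuine System32 copy of svchost.exe produce no finding.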

Figures 4 and 5 show the contents of the reg files which were imported into the system registry.

Figure 4: Contents of server.reg

Figure 5: Contents of restart.reg

Our static analysis revealed another mining configuration that uses a different mining pool address, port and XMR wallet, which we did not observe being used during runtime.

Figure 6: Alternate mining pool address and XMR wallet that may be used by this malware

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Miner.XMR_1 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and Capture Client endpoint solutions.

Android Remote Access Trojan Equipped to Harvest Credentials

Overview

The SonicWall Capture Labs threat research team has been regularly sharing information about malware targeting Android devices. We’ve encountered similar RAT samples before, but this one includes extra commands and phishing attacks designed to harvest credentials.

This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices. This malicious app uses any of the following icons:


Figure 1: The app icon used by the malware.

Figure 2: Installed malicious app

Infection Cycle

After the malicious app is installed on the victim’s device, it prompts the victim to enable two permissions:

  • Accessibility Service
  • Device Admin Permission

By requesting these permissions, the malicious app aims to gain control over the victim’s device, potentially allowing it to carry out harmful actions or steal sensitive information without the user’s awareness or consent.

Figure 3: Prompt for accessibility permission

Figure 4: Device admin activation

The malicious app establishes a connection with the Command-and-Control server to receive instructions and execute specific tasks accordingly.

Here are some of the commands received from the malware’s Command-and-Control (C&C) server:

Command      Description
dmpsms       Read messages
dmpcall      Read call logs
dmpcon       Device contact list
getpackages  Installed package names
changewall   Change device wallpaper
toasttext    Notification data
opweb        Open URLs in the web browser for phishing
vibratedev   Vibrate device
sendsms      Send messages
tont         Turn on the camera flashlight
tofft        Turn off the camera flashlight


The resource file contains the URL of the C&C server, but it was not active during the analysis.

Figure 5: C&C server

Figure 6 shows the malware receiving a command from the C&C server to open a specific URL in the browser in order to harvest credentials.

Figure 6: Browser to open specific URL

Some malicious HTML files related to well-known Android applications are in the ‘asset\website’ folder, as shown in the figure below:

Figure 7: Fraudulent HTML Pages

Figure 8: Instances of fraudulent HTML page -1.

Figure 9: Instances of fraudulent HTML page -2.

In these HTML files, the attacker prompts the victim to enter their user ID and password into the input fields.

Figure 10: Retrieves user input

After capturing the credentials with JavaScript, it collects all of the user information and passes it to the ‘showTt’ function.

Figure 11: Collect user credential

It retrieves all phone numbers stored on the victim’s device.

Figure 12: Fetching contact List

It attempts to change the device’s wallpaper to a specific resource if the ‘str’ parameter matches the decrypted value, such as 0, 1, or 2.

Figure 13: Changing the Device Wallpaper

It retrieves information about installed apps on the victim’s device.

Figure 14: Collecting installed package info

The code snippet in Figure 15 uses the “CameraManager” to toggle the flashlight of the victim’s device camera on or off.

Figure 15: Camera flashlight on-off

It sends a message to a number based on input received from the C&C server.

Figure 16: Sending a message from the victim’s device

We also noticed that certain malicious files have been recently uploaded to malware-sharing platforms like VirusTotal.

Figure 17: Latest sample found on VT

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOCs)

0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d

37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509

3df7c8074b6b1ab35db387b5cb9ea9c6fc2f23667d1a191787aabfbf2fb23173

6eb33f00d5e626bfd54889558c6d031c6cac8f180d3b0e39fbfa2c501b65f564

9b366eeeffd6c9b726299bc3cf96b2e673572971555719be9b9e4dcaad895162

a28e99cb8e79d4c2d19ccfda338d43f74bd1daa214f5add54c298b2bcfaac9c3

d09f2df6dc6f27a9df6e0e0995b91a5189622b1e53992474b2791bbd679f6987

d8413287ac20dabcf38bc2b5ecd65a37584d8066a364eede77c715ec63b7e0f1

ecf941c1cc85ee576f0d4ef761135d3e924dec67bc3f0051a43015924c53bfbb

f10072b712d1eed0f7e2290b47d39212918f3e1fd4deef00bf42ea3fe9809c41

GitLab XSS Via Autocomplete Results

Overview

The SonicWall Capture Labs threat research team became aware of a cross-site scripting vulnerability in GitLab, assessed its impact and developed mitigation measures. GitLab, an open-source code-sharing platform, published an advisory on this vulnerability affecting GitLab CE/EE in all versions starting from 16.7 to 16.8.6, 16.9 before 16.9.4 and 16.10 before 16.10.2. Identified as CVE-2024-2279, it allows remote threat actors to perform arbitrary actions on behalf of victims, earning a high CVSS score of 8.7. To mitigate this threat, GitLab users are strongly encouraged to upgrade their instances to the latest versions, as mentioned in the vendor advisory.

Technical Overview

This vulnerability arises due to a flaw in the input validation mechanism while displaying suggestions to the user using the feature called ‘autocomplete for issues reference’ in the rich text editor. Autocomplete characters are a handy way for users to enter field values into markdown fields swiftly. While creating and displaying an issue enforces the escape of the special characters, the same is missing when the user types the character “#” and the backend engine tries to autocomplete from the list of issues.

This enables an attacker with access to ‘issues’ in the project to create an ‘issue’ using a crafted payload in the title field, leading to stored cross-site scripting. The exploit payload triggers when a victim is trying to mention any issue in the textbox using the autocomplete character #, which leads to an automatic execution of arbitrary action specified in the payload. This could include actions such as requesting a resource from the attacker-controlled server.

An escape method from the Lodash library is used to address this vulnerability, as seen in the related diff between version 16.10.1 and 16.10.2 in Figure 1. This method replaces special characters like &, <, >, “, and ‘ with their corresponding HTML entities before adding them to the Document Object Model (DOM).

Figure 1: Utilization of the escape method to resolve the issue
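Lodash’s escape, as the post describes, replaces &, <, >, " and ' with HTML entities before the title reaches the DOM. The following Python is an added example, not GitLab’s code and not Lodash itself: it reimplements that five-character mapping and renders a constructed issue list two ways, concatenating the raw title as the unpatched autocomplete did and escaping it first. The issue records, the plain <li> markup and the placeholder host in the title are assumptions made for the example.

```python
import re

# The five replacements Lodash's escape() performs, written out explicitly.
_LODASH_ESCAPE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
}


def lodash_escape(text):
    """Escape the characters Lodash's escape() escapes; everything else passes through."""
    return "".join(_LODASH_ESCAPE.get(ch, ch) for ch in text)


# Constructed issue records (not from the post). The second title carries the
# kind of payload the post describes, with a placeholder host.
ISSUES = [
    {"iid": 1, "title": "Login page returns 500 on empty password"},
    {"iid": 2, "title": 'Malicious issue <img src="http://attacker-controlled-server.example/x.svg">'},
]


def render_suggestions_vulnerable(issues):
    """Title concatenated straight into the markup: any tag inside it becomes live DOM."""
    return "".join(f'<li>#{i["iid"]} {i["title"]}</li>' for i in issues)


def render_suggestions_fixed(issues):
    """Same markup, but the untrusted title is escaped first (what the patch does)."""
    return "".join(f'<li>#{i["iid"]} {lodash_escape(i["title"])}</li>' for i in issues)


# Any tag other than the <li> wrapper we emit ourselves is foreign to this markup.
TAG_RE = re.compile(r"<(?!/?li\b)[A-Za-z]")


def contains_foreign_tag(markup):
    """True when the rendered suggestion list contains a tag we did not put there."""
    return TAG_RE.search(markup) is not None


if __name__ == "__main__":
    print("vulnerable:", contains_foreign_tag(render_suggestions_vulnerable(ISSUES)))
    print("fixed:     ", contains_foreign_tag(render_suggestions_fixed(ISSUES)))
```

Python’s own html.escape does the same job; the point of spelling the mapping out is that the output is inert text, so the browser renders the literal characters and never issues the image request the post uses as its indicator.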

Triggering the Vulnerability

Leveraging this XSS vulnerability requires the attacker to meet the prerequisites below.

  • The attacker must have network access to the target vulnerable system along with the rights to create the ‘issue’.
  • The attacker must create an issue with a malformed payload. For instance, the title Malicious issue <img src="http[:]//<attacker_controlled_server>/x.svg">. If the vulnerability is present, this payload causes the victim’s browser to request the image from that server.
  • The victim must try to mention any issue using the autocomplete character #.

Exploitation

While the steps to trigger the vulnerability are straightforward, exploitation can test the attacker’s patience, since it requires the victim to mention an issue from the rich text editor specifically.

To begin with, the issue needs to be created with the crafted payload as seen in Figure 2. The attacker needs to host the x.svg image file at the server specified in the payload.

Figure 2: Malicious issue creation

The created issue will be listed as shown in Figure 3.

Figure 3: Issues list

When a user tries to refer to any issue by typing # in the rich text box, for instance, in the comment box of any other issue, the payload will be triggered. The exploitation can be verified by checking the access logs of the web server, where the access request on behalf of the victim can be seen, as shown in Figure 4.

Figure 4: Triggering XSS

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 4383 GitLab Autocomplete Results XSS
  • IPS: 4385 GitLab Autocomplete Results XSS 2

Remediation Recommendations

GitLab users are strongly encouraged to upgrade their instances to the latest versions as mentioned in the vendor advisory.


Analysis of Native Process CLR Hosting Used by AgentTesla

Overview

SonicWall Capture Labs threat research team has observed fileless .NET managed code injection in a native 64-bit process. Native code, or unmanaged code, refers to low-level compiled code such as C/C++. Managed code refers to code written to target .NET, which will not run without the CLR (the Microsoft .NET runtime) libraries. The injected code belongs to the AgentTesla malware.

Technical Analysis

The initial infection vector is a Word document that the client received as an email attachment. Upon opening this document, it will ask the user to enable a VBA macro. If enabled, this VBA macro downloads a 64-bit executable from the internet and executes it.

The downloaded binary is a 64-bit, Rust-compiled binary. We are focusing on the techniques used by this binary to inject the malicious AgentTesla payload into its own process memory using CLR Hosting.

The following are details of the 64-bit downloaded executable file.

MD5 : 4521162D45EFC83FA76C4B5C0D405265

SHA256 :  F00ED06A1D402ECF760EC92F3280EF6C09E76036854ABACADCAC9311706ED97D

URL from which 64-bit executable downloaded:

https[:]//New-Coder[.]cc/Users/signed_20240329011751156[.]exe

Disabling Event Tracing for Windows (ETW)

On execution of the Rust binary, it patches the “EtwEventWrite” API from NTDLL using the NtProtectVirtualMemory, WriteProcessMemory and FlushInstructionCache APIs.

Figure 1:  After the malware patches the “EtwEventWrite” API

This 64-bit malware process downloads an encoded shellcode, which contains the AgentTesla payload, from the following URL.

URL of the shellcode:

https[:]//New-Coder[.]cc/Users/shellcodeAny_20240329011339585[.]bin

Next, the malware starts the execution of the downloaded shellcode using the “EnumSystemLocalesA” API by passing the address of the shellcode to the API as the callback function argument.

Figure 2: Moved shellcode from read-write memory to executable memory and starts its execution

The shellcode parses the PEB and PEB_LDR_DATA to resolve APIs dynamically. It resolves the VirtualAlloc, VirtualFree and RtlExitUserProcess APIs using an API hashing technique.

Next, the shellcode allocates read-write memory using the “VirtualAlloc” API and copies 0x3E3C0 bytes from the shellcode into the allocated memory. These bytes are the encoded AgentTesla payload.

Figure 3: Moved shellcode data in read-write memory and starts decryption routine

As shown in Figure 3 above, the first 4 bytes (a DWORD) are the size of the encoded data, followed by the encoded data itself.

Next, it proceeds to decrypt the payload. The shellcode uses a customized decryption routine that performs single-byte XOR decryption in a loop; each iteration decrypts 0x10 bytes of the payload with a 0x10-byte key. The key changes on every iteration, derived from a combination of XOR and arithmetic operations. It decrypts 0x3E184 bytes of the memory buffer to obtain the final payload.

Figure 4: Single-byte XOR decryption

Next, the shellcode reads the DLL name array, which contains the names of DLLs that are required for the malware to perform its operation. This array is “ole32;oleaut32;wininet;mscoree;shell32”.

The shellcode parses the PEB structure to check for the presence of the above-mentioned DLLs in the loaded modules list and loads the DLL using the “LoadLibraryA” API if they are not present.

Once the required DLLs are loaded into memory, it resolves a few more APIs such as “VirtualProtect”, “SafeArrayCreate”, “CLRCreateInstance” etc., using the API Hashing technique.

AMSI Bypass Using Memory Patching

Next, the shellcode patches the “AmsiScanBuffer” and “AmsiScanString” API, as shown below.

Figure 5: “AmsiScanBuffer” API after patching

Figure 6: “AmsiScanString” API after patching

Disabling Event Tracing (2nd time)

We observed the shellcode patching Event Tracing a second time, possibly to ensure the patch remains in place. It patches the “EtwEventWrite” API with a single byte, “0xCC” (return instruction).
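Both patches above (EtwEventWrite and the two AMSI exports) overwrite the first bytes of an exported function in the process’s own memory, which a defender can check for by comparing the live prologue of each sensitive function against a clean copy. The following Python is an added example and is not from the post: it classifies the difference between a clean and a live prologue and recognises a few common stub and detour shapes, including the single 0xCC byte the post describes. The prologue bytes, the function set and the jmp displacement are constructed for the example.

```python
# Constructed prologue bytes (not from the post): a common x64 function
# prologue (mov [rsp+8],rbx / mov [rsp+10h],rsi / push rdi / sub rsp,20h).
# Real prologues vary by Windows build, so the check compares against a clean
# copy of each function rather than against hard-coded bytes.
CLEAN_PROLOGUE = bytes.fromhex("48895c2408" "4889742410" "57" "4883ec20")

# Constructed "live" views of three functions in one process:
#  - EtwEventWrite overwritten at offset 0 with 0xCC, as the post describes,
#  - AmsiScanBuffer redirected through a jmp rel32 detour (placeholder displacement),
#  - AmsiScanString left untouched.
SAMPLE_PROCESS = {
    "ntdll!EtwEventWrite": (CLEAN_PROLOGUE, b"\xCC" + CLEAN_PROLOGUE[1:]),
    "amsi!AmsiScanBuffer": (CLEAN_PROLOGUE, b"\xE9\x00\x10\x00\x00" + CLEAN_PROLOGUE[5:]),
    "amsi!AmsiScanString": (CLEAN_PROLOGUE, CLEAN_PROLOGUE),
}


def classify_patch(clean, live):
    """Return None if the live bytes match the clean copy, otherwise a
    description: which offsets differ and, when the new first instruction
    is a recognisable stub or detour, what it is."""
    if clean == live:
        return None
    changed = [i for i, (a, b) in enumerate(zip(clean, live)) if a != b]
    if len(clean) != len(live):
        # a length mismatch counts as a change over the uncovered tail
        changed += list(range(min(len(clean), len(live)), max(len(clean), len(live))))
    first = live[:1]
    if first == b"\xC3":
        kind = "stub: ret"
    elif first == b"\xCC":
        kind = "stub: int3 (0xCC)"
    elif live[:3] == b"\x33\xC0\xC3":
        kind = "stub: xor eax,eax; ret"
    elif first == b"\xB8" and live[5:6] == b"\xC3":
        kind = "stub: mov eax,imm32; ret"
    elif first == b"\xE9":
        kind = "detour: jmp rel32"
    elif live[:2] == b"\x48\xB8" and live[10:12] == b"\xFF\xE0":
        kind = "detour: mov rax,imm64; jmp rax"
    else:
        kind = "modified bytes"
    return {"kind": kind, "changed_offsets": changed}


def audit_process(functions):
    """functions: name -> (clean_prologue, live_prologue).
    Returns only the functions whose prologue was altered."""
    findings = {}
    for name, (clean, live) in functions.items():
        result = classify_patch(clean, live)
        if result is not None:
            findings[name] = result
    return findings


if __name__ == "__main__":
    for name, info in audit_process(SAMPLE_PROCESS).items():
        print(f"{name}: {info['kind']} at offsets {info['changed_offsets']}")
```

In a real check the live bytes come from reading the export’s address in the target process, and the clean copy from the DLL image on disk (with relocations applied) or from a trusted baseline captured at boot; the classification logic is the same.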

Next, the shellcode starts CLR hosting.

These are the steps required to perform CLR Hosting, in order:

  • Create a CLR MetaHost instance:

    ICLRMetaHost* pMetaHost = NULL;
    CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)&pMetaHost);

  • Enumerate the installed runtimes:

    IEnumUnknown* installedRuntimes = NULL;
    pMetaHost->EnumerateInstalledRuntimes(&installedRuntimes);

Iterate through the runtimes to locate a specific .NET version installed on the system. Use the “GetVersionString” method of the ICLRRuntimeInfo interface to find the supported .NET Framework version; that version string is then passed to the GetRuntime method.

  • Get RuntimeInfo using “GetRuntime”:

    ICLRRuntimeInfo* runtimeInfo = NULL;
    pMetaHost->GetRuntime(sz_runtimeVersion, IID_ICLRRuntimeInfo, (LPVOID*)&runtimeInfo);

  • Get the ICorRuntimeHost interface:

The ICorRuntimeHost interface allows more control over the managed runtime from native code. It is retrieved using ICLRRuntimeInfo::GetInterface, and the CLR is started with its Start method before it is used.

    ICorRuntimeHost* pCorRuntimeHost = NULL;
    runtimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_ICorRuntimeHost, (LPVOID*)&pCorRuntimeHost);
    pCorRuntimeHost->Start();

  • Retrieve the default AppDomain for the current process:

The ICorRuntimeHost interface allows retrieval of the default AppDomain for the current process.

    IUnknown* appDomainThunk = NULL;
    pCorRuntimeHost->GetDefaultDomain(&appDomainThunk);

    _AppDomain* defaultAppDomain = NULL;
    appDomainThunk->QueryInterface(IID_AppDomain, (void**)&defaultAppDomain);

  • Create a SafeArray:

A SafeArray must be created and the MSIL payload copied into it, because an unmanaged byte array cannot be passed to the “Load_3” method that loads the assembly into the AppDomain.

    SAFEARRAYBOUND bounds[1];
    bounds[0].cElements = sizeof(rawAssemblyByteArray);   // payload length in bytes
    bounds[0].lLbound = 0;

    SAFEARRAY* safeArray = SafeArrayCreate(VT_UI1, 1, bounds);
    SafeArrayLock(safeArray);
    memcpy(safeArray->pvData, rawAssemblyByteArray, sizeof(rawAssemblyByteArray));
    SafeArrayUnlock(safeArray);

  • Load the assembly into the AppDomain:

    _AssemblyPtr managedAssembly = NULL;
    defaultAppDomain->Load_3(safeArray, &managedAssembly);

  • Find the entry point of the loaded assembly:

    _MethodInfoPtr pMethodInfo = NULL;
    managedAssembly->get_EntryPoint(&pMethodInfo);

  • Call the entry point:

    VARIANT retVal;
    VariantInit(&retVal);
    VARIANT obj;
    VariantInit(&obj);   // static entry point, so no instance object is passed
    pMethodInfo->Invoke_3(obj, safeArrayOfArguments, &retVal);

The second parameter of the “Invoke_3” function is the SafeArray pointer to the arguments that will be passed to the MSIL payload.

ShellCode Executing Managed Code from a Native Code Using CLR hosting

Next, the shellcode calls the “CLRCreateInstance” API from mscoree.dll. The CLRCreateInstance API returns the new CLR MetaHost instance which will be used by malware to prepare a runtime so it can execute the MSIL AgentTesla payload in memory.

As seen in Figure 7, multiple GUIDs are used while retrieving the CLR hosting interfaces; for example, to retrieve the “ICorRuntimeHost” interface, the shellcode passes “CLSID_CorRuntimeHost” and “IID_ICorRuntimeHost” as arguments to the “GetInterface” API.

Figure 7: GUID used while CLR hosting

Next, the shellcode retrieves the ICorRuntimeHost interface and starts the CLR.

Figure 8: Call to GetInterface API to retrieve the ICorRuntimeHost interface

Figure 9: Call start method from ICorRuntimeHost interface to start CLR

Next, the shellcode retrieves the default app domain for the current process, as shown below.

Figure 10: Retrieve the default AppDomain for the current process.

Next, the shellcode creates a SafeArray using the “SafeArrayCreate” API, passing the size of the managed code, 0x3CC00, as the element count. This SafeArray holds a pointer to the buffer into which the malware copies the MSIL payload.

Figure 11: Create a SafeArray and copy AgentTesla payload to it

Once the SafeArray is created, it is loaded into the AppDomain with the “Load_3” method, which returns a pointer to an Assembly object.

Figure 12:  Calls “Load_3” method to load the SafeArray into AppDomain

Next, the shellcode zeros out the MSIL payload in the region where it was decrypted, then destroys the SafeArray using the “SafeArrayDestroy” API.

Finally, the shellcode retrieves the entry point for the assembly and calls the “Invoke_3” method to start the 32-bit MSIL AgentTesla process within the context of the 64-bit native process.

Figure 13: Starts the MSIL AgentTesla process

Figure 14: Browser folder enumerated by 64-bit process once the fileless managed code injection has been done

In Figure 14 above, the 64-bit process appears to be enumerating the browser folder; this is the AgentTesla malware, which has started executing within the .NET engine.

SonicWall Protections

SonicWall Capture Labs provides protection against analyzed 64-bit executable (4521162d45efc83fa76c4b5c0d405265) as GAV: MalAgent.QZ (Trojan).

This threat was also detected by SonicWall Capture ATP w/RTDMI.

The initial infection vector which is a Word document file has been detected by SonicWall Capture ATP w/RTDMI.

IOCs

Document file:

MD5 : D99020C900069E737B3F4AB8C6947375

SHA256 : A6562D8F34D4C25A94313EBBED1137514EED90B233A94A9125E087781C733B37

64-bit downloaded executable:

MD5 : 4521162D45EFC83FA76C4B5C0D405265

SHA256 : F00ED06A1D402ECF760EC92F3280EF6C09E76036854ABACADCAC9311706ED97D

Shellcode blob:

MD5 : CD485BF146E942EC6BB51351FA42B1FF

SHA256 : 02C03E2E8CA28849969AE9A8AAA7FDE8A8B918B5A29548840367F3ECAC543E2D

Injected AgentTesla Payload:

MD5 : 6999D02AA08B56EFE8B2DBBD6FDC9A78

SHA256 : 7B6867606027BFCA492F95E2197A3571D3332D59B65E1850CB20AA6854486B41

URLs used by malware:

https[:]//New-Coder[.]cc/Users/signed_20240329011751156[.]exe  (64-bit exe downloaded)

https[:]//New-Coder[.]cc/Users/shellcodeAny_20240329011339585[.]bin (shellcode downloaded)

HydraCrypt Ransomware Targets Brazil and Charges $5,000 for Decryption

Overview

The SonicWall Capture Labs threat research team has recently been tracking ransomware known as HydraCrypt. HydraCrypt originates from the CryptBoss ransomware family and was first seen in early 2016. The sample that we analyzed demands $5,000 in Bitcoin for file retrieval, but no contact information is given to confirm payment or to negotiate a price. This variant of HydraCrypt is aimed at Brazil and claims to have successfully attacked many Brazilian firms.

The malware is written in .NET, so we can see its inner workings after decompilation. It first checks whether an instance of itself is already running by looking for a mutex matching a specific pattern:

After passing the above check, the malware injects itself into svchost.exe and then proceeds to encrypt files:

Files on the system are encrypted, and each encrypted file is given a random four-alphanumeric-character file extension. After file encryption, a file called “read_it.txt” is dropped into directories containing encrypted files. It contains the following message in Portuguese, which is displayed on the desktop using Notepad:

The message roughly translates to:

” … :::: Legal warning :::: …

Due to numerous flaws in the company Infomach, you have suffered this ransomware attack.

We were indignantly indignant to all the customers of this company. For, as a company that supposedly sells security, has no security?

They live deceiving their customers, offering Pentest and delivering vulnerabilities scanner that solves nothing.

And another, besides selling cat by hare, like to entice the guys of IT. Giving goodies, taking to trips, paying dinners lunch anyway. If you are receiving this message, we suggest you look for a new Cyber security company most responsible.

This time our attack was very simple. Next time will lose everything: data, backup, and all your files will be leaked on the internet for everyone to download.

Infomach you are an amateur company that deceives your customers. Her owners is worth nothing. It is very rich selling dreams.

We did our homework, we studied all your steps to many, many years.

The price of the software is $ 5,000. Payment can be made only in bitcoin


Payment Information Amount: 0.08 BTC

Bitcoin Address: BC1QH2K3S6Z32V6787XN2QX4V655ZK5ZADP9ES4DTZ

Other customers who are exposed due to the incompetence of Infomach.

…. ”

A list of targeted directories can be seen in the code:

A list of targeted file extensions is also visible:

The malware takes several measures to disable system recovery:

A JPEG image is embedded in the malware file, base64 encoded:

After being decoded and written to disk, it is set as the desktop wallpaper:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: HydraCrypt.RSM_1(Trojan)


This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Atlassian’s Confluence Server Unauthenticated Remote Code Execution

Overview

The SonicWall Capture Labs threat research team became aware of a noteworthy vulnerability, an unauthenticated template injection, in Atlassian Confluence platforms, assessed its impact and developed mitigation measures for it. Atlassian published an advisory on this vulnerability affecting multiple Confluence Server and Data Center releases. Confluence is a web-based corporate wiki. Atlassian wrote Confluence in the Java programming language, and it is used for collaboration, project management, process and quality management, and knowledge management.

This vulnerability is identified as CVE-2023-22527 and was assigned a critical CVSS score of 10.0. Considering the sizeable user base, low attack complexity and publicly available exploit code, including a Metasploit module, Confluence users are strongly encouraged to upgrade their instances to the latest versions with the utmost priority. According to ShadowServer, around 11,000 Atlassian Confluence instances are publicly exposed, and adversaries are scanning for vulnerable instances.

As per the advisory, the affected Confluence Data Center and Server versions are 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3.

Technical Overview

This vulnerability allows threat actors to circumvent the authentication mechanism by sending a crafted request to the web server.

The primary condition that led to exploiting the vulnerability in Atlassian’s Confluence Server and Data Center is improper user input handling. As a result, attackers can leverage the injection of malicious templates without any authentication, leading to remote code execution. As Confluence is written in Java, OGNL expressions are associated with code. A specially crafted exploit that can inject an arbitrary OGNL object can execute Java code. When the application fails to validate and sanitize user input before using it in OGNL expressions, it may lead to an OGNL injection vulnerability. In OGNL injection attacks, nefarious actors input specially crafted strings containing OGNL expressions into user interfaces or input fields. When the application processes this input without proper validation, the injected OGNL expressions get executed within the application’s context. This can lead to various security issues, including authentication bypass, unauthorized access to sensitive data and remote code execution.

Triggering the Vulnerability

Within the Confluence server, we observed that the actual “views” are rendered from Velocity template files. To trigger the vulnerability, an attacker sends a POST request to “/template/aui/text-inline.vm”; the fact that a .vm file can be requested directly gives an unauthenticated attack surface on the Confluence instance. In this file, findValue evaluates an OGNL expression over a crafted string from $parameters that is not sanitized properly. As seen in Figure 2, the OGNL expression #request['.KEY_velocity.struts2.context'].internalGet('ognl') grants access to the class org.apache.struts2.views.jsp.ui.OgnlTool and calls its Ognl.findValue(String, Object) method. Comparing an unpatched Confluence instance with a patched one shows the .vm file named text-inline.vm; Figure 1 shows its code, which is deprecated in patched versions of Confluence.

Figure 1: text-inline.vm

Attackers can leverage this vm file to create a payload utilizing #parameters which pass arguments to the exec method, bypassing authentication and executing system commands.

Figure 2: CVE-2023-22527 OGNL payload

A crafted POST request sent to unpatched Confluence servers leads to OGNL template injection, which results in arbitrary command execution. By changing the payload parameter value, one can execute different commands remotely.

The attack request has the command id injected into the exec() function, as shown in Figure 3. Once this crafted request is sent, the response from the server includes the user id (uid), group id (gid), and groups from the Confluence server.

Figure 3: CVE-2023-22527 attack request
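The request pattern described above (a POST aimed directly at text-inline.vm, carrying OGNL that reaches the Struts context) is something a defender can look for in proxy or WAF logs. The following is an added example, not code from the post or from Atlassian: it classifies constructed request records and flags the endpoint and the OGNL fragments the post names. The record format, the marker list and the assumption that normal traffic never POSTs directly to a .vm template are all my own; the sample records are constructed, not captured traffic.

```python
from urllib.parse import unquote

# Endpoint the post names as the unauthenticated attack surface.
VULN_TEMPLATE_PATH = "/template/aui/text-inline.vm"

# OGNL fragments taken from the post's description of the payload (Figure 2).
# Illustrative, not a complete signature set; compared after lower-casing so
# case tricks in the expression do not evade the match.
OGNL_MARKERS = (
    "#request[",
    ".key_velocity.struts2.context",
    "internalget(",
    "findvalue(",
    "#parameters",
)


def _fully_unquote(text, rounds=3):
    """URL-decode up to `rounds` times so double-encoded bodies are inspected decoded."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_request(req):
    """Classify one proxy/WAF record of the form {"method", "path", "query", "body"}.

    Returns (severity, reasons):
      "high"   - OGNL markers present in the decoded query string or body
      "medium" - a POST aimed directly at a Velocity template (.vm) under /template/
                 (assumption: normal browser and API traffic never does this)
      "none"   - nothing of interest
    """
    reasons = []
    method = req.get("method", "").upper()
    path = req.get("path", "")
    decoded = _fully_unquote(req.get("query", "") + " " + req.get("body", "")).lower()

    direct_template = path.startswith("/template/") and path.endswith(".vm")
    if path == VULN_TEMPLATE_PATH:
        reasons.append("request to the CVE-2023-22527 endpoint")
    elif direct_template:
        reasons.append("direct request to a Velocity template")

    found = [m for m in OGNL_MARKERS if m in decoded]
    if found:
        reasons.append("OGNL markers: " + ", ".join(found))
        return "high", reasons
    if method == "POST" and direct_template:
        return "medium", reasons
    return "none", []


def scan(records):
    """Return one alert dict per record whose severity is above 'none'."""
    alerts = []
    for rec in records:
        severity, reasons = classify_request(rec)
        if severity != "none":
            alerts.append({"path": rec.get("path"), "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample records (not captured traffic): a benign login page load,
# a POST to the template endpoint with an innocuous body, and a POST whose
# URL-encoded body carries the context-lookup expression the post describes.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/login.action", "query": "", "body": ""},
    {"method": "POST", "path": VULN_TEMPLATE_PATH, "query": "", "body": "label=hello"},
    {"method": "POST", "path": VULN_TEMPLATE_PATH, "query": "",
     "body": "label=%23request%5B%27.KEY_velocity.struts2.context%27%5D.internalGet%28%27ognl%27%29"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

The "medium" tier matters because the endpoint itself is the problem: even a request with no recognisable OGNL in it has no business reaching a .vm file directly, so it is worth a ticket on an unpatched instance regardless of body content.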

Exploiting the Vulnerability

The working PoC is an exploit tool for Confluence servers vulnerable to CVE-2023-22527. It leads to RCE in vulnerable instances of Confluence data centers and servers. Using this, an attacker can execute arbitrary code on a vulnerable instance.

Figure 4: CVE-2023-22527 PoC

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 2366 – Atlassian Confluence Data Center and Server SSTI
  • IPS: 4249 – Atlassian Confluence Data Center and Server SSTI 2

Remediation Recommendations

Considering the severe consequences of this vulnerability and the ongoing trend of unauthenticated threat actors using the exploit in the wild to gain access to Confluence Data Center and Confluence Server, users are strongly encouraged to upgrade their instances as described in the vendor advisory.

Relevant Links

Microsoft Security Bulletin Coverage for April 2024

Overview

Microsoft’s April 2024 Patch Tuesday has 147 vulnerabilities, 68 of which are Remote Code Execution (RCE) vulnerabilities. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for April 2024 and has produced coverage for 8 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE            | CVE Title                                                                                  | Signature
CVE-2024-26158 | Microsoft Install Service Elevation of Privilege Vulnerability                             | ASPY 558 Exploit-exe exe.MP_378
CVE-2024-26209 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability  | ASPY 557 Exploit-exe exe.MP_377
CVE-2024-26211 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability              | ASPY 560 Exploit-exe exe.MP_380
CVE-2024-26212 | DHCP Server Service Denial of Service Vulnerability                                        | ASPY 559 Exploit-exe exe.MP_379
CVE-2024-26218 | Windows Kernel Elevation of Privilege Vulnerability                                        | ASPY 561 Exploit-exe exe.MP_381
CVE-2024-26230 | Windows Telephony Server Elevation of Privilege Vulnerability                              | ASPY 555 Exploit-exe exe.MP_376
CVE-2024-26234 | Proxy Driver Spoofing Vulnerability                                                        | ASPY 554 Exploit-exe exe.MP_375
CVE-2024-26256 | Windows Compressed Folders (zip) Remote Code Execution Vulnerability                       | ASPY 556 Malformed-File zip.MP.2

Release Breakdown

The vulnerabilities can be classified into the following categories:

For April there are 142 Critical, 3 Important and 2 Moderate vulnerabilities.

2024 Patch Tuesday Monthly Comparison

Microsoft tracks vulnerabilities that are being actively exploited at the time of discovery and those that have been disclosed publicly before the Patch Tuesday release for each month. The above chart displays these metrics as seen each month.

Denial of Service Vulnerabilities

CVE-2024-20685 Azure Private 5G Core Denial of Service Vulnerability
CVE-2024-26183 Windows Kerberos Denial of Service Vulnerability
CVE-2024-26212 DHCP Server Service Denial of Service Vulnerability
CVE-2024-26215 DHCP Server Service Denial of Service Vulnerability
CVE-2024-26219 HTTP.sys Denial of Service Vulnerability
CVE-2024-26254 Microsoft Virtual Machine Bus (VMBus) Denial of Service Vulnerability
CVE-2024-29064 Windows Hyper-V Denial of Service Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2024-20693 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-21324 Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVE-2024-21424 Azure Compute Gallery Elevation of Privilege Vulnerability
CVE-2024-21447 Windows Authentication Elevation of Privilege Vulnerability
CVE-2024-26158 Microsoft Install Service Elevation of Privilege Vulnerability
CVE-2024-26211 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
CVE-2024-26213 Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2024-26216 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
CVE-2024-26218 Windows Kernel Elevation of Privilege Vulnerability
CVE-2024-26229 Windows CSC Service Elevation of Privilege Vulnerability
CVE-2024-26230 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-26235 Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-26236 Windows Update Stack Elevation of Privilege Vulnerability
CVE-2024-26237 Windows Defender Credential Guard Elevation of Privilege Vulnerability
CVE-2024-26239 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-26241 Win32k Elevation of Privilege Vulnerability
CVE-2024-26242 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2024-26243 Windows USB Print Driver Elevation of Privilege Vulnerability
CVE-2024-26245 Windows SMB Elevation of Privilege Vulnerability
CVE-2024-26248 Windows Kerberos Elevation of Privilege Vulnerability
CVE-2024-28904 Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2024-28905 Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2024-28907 Microsoft Brokering File System Elevation of Privilege Vulnerability
CVE-2024-28917 Azure Arc-enabled Kubernetes Extension Cluster-Scope Elevation of Privilege Vulnerability
CVE-2024-29052 Windows Storage Elevation of Privilege Vulnerability
CVE-2024-29054 Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVE-2024-29055 Microsoft Defender for IoT Elevation of Privilege Vulnerability
CVE-2024-29056 Windows Authentication Elevation of Privilege Vulnerability
CVE-2024-29989 Azure Monitor Agent Elevation of Privilege Vulnerability
CVE-2024-29990 Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
CVE-2024-29993 Azure CycleCloud Elevation of Privilege Vulnerability

Information Disclosure Vulnerabilities

CVE-2024-26172 Windows DWM Core Library Information Disclosure Vulnerability
CVE-2024-26207 Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-26209 Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
CVE-2024-26217 Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-26220 Windows Mobile Hotspot Information Disclosure Vulnerability
CVE-2024-26226 Windows Distributed File System (DFS) Information Disclosure Vulnerability
CVE-2024-26255 Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-28900 Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-28901 Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-28902 Windows Remote Access Connection Manager Information Disclosure Vulnerability
CVE-2024-29063 Azure AI Search Information Disclosure Vulnerability
CVE-2024-29992 Azure Identity Library for .NET Information Disclosure Vulnerability

Remote Code Execution Vulnerabilities

CVE-2024-20678 Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVE-2024-21322 Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2024-21323 Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2024-21409 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVE-2024-26179 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-26193 Azure Migrate Remote Code Execution Vulnerability
CVE-2024-26195 DHCP Server Service Remote Code Execution Vulnerability
CVE-2024-26200 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-26202 DHCP Server Service Remote Code Execution Vulnerability
CVE-2024-26205 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability
CVE-2024-26208 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVE-2024-26210 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26214 Microsoft WDAC SQL Server ODBC Driver Remote Code Execution Vulnerability
CVE-2024-26221 Windows DNS Server Remote Code Execution Vulnerability
CVE-2024-26222 Windows DNS Server Remote Code Execution Vulnerability
CVE-2024-26223 Windows DNS Server Remote Code Execution Vulnerability
CVE-2024-26224 Windows DNS Server Remote Code Execution Vulnerability
CVE-2024-26227 Windows DNS Server Remote Code Execution Vulnerability
CVE-2024-26231 Windows DNS Server Remote Code Execution Vulnerability
CVE-2024-26232 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVE-2024-26233 Windows DNS Server Remote Code Execution Vulnerability
CVE-2024-26244 Microsoft WDAC OLE DB Provider for SQL Server Remote Code Execution Vulnerability
CVE-2024-26252 Windows rndismp6.sys Remote Code Execution Vulnerability
CVE-2024-26253 Windows rndismp6.sys Remote Code Execution Vulnerability
CVE-2024-26256 libarchive Remote Code Execution Vulnerability
CVE-2024-26257 Microsoft Excel Remote Code Execution Vulnerability
CVE-2024-28906 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28908 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28909 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28910 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28911 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28912 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28913 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28914 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28915 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28926 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28927 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28929 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28930 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28931 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28932 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28933 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28934 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28935 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28936 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28937 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28938 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28939 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28940 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28941 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28942 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28943 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28944 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-28945 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29043 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29044 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29045 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29046 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29047 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29048 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29050 Windows Cryptographic Services Remote Code Execution Vulnerability
CVE-2024-29053 Microsoft Defender for IoT Remote Code Execution Vulnerability
CVE-2024-29066 Windows Distributed File System (DFS) Remote Code Execution Vulnerability
CVE-2024-29982 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29983 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29984 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29985 Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability
CVE-2024-29988 SmartScreen Prompt Security Feature Bypass Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2024-20665 BitLocker Security Feature Bypass Vulnerability
CVE-2024-20669 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-20688 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-20689 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-26168 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-26171 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-26175 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-26180 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-26189 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-26194 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-26228 Windows Cryptographic Services Security Feature Bypass Vulnerability
CVE-2024-26240 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-26250 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28896 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28897 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28898 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28903 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28919 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28920 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28921 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28922 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28923 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28924 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-28925 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-29061 Secure Boot Security Feature Bypass Vulnerability
CVE-2024-29062 Secure Boot Security Feature Bypass Vulnerability

Spoofing Vulnerabilities

CVE-2024-20670 Outlook for Windows Spoofing Vulnerability
CVE-2024-26234 Proxy Driver Spoofing Vulnerability
CVE-2024-26251 Microsoft SharePoint Server Spoofing Vulnerability

Cryptominer Poses as Fake Java Utility

Overview

The SonicWall Capture Labs threat research team analyzed a malware sample purporting to be a Java utility. It arrives as an installer for Java Access Bridge but ultimately installs the popular open-source cryptominer XMRig.

Infection Cycle

The sample arrives as a Windows installer package (msi) file using the following file name:

  • JavaAccessBridge-64.msi

Figure 1: Malware installer’s file properties showing Java Access Bridge

Upon execution, a typical installation window pops up.

Figure 2: Fake Java Access Bridge installation window

Meanwhile, the following files are created in these directories:

  • /User/Public/Music/ContentStore.bat
  • /User/Public/Music/DMIDD11.tmp (certificate file)
  • /User/Public/Music/DMIDD12.tmp (certificate file)
  • /User/Public/Music/DMIDD13.tmp (certificate file)
  • /User/Public/Music/DMIDD14.tmp (certificate file)
  • /User/Public/Videos/JavaAccessBridge-64.exe (main XMRig executable)
  • /User/Public/Videos/config.json (miner config file)
  • /User/Public/Videos/WinRing0x64.sys (WinRing0 driver file used by XMRig)

The Windows command prompt utility is then spawned to execute the batch file named ContentStore.bat, which runs the commands seen in the screenshot below.

Figure 3: Contents of the batch file ContentStore.bat

The .tmp files created are all certificate files as shown in the screenshot below.

Figure 4: DMIDD14.tmp contains a certificate

The main cryptominer file is then executed via the command line.

Figure 5: Initial execution of JavaAccessBridge-64.exe via the command line.

XMRig is run using the configuration in the config.json file.

Figure 6: Configuration in the config.json file

Figure 7: XMRig window running in the background
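The dropped artifacts listed above give an endpoint team something concrete to hunt for. The following is an added example, not code from the post: it matches constructed file-creation and driver-load telemetry against the file names the post lists and adds a content check for an XMRig-style config.json. The telemetry record format is my own, the Windows paths assume the post's "/User/Public/..." entries correspond to C:\Users\Public\..., and the config heuristic relies on XMRig's documented "pools"/"url" layout rather than on anything shown in the post's screenshots.

```python
import json

# Artifacts listed in the post, keyed by the path tail they would have under
# C:\Users\Public (assumption: the post's "/User/Public/..." means that folder).
# Matching is on the tail, case-insensitively, after normalising separators,
# so a copy dropped under a different drive letter is still caught.
ARTIFACT_TAILS = {
    "public/music/contentstore.bat": "launcher batch file",
    "public/videos/javaaccessbridge-64.exe": "XMRig executable",
    "public/videos/config.json": "XMRig miner config",
    "public/videos/winring0x64.sys": "WinRing0 driver dropped by installer",
}

# The WinRing0 driver XMRig uses is worth flagging wherever it is loaded from.
SUSPECT_DRIVERS = {"winring0x64.sys"}


def _norm(path):
    """Normalise a Windows path for comparison: forward slashes, lower case."""
    return path.replace("\\", "/").lower()


def match_file_event(path):
    """Return the indicator label for a created file path, or None."""
    norm = _norm(path)
    for tail, label in ARTIFACT_TAILS.items():
        if norm.endswith(tail):
            return label
    return None


def looks_like_xmrig_config(text):
    """Heuristic for XMRig's config.json: a top-level "pools" list whose entries
    carry a "url" (XMRig's documented layout; assumption, not from the post)."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return False
    pools = cfg.get("pools") if isinstance(cfg, dict) else None
    return bool(pools) and all(isinstance(p, dict) and "url" in p for p in pools)


def hunt(events):
    """events: constructed endpoint telemetry records {"type", "path", "content"?}.
    Returns a list of (path, finding) tuples."""
    findings = []
    for ev in events:
        path = ev.get("path", "")
        if ev.get("type") == "FileCreate":
            label = match_file_event(path)
            if label:
                findings.append((path, label))
            # Content check is path-independent: a renamed or relocated miner
            # config still carries the pool list.
            if _norm(path).endswith(".json") and looks_like_xmrig_config(ev.get("content", "")):
                findings.append((path, "content matches XMRig pool config"))
        elif ev.get("type") == "DriverLoad":
            if _norm(path).rsplit("/", 1)[-1] in SUSPECT_DRIVERS:
                findings.append((path, "WinRing0 driver load"))
    return findings


# Constructed telemetry, not a capture from the analysed sample.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "path": r"C:\Users\Public\Music\ContentStore.bat"},
    {"type": "FileCreate", "path": r"C:\Users\Public\Videos\JavaAccessBridge-64.exe"},
    {"type": "FileCreate", "path": r"C:\Users\Public\Videos\config.json",
     "content": '{"pools": [{"url": "pool.example.invalid:3333", "user": "WALLET_PLACEHOLDER"}]}'},
    {"type": "FileCreate", "path": r"C:\Users\Alice\Documents\notes.txt"},
    {"type": "DriverLoad", "path": r"C:\Windows\Temp\WinRing0x64.sys"},
]

if __name__ == "__main__":
    for path, finding in hunt(SAMPLE_EVENTS):
        print(f"{finding}: {path}")
```

The driver-load check is the durable part: file names and drop folders change between campaigns, but a signed-but-abused driver such as WinRing0 being loaded from a user-writable location is a strong signal on its own.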

We urge our users to only use official and reputable websites as their source for software downloads. Always be vigilant and cautious when installing software programs – particularly if you are not certain of the source.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Malagent.JAV (Trojan)
  • GAV: XMRig.XMR_4 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and Capture Client endpoint solutions.

Multiple Remote Code Execution Vulnerabilities in JumpServer

Overview

The SonicWall Capture Labs threat research team became aware of a pair of remote code execution vulnerabilities in JumpServer, assessed their impact and developed mitigation measures. JumpServer is an open-source bastion host and a professional operation and maintenance security audit system with a substantial presence in the China region. A bastion host, named after a military fortification, is a specialized computer that is intentionally exposed on a public network and designed to withstand attacks.

Identified as CVE-2024-29201 and CVE-2024-29202, JumpServer before version 3.10.7 allows low-privileged threat actors to execute arbitrary code within the Celery container with root privileges, earning a critical CVSS score of 9.9.

Technical Overview

CVE-2024-29201

This vulnerability arises from a flaw in the input validation mechanism of JumpServer’s Ansible integration (Ansible is an IT automation engine), which allows a threat actor with a low-privileged user account to execute arbitrary code as the root user within one of its containers, named ‘jms_celery’.

JumpServer enforces a mechanism that disallows a set of unsafe keywords to prevent users from running local injection commands while running a playbook job, as seen in Figure 1 (left). However, it can be circumvented by using the Unicode escape of a character in place of the character itself, for instance ‘\u0064’ instead of ‘d’. Figure 1 (right) illustrates an example of a malicious template that could exploit this vulnerability by running the command specified in the ‘shell’ field. It can be used to create a playbook job and then run that job to execute the specified command.

Figure 1: The set of defined unsafe keywords (left) and the playbook template to bypass validation (right).
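The bypass above works because the keyword filter inspects the raw playbook text while the YAML parser decodes escapes such as \u0064 inside double-quoted scalars, so the two see different strings. The following is an added example, not JumpServer's code: it places a weak substring check beside a hardened one that decodes escapes and collapses whitespace before matching. The keyword list is a constructed stand-in (the post shows the real list only as a screenshot), and the sample playbooks are constructed.

```python
import re

# Constructed stand-in for the unsafe-keyword list; the post shows the real
# list only in Figure 1 (left). Matched after lower-casing and whitespace
# collapsing so "connection:   LOCAL" does not slip through.
UNSAFE_KEYWORDS = (
    "local_action",
    "delegate_to",
    "connection: local",
    "hosts: localhost",
)

# \uXXXX, \UXXXXXXXX and \xXX escapes. YAML decodes these inside double-quoted
# scalars, so a check on the raw text never sees the decoded keyword.
_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\U([0-9a-fA-F]{8})|\\x([0-9a-fA-F]{2})")


def _escape_to_char(match):
    code = int(match.group(1) or match.group(2) or match.group(3), 16)
    # Leave an out-of-range \U escape untouched rather than raising.
    return chr(code) if code <= 0x10FFFF else match.group(0)


def decode_escapes(text):
    """Replace backslash escapes with the characters they denote."""
    return _ESCAPE.sub(_escape_to_char, text)


def normalise(text, rounds=5):
    """Decode escapes until stable (bounded, so nested escapes cannot loop
    forever), then collapse whitespace and lower-case."""
    for _ in range(rounds):
        decoded = decode_escapes(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", text).lower()


def weak_check(playbook_text):
    """Substring match on the raw text: the behaviour the post's bypass defeats."""
    lower = playbook_text.lower()
    return [k for k in UNSAFE_KEYWORDS if k in lower]


def hardened_check(playbook_text):
    """Match on the form the YAML/Ansible parser will actually see."""
    norm = normalise(playbook_text)
    return [k for k in UNSAFE_KEYWORDS if k in norm]


# Constructed playbooks (not the post's template). The second hides the key
# "delegate_to" behind a \u escape inside a double-quoted YAML scalar.
BENIGN_PLAYBOOK = (
    "- hosts: all\n"
    "  tasks:\n"
    "    - name: report uptime\n"
    "      shell: uptime\n"
)
EVASIVE_PLAYBOOK = (
    "- hosts: all\n"
    "  tasks:\n"
    "    - name: report uptime\n"
    "      shell: uptime\n"
    '      "\\u0064elegate_to": localhost\n'
)

if __name__ == "__main__":
    print("weak:", weak_check(EVASIVE_PLAYBOOK))
    print("hardened:", hardened_check(EVASIVE_PLAYBOOK))
```

Decoding escapes closes the gap the post describes, but the sound fix is to validate the parsed playbook structure (the keys and values Ansible will act on) rather than any textual form of it, because any normalisation step that the validator and the parser do not share is a future bypass.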

CVE-2024-29202

This vulnerability allows a threat actor with a low-privileged user account to inject a malicious Jinja2 template into JumpServer’s Ansible integration, leading to the execution of arbitrary code within the ‘jms_celery’ container with root privileges. The malicious template, as seen in Figure 2, can be used to create a playbook job and then run it to execute the desired command.

Figure 2: Malicious jinja2 template

Triggering the Vulnerability

Leveraging the vulnerabilities mentioned above requires the attacker to meet the following prerequisites:

  • The attacker must have network access to the target vulnerable system along with the low-privileged user account.
  • The attacker must have permission to access at least a single valid asset.
  • A playbook needs to be fabricated using any of the above templates from the ‘Job > Template > Playbook manage’ section.
  • A playbook job needs to be created from the ‘Job > Job list’ section, leveraging the playbook created in the previous step.
  • The created job needs to be run.

Exploitation

While the steps to trigger the vulnerability look tricky, exploitation is straightforward. Since the Celery container runs with root privileges, it gives the threat actor database access and access to sensitive information across all managed assets, such as hosts, devices, databases, cloud services, web and GPT. Additionally, considering the crucial function of the jump host, this can lead to the exposure and compromise of the private network. Achieving remote code execution by leveraging the discussed vulnerabilities is demonstrated in the video below.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS: 19849 JumpServer Ansible Playbook Input Validation Bypass
  • IPS: 19850 JumpServer Ansible Playbook Jinja2 Template Injection

Remediation Recommendations

Considering the pivotal position of a bastion host on a network, JumpServer users are strongly encouraged to upgrade their instances to the latest version (v3.10.7). If one cannot upgrade immediately, then the feature ‘Operation Center’ can be disabled temporarily by visiting System Settings > Features > Task Center.

Relevant Links