Posts

Ivanti Server-Side Request Forgery to Auth-Bypass

/0 Comments/in /by

Overview

Ivanti disclosed a couple more vulnerabilities — server-side request forgery (CVE-2024-21893) and a privilege escalation (CVE-2024-21888) vulnerability. This disclosure comes only a few weeks after confirming an exploit chain impacting Ivanti Connect Secure and Ivanti Policy Secure.  Ivanti has acknowledged that CVE-2024-21893 has impacted certain customers in targeted instances.

The SonicWall Capture Labs threat research team became aware of a server-side request forgery (SSRF) in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways affecting all supported versions, including 9.x and 22.x. We assessed its impact and developed mitigation measures for the vulnerability. Since the previously disclosed vulnerabilities (CVE-2023-46805 and CVE-2024-21887) are already being exploited in the wild and under the scrutiny of threat actors, this SSRF vulnerability – a bypass to the previous mitigation – demands immediate action by upgrading the instances to the latest versions. The official patches have been released by Ivanti for all the vulnerabilities.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-21893.

The CVSS score is 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is low.
• Impact of this vulnerability on data availability is none.

Technical Overview

This vulnerability, an SSRF in the Security Assertion Markup Language (SAML) component of Ivanti products, is essentially a bypass of the mitigation for the original exploit chain. The threat actors can leverage CVE-2024-21893 to execute the original exploit chain involving CVE-2023-46805 and CVE-2024-21887 by circumventing the fix.

To understand the root cause, it is important to check the SAML endpoints, which do not require authentication as the vulnerability details indicate the privilege requirement is none. It is worth noting that the endpoint /dana-ws/saml20.ws can be accessed without authentication by examining the web server code provided by rapid7 as seen in Figure 1.

Figure 1: Web Server Code indicating unauthenticated endpoints, source: rapid7

Another piece of code, as seen in Figure 2, defining the function doDispatchRequest reveals that the unauthenticated http POST request targeting SAML endpoints /dana-ws/saml.ws, /dana-ws/saml20.ws, and /dana-ws/samlecp.ws are being sent to a service saml-server by doDispatchRequest. This request contains SOAP-based SAML components which are processed by saml-server and further transformed into an XML object by the function SoapHandler. Interestingly, the XML processing is being carried out by an outdated version 3.0.2 of external library called xmltooling, which in this context is vulnerable to the SSRF via a crafted KeyInfo element as mentioned in the CVE-2023-36661 description. This flaw can be leveraged to post an unauthenticated HTTP request containing malformed XML data to exploit underlying SSRF vulnerability in xmltooling as a means to circumvent the mitigation.

Figure 2: Code to process SAML requests, source: rapid7

Triggering the Vulnerability

Triggering this SSRF vulnerability requires a SOAP envelope to be sent to a SAML endpoint, preferably /dana-ws/saml20.ws which does not need authentication. The envelope includes a signature element which will be processed by the vulnerable xmltooling library. Furthermore, the signature contains a KeyInfo element, which can be exploited to SSRF according to an advisory published by the vendor Shibboleth. Additionally, the child element RetrievalMethod of KeyInfo let us access a remote resource using an HTTP GET request by specifying a URI in an attribute called URI, allowing a threat actor to insert an attack vector to exploit SSRF. For instance, the sample request in Figure 3 below can be used to send a request on behalf of the appliance.

Figure 3: Sample request to trigger SSRF

Exploitation

The HTTP request illustrated in Figure 3 can be converted into the pre-auth RCE by leveraging the command injection vulnerability (CVE-2024-21887) from the original exploit chain. The endpoint /api/v1/license/keys-status is one of the vulnerable endpoints which allows an attacker to inject commands using a simple GET request as illustrated in our previous blog post. Since the request is going to be originated from the same appliance, we can use localhost as a target IP to avoid the need for authentication. The plain request will look like the request below to yield a reverse shell back to an attacker’s machine.

Figure 4: Request

The above line needs to be URI decoded to get processed by the web server and replaced with the “Target URI” in the request shown in Figure 3, making the final request with the RCE payload look like  Figure 5 below.

Figure 5: Request to trigger RCE using SSRF

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4266 Ivanti Connect Secure Server-Side Request Forgery
  • IPS:4268 Ivanti Connect Secure Server-Side Request Forgery 2

Remediation Recommendations

Considering the severe consequences of this vulnerability, the users of affected products are strongly encouraged to apply the patches as published in the vendor advisory.

Relevant Links

Jenkins CLI Data Leak Vulnerability

/0 Comments/in /by

Overview

The SonicWall Capture Labs threat research team became aware of the Jenkins CLI (command-line-interface) arbitrary file read vulnerability, assessed its impact and developed mitigation measures for the vulnerability.

Jenkins is a Java-based automation tool that facilitates continuous integration/continuous delivery and deployment (CI/CD). Recently, an arbitrary file read vulnerability has been identified in Jenkins, specifically affecting its command-line interface (CLI). The flaw arises due to a feature in the Jenkins CLI command parser that improperly handles the ‘@’ character followed by a file path in an argument, resulting in disclosing the first few lines of the file. Consequently, a remote attacker without any privileges could potentially exploit this vulnerability by crafting a command that takes an arbitrary number of arguments and displays these back to the user. If exploited successfully, this vulnerability could grant the attacker unauthenticated access with no permissions (i.e. the default Jenkins install) and can leak the first couple of lines of arbitrary text files on a vulnerable Jenkins server.

Product Versions Impacted

  • Jenkins versions 2.441 and below
  • LTS 2.426.3 and below

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system, explicitly identified as CVE-2023-23897.

As per NIST NVD CVE, CVE-2023-23897 is still undergoing analysis and therefore there has been no defined CVSS score for this vulnerability as of yet. Although, based on the proof of concept (PoC), some references could be made. It has a network-based attack vector, meaning the vulnerability can be exploited remotely, and its attack complexity is low, suggesting minimal effort is required for exploitation. It necessitates no special privileges, increasing its potential reach, and it doesn’t require user interaction, enhancing its stealth and potential for unnoticed exploitation.

Technical Overview

A severe flaw highlighted as an arbitrary file read vulnerability has been reported in Jenkins instances, attributed to how Jenkins CLI uses the args4j library to parse command arguments and options. args4j is a small Java class library that makes it easy to parse command line options/arguments in your CUI application. The CLI is enabled by default in all possible Jenkins deployments. Jenkins is widely deployed, with tens of thousands of public-facing installs, and the Jenkins advisory was clear that this vulnerability could lead to remote code execution. When a user supplies certain arguments to the CLI of the vulnerable Jenkins servers, it misinterprets those arguments, specifically those starting with ’@’,  and in the resulting output, some lines of the file are echo’d back as part of error messages. This leads to a data leak vulnerability from arbitrary file read to remote code execution on the Jenkins controller file system using the default character encoding of the Jenkins controller process. Surprisingly, attackers without Overall/Read permission can read the first few lines of files and those with full permissions can read entire files. The number of lines that can be read depends on available CLI commands.

This data leak vulnerability could also be used to read binary files with cryptographic keys. There are various Jenkins features such as the “Remember me” cookie, build logs and resource root URLs that may lead to remote code execution by exploiting this vulnerability.

Some Jenkins’ features make this vulnerability easier to exploit. As shown in the figure below, the “Allow users to sign up” option allows anyone with access to the Jenkins server to self-register an account. And the “Allow anonymous read access” option gives any random user the Overall/Read permission.

Figure 1: Jenkins Controller File System Security Permissions

Exploitation with CVE-2024-23897

Args4j is a Java class library that makes it easy to parse command line options/arguments in CLI applications using annotations, and it generates usage text easily. The command line interface can be accessed over SSH or with the Jenkins CLI client – a .jar file distributed with Jenkins. In the patched Jenkins version, this SSH service is disabled by default and requires added authentication to get read permissions from the administrator.

While exploiting this vulnerability, the crucial part is to know the version of the live Jenkins instance. A simple curl request to a Jenkins deployment readily discloses its version in a header named “X-Jenkins”. This makes it easy to determine whether the Jenkins server is susceptible to this specific vulnerability.

Figure 2: A simple curl request to Jenkins Server

In the vulnerable Jenkins versions, an unauthenticated user is allowed to read a few lines (three lines) that do not have Overall/Read permissions at all. Even with this limitation, an attacker can achieve remote code execution and can decrypt secret keys. Using a specific command with “jenkins-cli.jar”, an unauthenticated attacker can disclose sensitive information. Here are a few examples:

Figure 3: Examples

Figure 4: Exploiting CVE-2024-23897

PoCs have been made public and could be readily used by attackers to leverage vulnerable Jenkins servers. Multiple reports suggest that Jenkins is being exploited in the wild.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4251 Jenkins CLI Arbitrary File Read

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability
  • Utilizing up-to-date IPS signatures to filter network traffic
  • Configuring the vulnerable product to allow access to trusted clients only

According to the Jenkins advisory, Jenkins 2.442, LTS 2.426.3 disables the command parser feature that replaces an ‘@’ character followed by a file path in an argument with the file’s contents for CLI commands. In another workaround, Jenkins suggests restricting access to CLI until the patch is applied to live instances.

Relevant Links

Vendor Advisory

NIST NVD CVE

SECURITY-3314-3315

Packetstrom Security

Github

Medium

Blackwood APT Group Has a New DLL Loader

/0 Comments/in /by

Overview

This week, the SonicWall Capture Labs threat research team analyzed a sample tied to the Blackwood APT group. This is a DLL that, when loaded onto a victim’s computer, will escalate privileges and attempt to install a backdoor for communications monitoring and diversion. It has evasive capabilities and, as of this writing, is targeting companies and individuals in Japan and China.

Technical Overview

The sample is detected as a 32-bit DLL (Figure 1) with no packer or protector. It has minimal strings and no obvious obfuscation or encryption.

Figure 1: Sample detection

Strings show several API calls of concern, including GetCurrentProcessID, OpenProcess and VirtualAlloc – all of which are used to load malicious DLLs into memory. There are also two files listed: ‘333333333333333.txt’ and ‘Update.ini’, as shown in Figure 2.

Figure 2: Static string detection

The name of the file is shown as ‘agent.dll’ (Figure 3) and there is one anonymous export that is only shown as an ordinal value when looking at the file with multiple tools.

Figure 3: Original name and anonymous export

When dynamically analyzing the sample, it has multiple anti-analysis capabilities that prevent most of its function from being observed. It will look for debuggers, processor features and security settings in the registry (Figure 3). There are also locale checks that, when failed, will kill the process.

Figure 4: WMI registry keys being queried for security checks

The anonymous export at address 0x10001A70 is the file calling ‘Rundll32.exe’ for process injection, as shown in Figure 5.

Figure 5: Export address calls sub_10001990, which creates ‘rundll32.exe’

Controlling the program’s execution allows the check for a UAC bypass to be generated. The DLL will attempt to escalate privileges via CMSTPLUA interface[1]. The following strings are created, as shown in Figures 5 and 6:

  • Elevation:Administrator!new:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
  • Elevation:Administrator!new:{F885120E-3789-4FD9-865E-DC9B4A6412D2}

[1] https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d

Figures 6 (top) and 7 (bottom): A function creates GUIDs for privilege escalation

The two files that are listed within the strings are also referenced during runtime (Figure 7), but despite multiple attempts at controlling execution, the files were not observed on test systems.

Figure 8: Update.ini is referenced but never created

Protection

To ensure SonicWall customers are prepared for any exposure that may occur due to this malware, the following signatures have been released:

  • MalAgent.Blackwood

IOCs

  • 72B81424D6235F17B3FC393958481E0316C63CA7AB9907914B5A737BA1AD2374

Ivanti Authentication Bypass Vulnerability

/0 Comments/in /by

Overview

The SonicWall Capture Labs threat research team became aware of the Ivanti Connect Secure and Policy Secure Gateway authentication bypass vulnerability, assessed its impact and developed mitigation measures for the vulnerability.

Ivanti Connect Secure, formerly known as Pulse Connect Secure, is an SSL VPN (Virtual Private Network) solution designed to enable remote and mobile users to access corporate networks securely from any web-enabled device. Recently, an authentication bypass vulnerability has been identified in both Ivanti Connect Secure and Ivanti Policy Secure Gateways. This security flaw arises from insufficient validation of HTTP request paths within the software. Consequently, a remote attacker could potentially exploit this vulnerability by crafting a malicious HTTP request directed at the target server. If exploited successfully, this vulnerability could grant the attacker unauthenticated access to otherwise secure, authenticated web endpoints, posing a significant security risk to affected systems.

Product Versions Impacted

The list below concisely summarizes the Common Platform Enumeration (CPE) entries for Ivanti’s Connect Secure and Policy Secure products. It encompasses a range of versions and revisions, highlighting the extensive variety within the product lineup. The versions impacted are as follows:

  • Ivanti Connect Secure:
    • Version 9.0: Base, – , r1 – r6, r2.1, r3 – r3.5, r4 – r4.1, r5.0, r6.0
    • Version 9.1: r1, r10 – r11.5, r12 – r12.1, r13 – r13.1, r14, r15 – r15.2, r16 – r16.1, r17 – r17.1, r18, r2 – r4.3, r5 – r9.1
    • Version 22.1: r1, r6
    • Version 22.2: -, r1
    • Version 22.3: r1
    • Version 22.4: r1, r2.1
    • Version 22.5: r2.1
    • Version 22.6: -, r1, r2
  • Ivanti Policy Secure:
    • Version 9.0: Base, – , r1 – r4
    • Version 9.1: r1, r10 – r11, r12 – r13.1, r14, r15 – r16, r17 – r18, r2 – r4.2, r5 – r9.1
    • Version 22.1: r1, r6
    • Version 22.2: r1, r3
    • Version 22.3: r1, r3
    • Version 22.4: r1, r2, r2.1
    • Version 22.5: r1, r2.1
    • Version 22.6: r1

Each entry is formatted as “Version: Revision(s)”, where “-” indicates the base version and specific revisions are listed thereafter.

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system, explicitly identified as CVE-2023-46805 and CVE-2024-21887.

CVE-2023-46805 carries an overall CVSS score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting its high severity. The score’s detailed composition indicates the vulnerability’s attributes and potential repercussions. It has a network-based attack vector, meaning the vulnerability can be exploited remotely, and its attack complexity is low, suggesting minimal effort is required for exploitation. It necessitates no special privileges, increasing its potential reach, and it doesn’t require user interaction, enhancing its stealth and potential for unnoticed exploitation. Although the scope of the attack is unchanged, the vulnerability critically endangers data confidentiality, implying a significant risk of sensitive data exposure. However, its impact on data integrity is low, and it does not affect data availability, suggesting that unauthorized data disclosure is more likely than data alteration or service disruption.

Contrastingly, CVE-2024-21887 presents an even more critical threat, evidenced by its CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). While this vulnerability shares certain characteristics with CVE-2023-46805 — such as a network-based attack vector and low attack complexity — it differs notably in its requirement for high privileges, indicating it affects more protected or sensitive areas. Like its counterpart, it operates covertly without user interaction. However, this vulnerability’s scope is classified as changed, hinting at a broader, more systemic impact. Its high ratings across confidentiality, integrity and availability underscore its potential for extensive harm, allowing attackers not only to access and modify sensitive data but also to significantly disrupt dependent services or applications.

Technical Overview

An alarming authentication bypass vulnerability has been reported in Ivanti Connect Secure, attributed to superficial access checks on the unnormalized Request-URI in the web process. This flaw is notably present in Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure, where a specifically crafted request with a Request-URI beginning with vulnerable paths such as “/api/v1/totp/user-backup-code/” or “/api/v1/cav/” can evade standard authentication protocols. This vulnerability arises due to the web process’s reliance on a vulnerable function that conducts basic string comparisons against predefined prefixes, allowing requests that match these paths to bypass authentication checks. The exploit hinges on manipulating the Request-URI, incorporating parent reference segments (e.g., “../”) to pivot to endpoints normally safeguarded by authentication. However, the exploit’s scope is somewhat contained due to session checks and the limited distribution of the REST API, restricting accessible endpoints to those managed by the receiving WSGI (Web Server Gateway Interface) process.

Further probing into the system’s architecture revealed a critical loophole in a custom web server developed in C++, integral to managing all incoming HTTPS requests and closely associated with Perl-based CGI scripts and the REST API. Situated within the system’s binary structure at ics_disk1/root/home/bin/web, this server serves not only as a gateway for HTTPS requests but also plays a pivotal role in the REST API’s functionality. Acting as a proxy, the server directs requests to the API as necessary, focusing heavily on authentication enforcement. However, the authentication mechanism is compromised by the server’s flawed URI processing method, which employs a strncmp function for path validation. This function’s limitation to checking only a set number of initial characters in the path creates a significant security gap. By crafting a path (see Figure 1) that initiates with a vulnerable endpoint and appending additional characters, attackers can navigate around the authentication, gaining unauthorized access to sensitive resources and functions within the system. This discovery underscores the urgency for a comprehensive overhaul of the security measures, particularly the methods for URI path validation and processing.

Figure 1: Example GET Request Path

Triggering the Vulnerability

The vulnerability in Ivanti Connect Secure related to authentication bypass can be triggered under certain conditions. Here are four key scenarios or factors that can lead to the exploitation of this vulnerability:

  • Unnormalized Request-URIs: The vulnerability is exploited by sending a request with a Request-URI that starts with specific paths and has not been normalized, allowing the attacker to circumvent the expected URL structure and access controls.
  • Prefix Matching in URL Paths: The web process performs shallow checks by comparing the raw Request-URI against a list of vulnerable prefixes. If the Request-URI matches one of the known vulnerable paths, such as “/api/v1/totp/user-backup-code/” or “/api/v1/cav/”, the request is allowed to pass through without proper authentication.
  • Use of Directory Traversal Techniques: The attacker can employ directory traversal techniques using “../” notation in the Request-URI. This allows the attacker to pivot from the allowed prefix to another endpoint that normally requires authentication, effectively bypassing the access control checks.
  • Limited Endpoint Scope Due to Distributed REST API: While the vulnerability allows pivoting to different endpoints, the scope of accessible endpoints is limited to those implemented by the receiving WSGI process. However, this still poses a significant risk as it exposes certain endpoints of the REST API to unauthenticated access.

Exploitation with CVE-2024-21887

Developed with Flask, a Python-based, lightweight, and flexible web framework, a Flask application simplifies starting and scales up to complex commercial sites, providing an array of tools, libraries, and technologies. Despite its benefits, Flask applications can exhibit vulnerabilities, such as the command injection flaw in the License class of restservice/api/resources/license.py which manages requests for the /api/v1/license/keys-status endpoint. This vulnerability arises from the get method’s improper concatenation of command strings, especially when handling the node_name parameter, enabling attackers to execute arbitrary commands via subprocess.Popen.

Leveraging Flask’s automatic mapping of URL endpoints to function parameters, attackers can send crafted GET requests to redirect to vulnerable endpoints with command injection payloads, with URL encoding complicating the attack by allowing the transmission of intricate payloads. Although these vulnerabilities present substantial security risks, it is notable that vendor-supplied mitigations effectively counteract these exploits. Notably, this vulnerability allows attackers to achieve unauthenticated command injection by sending a GET request to the following URI path where CMD is any arbitrary Linux OS (Operating System) command, presenting a significant security concern.

Figure 2: URI path

Figure 3: Python Source Code for Arbitrary Linux OS Reverse Shell

Given the scenario of exploiting a command injection vulnerability (Figure 5) at the endpoint seen in Figure 4.

Figure 4: Endpoint

Figure 5: Reverse Shell URI Path

This one-liner Python command (Figure 5) is crafted to establish a reverse shell from the target server to the attacker’s machine. This command, when appended to the vulnerable endpoint, would be executed on the server due to the vulnerability. The Python script, starting with a semicolon to signify the end of a previous command, is a compact and potent snippet designed to create a socket connection back to the attacker’s machine (at IP address 192.168.2.200 and port 5555).

Once the connection is established, it spawns a shell and redirects the shell’s standard input, output and error streams to the socket, effectively tying the shell to the attacker’s console.

This provides the attacker with interactive control over the shell on the target machine. However, for this command to be successfully processed and interpreted by the web server and not get blocked by URL parsing mechanisms, it must be URL-encoded before being sent in the GET request to the vulnerable endpoint. URL encoding transforms potentially unsafe ASCII characters into a format that can be transmitted over the internet, ensuring the payload is delivered intact to the server for execution

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4234 Ivanti Connect Secure Authentication Bypass
  • IPS:19611 Ivanti Connect Secure Command Injection 1
  • IPS:19612 Ivanti Connect Secure Command Injection 2

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Utilizing up to date IPS signatures to filter network traffic.
  • Configure the vulnerable product to allow access to trusted clients only.

Relevant Links

Vendor Advisory

NIST NVD CVE

Packetstrom Security

CWE-287

Related KB Article

NIST CVSS Calculator Score

Python Reverse Shells

GitLab Account Takeover

/0 Comments/in /by

Overview

The SonicWall Capture Labs threat research team became aware of an account takeover via password reset vulnerability in GitLab, assessed its impact and developed mitigation measures for the vulnerability. GitLab, an open-source code-sharing platform, published an advisory on this vulnerability affecting GitLab CE/EE versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. Considering the substantial user base as well as the existence of public POC, not only it is expected to be exploited in the wild, but it will also presumably join CISA’s Known Exploited Vulnerabilities (KEV) catalog. Because of this, GitLab users are strongly encouraged to upgrade their instances to the latest versions as applicable.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-7028.

The CVSS score is 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is changed.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.

Technical Overview

This vulnerability was introduced in version 16.1.0 when the enhancement in the password reset function was made that enabled users to reset their password using a secondary email address. The flaw in the implementation of this process lets the threat actors abuse the password reset functionality and deceive the application into sending the reset link to the attacker-controlled email address by leveraging the parameter pollution technique.

To remediate the issue, new versions are being released with a patch (as seen in the commit) that enforces the password reset instructions to be sent to the users’ secondary email only if it’s confirmed, unlike previous versions. The password reset page of the patched version of GitLab reflects the same message as well, as seen in Figure 1.

Figure 1: Reset password instructions in vulnerable vs patched version

Triggering the Vulnerability

The only prerequisite for this attack is that the threat actor knows the victim’s email address. Combine that with the low attack complexity, and that makes exploitation of this vulnerability very straightforward. Additionally, the attackers can make use of ‘admin@example.com’, which is the default registered email address for the user ‘root’, to gain the highest privilege available – provided the user has not deleted the pre-registered email. The attacker then needs to construct the post request using the legitimate email address of the victim and their own email address to receive a password reset link. The sample URL-decoded request data would look like this:

Figure 2: Sample URL

Exploitation

The malformed password reset request, as demonstrated in Figure 3, needs to be sent to acquire the password-reset link of the victim account to the attacker-controlled unverified mailbox which yields an attacker access to the victim account by resetting the password.

Figure 3: Sample attack request

Two-factor authentication (2FA) can lessen the risk to an extent by denying the threat actor account access, but the underlying risk of the password being reset by an unauthorized user will still be present.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4229 GitLab Password Reset Attempt Using Multiple Email IDs
  • IPS:4231 GitLab Password Reset Attempt Using Multiple Email IDs 2

Indicators of Compromise (IOC)

As mentioned in the vendor advisory, the users can access the following logs to check the potential attempts to exploit this vulnerability:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with value.email consisting of a JSON array with multiple email addresses as shown in below sample:{“method”:”POST”,”path”:”/users/password”,”format”:”html”,”controller”:”PasswordsController”,”action”:”create”,”status”:302,”location”:”http://gitlab.sw.local/users/sign_in”,”time”:”2024-01-16T09:53:16.121Z”,”params”:[{“key”:”authenticity_token”,”value”:”[FILTERED]”},{“key”:”user”,”value”:{“email”:[“victim@example.com”,”attacker@example.com”]}}],”correlation_id”:”08V0ZKAEAF9Q8QQ6X867DFS”,<truncated…>}
  • Whereas normally a sample log for the legitimate request would look like: {“method”:”POST”,”path”:”/users/password”,”format”:”html”,”controller”:”PasswordsController”,”action”:”create”,”status”:302,”location”:” http://gitlab.sw.local/users/sign_in”,”time”:”2024-01-17T14:25:38.840Z”,”params”:[{“key”:”authenticity_token”,”value”:”[FILTERED]”},{“key”:”user”,”value”:{“email”:”user@example.com”}}],”correlation_id”:”01X0ECS3P6ZEF55YRA7XNNH”,<truncated…>}
  • Check gitlab-rails/audit_json.log for entries with caller_id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.

Remediation Recommendations

  • Enable Two-Factor Authentication (2FA), a silver bullet to deny unauthorized access, for all accounts.
  • GitLab released an update to address the issue, and it is highly recommended to update the application to version 16.7.2, 16.6.4, 16.5.6 or newer as appropriate. Notably, since this security fix has been backported to versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5, the users can choose to update the application to those versions as well.

Relevant Links

Infostealer Trojan with Remote Access and Ransomware Capabilities Seen in the Wild

/in /by

This week, the Sonicwall Capture Labs threat research team analyzed a full-featured infostealer and remote access trojan that also has ransomware functionality built in. This trojan is capable of terminating applications, logging keystrokes, opening web pages, connecting to a remote host, executing DDoS attacks and encrypting the victim’s data.

Infection Cycle:

The malware arrives as a portable executable using the following file name and icon:


Figure 1: Filename and icon used by the trojan

Upon execution, it creates a copy of itself in the temp directory named csrss.exe. It then spawns the legitimate Windows Task Scheduler and runs an schtasks command to ensure that this copy runs itself periodically.


Figure 2: Scheduled task added

It also adds a run key in the HKU hive:

  • HKU\Software\Microsoft\Windows\CurrentVersion\Run csrss %temp%\csrss.exe

During runtime, it intermittently connects to a remote host.


Figure 3: Malware seen connecting to a remote host

It also creates a log file in the user’s temp directory, which appears to be keystrokes of websites visited and processes executed.


Figure 4: Log file with all the keystrokes logged during runtime

Upon further analysis, this trojan appears to be capable of encrypting files using AES encryption using the RijndaelManaged class.


Figure 5: AES encryption function inside this trojan

It also has the ability to open and close arbitrary web pages, shutdown, logoff, or restart the machine, run PowerShell commands, and start a DDoS attack.


Figure 6: All the other malicious functionalities available within this trojan

This trojan also has the ability to capture screenshots of the victim’s machine.


Figure 7: Screen capturing functionality within the trojan

SonicWall Protections:

SonicWall Capture Labs provides protection against this threat via the following signature:
GAV: Malagent.XCL(Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for January 2024

/in /by

Overview

Microsoft’s January 2024 Patch Tuesday has 48 vulnerabilities, 11 of which are Remote Code Execution. The vulnerabilities can be classified into the following categories:

  • 11 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 10 Elevation of Privilege Vulnerabilities
  • 6 Denial of Service Vulnerabilities
  • 7 Security Feature Bypass Vulnerabilities
  • 3 Spoofing Vulnerabilities

Figure 1: Vulnerabilities by category

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2024 and has produced coverage for 5 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE-2024-20653     Microsoft Common Log File System Elevation of Privilege Vulnerability

  • ASPY 523 Exploit-exe exe.MP_362

CVE-2024-20683     Win32k Elevation of Privilege Vulnerability

  • ASPY 524 Exploit-exe exe.MP_363

CVE-2024-20698     Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 525 Exploit-exe exe.MP_364

CVE-2024-21307     Remote Desktop Client Remote Code Execution Vulnerability

  • ASPY 521 Exploit-exe exe.MP_360

CVE-2024-21310     Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

  • ASPY 522 Exploit-exe exe.MP_361

Remote Code Execution Vulnerabilities

CVE-2024-20654     Microsoft ODBC Driver Remote Code Execution Vulnerability

CVE-2024-20655     Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability

CVE-2024-20676     Azure Storage Mover Remote Code Execution Vulnerability

CVE-2024-20677     Microsoft Office Remote Code Execution Vulnerability

CVE-2024-20682     Windows Cryptographic Services Remote Code Execution Vulnerability

CVE-2024-20696     Windows Libarchive Remote Code Execution Vulnerability

CVE-2024-20697     Windows Libarchive Remote Code Execution Vulnerability

CVE-2024-20700     Windows Hyper-V Remote Code Execution Vulnerability

CVE-2024-21307     Remote Desktop Client Remote Code Execution Vulnerability

CVE-2024-21318     Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2024-21325     Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2024-20653     Microsoft Common Log File System Elevation of Privilege Vulnerability

CVE-2024-20656     Visual Studio Elevation of Privilege Vulnerability

CVE-2024-20657     Windows Group Policy Elevation of Privilege Vulnerability

CVE-2024-20658     Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability

CVE-2024-20681     Windows Subsystem for Linux Elevation of Privilege Vulnerability

CVE-2024-20683     Win32k Elevation of Privilege Vulnerability

CVE-2024-20686     Win32k Elevation of Privilege Vulnerability

CVE-2024-20698     Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21309     Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

CVE-2024-21310     Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Denial of Service Vulnerabilities

CVE-2024-20661     Microsoft Message Queuing Denial of Service Vulnerability

CVE-2024-20672     .NET Core and Visual Studio Denial of Service Vulnerability

CVE-2024-20687     Microsoft AllJoyn API Denial of Service Vulnerability

CVE-2024-20699     Windows Hyper-V Denial of Service Vulnerability

CVE-2024-21312     .NET Framework Denial of Service Vulnerability

CVE-2024-21319     Microsoft Identity Denial of Service vulnerability

Information Disclosure Vulnerabilities

CVE-2024-20660     Microsoft Message Queuing Information Disclosure Vulnerability

CVE-2024-20662     Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability

CVE-2024-20663     Windows Message Queuing Client (MSMQC) Information Disclosure

CVE-2024-20664     Microsoft Message Queuing Information Disclosure Vulnerability

CVE-2024-20680     Windows Message Queuing Client (MSMQC) Information Disclosure

CVE-2024-20691     Windows Themes Information Disclosure Vulnerability

CVE-2024-20692     Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

CVE-2024-20694     Windows CoreMessaging Information Disclosure Vulnerability

CVE-2024-21311     Windows Cryptographic Services Information Disclosure Vulnerability

CVE-2024-21313     Windows TCP/IP Information Disclosure Vulnerability

CVE-2024-21314     Microsoft Message Queuing Information Disclosure Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2024-0056     Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

CVE-2024-0057     NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

CVE-2024-20652     Windows HTML Platforms Security Feature Bypass Vulnerability

CVE-2024-20666     BitLocker Security Feature Bypass Vulnerability

CVE-2024-20674     Windows Kerberos Security Feature Bypass Vulnerability

CVE-2024-21305     Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability

CVE-2024-21316     Windows Server Key Distribution Service Security Feature Bypass

Spoofing Vulnerabilities

CVE-2024-20690     Windows Nearby Sharing Spoofing Vulnerability

CVE-2024-21306     Microsoft Bluetooth Driver Spoofing Vulnerability

CVE-2024-21320     Windows Themes Spoofing Vulnerability

SMTP Smuggling

/in /by

Overview

The SonicWall Capture Labs threat research team has observed attackers targeting Simple Mail Transfer Protocol (SMTP) to send spoofed emails that can bypass traditional authentication mechanisms. A flaw tracked as three separate CVEs, CVE_2023_51764, CVE_2023_51765 and CVE_2023_51766, was found in some SMTP server configurations within Postfix. This issue may allow a remote attacker to break out of the email message data to "smuggle" SMTP commands and send spoofed emails that pass SPF checks.
SMTP smuggling is a serious threat that allows attackers to send fake emails from millions of domains like Microsoft, Amazon, PayPal, eBay, GitHub, Outlook, Office365, Tesla and Mastercard. Demonstrations showed that the emails could appear as if they came from ‘admin(at)outlook.com’, which gives insight into the severity of this attack. Vulnerable software versions include:

  • Postfix through 3.8.4
  • Sendmail through 8.14.7
  • Exim before 4.97.1

Organizations still running one of the vulnerable software versions should upgrade to the latest version with specific settings that reject unauthorized pipelining by default: "smtpd_forbid_unauth_pipelining = yes".

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2023-51764, CVE-2023-51765 and CVE-2023-51766.

The overall CVSS 3.1 score is 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
Base score is 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N), based on the following metrics:
  •Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is required.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is low.
  • Impact of this vulnerability on data integrity is low.
  • Impact of this vulnerability on data availability is high.
Temporal score is 3.9 (E:P/RL:O/RC:C), based on the following metrics:
  • The exploit code maturity level of this vulnerability is proof of concept code.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview

The exploitation technique wherein spoof emails are created and communicated by manipulating SMTP conversations is known as SMTP Smuggling. Basically, what happens is SMTP servers interpret the end-of-data sequences such as <CR><LF>.<CR><LF> improperly which additionally bypasses basic security checks such as sender policy framework (SPF) alignment. This simple exploitation technique bypassed email security and has proven effective against multiple free and open-source mail transfer agents, including Postfix (CVE-2023-51764), Sendmail (CVE-2023-51765) and Exim (CVE-2023-51766).

Postfix versions up to 3.8.4 allow SMTP Smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking options. Sendmail also allows SMTP Smuggling through at least version 8.14.7 in certain configurations. Similarly, Exim versions before 4.97.1 also allow SMTP Smuggling in certain PIPELINING/CHUNKING configurations.

Remote attackers can leverage this vulnerability to inject e-mail messages with a spoofed source address, allowing attackers to bypass SPF protection mechanisms. This occurs due to some mail clients supporting <LF>.<CR><LF> as end-of-data sequences while other popular e-mail servers do not.

The main issue within the mail transfer agents (MTAs) occurs when they are configured as outbound SMTP servers and have insufficient filtering techniques and interpret weird end-of-data sequences as legitimate.

According to RFC definitions, configuration standards for inbound as well as outbound mail servers are predefined.

Figure 1: RFC 5321, 5322, 2008

Exploitation

The exploitation technique lies in the end-of-data sequences. Different operating systems have a different interpretation of "a line by itself". A "." on a line by itself on Windows OS would be separated via two carriage return line feeds (<CR><LF>.<CR><LF> or \r\n.\r\n), while a "." on a line by itself on Linux OS would be separated with two line feeds (<LF>.<LF> or \n.\n).

Figure 2: Server responses on end-of-data sequence

MTAs can be configured as inbound SMTP servers as well as outbound SMTP servers. <CR><LF> (Carriage Return Line Feed, standard text delimiters) decides where the message data ends in messaging over SMTP. A special crafted email and manipulating end-of-data sequence used in email messaging leads to exploitation. A nefarious activist takes advantage of this technique to bypass email protection protocols such as SPF, DMAC and DKIM.
Consider the following example as shown in Figure 3 using non-vulnerable mail servers. Whenever <LF>.<LF> is supported as end-of-data sequence by the inbound SMTP server, only the first data, (“lorem ipsum”) will be part of the message data, otherwise, the message also includes the second data post end-of-data sequence, i.e., “This server is ignoring line feeds as end-of-data sequence!".

Figure 3: Email delivery with sequence to Non-Vulnerable SMTP servers

If SMTP pipelining is allowed on the vulnerable inbound SMTP servers, there is a higher chance of <LF>.<LF> being used as the end-of-data sequence and therefore the second message would be interpreted as SMTP command as shown in Figure 4. A malicious user takes advantage of this and manipulates various SMTP commands, spoofing millions of domains with fake sender addresses (e.g., admin(at)outlook.com)

Figure 4: Email delivery with LF sequence on Vulnerable SMTP servers

Some other examples of End-of-Data Sequences:

  • Interrupted end-of-data sequences: 
    <CR><LF>\x00.<CR><LF>
    <CR><LF>.\x00<CR><LF>
  • End-of-data sequences using incomplete CRLFs:
    <LF>.<LF>
    <CR><LF>.<CR>
    <CR>.<LF>
  • End-of-data sequences in the message header

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4207 – SMTP Smuggling Attack 1
  • IPS:4209 – SMTP Smuggling Attack 2
  • IPS:4217 – SMTP Smuggling Attack 3

Remediation Recommendations

To prevent attack variants by always disallowing <LF> without <CR),: utilize the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.

Admins still running one of the vulnerable software versions should disconnect remote SMTP clients that send bare newlines but can allow local clients with non-standard SMTP implementations such as netcat, fax machines, or load balancer health checks by using the following options:

  • smtpd_forbid_bare_newline = yes
  • smtpd_forbid_bare_newline_exclusions = $mynetworks

Relevant Links

Image credit: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Uransomware encrypts and leaves victims stranded

/in /by

The Sonicwall Capture Labs threat research team has been tracking a new ransomware family known as Uransomware. This ransomware appears to be in early development. The sample we analyzed does not ask for payment for file retrieval and does not provide any instructions or operator contact information, typical for most ransomware. It is written in .NET and contains no obfuscation which makes it trivial to decompile and analyze.

Infection Cycle:

After disassembling the malware code we can see the intended program flow:



After encryption, the malware runs dle.bat to remove traces of itself:



The malware contains code to inject itself into other processes. However, this was not seen during our analysis. Instead, an embedded exe file is written to disk after being base64 decoded:



It writes the file to C:\Temp\uransomware20.exe and executes it:



This malware module spawns multiple copies of svchost.exe and encrypts files:



Files are encrypted then base64 encoded with the public key wrapped in an xml-like tag at the beginning of the file:



After file encryption, read_it.txt is written to all directories where files were encrypted. It contains the following text:



The names of encrypted files are given a .markus extension. After disassembling uransomware20.exe we can see a list of file extensions targeted for encryption:




We can also see a list of targeted directories:



It contains a function called spreadIt() which targets attached storage media and network drives:




It also contains functions to disabled system recovery and delete backups:



The malware contains another large array of base64 encoded bytes:



After decoding, this turns out to be a jpeg image file:



This image file is written to disk and displayed as the desktop background wallpaper:



SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Uransomware20.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

New Heracles Stealer in the Wild

/in /by

Overview

This week, the SonicWall Capture Labs threat research team analyzed a new sample of an infostealer dubbed ‘Heracles’, which has multiple evasion and persistence techniques. The malware is programmed to search for system credentials, installed programs and crypto currency wallets.

Technical Analysis

The file is detected as “Обязанности старшего техника на самолете ТУ-160_вч_85927_Д_Каплунов.exe”, which translates to “Responsibilities of a senior technician on a TU-160 aircraft_vch_85927_D_Kaplunov.exe”. It is a .NET executable.

Figure 1: Sample Detection

When attempting to look at the file resources in DNSpy, the records are completely obfuscated.

Figure 2: Obfuscated (left) and deobfuscated data (right)

Once the file has been deobfuscated, it shows hundreds of classes and attributes. In a secondary check against the deobfuscated sample, two embedded files are found. The first is ‘DotNetZip.dll’, and the second is another .NET DLL file (“zx_8d21b2346df842017090f44c62fec926.dll”). The former is used for handling zip files in memory and is a legitimate application, while the latter is a secondary payload.

Figure 3: Payload detection

Looking at the payload sample, it shows the name “PDF_Reader” in its resource section. However, it has a number of domains listed related to cryptocurrency and dark web sites, including a .onion address.

Figure 4: Domains listed in the payload, which also mentions ‘Eazfuscator’, an obfuscation tool

Once runtime occurs, the main file will perform checks against CPU features using WMI using the following queries:

  • CreateInstanceEnum – root\cimv2 : Win32_Processor
  • ExecQuery – root\cimv2 : SELECT ProcessorId FROM Win32_Processor
  • ExecQuery – root\cimv2 : SELECT * FROM Win32_VideoController
  • ExecQuery – root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory

It will also check for VMWare and QEMU virtual environments specifically while running processes and debuggers to ensure it is running on a viable system. All errors are disabled via SetErrorMode to prevent the user/system from detecting activity. Files are dropped into the following locations for persistence and staging:

  • ~AppData\Roaming\\\Files\Local Settings\Temp
  • ~AppData\Roaming\\Files\Start Menu\Programs
  • ~AppData\Roaming\\Files\Start Menu\Programs\Windows Powershell
  • ~AppData\Roaming…\Files\Start Menu\Programs\System Tools\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Administrative Tools\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Maintenance\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Accessories\
  • ~AppData\Roaming…\Files\Start Menu\Programs\Startup\Accessibility\

The main sample creates copies of itself in the ‘Temp’ location as ‘.tmp’ files. In testing, these were presented as ‘wct3D66.tmp’ or similar. For all other locations, either ‘.ini’ or ‘.lnk’ files are created that will point back to one or more of the copies. Enumeration begins by going through the main directory and looking for Microsoft Office profiles, cryptocurrency wallets and clipboard data. The main wallets are: Electrum, Ethereum, Exodus, bytecoin and Zcash.

Figure 5: Wallet strings found during runtime

Data is staged in the same ‘Temp’ directory and is compressed via DotNetZip. While no network connections were made, the following IP addresses were found in memory:

208.95.112.1 (ip-api.com)
149.154.167.220 (api.telegram.org)
104.237.62.212 (api.ipify.org)
64.185.227.156 (api.ipify.org)
173.231.16.77 (api.ipify.org)

The telegram IP is used for communications, as it has been confirmed that there is a telegram group associated with this sample (‘https://t{.}me/rusvolcorp’) in other tests. Rusvolcorp is a Russian group fighting on behalf of Ukraine, but it is unknown whether this link is legitimate.

Protection

To ensure SonicWall customers are prepared for any exposure that may occur due to this malware, the following signatures have been released:

  • MalAgent.Heracles.A
  • MalAgent.Heracles.Payload

IOCs

  • 53d5c2574c7f70b7aa69243916acf6e43fe4258fbd015660032784e150b3b4fa (Обязанности старшего техника на самолете ТУ-160_вч_85927_Д_Каплунов.exe)

  • BAD79DB7BE7C9C4BFBA84BFE7B3254E215650A5532098DC7C4A787695D52A983 (PDF_Reader.dll)

URLs

  • xss.is
  • coinbase.com
  • antiscan.me
  • dyncheck.com
  • avcheck.net
  • dark2web.cc
  • blockchain.com
  • freewallet.org
  • btc.com
  • bhf.io
  • direct.yandex.ru
  • payeer.com
  • exploit.in
  • exploitinqx4sjro.onion