
LockBit 3.0 'Black' targets large corps. Operator demands $9M for decryption

LockBit 3.0, also known as LockBit Black, is a ransomware family that operates under the Ransomware-as-a-Service (RaaS) model, in which the developers supply the malware and infrastructure to affiliates who may lack the resources to build and deploy attacks themselves. The family is known for its public presence: it announced its services in July 2022, offered a bug bounty program, and even paid individuals who had the LockBit logo tattooed on their bodies. Despite the attention, LockBit remains one of the most prevalent ransomware strains, and in September 2022 the builder for LockBit 3.0 was leaked and made available for download on GitHub. During our analysis we were able to hold a direct conversation with the operator, who demanded a staggering $9M for file decryption.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted. Each encrypted file is given a “.NegNiNNoP” file extension, and the original file name is replaced with a random string, e.g. 4sk2dwe.NegNiNNoP. After encryption, the following message is displayed on the desktop background:

 

The following files are added to the system:

  • C:\ProgramData\NegNiNNoP.bmp [seen above]
  • C:\ProgramData\NegNiNNoP.ico
  • C:\Users\NegNiNNoP.README.txt
  • C:\Users\All Users\NegNiNNoP.bmp
  • C:\Users\All Users\NegNiNNoP.ico
  • C:\Users\{user}\NegNiNNoP.README.txt

 

The following registry key is added:

  • HKEY_CLASSES_ROOT\NegNiNNoP\DefaultIcon @ “C:\ProgramData\NegNiNNoP.ico”

 

NegNiNNoP.ico contains the following image:

 

A file called NegNiNNoP.README.txt is written to the desktop and to every folder in which files were encrypted. It contains the following message:

 

A Tor address is provided in the message and brings the victim to the following pages:

 

The operators take pride in their work and display a list of victims on their site.  This list is filled with various organizations from around the world:

 

In addition to demanding payment for data recovery, the operators double down and threaten to leak sensitive data to the public if the ransom is not paid in time. This double extortion method adds pressure on the victim in an effort to force them to pay. Leaked sensitive data is publicly available on the site for all to see:

 

 

During our analysis, no data was exfiltrated from the system.

 

On the victim page, a “support” chat box is presented.  This enables direct communication with the attackers.  Ransomware operators usually use this for negotiation with their victims and to provide additional pressure:

 

We had the following live conversation with an operator revealing a $9M decryption fee:

 

The link took us to the following pages.  However, the files referenced were not from our network:

 

This appears to be a bug on their end:

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LockBit3.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Linux Kernel ksmbd Integer Underflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  ksmbd (kernel SMB daemon) is a Linux kernel module that implements the server side of the SMB3 protocol, allowing the Linux kernel itself to serve SMB (Server Message Block) clients. SMB is a protocol used for sharing files, printers, and other resources between computers on a network.

  SMB3 is the current major version of the protocol and adds several features over earlier versions, including encryption and signing improvements, better performance, and better support for large files and high-availability scenarios.

  ksmbd handles the SMB data path directly in kernel space rather than in a user-space daemon such as Samba's smbd; only configuration and user-database lookups are delegated to a small user-space helper (ksmbd.mountd). This reduces overhead compared with SMB implementations that process every request in user space.

  A denial of service vulnerability has been reported in the Linux kernel. It is due to an integer underflow in the ksmbd_decode_ntlmssp_auth_blob() function.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation results in a denial of service.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0210.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  NTLMSSP is Microsoft's NTLM Security Support Provider, a challenge/response authentication protocol used in Windows. It involves the exchange of three messages (NEGOTIATE, CHALLENGE and AUTHENTICATE) between the client and the server to establish the identity of the client. In SMB2 the NTLMSSP messages are carried inside the SESSION_SETUP security blob, either raw or wrapped in a SPNEGO (GSS-API) token, and it is that SPNEGO wrapper that is ASN.1 DER encoded; the NTLMSSP messages themselves use a flat binary layout of fixed fields and length/offset “security buffers” (MS-NLMP). Understanding that layout is what matters for this vulnerability.

  An integer underflow exists in the ksmbd kernel module when handling SMB2 SESSION_SETUP messages. The flaw is due to missing validation when processing the NTLMSSP AUTHENTICATE message. The vulnerable function ksmbd_decode_ntlmssp_auth_blob() extracts the Length of the NtChallengeResponse field and stores it in a local variable nt_len. It then passes nt_len - CIFS_ENCPWD_SIZE (16) as the blen argument of ksmbd_auth_ntlmv2(). That function allocates a kernel buffer of blen + CIFS_CRYPTO_KEY_SIZE (8) bytes and performs two memory copies into it, of CIFS_CRYPTO_KEY_SIZE and blen bytes respectively.

  However, the vulnerable function never checks that nt_len is at least CIFS_ENCPWD_SIZE (16). Any value below 16 underflows, and because blen is a signed int the allocation size 8 + blen becomes small or negative. For the allocation to succeed the value must lie in the range 8-15. For example, with nt_len = 12, blen is -4 and the allocation size is 4 bytes; the subsequent copies of 8 bytes and of blen bytes (a negative int that becomes a huge value when converted to size_t) both overrun the 4-byte buffer.
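  The arithmetic described above, as an added example (Python written for this page, not kernel code): it pulls the NtChallengeResponse length out of a constructed NTLMSSP AUTHENTICATE_MESSAGE header and models, with explicit C int/size_t wrap-around, the sizes ksmbd_auth_ntlmv2() would allocate and copy, once with the vulnerable arithmetic and once with a lower-bound check of the kind the upstream fix adds. The field offsets follow MS-NLMP; the constants and the allocation/copy sizes are the ones given in the text; the sample blob is constructed.

```python
import struct

CIFS_ENCPWD_SIZE = 16      # fixed 16-byte HMAC at the start of an NTLMv2 response
CIFS_CRYPTO_KEY_SIZE = 8   # server challenge copied in front of the blob
EINVAL, ENOMEM = 22, 12


def c_int(value: int) -> int:
    """Reinterpret an integer as a C 32-bit signed int (two's-complement wrap)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def c_size_t(value: int) -> int:
    """Reinterpret a (possibly negative) C int as a 64-bit size_t."""
    return value & 0xFFFFFFFFFFFFFFFF


def nt_response_length(auth_blob: bytes) -> int:
    """NtChallengeResponse.Length from an NTLMSSP AUTHENTICATE_MESSAGE.

    Layout (MS-NLMP 2.2.1.3): 8-byte signature, u32 MessageType (3), then six
    8-byte fields entries (Len u16, MaxLen u16, Offset u32); NtChallengeResponse
    is the second of them, at offset 20. Raises ValueError on a malformed header.
    """
    if len(auth_blob) < 64 or auth_blob[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", auth_blob, 8)
    if msg_type != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    (nt_len,) = struct.unpack_from("<H", auth_blob, 20)
    return nt_len


def derive_sizes(nt_len: int, lower_bound_check: bool) -> dict:
    """Model the sizes ksmbd_auth_ntlmv2() derives from nt_len.

    lower_bound_check=False reproduces the vulnerable arithmetic; True adds the
    check the fix introduces (nt_len < CIFS_ENCPWD_SIZE -> -EINVAL).
    """
    if lower_bound_check and nt_len < CIFS_ENCPWD_SIZE:
        return {"rc": -EINVAL}
    blen = c_int(nt_len - CIFS_ENCPWD_SIZE)          # int blen: wraps below 16
    alloc_len = c_int(CIFS_CRYPTO_KEY_SIZE + blen)   # int len = 8 + blen
    if alloc_len < 0:                                # kzalloc((size_t)negative) fails
        return {"rc": -ENOMEM, "blen": blen, "alloc_len": alloc_len}
    return {
        "rc": 0,
        "blen": blen,
        "alloc_len": alloc_len,
        "copy1": CIFS_CRYPTO_KEY_SIZE,   # memcpy(construct, cryptkey, 8)
        "copy2": c_size_t(blen),         # memcpy(construct + 8, blob, blen)
    }


def overflows(sizes: dict) -> bool:
    """True if the two copies write past the buffer that was allocated."""
    if sizes["rc"] != 0:
        return False
    room = sizes["alloc_len"]
    if sizes["copy1"] > room:
        return True
    return sizes["copy2"] > room - sizes["copy1"]


def build_auth_blob(nt_len: int) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE header with only the fields this path reads set."""
    blob = bytearray(64)
    blob[:8] = b"NTLMSSP\x00"
    struct.pack_into("<I", blob, 8, 3)
    struct.pack_into("<H", blob, 20, nt_len)
    return bytes(blob)


def auth_blob_overflows(auth_blob: bytes, fixed: bool) -> bool:
    return overflows(derive_sizes(nt_response_length(auth_blob), fixed))


if __name__ == "__main__":
    for n in range(25):
        s = derive_sizes(n, False)
        vuln = "OVERFLOW" if auth_blob_overflows(build_auth_blob(n), False) else "ok"
        fixed = "OVERFLOW" if auth_blob_overflows(build_auth_blob(n), True) else "ok"
        print(f"nt_len={n:2d} blen={s['blen']:5d} alloc={s['alloc_len']:5d} "
              f"vulnerable={vuln:8s} fixed={fixed}")
```

  Running the loop shows the window the text describes: nt_len below 8 fails the allocation, 8-15 overruns the buffer, and 16 or more is handled normally; with the lower-bound check every value below 16 is rejected before any allocation happens.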

Triggering the Problem:

  • The vulnerable system must be running ksmbd, listening on the SMB port (TCP 445), and accepting incoming connections.
  • The attacker must have connectivity to the target system.
  • The attacker must know a valid SMB user name on the target system.

Triggering Conditions:

  The attacker connects to the target ksmbd server. The vulnerability is triggered when the attacker sends a crafted SMB2 SESSION_SETUP request with crafted Security Blob field.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMB/CIFS

  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3510 Linux Kernel ksmbd DoS 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configure the vulnerable product to allow access to trusted clients only.
    • Update to a non-vulnerable version of the product.
    • Filter attack traffic using the signature above.
  The vendor has released the following commit regarding this vulnerability:
  Vendor Advisory

Berbew Backdoor Spotted In The Wild

This week, the Sonicwall Capture Labs Research team analyzed a sample of Berbew, a trojan that has been seen used in connection with Download.Ject and FormBook to steal user passwords for banking and other financial institutions. Berbew acts as both an infostealer and proxy to allow for command and control (C2) activities or routing of additional malware.

Analysis

Berbew has previously been reported as a second-stage payload delivered after a first stage has compromised the target through an exploit: Download.Ject targeted Microsoft IIS servers, while FormBook arrives as a phishing email attachment. Static analysis shows that the file is 56 KB in size with a PE timestamp set in the year 2036.

 

 Figure 1: Future creation date

 

There are a variety of additional red flags in the PE section table: each section has a random alphanumeric name. Two of the sections are self-modifying, a method malware uses to change its own code at runtime. The second section (.E9Mdns0) also holds virtualized code, a protective measure against analysis, but it is empty on disk, meaning its contents are filled in at runtime. The last item to note is that the entry point lies in the section ‘.neYm’; this is atypical because the entry point is normally in the first (code) section of a program.

 

Figure 2: Items to note, 1) section names, 2) self-modifying sections, 3) virtualized code, 4) entry-point address

 

The strings give additional context on what the program can do. It references WININET.DLL, a networking library, and appears to read from URL entries. It can read, write and search registry entries using the ‘Reg’ API functions, and can query the security settings of the system.

 

Figure 3: Berbew program strings

 

At runtime, the executable drops 934 files into ‘C:\Windows\SysWOW64’ and executes between 23 and 25 of them in sequence. Of the files dropped, 467 are duplicates of the main executable and the other half are DLL files. Names follow one of two schemes: six alphabetic characters followed by ‘32.exe’, or eight alphabetic characters (the latter applies to both the .EXE and .DLL files). A hook is set up for capturing data using ‘DirectDrawCreateEx’, which allows keyboard, mouse, clipboard, and screen activity to be saved.

 

Figure 4: Runtime sequence of dropped executables

 

In addition, there are also registry keys written for persistence:
– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger
– HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

These are processed at logon: ShellServiceObjectDelayLoad entries are loaded by explorer.exe, which instantiates the COM object registered under the listed CLSID; that object's InProcServer32 value points to one of the dropped DLLs, which in turn relaunches the program. The dropped DLL files are all identical to each other and only 7 KB in size.
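A hunt for this persistence chain, as an added example (Python written for this page, not Berbew's or any vendor's code): it walks both ShellServiceObjectDelayLoad keys, resolves each CLSID to its InProcServer32 DLL path, and flags entries that look like a Berbew drop. The registry snapshot and file sizes are constructed dicts so the example runs offline; the 16 KB “tiny DLL” threshold is an assumption, while the CLSID and value name come from the IOCs on this page.

```python
import re
from dataclasses import dataclass

SSODL_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
)
# Where the CLSIDs named in each SSODL key are registered (native vs. WOW64 view).
CLSID_ROOTS = {
    SSODL_KEYS[0]: r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
    SSODL_KEYS[1]: r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID",
}
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Berbew's dropped DLLs: eight alphabetic characters, about 7 KB, in SysWOW64.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.I)
TINY_DLL_BYTES = 16 * 1024                                # assumed threshold
BERBEW_CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"   # from the IOCs above
BERBEW_VALUE_NAME = "web event logger"


@dataclass
class Finding:
    ssodl_key: str
    value_name: str
    clsid: str
    dll_path: str
    reasons: list


def resolve_ssodl(registry: dict) -> list:
    """For each SSODL value, resolve CLSID -> InProcServer32 default value (DLL path).

    registry is a {key_path: {value_name: data}} snapshot; on a live host the
    same dict can be filled from winreg.
    """
    resolved = []
    for ssodl in SSODL_KEYS:
        for name, clsid in registry.get(ssodl, {}).items():
            if not CLSID_RE.match(str(clsid)):
                continue   # not CLSID-shaped; Explorer would not load it either
            inproc = f"{CLSID_ROOTS[ssodl]}\\{clsid}\\InProcServer32"
            resolved.append((ssodl, name, clsid, registry.get(inproc, {}).get("", "")))
    return resolved


def hunt(registry: dict, file_sizes: dict) -> list:
    """Flag SSODL entries whose in-process server looks like a Berbew drop."""
    findings = []
    for ssodl, name, clsid, dll in resolve_ssodl(registry):
        reasons = []
        if not dll:
            reasons.append("CLSID has no InProcServer32 (dangling entry)")
        if RANDOM_DLL_RE.match(dll.rsplit("\\", 1)[-1]):
            reasons.append("eight-letter random DLL name")
        size = file_sizes.get(dll.lower())
        if size is not None and size < TINY_DLL_BYTES:
            reasons.append(f"tiny server DLL ({size} bytes)")
        if clsid.upper() == BERBEW_CLSID or name.lower() == BERBEW_VALUE_NAME:
            reasons.append("CLSID/value name matches the Berbew IOCs")
        if reasons:
            findings.append(Finding(ssodl, name, clsid, dll, reasons))
    return findings


# Constructed snapshot: the Berbew entries mirror this page, the rest are made up.
SAMPLE_REGISTRY = {
    SSODL_KEYS[1]: {
        "Web Event Logger": BERBEW_CLSID,
        "ExampleHelper": "{11111111-2222-3333-4444-555555555555}",   # benign, constructed
        "Orphan": "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",          # CLSID never registered
    },
    CLSID_ROOTS[SSODL_KEYS[1]] + "\\" + BERBEW_CLSID + "\\InProcServer32": {
        "": r"C:\Windows\SysWOW64\qwertyui.dll",
    },
    CLSID_ROOTS[SSODL_KEYS[1]] + r"\{11111111-2222-3333-4444-555555555555}\InProcServer32": {
        "": r"C:\Windows\SysWOW64\examplehelper.dll",
    },
}
SAMPLE_SIZES = {
    r"c:\windows\syswow64\qwertyui.dll": 7 * 1024,
    r"c:\windows\syswow64\examplehelper.dll": 412 * 1024,
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_REGISTRY, SAMPLE_SIZES):
        print(f"{f.value_name} -> {f.clsid} -> {f.dll_path or '<none>'}: {'; '.join(f.reasons)}")
```

The dangling-CLSID case is worth keeping in a real hunt: a leftover SSODL value whose CLSID no longer resolves is either cleanup debris or a sign that only half of the persistence was removed.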

Figure 5: Detection of dropped DLL

 

When a financial website is visited, or during regular use, the system displays prompts asking the user to change passwords. The captured information is then relayed to one of the URLs held in memory; no connections are made until data has been collected.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Berbew.F (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

IOCs

Sample 1
MD5: 7350C5C9F3020FB201AD2184453DBBAC
SHA1: C68E9514A58D803C65647191153F35BD742A7463
SHA256: BCC12EEF62B196293032ECB05804510474A276B9A12DD70248F55EFFD405474C
Size: 56kb

Sample 2
MD5: FE1AE2707A3D86E7EF8B921A77D571EB
SHA1: 01F484BA1B4B28555FD8DD959A428C94A652443D
SHA256: 73AE10E87168EA0F543C0CFE23B1BA71726AC597E52F06075432EFE30FDED843
Size: 7kb

Registry Keys

– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Web Event Logger
– HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
– HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

URLs

hxxp://adult-empire[.]com/index.php
hxxp://color-bank[.]ru/index.php
hxxp://crutop.nu
hxxp://crutop.nu/index.htm
hxxp://crutop.nu/index.php
hxxp://crutop.nuAWM
hxxp://crutop[.]ru/index.htm
hxxp://crutop[.]ru/index.php
hxxp://cvv[.]ru/index.htm
hxxp://cvv[.]ru/index.php
hxxp://devx.nm[.]ru/index.php
hxxp://fethard.biz/index.htm
hxxp://fethard.biz/index.php
hxxp://gaz-prom[.]ru/index.htm
hxxp://hackers.lv/index.php
hxxp://kadet[.]ru/index.htm
hxxp://kavkaz[.]ru/index.htm
hxxp://kidos-bank[.]ru/index.htm
hxxp://konfiskat.org/index.htm
hxxp://ldark.nm[.]ru/index.htm
hxxp://master-x
hxxp://parex-bank[.]ru/index.htm
hxxp://promo[.]ru/index.htm
hxxp://ros-neftbank[.]ru/index.php
hxxp://trojan[.]ru/index.php
hxxp://virus-list.com/index.php
hxxp://www.redline[.]ru/index.php

 

 

 

 

 

 

 

 

Zoho ManageEngine SAML Response RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  ManageEngine is a subsidiary of Zoho Corporation that provides IT management software for businesses. The company offers a range of products for network, systems, applications, security, and service desk management. ManageEngine’s solutions aim to help organizations simplify and automate their IT operations, allowing them to focus on their core business objectives.

  Apache Santuario is an open-source implementation of the XML Security specifications (XML Signature and XML Encryption). It provides a library for securing XML documents, including signing and encryption. Santuario is used by various software projects, including the Apache Axis2 Web services engine, to secure their XML communications. It is part of the Apache Software Foundation and is governed by its open-source community.

  A remote code execution vulnerability has been reported in multiple Zoho ManageEngine products. The vulnerability is due to an outdated version of Apache Santuario in the impacted products allowing an attacker to execute XSLT in SAML response messages.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in arbitrary code execution under the security context of SYSTEM.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-47966.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Before understanding this vulnerability it’s important to research the key technologies below:

    1. SAML SSO (Security Assertion Markup Language Single Sign-On)
    2. SAML 2.0
    3. XSLT (eXtensible Stylesheet Language Transformations)
    4. Apache Xalan

  SAML SSO is a protocol that allows users to authenticate to multiple web applications using a single set of credentials. This technology provides a secure and convenient way for users to access multiple web applications with a single login, which is managed by a central identity provider. SAML SSO eliminates the need for users to remember and manage multiple sets of login credentials, which can improve the user experience and reduce the risk of password-related security breaches.

  SAML 2.0 is the latest version of the SAML standard and includes a number of improvements over SAML 1.1, making it the dominant standard for SSO. SAML 2.0 provides greater security, improved encryption and signing, and a more flexible data format, making it well-suited to a wide range of use cases. This technology is widely adopted by organizations of all sizes and is supported by a large number of identity providers and service providers.

  XSLT is a language used to transform XML (eXtensible Markup Language) documents into other formats. XSLT is used to define a set of rules for transforming the structure and content of an XML document into a different format that can be more easily displayed or processed. This technology is commonly used in conjunction with XML to create dynamic, data-driven websites, generate reports, and transform XML data into other formats for data exchange between systems. XSLT provides a powerful way to manipulate and display XML data, making it an essential tool for many XML-based applications.

  Apache Xalan is an open-source implementation of the XSLT and XML Path Language (XPath) standards. It provides a library for transforming XML documents into other formats, such as HTML, plain text, or XML with a different structure. Apache Xalan is written in Java and is part of the Apache XML Project, which is maintained by the Apache Software Foundation. This technology is widely used in a variety of applications for transforming and processing XML data, including for generating reports, transforming data for data exchange between systems, and creating dynamic, data-driven websites. Apache Xalan provides a high-performance, flexible, and easy-to-use solution for transforming XML data.

  The vulnerability is due to the server processing attacker-supplied XSLT transformations embedded in SAML responses. When an identity provider authenticates a user through SAML SSO on Key Manager Plus, the SAML response is posted to the endpoint “/saml2” on the server and is processed by the function service().

  Before a transformation is executed, the function checkSecureValidation() is called. This function checks whether secureValidation in the Transform object is set to “true” and whether the “Algorithm” attribute of the “Transform” XML element is “http://www.w3.org/TR/1999/REC-xslt-19991116”, the identifier of an XSLT transformation. If both are true, the function throws an exception, as XSLT transformations are forbidden when secureValidation is enabled. If checkSecureValidation() does not throw, t.performTransform() and transformSpi.enginePerformTransform() are called to execute the transform.

  enginePerformTransform() executes the XSLT transformation. It calls selectNode() to find the stylesheet XML element containing the transformation, then TransformerFactory.newInstance() to create a TransformerFactory object. setFeature() is called on that factory with “http://javax.xml.XMLConstants/feature/secure-processing” set to Boolean.TRUE to enable secure processing in Apache Xalan, which executes the XSLT, and transform() is called to run the stylesheet in the Transform element. However, the version of Apache Xalan bundled with the impacted version of Key Manager Plus is vulnerable to CVE-2014-0107. That vulnerability allows an attacker to bypass some of the restrictions imposed by secure processing on a TransformerFactory object by using output properties such as “content-handler”, which can load arbitrary classes, possibly leading to arbitrary code execution.

  Because secureValidation is false by default in the bundled version of Apache Santuario, and secure processing can be bypassed in the bundled version of Apache Xalan, an attacker can send a crafted SAML response to the target containing a “Transform” element that carries an arbitrary XSLT stylesheet.
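  The checkSecureValidation() decision described above, as an added example (Python written for this page, not Santuario's or ManageEngine's code): it lists every ds:Transform algorithm in a SAML Response, shows that the XSLT transform is only refused when secureValidation is on, and adds the stricter allowlist a service provider can enforce itself regardless of library defaults. The responses are constructed skeletons (no real signature values), and the allowlist of canonicalization/enveloped-signature transforms is an assumed policy.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSLT_ALG = "http://www.w3.org/TR/1999/REC-xslt-19991116"
ENVELOPED_ALG = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N_ALG = "http://www.w3.org/2001/10/xml-exc-c14n#"
# The only transforms a SAML 2.0 signature legitimately needs (assumed policy).
ALLOWED_TRANSFORMS = {
    ENVELOPED_ALG, EXC_C14N_ALG, EXC_C14N_ALG + "WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
}


class TransformRejected(Exception):
    pass


def transform_algorithms(saml_response: bytes) -> list:
    """Every ds:Transform/@Algorithm in the response, in document order."""
    root = ET.fromstring(saml_response)
    return [t.get("Algorithm", "") for t in root.iter(f"{{{DS_NS}}}Transform")]


def check_secure_validation(saml_response: bytes, secure_validation: bool) -> list:
    """Mirrors the checkSecureValidation() logic: XSLT is refused only when
    secureValidation is on. Returns the algorithms it let through."""
    algs = transform_algorithms(saml_response)
    for alg in algs:
        if secure_validation and alg == XSLT_ALG:
            raise TransformRejected(f"XSLT transform forbidden under secureValidation: {alg}")
    return algs


def check_allowlist(saml_response: bytes) -> list:
    """Stricter policy a service provider can apply itself: refuse any transform
    that is not on the allowlist, regardless of library defaults."""
    algs = transform_algorithms(saml_response)
    rejected = [a for a in algs if a not in ALLOWED_TRANSFORMS]
    if rejected:
        raise TransformRejected(f"unexpected transform(s): {rejected}")
    return algs


def build_response(transforms) -> bytes:
    """Constructed minimal SAML Response whose signature Reference lists the given
    (algorithm, inner XML) transforms. Not a valid signature; only the Transform
    elements the validator inspects are present."""
    body = "".join(f'<ds:Transform Algorithm="{alg}">{inner}</ds:Transform>'
                   for alg, inner in transforms)
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:ds="{DS_NS}" ID="_r1"><ds:Signature><ds:SignedInfo>'
            f'<ds:Reference URI="#_r1"><ds:Transforms>{body}</ds:Transforms>'
            f'</ds:Reference></ds:SignedInfo></ds:Signature></samlp:Response>').encode()


# Placeholder stylesheet standing in for the attacker's XSLT; only its presence matters here.
XSLT_STYLESHEET = ('<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
                   '<xsl:template match="/"><xsl:text>attacker-controlled</xsl:text></xsl:template>'
                   '</xsl:stylesheet>')
BENIGN_RESPONSE = build_response([(ENVELOPED_ALG, ""), (EXC_C14N_ALG, "")])
MALICIOUS_RESPONSE = build_response([(ENVELOPED_ALG, ""), (XSLT_ALG, XSLT_STYLESHEET)])

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN_RESPONSE), ("malicious", MALICIOUS_RESPONSE)):
        for sv in (False, True):
            try:
                print(label, f"secureValidation={sv}:", check_secure_validation(resp, sv))
            except TransformRejected as exc:
                print(label, f"secureValidation={sv}: rejected:", exc)
        try:
            print(label, "allowlist:", check_allowlist(resp))
        except TransformRejected as exc:
            print(label, "allowlist: rejected:", exc)
```

  This screens the transforms before a library ever evaluates them; it is a pre-check in front of real signature verification, not a replacement for it.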

Triggering the Problem:

  • The attacker must have network access to the target server.
  • The target must be running a vulnerable version of the software.
  • The target server must have SAML SSO enabled.

Triggering Conditions:

  The attacker sends a crafted SAML response to the target server. The vulnerability is triggered when the server validates the response and executes XSLT in a transformation in the XML.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTPS
    • HTTP

  Attacker Transform Payload, Executes Calc.:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3481 ManageEngine products xmlsec Remote Code Execution 1
  • IPS: 3491 ManageEngine products xmlsec Remote Code Execution 2
  • IPS: 18881 ManageEngine products xmlsec Remote Code Execution 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering traffic based on the signatures above.
    • Disabling SAML SSO if not needed.
    • Blocking the affected ports from external network access if they’re not required.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Magniber ransomware seen distributed via ISO disc image files

This week, the Sonicwall Capture Labs Research team analyzed a ransomware called Magniber. This ransomware has been around since 2017 as a successor to Cerber and, when we first covered it, targeted only a specific country. It has since widened its targeting and taken many forms, from JavaScript to archive files and more recently to Microsoft Software Installer (MSI) files and ISO images. What has not changed is that it still purports to be a software security update to lure victims into installing it.

Infection Cycle:

The ransomware installer arrives as a fake Windows update in the form of an optical disc image (ISO).

Within the ISO are two files, which can use the following filenames:

  • 5G offer.LNK
  • 5G-installer.MSI

The LNK file is a Windows shortcut that serves as a pointer to load the MSI file using msiexec.exe.

The Windows Installer file (MSI) uses the following file properties:

Once executed, it displays the following installation progress window. Note that the Knowledge Base article number referenced (KB5023921) is nonexistent and completely made up.

Upon execution, the first thing it does is to delete the Volume Shadow copies via the following command and then proceeds to encryption.

vssadmin.exe Delete Shadows /all /quiet

It changes the desktop background upon successful infection.

A readme.html present in all directories that have encrypted files show instructions on how to retrieve the victim’s files.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Magniber.RSM_1 (Trojan)
  • GAV: Magniber.RSM_2 (Trojan)
  • GAV: Magniber.RSM_3 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Adobe ColdFusion Heap Buffer Overflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Adobe ColdFusion is a commercial web application development platform from Adobe. It supports a full scripting language, ColdFusion Markup Language (CFML), and since ColdFusion MX 6.0 the server component has run within a Java Runtime Environment (JRE). The ColdFusion Administrator organizes information about all of a ColdFusion server's database connections in a single location, and ColdFusion ships a number of drivers for connecting to multiple databases, among them the ODBC Socket driver.

  The ODBC Socket data source is the component relevant to this vulnerability. ODBC Socket is a database driver that lets applications connect to a database through the Open Database Connectivity (ODBC) interface, but instead of connecting to the database directly, the driver connects to a separate server process that acts as a bridge between the application and the database. That “socket” server receives the application's requests, translates them into the appropriate format for the database, and sends the results back to the application. This indirection allows greater flexibility and scalability, as the socket server can be configured to reach multiple databases and can add security features such as encryption and authentication.

  A heap-based and stack-based buffer overflow vulnerability exists in the Adobe ColdFusion ODBC Server component. The vulnerability is due to a lack of proper validation of user-supplied data, which can result in a buffer overflow.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the target service. In the worst case, successful exploitation could result in arbitrary code execution with the privileges of SYSTEM.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-35711.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The General Inter-ORB Protocol (GIOP) and its TCP/IP mapping, the Internet Inter-ORB Protocol (IIOP), are the wire protocols defined by the Common Object Request Broker Architecture (CORBA) standard for communication between objects in a distributed system. Every GIOP message starts with a fixed header (the magic bytes “GIOP”, the protocol version, a flags byte that carries the byte-order bit, the message type and the message size), followed by a body whose layout depends on the message type; for a Request the body carries a service context list, a request id, the target object key, the operation name and, in GIOP 1.0/1.1, a requesting principal. Understanding this framing, and which port the ODBC Server's IIOP listener is bound to, is what is needed to follow the vulnerability below.

  When the component receives a GIOP packet, it first calls the function at swsoc.exe+0xcd070 to check that the Magic Bytes field is set to “GIOP”. Next, the function at swsoc.exe+0xcc620 is called, which checks that the ServiceContext and Principal fields are set to 0, that the Object Key is set to “IIOP:slx::” and that the Operation is set to “SSP”. Then the function at swsoc.exe+0xd0160 checks an unknown field in the request body. After that, the opcodes are processed one at a time in a loop in the function at swsoc.exe+0xcd910.

  Within this loop the vulnerable opcode, 8, is of interest. When it is encountered, the C library function memmove() is called with the OpcodeDataSize field as its size parameter to move the bytes in the Data field into a heap buffer. By supplying an OpcodeDataSize value larger than 38, the attacker overruns that heap buffer.
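  A parser for the framing described above, as an added example (Python written for this page, not ColdFusion's code): it validates the GIOP header, walks the opcode list, and contrasts the unbounded memmove-style copy for opcode 8 with a bounded one. Two things are assumptions because the page does not specify them: the opcode framing (u8 opcode, u32 OpcodeDataSize, data) and the request body containing only opcodes; the 38-byte buffer size is the one given in the text, and the requests are constructed.

```python
import struct

GIOP_MAGIC = b"GIOP"
GIOP_HEADER_LEN = 12
OPCODE_BUFFER_SIZE = 38   # the heap buffer opcode 8 copies into (from the report above)
VULNERABLE_OPCODE = 8


class GiopError(Exception):
    pass


def parse_giop_header(msg: bytes) -> dict:
    """Validate the fixed 12-byte GIOP header: magic, version, flags (bit 0 selects
    little-endian in GIOP 1.1+), message type and message size, which must match
    the body length."""
    if len(msg) < GIOP_HEADER_LEN or msg[:4] != GIOP_MAGIC:
        raise GiopError("bad GIOP magic")
    major, minor, flags, msg_type = msg[4], msg[5], msg[6], msg[7]
    little = bool(flags & 1)
    (size,) = struct.unpack_from("<I" if little else ">I", msg, 8)
    if size != len(msg) - GIOP_HEADER_LEN:
        raise GiopError(f"message_size {size} != body length {len(msg) - GIOP_HEADER_LEN}")
    return {"version": (major, minor), "little_endian": little, "msg_type": msg_type, "size": size}


def iter_opcodes(body: bytes, little: bool):
    """Yield (opcode, data) pairs. Framing assumed for this example: u8 opcode,
    u32 OpcodeDataSize, then that many data bytes."""
    fmt = "<I" if little else ">I"
    off = 0
    while off < len(body):
        if off + 5 > len(body):
            raise GiopError("truncated opcode header")
        opcode = body[off]
        (size,) = struct.unpack_from(fmt, body, off + 1)
        if off + 5 + size > len(body):
            raise GiopError(f"opcode {opcode} claims {size} bytes, only {len(body) - off - 5} left")
        yield opcode, body[off + 5:off + 5 + size]
        off += 5 + size


def handle_opcode8_vulnerable(data: bytes) -> bytes:
    """memmove(buf, data, OpcodeDataSize) with no bound: the slice assignment lets the
    bytearray grow, standing in for heap bytes past the 38-byte buffer being overwritten."""
    buf = bytearray(OPCODE_BUFFER_SIZE)
    buf[:len(data)] = data
    return bytes(buf)


def handle_opcode8_fixed(data: bytes) -> bytes:
    """Bounded copy: reject any OpcodeDataSize that does not fit the buffer."""
    if len(data) > OPCODE_BUFFER_SIZE:
        raise GiopError(f"opcode 8 data ({len(data)} bytes) exceeds {OPCODE_BUFFER_SIZE}-byte buffer")
    buf = bytearray(OPCODE_BUFFER_SIZE)
    buf[:len(data)] = data
    return bytes(buf)


def process_request(msg: bytes, fixed: bool) -> dict:
    """Parse a request and run each opcode; report whether opcode 8 overran its buffer."""
    hdr = parse_giop_header(msg)
    result = {"opcodes": [], "overflowed": False}
    for opcode, data in iter_opcodes(msg[GIOP_HEADER_LEN:], hdr["little_endian"]):
        result["opcodes"].append((opcode, len(data)))
        if opcode == VULNERABLE_OPCODE:
            out = handle_opcode8_fixed(data) if fixed else handle_opcode8_vulnerable(data)
            result["overflowed"] |= len(out) > OPCODE_BUFFER_SIZE
    return result


def build_request(opcodes, little: bool = True) -> bytes:
    """Constructed GIOP 1.1 Request (message type 0) carrying the given (opcode, data)
    list; the request-header fields the report mentions (object key, operation) are omitted."""
    fmt = "<I" if little else ">I"
    body = b"".join(bytes([op]) + struct.pack(fmt, len(d)) + d for op, d in opcodes)
    return GIOP_MAGIC + bytes([1, 1, 1 if little else 0, 0]) + struct.pack(fmt, len(body)) + body


if __name__ == "__main__":
    benign = build_request([(8, b"A" * 20)])
    crafted = build_request([(1, b"\x00"), (8, b"B" * 64)])   # OpcodeDataSize 64 > 38
    print("benign :", process_request(benign, fixed=False))
    print("crafted:", process_request(crafted, fixed=False))
    try:
        process_request(crafted, fixed=True)
    except GiopError as exc:
        print("crafted (fixed):", exc)
```

  The header check alone (message size must equal the body length) does not help here: the crafted request is internally consistent, and the only defence is bounding OpcodeDataSize against the destination buffer before the copy.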

Triggering the Problem:

  • The target host must have the vulnerable version of the software installed and running.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a crafted GIOP request message to the ODBC Server. The GIOP message contains an overly large OpcodeDataSize value.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • GIOP
    • IIOP
    • TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 3466 Adobe ColdFusion GIOP Heap Buffer Overflow

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Filtering network traffic using the signature above.
    • Blocking the affected ports from external network access if they are not required.
    • Updating to a non-vulnerable version of the product by applying the vendor provided patch.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Control Web Panel Remote Code Execution

Control Web Panel (CWP), formerly CentOS Web Panel, is a web hosting control panel, available in free and PRO editions, for managing a server and its hosting clients.
Control Web Panel 7 versions prior to 0.9.8.1147 suffer from an unauthenticated remote code execution vulnerability.

Remote Code Execution vulnerability
A remote code execution (RCE) vulnerability is a type of software vulnerability that allows an attacker to execute arbitrary code on a targeted system or device. This can be done by exploiting a flaw in the software or by injecting malicious code into the system via a network connection or other means. RCE vulnerabilities are considered to be particularly severe because they can allow an attacker to gain complete control over a targeted system or device.
Unauthenticated Remote Code Execution (RCE) is a type of vulnerability that allows an attacker to execute arbitrary code on a target system or device without the need for any authentication or authorization. This means that the attacker does not need to provide any valid credentials or have any previous access to the system in order to exploit the vulnerability.

Control Web Panel Remote Code Execution | CVE-2022-44877
Unauthenticated RCE exists in Control Web Panel.
login/index.php in Control Web Panel( or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.

Following is an example of exploit :

Decoding base64 gives us following code :

The code is a command line that runs a Python script. The script creates a socket connection to an attacker-controlled IP address and port number specified within the script. Once the connection is established, the script uses the os.dup2 function to redirect standard input, output and error to the socket. This allows the script to run a shell command, in this case “sh”, and receive input, output and error through the socket connection. The pty.spawn function is then used to spawn a new process in the connected shell.
The “login=$(echo …” portion uses shell command substitution: the variable “login” is set to the output of the command inside $( ). Within it, “echo” emits the base64-encoded text that contains the Python script, that text is piped to “base64 -d”, which decodes it, and the decoded output is piped to “bash”, which executes it. Because login/index.php passes the login parameter to a shell without sanitizing it, the substitution runs on the server.
Overall, the attacker is attempting to open a reverse shell connection to the IP address and port specified in the Python script.
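The following is an added example, not code from the SonicWall post, showing how a defender could flag CWP login requests that carry shell metacharacters in the login parameter described above. The log format, the sample request targets and the base64 blob are constructed for illustration.

```python
import re
from typing import List
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that have no place in a username: command
# substitution, backticks, pipes, command separators and redirects.
SHELL_META = re.compile(r"\$\(|\$\{|`|\||;|&|<|>|\r|\n")

# Path of the vulnerable endpoint named in the advisory.
LOGIN_PATH = "/login/index.php"


def login_values(request_target: str) -> List[str]:
    """Return the percent-decoded value(s) of the `login` query parameter
    for requests to login/index.php; [] for any other path."""
    parts = urlsplit(request_target)
    if not parts.path.endswith(LOGIN_PATH):
        return []
    return parse_qs(parts.query, keep_blank_values=True).get("login", [])


def is_suspicious(request_target: str) -> bool:
    """True when a CWP login request carries shell metacharacters in `login`."""
    return any(SHELL_META.search(v) for v in login_values(request_target))


def scan(targets: List[str]) -> List[str]:
    """Filter a batch of request targets down to the suspicious ones."""
    return [t for t in targets if is_suspicious(t)]


# Constructed sample request targets (method and HTTP version stripped),
# as a reverse proxy or WAF might log them. The base64 blob is inert text.
SAMPLE_TARGETS = [
    "/login/index.php?login=admin",
    "/login/index.php?login=user.name%40example.com",
    "/login/index.php?login=$(echo%20QUJD%20|%20base64%20-d%20|%20bash)",
    "/login/index.php?login=%60placeholder%60",
    "/login/index.php?login=a%3Bplaceholder",
    "/index.php?login=$(placeholder)",  # different path: not in scope here
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TARGETS):
        print("suspicious login parameter:", hit)
```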

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 18864: Control Web Panel 7 RCE

Control Web Panel has patched this vulnerability.

Threat Graph

GPcode ransomware leaves victims stranded

The SonicWall Capture Labs threat research team has been tracking a well-established ransomware family known as GPcode.  GPcode ransomware is typically spread through email attachments or social engineering techniques, such as disguising the malware as a legitimate software update.  Once the malware is run on a victim’s machine, it encrypts files using strong encryption, specifically RSA-1024 and AES-256, which makes it impossible to decrypt the files without the decryption key.  GPcode has been active since 2005 and was nicknamed the “$20 ransomware”.  It is considered one of the first examples of ransomware and is still being seen in the wild today.  However, the GPcode malware authors do not have a track record of providing decryption keys after a ransom is paid, and in this case they are uncontactable.


Infection Cycle:

 

Upon infection, files on the system are encrypted.  Each encrypted file is given a “.ENCODED” file extension.  The following image is displayed on the desktop background:

 

The following message is displayed using Notepad:

 

During runtime, the malware writes ntfs_system.bat and executes it:

 

ntfs_system.bat contains the following script.  This is used to delete the original malware file:

REM delete the original malware executable
del "{malware file path}"
REM delete this batch file itself
del %0

 

The malware can be seen writing the ransom note file to the desktop:

 

We tried reaching out to the email address provided in the ransom note but the email bounced:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Gpcode.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for January 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-21552 Windows GDI Elevation of Privilege Vulnerability
ASPY 392: Malicious-exe exe.MP_294

CVE-2023-21674 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
ASPY 393: Malicious-exe exe.MP_295

CVE-2023-21768 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ASPY 396: Malicious-exe exe.MP_296

Adobe Coverage:
CVE-2023-21604 Acrobat Reader Buffer Overflow
ASPY 397: Malformed-File pdf.MP_563

CVE-2023-21605 Acrobat Reader Buffer Overflow
ASPY 398: Malformed-File pdf.MP_564

CVE-2023-21581 Acrobat Reader Out-of-bounds Read
ASPY 399: Malformed-File pdf.MP_565

The following vulnerabilities do not have exploits in the wild:
CVE-2023-21524 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21525 Windows Encrypting File System (EFS) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21527 Windows iSCSI Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21531 Azure Service Fabric Container Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21532 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21535 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21536 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21537 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21538 .NET Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21539 Windows Authentication Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21540 Windows Cryptographic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21541 Windows Task Scheduler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21542 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21543 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21546 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21547 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21548 Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21549 Windows Workstation Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21550 Windows Cryptographic Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21551 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21555 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21556 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21557 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21558 Windows Error Reporting Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21559 Windows Cryptographic Services Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21560 Windows Boot Manager Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21561 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21563 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21675 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21676 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21677 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21678 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21679 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21680 Windows Win32k Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21681 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21682 Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21683 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21724 Microsoft DWM Core Library Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21725 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21726 Windows Credential Manager User Interface Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21727 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21728 Windows Netlogon Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21729 Remote Procedure Call Runtime Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21730 Windows Cryptographic Services Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21732 Microsoft ODBC Driver Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21733 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21734 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21735 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21736 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21737 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21738 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21739 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21741 Microsoft Office Visio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21742 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21743 Microsoft SharePoint Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21744 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21745 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21746 Windows NTLM Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21747 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21748 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21749 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21750 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21752 Windows Backup Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21753 Event Tracing for Windows Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21754 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21755 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21757 Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21758 Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-21759 Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-21760 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21761 Microsoft Exchange Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21762 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-21763 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21764 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21765 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21766 Windows Overlay Filter Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21767 Windows Overlay Filter Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21771 Windows Local Session Manager (LSM) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21772 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21773 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21774 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-21776 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-21779 Visual Studio Code Remote Code Execution
There are no known exploits in the wild.
CVE-2023-21780 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21781 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21782 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21783 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21784 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21785 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21786 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21787 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21788 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21789 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21790 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21791 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21792 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-21793 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.

daloRADIUS Web Management RCE

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, a billing engine and integrates with GoogleMaps for geo-locating.

  A remote code execution vulnerability has been reported for daloRADIUS. The vulnerability is due to improper sanitization of user-controlled input during the update configuration process.

  A remote, authenticated attacker can exploit this vulnerability by initiating a POST request to the target server. Successful exploitation could result in the execution of arbitrary commands in the security context of the daloRADIUS service on the target server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0048.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is not defined.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  An input sanitization vulnerability exists in daloRADIUS due to insufficient validation of the POST request parameter “config_mail_smtp_fromemail”. An HTTP POST request is sent to /config_mail.php with a custom value assigned to “config_mail_smtp_fromemail”. The variables in $_REQUEST are provided to the script via the POST input mechanisms; they can therefore be modified by the remote user and cannot be trusted:

  

  fwrite() writes the contents of data to the file stream pointed to by $fp and $var:

  

  Injected Data:

  

  Executed Code For “config-mail.php”:

  

  The attacker attains RCE, modifies the server configuration, and elevates permissions (read, modify, delete and add files).
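The following is an added example, not daloRADIUS code or code from the SonicWall post, contrasting the flawed pattern described above (a request value spliced verbatim into a PHP configuration file) with a hardened writer that allow-lists the e-mail address and emits it as a properly quoted PHP literal. The exact assignment line format is an assumption for illustration, and the two inputs are constructed.

```python
import re
from typing import Optional

# Conservative e-mail shape: a bounded local part and dotted domain labels
# drawn from a fixed alphabet. Anything else is rejected before it is
# written anywhere. Deliberately tighter than RFC 5322.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")

KEY = "config_mail_smtp_fromemail"


def render_vulnerable(value: str) -> str:
    """Mirror the flaw (assumed line format): the request value is spliced
    into PHP source as-is, so a quote in it closes the literal early."""
    return f"$configValues['{KEY}'] = '{value}';\n"


def php_single_quoted(value: str) -> str:
    """Encode a string as a PHP single-quoted literal. Inside single quotes
    only backslash and the quote itself are special, so escape those two."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_hardened(value: str) -> Optional[str]:
    """Allow-list the value first, then quote it properly. Returns None when
    the value is rejected; the caller should report an error, not write."""
    if not EMAIL_RE.fullmatch(value):
        return None
    return f"$configValues['{KEY}'] = {php_single_quoted(value)};\n"


def is_single_assignment(line: str) -> bool:
    """Sanity check on a written line: exactly one assignment of exactly
    one well-formed single-quoted literal and nothing after it."""
    pattern = r"\$configValues\['[a-z_]+'\] = '(?:[^'\\]|\\.)*';\n"
    return re.fullmatch(pattern, line) is not None


# Constructed inputs: a normal address, and one shaped to close the PHP
# string early and append a second (harmless) statement.
GOOD = "noreply@example.com"
BAD = "x@example.com'; echo 'injected"


def compare() -> dict:
    """Run both writers over both inputs and summarise the outcome."""
    return {
        "vulnerable_good_clean": is_single_assignment(render_vulnerable(GOOD)),
        "vulnerable_bad_clean": is_single_assignment(render_vulnerable(BAD)),
        "hardened_bad_rejected": render_hardened(BAD) is None,
        "hardened_good_clean": is_single_assignment(render_hardened(GOOD) or ""),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {ok}")
```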

Triggering the Problem:

  • The target must have the vulnerable software installed.
  • The attacker must have network connectivity to the target server.
  • The attacker must have access to the “config_mail_smtp_fromemail” variable.

Triggering Conditions:

  The attacker sends an HTTP POST request with a malicious “config_mail_smtp_fromemail” parameter. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  Example Post Request:
  
  Example Post Response:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 18863 daloRADIUS Mail Settings RCE

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory