WSO2 API Manager RCE Vulnerability

Overview:

  WSO2 offers a platform of middleware products for agile integration, application programming interface (API) management, identity and access management, and smart analytics.

  A directory traversal vulnerability has been reported in WSO2 API Manager. The vulnerability is due to improper validation of file names.

  A remote attacker can exploit this vulnerability by sending a POST request to the target server containing a crafted “filename” and/or “name” parameter. Successful exploitation could result in a remote shell being written to an arbitrary location, leading to remote code execution under the security context of the user running the vulnerable application.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-29464.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  When an HTTP request is made to the “/fileupload” endpoint, the execute() method of CarbonXmlFileUploadExecHandler is triggered, which iterates over the actions defined in the XML. If a match is found, the executeGeneric() method of the associated executor class is triggered. In the case of ToolsAnyFileUploadExecutor, the implementation inherited from the parent class, AbstractFileUploadExecutor, is called. This method parses the parameters in the request by calling the parseRequest() method, and then uploads the file by calling the execute() method. The parseRequest() method reads the names and values of the files included in the request using the multipart/form-data encoding. Later, the execute() method iterates over the parsed files and, for each file, constructs a File object from the service upload directory and the name of the file parameter.

  However, the code fails to sanitize directory traversal patterns from the parameter name. This allows files to be created or written outside of the service upload directory, which amounts to an arbitrary file write and can lead to arbitrary code execution. For example, an attacker can upload an arbitrary JSP file to the webapps directory of the Tomcat server that implements the web-based interface. That JSP file can then be accessed via the web-based interface, leading to arbitrary Java code execution.
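  The following Python snippet is an added illustration of the defect described above; it is not WSO2's code (which is Java) and its directory and file names are constructed for the example. It contrasts the flawed pattern, joining a client-supplied multipart file name straight onto the upload directory, with a hardened version that keeps only the last path component and then checks containment on the canonical path, which is the check a reviewer would expect to see in execute().

```python
import os
import tempfile


def vulnerable_target_path(upload_dir: str, file_name: str) -> str:
    """The flawed pattern: the client-supplied multipart file name is joined
    onto the upload directory with no traversal check, so '..' segments in
    the name walk out of the directory."""
    return os.path.join(upload_dir, file_name)


def safe_target_path(upload_dir: str, file_name: str) -> str:
    """Hardened form: discard any directory component the client sent, then
    confirm the resolved destination is still inside the upload directory."""
    # Normalise both separator styles and keep only the last path component.
    base_name = file_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base_name in ("", ".", ".."):
        raise ValueError("invalid file name: %r" % file_name)
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, base_name))
    # Containment check on canonical paths, not on the raw string.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes upload directory: %r" % file_name)
    return candidate


def escapes_upload_dir(upload_dir: str, file_name: str) -> bool:
    """Detection helper: would the unsanitised join land outside upload_dir?"""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(vulnerable_target_path(root, file_name))
    return os.path.commonpath([root, target]) != root


def demo() -> dict:
    """Run both helpers over constructed file names against a throwaway
    directory and return {name: (escapes, sanitised_relative_name_or_None)}."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="upload-"))
    # Constructed inputs: one benign name, two traversal attempts, one edge case.
    names = ["report.pdf", "../../webapps/x.jsp", "sub/dir/../../../x.jsp", ".."]
    results = {}
    try:
        for name in names:
            try:
                kept = os.path.relpath(safe_target_path(root, name), root)
            except ValueError:
                kept = None
            results[name] = (escapes_upload_dir(root, name), kept)
    finally:
        os.rmdir(root)
    return results


if __name__ == "__main__":
    for name, (escapes, kept) in demo().items():
        print("%-26s escapes=%-5s stored_as=%s" % (name, escapes, kept))
```

  The containment test is done after os.path.realpath on both sides so that a symlinked upload directory does not produce a false rejection, and the bare name ".." is refused outright rather than silently mapped to the directory itself.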

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 9837 Web Application Suspicious File Upload 2

  • IPS: 15759 WSO2 Products Unrestricted File Upload

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Updating to a non-vulnerable version or by applying the vendor supplied patch.
    • Filtering traffic based on the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

VMware Workspace ONE Access & Identity Manager (vIDM) RCE Vulnerability

Overview:

  VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products contain a remote code execution vulnerability due to server-side template injection. A remote, unauthenticated attacker can exploit this vulnerability by sending crafted requests to the server. If the injection is successful, the exploit results in remote code execution (RCE), which could lead to information disclosure, addition or modification of data, or denial-of-service conditions. VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-22954.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.8 (E:X/RL:X/RC:X), based on the following metrics:
    • The exploit code maturity level of this vulnerability is not defined.
    • The remediation level of this vulnerability is not defined.
    • The report confidence level of this vulnerability is not defined.

  CVSS Calculator Metrics

Technical Overview:

  SSTI (server-side template injection) attacks can occur whenever user input is concatenated directly into a template rather than being passed in as data. Attackers can then manipulate the template engine by injecting arbitrary template directives.

  An attacker can execute commands and reverse shell payloads that could result in remote code execution, granting complete control of the server.

  The URL encoded string given as a parameter to the “deviceUdid” argument is:

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.
  • The target must have network connectivity to the attacker controlled server.

Triggering Conditions:

  The vulnerability is triggered once the target receives and processes the maliciously crafted request shown below.

  Vulnerable Versions:
    VMware Workspace ONE Access Appliance – 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
    VMware Identity Manager Appliance – 3.3.6, 3.3.5, 3.3.4, 3.3.3

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • SSL/TLS

  Client GET Request Below:

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2642 VMware Workspace ONE Access Server Side Template Injection 1
  • IPS: 2649 VMware Workspace ONE Access Server Side Template Injection 2
  • IPS: 2651 VMware Workspace ONE Access Server Side Template Injection 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Detecting and blocking malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

"TargetCompany" ransomware directed at Carone & Company Inc.

The SonicWall Capture Labs threat research team has observed reports of ransomware which, in the antivirus community, goes by the name TargetCompany. The malware surfaced in June 2021. The current variant that we have obtained is aimed at infecting a construction management company called Carone & Company. Ransom payment and negotiation is initiated via a Tor site that is run by the attackers.

Infection Cycle:

Upon execution, files on the system are encrypted. Each encrypted file is given a “.carone” file extension.

The following command-line prompt appears during the file encryption process:

A file named “How to decrypt files.txt” is dropped into each directory containing encrypted files.

“How to decrypt files.txt” contains the following message:

The malware executable is not packed. It is written in C and is easy to decompile. Decompilation reveals that the following file types are targeted for encryption:

The following registry entries are deleted if they are present:

After encryption of files in the local file system, files on any attached storage shares are targeted:

The Tor link from the ransom message leads to the following page:

After filling out the form with the ID and email address, we were contacted via email:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: TargetCompany.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for April 2022

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of April 2022. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2022-24474 Windows Win32k Elevation of Privilege Vulnerability
ASPY 315: Malformed-File exe.MP_249

CVE-2022-24481 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 316: Malformed-File exe.MP_250

CVE-2022-24491 Windows Network File System Remote Code Execution Vulnerability
IPS 81080: Malformed RPC Portmapper Request 2

CVE-2022-24497 Windows Network File System Remote Code Execution Vulnerability
IPS 81090: Malformed RPC Portmapper Request 3

CVE-2022-24521 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 310: Malformed-File exe.MP_244

CVE-2022-24542 Windows Win32k Elevation of Privilege Vulnerability
ASPY 317: Malformed-File exe.MP_251

CVE-2022-24546 Windows DWM Core Library Elevation of Privilege Vulnerability
ASPY 313: Malformed-File exe.MP_247

CVE-2022-24547 Windows Digital Media Receiver Elevation of Privilege Vulnerability
ASPY 312: Malformed-File exe.MP_246

CVE-2022-26809 Remote Procedure Call Runtime Remote Code Execution Vulnerability
IPS 15757: RPC Microsoft RPC Runtime Remote Code Execution (CVE-2022-26809)

CVE-2022-26904 Windows User Profile Service Elevation of Privilege Vulnerability
ASPY 314: Malformed-File exe.MP_248

CVE-2022-26914 Win32k Elevation of Privilege Vulnerability
ASPY 311: Malformed-File exe.MP_245

Adobe Coverage:
CVE-2022-28244 Acrobat Reader Arbitrary code execution
ASPY 318: Malformed-File pdf.MP_523
CVE-2022-27799 Acrobat Reader Arbitrary code execution
ASPY 319: Malformed-File pdf.MP_524
CVE-2022-24102 Acrobat Reader Arbitrary code execution
ASPY 320: Malformed-File pdf.MP_525

The following vulnerabilities do not have exploits in the wild:
CVE-2022-21983 Win32 Stream Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22008 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-22009 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23257 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23259 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-23268 Windows Hyper-V Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-23292 Microsoft Power BI Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24472 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24473 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24475 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24479 Connected User Experiences and Telemetry Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24482 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24483 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24484 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24485 Win32 File Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24486 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24487 Windows Local Security Authority (LSA) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24488 Windows Desktop Bridge Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24489 Cluster Client Failover (CCF) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24490 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24492 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24493 Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24494 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24495 Windows Direct Show – Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24496 Local Security Authority (LSA) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24498 Windows iSCSI Target Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24499 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24500 Windows SMB Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24513 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24523 Microsoft Edge (Chromium-based) Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-24527 Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24528 Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24530 Windows Installer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24532 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24533 Remote Desktop Protocol Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24534 Win32 Stream Enumeration Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24536 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24537 Windows Hyper-V Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24538 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24539 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-24540 Windows ALPC Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24541 Windows Server Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24543 Windows Upgrade Assistant Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24544 Windows Kerberos Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24545 Windows Kerberos Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-24548 Microsoft Defender Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-24549 Windows AppX Package Manager Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24550 Windows Telephony Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-24765 GitHub: Uncontrolled search for the Git directory in Git for Windows
There are no known exploits in the wild.
CVE-2022-24767 GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account
There are no known exploits in the wild.
CVE-2022-26783 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26784 Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26785 Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26786 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26787 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26788 PowerShell Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26789 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26790 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26791 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26792 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26793 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26794 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26795 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26796 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26797 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26798 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26801 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26802 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26803 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26807 Windows Work Folder Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26808 Windows File Explorer Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26810 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26811 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26812 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26813 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26814 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26815 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26816 Windows DNS Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26817 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26818 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26819 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26820 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26821 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26822 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26823 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26824 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26825 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26826 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26827 Windows File Server Resource Management Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26828 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26829 Windows DNS Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26830 DiskUsage.exe Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26831 Windows LDAP Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26832 .NET Framework Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26891 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26894 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26895 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26896 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26897 Azure Site Recovery Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26898 Azure Site Recovery Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26900 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26901 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26903 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26907 Azure SDK for .NET Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26908 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26909 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26910 Skype for Business and Lync Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2022-26911 Skype for Business Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26912 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26915 Windows Secure Channel Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2022-26916 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26917 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26918 Windows Fax Compose Form Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26919 Windows LDAP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2022-26920 Windows Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2022-26921 Visual Studio Code Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2022-26924 YARP Denial of Service Vulnerability
There are no known exploits in the wild.

D-Link DIR-806 Devices Command Injection

D-Link Corporation is a multinational networking equipment manufacturer headquartered in Taipei, Taiwan. D-Link’s products are geared towards the networking and communications market. Its business products include switches, surveillance network cameras, firewalls, iSCSI SANs and business wireless, while its consumer products cover consumer wireless devices, broadband devices, and Digital Home devices. The DIR-806 is a wireless AC750 dual-band router and access point.

An issue was discovered in D-Link DIR-806 devices. The function hnap_main contains a command injection flaw: it calls system() without checking a parameter that can be controlled by the user, which ultimately allows remote attackers to execute arbitrary shell commands via a specially crafted HTTP header.
While this vulnerability is a couple of years old, the SonicWall Capture Labs threat research team recently spotted attacks exploiting it in the wild.

Command Injection Vulnerability
The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

D-Link DIR-806 Devices Command Injection | CVE-2019-10891
A command injection vulnerability exists in D-Link routers.
The following are some exploits seen in the wild. The Home Network Administration Protocol (HNAP) allows querying and setting of configuration options on network devices. It is based on SOAP, so an attacker can send HTTP POST messages with a specially crafted SOAPAction header.

This header is used to download a malicious payload (in this case a wget.sh file) from an attacker-controlled server. The attacker then executes the malicious script on the vulnerable device.
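The snippet below is an added example, not D-Link firmware code (hnap_main is C), showing the two defender-side controls that close the gap described above: treat the SOAPAction header as an identifier to be validated against an allowlist and passed as an argv element, never as text spliced into a shell command line, and flag headers that carry shell metacharacters or do not fit the expected URI shape. The HNAP action names, the handler path /usr/sbin/hnap_handler and the sample headers are all constructed for the example; the "http://purenetworks.com/HNAP1/<Action>" shape is assumed.

```python
import re
from typing import List, Optional

# Constructed allowlist of HNAP actions the device is willing to run.
KNOWN_ACTIONS = {"GetDeviceSettings", "GetWLanRadios", "Reboot"}

# Assumed SOAPAction shape: a URI whose last segment names the action.
SOAPACTION_RE = re.compile(r"^http://purenetworks\.com/HNAP1/([A-Za-z0-9_]+)$")

# Characters that let a value escape a shell command line built by system().
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n\r\\']")

# Hypothetical handler binary used only to build an argv list.
HANDLER = "/usr/sbin/hnap_handler"


def vulnerable_dispatch(soapaction: str) -> str:
    """The flawed pattern: the raw header becomes part of a shell command
    string (mirrors an unchecked system() call). It is returned, not run,
    so the example stays side-effect free."""
    return HANDLER + " " + soapaction


def parse_action(soapaction: str) -> Optional[str]:
    """Strip the optional surrounding quotes and extract the action name only
    if the whole header matches the expected URI shape."""
    value = soapaction.strip().strip('"')
    match = SOAPACTION_RE.match(value)
    return match.group(1) if match else None


def is_suspicious(soapaction: str) -> bool:
    """Detection: wrong shape or shell metacharacters in the header."""
    return parse_action(soapaction) is None or bool(SHELL_META_RE.search(soapaction))


def safe_dispatch(soapaction: str) -> List[str]:
    """Hardened form: validate against the allowlist, then hand the action to
    the handler as a separate argv element (subprocess.run(argv, shell=False)
    in a real service) so no command interpreter ever sees the header."""
    action = parse_action(soapaction)
    if action is None or action not in KNOWN_ACTIONS:
        raise ValueError("rejected SOAPAction: %r" % soapaction)
    return [HANDLER, action]


def is_rejected(soapaction: str) -> bool:
    """Convenience wrapper reporting whether safe_dispatch refuses a header."""
    try:
        safe_dispatch(soapaction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed headers: one legitimate, one carrying a shell substitution.
    for header in ['"http://purenetworks.com/HNAP1/GetDeviceSettings"',
                   'http://purenetworks.com/HNAP1/GetDeviceSettings`echo INJECTED`']:
        print(repr(header), "suspicious=%s rejected=%s" % (is_suspicious(header), is_rejected(header)))
```

The allowlist match is the control that matters; the metacharacter scan is there for logging and IPS-style detection, which is also why it looks at the raw header rather than the parsed action.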

This vulnerability is patched.

SonicWall Capture Labs provides protection against this threat via the following signatures:

    • IPS 15501: D-Link DIR-806 Devices Command Injection
    • IPS 13635: D-Link Devices HNAP SOAPAction-Header Command Injection

IoCs
dcf241331018349c57d5636cc4076676727364178bf75fd5fc4003969e866b2a
6182e41e66eac130893d600836e6957dd28ffeded793a2b71aebd6ec947ca358
47b396259c4b24091e7bedb876bbac6658768cd6b70826322388d1bb1de33f11
bba1631d1891c9d62bd1a48d5b064ba1b1e65563b237c7bff4afbd049f2c5fa1

Threat graph

A GitHub repository exists for AndroSpy spyware for Android

The SonicWall Threats Research team identified a version of AndroSpy in the wild. Interestingly, a GitHub repository exists for this version of the malware. The repository was created a few months ago and appears to be fairly active.

Sample specifics

  • MD5: 1749d7830b1593fbe9eec1946002dee7
  • Application Name: Critical Device Settings
  • Package Name: com.kernel32.criticalprocess

This app requests a number of dangerous permissions; a few of them are listed below:

  • WRITE_EXTERNAL_STORAGE
  • READ_EXTERNAL_STORAGE
  • READ_CALL_LOG
  • WRITE_CALL_LOG
  • CAMERA
  • READ_SMS
  • ACCESS_FINE_LOCATION
  • RECORD_AUDIO
  • READ_CONTACTS
  • WRITE_CONTACTS
  • SEND_SMS
  • BIND_DEVICE_ADMIN
  • RECEIVE_SMS
  • WRITE_SMS
  • PROCESS_OUTGOING_CALLS
  • DELETE_PACKAGES
  • SYSTEM_ALERT_WINDOW
  • ACCESSIBILITYSERVICE

This version of AndroSpy boasts a number of functionalities; some of them are listed below:

  • Access camera
  • Access files
  • Live microphone
  • Keylogger
  • SMS manager
  • Shell terminal
  • Access contacts
  • Call Logs
  • Check installed apps
  • Live screen
  • Disable Google Play Protect

Similar threats

Searching for this app on VirusTotal showed a number of related apps, some with different names and icons:

This indicates that this threat is being used and propagated with malicious intent. As mentioned earlier, the attacker server and other configuration values can be viewed under resources>res>values>strings.

Additional observation

The GitHub repository shows a BTC wallet address for donations towards this project:

Overall, this is spyware that is available on GitHub as a framework. In some cases this spyware is being used as a legitimate application.

SonicWall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Androspy.GT

Indicators of Compromise:

  • 1749d7830b1593fbe9eec1946002dee7
  • 603b7c441289ff7a15d3a458add66f2d
  • 0e9d6812f7ed7f912fab2f74e143ea76
  • 4f48d7d1258d52db555e0aae4b5136d6
  • 93c0c8c706a219d4194110035898f36d

JAVA Spring Framework Spring4Shell RCE Vulnerability

Overview:

  A Spring MVC (Model-View-Controller) or Spring WebFlux (the reactive counterpart of Spring MVC, which supports non-blocking reactive streams) application running on JDK (Java Development Kit) 9+ may be vulnerable to Remote Code Execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat (Apache Tomcat as the Servlet container) as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

  .ear files: An enterprise archive (EAR) file is a compressed file that contains the libraries, enterprise beans, and JAR files that the application requires for deployment.

  .jar files: A .jar file contains libraries, resources and accessory files such as property files.

  .war files: A .war file contains a web application that can be deployed on any servlet/JSP container. It holds the JSP, HTML, JavaScript and other files that the web application needs.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-22965.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.8 (E:X/RL:X/RC:X), based on the following metrics:
    • The exploit code maturity level of this vulnerability is not defined.
    • The remediation level of this vulnerability is not defined.
    • The report confidence level of this vulnerability is not defined.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability is caused by the getCachedIntrospectionResults method of the Spring framework wrongly exposing the class object when binding member properties:

  Using an HTTP POST request such as the one below, the member object properties become reachable: the binding process (bindRequestParameters) in the Spring framework implementation calls the getCachedIntrospectionResults method to get and set the object property in the cache. This class object can be remotely controlled simply by submitting a payload as shown:

  The payload modifies the Tomcat log configuration and remotely uploads a JSP web shell (the payload, with headers):

  Sending the payload with curl, which places a file called tomcatwar.jsp into the webapps/ROOT directory:

  Accessing the newly placed tomcatwar.jsp on the server (reverse shell):

Triggering the Problem:

  • JDK 9 or higher.
  • Apache Tomcat as the Servlet container.
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.
  • Packaged and deployed as a WAR.

Triggering Conditions:

  The attacker sends a maliciously crafted request to the vulnerable server. The vulnerability is triggered when the members of the Tomcat log configuration object reached through class.module.classLoader.resources.context.parent.pipeline.first (pattern, suffix, directory, prefix and fileDateFormat) are overwritten by the payload above.
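  To make that property path concrete from the detection side, the following is an added Python example (not SonicWall's code and not the logic of the IPS signatures listed below). It scans URL-encoded request bodies or query strings for parameter names that bind through the class property, the path the page describes, and escalates the verdict when the five access-log valve members named above are being set through it. The sample requests, their ids and the verdict labels are constructed for the example; only the valve member names and the property path come from the page.

```python
"""Flag request parameters that bind through the 'class' property (CVE-2022-22965 pattern)."""
import re
from urllib.parse import parse_qsl

# A bean-property path that reaches the ClassLoader begins with a "class"/"Class"
# segment (e.g. class.module.classLoader...). The segment-boundary check keeps
# ordinary names such as "classification" clean.
CLASS_SEGMENT = re.compile(r"(^|\.)class(\.|\[|$)", re.IGNORECASE)
# Members of the Tomcat access-log valve that the advisory says the payload rewrites.
LOG_VALVE_MEMBERS = {"pattern", "suffix", "directory", "prefix", "fileDateFormat"}


def suspicious_params(encoded: str) -> list:
    """Return parameter names from a URL-encoded query string or form body that route through 'class'."""
    # parse_qsl percent-decodes names, so an encoded dot (%2E) is normalised before matching.
    return [name for name, _ in parse_qsl(encoded, keep_blank_values=True)
            if CLASS_SEGMENT.search(name)]


def classify(encoded: str) -> str:
    """Verdict for one request body: clean, generic class binding, or log-valve tampering."""
    hits = suspicious_params(encoded)
    if not hits:
        return "clean"
    if any("classLoader" in h and h.rsplit(".", 1)[-1] in LOG_VALVE_MEMBERS for h in hits):
        return "cve-2022-22965-log-valve-tamper"
    return "class-property-binding"


# Constructed sample entries (request id, path, URL-encoded body); not captured traffic.
VALVE = "class.module.classLoader.resources.context.parent.pipeline.first."
SAMPLE_REQUESTS = [
    ("req-1", "/account", "user=alice&email=alice%40example.com"),
    ("req-2", "/account",
     "user=bob"
     f"&{VALVE}pattern=%5Bredacted%5D"      # the real value would be the attacker's template
     f"&{VALVE}suffix=.jsp"
     f"&{VALVE}directory=webapps%2FROOT"
     f"&{VALVE}prefix=tomcatwar"
     f"&{VALVE}fileDateFormat="),
    ("req-3", "/account", "user=carol&order.class.name=Invoice"),   # class binding, no valve members
    ("req-4", "/account", "user=dave&classification=internal"),     # must not match
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (request id, verdict) pairs so the result can feed an alerting pipeline."""
    return [(req_id, classify(body)) for req_id, _path, body in requests]


if __name__ == "__main__":
    for req_id, verdict in scan():
        print(req_id, verdict)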

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2609 JAVA Spring Framework Command Injection (Spring4Shell)
  • IPS: 13431 JAVA Spring Framework Remote Code Execution (Spring4Shell) 2
  • IPS: 13432 JAVA Spring Framework Remote Code Execution (Spring4Shell) G-1
  • IPS: 13443 JAVA Spring Framework Remote Code Execution (Spring4Shell) G-2
  • IPS: 13444 JAVA Spring Framework Remote Code Execution (Spring4Shell) IOC

  Please note that if your web service/server is accessible over HTTPS, enabling Server DPI-SSL is necessary for the above signatures to detect exploits targeting this vulnerability.

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Detecting and blocking malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Ransomware not asking for payment but asks the victim to help the needy

This week the SonicWall Capture Labs Research team analyzed a ransomware sample that is rather unconventional. After encrypting the victim’s files, it does not demand payment but instead asks the victim to carry out certain tasks, submit a video and a photo as proof, and post the whole experience to social media.

Infection cycle:

This ransomware arrives as a typical Windows executable using the following icons and file properties.

Once executed, it spawns cmd.exe to carry out most of its functionality.

It creates a hidden directory and drops all the related files in the /Users/Public/Windows/Ui folder.

Upon successful encryption of the targeted files, it runs a batch file named “launch.bat”, which launches the Chrome browser in incognito mode to display an HTML file with details on what to do to get your files back.

It is a rather long list of demands; the following screenshots show the entire HTML page as you scroll down the instructions on how to retrieve your encrypted files.

Traditional ransomware encrypts the victim’s data and demands a ransom, typically in cryptocurrency, in exchange for decrypting the files. Goodwill ransomware instead asks the victim to carry out tasks that help the community and show kindness. Victims need to complete three tasks: provide clothes to the homeless, feed hungry children and pay the hospital bill of someone in need, all while documenting the events in videos and photos. Upon completing all three tasks, it also wants the victim to post the experience on their social media accounts.

Interestingly, it asks the victim to send the video, photos and link to the social media post to an email address on the “itorizin.in” domain. Itorizin appears to be a security company based in India, and its affiliation with this ransomware is unclear.

This ransomware uses AES encryption and encrypts only .pdf and .txt files.

Encrypted files will have the .gdwill file extension.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV:Goodwill.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

OpenSSL Elliptic Curve Public Key Denial of Service

Overview:

  A denial-of-service vulnerability has been reported in the OpenSSL library. The vulnerability is due to insufficient validation in the BN_mod_sqrt() function.

  A remote attacker could exploit the vulnerability by sending crafted packets to an OpenSSL server or any application using OpenSSL libraries. Successful exploitation could result in denial of service conditions on the affected service.

  This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.
    • Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1).
    • Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m).
    • Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-0778.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.1 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C).

  Base 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P):
    • Access vector is NETWORK
    • Access complexity is LOW
    • Level of authentication required is NONE
    • Impact of this vulnerability on data confidentiality is NONE
    • Impact of this vulnerability on data integrity is NONE
    • Impact of this vulnerability on data availability is COMPLETE
  Temporal 3.7 (E:POC/RL:OF/RC:C):
    • The exploitability level of this vulnerability is PROOF OF CONCEPT
    • The remediation level of this vulnerability is OFFICIAL FIX
    • The report confidence level of this vulnerability is CONFIRMED

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability lies in the BN_mod_sqrt() function, which computes a modular square root and expects its parameter p to be a prime number. The function does not verify this, and a non-prime p can send it into an infinite loop. The function is used when parsing certificates in the following cases:

  • When the certificate contains an elliptic curve public key in compressed format.
  • When the certificate carries explicit elliptic curve parameters whose base point is encoded in compressed format.

  In short, this function is called whenever point coordinates need to be decompressed while parsing the certificate, so an external party can trigger the infinite loop with a crafted certificate carrying invalid explicit curve parameters, causing a denial of service.
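  As an added illustration of the failure mode (a simplified reimplementation in Python, not OpenSSL's code): a Tonelli-Shanks modular square root in which every loop whose termination relies on p being prime carries an explicit bound, so a composite modulus produces an error instead of a hang. The non-residue search cap of 100 is an assumed value for the example. The p = 85 case shows why the prime check matters: 16 is a genuine square modulo 85 (4 squared), yet the prime-field invariants the algorithm depends on break part-way through, which is exactly the situation in which a loop written for a prime field has no guarantee of terminating.

```python
"""Bounded Tonelli-Shanks modular square root (simplified example, not OpenSSL's BN_mod_sqrt)."""

NONRESIDUE_SEARCH_LIMIT = 100  # assumed cap for the example; a real library also caps this search


def mod_sqrt(a: int, p: int) -> int:
    """Return r with r*r == a (mod p) for an odd prime p.

    Every loop that only terminates because p is prime is given an explicit
    bound, so a composite p (e.g. from a certificate with bogus explicit curve
    parameters) raises ValueError instead of spinning forever.
    """
    if p < 3 or p % 2 == 0:
        raise ValueError("modulus must be an odd prime")
    a %= p
    if a == 0:
        return 0
    # Euler's criterion: a quadratic residue satisfies a^((p-1)/2) == 1 (mod p).
    if pow(a, (p - 1) // 2, p) != 1:
        raise ValueError("a is not a square modulo p (or p is not prime)")
    # Write p - 1 = q * 2^e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q //= 2
        e += 1
    # Find a quadratic non-residue z. For a prime p this ends quickly; for a
    # composite p one may not exist at all, so the search is capped.
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z > NONRESIDUE_SEARCH_LIMIT:
            raise ValueError("no quadratic non-residue found: p is not prime")
    m, c = e, pow(z, q, p)
    t, r = pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # Find the least i with 0 < i < m and t^(2^i) == 1. For prime p such an i
        # always exists; the bound i < m is the check that turns a hang into an error.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                raise ValueError("t has no power-of-two order below 2^m: p is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m = i
        c = b * b % p
        t = t * c % p
        r = r * b % p
    return r


def mod_sqrt_checked(a: int, p: int):
    """Wrapper returning (True, root) or (False, reason) instead of raising."""
    try:
        return True, mod_sqrt(a, p)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(mod_sqrt_checked(10, 13))  # prime modulus: a root of 10
    print(mod_sqrt_checked(16, 85))  # composite modulus: 16 = 4^2, but the invariants fail -> error
    print(mod_sqrt_checked(19, 45))  # composite modulus with no non-residue -> error
```

  The three guards map onto three distinct ways a non-prime modulus can break the algorithm: Euler's criterion can fail, the non-residue search can run without end, and the inner order-finding loop can fail to reach 1. Only the last two are loops, and only bounding them prevents a denial of service when the input cannot be trusted.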

Triggering the Problem:

  • Parsing certificates that contain elliptic curve public keys in compressed form.
  • Explicit elliptic curve parameters with a base point encoded in compressed form.
  • Crafting a certificate that has invalid explicit curve parameters.
  • Parsing crafted private keys as they can contain explicit elliptic curve parameters.

Triggering Conditions:

  • TLS clients consuming server certificates.
  • TLS servers consuming client certificates.
  • Hosting providers taking certificates or private keys from customers.
  • Certificate Authorities parsing certification requests from subscribers.
  • Anything else which parses ASN.1 elliptic curve parameters.
  • Applications that call BN_mod_sqrt() directly on parameter values an attacker controls.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SSL/TLS, OpenSSL



SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15407 OpenSSL BN_mod_sqrt Function DoS 1
  • IPS: 15491 OpenSSL BN_mod_sqrt Function DoS 2
  • IPS: 15351 OpenSSL BN_mod_sqrt Function DoS 3
  • IPS: 15755 OpenSSL BN_mod_sqrt Function DoS 4

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Apply the IPS signatures above.
    • Apply the vendor-supplied patch that eliminates this vulnerability.
    • Remove write permissions for untrusted users.
  The vendor has released the following code changes regarding this vulnerability:
  Vendor Code Change

Caddywiper hits Ukrainian networks. Wipes data and renders machines unbootable

As the war between Russia and Ukraine rages on, the conflict has extended into the cyber domain. In mid-February, the Security Service of Ukraine reported that the country was the target of an ongoing “wave of hybrid warfare” initiated by Russian malicious actors. Caddywiper is one of at least three wiper malware families reported to have been detected on Ukrainian systems. Unlike ransomware, which encrypts files and demands payment for file recovery, this malware indiscriminately wipes anything it can on the system as fast as possible and renders it unusable.

Infection Cycle:

The malware uses DsRoleGetPrimaryDomainInformation to check whether the infected machine is a domain controller. If it is, the malware exits without modifying the system. This check enables the attackers to keep traversing the network in order to infect more machines:

During the wiping process, the malware iterates through files on the system and replaces their contents with null bytes:
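For responders who need to confirm this behaviour on a mounted volume or a disk image, here is an added Python triage helper (not from the page and not a vendor tool) that walks a directory tree and lists regular files whose entire content is null bytes. The sample tree it builds in a temporary directory is constructed for the example. Empty files and partially zeroed files are deliberately not reported, since both occur legitimately.

```python
"""IR triage helper: list files whose entire content has been replaced with null bytes."""
import os
import tempfile
from pathlib import Path


def is_null_filled(path: Path, chunk_size: int = 1 << 16) -> bool:
    """True if the file is non-empty and consists solely of 0x00 bytes (read in chunks)."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        while chunk := fh.read(chunk_size):
            if chunk.count(0) != len(chunk):
                return False
    return True


def find_wiped_files(root: str) -> list:
    """Walk root and return sorted POSIX-style relative paths of null-filled regular files."""
    root_path = Path(root)
    wiped = []
    for dirpath, _dirs, filenames in os.walk(root_path):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if path.is_symlink() or not path.is_file():
                    continue  # symlinks and special files are not evidence of wiping
                if is_null_filled(path):
                    wiped.append(path.relative_to(root_path).as_posix())
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(wiped)


def build_sample_tree() -> str:
    """Create a constructed directory tree mixing intact and 'wiped' files; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="wiper-triage-"))
    samples = {
        "docs/notes.txt": b"quarterly notes, untouched\n",
        "docs/report.docx": b"\x00" * 4096,           # fully overwritten
        "logs/app.log": b"\x00" * 70000,              # larger than one read chunk
        "img/photo.png": b"\x89PNG" + b"\x00" * 100,  # mixed content: not a wipe
        "tmp/empty.dat": b"",                         # empty files are ignored
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in find_wiped_files(sample_root):
        print("null-filled:", rel)
```

Run it against a read-only mount of the affected volume; the list of null-filled files, combined with their modification timestamps, gives a quick picture of how far the wipe progressed before the system went down.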

The physical drive is the final target and is overwritten with null bytes. This renders the machine unbootable:

Critical system files are overwritten during the wiping process. When this happens, the machine immediately shuts down and drops to a shell prompt:

After reboot, the following message is displayed during the boot process. The system is unable to boot:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Caddywiper.A (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.