Posts

Buffalo routers path traversal vulnerability

SonicWall Capture Labs threat research team observed attacks exploiting a vulnerability in Buffalo routers.

Buffalo builds storage, networking, and other technology-related solutions. Its network attached storage (NAS) devices, many with scale-as-you-go options, ship with pre-tested hard drives, removing the hassle of sourcing and testing drives. Buffalo also builds wireless routers, high-speed open-source dual-band devices intended for creating a high-speed 11ac wireless home network. A path traversal vulnerability exists in the web interface of certain firmware versions of these routers.

Vulnerability | CVE-2021-20090

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash sequences. A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication. Successful exploitation of this vulnerability could allow an attacker to access pages that would otherwise require authentication. An unauthenticated attacker could gain access to sensitive information, including valid request tokens, which could be used to make requests to alter router settings.

The vulnerability exists due to a list of folders which fall under a “bypass list” for authentication. One such folder is images. The exploit looks like this:

The attacker is able to bypass authentication through path traversal. The attacker uses a POST request to access and modify the configuration of the attacked device, then downloads and executes a malicious script from an attacker-controlled server.
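The bypass list described above fails in the usual way: the unauthenticated-folder check is applied to the raw request path, so a path that begins with the public folder and then climbs out of it with dot-dot-slash segments is served without a login. The following Python is an added example (not firmware code and not from the original post) showing the failing prefix check beside a check that canonicalizes the path first; the tuple of public folders and the page name `/protected.html` are assumptions constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Folders on the authentication "bypass list" described above. The post names
# "images"; the tuple itself is constructed for this example.
BYPASS_PREFIXES = ("/images/",)


def naive_is_public(raw_path: str) -> bool:
    """The pattern that fails: the bypass list is matched against the raw
    request path, so anything that merely *starts* with /images/ is let through."""
    return raw_path.startswith(BYPASS_PREFIXES)


def canonical_path(raw_path: str) -> str:
    """Canonicalize before deciding policy: undo percent-encoding (repeatedly,
    so a double-encoded %252e%252e collapses as well) and resolve every '.' and
    '..' segment. posixpath.normpath clamps a leading '..' at '/'."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_is_public(raw_path: str) -> bool:
    """Apply the bypass list to the canonical path, not the raw one."""
    return canonical_path(raw_path).startswith(BYPASS_PREFIXES)


def requires_auth(raw_path: str) -> bool:
    """Decision the authentication filter should make for a request path."""
    return not hardened_is_public(raw_path)


if __name__ == "__main__":
    # "/protected.html" stands in for any page that should require a login.
    for p in ("/images/logo.png", "/images/../protected.html",
              "/images/%2e%2e/protected.html", "/images/%252e%252e/protected.html"):
        print(f"{p:40} naive_public={naive_is_public(p)!s:5} "
              f"hardened_public={hardened_is_public(p)!s:5} canonical={canonical_path(p)}")
```

The point for a defender is the ordering: decode and normalize, then apply the access policy to the result. Applying the policy to the request as received is what the bypass list on these routers effectively does.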

The following versions are vulnerable:

  • WSR-2533DHPL2 firmware version <= 1.02
  • WSR-2533DHP3 firmware version <= 1.24

The Vendor advisory is here.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15659: Buffalo Routers Configuration File Injection
  • GAV: Shell.LOL

Threat Graph

IoCs
212.192.241.87
054320be2622f7d62eb6d1b19ba119d0a81cb9336018d49d9f0647706442ae8f

Microsoft Security Bulletin Coverage for September 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-36963 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 214:Malformed-File exe.MP_199

CVE-2021-36955 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 221:Malformed-File exe.MP_203

CVE-2021-36975 Win32k Elevation of Privilege Vulnerability
ASPY 219:Malformed-File exe.MP_202

CVE-2021-38633 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 215:Malformed-File exe.MP_200

CVE-2021-38639 Win32k Elevation of Privilege Vulnerability
ASPY 216:Malformed-File exe.MP_201

CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability
GAV 25418:CVE-2021-40444_7
GAV 25417:CVE-2021-40444_6
GAV 25414:CVE-2021-40444_5
GAV 25413:CVE-2021-40444_4
GAV 25412:CVE-2021-40444_3
GAV 25390:CVE-2021-40444_2
GAV 25389:CVE-2021-40444_1
GAV 25387:CVE-2021-40444
GAV 25379:CVE-2021-40444.X
GAV 25378:CVE-2021-40444.AB
GAV 25377:CVE-2021-40444.C

Adobe Coverage:
CVE-2021-39836 Acrobat Reader Use After Free Vulnerability
ASPY 217:Malformed-File pdf.MP.490

CVE-2021-39843 Acrobat Reader Out-of-bounds Write Vulnerability
ASPY 218:Malformed-File pdf.MP.491

The following vulnerabilities do not have exploits in the wild:
CVE-2021-26434 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability
There are no known exploits in the wild.
CVE-2021-26436 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26437 Visual Studio Code Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-26439 Microsoft Edge for Android Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36930 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36954 Windows Bind Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36956 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36959 Windows Authenticode Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36960 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36961 Windows Installer Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-36962 Windows Installer Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36964 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36966 Windows Subsystem for Linux Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36967 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36969 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36972 Windows SMB Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36973 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36974 Windows SMB Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38624 Windows Key Storage Provider Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-38625 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38626 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38628 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38629 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38630 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-38634 Microsoft Windows Update Client Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38635 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38636 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38637 Windows Storage Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38641 Microsoft Edge for Android Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38642 Microsoft Edge for iOS Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38644 Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38646 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38650 Microsoft Office Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38651 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38652 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-38653 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38654 Microsoft Office Visio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38655 Microsoft Excel Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38656 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38657 Microsoft Office Graphics Component Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-38658 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38659 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38660 Microsoft Office Graphics Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38661 HEVC Video Extensions Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-38667 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-38669 Microsoft Edge (Chromium-based) Tampering Vulnerability
There are no known exploits in the wild.
CVE-2021-38671 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40440 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-40447 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-40448 Microsoft Accessibility Insights for Android Information Disclosure Vulnerability
There are no known exploits in the wild.

Atlassian Confluence and Data Center OGNL Injection Vulnerability

Overview:

  Atlassian Confluence is a collaboration platform written primarily in Java that runs on a bundled Apache Tomcat application server. Users can create content using spaces, pages, and blogs which other users can comment on and edit.

  An OGNL injection has been reported in the Webwork module of Atlassian Confluence Server and Data Center. The vulnerability is due to insufficient input validation leading to OGNL evaluation of user-supplied input.

  A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation can result in arbitrary code execution under the security context of the affected server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-26084.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.3 (E:F/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is functional.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Confluence uses the Webwork web application framework to map URLs to Java classes, creating what is known as an “action”. Action URLs end with the “.action” suffix and are defined in the xwork.xml file inside confluence “version”.jar (where “version” is the confluence version number) and in the atlassian-plugin.xml file within the JAR files of the included plugins. Each action entry contains at least a name attribute, defining the action name, a class attribute, defining the Java class implementing the action, and at least one result element which decides the Velocity template to render after the action is invoked based on the result of the action. Common return values from actions are “error”, “input”, and “success”, but any value may be used as long as there is a matching result element in the associated XWork XML. Action entries can contain a method attribute, which allows invocation of a specific method of the specified Java class. When no command is specified, the doDefault() method of the action class is called. The following is a sample action entry for the doenterpagevariables action:

  In the above example, the doEnter() method of the “com.atlassian.confluence.pages.actions.PageVariablesAction” class handles requests to “doenterpagevariables.action” and will return values such as “success”, “input”, or “error”, resulting in the appropriate velocity template being rendered.

  Confluence supports the use of Object Graph Navigational Language (OGNL) expressions to dynamically generate web page content from Velocity templates using the Webwork library. OGNL is a dynamic Expression Language (EL) with terse syntax for getting and setting properties of Java objects, list projections, and expressions. OGNL expressions contain strings combined together to form a navigation chain. The strings can be property names, method calls, array indices and so on. OGNL expressions are evaluated against the initial, or root context object supplied to the evaluator in the form of OGNL Context.

  The container object “com.opensymphony.webwork.views.jsp.ui.template.TemplateRenderingContext” is used to store objects needed to execute an Action. These objects include session identifiers, request parameters, spaceKey etc. TemplateRenderingContext also contains a com.opensymphony.xwork.util.OgnlValueStack object used to push and store objects against which dynamic Expression Languages (EL) are evaluated. When the EL compiler needs to resolve an expression, it searches down the stack starting with the latest object pushed into it. OGNL is the EL used by the Webwork library to render Velocity templates defined in Confluence, allowing access to Confluence objects exposed via the current context. For example, the $action variable returns the current Webwork action object.

  OGNL expressions in Velocity templates are parsed using the ognl.OgnlParser.expression() method. The expression is parsed into a series of tokens based on the input string. The ognl.JavaCharStream.readChar() method, called by the OGNL parser, evaluates Unicode escape characters in the form of “\uXXXX” where “XXXX” is the hexadecimal code of the Unicode character represented. Therefore, if an expression includes the character “\u0027”, the character is evaluated as a closing quote character (‘), escaping the context of evaluation as a string literal and allowing an arbitrary OGNL expression to be appended. If an OGNL expression is parsed in a Velocity template within single quotes and the expression’s value is obtained from user input without any sanitization, an arbitrary OGNL expression can be injected.

  An OGNL injection vulnerability exists in Atlassian Confluence. The vulnerability is due to insufficient validation of user input used to set variables evaluated in Velocity templates within single quotes. By including the “\u0027” character in user input, an attacker can escape the string literal and append an arbitrary OGNL expression.

  Before OGNL expressions are evaluated by Webwork, they are compared against a list of unsafe node types and variable names in the “com.opensymphony.webwork.util.SafeExpressionUtil.containsUnsafeExpression()” method. However, arbitrary Java objects can be instantiated without using any of the unsafe elements listed. For example, the following expression, executing an OS command, would be accepted as a safe expression by this method:
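The mechanism at the heart of the description above is escape processing that runs before validation: a value that contains no quote character at all becomes a quote once “\u0027” is evaluated. The following Python is an added example (not Confluence or OGNL code, and not from the original post) that reproduces the escape-evaluation step with a regex of its own, embeds a value in a single-quoted literal the way a template would, and contrasts a check on the raw characters with one that canonicalizes first. It models only the “\uXXXX” rule (Java also permits several “u” characters); it does not model Java's treatment of a backslash preceded by an odd number of other backslashes.

```python
import re

# Java's unicode-escape rule: a backslash, one or more 'u', then four hex
# digits. This mirrors the pre-processing the post attributes to
# ognl.JavaCharStream.readChar(); the regex is this example's own.
_UNICODE_ESCAPE = re.compile(r"\\u+([0-9A-Fa-f]{4})")


def decode_java_unicode_escapes(text: str) -> str:
    """Replace every \\uXXXX with the character it denotes: the step that turns
    the six characters \\u0027 into a single quote before the parser sees them."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def embed_in_single_quoted_literal(user_value: str) -> str:
    """How a template embeds an untrusted value as an OGNL string literal."""
    return "'" + user_value + "'"


def literal_is_intact(expression: str) -> bool:
    """True when, after escape processing, the value is still one string
    literal: exactly the two delimiting quotes. Any extra quote means the
    literal was closed early and the remainder parses as OGNL."""
    decoded = decode_java_unicode_escapes(expression)
    return decoded.startswith("'") and decoded.endswith("'") and decoded.count("'") == 2


def naive_reject(user_value: str) -> bool:
    """Validation on the raw characters: the encoded quote slips through."""
    return "'" in user_value


def hardened_reject(user_value: str) -> bool:
    """Canonicalize first, then validate. Backslashes are rejected too, since
    any remaining escape form would be interpreted downstream."""
    canonical = decode_java_unicode_escapes(user_value)
    return "'" in canonical or "\\" in canonical


if __name__ == "__main__":
    for value in ("plain text", "x\\u0027y", "x\\uu0027y"):
        print(f"{value!r:14} naive_reject={naive_reject(value)!s:5} "
              f"hardened_reject={hardened_reject(value)!s:5} "
              f"intact={literal_is_intact(embed_in_single_quoted_literal(value))}")
```

The generalization is the usual one for injection defences: validate the same representation the consumer will see. A filter that inspects the input before the parser's escape processing is checking a different string from the one that gets evaluated.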

  A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server. Successful exploitation can result in the execution of arbitrary code with the privileges of the server.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  An attacker connects to a target server and submits an HTTP request containing a malicious parameter to a vulnerable XWork action. The vulnerability is triggered when the target server processes the XWork action, resulting in the processing of the malicious request parameter.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 8090/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15673 Atlassian Confluence Server Webwork OGNL injection 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Upgrading the product to a non-vulnerable version.
    • Filtering attack traffic using the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory

Lockbit 2.0, the ransomware behind the Accenture breach

Lockbit ransomware has been around since 2019 but recently released an updated version called Lockbit 2.0. It is another ransomware-as-a-service (RaaS), a subscription-based model that lets affiliates use a full-featured, already developed ransomware application ready to carry out an attack. On their website, they boast that version 2.0 has the fastest encryption as well as the fastest upload of stolen data among many other popular ransomware families, while highlighting the many features of this ransomware.

Recently, there have been reports of targeted attacks, with Accenture being the latest prominent victim of this ransomware. When victims do not pay, Lockbit leaks their data to the public on its website.

Infection cycle:

Upon execution, the ransomware disables all running security programs and any other means that could permit system recovery. It spawns a cmd.exe to run the following commands:

  • vssadmin delete shadows /all /quiet
  • wmic SHADOWCOPY /nointeractive
  • wmic shadowcopy delete
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • wbadmin DELETE SYSTEMSTATEBACKUP
  • wbadmin delete catalog -quiet
  • wevtutil cl system
  • wevtutil cl security
  • wevtutil cl application
  • bcdedit /set {default} recoveryenabled No
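The command list above is what a detection engineer would key on: each command has legitimate administrative uses, but several of them spawned in quick succession from one cmd.exe is the recovery-inhibition burst this sample performs. The following Python is an added example (not SonicWall detection content and not from the original post) that classifies process-creation events against the commands listed and then correlates hits by host and parent PID. The log format and the log lines are constructed for the example; WS02 and WS03 carry benign look-alikes to show what is not flagged.

```python
import re
from collections import defaultdict

# Process-creation events constructed for this example (not real telemetry).
# Format: timestamp host= pid= ppid= cmdline="..."; WS01 reproduces the command
# sequence listed above, WS02 and WS03 are benign look-alikes.
SAMPLE_LOG = """\
2021-09-10T10:15:02Z host=WS01 pid=4212 ppid=3900 cmdline="vssadmin delete shadows /all /quiet"
2021-09-10T10:15:02Z host=WS01 pid=4216 ppid=3900 cmdline="wmic shadowcopy delete"
2021-09-10T10:15:03Z host=WS01 pid=4220 ppid=3900 cmdline="wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
2021-09-10T10:15:03Z host=WS01 pid=4224 ppid=3900 cmdline="wevtutil cl security"
2021-09-10T10:15:04Z host=WS01 pid=4230 ppid=3900 cmdline="bcdedit /set {default} recoveryenabled No"
2021-09-10T10:16:10Z host=WS02 pid=5100 ppid=5080 cmdline="wevtutil qe Application /c:5"
2021-09-10T10:17:00Z host=WS03 pid=6001 ppid=5999 cmdline="vssadmin list shadows"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'cmdline="(?P<cmdline>[^"]*)"$'
)

# One pattern per recovery-inhibition technique in the list above. Case-
# insensitive and whitespace-tolerant; the optional ".exe" covers full image
# names appearing in the command line.
PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+(systemstatebackup|catalog)", re.I),
    "event_log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\s+cl\s+(system|security|application)\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
}


def parse_line(line: str):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(cmdline: str):
    """Names of every technique the command line matches (usually 0 or 1)."""
    return [name for name, pat in PATTERNS.items() if pat.search(cmdline)]


def scan(log_text: str):
    """One hit per (event, technique) pair; benign lines produce nothing."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event:
            continue
        for category in classify(event["cmdline"]):
            hits.append({**event, "category": category})
    return hits


def correlate(hits, min_categories: int = 2):
    """Group hits by (host, parent pid): the post describes one cmd.exe spawning
    the whole sequence, so several distinct techniques under one parent is a far
    stronger signal than any single command, which admins also run legitimately."""
    by_parent = defaultdict(set)
    for h in hits:
        by_parent[(h["host"], h["ppid"])].add(h["category"])
    return {k: sorted(v) for k, v in by_parent.items() if len(v) >= min_categories}


if __name__ == "__main__":
    for key, cats in correlate(scan(SAMPLE_LOG)).items():
        print(f"host={key[0]} parent_pid={key[1]} techniques={cats}")
```

Correlating on the parent PID rather than alerting on each command keeps the rule quiet on a backup administrator's occasional `wbadmin delete catalog` while still firing within seconds on the burst shown in WS01's events.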

It then proceeds to encrypt the victim’s files. All encrypted files bear the lockbit icon and a .lockbit file extension.

It changes the wallpaper with instructions on how to recover the files as well as adding a text file in every directory where files have been encrypted.

On reboot, the victim cannot miss the ransom note, because the ransomware also adds a Run key in the registry that loads an .hta file containing the same instructions on how to get the victim’s files back.

  • Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Name: {2C5F9FCC-F266-43F6-BFD7-838DAE269E11}
  • Data: %Desktop%\Lockbit_Ransomware.hta

It then deletes itself, leaving no copy of the ransomware or its components on the victim machine.

On Lockbit’s website, there are quite a few victims whose data have already been leaked to the public while others still have some days left to submit payment before facing the same consequence.

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Lockbit.RSM_2 (Trojan)
  • GAV: Lockbit.RSM_3 (Trojan)
  • GAV: Lockbit.RSM_4 (Trojan)

This threat is also detected by SonicWall Capture ATP with Real-Time Deep Memory Inspection (RTDMI) and the Capture Client endpoint solutions.

Centreon hostGroupDependency.php SQL Injection Vulnerability

Overview:

  Centreon is an open source IT monitoring solution. The open source solution is the foundation for the Centreon EMS software suite, which offers additional licensed modules, and it includes integration tools for an IT Operations Management production environment.

  An SQL Injection vulnerability has been reported in the Centreon Web Application. The vulnerability is due to incorrect input validation in hostGroupDependency.php.

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution against the database on the target server.

CVE Reference:

  This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is high.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.2 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  A user with admin privileges can manage the notification settings for a host group on the “Configuration”->”Notification”->”Host Groups” page in the Centreon web interface. When clicking a host group on the web page, a request will be submitted to the “/centreon/main.get.php” endpoint as shown in an example below:

  

  In the request above, the parameter “p” contains a topology_page number (60408 in this example) which the Centreon application uses to locate the corresponding PHP file to handle the request. The mappings between topology_page numbers and their corresponding PHP files are defined in insertTopology.sql. For the topology_page number 60408 in the “p” request parameter, the corresponding PHP file to handle this request is:

  

  hostGroupDependency.php is the file relevant to the vulnerability in this report.

  An SQL injection vulnerability exists in the Centreon web application. The vulnerability is due to a lack of input validation on the dep_id request parameter in hostGroupDependency.php. When a request is submitted to the “main.get.php” endpoint, main.get.php checks the “p” request parameter value. If the value is 60408, it routes the request to hostGroupDependency.php, which reads the dep_id request parameter value and then checks the “o” request parameter value. If the “o” parameter value is the character “c”, “w” or “a”, it calls formHostGroupDependency.php to process the request. formHostGroupDependency.php first checks whether the “o” parameter is “c” or “w” and, if so, constructs a SQL statement by appending the dep_id parameter value. It then executes the SQL statement to query the “dependency” table in the database.

  However, formHostGroupDependency.php does not sanitize the dep_id parameter before appending it to the SQL statement. A malicious user is therefore able to directly manipulate the Centreon database by embedding arbitrary SQL commands within the dep_id parameter in HTTP requests. For example, an attacker may utilize the “;” character (or its URL-encoded equivalent) in an HTTP request to terminate a SQL statement with a malicious create table command, as shown below:
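The defect described above is string concatenation of a request parameter into SQL text, with a driver that will run a second statement after a “;”. The following Python is an added example (not Centreon code and not from the original post) that reproduces the pattern against an in-memory SQLite table constructed to stand in for the “dependency” table, then shows the two independent fixes a reviewer would ask for: a type check on dep_id, which is an identifier and must be an unsigned integer, and a parameterized query so the value never becomes part of the statement text. The table contents and the stacked-statement value are constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the 'dependency' table named above (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dependency (dep_id INTEGER PRIMARY KEY, dep_name TEXT)")
    conn.executemany("INSERT INTO dependency VALUES (?, ?)",
                     [(1, "hg-dep-a"), (2, "hg-dep-b")])
    conn.commit()
    return conn


def table_names(conn: sqlite3.Connection):
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name").fetchall()
    return [r[0] for r in rows]


def vulnerable_lookup(conn: sqlite3.Connection, dep_id: str):
    """The pattern described above: the raw request parameter is appended to
    the statement text. executescript() stands in for a database layer that
    accepts stacked statements, so everything after a ';' runs as well.
    Returns the table list afterwards so the side effect is observable."""
    sql = "SELECT dep_name FROM dependency WHERE dep_id = " + dep_id
    conn.executescript(sql)
    return table_names(conn)


def hardened_lookup(conn: sqlite3.Connection, dep_id: str):
    """Two independent layers: (1) dep_id is an identifier, so anything but an
    unsigned integer is rejected up front; (2) the value is bound as a
    parameter and never becomes part of the SQL text. Note that
    sqlite3's execute() also refuses more than one statement per call."""
    if not dep_id.isdigit():
        raise ValueError("dep_id must be an unsigned integer")
    row = conn.execute("SELECT dep_name FROM dependency WHERE dep_id = ?",
                       (int(dep_id),)).fetchone()
    return row[0] if row else None


def hardened_rejects(dep_id: str) -> bool:
    """Does the hardened path refuse this parameter value?"""
    try:
        hardened_lookup(build_db(), dep_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A constructed stacked-statement value of the kind the post describes:
    # a ';' followed by a CREATE TABLE.
    payload = "1; CREATE TABLE injected (x)"
    print("vulnerable, tables afterwards:", vulnerable_lookup(build_db(), payload))
    print("hardened rejects:", hardened_rejects(payload))
    print("hardened lookup for id 1:", hardened_lookup(build_db(), "1"))
```

Either layer alone closes the hole described on this page; keeping both means a later refactor that drops the integer check still leaves the query parameterized, and vice versa.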

  

  A remote, authenticated attacker could exploit this vulnerability by sending a maliciously crafted request to the server. A successful attack may result in arbitrary SQL command execution at the database on the target server, potentially leading to the execution of arbitrary code in the security context as root.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the request is processed by the target server.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15666 Centreon main.get.php SQL Injection
  • IPS: 15674 Centreon main.get.php SQL Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released an advisory regarding this vulnerability:
  Vendor Advisory

Nagios XI Configwizards Command Injection Vulnerability

Overview:

  Nagios is an open source host, service and network monitoring program. The product’s functionality is implemented through a number of server-side programs primarily written in PHP with a backend database running MariaDB, a drop-in replacement for MySQL. The majority of these programs can be accessed only after successful authentication is performed with the underlying webserver. Nagios XI is a paid version of Nagios which offers greater functionality and performance, such as enhanced dashboards, graphs and backend database support, compared with Nagios.

  A command injection vulnerability has been reported in Nagios XI. The vulnerability is due to insufficient input validation of the requests submitted to windowswmi.inc.php.

  A remote authenticated attacker can exploit this vulnerability by sending a crafted request to the server. Successful exploitation could result in arbitrary command execution with privileges of the web server on the target system.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-25296.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C).

  Base score is 7.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is low.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is low.
    • Impact of this vulnerability on data integrity is low.
    • Impact of this vulnerability on data availability is low.
  Temporal score is 6.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  Nagios XI facilitates the management of tasks that monitor new devices, services, and applications via the Configuration Wizards feature. Configuration wizards are a set of modules that let end users set up monitoring tasks for various services or hosts through a user-friendly interface without needing to understand how Nagios XI works in the backend. Several modules are installed by default with a Nagios XI installation. The “Windows WMI” module is one of these default modules and is the one relevant to this report. The Configuration Wizards feature can be accessed via the Request-URI

    /url_root/config/monitoringwizard.php

  where url_root is the url root of the Nagios XI application.

  A command injection vulnerability exists in Nagios XI. When processing the requests submitted to the monitoringwizard.php endpoint, the monitoringwizard.php will check if the value of the wizard request parameter is “windowswmi”. If yes, it will call the function windowswmi_configwizard_func() in the windowswmi.inc.php to process the request. The windowswmi_configwizard_func() creates command-line strings which will invoke the program check_wmi_plus.pl to perform various monitoring tasks. The check_wmi_plus.pl provides several command-line arguments. One of them is the “forcetruncateoutput” argument, which limits the length of output printed by the check_wmi_plus.pl. The windowswmi_configwizard_func() will check if the plugin_output_len request parameter exists in the HTTP request. If yes, it will apply the plugin_output_len value to the construction of the check_wmi_plus.pl command-line string as its “forcetruncateoutput” argument, like the command-line string shown below:

    check_wmi_plus.pl ...... --forcetruncateoutput plugin_output_len

  where plugin_output_len is the value of the plugin_output_len request parameter.

  Then, windowswmi_configwizard_func() runs the constructed check_wmi_plus.pl command-line string using the PHP exec() function.

  However, windowswmi_configwizard_func() does not sanitize the plugin_output_len parameter value before applying it to the command-line string. An attacker can include command injection characters in the value of the plugin_output_len parameter which are then included in the constructed command line string. This allows for the execution of arbitrary commands on the underlying system when windowswmi_configwizard_func() calls PHP exec() to run the command-line string.
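The defect described above is the combination of two choices: the request parameter is interpolated into a single command string, and that string is handed to a shell by exec(). The following Python is an added example (not Nagios XI code and not from the original post) that makes the shell's view of the vulnerable string visible with the standard library's shlex tokenizer, then builds the hardened form: allow-list validation of plugin_output_len as an unsigned integer, and an argument vector that is passed to an exec without any shell in between. The `check_wmi_plus.pl` name is taken from the text; the range limit and the sample values are assumptions for the example.

```python
import shlex


def vulnerable_command_string(plugin_output_len: str) -> str:
    """The pattern described above: the raw request parameter is interpolated
    into a single command string that a shell will later interpret."""
    return f"check_wmi_plus.pl --forcetruncateoutput {plugin_output_len}"


def shell_words(command: str):
    """Tokenize the way a POSIX shell would, keeping ';', '|' and '&' as their
    own tokens, so it is visible where a second command would begin."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def validated_output_len(raw: str) -> int:
    """Allow-list validation: the argument is a length, so only an unsigned
    integer in a sane range is acceptable. Anything else is rejected outright
    rather than 'cleaned'. The upper bound is an assumption for this example."""
    if not raw.isdigit():
        raise ValueError("plugin_output_len must be an unsigned integer")
    value = int(raw)
    if not 1 <= value <= 1_000_000:
        raise ValueError("plugin_output_len out of range")
    return value


def hardened_argv(plugin_output_len: str):
    """Build an argument vector, not a string. Handed to an exec that takes a
    list (subprocess.run(argv) in Python; in PHP, escapeshellarg() on each
    value before exec(), or a process API that takes an array), no shell ever
    parses it, so metacharacters cannot start a second command."""
    return ["check_wmi_plus.pl", "--forcetruncateoutput",
            str(validated_output_len(plugin_output_len))]


def output_len_rejected(plugin_output_len: str) -> bool:
    """Does the hardened path refuse this parameter value?"""
    try:
        hardened_argv(plugin_output_len)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values: a normal length and one carrying a ';'.
    for value in ("4096", "100; echo injected"):
        print(f"{value!r:22} shell sees {shell_words(vulnerable_command_string(value))}")
        print(f"{'':22} hardened rejects: {output_len_rejected(value)}")
```

The tokenization output is the argument to bring to code review: once the “;” appears as a separate token, everything after it is a new command as far as the shell is concerned, which is why validation of the value and avoidance of the shell both matter.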

  A remote, authenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation results in the execution of arbitrary commands as the apache user.

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must authenticate to the target system.

Triggering Conditions:

  The attacker authenticates and then sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP
    • HTTPS, over port 443/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15480 Nagios XI monitoringwizard.php Command Injection 1
  • IPS: 15668 Nagios XI monitoringwizard.php Command Injection 2

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
    • Upgrading the product to a non-vulnerable version.
  The vendor has released a patch (5.8.0) regarding this vulnerability:
  Vendor Advisory

Zeroshell command injection vulnerability

SonicWall Capture Labs threat research team observed attacks exploiting a vulnerability in Zeroshell.

Zeroshell is a small open-source Linux distribution for servers and embedded systems that aims to provide network services. Its administration relies on a web-based graphical interface.

Zeroshell is a Linux-based distribution dedicated to the implementation of router and firewall appliances that are completely administrable via a web interface. Zeroshell is available for x86/x86-64 platforms and ARM-based devices such as the Raspberry Pi.

Zeroshell command injection vulnerability | CVE-2019-12725

The goal of a command injection attack is the execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

An unauthenticated command injection vulnerability exists in ZeroShell 3.9.0 in the  URL. As sudo is configured to execute bin without a password (NOPASSWD) it is possible to run root commands using the “checkpoint” tar options.

Some of the exploits found in the wild are:

As one can see, the vulnerable URL is set to NoAuthREQ and the attacker is able to inject and execute commands to change the directory and download a malicious script from the attacker-controlled server.

SonicWall Capture Labs provides protection against this threat via the following signatures:

      • IPS 2366: Zeroshell Remote Code Execution
      • GAV : Mirai.ELF_2

IoCs
5.206.227.228
c22dce4ab0b5a0b2d8e921652ecc3df116568c1afd7222747a8bb1a87a2cfc59
ebfa0aa59700e61bcf064fd439fb18b030237f14f286c6587981af1e68a8e477

Threat Graph

Nooa ransomware seeks out your crypto wallets and passwords

The SonicWall Capture Labs threat research team has recently been tracking malware that does more than encrypt files and demand a ransom. In the ransomware space there has been an increase in malware that also steals data from infected machines. Some ransomware actors use this data to extort even more money from their victims. These ransomware actors, however, are interested in stealing crypto wallets, browser cookies and passwords.

Infection Cycle:

Upon infection, the file encryption process starts immediately. Files hosted on any attached external or network drives are also encrypted. Encrypted files are given a “.nooa” filename extension.

The following DNS requests are made by the malware:

  • api.2ip.ua
  • securebiz.org
  • astdg.top
  • prophefliloc.tumblr.com

The following files are downloaded onto the system:

  • C:\SystemID\PersonalID
  • %SYSTEMDRIVE%\_readme.txt
  • %SYSTEMDRIVE%\$WinREAgent\_readme.txt
  • %SYSTEMDRIVE%\$WinREAgent\Scratch\_readme.txt
  • %USERPROFILE%\_readme.txt
  • %APPDATA%\Roaming\Microsoft\Windows\Recent\_readme.lnk
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\4EQF0LUO\msvcp140[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\LHLB6AIE\nss3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\N5CLIG2L\freebl3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\N5CLIG2L\softokn3[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\VQ7BRAAE\mozglue[1].dll
  • %APPDATA%\Local\Microsoft\Windows\INetCache\IE\VQ7BRAAE\vcruntime140[1].dll
  • %APPDATA%\Local\{rand}\build2.exe [Detected as: GAV: Conficker.gen (Worm)]

PersonalID contains an ID that is unique to each infection:

PLtnD1U6oAmgxgJ2nJik1mY9SwUQg07CiN0zSet1

_readme.txt contains the following message:

The malware downloads and runs build2.exe:

build2.exe reports the infection to a C&C server and receives data from it:

Decompression of the data above reveals the following message containing files targeted for exfiltration:

DESKTOP;%DESKTOP%\;*wallet*.*:*2fa*.*:*backup*.txt:*backup*.png:*backup*.jpg:*code*.txt:*code*.png:*code*.jpg:*password*.*:*auth*.txt:*auth*.png:*auth*.jpg:*crypto*.*:*key*.txt:*key*.png:*key*.jpg:*ledger*.*:*metamask*.*:*blockchain*.*:*bittrex*.*:*binance*.*:*coinbase*.*:*trezor*.*:*exodus*.*:*UTC--201*.*;300;true;movies:music:mp3;lnk;

build2.exe then searches the system for the file types and directories listed above. This includes 2FA data, crypto wallets and browser cookies. If such data is found, it is compressed and uploaded to the C&C server in zip format. The malware also captures and sends system information and a screenshot of the desktop:
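The target specification received from the C&C server has a regular shape: semicolon-separated fields, with colon-separated lists inside them. The following is an added example, not malware code or SonicWall tooling: a parser for that string and a matcher that tells a defender which files under the named folder would have been selected, which is useful both for scoping what left a compromised host and for seeing how broad the globs are (anything with "key" in its name, for instance). The meanings of the numeric and boolean fields and of the two trailing lists are not stated in the write-up; they are marked as assumptions in the code. Matching is done case-insensitively, as a Windows file system would, which goes slightly beyond what the write-up itself states.

```python
"""Added example (not malware code or SonicWall tooling): a parser for the
target-specification string quoted above and a matcher that reports which
files a defender should assume were selected for exfiltration.  Field
meanings marked "assumed" are inferred from the string's shape; the write-up
does not document them."""
import fnmatch
from dataclasses import dataclass

# Copy of the specification quoted in the write-up.
SPEC = (
    r"DESKTOP;%DESKTOP%\;*wallet*.*:*2fa*.*:*backup*.txt:*backup*.png:*backup*.jpg:"
    r"*code*.txt:*code*.png:*code*.jpg:*password*.*:*auth*.txt:*auth*.png:*auth*.jpg:"
    r"*crypto*.*:*key*.txt:*key*.png:*key*.jpg:*ledger*.*:*metamask*.*:*blockchain*.*:"
    r"*bittrex*.*:*binance*.*:*coinbase*.*:*trezor*.*:*exodus*.*:*UTC--201*.*;"
    r"300;true;movies:music:mp3;lnk;"
)


@dataclass
class TargetProfile:
    name: str          # profile label ("DESKTOP")
    root: str          # directory to walk, given with an environment placeholder
    include: list      # glob patterns; a file matching any one is collected
    limit: int         # numeric field; assumed to be a size cap (unit unknown)
    flag: bool         # boolean field; assumed to mean "recurse into subfolders"
    skip_dirs: list    # assumed: directory names that are not descended into
    skip_exts: list    # assumed: extensions that are never collected


def parse_profile(spec: str) -> TargetProfile:
    """Split the semicolon-separated record into its seven fields."""
    fields = spec.rstrip(";").split(";")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}")
    name, root, inc, limit, flag, dirs, exts = fields
    return TargetProfile(
        name=name,
        root=root,
        include=[p for p in inc.split(":") if p],
        limit=int(limit),
        flag=flag.lower() == "true",
        skip_dirs=[d.lower() for d in dirs.split(":") if d],
        skip_exts=[e.lower() for e in exts.split(":") if e],
    )


def is_targeted(profile: TargetProfile, relpath: str) -> bool:
    """Would this file (path relative to profile.root) be collected?
    Comparison is case-insensitive, as on a Windows file system."""
    parts = relpath.replace("\\", "/").lower().split("/")
    dirs, name = parts[:-1], parts[-1]
    if any(d in profile.skip_dirs for d in dirs):
        return False
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in profile.skip_exts:
        return False
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in profile.include)


def triage(profile: TargetProfile, relpaths: list) -> list:
    """Return the subset of paths the profile would select, in input order."""
    return [p for p in relpaths if is_targeted(profile, p)]
```

Run triage() over a directory listing taken from a forensic image of the affected user's Desktop to get the list of files that should be treated as exposed; the "*UTC--201*.*" pattern is worth noting, since it matches the timestamped keystore file names used by some Ethereum wallets.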

 

information.txt contains system information from the infected machine:

We reached out to the email addresses provided in the ransom message and received the following response:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Waledac.gen.2 (Worm)
  • GAV: Conficker.gen (Worm)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for August 2021

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of August 2021. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2021-26432 Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability
IPS 2045: Windows NFS Remote Code Execution (CVE-2021-26432)

CVE-2021-34480 Scripting Engine Memory Corruption Vulnerability
IPS 2044: Scripting Engine Memory Corruption Vulnerability (CVE-2021-34480)

CVE-2021-34535 Remote Desktop Client Remote Code Execution Vulnerability
ASPY 207: Malformed-File exe.MP.197

CVE-2021-36948 Windows Update Medic Service Elevation of Privilege Vulnerability
ASPY 208: Malformed-File exe.MP.198

The following vulnerabilities do not have exploits in the wild:
CVE-2021-26423 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26424 Windows TCP/IP Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-26425 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26426 Windows User Account Profile Picture Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26428 Azure Sphere Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-26429 Azure Sphere Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26430 Azure Sphere Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2021-26431 Windows Recovery Environment Agent Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-26433 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-33762 Azure CycleCloud Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34471 Microsoft Windows Defender Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34478 Microsoft Office Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34483 Windows Print Spooler Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34484 Windows User Profile Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34485 .NET Core and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34486 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34487 Windows Event Tracing Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34524 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34530 Windows Graphics Component Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34532 ASP.NET Core and Visual Studio Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-34533 Windows Graphics Component Font Parsing Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34534 Windows MSHTML Platform Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-34536 Storage Spaces Controller Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-34537 Windows Bluetooth Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36926 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36927 Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36932 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36933 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36936 Windows Print Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36937 Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36938 Windows Cryptographic Primitives Library Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2021-36940 Microsoft SharePoint Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36941 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36942 Windows LSA Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2021-36943 Azure CycleCloud Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36945 Windows 10 Update Assistant Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2021-36946 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2021-36947 Windows Print Spooler Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2021-36949 Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability
There are no known exploits in the wild.
CVE-2021-36950 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.

Advantech R-SeeNet ping.php Command Injection Vulnerability

Overview:

  Advantech R-SeeNet is a monitoring application that runs on a server; its job is to collect information from routers, store it, process it and present it to a network administrator. R-SeeNet consists of two parts: the R-SeeNet server and the R-SeeNet PHP web-based application. The R-SeeNet server is the non-visible part responsible for querying the routers and gathering information; it stores the recorded information in a MySQL database. The R-SeeNet PHP web-based application is responsible for showing both individual statistics and the status of the whole network.

  A command injection vulnerability has been reported in Advantech R-SeeNet. The vulnerability is due to insufficient validation of the hostname parameter in ping.php.

  A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target system. Successful exploitation could result in arbitrary command execution in the security context of the web server on the target server.

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-21805.

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C).

  Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 9.4 (E:P/RL:U/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is unavailable.
    • The report confidence level of this vulnerability is confirmed.

Technical Overview:

  R-SeeNet web application server can send ping packets to other devices and get their status when receiving a request to the “ping.php” endpoint as below:

  Where the hostname parameter value contains the IP address or host name of a remote device.

  A command injection vulnerability exists in the Advantech R-SeeNet. When processing the request submitted to the ping.php endpoint, ping.php will first check if it is running on Windows platform. If not, it will construct a ping command-line string as below:

  ping -c 5 -s 64 -t 64 hostname

  where hostname is the value of the hostname request parameter. ping.php then uses the PHP popen() function to execute the constructed ping command-line string and read its output.

  However, ping.php does not sanitize the hostname parameter before using it to construct the ping command-line string. An attacker can submit a malicious command embedded in the value of the hostname parameter to the target server; the malicious command is then appended to the constructed ping command-line string. This could allow the execution of arbitrary commands on the underlying system when ping.php calls PHP popen() to run the ping command-line string.

  A remote, unauthenticated attacker can exploit the vulnerability by sending crafted requests to the server. Successful exploitation could result in arbitrary command execution with web server privileges on the target server.
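Both command injections on this page share a detectable trait: a parameter that should only ever hold a host name or a number arrives carrying shell syntax. The following is an added example, not R-SeeNet, Nagios XI or SonicWall code: a small detector in the spirit of the IPS signatures above, run over constructed access-log lines. It flags requests to ping.php whose hostname parameter is not a valid IP address or DNS name, and requests to monitoringwizard.php (from the Nagios XI write-up earlier on this page) whose plugin_output_len parameter is not a plain integer. The log lines, the source addresses and the URL paths are constructed for the example; only the endpoint and parameter names come from the write-ups.

```python
"""Added example (not R-SeeNet, Nagios XI or SonicWall code): an access-log
detector for the two command-injection endpoints discussed on this page.
Log lines, source addresses and URL paths are constructed for the example."""
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" style (user-agent omitted).
# Caveat: a parameter sent in a POST body is not recorded by a plain access
# log; inspecting it needs an IPS/WAF or request-body logging.  The query
# string form here keeps the example self-contained.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2021:10:01:02 +0000] "GET /php/ping.php?hostname=192.168.1.10 HTTP/1.1" 200 512
10.0.0.5 - - [12/Aug/2021:10:01:09 +0000] "GET /php/ping.php?hostname=router-01.example.net HTTP/1.1" 200 530
203.0.113.7 - - [12/Aug/2021:10:02:41 +0000] "GET /php/ping.php?hostname=192.168.1.10%3Becho%20probe HTTP/1.1" 200 611
10.0.0.9 - - [12/Aug/2021:10:03:00 +0000] "POST /nagiosxi/config/monitoringwizard.php?wizard=windowswmi&plugin_output_len=1024 HTTP/1.1" 200 2048
203.0.113.7 - - [12/Aug/2021:10:03:15 +0000] "POST /nagiosxi/config/monitoringwizard.php?wizard=windowswmi&plugin_output_len=1024%26%26%20echo HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# RFC 1123-style host name: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
PLAIN_INT_RE = re.compile(r"^[0-9]{1,9}$")


def looks_like_host(value: str) -> bool:
    """True for an IPv4/IPv6 literal or a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


# endpoint basename -> (parameter to inspect, allow-list check, rule label)
RULES = {
    "ping.php": ("hostname", looks_like_host,
                 "R-SeeNet ping.php hostname injection (cf. IPS 15657)"),
    "monitoringwizard.php": ("plugin_output_len",
                             lambda v: bool(PLAIN_INT_RE.match(v)),
                             "Nagios XI monitoringwizard.php plugin_output_len "
                             "injection (cf. IPS 15480/15668)"),
}


def inspect_line(line: str):
    """Return an alert dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    endpoint = parts.path.rsplit("/", 1)[-1]
    rule = RULES.get(endpoint)
    if rule is None:
        return None
    param, allowed, label = rule
    # parse_qs percent-decodes, so %3B is inspected as ';'
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if not allowed(value):
            return {"src": m["src"], "ts": m["ts"], "endpoint": endpoint,
                    "param": param, "value": value, "rule": label}
    return None


def scan(log_text: str) -> list:
    """Run inspect_line over every line and collect the alerts."""
    return [hit for hit in (inspect_line(l) for l in log_text.splitlines()) if hit]
```

The check is an allow-list on the parameter's expected grammar rather than a block-list of metacharacters, so encodings and separator variants that a block-list would miss are still caught; the cost is that a legitimate but unusual value (for example an underscore in a host name) would also be reported, which is the right trade-off for a parameter that ends up in a shell.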

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.

Triggering Conditions:

  The attacker sends an HTTP request containing maliciously crafted parameters to the target server. The vulnerability is triggered when the server processes the request.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP, over port 80/TCP

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 15657 Advantech R-SeeNet ping.php Command Injection 1

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Blocking the affected ports from external network access if they are not required.
    • Filtering traffic based on the signature above.
  The vendor has not released any advisory regarding this vulnerability.