
curl SOCKS5 Heap overflow Vulnerability

SonicWall Capture Labs Threat Research Team became aware of the threat, assessed its impact, and developed mitigation measures for the curl SOCKS5 heap buffer overflow vulnerability released this week.

Overview

Client URL, or curl, together with its library libcurl, is one of the most popular and widely integrated command line tools for data transfer. It supports a wide range of protocols such as HTTP, HTTPS, SMTP and FTP and lets the user make requests to a URL while handling all standard components of a request, such as cookies, authentication and proxies. On October 11, a high-severity heap-based buffer overflow vulnerability was publicly disclosed in curl versions 7.69.0 up to and including 8.3.0. For an attacker to leverage this vulnerability, they would need to control the hostname being accessed by curl through a SOCKS5 proxy, and the server would need to respond “slowly.” Typical server latency is likely slow enough to trigger this vulnerability without needing a DoS attack or control of the SOCKS server. It is recommended that all instances of curl and libcurl be updated to version 8.4.0. Currently, it is suspected, yet not proven, that this flaw can lead to remote code execution. Due to the constraints required for exploitation, it is currently unclear what the likelihood of exploitation in the wild is.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-38545.
The overall CVSS score is 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is none.
  • Impact of this vulnerability on data integrity is none.
  • Impact of this vulnerability on data availability is high.

Technical Overview

SOCKS5 is a proxy protocol for setting up network communication via a dedicated intermediary application. Tor uses the protocol, and it is often used to bypass internet restrictions or access blocked websites. When a destination hostname must be resolved, SOCKS5 offers two resolver modes: either the client resolves the hostname locally and passes the destination to the proxy as a resolved address, or the client passes the entire hostname to the proxy and the proxy resolves it remotely. The curl vulnerability arises when a hostname longer than 255 bytes is handled in local resolve mode. This can be seen from the source code in the image below. If the SOCKS5 server is delayed in its response, the curl state machine returns with the local resolver selected, but the next time the state machine is invoked, it no longer knows the hostname’s length. It then first tries to resolve the name using the remote resolver by building a protocol frame in a memory buffer under the assumption that the name is less than 255 bytes, and copies the destination hostname into the too-small buffer. It is also important to consider the conditions that allow this code path to be taken. libcurl uses the option CURLOPT_BUFFERSIZE to determine how large a download buffer to allocate. By default, the curl tool sets CURLOPT_BUFFERSIZE to 100kB and is therefore not vulnerable. An overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE or set it smaller than 65541.
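The following Python example (added here; it is not curl's code) shows the two facts the paragraph turns on: an RFC 1928 domain-name CONNECT frame carries the hostname length in a single byte, so a frame builder must refuse names over 255 bytes rather than copy them, and the advisory's three conditions (affected version, socks5h-style remote resolution, small or unset CURLOPT_BUFFERSIZE) can be checked together. The version encoding mirrors libcurl's 0xXXYYZZ scheme; the function and constant names are the example's own.

```python
import struct

# libcurl packs its version as 0xXXYYZZ (major, minor, patch). The advisory's
# affected range is 7.69.0 through 8.3.0 inclusive; 8.4.0 is the fixed release.
AFFECTED_MIN = 0x074500    # 7.69.0
AFFECTED_MAX = 0x080300    # 8.3.0
SAFE_BUFFERSIZE = 65541    # advisory: buffers smaller than this are exposed
SOCKS5_MAX_HOSTNAME = 255  # RFC 1928 ATYP=3 carries the name length in one byte


def libcurl_version_num(major, minor, patch):
    """Encode a version the way curl_version_info()->version_num does."""
    return (major << 16) | (minor << 8) | patch


def socks5_overflow_reachable(version_num, remote_resolve, buffersize=None):
    """True when the advisory's three conditions hold at once: an affected
    libcurl, a SOCKS5 proxy in remote-resolve mode (CURLPROXY_SOCKS5_HOSTNAME,
    i.e. socks5h://), and CURLOPT_BUFFERSIZE unset or below 65541 bytes."""
    if not AFFECTED_MIN <= version_num <= AFFECTED_MAX:
        return False
    if not remote_resolve:
        return False
    return buffersize is None or buffersize < SAFE_BUFFERSIZE


def build_socks5_connect(hostname, port):
    """Build an RFC 1928 CONNECT request with ATYP=3 (domain name).

    The name length travels in a single byte, so a name longer than 255
    bytes cannot be represented; the safe response is to refuse it, never
    to truncate the length field and copy the full name anyway."""
    name = hostname.encode("ascii")
    if not 1 <= len(name) <= SOCKS5_MAX_HOSTNAME:
        raise ValueError("SOCKS5 hostname must be 1..255 bytes, got %d" % len(name))
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (DOMAINNAME), LEN, NAME, DST.PORT
    head = struct.pack("!BBBBB", 5, 1, 0, 3, len(name))
    return head + name + struct.pack("!H", port)


def parse_socks5_connect(frame):
    """Parse a domain-name CONNECT frame, checking the declared length
    against the buffer before slicing (the mirror image of the overflow)."""
    if len(frame) < 7:
        raise ValueError("frame too short")
    ver, cmd, rsv, atyp, n = struct.unpack("!BBBBB", frame[:5])
    if (ver, cmd, rsv, atyp) != (5, 1, 0, 3):
        raise ValueError("not a SOCKS5 domain-name CONNECT")
    if len(frame) != 5 + n + 2:
        raise ValueError("declared name length %d does not fit the frame" % n)
    (port,) = struct.unpack("!H", frame[5 + n:])
    return frame[5:5 + n].decode("ascii"), port


if __name__ == "__main__":
    print(socks5_overflow_reachable(libcurl_version_num(7, 74, 0), True))  # True
    print(socks5_overflow_reachable(libcurl_version_num(8, 4, 0), True))   # False
    print(build_socks5_connect("example.com", 443).hex())
```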

Triggering the Vulnerability

To trigger this vulnerability, curl needs to access a long hostname through a SOCKS5 proxy. For testing, this can be set up with a locally running Python SOCKS5 proxy server. A single curl command (using version 7.74) is enough to trigger a segmentation fault. Running the same setup with GDB attached to curl, it is possible to see the backtrace and the exact conditions of the vulnerability. This highlights that the vulnerability lies within the resolvers. A segmentation fault occurs when the contents of register $RDI are dereferenced as a pointer. Consider the disassembly from GDB below at the point of the segmentation fault: by inspecting the value of $RDI, it is possible to see that the heap buffer overflow has caused the register to be overwritten.

Exploitation

Currently, it hasn’t been proven that this vulnerability can be turned into a fully functional, weaponizable exploit; however, considering the nature of memory corruption, and depending on the compile-time and runtime mitigations in place, it is likely that a weaponizable exploit is possible. One possible method of exploitation, as outlined by Daniel Stenberg, would be for an attacker to leverage an HTTP 30x redirect response over a SOCKS5 proxy. The response would contain a Location header that includes a malicious hostname longer than 16KB.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS 15927 : SOCKS5 Heap Buffer Overflow

Remediation Recommendations

To mitigate or eliminate the risk posed by this vulnerability, it is recommended to:

  • Upgrade curl to version 8.4.0, or
  • Apply the patch to your local version, or
  • Do not use the CURLPROXY_SOCKS5_HOSTNAME proxy type with curl

Relevant Links

Microsoft Security Bulletin Coverage for October 2023

Overview
Microsoft’s October 2023 Patch Tuesday addresses 104 vulnerabilities, of which 45 are remote code execution. The vulnerabilities can be classified into the following categories:

  • 26 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 45 Remote Code Execution Vulnerabilities
  • 12 Information Disclosure Vulnerabilities
  • 17 Denial of Service Vulnerabilities
  • 1 Spoofing Vulnerability

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of October 2023 and has produced coverage for 7 of the reported vulnerabilities.

Vulnerabilities with detections
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 491: Exploit-exe exe.MP_341

CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability
ASPY 494: Exploit-exe exe.MP_344

CVE-2023-36731 Win32k Elevation of Privilege Vulnerability
ASPY 492: Exploit-exe exe.MP_342

CVE-2023-36743 Win32k Elevation of Privilege Vulnerability
ASPY 493: Exploit-exe exe.MP_343

CVE-2023-36776 Win32k Elevation of Privilege Vulnerability
ASPY 497: Exploit-exe exe.MP_347

CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability
ASPY 496: Exploit-exe exe.MP_346

CVE-2023-41772 Win32k Elevation of Privilege Vulnerability
ASPY 495: Exploit-exe exe.MP_345

Remote Code Execution Vulnerabilities 
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability
CVE-2023-36417 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability
CVE-2023-36718 Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability
CVE-2023-36730 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability
CVE-2023-36785 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability
CVE-2023-36789 Skype for Business Remote Code Execution Vulnerability
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability

Elevation of Privilege Vulnerabilities
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability – SonicWALL is investigating this CVE.
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability

Denial of Service Vulnerabilities 
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36585 Active Template Library Denial of Service Vulnerability
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability

Information Disclosure Vulnerabilities 
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability
CVE-2023-36429 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability – SonicWALL is investigating this CVE.
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability

Security Feature Bypass Vulnerabilities 
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability
CVE-2023-36700 Microsoft Defender Security Feature Bypass Vulnerability

Spoofing Vulnerability 
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

JetBrains TeamCity Authentication Bypass Vulnerability

Overview

SonicWall Capture Labs Threat Research Team became aware of the threat, assessed its impact, and developed mitigation measures for JetBrains TeamCity Server.

JetBrains TeamCity, a robust continuous integration (CI) and continuous deployment (CD) server, hails from the creators of renowned tools IntelliJ IDEA and PyCharm. TeamCity offers a comprehensive suite of features that enable development teams to automate their build and deployment processes, adhere to agile practices, and extract detailed analytics. Its adaptability, rooted in its versatile plugin system and support for various version control systems, positions it as a top choice for many developers.

A critical vulnerability, allowing authentication bypass and leading to remote code execution (RCE), was identified in JetBrains TeamCity. Versions prior to 2023.05.4 are vulnerable due to a misconfiguration in the RequestInterceptors constructor. This flaw meant that any incoming HTTP request matching the wildcard path /**/RPC2 would bypass authentication.

Attackers can exploit this vulnerability by sending a single HTTP POST request to the server. Successful exploitation would enable unauthorized individuals to execute arbitrary code on the TeamCity server.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-42793.

The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.
Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
  • The exploit code maturity level of this vulnerability is proof of concept code.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview

The configuration file buildServerSpringWeb.xml defines interceptors, notably the calledOnceInterceptors bean, which processes incoming HTTP requests. This bean leads to the instantiation of the jetbrains.buildServer.controllers.interceptors.RequestInterceptors class, which features the wildcard path /**/RPC2. On instantiation, it integrates several beans, including the authorizedUserInterceptor, into its myInterceptors list.

The RequestInterceptors class is pivotal in handling HTTP requests via its preHandle method. If requestPreHandlingAllowed returns false, authentication checks are bypassed. However, if true, all interceptors in myInterceptors ensure authentication. The vulnerability emerges when requests match the wildcard path /**/RPC2, bypassing the typical authentication processes of the myInterceptors list.

To exploit this flaw, attackers target TeamCity’s REST API. Decompiling the REST API library reveals its method-to-URI mapping via the @Path annotation, which permits URIs ending in /RPC2 and therefore evades authentication. By targeting the createToken method in the jetbrains.buildServer.server.rest.request.UserRequest class, attackers can forge a request that yields an Administrator authentication token, granting wide-ranging access to the REST API.
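As an added illustration (not JetBrains code and not SonicWall's signature), the following Python reproduces the Ant-style matching of the /**/RPC2 wildcard and scans constructed access-log lines for requests of that shape; the REST path in the sample lines is illustrative, not TeamCity's real route.

```python
import re

# Ant-style path pattern from the advisory: requests whose final path segment
# is "RPC2" skipped the authentication interceptors in RequestInterceptors.
BYPASS_PATTERN = "/**/RPC2"

# Common-log-format line: client, timestamp, request line, status
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def ant_to_regex(pattern):
    """Translate a Spring/Ant path pattern into an anchored regex:
    '**' spans any number of segments, '*' stays inside one segment,
    '?' is a single non-slash character."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out, i = out + "/(?:.*/)?", i + 4      # zero or more directories
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def scan_access_log(lines, pattern=BYPASS_PATTERN):
    """Return one alert per request whose path matches the bypass pattern,
    recording the user selector ("id:N") when the URI carries one."""
    matcher = ant_to_regex(pattern)
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]
        if not matcher.match(path):
            continue
        user = re.search(r"/id:(\d+)(?:/|$)", path)
        alerts.append({
            "src": m.group("src"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            "user_id": int(user.group(1)) if user else None,
            # A bare /RPC2 may be ordinary XML-RPC traffic (assumption); a
            # longer path that merely ends in /RPC2 is the bypass shape.
            "nested": path != "/RPC2",
        })
    return alerts


# Constructed sample lines; the REST path is illustrative, not TeamCity's real route.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /login.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:12:00:02 +0000] "POST /api/users/id:1/token/RPC2 HTTP/1.1" 200 311',
    '10.0.0.7 - - [10/Oct/2023:12:00:03 +0000] "POST /RPC2 HTTP/1.1" 200 99',
    '203.0.113.9 - - [10/Oct/2023:12:00:04 +0000] "GET /api/users/id:1/RPC2?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```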

Triggering the Vulnerability

  • The target must be running a JetBrains TeamCity version prior to 2023.05.4.
  • The attacker must have network access to the vulnerable software.
  • A valid HTTP POST request containing /**/RPC2 with a valid ID='n' in the URI.

Exploitation

As demonstrated in the video below, this vulnerability can be exploited using a single HTTP or HTTPS POST request. This request will ask the server to provide an authentication token for a specific user. Therefore, contained within the request, the attacker must specify a user for the token to be generated. This is done using the “id” parameter in the URI. While an attacker can specify any user, the user “id” of 1 will always be the Administrator user created during system installation and is therefore a prime candidate for an attacker to leverage. A successful POST request will return an XML token object named “RPC2” containing a “value” parameter holding a valid authentication token.

SonicWall Protections

  • IPS:15923 JetBrains TeamCity Authentication Bypass

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:
  • Updating to version 2023.05.4 or newer of TeamCity.
  • Reviewing JetBrains’ latest released security patch plugin.
  • Using up-to-date IPS signatures to filter network traffic.
  • Alternatively, taking the server offline.

Relevant Links

  • JetBrains Homepage
  • CVSS Calculator Metrics
  • Vendor Advisory
  • CVE Listing

phpPgAdmin Deserialization Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  phpPgAdmin is an open-source, web-based administration tool for managing PostgreSQL, an advanced, enterprise-class, and open-source relational database system. phpPgAdmin is written in PHP and provides a user-friendly interface that allows users to perform various database management tasks. Users can create, modify, and delete databases, tables, and records through this interface, making it a valuable tool for those who prefer a graphical user interface over command-line interaction.

  It has been reported that phpPgAdmin 7.14.4 and earlier versions have a deserialization vulnerability. Deserialization vulnerabilities occur when an application unsafely processes external input during the deserialization process, potentially leading to code execution, denial of service, or elevation of privileges. This vulnerability underscores the importance of using secure coding practices and regularly updating software to protect against known vulnerabilities.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-40619.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

  Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is high.
    • Impact of this vulnerability on data integrity is high.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 8.8 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept code.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The doEmpty function in the tables.php file is responsible for emptying tables in a database, and it is designed to handle both single and multiple table emptying operations. It works by taking user input from the $_REQUEST['ma'] or $_REQUEST['table'] global variables, which are populated by the client through HTTP GET or POST requests. When multiple tables are specified through $_REQUEST['ma'], the function iterates over each table, unserializes the user input, and performs the emptying operation on each specified table. The use of the unserialize function here is critical, as it exposes a potential security vulnerability known as PHP Object Injection due to the way it handles serialized objects.

  PHP Object Injection vulnerabilities occur when user-supplied input is passed to the unserialize function, which can result in the instantiation of objects and the execution of the magic method __wakeup. In this specific case, the user could potentially pass a serialized object with a malicious __wakeup method to the $_REQUEST[‘ma’] variable, leading to the execution of arbitrary PHP code. This could allow an attacker to perform various malicious activities, such as executing system commands, creating, deleting, or modifying files, or even launching attacks against other systems. Consequently, the use of unserialize on user-supplied data in this function poses a severe security risk and could lead to a full server compromise if exploited successfully.

  To mitigate the risks associated with this vulnerability, it is crucial to avoid using the unserialize function on user-supplied input. Instead, alternative methods for handling user data, such as JSON encoding and decoding, should be employed. Additionally, input validation and sanitization should be implemented to ensure that only expected and safe data is processed by the application.
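An added Python example (not phpPgAdmin's code) of the allowlisting approach just described: a minimal parser for PHP's serialization format that accepts only scalars and arrays, so an object token never reaches an unserialize-style sink. The assumption that the 'ma' parameter holds a serialized array of table names is the example's own.

```python
import re


class UnsafeSerializedData(ValueError):
    """Raised for malformed input or any token unserialize() would turn into an object."""


MAX_DEPTH = 8   # nested arrays deeper than this are rejected (assumption)
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # identifier-like table names only


def _expect(data, pos, literal):
    if data[pos:pos + len(literal)] != literal:
        raise UnsafeSerializedData("expected %r at offset %d" % (literal, pos))


def _parse(data, pos, depth):
    if pos >= len(data):
        raise UnsafeSerializedData("unexpected end of data")
    tok = chr(data[pos])
    if tok == "N":                        # N;
        _expect(data, pos + 1, b";")
        return None, pos + 2
    if tok in "ibd":                      # i:123;  b:1;  d:1.5;
        _expect(data, pos + 1, b":")
        end = data.index(b";", pos + 2)
        raw = data[pos + 2:end].decode("ascii")
        value = int(raw) if tok == "i" else bool(int(raw)) if tok == "b" else float(raw)
        return value, end + 1
    if tok == "s":                        # s:<len>:"<bytes>";
        _expect(data, pos + 1, b":")
        colon = data.index(b":", pos + 2)
        n = int(data[pos + 2:colon].decode("ascii"))
        _expect(data, colon + 1, b'"')
        start = colon + 2
        if start + n > len(data):         # declared length must fit the buffer
            raise UnsafeSerializedData("string length %d runs past the buffer" % n)
        _expect(data, start + n, b'";')
        return data[start:start + n].decode("utf-8"), start + n + 2
    if tok == "a":                        # a:<count>:{<key><value>...}
        if depth >= MAX_DEPTH:
            raise UnsafeSerializedData("array nesting too deep")
        _expect(data, pos + 1, b":")
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon].decode("ascii"))
        _expect(data, colon + 1, b"{")
        pos, out = colon + 2, {}
        for _ in range(count):
            key, pos = _parse(data, pos, depth + 1)
            if isinstance(key, bool) or not isinstance(key, (int, str)):
                raise UnsafeSerializedData("array keys must be int or string")
            out[key], pos = _parse(data, pos, depth + 1)
        _expect(data, pos, b"}")
        return out, pos + 1
    # O: (object), C: (custom object), r:/R: (references) and anything else:
    # these are exactly what turns unserialize() into an object-injection sink.
    raise UnsafeSerializedData("token %r at offset %d is not allowed" % (tok, pos))


def parse_php_serialized(data):
    """Parse PHP-serialized bytes, allowing only scalars and (nested) arrays."""
    try:
        value, end = _parse(data, 0, 0)
    except UnsafeSerializedData:
        raise
    except (ValueError, IndexError) as exc:
        raise UnsafeSerializedData("malformed input: %s" % exc)
    if end != len(data):
        raise UnsafeSerializedData("trailing bytes after value")
    return value


def table_names_from_request(ma_param):
    """Allowlist a multi-table selection the way a safe doEmpty could: only a
    flat list of identifier-like table names gets through. (Assumption: the
    parameter is a serialized PHP array of table names.)"""
    raw = ma_param.encode("utf-8") if isinstance(ma_param, str) else ma_param
    value = parse_php_serialized(raw)
    if not isinstance(value, dict) or list(value) != list(range(len(value))):
        raise UnsafeSerializedData("expected a list of table names")
    names = list(value.values())
    for name in names:
        if not isinstance(name, str) or not IDENT.match(name):
            raise UnsafeSerializedData("invalid table name %r" % (name,))
    return names


if __name__ == "__main__":
    print(table_names_from_request('a:2:{i:0;s:5:"users";i:1;s:6:"orders";}'))
```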

Triggering the Problem:

  • The target system must have the vulnerable product installed and running.
  • The attacker must have network connectivity to the affected ports.
  • The attacker must send malicious serialized payloads to the tables.php endpoint.
  • The query string parameter 'ma' is used to trigger the 'unserialize' function by injecting serialized data.

Triggering Conditions:

  The unserialize() deserialization vulnerability in PHP occurs when the unserialize() function is passed user input without adequate validation, consequently triggering magic methods like __wakeup() or __destruct() in an object-oriented context. These magic methods are invoked automatically during deserialization, providing an avenue for attackers to execute malicious code or carry out other harmful activities. The vulnerability underscores the importance of validating or sanitizing user input and avoiding the use of unserialize() with untrusted data, to prevent potential exploitation.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • HTTP
    • HTTPS


SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS:15919 phpPgAdmin Insecure Deserialization

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configuring the vulnerable product to allow access from trusted clients only.
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signature above.
  A Third Party has released the following advisory regarding this vulnerability:
  Third Party Advisory

Zyxel IKE Remote Command Execution

The SonicWall Capture Labs Threat Research team has observed attackers targeting vulnerable Zyxel devices by exploiting a Zyxel IKE Remote Command Execution vulnerability.

Zyxel’s website provides the following description of their products:

“The Zyxel USG FLEX Series supports IPsec, SSL, and L2TP-based VPNs, making it an ideal solution for providing a secure network to access remote or home-based workers. Zero-configuration remote access removes complicated setup challenges making it easier for employees to establish VPN connections to the office without the need for IT support.

The Zyxel ZyWALL ATP series is an Advanced Threat Protection Firewall empowered by cloud intelligence leveling up network protection, especially in tackling unknown threats.

Improper error message handling in Zyxel ZyWALL/USG,VPN,USG FLEX and ATP firmware series could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.”

OS Remote Command Execution

Portswigger describes OS command injection as a web security flaw that permits a malicious actor to run arbitrary operating system (OS) commands on the server where an application is running. This causes OS remote command execution which in turn can potentially lead to a complete compromise of the application and its associated data. Furthermore, attackers frequently use OS command injection vulnerabilities as a stepping stone to compromise additional components of the hosting infrastructure. This is achieved by exploiting trust relationships to extend the attack to other systems within the organization.

Zyxel IKE Remote Command Execution | CVE-2023-28771
There is a command injection vulnerability in the Internet Key Exchange (IKE) packet decoder. This vulnerability can be exploited remotely over UDP port 500 on the WAN interface of several Zyxel devices. Importantly, these affected devices are vulnerable even in their default configuration, and if exploited, this vulnerability allows for command execution with root privileges.

Rapid7 researchers identified that the vulnerability could be triggered during the decoding of an IKEv2 Notify payload. When an IKEv2 Notify message with a message type of NO_PROPOSAL_CHOSEN is processed, the attacker can provide arbitrary commands in the Notification Data field. These commands will be executed with root privileges.
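As an added example (not Rapid7's or Zyxel's code), the following Python parses an IKEv2 payload chain and flags NO_PROPOSAL_CHOSEN Notify payloads that carry notification data, a defender-side check one could run over captured UDP/500 traffic; the packets here are constructed inline and the names are the example's own.

```python
import struct

IKE_HEADER_LEN = 28
PAYLOAD_NOTIFY = 41          # RFC 7296 payload type N
PAYLOAD_VENDOR_ID = 43       # RFC 7296 payload type V
EXCH_IKE_SA_INIT = 34
NO_PROPOSAL_CHOSEN = 14      # Notify message type named in the advisory
SHELL_META = set(b"`$|;&<>(){}\n")   # characters a command string would carry


def parse_ikev2_payloads(packet):
    """Walk the generic payload chain behind the IKEv2 header and return
    (payload_type, body) pairs, refusing any length that leaves the packet."""
    if len(packet) < IKE_HEADER_LEN:
        raise ValueError("short IKE header")
    (_spi_i, _spi_r, next_payload, version, _exch,
     _flags, _msg_id, length) = struct.unpack("!QQBBBBII", packet[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(packet):
        raise ValueError("header length %d does not match packet" % length)
    payloads, pos = [], IKE_HEADER_LEN
    while next_payload != 0:
        if pos + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _crit, plen = struct.unpack("!BBH", packet[pos:pos + 4])
        if plen < 4 or pos + plen > len(packet):
            raise ValueError("payload length %d overruns packet" % plen)
        payloads.append((next_payload, packet[pos + 4:pos + plen]))
        next_payload, pos = nxt, pos + plen
    return payloads


def parse_notify(body):
    """Notify payload body: protocol ID (1), SPI size (1), message type (2),
    SPI (spi_size bytes), then notification data."""
    if len(body) < 4:
        raise ValueError("short Notify payload")
    _proto, spi_size, msg_type = struct.unpack("!BBH", body[:4])
    if 4 + spi_size > len(body):
        raise ValueError("SPI size overruns Notify payload")
    return msg_type, body[4:4 + spi_size], body[4 + spi_size:]


def suspicious_notify(packet):
    """Flag NO_PROPOSAL_CHOSEN notifications that carry data at all (the
    error normally carries none) and note whether that data looks like a
    command string rather than opaque protocol bytes."""
    findings = []
    for ptype, body in parse_ikev2_payloads(packet):
        if ptype != PAYLOAD_NOTIFY:
            continue
        msg_type, _spi, data = parse_notify(body)
        if msg_type != NO_PROPOSAL_CHOSEN or not data:
            continue
        findings.append({"data_len": len(data),
                         "shell_meta": any(b in SHELL_META for b in data)})
    return findings


def build_test_packet(notify_data):
    """Constructed IKE_SA_INIT packet (not a capture): a Vendor ID payload
    followed by a NO_PROPOSAL_CHOSEN Notify carrying notify_data."""
    vid = struct.pack("!BBH", PAYLOAD_NOTIFY, 0, 4 + 11) + b"constructed"
    notify_body = struct.pack("!BBH", 1, 0, NO_PROPOSAL_CHOSEN) + notify_data
    notify = struct.pack("!BBH", 0, 0, 4 + len(notify_body)) + notify_body
    body = vid + notify
    header = struct.pack("!QQBBBBII", 0x1122334455667788, 0, PAYLOAD_VENDOR_ID,
                         0x20, EXCH_IKE_SA_INIT, 0x08, 0, IKE_HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    print(suspicious_notify(build_test_packet(b"")))                # []
    print(suspicious_notify(build_test_packet(b"x; placeholder")))  # shell_meta True
```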

Let us look at an example of exploitation:

The payload shown above is a command injection attempt that tries to establish a reverse shell connection to the IP address on port 4444. If successful, it would open a shell on the target machine and potentially give the attacker control over it.

IOCs

Since the vulnerability exists within a logging function, it is possible to monitor the log files to understand whether a compromise may have occurred. The log file /tmp/sdwan/vpndebug.log displays the message “[cgnat] 4th cgnat convert wrong” if the vulnerable code path was triggered. It is important to note that this does not confirm exploitation occurred, only that the vulnerable code path was triggered.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15876 : Zyxel IKE Remote Command Execution
  • IPS 15898 : Zyxel IKE Remote Command Execution 2

The following Zyxel versions are vulnerable:

Affected series    Affected version
ATP                V4.60 to V5.35
USG FLEX           V4.60 to V5.35
VPN                V4.60 to V5.35
ZyWALL/USG         V4.60 to V4.73

Zyxel has issued a patch for this vulnerability.

Threat Graph

IPS 15898 signature hits in the past two weeks have maintained a consistent trend suggesting attackers are trying to exploit this vulnerability.

A look at the latest Snatch Ransomware

This week, the SonicWall Capture Labs Research team analyzed the latest Snatch ransomware. Snatch operates as ransomware-as-a-service (RaaS), a business model in which the malware authors lease the ransomware program to affiliates who then launch the attacks.

Infection Cycle:

The malware file arrives as an executable with a random name such as:

  • rljybc.exe

This ransomware is written in the Go language, as is apparent from the many references to Go packages in its strings.

go lang packages

Upon execution it creates multiple copies of the same batch file into the %temp% directory:

Simultaneously it also writes a randomly named file with a .dll extension that appears to be a library file.

But upon careful inspection, it actually was a log file of its execution showing files it had accessed and created.

The batch file created is used to run commands that delete shadow copies and disable services related to antivirus, backup software, databases and email, among many others.

It appends “.lqepjhgjczo” extension to all files it encrypts and adds the ransomware note to every directory in the system.

The ransom note only lists email addresses for reaching the malware authors; no ransom amount is mentioned. Presumably, the amount varies depending on the victim and how costly the disruption would be to the business or organization.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Snatch.RSM_13  (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Microsoft Security Bulletin Coverage for September 2023

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2023. A list of issues reported, along with SonicWall coverage information, is as follows:

CVE-2023-36802 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
ASPY 476: Exploit-exe exe.MP_338

CVE-2023-38142 Windows Kernel Elevation of Privilege Vulnerability
ASPY 479: Exploit-py py.MP_3

CVE-2023-38143 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 477: Exploit-exe exe.MP_339

CVE-2023-38144 Windows Common Log File System Driver Elevation of Privilege Vulnerability
ASPY 478: Exploit-exe exe.MP_340

CVE-2023-38148 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
IPS 4033: Windows ICS Remote Code Execution (CVE-2023-38148)

CVE-2023-38152 DHCP Server Service Information Disclosure Vulnerability
IPS 4032: Windows DHCP Server Information Disclosure (CVE-2023-38152)

The following vulnerabilities are under investigation:
CVE-2023-36761 Microsoft Word Information Disclosure Vulnerability
There are exploits in the wild; SonicWall is investigating this CVE.

The following vulnerabilities do not have exploits in the wild:
CVE-2023-29332 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-33136 Azure DevOps Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-35355 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36736 Microsoft Identity Linux Broker Arbitrary Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36739 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36740 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36742 Visual Studio Code Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36744 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36745 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36756 Microsoft Exchange Server Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36757 Microsoft Exchange Server Spoofing Vulnerability
There are no known exploits in the wild.
CVE-2023-36758 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36759 Visual Studio Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36760 3D Viewer Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36762 Microsoft Word Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36763 Microsoft Outlook Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36764 Microsoft SharePoint Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36765 Microsoft Office Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36766 Microsoft Excel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36767 Microsoft Office Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-36770 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36771 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36772 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36773 3D Builder Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36777 Microsoft Exchange Server Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36788 .NET Framework Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36792 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36793 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36794 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36796 Visual Studio Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-36799 .NET Core and Visual Studio Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-36800 Dynamics Finance and Operations Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-36801 DHCP Server Service Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36803 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-36804 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-36805 Windows MSHTML Platform Security Feature Bypass Vulnerability
There are no known exploits in the wild.
CVE-2023-36886 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-38139 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38140 Windows Kernel Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-38141 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38146 Windows Themes Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38147 Windows Miracast Wireless Display Remote Code Execution Vulnerability
There are no known exploits in the wild.
CVE-2023-38149 Windows TCP/IP Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38150 Windows Kernel Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38155 Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38156 Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38160 Windows TCP/IP Information Disclosure Vulnerability
There are no known exploits in the wild.
CVE-2023-38161 Windows GDI Elevation of Privilege Vulnerability
There are no known exploits in the wild.
CVE-2023-38162 DHCP Server Service Denial of Service Vulnerability
There are no known exploits in the wild.
CVE-2023-38163 Windows Defender Attack Surface Reduction Security Feature Bypass
There are no known exploits in the wild.
CVE-2023-38164 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
There are no known exploits in the wild.
CVE-2023-41764 Microsoft Office Spoofing Vulnerability
There are no known exploits in the wild.

RZML ransomware exfiltrates files, cookies and clipboard data

The SonicWall Capture Labs threats research team has been tracking a recent family of ransomware called RZML. This ransomware appeared in the wild over the last 7 days and appears to be a variant of the STOP/Djvu family. The sample we analyzed is a dropper that downloads multiple modules. In addition to encrypting files, which is standard practice for ransomware, it also steals files, clipboard and browser cookie data from the infected system. File decryption costs $490 USD in bitcoin after a “50% discount”. However, as we have seen with most ransomware today, exfiltrated files can be used later to apply additional pressure to pay up.

 

Infection Cycle:

 

Upon execution, the malware reports the infection to a C&C server, which replies with the public key used for file encryption:

 

It also requests data on what file types to target for exfiltration:

 

It proceeds to download the ransomware module and names it build2.exe:

 

It downloads a clipboard grabber component and names it build3.exe:

 

It also downloads htdocs.zip, which contains some utility DLLs, including an SQLite database module:

 

Files on the system are encrypted and given a .rzml extension.

 

The following files are added to the filesystem:

  • %USERPROFILE%\AppData\Roaming\Microsoft\Network\mstsca.exe [Detected as: GAV: ClipBanker.RSM (Trojan)]
  • %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build2.exe [Detected as: GAV: StopCrypt.RSM (Trojan)]
  • %USERPROFILE%\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build3.exe (copy of mstsca.exe) [Detected as: GAV: ClipBanker.RSM (Trojan)]
  • C:\SystemID\PersonalID.txt
  • %USERPROFILE%\AppData\Local\bowsakkdestx.txt
  • C:\ProgramData\55054064606124780548020057 (sqlite database)
  • _readme.txt (written to all directories with encrypted files)

 

The following registry entries are made:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
  • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store {malware file}
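As an added example (not code from the write-up and not the malware's code), the following Python checks a host for the artifacts listed above. Concrete paths are rewritten back to the %USERPROFILE% form the indicators use, the per-infection GUID directory is matched by pattern rather than by its literal value, and the Run key is checked for the SysHelper value. The detection labels are the signature names given in this write-up. The host snapshot at the bottom is constructed; on a real Windows host the path list would come from os.walk() and the Run values from the winreg module.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Indicators from the write-up above. The GUID-named directory changes per
# infection, so it is matched with a pattern rather than the literal value.
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
FILE_INDICATORS: List[Tuple[str, str]] = [
    (r"^%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Network\\mstsca\.exe$", "ClipBanker.RSM"),
    (r"^%USERPROFILE%\\AppData\\Local\\" + GUID + r"\\build2\.exe$", "StopCrypt.RSM"),
    (r"^%USERPROFILE%\\AppData\\Local\\" + GUID + r"\\build3\.exe$", "ClipBanker.RSM"),
    (r"^C:\\SystemID\\PersonalID\.txt$", "STOP/Djvu personal ID"),
    (r"^%USERPROFILE%\\AppData\\Local\\bowsakkdestx\.txt$", "STOP/Djvu public key"),
    (r"^C:\\ProgramData\\\d{20,}$", "exfiltration SQLite database"),
    (r"\\_readme\.txt$", "ransom note"),
]
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SysHelper"
ENCRYPTED_EXT = ".rzml"


def normalize(path: str, userprofile: str) -> str:
    """Rewrite a concrete profile path back to the %USERPROFILE% form the indicators use."""
    n = len(userprofile)
    if path[:n].lower() == userprofile.lower() and path[n:n + 1] == "\\":
        return "%USERPROFILE%" + path[n:]
    return path


def scan_files(paths: Iterable[str], userprofile: str) -> List[Tuple[str, str]]:
    """Return (path, label) for every path that matches an indicator."""
    hits = []
    for p in paths:
        n = normalize(p, userprofile)
        if n.lower().endswith(ENCRYPTED_EXT):
            hits.append((p, "encrypted file"))
            continue
        for pattern, label in FILE_INDICATORS:
            if re.search(pattern, n, re.IGNORECASE):
                hits.append((p, label))
                break
    return hits


def scan_run_keys(run_values: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """run_values maps a Run key path to its {value name: command} entries."""
    return [(key + "\\" + RUN_VALUE, values[RUN_VALUE])
            for key, values in run_values.items()
            if key.lower() == RUN_KEY.lower() and RUN_VALUE in values]


def triage(paths: Iterable[str], run_values: Dict[str, Dict[str, str]],
           userprofile: str) -> Dict[str, object]:
    files, run = scan_files(paths, userprofile), scan_run_keys(run_values)
    verdict = "RZML / STOP-Djvu indicators present" if files or run else "no indicators"
    return {"files": files, "run": run, "verdict": verdict}


# Constructed host snapshot, not captured from a real infection.
USERPROFILE = r"C:\Users\alice"
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\2bbb528e-26aa-4e54-82c0-428df9bab7e7\build2.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Network\mstsca.exe",
    r"C:\Users\alice\Documents\_readme.txt",
    r"C:\Users\alice\Documents\budget.xlsx.rzml",
    r"C:\SystemID\PersonalID.txt",
    r"C:\ProgramData\55054064606124780548020057",
    r"C:\Windows\System32\notepad.exe",
]
# The Run value's command is a placeholder; the write-up does not show its content.
SAMPLE_RUN = {RUN_KEY: {"SysHelper": r"C:\Users\alice\AppData\Roaming\Microsoft\Network\mstsca.exe"}}

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS, SAMPLE_RUN, USERPROFILE)
    for path, label in result["files"]:
        print(f"{label:30} {path}")
    print(result["run"], result["verdict"])
```

The GUID pattern and the all-digit ProgramData name are deliberately loose so the check survives the per-victim values changing; the fixed file names (mstsca.exe, bowsakkdestx.txt, PersonalID.txt) are the stable part of the STOP/Djvu footprint.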

 

PersonalID.txt contains the following data:

M5o7GW95xOUM45FRYk7SEflLRpNXVqiExQDcPCGh

 

bowsakkdestx.txt contains the public key that was downloaded earlier:

 

_readme.txt contains the following message:

 

When build3.exe is run, it calls the CreateMutex API with “M5/610HP/STAGE2” as the mutex name to check whether it is already running:

 

If the mutex is not already present, it proceeds to grab clipboard data:

 

 

The malware also steals browser cookies and stores them in an SQLite database. The following screenshot shows the database structure:

 

We visited chase.com and bankofamerica.com and can see the cookies stored in the database:

 

Targeted files, clipboard data and cookies stored in the sqlite database are uploaded to a remote server:

 

We reached out to the operator email addresses (support@freshmail.top, datarestorehelp@airmail.cc) stated in the ransom note and received the following reply:

 

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: ClipBanker.RSM (Trojan)
  • GAV: StopCrypt.RSM (Trojan)

 

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Linux Kernel KSMBD NULL Pointer Dereference Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  ksmbd is an in-kernel SMB server for Linux. It implements the server side of the SMB3 protocol used for sharing files over a network, and because it runs in kernel space it offers lower-overhead file sharing than a user-space server.

  A NULL pointer dereference vulnerability has recently been identified in ksmbd. Its root cause is insufficient validation of user-supplied data when the server processes compounded SMB2 requests. Because ksmbd runs inside the kernel, a fault in it takes down the whole system rather than a single service, which makes the flaw a substantial security concern.

  A remote, unauthenticated attacker can exploit the flaw by sending specially crafted packets to a vulnerable target. A successful attempt crashes the kernel, resulting in a denial of service: the targeted system is rendered inoperable until it is restarted.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-3866.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C).

  Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is unchanged.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 6.5 (E:U/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is unproven.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  A NULL pointer dereference vulnerability exists in the ksmbd kernel module when it processes compounded SMB2 requests. The validation of certain pointers can be skipped when the compound contains an SMB2_NEGOTIATE, SMB2_SESSION_SETUP or SMB2_ECHO request.

  The internal function __handle_ksmbd_work() handles each incoming SMB message. It calls smb2_check_user_session() to verify that the SMB2 message carries a valid session ID for the requested operation, and smb2_get_ksmbd_tcon() to verify that it carries a valid tree ID. For the three requests named above these checks always pass, because such requests are legitimately sent before a session exists.

  The vulnerability arises because the function does not account for one of these requests being the first message of a compounded request. If the NextCommand field of such a message is non-zero, the SMB2 requests that follow it in the chain bypass the validation, so the session or tree pointer they are processed with can still be NULL when it is dereferenced.
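  To make the compounding mechanics concrete, here is an added Python model; it is not ksmbd code and not an exploit (it never opens a socket). It packs and walks SMB2 headers using the layout from MS-SMB2, then runs each message of a chain through a model of the session check before and after the fix. The session table, the zero-filled message bodies and the names process_chain() and looks_like_cve_2023_3866() are my own; the "fixed" branch reconstructs the behaviour described above, namely that a later message in a compound must carry the session the first message established. The last function is the kind of heuristic an IPS signature for this issue would implement.

```python
import struct
from typing import Dict, List, Optional, Tuple

# SMB2 header layout from MS-SMB2 section 2.2.1 (64 bytes, little-endian).
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_FLAGS_RELATED_OPERATIONS = 0x00000004
NEGOTIATE, SESSION_SETUP, TREE_CONNECT, CREATE, CLOSE, ECHO = 0x00, 0x01, 0x03, 0x05, 0x06, 0x0D
# Commands that legitimately arrive before a session exists; ksmbd skips the
# session/tree check for them.
NO_SESSION_NEEDED = {NEGOTIATE, SESSION_SETUP, ECHO}


class Smb2Header:
    # ProtocolId, StructureSize, CreditCharge, Status, Command, CreditRequest,
    # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
    FMT = "<4sHHIHHIIQIIQ16s"

    def __init__(self, command: int, session_id: int = 0, tree_id: int = 0,
                 next_command: int = 0, flags: int = 0, message_id: int = 0):
        self.command, self.session_id, self.tree_id = command, session_id, tree_id
        self.next_command, self.flags, self.message_id = next_command, flags, message_id

    def pack(self) -> bytes:
        return struct.pack(self.FMT, SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0, self.command, 0,
                           self.flags, self.next_command, self.message_id, 0,
                           self.tree_id, self.session_id, b"\x00" * 16)

    @classmethod
    def unpack(cls, buf: bytes, off: int) -> "Smb2Header":
        f = struct.unpack_from(cls.FMT, buf, off)
        if f[0] != SMB2_MAGIC or f[1] != SMB2_HEADER_LEN:
            raise ValueError("not an SMB2 header at offset %d" % off)
        return cls(command=f[4], flags=f[6], next_command=f[7], message_id=f[8],
                   tree_id=f[10], session_id=f[11])


def build_compound(headers: List[Smb2Header], body_len: int = 8) -> bytes:
    """Chain messages: every header but the last gets NextCommand = its own length."""
    out = b""
    for i, h in enumerate(headers):
        h.message_id = i
        h.next_command = SMB2_HEADER_LEN + body_len if i < len(headers) - 1 else 0
        if i > 0:
            h.flags |= SMB2_FLAGS_RELATED_OPERATIONS
        out += h.pack() + b"\x00" * body_len   # body content is irrelevant to the check
    return out


def walk_compound(buf: bytes, max_chain: int = 16) -> List[Smb2Header]:
    """Follow NextCommand offsets as the server does, with bounds checks."""
    off, chain = 0, []
    while len(chain) < max_chain:
        if off + SMB2_HEADER_LEN > len(buf):
            raise ValueError("truncated header at offset %d" % off)
        h = Smb2Header.unpack(buf, off)
        chain.append(h)
        if h.next_command == 0:
            return chain
        if h.next_command < SMB2_HEADER_LEN or h.next_command % 8:
            raise ValueError("invalid NextCommand %d" % h.next_command)
        off += h.next_command
    raise ValueError("compound chain too long")


SESSIONS: Dict[int, str] = {0x1234: "sess-A"}   # constructed session table


def process_chain(chain: List[Smb2Header], fixed: bool) -> List[str]:
    """Model of the per-message session check. work_sess plays the role of
    work->sess: looked up for the first message, reused for the rest of the chain."""
    work_sess: Optional[Tuple[int, str]] = None
    outcomes = []
    for i, h in enumerate(chain):
        if h.command in NO_SESSION_NEEDED:
            outcomes.append("skip")            # no session required for this command
            continue
        if i == 0:                             # first message: real lookup
            name = SESSIONS.get(h.session_id)
            work_sess = (h.session_id, name) if name else None
            outcomes.append("ok" if work_sess else "reject")
            if not work_sess:
                break
            continue
        if fixed:                              # later message: must match the first
            if work_sess is None or work_sess[0] != h.session_id:
                outcomes.append("reject")
                break
            outcomes.append("ok")
        else:                                  # pre-fix: trust work->sess blindly
            outcomes.append("ok" if work_sess else "NULL-DEREF")
    return outcomes


def looks_like_cve_2023_3866(chain: List[Smb2Header]) -> bool:
    """Detection heuristic: a compound that opens with a session-less command and
    goes on to a command that needs a session or tree."""
    return (len(chain) > 1 and chain[0].command in NO_SESSION_NEEDED
            and any(h.command not in NO_SESSION_NEEDED for h in chain[1:]))
```

  The heuristic is intentionally narrow: a chain that starts with CREATE and continues with CLOSE under the same session is normal SMB2 traffic and is not flagged, while a chain that starts with NEGOTIATE or ECHO and then asks for an operation on a session or tree has no legitimate purpose.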

Triggering the Problem:

  • The vulnerable system must be listening on the SMB port (TCP/445) and accept incoming connections.
  • The attacker must have network connectivity to the target system.

Triggering Conditions:

  The attacker establishes an SMB connection to the targeted ksmbd server and then sends it a compounded request containing the malicious content described above. Administrators should keep ksmbd servers patched and monitor for unexpected connection attempts.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • SMB/CIFS
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4022 Linux Kernel ksmbd NULL Pointer Dereference 1
  • IPS: 19332 Linux Kernel ksmbd NULL Pointer Dereference 2
  • IPS: 19333 Linux Kernel ksmbd NULL Pointer Dereference 3

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Configuring the vulnerable product to allow access from trusted clients only.
    • Updating to a non-vulnerable version of the product.
    • Filtering attack traffic using the signatures above.
  The vendor has released the following commit regarding this vulnerability:
  Vendor Advisory

Rockwell Automation Integer Overflow Vulnerability

Overview:

  SonicWall Capture Labs Threat Research Team has observed the following threat:

  Rockwell Automation’s ThinManager manages thin clients, mobile devices, cameras and industrial devices. It comprises a client and a server component: the client is used to configure devices, while the server handles data transfer and client requests. To keep data consistent across an installation, ThinManager servers synchronize with each other over TCP port 2031 using a proprietary message protocol. Each message begins with a Type value; the Type 13 messages are the ones relevant to this vulnerability.

  An integer overflow vulnerability has been identified in the Rockwell Automation ThinManager ThinServer. Its root cause is improper validation of input when processing Type 13 synchronization messages.

  A remote, unauthenticated attacker can exploit the flaw by sending a specially crafted request to the targeted server. Successful exploitation terminates the ThinServer process, resulting in a denial of service.

  Vendor Homepage

CVE Reference:

  This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-2914.

  CVE Listing

Common Vulnerability Scoring System (CVSS):

  The overall CVSS score is 7.7 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C).

  Base score is 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), based on the following metrics:
    • Attack vector is network.
    • Attack complexity is low.
    • Privileges required is none.
    • User interaction is none.
    • Scope is changed.
    • Impact of this vulnerability on data confidentiality is none.
    • Impact of this vulnerability on data integrity is none.
    • Impact of this vulnerability on data availability is high.
  Temporal score is 7.7 (E:P/RL:O/RC:C), based on the following metrics:
    • The exploit code maturity level of this vulnerability is proof of concept.
    • The remediation level of this vulnerability is official fix.
    • The report confidence level of this vulnerability is confirmed.

  CVSS Calculator Metrics

Technical Overview:

  The vulnerability arises because the value of the “Length of data” field is not checked before it is used. It is added to the current position pointer, which is 12 (0xC) at that point, without any prior validation.

  If the “Length of data” field holds a value greater than 2,147,483,635 (0x7FFFFFF3), adding the position pointer overflows the signed 4-byte integer and the resulting “calcLength” value becomes negative. A negative “calcLength” passes the check that it is less than or equal to “remainLength”.

  Because that check is satisfied, memcpy() is then called with an excessively large “Size” parameter, which leads to an out-of-bounds read and the termination of the server.
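  As an added example (my reconstruction, not ThinServer code; the proprietary message layout is not reproduced, only the length check), the following Python models the signed 32-bit arithmetic described above beside a hardened check that never forms pos + length. It goes one step beyond the text: bypass_lengths() also tries the full 32-bit wrap, where 0xFFFFFFFF + 12 wraps to a small positive value that passes the vulnerable check just as a negative one does.

```python
import struct
from typing import Callable, List

POS = 12            # current position pointer when "Length of data" is consumed, per the write-up
INT32_MAX = 0x7FFFFFFF


def to_int32(v: int) -> int:
    """Two's-complement wrap to a signed 4-byte integer, as the server's arithmetic does."""
    return struct.unpack("<i", struct.pack("<I", v & 0xFFFFFFFF))[0]


def vulnerable_check(length_of_data: int, remain_length: int) -> bool:
    """The check as described: calcLength = pos + length in signed 32-bit arithmetic."""
    calc_length = to_int32(POS + length_of_data)
    return calc_length <= remain_length         # a negative (or wrapped) calcLength passes


def hardened_check(length_of_data: int, remain_length: int) -> bool:
    """Validate both operands, then compare the length against what remains after
    the position pointer; no addition that could overflow is ever formed."""
    if not (0 <= length_of_data <= INT32_MAX) or remain_length < POS:
        return False
    return length_of_data <= remain_length - POS


def handle_type13(length_of_data: int, remain_length: int,
                  check: Callable[[int, int], bool]) -> str:
    """What follows the check: memcpy(dst, src, length_of_data) on the remaining bytes."""
    if not check(length_of_data, remain_length):
        return "rejected"
    available = remain_length - POS
    if length_of_data > available:
        return "out-of-bounds read: memcpy size 0x%X exceeds the %d bytes left" % (
            length_of_data, available)
    return "copied %d bytes" % length_of_data


def bypass_lengths(remain_length: int) -> List[int]:
    """Boundary values around the overflow point that the vulnerable check accepts
    but the hardened one rejects; 0x7FFFFFF3 itself is the last value that is caught."""
    candidates = [INT32_MAX - POS, INT32_MAX - POS + 1, 0xFFFFFFFF - POS, 0xFFFFFFFF]
    return [n for n in candidates
            if vulnerable_check(n, remain_length) and not hardened_check(n, remain_length)]


if __name__ == "__main__":
    for n in (100, INT32_MAX - POS, INT32_MAX - POS + 1, 0xFFFFFFFF):
        print("0x%08X vulnerable=%-5s hardened=%-5s -> %s" % (
            n, vulnerable_check(n, 1024), hardened_check(n, 1024),
            handle_type13(n, 1024, vulnerable_check)))
```

  The fix pattern is the general one for length-prefixed parsers: subtract the consumed offset from the remaining size and compare the untrusted length against that difference, rather than adding the untrusted length to the offset.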

Triggering the Problem:

  • The target must be running a vulnerable version of the software.
  • The attacker must have network access to the vulnerable software.

Triggering Conditions:

  The attacker first requests a connection with the server. Once the server accepts it, the attacker sends a Type 13 message whose “Length of data” field holds an unusually large value, which triggers the vulnerability.

Attack Delivery:

  The following application protocols can be used to deliver an attack that exploits this vulnerability:
    • Rockwell Automation ThinManager ThinServer Synchronization Protocol

  Attack Packet:
  

SonicWall’s Intrusion Prevention System (IPS) provides protection against this threat:

  • IPS: 4020 Rockwell Automation ThinServer Integer Overflow

Remediation Details:

  The risks posed by this vulnerability can be mitigated or eliminated by:
    • Applying the vendor-supplied patch to eliminate this vulnerability.
    • Filtering traffic based on the signature above.
  The vendor has released the following advisory regarding this vulnerability:
  Vendor Advisory