Use after free in WebRTC Perf in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-1133

Inappropriate implementation in Web Cursor in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who had compromised the renderer process to obscure the contents of the Omnibox (URL bar) via a crafted HTML page.

CVE-2022-1138

Inappropriate implementation in Resource Timing in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CVE-2022-1146

Heap buffer overflow in WebUI in Google Chrome prior to 100.0.4896.60 allowed a remote attacker who convinced a user to engage in specific user interaction to potentially exploit heap corruption via specific input into DevTools.

CVE-2022-1142

Type confusion in V8 in Google Chrome prior to 100.0.4896.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2022-1134

PrestaShop 1.6.0.10 through 1.7.x before 1.7.8.2 allows remote attackers to execute arbitrary code, aka a "previously unknown vulnerability chain" related to SQL injection, as exploited in the wild in July 2022.

Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites. For details, please read the entire article.

**What’s happening**

The maintainer team has been made aware that malicious actors are exploiting a combination of known and unknown security vulnerabilities to inject malicious code in PrestaShop websites, allowing them to execute arbitrary instructions, and potentially steal customer’s payment information.

While investigating this attack, we found a previously unknown vulnerability chain that we are fixing. At the moment, however, we cannot be sure that it’s the only way for them to perform the attack. To the best of our understanding, this issue seems to concern shops based on versions 1.6.0.10 or greater, subject to SQL injection vulnerabilities. Versions 1.7.8.2 and greater are not vulnerable unless they are running a module or custom code which itself includes an SQL injection vulnerability. Note that versions 2.0.0~2.1.0 of the Wishlist (blockwishlist) module are vulnerable.

**How the attack works**

The attack requires the shop to be vulnerable to SQL injection exploits. To the best of our knowledge, the latest version of PrestaShop and its modules are free from these vulnerabilities. We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability.

According to our conversations with shop owners and developers, the recurring modus operandi looks like this:

1.  The attacker submits a POST request to the endpoint vulnerable to SQL injection.
2.  After approximately one second, the attacker submits a GET request to the homepage, with no parameters. This results in a PHP file called blm.php being created at the root of the shop’s directory.
3.  The attacker now submits a GET request to the new file that was created, blm.php, allowing them to execute arbitrary instructions.

After the attackers successfully gained control of a shop, they injected a fake payment form on the front-office checkout page. In this scenario, shop customers might enter their credit card information on the fake form, and unknowingly send it to the attackers.

While this seems to be the common pattern, attackers might be using a different one, by placing a different file name, modifying other parts of the software, planting malicious code elsewhere, or even erasing their tracks once the attack has been successful.

**What to do to keep your shop safe**

First of all, make sure that your shop and all your modules are updated to their latest version. This should prevent your shop from being exposed to known and actively exploited SQL injection vulnerabilities.

According to our current understanding of the exploit, attackers might be using MySQL Smarty cache storage features as part of the attack vector. This feature is rarely used and is disabled by default, but it can be enabled remotely by the attacker. Until a patch has been published, we recommend physically disabling this feature in PrestaShop’s code in order to break the attack chain.

To do so, locate the file config/smarty.config.inc.php on your PrestaShop install, and remove lines 43-46 (PrestaShop 1.7) or 40-43 (PrestaShop 1.6):

    if (Configuration::get('PS_SMARTY_CACHING_TYPE') == 'mysql') {
        include _PS_CLASS_DIR_.'Smarty/SmartyCacheResourceMysql.php';
        $smarty->caching_type = 'mysql';
    }
    

**How to tell if you have been affected**

Consider looking at your server’s access log for the attack pattern explained above. This is an example shared by a community member:

    - [14/Jul/2022:16:20:56 +0200] "POST /modules/XXX/XXX.php HTTP/1.1" 200 82772 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14"
     
    - [14/Jul/2022:16:20:57 +0200] "GET / HTTP/1.1" 200 63011 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
     
    - [14/Jul/2022:16:20:58 +0200] "POST /blm.php HTTP/1.1" 200 82696 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0"
    

(Note: the vulnerable module’s path has been modified for security reasons)

Be aware that not finding this pattern on your logs doesn’t necessarily mean that your shop has not been affected by the attack: the complexity of the exploit means that there are several ways of performing it, and attackers might also try and hide their tracks.

Consider contacting a specialist to perform a full audit of your site and make sure that no file has been modified nor any malicious code has been added.

**Additional information**

A patch version is currently being tested, and should be released soon.

We would like to take the opportunity to stress out once more the importance of keeping your system updated to prevent such attacks. This means regularly updating both your PrestaShop software and its modules, as well as your server environment.

CVE-2022-36408: Major Security Vulnerability on PrestaShop Websites

Candiru attackers breached a news agency employee website to target journalists with DevilsTongue spyware, researchers say.

A zero-day vulnerability in Google Chrome was used by the established spyware group Candiru to compromise users in the Middle East — specifically journalists in Lebanon.

Avast researchers said attackers compromised a website used by news agency employees in Lebanon, and injected code. That code identified specific, targeted users and routed them to an exploit server. From there, the attackers collect a set of about 50 data points, including language, device type, time zone, and much more, to verify that they have the intended target.

At the very end of the exploit chain, the attackers drop DevilsTongue spyware, the team noted.

"Based on the malware and TTPs used to carry out the attack, we can confidently attribute it to a secretive spyware vendor of many names, most commonly known as Candiru," the Avast researchers explained.

The original vulnerability (CVE-2022-2294), discovered by the same Avast team, was the result of a memory corruption flaw in WebRTC. Google issued a patch on July 4.

"The vulnerabilities discovered here are definitely serious, particularly because of how far-reaching they are in terms of the number of products affected — most modern desktop browsers, mobile browsers, and any other products using the affected components of WebRTC," James Sebree, senior staff research engineer with Tenable, said via email. "If successfully exploited, an attacker could potentially execute their own malicious code on a given victim's computer and install malware, spy on the victim, steal information, or perform any other number of nefarious deeds."

But, Sebree added, the original heap overflow flaw is complicated to exploit and won't likely result in widespread, generalized attacks.

"It's likely that any attacks utilizing this vulnerability are highly targeted," Sebree explained. "While it's unlikely that we will see generalized attacks exploiting this vulnerability, the chances are not zero, and organizations must patch accordingly."

Candiru (aka Sourgum, Grindavik, Saito Tech, and Taveta) allegedly sells the DevilsTongue surveillance malware to governments around the world. The Israeli company was founded by engineers who left NSO Group, maker of the infamous Pegasus spyware.

The US Commerce Department added Candiru to its "Entity List" last year, effectively banning trade with the company. The list is used to restrict those deemed to pose a risk to US national security or foreign policy.

Google Chrome Zero-Day Weaponized to Spy on Journalists

Use after free in New Tab Page in Google Chrome prior to 99.0.4844.74 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific user interactions.

CVE-2022-0980

By Deeba Ahmed
The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims…
This is a post from HackRead.com Read the original post: Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

****The spyware vendor Candiru used the Chrome zero-day in March 2022 to target journalists and other unsuspected victims in Palestine, Turkey, and Yemen and Lebanese journalists.****

Antivirus firm Avast has identified a serious flaw in the Chrome browser. According to Avast’s report, the Chrome browser vulnerability, which Google patched earlier this month, is tracked as CVE-2022-2294.

The vulnerability is linked to Candiru aka Saito Tech, an Israel-based spyware vendor that offers governments hacking-for-hire services. It is worth noting that the flaw was identified by Avast and disclosed to Google on 1st July 2022, and a fix was released on 4th July with Chrome 103.

**Vulnerability Details**

Avast reported that someone exploited the zero-day flaw already to spy on Lebanese journalists. Like NSO Group’s Pegasus Spyware, Candiru’s spyware is also used by law enforcement agencies and governments to confront crime and terrorism.

However, as per Avast’s research, Candiru’s spyware was used to target political dissidents, journalists, and critics of authoritarian and repressive regimes. The US Commerce Department sanctioned Candiru for its involvement in anti-US activities.

**Who Were the Targets?**

According to Avast, Candiru used the Chrome zero-day in March 2022 to target people in Palestine, Turkey, and Yemen and Lebanese journalists. In Lebanon, Candiru also compromised a news agency website.

The screenshot shared by Avast shows the malicious code injected into the compromised website stylishblockcom

Avast malware researcher Jan Vojtěšek stated that it is currently unclear why the attackers targeted people in the Middle East, particularly journalists. However, the company is sure that its primary objective was to spy on them and collect sensitive data and information. Such an attack is a blatant violation of freedom of speech and press freedom.

**How Was Zero-Day Exploited?**

As per the Avast report, the attacker planted the Chrome zero-day exploit on the Lebanese news agency website to collect 50 data points from the target’s browser, which includes timezone, language, screen information, browser plugins, device type, and device memory.

Hence, the attacker ensured their target’s device was fully compromised before delivering the spyware payload, which Avast claims matches a Windows-based malware DevilsTongue and Microsoft uncovered it in a previous attack involving Candiru.

It is worth noting that this is government-grade spyware capable of stealing messages, call logs, and photos from the victim’s phone, as well as tracking their location in real-time. Users must quickly update the Chrome browser to stay protected. Separate patches have been released by Apple Safari and Microsoft Edge as these use WebRTC.

Your Chrome browser is likely one of the most important pieces of software on your computer. It’s where you do all your online work, so keeping it up-to-date is essential for your security and productivity. Here’s how to update Chrome on Windows, Mac, and Linux:

**Windows:** Open Chrome and go to the menu in the top right corner. Click “Help” and then “About Google Chrome.” If there’s an update available, you’ll be able to download it from there.

**Mac:** Open Chrome and go to the menu in the top left corner. Click “Chrome” and then “About Google Chrome.” If there’s an update available, you’ll be able to download it from there.

**Linux:** Open a terminal window and type “sudo apt update && sudo apt upgrade google-chrome-stable.

**More Chrome and Spyware News**

1.  5 Ways to Protect Your Privacy on Google Chrome
2.  Predator Spyware Using Zero-day to Target Android Devices
3.  iPhones of 9 State Dept officials hijacked by NSO Pegasus spyware
4.  Pakistani Android users hit by spyware campaign with malicious apps
5.  ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

The Better PDF Exporter add-on 10.0.0 for Atlassian Jira is prone to stored XSS via a crafted description to the PDF Templates overview page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ﻿Advisory ID: SYSS-2022-038 Product: Better PDF Exporter for Jira Manufacturer: Midori Global Consulting Kft. Affected Version(s): 10.0.0 Tested Version(s): 9.6.0 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Low Solution Status: Open Manufacturer Notification: 2022-05-27 Solution Date: - Public Disclosure: 2022-07-22 CVE Reference: CVE-2022-36131 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Better PDF Exporter is an add-on for Jira to export Jira artifacts to PDF files. The manufacturer describes the product as follows (see \[1\]): "Better PDF Exporter exports Jira issues to PDF documents to share, print, email, archive and report issues in the standard business document file format." Due to insufficient input validation of user-provided input, Better PDF Exporter is vulnerable to cross-site scripting attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The 'PDF Templates' overview is prone to a stored cross-site scripting attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the web browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer\[1\] was used in a local Jira Server\[4\] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The 'PDF Template' view in the administration back end can be exploited for an attack. After entering the attack vector "" in the description field of a PDF template, the following request is sent to the server: POST /rest/com.midori.jira.plugin.pdfview/1.0/pdf-resource/30 HTTP/2 Host: \[REDACTED\] Cookie: Content-Length: 153 Sec-Ch-Ua:"Not A;Brand";v="99","Google Chrome";v="101" Accept: \*/\* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: "Linux" Origin: \[REDACTED\] Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: \[REDACTED\]/secure/update-pdf-resource.jspa?id=30 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 name=Pentest.pdf&description=%3cscript%3ealert('SySS\_PXSS\_PoC')%3b%3c %2fscript%3e&content=content By calling the 'PDF Template' overview page through the URL "https://\[REDACTED\]/secure/pdf-resources.jspa", the payload is loaded and executed. The payload is listed in the following response: ... Pentest.pdf

Tag

#chrome