Peppermint Ticket Management before 0.2.4 allows remote attackers to read arbitrary files via a /api/v1/users/file/download?filepath=./../ POST request.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-46863: Vulnerability: Arbitrary File Download (unauthenticated) · Issue #108 · Peppermint-Lab/peppermint

Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: google

Tags: dynamic search ads

Tags: python

Tags: pycharm

Tags: malware

Dynamically generated ads can be problematic when the content they are created from has been compromised.



(Read more...)




The post 'Accidental' malvertising via Dynamic Search Ads delivers malware frenzy appeared first on Malwarebytes Labs.

Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating one. Today, we look at a different scenario where, as strange as that may sound, malvertising was entirely accidental.

The reason this happened was due to the combination of two separate factors: a compromised website and Google Dynamic Search Ads.

Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it. Victims who clicked on the ad were taken to a hacked webpage with a link to download the application, which turned out to install over a dozen different pieces of malware instead.

**Compromised website promotes software crack**

While we identified the compromised ad before the website, we will first describe what happens from the point of view of the site owner to better understand what led to the ad creation in the first place.

This website is for a business that specializes in wedding planning and their portfolio includes testimonials from previous customers sharing their story and experience. Unfortunately, some of those pages have been injected with malware that spams malicious content into them.

In particular, it changes the page's title and creates an overlay that promotes a serial key for various software programs. For example, the screenshot below shows that overlay advertising a license key for Pycharm, a popular program used by software developers:

**Malvertising via Dynamic Search Ad**

Dynamic Search Ads (DSA) are a type of Google ads that use the content of a website to automate the creation of ads. While this feature is very handy for advertisers, it also comes with the unlikely but potential for abuse. Indeed, if someone is able to modify the website's content without the owner's knowledge, automated ads may be entirely misleading.

Circling back to where our investigation started, this is what we first saw when doing a Google search for 'pycharm'. The ad's headline is showing "JetBrains PyCharm Professional" while the content snippet has gathered a bunch of keywords related to the wedding business. Obviously, there is a discrepancy here between what the ad's title promotes (a program for developers) and the ad's description (wedding planning).

What happened here is Google Ads dynamically generated this ad from the hacked page, which makes the website owner an unintentional intermediary and victim paying for their own malicious ad.

**Fake serial leads to malware bonanza**

People searching for PyCharm may not take the time to read the ad's description, but instead will simply click on the headline. From there, they will be redirected to the compromised page showing the overlay with the link to download the serial key. While not everyone will proceed at this point, those who do will have an experience they aren't likely to forget:

Running this installer will result in a deluge of malware infections the like we have only seen on rare occasions, rendering the computer completely unusable:

Sometimes, an unexperienced criminal may want to monetize as many software loads as possible in order to earn a commission on each. Clearly this is not an elegant attack as the victim will be aware their computer has been loaded with unwanted programs.

Whatever the case may be, downloading cracks or serial keys is akin to walking across a mine field, and you typically only do it once.

**Summary**

This incident is not your typical malvertising case and in fact, it's unlikely that whoever hacked that website was even aware of this happening. Compromised sites can be monetized in many different ways and usually threat actors expect traffic to come from organic search results, not ads.

From an ad quality point of view, this would be difficult to detect in the sense that the ad has been paid for by a legitimate business and takes users to the correct destination. There is no malicious redirect to a fake domain that attempts to deceive users like we have seen before.

Google may be able to detect that the website has been compromised because it contains spam injections. If that is the case, Dynamic Search Ads may inadvertently promote malicious content.

We recommend users to practice safe browsing and always be cautious with sponsored content. Downloading cracked software has never been a good idea, but if you do, always make sure it is clean before you run it.

We have informed the wedding planner business that their website is currently compromised and leading to malicious content.

Malwarebytes already detected all the payloads with its anti-malware and heuristic engines:

**Indicators of Compromise**

Download URL for fake serial:

eplangocview\[.\]com/wp-download/File.7z

Subsequent malware download URLs:

roberthamilton\[.\]top/timeSync\[.\]exe  
109\[.\]107\[.\]182\[.\]2/race/bus50\[.\]exe  
171\[.\]22\[.\]28\[.\]226/download/Services\[.\]exe  
experiment\[.\]pw/setup294\[.\]exe  
medfioytrkdkcodlskeej\[.\]net/987123\[.\]exe  
171\[.\]22\[.\]28\[.\]226/download/WWW14\_64\[.\]exe  
185\[.\]172\[.\]128\[.\]69/newumma\[.\]exe  
194\[.\]169\[.\]175\[.\]233/setup\[.\]exe  
171\[.\]22\[.\]28\[.\]221/files/Ads\[.\]exe  
171\[.\]22\[.\]28\[.\]213/3\[.\]exe  
lakuiksong\[.\]known\[.\]co\[.\]ke/netTimer\[.\]exe  
stim\[.\]graspalace\[.\]com/order/tuc19\[.\]exe  
neuralshit\[.\]net/1298d7c8d865df39937f1b0eb46c0e3f/7725eaa6592c80f8124e769b4e8a07f7\[.\]exe  
pic\[.\]himanfast\[.\]com/order/tuc15\[.\]exe  
85\[.\]217\[.\]144\[.\]143/files/My2\[.\]exe  
galandskiyher5\[.\]com/downloads/toolspub1\[.\]exe  
gobr1on\[.\]top/build\[.\]exe  
flyawayaero\[.\]net/baf14778c246e15550645e30ba78ce1c\[.\]exe  
632432\[.\]space/385118/setup\[.\]exe  
yip\[.\]su/RNWPd\[.\]exe  
potatogoose\[.\]com/1298d7c8d865df39937f1b0eb46c0e3f/baf14778c246e15550645e30ba78ce1c\[.\]exe  
185\[.\]216\[.\]71\[.\]26/download/k/KL\[.\]exe  
walkinglate\[.\]com/watchdog/watchdog\[.\]exe  
walkinglate\[.\]com/uninstall\[.\]exe

'Accidental' malvertising via Dynamic Search Ads delivers malware frenzy


When the isula cp command is used to copy files from a container to a host machine and the container is controlled by an attacker, the attacker can escape the container.



627 **add bind mount file lock**

已合并

zhongtao:20.03-lts-sp1 src-openEuler:openEuler-20.03-LTS-SP1

 zhongtao 创建于 2023-09-19 15:07

克隆/下载

HTTPS SSH

复制

下载 Email Patch 下载 Diff 文件

add bind mount file lock

相关issue：#I82QEQ:在链接 glibc库场景下，当nsswitch工具动态加载一个包含容器内容的chroot库时，代码注入可能会发生。

怎样手动合并此 Pull Request

git checkout openEuler-20.03-LTS-SP1

git pull https://gitee.com/taotao-sauce/src-iSulad.git 20.03-lts-sp1

git push origin openEuler-20.03-LTS-SP1

评论 30 提交 1 文件 2 代码问题 0

展开设置 折叠设置

审查

审查人员

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

测试

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

优先级

不指定

严重

主要

次要

不重要

标签

openeuler-cla/yes

ci\_successful

sig/iSulad

关联 Issue

I82QEQ

在链接 glibc库场景下，当nsswitch工具动态加载一个包含容器内容的chroot库时，代码注入可能会发生。

Pull Request 合并后将关闭上述关联 Issue

里程碑

未关联

参与者 （3）

CVE-2021-33638: add bind mount file lock · Pull Request !627 · src-openEuler/iSulad - Gitee.com

iSulad uses the lcr+lxc runtime (default) to run malicious images, which can cause DOS.



251 **set env to avoid invoke lxc binary directly**

已合并

jake:jikai/set\_lxc\_memfd\_rexec src-openEuler:openEuler-22.03-LTS

jake 创建于 2023-09-18 19:25

克隆/下载

HTTPS SSH

复制

下载 Email Patch 下载 Diff 文件

#I842X9:CVE-2021-33634:CVE-2021-33634

怎样手动合并此 Pull Request

git checkout openEuler-22.03-LTS

git pull https://gitee.com/jikai11/src-openEuler-lcr.git jikai/set\_lxc\_memfd\_rexec

git push origin openEuler-22.03-LTS

评论 21 提交 1 文件 2 代码问题 0

展开设置 折叠设置

审查

审查人员

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

测试

haomintsai

caihaomin

JingWoo

jingwoo

haozi007

duguhaotian

jingxiaolu

jingxiaolu

未设置

最少人数

0

优先级

不指定

严重

主要

次要

不重要

标签

openeuler-cla/yes

lgtm

ci\_successful

sig/iSulad

关联 Issue

I842X9

CVE-2021-33634

Pull Request 合并后将关闭上述关联 Issue

里程碑

未关联

参与者 （4）

CVE-2021-33634: set env to avoid invoke lxc binary directly · Pull Request !251 · src-openEuler/lcr - Gitee.com

Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.

CVE-2023-5838

Privilege Chaining in GitHub repository hestiacp/hestiacp prior to 1.8.9.

CVE-2023-5839

Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9.

CVE-2023-5840

Plus: Details emerge of a US government social media-scanning tool that flags “derogatory” speech, and researchers find vulnerabilities in the global mobile communications network.

As the Israel-Hamas war raged on this week and Israel expanded its ground invasion of the Gaza Strip, the territory's compromised internet infrastructure and access to connectivity went fully dark on Friday, leaving Palestinians without access to ground or mobile data connections. Meanwhile, researchers are bracing for the fallout if Hamas makes good on its threats to distribute hostage execution videos online. And TikTokkers are using a niche livestreaming feature and exploiting the Israeli-Hamas conflict to collect virtual gifts from viewers, a portion of which goes to the social media company as a fee.

As the worst mass shooting in Maine's history unfolded this week and the gunman remained at large, disinformation about the situation and the suspect flooded social media, adding to the already chaotic and horrific situation. Elon Musk, the owner of X (formerly Twitter) posted remarks earlier this month mocking Ukrainian president Vlodymr Zelensky that were met with a flood of support and enthusiasm from Russian trolls and accounts distributing pro-Russia propaganda.

The US federal foreign intelligence collection tool—a frequently abused surveillance authority—known as Section 702 is facing its demise at the end of the year despite being viewed as the “crown jewel” of US surveillance powers. So far, no members of Congress have introduced a bill to prevent its January 1 sunset. And the identity-management platform Okta suffered a breach that had implications for nearly 200 of its corporate clients and brought up memories of a similar hack the company suffered last year that also had knock-on effects for customers.

An EU government body has been pushing a controversial proposal with far-reaching privacy implications in an attempt to combat child sexual abuse material, but its most outspoken advocates recently added to the drama significantly by essentially launching an influence campaign to support its passage. The long-foreseen nightmare of using generative AI to create digital child abuse materials has arrived with a flood of images, some of which are completely fabricated while others depict real victims generated from old datasets.

We also went deep this week on a situation in which hackers say they can crack a locked USB drive that contains a massive 7,002 bitcoins, worth about $235 million—but the drive's owner hasn't let them try.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

A cryptominer that never seemed to generate very much cryptocurrency for its creators is part of a larger digital espionage campaign, according to researchers from security firm Kaspersky Lab. The platform, which they call StripedFly, has infected more than 1 million Windows and Linux targets globally since 2017. StripedFly is modular and has multiple components for compromising targets' devices and collecting different types of data, indicating that it was likely created as part of a well-funded state espionage program, not a cybercriminal enterprise. It also includes an update mechanism so attackers can distribute improvements and new functionality to the malware.

StripedFly can, among other things, steal access credentials from compromised devices; take screenshots; grab databases, sensitive files, videos, or other information of interest; and record live audio by compromising a target's microphone. Notably, StripedFly uses an innovative, custom Tor client to mask communication and exfiltration between the malware and its command-and-control servers. It also has a ransomware component that attackers have occasionally deployed. It infects targets initially using a customized version of the notorious EternalBlue exploit leaked from the US National Security Agency.

Documents reviewed by 404 Media shed new light on US Immigration and Customs Enforcement’s scanning and database tool for identifying “derogatory” online speech about the US. Dubbed Giant Oak Search Technology (GOST), it assists ICE agents in scanning social media posts. According to the documents, they then use the findings in immigration enforcement actions.

One of the documents shows a GOST catchphrase, “We see the people behind the data,” and a user guide from the documents says GOST is “capable of providing behavioral-based internet search capabilities.” ICE agents can search the system for specific names, addresses, email addresses, and countries of citizenship. The documents say that “potentially derogatory social media can be reviewed within the interface.”

The world’s telephony networks have often been built on legacy infrastructure and with a convoluted maze of interconnections. The system enables mobile data access across much of the world, but its complexity and the collision of new and archaic technologies can lead to vulnerabilities. This week, University of Toronto’s Citizen Lab published extensive research on the degree to which roaming arrangements between mobile providers contain security issues that can be exploited to track devices, and by extension the people who own them. The flaw comes from a lack of protection on the communications between cell towers as you, for instance, travel on a train, ride a motorcycle, or walk around town. The concern is that governments, criminals, or other snoops can manipulate the weaknesses in these handoff communications to track device locations. “These vulnerabilities are most often tied to the signaling messages that are sent between telecommunications networks which expose the phones to different modes of location disclosure,” Citizen Lab researchers wrote.

This Cryptomining Tool Is Stealing Secrets

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow.

Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backend
Note: the vulnerability is about the information exposed in the logs not about accessing the logs.

This issue affects Apache Airflow Celery provider: from 3.3.0 through 3.4.0; Apache Airflow: from 1.10.0 through 2.6.3.

Users are recommended to upgrade Airflow Celery provider to version 3.4.1 and Apache Airlfow to version 2.7.0 which fixes the issue.



CVE-2023-46215: Remove sensitive information from Celery executor warning by hussein-awala · Pull Request #34954 · apache/airflow

An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32 function of libr/arch/p/nds32/nds32-dis.h.

\[CVE ID\] CVE-2023-46570 \[PRODUCT\] Radare2: Libre Reversing Framework for Unix Geeks \[AFFECTED VERSION\] radare2 5.8.9 and earlier version. \[PROBLEM TYPE\] global-buffer-overflow \[DESCRIPTION\] radare2 5.8.9 has global-buffer-overflow \[TECHNICAL DETAILS\] radare2 5.8.9 has global-buffer-overflow at /radare2/libr/arch/p/nds32/nds32-dis.h:1219:33 in print\_insn32 r2 -A -q poc \[35mWARN:\[0m Relocs has not been applied. Please use \`-e bin.relocs.apply=true\` or \`-e bin.cache=true\` next time \[33mINFO:\[0m Analyze all flags starting with sym. and entry0 (aa) \[33mINFO:\[0m Analyze imports (af@@@i) \[35mWARN:\[0m set your favourite calling convention in \`e anal.cc=?\` ================================================================= ==3834323==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8504840958 at pc 0x7f8503865014 bp 0x7fffb6824670 sp 0x7fffb6824668 READ of size 8 at 0x7f8504840958 thread T0 #0 0x7f8503865013 in print\_insn32 /home/user/fuzzing\_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1219:33 #1 0x7f8503865013 in print\_insn\_nds32 /home/user/fuzzing\_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1276:3 #2 0x7f8503865882 in decode /home/user/fuzzing\_radare2/radare2/libr/arch/p/nds32/plugin.c:135:13 #3 0x7f8503362c85 in r\_arch\_decode /home/user/fuzzing\_radare2/radare2/libr/arch/arch.c:320:9 #4 0x7f8501a629cf in r\_anal\_op /home/user/fuzzing\_radare2/radare2/libr/anal/op.c:186:8 #5 0x7f8501a68433 in fcn\_recurse /home/user/fuzzing\_radare2/radare2/libr/anal/fcn.c:746:11 #6 0x7f8501a72172 in r\_anal\_function\_bb /home/user/fuzzing\_radare2/radare2/libr/anal/fcn.c:1558:9 #7 0x7f8501a72172 in r\_anal\_function /home/user/fuzzing\_radare2/radare2/libr/anal/fcn.c:1696:12 #8 0x7f85057b4fff in \_\_core\_anal\_fcn /home/user/fuzzing\_radare2/radare2/libr/core/canal.c:857:12 #9 0x7f85057b4008 in r\_core\_anal\_fcn /home/user/fuzzing\_radare2/radare2/libr/core/canal.c:2077:6 #10 0x7f85054e8561 in r\_core\_af /home/user/fuzzing\_radare2/radare2/libr/core/./cmd\_anal.inc.c:4341:2 #11 0x7f8505507c00 in r\_core\_anal\_all /home/user/fuzzing\_radare2/radare2/libr/core/./cmd\_anal.inc.c #12 0x7f8505621491 in cmd\_anal\_all /home/user/fuzzing\_radare2/radare2/libr/core/./cmd\_anal.inc.c:12932:4 #13 0x7f8505537429 in cmd\_anal /home/user/fuzzing\_radare2/radare2/libr/core/./cmd\_anal.inc.c:14267:8 #14 0x7f85063c3940 in perform\_analysis /home/user/fuzzing\_radare2/radare2/libr/main/radare2.c:499:2 #15 0x7f85063b931d in r\_main\_radare2 /home/user/fuzzing\_radare2/radare2/libr/main/radare2.c:1720:4 #16 0x5629af31552d in main /home/user/fuzzing\_radare2/radare2/binr/radare2/radare2.c:114:9 #17 0x7f8506029d8f in \_\_libc\_start\_call\_main csu/../sysdeps/nptl/libc\_start\_call\_main.h:58:16 #18 0x7f8506029e3f in \_\_libc\_start\_main csu/../csu/libc-start.c:392:3 #19 0x5629af257444 in \_start (/home/user/fuzzing\_radare2/radare2/binr/radare2/radare2+0x1f444) (BuildId: 655cd64f4959101bcf192e77bc6bf062577e0708) 0x7f8504840958 is located 40 bytes to the left of global variable 'mnemonic\_mem' defined in 'p/nds32/nds32-dis.h:60:20' (0x7f8504840980) of size 344 0x7f8504840958 is located 8 bytes to the right of global variable 'mnemonic\_br2' defined in 'p/nds32/nds32-dis.h:103:20' (0x7f85048408e0) of size 112 SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/fuzzing\_radare2/radare2/libr/arch/p/nds32/nds32-dis.h:1219:33 in print\_insn32 Shadow bytes around the buggy address: 0x0ff1209000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff1209000e0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0ff1209000f0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff120900100: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 0x0ff120900110: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00 =>0x0ff120900120: 00 00 00 00 00 00 00 00 00 00 f9\[f9\]f9 f9 f9 f9 0x0ff120900130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff120900140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff120900150: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 0x0ff120900160: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff120900170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3834323==ABORTING \[Reporter\] Gandalf4a \[Solution\] Update Radare2 to 5.9.0 or newer version or lastst commit. \[References\] https://github.com/radareorg/radare2/ https://github.com/radareorg/radare2/issues/22334 https://github.com/radareorg/radare2/commit/2e2f2a9b1800d09be09461e7536ac03a301f97f2 \[Disclosure Timeline\] 2023-10-21 - Issue reported to vendor 2023-10-22 - Vendor responded and confirmed the issues 2023-10-22 - Vendor fix the issues 2023-10-27 - CVE Team RESERVED CVE-2023-46570 for this issue 2023-10-28 - Public Release

Tag

#git