By Habiba Rashid
A Barcelona-based company, a spyware vendor named Variston IT, is exploiting flaws under the guise of a custom cybersecurity solutions provider.
This is a post from HackRead.com Read the original post: Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

On 30th November, Google’s Threat Analysis Group (TAG) reported that a Barcelona-based company, actually a spyware vendor, named Variston IT has been exploiting n-day vulnerabilities in Chrome, Firefox, and **Microsoft Defender** under the guise of a custom cybersecurity solutions provider. 

In their detailed technical report, TAG explained that Variston IT had been using their exploitation framework called Heliconia to install spyware on the targeted devices. The researchers at Google received an anonymous submission to Chrome’s bug reporting program which brought to their attention the exploitation framework.

Heliconia actually contains three separate exploitation frameworks. One of them is used to compromise the Chrome renderer bug so that it can escape the walls of the app’s sandbox and run malware on the operating system.

Another one is used to deploy **malicious PDF documents** containing an exploit for Windows Defender (a built-in antivirus engine in the newer versions of Windows).  The last framework is for compromising Windows and Linux machines by using a set of Firefox exploits. 

A manifest file in the source code provides a product description (Image: Google)

In its **report**, the tech giant observed that the Heliconia exploit is successful against Firefox versions 64 to 68, which suggests that it was created and used as early as December 2018 when Firefox 64 first came out.

Google, Microsoft, and Mozilla fixed the vulnerabilities in 2021 and early 2022. They further stated that, although they had not detected active exploitation, it is likely that the vulnerabilities had been exploited before they could be fixed.

1.  **Google cracks down on sites with ties to hack-for-hire groups**
2.  **Israeli Spyware Vendor Use Chrome 0day to Target Journalists**
3.  **ISPs Helping Attackers Install Hermit Spyware on Smartphones**
4.  **Malware vendor returns with yet another nasty Android malware**
5.  **European Spyware Vendor Offer Android and iOS Device Exploits**

According to Google, **commercial spyware vendors** put advanced surveillance capabilities in the hands of governments who can then use them to spy on journalists, human rights activists, political opposition, and dissidents.

Therefore, there needs to be more transparency to ensure that companies adhere to their stated ethical standards in whom they make transactions with and whom they target with their products.

It is advised that users keep their Chrome and other software up-to-date with the security patches to ensure full protection against Heliconia.

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Spyware Vendor Variston Exploited Chrome, Firefox and Windows 0-days

IXPdata EasyInstall 6.6.14725 contains an access control issue.

%PDF-1.7 %���� 1 0 obj <>/Metadata 115 0 R/ViewerPreferences 116 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��X�o�6~7�����3�Mi( 4itX�5��T�v��V\*�I��~w�%׉��8?I������Hr���zu����\[�^�&Wo�ɗ�Q��$��0�SM� ��4�t���?��tr5�N.�+�����'B3\*-��P�����~�d\]��d�ߒ���tBf���������n�?�������u:�T��(�⟢Y��M���yce�+���.�����J�R-ϰVj.������5!��\]���/�nM"���^��mJ�4e����70���.�Q�ػx&�\]���)b�����&���,����\\�\[��g6�c΢��1�(�/�C=�s��n���~���ʙ�!�Ԙ�~���\\���i�qTc���jt�MV=A���Wu�����} ��P���>�/�jh<W}+��G�(�����D��5�k���6�=�E�{���DZ�潚�h�%:��٠�L5#��,��X�.9=��A��g��"�� �2n�T�|p%Y@g����J�3l�%�P��S����AgD΄�"����\*��� �TC�%a�ip\\ʇK�� �����R��U��Үt��s K��/-��H�I�c|���d���&w-m}ٰ=br�FJ��;�����\]�,{����ﮠX��l&ܵ��v�lڀ��\[xl�����T���u���p��)U'U\`�o�������|����@��0��� �\]v��j��v� F+��/���{ 'ib�A �0���s�uU��s�����(3Ti�4#x��G� ������^ݴЕz�G#��5�?��ݷ��Q����;���wr�N��85����v��l���׏y��%Vղ�\_�Bn�D��I�$���� �?�bW�~T������#��b��SD+#�^@��?++A�g ��FV�{XW�m;�\*jm�3ga3�J����N�mX1�K�������9��L�:r�i�ӯ}שiê�N�� �ٲ�z>�xF�.kjE{�\`�\]�k?�@�N�F/�ӄ �g�E��G��NK;�>ǒ�jF �PPf��އ��GH�yy���k<�}x\*�����p�o\]sx�2��3'�\*{�z'U!�eVX�5Y�۬O� x�P�A{d2�4yI�s���Ȍ�j�P�-2�R6Y��p���}�,�iX$��a���N�0j>)�!���\`��a������T"p �Z���S�ׇ!�8c��9���� endstream endobj 5 0 obj <> endobj 6 0 obj <> endobj 7 0 obj <> endobj 8 0 obj <> endobj 9 0 obj <>/ExtGState<>/XObject<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 841.92\] /Contents 10 0 R/Group<>/Tabs/S/StructParents 1>> endobj 10 0 obj <> stream x���n�6�݀�����0���h.�R�\[��f�-;Be+�����s��KEЉ-�X�I������)ް��ӏחL��oV�J6'���ٌ�\_^�����@2�����a�+y�"�N>��6����tr�N2�r᲻�t���,p�p\\x>w}v��}�o�\*�j����~{?�0�x������݇�� n�k:���J\`CH��VZ�mbKi�}����|c��\]+�}kɪ�dt�d�� B���h�H�R;E����� �\`��}�Z� ���A�l�Y����X�CR�8b�3�=(� Lm�Z=ß"��>i7.�l���۵ �uj�����6گ���~#=�@�k���-�� ��"n���|yƵj|D|��!<��G

CVE-2022-35120

A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.
"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to

A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.

"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device," Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up.

Variston, which has a bare-bones website, claims to "offer tailor made Information Security Solutions to our customers," "design custom security patches for any kind of proprietary system," and support the "the discovery of digital information by \[law enforcement agencies\]," among other services.

The vulnerabilities, which have been patched by Google, Microsoft, and Mozilla in 2021 and early 2022, are believed to have been utilized as zero-days to help customers install malware of their choice on the targeted systems.

Heliconia comprises a trio of components, namely Noise, Soft, and Files, each of which are responsible for deploying exploits against bugs in Chrome, Windows, and Firefox, respectively.

Noise is designed to take advantage of a security flaw in the Chrome V8 engine JavaScript engine that was patched in August 2021 as well as an unknown sandbox escape method called "chrome-sbx-gen" to enable the final payload (aka "agent") to be installed on targeted devices.

However, the attack banks on the prerequisite that the victim accesses a booby-trapped webpage to trigger the first-stage exploit.

Heliconia Noise can be additionally configured by the purchaser using a JSON file to set different parameters like the maximum number of times to serve the exploits, an expiration date for the servers, redirect URLs for non-target visitors, and rules specifying when a visitor should be considered a valid target.

Soft is a web framework that's engineered to deliver a decoy PDF document featuring an exploit for CVE-2021-42298, a remote code execution flaw impacting Microsoft Defender that was fixed by Redmond in November 2021. The infection chain, in this case, entailed the user visiting a malicious URL, which then served the weaponized PDF file.

The Files package – the third framework – contains a Firefox exploit chain for Windows and Linux that leverages a use-after-free flaw in the browser that was reported in March 2022 (CVE-2022-26485). However, it's suspected that the bug was likely abused since at least 2019.

Google TAG said it became aware of the Heliconia attack framework after receiving an anonymous submission to its Chrome bug reporting program. It further noted that there's no current evidence of exploitation, either indicating the toolset has been put to rest or evolved further.

The development arrives more than five months after the tech giant's cybersecurity division linked a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software outfit, RCS Lab.

"The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, and Windows Zero-Days

### Description
An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

### References
* https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
* https://github.com/advisories/GHSA-8x94-hmjh-97hq

**Sinatra vulnerable to Reflected File Download attack**

High severity GitHub Reviewed Published Nov 30, 2022 in sinatra/sinatra • Updated Nov 30, 2022

GHSA-2x8x-jmrp-phxw: Sinatra vulnerable to Reflected File Download attack

The Heliconia hacking tool exploited vulnerabilities in Chrome, Windows Defender, and Firefox, according to company security researchers.

The commercial spyware industry has increasingly come under fire for selling powerful surveillance tools to anyone who can pay, from governments to criminals around the world. Across the European Union, details of how spyware has been used to target activists, opposition leaders, lawyers, and journalists in multiple countries have recently touched off scandals and calls for reform. Today, Google's Threat Analysis Group announced action to block one such hacking tool that targeted desktop computers and was seemingly developed by a Spanish firm.

The exploitation framework, dubbed Heliconia, came to Google's attention after a series of anonymous submissions to the Chrome bug reporting program. The disclosures pointed to exploitable vulnerabilities in Chrome, Windows Defender, and Firefox that could be abused to deploy spyware on target devices, including Windows and Linux computers. The submission included source code from the Heliconia hacking framework and called the vulnerabilities Heliconia Noise, Heliconia Soft, and Files. Google says the evidence points to the Barcelona-based tech firm Variston IT as the developer of the hacking framework.

“The findings indicate that we have many small players within the spyware industry, but with strong capabilities related to zero days,” TAG researchers told WIRED, referring to unknown, unpatched vulnerabilities. 

Variston IT did not respond to a request for comment from WIRED. The company's director, Ralf Wegner, told TechCrunch that Variston was not given the opportunity to review Google’s research and could not validate it. He added that he “would be surprised if such item was found in the wild.” Google confirmed that the researchers did not contact Variston IT in advance of publication, as is the company's standard practice in these types of investigations. 

Google, Microsoft, and Mozilla patched the Heliconia vulnerabilities in 2021 and 2022, and Google says it has not detected any current exploitation of the bugs. But evidence in the bug submissions indicates that the framework was likely being used to exploit the flaws starting in 2018 and 2019, long before they were patched. Heliconia Noise exploited a Chrome renderer vulnerability and a sandbox escape, while Heliconia Soft used a malicious PDF laced with a Windows Defender exploit, and Files deployed a group of Firefox exploits for Windows and Linux. TAG collaborated on the research with members of Google's Project Zero bug-hunting group and the Chrome V8 security team.

The fact that Google does not see current evidence of exploitation may mean that the Heliconia framework is now dormant, but it might also indicate that the hacking tool has evolved. “It could be there are other exploits, a new framework, their exploits didn’t cross our systems, or there are other layers now to protect their exploits,” TAG researchers told WIRED.

Ultimately, the group says its goal with this type of research is to shed light on the commercial spyware industry's methods, technical capabilities, and abuses. TAG created detections for Google's Safe Browsing service to warn about Heliconia-related sites and files, and the researchers emphasize that it's always important to keep software up to date.

“The growth of the spyware industry puts users at risk and makes the internet less safe,” TAG wrote in a blog post about the findings. “And while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups.”

Google Moves to Block Invasive Spanish Spyware Framework

Red Hat Security Advisory 2022-8680-01 - 389 Directory Server is an LDAP version 3 compliant server. The base packages include the Lightweight Directory Access Protocol server and command-line utilities for server administration.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: 389-ds:1.4 security update  
Advisory ID:       RHSA-2022:8680-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8680  
Issue date:        2022-11-29  
CVE Names:         CVE-2022-2850  
====================================================================  
1. Summary:

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise  
Linux 8.4 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The  
base packages include the Lightweight Directory Access Protocol (LDAP)  
server and command-line utilities for server administration.

Security Fix(es):

* 389-ds-base: SIGSEGV in sync_repl (CVE-2022-2850)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2118691 - CVE-2022-2850 389-ds-base: SIGSEGV in sync_repl

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.8.4):

Source:  
389-ds-base-1.4.3.16-24.module+el8.4.0+17207+46c15e64.src.rpm

aarch64:  
389-ds-base-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-debugsource-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-devel-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-legacy-tools-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-libs-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-libs-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-snmp-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm  
389-ds-base-snmp-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.aarch64.rpm

noarch:  
python3-lib389-1.4.3.16-24.module+el8.4.0+17207+46c15e64.noarch.rpm

ppc64le:  
389-ds-base-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-debugsource-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-devel-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-legacy-tools-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-libs-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-libs-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-snmp-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm  
389-ds-base-snmp-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.ppc64le.rpm

s390x:  
389-ds-base-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-debugsource-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-devel-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-legacy-tools-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-libs-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-libs-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-snmp-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm  
389-ds-base-snmp-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.s390x.rpm

x86_64:  
389-ds-base-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-debugsource-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-devel-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-legacy-tools-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-legacy-tools-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-libs-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-libs-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-snmp-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm  
389-ds-base-snmp-debuginfo-1.4.3.16-24.module+el8.4.0+17207+46c15e64.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-2850  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY4ZVq9zjgjWX9erEAQgN6w/9FgnFBwtvSCkPKVbDSE8QF3euT0AaeSkW  
FZG525zWkhudCbSrrKPdFqEjCfQ4Rg5r05DSB4YKrXNDgNskbjP6zz5RGe7JC1gm  
Wm8y2WbGb9XGkzNXkccFV0+ns70bKmNnzjijdGgo9BKouQl5/8k7xhpgB44xHIxn  
Qj4rclpCoob9MJfsCyNMtsKufDHgDOnB3h2uBNcuARcnH07FWFbYv4X849pK6hcW  
Izfek5N3urm3jfktJyj7lBoe1PKdTAps+VxSOuSFwLcHUejJOJo7hFsaNX+Gy0m/  
RHcINkOeRc83UDsV7qsw+A4v7THkAtW9tiu8r8ascVDzxcDZEFYG1IvJ86KJeu/V  
0zP4B61xSmF63g2s1U7Ua5mzi7RnYLyJCPlbyN4x6kzlUdJnrs92RSmU8Bt9ZqkS  
9fXmwkoHk2TO7qgSwd09T1bYzWgvFwOHKVkulcpOJezFye9q6hJnZroloZiGT3tK  
VZO1s/nL55KNGC0PVQANHSbj/hBKHXABgdhvZYjzUTNtr9KAo4GJLoTY8qfr9gSg  
eIkyQMDZaB//XgyIjGs4ZdsWN6HFa0uhm2FRwHMm1OJ4uy8WLYWogKoTFI+HH3Bz  
2Gn+83pAebqmvBh+RkXMjd7h5hrq5nKw+ym1FAam5BBzk6X/md8XSlPOves6beUw  
zVN0canYLeI=yNU6  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8680-01

The framework has ties back to a Spanish exploit broker called Variston IT, and offers a one-stop shop for compromising Chrome, Defender and Firefox.

Google's Threat Analysis Group (TAG) has discovered a cyberattack framework dubbed Heliconia, built to exploit zero-day and n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. It likely has connections to a gray-market spyware broker called Variston IT, which highlights how this shadowy segment is flourishing.

The Heliconia threat consists of three modules:

*   Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
*   Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
*   And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.

TAG became aware of the threat after receiving an anonymous submission to the Chrome bug reporting program. Upon further investigation, the Heliconia framework's source code was found to contain a script that points back to Variston IT, a Barcelona-headquartered entity that claims to provide "custom security solutions."

Commercial spyware is often sold by organizations claiming to be legitimate companies, for "use by law enforcement." However, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition and dissidents," according to a TAG posting on Wednesday.

Researchers noted that Variston IT is firmly in the middle of this proliferating market — a space that has seen sanctioning by the United States and others against organizations like the infamous NSO Group, creator of the Pegasus spyware.

"The commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe," TAG researchers added. "While surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups."

So far, none of the modules has been seen in current attacks in the wild, but TAG researchers noted that they've likely been deployed in the past, including using the exploits they contain as zero-days before they were fixed.

Google TAG Warns on Emerging Heliconia Exploit Framework for RCE

Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via resign, private message, manual log, time interval, attshift, and holiday. An authenticated administrator can read local files by exploiting XSS into a pdf generator when exporting data as a PDF

CVE-2022-38802

Zkteco BioTime < 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS into a pdf generator when exporting data as a PDF

Employee can exploit XSS into local file read using PDF generator in Zkteco Biotime

Security Advisory

Topic: Employee can exploit XSS into local file read using PDF generator in Zkteco Biotime

Category: Zkteco Biotime

Module: webgui

Announced: 01-09-2022

Credits: Ahmed Kameran From https://technobase.krd/ -- https://twitter.com/hamoshwani

CVE ID: CVE-2022-38803

Affects: BioTime - < 8.5.3 Build:20200816.447

Corrected: BioTime - > 8.5.3 Build:20200816.447

1\. Background

BioTime 8.0 is a powerful web-based time and attendance management software that provides a stable connection to ZKTeco's

standalone push communication devices by Ethernet/Wi-Fi/GPRS/3G and working as a private cloud to

offer employee self-service by mobile application and web browser.

2\. Problem Description

A Cross-Site Scripting (XSS) vulnerabilities was found in

BioTime BioTime - < 8.5.3 Build:20200816.447 that could lead to local file read when an employee try to export injected payload using pdf

the pdf generator will simply execute the javascript code inside the injected payload that can lead to Local file read

Vulenrable models:

1- When requesting for leave

Parameter: reason

2- When requesting for overtime

Parameter: reason

3- When requesting for Manual log

Parameter: reason

3\. Impact

Due to the lack of proper encoding on the affected parameters susceptible to

XSS, arbitrary JavaScript could be executed by pdf generator's headless browser that could lead to local file read

4\. Solution

Users can upgrade to 8.5.4 or later.

Please find latest version from the Zkteco main website or they provide hardcopy of the software when you buy an Iface or any attendance devices make sure

You install versions higher than 8.5.3

Tag

#pdf