Threat hunters can help build defenses as they work with offensive security teams to identify potential threats and build stronger threat barriers.

Over the last few years, an influx of high-profile industry security issues (PDF) have placed offensive tactics among the top priorities for corporations to help mitigate the risk of a potential attack. With many companies opting to continue remote and hybrid working environments, potential security risks cannot go ignored or be left to chance, and an emphasis on developing greater defensive security tactics, working in tandem with offensive security teams, is essential for identifying behaviors of potential threats and building stronger barriers against evolving challengers.

Threat hunting, in particular, has emerged as a must-have security component for companies. It encompasses the tasks of identifying patterns of threat behaviors and hunting for anomalies and changes occurring in an environment based on suspicious activity — with the goal of building defenses to combat threats.

But what makes a successful threat-hunting program? The reality is that identifying suspicious activity may not be as straightforward as it seems. It requires a comprehensive approach with proactive manual detection, constant communication between teams, and an investment in the right people to bring the process to life.

**Hunting for the Right Skills**

Threat hunting requires a human touch to thoroughly review suspicious patterns and scour the environment for threats that haven't yet been identified by a company's existing security tooling and processes. It's a heavily strategic game of cat and mouse to find potential adversaries and advanced persistent threats (APTs), predict their next move, and stop them in their tracks.

A successful threat hunter needs to have a thorough understanding of their environment, the known threats their team has faced, and the ability to problem-solve and think critically about hidden avenues adversaries could take to gain access. In a way, this is the ultimate detective work, and it becomes the building blocks for designing better defensive protocols. Investing in the right people on the team and fostering a culture of open communication is essential.

To receive leads or hunt ideas, Adobe's threat-hunting team has created a messaging bot app that security teams, such as the security operations center or incident response, can use to have seamless collaboration with the hunt team. Once hunts are completed, hunt reports are shared with the cross-functional security teams and relevant stakeholders to improve the existing security posture of the organization.

The hunt team works hand-in-hand with the detection function to help improve current methods and input new data based on emerging tactics used by adversaries. They also collaborate closely with the team responsible for central operational security data to help identify gaps, misconfigurations, and bolster enrichments to help security teams utilize that data more effectively.

However, while threat hunting tends to mainly rely on manual processes, automated processes and machine learning can certainly aid in the hunting effort. Aggregated data analytics can help to quickly find anomalies in data patterns within a company's network, shortening the time teams need to spend combing through data.

At Adobe, we are building multiple UEBA (user and entity behavior analytics) pipelines using machine learning and advanced data analytics to review large volumes of log data and help us spot anomalies that indicate a user's or entity's behavior change. These anomalies are turned into hunt leads (or alerts) after further enrichment and correlation for human review and escalation when needed.

**Stopping Adversaries in their Tracks**

With the right team in place, security teams can begin mapping out their plan of attack and strategy to identify APTs:

*   Rally behind a hypothesis of how adversaries could potentially gain access to the network
*   Create a clear goal for the program (e.g., reducing time adversaries spend in the network, reduce the number of high-impact threats, etc.)
*   Analyze data for anomalies and work cross-team to build new, improved defenses

Not all threat-hunting campaigns will be equally successful, so it's just as important to create a plan for tailoring threat-hunting programs as your company collects more insights on current data trends and adversaries. Be honest with your teams about what's working, what isn't, and new ways to leverage machine learning and other tools to support your goals.

When combined with offensive tactics, threat hunting is a valuable addition to your security efforts. It should be viewed as an ever-evolving strategic approach to identify potential issues, and an essential component of a successful, comprehensive security program.

The Makings of a Successful Threat-Hunting Program

kkFileView v4.0.0 was discovered to contain an arbitrary file deletion vulnerability via the fileName parameter at /controller/FileController.java.

问题描述Description

kkFileview v4.0.0存在任意文件删除漏洞，可能导致系统任意文件被删除。

kkFileview v4.0.0 has an arbitrary file deletion vulnerability, which may lead to arbitrary file being deleted.

漏洞位置vulerable code location

src/main/java/cn/keking/web/controller/FileController.java文件78行，fileName参数用户可控，由于只截取"/"后面的内容作为文件名，导致可以利用“.."来实现目录遍历，导致任意文件删除漏洞。

The vulnerability code is located at line 78 in src/main/java/cn/keking/web/controller/FileController.java, the fileName parameter can be controlled by user. and it fetch the content after "/" as fileName, which leads to we can use ".." to achieve directory traverse that result in arbitrary file deletion.

@RequestMapping(value = "deleteFile", method = RequestMethod.GET)  
public String deleteFile(String fileName) throws JsonProcessingException {  
if (fileName.contains("/")) {  
fileName = fileName.substring(fileName.lastIndexOf("/") + 1);  
}  
File file = new File(fileDir + demoPath + fileName);  
logger.info("删除文件：{}", file.getAbsolutePath());  
if (file.exists() && !file.delete()) {  
logger.error("删除文件【{}】失败，请检查目录权限！",file.getPath());  
}  
return new ObjectMapper().writeValueAsString(ReturnResponse.success());  
}

漏洞证明PoC  
/deleteFile?fileName=demo%2F..\\calc.pdf  
get请求此uri会删除\\kkFileView-master\\server\\src\\main\\file目录中的calc.pdf（原本只能删除\\kkFileView-master\\server\\src\\main\\file\\demo目录下的文件)

POC  
/deleteFile?fileName=demo%2F..\\calc.pdf  
request this uri by HTTP GET method will delete \\kkFileView-master\\server\\src\\main\\file\\calc.pdf (which logically should delete \\kkFileView-master\\server\\src\\main\\file\\demo\\calc.pdf)

免责声明：请勿使用漏洞在他人部署的服务上进行测试、攻击，否则所有法律责任自行承担。

CVE-2022-36593: kkFileView arbitrary file deletion vulnerability · Issue #370 · kekingcn/kkFileView

### Impact
Possible ReDoS with lib input of `{{` and with many repetitions of `{{|`.

### Patches
Patched in all versions above `0.2.5`

### Workarounds
No known work arounds.

### References
- OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)
- Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).
- Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).
- James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).
- Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).
- Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).




**Polynomial regular expression used on uncontrolled data in nitrado.js**

High severity GitHub Reviewed Published Aug 31, 2022 in cainthebest/nitrado.js • Updated Aug 31, 2022

GHSA-vqc4-v8hc-h2jg: Polynomial regular expression used on uncontrolled data in nitrado.js

XPDF v4.0.4 was discovered to contain a segmentation violation via the component /xpdf/AcroForm.cc:538.

ycdxsb

**Posts:** 2

**Joined:** Wed Jul 13, 2022 2:09 am

**segmemtation fault at xpdf-4.04/xpdf/AcroForm.cc:538**

version:4.04  
reproduce: pdftotext poc.pdf

Code: Select all

    pwndbg> bt
    #0  0x000055555561d7c9 in gAtomicIncrement (counter=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at /root/xpdf-4.04/goo/GMutex.h:67
    #1  0x000055555561d832 in Dict::incRef (this=0x5555557d1960) at /root/xpdf-4.04/xpdf/Dict.h:40
    #2  0x000055555568a4d5 in Object::copy (this=0x5555557b7bc8, obj=0x7fffff7ff1b0) at /root/xpdf-4.04/xpdf/Object.cc:93
    #3  0x00005555556b2f47 in XRef::fetch (this=0x5555557b74e0, num=233, gen=0, obj=0x7fffff7ff1b0, recursion=0) at /root/xpdf-4.04/xpdf/XRef.cc:1212
    #4  0x000055555568a575 in Object::fetch (this=0x5555557cfaf8, xref=0x5555557b74e0, obj=0x7fffff7ff1b0, recursion=0) at /root/xpdf-4.04/xpdf/Object.cc:116
    #5  0x000055555561d6b1 in Dict::lookup (this=0x5555557cebb0, key=0x5555556dd841 "Parent", obj=0x7fffff7ff1b0, recursion=0) at /root/xpdf-4.04/xpdf/Dict.cc:125
    #6  0x000055555568b126 in Object::dictLookup (this=0x7fffff7ff1c0, key=0x5555556dd841 "Parent", obj=0x7fffff7ff1b0, recursion=0) at /root/xpdf-4.04/xpdf/Object.h:267
    #7  0x00005555555fad06 in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff250) at /root/xpdf-4.04/xpdf/AcroForm.cc:538
    #8  0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff2d0) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #9  0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff350) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #10 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff3d0) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #11 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff450) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #12 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff4d0) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #13 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff550) at /root/xpdf-4.04/xpdf/AcroForm.cc:548
    #14 0x00005555555fad9b in AcroForm::scanField (this=0x5555557b6b60, fieldRef=0x7fffff7ff5d0) at /root/xpdf-4.04/xpdf/AcroForm.cc:548

Attachments

poc.pdf.zip

(30.31 KiB) Downloaded 44 times

CVE-2022-36561: segmemtation fault at xpdf-4.04/xpdf/AcroForm.cc:538 - forum.xpdfreader.com

res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation.

Asterisk Project Security Advisory - AST-2021-006

 

**Product**

Asterisk

**Summary**

Crash when negotiating T.38 with a zero port

**Nature of Advisory**

Remote Crash

**Susceptibility**

Remote Authenticated Sessions

**Severity**

Minor

**Exploits Known**

No

**Reported On**

February 20, 2021

**Reported By**

Gregory Massel

**Posted On**

March 4, 2021

**Last Updated On**

March 4, 2021

**Advisory Contact**

bford AT sangoma DOT com

**CVE Name**

CVE-2019-15297

 

**Description**

When Asterisk sends a re-invite initiating T.38 faxing and the endpoint responds with a m=image line and zero port, a crash will occur in Asterisk. This is a reoccurrence of AST-2019-004.

**Modules Affected**

res\_pjsip\_t38.c

 

**Resolution**

If T.38 faxing is not required then setting “t38\_udptl” on the endpoint to “no” disables this functionality. This option is “no” by default.

If T.38 faxing is required, then Asterisk should be upgraded to a fixed version.

  

**Affected Versions**

**Product**

**Release Series**

Asterisk Open Source

16.x

16.16.1

Asterisk Open Source

17.x

17.9.2

Asterisk Open Source

18.x

18.2.1

Certified Asterisk

16.x

16.8-cert6

 

**Corrected In**

**Product**

**Release**

Asterisk Open Source

16.16.2, 17.9.3, 18.2.2

Certified Asterisk

16.8-cert7

 

**Patches**

**Patch URL**

**Revision**

https://downloads.digium.com/pub/security/AST-2021-006-16.diff

Asterisk 16

https://downloads.digium.com/pub/security/AST-2021-006-17.diff

Asterisk 17

https://downloads.digium.com/pub/security/AST-2021-006-18.diff

Asterisk 18

https://downloads.digium.com/pub/security/AST-2021-006-16.8.diff

Certified Asterisk 16.8

 

**Links**

https://issues.asterisk.org/jira/browse/ASTERISK-29203

https://downloads.asterisk.org/pub/security/AST-2021-006.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-006.pdf and https://downloads.digium.com/pub/security/AST-2021-006.html

  

**Revision History**

**Date**

**Editor**

**Revisions Made**

February 25, 2021

Ben Ford

Initial revision

March 4, 2021

Ben Ford

Added ‘posted on’ date

Asterisk Project Security Advisory - AST-2021-006  
Copyright © 02/25/2021 Digium, Inc. All Rights Reserved.  
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.

CVE-2021-46837: AST-2021-006

Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc.

*   CVE-2018-7173: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-7174: fixed in 4.01 \[XRef.cc\]
    
*   CVE-2018-7175: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-7452: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-7453: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2018-7454: fixed in 4.01 \[XFAForm.cc\]
    
*   CVE-2018-7455: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8100: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8101: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8102: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-8103: fixed in 4.01 \[JBIG2Stream.cc\]
    
*   CVE-2018-8104: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8105: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8106: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-8107: fixed in 4.01 \[JPXStream.cc\]
    
*   CVE-2018-11033: fixed in 4.00
    
*   CVE-2018-16368: fixed in 4.01 \[Splash.cc\]
    
*   CVE-2018-16369: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2018-18454: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18455: fixed in 4.01 \[GfxState.cc\]
    
*   CVE-2018-18456: fixed in 4.01 \[Gfx.cc\]
    
*   CVE-2018-18457: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18458: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18459: fixed in 4.01 \[Stream.cc\]
    
*   CVE-2018-18650: reporting an out-of-memory errors is the proper response
    
*   CVE-2018-18651: fixed in 4.01 \[Catalog.cc\]
    
*   CVE-2019-9587: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2019-9588: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2019-9589: fixed in 4.02 \[PSOutputDev.cc\]
    
*   CVE-2019-9877: fixed in 4.02 \[Lexer.cc\]
    
*   CVE-2019-10020 / CVE-2019-10024 / CVE-2019-10025: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-12360: fixed in 4.02 \[FoFiTrueType.cc\]
    
*   CVE-2019-12493: fixed in 4.02 \[GfxState.cc\]
    
*   CVE-2019-12515: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-12957: fixed in 4.02 \[FoFiType1C.cc\]
    
*   CVE-2019-12958: fixed in 4.02 \[FoFiType1C.cc\]
    
*   CVE-2019-13281: fixed in 4.02 \[Stream.cc\]
    
*   CVE-2019-13282: fixed in 4.02 \[Function.cc\]
    
*   CVE-2019-13283: fixed in 4.02 \[FoFiType1.cc\]
    
*   CVE-2019-13286: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-13287: fixed in 4.02 \[Gfx.cc\]
    
*   CVE-2019-13288: fixed in 4.02
    
*   CVE-2019-13289: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-13291: fixed in 4.02 \[Stream.cc\]
    
*   CVE-2019-14288 / CVE-2019-14289: fixed in 4.02 \[JBIG2Stream.cc\]
    
*   CVE-2019-14290 / CVE-2019-14291 / CVE-2019-14292 / CVE-2019-14293: fixed in 4.02 \[GfxState.cc\]
    
*   CVE-2019-14294: fixed in 4.02 \[JPXStream.cc, JPXStream.h\]
    
*   CVE-2019-15860: old bug in 2.00, no longer relevant
    
*   CVE-2019-16088: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2020-25725: fixed in 4.03 \[SplashOutputDev.cc\]
    
*   CVE-2020-35376: fixed in 4.03 \[FoFiType1C.cc\]
    
*   CVE-2022-24106: fixed in 4.04 \[Stream.cc\]
    
*   CVE-2022-24107: fixed in 4.04 \[JPXStream.cc\]
    
*   CVE-2022-30524: will be fixed in 4.05 \[TextOutputDev.cc\]
    
*   CVE-2022-33108: loop in PDF objects; will be fixed in 5.00
    
*   CVE-2022-38171: fixed in 4.04 \[JBIG2Stream.cc\]

CVE-2022-24107: Xpdf Security Fixes

CVE-2022-24107

Poppler prior to and including 22.08.0 contains an integer overflow in the JBIG2 decoder (JBIG2Stream::readTextRegionSeg() in JBIGStream.cc). Processing a specially crafted PDF file or JBIG2 image could lead to a crash or the execution of arbitrary code. This is similar to the vulnerability described by CVE-2022-38171 in Xpdf.

CVE-2022-38784: Poppler

Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.

**Hytec Inter HWL-2511-SS vulnerabilities.****Product Description:  
**

The HWL-2511-SS device from Hytec Inter is an industrial LTE router that can be used for remote data transmission such as collecting sensor data and checking surveillance camera images.

**Affected Products:**

All Hytec Inter HWL-2511-SS devices from version 1.05 and under.  

**Vulnerability Summary:**

*   Vulnerability 1 - Unauthenticated Remote Command Injection.  
    A vulnerability in the implementation of the ping command can allow an unauthenticated, remote attacker to perform a command injection attack. This vulnerability is due to insufficient validation of a process argument in the binary file /www/cgi-bin/popen.cgi. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges.
    
*   Vulnerability 2 - SSH CLI Command Injection.  
    A vulnerability in the implementation of the CLI (command line interface) can allow a local attacker with low privilege to perform a command injection attack. This vulnerability is due to insufficient validation of a process argument in the binary file /usr/sbin/clishell. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges.
    
*   Vulnerability 3 - Use of weak Hard-coded Cryptographic Key.  
    By default the HWL-2511-SS devices have a built-in weak SHA512crypt hash for the root account that can be recovered after a brute-force attack. This vulnerability can allow an external attacker to SSH the device or login to the web administration interface.
    

**Reproduction Steps:****1\. Unauthenticated Remote Command Injection.**

The endpoint /cgi-bin/popen.cgi can be called remotely without user authentication as there is no cookie verification Cookie: mgs=UUID to check if the request is legitimate. The second problem is that the GET parameter command can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the /etc/shadow file.  

**2\. SSH CLI Command Injection.**

When a user login to SSH a custom binary file with limited commands is loaded /usr/sbin/clishell. In the example below we show how it is possible via the traceroute command to use a command injection payload and escape the custom CLI binary to spawn a real shell.  

**3\. Use of weak Hard-coded Cryptographic Key.**

After extracting the firmware image and then reverse engineering it, we found that the file /etc/shadow has a built-in SHA512crypt hash for the root user and only took us a few minutes to recover it by a brute-force attack..  

**Recommendation Fixes / Remediation:**

*   Vulnerability 1 and 2: Strengthen validation rules by checking if input contains only alphanumeric characters, no other syntax or whitespace, a whitelist of permitted values is also recommended. Please see the following link for more details: https://cwe.mitre.org/data/definitions/78.html  
    
*   Vulnerability 3: Need to generate a different password for each device. During the manufacturing process, set a randomly generated password, unique for each device (e.g. print the password on a sticker for local access). Risk: Since passwords are shared among devices, an attacker able to crack the passwords once (e.g. with physical access to the device) can access all reachable devices. Please see the following link for more details: https://cwe.mitre.org/data/definitions/1188.html

**Vulnerable Devices Found:**

As of 8Aug2022, there were 77 Hytec Inter HWL-2511-SS LTE router devices exposed to the internet and were affected by the vulnerabilities discovered.

**Reference:**

https://hytec.co.jp/eng/products/our-brand/hwl-2511-ss.html  
https://hytec.co.jp/eng/wordpress/wp-content/uploads/2019/09/hwl-2511-ss-ds.3.0.pdf

**Security researchers:**

*   Thomas Knudsen
*   Samy Younsi

CVE-2022-36555: hytec-HWL-2511-SS.md

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 3.0.1 does not sanitise and escape some parameters before outputting them back in an attributes of an admin page, leading to Reflected Cross-Site Scripting.

Tag

#pdf