XPDF v4.04 was discovered to contain a stack overflow vulnerability via the Object::Copy class of object.cc files.

Post Reply

*   Print view

Advanced search

2 posts • Page **1** of **1**

H00K1998

**Posts:** 5

**Joined:** Sat Jun 04, 2022 8:14 am

**There seems to be a stack overflow vulnerability here, can you take a look, source code：Object::copy**

*   Quote

Post by **H00K1998** » Sat Jun 04, 2022 8:24 am

Hello, I seem to encounter a stack overflow vulnerability in the process of fuzz test (afl++), can you take a look

Enjoy:)

Attachments

poc-images.7z

(188.3 KiB) Downloaded 4 times

Top

derekn

**Posts:** 757

**Joined:** Wed Apr 05, 2017 6:57 pm

**Re: There seems to be a stack overflow vulnerability here, can you take a look, source code：Object::copy**

*   Quote

Post by **derekn** » Thu Jun 09, 2022 7:58 pm

That's due to an object loop in the PDF file. I'm planning to implement a more robust loop checker in Xpdf 5.

Top

Post Reply

*   Print view

Display: Sort by: Direction:

2 posts • Page **1** of **1**

Return to “Xpdf open source”

Jump to

*   XpdfReader
*   Xpdf open source

CVE-2022-33108: There seems to be a stack overflow vulnerability here, can you take a look, source code：Object::copy

The No cON Name 2022 call for papers has been announced. It will be held in Barcelona, Spain, from November 24th through the 26th, 2022.

    No cON Name 2022 - Barcelona*****************************************  Call For Papers        ******************************************https://www.noconname.org/call-for-papers/Exact place not disclosed until a few weeks before due celebration.     * INTRODUCTIONThe organization has  opened CFP proposals. No cON Name is the eldest Hackingand Security Conference in Span. Our goal is to get highly qualified requestsfor both, speaker opportunities, as well as workshops, to show in one of  themost  respected hacker conferences in  Barcelona and Spain, NcN (No cONName). We will cellebrate as the last edition, 2 tracks:     * Privacy and net neutrality Track. (November 24th)     * Cybersecurity Track (November 25-26th)We will be accepting exclusively technical  presentations, proof of concept for,private  investigations  and  solutions  for  professionals related  to the  ITsecurity scene. Under no circumstance we will be selecting any proposal which iscommercially targeted, our main goal is to share knowledge in a well-establishedcommunity.     * FORMAT & REQUIREMENTS   - Language: English ( We will choose almost 75% ) or Spanish   - Proposal file type: PDF. It must follow  documentations requirements, shown     in next paragraph, and filled in through the web site   - Please use the template provided for the presentations during the conference   - It's necessary to  deeply explain contents, as this document will allow the     organization to evaluate the proposal.   - CFP's attachment  requested is mandatory. One page  summary of the contents,     or the investigations that you want to show will help to demonstrate techni-     cally the findings/result of investigations (additional texts,  screenshots,     evidences, code, etc)     WE DON'T ACCEPT PROPOSALS PRESENTED IN SPAIN BEFORE THE NOCONNAME'S CONGRESS DATE.In the event  that the  proposal  is accepted, it must be submitted  before thedeadline (September 1st, detailed in the important dates section below):   - An  article (a  template  in doc, odt  format  is  attached.) that  will  be     delivered in the conferences notebook. MANDATORY   - Presentation and exhibition  material: september the 15th. All the material     that will be  presented to the organization  must be delivered, otherwise it     will be possible to  grant other applicants your place. You have to plan the     day of the event nimbly. MANDATORY     * CONTENTSWe will require the following info to review your CFP:DATA                         DESCRIPTIONPreferred contact method     Alias, email, twitter account, Facebook,etc.  Name & Surname*  Alias *  Email *  Phone nº *  Twitter id  City/Country of residence *Proposal  Proposal type *             Speaking presentation or Workshop presentation  Representing *              Individual or company name  Category *                  See: RELEVANT TOPICS  Length (minutes) *          Speaker (presentation): Between  20 or 45 minutes.                              Workshop (presentation + demo):  45 minutes                              or 1,5 hours.  Title of the paper *:       Presentation's / Workshops Title  Goal *                      State  your objectives  during your investigation,                              issues encountered, impact on the society including                              risks.  Benefits *                  List  the   benefits  your presentation  will  be                              providing to the security community, social impact,                              and perhaps solutions to the current issue.  Description *               Presentation's / Workshop's description  Speaker's Biography *       Brief bio of latest published papers, previous talk                              experience, your current interests.     * RELEVANT TOPICSThe areas of interest that have been proposed, not restricted to, are:   - Offensive security.   - Evading / In-depth research of Phishing / Malware.   - Security & exploiting SCADA / ICS.   - Internet privacy and net neutrality (EPIC).   - Honeypots / Honeynets.   - Web explorers' security.   - Hardware hacking.   -  New vulnerabilities and 0-day exploits.   - Healthcare sucurity / risks   - (in)Security in the automotive industry   - Software Testing/Fuzzing.   - Advanced Penetration testing techniques.   - Mobile Application Security-Threats and Exploits.   - Network and Router Hacking   - Mobile, Satellite, IP networks security   - SDR (Software defined radio)   - Hacking virtualized envirorments   - Computer/electronic forensics   - Bluetooth vulnerabilities.   - Videconference application vulnerabilities.   - Covid-19 App vulnerabilities     * DEADLINES   - CFP Requests closing: September 15th 2022.   - CFP Approval: September, 25th 2022.   - Materials presentation due: October, 1st  2022   - Conference's date: November, 24,25,26th 2022     * SENDING YOUR CFPAll requests must be submitted through our site at:   https://www.noconname.org/call-for-papers/Fill in the form  and upload necessary files and you are  all set (some parts of website are in sspanish)     - EVALUATION CRITERIA FOR PROPOSALSWe will be evaluating speaking  conference and workshop requests with the follo-wing score:   - Level  of  innovation  in  your  investigation / Sophistication  of the  40%     presentation   - Stating your key-points of your proposal without going deep into detail  20%   - Briefing quality of your draft (proof of concept in  briefing is highly  15%     appreciated)   - State  field where your investigation  was made, ie:hardware, software,  10%     industry.   - Your speaking reputation                                                 10%   - Relevant topic proposed by the No cON Name staff               5%

No cON Name 2022 Barcelona Call For Papers

Red Hat Security Advisory 2022-5236-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include privilege escalation and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:5236-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5236  
Issue date:        2022-06-28  
CVE Names:         CVE-2022-1729 CVE-2022-1966   
=====================================================================

1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux for Real Time (v. 7) - noarch, x86_64  
Red Hat Enterprise Linux for Real Time for NFV (v. 7) - noarch, x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: race condition in perf_event_open leads to privilege escalation  
(CVE-2022-1729)

* kernel: a use-after-free write in the netfilter subsystem can lead to  
privilege escalation to root (CVE-2022-1966)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update to the latest RHEL7.9.z15 source tree (BZ#2081074)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2086753 - CVE-2022-1729 kernel: race condition in perf_event_open leads to privilege escalation  
2092427 - CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root

6. Package List:

Red Hat Enterprise Linux for Real Time for NFV (v. 7):

Source:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.71.1.rt56.1212.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-kvm-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-kvm-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm

Red Hat Enterprise Linux for Real Time (v. 7):

Source:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.src.rpm

noarch:  
kernel-rt-doc-3.10.0-1160.71.1.rt56.1212.el7.noarch.rpm

x86_64:  
kernel-rt-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debug-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-debuginfo-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm  
kernel-rt-trace-devel-3.10.0-1160.71.1.rt56.1212.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1729  
https://access.redhat.com/security/cve/CVE-2022-1966  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrr1h9zjgjWX9erEAQgoug//X+2272c6fT57aJDp7fTx1jWR/C1btEgx  
1ntHeoWo63OEPOTEBBvzumm8Snc3ha3Si5rLUED4jFqrZF2x4tL5ysPdZVzmEhKb  
TbRs6qvO4DaC8DRiPDlCMRjTyr6LALFkukVZnNp27pdfIQaPAZT2rw5vqM9eBxaP  
ujhlJHF+UhxhjczV5maDObvtqv9tXw4aAcCSwLJ3G7DjIIjclYZVCZyQ2vutMR2v  
mdUcCYJ0FpT5AdgyqJAytVHBg3SuqocWECvcgo81v5OyVRpJSPISr8QJ9A7ArRmP  
Opgc9eGp0VUZST/YEn5moJohXQ3CP7A7plg9HUjo6wSqMjaoYuA6O55htGP4cMu0  
q2fnnrhQNDTqmMr3mdtnvJegzDbgkm4BiGUagpzu8KzCiDuQICWtKpD7yR5nWeeU  
8rCy4gG2umSyy3YIbYQBUw1dpDyQGZEx1rkCb7E9Q+dY6V+kfY9VOdayL9lwKjDB  
hiXCR4CJI7VhAUx8vBZJjjDKuZsPps/C/qgFnuAozXi9zseeCvi8oaqwAfFOlWN1  
9yJjElvhMj8/KZBK+sILO/mBjyTzZWrWseMkqgoULpmKwDjx5JsyOyfGiPbsEfnm  
IA1ytujJQbZLDODOIsx+9RqH20eMylVIzkVaNte1nBZoHJwY525CNMZmirnF9zHu  
SsJW0x6Eodc=  
=ZYzg  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5236-01

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.

@@ -298,6 +298,18 @@ public function \_\_construct(array $attributes = null)

$this\->setFontDir($rootDir . "/lib/fonts");

$this\->setFontCache($this\->getFontDir());

  

$ver = "";

$versionFile = realpath(\_\_DIR\_\_ . "/../VERSION");

if (file\_exists($versionFile) && ($version = trim(file\_get\_contents($versionFile))) !== false && $version !== '$Format:<%h>$') {

$ver = "/$version";

}

$this\->setHttpContext(\[

"http" => \[

"follow\_location" => false,

"user\_agent" => "Dompdf$ver https://github.com/dompdf/dompdf"

\]

\]);

  

if (null !== $attributes) {

$this\->set($attributes);

}

CVE-2022-0085: Add a default context · dompdf/dompdf@bb1ef65

‘Manual workaround’ kickstarts phased recovery after cybercrooks disrupt meal provision to vulnerable people

‘Manual workaround’ kickstarts phased recovery after cybercrooks disrupt meal provision to vulnerable people

Deliveries of prepared meals to thousands of vulnerable people in England continue to be disrupted following a “sophisticated” cyber-attack on food distributor Apetito.

Apetito’s impacted UK arm delivers ready meals to hospitals, care homes, schools, childcare facilities, and the homes of vulnerable people across the west of England.

In an update (PDF) posted to its website yesterday (June 27), Paul Freeston, chair and CEO of Apetito UK and North America, reiterated that the firm would be unable to fulfill deliveries until and including Thursday June 30 following the cyber-attack over the weekend.

He advised customers with “deliveries on these days to make contingency plans”.

Freeston added that “a limited number of test deliveries from a manual system will be made tomorrow”, and if successful, “we hope to extend \[this system\] further this week”.

**Emergency procedures**

Freeston said on Sunday that the company had activated “emergency procedures” to ensure “most” customers of meals on wheels (home-delivered hot food) should still receive a meal – “although it may not be the meal they chose”.

Apetito subsidiary Wiltshire Farm Foods, which delivers frozen ready meals to the homes of mostly vulnerable people, usually seniors, managed to make “a limited number of local deliveries” yesterday using “a manual work-around system” that would “continue this week”.

Read more of the latest cyber-attack news

As expected, Monday’s Apetito deliveries to businesses, including other ‘meals-on-wheels’ operators, proceeded normally “as these orders were already picked” before systems were disrupted.

On the production front, “a significant but restricted” program was up and running as of yesterday.

Meal orders submitted by businesses after 7.30pm on Friday “should be assumed not to have been received”, said Freeston.

Wiltshire Farm Foods is apparently unable to take orders over the phone or via its website and app, with fulfilment new orders expected to resume from July 4.

**‘Designed to extort money’**

Apetito, announced on Sunday (June 26) that it shut down many IT systems following the cyber-attack, which was “designed to extort money from the company”.

The company said it was “building new hardware and software to replace the affected systems”, which did not include its UK Microsoft systems, while “email communication is fully functional”.

RELATED Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

It was also “seeking to establish whether any personally identifiable information (PII) has been compromised” and would alert customers and the Information Commissioner’s Office (ICO) if necessary.

Freeston said he was confident that payment card data was not compromised since this data was not held on Apetito’s systems.

“Our crisis management team is meeting multiple times each day to review progress, direct resources and respond to emerging issues”, he continued, adding that Apetito would continue providing updates at least daily.

“I would like to thank our customers and other contacts who are being so supportive during this issue. Our team continue to work tirelessly on the recovery and I am very grateful for their amazing efforts.”

Apetito declined to comment further when contacted by The Daily Swig.

YOU MIGHT ALSO LIKE Statutory defense for ethical hacking under UK Computer Misuse Act tabled

Ready meal distributor Apetito restores ‘limited’ deliveries in UK following cyber-attack

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victim’s environments.

Ransomware groups are abusing unpatched versions of a Linux-based Mitel VoIP (Voice over Internet Protocol) application and using it as a springboard plant malware on targeted systems. The critical remote code execution (RCE) flaw, tracked as CVE-2022-29499, was first report by Crowdstrike in April as a zero-day vulnerability and is now patched.

Mitel is popularly known for providing business phone systems and unified communication as a service (UCaaS) to all forms of organizations. The Mitel focuses on VoIP technology allowing users to make phone calls using an internet connection instead of regular telephone lines.

According to Crowdstrike, the vulnerability affects the Mitel MiVoice appliances SA 100, SA 400 and Virtual SA. The MiVoice provides a simple interface to bring all communications and tools together.

****Bug Exploited to Plant Ransomware**  **

Researcher at Crowdstrike recently investigated a suspected ransomware attack. The team of researchers handled the intrusion quickly, but believe the involvement of the vulnerability (CVE-2022-29499) in the ransomware strike.

The Crowdstrike identifies the origin of malicious activity linked to an IP address associated with a Linux-based Mitel VoIP appliance. Further analysis led to the discovery of a novel remote code exploit.

“The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennet wrote in a blog post.

The exploit involves two GET requests. The first one targets a “get\_url” parameter of a PHP file and the second one originates from the device itself.

“This first request was necessary because the actual vulnerable URL was restricted from receiving requests from external IP addresses,” the researcher explained.

The second request executes the command injection by performing an HTTP GET request to the attacker-controlled infrastructure and runs the stored command on the attacker’s server.

According to the researchers, the adversary uses the flaw to create an SSL-enabled reverse shell via the “mkfifo” command and “openssl\_client” to send outbound requests from the compromised network. The “mkfifo” command is used to create a special file specified by the file parameter and can be opened by multiple processes for reading or writing purposes.

Once the reverse shell was established, the attacker created a web shell named “pdf\_import.php”. The original content of the web shell was not recovered but the researchers identifies a log file that includes a POST request to the same IP address that the exploit originated from. The adversary also downloaded a tunneling tool called “Chisel” onto VoIP appliances to pivot further into the network without getting detected.

The Crowdstrike also identifies anti-forensic techniques performed by the threat actors to conceal the activity.

“Although the threat actor deleted all files from the VoIP device’s filesystem, CrowdStrike was able to recover forensic data from the device. This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” said Bennett.

Mitel released a security advisory on April 19, 2022, for MiVoice Connect versions 19.2 SP3 and earlier. While no official patch has been released yet.

****Vulnerable Mitel Devices on Shodan****

The security researcher Kevin Beaumont shared a string “http.html\_hash:-1971546278” to search for vulnerable Mitel devices on the Shodan search engine in a Twitter thread.

According to Kevin, there are approximately 21,000 publicly accessible Mitel appliances worldwide, the majority of which are located in the United States, succeeded by the United Kingdom.

****Mitel Mitigation Recommendations** **

Crowdstrike recommends that organizations tighten defense mechanisms by performing threat modeling and identifying malicious activity. The researcher also advised segregating the critical assets and perimeter devices to restrict the access control in case perimeter devices are compromised.

“Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant,” Bennett explained.

Mitel VoIP Bug Exploited in Ransomware Attacks

RaaS model continues to be adopted by criminals looking to maximize their ROI, new study indicates

RaaS model continues to be adopted by criminals looking to maximize their ROI, new study indicates

The number of new ransomware families and unique variants has fallen over the last year, according to new research from WithSecure.

The company, formerly known as F-Secure Business, says in its latest Ransomware Threat Update (PDF) that the number of new families and unique variants appearing each year peaked around 2017, but stayed relatively stable for most of the second half of the last decade.

Last year, though, saw a significant drop in the amount of new ransomware families discovered by the researchers.

The main reason, says the firm, appears to be a consolidation of efforts by attackers, who are increasingly exploiting off-the-shelf Ransomware-as-a-Service (RaaS) packages.

**RELATED** DBIR 2022: Ransomware surge increases global data breach woes

“These days, cybercriminals are often operating as organisations, and they want to maximise their ROI,” Paolo Palumbo, vice president of WithSecure’s Tactical Defense Unit, tells _The Daily Swig_.

“In this sense, they are focusing their resources on getting a foothold in a victim’s system, rather than developing their own ransomware. People often forget that this isn’t a game of who makes the best ransomware – it’s about getting money out of victims.”

**Rise of RaaS**

Importantly, Palumbo says that the fall in the number of ransomware families doesn’t necessarily imply a fall in the number of attackers.

“Like many other businesses, cybercriminals are taking advantage of specialist tech vendors who prepare readily-available platforms to conduct these types of scams and attacks,” he says.

“But we shouldn’t assume it makes the users of these systems incompetent or any less expert.”

Read more of the latest infosec research news

Ransomware was the most widespread threat type identified in 2021, accounting for nearly 17% of identified threats.

And WannaCry was the most prevalent ransomware family – by a considerable margin, accounting for more than half of non-generic ransomware detections.

This was followed by three RaaS families: GandCrab, REvil, and Phobos.

**Double extortion**

In terms of tactics, threat actors are increasingly finding new ways of extorting cash from victims, for example by stealing data before encryption and threatening to leak it, with Maze and REvil the most notable examples of what’s been dubbed ‘double extortion’.

Malicious Microsoft Office documents and downloads were the most commonly observed ransomware attack vectors in 2021, followed by exploiting vulnerabilities and accessing networks via exposed Remote Desktop Protocol (RDP) ports.

WithSecure points out that many of these vectors rely on unpatched vulnerabilities – particularly in internet-facing infrastructure – poor password hygiene, lack of multi-factor authentication to secure online accounts, and other weaknesses that organizations should be able to address.

Meanwhile, says Palumbo, governments have their part to play.

“The role of governments and agencies is extremely important and multi-faceted,” he says.

“They need to continue pushing the importance of cybersecurity education and hygiene for both individuals and organizations, making it more difficult for cybercriminals to take advantage and extort money.”

**DON’T MISS** Researchers crack MEGA’s ‘privacy by design’ storage, encryption

Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

A stored cross-site scripting (XSS) vulnerability in LightCMS v1.3.11 allows attackers to execute arbitrary web scripts or HTML via uploading a crafted PDF file.

A stored cross-site scripting (XSS) vulnerability exists in LightCMS that allows an user authorized to upload a malicious .pdf file which acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator it will trigger a XSS attack.

    %PDF-1.4
    %1111
    1 0 obj
    <<
    /CreationDate (D:20210619104632+08'00')
    /Creator (xss)
    /Producer (PDF-XChange Core API SDK $7.0.324.2$)
    >>
    endobj
    2 0 obj
    <<
    /Metadata 3 0 R
    /Pages 4 0 R
    /Type /Catalog
    >>
    endobj
    3 0 obj
    <<
    /Length 2983
    /Subtype /XML
    /Type /Metadata
    >>
    stream
    <?xpacket begin="﻿" id="W5M0MpCehiHzreSzNTczkc9d"?>
    <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 5.5.0">
    	<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    		<rdf:Description rdf:about=""
    				xmlns:dc="http://purl.org/dc/elements/1.1/"
    				xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
    				xmlns:xmp="http://ns.adobe.com/xap/1.0/"
    				xmlns:pdf="http://ns.adobe.com/pdf/1.3/">
    			<dc:format>application/pdf</dc:format>
    			<xmpMM:DocumentID>uuid:9c93bc08-8e4e-46cb-b28f-824c693821a4</xmpMM:DocumentID>
    			<xmpMM:InstanceID>uuid:2cd63bea-24ca-4ef8-a12c-015da3b28c96</xmpMM:InstanceID>
    			<xmp:CreateDate>2021-06-19T10:46:32+08:00</xmp:CreateDate>
    			<xmp:CreatorTool>迅捷PDF编辑器 7.0.324.2</xmp:CreatorTool>
    			<xmp:ModifyDate>2021-06-19T10:52:02+08:00</xmp:ModifyDate>
    			<pdf:Producer>PDF-XChange Core API SDK (7.0.324.2)</pdf:Producer>
    		</rdf:Description>
    	</rdf:RDF>
    </x:xmpmeta>

CVE-2022-33009: A stored cross-site scripting (XSS) vulnerability exists in LightCMS "contents" field · Issue #30 · eddy8/LightCMS

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the /config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM. This issue has been fixed in version 8.0. There are no known workarounds for this issue.

**Impact**

Incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if the  
/config/templates/pdf/ directory is accessible for remote users. This is not a default configuration of LAM.

**Patches**

The issue is fixed in version 8.0.

**Workarounds**

None

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/LDAPAccountManager/lam/issues
*   Email us on lam-public mailinglist

**Credits**

Arseniy Sharoglazov and Andrey Medov

CVE-2022-31086

ETH Zurich finds flaws in the firm’s cryptographic infrastructure

ETH Zurich finds flaws in the firm’s cryptographic infrastructure

MEGA claims that its storage service is private by design, but according to researchers, the technology is beset with “serious” security issues.

Based in New Zealand, MEGA is a cloud storage service and messaging platform that offers end-to-end encryption to more than 250 million users. MEGA also allows users to make audio and video calls.

The company calls itself a “zero-knowledge” encryption service built with “privacy by design”.

“All your data on MEGA is encrypted with a key derived from your password; in other words, your password is your main encryption key,” the organization says. “MEGA does not have access to your password or your data.”

However, according to the ETH Zurich University, based in Switzerland, in-depth testing of the platform has revealed “security holes that would allow the provider to decrypt and manipulate customer data”, despite its marketing claims to the contrary.

ETH Zurich cryptography researchers Matilda Backendal, Miro Haller, and Professor Kenneth Paterson analyzed MEGA’s source code and cryptographic architecture, uncovering a total of five vulnerabilities.

**Encryption cracked**

After recreating part of the MEGA platform and attempting to brute-force their own accounts, the team says they found that using one main key represents a “fundamental” weakness in the service.

A paper (PDF) describing the flaw says that the MEGA client derives an authentication key from a user’s password. This key is then used to encrypt other key material, files, and more.

A lack of integrity protection of ciphertexts containing keys breaks the confidentiality of the master key and overall encryption system, according to the researchers. This permits integrity attacks, RSA key and plaintext recovery attacks, and establishes an RSA decryption attack vector.

Catch up on the latest cloud security-related news

By hijacking only a session ID, it takes a maximum of 512 login attempts to break into a MEGA account.

“An additional manipulation of the MEGA software program on the computer of the victim can force their user account to constantly log in automatically,” the researchers said. “This shortens the time needed to fully reveal the key to just a few minutes.”

It then may be possible to compromise other keys used on the MEGA platform.

Potential post-attack vectors could include stealing user data or even uploading files – such as illegal or compromising images and video – locking up the account, and then blackmailing the targeted individual.

**MEGA response**

Paterson said the team reported its findings to MEGA on March 24 and proposed ways to resolve the security holes.

While MEGA apparently “decided to react in ways that are different than what we suggested,” according to the researcher, the initial attack vector on the RSA key has now been patched.

When approached for comment, MEGA pointed us toward a security advisory which says the first fix has been rolled out and additional patches are being developed.

According to MEGA, only customers that have logged into their account at least 512 times could be at risk – and this does not include resuming existing sessions.

Furthermore, the organization says that to take advantage of the cryptographic flaws, attackers would need to “gain control over the heart of MEGA’s server infrastructure or achieve a successful man\[ipulator\]-in-the-middle attack on the user’s TLS connection to MEGA”.

“The reported vulnerabilities would have required MEGA to become a bad actor against certain of its users, or otherwise could only be exploited if another party compromised MEGA’s API servers or TLS connections without being noticed,” the firm added.

The Daily Swig passed on this reaction to researchers at ETH Zurich who responded by saying MEGA had only resolved some of the security shortcomings that they had identified:

  

As detailed on the webpage of the paper \[1\], we contacted MEGA on March 24, 2022, to inform them of the vulnerabilities. They responded the same day and acknowledged the issues. They have been very open and communicative throughout. As part of our disclosure, we provided them with three sets of countermeasures, ranging from ‘immediate’ to ‘recommended’.

MEGA decided to go with a different patch, which protects against the first three out of our five attacks. You can read more about this in their blog post \[2\]. We continue to stand by our recommended countermeasures, which we believe would protect against our attacks (and others) in a more robust way than the fix that MEGA decided for.

YOU MIGHT ALSO LIKE Oracle patches ‘miracle exploit’ impacting Middleware Fusion, cloud services

Tag

#pdf