Real Player versions 16.0.3.51, Cloud 17.0.9.17, and 20.0.7.309 suffer from a DCP:// URI remote code execution vulnerability.

Real Player 16.0.3.51 / Cloud 17.0.9.17 / 20.0.7.309 DCP URI Remote Code Execution

Real Player versions 16.00.282, 16.0.3.51, Cloud 17.0.9.17, and 20.0.7.309 suffer from external::Import() arbitrary file download and directory traversal vulnerabilities that lead to remote code execution.

Real Player 16.00.282 / 16.0.3.51 / Cloud 17.0.9.17 / 20.0.7.309 Remote Code Execution

The G2 Control component in Real Player version 20.0.8.310 suffer from remote code execution vulnerability.

Real Player 20.0.8.310 G2 Control DoGoToURL() Remote Code Execution

Technique skirts web security controls

A security researcher has discovered a neat, albeit partially developed, technique to bypass CSP (Content Security Policy) controls using WordPress.

The hack, discovered by security researcher Paulos Yibelo, relies on abusing same origin method execution.

This technique uses JSON padding to call a function. That’s the sort of thing that might allow the compromise of a WordPress account but only with the addition of a cross-site scripting (XSS) exploit, which the researcher doesn’t have as yet.

Catch up with the latest WordPress related security news

Yibelo told The Daily Swig that they have not gone as far as attempting the trick on live sites, restricting exploits to a test research site they themselves owned.

“I haven’t really attempted to because it requires a logged in WordPress user or admin to visit my website, so I install the plugin and have a HTML injection – which is illegal to do,” Yibelo explained, adding they hadn’t attempted to exploit the bug in the wild on bug bounty sites either.

The researcher added that they reported it to WordPress three months ago via HackerOne. After failing to get a reply, Yibelo went public with the findings through a technical blog post.

**Endpoint endgame**

Attacks are potentially possible in two scenarios: 1) websites that don’t use WordPress directly but have an endpoint of WordPress on the same-domain or subdomain, and 2) a website hosted on WordPress with a CSP header.

The potential impact is severe, as Yibelo’s blog post explains:

If an attacker finds an HTML injection vulnerability within the main domain (ex: website1.com – not WordPress,) using this vulnerability, they can use a WordPress endpoint to upgrade a useless HTML Injection to a full blown XSS that can be escalated to perform \[remote code execution\] RCE. This means having WordPress anywhere on the site defeats the purpose of having a secure CSP.

The Daily Swig invited WordPress’s core development team to comment on the research. No word back, as yet, but we’ll update this story as and when we hear more.

Yibelo concluded: “I hope Wordpress fixes it so CSP stays relevant on sites that host a WordPress endpoint.”

Content Security Policy is a technology set by websites and used by browsers that can block external resources and prevent XSS attacks.

YOU MAY ALSO LIKE WordPress theme Jupiter patches critical security hole

Researcher goes public with WordPress CSP bypass hack

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now.
The post FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day appeared first on Malwarebytes Labs.

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 for a zero-day remote code vulnerability, ‘Follina’, already being exploited in the wild via malicious Word documents.

_**Q: What exactly is Follina?**_

A: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. In technical terms it is a Remote Code Execution Vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

_**Q: But what does it mean, and is this a serious vulnerability?**_

A: An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. It is serious since it is already actively being exploited in the wild and doesn’t require users to enable macros.

**_Q: What is Microsoft doing about it?_**

A: Microsoft has offered mitigation steps that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications.

_**Q: Does Malwarebytes protect against Follina?**_

A: Yes, it does. Please see additional steps below based on your product to ensure you are protected.

**How to add protection with Malwarebytes**

We are working on releasing a new version of Anti-Exploit that won’t require adding new shields and will provide more holistic protection. For immediate mitigation, please follow the instructions below.

**Malwarebytes Premium (Consumer)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

**Malwarebytes Nebula (Enterprise)**

Follow the instructions below to add sdiagnhost.exe as a new protected application.

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim.
"Once the email is viewed, the attacker can silently take over the complete mail server without any further user interaction," SonarSource said in a report shared

A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim.

"Once the email is viewed, the attacker can silently take over the complete mail server without any further user interaction," SonarSource said in a report shared with The Hacker News. "The vulnerability exists in the default configuration and can be exploited with no knowledge of a targeted Horde instance."

The issue, which has been assigned the CVE identifier **CVE-2022-30287**, was reported to the vendor on February 2, 2022. The maintainers of the Horde Project did not immediately respond to a request for comment regarding the unresolved vulnerability.

At its core, the issue makes it possible for an authenticated user of a Horde instance to run malicious code on the underlying server by taking advantage of a quirk in how the client handles contact lists.

This can then be weaponized in connection with a cross-site request forgery (CSRF) attack to trigger the code execution remotely.

CSRF, also called session riding, happens when a web browser is tricked into executing a malicious action in an application to which a user is logged in. It exploits the trust a web application has in an authenticated user.

"As a result, an attacker can craft a malicious email and include an external image that when rendered exploits the CSRF vulnerability without further interaction of a victim: the only requirement is to have a victim open the malicious email."

The disclosure comes a little over three months after another nine-year-old bug in the software came to light, which could permit an adversary to gain complete access to email accounts by previewing an attachment. This issue has since been resolved as of March 2, 2022.

In light of the fact that Horde Webmail is no longer actively maintained since 2017 and dozens of security flaws have been reported in the productivity suite, users are recommended to switch to an alternative service.

"With so much trust being placed into webmail servers, they naturally become a highly

interesting target for attackers," the researchers said.

"If a sophisticated adversary could compromise a webmail server, they can intercept every sent and received email, access password-reset links, sensitive documents, impersonate personnel and steal all credentials of users logging into the webmail

service."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email

CSRF exploit requires user to open malicious email

CSRF exploit requires user to open malicious email

A zero-day vulnerability in Horde Webmail enables attackers to take over the web server and pivot to compromising an organization’s other services, according to security researchers.

Documented by Swiss security firm Sonar (formerly SonarSource), the flaw’s abuse relies on an authenticated user of the targeted instance opening a malicious email sent by the attacker.

If they do so, they inadvertently trigger the exploit by executing arbitrary code on the underlying server.

**Abandonware**

A patch for the remote code execution (RCE) vulnerability in the open source platform may never surface given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.

Sonar researchers have therefore advised users to abandon Horde Webmail.

Catch up on the latest cybersecurity research

Johannes Dahse, head of R&D at Sonar, said that a Shodan search had revealed more than 3,000 exposed Horde instances worldwide.

“Furthermore, it is integrated into cPanel,” he told The Daily Swig. “As webmail software does not need to be exposed to the internet, we believe that there are even more, internal instances. These instances can still be exploited as long as the email server of an organization is exposed.”

Horde Webmail, which is part of the Horde groupware, provides a browser-based email client and a server that acts as a proxy to the organization’s email server.

By compromising webmail servers, attackers “can intercept every sent and received email, access password-reset links, sensitive documents, impersonate personnel and steal all credentials of users logging into the webmail service,” according to a Sonar blog post by Simon Scannell, vulnerability researcher at Sonar.

**CSRF**

The Horde Webmail vulnerability (CVE-2022-30287) can be abused with a single request, which brings cross-site request forgery (CSRF) into play. “As a result, an attacker can craft a malicious email and include an external image that when rendered exploits the CSRF vulnerability,” Scannell explained.

Worse still, the victim’s clear-text credentials are also leaked to the attacker, potentially giving the adversary access to additional services used by the target organization – as demonstrated in the proof-of-concept video below.

The vulnerability exists in Horde Webmail’s default configuration and potentially lends itself to mass-exploitation, Sonar warns.

It alerted maintainers to the issue on February 2 and disclosed the flaw today (June 1), having notified the maintainers on May 3 that the 90-day disclosure deadline had passed.

Nevertheless, on March 2 Horde released a fix for a separate issue reported previously by Sonar and acknowledged the latest vulnerability report, according to Sonar.

**Salutary lesson**

The researchers point towards a lesson offered by the vulnerability, noting that it exists in PHP code, which typically uses dynamic types.

“In this case, a security sensitive branch was entered if a user-controlled variable was of the type array,” Scannell said. “We highly discourage developers from making security decisions based on the type of a variable, as it is often easy to miss language-specific quirks.”

Sonar last year documented a chained exploit in another open source webmail platform, Zimbra, that allowed unauthenticated attackers to gain control of Zimbra servers.

YOU MIGHT ALSO LIKE Patch released for cross-domain cookie leakage flaw in Guzzle

Horde Webmail contains zero-day RCE bug with no patch on the horizon

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Microsoft has released a workaround for a zero-day flaw that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.

The remote control execution (RCE) flaw, tracked as CVE-2022-3019, is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company’s products and reports to Microsoft Support.

If successfully exploited, attackers can install programs, view, change or delete data, or create new accounts in the context allowed by the user’s rights, the company said.

“A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,” Microsoft explained in its guidance on the Microsoft Security Response Center. “An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.”

Microsoft’s workaround comes some six weeks after the vulnerability was apparently first identified. Researchers from Shadow Chaser Group noticed it on April 12 in a bachelor’s thesis from August 2020—with attackers apparently targeting Russian users–and reported to Microsoft on April 21, according to research firm Recorded Future’s The Record.

A Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said in a post on Twitter over the weekend, retweeting the original post about the vulnerability, also made on April 12, from @h2jazi.

When the flaw was reported, Microsoft didn’t consider it an issue. It’s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at  Japanese security vendor Nao Sec, who tweeted a fresh warning about it over the weekend, noting that it was being used to target users in Belarus.

In analysis over the weekend noted security researcher Kevin Beaumont dubbed the vulnerability “Follina,” explaining the zero-day code references the Italy-based area code of Follina – 0438.

****Current Workaround****

While no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This “prevents troubleshooters being launched as links including links throughout the operating system,” the company wrote in their advisory.

To do this, users must follow these steps: Run “:**Command Prompt** **as Administrator****“**; Back up the registry key by executing the command “reg export HKEY\_CLASSES\_ROOT\\ms-msdt _filename_“; and execute the command “reg delete HKEY\_CLASSES\_ROOT\\ms-msdt /f”.

“Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters,” the company said.

Moreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, “both of which prevent the current attack,” Microsoft said. However, Beaumont refuted that assurance in his analysis of the bug.

Microsoft also plans to update CVE-2022-3019 with further information but did not specify when it would do so, according to the advisory.

****Significant Risk****

In the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.

One is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.

“Every organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,” Aviv Grafi, CTO and founder of security firm Votiro, wrote in an e-mail to Threatpost.

Another reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. Once the HTML is loaded from the calling application, an MSDT scheme is used to execute a PowerShell code to run a malicious payload, Grafi explained.

Since the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which are common within Office-based attacks, Beaumont said.

“What makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a ‘zero-click’ remote code execution technique used through MSDT,” Grafi concurred.

****Under Active Attack****

Claire Tills, senior research engineer for security firm Tenable, compared the flaw to last year’s zero-click MSHTML bug**,** tracked as CVE-2021-40444, which was pummeled by attackers, including the Ryuk ransomware gang.

“Given the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,” she wrote in an e-mail to Threatpost.

Indeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also tweeted that threat actors were using the flaw to target organizations in Tibet by impersonating the “Women Empowerments Desk” of the Central Tibetan Administration.

What’s more, the workaround that Microsoft currently offers itself has issues and won’t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. He said the workaround is”not friendly for admins” because it involves “changes in the Registry of the end user’s endpoints.”

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems.
"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in

An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems.

"TA413 CN APT spotted \[in-the-wild\] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in a tweet.

"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web\[.\]app."

TA413 is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as Exile RAT and Sepulcher as well as a rogue Firefox browser extension dubbed FriarFox.

The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code.

Specifically, the attack makes it possible for threat actors to circumvent Protected View safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the Preview Pane in Windows File Explorer.

While the bug gained widespread attention last week, evidence points to the active exploitation of the diagnostic tool flaw in real-world attacks targeting Russian users over a month ago on April 12, 2022, when it was disclosed to Microsoft.

The company, however, did not deem it a security issue and closed the vulnerability submission report, citing reasons that the MSDT utility required a passkey provided by a support technician before it can execute payloads.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions Office 2013 through Office 21 and Office Professional Plus editions.

"This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros," Malwarebytes' Jerome Segura noted.

Although there is no official patch available at this point, Microsoft has recommended disabling the MSDT URL protocol to prevent the attack vector. Additionally, it's been advised to turn off the Preview Pane in File Explorer.

"What makes 'Follina' stand out is that this exploit does not take advantage of Office macros and, therefore, it works even in environments where macros have been disabled entirely," Nikolas Cemerikic of Immersive Labs said.

"All that's required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

"Follina" vulnerability in Microsoft Support Diagnostic Tool (MSDT) affects all currently supported Windows versions and can be triggered via specially crafted Office documents.

Attackers are actively exploiting an unpatched and easy-to-exploit flaw in the Microsoft Support Diagnostic Tool (MSDT) in Windows that allows for remote code execution from Office documents even when macros are disabled.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus, according to security researchers that have analyzed the issue.

Attackers can exploit the zero-day flaw — dubbed "Follina" — to remotely execute arbitrary code on Windows systems. Microsoft has warned of the issue giving attackers a way to "install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights." Researchers have reported observing attacks exploiting the flaw in India and Russia going back at least one month.

**Delayed Acknowledgement?**

Microsoft on Monday assigned the flaw a CVE identifier — CVE-2022-30190 — after apparently initially describing it as a non-security issue in April when crazyman, a security researcher with APT threat hunting group Shadow Chaser Group, first reported observing a public exploit of the vulnerability. Though the company's advisory described the flaw as being publicly known and actively exploited, it did not describe the issue as a zero-day threat.

In a May 30 blog post, Microsoft recommended that organizations disable the MSDT URL protocol to mitigate the issue and said it would provide more updates later without specifying when. Microsoft said the Protected View feature in Microsoft Office and the Application Guard for Office both would prevent attacks that try to exploit the flaw.

Microsoft did not respond to a Dark Reading query on whether it had initially described the issue as a non-security issue or when it might have first learned of the flaw. Instead, a spokeswoman pointed to Microsoft's Monday advisory as the only comment the company has on the issue at this time.

MSDT is a Windows support tool that collects and sends data from a user's system to Microsoft support staff so they can analyze and diagnose issues that a user might be encountering on their system. According to Microsoft, the vulnerability is triggered when an Office app like Word calls MSDT using the URL protocol. "An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application," the company noted.

**Multiple Exploits in the Wild**

Though the security researcher with the Shadow Chaser Group first notified Microsoft Security Response Center about the bug more than a month ago, the vuln only received broad attention over the weekend when a researcher spotted a malicious Word document attempting to exploit the issue. Security researcher Kevin Beaumont analyzed the document and found that it was using the remote template feature in Word to retrieve a HTML file from a remote Web server. The retrieved file in turn used the MS-MSDT URL protocol to load code for executing a PowerShell script. Beaumont discovered the document was executing code even with macros disabled. The security researcher found at least two other malicious Word documents in the wild attempting to exploit Follina going back to April.

Significantly, Beaumont and other researchers found that the attack technique allowed threat actors a way to bypass the "Protected View" mechanism in Office that alerts users about content downloaded from the Internet and requires an additional click from them to open. According to Malwarebytes, the warning can be bypassed simply by changing the document to a Rich Text Format (RTF) file. By doing so, code can run without the user even needed to open the document via the preview tab in Explorer, Malwarebytes said.

"RTF files are a special format that allows for documents to be previewed inside of Windows Explorer," says Jerome Segura, senior director of threat intelligence at Malwarebytes. "When that happens, Explorer will call out the msdt process which is being exploited without any warning or prompts," he says. In fact, the Preview pane is a risky feature because it enables zero-click attacks, Segura says. "We recommend users to disable it within Explorer as well as email clients like Outlook."

**Potentially Widespread Impact**

Johannes Ullrich, dean of research at the SANS Institute, says by itself the vulnerability in MSDT wouldn’t be a big deal. But the fact that it can be triggered via Microsoft Office is troubling. All that a user needs to do is to open a specially crafted Word document, or in some cases just previewing it to enable remote code execution, he says. This sets the stage for potentially widespread compromises especially considering that numerous exploits have been available in the wild for a month now.

"There are multiple scripts, examples and tutorials explaining how to exploit this vulnerability. Applying these techniques is easy, Ullrich says. He points to one malicious document to exploit Follina that SANS discovered recently, which purported to contain quotes for mobile phone prices from a reseller. The exploit worked though it appears to have been compiled by a relatively unskilled threat actor. "It appears to have been created by a novice attacker as it doesn't even remove some of the comments added to the malicious document," Ullrich says.  

He recommends that organizations immediately follow Microsoft's guidance and disable the MSDT URL protocol. "This will break the link between Office and the diagnostic tool," he says. Though the vulnerability in MSDT will still be present, it can no longer be triggered when opening a malicious document, he says. SANS recommends that organizations disable the Preview Pane in Windows Explorer.

Dray Agha, ThreatOps analyst at Huntress, which did a deep dive on the vulnerability, says attackers can use Follina to escalate privileges and travel across environments to create havoc. "Hackers can go from being a low-privilege user to an admin extremely easily," Agha says. "The vulnerability can be easily triggered by users simply choosing to “preview” a specifically crafted, maliciously supplied document. It’s that simple."

Tag

#rce