MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in a local configuration file.

**UPDATE**

**\[07.06.2022\]** We've been informed by MELAG that a new version has been released, to address the vulnerabilities detailed below. We've checked the update and can confirm the following updates for the identified vulnerabilities:

*   User Enumeration \[fixed\]
*   Authentication Bypass \[fixed\]
*   Path Traversal \[fixed¹\]
*   Storage of Cleartext Passwords \[still vulnerable²\]
*   Weak File Permissions \[partially fixed³\]
*   High System Privileges \[unchanged\]

¹Path Traversal: We found a bypass using junctions. However, the current implementation does not allow a normal user to create junctions. ²Storage of Cleartext Passwords: We found that the FTP server config and passwords are encrypted, but a static key was used for that. We were able to write a generic decryptor to bypass the encryption implementation. ³Weak File Permissions: FULL control granted to _Everyone_ has been changed to READ/WRITE control to _Authenticated Users_, which is slightly more secure, but still allows attacks from unprivileged, local users.

**Intro**

During an engagement in early 2021 my colleague nv1t and myself stumbled across an FTP server with a banner that we've never seen before, which said MELAG FTP SERVER along with a version number.

As this banner was unknown to us and the existence of an FTP server at the specific network location itself seemed a little odd (since we did not expect to see an FTP server on the external network of this client), we decided to take a look into what this piece of software is and what we could find about it. Querying Google for the presented Banner, we found the source of this FTP Server and the company that had developed this with the first hit. Searching for known vulnerabilities, however, did not reveal any results. Luckily for us though the vendor did offer this exact FTP Server in the same version as we found it in our client's network for download.

We downloaded the FTP Server, set up a testing environment, began to dissect it and found 6x high impact vulnerabilities.

**Summary and Mitigation Advice**

In the following sections we will describe an attack chain that allows an attacker to escalate from an unauthenticated network position to gain authenticated host access, which could further be exploited to compromise and control the targeted host system running the vulnerable FTP server. This attack can as well be conducted from the internet against publicly accessible MELAG FTP server instances. After a long and fruitless disclosure process (see the following timeline) we decided to disclose our findings publicly, to allow affected organizations and companies to be aware of the vulnerabilities and protect themselves against attacks.

To mitigate exploitation of these attack we advise to disconnect MELAG FTP servers from untrusted (public) networks, **especially from the public internet.** While writing this blog post, the vendor has so far not provided any software update to mitigate the identified vulnerabilities, therefore the only mitigation against exploitation is preventing network level access to this FTP server.

The vulnerabiliy research detailed in the following sections has been conducted by my colleague nv1t and myself, as part of our role at SSE, during the aftermath of a client engagement.

**Timeline**

*   27.05.2021: Initial Mail to MELAG informing about the found vulnerabilities
*   07.06.2021: Response from MELAG, details and report were handed over to MELAG
*   08.06.2021: Confirmation of Report received from MELAG
*   12.07.2021: 1st Update request from SSE to MELAG, asking if there are any questions on the report or update plans - no response
*   12.08.2021: 2nd Update request from SSE to MELAG, auto response indicating absence of contact - no further response
*   20.09.2021: 3rd Update request from SSE to MELAG - no response
*   20.09.2021: CVE Request to MITRE for 6x identified vulnerabilities, confirmation of submission by MITRE
*   06.12.2021: 1st Update request from SSE to MITRE, asking if there is any update on the process - no response
*   18.02.2022: 2nd Update request from SSE to MITRE - no response
*   04.04.2022: Vulnerability information submitted to CERT-Bund (BSI) - Confirmation of submission by CERT-Bund
*   25.04.2022: 1st Update request from SSE to CERT-Bund (BSI) - Response on 26.04.2022
*   25.04.2022: Informed MELAG and CERT-Bund (BSI) that this blog post will be published during the next two weeks. - Response on 26.04.2022
*   26.04.2022: CERT-Bund (BSI) confirmed the vulnerabilities and will contact MELAG - No statement from MELAG as of 05.05.2022.
*   05.05.2022: Public Disclosure, up to this point the software has not been updated and MELAG has not responded.
*   30.05.2022: MELAG informed us that an updated version (2.2.0.5) has been released to fix the addressed issues.
*   07.06.2022: We informed MELAG about the insufficient fix to encrypt user passwords and other data using static encryption keys.

**Vulnerabilities**

In the following sections the identified vulnerabilities will be described. Please note that these vulnerabilities will be described **in order of a potential exploitation chain**, not in order of their rated risk.

In total we identified the following 6 vulnerabilities:

*   User Enumeration
*   Authentication Bypass
*   Path Traversal
*   Storage of Cleartext Passwords
*   Weak File Permissions
*   High System Privileges

The FTP Server was found to be written in .NET, which allowed us to decompile and analyze the source code. dnSpy was used for this purpose. Snippets of this source code will be shown in the following sections to highlight the vulnerable code functions.

**User Enumeration**

As an entry point into the application, we found a user enumeration vulnerability that allows an attacker to identify whether a given username is a registered FTP user or not. As with all user enumeration vulnerabilities, the vulnerability presents itself by returning different server response for valid and invalid usernames. The FTP protocol defines the command USER to submit the username used for logon, which is vulnerable to user enumeration, as shown below:

User Enumeration Vulnerability

This vulnerability could easily be exploited using a brute-force style approach using an automated network scanner, such as hydra or by building a custom enumeration script.

As an example: Using a naive python-based network scanner the 10.000 name samples from SecLists could be tested in about 3mins on a local network.

User Enumeration Exploitation

This user enumeration vulnerability within the USER command function can also be found in the application .NET code, as shown below:

Source code: USER Command

**Authentication Bypass**

Given a valid username we digged deeper into what happens within the implementation of the USER command in case a valid username was submitted, which is shown below:

The important bit here is that the RefUserAccount attribute of the cc (ClientConnection) variable is set to the account that matches the given username if the identified account is active. To get a better picture of what this means the server UI, which comes with the installation of the FTP server, is shown below:

This interface shows the identified user "ftpuser" along with a checked "active" box, showing that this FTP user is currently active and allowed to log in.

The interesting takeaway from the code snippet above is that the RefUserAccount attribute has been set for the connection, although no password has been specified yet. So far only the USER command has been sent to submit the username. This gets interesting when inspecting other command implementations, for example the implementation of the LIST command that is shown below (snippet):

Source code: LIST Command

This source code snippet shows the implementation of the FTP LIST command, which can be used to list the contents of the current directory. As highlighted above this command used the RefUserAccount attribute of the connection to resolve a user's base directory. The only requirement to make the highlighted call successful is that the RefUserAccount attribute is set, which has been previously set by submitting a valid username. What's missing is any form of authentication verification, as no password has been provided for this user so far. Looking at this code we were curious if any FTP functions could be called by only submitting a username, but no password. Testing this theory resulted in the following output:

FTP List Command Without a Password

The server response shows a "Login failed", however the dir command seems to imply that the command was successful, although no output was received (We'll go into the details of this behaviour at the end of this section...). This result let us into trying this manually and opening up a data connection ourselves (using the FTP passive mode).

Using the FTP PORT command we were able to specify our own endpoint for the passive FTP mode and successfully retrieved the directory listing of the user ftpuser without specifying any password for this user. Looking through the rest of the code, we were interested if this flaw is only present in the implementation of the LIST command. We found that this flaw was present in all implemented FTP commands, which also allowed us to read the file "myfile.txt" that has been identified earlier using the FTP RETR command:

Now that we proved that this vulnerability can be exploited, let's investigate why the dir command did not returned any output when used from within the ftp command line tool. The reason for this is that the ftp command line tool - like many other ftp clients - will always send a password with the PASS command to the ftp server, even when this password is empty. In other words: Every ftp client expects the server to process a USER command followed by a PASS command. Looking at the source code of the MELAG FTP server for the PASS command, we can find the following snippet:

Source code: PASS command

If the refUserAccount variable is set - which it is in our case, as we send a valid username with the USER command, but the password does not match with the password of the associated user, then cc.RefUserAccount will be set to null. Looking at the source code for the LIST command, which is was is triggered when the command dir is sent through the used ftp client, we'll see that a response with the status code of _150 FileStatusOK_ is send back to the client (which we also saw earlier) and then the cc.List is called to handle the directory listing with the first argument of cc.RefUserAccount.BaseDirectory.

Source code: LIST command (revisited)

Since the cc.RefUserAccount is null, BaseDirectory is called on null, which causes an error and the termination of the command. We'll add another annotation to this at the end of the blog post.

**Path Travesal**

So far we were able to "authenticate" to the FTP server by only using a valid and active username and reading a user's base directory indluding all files therein. Our tour through the code and the various implemented FTP commands also revealed that the application is vulnerable to path traversal attacks, which we found within the implementation of the CWD command.

This source code snippet shows the ChangeDir command that is called when submitting the CWD <PATH> command. The supplied sub-path of the CWD command is passed as the 2nd argument ("subDir") to the ChangeDir function. As highlighted above no sanity checks are performed to ensure the user is actually supplying a "sub directory", which allows an attacker to traverse through the entire host system, as shown below.

Consequently, this allows to read arbitrary files of the host system, as long as the user who is running the FTP server has the permission to read these files (which we'll later see could be all files). A proof of concept is shown below:

Proof of concept: Reading C:\\Windows\\win.ini

**Storage of Cleartext Passwords**

Being able to read through all files (that the user running the FTP server has permission to read) allowed us to look for potentially interesting configuration files that ship with this FTP server...and we found one.

The FTP server stores configurations in an XML file called "config.dat", which is stored under %ProgramData%\ProgramData\MELAG Medizintechnik GmbH & Co. KG\FTP-Server\config.dat. Looking into this file we found - among other configuration settings - ftp user accounts with their respective password stored in plaintext:

Although so far we did not need to know the ftp user's password to run any of the above attacks it's certainly not good having these passwords stored in plaintext on disk.

**Weak File Permissions**

So far we had to specify that combining the authentication bypass and the path traversal attacks allows an attacker to read arbitrary files (and directories) on the target host, only if the user running the FTP Server had sufficient (host-level) permissions to read those files. We found this caveat does not apply to the sensitive config.dat file, which stores ftp user credentials in plain-text, as the default installation of the FTP server allows Everyone **full control** over this file

This would also allow a local attacker on the host system to compromise all FTP users and their files, as an attacker can read (and change) all FTP users credentials and thereby login as any user.

**High System Privileges**

Lastly to weaken the "we can only read/write files that the user running the FTP server has permissions to read/write"-disclaimer even more we found that when installing the FTP server, the administrator is prompted with the following installation choices.

If the user chooses to install the FTP server "as Windows application" the server is installed like any other application and can be started by any user. If the user on the other hand chooses to install the FTP server "as Windows service", a service is created that runs the "NT Authority\\SYSTEM" user, which has the highest system privileges.

FTP Server running as System

A compromised MELAG FTP Server running as "SYSTEM" could then be used to compromise the entire host system.

**Further Annotations**

When describing the "Authentication Bypass" vulnerability, we found that the default Linux ftp command line client does not allow us to exploit the identified vulnerability. During our research we figured that many ftp clients, including Python's default ftplib, behave in the same manner of sending the PASS command right after the USER command, disallowing a user to step in without a password being send. During our analysis we patched the default Python ftplib to serve our needs, but for this blog post we figured it's worth noting that the "manual" approach, going through the protocol step-by-step, can also be fruitful.

Another interesting, but not exploitable (at least as far as we know) twist worth mentioning can be found in the following screenshot that was previously shown in the "Authentication Bypass" section:

As mentioned earlier this code does not check for an authenticated user session, but for our exploit a valid username was required. This requirement is only made necessary, due to the fact that in .NET calling an attribute of a null object causes a run-time exception. If .NET would evaluate a call on null to an empty string, we could have exploited this FTP server even without a valid username...

**Conclusion**

During our research we found several vulnerabilities within the MELAG FTP Server in version 2.2.0.4, which allows an attacker to chain some of these vulnerabilities to escalate privileges from an unauthenticated network position to the highest system privileges on a target host.

We think that these vulnerabilities are pretty severe, especially given that these vulnerabilities can be chained and that this vulnerable FTP server is - due to the market position of the vendor - likely to be found within companies of the medical business sector, such as hospitals, medical practices and so on.

We would have preferred to close all of these vulnerabilities with the vendor, but sadly we didn't receive any response, even after almost a year after we handed in our report describing all of the presented issues. However, we still are and always will be happy to support the mitigation process against the shown attacks.

CVE-2021-41639: Advisory and Exploitation: The MELAG FTP Server

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.
Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware's functionality to be extended or altered at will. It's not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide "law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years." More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

"Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable," Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It's suspected that the actors worked in collaboration with the targets' internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

"We believe this is the reason why most of the applications masqueraded as mobile carrier applications," the researchers said. "When ISP involvement is not possible, applications are masqueraded as messaging applications."

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as the WhatsApp database, from the device.

"As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too," Google Project Zero's Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources, doing so which results in the rogue app, masquerading as smartphone brands like Samsung, requests for extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

"This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need," the researchers noted. "Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs."

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it's tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What's more, Google TAG raised concerns that vendors like RCS Lab are "stockpiling zero-day vulnerabilities in secret" and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, "raising the specter that their stockpiles can be released publicly without warning."

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG said.

"While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

Google is warning victims in Kazakhstan and Italy that they are being targeted by Hermit, a sophisticated and modular spyware from Italian vendor RCS Labs that not only can steal data but also record and make calls.

Researchers from Google Threat Analysis Group (TAG) revealed details in a blog post Thursday by TAG researchers Benoit Sevens and Clement Lecigne about campaigns that send a unique link to targets to fake apps impersonating legitimate ones to try to get them to download and install the spyware. None of the fake apps were found on either Apple’s or Google’s respective mobile app stores, however, they said.

TAG is attributing the capabilities to notorious surveillance software vendor RCS Labs, which previously was linked to spyware activity employed by an agent of the Kazakhstan government against domestic targets, and identified by Lookout research.

“We are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android,” a Google TAG spokesperson wrote in an email to Threatpost sent Thursday afternoon.

All campaigns that TAG observed originated with a unique link sent to the target that then tries to lure users into downloading Hermit spyware in one of two ways, researchers wrote in the post. Once clicked, victims are redirected to a web page for downloading and installing a surveillance app on either Android or iOS.

“The page, in Italian, asks the user to install one of these applications in order to recover their account,” with WhatsApp download links specifically pointing to attacker-controlled content for Android or iOS users, researchers wrote.

****Collaborating with ISPs****

One lure employed by threat actors is to work with the target’s ISP to disable his or her mobile data connectivity, and then masquerade as a carrier application sent in a link to try to get the target to install a malicious app to recover connectivity, they said.

Researchers outlined in a separate blog post by Ian Beer of Google Project Zero a case in which they discovered what appeared to be an iOS app from Vodafone but which in fact is a fake app. Attackers are sending a link to this malicious app by SMS to try to fool targets into downloading the Hermit spyware.

“The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app and includes a link to download and install this fake app,” Beer wrote.

Indeed, this is likely the reason why most of the applications they observed in the Hermit campaign masqueraded as mobile carrier applications, Google TAG researchers wrote.

In other cases when they can’t work directly with ISPs, threat actors use apps appearing to be messaging applications to hide Hermit, according to Google TAG, confirming what Lookout previously discovered in its research.

****iOS Campaign Revealed****

While Lookout previously shared details of how Hermit targeting Android devices works, Google TAG revealed specifics of how the spyware functions on iPhones.

They also released details of the host of vulnerabilities—two of which were zero-day bugs when they were initially identified by Google Project Zero—that attackers exploit in their campaign. In fact, Beer’s post is a technical analysis of one of the bugs: CVE-2021-30983 internally referred to as Clicked3 and fixed by Apple in December 2021.

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with a manifest file with com.ios.Carrier as the identifier, researchers outlined.

The resulting app is signed with a certificate from a company named 3-1 Mobile SRL that was enrolled in the Apple Developer Enterprise Program, thus legitimizing the certificate on iOS devices, they said.

The iOS app itself is broken up into multiple parts, researchers said, including a generic privilege escalation exploit wrapper which is used by six different exploits for previously identified bugs. In addition to Clieked3, the other bugs exploited are:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed;
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet;
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste;
*   CVE-2020-9907 internally referred to as AveCesare; and
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.

All exploits used before 2021 are based on public exploits written by different jailbreaking communities, researchers added.

****Broader Implications****

The emergence of Hermit spyware shows how threat actors—often working as state-sponsored entities—are pivoting to using new surveillance technologies and tactics following the blow-up over repressive regimes’ use of Israel-based NSO Group’s Pegasus spyware in cyberattacks against dissidents, activists and NGOs, as well as the murders of journalists.

Indeed, while use of spyware like Hermit may be legal under national or international laws, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians,” Google TAG researchers wrote.

The United States blacklisted NSO Group over the activity, which drew international attention and ire. But it apparently has not stopped the proliferation of spyware for nefarious purposes in the slightest, according to Google TAG.

In fact, the commercial spyware industry continues to thrive and grow at a significant rate, which “should be concerning to all Internet users,” researchers wrote.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” they said.

Google Warns Spyware Being Deployed Against Android, iOS Users

A vulnerability classified as problematic was found in Google Analytics Dashboard Plugin 2.1.1. Affected by this vulnerability is an unknown functionality. The manipulation leads to basic cross site scripting. The attack can be launched remotely.

CVE-2017-20092

Hidden Talents : He was a competitive swimmer for many years.
Instrument of Choice : His fingers were made for the keyboard, but he used to play the trumpet.
5 pieces of entertainment for the rest of his life : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

**Hidden Talents** : He was a competitive swimmer for many years.

**Instrument of Choice** : His fingers were made for the keyboard, but he used to play the trumpet.

**5 pieces of entertainment for the rest of his life** : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

**Favorite non-profit** : RSPCA

**How he takes his tea** : Through his mouth

**Superpower** : Doesn’t suffer from hangovers

The first thing you should know about Callum Carney is that he doesn’t like talking about himself. Shy? Not necessarily. Quick witted and charming? Yes. However, Callum is best understood through his actions, rather than his words. Callum is just 23 years old and a budding security research prodigy. At a young age he has achieved great success finding bugs in organizations like Microsoft, Spotify, and Google. While he would never toot his own horn, Callum has made monumental contributions in protecting the cloud and has quickly gained a reputation with plenty of accolades to show for it.

Callum was a young, inquisitive boy with a high interest in computers when his Habbo account was hacked. Someone stole his coins, and he was left irritated, but curious as to how it happened (he fully admits this was his fault since his password was Callum123). This little seed of injustice would grow within him as his passion for computers expanded too. Throughout his school years, he recalls spending more time fixing other people’s computers than learning in the classroom.

Early on he stumbled upon a live stream demonstrating Cross-Site Scripting (XSS) which piqued his interest. His hacking aspirations became a reality at the first sight of a pop-up alert on screen saying, “You’ve been hacked!!!”

> **From that moment I was hooked. I’ve never actually been able to come off this rush. Security research is addictive.**

One time in a college computer class Callum was tinkering around on his laptop during a lesson. Bored, but still as curious as ever, Callum began trying to hack the lesson websites domain. He ended up finding a devastating bug and reported it under the guise of anonymity in hopes of avoiding an awkward encounter down the road. However, he forgot to update the shared URL which ended up exposing _he_ was a student at the college. At this point he was just 16. As he put it, there are bound to be small mistakes when you’re starting out, right? Unbeknownst to him, the company hosting the affected website was a subsidiary of the college. Their team replied asking for him to meet to discuss his findings. After much deliberation (even with his mother) and fears of great repercussions, he accepted the meeting. To his good fortune, he was not arrested (ethical hacking is still a gray area in the UK). Instead, the company had the foresight to take a risk. They offered him a position within the company and Callum has been a part of their team for six years now!

When he isn’t working his day job, Callum moonlights as a security researcher. This is where his work speaks for itself. As a multi-year Microsoft Most Valuable Researcher (MVR) Callum’s reputation cannot be ignored. Whilst he didn’t set out to hunt for vulnerabilities for big tech, he is proud of his impact.

> **I see the whole community and what this space is, as the last line of defense. Inside large companies there are a lot of processes, and smart people who develop them. It’s up to us to check and make sure there is nothing left over. And it’s our job to find it. I see it as the last line for cyber security.**

When it comes to guiding the next generation of researchers, Callum strongly believes this field is for anybody, and there is no better time to get in on the action than right now.

> **The number of resources available to learn about security is always growing. In my opinion it’s great to learn by reading previously disclosed issues and getting hands-on with applications in the real world by finding vulnerabilities to report in organizations that have defined security policies.**

Callum stressed not to get demotivated if you aren’t successful immediately. Rather, he suggested that whatever you’re testing is made by humans and humans make mistakes. Keep on pushing, but don’t get burned out. Some of his favorite bugs to find are the ones where the general user is none the wiser. Take for example the time he was robbed of his coins as a kid playing Habbo. He would have liked to be the person who figured out you could steal from others, fix it, and the user would have no clue there was even a threat. The same concept applies to his larger bug bounties.

> **Stop doubting what you’re doing or coming up with reasons not to do something. Give it a go.**

Despite not caring to share too many words about himself, he is quite witty, and quick with comebacks which brings out a sort of endearing quality about who he is deep down. Fellow researcher Wouter (@wtm\_offensi) is happy to tell us what he thinks of Callum. “_Callum and I met in person for the first time about four years ago. This was at an invite-only bug bounty event where he gave an impressive talk about some of his bug hunting findings and experiences. During that event and the events that followed in the years after, I got to know Callum as a young yet skilled researcher who is not only great fun to be around (who doesn’t like a good sense of British humor) but also knows when to work hard to deliver high impact bugs that get the job done. After working together and sharing our insights at some undisclosed hacking event we kept in touch online to share ideas on some of our findings. Sharing information with other researchers is not always the easiest thing to do, since most of us rely on bugs as a (main) source of income, yet Callum is always willing to help think things over as a sparring partner. Nowadays we occasionally collaborate on research related to Azure, to help each other forward and make the hunt for bugs more fun. Callum always seems to be able to find targets that are exciting to work on, e.g., potential targets. I’m a big fan of the man himself and his work_.”

Like WTM, we are huge fans of Callum (@callum\_infosec) and we cannot thank him enough for his amazing research and partnership with MSRC! Thank you for your contributions that help secure Microsoft customers.

A Man of Action: Meet Callum Carney

The spyware has been used to target people in Italy, Kazakhstan, and Syria, researchers at Google and Lookout have found.

In hearings this week, the notorious spyware vendor NSO group told European legislators that at least five EU countries have used its powerful Pegasus surveillance malware. But as ever more comes to light about the reality of how NSO's products have been abused around the world, researchers are also working to raise awareness that the surveillance-for-hire industry goes far beyond one company. On Thursday, Google's Threat Analysis Group and Project Zero vulnerability analysis team published findings about the iOS version of a spyware product attributed to the Italian developer RCS Labs.

Google researchers say they detected victims of the spyware in Italy and Kazakhstan on both Android and iOS devices. Last week, the security firm Lookout published findings about the Android version of the spyware, which it calls “Hermit” and also attributes to RCS Labs. Lookout notes that Italian officials used a version of the spyware during a 2019 anti-corruption probe. In addition to victims located in Italy and Kazakhstan, Lookout also found data indicating that an unidentified entity used the spyware for targeting in northeastern Syria.

“Google has been tracking the activities of commercial spyware vendors for years, and in that time we have seen the industry rapidly expand from a few vendors to an entire ecosystem,” TAG security engineer Clement Lecigne tells WIRED. “These vendors are enabling the proliferation of dangerous hacking tools, arming governments that would not be able to develop these capabilities in-house. But there is little or no transparency into this industry, that's why it's critical to share information about these vendors and their capabilities.”

TAG says it currently tracks more than 30 spyware makers that offer an array of technical capabilities and levels of sophistication to government-backed clients.

In their analysis of the iOS version, Google researchers found that attackers distributed the iOS spyware using a fake app meant to look like the My Vodafone app from the popular international mobile carrier. In both Android and iOS attacks, attackers may have simply tricked targets into downloading what appeared to be a messaging app by distributing a malicious link for victims to click. But in some particularly dramatic cases of iOS targeting, Google found that attackers may have been working with local ISPs to cut off a specific user's mobile data connection, send them a malicious download link over SMS, and convince them to install the fake My Vodafone app over Wi-Fi with the promise that this would restore their cell service.

Attackers were able to distribute the malicious app because RCS Labs had registered with Apple's Enterprise Developer Program, apparently through a shell company called 3-1 Mobile SRL, to obtain a certificate that allows them to sideload apps without going through Apple's typical AppStore review process.

Apple tells WIRED that all of the known accounts and certificates associated with the spyware campaign have been revoked. 

“Enterprise certificates are meant only for internal use by a company, and are not intended for general app distribution, as they can be used to circumvent App Store and iOS protections,” the company wrote in an October report about sideloading. “Despite the program’s tight controls and limited scale, bad actors have found unauthorized ways of accessing it, for instance by purchasing enterprise certificates on the black market.”

Project Zero member Ian Beer conducted a technical analysis of the exploits used in the RCS Labs iOS malware. He notes that the spyware uses a total of six exploits to gain access to surveil a victim's device. While five are known and publicly circulating exploits for older iOS versions, the sixth was an unknown vulnerability at the time it was discovered. (Apple patched that vulnerability in December.) That exploit took advantage of structural changes in how data flows across Apple's new generations of “coprocessors” as the company, and the industry overall, moves toward the all-in-one “system-on-a-chip” design.

The exploit isn't unprecedented in its sophistication, but Google researchers note that the RCS Labs spyware reflects a broader trend in which the surveillance-for-hire industry combines existing hacking techniques and exploits with more novel elements to gain the upper hand. 

“The commercial surveillance industry benefits from and reuses research from the jailbreaking community. In this case, three out of six of the exploits are from public jailbreak exploits,” TAG member Benoit Sevens says. “We also see other surveillance vendors reusing techniques and infection vectors initially used and discovered by cyber crime groups. And like other attackers, surveillance vendors are not only using sophisticated exploits but are using social engineering attacks to lure their victims in.”

The research shows that while not all actors are as successful or well known as a company like NSO Group, many small and midsize players together in a burgeoning industry are creating real risk for internet users worldwide.

Google Warns of New Spyware Targeting iOS and Android Users

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

0 selected

anno...@golang.org

Jun 10

Go 1.19 Beta 1 is released

Hello gophers, We have just released go1.19beta1, a beta version of Go 1.19. It is cut from the

unread,

Go 1.19 Beta 1 is released

Hello gophers, We have just released go1.19beta1, a beta version of Go 1.19. It is cut from the

Jun 10

Dmitri Shuralyov

Jun 1

\[security\] Go 1.18.3 and Go 1.17.11 are released

Hello gophers, We have just released Go versions 1.18.3 and 1.17.11, minor point releases. These

unread,

\[security\] Go 1.18.3 and Go 1.17.11 are released

Hello gophers, We have just released Go versions 1.18.3 and 1.17.11, minor point releases. These

Jun 1

Heschi Kreinick

May 10

\[security\] Go 1.18.2 and Go 1.17.10 are released

Hello gophers, We have just released Go versions 1.18.2 and 1.17.10, minor point releases. These

unread,

\[security\] Go 1.18.2 and Go 1.17.10 are released

Hello gophers, We have just released Go versions 1.18.2 and 1.17.10, minor point releases. These

May 10

Dmitri Shuralyov

Apr 13

\[security\] Go 1.18.1 and Go 1.17.9 are released

Hello gophers, We have just released Go versions 1.18.1 and 1.17.9, minor point releases. These minor

unread,

\[security\] Go 1.18.1 and Go 1.17.9 are released

Hello gophers, We have just released Go versions 1.18.1 and 1.17.9, minor point releases. These minor

Apr 13

Julie Qiu, Carlos Amedee2

Apr 7

\[security\] Go 1.18.1 and Go 1.17.9 pre-announcement

Hello gophers, Due to an issue with release tooling, this release is now planned for Tuesday, April

unread,

\[security\] Go 1.18.1 and Go 1.17.9 pre-announcement

Hello gophers, Due to an issue with release tooling, this release is now planned for Tuesday, April

Apr 7

Heschi Kreinick

Mar 15

Go 1.18 is released

Hello gophers, We just released Go 1.18 To find out what has changed in Go 1.18, read the release

unread,

Go 1.18 is released

Hello gophers, We just released Go 1.18 To find out what has changed in Go 1.18, read the release

Mar 15

Filippo Valsorda

Mar 15

An update of golang.org/x/crypto/ssh might be necessary

Hello gophers, Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements

unread,

An update of golang.org/x/crypto/ssh might be necessary

Hello gophers, Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements

Mar 15

Carlos Amedee

Mar 3

\[security\] Go 1.17.8 and Go 1.16.15 are released

Hello gophers, We have just released Go versions 1.17.8 and 1.16.15, minor point releases. These

unread,

\[security\] Go 1.17.8 and Go 1.16.15 are released

Hello gophers, We have just released Go versions 1.17.8 and 1.16.15, minor point releases. These

Mar 3

Dmitri Shuralyov

Feb 17

Go 1.18 Release Candidate 1 is released

Hello gophers, We have just released go1.18rc1, a release candidate version of Go 1.18. It is cut

unread,

Go 1.18 Release Candidate 1 is released

Hello gophers, We have just released go1.18rc1, a release candidate version of Go 1.18. It is cut

Feb 17

Cherry Mui

Feb 11

\[security\] Go 1.17.7 and Go 1.16.14 are released

Hello gophers, We have just released Go versions 1.17.7 and 1.16.14, minor point releases. These

unread,

\[security\] Go 1.17.7 and Go 1.16.14 are released

Hello gophers, We have just released Go versions 1.17.7 and 1.16.14, minor point releases. These

Feb 11

Alex Rakoczy

Jan 31

Go 1.18 Beta 2 is released

Hello gophers, We have just released go1.18beta2, a beta version of Go 1.18. It is cut from the

unread,

Go 1.18 Beta 2 is released

Hello gophers, We have just released go1.18beta2, a beta version of Go 1.18. It is cut from the

Jan 31

Roland Shoemaker

Jan 27

Most certificates managed by autocert require manual renewal

Hello gophers, The Let's Encrypt certificate authority is revoking all certificates issued with

unread,

Most certificates managed by autocert require manual renewal

Hello gophers, The Let's Encrypt certificate authority is revoking all certificates issued with

Jan 27

Carlos Amedee

Jan 6

Go 1.17.6 and Go 1.16.13 are released

Hello gophers, We have just released Go versions 1.17.6 and 1.16.13, minor point releases. View the

unread,

Go 1.17.6 and Go 1.16.13 are released

Hello gophers, We have just released Go versions 1.17.6 and 1.16.13, minor point releases. View the

Jan 6

Cherry Mui

12/14/21

Go 1.18 Beta 1 is released

Hello gophers, We have just released go1.18beta1, a beta version of Go 1.18. It is cut from the

unread,

Go 1.18 Beta 1 is released

Hello gophers, We have just released go1.18beta1, a beta version of Go 1.18. It is cut from the

12/14/21

Alex Rakoczy

12/9/21

\[security\] Go 1.17.5 and Go 1.16.12 are released

Hello gophers, We have just released Go versions 1.17.5 and 1.16.12, minor point releases. These

unread,

\[security\] Go 1.17.5 and Go 1.16.12 are released

Hello gophers, We have just released Go versions 1.17.5 and 1.16.12, minor point releases. These

12/9/21

Michael Knyszek

12/3/21

Go 1.17.4 and Go 1.16.11 are released

Hello gophers, We have just released Go versions 1.17.4 and 1.16.11, minor point releases. View the

unread,

Go 1.17.4 and Go 1.16.11 are released

Hello gophers, We have just released Go versions 1.17.4 and 1.16.11, minor point releases. View the

12/3/21

Roland Shoemaker

12/2/21

\[security\] Vulnerability in golang.org/x/crypto/ssh

Hello gophers, Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a

unread,

\[security\] Vulnerability in golang.org/x/crypto/ssh

Hello gophers, Version v0.0.0-20211202192323-5770296d904e of golang.org/x/crypto fixes a

12/2/21

Roland Shoemaker

11/29/21

\[security\] golang.org/x/crypto/ssh fix pre-announcement

Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.

unread,

\[security\] golang.org/x/crypto/ssh fix pre-announcement

Hello gophers, We plan to issue a security fix for the golang.org/x/crypto/ssh package in the golang.

11/29/21

Than McIntosh

11/4/21

\[security\] Go 1.17.3 and Go 1.16.10 are released

Hi gophers, We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor

unread,

\[security\] Go 1.17.3 and Go 1.16.10 are released

Hi gophers, We have just released Go versions 1.17.3 and 1.16.10, minor point releases. These minor

11/4/21

Michael Knyszek

10/8/21

\[security\] Go 1.17.2 and Go 1.16.9 are released

Hello gophers, We have just released Go versions 1.17.2 and 1.16.9, minor point releases. These minor

unread,

\[security\] Go 1.17.2 and Go 1.16.9 are released

Hello gophers, We have just released Go versions 1.17.2 and 1.16.9, minor point releases. These minor

10/8/21

Roland Shoemaker

10/4/21

\[security\] Go 1.17.2 and Go 1.16.9 pre-announcement

Hello gophers, We plan to issue Go 1.17.2 and Go 1.16.9 on Thursday, October 7. These are minor

unread,

\[security\] Go 1.17.2 and Go 1.16.9 pre-announcement

Hello gophers, We plan to issue Go 1.17.2 and Go 1.16.9 on Thursday, October 7. These are minor

10/4/21

Than McIntosh

9/9/21

\[security\] Go 1.17.1 and Go 1.16.8 are released

Hello gophers, We have just released Go versions 1.17.1 and 1.16.8 minor point releases. These minor

unread,

\[security\] Go 1.17.1 and Go 1.16.8 are released

Hello gophers, We have just released Go versions 1.17.1 and 1.16.8 minor point releases. These minor

9/9/21

Michael Knyszek

8/16/21

Go 1.17 is released

Hello gophers, We just released Go 1.17 To find out what has changed in Go 1.17, read the release

unread,

Go 1.17 is released

Hello gophers, We just released Go 1.17 To find out what has changed in Go 1.17, read the release

8/16/21

Alex Rakoczy

8/5/21

Go 1.16.7 and Go 1.15.15 are released

Hello gophers, We have just released Go versions 1.16.7 and 1.15.15, minor point releases. These

unread,

Go 1.16.7 and Go 1.15.15 are released

Hello gophers, We have just released Go versions 1.16.7 and 1.15.15, minor point releases. These

8/5/21

Alex Rakoczy

8/2/21

Go 1.17 Release Candidate 2 is released

Hello gophers, We have just released go1.17rc2, a release candidate version of Go 1.17. It is cut

unread,

Go 1.17 Release Candidate 2 is released

Hello gophers, We have just released go1.17rc2, a release candidate version of Go 1.17. It is cut

8/2/21

Cherry Mui

7/13/21

Go 1.17 Release Candidate 1 is released

Hello gophers, We have just released go1.17rc1, a release candidate version of Go 1.17. It is cut

unread,

Go 1.17 Release Candidate 1 is released

Hello gophers, We have just released go1.17rc1, a release candidate version of Go 1.17. It is cut

7/13/21

Dmitri Shuralyov

7/13/21

\[security\] Go 1.16.6 and Go 1.15.14 are released

Hello gophers, We have just released Go versions 1.16.6 and 1.15.14, minor point releases. These

unread,

\[security\] Go 1.16.6 and Go 1.15.14 are released

Hello gophers, We have just released Go versions 1.16.6 and 1.15.14, minor point releases. These

7/13/21

Filippo Valsorda

7/7/21

\[security\] Go 1.16.6 and Go 1.15.14 pre-announcement

Hello gophers, We plan to issue Go 1.16.6 and Go 1.15.14 on Monday, July 12. These are minor releases

unread,

\[security\] Go 1.16.6 and Go 1.15.14 pre-announcement

Hello gophers, We plan to issue Go 1.16.6 and Go 1.15.14 on Monday, July 12. These are minor releases

7/7/21

Dmitri Shuralyov

6/10/21

Go 1.17 Beta 1 is released

Hello gophers, We have just released go1.17beta1, a beta version of Go 1.17. It is cut from the

unread,

Go 1.17 Beta 1 is released

Hello gophers, We have just released go1.17beta1, a beta version of Go 1.17. It is cut from the

6/10/21

David Chase

6/4/21

Go 1.16.5 and Go 1.15.13 are released

Hello gophers, We have just released Go versions 1.16.5 and 1.15.13, minor point releases. These

unread,

Go 1.16.5 and Go 1.15.13 are released

Hello gophers, We have just released Go versions 1.16.5 and 1.15.13, minor point releases. These

6/4/21

CVE-2022-29526: golang-announce - Google Groups

Algo Communication Products Ltd. 8373 IP Zone Paging Adapter Firmware 1.7.6 allows attackers to perform a directory traversal via a web request sent to /fm-data.lua.

Hey All,

Been awhile, like usual :)

We will be talking about a CVE related to firmware running on one of these devices in this blog. Other devices by Algo running identical firmware seem impacted as well.

I am here today to write about a vulnerability I recently discovered during a security assessment and how it spawned into my first CVE. Getting a CVE to my name is something I’ve wanted to accomplish for several years. I got close a few times, and once I even found what I thought was a “Zero day” in a Fortinet Firewall just to find out it was reported and patched just weeks before I found it. So close!

While I will be transparent in saying that this vulnerability is far from the most mind blowing or exciting vulnerability in recent times. I will also say I’m proud to have reported it through the CVE reporting process and was reserved CVE-2022–31395 by doing so. The final step in locking the CVE in is to point MITRE to a publication about the vulnerability. As you can maybe imagine, that is a large part of why I am writing this article. I did attempt to contact the manufacture to ask if they knew about this vulnerability. They simply told me the firmware in question was outdated and to update it. That however didn’t tell me if this was a known vulnerability so I asked if they had any specific CVE’s known to exist against the outdated firmware version I was working with. They said they did not have that information so I moved on to reporting to MITRE. As I sent the details to MITRE I was like:

I just want a CVE with my name on it!!!

I didn’t hear anything for several days from MITRE so I pinged them for an updated and was told they are experiencing a high volume of reported CVE’s and are working through them in a priority order. A few weeks passed and finally I saw a glorious email arrive. It stated that I should use CVE-2022–31395 to craft a public reference for the vulnerability in question, at which point the CVE should be official and no longer just “reserved”.

Without further ado… I present to you the Directory Traversal vulnerability I found and reported. The vulnerability affects at least: **ALGO COMMUNICATION PRODUCTS LTD 8373 IP Zone Paging Adapter Control Panel, Firmware 1.7.6**. Other ALGO products containing the same firmware likely contain the same vulnerability as I have also confirmed the **1.7.6 Firmware on Algos’ “8201 SIP PoE Intercom Control Panel”** contains the same vulnerability). I have not yet confirmed if other, newer firmwares are vulnerable at this time. In addition, the support team at Algo said the best way to know would be to update to their newest firmware and try the attack again. However, I do not have administrative privileges to this device as it belongs to a client of mine, so I am not able to update it and will have to wait if to see if my client decides to do so. I will report back if I find that newer versions are impacted.

Lets’ get into some of the details about this vulnerability! First, it is worth noting that this is an authenticated attack. The part of the application that is vulnerable is only accessible once authenticated. These devices appear to come pre-configured with a default password of “algo” with no username. In fact, I am saved a Google search for default password when initially analyzing the interface as it’s clearly stated right in the web interface itself.

I know it’s not a secret… but it feels like a bad idea to have the default password printed next to the login feature.

Lucky for me, the device I was analyzing still had its’ default password configured so I was able to access administrative functions of this IP Zone Paging Adapter. A function that quickly stood out to me was called “File Manager” which for obvious reasons (to people in offensive security) is immediately a place I start to analyze deeper as a pentester and bug hunter.

My first move, is to attempt to download any of the files I am presented with here and to see what that HTTP request looks like using BurpSuite Professional… P.S. if you don’t use BurpSuite Pro…. well I am just sad to hear that, it’s an incredibly valuable tool and is priced super well in the lower hundreds per year ($300–400ish if I’m remembering correctly). Anyways… this is what I saw when reviewing the download request.

In this example, I’m downloading the “user.conf” file.

A natural change to attempt to make before resubmitting the request is, of course, to replace the file in the HTTP request that we want to fetch from the server with a directory traversal payload to see if we can “break out” of the file directory the application intends for us to browse and reach the “_passwd_” file in the “_/etc/_” directory of the underlying Linux OS.

Yehaw!

I was thrilled to see the output of the _passwd_ file! Next, I thought to also grab the “_shadow_” file in the same directory (/_etc/_) which should contain hashed passwords for users! It is possible for us to maybe even crack the hash(es) if we can get them from the file.

Well, this is certainly awesome. I have the hashed password for the _root_ account. This means I can possibly “jailbreak” or “root” the device if I can accomplish two things.

1.  Crack the root password with Hashcat (my preferred hash cracking tool) or another password-hash cracking tool.
2.  Find a way to execute code as root. My two theories on how to accomplish this was either to find a way to enable SSH (since it doesn’t seem to be enabled on my target at least), or to leverage the directory traversal vulnerability while UPLOADING (instead of downloading as seen above). Perhaps I could drop a web shell or drop/overwrite a config file to get me further access.

I like Hashtcat for the GPU acceleration and the “Rules” engine that modifies a given wordlist on the fly! One or two of my first blog posts on https://n0ur5blog.wordpress.com/ (my old blog) talked a whole bunch about Hashcat!

Boom — Hash cracked! Now that I see the clear-text password for the root account, I notice it matches the default password we used to log in to the web interface. I wonder if the web interface just uses whatever the root password is set to, and if changing the web interface password would change the root password. Regardless, I now have one last challenge and that is to turn this into some form of code execution via the methods I mentioned above!

As of the time of this writing I have not successfully executed code as the root user, but have confirmed I can upload files to outside the web root directory and even overwrite files already in place on the system! I am left with the following items to continue my research on this vulnerability.

*   What other hardware and/or firmware versions are vulnerable to this? I have come across some other Algo devices containing default passwords for log-in that didn’t even have the “File Manager” feature. The few I came across did have much newer firmware but also were different hardware from those that I’ve confirmed vulnerable so far. So I assume “File Manager” was either removed in newer firmware versions OR some hardware they produce simply doesn’t have or need the File Manager.
*   How can I use unrestricted file upload, combined with directory traversal to enable SSH or achieve some other form of remote code execution via ROOT. The web server seems serve “lua” files, so I assume if I can figure out the file structure/location of the web server root directory, I could possibly drop a web shell on it that would enable the remote code execution I’m looking for via web browser.
*   Testing if changing the web interface password also changes the root password by grabbing the shadow file again after changing the password to see if the hash changed. If not, we can assume a large number of Algo devices ship with the root password of “_algo_”.
*   Create a python or bash script for this exploit once I discover the full extent of the items above!

Well folks, that is all for now! Hopefully my next blog post is about another CVE I get, but if not I’m sure whatever it is will be something fun and interesting! Hope this was a fun read!

Cheers!

N0ur5

CVE-2022-31395: Achievement Unlocked: CVE-2022–31395 - N0ur5 - Medium

Red Hat Security Advisory 2022-5029-01 - This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security updates. Issues addressed include denial of service and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Eclipse Vert.x 4.2.7 security update  
Advisory ID:       RHSA-2022:5029-01  
Product:           Red Hat OpenShift Application Runtimes  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5029  
Issue date:        2022-06-23  
CVE Names:         CVE-2020-36518 CVE-2022-25647  
====================================================================  
1. Summary:

An update is now available for Red Hat build of Eclipse Vert.x.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability. For  
more information, see the CVE pages listed in the References section.

2. Description:

This release of Red Hat build of Eclipse Vert.x 4.2.7 GA includes security  
updates. For more information, see the release notes listed in the  
References section.

Security Fix(es):

* jackson-databind: denial of service via a large depth of nested objects  
(CVE-2020-36518)

* com.google.code.gson-gson: Deserialization of Untrusted Data in  
com.google.code.gson-gson (CVE-2022-25647)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgements, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including  
all applications, configuration files, databases and database settings, and  
so on.

The References section of this erratum contains a download link for the  
update. You must be logged in to download the update.

4. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects  
2080850 - CVE-2022-25647 com.google.code.gson-gson: Deserialization of Untrusted Data in com.google.code.gson-gson

5. References:

https://access.redhat.com/security/cve/CVE-2020-36518  
https://access.redhat.com/security/cve/CVE-2022-25647  
https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&productÊtRhoar.eclipse.vertx&version=4.2.7  
https://access.redhat.com/documentation/en-us/red_hat_build_of_eclipse_vert.x/4.2/html/release_notes_for_eclipse_vert.x_4.2/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYrRWD9zjgjWX9erEAQhySBAAlXKnG1+57IQ9cKGQWzpLWKFWJVqsyrGb  
hI/qVXa3T2DnslKYD061oBjY6FEBYwVqOrZLkv+9bSuW5CqdworRqzW+ozpPUJw4  
1IKqO//OXQ/2UAB9FSKjhcyIB/d6af3urm47rtbeplt8WBF3fh4+Zo+sVxpTRbhX  
Kmy+z7YIEKkstR5AQR05mt9KHjpKkj4p2xMwtz3p+VJ0sff0O6gSMdA3oPKoSbms  
b43OhcBeiO5eqXryTgtIauRC2tzOk1lGryfDoWI24x4RFPhgK9r67Vv8r6j6psFi  
6mBcJvzCpynJSnVOR75KQl9E3t7yuIJR14M6p+PndlcrncMg7S7nlhVvRgdun+Dj  
JuL5Kd8QDqu/UQiqLYCpCoZUkyDpg3ztVgR84Y0AFWMH7Q4o+K/dlWBwE1ejrxx0  
klurqysi86Ra0UKwk5zzfvNi/r/Cm/7xdMliNrx8pozuZiFK4nW4y9a6Uvu7AH8v  
nA4cC5zeM9DWFntZiCn3bfigSRcTdZlfhnvk6Csgzu/HhYR9p2QGnY76ZSgaVq45  
ptqT37TDFHFhJSKhR7GLxwrVogT5HjrHV3OMpH2P7p/pO7MkKJovDY+YG5xk1TB8  
gdBYMYiSGhlIRrdIeoLGIkqcOs0cEP86+UO1yeYjvIssG6dArotiSJt3LTN/mLzf  
LEg430ARk3s=qurb  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5029-01

Malicious invoices coming from the accounting software's legitimate domain are used to harvest phone numbers and carry out fraudulent credit-card transactions.

Cyberattackers are hiding behind the QuickBooks brand to disguise their malicious activity, researchers are warning. The effort is a "double-spear" approach that packs a one-two punch: Stealing phone numbers and making off with cash via bogus credit-card payments.

The popular accounting software allows customers to sign up for cloud accounts, from which they can send out requests for payment, invoices, and statements, all coming from the quickbooks.intuit.com domain. According to an analysis from Avanan, cybercrooks are taking advantage of this to send out malicious versions of QuickBooks documents — and email security filters, having determined that the address isn't spooked and comes from an "allowed" domain, pass the messages right on to inboxes.

The campaign started in May, researchers noted in a blog post on Thursday. The email body spoofs brands like Norton or Microsoft 365 (formerly Office 365) and often claim that the targets owe monetary damages. The offensive casts a wide net, targeting companies across all industry segments, according to the firm.

"It presents an invoice and encourages you to call if you think there are any questions," Avanan researchers noted in their analysis. "When calling the number provided, they will ask for credit-card details to cancel the transaction. Note that the number is one associated with such scams, and the address doesn't correlate with a real one."

Once the end user calls to see what’s going on, the hackers then harvest the phone number, allowing them to use it for follow-on attacks via text message or WhatsApp. They also receive the credit-card payment, so the campaign is two-pronged in terms of victim pain.

"On this one, we're dealing with a fairly sophisticated level as hackers have found a way to know that this attack will work and to do a double spear, gaining money and credentials," Jeremy Fuchs, cybersecurity research analyst at Avanan, tells Dark Reading.

He adds, "Like any social-engineering scam, the likeliness of someone falling for this depends on the user. Given that the email comes from a legitimate QuickBooks domain and it's an invoice for what looks like a legitimate company, it might catch some users off-guard."

**Phishing, Cloaked in Legitimacy**

Using the legitimacy of cloud domains to reach the inbox is not a new approach, of course. But particularly as many businesses continue to support remote workers with cloud services and software-as-a-service apps, the approach has been cresting as these channels are less protected than traditional email gambits.

"With regards to broader trends that this falls into, we've seen hackers utilize legitimate sites for illegitimate purposes," Fuchs says. "Leveraging the reputation of a legitimate business is a great way to get into the inbox. Additionally, we've seen an uptick in hackers grabbing money and harvesting phone numbers for future attacks."

While other cloud services like Evernote, Dropbox, Microsoft, DHL, and many more have been abused in this fashion by phishers, nefarious types have leveraged Google in particular over the past few months.

For instance, in January, a threat actor used the comments function in Google Docs to dupe targets into clicking malicious links. After creating a document, the attacker added a comment containing a malicious link, then added the victim to the comment using "@". This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker.

"Organizations can't block Google, so Google-related domains are allowed to come into the inbox," according to Avanan. "These static lists are continually pilfered by hackers. This has manifested itself in hackers hosting phishing content on sites like Milanote."

To guard against attacks like these, Avanan recommends the following:

*   Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges.
*   Implement advanced security that looks at more than one indicator to determine in an email is clean or not.
*   Encourage users to ask IT if they are unsure about the legitimacy of an email.

Tag

#google