Organizations are urged to update to the latest versions of FortiNAC to patch a flaw that allows unauthenticated attackers to write arbitrary files on the system.

Researchers have released details for how to exploit a critical remote code execution (RCE) bug in Fortinet's FortiNAC product, which allows an unauthenticated attacker to write arbitrary files on the system and achieve RCE as a root user.

Organizations use FortiNAC as a network access control solution to oversee and secure all digital assets connected to the enterprise network. The product can be used to manage a range of devices, including: corporate endpoints, Internet of Things (IoT), operational technology and industrial control systems (OT/ICS), and connected medical devices (IoMT), among others. The idea is to provide visibility, control, and automated response for everything that connects to the network, and as such, the device offers a golden opportunity for attackers to pivot and move deep into networks, enumerate environments, steal sensitive information, and more.

Researchers at Horizon3.ai released a blog post with a technical analysis of and proof of concept (POC) exploit for the vulnerability, tracked as CVE-2022-39952, and revealed and patched by Fortinet last week. They subsequently released the exploit code on GitHub.

Fortinet's Gwendal Guégniaud discovered the vulnerability, which earned a critical rating of 9.8 on the CVSS vulnerability-severity scale. The bug allows attackers to take external control of a file name or path vulnerability in the FortiNAC Web server, Fortinet said in its advisory, thus allowing unauthenticated arbitrary writes on the system.

Fortinet has patched in its affected product versions, with customers urged to update to FortiNAC version 9.4.1 or above, FortiNAC version 9.2.6 or above, FortiNAC version 9.1.8, or FortiNAC version 7.2.0 or above.

**How to Exploit the Fortinet FortiNAC Flaw**

While there are several ways for attackers to obtain RCE by exploiting arbitrary file write flaws, the researchers wrote what's called a "cron job to /etc/cron.d/" to take advantage of the vulnerability, they said.

The researchers extracted filesystems from both the vulnerable and patched versions of the product to examine the flaw, finding that Fortinet removed an offending file called /bsc/campusMgr/ui/ROOT/configWizard/keyUpload.jsp in the update that patches the bug. It turns out that file allowed an unauthenticated endpoint to parse requests that supply a file in the key parameter and then write it to /bsc/campusMgr/config.applianceKey, the researchers said.

To exploit this flaw, researchers successfully wrote the file and made a call that executes a bash script, which in turn can unzip the file that was just written. The unzip process "will allow placing files in any paths as long as they do not traverse above the current working directory," Horizon3.ai's chief attack engineer Zach Hanley wrote in the blog post. "Because the working directory is /, the call unzip inside the bash script allows any arbitrary file to be written."

"Immediately, seeing this call on the attacker-controlled file gave us flashbacks to a few recent vulnerabilities we’ve looked at that have abused archive unpacking," he added.

Researchers used the aforementioned cron job — which entails using the code /etc/cron.d/payload — to weaponize the flaw. The job gets triggered every minute and initiates a reverse shell to the attacker. To do this, researchers created a zip archive that contains a file and specifies the path for extraction, and then sent the malicious zip file to the vulnerable endpoint in the key field, they said.

"Within a minute, we get a reverse shell as the root user," which then can allow for remote code to be executed, Hanley wrote.

**History of Attacker Interest**

Historically, attackers have had a tendency to pounce on Fortinet flaws — sometimes even before the company knows they exist. Since they offer a prime opportunity to gain a foothold on enterprise networks, it would be prudent for any organizations running affected versions of FortiNAC to update to the patched products ASAP. So far, neither Fortinet nor Horizon3.ai are aware of any instances of attackers taking advantage of the flaw, but now that the latter's proof of concept is released, with step-by-step details on how it can be exploited, this is likely to change. 

As recently as January, the researchers tied a sophisticated new backdoor dubbed BoldMove to a zero-day vulnerability that Fortinet discovered in multiple versions of its FortiOS and FortiProxy technologies in December. The flaw allowed an unauthenticated attacker to execute arbitrary code on affected systems. In the zero-day attack, a China-based threat actor engaged in cyber-espionage operations apparently had written the malware to run specifically on Fortinet's FortiGate firewalls even before the vulnerability was made public and patched, the researchers discovered.

In October, attackers also showed significant interest in a critical authentication bypass vulnerability in multiple versions of Fortinet's FortiOS, FortiProxy, and FortiSwitchManager technologies, particularly after exploit code for the flaw was released.

Exploit Code Released for Critical Fortinet RCE Bug

By Habiba Rashid
The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan.
This is a post from HackRead.com Read the original post: Android voice chat app with 5m installs leaked user chats

OyeTalk was leaking unencrypted data through unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services.

A popular Android voice chat app, OyeTalk, has leaked private user data, including their unencrypted chats, usernames, and cellphone International Mobile Equipment Identity (IMEI) numbers.

With over five million downloads on **Google Play**, the app has compromised the privacy of all its users while simultaneously exposing them to malicious threats.

OyeTalk on Android

OyeTalk was leaking data through unprotected access to **Firebase**, Google’s mobile application development platform that provides cloud-hosted database services.

The researchers warned that malicious actors could have deleted the dataset, resulting in a permanent loss of users’ private messages, if the leaked data had not been backed up. 

According to the Cyber News **blog post**, Despite being informed of the data spill, the app developers failed to close off public access to the database. Google’s security measures had to step in, since the spill got too big, to close off the database.

This isn’t all. The developers also carelessly left sensitive information hardcoded in the application’s client-side, including a Google API (application programming interface) key and links to Google storage buckets. The exploitation of this security practice in the past has resulted in data loss or a complete takeover of user data stored on open Firebase or other storage systems.

It turns out, this was not the first occurrence of a data leak affecting OyeTalk. The researchers found that the database had been discovered and marked as vulnerable by unknown actors, likely with no malicious intent. The database contained specific fingerprints used to mark open Firebases, known as “**Proof of Compromise**” (PoC) and Evidence of Compromise (EoC) or Indicator of Compromise (IOC).

**Repercussions**

The repercussions of a data leak like the one that occurred with the OyeTalk voice chat app can be severe and far-reaching. First and foremost, the personal information of users can be compromised, leaving them vulnerable to scams.

Furthermore, the leak of personal data can also have a negative impact on the reputation of the app and the company behind it. Users may lose trust in the app and its ability to protect their data, leading to a decline in its user base and revenue. This can also result in legal consequences for the company, as they may face lawsuits and fines for violating data privacy laws.

Overall, the OyeTalk data leak can have significant and lasting consequences for users, the app and its company, and society at large. It underscores the importance of robust data protection measures and responsible handling of personal information and highlights the need for ongoing vigilance in the face of ever-evolving **cybersecurity threats**.

1.  **23 Android apps leaked sensitive data of 100m users**
2.  **GoKeyboard App Spying on Millions of Android Users**
3.  **Dune! game app leaked personal data of Android users**
4.  **Login Details of Tech Giants Leaked in Data Center Hacks**
5.  **Iranian hackers drop RatMilad Android spyware in VPN app**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Android voice chat app with 5m installs leaked user chats

Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS.
The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation.
The two other vulnerabilities,

Endpoint Security / Software Update

Apple has revised the security advisories it released last month to include three new vulnerabilities impacting iOS, iPadOS, and macOS.

The first flaw is a race condition in the Crash Reporter component (CVE-2023-23520) that could enable a malicious actor to read arbitrary files as root. The iPhone maker said it addressed the issue with additional validation.

The two other vulnerabilities, credited to Trellix researcher Austin Emmitt, reside in the Foundation framework (CVE-2023-23530 and CVE-2023-23531) and could be weaponized to achieve code execution.

"An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges," Apple said, adding it patched the issues with "improved memory handling."

The medium to high-severity vulnerabilities have been patched in iOS 16.3, iPadOS 16.3, and macOS Ventura 13.2 that were shipped on January 23, 2023.

Trellix, in its own report on Tuesday, classified the two flaws as a "new class of bugs that allow bypassing code signing to execute arbitrary code in the context of several platform applications, leading to escalation of privileges and sandbox escape on both macOS and iOS."

The bugs also bypass mitigations Apple put in place to address zero-click exploits like FORCEDENTRY that was leveraged by Israeli mercenary spyware vendor NSO Group to deploy Pegasus on targets' devices.

As a result, a threat actor could exploit these vulnerabilities to break out of the sandbox and execute malicious code with elevated permissions, potentially granting access to calendar, address book, messages, location data, call history, camera, microphone, and photos.

Even more troublingly, the security defects could be abused to install arbitrary applications or even wipe the device. That said, exploitation of the flaws requires an attacker to have already obtained an initial foothold into it.

"The vulnerabilities above represent a significant breach of the security model of macOS and iOS which relies on individual applications having fine-grained access to the subset of resources they need and querying higher privileged services to get anything else," Emmitt said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Warns of 3 New Vulnerabilities Affecting iPhone, iPad, and Mac Devices

By Deeba Ahmed
The bugs allowed cybercriminals to bypass the iOS system's security protections and execute unauthorized code. 
This is a post from HackRead.com Read the original post: Apple Bug Could Allow Attackers Access to Photos and Messages

The findings are based on previous research from Google and Citizen Lab conducted in 2021 which discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to the Israeli NSO Group.

Apple devices and products are known for their advanced security mechanisms, particularly the iPhone and Macbook. However, the latest research reveals that even Apple products aren’t safe from the prying eyes of threat actors.

Researchers at the cybersecurity firm Trellix Advanced Research Center have disclosed details of a newly discovered privilege escalation bug class that, if exploited, could allow an attacker to sweep up call history, messages, and photos from the device.

According to researchers, the bugs allowed cybercriminals to bypass the iOS system’s security protections and execute unauthorized code. The security flaws were ranked as medium to high in terms of security.

Trellix’s vulnerability research director, Doug McKee, stated that although Apple has addressed the issue, the concern is that these vulnerabilities allow bypassing of Apple’s security model at a “fundamental level.”

Apple said the bugs weren’t exploited in the wild before being fixed.

**How Was the Bug Discovered?**

The findings are based on previous research from Google and Citizen Lab conducted in 2021. The organizations discovered a zero-click, zero-day iOS exploit dubbed “ForcedEntry,” linked to NSO Group.

This was a highly sophisticated exploit found on a Saudi activist’s iPhone and was used for installing Pegasus malware developed by the NSO Group. The same spyware was also found on the iPhones of nine State Department officials in the United States.

This exploit had two key features: first, it tricked the iPhone into opening a malicious PDF disguised as a GIF file. Secondly, it enabled attackers to evade the sandbox that Apple introduced to prevent apps from accessing data from other apps or other parts of the device.

This second feature of ForcedEntry was the basis of Trellix’s research from senior vulnerability researcher Austin Emmitt. A proof-of-concept was released to demonstrate how the bugs could be exploited.

**Vulnerabilities**

Emmitt discovered a new class of vulnerabilities revolving around the NSPredicate tool that filters code within Apple’s systems. This tool was first exploited in ForcedEntry, as the 2021 research revealed, and Apple introduced new measures to prevent this abuse.

However, the mitigation methods were insufficient, as Trellix researchers found that these methods could also be bypassed since bugs in the NSPredicate class were found in multiple places in macOS and iOS systems.

This includes the Springboard app, which manages the home screen on an iPhone and can access photos, location data, and the camera. After exploiting the bugs, the attacker could access places they could not otherwise invade. Attackers trying to exploit it need to gain an initial foothold into the device.

Vulnerabilities in NSPredicate were discovered in macOS 13.2 and iOS 16.3, and Apple patched them with software updates in January. The company also issued CVEs for these flaws—CVE-2023-23530 and CVE-2023-23531—and released new versions of macOS and iOS.

1.  Apple AirTags used as trojan for credential hacking
2.  iOS Devices Receive Vital Security Updates from Apple
3.  Charging cable remotely steals data from Apple devices
4.  55 Apple bugs risked iCloud account takeover, data theft
5.  Study: Android sends more data to Google than iOS to Apple

Apple Bug Could Allow Attackers Access to Photos and Messages

A lack of rate limiting on the password reset endpoint of Chamberlain myQ v5.222.0.32277 (on iOS) allows attackers to compromise user accounts via a bruteforce attack.

The Chamberlain Group LLC, the corporate parent company to LiftMaster, Chamberlain, Merlin and Grifco, is a global leader in access solutions and products. We design and engineer residential garage door openers, commercial door operators and gate entry systems. Read our story.

CVE-2023-24080: Chamberlain | Garage Door Openers, Remotes and Parts

To open the content, enter the password. If you don't have the link password, ask the person who shared the content with you.

Why do I have to do this?

The sharing link has a password set on it. You need to enter the password to access the content.

Checking...

CVE-2023-24080: Sharing Link Validation

*   22 January, 2023
*   No Comments

**Introduction**

A Brackish Security researcher recently uncovered a vulnerability affecting the myQ iOS application that allows an attacker to take over arbitrary user accounts. This issue was discovered in iOS application version 5.222.0.32277. No other versions were tested, but it is possible that multiple versions and platforms use the same APIs with vulnerable functionality. This issue affects millions of accounts and give attackers access to garage door openers, cameras, locks, and other devices that are controlled via the myQ application. The myQ iOS application has 1.2M ratings on the Apple App Store and is currently #13 in the free application charts.

A door, but we have the key

**A Simple Vulnerability**

The attacker needs prior knowledge of a victim’s email account, or as Brackish discovered, an attacker could make repeated requests to the following endpoint to determine if an account is present.

    POST /api/Account/ForgotPassword

If the account does not exist, a lengthy _Location_ response header containing the following will be returned.

    email=amltQGJyYWNraXNoLmlv

This is the base 64 encoded version of _jim@brackish.io_ – an account that does not exist. If the account exists, this parameter will not be present in the _Location_ response header.

Once a victim’s email is discovered, the account takeover is simple. At the heart of it is the lack of rate limiting on the following endpoint

    POST /api/Account/EmailValidation

Where the body of this request contains (amongst other parameters) the reset code that is emailed to the victim.

    Code=5308

302 response when reset code is hit after thousands of requests

The reset code is only four digits in length, and there is no rate limiting on this endpoint. An attacker is free to brute force this code and reset the victim’s password. This issue was reported to Chamberlain on 1/10/23.

**Fixed**

As of 1/20/23 (possibly earlier), a fix has been implemented via rate limiting on the server or in middleware. The application itself has not been updated. The fact that the fix was implemented in this fashion lends more credence to the speculation that every myQ account was affected by this vulnerability.

Rate limit response as seen in mobile application

**Conclusion**

Security of IoT devices is essential. As evidenced by the simplicity of this exploit, these applications and devices sometimes sit without eyes on them for long periods of time.

Also, kudos to the people at Chamberlain for responding and fixing the issue so quickly. It’s hard to stress enough how often we attempt to report highly impactful vulnerabilities and are completely ignored. I’m also a big fan of their myQ devices in general, so check them out!

Brackish Security recommends penetration testing and source code review of all software and IoT devices. Additionally, it is recommended that every company establish a Vulnerability Disclosure Program (VDP) or Bug Bounty Program (BBP). If you need a penetration test, or some assistance in establishing a VPD or BBP, please reach out to Brackish and Help Make the Bad Guys Salty!

CVE-2023-24080: Chamberlain myQ Account Takeover – Brackish Security

Multiple stored cross-site scripting (XSS) vulnerabilities in Redrock Software TutorTrac before v4.2.170210 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the reason and location fields of the visits listing page.

*   

TutorTrac is the complete management solution developed for the specific needs of learning, writing, tutoring, academic skills and other centers that support students in higher education. As a web-based application, TutorTrac provides on-demand access to essential tools, such as appointment scheduling, logging visits and activity reports. Record contact with students in any physical location or online environment. Find and schedule appointments with tutors based on specific subjects. Track the activity of specific populations of students, such as athletes or first-year students, to identify usage and support needs. Enter attendance for required sessions or workshops. Link activity to course enrollments and faculty. Supply powerful instruments to staff and deliver more services to students, yet simplify the management of your centers with TutorTrac.

**TutorTrac Features:**

*   **Web-Based Access**
    
*   **Customizable reports**
    
*   **Powerful Search**
    
*   **Campus Portal Support**
    
*   **Automation of Tasks**
    
*   **Custom Emails**
    
*   **Integration with Campus Colors & Logos**
    
*   **High-Level TLS Encryption**
    
*   **Multi-Person Study Table Help**
    

*   **Utilize ID card readers**
    
*   **Testing Center support**
    
*   **Center Specific Preferences**
    
*   **Self-Service Kiosks**
    
*   **Online Scheduling**
    
*   **Online Appointments**
    
*   **Workshop Enrollment & Management**
    
*   **Flag Students**
    

*   **CAS Integration**
    
*   **Surveys & Questionnaires**
    
*   **Supplemental Instruction**
    
*   **Custom Access Levels & Security**
    
*   **Text Notifications**
    
*   **Syncing to Calendars & Online Applications**
    
*   **Collaborative Writing Center Help**
    
*   **Reporting**

CVE-2023-24081: TutorTrac — Redrock Software Corporation

Security researchers found a class of flaws that, if exploited, would allow an attacker to access people’s messages, photos, and call history.

For years, Apple has hardened the security systems on iPhones and Macs. But no company is immune from such issues. Research reveals a new class of bugs that can affect Apple’s iPhone and Mac operating systems and if exploited could allow an attacker to sweep up your messages, photos, and call history.

Researchers from security firm Trellix’s Advanced Research Center are today publishing details of a bug that could allow criminal hackers to break out of Apple’s security protections and run their own unauthorized code. The team says the security flaws they found—which they rank as medium to high severity—bypass protections Apple had put in place to protect users.

“The key thing here is the vulnerabilities break Apple’s security model at a fundamental level,” says Doug McKee, director of vulnerability research at Trellix. McKee says that finding the new bug class means researchers and Apple will potentially be able to find more similar bugs and improve overall security protections. Apple has fixed the bugs the company found, and there is no evidence they were exploited.

Trellix’s findings build on previous work by Google and Citizen Lab, a University of Toronto research facility. In 2021, the two organizations discovered ForcedEntry, a zero-click, zero-day iOS exploit that was linked to Israeli spyware maker NSO Group. (The exploit, described as highly sophisticated, was found on the iPhone of a Saudi activist and used to install NSO’s Pegasus malware.)

Analysis of ForcedEntry showed it involved two key parts. The first tricked an iPhone into opening a malicious PDF that was disguised as a GIF. The second part allowed attackers to escape Apple’s sandbox, which keeps apps from accessing data stored by other apps and from accessing other parts of the device. Trellix’s research, by senior vulnerability researcher Austin Emmitt, focuses on that second part and ultimately used the flaws he found to bypass the sandbox.

Specifically, Emmitt found a class of vulnerabilities that revolve around NSPredicate, a tool that can filter code within Apple’s systems. NSPredicate was first abused in ForcedEntry, and as a result of that research in 2021, Apple introduced new ways to stop the abuse. However, those don’t appear to have been enough. “We discovered that these new mitigations could be bypassed,” Trellix says in a blog post outlining the details of its research.

McKee explains that the bugs within this new NSPredicate class existed in multiple places across macOS and iOS, including within Springboard, the app that manages the iPhone’s home screen and can access location data, photos, and the camera. Once the bugs are exploited, the attacker can access areas that are meant to be closed off. A proof-of-concept video published by Trellix shows how the vulnerabilities can be exploited. 

The new class of bugs “brings a lens to an area that people haven’t been researching before because they didn’t know it existed,” McKee says. “Especially with that backdrop of ForcedEntry because somebody at that sophistication level already was leveraging a bug in this class.”

Crucially, any attacker trying to exploit these bugs would require an initial foothold into someone’s device. They would need to have found a way in before being able to abuse the NSPredicate system. (The existence of a vulnerability doesn’t mean that it has been exploited.)

Apple patched the NSPredicate vulnerabilities Trellix found in its macOS 13.2 and iOS 16.3 software updates, which were released in January. Apple has also issued CVEs for the vulnerabilities that were discovered: CVE-2023-23530 and CVE-2023-23531. Since Apple addressed these vulnerabilities, it has also released newer versions of macOS and iOS. These included security fixes for a bug that was being exploited on people’s devices. Make sure you update your iPhone, iPad, and Mac each time a new version of the operating system becomes available.

A New Kind of Bug Spells Trouble for iOS and macOS Security

Livestatus Query Language (LQL) injection in the AuthUser HTTP query header of Tribe29's Checkmk <= 2.1.0p11, Checkmk <= 2.0.0p28, and all versions of Checkmk 1.6.0 (EOL) allows an attacker to perform direct queries to the application's core from localhost.

Component

Livestatus

Title

Fix command injection in livestatus query headers

Date

Aug 26, 2022

Checkmk Edition

Checkmk Raw (CRE)

Checkmk Version

2.2.0b1 2.1.0p12 2.0.0p29

Level

Trivial Change

Class

Security Fix

Compatibility

Compatible - no manual interaction needed

Prior to this Werk it was possible to inject livestatus commands in Checkmk's livestatus wrapper and python API. Attackers could add additional commands in the AuthUser query header using newline characters. This allowed running arbitrary livestatus commands, including external commands to the core.

The issue could only be exploited by attackers from localhost, where the tampered header could be injected in a request to graph data.

We thank Stefan Schiller (SonarSource) for reporting this issue.

**Affected Versions**: All currently supported versions are affected: 1.6, 2.0, and 2.1.

**Mitigations**: Immediate mitigations are not available.

**Indicators of Compromise**: Review the logs of Nagios / CMC for suspicious commands.

**Vulnerability Management**: We have rated the issue with a CVSS Score of 6.8 (Medium) with the following CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L. A CVE has been requested.

**Changes**: This Werk adds sanitization for the AuthUser header field.

To the list of all Werks

Tag

#ios