Plus: WikiLeaks’ website is falling apart, tax websites are sending your data to Facebook, and cops take down a big phone-number-spoofing operation.

Cybersecurity startup Corellium offered or sold its software to spyware and hacking-tool creators in multiple repressive countries, a WIRED investigation revealed this week. A previously unreported 507-page document, believed to have been prepared by Apple, details how Corellium offered a trial of its products to the controversial spyware firm NSO Group, to a cybersecurity company with ties to the UAE government, and to a firm in China that also has government links. In response, Corellium, which makes phone-virtualization software that can help find security bugs in iOS and Android, published a blog post detailing how it now vets potential customers.

As millions of people across the US celebrated Thanksgiving and attended parades, we looked at the US shortage of bomb-sniffing dogs. Experts say the pandemic has led to a drop in the supply of dogs in the country—85 to 90 percent of them come from overseas—and that the lack of trainer animals is fueling national security concerns.

In other national security news, US lawmakers are calling for stricter rules on autonomous vehicles (AVs), which are able to gather reams of real-time data about their environment. China is a chief concern. In a letter shared exclusively with WIRED, Republican congressman August Pfluger said, “AV technology has opened the door for a foreign nation to spy on American soil, as Chinese companies potentially transfer critical data to the People’s Republic of China.”

We also looked at how hidden data stored in PDF files helped researchers reveal names that had been redacted. Court filings, national security files, and responses to Freedom of Information Act requests have all exposed such information in this way. And we heard the cautionary tale of how one person lost $17,000 in crypto—and how you can avoid the same fate. 

Finally, we published part five of the series “The Hunt for the Dark Web’s Biggest Kingpin,” which chronicles the downfall of AlphaBay, the world’s largest dark-web marketplace. In this installment, investigators in Thailand swoop in on AlphaBay’s mastermind, Alexandre Cazes, and discover he had a fortune topping $20 million. 

But wait, there’s more! Each week, we highlight news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

Apple’s privacy policy for analytics services on its devices, which gather data about how you use its products, claims the information collected isn’t used to identify you. However, a new analysis of the tools, reported by Gizmodo, claims a permanent ID number within the service is “tied to your full name, phone number, birth date, email address and more.” This ID number is sent to Apple alongside the analytics data about how you use your device, researchers from the software company Mysk told the publication. 

The findings appear to contradict the company’s privacy promises. Apple did not answer Gizmodo’_s_ questions on the report. In recent years, Apple has pushed a pro-privacy stance, using it as an advantage over competitors, and it has run ads saying the data on people’s iPhones stays on their devices. However, experts have increasingly questioned some of Apple’s practices. (At the same time, Apple has been growing its advertising business.) In separate research published earlier in November, Mysk researchers claimed that Apple collects detailed information on people using its products through its own apps, even when they turn tracking off.

In June, the UK government approved the extradition of WikiLeaks founder Julian Assange to the United States. While Assange waits on an appeal in the case, the website he created is falling apart. At one point, WikiLeaks hosted more than 10 million leaked documents. However, according to an analysis by the Daily Dot, fewer than 3,000 of the files are now available. Aside from the drop-in documents, the website also has technical issues: It is frequently inaccessible, people have problems searching its content, and parts of its navigation have vanished. 

Meta’s Pixel, formerly known as the Facebook Pixel, is a snippet of code that websites can install to track their visitors. The tool is useful for advertisers. Millions of websites use the tracking tool, and the data is sent back to Meta. This week, The Markup revealed that major US tax websites are using the Pixel and sending financial information to Meta. Some of the data transferred includes names, email addresses, income information, and tax filing status. Some tax websites stopped using Meta’s Pixel following the report. A spokesperson for Meta, Dale Hogan, said that advertisers “should not send sensitive information” about people through its tools. 

And finally, in a major blow to scammers, an international police operation took down the iSpoof website, which let people disguise their phone numbers and show fake caller IDs when making phone calls. It’s estimated that people using iSpoof were contacting up to 20 people every minute of the day as they used false identities to try and trick people into handing over their money. One person was tricked out of £3 million ($3.6 million), reports say. The website now shows a notice saying it has been seized by the FBI and United States Secret Service. In total, 142 people were arrested in the operation, including the alleged administrator of the website, who was arrested in the UK. Police from the UK, US, Ukraine, France, Germany, and five other countries were involved.

Apple Tracks You More Than You Think

By Owais Sultan
This article will explain to you how to create ISO files from discs while mentioning 3 top ISO creators which are easy to understand and use;
This is a post from HackRead.com Read the original post: How to Create ISO Files from Discs – 3 Best Ways

An ISO file is a disk image of an optical disc. It is a single file that contains all the data from a CD, DVD, or Blu-ray disc. The data is stored in an uncompressed format. ISO files are used to create exact copies of optical discs. They are also used to distribute large amounts of data over the internet.

It is not difficult to answer this question “how to create ISO files from discs.” Numerous freeware tools help to create an ISO file from a DVD or disc. Using them will help you to back up DVDs, BDs, and CDs to your hard drive.

It is the best strategy to create and save ISO backups for your essential program installation. In addition, unlimited online backup services allow for a near-perfect disk backup plan.

A key feature of ISO images is that they are independent and perfectly demonstrate disk data. As they are the sole files, saving and managing them is easier than copying folders and files directly onto a disk.

Windows do not have a default system to make ISO image files, so you have to download a program/tool that does that. Luckily, numerous free tools are available to create ISO images easily, and some of them are given below;

**How to Create ISO Files from Discs – Best Methods**

**Method 1: DVDFab DVD Copy**

Compatibility: Windows, Mac

This top-list DVD copy software is the most prevailing program to compress any DVD and lossless backup. It restores a DVD to a blank disc while offering six different copy mode options. 

This free ISO creator lets users save their DVDs in ISO image format. It comes with a free trial for 30 days.

**Features **

*   It is the best ISO creator and DVD burner, which supports users to copy a DVD to their hard drive in ISO image format. You can also mount or burn a DVD, ISO file, or folder to any blank disc.
*   A DVD copy is also the best program to compress DVD-9 to DVD-5.
*   Moreover, it can copy DVD-9 to DVD-9, DVD-5 to DVD-5, and DVD-5 to DVD-9.
*   It is a free DVD burner that can read all DVDs without caring about their scratches and copy them in the same original quality.

**Method 2: ISO Workshop**

It is a freeware ISO creation desktop program for Windows computers. It will help you to make, copy, and burn ISO files and perform other operations related to ISO files.

ISO Workshop’s GUI will be attractive to users as it is clear and straightforward. It works best for Windows NT over 7 versions. The EXE file size for installation is lightweight at approximately 4 MB, making it a tool that can be used easily.

Its “extraction feature” will help you to extract the ISO content quickly. When you choose an ISO file from your system, it will automatically upload its content. It is best to convert multiple disk images to the ISO file format. It supports PDI, DMG, GI, B5I, ISO, CDI, MDF, IMG, BIN, NRG, and B6i formats. 

Upload the disk file and pull out the content to the required place to backup files. Tap on the top-right button to burn the ISO file. 

**Method 3: ISODisk**

ISODisk is freeware ISO-creating software. It supports making virtual CD/DVD drivers for over 20 drives. It also helps to make and mount an ISO image. Moreover, it offers direct access to ISO image files. 

It can automatically create an ISO image from CD/DVD-ROM. You can easily access the contents of a folder with Windows Explorer after making it a virtual disk.

This standalone program does not require any installation of additional software. Its simple functionality makes it best for beginners. There is a well-managed functions tab with its user guide.

The home dashboard puts all functions within reach. So it is fast to mount or create ISO files from CD-ROMs within 2-3 clicks. Besides being beginner-friendly, it offers advanced functions to the experts. But you cannot use it to compress or encode ISO files. 

The software installation will require you to have; windows computer, 64 MB memory, and 10 MD storage space.

Here is how to create ISO from DVD using DVD Copy software;

**How to use DVDFab DVD Copy?**

*   Install DVDFab 12, and select the required Copy option. Insert the DVD which you want to back up. You can also navigate it using the “Add button.” 

*   You can use the “Drag and Drop” if your required file is ISO. 
*   After choosing the copy mode, select the required output DVD size. It is also possible to set the volume label and other copy choices. 

*   At last, choose the final directory and click “Start Button” to start the DVD copy process. 

**FAQ****Can I mine the ISO file from the disc?**

Third-party software helps to create an ISO file from the physical disc. There are multiple ISO creators in the market. However, you must be very picky as most contain the virus. So we will recommend a DVD copy, ISO workshop, and ISO disk. A DVD copy is greater than others as it can work on any device and offer multiple other features than creating ISO files. 

**How much time is required to create an ISO image file?**

It is very easy to create an ISO image file using any third-party software; however, it may take 50-60 minutes. The time may vary according to the disc size and your device performance. 

**Conclusion**

All ISO creator tools mentioned in the list are freeware. They will never charge you if you use them for making disk backups, copying disks, or sharing them on any platform. However, you must ensure you downloaded them from a trustworthy or official website to avoid viruses. 

1.  Stellar Converter for OST for OST to PST Conversion
2.  The new Wondershare PDFelement with added features
3.  6 Best Ways to Make a Collaborative PowerPoint Presentation
4.  5 PDF Tricks You Should Know To Improve Document Productivity
5.  Google software shows how to remove watermarks from Stock photos

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

How to Create ISO Files from Discs – 3 Best Ways

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.

**Convert a webpage to an image or pdf using headless Chrome**

   

The package can convert a webpage to an image or pdf. The conversion is done behind the scenes by Puppeteer which controls a headless version of Google Chrome.

Here's a quick example:

use Spatie\\Browsershot\\Browsershot;

// an image will be saved
Browsershot::url('https://example.com')->save($pathToImage);

It will save a pdf if the path passed to the save method has a pdf extension.

// a pdf will be saved
Browsershot::url('https://example.com')->save('example.pdf');

You can also use an arbitrary html input, simply replace the url method with html:

Browsershot::html('<h1>Hello world!!</h1>')->save('example.pdf');

If your HTML input is already in a file locally use the :

Browsershot::htmlFromFilePath('/local/path/to/file.html')->save('example.pdf');

Browsershot also can get the body of an html page after JavaScript has been executed:

Browsershot::url('https://example.com')->bodyHtml(); // returns the html of the body

If you wish to retrieve an array list with all of the requests that the page triggered you can do so:

$requests = Browsershot::url('https://example.com')
    ->triggeredRequests();

foreach ($requests as $request) {
    $url = $request\['url'\]; //https://example.com/
}

**Support us**

Learn how to create a package like this one, by watching our premium video course:

We invest a lot of resources into creating best in class open source packages. You can support us by buying one of our paid products.

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on our contact page. We publish all received postcards on our virtual postcard wall.

**Documentation**

All documentation is available on our documentation site.

**Contributing**

Please see CONTRIBUTING for details.

**Security**

If you've found a bug regarding security please mail security@spatie.be instead of using the issue tracker.

**Alternatives**

If you're not able to install Node and Puppeteer, take a look at v2 of browsershot, which uses Chrome headless CLI to take a screenshot. v2 is not maintained anymore, but should work pretty well.

If using headless Chrome does not work for you take a look at at v1 of this package which uses the abandoned PhantomJS binary.

**Credits**

*   Freek Van der Herten
*   All Contributors

And a special thanks to Caneco for the logo ✨

**License**

The MIT License (MIT). Please see License File for more information.

CVE-2022-41706: GitHub - spatie/browsershot: Convert HTML to an image, PDF or string

Win32.Ransom.Conti ransomware fails to encrypt non PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/99e55ce93392068c970384ab24a0e13d.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnBackup media: infosec.exchange/@malvulnThreat: Win32.Ransom.ContiVulnerability: Crypto Logic FlawDescription: Conti ransomware FAILS to encrypt non PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample, others variants are unknown as they were not yet tested.E.g. Test.exe.docxTest.exe.pdfTested successfully in a virtual machine environment.Family: ContiType: PE32MD5: 99e55ce93392068c970384ab24a0e13dVuln ID: MVID-2022-0662Disclosure: 11/25/2022Video PoC URL:https://www.youtube.com/watch?v=rjxCII_e6xQExploit/PoC:Create files with ".exe" within the filename.Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Win32.Ransom.Conti MVID-2022-0662 Cryptography Logic Flaw

Popular redaction tools don’t always work as promised, and new attacks can reveal hidden information, researchers say.

For years, if you wanted to protect sensitive text in a document, you could grab a pair of scissors or a scalpel and cut out the information. If this didn’t work, a chunky black marker pen would do the job. Now that most documents are digitized, securely redacting their contents has become harder. The majority of redactions—by government officials and courts—involve placing black boxes over text in PDFs. 

When this redaction is done incorrectly, people’s safety and national security can be put at risk. New research from a team at the University of Illinois looked at the most popular tools for redacting PDF documents and found many of them wanting. The findings, from researchers Maxwell Bland, Anushya Iyer, and Kirill Levchenko, say two of the most popular tools for redacting documents offer no protection to the underlying text at all, with the text accessible by copying and pasting it. Plus, a new attack method they devised makes it possible to extract secret details from the redacted text.

The flaws aren’t just theoretical. After examining millions of publicly available documents with blacked-out redactions—including from the US court system, the US Office of the Inspector General, and Freedom of Information Act requests—the researchers found thousands of documents that exposed people’s names and other sensitive details. “I’ve been in lots of discussions with the US court system, I provided them 710 different documents that were just trivial copy-paste style redactions,” says Bland, the paper’s lead author.

Officials usually redact sections of text in documents because those parts contain people’s personal information, or they decide the information shouldn’t be released to protect an organization’s interests. Court documents may redact names of confidential informants or whistleblowers; policy documents may redact information that could damage national security if it is made public.

During the new research, which has been published as a preprint, the team analyzed 11 popular redaction tools. They discovered that PDFzorro and PDFescape Online allowed full access to text that had allegedly been redacted. All they needed to do to access the text was copy and paste it. The researchers registered CVE numbers—used to catalog unique security vulnerabilities—for both of the issues.

PDFzorro did not respond to WIRED’s request for comment. When we tested the tool, it was possible to access PDFzorro redactions by highlighting them. However, if you click on an option to “lock” the PDF before you download it, the text can’t be accessed. Meanwhile, a customer service representative from PDFescape Online said the software has been recently acquired by a new company and they have “rolled out an update for PDFescape Online” that includes security fixes. “The mentioned redaction tool has been removed and will be reworked to be fully compliant,” they said. 

The Illinois research goes further than copy and paste. It also demonstrates a new way to attack PDF documents and use hidden fingerprints to reveal names that have been redacted. The team focused on names, Bland says, as they are commonly redacted and sensitive. It does not appear possible to unredact large blocks of text, the researchers say. To reveal people’s names, the team built a tool, dubbed Edact-Ray, that can “identify, break, and fix redaction information leaks.” 

“Even if you do the redaction, supposedly correctly, even if you remove the text, there’s a lot of latent information that is dependent on the content that was redacted, and even that can leak information,” Levchenko says. “If you redact a name in a PDF, if the attacker has any context—they know this is an American—they will be able to, with high probability, either recover that name or narrow it down to a very small list of candidates.”

Edact-Ray focuses on the size of glyphs (broadly, characters or letters) and their positioning. “It’s pretty clear to a lot of people that the letter ‘L’ is skinnier than a letter ‘M,’ and that if you redacted just the letter ‘L,’ then you might be able to tell it is different from a redaction with just the letter ‘M,’” Bland says. The tool is essentially able to automatically compare the size of the redaction and the position of the letters with a predefined “dictionary” of words to estimate what has been replaced.

The software is constructed by inferring how the original document was produced—for instance, in Microsoft Word—and then reverse engineering the specifics of the document. “That tells us about how the text was laid out,” Levchenko says. “Once we know that, we have a model for how that tool laid out the text and how and what information it deposited throughout the rest of the document.” From here, it is ultimately possible to simulate what the original text may have been and produce a series of potential, or likely, matches. During testing, the team was able to eliminate 80,000 guesses per second.

“We found, for example, that redacting a surname from a PDF generated by Microsoft Word set using 10-point Calibri leaves enough residual information to uniquely identify the name in 14 percent of all cases,” the team’s research paper concludes, adding that this is likely to be a “lower bound on the extent of vulnerable redactions.”

Daniel Lopresti, a professor of computer science at Lehigh University who has studied redaction techniques, says the research is impressive. It “presents a comprehensive study of redaction tools and the ways in which they can be broken, including exploiting nearly invisible aspects of a document’s typography,” says Lopresti, who was not involved with the research. “The picture it paints is scary; too often redaction is done badly.”

The vast majority of the organizations impacted by real-world redaction failures highlighted in the research—including the US Department of Justice, the US courts system, the Office of Inspector General, and Adobe—did not respond to WIRED’s request for comment. Bland and the research paper say that many of the organizations have engaged with the team’s research.

Microsoft did not address data being leaked from Word documents that are converted to PDFs. “Customers can save a document as a PDF, but it is the role of the redaction tool to censor or obscure information,” says Jeff Jones, senior director, Microsoft. Jones adds that people should “review” data and their files before converting them to a format that is going to be shared.

Meanwhile, Mike Lissner, executive director of the Free Law Project, a nonprofit that helps open up court data and provided access to legal documents for the research, says the organization has developed a system that can help identify badly redacted documents. “This works well, but by the time a document is published in a court’s filing system, the secret is out, so we’re working on tools that will integrate with document management systems that lawyers use,” Lissner says. 

Digital document redaction has proved challenging for years, with unnumbered examples of failures to properly secure sensitive information. Sometimes it is human error; other times, technical failings are at fault. “It’s hard to redact something as complicated as a PDF to completely remove the information,” Levchenko says. PDFs can contain text, images, tables, metadata, and more information.

Multiple high-profile redaction failures have exposed information that someone wanted to keep secret. These have involved mistakes in the redaction process, failure to properly protect the information, and the inclusion of enough details to allow people to decipher what the redactions were meant to be. 

For instance, in 1991 researchers used a “desktop computer” to reverse engineer the Dead Sea Scrolls to reveal their full text and open the documents up to more people. Back in 2008, details about secret wiretapping agreements between the US government and telecoms firms could be accessed using copy and paste. In 2016, Edward Snowden was revealed as the target of US spying following a failure to redact his personal details. In October 2020, journalists were able to decipher redactions in Ghislaine Maxwell’s court deposition. And in February 2021, the European Commission published a version of its Covid-19 contract for the AstraZeneca vaccine that it didn’t properly redact.

When it comes to effectively redacting documents and protecting people’s information, the Illinois researchers hope their work will highlight another way PDFs can be attacked and encourage the creators of software to include measures that prevent hidden information from being leaked. They say that for now the NSA’s guidelines for redacting documents are perhaps the best way to protect redactions. The guide says if you redact Word documents, you should change the content of the original document before redacting the resulting PDF. Change someone’s name to a row of “x” characters or the word “redacted,” just to be safe.

Redacted Documents Are Not as Secure as You Think

An issue was discovered in the Linux kernel through 6.0.9. drivers/char/xillybus/xillyusb.c has a race condition and use-after-free during physical removal of a USB device.

From: Hyunwoo Kim <imv4bel@gmail.com>
To: eli.billauer@gmail.com, arnd@arndb.de, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org
Subject: \[PATCH\] char: xillybus: Fix use-after-free in xillyusb\_open()
Date: Sat, 22 Oct 2022 10:54:04 -0700	\[thread overview\]
Message-ID: <20221022175404.GA375335@ubuntu> (raw)

A race condition may occur if the user physically removes
the USB device while calling open() for this device node.

This is a race condition between the xillyusb\_open() function and
the xillyusb\_disconnect() function, which may eventually result in UAF.

So, add a mutex to the xillyusb\_open() and xillyusb\_disconnect()
functions to avoid race contidion.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
---
 drivers/char/xillybus/xillyusb.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/drivers/char/xillybus/xillyusb.c b/drivers/char/xillybus/xillyusb.c
index 39bcbfd908b4..d615f74dcf36 100644
--- a/drivers/char/xillybus/xillyusb.c
+++ b/drivers/char/xillybus/xillyusb.c
@@ -63,6 +63,7 @@ static const struct usb\_device\_id xillyusb\_table\[\] = {
 };
 
 MODULE\_DEVICE\_TABLE(usb, xillyusb\_table);
+static DEFINE\_MUTEX(disconnect\_mutex);
 
 struct xillyusb\_dev;
 
@@ -1237,9 +1238,13 @@ static int xillyusb\_open(struct inode \*inode, struct file \*filp)
 	int rc;
 	int index;
 
+	mutex\_lock(&disconnect\_mutex);
+
 	rc = xillybus\_find\_inode(inode, (void \*\*)&xdev, &index);
\-	if (rc)
+	if (rc) {
+		mutex\_unlock(&disconnect\_mutex);
 		return rc;
+	}
 
 	chan = &xdev->channels\[index\];
 	filp->private\_data = chan;
@@ -1379,6 +1384,8 @@ static int xillyusb\_open(struct inode \*inode, struct file \*filp)
 			request\_read\_anything(chan, OPCODE\_SET\_PUSH);
 	}
 
+	mutex\_unlock(&disconnect\_mutex);
+
 	return 0;
 
 unfifo:
@@ -1410,10 +1417,14 @@ static int xillyusb\_open(struct inode \*inode, struct file \*filp)
 
 	kref\_put(&xdev->kref, cleanup\_dev);
 
+	mutex\_unlock(&disconnect\_mutex);
+
 	return rc;
 
 unmutex\_fail:
 	mutex\_unlock(&chan->lock);
+	mutex\_unlock(&disconnect\_mutex);
+
 	return rc;
 }
 
@@ -1698,6 +1709,8 @@ static int xillyusb\_release(struct inode \*inode, struct file \*filp)
 	struct xillyusb\_dev \*xdev = chan->xdev;
 	int rc\_read = 0, rc\_write = 0;
 
+	mutex\_lock(&disconnect\_mutex);
+
 	if (filp->f\_mode & FMODE\_READ) {
 		struct xillyfifo \*in\_fifo = chan->in\_fifo;
 
@@ -1760,6 +1773,8 @@ static int xillyusb\_release(struct inode \*inode, struct file \*filp)
 
 	kref\_put(&xdev->kref, cleanup\_dev);
 
+	mutex\_unlock(&disconnect\_mutex);
+
 	return rc\_read ? rc\_read : rc\_write;
 }
 
@@ -2172,6 +2187,8 @@ static void xillyusb\_disconnect(struct usb\_interface \*interface)
 	int rc;
 	int i;
 
+	mutex\_lock(&disconnect\_mutex);
+
 	xillybus\_cleanup\_chrdev(xdev, &interface->dev);
 
 	/\*
@@ -2228,6 +2245,8 @@ static void xillyusb\_disconnect(struct usb\_interface \*interface)
 	xdev->dev = NULL;
 
 	kref\_put(&xdev->kref, cleanup\_dev);
+
+	mutex\_unlock(&disconnect\_mutex);
 }
 
 static struct usb\_driver xillyusb\_driver = {
-- 
2.25.1


Dear,


This race condition can occur in the flow of:
\`\`\`
                cpu0                                                cpu1
       1. xillyusb\_open()
          xillybus\_find\_inode()
          mutex\_lock(&unit\_mutex);
          unit = iter;
          mutex\_unlock(&unit\_mutex);
                                                             2. xillyusb\_disconnect()
                                                                xillybus\_cleanup\_chrdev()
                                                                mutex\_lock(&unit\_mutex);
                                                                kfree(unit);
                                                                mutex\_unlock(&unit\_mutex);
       3. \*private\_data = unit->private\_data;   // UAF

\`\`\`

Because the interval between 1 and 3 in xillyusb\_open() is very short, this race condition is usually rare.

However, if someone wants to trigger this UAF, they can use the technique presented in this paper:
https://www.usenix.org/system/files/sec21-lee-yoochan.pdf

This is a method to increase the execution time between No. 1 and No. 3 using the Reschedule IPI.
This means you will be able to trigger the UAF much more reliably.

Here is the KASAN log:
\`\`\`
\[   66.645661\] ==================================================================
\[   66.645678\] BUG: KASAN: use-after-free in xillybus\_find\_inode+0x2c6/0x2ea \[xillybus\_class\]
\[   66.645712\] Read of size 8 at addr ffff88811eb45f90 by task xillyusb\_test/2143

\[   66.645735\] CPU: 2 PID: 2143 Comm: xillyusb\_test Not tainted 6.1.0-rc1+ #10
\[   66.645752\] Hardware name: Gigabyte Technology Co., Ltd. B460MDS3H/B460M DS3H, BIOS F3 05/27/2020
\[   66.645762\] Call Trace:
\[   66.645772\]  <TASK>
\[   66.645783\]  dump\_stack\_lvl+0x49/0x63
\[   66.645808\]  print\_report+0x177/0x46e
\[   66.645828\]  ? kasan\_complete\_mode\_report\_info+0x7c/0x210
\[   66.645846\]  ? xillybus\_find\_inode+0x2c6/0x2ea \[xillybus\_class\]
\[   66.645871\]  kasan\_report+0xb0/0x140
\[   66.645891\]  ? xillybus\_find\_inode+0x2c6/0x2ea \[xillybus\_class\]
\[   66.645917\]  \_\_asan\_report\_load8\_noabort+0x14/0x20
\[   66.645932\]  xillybus\_find\_inode+0x2c6/0x2ea \[xillybus\_class\]
\[   66.645960\]  xillyusb\_open+0xa6/0x1030 \[xillyusb\]
\[   66.645990\]  ? endpoint\_alloc+0x6d0/0x6d0 \[xillyusb\]
\[   66.646014\]  ? \_\_kasan\_check\_write+0x14/0x20
\[   66.646028\]  ? \_raw\_spin\_lock+0x88/0xe0
\[   66.646044\]  ? try\_module\_get.part.0+0xb8/0x1a0
\[   66.646062\]  chrdev\_open+0x230/0x6d0
\[   66.646082\]  ? cdev\_device\_add+0x1f0/0x1f0
\[   66.646099\]  ? fsnotify\_perm.part.0+0x1d9/0x4e0
\[   66.646118\]  do\_dentry\_open+0x449/0x1000
\[   66.646132\]  ? inode\_permission+0x125/0x560
\[   66.646148\]  ? cdev\_device\_add+0x1f0/0x1f0
\[   66.646167\]  vfs\_open+0x9f/0xd0
\[   66.646181\]  path\_openat+0xd58/0x3eb0
\[   66.646199\]  ? kasan\_save\_alloc\_info+0x1e/0x30
\[   66.646212\]  ? \_\_kasan\_slab\_alloc+0x90/0xa0
\[   66.646229\]  ? kmem\_cache\_alloc+0x1f6/0x310
\[   66.646244\]  ? getname\_flags.part.0+0x52/0x490
\[   66.646260\]  ? getname+0x7a/0xb0
\[   66.646275\]  ? \_\_x64\_sys\_openat+0x128/0x210
\[   66.646288\]  ? do\_syscall\_64+0x59/0x90
\[   66.646306\]  ? path\_lookupat+0x660/0x660
\[   66.646328\]  do\_filp\_open+0x1b1/0x3e0
\[   66.646344\]  ? debug\_smp\_processor\_id+0x17/0x20
\[   66.646363\]  ? may\_open\_dev+0xd0/0xd0
\[   66.646378\]  ? getname\_flags.part.0+0x52/0x490
\[   66.646399\]  ? \_raw\_spin\_lock\_bh+0xe0/0xe0
\[   66.646422\]  do\_sys\_openat2+0x132/0x450
\[   66.646435\]  ? recalc\_sigpending+0x144/0x1c0
\[   66.646450\]  ? build\_open\_flags+0x450/0x450
\[   66.646465\]  ? sigprocmask+0x201/0x360
\[   66.646478\]  ? \_\_ia32\_sys\_ssetmask+0x1d0/0x1d0
\[   66.646495\]  \_\_x64\_sys\_openat+0x128/0x210
\[   66.646509\]  ? \_\_ia32\_compat\_sys\_open+0x1b0/0x1b0
\[   66.646526\]  ? debug\_smp\_processor\_id+0x17/0x20
\[   66.646545\]  do\_syscall\_64+0x59/0x90
\[   66.646560\]  ? syscall\_exit\_to\_user\_mode+0x26/0x50
\[   66.646578\]  ? do\_syscall\_64+0x69/0x90
\[   66.646593\]  ? debug\_smp\_processor\_id+0x17/0x20
\[   66.646610\]  ? fpregs\_assert\_state\_consistent+0x52/0xc0
\[   66.646630\]  ? exit\_to\_user\_mode\_prepare+0x49/0x1a0
\[   66.646644\]  ? syscall\_exit\_to\_user\_mode+0x26/0x50
\[   66.646662\]  ? do\_syscall\_64+0x69/0x90
\[   66.646675\]  ? exit\_to\_user\_mode\_prepare+0x16a/0x1a0
\[   66.646689\]  ? syscall\_exit\_to\_user\_mode+0x26/0x50
\[   66.646706\]  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd
\[   66.646722\] RIP: 0033:0x4534e4
\[   66.646736\] Code: 24 20 eb 8f 66 90 44 89 54 24 0c e8 d6 ab 02 00 44 8b 54 24 0c 44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 89 44 24 0c e8 18 ac 02 00 8b 44
\[   66.646751\] RSP: 002b:00007f8130000140 EFLAGS: 00000293 ORIG\_RAX: 0000000000000101
\[   66.646771\] RAX: ffffffffffffffda RBX: 00007f8130000640 RCX: 00000000004534e4
\[   66.646784\] RDX: 0000000000000000 RSI: 00000000004b1008 RDI: 00000000ffffff9c
\[   66.646795\] RBP: 00000000004b1008 R08: 0000000000000000 R09: 00007ffc22c66baf
\[   66.646806\] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
\[   66.646817\] R13: 0000000000000000 R14: 000000000041b2a0 R15: 00007f812f800000
\[   66.646834\]  </TASK>

\[   66.646848\] Allocated by task 2115:
\[   66.646859\]  kasan\_save\_stack+0x26/0x50
\[   66.646875\]  kasan\_set\_track+0x25/0x40
\[   66.646888\]  kasan\_save\_alloc\_info+0x1e/0x30
\[   66.646898\]  \_\_kasan\_kmalloc+0xb4/0xc0
\[   66.646911\]  kmalloc\_trace+0x4a/0xb0
\[   66.646924\]  xillybus\_init\_chrdev+0xf2/0x815 \[xillybus\_class\]
\[   66.646944\]  xillyusb\_probe.cold+0xa61/0xadf \[xillyusb\]
\[   66.646966\]  usb\_probe\_interface+0x266/0x740
\[   66.646981\]  really\_probe+0x1fa/0xa80
\[   66.646993\]  \_\_driver\_probe\_device+0x2cb/0x490
\[   66.647005\]  driver\_probe\_device+0x4e/0x140
\[   66.647017\]  \_\_driver\_attach+0x1a3/0x520
\[   66.647028\]  bus\_for\_each\_dev+0x11e/0x1c0
\[   66.647039\]  driver\_attach+0x3d/0x60
\[   66.647050\]  bus\_add\_driver+0x449/0x5a0
\[   66.647061\]  driver\_register+0x219/0x390
\[   66.647073\]  usb\_register\_driver+0x228/0x400
\[   66.647084\]  0xffffffffc033202d
\[   66.647094\]  do\_one\_initcall+0x97/0x310
\[   66.647109\]  do\_init\_module+0x19a/0x630
\[   66.647120\]  load\_module+0x6ca4/0x7d90
\[   66.647131\]  \_\_do\_sys\_finit\_module+0x134/0x1d0
\[   66.647142\]  \_\_x64\_sys\_finit\_module+0x72/0xb0
\[   66.647153\]  do\_syscall\_64+0x59/0x90
\[   66.647164\]  entry\_SYSCALL\_64\_after\_hwframe+0x63/0xcd

\[   66.647182\] Freed by task 2089:
\[   66.647191\]  kasan\_save\_stack+0x26/0x50
\[   66.647205\]  kasan\_set\_track+0x25/0x40
\[   66.647218\]  kasan\_save\_free\_info+0x2e/0x50
\[   66.647228\]  \_\_\_\_kasan\_slab\_free+0x174/0x1e0
\[   66.647241\]  \_\_kasan\_slab\_free+0x12/0x20
\[   66.647255\]  slab\_free\_freelist\_hook+0xd0/0x1a0
\[   66.647267\]  \_\_kmem\_cache\_free+0x193/0x2c0
\[   66.647280\]  kfree+0x79/0x120
\[   66.647291\]  xillybus\_cleanup\_chrdev+0x3c1/0x570 \[xillybus\_class\]
\[   66.647311\]  xillyusb\_disconnect+0xfe/0x790 \[xillyusb\]
\[   66.647332\]  usb\_unbind\_interface+0x187/0x7c0
\[   66.647345\]  device\_remove+0x117/0x170
\[   66.647357\]  device\_release\_driver\_internal+0x418/0x660
\[   66.647369\]  device\_release\_driver+0x12/0x20
\[   66.647381\]  bus\_remove\_device+0x28f/0x540
\[   66.647392\]  device\_del+0x501/0xc30
\[   66.647407\]  usb\_disable\_device+0x2a5/0x660
\[   66.647418\]  usb\_disconnect.cold+0x1f9/0x620
\[   66.647431\]  hub\_event+0x16d3/0x3d20
\[   66.647446\]  process\_one\_work+0x778/0x11c0
\[   66.647459\]  worker\_thread+0x544/0x1180
\[   66.647471\]  kthread+0x280/0x320
\[   66.647481\]  ret\_from\_fork+0x1f/0x30

\[   66.647501\] Last potentially related work creation:
\[   66.647510\]  kasan\_save\_stack+0x26/0x50
\[   66.647524\]  \_\_kasan\_record\_aux\_stack+0xb6/0xd0
\[   66.647534\]  kasan\_record\_aux\_stack\_noalloc+0xb/0x20
\[   66.647544\]  kvfree\_call\_rcu+0xaf/0xa50
\[   66.647555\]  memcg\_reparent\_list\_lrus+0x477/0x790
\[   66.647566\]  mem\_cgroup\_css\_offline+0x1ea/0x310
\[   66.647579\]  css\_killed\_work\_fn+0xe4/0x380
\[   66.647590\]  process\_one\_work+0x778/0x11c0
\[   66.647602\]  worker\_thread+0x544/0x1180
\[   66.647614\]  kthread+0x280/0x320
\[   66.647623\]  ret\_from\_fork+0x1f/0x30

\[   66.647642\] The buggy address belongs to the object at ffff88811eb45f80
                which belongs to the cache kmalloc-64 of size 64
\[   66.647656\] The buggy address is located 16 bytes inside of
                64-byte region \[ffff88811eb45f80, ffff88811eb45fc0)

\[   66.647677\] The buggy address belongs to the physical page:
\[   66.647686\] page:000000009bdb1cfb refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88811eb45a00 pfn:0x11eb45
\[   66.647701\] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
\[   66.647720\] raw: 0017ffffc0000200 ffffea000481fec8 ffffea0004544b48 ffff888100042640
\[   66.647731\] raw: ffff88811eb45a00 000000000020001e 00000001ffffffff 0000000000000000
\[   66.647738\] page dumped because: kasan: bad access detected

\[   66.647751\] Memory state around the buggy address:
\[   66.647760\]  ffff88811eb45e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
\[   66.647771\]  ffff88811eb45f00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
\[   66.647781\] >ffff88811eb45f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
\[   66.647790\]                          ^
\[   66.647800\]  ffff88811eb46000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\[   66.647810\]  ffff88811eb46080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\[   66.647818\] ==================================================================
\[   66.647826\] Disabling lock debugging due to kernel taint
\`\`\`


Regards,
Hyunwoo Kim.

next             reply	other threads:\[~2022-10-22 17:54 UTC|newest\]

**Thread overview:** 4+ messages / expand\[flat|nested\]  mbox.gz  Atom feed  top
**2022-10-22 17:54 Hyunwoo Kim \[this message\]**
2022-10-23 14:19 \` \[PATCH\] char: xillybus: Fix use-after-free in xillyusb\_open() Eli Billauer
2022-10-23 14:26   \` Hyunwoo Kim
2022-10-24  7:10     \` Eli Billauer

**Reply instructions:**

You may reply publicly to this message via plain-text email
using any one of the following methods:

\* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting\_style#Interleaved\_style

\* Reply using the **\--to**, **\--cc**, and **\--in-reply-to**
  switches of git-send-email(1):

  git send-email \\
    --in-reply-to=20221022175404.GA375335@ubuntu \\
    --to=imv4bel@gmail.com \\
    --cc=arnd@arndb.de \\
    --cc=eli.billauer@gmail.com \\
    --cc=gregkh@linuxfoundation.org \\
    --cc=linux-kernel@vger.kernel.org \\
    /path/to/YOUR\_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

\* If your mail client supports setting the **In-Reply-To** header
  via mailto: links, try the mailto: link

Be sure your reply has a **Subject:** header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

CVE-2022-45888: [PATCH] char: xillybus: Fix use-after-free in xillyusb_open()

Ubuntu Security Notice 5736-1 - It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. Zhang Xiaohui discovered that ImageMagick incorrectly handled certain values when processing image data. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 22.10.

==========================================================================  
Ubuntu Security Notice USN-5736-1  
November 24, 2022

imagemagick vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in ImageMagick.

Software Description:  
- imagemagick: Image manipulation programs and library

Details:

It was discovered that ImageMagick incorrectly handled certain values  
when processing PDF files. If a user or automated system using ImageMagick  
were tricked into opening a specially crafted PDF file, an attacker could  
exploit this to cause a denial of service. This issue only affected Ubuntu  
14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. (CVE-2021-20224)

Zhang Xiaohui discovered that ImageMagick incorrectly handled certain  
values when processing image data. If a user or automated system using  
ImageMagick were tricked into opening a specially crafted image, an  
attacker could exploit this to cause a denial of service. This issue only  
affected Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2021-20241)

Zhang Xiaohui discovered that ImageMagick incorrectly handled certain  
values when processing image data. If a user or automated system using  
ImageMagick were tricked into opening a specially crafted image, an  
attacker could exploit this to cause a denial of service. This issue only  
affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 22.10.  
(CVE-2021-20243)

It was discovered that ImageMagick incorrectly handled certain values  
when processing visual effects based image files. By tricking a user into  
opening a specially crafted image file, an attacker could crash the  
application causing a denial of service. This issue only affected Ubuntu  
22.10. (CVE-2021-20244)

It was discovered that ImageMagick could be made to divide by zero when  
processing crafted file. By tricking a user into opening a specially  
crafted image file, an attacker could crash the application causing a  
denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20245)

It was discovered that ImageMagick incorrectly handled certain values  
when performing resampling operations. By tricking a user into opening  
a specially crafted image file, an attacker could crash the application  
causing a denial of service. This issue only affected Ubuntu 22.10.  
(CVE-2021-20246)

It was discovered that ImageMagick incorrectly handled certain values  
when processing visual effects based image files. By tricking a user into  
opening a specially crafted image file, an attacker could crash the  
application causing a denial of service. This issue only affected Ubuntu  
22.10. (CVE-2021-20309)

It was discovered that ImageMagick incorrectly handled certain values  
when processing thumbnail image data. By tricking a user into opening  
a specially crafted image file, an attacker could crash the application  
causing a denial of service. This issue only affected Ubuntu 22.10.  
(CVE-2021-20312)

It was discovered that ImageMagick incorrectly handled memory cleanup  
when performing certain cryptographic operations. Under certain conditions  
sensitive cryptographic information could be disclosed. This issue only  
affected Ubuntu 22.10. (CVE-2021-20313)

It was discovered that ImageMagick did not properly manage memory under  
certain circumstances. If a user were tricked into opening a specially  
crafted file using convert command, an attacker could possibly use this  
issue to cause ImageMagick to crash, resulting in a denial of service. This  
issue only affected Ubuntu 22.10. (CVE-2021-3574)

It was discovered that ImageMagick did not use the correct rights when  
specifically excluded by a module policy. An attacker could use this issue  
to read and write certain restricted files. This issue only affected  
Ubuntu 22.10. (CVE-2021-39212)

It was discovered that ImageMagick incorrectly handled certain values        
when processing specially crafted SVG files. By tricking a user into    
opening a specially crafted SVG file, an attacker could crash the          
application causing a denial of service. This issue only affected Ubuntu     
22.10. (CVE-2021-4219)

It was discovered that ImageMagick did not properly manage memory under      
certain circumstances. If a user were tricked into opening a specially       
crafted DICOM file, an attacker could possibly use this issue to cause  
ImageMagick to crash, resulting in a denial of service or leaking sensitive  
information. This issue only affected Ubuntu 22.10. (CVE-2022-1114)

It was discovered that ImageMagick incorrectly handled memory under  
certain circumstances. If a user were tricked into opening a specially  
crafted image file, an attacker could possibly exploit this issue to cause  
a denial of service or other unspecified impact. This issue only affected  
Ubuntu 22.10. (CVE-2022-28463)

It was discovered that ImageMagick incorrectly handled certain values.  
If a user were tricked into processing a specially crafted image file,  
an attacker could possibly exploit this issue to cause a denial of service  
or other unspecified impact. This issue only affected Ubuntu 14.04 ESM,  
Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2022-32545, CVE-2022-32546)

It was discovered that ImageMagick incorrectly handled memory under  
certain circumstances. If a user were tricked into processing a specially  
crafted image file, an attacker could possibly exploit this issue to cause  
a denial of service or other unspecified impact. This issue only affected  
Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2022-32547)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
  imagemagick                     8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  imagemagick-6-common            8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  imagemagick-6.q16               8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  imagemagick-6.q16hdri           8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  imagemagick-common              8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libimage-magick-perl            8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libimage-magick-q16-perl        8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagick++-6.q16-8             8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagick++-6.q16-dev           8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagick++-6.q16hdri-8         8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagick++-dev                 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickcore-6-arch-config     8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickcore-6-headers         8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickcore-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickcore-6.q16-6-extra     8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickcore-6.q16-dev         8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickcore-6.q16hdri-6       8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickcore-dev               8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickwand-6.q16-6           8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickwand-6.q16-dev         8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  libmagickwand-dev               8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  perlmagick                      8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1

Ubuntu 18.04 LTS:  
  imagemagick                     8:6.9.7.4+dfsg-16ubuntu6.14  
  imagemagick-6-common            8:6.9.7.4+dfsg-16ubuntu6.14  
  imagemagick-6.q16               8:6.9.7.4+dfsg-16ubuntu6.14  
  imagemagick-6.q16hdri           8:6.9.7.4+dfsg-16ubuntu6.14  
  imagemagick-common              8:6.9.7.4+dfsg-16ubuntu6.14  
  libimage-magick-perl            8:6.9.7.4+dfsg-16ubuntu6.14  
  libimage-magick-q16-perl        8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagick++-6.q16-7             8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagick++-6.q16-dev           8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagick++-6.q16hdri-7         8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagick++-dev                 8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickcore-6-arch-config     8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickcore-6-headers         8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickcore-6.q16-3           8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickcore-6.q16-3-extra     8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickcore-6.q16-dev         8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickcore-6.q16hdri-3       8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickcore-dev               8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickwand-6.q16-3           8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickwand-6.q16-dev         8:6.9.7.4+dfsg-16ubuntu6.14  
  libmagickwand-dev               8:6.9.7.4+dfsg-16ubuntu6.14  
  perlmagick                      8:6.9.7.4+dfsg-16ubuntu6.14

Ubuntu 16.04 ESM:  
  imagemagick                     8:6.8.9.9-7ubuntu5.16+esm5  
  imagemagick-6.q16               8:6.8.9.9-7ubuntu5.16+esm5  
  imagemagick-common              8:6.8.9.9-7ubuntu5.16+esm5  
  libimage-magick-perl            8:6.8.9.9-7ubuntu5.16+esm5  
  libimage-magick-q16-perl        8:6.8.9.9-7ubuntu5.16+esm5  
  libmagick++-6.q16-5v5           8:6.8.9.9-7ubuntu5.16+esm5  
  libmagick++-6.q16-dev           8:6.8.9.9-7ubuntu5.16+esm5  
  libmagick++-dev                 8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickcore-6-arch-config     8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickcore-6-headers         8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickcore-6.q16-2           8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickcore-6.q16-2-extra     8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickcore-6.q16-dev         8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickcore-dev               8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickwand-6.q16-2           8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickwand-6.q16-dev         8:6.8.9.9-7ubuntu5.16+esm5  
  libmagickwand-dev               8:6.8.9.9-7ubuntu5.16+esm5  
  perlmagick                      8:6.8.9.9-7ubuntu5.16+esm5

Ubuntu 14.04 ESM:  
  imagemagick                     8:6.7.7.10-6ubuntu3.13+esm3  
  imagemagick-common              8:6.7.7.10-6ubuntu3.13+esm3  
  libmagick++-dev                 8:6.7.7.10-6ubuntu3.13+esm3  
  libmagick++5                    8:6.7.7.10-6ubuntu3.13+esm3  
  libmagickcore-dev               8:6.7.7.10-6ubuntu3.13+esm3  
  libmagickcore5                  8:6.7.7.10-6ubuntu3.13+esm3  
  libmagickcore5-extra            8:6.7.7.10-6ubuntu3.13+esm3  
  libmagickwand-dev               8:6.7.7.10-6ubuntu3.13+esm3  
  libmagickwand5                  8:6.7.7.10-6ubuntu3.13+esm3  
  perlmagick                      8:6.7.7.10-6ubuntu3.13+esm3

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5736-1  
  CVE-2021-20224, CVE-2021-20241, CVE-2021-20243, CVE-2021-20244,  
  CVE-2021-20245, CVE-2021-20246, CVE-2021-20309, CVE-2021-20312,  
  CVE-2021-20313, CVE-2021-3574, CVE-2021-39212, CVE-2021-4219,  
  CVE-2022-1114, CVE-2022-28463, CVE-2022-32545, CVE-2022-32546,  
  CVE-2022-32547

Package Information:  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.11.60+dfsg-1.3ubuntu0.22.10.1  
  https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-16ubuntu6.14

Ubuntu Security Notice USN-5736-1

There is a broken access control vulnerability in the Maarch RM 2.8.3 solution. When accessing some specific document (pdf, email) from an archive, a preview is proposed by the application. This preview generates a URL including an md5 hash of the file accessed. The document's URL (https://{url}/tmp/{MD5 hash of the document}) is then accessible without authentication.

**Bienvenue chez Maarch****Nous sommes éditeurs de logiciels ouverts  
spécialisés dans la gestion documentaire****Maarch est un influenceur des usages du numérique  
car nous diffusons largement nos produits.**

**Nos Valeurs**

Depuis notre création en 2004, nous nous sommes fixé des lignes directrices fortes auxquelles nous n'avons jamais cessé de croire :

**Sécurité  
**Suivi des normes ISO 14641-1 et NF Z42-013 , assurance de la non-altération de l’ensemble des ressources.

**Tracabilité  
**Nos logiciels disposent de pistes d’audit fiables et opposables.

**Ouverture  
** Le code de nos logiciels est totalement ouvert, auditable et documenté.

**Innovation**  
Notre équipe R&D travaille au quotidien pour être à la pointe de la technologie.

**Libre & Open Source  
**Logiciels téléchargeables librement et déployés sous licence GNU/GPL v.3

**100 % France  
**Maarch est une entreprise française, du groupe Xelians, implantée en Ile-de-France.

Jean-Louis ERCOLANI  
Fondateur & Directeur Général

**Qui sommes-nous ?**

**Avec 30 employés, Maarch est **une entreprise française à taille humaine située à Nanterre, faisant partie du groupe XELIANS**.**

Depuis 2008, nous avons su faire l’unanimité et séduire de nombreuses **administrations publiques** ainsi que des **grands acteurs du secteur privé.**

L’équipe Maarch est donc composée de spécialistes de l’édition logicielle et de la gestion documentaire en **archivage électronique et gestion du courrier.**

**Nos produits à votre disposition**

Les solutions documentaires pour optimiser le fonctionnement de votre organisation

**Maarch Courrier  
**La solution de gestion de vos courriers professionnels : numérisez, partagez, rédondez, signez et classez.

**Maarch Parapheur**  
Le système de gestion des processus de signature électronique autonome, multimode et interopérable.

**Maarch RM**  
Le système d’archivage électronique pour conserver et exploiter vos ressources numériques en toute conformité.

**Nos services**

Nos équipes vous accompagnent pour faire de chaque projet un véritable succès.

**Support & maintenance**  
Maintenance corrective, évolutive, préventive, adaptative ou réglementaire…

**Intégration**  
Etude préalable  
Ateliers de conception  
Installations SaaS ou OnPremise  
Chaîne de numérisation  
Intégration au SI  
Personnalisation & paramétrage  
Assistance à la recette  
Assistance au démarrage

**Formations**  
Manuels de formation personnalisés  
Formations de formateurs ou d’utilisateurs finaux  
Formation des administrateurs techniques et fonctionnels

**Le code de nos logiciels est totalement ouvert, auditable et documenté.**

Maarch fait le choix du logiciel libre pour **placer l’utilisateur au centre de son processus de développement technico-fonctionnel.** Nous sommes intimement convaincus que la maîtrise parfaite d’un logiciel découle de son ouverture.

De cette façon, notre communauté d’utilisateurs est **totalement libre d’exécuter, de copier, de distribuer, d’étudier, de modifier et d’améliorer nos logiciels,** permettant le développement de fonctionnalités toujours plus proche des usages métiers.

Le caractère libre de nos logiciels est la cerise sur le gâteau : avant tout nous nous efforçons d’en faire les meilleurs dans leur domaine !

Nous utilisons des cookies sur notre site Web pour vous offrir l'expérience la plus pertinente en mémorisant vos préférences et vos visites répétées. En cliquant sur "Accepter tout", vous consentez à l'utilisation de TOUS les cookies. Cependant, vous pouvez visiter "Paramètres des cookies" pour fournir un consentement contrôlé.

CVE-2022-37774: Maarch – Sécurisez vos documents professionnels

Gentoo Linux Security Advisory 202211-11 - Multiple vulnerabilities have been found in GPL Ghostscript, the worst of which could result in arbitrary code execution. Versions less than 9.56.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202211-11  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GPL Ghostscript: Multiple Vulnerabilities  
     Date: November 22, 2022  
     Bugs: #852944, #812509  
       ID: 202211-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been found in GPL Ghostscript, the worst  
of which could result in arbitrary code execution.

Background  
=========  
Ghostscript is an interpreter for the PostScript language and for PDF.

Affected packages  
================  
    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-text/ghostscript-gpl   < 9.56.1                    >= 9.56.1

Description  
==========  
Multiple vulnerabilities have been discovered in GPL Ghostscript. Please  
review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All GPL Ghostscript users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-text/ghostscript-gpl-9.56.1"

References  
=========  
[ 1 ] CVE-2021-3781  
      https://nvd.nist.gov/vuln/detail/CVE-2021-3781  
[ 2 ] CVE-2022-2085  
      https://nvd.nist.gov/vuln/detail/CVE-2022-2085

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202211-11

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202211-11

Luna Moth is relying solely on call-back phishing, as well as legitimate tools, to steal data and extract ransoms from victims of all stripes in an expanding cyberattack effort.

Researchers have spotted a threat actor that has managed to extort hundreds of thousands of dollars over the last few months from mostly small and midsize businesses — without using any encryption tools or malware.

Instead, the attacker — dubbed Luna Moth (aka the "Silent" ransomware group) has been using an array of legitimate tools and a technique dubbed "call-back phishing." The tactic is to steal sensitive data from victim organizations and use it as leverage to extort money from them.

**Targeted Attacks**

Most of the attacks so far have targeted smaller organizations in the legal industry; more recently, though, the adversary has begun going after larger companies in the retail sector as well, researchers from Palo Alto Network's Unit 42 said in a report Monday. The evolution of the attacks suggests the threat actor has become more efficient with its tactics and now presents a danger to businesses of all sizes, the security vendor warned.

"We are seeing this tactic successfully targeting all sizes of businesses — from large retailers to small/medium sized legal organization" says Kristopher Russo, senior threat researcher with Unit 42 at Palo Alto Networks. "Because social engineering targets individuals, the size of the company does not offer much protection."

Call-back phishing is a tactic that security researchers first observed the Conti ransomware group using more than a year ago in a campaign to install BazarLoader malware on victim systems.

**Call-Back Phishing**

The scam starts with an adversary sending a phishing email to a specific, targeted individual at a victim organization. The phishing email is custom made for the recipient, originates from a legitimate email service, and involves some kind of a lure to get the user to initiate a phone call with the attacker.

In the Luna Moth incidents that Unit 42 researchers observed, the phishing email contains an invoice — in the form of a PDF file — for a subscription service in the recipient's name. The attackers inform the victim the subscription will soon become active and get billed to the credit card number on file. The email provides a phone number to a purported call center — or sometimes multiple numbers — that users can call if they had questions about the invoice. Some of the invoices have logos of a well-known company on top of the page.

"This invoice even includes a unique tracking number used by the call center," Russo says. "So, when the victim calls the number to dispute the invoice, they look like a legitimate business."

The attackers then convince users who called to initiate a remote session with them using the Zoho Assist remote support tool. Once the victim is connected to the remote session, the attacker takes control of the victim's keyboard and mouse, enables access to the clipboard, and blanks out the user's screen, Unit 42 said.

After the attackers have accomplished that, their next step has been to install the legitimate Syncro remote support software for maintaining persistence on the victim's machine. They have also deployed other legit tools such as Rclone or WinSCP to steal data from it. Security tools rarely flag these products as suspicious because administrators have legitimate use cases for them in an environment.

In early attacks, the adversary installed multiple remote monitoring and management tools such as Atera and Splashtop on victim systems, but lately they appear to have whittled down their toolkit, Unit 42 said.

If a victim does not have administrative rights on their system, the attacker eschews any attempt to maintain persistence on it and instead goes straight to stealing data by leveraging WinSCP Portable.

"In cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact. Otherwise, the attacker only exfiltrated what they could during the call," Unit 42 said in its report.

**Applying the Most Pressure**

The Luna Moth group has typically gone after data that, when leveraged, will apply the most pressure to the victim, Russo says. In targeting legal firms, the attacker appeared to have a good knowledge of the industry, knowing the kind of data that would likely cause the most harm in the wrong hands.

"In the cases that Unit 42 investigated, they targeted sensitive and confidential data of the law firm's clients," Russo explains. "The attacker reviewed the data they stole and included a sample of the most damaging data they stole in the extortion email."

In many attacks, the adversary called out the victim's largest clients by name and threatened to contact them if the victim organization did not pay the demanded ransom — which typically has ranged from 2 to 78 Bitcoin.

In the cases Unit 42 has investigated, the attackers did not move laterally once they had gained access to a victim's machine. "However, they do continue to monitor the compromised computer if the victim has admin credentials — even going so far as to call and taunt the victims if they detect remediation efforts," Russo says.

Sygnia, one of the first to report on Luna Moth's activities, described the group as likely surfacing in March. The security vendor said it had observed the threat actor using commercially available remote access tools such as Atera, Splashtop, and Syncro, as well as AnyDesk for persistence. Sygnia said its researchers had also observed the threat actor using other legitimate tools such as SoftPerfect network scanner for reconnaissance and SharpShares for network enumeration. The attacker's tactic has been to store the tools on compromised systems with names that spoof legitimate binaries, Sygnia said.

"The threat actor in this campaign specifically seeks to minimize their digital footprint to evade most technical security control," Russo says.

Because they have been relying entirely on social engineering and legitimate tools in the campaign, the attacks leave very few artifacts, Unit 42 said. Thus, "we recommend that organizations of all sizes conduct security awareness training for employees" to protect against the new threat, Russo says.

Tag

#pdf