Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA).
"The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,

Email Security / Data Security

Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA).

"The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio said in a technical write-up published Tuesday.

Play ransomware, which first surfaced in June 2022, has been revealed to adopt many tactics employed by other ransomware families such as Hive and Nokoyawa, the latter of which upgraded to Rust in September 2022.

The cybersecurity company's investigations into several Play ransomware intrusions found that initial access to the target environments was not achieved by directly exploiting CVE-2022-41040, but rather through the OWA endpoint.

Dubbed **OWASSRF**, the technique likely takes advantage of another critical flaw tracked as CVE-2022-41080 (CVSS score: 8.8) to achieve privilege escalation, followed by abusing CVE-2022-41082 for remote code execution.

It's worth noting that both CVE-2022-41040 and CVE-2022-41080 stem from a case of server-side request forgery (SSRF), which permits an attacker to access unauthorized internal resources, in this case the PowerShell remoting service.

CrowdStrike said the successful initial access enabled the adversary to drop legitimate Plink and AnyDesk executables to maintain persistent access as well as take steps to purge Windows Event Logs on infected servers to conceal the malicious activity.

All three vulnerabilities were addressed by Microsoft as part of its Patch Tuesday updates for November 2022. It's, however, unclear if CVE-2022-41080 was actively exploited as a zero-day alongside CVE-2022-41040 and CVE-2022-41082.

The Windows maker, for its part, has tagged CVE-2022-41080 with an "Exploitation More Likely" assessment, implying it's possible for an attacker to create exploit code that could be utilized to reliably weaponize the flaw.

CrowdStrike further noted that a proof-of-concept (PoC) Python script discovered and leaked by Huntress Labs researcher Dray Agha last week may have been put to use by the Play ransomware actors for initial access.

This is evidenced by the fact that the execution of the Python script made it possible to "replicate the logs generated in recent Play ransomware attacks."

"Organizations should apply the November 8, 2022 patches for Exchange to prevent exploitation since the URL rewrite mitigations for ProxyNotShell are not effective against this exploit method," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations

Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, and WMS4 before 4.04.45396.23 allows Server-side request forgery (SSRF) via ZohoClient.php.

•

Wildix Compatible Headsets - Jabra, Plantronics, EPOS Sennheiser, JPL, Axtel, Orosound

CVE-2022-47635: Changelogs - Documentation - Confluence

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to sensitive information exposure by passing API keys to log files. If these keys contain sensitive information, it could lead to further attacks. IBM X-Force ID: 240450.

**Security Bulletin**

  

**Summary**

Security vulnerabilities have been addressed in IBM Cognos Analytics 11.2.4. These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.1.7 FP6 where applicable. The following 3rd party components are used by IBM Cognos Analytics: Apache Calcite is a Java-based framework that provides a SQL query engine for processing queries in storage engines (CVE-2022-36364). Google Gson is a Java library that serializes Java objects to JSON and vice versa (CVE-2022-25647). Node.js Redis is a Redis client which provides methods to retrieve and store data (CVE-2021-29469). Faster-XML Jackson is a JSON to Java object conversion API (CVE-2022-42003, CVE-2022-42004). Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), Log Injection and Information Disclosure vulnerabilities have also been addressed (CVE-2022-38708, CVE-2022-43887, CVE-2022-43883, CVE-2022-39160).

**Vulnerability Details**

**CVEID:**   CVE-2022-36364  
**DESCRIPTION:**   Apache Calcite Avatica could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the JDBC driver. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base score: 9.8  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232360 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:**   CVE-2022-38708  
**DESCRIPTION:**   IBM Cognos Analytics could be vulnerable to a Server-Side Request Forgery Attack (SSRF) attack by constucting URLs from user-controlled data . This could enable attackers to make arbitrary requests to the internal network or to the local file system.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/234180 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID:**   CVE-2022-43887  
**DESCRIPTION:**   IBM Cognos Analytics could be vulnerable to sensitive information exposure by passing API keys to log files. If these keys contain sensitive information, it could lead to further attacks.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240450 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:**   CVE-2022-43883  
**DESCRIPTION:**   IBM Cognos Analytics could be vulnerable to a Log Injection attack by constructing URLs from user-controlled data. This could enable attackers to make arbitrary requests to the internal network or to the local file system.  
CVSS Base score: 6.5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240266 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

**CVEID:**   CVE-2022-25647  
**DESCRIPTION:**   Google Gson is vulnerable to a denial of service, caused by the deserialization of untrusted data. By using the writeReplace() method, a remote attacker could exploit this vulnerability to cause a denial of service.  
CVSS Base score: 7.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217225 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)

**CVEID:**   CVE-2021-29469  
**DESCRIPTION:**   Node Redis redis module for Node.js is vulnerable to a denial of service, caused by a regular expression denial of service flaw in monitor mode. By sending specially-crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.  
CVSS Base score: 5.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200618 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-39160  
**DESCRIPTION:**   IBM Cognos Analytics is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 6.1  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235064 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:**   CVE-2022-42004  
**DESCRIPTION:**   FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in in the BeanDeserializer.\_deserializeFromArray function. By sending a specially-crafted request using deeply nested arrays, a local attacker could exploit this vulnerability to exhaust all available resources.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237660 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**   CVE-2022-42003  
**DESCRIPTION:**   FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the primitive value deserializers when the UNWRAP\_SINGLE\_VALUE\_ARRAYS feature is enabled. By sending a specially-crafted request using deep wrapper array nesting, a local attacker could exploit this vulnerability to exhaust all available resources.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/237662 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Cognos Analytics

11.2.x

IBM Cognos Analytics

11.1.x

**Remediation/Fixes**

IBM strongly recommends addressing the vulnerability now by upgrading.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

16 December 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSTSF6","label":"IBM Cognos Analytics"},"Component":"","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"11.2.1, 11.2.0, 11.1.7","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}\]

CVE-2022-43887: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022

Prizes offered to anyone who can bypass the library and capture the flag

Prizes offered to anyone who can bypass the library and capture the flag

A new open source library designed to thwart server-side request forgery (SSRF) attacks plugs a significant gap in Go developers’ armory, according to its architects.

Safeurl, a one-line drop-in replacement for Go’s native , validates incoming HTTP requests against allow and block lists, as well as defending against DNS rebinding attacks.

“All the heavy work of parsing, validating, and issuing requests is done by the library,” said Doyensec security engineers and Safeurl creators Viktor Chuchurski and Alessandro Cotto in a blog post.

“The library works out-of-the-box with minimal configuration, while providing developers the customizations and filtering options they might need. Instead of fighting to solve application security problems, developers should be free to focus on delivering quality features to their customers.”

**SafeCURL inspiration**

Chuchurski and Cotto said they wanted to give Go applications the same protection afforded to counterparts written in other languages through SafeCURL and (the identically named but differently capitalized) SafeURL.

“Our clients were asking for recommendations on a Go-specific solution to mitigate \[SSRF\] attacks,” the pair told The Daily Swig. “There was nothing built specifically for Go so we took on the challenge.”

Read more of the latest dev stack tech news and analysis

SSRF exploits involve inducing server-side applications into make requests to unintended locations.

“It is common for modern web applications to make HTTP requests, but a secure implementation can be quite difficult,” continued Chuchurski and Cotto.

“We hope our library will satisfy that need. It was designed with ease of use in mind and protects apps simply with its drop-in default settings.”

**Erring on the side of caution**

Safeurl blocks all traffic to private or reserved IP addresses by default, as prescribed by RFC1918.

“It’s easier (and safer) to explicitly set allowed destinations, as opposed to having to deal with updating a blocklist in today’s ever-expanding threat landscape,” explained the blog post.

The safeurl.Config can be used to customize the safeurl.Client to set , , , , , , , , , and .

The open source library allows configuration of HTTP redirects, cookie jar settings, and request timeouts.

DNS rebinding attacks, which exploit mismatches in DNS responses between two or more consecutive HTTP requests, are repelled by performing allow/block list validations on the IP address used to make the HTTP request via Go’s net/dialer package and the hook.

**Swag, gadgets up for grabs**

The researchers have created a Capture the Flag (CTF) challenge for Safeurl with “swag and some cool gadgets” on offer to anyone who succeeds.

“We’re confident in our code and the CTF is putting that confidence to the test,” said Chuchurski and Cotto. “It’s a simple web server with an SSRF vulnerability.

“The twist is that the point where the vulnerability is triggered is protected by the ‘safeurl’ library. If anyone is able to find a bypass, they'll find further instructions.”

YOU MIGHT ALSO LIKE Critical IP spoofing bug patched in Cacti

Safeurl HTTP library brings SSRF protection to Go applications

An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.

**Downloads****Current Production Release**

XML-RPC.NET 2.5.0 is the current production release.

xml-rpc.net.2.5.0.zip      documentation

New features, changes, and fixed issues:

*   Added <i8> to support 64-bit long integer values.
*   Added support for more ISO8601 date formats. AllowNonStandardDateTime flag is now deprecated. The following formats are now accepted by default, with the '-' and ':' separators being optional.
    *   yyyy-mm-ddThh:mm:ss
    *   yyyy-mm-ddThh:mm:ssZ
    *   yyyy-mm-ddThh:mm:ss�hh
    *   yyyy-mm-ddThh:mm:ss�hh:mmNote: the XML-RPC spec describes the format as 19980717T14:08:55.
*   Added AllowAutoRedirect property to IXmlRpcProxy. Default behaviour remains the same (property set to true).
*   Moved to Visual Studio 2008.
*   Discontinued support for .NET 1.0 and 1.1.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.

**Work in Progress**

This is a snapshot of work in progress.

xml-rpc.net.3.0.0.270-snapshot.zip      documentation

**Build 270**

*   More graceful handling of case where illegal XML characters are rejected during serialization and deserialization.
*   Added generic EndInvoke method to XmlRpcClientProtocol so return type can be used for deserialization.
*   Added support for cookie and response headers for Silverlight and Windows Phone.

**Build 266**

*   Support for easier logging of request and response XML.
*   Support for mapping .NET enums to/from XML-RPC string values using XmlRpcEnumMapping attribute.
*   Fixed problem with logging and decompression of response stream.
*   Fixed problem with return type in XmlRpcClientProtocol.EndInvoke.
*   Added unit testing for Silverlight build.
*   Switch to Silverlight 4 only in order to support credentials using ClientHttp stack.
*   Now throws XmlRpcUnsupportedTypeException when a type has an indexer property.

**Build 241**

*   Fixes problem with mapping <nil /> onto type Object.

**Build 238**

*   Support for <nil> XML-RPC extension.
*   Support for Silverlight 3 and 4.
*   Support for Windows Phone 7.
*   .NET enum types can be mapped to/from XML-RPC <i4> and <i8> values. (more)
*   New UseEmptyElementTags property on IXmlRpcProxy. If this is set to true full element tags will be generated, for example <string></string> instead of <string />. The default setting of false for this property results is consistent with previous releases. This new feature provides compatibility with servers implemented with XML-RPC libraries which don't support empty tags, such XMLRPC++.
*   New UseNagleAlgorithm property on IXmlRpcProxy. With its default value of false calls will be quicker where small XML-RPC requests are being sent.
*   Separate client and server assemblies � client assembly compatible with .NET Client Profile.
*   Changed directory structure within distribution zip file to avoid problem when opening the file in Windows Explorer.
*   Moved to Visual Studio 2010.
*   Fixed issues:
    *   Issue 55 : change XmlRpcProxyGen so that FileIOPermission is not required for calls to Create.
    *   Issue 56: Maintain XML-RPC struct member ordering in XmlRpcStruct after deserialization.
    *   Issue 65: When deserializing request, check that the number of parameters is consistent with the method signature.
    *   Issue 70: Allow structs/classes to have members or arrays of the same type as the parent type.
    *   Issue 74: Fixed case where if a proxy call is made with a ResponseEvent assigned, the call crashes with a "Stream Closed" error.
    *   Issue 77: Fixed exception when AllowStringFaultCode is set to true. Now string fault codes are handled as well as integer fault code by default.
    *   Issue 78: XmlRpcServiceInfo.GetXmlRpcType now handles case of NonSerializedAttribute on all types.
    *   Issue 83: Change to prevent internal server error when viewing auto-generated help on Mono based servers.
    *   Issue 86: XmlRpcDocWriter.WriteStruct now writes XmlRpcMember.Description.
    *   Issue 89: Workaround on XmlRpcListenerService for cases where closing the request stream was resulting in an InvalidOperationException.
*   Changes:
    *   Custom nullable types � XmlRpcBoolean, XmlRpcDateTime, XmlRpcDouble, XmlRpcInt � have been discontinued. Use the standard nullable types bool?, DateTime?, double?, int?.
    *   A server implementation now needs to reference the CookComputing.XmlRpcServer assembly in addition to the CookComputing.XmlRpc assembly.
    *   Default value for new UseNagleAlgorithm. By default it was previously always false.

**Older Releases****2.4.0**

xml-rpc.net.2.4.0.zip

New feature and fixed issues:

*   New StructParams property on XmlRpcMethodAttribute which provides supports for APIs which use a struct to provide named parameters to a method call. (more).
*   NonSerialized attribute can be applied to struct members to prevent them being serialized and deserialized. (more).
*   Fixed issues:
    *   Issue 25: NullReferenceException when struct member name is an empty string. Now throws XmlRpcInvalidXmlRpcException.
    *   Issue 26: Auto-Documentation does not work with HttpListener.
    *   Issue 27: XmlRpcListenerService.ProcessRequest may not close stream in case of exception.
    *   Issue 28: XmlRpcSerializer.GetStructName does not check for Properties.
    *   Issue 31: UseIntTag is being ignored.
    *   Issue 32: XmlRpcClientProtocol problem with response from void method.
    *   Issue 34: XmlRpcServerProtocol should be derived from MarshalByRefObject. The system.\* methods do not work with remoting object.
    *   Issue 35: UseEmptyParamsTag property on the proxy doesn�t work unless you are making asynchronous calls.
    *   Issue 36: Fixed SelectSingleNode and using statement in XmlRpcFaultException for Compact Framework version.
    *   Issue 38: Check of ParamArrayAttribute causes crash under Mono/Linux.
    *   Issue 40: Deserialization performance enhancement.

**2.3.2**

xml-rpc.net.2.3.2.zip

Changes:

*   Issue 22: XmlRpcTypeMismatchException thrown if an XML-RPC array is mistakenly mapped onto a .Net struct (was throwing MissingMethodException).
*   Issue 23: Fixes problem where XML-RPC string values containing just one or more spaces were deserialized as an empty .Net string value.
*   Issue 24: XmlRpcV2 assembly is now built with a strong name.

**2.3.1**

xml-rpc.net.2.3.1.zip

Changes:

*   Issue 20: Fixes problem where XML-RPC service implemented as HttpHandler returns 500 server error.
*   Issue 21: Fixes problem with StateNameServer sample which returns fault response because of duplicate XML-RPC method names.

**2.3.0**

xml-rpc.net.2.3.0.zip

New features and changes:

*   Issue 15: Support for accessing response headers and cookies. (more).
*   Issue 17: Support for not sending a params element if no method parameters. (more).
*   Changes:
    *   Issue 16: Content type set before writing to response stream (fixes Mono issue).
    *   Issue 18: Modified proxy code generation so that it verifies - prevents �Operation could destabilize the runtime" problem.
    *   Issue 19: XmlRpcListenerService now sets Content Length header and does not use chunked content by default.

**2.2.0**

xml-rpc.net.2.2.0.zip

New features and changes:

*   Support for using System.Net.HttpListener to implement an XML-RPC server. (more).
*   Allow client to configure that <string> tag is not used for string values. (more).
*   Server configuration using XmlRpcServiceAttribute. (more).
*   Client support for Accept-Encoding - gzip and deflate. (more).
*   Changes:
    *   Fixed null exception if acquiring request stream fails while logging.
    *   Fixed stack overflow in GetXmlRpcType if invalid types such as DBNull passed in.
    *   Fixed handling of params method parameter if it is first parameter of method.
    *   Improved error reporting when processing params parameters.
    *   Throw XmlRpcDupXmlRpcMethodNames if same XML-RPC name applied to two methods.
    *   Handle zero offset timezones when AllowNonStandardDateTime flag set.

**2.1.0**

xml-rpc.net.2.1.0.zip

New features and changes:

*   Add support for proxy interfaces with overloaded methods. (more).
*   Add support for the int?, bool?, double?, and DateTime? nullable types to represent struct member types (.NET 2.0 version). These can be used to support optional struct members of int, boolean, double, and dateTime.iso8601 types. (more).

**2.0.0**

xml-rpc.net.2.0.0.zip

New features and changes:

*   Add generic form of XmlRpcProxyGen.Create() to remove need to cast the result of Create to the relevant interface (v2 assembly only) (more).
*   Add support for XmlRpcNonStandard.AllowInvalidHttpContent to handle HTTP response content which has whitespace before the start of the XML-RPC response (more).
*   Switch from NAnt to MSBuild and now builds a .NET 2.0 assembly as well as a .NET 1.0 assembly. Note that the 1.0 assembly can be used on all versions of the .NET runtime and should be used where backwards compatibility is required. The 2.0 assembly contains enhancements which rely on features of .NET 2.0 such as generics and can only be used on the .NET 2.0 and later versions of the runtime (more).
*   Error handling
    *   Throws XmlRpcInvalidParametersException if the parameters array passed to XmlRpcClientProtocol.Invoke contains more parameters than are defined for the method being invoked.
    *   Throws XmlRpcInvalidXmlRpcException if a struct member is missing its name or value child element or if it has a duplicate name or value child element.
    *   Attempt to serialize type with one or more properties that cannot be serialized to an XML-RPC type now results in the correct exception being thrown: XmlRpcUnsupportedTypeException.
*   Samples:
    *   Modify samples to use IXmlRpcProxy interface.
    *   Fix threading issue in AsyncBettyApplication sample.

**1.0.0**

xml-rpc.net.1.0.0.zip

New features and changes:

*   IXmlRpcProxy interface to simplify setting proxy properties (more).
*   Expect100Continue property on XmlRpcClientProtocol to configure "Expect: 100-continue" header; default is header not sent (more).
    *   Note: default behavior in previous versions of XML-RPC.NET was to send this header.
*   Support for variable number of method parameters using params (more).
*   Configurable client support for server which don't comply with XML-RPC standard:
    *   UseIntTag proxy property to use <int> instead of <i4>.
    *   Support dateTime with all zeroes (e.g. eGroupWare).
    *   Support empty dateTime values.
    *   Support fault code returned as string.
    *   Support for non-standard dateTime formats
    *   Note: default is standard XML-RPC only. Existing code which relies on non-standard behaviour will need to configure the proxy NonStandard property (more).
*   Support for sending cookies with request (thanks to JC Bertin) (more).
*   Changes:
    *   Fix for when passing zero-length byte array as base64 value.
    *   Removed large switch statements to circumvent Microsoft .NET bug when running in version 2.0 of the .NET runtime with medium trust.
    *   Uses invariant DateTimeFormatInfo when parsing dateTime.iso8601 so parsing works in all locales
    *   Check for recursive data structures when serializing.
    *   Fix to allow XmlRpcStruct member to be set more than once.
    *   Prevent types which cannot be serialized from being added to XmlRpcStruct.
    *   Improved error handling for null values when serializing.
    *   Fix to XmlRpcServerFormatterSink suggested by Sean Rohead.
*   Sample code:
    *   Updates on sample blogging interfaces from Sam Schillace and Mikahosi.
    *   Sample code for accessing OpenDHT (thanks to Michel Foucault).

**0.9.2**

xml-rpc.net.0.9.2.zip

*   Fixed parsing struct containing an enum member.
*   Lock around generation of proxy type.
*   When generating proxy from interface now includes methods from base interfaces.
*   Added RequestEvent and ResponseEvent events to XmlRpcClientProtocol.
*   Added XmlRpcLogger class for ease of use of RequestEvent and ResponseEvent events.
*   Adding LoggingEample sample.
*   Support for XmlRpcMissingMapping attribute on properties.
*   Invalid struct elements ignored if mapping action is Ignore.
*   Fixed dateTime issue with Wareki calendar.
*   Fixed problem with serializing void return.
*   Modified call to DeserializeResponse in DeserializeMessage.
*   Handles case when server incorrectly returns fault code as a string.
*   XmlRpcStruct restricted to string keys.

**0.9.1**

xml-rpc.net.0.9.1.zip

*   Distribution includes version of library which runs on .NET Compact Framework.
*   DateTime parsing bug fixed (caused problems in particular with it-IT locale)
*   XmlRpcProxyGen caches generated assemblies to avoid leakage if XmlRpcProxyGen is called multiple times for the same interface.

**0.9.0**

xml-rpc.net.0.9.0.zip

*   XmlRpcServiceAttribute has a new AutoDocumentation property which allows automatic documentation to be switched off.
*   Handles XML-RPC response encodings other than UTF-8.
*   XmlRpcMemberAttribute fixed.
*   XmlRpcClientProtocol has new ProtocolVersion property to allow HTTP v1.0 to be specified.
*   XmlRpcClientProtocol has new KeepAlive property (default is true). With some servers it may be necessary to set this to false when running with the current beta of the 2.0 CLR, for example if you start seeing the "Underlying Connection Was Closed" exception or the second call on a proxy appears to hang.
*   Multi-dimensional arrays handled correctly.
*   dateTime parsing supports "yyyy-MM-ddTHH:mm:ss" to handle blog service providers which return invalid XML-RPC dateTime values in this format.
*   Includes Joe Bork's xmlrpcgen utility to generate source code for proxies.
*   Release runs on version 1.0 of CLR upwards.

**0.8.0**

xml-rpc.net.0.8.0.zip

*   optional struct members
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**0.7.1**

xml-rpc.net.0.7.1.zip

*   License change.
*   Fixed problem in XmlRpcServerFormatterSink.cs whereby an exception was thrown if the XML-RPC and .NET method names are different.

**0.7.0**

xml-rpc.net.0.7.0.zip

*   error reporting of parsing errors using parse stack
*   support for async proxy method generation
*   contiuning work on auto-generated documentation
*   params keywords used in XmlRpcClientProtocol.Invoke
*   server method can return void (return empty string in XML-RPC response)
*   proxy method can return void (return value in XML-RPC response discarded)
*   deserializer throws exception if an XML-RPC struct is missing one or more expected members
*   fixed irritating warning when compiling XmlRpcStruct
*   add version of BeginInvoke taking correct params as per docs
*   Close always called on WebResponse
*   fixed usage of XmlRpcClientProtocol Proxy property when used in VS designer (Drew Marsh)
*   fixed handling of response without Content-Length during async calls (Dmitry Jemerov)
*   fixed case when zero-length string in default string value is passed as <value/> (Drew Marsh)
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.6.0**

xml-rpc.net.0.6.0.zip

*   Fixed UserAgent property of XmlRpcClientProtocol.
*   Added Proxy property to XmlRpcClientProtocol.
*   Default for XML-RPC request XML document is no explicit encoding, i.e. implicitly UTF-8.
*   Added Encoding property to XmlRpcClientProtocol to set explicit encoding on XML-RPC request XML document
*   Can now use interface to define XML-RPC methods. For example can use same interface to implement both server and client. MathService changed to illustrate use of interface.
*   Added XmlRpcProxyGen class to dynamically create a proxy object from an interface, i.e. makes hand-coding of proxies unnecessary in most cases. bettyapp sample changed to illustrate this.
*   Fixed parsing of double type to be culture independent.
*   Fault response XML document now generated in same way as ordinary response, i.e. will be in same format and encoding.

**0.5.5**

xml-rpc.net.0.5.5.zip

*   Added ClientCertificates property to XmlRpcClientProtocol  
    
*   The zip file contains a bin directory containing:

*   **CookComputing.XmlRpc.dll**
*   **bettyapp.exe** (A WinForms application which calls the UserLand betty example server.)
*   **asyncbettyapp.exe** (Another WinForms app illustrating how to make async calls.)
*   **mathservice.exe** (A simple XML-RPC service.)
*   **mathapp.exe** (A WinForms application which calls MathService.)

**Limitations of Current Release  
**

*   Auto-documentation generation not fully implemented.
*   No tracing/logging functionality.

**0.5.4**

xml-rpc.net.0.5.4.zip

*   Added Headers property to XmlRpcClientProtocol.
*   Added XmlRpcMemberAttribute.
*   Modified deserialization of arrays to return more specific array type when all elements are of the same type.

**0.5.3**

xml-rpc.net.0.5.3.zip

*   Fixed problem with deserializing arrays.

**0.5.2**

xml-rpc.net.0.5.2.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.1**

xml-rpc.net.0.5.1.zip

*   Improved handling of XmlRpcFaultException in server formatter sink..

**0.5.0**

xml-rpc.net.0.5.0.zip

*   Interim release containing preliminary code for client and server NET Remoting formatter sinks.
*   A Remoting sample, with assemblies and config files.

**0.4.3**

xml-rpc.net.0.4.3.zip

*   Interim release containing bug fixes, mainly in the serialization/deserialization code.
*   Some restructuring in preparation for some major changes in the 0.5 series of releases.

**0.4.2**

xml-rpc.net.0.4.2.zip

*   Build for .NET RTM.
*   Added preliminary support for Introspection API.

**0.4.1**

xml-rpc.net.0.4.1.zip

*   Major changes to XmlRpcClientProtocol class to support async calls, working but coding not completed.
*   Extra sample - AsyncBettyApp - to illustrate async calls.

**0.4.0**

Initial release for .NET beta 2.

xml-rpc.net.0.4.0.zip

**0.3.0**

Initial release for .NET beta 1.

**Developers**

Lead Developer - Charles Cook.

CVE-2022-47514: XML-RPC.Net - Downloads

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 16 December 2022 at 17:43 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Our second web security roundup begins with news that a brace of network security flaws in products from Fortinet and Citrix have each come under active attack.

These attacks were respectively enabled by memory corruption vulnerabilities in the FortiOS SSL-VPN as well as a critical arbitrary code execution risk in Citrix ADC and Citrix Gateway (CVE-2022-27518). It’s unclear whether these assaults are linked, but their occurrence can still be said to underline the importance of patching SSL VPN devices, which have previously been vectors for pushing ransomware onto enterprise networks, among other attacks.

Uber this week suffered a data breach as a result of a cybersecurity incident at a third-party vendor, resulting in the exposure of employees’ personal information. The incident represents only the latest security breach to impact the ride-hailing app firm, which was previously faulted for the delayed disclosure of a 2016 breach that exposed the account records of customers and drivers. More recently, back in September, Uber’s internal IT systems were breached by a social engineering attack.

Over at Black Hat Europe, security researcher Nitesh Dhanjani discussed the impact of floor prices of non-fungible token (NFT) collections and how attacks focused on business dynamics have the potential to wreak havoc on marketplaces. Dhanjani also spoke about off-chain and on-chain sync algorithms, and how the disparities between the two blockchain-related environments can be abused.

I also attended the event for The Daily Swig, reporting on a keynote in which security researcher Daniel Cuthbert said the industry’s fixation on zero-day vulnerabilities was only a partial solution to making the internet fundamentally secure. We also covered some of the top hacking tools from the event.

Among other stories on The Daily Swig in recent days was an Akamai WAF bypass via Spring Boot, SQL injection payloads being smuggled past WAFs, and a crypto maintainer rejecting a bogus cryptocurrency ‘vulnerability’ submitted with the help of ChatGPT.

Here are some other web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   Apache CXF / Critical / SSRF (server-side request forgery) vulnerability in parsing the href attribute of XOP / Disclosed with patch, December 13
*   Grails Spring Security Core plugin / CVE-2022-41923 / Critical / “Vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint” / Disclosed with patch, November 22
*   Microsoft .NET / CVE-2022-41089 / Critical / “Malicious actor could cause a user to run arbitrary code as a result of parsing maliciously crafted xps files” / Disclosed with a patch, December 13
*   Ping / CVE-2022-23093 / Memory-handling vulnerability involving networking protocol implementation by FreeBSD prompted its developers to test their own software, which unearthed a flaw in OpenBSD’s implementation of Ping that dates back to software changes introduced 24 years ago
*   Planet eStream / Critical / Vulnerabilities in video platform geared towards online learning enable attackers to take over user accounts with administrative privileges and execute arbitrary JavaScript code, among other attacks / Vendor has released software updates

**Research and attack techniques**

*   A researcher documented how it’s possible to exploit misconfigurations in cross-origin resource sharing (CORS) – a mechanism to control access to restricted website resources from external domains – to run various attacks. CORS misconfiguration issues have historically been downplayed but can seemingly be exploited to bypass CSRF protections or run cross-site tracking (XST) attacks.
*   Lightspin uncovered a serious flaw in an AWS-hosted service that allows software developers to find and share public container images. Attackers could potentially delete all images in the AWS Elastic Container Registry (ECR) Public Gallery or update image contents to inject malicious code, prompting AWS to resolve the problem within a day of its disclosure.
*   A series of flaws in three popular applications that allows an Android device to be used as a remote keyboard and mouse were exposed by Synopsys Cybersecurity Research Center (CyRC) The authentication, authorization, and insecure communication flaws potentially opened up attacks including keystroke sniffing.
*   Supposedly ‘air-gapped’ networks without direct access to the internet often require DNS services in order to resolve a company’s internal DNS records – a weakness potential hackers might be able to exploit, as a blog post by Pentera explains.
*   SALT Labs used a LEGO\-run site as a testbed to illustrate the general risk posed by API security issues. Researchers uncovered a variety of API-related security issues in LEGO’s Brick Lane, including a potential vector to internal production data and systems or manipulating users into surrendering control of their accounts.

LEGO reportedly fixed a number of API security issues found by SALT Labs

**Bug bounty / vulnerability disclosure**

*   HackerOne revealed that cloud-based vulnerabilities account for a growing proportion of vulnerabilities reported by bug bounty hunters, now totalling 65,000 in 2022, a year-on-year rise of 21%.
*   A security researcher who discovered a means to achieve unauthorized access to resumes stored on LinkedIn may have been left underwhelmed by the $5,000 bounty he received for his find, given the potential impact of the issue on users of the Microsoft-owned business-focused social network. An Insecure Direct Object Reference (IDOR) security vulnerability, inadvertently introduced in October 2022, could have allowed recruiters and perhaps more unsavoury parties to download resumes without permission.
*   Swedish video surveillance giant Axis Communications has launched a private bug bounty program with Bugcrowd.

**New open source infosec/hacking tools**

*   Node Security Shield – a defensive tool that takes an allow-listing approach to protecting zero-day protection for NodeJS applications. The tool was inspired by the infamous Log4Shell vulnerability, a zero-day vulnerability in Log4j, a popular Java logging framework.
*   Invoke-DNSteal – allows pen testers to perform file transfers using the DNS protocol as a covert communications channel.
*   Kubeshark – API Traffic Viewer for Kubernetes, providing “deep visibility and monitoring of all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster”

**For devs**

*   Google has announced a free-of-charge scanner that allows open source developers to check their software projects for vulnerable dependencies. The tool – called OSV-Scanner – builds on Google’s work in developing an open source vulnerability database.
*   OWASP, best known for its ‘Top 10 Web Application Security Risks’ framework, is backing the creation of a similar scheme to index classes of security risks in the world of AppSec and DevSecOps. The Top 10 CI/CD Security Risks taxonomy aims to catalogue risks in the CI/CD pipeline. “Insufficient Flow Control Mechanisms” topped the nascent list.
*   The SHA-1 cryptographic algorithm, in use since 1995, has reached the end of its useful life, announced the National Institute of Standards and Technology (NIST), which says the federal government should phase out its use by 2030.
*   Research from Endor Labs found that the vast majority (95%) of all vulnerabilities are “found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects”.

**For fun**

ChatGPT – the artificial intelligence chat tool from OpenAI – is the hottest thing in infosec-focused social media circles just now. Rather than suggesting possible vulnerabilities in code we wondered what ChatGPT could conjure when asked to write lyrics for a song about SQL injection in the style of the late David Bowie.

The results were more than satisfactory:

In the realm of computers, where data flows like a stream  
There are those that seek to exploit and cause us all to scream  
They are the hackers, the codebreakers, the malicious ones  
And among their favorite trick is the art of SQL injection

Chorus:

SQL injection, SQL injection  
A dangerous game, a digital infection  
SQL injection, SQL injection  
Beware of the hackers and their devious invention

To paraphrase the great man himself, I still don’t know what I was waiting for... but it definitely wasn’t this.

RECOMMENDED Black Hat Europe 2022: A defendable internet is possible, but only with industry makeover

Deserialized web security roundup – Fortinet, Citrix bugs; another Uber breach; hacking NFTs at Black Hat 

Adobe Campaign version 7.3.1 (and earlier) and 8.3.9 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A low-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

Security updates available for Adobe Campaign Classic | APSB22-58

**Summary**

Adobe has released security updates for Adobe Campaign Classic. This update addresses an important vulnerability that could result in privilege escalation.  
  

**Affected versions**

**Product**

**Affected version**

**Platform**

Adobe Campaign Classic  

ACC v7: 7.3.1 and below

ACC v8: 8.3.9 and below

Windows, Linux

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version:

**Product**

**Updated version**

**Platform**

**Priority rating**

**Availability**

Adobe Campaign Classic  

ACC v7: 7.3.2

ACC v8: 8.4.2

Windows and Linux

3

Release 7 Notes

Release 8 Notes

**Vulnerability Details**

Improper Input Validation (CWE-20)  

**Acknowledgments**

Adobe would like to thank **Felix Martel-Denis - Software Secured** for reporting this issue and for working with Adobe to help protect our customers.

CVE-2022-42343: Adobe Security Bulletin

Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

API Flaws in Lego Marketplace Put User Accounts, Data at Risk

WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

CVE-2022-3590

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

**Apache CXF Server-Side Request Forgery vulnerability**

High severity GitHub Reviewed Published Dec 13, 2022 • Updated Dec 13, 2022

Tag

#ssrf