ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Malware Dropped Through a ZPAQ Archive
Published: 2023-11-01
Last Updated: 2023-11-01 06:33:33 UTC
by Xavier Mertens (Version: 1)
Have you ever seen ZPAQ archives? This morning, my honeypot captured a phishing attempt which lured the potential victim into opening a "ZPAQ" archive. This is not a common file format. This could be used by the attacker to bypass classic security controls. What Wikipedia says about ZPAQ:
ZPAQ is an open source command line archiver for Windows and Linux. It uses a journaling or append-only format which can be rolled back to an earlier state to retrieve older versions of files and directories. It supports fast incremental update by adding only files whose last-modified date has changed since the previous update. It compresses using deduplication and several algorithms (LZ77, BWT, and context mixing) depending on the data type and the selected compression level. To preserve forward and backward compatibility between versions as the compression algorithm is improved, it stores the decompression algorithm in the archive.
The file was called "Purchase Order pdf<dot>zpaq" (SHA256: 1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6). Because the archive uses an "exotic" compression algorithm, the VT score is null! I tried the classic tools on a stock Windows operating system, including 7Zip, and none of them was able to decompress the archive. This is strange because it reduces the number of potential victims! On Windows, you can use PeaZip.
Read the full entry:
https://isc.sans.edu/diary/Malware+Dropped+Through+a+ZPAQ+Archive/30366/
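The lure above relies on a format that neither stock Windows tooling nor the VT engines unpacked. As an added example (not from the diary), here is a gateway-side triage check in Python that denies attachment types the scanning stack cannot inspect, flags the "file-type word before the real extension" naming seen in the (undefanged) name "Purchase Order pdf.zpaq", and recognises ZPAQ content by its block tag regardless of the filename. The allowlist is constructed, and the 13-byte ZPAQ tag is quoted from memory of the ZPAQ level 2 specification and should be confirmed against a known archive before use.

```python
import re

# Constructed allowlist: only types the gateway's scanners can actually open and inspect are delivered.
ALLOWED_EXT = {"pdf", "docx", "xlsx", "txt", "zip", "7z"}
# File-type words attackers put in front of the real extension ("Purchase Order pdf.zpaq").
DOC_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}
# ZPAQ block locator tag, quoted from memory of the ZPAQ level 2 spec; confirm against a real archive.
ZPAQ_TAG = bytes.fromhex("376b5374a03183d38cb228b0d3")

def triage_attachment(filename: str, head: bytes) -> list[str]:
    """Return the reasons to quarantine an attachment; an empty list means it passed these checks."""
    reasons = []
    tokens = [t for t in re.split(r"[.\s_-]+", filename.lower()) if t]
    ext = tokens[-1] if len(tokens) > 1 else ""
    if ext not in ALLOWED_EXT:                      # deny by default: what cannot be inspected is not delivered
        reasons.append(f"extension '{ext or 'none'}' is not on the inspectable allowlist")
    if ext not in DOC_WORDS and any(t in DOC_WORDS for t in tokens[:-1]):
        reasons.append("document-type word in the name but a different real extension (lure pattern)")
    if head.startswith(ZPAQ_TAG):                   # content check: catches ZPAQ renamed to an allowed extension
        reasons.append("content is a ZPAQ archive, which the scanning stack cannot unpack")
    return reasons

# Constructed samples: the diary's lure name with a ZPAQ-style header, and two benign attachments.
SAMPLES = {
    "Purchase Order pdf.zpaq": ZPAQ_TAG + b"\x02\x01",
    "Invoice.pdf": b"%PDF-1.7\n",
    "report.zip": b"PK\x03\x04",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", triage_attachment(name, head) or "deliver")
```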
Multiple Layers of Anti-Sandboxing Techniques
Published: 2023-10-31
Last Updated: 2023-10-31 14:51:53 UTC
by Xavier Mertens (Version: 1)
It has been a while since I last found an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic infostealer using Discord as a C2 channel. Today I found one that contains a lot of anti-sandboxing techniques. Let's review them. For malware, it's key to detect the environment where it is executed. When detonated inside a sandbox (automatically or manually, by an analyst), it will be able to change its behaviour (most likely, do nothing).
Like all scripting languages running in the Windows ecosystem, Python can call any Microsoft API, and these calls are useful to perform checks at the operating system level. Here is what the script tries to detect ...
Read the full entry:
https://isc.sans.edu/diary/Multiple+Layers+of+AntiSandboxing+Techniques/30362/
Flying under the Radar: The Privacy Impact of multicast DNS
Published: 2023-10-30
Last Updated: 2023-10-30 15:30:39 UTC
by Johannes Ullrich (Version: 1)
The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages.
What is multicast DNS?
Typically, we think of DNS as a client-server protocol where our clients will connect to preconfigured resolvers. In this scenario, it is possible to register hostnames dynamically. Still, the setup is complex and requires configuring the DNS server to allow for these registrations. For a home user, this is complex, but you would still like to have the option to refer to systems by hostname instead of by IP address.
Multicast DNS solves two issues: It allows hosts to register their name and any services they offer and allows hosts connected to the same local network to find services offered by hosts on the network. Multicast DNS uses port 5353 and the multicast group 224.0.0.251 (IPv4) or ff02::fb (IPv6). These are link-local addresses, and the traffic is not routable. The main security feature of Multicast DNS is that the messages only reach local hosts on a (believed to be) trusted local network. There is no authentication or encryption of the messages as this would require some cryptographic key infrastructure. The protocol is supposed to be "plug and play."
NetBIOS and LLMNR have played roles like this in Windows, but even Windows has been moving to mDNS. While mDNS was originally developed by Apple as "Bonjour", it has now been adopted by Windows and Linux. Another similar protocol is SSDP (Simple Service Discovery Protocol). SSDP is often used next to mDNS. But SSDP never became an IETF standard, and no RFC describes it. Instead, the SSDP standard is now defined as part of Universal Plug and Play (UPNP) [upnp] ...
Read the full entry:
https://isc.sans.edu/diary/Flying+under+the+Radar+The+Privacy+Impact+of+multicast+DNS/30358/
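Because the protocol has no authentication and every host on the link receives the group traffic, the privacy leak described above is easy to observe for yourself. As an added example (not from the diary), this Python listener joins 224.0.0.251:5353, decodes the names and A/PTR records that hosts announce, and refuses compression-pointer loops in DNS names since the input is untrusted. The hostname, service and address in the embedded sample packet are constructed, not captured.

```python
import socket
import struct
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353       # link-local group and port from the diary
TYPES = {1: "A", 12: "PTR", 16: "TXT", 28: "AAAA", 33: "SRV"}

def parse_name(data, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers; return (name, next_off)."""
    labels, end = [], None
    while data[off]:
        if data[off] & 0xC0 == 0xC0:                 # 2-byte compression pointer, must point backwards
            end, target = end or off + 2, struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if target >= off:                        # untrusted input: refuse pointer loops
                raise ValueError("bad compression pointer")
            off = target
        else:
            labels.append(data[off + 1:off + 1 + data[off]].decode("ascii", "replace"))
            off += 1 + data[off]
    return ".".join(labels), (end or off + 1)

def parse_mdns(data):
    """Return [(name, type, rdata)] for every record in one mDNS message (questions are skipped)."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    off, records = 12, []
    for _ in range(qd):                              # skip QNAME, QTYPE, QCLASS
        off = parse_name(data, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = parse_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen].hex()          # raw hex for types not decoded below
        if rtype == 1:
            rdata = socket.inet_ntoa(data[off:off + 4])
        elif rtype == 12:
            rdata = parse_name(data, off)[0]         # PTR target, may use compression
        records.append((name, TYPES.get(rtype, str(rtype)), rdata))
        off += rdlen
    return records
# Constructed sample (not captured traffic): a laptop announcing its hostname and a service.
A_REC = b"\x0dJohns-MacBook\x05local\x00" + struct.pack("!HHIH", 1, 0x8001, 120, 4) + socket.inet_aton("192.168.1.23")
PTR_RDATA = b"\x0dJohns-MacBook" + struct.pack("!H", 0xC000 | (12 + len(A_REC)))   # points back at the service name
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0) + A_REC + b"\x0f_companion-link\x04_tcp\x05local\x00"
          + struct.pack("!HHIH", 12, 0x8001, 4500, len(PTR_RDATA)) + PTR_RDATA)
if __name__ == "__main__":                           # live mode: join the group and print what hosts announce
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", MDNS_PORT))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(MDNS_GROUP) + socket.inet_aton("0.0.0.0"))
    while True:
        pkt, (src, _) = sock.recvfrom(9000)
        print(src, parse_mdns(pkt))
```

Run it on a machine allowed to bind UDP 5353 to see what your own devices announce; `parse_mdns(SAMPLE)` exercises the parser without any network access.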
Spam or Phishing? Looking for Credentials & Passwords (2023.10.29)
https://isc.sans.edu/diary/Spam+or+Phishing+Looking+for+Credentials+Passwords/30354/
Size Matters for Many Security Controls (2023.10.28)
https://isc.sans.edu/diary/Size+Matters+for+Many+Security+Controls/30352/
Adventures in Validating IPv4 Addresses (2023.10.26)
https://isc.sans.edu/diary/Adventures+in+Validating+IPv4+Addresses/30348/
Product: ILIAS
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-45869
NVD References:
- https://rehmeinfosec.de/labor/cve-2023-45869
- https://rehmeinfosec.de/report/358ad5f6-f712-4f74-a5ee-476efc856cbc/

CVE-2023-42769 - Cookie session ID in this product is too short, enabling brute force attacks, leading to unauthorized session access, authentication bypass, and transmitter manipulation by remote attackers.
Product: Sielco Radio Link and Analog FM Transmitters
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-42769
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-08

CVE-2023-46661 - Sielco PolyEco1000 is vulnerable to an attacker escalating their privileges by modifying passwords in POST requests.
Product: Sielco PolyEco1000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46661
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07

CVE-2023-5754 - Sielco PolyEco1000 has weak default administrative credentials, making the system vulnerable to remote password attacks and granting full control.
Product: Sielco PolyEco1000
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5754
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07

CVE-2023-46665 - Sielco PolyEco1000 allows attackers to gain unauthorized administrative access through an authentication bypass vulnerability.
Product: Sielco PolyEco1000
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46665
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-07

CVE-2023-5790 - SourceCodester File Manager App 1.0 is affected by a critical vulnerability in the file endpoint/add-file.php, allowing for unrestricted remote file uploads.
Product: Remyandrade File Manager App
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5790
NVD References:
- https://github.com/Yp1oneer/cve_hub/blob/main/File%20Manager%20App/Unrestricted%20File%20Upload.pdf
- https://vuldb.com/?ctiid.243595
- https://vuldb.com/?id.243595

CVE-2023-5792 - SourceCodester Sticky Notes App 1.0 is prone to a critical remote SQL injection vulnerability (VDB-243598) via manipulation of the "note" parameter in the endpoint/delete-note.php file, which has been publicly disclosed and could be exploited.
Product: Remyandrade Sticky Notes App
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5792
NVD References:
- https://github.com/Yp1oneer/cve_hub/blob/main/Sticky%20Notes%20App/SQL%20Injection-1.pdf
- https://vuldb.com/?ctiid.243598
- https://vuldb.com/?id.243598

CVE-2023-46435 - Sourcecodester Packers and Movers Management System v1.0 is vulnerable to SQL Injection via mpms/?p=services/view_service&id.
Product: Oretnom23 Packers And Movers Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-46435
NVD References: https://github.com/kirra-max/bug_reports/blob/main/packers-and-movers-management-system-phpoop-free-source-code/SQL-1.md

CVE-2023-44267, CVE-2023-43737, CVE-2023-44268, CVE-2023-43738, CVE-2023-44162, CVE-2023-44375, CVE-2023-44376, CVE-2023-44377 - Online Art Gallery v1.0 multiple unauthenticated SQL Injection vulnerabilities.
Product: Online Art Gallery v1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44267
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-43737
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44268
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-43738
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44162
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44375
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44376
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44377
NVD References:
- https://fluidattacks.com/advisories/ono
- https://projectworlds.in/

CVE-2023-5820 - The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery, allowing unauthenticated attackers to upload arbitrary files by tricking a site administrator into performing a specific action.
Product: WordPress Thumbnail Slider With Lightbox plugin
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5820
NVD References:
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=1263536%40wp-responsive-slider-with-lightbox&new=1263536%40wp-responsive-slider-with-lightbox&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/wp-responsive-slider-with-lightbox
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e51e1cd2-6de9-4820-8bba-1c6b5053e2c1?source=cve

CVE-2023-5807 - TRtek Software Education Portal allows SQL Injection before 3.2023.29.
Product: TRtek Software Education Portal
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-5807
NVD References: https://www.usom.gov.tr/bildirim/tr-23-0608

CVE-2023-46604 - Apache ActiveMQ is vulnerable to Remote Code Execution through manipulation of serialized class types in the OpenWire protocol, allowing an attacker to run arbitrary shell commands on the broker.
Product: Apache ActiveMQ
CVSS Score: 10.0
NVD: h…