Security Leftovers
-
High-severity OpenSSL vulnerabilities fixed (CVE-2022-3602, CVE-2022-3786) [Ed: Still no apologies for prior exaggeration]
Version 3.0.7 of the popular OpenSSL cryptographic library is out, with fixes for CVE-2022-3602 and CVE-2022-3786, two high-severity buffer overflow vulnerabilities in the punycode decoder that could lead to crashes (i.e., denial of service) or potentially remote code execution.
-
Inside Raccoon Stealer V2 [Ed: Windows TCO]
Raccoon Stealer is back in the news again. US officials arrested Mark Sokolovsky, one of the malware actors behind this program. In July 2022, after several months of shutdown, Raccoon Stealer V2 went viral. Last week, the Department of Justice's press release stated that the malware collected 50 million credentials.
-
These Android Apps with a Million Play Store Installations Redirect Users to Malicious Sites
A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.
The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.
According to Malwarebytes, the websites are designed to generate revenues through pay-per-click ads, and worse, prompt users to install cleaner apps on their phones with the goal of deploying additional malware.
-
Malware on the Google Play store leads to harmful phishing sites
A family of malicious apps from developer Mobile apps Group is listed on Google Play and infected with Android/Trojan.HiddenAds.BTGTHB. In total, four apps are listed, and together they have amassed at least one million downloads.
-
Multiple Vulnerabilities Reported in Checkmk IT Infrastructure Monitoring Software
Following responsible disclosure on August 22, 2022, the four vulnerabilities have been patched in Checkmk version 2.1.0p12 released on September 15, 2022.
-
Project Zero: Gregor Samsa: Exploiting Java's XML Signature Verification
Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an integer truncation bug in this JIT compiler resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard. OpenJDK fixed the discussed issue in July 2022. The Apache BCEL project used by Xalan-J, the origin of the vulnerable code, released a patch in September 2022.
While the vulnerability discussed in this post has been patched, vendors and users should expect further vulnerabilities in SAML.
From a security researcher's perspective, this vulnerability is an example of an integer truncation issue in a memory-safe language, with an exploit that feels very much like a memory corruption. While less common than the typical memory safety issues of C or C++ codebases, weird machines still exist in memory safe languages and will keep us busy even after we move into a bright memory safe future.
Before diving into the vulnerability and its exploit, I’m going to give a quick overview of XML signatures and SAML. What makes XML signatures such an interesting target and why should we care about them?