Depending on who you ask, there are two vulnerabilities in play with Follina, or just one, or, according to Microsoft as of a week ago, no security issue at all. On the 27th of last month a .docx file was uploaded to VirusTotal, and most of the engines there considered it perfectly normal. It didn't look right to [@nao_sec], who raised the alarm on Twitter. The suspicious file appears to have been submitted from Belarus, and it uses several tricks to run a malicious PowerShell script.
Interesting maldoc was submitted from Belarus. It uses Word's external links to load HTML and then uses the "ms-msdt" scheme to run PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
nao_sec (@nao_sec) May 27, 2022
The odd document was then noticed by [Kevin Beaumont], who chose the name Follina for the weakness and provided some additional analysis. A Word document can link to a remote template file, and that template can use an ms-msdt: URI to launch msdt.exe, a Windows diagnostic tool. One of the argument flags passed to that tool can contain arbitrary commands. Put together, this means that simply viewing an Office document runs arbitrary code. It's even worse than that, since an Explorer preview of the file can trigger the chain, and Protected View won't save you here.
Once researchers knew what to look for, it turned out the technique had been floating around as a 0-day for more than a month. It had even been reported to Microsoft, and closed as not a security issue. Thankfully Microsoft has since gotten the memo, issued CVE-2022-30190, and recommended a mitigation: delete the ms-msdt protocol handler from the registry.
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
And if 0patch is your thing, there's a free micropatch available, along with an in-depth look at exactly why the command injection works, in their blog post.
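The delivery mechanism described above has two pieces a defender can look for without running the document: a remote attachedTemplate relationship inside the .docx, and an ms-msdt: URI in whatever that remote template serves back. The scanner below is an added example for this column, not code from nao_sec, Kevin Beaumont or Microsoft. The relationship type URL and the word/_rels/settings.xml.rels path are the standard OOXML ones; the two sample documents and the HTML snippet are constructed inline (with a documentation-range IP address) so the whole thing runs offline.

```python
"""Flag .docx files that pull their template from a remote server, and check
the served template for the ms-msdt: scheme.  Added example; not original code
from the sample's analysts.  Sample documents below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"  # where Word records the template link
MSDT_SCHEME = re.compile(r"(?i)ms-msdt:")


def external_templates(docx_bytes: bytes) -> list:
    """Return the Target of every attachedTemplate relationship marked External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target"))
    return hits


def is_remote(target: str) -> bool:
    """True for a template fetched over the network rather than from a local path."""
    return re.match(r"(?i)^(https?|ftp)://", target) is not None


def has_msdt_uri(html: str) -> bool:
    """True if the fetched template content tries to hand off to the ms-msdt handler."""
    return MSDT_SCHEME.search(html) is not None


def scan(docx_bytes: bytes, fetched_html: str = "") -> dict:
    """Verdict for one document, optionally with the content its template URL served."""
    targets = external_templates(docx_bytes)
    return {
        "external_templates": targets,
        "remote_template": any(is_remote(t) for t in targets),
        "msdt_in_template": has_msdt_uri(fetched_html),
    }


# --- constructed samples -----------------------------------------------------
def rels_xml(target: str) -> str:
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )


def build_docx(rels: str) -> bytes:
    """Minimal constructed .docx containing just the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Benign: template is a local file.  Suspicious: template comes from a web server.
BENIGN_DOCX = build_docx(rels_xml("file:///C:/Templates/Normal.dotm"))
SUSPICIOUS_DOCX = build_docx(rels_xml("http://203.0.113.10/template.html"))
# Constructed stand-in for what a malicious template server might return; the
# actual argument string is elided, only the scheme matters to the check.
SAMPLE_HTML = '<html><script>location.href = "ms-msdt:/id PCWDiagnostic ...";</script></html>'

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        print(name, scan(doc, SAMPLE_HTML if name == "suspicious" else ""))
```

A remote template on its own is not proof of anything, since legitimate documents can reference templates on a file share or intranet server, which is why the verdict reports the target rather than just a boolean; the ms-msdt: check is the part that should never be seen coming from a template.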
Accidental Bug Fixing
Your code review tooling sometimes gives false positives. The standard response is to ignore them for a while, and then eventually give in and change the code so that it is clearly and unequivocally secure. But it was certainly a false positive, wasn't it? [Paulino Calderon] has a story about just that. Spoiler: it wasn't a false positive. CVE-2022-21404 is a deserialization bug in Oracle's Helidon that was accidentally fixed by an engineer who simply wanted to quiet his analysis tooling.
A Controlled Request and an Open Redirect
[Anton] brings us the story of finding a bug in Seedr, a video advertising service acquired by Mail.Ru. Here's a useful tip: watch for companies with good bug bounty programs making acquisitions. Suddenly a codebase that hasn't been picked over by other researchers has turned into a bounty opportunity. Seedr was just such a case, and he quickly found an API endpoint that took a video URL as an argument. The site would then fetch that URL and parse the video's metadata. It wasn't wide open, and only supported a few video sites, such as YouTube, Coub, and Vimeo. The video URL could be manipulated with path traversal and the like, and the endpoint appeared to be deserializing the results, so if you could get arbitrary data returned from one of those sites, you might be able to trigger a deserialization bug.
That idea tickled [Anton]'s memory, since an open redirect had been found in Vimeo a few years earlier. That gave him control over what reached the deserialization routine, and with it the ability to read a non-public file from the server. That was progress. The final key was a clever trick: write some PHP code into the day's logfile, then use the deserialization bug to execute that code. It was quite a journey, but an impressive chain.
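The first link in that chain is a general pattern worth spelling out: a host allowlist on a URL fetcher is only as good as the redirect handling behind it, because an open redirect on an allowlisted host passes the check and then takes the request anywhere. The code below is an added example modelled on the behaviour described above, not Seedr's or Vimeo's code. The "network" is a constructed dictionary and the redirect endpoint path is hypothetical, so nothing here touches a real server; the body returned from the off-list host is a placeholder for attacker-controlled data headed into a deserializer.

```python
"""Host allowlist versus open redirect.  Added example, not Seedr's code.
The redirect table below is constructed; no real HTTP requests are made."""
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.youtube.com", "vimeo.com"}
REDIRECT_STATUSES = (301, 302, 303, 307, 308)

# Constructed "internet": URL -> (status, Location header or response body).
# The redirect path is hypothetical; the off-list target is a loopback service
# the fetcher should never be able to reach on an attacker's behalf.
OPEN_REDIRECT = "https://vimeo.com/redirect?to=http://127.0.0.1:8080/internal"
INTERNAL_BODY = '{"note": "attacker-controlled data from an off-list host"}'
FAKE_NET = {
    OPEN_REDIRECT: (302, "http://127.0.0.1:8080/internal"),
    "http://127.0.0.1:8080/internal": (200, INTERNAL_BODY),
    "https://vimeo.com/12345": (200, '{"title": "cat video"}'),
}


def http_get(url: str):
    """Stand-in for a real HTTP client without automatic redirect following."""
    return FAKE_NET.get(url, (404, ""))


def host_allowed(url: str) -> bool:
    p = urlparse(url)
    return p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS


def fetch_vulnerable(url: str, max_hops: int = 5) -> str:
    """Checks the allowlist once, then follows redirects wherever they lead."""
    if not host_allowed(url):
        raise ValueError("host not allowed")
    for _ in range(max_hops):
        status, payload = http_get(url)
        if status in REDIRECT_STATUSES:
            url = payload          # no re-check: this hop can be any host
            continue
        return payload
    raise ValueError("too many redirects")


def fetch_hardened(url: str, max_hops: int = 5) -> str:
    """Re-checks the allowlist on every hop, so a redirect cannot escape it."""
    for _ in range(max_hops):
        if not host_allowed(url):
            raise ValueError(f"host not allowed: {urlparse(url).hostname}")
        status, payload = http_get(url)
        if status in REDIRECT_STATUSES:
            url = payload
            continue
        return payload
    raise ValueError("too many redirects")


def hardened_rejects(url: str) -> bool:
    """Convenience wrapper: does the hardened fetcher refuse this URL?"""
    try:
        fetch_hardened(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable fetched:", fetch_vulnerable(OPEN_REDIRECT))
    print("hardened rejects  :", hardened_rejects(OPEN_REDIRECT))
    print("hardened allows   :", fetch_hardened("https://vimeo.com/12345"))
```

The second half of the chain, deserialization of whatever comes back, is the part the allowlist was implicitly protecting. Checking each hop closes the redirect path, but the fetched body should also go through a data-only parser (json.loads or equivalent) rather than a deserializer that instantiates objects, so that control over the response is no longer control over the code.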
GitHub Breach Update
As you may recall from earlier this year, OAuth tokens were stolen from Heroku and Travis CI. The GitHub security team has been investigating, and has announced that those tokens were used to grab data from npm, including user database backups going back to 2015. That included the usernames, hashed passwords, and email addresses of about 100,000 users. There was also some data on private packages, and some of that activity appears to have specifically targeted the private packages of certain companies. The attack chain was to use a stolen OAuth token to access a private GitHub repository, which contained an AWS key; the leaked data itself came from an AWS bucket. Notifications have been sent, and affected passwords have been reset.
Don't Use Tails (Right Now)!
Since Tails doesn't store anything on the drive, a reboot should clear out anything malicious, though a sufficiently capable attacker could probably chain several vulnerabilities together and gain root on Tails, and from there mounting the physical disk and making persistent malicious changes is quite plausible. The Tails 5.1 update is expected any day now, and will fix the issue.
It's not the slickest or most technical approach, but as far as privilege escalation attacks go, annoy-the-user-endlessly-until-they-give-in is probably fairly effective. That's the idea behind ForceAdmin. It's a bit worse than that, since it produces a truly endless stream of UAC pop-ups, and those pop-ups get in the way of killing the process. It's truly awful, and beautiful in its own way. Enjoy!