ATI Update ATI-2022-24

New Protocols & Applications (2)

| Name | Category | Info |
|---|---|---|
| Google Search Oct22 | Social Networking/Search | Google Search is a search engine provided by Google. Google Search offers a convenient way to search for text across the world wide web content indexed by Google. |
| iCloud Nov 2022 | Data Transfer/File Sharing | iCloud is a cloud service from Apple Inc. |

New Superflows (17)

| Name | Category | Tags | Info |
|---|---|---|---|
| Facebook Apr 18 - HTTP/2 | Social Networking/Search | HTTP/2 | Simulates the use of the Facebook website as of April 2018 over HTTP/2. All of the available actions for this flow are exercised. |
| Giphy Bandwidth Sep22 - HTTP/2 | Voice/Video/Media | Social Networking/Search, HTTP/2 | Simulates the use of the GIPHY application as of September 2022 over HTTP/2, where a user searches for a GIF, and creates and uploads a new GIF. |
| Google Search Oct22 - HTTP/2 | Social Networking/Search | HTTP/2 | Simulates the use of Google Search as of October 2022 over HTTP/2, where a user opens the homepage, initiates a search, and then browses the image and news results. |
| Google Search Oct22 | Social Networking/Search | HTTP/2 | Simulates the use of Google Search as of October 2022, where a user opens the homepage, initiates a search, and then browses the image and news results. |
| Google Search Get Images Oct22 | Social Networking/Search | HTTP/2 | Simulates the use of Google Search as of October 2022, where a user opens the homepage, initiates a search, and then browses the image results. |
| iCloud Nov 2022 | Data Transfer/File Sharing | SimulatedTLS | iCloud is a cloud service from Apple Inc. which enables users to sync their data to the cloud, including mail, contacts, calendars, photos, notes and files. |
| Instagram Apr 18 - HTTP/2 | Social Networking/Search | HTTP/2 | Simulates the use of the Instagram website as of April 2018 over HTTP/2, which includes signing in, photo viewing and commenting, as well as sharing a photo before logging out. |
| Netflix July 2017 - HTTP/2 | Voice/Video/Media | HTTP/2 | Simulates the use of the Netflix application as of 2017 over HTTP/2, which includes logging in to Netflix, searching for a movie, viewing detailed information about the movie, starting playback, and then pausing and resuming it. After a short time this is followed by logging out. |
| Pinterest Sep22 - HTTP/2 | Social Networking/Search | Cloud, HTTP/2 | Simulates the use of the Pinterest app as of September 2022 over HTTP/2. The user opens the app, logs in, browses through posts, searches with a keyword, uploads an image and logs out. |
| Reddit Account Management Feb18 - HTTP/2 | Social Networking/Search | HTTP/2 | Simulates the use of the Reddit web application as of February 2022 over HTTP/2, where a user signs into the application, loads the profile, accesses the settings and messages, and logs out of the application. |
| Reddit Browse Content Feb18 - HTTP/2 | Social Networking/Search | HTTP/2 | Simulates the use of the Reddit web application as of February 2022 over HTTP/2, where a user loads the main page, signs into the application, accesses the posts, creates a comment, searches the posts, subscribes to the subreddit, accesses the gifts page and signs out of the application. |
| Snapchat Web Bandwidth Oct22 - HTTP/2 | Voice/Video/Media | Social Networking/Search, Chat/IM, HTTP/2 | Simulates the use of the Snapchat application as of September 2022 over HTTP/2, where a user sends a text message and a "snap" message. |
| TikTok Mar 20 - HTTP/2 | Social Networking/Search | Voice/Video/Media, HTTP/2 | Simulates the use of the TikTok application as of March 2020 over HTTP/2, where a user logs into the TikTok application, loads the homepage, checks the inbox, browses a video category, comments on a video, watches a video, uploads a video, browses the music library, posts a video, watches a live stream, chats in the live stream, browses through gifts, checks the balance and quits the live stream. |
| Twitter Apr22 - HTTP/2 | Social Networking/Search | HTTP/2 | Simulates the use of Twitter as of April 2022 over HTTP/2, where a user opens the sign-in page, signs into the Twitter website, browses their feed, posts a tweet, follows an account and signs out. |
| Wattpad Bandwidth Jul22 - HTTP/2 | Social Networking/Search | HTTP/2 | Simulates the use of the Wattpad application as of July 2022 over HTTP/2, where a user opens the website, searches for a writer, reads a book, and writes and publishes their own book. |
| Wordpress Bandwidth Jul22 - HTTP/2 | Social Networking/Search | HTTP/2 | Simulates the use of the WordPress application as of July 2022 over HTTP/2, where a user opens the website, writes a blog post, adds a page to their site, and stars and comments on a post. |
| Youtube Dec18 - HTTP/2 | Voice/Video/Media | HTTP/2 | Simulates the use of the YouTube site as of December 2018 over HTTP/2. The user performs the following actions: signs in, searches for a video, plays the video, pauses it, likes it, unlikes it, adds the video to a playlist, subscribes to a channel, unsubscribes, accesses Subscriptions, accesses Playlists, removes the video from the playlist, accesses Trending, accesses History, and signs out. |

New Application Profiles (3)

| Name | Info |
|---|---|
| Sandvine 2022 APAC Downstream | Simulates the downstream traffic generated by the top 10 applications reported in the Sandvine Global Internet Phenomena Report January 2022 for the APAC region. |
| Sandvine 2022 APAC Downstream - HTTP/2 | Simulates the downstream traffic generated by the top 10 applications reported in the Sandvine Global Internet Phenomena Report January 2022 over HTTP/2 for the APAC region. |
| Sandvine 2022 Global Social - HTTP/2 | Simulates the downstream traffic generated by the top 10 social media applications over HTTP/2 reported in the Sandvine Global Internet Phenomena Report January 2022. Here the weights are extrapolated from the GLOBAL APP TRAFFIC SHARE table present in the report. |

New Strikes (8)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 9.0 | E22-9s2f1 | CVE-2020-10199, CVSS, CVSSv3, CWE-94, URL | Exploits | This strike exploits an Expression Language injection vulnerability in Sonatype Nexus Repository Manager. The vulnerability is due to insufficient input validation on the memberNames JSON parameter. A remote, authenticated attacker can exploit this vulnerability by authenticating with the server and then sending a crafted request to the target server. Successful exploitation results in the execution of arbitrary code in the security context of the target application. *NOTE: While running this strike in OneArm mode, the strike executes calc.exe on the target server. |
| 7.2 | E22-elax1 | CVE-2022-34713, CVSS, CVSSv3, CWE-22, URL | Exploits | This strike exploits a directory traversal vulnerability in the Microsoft Windows Support Diagnostic Tool. The vulnerability is due to improper validation of .diagcab files. A remote attacker could exploit this vulnerability by enticing a user into opening a crafted .diagcab file. Successful exploitation could allow the attacker to execute arbitrary code under the context of the user. |
| 6.8 | E22-1e2p1 | CVE-2022-0289, CVSS, CVSSv3, CWE-416, GOOGLE-2251, URL | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, JavaScript can be crafted in such a way that when Safe Browsing flags a page the user visits and the DOM is processed, a frame belonging to WebContents can be removed without notifying the object, causing a use-after-free condition to occur. When this happens a denial of service condition, or potentially remote code execution, may occur. |
| 6.8 | E22-1e361 | CVE-2022-0306, CVSS, CVSSv3, CWE-787, GOOGLE-2250, URL | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, the RequestThumbnail function does not properly validate the page_index parameter, which is used as an index within the pages_ vector. JavaScript can be crafted in such a way that when getThumbnail messages are called from an embedding page a buffer overflow will happen. When this happens a denial of service condition, or potentially remote code execution, may occur. |
| 6.8 | E22-1esw1 | CVE-2022-1232, CVSS, CVSSv3, CWE-843, GOOGLE-2280, URL | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, JavaScript can be crafted in such a way that when an Object replaces a property store, an interceptor is encountered that causes memory corruption. When this happens a denial of service condition, or potentially remote code execution, may occur. |
| 6.8 | E22-1g5y1 | CVE-2022-2998, CVSS, CVSSv3, CWE-416, GOOGLE-2300, URL | Exploits | This strike exploits a vulnerability in Google Chrome. Specifically, LinkToTextMenuObserver holds a pointer to a RenderFrameHost object, but does not properly observe when FrameHost destruction events occur. Because of this, if an attacker manages to craft JavaScript in such a way that it destroys the frame host at the right time, a use-after-free condition can occur in LinkToTextMenuObserver::CompleteWithError. When this happens a denial of service condition, or potentially remote code execution, may occur. |
| 6.8 | E22-eeuo1 | CVE-2022-26352, CVSS, CVSSv3, CWE-22, URL | Exploits | This strike exploits a directory traversal vulnerability in dotCMS. The vulnerability is due to insufficient validation of the names of files uploaded through the dotCMS content API. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could result in writing a file outside of the expected document root, possibly leading to, in the worst case, arbitrary code execution under the security context of the web server process. *NOTE: While running this strike in OneArm mode, a file named "poc.jsp" is created on the server. |
| 4.0 | E22-ecgl1 | CVE-2022-23253, CVSS, CVSSv3, CWE-476, URL, URL | Denial | This strike exploits a denial of service vulnerability in the Microsoft Windows VPN component. The vulnerability is due to improper handling of PPTP packets. A remote, unauthenticated attacker could exploit this vulnerability by sending the same Incoming-Call-Connected packet twice. Successful exploitation results in a denial of service condition on the target system. |

Enhancements

| Component | Info |
|---|---|
| Apps | The HTTP/2 tag was added to the Reddit Browse Content Feb 18, Reddit Account Management Feb 18 and TikTok Mar 20 superflows. |
| Evasions | Behavior change for one-arm strikes. Users can now set SSL::EnableOnAllTCP=true or SSL::EnableOnAllHTTP=true in order to run a strike in one-arm mode with TLS enabled. Note: Enabling TLS works only if SSL::DisableDefaultStrikeSSL=false. Previously this was possible only for strikes having the default_over_ssl keyword. |
| Evasions | SELF::URI now overrides the HTTP request path if set. |
| NewEvasion | Added new evasion Global::IgnoreDirection. If this is enabled, file transfer strikes which have S2C (Server to Client) direction can be used in One-Arm mode for file upload. |
| NewEvasion | Added new evasion: FILEUPLOAD::MultipartPost. This evasion changes the behavior when the following options are selected: Global::RevertMalwarePost=True and HTTP::TransportMethods=Post and (FILETRANSFER::TransferMethod=HTTP or MALWARE::TransferMethod=HTTP). In this case, if the newly added evasion is used, the file upload is done via multipart upload. |
| NewEvasion | Added new evasion options for selecting a custom authentication type in HTTP. When HTTP::AuthenticationType is set to User-specified custom auth, HTTP::Auth is used as the content of the Authorization header. Note: The HTTP::AuthenticationType option "User-specified authentication" is renamed to "User-specified username and password". |
| NewEvasion | Added new evasion options HTTP::ExtraFormDataName and HTTP::ExtraFormDataContent, which add an additional multipart part in addition to the file being uploaded. Note: These two evasion options are used only if Global::RevertMalwarePost=true and FILETRANSFER::MultipartPost=true and HTTP::HTTPTransportMethods=POST and (FILETRANSFER::TransferMethod=HTTP or MALWARE::TransferMethod=POST). |
| NewEvasion | Added new evasion option FILETRANSFER::StrikeNameAsFileName. When enabled, the files being transferred have their name replaced with the name of the strike and the strike id concatenated. More precisely, the file name will be ${StrikeName}_${StrikeId}.${extension} |
| NewEvasion | Added new evasion Global::OneArmSleep for specifying a sleep period (measured in milliseconds) before the next file is transferred. Currently available only for HTTP file transfer. |
| NewStrikeList | Added new strikelist 'CISA Alert (AA22-279A) Top CVEs Actively Exploited By PRC State-Sponsored Cyber Actors'. |