An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer “head” allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow.
Category Archives: Advisories
CVE-2012-2160
IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPP_TEMPLATE_FLAG parameter in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2012-2201
IBM WebSphere MQ 7.1 is vulnerable to a denial of service, caused by an error when handling user ids. A remote attacker could exploit this vulnerability to bypass the security configuration setup on a SVRCONN channel and flood the queue manager.
CVE-2011-4820
IBM Rational Asset Manager 7.5 could allow a remote attacker to bypass security restrictions. An attacker could exploit this vulnerability using the UID parameter to modify another user’s preferences.
BlackCat Uses Updated Infostealer Tools with File Corruption Capability
FortiGuard Labs is aware of a report the infamous BlackCat ransomware group has updated their infostealer tools. Dubbed Exmatter and Eamfo, the former is a data exfiltration tool which a newer version has a code for file corruption and the latter is a credential lifter for Veeam, which is backup software.Why is this Significant?This is significant because Blackcat is one of the active Ransomware-as-a-Service (RaaS) providers and their newly updated data exfiltration tool “Exmatter” is now capable of making processed files unusable.What is BlackCat?BlackCat, (also known as ALPHV and Noberus), is a relatively new Ransomware-as-a-Service (RaaS) and a ransomware variant with the same name. As a RaaS provider, it develops and offers various tools including ransomware, and recruits affiliates for corporate intrusions, encrypting files on the victim’s network and stealing confidential files from it for financial gain. BlackCat ransomware is written in the Rust programming language.FortiGuard Labs previously released Threat Signal on Blackcat. See the Appendix for a link to “Meet Blackcat: New Ransomware Written in Rust on the Block”. What is Exmatter?According to security vendor Symantec, Exmatter is a data exfiltration tool that was previously used by a BlackMatter ransomware affiliate. The tool is designed to steal various Microsoft Office files (Word, Excel and PowerPoint) as well as image, email and archive files. It supports FTP, SFTP and WebDav for file transfer of exfiltrated information. The newer version has code to corrupt files.What is Eamfo?Eamfo is a tool to steal credentials from Veeam backup software.What is the Status of Protection?FortiGuard Labs detects reported Exmatter and Eamfo tools with the following AV signatures:MSIL/Agent.DRB!trMSIL/Agent.DRB!tr.spyMSIL/Agent.7AAD!trW32/Crypt!trW32/PossibleThreatPossibleThreatPossibleThreat.PALLAS.HFortiGuard Labs has the following AV protection in place for known BlackCat ransomware:W32/Filecoder_BlackCat.A!tr.ransomW32/Ransom_Win32_BLACKCAT.YNCHH!tr.ransomW32/Ransom_Win32_BLACKCAT.YXCDU!tr.ransomW32/BlackCat.26B0!tr