Category Archives: privilege escalation

Security Affairs: Expert found privilege escalation issue in LG Device Manager

Security expert discovered a privilege escalation flaw that could be exploited by attackers to elevate permissions to SYSTEM in the LG Device Manager application for LG laptops.

A security expert who goes online with the moniker Jackson T. has discovered the flaw, tracked as CVE-2019-8372, while analyzing the tool’s low-level hardware access (LHA) kernel-mode driver, which is associated with the LG Device Manager system service.

LG Device Manager flaw

The LHA kernel-mode driver (lha.sys/lha32.sys, v1.1.1703.1700) is associated with the LG Device Manager system service that loads the driver if it detects that the Product Name in the BIOS has one of the following substrings: T350, 10T370, 15U560, 15UD560, 14Z960, 14ZD960, 15Z960, 15ZD960, or Skylake Platform. This means that the driver loads with those associated models which happen to have the 6th-gen Intel Core processors (Skylake).

The researcher focused its analysis on the lha.sys and lha32.sys files shipped with version 1.1.1703.1700.

The vulnerability could allow an attacker who already has non-admin access to the targeted device to abuse the Device Manager app to escalate privileges to SYSTEM.

“This driver is used for Low-level Hardware Access (LHA) and includes IOCTL dispatch functions that can be used to read and write to arbitrary physical memory. When it is loaded, the device created by the driver is accessible to non-administrative users which could allow them to leverage those functions to elevate privileges,” the researcher explained.

The flaw was discovered on November 11 and Jackson reported it to LG on November 18.

LG provided the expert with an updated version of the driver for testing purposes a week after he notified the vendor. The researcher confirmed that the fix was correctly working. LG informed the expert on February 13 that a patch is being released.

The researcher developed proof-of-concept (PoC) exploits for Windows 7 and Windows 10, he also published a video PoC for the vulnerability.

Technical details about the issue are reported in a blog post published by the expert.

Pierluigi Paganini

(SecurityAffairs – LG Device Manager flaw, hacking)

The post Expert found privilege escalation issue in LG Device Manager appeared first on Security Affairs.



Security Affairs

Expert found privilege escalation issue in LG Device Manager

Security expert discovered a privilege escalation flaw that could be exploited by attackers to elevate permissions to SYSTEM in the LG Device Manager application for LG laptops.

A security expert who goes online with the moniker Jackson T. has discovered the flaw, tracked as CVE-2019-8372, while analyzing the tool’s low-level hardware access (LHA) kernel-mode driver, which is associated with the LG Device Manager system service.

LG Device Manager flaw

The LHA kernel-mode driver (lha.sys/lha32.sys, v1.1.1703.1700) is associated with the LG Device Manager system service that loads the driver if it detects that the Product Name in the BIOS has one of the following substrings: T350, 10T370, 15U560, 15UD560, 14Z960, 14ZD960, 15Z960, 15ZD960, or Skylake Platform. This means that the driver loads with those associated models which happen to have the 6th-gen Intel Core processors (Skylake).

The researcher focused its analysis on the lha.sys and lha32.sys files shipped with version 1.1.1703.1700.

The vulnerability could allow an attacker who already has non-admin access to the targeted device to abuse the Device Manager app to escalate privileges to SYSTEM.

“This driver is used for Low-level Hardware Access (LHA) and includes IOCTL dispatch functions that can be used to read and write to arbitrary physical memory. When it is loaded, the device created by the driver is accessible to non-administrative users which could allow them to leverage those functions to elevate privileges,” the researcher explained.

The flaw was discovered on November 11 and Jackson reported it to LG on November 18.

LG provided the expert with an updated version of the driver for testing purposes a week after he notified the vendor. The researcher confirmed that the fix was correctly working. LG informed the expert on February 13 that a patch is being released.

The researcher developed proof-of-concept (PoC) exploits for Windows 7 and Windows 10, he also published a video PoC for the vulnerability.

Technical details about the issue are reported in a blog post published by the expert.

Pierluigi Paganini

(SecurityAffairs – LG Device Manager flaw, hacking)

The post Expert found privilege escalation issue in LG Device Manager appeared first on Security Affairs.

Critical Vulnerabilities Addressed In Adobe February Patch Tuesday

In the February’s monthly scheduled updates, Adobe has once again fixed a number of security flaws. The Adobe February Patch

Critical Vulnerabilities Addressed In Adobe February Patch Tuesday on Latest Hacking News.

Ubuntu snapd flaw allows getting root access to the system.

Expert discovered a privilege escalation vulnerability in default installations of Ubuntu Linux that resides in the snapd API.

Security researcher Chris Moberly discovered a vulnerability in the REST API for Canonical’s snapd daemon that could allow attackers to gain root access on Linux machines.

Canonical, the makers of Ubuntu Linux, promotes their “Snap” packages to roll all application dependencies into a single binary (similar to Windows applications).

The Snap environment includes an “app store” where developers can contribute and maintain ready-to-go packages.

“Management of locally installed snaps and communication with this online store are partially handled by a systemd service called snapd.”

The flaw called ‘Dirty_Sock’ would affect affects several Linux servers, the expert successfully tested on Ubuntu and released PoCs to show how to elevate privileges.

“In January 2019, I discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.” wrote the expert.

“Two working exploits are provided in the dirty_sock repository:

  1. dirty_sockv1: Uses the ‘create-user’ API to create a local user based on details queried from the Ubuntu SSO.
  2. dirty_sockv2: Sideloads a snap that contains an install-hook that generates a new local user.”

“Both are effective on default installations of Ubuntu.”

Canonical has already addressed the flaw, administrators need to install the snapd update to avoid the exploitation.

“Chris Moberly discovered that snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket.” reads the security advisory published by Canonical.

“A local attacker could use this to access privileged socket APIs and obtain administrator privileges. On Ubuntu systems with snaps installed, snapd typically will have already automatically refreshed itself to snapd 2.37.1 which is unaffected.”

Moberly discovered that the daemon leverages UNIX sockets to allow developers to communicate with it using a REST API.

This UNIX socket runs under the security context of the root user, so the expert investigated the possibility to elevate his privileges by abusing API methods.

The researcher discovered that it is possible to create a local user account using the daemon’s “POST /v2/create-user” API. This API command requires the program to have root permission to create a user.

The analysis of snapd connections allowed the expert to discover that if a user has root permissions, it uses a string composed of the calling pid, uid of the program connected to the socket, the socket path, and the remoteAdd (i.e. “pid=5127;uid=1000;socket=/run/snapd.socket;@”).

Where the @ substring represents the RemoteAddr of the socket, or the socket name that is used to connect to the snapd socket.

Moberly created a socket containing ;uid=0; in its name in a way to trick the parser to overwrite the uid when the string is analyzed.

snapd socket-via-remote-socket

Parsing a string containing the uid=0 is the last part will allow overwriting the previous uid and trick snapd into emulating a root user and allow a local user to be created.

The expert published the “dirty_sockv1” PoC code for this attack, but he pointed out that the attack required an Internet connection and the creation of an account on the Ubuntu SSO and uploading an SSH public key to your profile.

The expert also devised a Dirty_Sock version 2 that sees sideloads a malicious snap using the ‘POST /v2/snaps’ API instead.

dirty_sockv2 instead uses the ‘POST /v2/snaps’ API to sideload a snap containing a bash script that will add a local user. This works on systems that do not have the SSH service running. It also works on newer Ubuntu versions with no Internet connection at all.” continues the expert.

“HOWEVER, sideloading does require some core snap pieces to be there. If they are not there, this exploit may trigger an update of the snapd service.”

The Dirty_Sock version 2 requires no Internet connection or the use of SSH key.

Canonical fixed the issue with the release of the 2.37.1. version that implements a stricter parser that removes user-controlled variable.

Pierluigi Paganini

(SecurityAffairs – Snapd, Ubuntu)

The post Ubuntu snapd flaw allows getting root access to the system. appeared first on Security Affairs.

Snapd Flaw Lets Attackers Gain Root Access On Linux Systems

Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system. Dubbed "Dirty_Sock" and identified as CVE-2019-7304, the vulnerability was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the

Critical Remote Code Execution Vulnerability Affects Android Via .PNG Image File

Sharing landscape pictures, cute animal photos or memes is quite common among smartphone users. That’s why images serve as one

Critical Remote Code Execution Vulnerability Affects Android Via .PNG Image File on Latest Hacking News.

Latest iOS 12.1.4 Update Patches 2 Zero-Day and FaceTime Bugs

Apple has finally released iOS 12.1.4 software update to patch the terrible Group FaceTime privacy bug that could have allowed an Apple user to call you via the FaceTime video chat service and hear or see you before you even pick up the call without your knowledge. The Facetime bug (CVE-2019-6223) was discovered by 14-year-old Grant Thompson of Catalina Foothills High School while he was

Critical Vulnerability Patched In Check Point ZoneAlarm Antivirus Software

Check Point Software Technologies has recently fixed a critical security vulnerability in their antivirus software ZoneAlarm. As pointed out by

Critical Vulnerability Patched In Check Point ZoneAlarm Antivirus Software on Latest Hacking News.

Cisco Patched Multiple Security Vulnerabilities In SD-WAN Solution

Cisco has recently rolled out fixes for multiple vulnerabilities found in its SD-WAN Solution. These include one critical and numerous

Cisco Patched Multiple Security Vulnerabilities In SD-WAN Solution on Latest Hacking News.

New Systemd Privilege Escalation Flaws Affect Most Linux Distributions

Security researchers have discovered three vulnerabilities in Systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. The vulnerabilities, assigned as CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, actually resides in the "systemd-journald" service

Nuclear Pack loads a fileless CVE-2014-4113 Exploit



Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.
Without big surprise the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same as the fake update proposed.

But there was an additionnal 11kb payload call for which i could not find sample on drive

Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign
It was also unusually encoded with two XOR pass and first part of the decoded stream is a Shellcode.

Friends (who don't want to be mentioned) figured a privilege escalation was in use there :

According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability )

I did not got to see the privilege escalation in live condition.

Note: it's not the first time a public Exploit Kit is integrating an exploit to escalates right on dropped payload (Cf CVE-2015-2426 in Magnitude )

Files : Fiddler and Dll here (password is malware - XOR key : 56774347426F664767  then  213404052d09212031)
Thanks : Kaspersky,  Timo Hirvonen , Malc0de and 2 other friends for taking some time and use their wizardness  on this.

Read More :
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro