Category Archives: rce

Critical RCE affects older Diebold Nixdorf ATMs

Automated teller machine vendor Diebold Nixdorf has released security updates to address a remote code execution vulnerability in older ATMs.

Diebold Nixdorf discovered a remote code execution vulnerability in older ATMs and is urging its customers to install the security updates it has released to address the flaw.

The vulnerability affects older Opteva model ATMs; Diebold Nixdorf will start notifying customers next week.

The security research group NightSt0rm published technical details about the vulnerability in a blog post on Medium. The experts explained that they had access to a Diebold ATM and started analyzing the machine, a simple PC running Windows and exposing some services implemented by the ATM provider. They focused their analysis on the Spiservice service listening on port 8043.

“Look at the output of command, there is a service (Spiservice) which is running on port 8043. The SpiService.exe is associated with XFS, the Extension for Financial Services DLL library (MSXFS.dll) that is specifically used by ATMs.” reads the post published by the experts. “The library provides a special API for the communication with the ATM’s PIN pad and the cash dispenser.”

The ATM tested by the experts was running Agilis XFS for Opteva version 4.1.61.1. Attempting to connect to the service via a web browser, the experts noticed that it calls many libraries, including one called VDMXFS.dll.

According to Diebold Nixdorf, this service only runs on Opteva version 4.x software; later versions are not affected.

The application uses RemotingConfiguration.Configure and accepts “server.config” as the parameter used to load its configuration. Analyzing the file, the experts discovered that the program uses the .NET Remoting technique, which allows different applications to communicate with each other.

The researchers created two applications to remotely interact with the service and captured the network traffic; with this trick they found that the application uses the HTTP SOAP protocol for the communication.

The ATM maker released Agilis XFS for Opteva – BulkCashRec (BCRM) version 4.1.22, which doesn’t expose the service’s configuration online.

The experts pointed out that this attack could be prevented by properly configuring the terminal-based firewall included in the older versions of Opteva ATMs. The good news is that the firewall is enabled by default, which means that only ATM owners who disabled it are at risk.

The NightSt0rm team attempted to report the issue to Diebold Nixdorf but did not receive a reply.

At the time of writing, there is no news of attacks in the wild exploiting this RCE flaw.

Pierluigi Paganini

(SecurityAffairs – Diebold Nixdorf, ATM)

The post Critical RCE affects older Diebold Nixdorf ATMs appeared first on Security Affairs.

PoC Exploits for CVE-2019-0708 wormable Windows flaw released online

Several security experts have developed PoC exploits for wormable Windows RDS flaw tracked as CVE-2019-0708 and dubbed BlueKeep.

Experts have developed several proof-of-concept (PoC) exploits for the recently patched Windows Remote Desktop Services (RDS) vulnerability tracked as CVE-2019-0708 and dubbed BlueKeep.

One of the PoC exploits could be used for remote code execution on vulnerable systems.

Microsoft Patch Tuesday updates for May 2019 address nearly 80 vulnerabilities, including a Windows zero-day flaw and an RDS vulnerability that can be exploited to carry out WannaCry-like attacks.

The issue is a remote code execution flaw in Remote Desktop Services (RDS) that can be exploited by an unauthenticated attacker by connecting to the targeted system via RDP and sending specially crafted requests.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities: because it can be exploited without user interaction, malware could spread in an uncontrolled way across target networks.

The vulnerability doesn’t affect Windows 8 and Windows 10, but earlier versions are exposed to the risk of cyber attacks.

Microsoft also advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this vulnerability.
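Both the Diebold Nixdorf post above (the Agilis XFS Spiservice listening on port 8043, protected only by the terminal firewall) and the mitigation Microsoft gives here (block TCP port 3389 and require NLA) come down to the same question for a defender: is a sensitive service port reachable from outside the local network? The following Python script is an added example, not code from Security Affairs, Microsoft, Diebold Nixdorf or the researchers. It parses Windows Firewall log lines in the standard pfirewall.log field layout and reports allowed inbound TCP connections to those two ports from addresses outside RFC 1918, loopback and link-local space. The log lines are constructed for the example, with TEST-NET addresses standing in for Internet sources; the port-to-service labels and the list of internal networks are assumptions to adapt to your own environment.

```python
"""Added example: flag allowed inbound connections to sensitive service ports
in a Windows Firewall log (pfirewall.log layout). Sample lines are constructed."""
import ipaddress
from collections import Counter

# Ports discussed in the posts above. The service labels are assumptions
# used for reporting only.
SENSITIVE_PORTS = {
    8043: "Agilis XFS Spiservice (.NET Remoting over HTTP/SOAP)",
    3389: "Remote Desktop Services (RDP)",
}

# Address space treated as "inside". Assumed ranges; adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# pfirewall.log data lines carry these 17 whitespace-separated fields.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()


def is_external(ip):
    """True when the address lies outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict; None for headers, comments and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        ipaddress.ip_address(rec["src-ip"])   # reject lines with unparsable addresses
        ipaddress.ip_address(rec["dst-ip"])
        rec["dst-port"] = int(rec["dst-port"]) if rec["dst-port"] != "-" else None
    except ValueError:
        return None
    return rec


def find_exposures(lines):
    """Return (timestamp, src_ip, dst_port, service) for every ALLOW/RECEIVE TCP
    entry that reaches a sensitive port from an external source. DROP entries,
    outbound (SEND) traffic and non-TCP protocols are ignored."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["action"], rec["protocol"], rec["path"]) != ("ALLOW", "TCP", "RECEIVE"):
            continue
        if rec["dst-port"] not in SENSITIVE_PORTS or not is_external(rec["src-ip"]):
            continue
        hits.append((f'{rec["date"]} {rec["time"]}', rec["src-ip"],
                     rec["dst-port"], SENSITIVE_PORTS[rec["dst-port"]]))
    return hits


def sources_by_port(hits):
    """Count external sources per exposed port, for a quick summary."""
    return {port: Counter(src for _, src, p, _ in hits if p == port)
            for port in {h[2] for h in hits}}


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are TEST-NET
# ranges used here as stand-ins for Internet sources.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-05-15 10:21:33 ALLOW TCP 203.0.113.7 10.0.0.5 51234 3389 0 - 0 0 0 - - - RECEIVE
2019-05-15 10:21:40 ALLOW TCP 10.0.0.9 10.0.0.5 51301 3389 0 - 0 0 0 - - - RECEIVE
2019-05-15 10:22:02 DROP TCP 198.51.100.4 10.0.0.5 44120 3389 0 - 0 0 0 - - - RECEIVE
2019-05-15 10:23:11 ALLOW TCP 198.51.100.4 10.0.0.12 44500 8043 0 - 0 0 0 - - - RECEIVE
2019-05-15 10:23:15 ALLOW TCP 10.0.0.12 198.51.100.4 8043 44500 0 - 0 0 0 - - - SEND
2019-05-15 10:24:00 ALLOW UDP 203.0.113.7 10.0.0.5 5000 3389 0 - - - - - - - RECEIVE
this line is malformed and must be skipped
"""

if __name__ == "__main__":
    found = find_exposures(SAMPLE_LOG.splitlines())
    for ts, src, port, service in found:
        print(f"{ts}  {src:>15} -> tcp/{port}  {service}")
    print(sources_by_port(found))
```

On a real host, point it at a copy of %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log with logging of allowed connections turned on (it is off by default). Any hit on 3389 from an external source means the host is relying on NLA and the patch alone; any hit on 8043 means the terminal firewall is not filtering the Spiservice port as the researchers recommend.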

The issue poses a serious risk to organizations and industrial environments due to the presence of a large number of systems that could be reached via RDS.

Not all the exploits publicly released by the experts are fully working; some of them are able to trigger the vulnerability but don’t cause any problem.

Experts at the SANS Institute observed two partial exploits that are publicly available.

“Several security vendors stated publicly that they developed exploits internally that will at least trigger a denial of service condition (blue screen). Currently, there are at least two public partial exploits.” reads the blog post published by the SANS Institute, “One triggers the “vulnerable path” without triggering a blue screen or causing any other damage. It can be adjusted to play with the “channel” parameter to create normal and exploit traffic. The second one also triggers the vulnerability without any intended ill effect. The second exploit has been made available in the form of a stand-alone vulnerability scanner.”

Nevertheless, some researchers have created exploits to remotely execute code on vulnerable systems.

CVE-2019-0708 exploit code

Chaouki Bekrar, the founder of zero-day broker firm Zerodium, explained that the flaw can be exploited remotely by an unauthenticated user to gain access to a device with SYSTEM privileges.

Researchers at McAfee developed a PoC exploit that could be used to achieve remote code execution.

Experts believe that it is just a matter of time before we see threat actors exploiting the flaw in the wild.

“Right now, it is only a matter of time until someone publishes a working exploit or a malware author starts selling one on the underground markets. Should that happen, it will probably become very popular among less skilled cybercriminals and also a lucrative asset for its originator,” reads the post published by ESET.

“BlueKeep will also show if organizations around the world learned a lesson after the large 2017 outbreaks and improved their security posture and patching routines.”


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2019-0708 )


Adobe patches over 80 flaws in Flash, Acrobat Reader, and Media Encoder

Adobe Patch Tuesday updates for May 2019 address a critical flaw in Flash Player and more than 80 vulnerabilities in Acrobat products.

Adobe Patch Tuesday updates for May 2019 address a total of 84 vulnerabilities in Acrobat and Acrobat Reader products for Windows and macOS.

The tech company addressed many critical vulnerabilities in its products, including heap overflow, buffer error, double free, use-after-free, type confusion, and out-of-bounds write issues that can be exploited to execute arbitrary code on vulnerable systems.

The list of vulnerabilities addressed by Adobe also includes several out-of-bounds read issues that can lead to information disclosure.

The good news is that none of the vulnerabilities patched by the Adobe Patch Tuesday updates for May 2019 have been exploited in attacks in the wild. According to the priority ratings assigned by Adobe to the flaws, the risk of exploitation in the near future is low.

Adobe fixed a critical use-after-free vulnerability in Flash Player that can be exploited to execute arbitrary code in the context of the targeted user.

The issue tracked as CVE-2019-7837 affects Windows, macOS, Linux, and Chrome OS versions of the popular software. The vulnerability was reported to Adobe by an anonymous researcher via Trend Micro’s Zero Day Initiative (ZDI).

Adobe also fixed a critical file parsing vulnerability that can lead to remote code execution.

Adobe Patch Tuesday

Adobe also released Media Encoder version 13.1, which addresses two security vulnerabilities: a critical issue tracked as CVE-2019-7842 that can lead to remote code execution, and an information disclosure flaw.

Pierluigi Paganini

(SecurityAffairs – Adobe, Adobe Patch Tuesday updates May 19)


Thrangrycat flaw could allow compromising millions of Cisco devices

Security firm Red Balloon discovered a severe vulnerability, dubbed Thrangrycat, in Cisco products that could be exploited to implant a persistent backdoor in many devices.

Experts at Red Balloon Security disclosed two vulnerabilities in Cisco products. The first issue, dubbed Thrangrycat and tracked as CVE-2019-1649, affects multiple Cisco products that support the Trust Anchor module (TAm).

The flaw could be exploited by an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second vulnerability, tracked as CVE-2019-1862, is a remote command injection issue that affects Cisco IOS XE version 16 and that could allow remote attackers to execute code as root.

By chaining the flaws, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.

“A vulnerability in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component.” reads the advisory published by Cisco. “This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality.”

The Trust Anchor module (TAm) is a hardware-based component that allows verifying that Cisco hardware is authentic and also implements additional security services.

Cisco Secure Boot helps ensure that the code running on Cisco hardware platforms is authentic and unmodified; it has been available in Cisco devices since 2013.

The researchers discovered that an attacker with root privileges can make a persistent modification to the Trust Anchor module via FPGA bitstream modification and load a malicious bootloader.

“An attacker with root privileges on the device can modify the contents of the FPGA anchor bitstream, which is stored unprotected in flash memory.” reads the analysis published by the experts.

“Elements of this bitstream can be modified to disable critical functionality in the TAm. Successful modification of the bitstream is persistent, and the Trust Anchor will be disabled in subsequent boot sequences. It is also possible to lock out any software updates to the TAm’s bitstream.”

Thrangrycat flaw Cisco devices

Cisco classified the flaw as high severity; it received a CVSS base score of 6.7 because exploitation requires root privileges. However, Red Balloon pointed out that attackers could also exploit the Thrangrycat vulnerability remotely by chaining it with other vulnerabilities that allow them to gain root access or, at least, execute commands as root.

“An attacker with elevated privileges and access to the underlying operating system that is running on the affected device could exploit this vulnerability by writing a modified firmware image to the FPGA.” continues the advisory published by Cisco. “A successful exploit could either cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.”

Summarizing, the attackers first exploit the RCE vulnerability (CVE-2019-1862) in the web-based user interface of Cisco IOS XE, which allows a logged-in administrator to remotely execute arbitrary commands on the underlying Linux shell with root privileges.

Then, once they have gained root access, the attackers can remotely bypass the Trust Anchor module (TAm) on the targeted device by triggering the Thrangrycat vulnerability and install a malicious backdoor.

The flaws are very concerning because they reside in the hardware and cannot be addressed with a software patch.

“Since the flaws reside within the hardware design, it is unlikely that any software security patch will fully resolve the fundamental security vulnerability.” concludes the advisory published by Red Balloon.

The experts successfully tested the flaw against Cisco ASR 1001-X routers, but hundreds of millions of Cisco units featuring an FPGA-based TAm implementation are vulnerable.

Red Balloon experts reported the flaws to Cisco in November 2018 and publicly disclosed some details after Cisco released firmware patches to address the vulnerabilities.

The good news is that Cisco is not aware of attacks in the wild exploiting the two vulnerabilities.

Pierluigi Paganini

(SecurityAffairs – Thrangrycat, Cisco)
