
Vulnerability Spotlight: Tinysvcmdns Multi-label DNS DoS Vulnerability

Overview

Talos is disclosing a single NULL pointer dereference vulnerability in the tinysvcmdns library. Tinysvcmdns is a small mDNS responder implementation for publishing services, essentially a minimal, embeddable version of Avahi or Bonjour.

Details

Discovered by Claudio Bozzato, Yves Younan, Lilith Wyatt, and Aleksandar Nikolic of Cisco Talos.


TALOS-2017-0486 / CVE-2017-12130 is a NULL pointer dereference vulnerability in the tinysvcmdns library. The vulnerability lies in the way tinysvcmdns parses the labels of a multi-label name in a DNS request. A crafted query leaves the library holding a NULL pointer, which it then dereferences, crashing the responder and causing a denial of service. An attacker can trigger this vulnerability by sending a specially crafted DNS query. Full details of the vulnerability are available here.
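The page does not say which parsing step in tinysvcmdns leaves the pointer NULL; that is in the advisory. What the bug class comes down to is a wire-format name parser whose caller uses its result without checking for failure. The following C is an added example written for this post, not tinysvcmdns code: it parses a multi-label DNS name with every length checked against the packet, returns -1 instead of a partial result on any malformed input, and shows a question-section walker that refuses to use anything from a failed parse. The function names, the sample packets and the 256-byte name buffer are constructed for the example; nothing here is taken from a capture.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one wire-format DNS name (length-prefixed labels terminated by a zero
 * byte) starting at pkt[off]. The dotted name is written to out. Returns the
 * number of packet bytes consumed, or -1 for any malformed input, so the caller
 * never sees a half-filled buffer or an unterminated name on the error path.
 * Compression pointers (top two bits of a length byte set) are rejected here;
 * a full mDNS implementation must follow them with a hop limit instead. */
int parse_dns_name(const uint8_t *pkt, size_t len, size_t off,
                   char *out, size_t out_len)
{
    size_t pos = off, outpos = 0;
    int nlabels = 0;

    if (pkt == NULL || out == NULL || out_len == 0 || off > len)
        return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* no terminating zero byte */
        uint8_t l = pkt[pos++];
        if (l == 0) break;                         /* root label: end of name */
        if ((l & 0xC0) != 0) return -1;            /* compression / reserved bits */
        /* l <= 63 here because the two top bits are clear (RFC 1035 limit) */
        if (l > len - pos) return -1;              /* label runs past the packet */
        if (outpos + l + 2 > out_len) return -1;   /* room for '.', label and NUL */
        if (nlabels > 0) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos, l);
        outpos += l;
        pos += l;
        nlabels++;
        if (outpos > 253) return -1;               /* RFC 1035 total name limit */
    }
    out[outpos] = '\0';
    return (int)(pos - off);
}

/* Walk the question section of an mDNS query packet. Returns the number of
 * questions parsed, or -1 if the header is short, a name is malformed or a
 * QTYPE/QCLASS pair is missing. Nothing derived from a failed parse is used. */
int parse_mdns_questions(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 12) return -1;        /* 12-byte DNS header */
    unsigned qdcount = (unsigned)(pkt[4] << 8 | pkt[5]);
    size_t pos = 12;
    int parsed = 0;
    char name[256];

    while ((unsigned)parsed < qdcount) {
        int n = parse_dns_name(pkt, len, pos, name, sizeof name);
        if (n < 0) return -1;
        pos += (size_t)n;
        if (len - pos < 4) return -1;              /* QTYPE + QCLASS */
        pos += 4;
        parsed++;
    }
    return parsed;
}

/* Constructed sample query for _http._tcp.local PTR IN (not a capture). */
static const uint8_t QUERY_OK[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    5, '_', 'h', 't', 't', 'p', 4, '_', 't', 'c', 'p', 5, 'l', 'o', 'c', 'a', 'l', 0,
    0x00, 0x0C, 0x00, 0x01
};
/* Same query with the terminating zero and the QTYPE/QCLASS cut off. */
static const uint8_t QUERY_TRUNC[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    5, '_', 'h', 't', 't', 'p', 4, '_', 't', 'c', 'p', 5, 'l', 'o', 'c', 'a', 'l'
};
/* Label length byte (0x20 = 32) larger than the bytes that follow it. */
static const uint8_t QUERY_BADLEN[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 'l', 'o', 'c', 'a', 'l', 0, 0x00, 0x0C, 0x00, 0x01
};
static char name_buf[256];

int main(void)
{
    int n = parse_dns_name(QUERY_OK, sizeof QUERY_OK, 12, name_buf, sizeof name_buf);
    printf("name=%s consumed=%d\n", name_buf, n);
    printf("questions: ok=%d trunc=%d badlen=%d\n",
           parse_mdns_questions(QUERY_OK, sizeof QUERY_OK),
           parse_mdns_questions(QUERY_TRUNC, sizeof QUERY_TRUNC),
           parse_mdns_questions(QUERY_BADLEN, sizeof QUERY_BADLEN));
    return 0;
}
```

The point of the two-level structure is that the walker never touches a name, a pointer into the packet or an offset that the lower-level parser did not fully validate; a responder that instead stores a NULL or a partial result and keeps going is exactly where a crafted multi-label name turns into a crash.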

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 44986

Vulnerability Spotlight: VMware VNC Vulnerabilities

Today, Talos is disclosing a pair of vulnerabilities in the VNC implementation used in VMware's products that could result in code execution. VMware uses VNC for remote management, remote access and automation in products including Workstation, Player and ESXi, which share a common VMware VNC code base. An attacker who can initiate a VNC session with the server can trigger both vulnerabilities. Talos has coordinated with VMware to ensure the issues were disclosed responsibly and patched by the vendor. Additionally, Talos has developed Snort signatures that detect attempts to exploit these vulnerabilities.

These vulnerabilities were identified using the recently released Decept Proxy and Mutiny Fuzzer. With these tools, fuzzing was set up quickly: generate VNC traffic, pass it through the Decept Proxy to capture a .fuzzer file, and then fuzz that file with Mutiny. None of this required any knowledge of the VMware-specific protocol extensions. For more details about the Decept Proxy and Mutiny Fuzzer, see our recent blog.

Vulnerability Details

Discovered by Lilith Wyatt <(^_^)> of Cisco Talos

TALOS-2017-0368

TALOS-2017-0368/CVE-2017-4933 is a code execution vulnerability residing in the remote management functionality of VMware. Along with the standard VNC messages that all VNC servers are required to support, VMware uses a custom, proprietary VNC extension that adds new VNC features and reworks some standard ones. This vulnerability lies in one of these new features, VMWDynResolution, specifically in the VMWDynResolution request. That request is one of the few that causes the VNC server to read in user-supplied data. The vulnerability resides in the way the VNC server handles this data and results in a heap corruption that can lead to code execution.

For more technical details, please read our advisory here.

TALOS-2017-0369

TALOS-2017-0369/CVE-2017-4941 is a code execution vulnerability residing in the remote management functionality of VMware. As specified in the RFB protocol, all VNC servers have to support a standard set of messages, and it is in this set that the vulnerability resides. The relevant messages are VncPointerEvent, VncSetPixelFormat, and VncFrameBufferUpdateRequest. Triggering the bug involves asking the VNC server to create a frame buffer (i.e. a screenshot) in memory, changing the image format of that buffer to non-Truecolor (i.e. palette-based), and then causing a cursor to be re-rendered onto that buffer. Because the image format of the frame buffer and that of the cursor are confused, this sequence causes a large value to be written into the cursor's PNG info struct, which eventually leads to a loop of reads and writes on the stack and a stack overflow.

For more technical details, please read our advisory here.
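The three standard messages named above have fixed layouts in RFC 6143 (SetPixelFormat, FramebufferUpdateRequest and PointerEvent). The following C is an added example written for this post, not Talos's proof of concept and not VMware code: it encodes a full-screen FramebufferUpdateRequest, a SetPixelFormat whose true-colour flag is cleared (i.e. a request for a palette-based format) and a PointerEvent, in the order the paragraph describes, and includes a small detection-side check that recognises the palette-format switch. It writes to a buffer and sends nothing; whether any particular sequence reaches the vulnerable code depends on details that are in the advisory, not on this page. Message sizes and field offsets come from the RFC; the 1024x768 rectangle, the pointer position and the function names are sample values chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFB client-to-server message type bytes (RFC 6143, section 7.5). */
enum { RFB_SET_PIXEL_FORMAT = 0, RFB_FB_UPDATE_REQUEST = 3, RFB_POINTER_EVENT = 5 };

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* SetPixelFormat: 1-byte type, 3 bytes padding, 16-byte PIXEL-FORMAT = 20 bytes.
 * true_colour == 0 asks the server for a colour-map (palette) pixel format, in
 * which case the max/shift fields are unused and left zero. */
size_t rfb_set_pixel_format(uint8_t *buf, size_t cap, uint8_t bpp, uint8_t depth,
                            uint8_t true_colour)
{
    if (cap < 20) return 0;
    memset(buf, 0, 20);
    buf[0] = RFB_SET_PIXEL_FORMAT;
    buf[4] = bpp;
    buf[5] = depth;
    buf[6] = 0;            /* big-endian-flag */
    buf[7] = true_colour;  /* 1 = RGB max/shift fields valid, 0 = colour map */
    if (true_colour) {
        put_u16(buf + 8, 255);  put_u16(buf + 10, 255);  put_u16(buf + 12, 255);
        buf[14] = 16; buf[15] = 8; buf[16] = 0;          /* red/green/blue shift */
    }
    return 20;
}

/* FramebufferUpdateRequest: 10 bytes. incremental == 0 asks for the full rectangle,
 * which is what makes the server produce a complete frame buffer. */
size_t rfb_fb_update_request(uint8_t *buf, size_t cap, uint8_t incremental,
                             uint16_t x, uint16_t y, uint16_t w, uint16_t h)
{
    if (cap < 10) return 0;
    buf[0] = RFB_FB_UPDATE_REQUEST;
    buf[1] = incremental;
    put_u16(buf + 2, x); put_u16(buf + 4, y); put_u16(buf + 6, w); put_u16(buf + 8, h);
    return 10;
}

/* PointerEvent: 6 bytes. A pointer move is what makes the server redraw the cursor. */
size_t rfb_pointer_event(uint8_t *buf, size_t cap, uint8_t button_mask,
                         uint16_t x, uint16_t y)
{
    if (cap < 6) return 0;
    buf[0] = RFB_POINTER_EVENT;
    buf[1] = button_mask;
    put_u16(buf + 2, x); put_u16(buf + 4, y);
    return 6;
}

/* Build the three-message sequence from the description into one buffer:
 * full-screen update request, switch to an 8-bit palette format, pointer move.
 * Returns the total length, or 0 if the buffer is too small for all three. */
size_t rfb_build_sequence(uint8_t *buf, size_t cap)
{
    size_t n = 0, m;
    m = rfb_fb_update_request(buf + n, cap - n, 0, 0, 0, 1024, 768); if (!m) return 0; n += m;
    m = rfb_set_pixel_format(buf + n, cap - n, 8, 8, 0);            if (!m) return 0; n += m;
    m = rfb_pointer_event(buf + n, cap - n, 0, 10, 10);             if (!m) return 0; n += m;
    return n;
}

/* Detection-side helper: does this client message switch the session to a
 * non-true-colour (palette) pixel format? Returns 1 or 0, and -1 if the bytes
 * are not a complete SetPixelFormat message. */
int rfb_is_palette_set_pixel_format(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < 20 || msg[0] != RFB_SET_PIXEL_FORMAT) return -1;
    return msg[7] == 0;
}

static uint8_t rfb_buf[64];

int main(void)
{
    size_t n = rfb_build_sequence(rfb_buf, sizeof rfb_buf);
    printf("%zu bytes:", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", rfb_buf[i]);
    printf("\npalette SetPixelFormat at offset 10: %d\n",
           rfb_is_palette_set_pixel_format(rfb_buf + 10, 20));
    return 0;
}
```

On the wire all three messages are tiny and unauthenticated beyond the RFB handshake, which is why the coverage below keys on the session content rather than on any VMware-specific extension; the palette-format check above is the shape of test a rule for this class of bug can apply to a SetPixelFormat message.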

Coverage

Talos has developed the following Snort rules to detect attempts to exploit these vulnerabilities. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.

Snort Rules: 43483-43486

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/

To review our Vulnerability Disclosure Policy, please visit this site:

Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within libxls

Vulnerabilities discovered by Marcin Noga of Cisco Talos

Talos is disclosing seven new vulnerabilities discovered within the libxls library: TALOS-2017-0403, TALOS-2017-0404, TALOS-2017-0426, TALOS-2017-0460, TALOS-2017-0461, TALOS-2017-0462, and TALOS-2017-0463. Each of these vulnerabilities can result in remote code execution via a specially crafted XLS file.

Overview

libxls is a C library, supported on Windows, macOS and Linux, that reads Microsoft Excel File Format (XLS) files from the current binary format back to Excel 97 (BIFF8). It is used by the `readxl` package, which can be installed in the R programming language from the CRAN repository, and it is also part of the ‘xls2csv’ tool.

Please note that the fix is currently only available from the project's svn repository.

Details

TALOS-2017-0403

An exploitable out-of-bounds write vulnerability exists in the xls_mergedCells function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can deliver a malicious XLS file to trigger this vulnerability, for example as an email attachment in a phishing campaign, and compromise the victim's machine.

Full technical advisory is available here.

TALOS-2017-0404

An exploitable out-of-bounds write vulnerability exists in the read_MSAT function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can deliver a malicious XLS file to trigger this vulnerability, for example as an email attachment in a phishing campaign, and compromise the victim's machine.

Full technical advisory is available here.

TALOS-2017-0426

An exploitable stack-based buffer overflow vulnerability exists in the xls_getfcell function of libxls 1.3.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can deliver a malicious XLS file to trigger this vulnerability, for example as an email attachment in a phishing campaign, and compromise the victim's machine.

NOTE: This vulnerability does not affect the readxl package that can be installed in the R programming language.

Full technical advisory is available here.

TALOS-2017-0460

An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULBLANK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can deliver a malicious XLS file to trigger this vulnerability, for example as an email attachment in a phishing campaign, and compromise the victim's machine.

Full technical advisory is available here.

TALOS-2017-0461

An exploitable integer overflow vulnerability exists in the xls_preparseWorkSheet function of libxls 1.4 when handling a MULRK record. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can deliver a malicious XLS file to trigger this vulnerability, for example as an email attachment in a phishing campaign, and compromise the victim's machine.

Full technical advisory is available here.
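The page gives only the function and the record type for TALOS-2017-0460 and TALOS-2017-0461; the arithmetic that actually overflows in libxls is in the advisories, not here. What the two records have in common is that the number of cells they carry is not stored explicitly but derived from two header fields, colFirst and colLast, and a record length. The following C is an added example written for this post, not libxls code: it validates MULBLANK and MULRK records so that the derived cell count is consistent with the record length and the BIFF8 column range before anything uses it. The record layouts are those documented in MS-XLS; the function names and the three sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIFF_MULRK     0x00BD
#define BIFF_MULBLANK  0x00BE
#define BIFF8_MAX_COLS 256     /* BIFF8 sheets have columns 0..255 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate one MULBLANK/MULRK record body (the bytes after the 4-byte record
 * header). Layout per MS-XLS: rw U16, colFirst U16, n entries, colLast U16,
 * where n = colLast - colFirst + 1 and each entry is 2 bytes (MULBLANK: an XF
 * index) or 6 bytes (MULRK: XF index + RK value). Returns n, or -1 when the
 * header fields and the record length disagree. The subtraction is done on
 * ints holding 16-bit values, so it cannot wrap the way a uint16_t would. */
int biff_mul_cell_count(uint16_t rectype, const uint8_t *body, size_t len)
{
    int entry_size;
    if (rectype == BIFF_MULBLANK)   entry_size = 2;
    else if (rectype == BIFF_MULRK) entry_size = 6;
    else return -1;
    if (body == NULL || len < 6) return -1;          /* rw + colFirst + colLast */
    int col_first = rd16(body + 2);
    int col_last  = rd16(body + len - 2);
    if (col_last < col_first) return -1;             /* n would be 0 or negative */
    if (col_last >= BIFF8_MAX_COLS) return -1;       /* beyond the sheet's columns */
    int n = col_last - col_first + 1;                /* at most 256 */
    if ((size_t)n * (size_t)entry_size != len - 6) return -1; /* payload must match n */
    return n;
}

/* Walk a buffer of BIFF records and validate every MULBLANK/MULRK before the
 * per-cell loop would run. Returns the total number of cells those records
 * declare, or -1 on the first inconsistent record or truncated header. */
int biff_count_mul_cells(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int total = 0;
    if (buf == NULL) return -1;
    while (pos < len) {
        if (len - pos < 4) return -1;                /* truncated record header */
        uint16_t rectype = rd16(buf + pos);
        size_t reclen = rd16(buf + pos + 2);
        pos += 4;
        if (reclen > len - pos) return -1;           /* body runs past the buffer */
        if (rectype == BIFF_MULBLANK || rectype == BIFF_MULRK) {
            int n = biff_mul_cell_count(rectype, buf + pos, reclen);
            if (n < 0) return -1;
            total += n;
        }
        pos += reclen;
    }
    return total;
}

/* Constructed sample records (not taken from any real file). */
/* MULBLANK: row 1, columns 2..4 -> three 2-byte XF indexes, colLast 4. */
static const uint8_t MULBLANK_OK[] = {
    0xBE, 0x00, 0x0C, 0x00,                 /* type 0x00BE, length 12 */
    0x01, 0x00, 0x02, 0x00,                 /* rw=1, colFirst=2 */
    0x0F, 0x00, 0x0F, 0x00, 0x0F, 0x00,     /* three ixfe values */
    0x04, 0x00                              /* colLast=4 */
};
/* MULRK: row 0, columns 0..1 -> two 6-byte (ixfe + RK) entries, colLast 1. */
static const uint8_t MULRK_OK[] = {
    0xBD, 0x00, 0x12, 0x00,                 /* type 0x00BD, length 18 */
    0x00, 0x00, 0x00, 0x00,                 /* rw=0, colFirst=0 */
    0x0F, 0x00, 0x00, 0x00, 0x00, 0x00,     /* ixfe + RK */
    0x0F, 0x00, 0x02, 0x00, 0x00, 0x00,     /* ixfe + RK */
    0x01, 0x00                              /* colLast=1 */
};
/* MULBLANK whose colLast (0) is below colFirst (2): an unsigned n would wrap. */
static const uint8_t MULBLANK_WRAP[] = {
    0xBE, 0x00, 0x0C, 0x00,
    0x01, 0x00, 0x02, 0x00,
    0x0F, 0x00, 0x0F, 0x00, 0x0F, 0x00,
    0x00, 0x00
};
static uint8_t STREAM_OK[sizeof MULRK_OK + sizeof MULBLANK_OK];

/* Two valid records back to back, to exercise the record walker. */
size_t build_stream_ok(void)
{
    memcpy(STREAM_OK, MULRK_OK, sizeof MULRK_OK);
    memcpy(STREAM_OK + sizeof MULRK_OK, MULBLANK_OK, sizeof MULBLANK_OK);
    return sizeof STREAM_OK;
}

int main(void)
{
    printf("mulblank=%d mulrk=%d wrap=%d stream=%d\n",
           biff_count_mul_cells(MULBLANK_OK, sizeof MULBLANK_OK),
           biff_count_mul_cells(MULRK_OK, sizeof MULRK_OK),
           biff_count_mul_cells(MULBLANK_WRAP, sizeof MULBLANK_WRAP),
           biff_count_mul_cells(STREAM_OK, build_stream_ok()));
    return 0;
}
```

The three checks that matter are the ordering check (colLast below colFirst), the column-range check, and the equality between the derived count times the entry size and the bytes actually present; a parser that trusts any one of the header fields on its own ends up sizing a loop or an allocation from attacker-controlled arithmetic.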

TALOS-2017-0462

An exploitable integer overflow vulnerability exists in the xls_appendSST function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can deliver a malicious XLS file to trigger this vulnerability, for example as an email attachment in a phishing campaign, and compromise the victim's machine.

Full technical advisory is available here.

TALOS-2017-0463

An exploitable out-of-bounds memory access vulnerability exists in the xls_addCell function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can deliver a malicious XLS file to trigger this vulnerability, for example as an email attachment in a phishing campaign, and compromise the victim's machine.

NOTE: This vulnerability does not affect the readxl package that can be installed in the R programming language.

Full technical advisory is available here.

Product Website:

Coverage

The following Snort IDs have been released to detect these vulnerabilities: 44101-44102, 44092-44093, 44163-44164, 44520-45523, 44593-44594, 44589-44590