Posts Tagged ‘arbitrary code execution’

Wednesday, March 19, 2014 @ 05:03 PM gHale

While it took just under two years, there is now an update for the Sielco Sistemi Winlog multiple vulnerabilities first published in July 2012.

Sielco Sistemi produced a new release that corrects all identified vulnerabilities in the application discovered by researchers Carlos Mario Penagos Hollmann of IOActive, Michael Messner, and Luigi Auriemma, according to a report on ICS-CERT. Hollmann and Auriemma tested the release to validate that it resolves the remotely exploitable vulnerabilities. Exploit code is publicly available for these vulnerabilities.

The following Sielco Sistemi products suffer from the issues:
• Winlog Pro SCADA, all versions prior to 2.07.18
• Winlog Lite SCADA, all versions prior to 2.07.18.

Successful exploitation of these vulnerabilities could lead to a program crash, information leakage, or arbitrary code execution.

Sielco Sistemi is an Italy-based company that creates supervisory control and data acquisition/human-machine interface (SCADA/HMI) software and hardware products.

Winlog Lite SCADA is a demo version of the Winlog Pro SCADA/HMI system. Winlog Pro SCADA sees use across several sectors including manufacturing, public utilities, telecommunications, and others. Sielco Sistemi products deploy mainly in Italy, Turkey, Canada, U.S., Indonesia, and Spain.

By sending specially crafted packets to Port 46824/TCP, an attacker can overflow a memory buffer on the target system. Errors in RunTime.exe and TCPIPS_Story.dll can be exploited by these packets to cause the buffer overflow; the packets can also trigger a boundary error in RunTime.exe that causes the overflow. This can allow the attacker to cause a denial-of-service condition leading to a crash, or possibly to execute arbitrary code.

CVE-2012-3815 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Unauthorized users can access and read files on the system on which Winlog is running by causing an input validation error. An attacker can send a specially formed packet to Port 46824/TCP to gain unauthorized access to the system, which may lead to information leakage.

CVE-2012-4353 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

By sending specially crafted packets that point outside of the defined array, an attacker can crash the system. With 32-bit operation coding, a file pointer outside the array could lead to arbitrary code execution or to a denial-of-service condition resulting in a crash.

CVE-2012-4354 and CVE-2012-4355 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

An input validation error when processing certain requests can end up exploited to disclose arbitrary files via directory traversal sequences sent in a specially crafted packet to TCP Port 46824.

CVE-2012-4356 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

By sending a specially formed packet, unauthorized attackers are able to write outside of the existing buffer allocation. An allocation error when processing these packets can be exploited to reference an invalid memory location, which could crash the system.

CVE-2012-4358 and CVE-2012-4359 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Some of the preceding vulnerability details came from Secunia Advisory SA49395.

Exploits that target these vulnerabilities are publicly available, and an attacker with a low skill level would be able to exploit them.

Sielco Sistemi created an update to fix these vulnerabilities. This update, Winlog Pro SCADA and Winlog Lite SCADA Version 2.07.18, is available for customer download.
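Because every Winlog issue above is reached over Port 46824/TCP, a defender who cannot update immediately will at least want to know which hosts are reaching that listener. The following PowerShell is an added example, not code from the article, ICS-CERT or Sielco Sistemi: it parses Windows Firewall log lines in the standard pfirewall.log layout and reports inbound TCP traffic to port 46824 from any source that is not on an allow-list. The sample log lines, the server address and the allow-listed client addresses are all constructed for this example.

```powershell
# Added example: flag inbound connections to the Winlog listener (46824/TCP)
# in Windows Firewall log lines. Sample lines and allow-list are constructed.

$WinlogPort = 46824

# Hosts expected to talk to the Winlog server (assumed values).
$AllowedClients = @('10.10.0.5', '10.10.0.6')

# Constructed sample in pfirewall.log (W3C) format:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags ... path
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-03-19 10:01:02 ALLOW TCP 10.10.0.5 10.10.0.20 51234 46824 0 S 0 0 0 - - - RECEIVE
2014-03-19 10:01:05 ALLOW TCP 203.0.113.7 10.10.0.20 40011 46824 0 S 0 0 0 - - - RECEIVE
2014-03-19 10:01:09 DROP TCP 198.51.100.9 10.10.0.20 40012 46824 0 S 0 0 0 - - - RECEIVE
2014-03-19 10:01:12 ALLOW TCP 10.10.0.20 10.10.0.5 46824 51234 0 A 0 0 0 - - - SEND
2014-03-19 10:01:15 ALLOW TCP 10.10.0.6 10.10.0.20 51300 80 0 S 0 0 0 - - - RECEIVE
'@

function Get-WinlogConnectionAlerts {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $Port = $WinlogPort,
        [string[]] $Allowed = $AllowedClients
    )
    foreach ($line in $Lines) {
        # Skip the W3C header lines and blanks.
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8) { continue }

        $entry = [pscustomobject]@{
            Timestamp = "$($f[0]) $($f[1])"
            Action    = $f[2]
            Protocol  = $f[3]
            SrcIp     = $f[4]
            DstIp     = $f[5]
            DstPort   = [int]$f[7]
            Direction = $f[-1]
        }

        # Only inbound TCP to the Winlog listener is of interest.
        if ($entry.Protocol -ne 'TCP' -or $entry.DstPort -ne $Port -or $entry.Direction -ne 'RECEIVE') { continue }
        if ($Allowed -contains $entry.SrcIp) { continue }

        # An ALLOW from an unexpected source is the serious case; a DROP is still worth a look.
        $reason = if ($entry.Action -eq 'ALLOW') { 'Unexpected source reached Winlog port' }
                  else { 'Blocked probe of Winlog port' }
        $entry | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru
    }
}

$alerts = Get-WinlogConnectionAlerts -Lines ($SampleLog -split "`r?`n")
$alerts | Format-Table Timestamp, Action, SrcIp, DstIp, DstPort, Reason -AutoSize
```

On the constructed sample this reports two lines: the allowed connection from 203.0.113.7 and the dropped attempt from 198.51.100.9; the SEND entry and the traffic to port 80 are ignored. To run it against a real host, replace `$SampleLog` with `Get-Content $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log` and fill `$AllowedClients` with the HMI clients that legitimately use the server.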

Monday, March 17, 2014 @ 06:03 PM gHale

Shockwave Player just got an update from Adobe Systems in order to fix a critical vulnerability that could allow attackers to remotely take control of affected systems.

The vulnerability, identified as CVE-2014-0505, is the result of a memory corruption issue and can lead to arbitrary code execution. According to Adobe, the flaw was privately reported to the company and there are no reports of active exploits targeting it in the wild.

Adobe recommends that users of Adobe Shockwave Player 12.0.9.149 and earlier versions update to the newly released version 12.1.0.150, which is available for Windows and Mac, the company said Thursday.

The Shockwave Player update comes two days after Adobe released security patches for vulnerabilities in its more popular Flash Player product.

Shockwave Player installs a browser plug-in that’s needed to display interactive online content created with Adobe’s Director software. While it’s not as widespread as Flash Player, Shockwave Player is on over 450 million desktop computers according to Adobe, which makes it a potential target for hackers.

Wednesday, December 11, 2013 @ 05:12 PM gHale

Adobe patched holes in its Flash Player and Shockwave Player Tuesday, including one that already has an exploit chomping at the bit.

“These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” the company said in a security advisory.

That CVE (Common Vulnerabilities and Exposures) ID refers to a type confusion vulnerability fixed in the new version of Flash Player. A memory corruption flaw tracked as CVE-2013-5332 also ended up fixed. If exploited successfully, both vulnerabilities can lead to arbitrary code execution allowing attackers to take control of the affected systems.

Some mitigation for this type of exploit exists since Flash 11.6, which introduced a click-to-play feature that requires users to confirm the playback of Flash content embedded in documents when opened in Microsoft Office versions older than Office 2010.

Tuesday’s update, though, moved the Windows and Macintosh versions of Flash Player to version 11.9.900.170, and the Linux version to 11.2.202.332. The Flash Player versions bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will automatically update through those browsers’ update mechanisms.

The two Flash Player vulnerabilities were also fixed in Adobe AIR, a runtime for rich Internet applications that has Flash support. The patches are included in Adobe AIR version 3.9.0.1380 for Windows, Mac and Android.

Adobe Shockwave Player version 12.0.7.148 for Windows and Mac was also released Tuesday to resolve two different memory corruption vulnerabilities—CVE-2013-5333 and CVE-2013-5334—that could lead to arbitrary code execution. Shockwave Player is not as widespread as Flash Player, but Adobe said it is on over 450 million desktop computers, which makes it a big target for attackers.

Wednesday, October 23, 2013 @ 06:10 PM gHale

WellinTech produced a new version of KingView that mitigates ActiveX vulnerabilities, according to a report on ICS-CERT.

These remotely exploitable vulnerabilities, discovered by independent researcher “Blake,” have active exploits targeting them. “Blake” identified the vulnerabilities and released proof-of-concept (exploit) code without coordination with ICS-CERT, the vendor, or any other coordinating entity.

The vulnerabilities are exploitable because the program does not properly sanitize user input, according to a previous report. KingView versions older than Version 6.53 suffer from the issue.

Successful exploitation of these vulnerabilities may allow an attacker to overwrite files and copy them from one location to another on the target machine.

WellinTech is a software development company specializing in automation and control. Beijing, China-based WellinTech has branches in the United States, Japan, Singapore, Europe, and Taiwan.

According to the WellinTech Web site, the KingView product is a Windows-based control, monitoring, and data collection application deployed across several industries including power, water, building automation, mining, and others.

WellinTech KingView contains a flaw in the SuperGrid.ocx ActiveX control that allows an attacker to traverse outside a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks.

The proof of concept copies an arbitrary file from one location to a second location and can also overwrite existing files. Because the vulnerability can be used to plant files, it may in turn allow arbitrary code execution.

CVE-2013-6127 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

WellinTech KingView contains a flaw in the KChartXY.ocx ActiveX control that allows an attacker to traverse outside a restricted path. The issue is due to the program not properly sanitizing user input. Proof of concept overwrites the win.ini file.

CVE-2013-6128 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

An attacker with a medium skill level would be able to exploit these vulnerabilities.

WellinTech provided the following links to download new versions of the affected files:
• SuperGrid.ocx, version number: 65.30.30000.10002
• KChartXY.ocx, version number: 65.30.30000.10002

It is also possible to correct the flaw by implementing the following workarounds:
• Set the kill-bit on the KChartXY ActiveX Control (CLSID A9A2011A-1E02-4242-AAE0-B239A6F88BAC).
• Set the kill-bit on the SuperGrid ActiveX Control (CLSID F494550F-A028-4817-A7B5-E5F2DCB4A47E).
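Setting a kill-bit means writing the documented `Compatibility Flags` value 0x400 under the `ActiveX Compatibility` registry key for the control's CLSID, so Internet Explorer refuses to instantiate it. The following PowerShell is an added example, not code from ICS-CERT or WellinTech: it applies the kill-bit to the two CLSIDs named in the advisory (in both the native and the Wow6432Node hive on 64-bit Windows, because 32-bit Internet Explorer reads the latter), preserves any other compatibility flags already set, and then reads the value back to confirm. The `$KingViewControls` table, function names and output format are this example's own.

```powershell
# Added example: set and verify the IE kill-bit for the KingView ActiveX controls
# named in the ICS-CERT advisory. Run from an elevated PowerShell session.

$KingViewControls = @{
    'KChartXY'  = '{A9A2011A-1E02-4242-AAE0-B239A6F88BAC}'   # CLSID from the advisory
    'SuperGrid' = '{F494550F-A028-4817-A7B5-E5F2DCB4A47E}'   # CLSID from the advisory
}

# Microsoft's documented kill-bit flag in "Compatibility Flags".
$KillBit = 0x400

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory)] [string] $Clsid)
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on 64-bit Windows consults the Wow6432Node view.
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($base in $bases) { Join-Path $base $Clsid }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)] [string] $Clsid)
    foreach ($key in (Get-ActiveXCompatKeys -Clsid $Clsid)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill-bit into whatever flags are already present ([int]$null is 0).
        $new = [int]$current -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)] [string] $Clsid)
    # True only if every applicable hive has the kill-bit set.
    foreach ($key in (Get-ActiveXCompatKeys -Clsid $Clsid)) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBit) -ne $KillBit)) { return $false }
    }
    return $true
}

foreach ($name in $KingViewControls.Keys) {
    $clsid = $KingViewControls[$name]
    Set-ActiveXKillBit -Clsid $clsid
    $state = if (Test-ActiveXKillBit -Clsid $clsid) { 'kill-bit set' } else { 'kill-bit NOT set' }
    '{0,-10} {1} : {2}' -f $name, $clsid, $state
}
```

The kill-bit only stops Internet Explorer (and other hosts that honour the ActiveX Compatibility key) from loading the controls; it does not patch them, so it is a stop-gap until the updated SuperGrid.ocx and KChartXY.ocx files above are installed.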

Monday, September 23, 2013 @ 05:09 PM gHale

The Apple iOS 7 update came out with some fanfare, but more importantly it brought in 80 security fixes.

The update fixes problems that could lead to a denial of service attack or trigger unexpected application termination or arbitrary code execution on devices like an iPad, iPod Touch or iPhone running an out of date OS.

Among what security experts were calling the bigger flaws Apple fixed were two passcode bypass issues. One (CVE-2013-0957) could allow an attacker to break out of an app in the third-party sandbox and determine the user’s passcode; a second (CVE-2013-5147) exploited the way the iPhone handled calls to bypass the screen lock in iOS 6.1.

Another similar data privacy vulnerability was one that could allow an attacker to intercept user credentials by compromising a TrustWave certificate (CVE-2012-5134). TrustWave issued and subsequently revoked the faulty sub-CA certificate.

Four Safari bugs were fixed, including one where the browser’s history remained visible even after it had been cleared. There was also a memory corruption problem in the way Safari handled XML files and a cross-site scripting flaw on sites that allow users to upload files.

Apple also addressed vulnerabilities reported last year, all of them arbitrary code execution bugs in the libxml and libxslt libraries.

Tuesday, September 17, 2013 @ 05:09 PM gHale

Apple pushed out patches last week and updated its OS X Mountain Lion to 10.8.5, improving “stability, compatibility and security” issues and fixing 30 different vulnerabilities in the operating system.

The update fixes multiple vulnerabilities in Apache that could have led to cross-site scripting and vulnerabilities in BIND that could have led to a denial of service attack. Other fixes, in components such as PostgreSQL, PHP and OpenSSL, addressed errors that could have led to arbitrary code execution, data corruption or privilege escalation.

Apple also updated its Certificate Trust Policy, adding and removing several root certificates from the list of trusted system roots. Apple also patched its Installer function, which previously presented a dialog to let the user continue when it encountered a revoked certificate. Now, the system refuses any revoked package.

The update also resolved the previously reported sudo vulnerability, in which an attacker could gain root privileges on a system where sudo, a command that manages user privileges on several types of Unix-like systems, had previously been used. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” read the security document released with the patches Thursday.

Thursday also saw the release of Safari 5.1.10, Apple’s browser. A JavaScriptCore patch fixed multiple memory corruption issues, including one where if a user visited a maliciously crafted website, it could lead to an unexpected application termination or arbitrary code execution.

10.8.5 is likely the last update Apple users will see for the company’s “cat” series (Lion, Mountain Lion, etc) of operating systems. The next iteration of Apple’s OS, Mavericks, is on tap for release at the end of October.

On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.

Monday, May 13, 2013 @ 10:05 AM gHale

Open source web server application developer NGINX released an updated stable version 1.4.1 and development version 1.5.0 to fix a major security flaw.

A stack-based buffer overflow can occur in worker processes when handling specially crafted requests – the overflow could end up exploited in such a way that it could lead to arbitrary code execution.

The flaw, now given an identity as CVE-2013-2028, appeared in NGINX 1.3.9, a development branch of the server released in November 2012, and appears to have persisted through development to still be present in April’s release of the new stable version. A patch is also available for the flaw, which Greg MacManus of iSIGHT Partners Labs discovered.

The updated versions are available to download from the NGINX site.

Given that 1.4.0 has only been available for a few weeks, many sites will likely be running the unaffected older stable branch of NGINX – 1.2 – originally published in April 2012, for which the most recent bug-fix release is version 1.2.8, published at the start of April. This is now a legacy version of NGINX.

Thursday, January 17, 2013 @ 08:01 PM gHale

Schneider Electric found issues with an Authenticated Communication Risk vulnerability in the Schneider Electric Software Update utility (SESU), according to a report in ICS-CERT.

The SESU is a centralized update mechanism for updating Schneider Electric software on Windows PC. Schneider Electric has updated the SESU client as of January 2013, which adds the use of HTTPS to resolve this vulnerability. This remotely exploitable vulnerability first came to Schneider Electric from security researcher Arthur Gervais.

The following products and versions suffer from the issue:
• Unity Pro, V5.0 L, M, S, XL,
• Unity Pro, V6.0 L, M, S, XL,
• Unity Pro, V6.1 L, M, S, XL,
• Unity Pro, V0 L, M, S, XL, XLS,
• Vijeo Designer V6.0.x, V6.1.0.x, V5.0.0.x, V5.1.0.x,
• Vijeo Designer Opti V6.0.x, V5.1.0.x, V5.0.0.x,
• Web Gate Client Files V5.1.x,
• IDS V1.0, V2.0,
• PowerSuite 2.5,
• Smart Widget Acti 9 V1.0.0.0,
• Smart Widget H8035 V1.0.0.0,
• Smart Widget H8036 V1.0.0.0,
• Smart Widget PM201 V1.0.0.0,
• Smart Widget PM710 V1.0.0.0,
• Smart Widget PM750 V1.0.0.0,
• SoMachine V1.2.1,
• Spacail.pro V1.0.0.x, and
• SESU V1.0.x, V1.1.x

Successfully exploiting this vulnerability could result in arbitrary code execution.

Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, their products see use in energy, industry, and building automation worldwide.

Schneider Electric software on the customer PC uses the SESU service as the mechanism of communication with the Schneider Electric central update server in order to receive periodic software updates. The SESU client on the customer PC does not check the authenticity of the origin. By redirecting messages to Port 80/TCP on an unauthorized source, an attacker could execute arbitrary code on a vulnerable system that could result in loss of availability, integrity, and confidentiality.

CVE-2013-0655 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

An attacker with a medium skill level would be able to exploit this vulnerability.

Schneider Electric has produced a customer notification that contains mitigations to resolve this vulnerability. In order to resolve the vulnerability with the software server, Schneider Electric has taken the following actions:
1. The SESU server has been updated to the latest version. Currently, HTTP and HTTPS are supported in parallel; HTTPS ensures signed communication.
2. The new SESU client, updated as of January 2013, uses HTTPS instead of HTTP. The new version of the SESU client will be available to customers for distribution via the SESU mechanism in January 2013.
3. Customers can also use an updated software product CD that will contain the updated SESU client, when the CD becomes available. Contact your local support desk for details.
4. While both the HTTP and HTTPS SESU client functionality are currently supported, in May the HTTP port of the SESU server will be disabled. From that time forward only HTTPS will be supported for SESU client updates, which mitigates this vulnerability.
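The weakness described above is that the client accepted updates from whatever answered on Port 80/TCP, so it had no way to tell the vendor's server from an attacker's. The following PowerShell is an added example and not Schneider Electric's code or the SESU client: it shows the shape of the fix as a download helper that refuses any non-HTTPS update origin, and adds a second check the advisory does not mention, verifying the Authenticode signature and signer of the downloaded package before it is handed to an installer. The update URLs, the expected publisher subject and the function names are placeholders and assumptions of this example.

```powershell
# Added example: an update fetch that enforces the HTTPS mitigation and checks the
# package signature. URL and publisher are placeholders, not real SESU values.

$UpdateUrl         = 'https://update.example.invalid/sesu/package.msi'   # placeholder
$ExpectedPublisher = 'CN=Example Vendor, O=Example Vendor, C=XX'         # placeholder

function Test-UpdateOrigin {
    param([Parameter(Mandatory)] [string] $Url)
    $uri = [Uri]$Url
    # The vulnerable client fetched over HTTP, so any host redirected onto 80/TCP could
    # answer. Only HTTPS authenticates the server before the client trusts its reply.
    return ($uri.Scheme -eq 'https')
}

function Get-VerifiedUpdate {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $Publisher,
        [string] $Destination = (Join-Path $env:TEMP 'update-package.msi')
    )
    if (-not (Test-UpdateOrigin -Url $Url)) {
        throw "Refusing update from non-HTTPS origin: $Url"
    }

    Invoke-WebRequest -Uri $Url -OutFile $Destination -UseBasicParsing

    # Defence in depth beyond the advisory: the package itself must carry a valid
    # Authenticode signature from the expected publisher, whatever transport delivered it.
    $sig = Get-AuthenticodeSignature -FilePath $Destination
    if ($sig.Status -ne 'Valid') {
        Remove-Item -Path $Destination -Force
        throw "Update package signature status is '$($sig.Status)'; package discarded"
    }
    if ($sig.SignerCertificate.Subject -ne $Publisher) {
        Remove-Item -Path $Destination -Force
        throw "Update signed by unexpected publisher: $($sig.SignerCertificate.Subject)"
    }
    return $Destination
}

# Show the origin check against the weak (plain HTTP) endpoint and the corrected one.
foreach ($candidate in @('http://update.example.invalid/sesu/package.msi', $UpdateUrl)) {
    $verdict = if (Test-UpdateOrigin -Url $candidate) { 'accepted' } else { 'rejected (plain HTTP)' }
    '{0,-48} {1}' -f $candidate, $verdict
}

# A real run would then be: $pkg = Get-VerifiedUpdate -Url $UpdateUrl -Publisher $ExpectedPublisher
```

The loop at the end only exercises the origin check, which needs no network; `Get-VerifiedUpdate` is the full path and will refuse the HTTP URL before any bytes are fetched. Comparing the signer's full subject rather than just `Status` matters because a valid signature from any trusted publisher would otherwise pass.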

Wednesday, October 31, 2012 @ 08:10 AM gHale

Mozilla released a Firefox 16.0.2 update for its browser to close critical security holes.

The flaws center on the location object and the three problems, assigned CVE-2012-4194, CVE-2012-4195 and CVE-2012-4196, ended up fixed in the updates. The flaws also affect Thunderbird 16 to a more limited extent so a Thunderbird 16.0.2 update also released.

Enterprise ESR versions of the browser and email client also suffer from the problem; a 10.0.10 update for Firefox ESR and Thunderbird ESR was also released, along with a 2.13.2 update of SeaMonkey.

Researcher Mariusz Mlynski discovered that the true value of window.location could be shadowed, which could enable a cross site scripting (XSS) attack in conjunction with some plugins.

Mozilla security researcher moz_bug_r_a4 found that using CheckURL on window.location could force a return to the wrong calling document, also enabling an XSS attack; there was also a possibility of arbitrary code execution via any add-on that interacted with page content.

In addition, Antoine Delignat-Lavaud of the PROSECCO research team at INRIA found it was possible to inject properties into the Location object, exposing it to cross-origin reading. Further details of the bugs were not immediately available.

Updates are available through Firefox and Thunderbird’s standard update mechanism and should deliver automatically to users.

To force an update, select the About window for the particular application which will then trigger a check and download of any pending update.
