Posts Tagged ‘arbitrary code execution’
Wednesday, March 19, 2014 @ 05:03 PM gHale
While it took just under two years, there is now an update for the multiple Sielco Sistemi Winlog vulnerabilities first published in July 2012.
Sielco Sistemi produced a new release that corrects all identified vulnerabilities in the application discovered by researchers Carlos Mario Penagos Hollmann of IOActive, Michael Messner, and Luigi Auriemma, according to a report on ICS-CERT. Hollmann and Auriemma tested the release to validate that it resolves the remotely exploitable vulnerabilities. Exploit code is publicly available for these vulnerabilities.
The following Sielco Sistemi products suffer from the issues:
• Winlog Pro SCADA, all versions prior to 2.07.18
• Winlog Lite SCADA, all versions prior to 2.07.18.
Successful exploitation of these vulnerabilities could lead to a program crash, information leakage, or arbitrary code execution.
Sielco Sistemi is an Italy-based company that creates supervisory control and data acquisition/human-machine interface (SCADA/HMI) software and hardware products.
Winlog Lite SCADA is a demo version of the Winlog Pro SCADA/HMI system. Winlog Pro SCADA sees use across several sectors including manufacturing, public utilities, telecommunications, and others. Sielco Sistemi products deploy mainly in Italy, Turkey, Canada, U.S., Indonesia, and Spain.
By sending specially crafted packets to Port 46824/TCP, an attacker can overflow a memory buffer on the target system. Errors in RunTime.exe and TCPIPS_Story.dll can be exploited by these packets to cause the buffer overflow; the packets can also trigger a boundary error in RunTime.exe that causes the overflow. This can allow the attacker to cause a denial-of-service condition leading to a crash, or possibly to execute arbitrary code.
CVE-2012-3815 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Unauthorized users can access and read files on the system that Winlog is running on by causing an input validation error. An attacker can send a specially formed packet to Port 46824/TCP to gain unauthorized access to the system, which may lead to information leakage.
CVE-2012-4353 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
By sending specially crafted packets that point outside of the defined array, an attacker can cause a crash of the system. Using 32-bit operation coding, a file pointer outside the array could execute arbitrary code and cause a denial-of-service condition leading to a crash.
CVE-2012-4354 and CVE-2012-4355 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
An input validation error when processing certain requests can end up exploited to disclose arbitrary files via directory traversal sequences sent in a specially crafted packet to TCP Port 46824.
CVE-2012-4356 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
By sending a specially formed packet, unauthorized attackers are able to write outside of the existing buffer allocation. An allocation error when processing these malicious packets can be exploited to reference an invalid memory location, which could cause a crash of the system.
CVE-2012-4358 and CVE-2012-4359 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Some of the preceding vulnerability details came from Secunia Advisory SA49395.
Exploits targeting these vulnerabilities are publicly available, and an attacker with a low skill level would be able to exploit them.
Sielco Sistemi created an update to fix these vulnerabilities. This update, Winlog Pro SCADA and Winlog Lite SCADA Version 2.07.18, is available for customer download.
Monday, March 17, 2014 @ 06:03 PM gHale
Shockwave Player just got an update from Adobe Systems in order to fix a critical vulnerability that could allow attackers to remotely take control of affected systems.
The vulnerability, identified as CVE-2014-0505, is the result of a memory corruption issue and can lead to arbitrary code execution. According to Adobe, the flaw was privately reported to the company and there are no reports of active exploits targeting it in the wild.
Adobe recommends that users of Adobe Shockwave Player 188.8.131.52 and earlier versions update to the newly released version 184.108.40.206, which is available for Windows and Mac, the company said Thursday.
The Shockwave Player update comes two days after Adobe released security patches for vulnerabilities in its more popular Flash Player product.
Shockwave Player installs a browser plug-in that’s needed to display interactive online content created with Adobe’s Director software. While it’s not as widespread as Flash Player, Shockwave Player is on over 450 million desktop computers according to Adobe, which makes it a potential target for hackers.
Wednesday, December 11, 2013 @ 05:12 PM gHale
Adobe patched holes in its Flash Player and Shockwave Player Tuesday, including one that already has an exploit chomping at the bit.
“These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” the company said in a security advisory.
That CVE (Common Vulnerabilities and Exposures) ID refers to a type confusion vulnerability fixed in the new version of Flash Player. A memory corruption flaw tracked as CVE-2013-5332 was also fixed. If exploited successfully, both vulnerabilities can lead to arbitrary code execution, allowing attackers to take control of the affected systems.
Some mitigation for this type of exploit exists since Flash 11.6, which introduced a click-to-play feature that requires users to confirm the playback of Flash content embedded in documents when opened in Microsoft Office versions older than Office 2010.
Tuesday’s update, though, moved the Windows and Macintosh versions of Flash Player to version 11.9.900.170, and the Linux version to 220.127.116.112. The Flash Player versions bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will automatically update through those browsers’ update mechanisms.
The two Flash Player vulnerabilities were also fixed in Adobe AIR, a runtime for rich Internet applications that has Flash support. The patches are included in Adobe AIR version 18.104.22.1680 for Windows, Mac and Android.
Adobe Shockwave Player version 22.214.171.124 for Windows and Mac was also released Tuesday to resolve two different memory corruption vulnerabilities—CVE-2013-5333 and CVE-2013-5334—that could lead to arbitrary code execution. Shockwave Player is not as widespread as Flash Player, but Adobe said it is on over 450 million desktop computers, which makes it a big target for attackers.
Monday, September 23, 2013 @ 05:09 PM gHale
The Apple iOS 7 update came out with some fanfare, but more importantly it brought in 80 security fixes.
The update fixes problems that could lead to a denial-of-service attack or trigger unexpected application termination or arbitrary code execution on devices like an iPad, iPod Touch or iPhone running an out-of-date OS.
Among what security experts were calling the bigger flaws Apple fixed were two passcode bypass flaws: one (CVE-2013-0957) that could allow an attacker to break an app in the third-party sandbox and determine the user’s passcode, and a second (CVE-2013-5147) that exploited the way the iPhone handled calls to bypass the screen lock in iOS 6.1.
Another similar data privacy vulnerability was one that could allow an attacker to intercept user credentials by compromising a TrustWave certificate (CVE-2012-5134). TrustWave issued and subsequently revoked the faulty sub-CA certificate.
Four Safari bugs were fixed, including a problem where the browser’s history was still visible even after being cleared. There was also a memory corruption problem in the way Safari handled XML files and a cross-site scripting flaw on sites that allow users to upload files.
Apple also addressed vulnerabilities from last year, all of them arbitrary code execution bugs in the libxml and libxslt libraries.
Tuesday, September 17, 2013 @ 05:09 PM gHale
Apple pushed out patches last week and updated its OS X Mountain Lion to 10.8.5, improving “stability, compatibility and security” issues and fixing 30 different vulnerabilities in the operating system.
The update fixes multiple vulnerabilities in Apache that could have led to cross-site scripting and vulnerabilities in BIND that could have led to a denial-of-service attack. Other fixes in assorted components such as PostgreSQL, PHP and OpenSSL addressed errors that could have led to arbitrary code execution, data corruption or privilege escalation.
Apple also updated its Certificate Trust Policy, adding and removing several root certificates from the list of trusted system roots. Apple also patched its Installer function, which previously presented a dialog to let the user continue when it encountered a revoked certificate. Now, the system refuses any revoked package.
The update also resolved the previously reported sudo vulnerability. An attacker could gain root privileges on a system where sudo, a Linux command that manages user privileges on several types of systems, had previously been used. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” read the security document released with the patches Thursday.
10.8.5 is likely the last update Apple users will see for the company’s “cat” series (Lion, Mountain Lion, etc) of operating systems. The next iteration of Apple’s OS, Mavericks, is on tap for release at the end of October.
On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.
Monday, May 13, 2013 @ 10:05 AM gHale
Open source web server application developer NGINX released an updated stable version 1.4.1 and development version 1.5.0 to fix a major security flaw.
A stack-based buffer overflow can occur in worker processes when handling specially crafted requests; the overflow could be exploited in such a way that it leads to arbitrary code execution.
The flaw, now identified as CVE-2013-2028, appeared in NGINX 1.3.9, a development branch of the server released in November 2012, and appears to have persisted through development to still be present in April’s release of the new stable version. A patch is also available for the flaw, which Greg MacManus of iSIGHT Partners Labs discovered.
The updated versions are available to download from the NGINX site.
Given that 1.4.0 has only been available for a few weeks, many sites will likely be running the unaffected older stable branch of NGINX – 1.2 – originally published in April 2012, for which the most recent bug-fix release is version 1.2.8, published at the start of April. This is now a legacy version of NGINX.
Thursday, January 17, 2013 @ 08:01 PM gHale
Schneider Electric found issues with an Authenticated Communication Risk vulnerability in the Schneider Electric Software Update utility (SESU), according to a report in ICS-CERT.
The SESU is a centralized update mechanism for updating Schneider Electric software on Windows PCs. Schneider Electric has updated the SESU client as of January 2013, adding the use of HTTPS to resolve this vulnerability. This remotely exploitable vulnerability was first reported to Schneider Electric by security researcher Arthur Gervais.
The following products and versions suffer from the issue:
• Unity Pro, V5.0 L, M, S, XL,
• Unity Pro, V6.0 L, M, S, XL,
• Unity Pro, V6.1 L, M, S, XL,
• Unity Pro, V0 L, M, S, XL, XLS,
• Vijeo Designer V6.0.x, V6.1.0.x, V5.0.0.x, V5.1.0.x,
• Vijeo Designer Opti V6.0.x, V5.1.0.x, V5.0.0.x,
• Web Gate Client Files V5.1.x,
• IDS V1.0, V2.0,
• PowerSuite 2.5,
• Smart Widget Acti 9 V126.96.36.199,
• Smart Widget H8035 V188.8.131.52,
• Smart Widget H8036 V184.108.40.206,
• Smart Widget PM201 V220.127.116.11,
• Smart Widget PM710 V18.104.22.168,
• Smart Widget PM750 V22.214.171.124,
• SoMachine V1.2.1,
• Spacail.pro V1.0.0.x, and
• SESU V1.0.x, V1.1.x
Successfully exploiting this vulnerability could result in arbitrary code execution.
Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, their products see use in energy, industry, and building automation worldwide.
Schneider Electric software on the customer PC uses the SESU service to communicate with the Schneider Electric central update server in order to receive periodic software updates. The SESU client on the customer PC does not check the authenticity of the update’s origin. By redirecting messages on Port 80/TCP to an unauthorized source, an attacker could execute arbitrary code on a vulnerable system, which could result in loss of availability, integrity, and confidentiality.
CVE-2013-0655 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
An attacker with a medium skill level would be able to exploit this vulnerability.
Schneider Electric has produced a customer notification that contains mitigations to resolve this vulnerability. In order to resolve the vulnerability with the software server, Schneider Electric has taken the following actions:
1. The SESU server has been updated to the latest version. Currently, HTTP and HTTPS are supported in parallel; HTTPS ensures signed communication.
2. The new SESU client, updated as of January 2013, uses HTTPS instead of HTTP. The new version of the SESU client will be available to customers for distribution via the SESU mechanism in January 2013.
3. Customers can also use an updated software product CD that will contain the updated SESU client, when the CD becomes available. Contact your local support desk for details.
4. While both HTTP and HTTPS SESU client functionality are currently supported, the HTTP port of the SESU server will be disabled in May. From that time forward only HTTPS will be supported for SESU client updates, which mitigates this vulnerability.
Thursday, November 29, 2012 @ 04:11 PM gHale
There is an alert warning users of Samsung printers and some Dell printers manufactured by Samsung about the presence of a hardcoded account that could allow remote attackers to access an affected device with administrative privileges.
This privileged access could also be used to change the device configuration, access sensitive information stored on it (credentials, network configuration, etc.), and even mount additional attacks through arbitrary code execution, according to a report on US-CERT.
The hardcoded account is present in all printers released before October 31, 2012. Samsung is not rushing out a patch, saying it will come out “later this year.”
“As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location,” US-CERT said, especially because the hardcoded account remains active even if SNMP is disabled in the printer management utility.
Samsung said it is aware of and has resolved the security issue affecting Samsung network printers and multifunction devices. The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP.
“We take all matters of security very seriously and we are not aware of any customers who have been affected by this vulnerability,” officials said in a statement.
Samsung will release updated firmware for all current models by November 30, with all other models receiving an update by the end of the year.
Wednesday, October 31, 2012 @ 08:10 AM gHale
Mozilla released a Firefox 16.0.2 update for its browser to close critical security holes.
The flaws center on the location object; the three problems, assigned CVE-2012-4194, CVE-2012-4195 and CVE-2012-4196, are fixed in the updates. The flaws also affect Thunderbird 16 to a more limited extent, so a Thunderbird 16.0.2 update was also released.
Enterprise ESR versions of the browser and email client also suffer from the problem; a 10.0.10 update for Firefox ESR and Thunderbird ESR has also been released, along with a 2.13.2 update of SeaMonkey.
Researcher Mariusz Mlynski discovered that the true value of window.location could be shadowed, which could enable a cross-site scripting (XSS) attack in conjunction with some plugins.
Mozilla security researcher moz_bug_r_a4 found that using CheckURL on window.location could return the wrong calling document, also enabling an XSS attack; there was also a possibility of arbitrary code execution via any add-on that interacted with page content.
In addition, Antoine Delignat-Lavaud of the PROSECCO research team at INRIA found it was possible to inject properties into the Location object, exposing it to cross-origin reading. Further details of the bugs were not immediately available.
Updates are available through Firefox and Thunderbird’s standard update mechanism and should deliver automatically to users.
To force an update, open the About window for the particular application, which will trigger a check for and download of any pending update.