Posts Tagged ‘arbitrary code execution’
Monday, August 24, 2015 @ 04:08 PM gHale
Apple patched nine vulnerabilities when it released QuickTime 7.7.8 for Windows.
The update addresses a series of memory corruption issues that can lead to the unexpected termination of the application or arbitrary code execution, according to the Apple advisory.
Ryan Pentney and Richard Johnson of Cisco Talos, a researcher known as “WalkerFuz,” experts from Fortinet’s FortiGuard Labs, and Apple’s security team found the vulnerabilities.
The vulnerabilities found by Apple and WalkerFuz, along with five of the six issues identified by Cisco, were also patched on August 13 in the OS X version of QuickTime 7.
The vulnerabilities reported by Talos researchers are denial-of-service (DoS) flaws that can be triggered with specially crafted .MOV files, according to an advisory published by Cisco.
The security bugs are the result of an invalid URL atom size, an invalid 3GPP stsd sample description entry size, an invalid mvhd atom size, an esds atom descriptor type length mismatch, mdat corruption, and tkhd atom matrix corruption.
“Several memory corruption vulnerabilities exist in Apple Quicktime and can manifest themselves due to improper handling of objects in memory. An adversary who crafts a specifically formatted .MOV file can cause Quicktime to terminate unexpectedly, creating a local denial of service condition,” Cisco’s Talos group said in a blog post.
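The six Talos findings share a root cause: the parser trusted the size field of an atom (the length-prefixed boxes a .MOV file is built from) without checking it against the enclosing container, or against the fixed layout a given atom type must have. The walker below is an added example, not code from Apple or Talos; it shows the checks a defensive atom parser makes before using a size. The sample buffer is constructed inline and is not a playable movie.

```python
import struct

# Atoms whose payload is a list of child atoms; the walker descends into these.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}

# Full atoms whose total size (header + version/flags + fields) is fixed by the
# version byte, per the QuickTime file format: mvhd v0/v1 and tkhd v0/v1.
FIXED_SIZES = {b"mvhd": {0: 108, 1: 120}, b"tkhd": {0: 92, 1: 104}}


def parse_atoms(buf, start=0, end=None, depth=0, findings=None, parent=b"file"):
    """Walk the atom tree in buf[start:end] and collect size fields that cannot be trusted.

    Returns a list of (fourcc, offset, reason) tuples; an empty list means every
    size field was consistent with its container and its type's layout.
    """
    end = len(buf) if end is None else end
    findings = [] if findings is None else findings
    off = start
    while off < end:
        if end - off < 8:
            findings.append((parent, off, "truncated atom header"))
            break
        size, fourcc = struct.unpack_from(">I4s", buf, off)
        hdr = 8
        if size == 1:                        # 64-bit extended size follows the header
            if end - off < 16:
                findings.append((fourcc, off, "truncated extended size"))
                break
            size = struct.unpack_from(">Q", buf, off + 8)[0]
            hdr = 16
        elif size == 0:                      # "extends to the end of the enclosing atom"
            if depth > 0:
                findings.append((fourcc, off, "size 0 below top level"))
            size = end - off
        if size < hdr:
            findings.append((fourcc, off, "size %d smaller than its header" % size))
            break                            # no forward progress possible
        if size > end - off:
            findings.append((fourcc, off, "size %d exceeds remaining %d" % (size, end - off)))
            break
        if fourcc in FIXED_SIZES:
            if size < hdr + 1:
                findings.append((fourcc, off, "too short to carry a version byte"))
            else:
                version = buf[off + hdr]
                expected = FIXED_SIZES[fourcc].get(version)
                if expected is None:
                    findings.append((fourcc, off, "unknown version %d" % version))
                elif size != expected:
                    findings.append((fourcc, off, "size %d does not match version %d layout (%d)"
                                     % (size, version, expected)))
        if fourcc in CONTAINER_ATOMS:
            parse_atoms(buf, off + hdr, off + size, depth + 1, findings, fourcc)
        off += size
    return findings


def atom(fourcc, payload, declared_size=None):
    """Serialise one atom; declared_size lets a sample lie about its length field."""
    size = 8 + len(payload) if declared_size is None else declared_size
    return struct.pack(">I", size) + fourcc + payload


def build_sample(kind="clean"):
    """Constructed, minimal .MOV-shaped buffer: ftyp followed by moov{mvhd}.

    kind="mvhd_size" declares the mvhd as 20 bytes although a v0 mvhd is 108;
    kind="moov_oversize" declares a moov larger than the file.
    """
    ftyp = atom(b"ftyp", b"qt  " + b"\x00\x00\x02\x00" + b"qt  ")
    mvhd = atom(b"mvhd", bytes(100), declared_size=20 if kind == "mvhd_size" else None)
    moov = atom(b"moov", mvhd, declared_size=1000 if kind == "moov_oversize" else None)
    return ftyp + moov


if __name__ == "__main__":
    for kind in ("clean", "mvhd_size", "moov_oversize"):
        print(kind, parse_atoms(build_sample(kind)))
```

The two properties that matter are that every size is checked against the bytes actually remaining in the parent before it is used to advance or to bound a child, and that the loop stops at the first unrecoverable inconsistency instead of guessing where the next atom starts.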
Apple has had a difficult month, as earlier it patched over 100 vulnerabilities with the release of updates for OS X, OS X Server, iOS and Safari. Shortly after those updates were released, an Italian researcher revealed the existence of a new local privilege escalation zero-day vulnerability that affects all versions of OS X Yosemite.
Thursday, March 19, 2015 @ 03:03 PM gHale
Apple fixed security holes with the release of Safari 8.0.4, Safari 7.1.4, and Safari 6.2.4.
Sixteen memory corruption issues were in WebKit, the layout engine software component used by the browser for rendering web pages, according to a security advisory published by the company.
Apple did not disclose the details of the vulnerabilities, but the company has noted that visiting a malicious website set up to exploit these flaws can lead to unexpected application termination or arbitrary code execution. The issues ended up fixed through improved memory handling, Apple said.
Another vulnerability identified in WebKit and fixed in the latest versions of Safari was a user interface inconsistency (CVE-2015-1084) that an attacker could leverage to misrepresent a URL.
“Inconsistent user interface may prevent users from discerning a phishing attack,” Apple wrote in the advisory. That problem ended up fixed in Safari 8.0.4, Safari 7.1.4, and Safari 6.2.4 through improved user interface consistency checks.
Apple’s own security team discovered a majority of the issues, while one of the holes ended up found by the Google Chrome Security Team.
Wednesday, March 19, 2014 @ 05:03 PM gHale
While it took just under two years, there is now an update for the multiple Sielco Sistemi Winlog vulnerabilities first published in July 2012.
Sielco Sistemi produced a new release that corrects all identified vulnerabilities in the application discovered by researchers Carlos Mario Penagos Hollmann of IOActive, Michael Messner, and Luigi Auriemma, according to a report on ICS-CERT. Hollmann and Auriemma tested the release to validate that it resolves the remotely exploitable vulnerabilities. Exploit code is publicly available for these vulnerabilities.
The following Sielco Sistemi products suffer from the issues:
• Winlog Pro SCADA, all versions prior to 2.07.18
• Winlog Lite SCADA, all versions prior to 2.07.18.
Successful exploitation of these vulnerabilities could lead to a program crash, information leakage, or arbitrary code execution.
Sielco Sistemi is an Italy-based company that creates supervisory control and data acquisition/human-machine interface (SCADA/HMI) software and hardware products.
Winlog Lite SCADA is a demo version of the Winlog Pro SCADA/HMI system. Winlog Pro SCADA sees use across several sectors including manufacturing, public utilities, telecommunications, and others. Sielco Sistemi products deploy mainly in Italy, Turkey, Canada, U.S., Indonesia, and Spain.
By sending specially crafted packets to Port 46824/TCP, an attacker can overflow a memory buffer on the target system. Errors in RunTime.exe and TCPIPS_Story.dll can be exploited by these packets to trigger the buffer overflow; the packets can also trigger a boundary error in RunTime.exe. The result is a denial-of-service condition (a crash) or possible execution of arbitrary code.
CVE-2012-3815 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Unauthorized users can access and read files on the system Winlog is running on by triggering an input validation error. An attacker can send a specially formed packet to Port 46824/TCP to gain unauthorized access to the system, which may lead to information leakage.
CVE-2012-4353 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
By sending specially crafted packets containing an index that points outside the defined array, an attacker can crash the system. Because the index is handled as a 32-bit value, a pointer computed from it can reference memory outside the array, which could lead to arbitrary code execution or a denial-of-service condition (a crash).
CVE-2012-4354 and CVE-2012-4355 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
An input validation error when processing certain requests can end up exploited to disclose arbitrary files via directory traversal sequences sent in a specially crafted packet to TCP Port 46824.
CVE-2012-4356 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
By sending a specially formed packet, an unauthorized attacker can write outside the existing buffer allocation. An allocation error when processing these packets can be exploited to reference an invalid memory location, which could crash the system.
CVE-2012-4358 and CVE-2012-4359 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Some of the preceding vulnerability details came from a Secunia Advisory SA49395.
Exploits targeting these vulnerabilities are publicly available, and an attacker with a low skill level would be able to exploit them.
Sielco Sistemi created an update to fix these vulnerabilities. This update, Winlog Pro SCADA and Winlog Lite SCADA Version 2.07.18, is available for customer download.
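The Winlog flaws fall into three classes that any network-facing handler must guard against: a declared length copied into a fixed buffer without a bound check, a 32-bit index used to address an array without a range check, and a client-supplied file name used in a path without rejecting traversal sequences. The handler below is an added example, not Sielco Sistemi's code, and it runs on an assumed packet layout (1-byte opcode, 2-byte little-endian length, payload); the opcodes, the export directory and the tag table are assumptions constructed for illustration.

```python
import posixpath
import struct

# Assumed wire format for the example (the real Winlog protocol is not described
# on the page): 1-byte opcode, 2-byte little-endian payload length, payload.
OP_READ_FILE = 0x01
OP_GET_RECORD = 0x02
MAX_NAME = 64                       # fixed-size name buffer the handler copies into
EXPORT_ROOT = "C:/Winlog/Export"    # only files below this directory may be served
RECORDS = ["tag_temp", "tag_press", "tag_level"]   # constructed tag table


class ProtocolError(ValueError):
    """Raised for any packet the handler refuses to act on."""


def packet(opcode, payload):
    """Build a packet in the assumed layout (used to construct test input)."""
    return struct.pack("<BH", opcode, len(payload)) + payload


def record_request(index):
    return packet(OP_GET_RECORD, struct.pack("<I", index))


def safe_join(root, name):
    """Map a client-supplied name to a path under root, refusing traversal."""
    if "\x00" in name:
        raise ProtocolError("NUL byte in file name")
    rel = name.replace("\\", "/")                 # Windows clients send backslashes
    if rel.startswith("/") or ":" in rel:
        raise ProtocolError("absolute or drive-qualified path rejected")
    norm = posixpath.normpath(rel)                # collapses "a/../b" before the check
    if norm == ".." or norm.startswith("../"):
        raise ProtocolError("directory traversal rejected")
    return posixpath.join(root, norm)


def handle_packet(pkt):
    """Validate every field before it is used as a length, an index or a path."""
    if len(pkt) < 3:
        raise ProtocolError("truncated header")
    opcode, length = struct.unpack_from("<BH", pkt, 0)
    payload = pkt[3:]
    if length != len(payload):                    # never trust the declared length
        raise ProtocolError("declared length %d, got %d bytes" % (length, len(payload)))
    if opcode == OP_READ_FILE:
        if not 0 < length <= MAX_NAME:            # bound before any copy into MAX_NAME
            raise ProtocolError("file name length out of range")
        try:
            name = payload.decode("ascii")
        except UnicodeDecodeError:
            raise ProtocolError("non-ASCII file name")
        return ("read", safe_join(EXPORT_ROOT, name))
    if opcode == OP_GET_RECORD:
        if length != 4:
            raise ProtocolError("record request must carry a 4-byte index")
        # Decode as unsigned and compare against the table length, so a value such
        # as 0xFFFFFFFF cannot be read as -1 and address memory before the array.
        index = struct.unpack("<I", payload)[0]
        if index >= len(RECORDS):
            raise ProtocolError("index %d outside table of %d" % (index, len(RECORDS)))
        return ("record", RECORDS[index])
    raise ProtocolError("unknown opcode 0x%02x" % opcode)


def rejects(pkt):
    """True if the handler refuses the packet (used to check the negative cases)."""
    try:
        handle_packet(pkt)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    print(handle_packet(packet(OP_READ_FILE, b"report.csv")))
    print(rejects(packet(OP_READ_FILE, b"..\\..\\Windows\\win.ini")))
```

Note that the traversal check runs after normalisation: a name such as logs/../../secret.ini contains no leading "..", but normalises to ../secret.ini and is rejected, which a check on the raw string would miss.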
Monday, March 17, 2014 @ 06:03 PM gHale
Shockwave Player just got an update from Adobe Systems in order to fix a critical vulnerability that could allow attackers to remotely take control of affected systems.
The vulnerability, identified as CVE-2014-0505, is the result of a memory corruption issue and can lead to arbitrary code execution. According to Adobe, the flaw was privately reported to the company and there are no reports of active exploits targeting it in the wild.
Adobe recommends that users of Adobe Shockwave Player 12.0.9.149 and earlier versions update to the newly released version 12.1.0.150, which is available for Windows and Mac, the company said Thursday.
The Shockwave Player update comes two days after Adobe released security patches for vulnerabilities in its more popular Flash Player product.
Shockwave Player installs a browser plug-in that’s needed to display interactive online content created with Adobe’s Director software. While it’s not as widespread as Flash Player, Shockwave Player is on over 450 million desktop computers according to Adobe, which makes it a potential target for hackers.
Wednesday, December 11, 2013 @ 05:12 PM gHale
Adobe patched holes in its Flash Player and Shockwave Player Tuesday, including one that already has an exploit chomping at the bit.
“These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” the company said in a security advisory.
That CVE (Common Vulnerabilities and Exposures) ID refers to a type confusion vulnerability fixed in the new version of Flash Player. A memory corruption flaw tracked as CVE-2013-5332 also ended up fixed. If exploited successfully, both vulnerabilities can lead to arbitrary code execution allowing attackers to take control of the affected systems.
Some mitigation for this type of exploit exists since Flash 11.6, which introduced a click-to-play feature that requires users to confirm the playback of Flash content embedded in documents when opened in Microsoft Office versions older than Office 2010.
Tuesday’s update moved the Windows and Macintosh versions of Flash Player to version 11.9.900.170, and the Linux version to 11.2.202.332. The Flash Player versions bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will update automatically through those browsers’ update mechanisms.
The two Flash Player vulnerabilities were also fixed in Adobe AIR, a runtime for rich Internet applications that has Flash support. The patches are included in Adobe AIR version 3.9.0.1380 for Windows, Mac and Android.
Adobe Shockwave Player version 12.0.7.148 for Windows and Mac was also released Tuesday to resolve two different memory corruption vulnerabilities, CVE-2013-5333 and CVE-2013-5334, that could lead to arbitrary code execution. Shockwave Player is not as widespread as Flash Player, but Adobe said it is on over 450 million desktop computers, which makes it a big target for attackers.
Monday, September 23, 2013 @ 05:09 PM gHale
The Apple iOS 7 update came out with some fanfare, but more importantly it brought in 80 security fixes.
The update fixes problems that could lead to a denial of service attack or trigger unexpected application termination or arbitrary code execution on devices like an iPad, iPod Touch or iPhone running an out-of-date OS.
Among what security experts were calling the bigger flaws Apple fixed were two passcode bypass flaws: one (CVE-2013-0957) that could allow an attacker to abuse an app inside the third-party sandbox to determine the user’s passcode, and a second (CVE-2013-5147) that exploited the way the iPhone handled calls to bypass the screen lock in iOS 6.1.
Another data privacy vulnerability could allow an attacker to intercept user credentials using a faulty TrustWave sub-CA certificate (CVE-2012-5134). TrustWave issued and subsequently revoked the faulty sub-CA certificate.
Four Safari bugs were fixed, including a problem where the browser’s history was still visible even after it was cleared. There was also a memory corruption issue in the way Safari handled XML files and a cross-site scripting flaw on sites that allow users to upload files.
Apple also addressed vulnerabilities from last year, all of them arbitrary code execution bugs in the libxml and libxslt libraries.
Tuesday, September 17, 2013 @ 05:09 PM gHale
Apple pushed out patches last week and updated its OS X Mountain Lion to 10.8.5, improving “stability, compatibility and security” issues and fixing 30 different vulnerabilities in the operating system.
The update fixes multiple vulnerabilities in Apache that could have led to cross-site scripting and vulnerabilities in BIND that could have led to a denial of service attack. Other fixes, in components including PostgreSQL, PHP and OpenSSL, addressed errors that could have led to arbitrary code execution, data corruption or privilege escalation.
Apple also updated its Certificate Trust Policy, adding and removing several root certificates from the list of trusted system roots. Apple also patched its Installer function, which previously presented a dialog to let the user continue when it encountered a revoked certificate. Now, the system refuses any revoked package.
The update also resolved the previously reported sudo vulnerability. sudo, the command that lets authorized users run commands with elevated privileges, records a timestamp after a successful authentication, and an attacker who could manipulate the clock could gain root privileges on a system where sudo had been used before. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” read the security document released with the patches Thursday.
10.8.5 is likely the last update Apple users will see for the company’s “cat” series (Lion, Mountain Lion, etc) of operating systems. The next iteration of Apple’s OS, Mavericks, is on tap for release at the end of October.
On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.
Monday, May 13, 2013 @ 10:05 AM gHale
Open source web server application developer NGINX released an updated stable version 1.4.1 and development version 1.5.0 to fix a major security flaw.
A stack-based buffer overflow can occur in worker processes when handling specially crafted requests; the overflow could be exploited in a way that leads to arbitrary code execution.
The flaw, now identified as CVE-2013-2028, was introduced in NGINX 1.3.9, a development release of the server published in November 2012, and persisted through development into April’s release of the new stable version 1.4.0. A patch is also available for the flaw, which Greg MacManus of iSIGHT Partners Labs discovered.
The updated versions are available to download from the NGINX site.
Given that 1.4.0 has only been available for a few weeks, many sites will likely be running the unaffected older stable branch of NGINX – 1.2 – originally published in April 2012, for which the most recent bug-fix release is version 1.2.8, published at the start of April. This is now a legacy version of NGINX.
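The overflow behind CVE-2013-2028 sat in NGINX’s chunked transfer encoding parser: the chunk-size field was accumulated into a signed 64-bit integer with no overflow check, so a crafted hex size wrapped negative, passed the later comparison against a fixed-size stack buffer, and became a huge length once cast to size_t. The fix treats a size that would go negative as invalid. The Python below is an added simulation of that arithmetic, not NGINX’s code; the 4096-byte buffer size and the function names are assumptions for illustration.

```python
# Simulation of a signed 64-bit accumulator (C's off_t on the affected builds).
INT64_MAX = (1 << 63) - 1
MASK64 = (1 << 64) - 1
DISCARD_BUFFER = 4096   # assumed size of the fixed stack buffer used to drain a body


def to_int64(value):
    """Reinterpret an unbounded Python int as a two's-complement 64-bit value."""
    value &= MASK64
    return value - (1 << 64) if value >> 63 else value


def hex_digit(ch):
    """Value of one ASCII hex digit (as a byte); rejects anything else."""
    if 0x30 <= ch <= 0x39:
        return ch - 0x30
    if 0x61 <= ch <= 0x66:
        return ch - 0x61 + 10
    if 0x41 <= ch <= 0x46:
        return ch - 0x41 + 10
    raise ValueError("not a hex digit: %r" % ch)


def chunk_size_unchecked(digits):
    """Accumulate the chunk-size field the way the vulnerable loop did: no bound check.

    Each step multiplies by 16 in 64-bit signed arithmetic, so a value past
    INT64_MAX silently wraps negative.
    """
    size = 0
    for ch in digits:
        size = to_int64(size * 16 + hex_digit(ch))
    return size


def chunk_size_checked(digits):
    """Same loop with the check the fix added: a size that would overflow is invalid."""
    size = 0
    for ch in digits:
        digit = hex_digit(ch)
        if size > (INT64_MAX - digit) // 16:      # next step would exceed INT64_MAX
            raise ValueError("chunk size overflows")
        size = size * 16 + digit
    return size


def rejects_chunk_size(digits):
    try:
        chunk_size_checked(digits)
    except ValueError:
        return True
    return False


def bytes_to_read(chunk_size, buffer_size=DISCARD_BUFFER):
    """Length that min(size, buffer) hands to the read once cast to size_t.

    With a negative chunk size, min() picks the negative value and the unsigned
    cast turns it into a huge length: the read then runs past the stack buffer.
    """
    length = min(chunk_size, buffer_size)
    return length & MASK64                         # (size_t) cast


def is_safe_length(chunk_size, buffer_size=DISCARD_BUFFER):
    return 0 <= bytes_to_read(chunk_size, buffer_size) <= buffer_size


if __name__ == "__main__":
    crafted = b"f" * 16                            # 0xffffffffffffffff as a chunk size
    size = chunk_size_unchecked(crafted)
    print("unchecked size:", size, "read length:", hex(bytes_to_read(size)))
    print("checked parser rejects it:", rejects_chunk_size(crafted))
```

The point of the simulation is the cast at the end: the comparison that was supposed to cap the copy at the buffer size is the very step that lets the negative value through, which is why the fix had to reject the sign of the size rather than tighten the comparison.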
Thursday, January 17, 2013 @ 08:01 PM gHale
Schneider Electric found issues with an Authenticated Communication Risk vulnerability in the Schneider Electric Software Update utility (SESU), according to a report in ICS-CERT.
The SESU is a centralized mechanism for updating Schneider Electric software on Windows PCs. Schneider Electric updated the SESU client as of January 2013 to use HTTPS, which resolves this vulnerability. This remotely exploitable vulnerability was reported to Schneider Electric by security researcher Arthur Gervais.
The following products and versions suffer from the issue:
• Unity Pro, V5.0 L, M, S, XL,
• Unity Pro, V6.0 L, M, S, XL,
• Unity Pro, V6.1 L, M, S, XL,
• Unity Pro, V7.0 L, M, S, XL, XLS,
• Vijeo Designer V6.0.x, V6.1.0.x, V5.0.0.x, V5.1.0.x,
• Vijeo Designer Opti V6.0.x, V5.1.0.x, V5.0.0.x,
• Web Gate Client Files V5.1.x,
• IDS V1.0, V2.0,
• PowerSuite 2.5,
• Smart Widget Acti 9 V184.108.40.206,
• Smart Widget H8035 V220.127.116.11,
• Smart Widget H8036 V18.104.22.168,
• Smart Widget PM201 V22.214.171.124,
• Smart Widget PM710 V126.96.36.199,
• Smart Widget PM750 V188.8.131.52,
• SoMachine V1.2.1,
• Spacial.pro V1.0.0.x, and
• SESU V1.0.x, V1.1.x
Successfully exploiting this vulnerability could result in arbitrary code execution.
Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, their products see use in energy, industry, and building automation worldwide.
Schneider Electric software on the customer PC uses the SESU service to communicate with the Schneider Electric central update server and receive periodic software updates. The SESU client on the customer PC does not check the authenticity of the update’s origin. By redirecting the client’s messages on Port 80/TCP to an unauthorized server, an attacker could execute arbitrary code on a vulnerable system, resulting in loss of availability, integrity, and confidentiality.
CVE-2013-0655 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
An attacker with a medium skill level would be able to exploit this vulnerability.
Schneider Electric has produced a customer notification that contains mitigations to resolve this vulnerability. In order to resolve the vulnerability with the software server, Schneider Electric has taken the following actions:
1. The SESU server has been updated to the latest version. Currently, HTTP and HTTPS are supported in parallel; over HTTPS the client can verify the server’s certificate and the communication is protected against tampering.
2. The SESU client was updated as of January 2013 to use HTTPS instead of HTTP. The new version of the SESU client will be distributed to customers via the SESU mechanism in January 2013.
3. Customers can also use an updated software product CD that will contain the updated SESU client, when the CD becomes available. Contact your local support desk for details.
4. While both the HTTP and HTTPS SESU client functionality are supported for now, the HTTP port of the SESU server will be disabled in May. From that time on only HTTPS will be supported for SESU client updates, which mitigates this vulnerability.
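The weakness was that the SESU client acted on whatever answered on port 80: nothing bound the response to Schneider’s server. Moving to HTTPS closes that gap only if the client actually verifies the server certificate and hostname, and pinning a digest (or signature) of the update file itself adds an integrity check that does not depend on the transport. The Python below is an added example, not Schneider’s SESU code; the host name, the URL and the sample payload are assumptions constructed for illustration.

```python
import hashlib
import ssl
import urllib.request
from urllib.parse import urlsplit

# Assumed update host for the example; the digest of a release would be obtained
# out of band (for instance from signed release notes), not from the same channel.
UPDATE_HOST = "update.example.net"


class UntrustedUpdateSource(Exception):
    """Raised when the update cannot be tied to the expected origin or content."""


def check_update_url(url, expected_host=UPDATE_HOST):
    """Refuse anything the client could not authenticate: only https, only the pinned host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UntrustedUpdateSource("update URL must use https, got %r" % parts.scheme)
    if parts.hostname != expected_host:
        raise UntrustedUpdateSource("unexpected update host %r" % parts.hostname)
    return parts


def tls_context():
    """Context that verifies the server certificate chain and the hostname.

    create_default_context() already sets CERT_REQUIRED and check_hostname; they
    are restated here so the intent is visible, and TLS 1.2 is the floor.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_payload(payload, expected_sha256):
    """Second check, independent of the transport: pin the update's digest."""
    return sha256_hex(payload) == expected_sha256.lower()


def accept_update(url, payload, expected_sha256):
    """True only if both the origin and the content checks pass; raises otherwise."""
    check_update_url(url)
    if not verify_payload(payload, expected_sha256):
        raise UntrustedUpdateSource("digest mismatch, refusing to install")
    return True


def is_rejected(url, payload=b"", expected_sha256=""):
    try:
        accept_update(url, payload, expected_sha256)
    except UntrustedUpdateSource:
        return True
    return False


def fetch_update(url, expected_sha256):
    """Network path (not exercised offline): verified TLS, then the digest check."""
    check_update_url(url)
    with urllib.request.urlopen(url, context=tls_context()) as resp:
        payload = resp.read()
    accept_update(url, payload, expected_sha256)
    return payload


if __name__ == "__main__":
    sample = b"SESU-update-package"                # constructed stand-in for an update file
    digest = sha256_hex(sample)
    print(accept_update("https://update.example.net/sesu/client.msi", sample, digest))
    print(is_rejected("http://update.example.net/sesu/client.msi", sample, digest))
```

The redirect described in the advisory is caught by the first check (a plain-HTTP origin is refused outright, and a rogue host cannot present a certificate for the pinned name), while the digest check catches a tampered file even if the transport were somehow subverted.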