Posts Tagged ‘arbitrary code execution’
Monday, May 13, 2013 @ 10:05 AM gHale
Open source web server application developer NGINX released an updated stable version 1.4.1 and development version 1.5.0 to fix a major security flaw.
A stack-based buffer overflow can occur in worker processes when handling specially crafted requests – the overflow could end up exploited in such a way that it could lead to arbitrary code execution.
The flaw, now given an identity as CVE-2013-2028, appeared in NGINX 1.3.9, a development branch of the server released in November 2012, and appears to have persisted through development to still be present in April’s release of the new stable version. A patch is also available for the flaw, which Greg MacManus of iSIGHT Partners Labs discovered.
The updated versions are available to download from the NGINX site.
Given that 1.4.0 has only been available for a few weeks, many sites will likely be running the unaffected older stable branch of NGINX – 1.2 – originally published in April 2012, for which the most recent bug-fix release is version 1.2.8, published at the start of April. This is now a legacy version of NGINX.
Thursday, January 17, 2013 @ 08:01 PM gHale
Schneider Electric found issues with an Authenticated Communication Risk vulnerability in the Schneider Electric Software Update utility (SESU), according to a report in ICS-CERT.
The SESU is a centralized update mechanism for updating Schneider Electric software on Windows PC. Schneider Electric has updated the SESU client as of January 2013, which adds the use of HTTPS to resolve this vulnerability. This remotely exploitable vulnerability first came to Schneider Electric from security researcher Arthur Gervais.
The following products and versions suffer from the issue:
• Unity Pro, V5.0 L, M, S, XL,
• Unity Pro, V6.0 L, M, S, XL,
• Unity Pro, V6.1 L, M, S, XL,
• Unity Pro, V0 L, M, S, XL, XLS,
• Vijeo Designer V6.0.x, V6.1.0.x, V5.0.0.x, V5.1.0.x,
• Vijeo Designer Opti V6.0.x, V5.1.0.x, V5.0.0.x,
• Web Gate Client Files V5.1.x,
• IDS V1.0, V2.0,
• PowerSuite 2.5,
• Smart Widget Acti 9 V184.108.40.206,
• Smart Widget H8035 V220.127.116.11,
• Smart Widget H8036 V18.104.22.168,
• Smart Widget PM201 V22.214.171.124,
• Smart Widget PM710 V126.96.36.199,
• Smart Widget PM750 V188.8.131.52,
• SoMachine V1.2.1,
• Spacail.pro V1.0.0.x, and
• SESU V1.0.x, V1.1.x
Successfully exploiting this vulnerability could result in arbitrary code execution.
Schneider Electric is a manufacturer and integrator of energy management equipment and software. According to Schneider Electric, their products see use in energy, industry, and building automation worldwide.
Schneider Electric software on the customer PC uses the SESU service as the mechanism of communication with the Schneider Electric central update server in order to receive periodic software updates. The SESU client on the customer PC does not check the authenticity of the origin. By redirecting messages to Port 80/TCP on an unauthorized source, an attacker could execute arbitrary code on a vulnerable system that could result in loss of availability, integrity, and confidentiality.
CVE-2013-0655 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
An attacker with a medium skill level would be able to exploit this vulnerability.
Schneider Electric has produced a customer notification that contains mitigations to resolve this vulnerability. In order to resolve the vulnerability with the software server, Schneider Electric has taken the following actions:
1. The SESU server updated to the latest version. Currently, HTTP and HTTPS get support in parallel. HTTPS does ensure signed communication.
2. The new SESU client updated as of January 2013 to use HTTPS instead of HTTP. The new version of the SESU Client will be available to customers for distribution via the SESU mechanism in January 2013.
3. Customers can also use an updated software product CD that will contain the updated SESU client, when the CD becomes available. Contact your local support desk for details.
4. While HTTP and HTTPS SESU client functionality both have support, in May the HTTP port of the SESU server will end up disabled. This means only HTTPS will get support during SESU client updates from that time forward, which mitigates this current vulnerability.
Thursday, November 29, 2012 @ 04:11 PM gHale
There is an alert warning users of Samsung printers and some Dell printers manufactured by Samsung about the presence of a hardcoded account that could allow remote attackers to access an affected device with administrative privileges.
This privileged access could also change the device configuration, access sensitive information stored on it (credentials, network configuration, etc.), and even mount additional attacks through arbitrary code execution, according to a report on US-CERT.
The hardcoded account is present in all printers released before October 31, 2012. Samsung is not rushing out a patch saying it will come out “later this year.”
“As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location,” US-CERT said, especially because the hardcoded account remains active even if SNMP is disabled in the printer management utility.
Samsung said it is aware of and has resolved the security issue affecting Samsung network printers and multifunction devices. The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP.
“We take all matters of security very seriously and we are not aware of any customers who have been affected by this vulnerability,” officials said in a statement.
Samsung will release updated firmware for all current models by November 30, with all other models receiving an update by the end of the year.
Wednesday, October 31, 2012 @ 08:10 AM gHale
Mozilla released a Firefox 16.0.2 update for its browser to close critical security holes.
The flaws center on the location object and the three problems, assigned CVE-2012-4194, CVE-2012-4195 and CVE-2012-4196, ended up fixed in the updates. The flaws also affect Thunderbird 16 to a more limited extent so a Thunderbird 16.0.2 update also released.
Enterprise ESR versions of the browser and email client also suffer from the problem; a 10.0.10 update for Firefox ESR and Thunderbird ESR also been released along with a 2.13.2 update of SeaMonkey.
Researcher Mariusz Mlynski discovered the true value of window.location could end up shadowed which could enable a cross site scripting (XSS) attack in conjunction with some plugins.
Mozilla security researcher moz_bug_r_a4 found using CheckURL on window.location could force a return to the wrong calling document, also enabling an XSS attack; there was also a possibility of arbitrary code execution via any add-on that interacted with page content.
In addition, Antoine Delignat-Lavaud of the PROSECCO research team at INRIA found it was possible to inject properties into the Location object, exposing it to cross-origin reading. Further details of the bugs were not immediately available.
Updates are available through Firefox and Thunderbird’s standard update mechanism and should deliver automatically to users.
To force an update, select the About window for the particular application which will then trigger a check and download of any pending update.
Friday, September 7, 2012 @ 04:09 PM gHale
RealFlex created in upgrade that solves the uncontrolled search path element vulnerability, or a DLL hijack, in its RealWinDemo application.
Independent researcher Carlos Mario Penagos Hollmann, who found the vulnerability, validated the fix resolves the issue.
The RealFlex products affected are:
• RealWinDemo 2.1.12 and prior,
• RealWin 2.1.12 and prior, and
• FlexView 3.1.85 and prior.
Successful exploitation of this vulnerability may lead to arbitrary code execution.
RealWinDemo is a Microsoft Windows-based human-machine interface/supervisory control and data acquisition (HMI/SCADA) software package that primarily sees use for customer demonstration purposes. It also sees use in small automation projects using standard protocols such as Modbus.
RealWin is primarily a demo product to generate sales of the RealFlex 6 SCADA product. RealWin is in production on projects in Nigeria, USA, India, Philippines, Saudi Arabia, and Mexico.
RealWinDemo uses an uncontrolled search path to find resources that could allow an unauthorized user to locate and exploit one or more locations. An unauthorized user could place a malicious DLL in a directory where it could load before the valid DLL. An attacker must have access to the host file system to exploit this vulnerability. If exploited, this vulnerability could allow execution of arbitrary code. CVE-2012-3004 is the number assigned to this vulnerability, which has a CVSS V2 base score of 6.2.
This vulnerability is not remotely exploitable and cannot undergo exploitation without user interaction. The exploit only triggers when a local user runs the vulnerable application and loads a malicious realwin.dll or keyhook.dll file.
RealFlex has produced an updated version that resolves the issue. Customers may log in to download an updated version of the following products:
• RealWin 2.1.13,
• FlexView 3.1.86, and
• RealWinDemo 2.1.13.
Wednesday, August 1, 2012 @ 03:08 PM gHale
Sielco Sistemi created a new release that corrects all vulnerabilities in its Winlog application.
Researcher Carlos Mario Penagos Hollmann of IOActive, who found the vulnerabilities along with Michael Messner and Luigi Auriemma, tested the release to validate that it resolves the remotely exploitable vulnerabilities, according to a report on ICS-CERT.
Exploit code is publicly available for these vulnerabilities.
The following Sielco Sistemi products suffer from the issue: Winlog Pro SCADA, all versions prior to 2.07.18, and Winlog Lite SCADA, all versions prior to 2.07.18.
Successful exploitation of these vulnerabilities could lead to a program crash, information leakage, or arbitrary code execution.
Sielco Sistemi is an Italy-based company that creates supervisory control and data acquisition (SCADA)/human-machine interface (HMI) software and hardware products.
Winlog Lite SCADA is a demo version of the Winlog Pro SCADA/HMI system. Winlog Pro SCADA sees use across several sectors including manufacturing, public utilities, telecommunications, and others. Sielco Sistemi products are mainly in Italy, Turkey, Canada, U.S., Indonesia, and Spain.
By sending malicious specially crafted packets to Port 46824/TCP, an attacker can overflow a memory buffer on the target system. Errors in RunTime.exe and TCPIPS_Story.dll can suffer an exploit by these packets to cause the buffer overflow. The packets can also cause a boundary error in RunTime.exe causing the buffer overflow. This can allow the attacker to cause a denial-of-service condition leading to a crash or possible execution of arbitrary code. CVE-2012-3815 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
In addition, unauthorized users can access and read files on the system Winlog is running by causing an input validation error. An attacker can send a malicious specially formed packet to Port 46824/TCP to allow unauthorized access to the system, which may lead to information leakage. CVE-2012-3815 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
By sending malicious specially crafted packets that point outside of the defined array, an attacker can cause a crash of the system. By using 32-bit operation coding, a file pointer outside the array can execute arbitrary code and cause a denial-of-service condition leading to a crash. CVE-2012-3815 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Also, by sending a malicious specifically formed packet, unauthorized attackers are able to write outside of the existing buffer allocation. The error when allocating when processing these malicious packets can suffer an exploit to reference an invalid memory location. This exploit could cause a crash of the system. CVE-2012-3815 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
An attacker with a low-skill level would be able to exploit these vulnerabilities.
Sielco Sistemi’s update, Winlog Pro SCADA and Winlog Lite SCADA Version 2.07.18, is available for customer download.
Monday, July 30, 2012 @ 03:07 PM gHale
Alongside the release of OS X 10.8 Mountain Lion, Apple published version 6.0 of its Safari web browser for OS X 10.7 Lion, adding a slew of security features to close holes.
This major update addresses more than 120 vulnerabilities found in the previous 5.x branch, Apple said. Among the holes closed are problems in the handling of feed:// URLs which could lead to cross-site scripting (XSS) attacks or users’ files being sent to a remote server. The fix also takes care of a bug in the autocomplete system used by Safari, which may have resulted in passwords automatically inserted even when a site specifies that it should not happen. They also cleared up an XSS issue caused by opening maliciously crafted files on certain pages.
The majority of the problems fixed in the update were in the WebKit browser engine used by Safari.
These include cross-site information disclosure bugs, site URL spoofing problems, cross-origin issues, problems related to iFrames and over 100 memory corruption bugs an attacker could exploit to cause, among other things, unexpected application termination or arbitrary code execution.
For an attack to be successful, a victim must first visit a specially crafted web site. Other WebKit-related bugs include the disclosure of memory contents, escapes from the browser’s sandbox, history session handling problems, and an HTTP header injection issue.
A full list of security fixes are on Apple’s security advisory. Users running Mac OS X 10.7.4 can upgrade to Safari 6 using the built-in Software update function. All users should upgrade as soon as possible, Apple said.
Tuesday, July 24, 2012 @ 07:07 PM gHale
Invensys created a patch to fix the uncontrolled search path element vulnerability, commonly referred to as a dll hijack, in its Wonderware InTouch application. If unpatched, the vulnerability could lead to arbitrary code execution.
Independent researcher Carlos Mario Penagos Hollmann, who discovered the vulnerability, validated that the upgrade resolves the hole, according to a report on ICS-CERT.
The following Invensys products contain the vulnerable dll:
• InTouch 2012 and all prior versions,
• Wonderware Application Server 2012 and prior versions,
• Wonderware Information Server 4.5 and prior versions,
• Foxboro Control Software 4.0 and all prior versions,
• InFusion CE/FE/SCADA 2.5 and all prior versions,
• InBatch 9.5 SP1 and all prior versions, and
• Wonderware Historian 10.0 SP1 and all prior versions.
“Invensys appreciates the professionalism of cyber researchers like Carlos Hollmann, who was instrumental in finding and responsibly disclosing this security vulnerability,” said Paul Forney, chief technologist, supervisory platform R&D, Invensys Operations Management. “Because of his coordinated response, and with his assistance, we were quickly able to validate our solution. Diligently addressing cyber security related issues remains a key focus for Invensys. We continue to collaborate responsibly with the community of independent researchers, ICS-CERT and other industry partners to strengthen our R&D processes, apply best practices and deliver highly secure products and solutions that protect the safety of our customers. We believe this organized, professional and collaborative approach will result in a much more secure critical infrastructure.”
The Invensys Wonderware InTouch HMI sees use in quite a few industries across the world, including manufacturing, energy, food and beverage, chemical, and water and wastewater.
The Information Server provides industrial information content including process graphics, trends, and reports. The Invensys Wonderware InTouch HMI Web Client provides access to these reports, analyses, and write back capabilities to processes.
InTouch uses an open or uncontrolled search path to find resources, which could allow an unauthorized user to easily locate and exploit one or more locations. An unauthorized user could place a malicious dll in a directory where it could load before the valid dll. An attacker must have access to the host file system to exploit this vulnerability. The exploit only triggers when a local user runs the vulnerable application and loads a malformed dll file.
CVE-2012-3005 is the number assigned to this vulnerability, which has a CVSS v2 Base Score of 6.6.
This vulnerability is not remotely exploitable; it needs user interaction. The exploit triggers when a local user runs the vulnerable application and loads a malformed dll file. An attacker with a moderate skill level would be able to exploit this vulnerability.
Invensys provided instructions and a link to the software download.
Install the Security Update using instructions provided in the ReadMe file. In general, the user should:
• Read the installation instructions provided with the patch,
• Shut down any of the affected software products,
• Install the update, and
• Restart the software.
Tuesday, July 3, 2012 @ 03:07 PM gHale
Patches are now available for the multiple vulnerabilities in WellinTech’s KingView and the single vulnerability in KingHistorian.
These vulnerabilities, found by independent researchers Carlos Mario Penagos Hollman and Dillon Beresford, are exploitable remotely.
The affected products and versions are the WellinTech KingView 6.53 and the WellinTech KingHistorian 3.0.
Successful exploitation of these vulnerabilities could lead to arbitrary code execution, information disclosure, and denial of service (DoS).
Beijing, China-based WellinTech is a software development company specializing in automation and control. WellinTech also has offices in the United States, Japan, Singapore, Europe, and Taiwan.
The KingView product is a Windows-based control, monitoring, and data collection application deployed across several industries, including power, water, building automation, mining, and other sectors. The KingHistorian product is a database that can be a stand-alone historian, which goes across several industries including water and power and other sectors.
For the KingView line if an attacker sends a specially crafted packet to Port 555/TCP, he could create a stack-based buffer overflow. This attack may allow the execution of arbitrary code. CVE-2012-1830 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
Also, by sending a specially crafted packet to Port 555/TCP, an attacker may create a heap-based buffer overflow in the KingView application. This attack may allow the execution of arbitrary code. CVE-2012-1831 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
By sending a specially crafted packet to either Port 2001/TCP or Port 2001/UDP, an attacker may read from an invalid memory location in the KingView application. This attack may allow the execution of arbitrary code. CVE-2012-1832 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
By sending a specially crafted GET request via HTTP on Port 8001/TCP, an attacker may access arbitrary information from the KingView application. CVE-2012-2560 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.
In the KingHistorian, if an attacker sends a specially crafted packet to Port 5678/TCP, he may create an invalid pointer write in the KingHistorian application. This attack may allow the execution of arbitrary code. CVE-2012-2559 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
An attacker requires a moderate skill level to exploit these vulnerabilities, of which there are no known mitigations.
WellinTech has developed patches to resolve these issues. Click here for the WellinTech advisory and the KingView product patch.
Click here for the WellinTech advisory and the KingHistorian product patch.