Posts Tagged ‘arbitrary code execution’

Wednesday, September 23, 2015 @ 02:09 PM gHale

Adobe updated Flash Player, fixing 23 vulnerabilities, including holes for information disclosure, security bypass, and arbitrary code execution.

The list of vulnerabilities patched with the release of Flash Player for Windows and Mac and Flash Player for Linux also includes memory leak, type confusion, use-after-free, buffer overflow, stack corruption, and other memory corruption issues.

“These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system,” Adobe said in its advisory.

The latest Flash Player also includes additional validation checks to ensure malicious content from vulnerable JSONP callback APIs ends up rejected, and improvements to a mitigation mechanism designed to provide protection against vector length corruptions.

Adobe said it has not found any evidence to suggest any active exploitation of these vulnerabilities.

Independent researchers and researchers from companies such as Google, Alibaba, Tencent, AddReality, and Qihoo360 reported the security holes.

Flash Player also ended up updated in Google Chrome, Microsoft Edge on Windows 10, Internet Explorer 10 and 11, and Adobe AIR.

Monday, August 24, 2015 @ 04:08 PM gHale

Apple patched nine vulnerabilities when it released QuickTime 7.7.8 for Windows.

The update addresses a series of memory corruption issues that can lead to the unexpected termination of the application or arbitrary code execution, according to the Apple advisory.

Ryan Pentney and Richard Johnson of Cisco Talos, a researcher known as “WalkerFuz,” experts from Fortinet’s FortiGuard Labs, and Apple’s security team found the vulnerabilities.

The vulnerabilities found by Apple and WalkerFuz, along with five of the six issues identified by Cisco, were also patched on August 13 in the OS X version of QuickTime 7.

The vulnerabilities reported by Talos researchers are denial-of-service (DoS) flaws that can end up exploited with the aid of specially crafted .MOV files, according to an advisory published by Cisco.

The security bugs are the result of an invalid URL atom size, an invalid 3GPP stsd sample description entry size, an invalid mvhd atom size, an esds atom descriptor type length mismatch, mdat corruption, and tkhd atom matrix corruption.

“Several memory corruption vulnerabilities exist in Apple Quicktime and can manifest themselves due to improper handling of objects in memory. An adversary who crafts a specifically formatted .MOV file can cause Quicktime to terminate unexpectedly, creating a local denial of service condition,” Cisco’s Talos group said in a blog post.

Apple has had a difficult month, as earlier it patched over 100 vulnerabilities with the release of updates for OS X, OS X Server, iOS and Safari. Shortly after the updates were released, an Italian researcher revealed the existence of a new local privilege escalation Zero Day vulnerability that affects all versions of OS X Yosemite.

Thursday, March 19, 2015 @ 03:03 PM gHale

Apple fixed security holes with the release of Safari 8.0.4, Safari 7.1.4, and Safari 6.2.4.

Sixteen memory corruption issues were in WebKit, the layout engine software component used by the browser for rendering web pages, according to a security advisory published by the company.

Apple did not disclose the details of the vulnerabilities, but the company has noted that visiting a malicious website set up to exploit these flaws can lead to unexpected application termination or arbitrary code execution. The issues ended up fixed through improved memory handling, Apple said.

Another vulnerability identified in WebKit and fixed in the latest versions of Safari was a user interface inconsistency (CVE-2015-1084) that an attacker could leverage to misrepresent the URL.

“Inconsistent user interface may prevent users from discerning a phishing attack,” Apple wrote in the advisory. That problem ended up fixed in Safari 8.0.4, Safari 7.1.4, and Safari 6.2.4 through improved user interface consistency checks.

Apple’s own security team discovered a majority of the issues, while one of the holes ended up found by the Google Chrome Security Team.

Wednesday, March 19, 2014 @ 05:03 PM gHale

While it took just under two years, there is now an update for the multiple Sielco Sistemi Winlog vulnerabilities first published in July 2012.

Sielco Sistemi produced a new release that corrects all identified vulnerabilities in the application discovered by researchers Carlos Mario Penagos Hollmann of IOActive, Michael Messner, and Luigi Auriemma, according to a report on ICS-CERT. Hollmann and Auriemma tested the release to validate that it resolves the remotely exploitable vulnerabilities. Exploit code is publicly available for these vulnerabilities.

The following Sielco Sistemi products suffer from the issues:
• Winlog Pro SCADA, all versions prior to 2.07.18
• Winlog Lite SCADA, all versions prior to 2.07.18.

Successful exploitation of these vulnerabilities could lead to a program crash, information leakage, or arbitrary code execution.

Sielco Sistemi is an Italy-based company that creates supervisory control and data acquisition/human-machine interface (SCADA/HMI) software and hardware products.

Winlog Lite SCADA is a demo version of the Winlog Pro SCADA/HMI system. Winlog Pro SCADA sees use across several sectors including manufacturing, public utilities, telecommunications, and others. Sielco Sistemi products deploy mainly in Italy, Turkey, Canada, U.S., Indonesia, and Spain.

By sending malicious specially crafted packets to Port 46824/TCP, an attacker can overflow a memory buffer on the target system. Errors in RunTime.exe and TCPIPS_Story.dll can end up exploited by these packets to cause the buffer overflow. The packets can also cause a boundary error in RunTime.exe causing the buffer overflow. This can allow the attacker to cause a denial-of-service condition leading to a crash or possible execution of arbitrary code.

CVE-2012-3815 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Unauthorized users can access and read files on the system on which Winlog is running by causing an input validation error. An attacker can send a malicious specially formed packet to Port 46824/TCP to gain unauthorized access to the system, which may lead to information leakage.

CVE-2012-4353 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

By sending malicious specially crafted packets that point outside of the defined array, an attacker can cause a crash of the system. By using 32-bit operation coding, a file pointer outside the array could execute arbitrary code and cause a denial-of-service condition leading to a crash.

CVE-2012-4354 and CVE-2012-4355 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

An input validation error when processing certain requests can end up exploited to disclose arbitrary files via directory traversal sequences sent in a specially crafted packet to TCP Port 46824.

CVE-2012-4356 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

By sending a malicious specifically formed packet, unauthorized attackers are able to write outside of the existing buffer allocation. The allocation error that occurs when processing these malicious packets can end up exploited to reference an invalid memory location. This exploit could cause a crash of the system.

CVE-2012-4358 and CVE-2012-4359 are the case numbers assigned to this vulnerability, which has a CVSS v2 base score of 9.3.

Some of the preceding vulnerability details came from a Secunia Advisory SA49395.

Exploits that target this vulnerability are publicly available and an attacker with a low-skill level would be able to exploit these vulnerabilities.

Sielco Sistemi created an update to fix these vulnerabilities. This update, Winlog Pro SCADA and Winlog Lite SCADA Version 2.07.18, is available for customer download.

Monday, March 17, 2014 @ 06:03 PM gHale

Shockwave Player just got an update from Adobe Systems in order to fix a critical vulnerability that could allow attackers to remotely take control of affected systems.

The vulnerability, identified as CVE-2014-0505, is the result of a memory corruption issue and can lead to arbitrary code execution. According to Adobe, the flaw ended up privately reported to the company and there are no reports of active exploits targeting it in the wild.

Adobe recommends that users of Adobe Shockwave Player and earlier versions update to the newly released version, which is available for Windows and Mac, the company said Thursday.

The Shockwave Player update comes two days after Adobe released security patches for vulnerabilities in its more popular Flash Player product.

Shockwave Player installs a browser plug-in that’s needed to display interactive online content created with Adobe’s Director software. While it’s not as widespread as Flash Player, Shockwave Player is on over 450 million desktop computers according to Adobe, which makes it a potential target for hackers.

Wednesday, December 11, 2013 @ 05:12 PM gHale

Adobe patched holes in its Flash Player and Shockwave Player Tuesday, including one that already has an exploit chomping at the bit.

“These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” the company said in a security advisory.

That CVE (Common Vulnerabilities and Exposures) ID refers to a type confusion vulnerability fixed in the new version of Flash Player. A memory corruption flaw tracked as CVE-2013-5332 also ended up fixed. If exploited successfully, both vulnerabilities can lead to arbitrary code execution allowing attackers to take control of the affected systems.

Some mitigation for this type of exploit exists since Flash 11.6, which introduced a click-to-play feature that requires users to confirm the playback of Flash content embedded in documents when opened in Microsoft Office versions older than Office 2010.

Tuesday’s update, though, moved the Windows and Macintosh versions of Flash Player to version 11.9.900.170, and the Linux version to The Flash Player versions bundled with Google Chrome, Internet Explorer 10 and Internet Explorer 11 will automatically update through those browsers’ update mechanisms.

The two Flash Player vulnerabilities were also fixed in Adobe AIR, a runtime for rich Internet applications that has Flash support. The patches are included in Adobe AIR version for Windows, Mac and Android.

Adobe Shockwave Player version for Windows and Mac was also released Tuesday to resolve two different memory corruption vulnerabilities—CVE-2013-5333 and CVE-2013-5334—that could lead to arbitrary code execution. Shockwave Player is not as widespread as Flash Player, but Adobe said it is on over 450 million desktop computers, which makes it a big target for attackers.

Wednesday, October 23, 2013 @ 06:10 PM gHale

WellinTech produced a new version of KingView that mitigates ActiveX vulnerabilities, according to a report on ICS-CERT.

These remotely exploitable vulnerabilities, discovered by independent researcher “Blake,” have active exploits targeting them. “Blake” identified the vulnerabilities and released proof-of-concept (exploit) code without coordination with ICS-CERT, the vendor, or any other coordinating entity.

The vulnerabilities are exploitable because the program does not properly sanitize user input, according to a previous report. KingView versions older than Version 6.53 suffer from the issue.

Successful exploitation of these vulnerabilities may allow an attacker to overwrite files and copy them from one location to another on the target machine.

WellinTech is a software development company specializing in automation and control. Beijing, China-based WellinTech has branches in the United States, Japan, Singapore, Europe, and Taiwan.

According to the WellinTech Web site, the KingView product is a Windows-based control, monitoring, and data collection application deployed across several industries including power, water, building automation, mining, and others.

WellinTech KingView contains a flaw in the SuperGrid.ocx ActiveX control that allows an attacker to traverse outside a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks.

This proof of concept will copy any arbitrary file from one location to a second location. It can also overwrite existing files. This vulnerability can inject files which, in turn, may allow arbitrary code execution.

CVE-2013-6127 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

WellinTech KingView contains a flaw in the KChartXY.ocx ActiveX control that allows an attacker to traverse outside a restricted path. The issue is due to the program not properly sanitizing user input. Proof of concept overwrites the win.ini file.

CVE-2013-6128 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.8.

An attacker with a medium skill level would be able to exploit these vulnerabilities.

WellinTech provided the following links to download new versions of the affected files:
• SuperGrid.ocx, version number 65.30.30000.10002
• KChartXY.ocx, version number 65.30.30000.10002

It is also possible to correct the flaw by implementing the following workarounds:
• Set the kill-bit on the KChartXY ActiveX Control (CLSID A9A2011A-1E02-4242-AAE0-B239A6F88BAC).
• Set the kill-bit on the SuperGrid ActiveX Control (CLSID F494550F-A028-4817-A7B5-E5F2DCB4A47E).
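The kill-bit workaround above is applied by setting bit 0x400 of the `Compatibility Flags` DWORD under Internet Explorer's ActiveX Compatibility registry key for each CLSID. The following script is an added example, not code from ICS-CERT or WellinTech; it assumes an elevated PowerShell prompt on Windows and sets then verifies the kill-bit for the two KingView controls named in the advisory, covering both the native and Wow6432Node registry views on 64-bit systems.

```powershell
# Added example (not from the ICS-CERT report or WellinTech): set and verify the
# IE ActiveX kill-bit for the two KingView controls listed in the advisory.
# Assumes an elevated PowerShell prompt. The kill-bit is bit 0x400 of the
# "Compatibility Flags" DWORD under the ActiveX Compatibility key.

$KillBit = 0x400
$Clsids = @(
    '{A9A2011A-1E02-4242-AAE0-B239A6F88BAC}',  # KChartXY.ocx
    '{F494550F-A028-4817-A7B5-E5F2DCB4A47E}'   # SuperGrid.ocx
)
# Both views are needed on 64-bit Windows so 32-bit and 64-bit IE are covered.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Set-ActiveXKillBit {
    param([string]$Clsid, [string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    # OR the bit in so that any other compatibility flags already set survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -Value ($existing -bor $KillBit) -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Clsid, [string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($base in $BasePaths) {
    # The Wow6432Node view only exists on 64-bit Windows.
    if ($base -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    foreach ($c in $Clsids) {
        Set-ActiveXKillBit -Clsid $c -BasePath $base
        $state = if (Test-ActiveXKillBit -Clsid $c -BasePath $base) { 'SET' } else { 'MISSING' }
        Write-Output ("{0,-7} {1} in {2}" -f $state, $c, $base)
    }
}
```

Running only the `Test-ActiveXKillBit` loop (without the `Set-` call) turns the same script into an audit that reports which hosts still lack the workaround.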

Monday, September 23, 2013 @ 05:09 PM gHale

The Apple iOS 7 update came out with some fanfare, but more importantly it brought in 80 security fixes.

The update fixes problems that could lead to a denial of service attack or trigger unexpected application termination or arbitrary code execution on devices like an iPad, iPod Touch or iPhone running an out-of-date OS.

Some of what security experts were calling the bigger flaws Apple fixed included passcode bypass flaws, one (CVE-2013-0957) that could allow an attacker to break an app in the third-party sandbox and determine the user’s passcode and a second (CVE-2013-5147) that exploited the way the iPhone handled calls to bypass the screen lock in iOS 6.1.

Another similar data privacy vulnerability was one that could allow an attacker to intercept user credentials by compromising a TrustWave certificate (CVE-2012-5134). TrustWave issued and subsequently revoked the faulty sub-CA certificate.

Four Safari bugs, including a problem where the browser’s history was still visible even after it cleared, ended up fixed. There was also an issue in Safari with a memory corruption problem in the way it handled XML files and a cross-site scripting flaw on sites that allow users to upload files.

Apple also addressed vulnerabilities reported last year, all of them arbitrary code execution bugs in the libxml and libxslt libraries.

Tuesday, September 17, 2013 @ 05:09 PM gHale

Apple pushed out patches last week and updated its OS X Mountain Lion to 10.8.5, improving “stability, compatibility and security” issues and fixing 30 different vulnerabilities in the operating system.

The update fixes multiple vulnerabilities in Apache that could have led to a cross-site scripting error and vulnerabilities in BIND that could have led to a denial of service attack. Other fixes, including some in assorted components like PostgreSQL, PHP and OpenSSL fixed errors that could have led to arbitrary code execution, data corruption or privilege escalation problems.

Apple also updated its Certificate Trust Policy, adding and removing several root certificates from the list of trusted system roots. Apple also patched its Installer function, which previously presented a dialog to let the user continue when it encountered a revoked certificate. Now, the system refuses any revoked package.

The update also resolved the previously reported sudo vulnerability. An attacker could gain root privileges on a system where sudo, a Linux command that manages user privileges on several types of systems, had previously been used. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” read the security document released with the patches Thursday.

Thursday also saw the release of Safari 5.1.10, Apple’s browser. A JavaScriptCore patch fixed multiple memory corruption issues, including one where if a user visited a maliciously crafted website, it could lead to an unexpected application termination or arbitrary code execution.

10.8.5 is likely the last update Apple users will see for the company’s “cat” series (Lion, Mountain Lion, etc) of operating systems. The next iteration of Apple’s OS, Mavericks, is on tap for release at the end of October.

On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.

Monday, May 13, 2013 @ 10:05 AM gHale

Open source web server application developer NGINX released an updated stable version 1.4.1 and development version 1.5.0 to fix a major security flaw.

A stack-based buffer overflow can occur in worker processes when handling specially crafted requests – the overflow could end up exploited in such a way that it could lead to arbitrary code execution.

The flaw, now given an identity as CVE-2013-2028, appeared in NGINX 1.3.9, a development branch of the server released in November 2012, and appears to have persisted through development to still be present in April’s release of the new stable version. A patch is also available for the flaw, which Greg MacManus of iSIGHT Partners Labs discovered.

The updated versions are available to download from the NGINX site.

Given that 1.4.0 has only been available for a few weeks, many sites will likely be running the unaffected older stable branch of NGINX – 1.2 – originally published in April 2012, for which the most recent bug-fix release is version 1.2.8, published at the start of April. This is now a legacy version of NGINX.