Posts Tagged ‘exploit’
Monday, May 20, 2013 @ 06:05 PM gHale
An exploit has been released that proves normal, logged-in users can gain root access on the Linux kernel via an incorrectly declared pointer.
It all started back in April, when Linux kernel developers fixed an incorrectly declared pointer in the Linux kernel. The problem is, in their rush to fix the issue, they apparently overlooked the security implications of the bug: it is in fact possible to gain access to almost any memory area using a suitable event_id.
After realizing the problem, the developers declared the bug an official security hole (CVE-2013-2094), following the release of an exploit that proves normal, logged-in users can gain root access this way.
The bug affects any kernel version between 2.6.37 and 3.8.9 compiled with the PERF_EVENTS option, which is apparently the case for many distributions. Which distributions are affected will become clear when the relevant security updates are released. Linux security expert Brad Spengler has released a detailed analysis of the exploit.
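As an added illustration (not the kernel's own code; the table name and its size are assumed), the C example below shows the bug class the post describes: a user-supplied 64-bit value stored in a signed int before the range check, so that large values wrap negative and slip past it, next to the fixed comparison on the full unsigned value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical per-event table standing in for kernel data
 * (assumed name and size; this is an added illustration). */
#define EVENT_MAX 8
static uint32_t event_enabled[EVENT_MAX];

/* Flawed check: the 64-bit value is narrowed to a signed int first.
 * 0xFFFFFFFF becomes -1, passes "event_id >= EVENT_MAX", and would
 * index memory before the table. */
bool check_flawed(uint64_t config) {
    int event_id = (int)config;        /* truncates and re-signs */
    if (event_id >= EVENT_MAX)
        return false;                  /* rejects 8, 9, ... only */
    return true;                       /* accepts wrapped negatives */
}

/* Fixed check: keep the value unsigned and full width, so one
 * comparison rejects every out-of-range value. */
bool check_fixed(uint64_t config) {
    return config < (uint64_t)EVENT_MAX;
}

/* Accessor that touches the table only after the fixed check.
 * Returns 0 on success, -1 (EINVAL-style) on rejection. */
int event_enabled_lookup(uint64_t config, uint32_t *out) {
    if (!check_fixed(config))
        return -1;
    *out = event_enabled[(size_t)config];
    return 0;
}
```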
Meanwhile, the Ubuntu Security Team closed the vulnerability with updates to Ubuntu 13.04, 12.10, 12.04 LTS and the Hardware Enablement Kernel for Ubuntu 12.04 LTS, which is based on the Ubuntu 12.10 kernel. The developers caution users that, due to ABI changes in the kernel update, all third-party modules installed with these kernels have to be recompiled and reinstalled. Users of the linux-restricted-modules package will have to update that package as well; this happens automatically on systems that include the standard kernel meta packages.
Red Hat said Red Hat Enterprise Linux (RHEL) 4 and 5 are not affected. RHEL 6 and Red Hat Enterprise MRG 2, however, are, and until the company releases updates that fix the issue, Red Hat recommends mitigating the risk and gives instructions on how to do so on a page on its customer portal.
The Debian developers are also working on a fix. At the time of writing, Debian stable (Wheezy) and testing (Jessie) are both vulnerable to the exploit, while Debian unstable (Sid) is not. A fixed kernel package is already available in the security update repository for Wheezy and should reach the main distribution repository soon.
Tuesday, March 5, 2013 @ 04:03 PM gHale
There are five vulnerabilities in Java SE 7 Update 15 which, when combined, can achieve a complete sandbox bypass.
The new flaws, identified as “issue 56” through “issue 60,” were found by researchers at Security Explorations while they were collecting new evidence to prove to Oracle that “issue 54” is a security hole.
“Two of the issues found (59 and 60) could be potentially affecting Java SE 6 (we haven’t checked this due to Java SE 6 EOL status), but since all of the issues need to be combined together to gain a successful Java SE security compromise, we treat it as affecting Java SE 7 only,” said Adam Gowdiak, chief executive of Security Explorations.
“The attack breaks a couple of security checks introduced to Java SE by Oracle over the recent months (Issues 57 and 58). It also exploits code fragments that were missing proper security checks corresponding to the very mirror code (Issue 59 and 60). Finally, it demonstrates a difference between the JVM specification and its implementation (Issue 56).”
Gowdiak said that, as with other vulnerabilities they have found, the Reflection API is the component exploited in the attack.
Oracle has the complete details of the newly-discovered flaws, along with a proof-of-concept.
Wednesday, February 13, 2013 @ 11:02 PM gHale
Mitigation details are available for a buffer overflow vulnerability in the WellinTech KingView KingMess application, according to an ICS-CERT report.
WellinTech produced and released a patch on November 15, 2012, that mitigates this vulnerability. Researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive, who found the hole, validated that the patch fixes it. Exploitation of this vulnerability could result in loss of confidentiality and integrity.
The following KingView versions suffer from the remotely exploitable vulnerability:
• KingView 6.52 (kingMess.exe 65.20.2003.10300)
• KingView 6.53 (kingMess.exe 65.20.2003.10400)
• KingView 6.55 (kingMess.exe 65.50.2011.18049)
Successful exploitation of this vulnerability will allow an attacker to execute arbitrary code as the running user. This vulnerability could impact multiple sectors, including power, water, and manufacturing.
WellinTech is a China-based company that maintains offices in several countries around the world, including the U.S., Japan, Singapore, Taiwan, and Europe.
The affected product, KingView, is a Web-based SCADA application for Windows-based control, monitoring, and data collection. According to WellinTech, KingView is used in several sectors, including power, manufacturing, water and wastewater, building automation, mining, environmental protection, and metallurgy.
The KingMess application in KingView has a memory corruption vulnerability where the application handles exception information incorrectly. An attacker could send a specially crafted packet to KingView, and the KingMess application would handle the packet incorrectly, causing a memory buffer overflow. This could allow the attacker to execute arbitrary code as the currently running user, which would affect confidentiality, integrity, and availability.
CVE-2012-4711 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
No known public exploits specifically target this vulnerability. An attacker with a high skill level would be able to exploit this vulnerability.
WellinTech recommends all customers using KingView 6.52, 6.53, or 6.55 download the patch for their version of KingView that mitigates this vulnerability.
Wednesday, January 16, 2013 @ 02:01 PM gHale
Cybercriminals know users fail to update their installations and will always jump at the chance to take advantage of the resulting vulnerabilities, which is why a five-year-long cyber espionage campaign was, at one point, using an old Java exploit to push malware.
This revelation came after Kaspersky Labs earlier this week unveiled the espionage program, dubbed Operation Red October, that was tracking governments and other organizations.
Kaspersky experts have said the cybercriminals are leveraging vulnerabilities in Microsoft Word and Excel to push malware onto their victims’ computers.
However, according to Seculert, back in February 2012, they relied on an older Java vulnerability (CVE-2011-3544).
“In this vector, the attackers sent an email with an embedded link to a specially crafted PHP web page. This webpage exploited a vulnerability in Java, and in the background downloaded and executed the malware automatically,” the Seculert researchers said.
Oracle patched the security hole abused by this exploit back in October 2011, but the attackers utilized it in February 2012. This shows cybercriminals often make use of known vulnerabilities, knowing that users fail to update their installations.
Monday, January 14, 2013 @ 02:01 PM gHale
More exploits continue to take advantage of the newly found Java 7 zero-day vulnerability, as variants of the Reveton ransomware are starting to surface, security researchers said.
Not to lose out on an opportunity, malware developers are jumping at the chance to take advantage of this vulnerability as it is already in a few exploit kits including Blackhole, Cool, Nuclear Pack and Redkit, said researchers at Trend Micro.
The Cool Exploit Kit features the ransomware attacks, researchers said.
Trend Micro said it updated its products to detect the webpages that load the exploit code, and also the payloads they serve.
Security experts said the best way for users to protect themselves against the threat is by disabling or completely removing Java.
US-CERT also issued an advisory to warn users about the vulnerability and they also recommend disabling Java until a proper patch comes out.
Thursday, January 10, 2013 @ 04:01 PM gHale
If it is the start of a new year, then what says Happy New Year more than another Microsoft patch Tuesday as the software giant fixed two critical vulnerabilities and five important vulnerabilities.
The first critical vulnerability, MS13-001, is a flaw in the Windows 7/Windows Server 2008 R2 print spooler service that if exploited could lead to remote code execution.
MS13-002 is the other critical flaw and affects Microsoft XML Core Services. This vulnerability also could lead to remote code execution if someone using Internet Explorer is enticed to surf to a malicious web page. This affects all currently released versions of Windows, including RT.
The five important patches include:
• MS13-003 – Elevation of privilege in Microsoft System Center Operations Manager 2007/R2
• MS13-004 – Elevation of privilege in Microsoft .NET Framework 3.5/3.5.1/4/4.5 on all MS OSs
• MS13-005 – Elevation of privilege in Microsoft Windows Vista/Server 2008/7/Server 2008 R2/8/Server 2012/RT
• MS13-006 – Security feature bypass in Microsoft Windows Vista/Server 2008/7/Server 2008 R2/8/Server 2012/RT
• MS13-007 – Denial of Service in Microsoft .NET Framework on Windows XP/Server 2003/Vista/Server 2008/7/Server 2008 R2/8/Server 2012
Microsoft also released an updated Flash Player for Internet Explorer 10 on Windows 8/Server 2012/RT to address CVE-2013-0630.
None of the patches covered the Internet Explorer zero-day that was disclosed two weeks ago.
Wednesday, January 9, 2013 @ 06:01 PM gHale
Nvidia has fixed a zero-day that came to light on Christmas Day: officials released a new driver for its graphics cards that includes a security update for the Nvidia Display Driver Service.
UK researcher Peter Winter-Smith had posted vulnerability details to Pastebin describing a stack buffer overflow in the service, along with an exploit that bypassed DEP and ASLR on Windows machines.
Winter-Smith said the issue was not severe given the conditions under which an attacker would have to carry out the exploit.
“I have had a quick look at the patch and it does indeed appear to address the issue and it does so by entirely removing the endpoint over which the vulnerability could be exploited (the listening named pipe instance),” Winter-Smith said. “So for this particular Nvidia service, this issue should have been completely addressed. If there were other similar weaknesses within the service which could be exploited in the same fashion, these should have also been addressed by the fix.”
An attacker would only be able to successfully exploit the vulnerability if he or she was on a machine in the same domain and firewall rules were severely relaxed, or file sharing turned on. With local access, an attacker could elevate their privileges to root, or if the above conditions were met, could gain remote access from the same domain.
“The service listens on a named pipe (\pipe\nsvr) which has a NULL DACL configured, which should mean that any logged on user or remote user in a domain context (Windows firewall/file sharing permitting) should be able to exploit this vulnerability,” Winter-Smith wrote on Pastebin. The details and exploit have since been deleted from his Pastebin post. “The buffer overflow occurs as a result of a bad memmove operation.”
A memmove operation copies data from a source location to a destination in memory. Winter-Smith said the service copies data unchecked: an attacker controls both the source location and the number of bytes copied into the response buffer, and can therefore leak data from the stack by overflowing it.
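The following added C example is not the Nvidia service's code and assumes a constructed request format (a client-supplied source offset and byte count). It shows the bounds checks a memmove-based response handler needs so that neither value can read outside the service's data or write past the response buffer, including the case where offset plus length would wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed request layout (an assumption, not the real protocol):
 * the client supplies a source offset and a byte count. */
struct copy_request {
    uint32_t src_offset;
    uint32_t length;
};

#define RESPONSE_MAX 64

/* Hardened handler. The unchecked form the post describes performs the
 * memmove with both values exactly as received; here each is validated
 * against the data area and the fixed response buffer first.
 * Returns bytes copied, or -1 on rejection. */
long handle_copy(const struct copy_request *req,
                 const uint8_t *data, size_t data_len,
                 uint8_t *resp, size_t resp_len) {
    size_t off = req->src_offset;
    size_t len = req->length;
    if (len > resp_len)                  /* write bound: response buffer */
        return -1;
    /* Read bound written as "len <= data_len - off" after checking off,
     * so the sum off + len cannot wrap on a narrow size_t. */
    if (off > data_len || len > data_len - off)
        return -1;
    memmove(resp, data + off, len);
    return (long)len;
}

/* Self-check against a constructed 8-byte data area: returns the
 * handler's result for one (offset, length) pair. */
long demo_copy(uint32_t off, uint32_t len) {
    static const uint8_t data[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t resp[RESPONSE_MAX];
    struct copy_request req = { off, len };
    return handle_copy(&req, data, sizeof data, resp, sizeof resp);
}
```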
Tuesday, January 8, 2013 @ 05:01 PM gHale
A cross-site scripting (XSS) proof-of-concept exploit potentially puts 400 million Yahoo Mail users at risk of having their accounts taken over, one security researcher said.
In a video posted on YouTube, Shahin Ramezany showed an exploit for what he said is a document object model-based cross-site scripting vulnerability that affects Yahoo Mail users on all current browsers.
Using a maliciously crafted link, a pen-testing platform, Chrome browser add-on, and a touch of social engineering, Ramezany takes complete control of a dummy Yahoo Mail account in less than five minutes.
In the video, Ramezany sends an email with a malicious link embedded in it from one Yahoo Mail account he has open in Chrome to another account that he has set up in a separate Internet Explorer 10 browser. Before switching to his IE browser, Ramezany copies and pastes the malicious URL into his Chrome address bar and gets a ‘404 Not Found’ message. He then switches over to IE, opens the email, and clicks the link, which, in turn, opens a new IE window. Ramezany quickly minimizes the new window, so it is impossible to say for certain what happens there.
He then goes back to Chrome and enters the malicious link into the address bar there again. This time, instead of seeing a 404 page, Ramezany gets several lines of URL cookie text, which he copies and decodes in a penetration-testing platform called Burp Suite.
Finally, he takes part of the decoded script and plugs it into the “edit this cookie” Chrome browser add-on, refreshes the page, and, just like that, is logged in from Chrome to the Yahoo account to which he sent the malicious email in the first place.
Ramezany plans to post the proof-of-concept on his site, Abysssec.com after Yahoo patches the vulnerability.
Monday, December 3, 2012 @ 02:12 PM gHale
While it is mainly a financial malware platform, Shylock is an interesting program that continues to evolve in order to bypass new defensive technologies put in place by financial institutions and enterprises.
While analyzing a recent Shylock dropper researchers at security software provider Trusteer noticed a new trick it uses to evade detection. Namely, it can identify and avoid remote desktop environments.
Suspected malware samples are collected for analysis and often run on isolated machines in an operations center. Rather than sitting in front of a rack of physical machines in a lab, researchers use remote desktop connections to study malware from their offices. That is the weakness Shylock exploits.
This latest Shylock dropper detects a remote desktop environment by feeding invalid data into a certain routine and then observing the error code returned. It uses this return code to differentiate between normal desktops and other “lab” environments. When executed from a remote desktop session the return code will be different and Shylock won’t install. It is possible to use this method to identify other known or proprietary virtual/sandbox environments as well.
The dropper dynamically loads Winscard.dll and calls the function SCardForgetReaderGroupA(0, 0). The malware proceeds as expected only if the return value is either 0x80100011 (SCARD_E_INVALID_VALUE) or 0x2 (ERROR_FILE_NOT_FOUND). Trusteer noticed when the dropper executes locally the return value is 0x80100011, but when it executes from a remote desktop session the return value is 0x80100004 (SCARD_E_INVALID_PARAMETER).
Trusteer has found a number of malware strains that utilize different approaches to identify specific execution environments in order to take appropriate evasive actions.
“Trusteer solutions are not affected by anti-VM/anti-research techniques employed by malware. That is because we use real-time application protection to monitor for suspected malware behavior in the endpoint device’s memory. This approach prevents malware from compromising applications, including the browser, and stealing data like user credentials. It is also immune to Malware evasion techniques designed to identify remote desktop and virtual machine environments,” said George Tubin, senior security strategist at Trusteer.