ISSSource White Papers

Posts Tagged ‘exploits’

Friday, July 19, 2013 @ 05:07 PM gHale

Code and everything that goes with it for the “master key” vulnerability in Android is out in the public, so that means the bad guys are busy working on new exploits.

So far there have been a few sightings on some applications on Google Play that exploit the vulnerability, said researchers at Bitdefender. The apps are Rose Wedding Cake Game and Pirates Island Mahjong Free, both updated in mid-May.

However, in this case, the bug is not malicious.

“The applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake,” said Bitdefender’s Bogdan Botezatu.

“In contrast, malicious exploitation of this flaw focuses on replacing application code,” he said.

While the apps are not malicious, the discovery does show applications leveraging the cryptographic signature vulnerability don’t raise any red flags when published on Google Play.
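A quick triage check for the condition Bitdefender describes, two entries with the same name inside one APK, added here as an example and not code from Bitdefender or ISSSource. An APK is a ZIP file, so the check walks the ZIP central directory and reports any name that occurs more than once; the sample APK contents and the split between "code" and "resource" duplicates are constructed for illustration and are not drawn from the article.

```python
import io
import warnings
import zipfile
from collections import Counter

# Suffixes treated here as executable content (assumption for triage only):
# a duplicate of one of these is the case the article contrasts with a
# harmless duplicated image.
CODE_SUFFIXES = (".dex", ".so")


def find_duplicate_entries(zip_bytes: bytes) -> dict:
    """Return {entry_name: count} for every name listed more than once in the
    ZIP central directory. infolist() keeps every record; namelist() and the
    name->info map would silently let the last record win, hiding the duplicate."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def classify_duplicates(dups: dict) -> str:
    """Rough triage label: clean, resource-duplicate (e.g. a repeated PNG) or
    code-duplicate (a repeated .dex/.so, which warrants a closer look)."""
    if not dups:
        return "clean"
    if any(name.endswith(CODE_SUFFIXES) for name in dups):
        return "code-duplicate"
    return "resource-duplicate"


def build_sample_apk(duplicate_name: str = None) -> bytes:
    """Build a constructed, minimal APK-like ZIP in memory (not a real app).
    If duplicate_name is given, a second entry with that name is appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00constructed")
        zf.writestr("res/drawable/cake.png", b"\x89PNG\r\n\x1a\nfirst copy")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate_name:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr(duplicate_name, b"second copy")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in [
        ("clean", build_sample_apk()),
        ("duplicate png", build_sample_apk("res/drawable/cake.png")),
        ("duplicate dex", build_sample_apk("classes.dex")),
    ]:
        dups = find_duplicate_entries(apk)
        print(f"{label:14s} -> {classify_duplicates(dups)} {dups}")
```

Run against a real package, the same two functions take the bytes of the `.apk` file; a resource-only duplicate matches the benign case in the article, while a duplicated `classes.dex` is the pattern the article says malicious use would rely on.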

Google has already addressed the vulnerability and OEMs are working on it. However, because of Android’s fragmentation, it will take some time until the patch reaches end-users.

That’s why Android device owners should consider the alternatives. For instance, CyanogenMod users already have protection against the exploit.

Duo Security released an app called ReKey designed to address the vulnerability on rooted devices. In addition, Bitdefender and other security solutions providers have updated their mobile products for Android to make sure they detect applications that abuse the master key flaw.

Tuesday, May 21, 2013 @ 05:05 PM gHale

Google released Chrome 27, which includes a long list of security fixes for the browser, many of which are for high-risk vulnerabilities.

As a result of all the vulnerabilities, the company handed out more than $14,000 in rewards to researchers who reported bugs fixed in the latest iteration of Chrome.

The reward program is designed to provide incentives for security researchers to report vulnerabilities in Chrome and Chrome OS to the company privately rather than disclosing them publicly. Rewards can range from a few hundred dollars for minor flaws up to tens of thousands of dollars for especially severe issues.

None of the vulnerabilities addressed in Chrome 27 fit the latter description, with the highest payment being $3133.70 to Atte Kettunen for some memory safety issues. Chrome users should update their browsers as soon as possible to protect themselves against exploits.

Here are the bugs fixed in Chrome 27:
• High CVE-2013-2837: Use-after-free in SVG. Credit to Sławomir Błażek.
• Medium CVE-2013-2838: Out-of-bounds read in v8. Credit to Christian Holler.
• High CVE-2013-2839: Bad cast in clipboard handling. Credit to Jon of MWR InfoSecurity.
• High CVE-2013-2840: Use-after-free in media loader. Credit to Nils of MWR InfoSecurity.
• High CVE-2013-2841: Use-after-free in Pepper resource handling. Credit to Chamal de Silva.
• High CVE-2013-2842: Use-after-free in widget handling. Credit to Cyril Cattiaux.
• High CVE-2013-2843: Use-after-free in speech handling. Credit to Khalil Zhani.
• High CVE-2013-2844: Use-after-free in style resolution. Credit to Sachin Shinde (@cons0ul).
• High CVE-2013-2845: Memory safety issues in Web Audio. Credit to Atte Kettunen of OUSPG.
• High CVE-2013-2846: Use-after-free in media loader. Credit to Chamal de Silva.
• High CVE-2013-2847: Use-after-free race condition with workers. Credit to Collin Payne.
• Medium CVE-2013-2848: Possible data extraction with XSS Auditor. Credit to Egor Homakov.
• Low CVE-2013-2849: Possible XSS with drag+drop or copy+paste. Credit to Mario Heiderich.

Thursday, January 17, 2013 @ 03:01 PM gHale

As promised, Adobe released security patches for its ColdFusion application server on Tuesday, addressing four critical vulnerabilities actively exploited by attackers since the beginning of the New Year.

The company published a security advisory about the four vulnerabilities, identified as CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632, Jan. 4 and said at the time that it was aware of these flaws undergoing exploits against users.

Two of the vulnerabilities allow attackers to bypass the normal authentication restrictions of a ColdFusion application server in order to gain administrative access. Another flaw allows unauthorized users to access restricted directories, while the fourth can result in information disclosure on a compromised ColdFusion server.

Adobe released hotfixes for ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0. The company recommends customers update their installations using the instructions provided in a help document for their respective product version.

Adobe classified these vulnerabilities as critical and assigned a priority rating of 1 — the highest available — to the released hotfixes.

Just last week, Adobe patched two vulnerabilities for Acrobat/Reader and Flash Player, while the company.

Wednesday, January 9, 2013 @ 05:01 PM gHale

Microsoft is facing a Zero Day with Internet Explorer and while they work to patch the issue, they developed a workaround. The problem is there is a workaround around the workaround.

Security researchers at Exodus Intelligence developed a bypass for the Fix It Microsoft released as a temporary mitigation.

Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.

IE 6 and 7 also hold the same use-after-free memory vulnerability (CVE-2012-4792), but are currently facing exploits. Microsoft said the impact of the attacks seems limited; IE 9 and 10 are not vulnerable, Microsoft said.

Brandon Edwards, vice president of Intelligence at Exodus, said his firm’s researchers looked at the Fix It to determine how much of the vulnerability it prevented.

“Usually, there are multiple paths one can take to trigger or exploit a vulnerability,” Edwards said. “The Fix It did not prevent all those paths.”

The Fix It, according to Microsoft, is an appcompat shim that modifies in memory a particular function to always return NULL, resulting in a safe crash of the browser rather than allowing for remote code execution.

“It comes down to clearly understanding the root cause and ways the browser can get to the affected code,” Edwards said. “The Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities.”

In the meantime, a handful of political, social and human rights sites in the U.S., Russia, China and Hong Kong remain infected and serving malware, for weeks in some cases, that exploits the IE Zero Day.

Microsoft is aware of the Exodus Intelligence exploit; researchers at Exodus said they will not disclose details of their exploit until Microsoft addresses the vulnerability.

Earlier this week, Exodus developed what it called a more advanced exploit of the IE vulnerability, which led them to look more closely at the Fix It. Unlike the original remote code injection exploit, this one does not require a heap spray to execute it.

Peter Vreugdenhil said they were able to take advantage of IE8’s support for HTML+TIME, which the company no longer supports in more current versions of the browser. The researchers were able to create an array with pointers to strings they controlled, he said, enabling them to control system calls without a heap spray.

Thursday, October 25, 2012 @ 04:10 PM gHale

Korenix mitigated the undocumented hard-coded root credentials in the firmware of its Korenix JetPort 5600 system application, according to a report on ICS-CERT.

The remotely exploitable vulnerability, released by Digital Bond’s Reid Wightman without coordination with ICS-CERT, the vendor, or any other coordinating entity, would allow attackers to exploit the product by using the hard-coded credential to log into the device with administrative privileges and gain access to the attached serial devices.

The Korenix JetPort is an industrial serial device server to control multiple serial devices over Ethernet. Korenix produced an upgraded firmware version that removes the accounts. This product sees use worldwide, primarily in the communications and information technology sectors. Exploits that target this vulnerability are publicly available. All versions of the JetPort 5600 series suffer from the issue.

Once an attacker gains access, it would be possible to read and write to the file system and reconfigure the device. Attackers may also have access to other serial devices attached to this product.

Taiwan-based Korenix, acquired by Beijer Electronics in 2010, has offices in several countries around the world, including the U.S., China, and Spain.

The JetPort 5600 series is a 4-port redundant serial device server that provides users with four serial interfaces. The device can control up to four serial devices over the Ethernet. Users can configure the device over HTTPS/SSH or by using the Korenix JetPort Commander software.

The affected products are industrial serial device servers used for SCADA systems. According to Korenix, they are in several sectors including the communications (50%) and information technology (50%) sectors.

An attacker can log into the device using the hard-coded credentials that grant administrative access. Administrative credentials allow users to change device settings and read and write to the file system. This could result in a loss of confidentiality, integrity, or availability. CVE-2012-4577 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

Korenix developed an upgraded version of firmware (v2.01) for the affected products. The upgraded firmware removes the root and guest accounts. Developers also removed the current version of OpenSSL (v0.9.8b). The v2.01 firmware cannot downgrade to v1.X.2 once upgraded. The Windows-based JetPort configuration tool, JetPort Commander, also upgraded to v3.0. The user can download the firmware upgrade from the Korenix software update Web site.

Monday, September 24, 2012 @ 03:09 PM gHale

Browser-related exploits, like recent ones for Internet Explorer and Java, are increasing along with renewed concerns around social media password security, a new survey found.

On top of that, there seems to be a disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.

There is a continuing trend for attackers to target individuals by directing them to a trusted URL or site injected with malicious code, according to the IBM X-Force 2012 Mid-Year Trend and Risk Report.

Through browser vulnerabilities, attackers are able to install malware on the target system. In addition, the growth of SQL injection, a technique used by attackers to access a database through a website, is keeping pace with the increased usage of cross-site scripting and directory traversal commands, the survey said.

IBM also noted attackers are no longer primarily attracted to the Windows universe. The user base for the Mac operating system continues to grow worldwide, so that system is also becoming a bigger target of advanced persistent threats (APTs) and exploits.

“We’ve seen an increase in the number of sophisticated and targeted attacks, specifically on Macs and exposed social network passwords,” said Clinton McFadden, senior operations manager for IBM X-Force research and development. “As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data.”

At the mid-year point in 2012, IBM sees an upward trend in overall vulnerabilities, with the possibility of an all-time high by year-end. Having said that, the survey shows a decline in true exploits, with only 9.7% of all publicly disclosed vulnerabilities subjected to exploits.

That’s mainly due to improvements from the top ten vendors on patching vulnerabilities and a significant decrease in the area of portable document format (PDF) vulnerabilities. IBM said this area of improvement directly relates to the new technology of sandboxing provided by the Adobe Reader X release.

Sandboxing technology works by isolating an application from the rest of the system, so if compromised, the attacker code running within the application is limited in what it can do or access. Sandboxes are proving to be a successful investment from a security perspective, IBM noted. In the X-Force report, there was a significant drop in Adobe PDF vulnerability disclosures during the first half of 2012, which coincides nicely with the adoption of Adobe Reader X, the first version of Acrobat Reader released with sandboxing technology.

In terms of mobile security, the BYOD phenomenon continues to be the main game-changing transformation. Many companies are still in their infancy in adapting policies for allowing employees to connect their personal laptops or smartphones to the company network.

While there are reports of exotic mobile malware, most smartphone users are still most at risk of premium SMS scams, which automatically send text messages to premium phone numbers in a variety of different countries from installed applications.

There are multiple scam infection approaches for this, such as offering users an application that looks legitimate in an app store but only has malicious intent; presenting an application that is a clone of a real application with a different name and some malicious code; or hacking a real application to wrap it with malicious code. The latter is typically in an alternative app store.

Thursday, September 6, 2012 @ 06:09 PM gHale

It wasn’t that long ago when a report came out saying the WAGO I/O System 758 product line had a hard-coded credentials and improper access controls vulnerability.

This report came out without coordination with ICS-CERT or with the vendor. After further research, there is, in fact, a problem with improper authentication, but it is with a third-party vendor and not WAGO. The problem exists, but the company is different.

The improper authentication vulnerability is in multiple WAGO products.

So now, ICS-CERT is coordinating this vulnerability with 3-S Smart Software Solutions, the third-party supplier.

WAGO confirmed its I/O System 758 products use default operating system credentials. These credentials ended up disclosed, but WAGO provided no information on how to change the default passwords. WAGO released a procedure with additional documentation on how to change the default operating system passwords in Models 758-874, 758-875, and 758-876. WAGO also released a best security practices document that makes recommendations on how to best secure its industrial control system (ICS) products.

These vulnerabilities are exploitable remotely and proof-of-concept (PoC) exploits are known to exist.

The following WAGO products suffer from the issue:
• I/O System 758, Model 758-870,
• I/O System 758, Model 758-874,
• I/O System 758, Model 758-875, and
• I/O System 758, Model 758-876.

Attackers are able to exploit these vulnerabilities by using the default credentials to gain unauthorized administrative access to the systems.

WAGO is an international company based in Germany and they operate production facilities in Germany, Switzerland, Poland, China, and India. WAGO maintains offices worldwide.

According to WAGO, its products deploy across several sectors including manufacturing, building automation, electric generation, transportation, and others.

The operating system software of the WAGO I/O System 758 product line uses three user accounts with default passwords and no method to change these passwords. An attacker could use the default password to gain administrative control through the Telnet service of the system leading to a loss of integrity, loss of confidentiality, or loss of availability. CVE-2012-3013 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.

WAGO IPCs offer the 3-S Smart Software Solutions CoDeSys runtime to program the IPC similar to a programmable logic controller. The CoDeSys software allows unauthenticated connections to the server to run arbitrary commands. This could allow possible remote code execution. A separate advisory with a CVE number and CVSS score for this vulnerability will come out as more information becomes available.

WAGO developed a procedure for the I/O System 758, Models 758-874, 758-875, and 758-876 that allows users to change passwords for their default operating system accounts.

The WAGO Security Settings Application Note discusses changing the Web-based Management passwords as well as the Linux console passwords and lists security recommendations for their customers.

This procedure does not provide instructions to change the default passwords on the I/O System 758, Model 758-870, as the company is no longer making it. WAGO released a cyber security notification to its customers that details the best security settings and practices for its ICS products.

Friday, August 17, 2012 @ 03:08 PM gHale

Nine of 13 consumer antivirus products tested failed to provide adequate protection against exploits targeting two recent critical Microsoft vulnerabilities, said NSS Labs.

Only 4 vendors – Avast, Kaspersky, McAfee and Trend Micro – blocked all attacks delivered over HTTP and HTTPS.

“This particular exploit test was a small part of a much more comprehensive endpoint security test underway at NSS Labs that will be published next month,” said Randy Abrams, research director at NSS Labs. “These results clearly demonstrate protection deficiencies for many vendors when their products are configured with default ‘out-of-the-box’ settings, which are what’s most commonly employed in the consumer market.”

“This test revealed that numerous vendors that protected against an exploit over HTTP failed to protect against the same exploit delivered via HTTPS,” said Bob Walder, chief research officer at NSS Labs. “Vendors who did not perform well might want to reconsider their default settings in this age of attacks against SSL and other protocols.”

“There are additional concerns for the enterprise,” Abrams adds. “Enterprises embracing the ‘bring your own device’ (BYOD) approach to workplace technology need to be aware of the ramifications of the product selection choices their users make, as they impact the organization’s security posture and attack profile.”

NSS Labs is currently running in-depth consumer end point protection (EPP) group testing that will further test all 13 vendors in several key areas – exploits, evasions, performance and protection against live malware, drive-by attacks and phishing.

Reports featuring the results for each test area will be released as testing wraps up.

Tested products include:
• Avast Internet Security 7
• AVG Internet Security 2012
• Avira Internet Security 2012
• CA Total Defense Internet Security Suite
• ESET Smart Security 5
• F-Secure Internet Security 2012
• Kaspersky Internet Security
• McAfee Internet Security 2012
• Microsoft Security Essentials
• Norman Security Suite Pro
• Norton Internet Security 2012
• Panda Internet Security 2012
• Trend Micro Titanium + Internet Security.

Tuesday, August 7, 2012 @ 06:08 PM gHale

As if it wasn’t already abundantly clear, XYSEC Labs security experts developed the Android Framework for Exploitation (AFE), an open source project meant to demonstrate the existence of security holes in the popular mobile operating system.

The framework can easily create malware and botnets, find vulnerabilities, use exploits, gain access to apps, steal sensitive data, and execute arbitrary commands on infected devices, said researchers Aditya Gupta and Subho Halder.

“Most of the framework has been built in Python; however, there are other languages involved as well,” Gupta said.

“For the start, we have built some pre-defined templates, in which the malware services could be injected, and the apk would be built. We have kept in mind that, it should be easy to use. The user just needs to input his local IP, and the features he would like to have in his malware, and just build it. That’s it. No programming needed,” he said.

A wave of spam messages received by Android users started talk in the security community, with many professionals pointing the finger at the first-ever Android botnet.

It later turned out that it wasn’t the case, but with the Android Framework for Exploitation the experts want to demonstrate that an Android botnet is certainly possible.

AFE’s botnet module includes options that allow the malicious element to remain hidden from the victim, the capability of re-launching itself in case of a crash, and an automatic startup feature on device boot.

The project is open source because the experts want to allow other developers to pitch in their ideas and enhance AFE’s capabilities.

AFE is constantly undergoing improvement by Gupta and Halder, but after its public release in September, the experts are counting on the community’s support in making the framework as complex as possible.

Thursday, August 2, 2012 @ 05:08 PM gHale

Even though Windows and Mac remain well separated as platforms, there are a number of applications that run on both operating systems, including things such as Adobe Flash, Reader and Java.

Attackers and malware writers, like any other specialists, are focusing their skills in one discipline in order to maximize their chances for success.

Attackers, not wanting to waste any time on small target bases and looking to maximize their profits, are focusing their efforts on vulnerabilities in these applications.

Knowing that, Microsoft researchers analyzed a series of malware samples and exploits and found some attackers are beginning to target the same vulnerability across multiple platforms as a way to make the most out of their efforts.

Microsoft researchers looked at a specific set of vulnerabilities found in applications on Windows and Mac OS X and found some attackers are going after flaws from as far back as 2009 in Office documents, and 2010 in Flash and Java and Reader.

“This observation is limited and based on the samples we identified, acquired and processed; however, this understanding provides us with an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker’s motive, the value and demand for these vulnerabilities is likely to persist – we know for a fact that Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals in exploit kits, such as Blacole/Blackhole,” said Methusela Cebrian Ferrer of the Microsoft Malware Protection Center.

Microsoft’s investigation of the way attackers are using cross-platform vulnerabilities began about a year ago when the company’s researchers came across a backdoor aimed at Mac users. The malware disguised itself as a Google app on the infected machine and then initiated a remote connection to a command-and-control server.

“Once connected, the remote attacker may take advantage of the backdoor file management feature, which allows it to upload, download and navigate through files and directories. For more detail, have a look at the Backdoor:MacOS_X/Olyx.A description in our encyclopedia,” Ferrer said.
