Posts Tagged ‘exploit’

Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Wednesday, July 19th, 2017
internet-of-the-things-hacking

Security researchers have discovered a critical remotely exploitable vulnerability in an open-source software development library used by major manufacturers of the Internet-of-Thing devices that eventually left millions of devices vulnerable to hacking.

The vulnerability (CVE-2017-9765), discovered by researchers at the IoT-focused security firm Senrio, resides in the software development library called gSOAP toolkit (Simple Object Access Protocol) — an advanced C/C++ auto-coding tool for developing XML Web services and XML application.

Dubbed “Devil’s Ivy,” the stack buffer overflow vulnerability allows a remote attacker to crash the SOAP WebServices daemon and could be exploited to execute arbitrary code on the vulnerable devices.

The Devil’s Ivy vulnerability was discovered by researchers while analysing an Internet-connected security camera manufactured by Axis Communications.

“When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed,” researchers say.

“Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.”

Axis confirmed the vulnerability that exists in almost all of its 250 camera models (you can find the complete list of affected camera models here) and has quickly released patched firmware updates on July 6th to address the vulnerability, prompting partners and customers to upgrade as soon as possible.

However, researchers believe that their exploit would work on internet-connected devices from other vendors as well, as the affected software is used by Canon, Siemens, Cisco, Hitachi, and many others.

Axis immediately informed Genivia, the company that maintains gSOAP, about the vulnerability and Genivia released a patch on June 21, 2017.

The company also reached out to electronics industry consortium ONVIF to ensure all of its members, including Canon, Cisco, and Siemens, those who make use of gSOAP become aware of the issue and can develop patches to fix the security hole.

Internet of Things (IoT) devices has always been the weakest link and, therefore, an easy entry for hackers to get into secured networks. So it is always advisable to keep your Internet-connected devices updated and away from the public Internet.

Source: Remotely Exploitable Flaw Puts Millions of Internet-Connected Devices at Risk

Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Wednesday, July 19th, 2017
Cisco-WebEx-Remote-Command-Execution

A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim’s computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help users connect and collaborate with colleagues around the world.  The extension has roughly 20 million active users.Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a designing defect in the WebEx browser extension. To exploit the vulnerability, all an attacker need to do is trick victims into visiting a web page containing specially crafted malicious code through the browser with affected extension installed.  Successful exploitation of this vulnerability could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

“I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well.”Cisco has already patched the vulnerability and released “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox browsers that address this issue, though “there are no workarounds that address this vulnerability.”

“This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows,” Cisco confirmed in an advisory released today.

Download Cisco WebEx Extension 1.0.12

In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.

 Fortunately, Apple’s Safari, Microsoft’s Internet Explorer and Microsoft’s Edge are not affected by this vulnerability.  Cisco WebEx Productivity Tools, Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected by the vulnerability, the company confirmed.The remote code execution vulnerability in Cisco WebEx extension has been discovered second time in this year.

 

Source: Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Cisco ASR 1000 Series Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability

Tuesday, August 4th, 2015

Summary: A vulnerability in the code handling the reassembly of fragmented IP version 4 (IPv4) or IP version 6 (IPv6) packets of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a crash of the Embedded Services Processor (ESP) processing the packet. The vulnerability is due to improper processing of crafted, fragmented packets. An attacker could exploit this vulnerability by sending a crafted sequence of fragmented packets. An exploit could allow the attacker to cause a reload of the affected platform. Cisco has released software updates that address this vulnerability. There are no workarounds to mitigate this vulnerability. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150730-asr1k

Vulnerable Products: All Cisco ASR 1000 Series Aggregation Services Routers models are affected by this vulnerability when running an affected version of Cisco IOS XE Software. This vulnerability does not depend on any specific combination of ESP and Route Processor (RP) installed on the chassis. Any combination of ESP and RP is affected. Products Confirmed Not Vulnerable

Details: A vulnerability in the code handling the reassembly of fragmented IP version 4 (IPv4) or IP version 6 (IPv6) packets of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause a crash of the Embedded Services Processor (ESP) processing the packet. The vulnerability is due to improper processing of crafted, fragmented packets. An attacker could exploit this vulnerability by sending a crafted sequence of fragmented packets. An exploit could allow the attacker to cause a reload of the affected platform. This vulnerability can be triggered by IPv4 or IPv6 crafted, fragmented packets destined to the device itself. It cannot be triggered by transit traffic. This vulnerability could be repeatedly exploited to cause an extended DoS condition. This vulnerability is documented in Cisco bug ID CSCtd72617 (registered customers only), and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-4291.

Vulnerability Scoring Details Cisco has scored the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss CSCtd72617

– Cisco IOS XE Software Fragmented Packet Denial of Service Vulnerability Calculate the environmental score of CSCtd72617 CVSS Base Score – 7.8 Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact Network Low None None None Complete CVSS Temporal Score – 6.4 Exploitability Remediation Level Report Confidence Functional Official-Fix Confirmed

Impact

Successful exploitation of this vulnerability may cause a crash of the ESP processing the packet, resulting in a DoS condition. Repeated exploitation could result in an extended DoS condition.

Software Versions and Fixes When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Alerts archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. This vulnerability has been fixed in the following Cisco IOS XE Software versions:

Cisco IOS XE Software Train First Fixed Release 2.1 Vulnerable;

migrate to 2.5.1 or later.

(1) 2.2 Vulnerable; migrate to 2.5.1 or later.

(1) 2.3 Vulnerable; migrate to 2.5.1 or later.

(1) 2.4 2.4.3 (1) 2.5 2.5.1 (1)

Source: Cisco ASR 1000 Series Aggregation Services Routers Fragmented Packet Denial of Service Vulnerability

Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password

Tuesday, August 4th, 2015

Hackers have their hands on something of your concern. A severe zero-day vulnerability in the latest, fully patched version of Apple’s Mac OS X is reportedly being exploited in the wild by the hackers. The vulnerability could allow attackers to install malware and adware onto a target Mac, running OS X 10.10 (Yosemite) operating system, without requiring victims to enter system passwords, a new report says. The zero-day bug came over a week after security researcher Stefan Esser discovered a privilege escalation zero-day vulnerability in the latest version of Apple’s OS X Yosemite that caused due to environment variable DYLD_PRINT_TO_FILE and dynamic linker dyld, new error-logging features added to the operating system. The developers failed to implement standard safeguards that are needed while adding support for new environment variables to the OS X dynamic linker dyld, allowing hackers to create or modify files with root privileges that can fit anywhere in the Mac OS X file system. OS X Zero-Day Exploit in the Wild Now, security researchers from anti-malware firm Malwarebytes spotted a malicious installer in the wild that was exploiting the zero-day vulnerability to infect Macs with different types of adware including VSearch, MacKeeper and Genieo.

The issue actually resides in a hidden Unix file – Sudoers – which is actually a list of files as to which software are allowed to get root permissions on a computer. However, a modification to the Sudoers allowed the installer to gain root level permissions without the need of password from an administrator. The issue was discovered by Adam Thomas while testing a new adware installer. “The script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed,” Malwarebytes researchers explains in a blog post. “Part of the script involves deleting itself when it’s finished.” “The real meat of the script, though, involves modifying the Sudoers file.

The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.” No Way Out for Mac Users The zero-day flaw affects both the current stable Mac version OS X 10.10 (build 10.10.4) and the recent Beta build OS X 10.10.5 (Yosemite). Good news for Mac users who are running Mac OS X 10.11 El Capitan Beta builds, as it appears that they are not affected by the zero-day flaw. Until Apple patches this critical issue, you don’t have any good options to prevent a skilled hacker from installing malware on your Mac systems, beyond using a patch created by Esser himself, which can be downloaded from here. No doubt, Esser is a respected security researcher, but installing a patch from a third party developer can be a risky. Therefore, we advise you to fully investigate the patch before installing.

Source: Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password

Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

Tuesday, August 4th, 2015

A recently disclosed vulnerability in Bind, the most widely used software for translating human-friendly domain names into IP addresses used by servers, makes it possible for lone-wolf attackers to bring down huge swaths of the Internet, a security researcher has warned.The flaw, which involves the way that Bind handles some queries related to transaction key records, resides in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. Attackers can exploit it by sending vulnerable servers a malformed packet that’s trivial to create. Vulnerable servers, in turn, will promptly crash. There are no indications that the vulnerability is being actively exploited in the wild, and the bug wasn’t disclosed until a fix was in place. Still, the critical vulnerability underscores the fragility of Bind, which despite its three decades in use and unwieldy code remains the staple for the Internet’s domain name system.Rob Graham, CEO of penetration testing firm Errata Security, reviewed some of the Bind source code and the advisory that Bind developers issued earlier this week and made this sobering assessment:BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my “masscan” tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn’t mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have.Its biggest problem is that it has too many features. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today’s bug was in the rarely used “TKEY” feature, for example. DNS servers exposed to the public should have the minimum number of features—the server priding itself on having the maximum number of features is automatically disqualified.Normally, denial-of-service bugs receive low-severity ratings, but when they’re present in servers that form the Internet’s very core, the risks are much higher. Graham regularly scans almost the entire Internet to get an estimate of how many servers remain affected by the Heartbleed vulnerability in OpenSSL and other major software weaknesses. He said Bind’s code base still isn’t as bloated as that of OpenSSL, but it’s much slower than it should be despite being written using C and C++. The result: Bind has all the security weaknesses that come with those programming languages without the speed that often justifies their use anyway.Graham concluded:The point I’m trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were written perfectly, it has far too many features to be trustworthy. Its feature-richness makes it a great hidden master, it’s just all those feature get in the way of it being a simple authoritative slave server, or a simple resolver. They shouldn’t rewrite it from scratch, but if they did, they should choose a safe language and not use C/C++.

Source: Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

600TB MongoDB Database ‘accidentally’ exposed on the Internet

Monday, July 27th, 2015

This huge MongoDB database isn’t exposed due to a flaw in its latest version of the software, but due to the use of out-of-date and unpatched versions of the platform that fail to bind to localhost.

While investigating NoSQL databases, Matherly focused on MongoDB that is growing in popularity.

“It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 [in which listening is enabled for all interfaces] by default, which looks like a maintenance release done on April 28, 2015,” Matherly wrote in a blog post.

The security issue was first reported as a critical vulnerability back in February of 2012 by Roman Shtylman, but it took MongoDB developers a bit more than two years to rectify this security flaw.

Affected, outdated versions of MongoDB database do not have a ‘bind_ip 127.0.0.1′ option set in the mongodb.conf, potentially leaving users’ server vulnerable if they are not aware of this setting.

According to Shtylman, “The default should be to lockdown as much as possible and only expose if the user requests it.”

Affected Versions

Earlier instances of version 2.6 appeared to have been affected, significantly putting users of MongoDB database version 2.4.9 and 2.4.10, followed by 2.6.7, at risk.

Majority of publicly exposed MongoDB instances run on cloud servers such as Amazon, Digital Ocean, Linode, and Internet service and hosting provider OVH and do so without authentication, making cloud services more buggy than datacenter hosting.

“My guess is that cloud images do not get updated as often, which translates into people deploying old and insecure versions of software,” Matherly said.

Affected users are recommended to immediately switch to the latest versions as soon as possible.

This isn’t first time when MongoDB instances are exposed to the Internet, back in February German researchers found nearly 40,000 MongoDB instances openly available on the Internet.

via 600TB MongoDB Database ‘accidentally’ exposed on the Internet.

WARNING! Android phones can be hacked with a simple text

Monday, July 27th, 2015

The problem stems from the way Android phones analyze incoming text messages. Even before you open a message, the phone automatically processes incoming media files — including pictures, audio or video. That means a malware-laden file can start infecting the phone as soon as it’s received, according Zimperium, a cybersecurity company that specializes in mobile devices.

If this sounds familiar, that’s because this Android flaw is somewhat like the recent Apple text hack.

But in that case, a text message with just the right characters could freeze an iPhone or force it to restart. This Android flaw is worse, because a hacker could gain complete control of the phone: wiping the device, accessing apps or secretly turning on the camera.

In a statement to CNNMoney, Google (GOOGLTech30) acknowledged the flaw. It assured that Android has ways of limiting a hacker’s access to separate apps and phone functions. Yet hackers have been able to overcome these limitations in the past.

The bug affects any phone using Android software made in the last five years, according to Zimperium. That includes devices running Android’s Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat and Lollipop iterations (Google names its Android versions alphabetically after desserts).

android text

Zimperium said it warned Google about the flaw on April 9 and even provided a fix. The company claims Google responded the very next day, assuring a patch would be shared with customers in the future.

Typically, in these situations, companies are given a 90-day grace period to issue a fix. It’s a rule even Google abides by when it finds flaws in others’ software.

But it’s been 109 days, and a fix still isn’t largely available. That’s why Zimperium is now going public with the news.

The issue now is how quickly Google will manage to fix this for everybody. While Apple can push out updates to all iPhones, Google can’t.

Google is notorious for having a fractured distribution system. Several entities stand in between Google and its users, and they routinely slow down the release of new software. There’s phone carriers — like AT&T (TTech30) and Verizon (VZTech30) — and makers of physical devices — likeSamsung (SSNLF) — all of which need to work together to issue software updates.

Google told CNNMoney it already sent a fix to its “partners.” However, it’s unclear if any of them have started pushing that out to users themselves.

For that very reason, Google recently put its own Nexus phones first in line to receive updates.

This could be a test case that shows why it’s so important to receive updates quickly.

Chris Wysopal is a longtime hacker and now an executive at cybersecurity firm Veracode. He called this Android’s version of Heartbleed, the devastating bug that put millions of computer networks at serious risk last year.

“I’m interested to see if Google comes up with a way to update devices remotely,” he said. “Unless they can do that, we have a big disaster on our hands.”

 

Android phones can be hacked with a simple text – Jul. 27, 2015.

rpp0/aggr-inject · GitHub

Thursday, July 2nd, 2015

aggr-inject is a proof-of-concept implementation of the A-MPDU subframe injection attack, which allows an attacker to inject raw Wi-Fi frames into unencrypted networks remotely. The PoC exploits a vulnerability in the 802.11n frame aggregation mechanism and can be performed against almost any modern Wi-Fi chipset, given that the target is connected to an open network. Results from this research were published in a paper and presented at the ACM WiSec 2015 security conference.

https://github.com/rpp0/aggr-inject

Google discloses three severe vulnerabilities in Apple OS X – CNET

Friday, January 23rd, 2015

Google’s Project Zero security team revealed the existence this week of three vulnerabilities with high severity that have yet to be fixed in Apple’s OS X operating system.

Although each of the flaws requires an attacker to have access to a targeted Mac, they could all contribute to a successful attempt to elevate privilege levels and take over a machine.

The first flaw, “OS X networkd “effective_audit_token” XPC type confusion sandbox escape,” involves circumvention of commands in the network system and may be mitigated in OS X Yosemite, but there is no clear explanation of whether this is the case. The second vulnerability documents “OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator.” The third one, “OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice.” includes an exploit related to OS X’s kernel structure.

Each vulnerability, as with any disclosed by the Project Zero team, includes a proof-of-concept exploit.

The vulnerabilities were reported to Apple back in October but the flaws have not been fixed. After 90 days, details of vulnerabilities found by Project Zero are automatically released to the public — which is what happened this week.

Project Zero, which Google officially launched in mid-2014, tasks researchers with uncovering any software flaws that have the potential of leading to targeted attacks on people’s computers.

On Apple’s product security page, the company states: “For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

This isn’t the first time Google’s Project Zero has published vulnerabilities that are yet to be fixed. In the past several weeks, the tech giant’s security team has published information about three separate, unpatched security flaws in Microsoft’s Windows operating system.

via Google discloses three severe vulnerabilities in Apple OS X – CNET.

InfoSec Alert: Flash 0-Day Exploit Used by Angler Exploit Kit – Browsers Targeted

Thursday, January 22nd, 2015

The “Angler” exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Window 8 + IE 10) appear to be vulnerable. Windows 8.1, or Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

via InfoSec Handlers Diary Blog – Flash 0-Day Exploit Used by Angler Exploit Kit.