DOCSLIB.ORG

Vulnerability Summary for the Week of March 13 2017

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Vulnerability Summary for the Week of March 13 2017 Vulnerability Summary for the Week of March 13 2017 Please Note: • The vulnerabilities are cattegorized by their level of severity which is either High, Medium or Low. • The !" indentity number is the #ublicly $nown %& given to that #articular vulnerability. Therefore you can search the status of that #articular vulnerability using that %&. • The CVSS (Common Vulnerability Scoring 'ystem) score is a standard scoring system used to determine the severity of the vulnerability. High Severity Vulnerabilities The Primary Vendor --- Description Date CVSS The CVE Product Published Score Identity adobe ** flash+#layer ,dobe -lash Player versions ./.0.0.2.1 and 2017-03-14 10.0 CVE-2017-2997 BID (link is earlier have an e2#loitable buffer overflow 3 external) underflow vulnerability in the Primetime T!'&4 CONFIRM (link that su##orts customizing ad information. is external) 'uccessful e2#loitation could lead to arbitrary code e2ecution. adobe ** flash+#layer ,dobe -lash Player versions ./.0.0.2.1 and 2017-03-14 10.0 CVE-2017-2998 BID (link is earlier have an e2#loitable memory corru#tion external) vulnerability in the Primetime T!'&4 ,P% CONFIRM (link functionality related to timeline interactions. is external) 'uccessful e2#loitation could lead to arbitrary code e2ecution. adobe ** flash+#layer ,dobe -lash Player versions ./.0.0.2.1 and 2017-03-14 10.0 CVE-2017-2999 BID (link is earlier have an e2#loitable memory corru#tion external) vulnerability in the Primetime T!'&4 CONFIRM (link functionality related to hosting #laybac$ surface. is external) 'uccessful e2#loitation could lead to arbitrary code e2ecution. adobe ** flash+#layer ,dobe -lash Player versions ./.0.0.2.1 and 2017-03-14 10.0 CVE-2017-3001 BID (link is earlier have an e2#loitable use after free external) CONFIRM (link vulnerability related to garbage collection in the is external) ,ction'cri#t . !M. 'uccessful e2#loitation could lead to arbitrary code e2ecution. adobe ** flash+#layer ,dobe -lash Player versions ./.0.0.2.1 and 2017-03-14 10.0 CVE-2017-3002 BID (link is earlier have an e2#loitable use after free external) vulnerability in the ,ction'cri#t. Te2t-ield CONFIRM (link ob5ect related to the variable #roperty. is external) 'uccessful e2#loitation could lead to arbitrary code e2ecution. adobe ** flash+#layer ,dobe -lash Player versions ./.0.0.2.1 and 2017-03-14 10.0 CVE-2017-3003 BID (link is earlier have an e2#loitable use after free external) vulnerability related to an interaction between CONFIRM (link the #rivacy user interface and the ,ction'cri#t . is external) amera ob5ect. 'uccessful e2#loitation could lead to arbitrary code e2ecution. alienvault ** ossim The logchec$ function in session.inc in 2017-03-15 7.5 CVE-2016-7955 BUGTRAQ ,lien!ault 6''%M before 7.3.1, when an action (link is external) has been created, and 9'M before 7.3.1 allows MISC (link is remote attac$ers to bypass authentication and external) CONFIRM (link conse:uently obtain sensitive information, is external) modify the a##lication, or e2ecute arbitrary code as root via an ;,! <e#ort 'cheduler; HTTP 9ser* ,gent header. a#ache ** struts The =a$arta Multi#art #arser in ,#ache 'truts . 2017-03-10 10.0 CVE-2017-5638 MISC (link is ..8.x before ..3.3. and ..5.x before ..5.10.1 external) mishandles file u#load, which allows remote MISC (link is attac$ers to e2ecute arbitrary commands via a external) MISC (link is >cmd= string in a crafted ontent*Type HTTP external) header, as e2#loited in the wild in March .01@. BID (link is external) MISC (link is external) CONFIRM EXPLOIT-DB (link is external) CONFIRM CONFIRM MISC (link is external) MISC (link is external) MISC (link is external) MISC MISC (link is external) MISC (link is external) azure+de2 ** %n ,zure Data "2#ert 9ltimate ..2.1A, the 'MTP 2017-03-10 7.5 CVE-2017-6506 MISC (link is data+e2#ert+ultimate verification function suffers from a buffer external) overflow vulnerability, leading to remote code BID (link is e2ecution. The attac$ vector is a crafted 'MTP external) EXPLOIT-DB daemon that sends a long ..0 (a$a ;'ervice (link is external) ready") string. bitlbee ** bitlbee 9se*after*free vulnerability in bitlbee*lib#ur#le 2017-03-14 7.5 CVE-2016- 10188 before 8.5 allows remote servers to cause a MLIST (link is denial of service (crash) or #ossibly e2ecute external) arbitrary code by causing a file transfer MLIST (link is external) connection to e2#ire. BID (link is external) CONFIRM bitlbee ** bitlbee*lib#ur#le bitlbee*lib#ur#le before 8.5.1 allows remote 2017-03-14 7.5 CVE-2017-5668 MLIST (link is attac$ers to cause a denial of service (NULL external) #ointer dereference and crash) and #ossibly MLIST (link is e2ecute arbitrary code via a file transfer re:uest external) BID (link is for a contact that is not in the contact list. NOTE: external) this vulnerability e2ists because of an CONFIRM incom#lete fi2 for !"*.01A*101BC. CONFIRM (link is external) cambium+networ$s ** On ambium Networ$s cnPilot <.003.01 devices 2017-03-10 10.0 CVE-2017-5859 CONFIRM (link cn#ilot+r.00+series+firm before /.3, there is a vulnerability involving the is external) ware certificate of the device and its <', $eys, a$a <DN-1B8. embedthis ** goahead , command-in5ection vulnerability e2ists in a 2017-03-13 9.0 CVE-2017-5675 MISC (link is web a##lication on a custom*built EoAhead web external) server used on -oscam, !starcam, and multi#le MISC (link is white*label %P camera models. The mail-sending external) form in the mail.htm #age allows an attac$er to in5ect a command into the receiver1 field in the formF it will be e2ecuted with root #rivileges. f*secure ** -*'ecure 'oftware 9#dater ..20, as distributed in 2017-03-11 9.3 CVE-2017-6466 MISC software+u#dater several -*'ecure #roducts, downloads BID (link is installation #ac$ages over #lain htt# and does external) not #erform file integrity validation after download. Man*in*the*middle attac$ers can re#lace the file with their own e2ecutable which will be e2ecuted under the 'G'TEM account. Note that when 'oftware 9#dater is configured to install u#dates automatically, it chec$s if the downloaded file is digitally signed by default, but does not chec$ the author of the signature. Hhen running in manual mode (default), no signature chec$ is #erformed. imagemagic$ ** Memory lea$ in the %s6#tionMember function in 2017-03-14 7.8 CVE-2016- 10252 imagemagic$ Magic$ ore3option.c in %mageMagic$ before CONFIRM A.C.2*., as used in 6&<*PadEnc and other CONFIRM #roducts, allows attac$ers to trigger memory CONFIRM (link is external) consum#tion. imagemagic$ ** The gnu#lot delegate functionality in 2017-03-15 7.5 CVE-2016-5239 MISC imagemagic$ %mageMagic$ before A.9.4*0 and Era#hicsMagic$ MLIST (link is allows remote attac$ers to e2ecute arbitrary external) commands via uns#ecified vectors. BID (link is external) libgd ** libgd %nteger underflow in the +gdContributions,lloc 2017-03-15 7.5 CVE-2016- 10166 function in gd_inter#olation.c in the ED CONFIRM (link Era#hics Library (a$a libgd) before ..2.4 allows is external) remote attac$ers to have uns#ecified im#act via MLIST (link is external) vectors related to decrementing the u variable. MLIST (link is external) BID (link is external) CONFIRM (link is external) logbac$ ** logbac$ I6'.ch Logbac$ before 1.2.0 has a serialization 2017-03-13 7.5 CVE-2017-5929 CONFIRM (link vulnerability affecting the 'oc$et'erver and is external) 'erver'oc$et<eceiver com#onents. microsoft ** edge , remote code e2ecution vulnerability e2ists 2017-03-16 7.6 CVE-2017-0034 BID (link is when Microsoft Edge im#roperly accesses external) ob5ects in memory. The vulnerability could CONFIRM (link is external) corru#t memory in a way that enables an attac$er to e2ecute arbitrary code in the conte2t of the current user. ,n attac$er who successfully e2#loited the vulnerability could gain the same user rights as the current user. %f the current user is logged on with administrative user rights, an attac$er could ta$e control of an affected system. ,n attac$er could then install #rogramsF view, change, or delete dataF or create new accounts with full user rights. microsoft ** The scri#ting engine in Microsoft %nternet 2017-03-16 7.6 CVE-2017-0040 BID (link is internet+e2#lorer "2#lorer C through 11 allows remote attac$ers to external) e2ecute arbitrary code or cause a denial of CONFIRM (link service (memory corru#tion) via a crafted web is external) site, a$a ;'cri#ting Engine Memory orru#tion !ulnerability." This vulnerability is different from that described in !"*.01@*0180. microsoft ** Microsoft %nternet "2#lorer C through 11 allow 2017-03-16 7.6 CVE-2017-0149 BID (link is internet+e2#lorer remote attac$ers to e2ecute arbitrary code or external) cause a denial of service (memory corru#tion) via CONFIRM (link a crafted web site, a$a ;%nternet "2#lorer is external) Memory orru#tion !ulnerability." This vulnerability is different from those described in !"*.01@*001B and !"*.01@*008@. microsoft ** The 'MDv1 server in Microsoft Hindows !ista 2017-03-16 9.3 CVE-2017-0143 BID (link is server+message+bloc$ 'P.F Hindows 'erver .00B 'P. and <. 'P1F external) Hindows @ 'P1F Hindows B.1F Hindows 'erver CONFIRM (link .01. Eold and <.F Hindows <T B.1F and is external) Hindows 10 Eold, 1711, and 1A0@F and Hindows 'erver .01A allows remote attac$ers to e2ecute arbitrary code via crafted #ac$ets, a$a ;Hindows 'MD <emote ode "2ecution !ulnerability." This vulnerability is different from those described in !"*.01@*01//, !"*.01@*01/7, !"*.01@*01/A, and !"*.01@*01/B.
Load more

Recommended publications
  • A Review of Fuzzing Tools and Methods 1 Introduction
    A Review of Fuzzing Tools and Methods James Fell, [email protected] Originally published in PenTest Magazine on 10th March 2017 1 Introduction Identifying vulnerabilities in software has long been an important research problem in the field of information security. Over the last decade, improvements have been made to programming languages, compilers and software engineering methods aimed at reducing the number of vulnerabilities in software [26]. In addition, exploit mitigation features such as Data Execution Prevention (DEP) [65] and Address Space Layout Randomisation (ASLR) [66] have been added to operating systems aimed at making it more difficult to exploit the vulnerabilities that do exist. Nevertheless, it is fair to say that all software applications of any significant size and complexity are still likely to contain undetected vulnerabilities and it is also frequently possible for skilled attackers to bypass any defences that are implemented at the operating system level [6, 7, 12, 66]. There are many classes of vulnerabilities that occur in software [64]. Ultimately they are all caused by mistakes that are made by programmers. Some of the most common vulnerabilities in binaries are stack based and heap based buffer overflows, integer overflows, format string bugs, off-by-one vulnerabilities, double free and use-after-free bugs [5]. These can all lead to an attacker hijacking the path of execution and causing his own arbitrary code to be executed by the victim. In the case of software running with elevated privileges this can lead to the complete compromise of the host system on which it is running.
    [Show full text]
  • Software Vulnerabilities Principles, Exploitability, Detection and Mitigation
    Software vulnerabilities principles, exploitability, detection and mitigation Laurent Mounier and Marie-Laure Potet Verimag/Université Grenoble Alpes GDR Sécurité – Cyber in Saclay (Winter School in CyberSecurity) February 2021 Software vulnerabilities . are everywhere . and keep going . 2 / 35 Outline Software vulnerabilities (what & why ?) Programming languages (security) issues Exploiting a sofwtare vulnerability Software vulnerabilities mitigation Conclusion Example 1: password authentication Is this code “secure” ? boolean verify (char[] input, char[] passwd , byte len) { // No more than triesLeft attempts if (triesLeft < 0) return false ; // no authentication // Main comparison for (short i=0; i <= len; i++) if (input[i] != passwd[i]) { triesLeft-- ; return false ; // no authentication } // Comparison is successful triesLeft = maxTries ; return true ; // authentication is successful } functional property: verify(input; passwd; len) , input[0::len] = passwd[0::len] What do we want to protect ? Against what ? I confidentiality of passwd, information leakage ? I control-flow integrity of the code I no unexpected runtime behaviour, etc. 3 / 35 Example 2: make ‘python -c ’print "A"*5000’‘ run make with a long argument crash (in recent Ubuntu versions) Why do we need to bother about crashes (wrt. security) ? crash = consequence of an unexpected run-time error not trapped/foreseen by the programmer, nor by the compiler/interpreter ) some part of the execution: I may take place outside the program scope/semantics I but can be controled/exploited by an attacker (∼ “weird machine”) out of scope execution runtime error crash normal execution possibly exploitable ... security breach ! ,! may break all security properties ... from simple denial-of-service to arbitrary code execution Rk: may also happen silently (without any crash !) 4 / 35 Back to the context: computer system security what does security mean ? I a set of general security properties: CIA Confidentiality, Integrity, Availability (+ Non Repudiation + Anonymity + .
    [Show full text]
  • Intrinsic Propensity for Vulnerability in Computers? Arbitrary Code Execution in the Universal Turing Machine
    Intrinsic Propensity for Vulnerability in Computers? Arbitrary Code Execution in the Universal Turing Machine Pontus Johnson KTH Royal Institute of Technology Stockholm, Sweden [email protected] Abstract and Weyuker in [4], “Turing’s construction of a universal computer in 1936 provided reason to believe that, at least in The universal Turing machine is generally considered to be principle, an all-purpose computer would be possible, and the simplest, most abstract model of a computer. This paper was thus an anticipation of the modern digital computer.” Or, reports on the discovery of an accidental arbitrary code execu- in the words of Stephen Wolfram [16], ‘what launched the tion vulnerability in Marvin Minsky’s 1967 implementation whole computer revolution is the remarkable fact that uni- of the universal Turing machine. By submitting crafted data, versal systems with fixed underlying rules can be built that the machine may be coerced into executing user-provided can in effect perform any possible computation.” Not only code. The article presents the discovered vulnerability in de- the universality, but also the simplicity of the universal Tur- tail and discusses its potential implications. To the best of our ing machine has attracted interest. In 1956, Claude Shannon knowledge, an arbitrary code execution vulnerability has not explored some minimal forms of the universal Turing ma- previously been reported for such a simple system. chine [13], and posed the challenge to find even smaller such machines. That exploration has continued to this day [16]. 1 Introduction A common strategy for understanding a problem is to re- duce it to its minimal form.
    [Show full text]
  • Security Threat Intelligence Report
    Security Threat Intelligence Report December 2020 In this issue COVID-19 vaccine manufacturers and supply chain targeted RansomEXX ransomware targeting Linux systems Botnet targets Linux servers, Linux IoT devices NSA top 25 vulnerabilities exploited by Chinese APT groups VMware zero-day vulnerability exploited in the wild Security Threat Intelligence Report About this report Message from Mark Hughes Fusing a range of public and proprietary information feeds, Cyber criminals are opportunists, and including DXC’s global network with COVID-19 vaccines shipping in of security operations centers and cyber intelligence services, multiple countries, attackers are targeting this report delivers an overview manufacturers and their supply chains in an of major incidents, insights into effort to monetize ransomware attacks at key trends and strategic threat awareness. the worst possible time and steal intellectual property and patient data. This month’s report also documents This report is a part of DXC Labs | Security, which provides insights the expanding attacks against Linux, Windows, and internet of and thought leadership to the things (IoT) devices. Also, the SolarWinds hack is top of mind for security industry. everyone. This is a rapidly evolving situation, and we will share Intelligence cutoff date: more details next month. For the most up to date information, November 30, 2020 refer to CISA guidance. Mark Hughes Senior Vice President Offerings & Strategic Partners DXC Technology Table of Threat Updates contents RansomEXX ransomware targeting
    [Show full text]
  • Check Point Threat Intelligence Bulletin
    November 2-8, 2020 YOUR CHECK POINT THREAT INTELLIGENCE REPORT TOP ATTACKS AND BREACHES Check Point Research has alerted against a wave of ransomware attacks targeting Israeli companies and corporations, using known ransomware families such as REvil and Ryuk, as well as a new family called ‘Pay2Key’. The ransomware is capable of rapid lateral movement within the company network. Check Point SandBlast Agent provides protection against these threats (Ransomware.Win32.Pay2Key; Ransomware.Win32.REvil) Luxottica, the world's largest eyewear company, has admitted it has been breached. The giant’s appointment scheduling application has been hacked, leading to the exposure of protected health information (PHI) for patients of eye care practices such as LensCrafters, Target Optical and EyeMed. Japanese game developer Capcom has suffered a breach leading to the shutdown of some its systems, possibly by the Ragnar Locker ransomware. Attackers claim that 1TB of sensitive data has been stolen. Check Point SandBlast Agent provides protection against this threat (Ransomware.Win32.Ragnar) The Italian liquor company Campari Group has been hit by the Ragnar Locker ransomware, leading to the theft of 2TB of unencrypted files. The attackers are demanding a $15 million ransom to retrieve the files. Check Point Research has uncovered an attack operation targeting the Sangoma and Asterisk VoIP phone systems at nearly 1,200 organizations. The attackers, most likely located in Gaza and the West Bank, target SIP servers to execute telecom fraud, sell phone number and gain access to the organizations’ VoIP servers. Check Point IPS provides protection against this threat (SIPVicious Security Scanner; Sangoma FreePBX Authentication Bypass (CVE- 2019-19006); Command Injection Over HTTP) North Korean surveillance campaign targeting the aerospace and defense sectors in Australia, Israel, Russia and India is spreading a new spyware called Torisma via fake job offers sent through social media.
    [Show full text]
  • Conti Ransomware: Evasive by Nature and How It Works
    BRAINTRACE THREAT ADVISORY REPORT APRIL 15, 2021 TABLE OF CONTENTS BACKGROUND ..................................................................................................................................................... 2 VULNERABILITIES PATCHED IN NETTLE'S SIGNATURE VERIFICATION ........................................................ 2 APPLE MAIL ZERO-CLICK VULNERABILITY ...................................................................................................... 2 FAKE NETFLIX APP CALLED FLIXONLINE LURING ANDROID USERS THROUGH WHATSAPP MESSAGES 3 CHARMING KITTEN APT GROUP TARGETING MEDICAL RESEARCHERS ...................................................... 4 GIGASET ANDROID UPDATE SERVER HACKED TO INSTALL MALWARE ON USERS' DEVICES .................. 5 'MORE_EGGS' MALWARE TARGETS PROFESSIONALS WITH LINKEDIN JOB OFFERS ................................ 6 SONICWALL EMAIL SECURITY VULNERABLE TO MALICIOUS HTTP REQUESTS .......................................... 7 CONTI RANSOMWARE: EVASIVE BY NATURE AND HOW IT WORKS. ......................................................... 8 REVIL RANSOMWARE NOW CHANGES PASSWORD TO AUTO-LOGIN IN SAFE MODE .............................. 9 NEW VULNERABILITY TARGETS POPULAR WINDOWS TIME SYNCH SOFTWARE ...................................... 9 RISING TIDE IN FIRMWARE CYBERATTACKS ................................................................................................. 10 UNPATCHED VULNERABILITY FOUND IN CISCO ROUTER MANAGEMENT INTERFACE ............................. 11 CRING RANSOMWARE
    [Show full text]
  • Automated Scanning Vulnerability Report
    Automated Scanning Vulnerability Report − Classified − Automated Scanning Vulnerability Report Performed by Beyond Security's Automated Scanning Host/s Tested: 192.168.4.122 Report Generated: 05 Jun 2007 13:31 Table of Contents Introduction Host Information Executive Summary Possible Vulnerabilities What Next? Introduction We have scanned your host/s 192.168.4.122 for 4345 known security holes. This scan took place on 5 Jun 2007 13:31 and took 0 hours and 5 minutes to complete. The 'Possible Vulnerabilities' section of this report lists security holes found during the scan, sorted by risk level. Note that some of these reported vulnerabilities could be 'false alarms' since the hole is never actually exploited during the scan. Some of what we found is purely informational; It will not help an attacker to gain access, but it will give him information about the local network or hosts. These results appear in the 'Low Risk / Intelligence Gathering' section. The last section of this report ('Security Tests') lists the security tests that were performed in this scan by category of vulnerability. 1/44 Automated Scanning Vulnerability Report Executive Summary Learn more about how vulnerabilities are classified Vulnerabilities by Host and Risk Level Total IP Address High Medium Low Vulnerabilities 192.168.4.122 113 33 60 20 Vulnerabilities By Risk Level Top Vulnerabilities By Host 2/44 Automated Scanning Vulnerability Report Vulnerabilities by Service and Risk Level Service Total High Risk Medium Risk Low Risk Vulnerabilities netbios−ns (137/udp) 1 0 0 1 microsoft−ds 101 33 58 10 (445/tcp) general/tcp 8 0 1 7 ntp (123/udp) 1 0 0 1 netbios−ssn 1 0 1 0 (139/tcp) general/icmp 1 0 0 1 Top Vulnerabilities By Service Top Vulnerable Services 3/44 Automated Scanning Vulnerability Report Possible Vulnerabilities High Medium Low Risk Factor: High A Total of 33 High Risk Vulnerability/ies was/were discovered.
    [Show full text]
  • Professional Mobile Espionage Attacks: Pegasus and Beyond
    #RSAC SESSION ID: MBS-R11 Professional Mobile Espionage Attacks: Pegasus and Beyond Andrew Blaich Max Bazaliy Staff Security Researcher Staff Security Researcher Lookout Lookout @ablaich @mbazaliy Video #RSAC What just happened? 3 #RSAC What just happened? “Lawful Intercept” 4 #RSAC The Target: Ahmed Mansoor 5 #RSAC Collaboration 6 #RSAC Citizen Lab: Pegasus Attribution C2 Infrastructure sms.webadv.co <-> mail1.nsogroup.com, nsoqa.com Linked to other targeted attacks in Mexico, Kenya Code identifiers Internal variables and function names Sophistication of software HackingTeam leak: marketing literature 7 #RSAC Pegasus Overview #RSAC What is Pegasus? Pegasus is espionage software Relies on jailbreaking a device to install itself The jailbreak is achieved via an exploit chain named Trident Pegasus can listen to all audio, video, text, and data communications coming into or leaving a phone 9 #RSAC Historical analysis Pegasus featured a non-public persistent remote jailbreak No/Minimal user interaction required 2011 public jailbreak “jailbreakme 3” is most similar December 2016 Luca Tedesco released a “jailbreakme” using Trident and Pangu. 10 #RSAC How does Pegasus operate on iOS? Stage 1 Stage 2 Stage 3 WebKit XNU Surveillance Spear-phish RCE exploitation + persistence Single use Safari UAF Kernel info leak + Re-jailbreak on CVE-2016-4657 CVE-2016-4655 reboot + Kernel UAF + Init. app hooks CVE-2016-4656 + Sync with C&C server = Jailbreak 11 #RSAC Exploit Chain - Trident CVE-2016-4657: Visiting a maliciously crafted website may lead to arbitrary
    [Show full text]
  • The Security Architecture of the Chromium Browser
    The Security Architecture of the Chromium Browser Adam Barth∗ Collin Jackson∗ UC Berkeley Stanford University Charles Reis∗ Google Chrome Team University of Washington Google Inc. ABSTRACT There have been a number of research proposals for mod- Most current web browsers employ a monolithic architec- ular browser architectures [8, 27, 5, 7] that contain multiple ture that combines \the user" and \the web" into a single protection domains. Like Chromium's architecture, these protection domain. An attacker who exploits an arbitrary proposals aim to provide security against an attacker who code execution vulnerability in such a browser can steal sen- can exploit an unpatched vulnerability. Unlike Chromium's sitive files or install malware. In this paper, we present the architecture, these proposals trade off compatibility with ex- security architecture of Chromium, the open-source browser isting web sites to provide architectural isolation between upon which Google Chrome is built. Chromium has two web sites or even individual pages. The browser's secu- modules in separate protection domains: a browser kernel, rity policy, known as the \same-origin policy," is complex which interacts with the operating system, and a rendering and can make such fine-grained isolation difficult to achieve engine, which runs with restricted privileges in a sandbox. without disrupting existing sites. Users, however, demand This architecture helps mitigate high-severity attacks with- compatibility because a web browser is only as useful as the out sacrificing compatibility with existing web sites. We sites that it can render. To be successful, a modular browser define a threat model for browser exploits and evaluate how architecture must support the entire web platform in addi- the architecture would have mitigated past vulnerabilities.
    [Show full text]
  • Hotfuzz: Discovering Algorithmic Denial-Of-Service Vulnerabilities Through Guided Micro-Fuzzing
    HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing William Blairy, Andrea Mambretti∗, Sajjad Arshadz, Michael Weissbacher∗, William Robertson∗, Engin Kirda∗, and Manuel Egeley yBoston University ∗zNortheastern University yfwdblair, [email protected], ∗fmbr, mw, wkr, [email protected], [email protected] Abstract—Fifteen billion devices run Java and many of them are being released to unauthorized principals (confidentiality vio- connected to the Internet. As this ecosystem continues to grow, lations). The third traditional security property, availability, is it remains an important task to discover any unknown security not exempt from this issue. However, denial-of-service (DoS) threats these devices face. Fuzz testing repeatedly runs software as a vulnerability class tends to be viewed as simplistic, noisy, on random inputs in order to trigger unexpected program and easy (in principle) to defend against. behaviors, such as crashes or timeouts, and has historically re- vealed serious security vulnerabilities. Contemporary fuzz testing This view, however, is simplistic, as availability vulnerabilities techniques focus on identifying memory corruption vulnerabilities and exploits against them can take sophisticated forms. Algo- that allow adversaries to achieve either remote code execution or rithmic Complexity (AC) vulnerabilities are one such form, information disclosure. Meanwhile, Algorithmic Complexity (AC) where a small adversarial input induces worst-case1 behavior vulnerabilities, which are a common attack vector for denial-of- in the processing of that input, resulting in a denial of service. service attacks, remain an understudied threat. While in the textbook example against a hash table an adver- In this paper, we present HotFuzz, a framework for automatically sary inserts values with colliding keys to degrade the complex- discovering AC vulnerabilities in Java libraries.
    [Show full text]
  • Softether VPN Server NDIS 5.X Windows Local Bridge Driver Local Privilege Escalation Vulnerability
    2019/07/09: SE201901: SoftEther VPN Server NDIS 5.x Windows Local Bridge Driver Local Privilege Escalation Vulnerability Published: 2019/07/09 Related: CVE-2019-11868 SoftEther VPN Security Advisory articles are published for high impact vulnerabilities (an arbitrary code execution or equivalent). Summary A vulnerability in the NDIS 5.x based Local Bridge module for SoftEther VPN 4.29 Build 9680 or older could allow the local Windows-logged-on attacker (who is already logged on to the same computer which run VPN servers) to realize a Windows local authenticated privilege escalation attacks or could result in BSODs. To exploit this vulnerability, an attacker must log on to the local Windows system which is the same computer which running the SoftEther VPN Server. An attacker could then run a specially crafted program that could exploit the vulnerability. This vulnerability affects only when the server computer is running the Local Bridge function or the SecureNAT function on Windows 2000, Windows XP, Windows Vista, Windows 7 and Windows 8.0 (not Windows 8.1). Same Windows Server family of these Windows versions could also be affected. Any systems with Windows 8.1 or Windows 10 (includes Windows Server 2012 R2, 2016, 2019), or Linux, FreeBSD, macOS or Solaris are not to be affected. This vulnerability affects only when: 1. A VPN system administrator shares a single Windows computer between the VPN server feature and local or remote login terminals for unprivileged users. (e.g. Terminal Service for the organization) or 2. A VPN system administrator allows attackers to execute any untrusted arbitrary programs in the local VPN server computer.
    [Show full text]
  • Foxes Among Us
    Foxes Among Us Foxit Reader Vulnerability Discovery and Exploitation Steven Seeley (mr_me) of Source Incite # whoami • Independent Security Researcher • ZDI platinum researcher for 2017, 2018 and 2019 • Sharing n-day writeup’s & exploit’s @ srcincite.io • Enjoys body building and practicing CRCA Wing Chun Kung Fu in México • Forever trying to learn Spanish! • ¡Me encanta México! Why target Foxit Reader? • PDF is a huge attack surface • Image rendering • JavaScript • Stream decoding • Foxit is taking vulnerability reports seriously • High user-base, the first alternative to Adobe Reader • Last public exploit was in 2010 - Affecting version 4.1.1 Why target Foxit Reader? ZERODIUM is currently acquiring zero-day exploits affecting the following products: Vulnerability != Exploit Platform and Target • Foxit Reader v9.0.1.1049 • FoxitReader.exe - SHA1: a01a5bde0699abda8294d73544a1ec6b4115fa68 • Latest version is 9.1.0.5096 • Windows 7 x86 v6.1.7601 (Fully patched) • Does/Will this work on Windows 10? • Probably, haven’t tested Agenda • Introduction to the bug classes 1. Typed Array Uninitialized Pointer Information Disclosure (CVE-2018-9948) • Vulnerability Discovery • Custom developed tools • Demo: JavaScript Bridge • Vulnerability Exploitation • Finding a suitable object • Leaking the vtable and calculating the base of FoxitReader Agenda 2. Text Annotations point Use-After-Free Remote Code Execution (CVE-2018-9958) • Vulnerability Discovery • Grammar based fuzzing • Vulnerability Exploitation • Heap Spray Leaking a TypedArray • Replacing the freed object • The ROP chain • Demo: Foxit Exploit • Conclusion What is an Uninitialized Pointer Vulnerability? Example: Foo *bar; bar->search('test'); The bar variable hasn’t been initialized yet, meaning it can contain data from a previous allocation. This can result in arbitrary execution of code via a vtable dispatch.
    [Show full text]