PHP has fixed several vulnerabilities allowing remote code execution


The PHP development team has released new versions in order to fix three security vulnerabilities -one of them is said to be a critical one and leads to remote code execution.

The vulnerability identified as "CVE-2014-3669" can cause an integer overflow when parsing specially crafted serialized data with the unserialize ().The vulnerability is only a 32-bit system, but the danger is caused by the breach and that the serialized data often come from user-controlled channels.

In addition, the updates have been corrected errors associated with the introduction of a null byte in the library cURL, calling the damage dynamic memory during processing of the modified data as a function of exif_thumbnail () in image processing (CVE-2014-3670), as well as buffer overflow in the function mkgmtime () from the module XMLRPC (CVE-2014-3668).

These vulnerabilities were discovered by the Research lab of IT security company High-Tech Bridge.

The new versions 5.6.2,5.5.18 and 5.4.34 address these three vulnerabilities.

Critical SQL Injection vulnerability in Drupal 7.x

Security researchers from SektionEins have discovered a critical SQL Injection vulnerability in Drupal CMS that leaves a large number of websites that uses Drupal at risk.

Drupal introduced a database abstraction API in version 7.  The purpose of this API is to prevent SQL Injection attacks by sanitizing SQL Queries.

But, this API itself introduced a new and critical SQL Injection vulnerability.  The vulnerability enables attackers to run malicious SQL queries, PHP code on vulnerable websites.  A successful exploitation allows hackers to take complete control of the site.

This vulnerability can be exploited by a non-authenticated user and has been classified as "Highly Critical" one.

SektionEins didn't release the POC but released an advisory with technical details.

The vulnerability exists in the expandArguments function which is used for expanding arrays to handle SQL queries with "IN" Operator. 

The vulnerability affects Drupal core 7.x versions prior.  Users of 7.x versions are advised to update their CMS immediately.

You can also directly modify the "includes/database.inc" file to patch this vulnerability; Change the "foreach ($data as $i => $value) {"  with "foreach (array_values($data) as $i => $value) {"  in 739 line.

A proof of Concept has been released online that allows anyone to change the password of admin account.  So, better Hurry UP! Update your Drupal CMS.

One of the reddit user "fyukyuk" posted a HTTP post request that exploits this vulnerability.

The following python Code changes the admin password of vulnerable Drupal to 'admin' (Tested with Drupal versions 7.21,7.31).


Russian Hackers use Windows 0-Day exploit to hack NATO, Ukraine

Russian Hackers, dubbed the "sandworm team", have been found exploiting a previously unknown vulnerability in Microsoft's Windows Operating systems, reports iSight.

The group has used this zero-day exploit to hack computers used by NATO, Ukraine Government, European Telecommunications firms, Energy sectors and US academic organization.

The attack starts with a spear-phishing email containing a malicious power point document that exploits the vulnerability and infects victims machine with a malware.

"The vulnerability exists because Windows allows the OLE packager (packager .dll) to download and execute INF files."the report reads.

".. When handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources... This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands"

The vulnerability is reportedly affecting all versions of the windows operating systems from Vista SP1 to Windows 8.1.  It also affects Windows servers 2008 and 2012.

Kmart is the latest security breach victim

Kmart is the latest largest U.S. retailer to experience a data breach, confirmed that hackers had accessed certain debit and credit card numbers.

IT Security firm hired by the Kmart found the store payment data systems "were infected with a malware that was undetectable by current antivirus systems".

The company says no personal information, no debit card PIN numbers, no email addresses and no social security numbers were accessed in the security beach.

According to the investigation, the cyber criminals got into their systems in early September.  The company said it immediately removed the malware. 


A Bug in Bug Tracker "Bugzilla" exposes Private Bugs


A critical vulnerability in the popular web-based Bug tracking tool "Bugzilla" allows hackers to view the details of any undisclosed vulnerabilities.

Bugzilla is an open source bug tracking program developed by Mozilla and being used by many large organizations including RedHat, Linux Kernel, Gnome, Apache.

Vulnerability researchers at Check Point Software Technologies reported the bug to Mozilla that allows anyone to register with email address of the targeted domain (for example, admin@mozilla.com) and bypass email validation.

Researcher exploited the vulnerability and managed to create administrator accounts for the Mozilla.org, Mozilla.com and Bugzilla.org.

Gervase Markham from Mozilla wrote a detailed technical post.  The attack method appears to be "HTTP Parameter Pollution(HPP)" technique.

OWASP Definition for HPP:
"Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values."
Patch:
Mozilla has released a security update that not only patches this privilege escalation vulnerability but also few other bugs including Cross Site scripting and Information Leak.

Yahoo says ShellShock vulnerability is NOT the cause of the servers hack

Researcher Jonathan Hall says he found evidence that Romanian hackers used the recent "ShellShock" vulnerability to hack a number of high profile websites including Yahoo, WinZip.

Hall said he informed Yahoo, WinZip and FBI about the issue.

Yahoo earlier today said their servers were compromised by the ShellShock vulnerability.  But, Yahoo's Chief Information Security Officer Alex Stamos published a statement in Hacker News that the breach is not a result of 'Shell Shock'.

"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers." Stamos wrote.

"These attackers had mutated their exploit, [and] this mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."

The company claimed hackers did not gain access to any user data and the affected servers are used to provide live streaming for its sports service that don't store user data.

In response, Hall said in his blog "The Yahoo! infiltration WAS from the 'Shellshock' vulnerability, and it did NOT originate on the sports servers / API’s".

Pakistan targets Indian Officials with FinFisher malware

WikiLeaks last month released a set of documents and copies of 'weaponized malware' developed by FinFisher company which is said to be used by Governments around the world to spy on journalists, political dissidents and others.

Cyber Security & Privacy Foundation(CSPF) has recently published a report providing few details that might be shed an “Indian Perspective” to leaked information.

CSPF noted that a screenshot containing targets list of a Pakistani customer has 16 Indian IP addresses and only 2 Pakistani IP Addresses, suggesting that limited “domestic” use.

"One of the Exe’s leaked by Wikileaks 'finfisher.2.zip' MD5:074919f13d07cd6ce92bb0738971afc7 when opened shows the image of 'khushab nuclear reactor ' in Pakistan." The report reads.

"This might have been used to target Indian Officers as they might be tempted to click on it and view the image".

You can find the full report here:
http://securityresearch.cysecurity.org/wp-content/uploads/2014/09/An-Indian-perspective_finspy.pdf

New Mac OS X Botnet uses Reddit's Search function to get CNC servers list


Security Researchers at Russian Antivirus company Dr.Web have published
details of a new botnet that targets Mac OS X.

What is very interesting is that this malware uses the search function of Reddit to acquire the Command and control(C&C) servers list from comments posted in a 'Mine Craft Server Lists' sub reddit.

The malware calculates MD5 hash of the current date and uses the first 8 bytes of the hash to search in reddit.  The result contains the Server IPs with port numbers.

The malware dubbed as 'iWorm' has reportedly infected more than 17,000 Mac computers - 4,610 of which are in the US.

The reddit account used by the cyber criminals appears to be removed.  However, it is not going to stop the bad guys from controlling their botnet, they either create a new account or use any other online services.

"Xsser mRAT", an Advanced iOS spyware targets Hong Kong protesters


Security researchers from Lacoon Mobile Security company identified an advanced iOS Trojan targeting protesters in Hong Kong.

The trojan dubbed as 'Xsser mRAT", is related to similar Android malware found last month targeting the protesters.

The android version of this malware is distributed via whatsapp messages disguised as an application to help coordinate Occupy Central protest.

"The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity." the company wrote.

The malware is capable of stealing text messages, contact list, call logs, location information, photos and other information.  It also steals passwords from the iOS keychains.

The good news is that the malware can run only if the user's device is jailbroken.  You can find lot more information and technical information in their blog post.

Apple releases Bash update addressing ShellShock vulnerability

Over the last few days we have seen headlines about the critical security bug in Bash shell that affects Unix, Linux and even Mac computers.

Apple previously noted that only few Mac users who runs the advanced Unix Services were actually affected by the shell shock vulnerability.  Others are not at risk to this bug.

Apple said they are working to quickly provide update to patch this problem.

As promoised, it has released OS X bash update for OS X Lion, Mountain Lion and Mavericks.

You can download the update from their support page:
http://support.apple.com/downloads/