Critical Remote Code Execution vulnerability patched in MediaWiki, affecting WikiPedia

MediaWiki has recently patched a critical remote code execution vulnerability in its wiki software.  Thousands of wiki sites, including Wikipedia, were affected by this security bug.

Security researchers from Check Point identified this vulnerability (CVE-2014-1610), which affects all versions from 1.8 onward.  Sites are vulnerable only if a specific non-default setting is enabled.

According to the security advisory, an attacker could have exploited this vulnerability to make file and system changes and gain complete control of the server.

Check Point said that an attacker could have injected malicious code into every page on Wikipedia.org, which could have put millions of users' systems at risk of malware infection.

Fortunately, Check Point immediately informed the Wikimedia Foundation of the bug.  On 28 January, the foundation released a patch for it.

The security advisory says that this is the third critical remote code execution vulnerability discovered in MediaWiki since 2006.

Ebrahim Hegazy discovered PHP Code Injection Vulnerability in Yahoo

PHP Code Injection vulnerability

A web application penetration tester, Ebrahim Hegazy, has discovered a critical remote PHP code injection vulnerability in a Yahoo website that could have allowed attackers to inject and execute arbitrary PHP code on the Yahoo server.

The vulnerability exists in the Taiwanese Yahoo sub-domain at "http://tw.user.mall.yahoo.com/rating/list?sid=[CODE_Injection]".  The 'sid' parameter allows PHP code to be injected.

According to his blog post, the sid parameter was probably passed directly to an eval() function, which is what makes the code injection possible.

In his demo, Ebrahim showed how to obtain a directory listing and the process list by injecting the following code:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("dir"))}
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("ps"))}

He also found that the Yahoo server was running an outdated kernel vulnerable to a local privilege escalation flaw.

Yahoo fixed the issue immediately after being notified by the researcher.  However, he is still waiting for the bug bounty reward.  Google pays $20,000 for this kind of vulnerability, while Yahoo sets its maximum bounty at "$15,000".  Let us see how much Yahoo offers for this one.

POC Video:

Last month, German security researcher David Vieira-Kurz discovered a similar remote code execution vulnerability in the eBay website.

PHP-CGI remote code execution vulnerability exploited to deliver Bitcoin Malware

A two-year-old PHP-CGI remote code execution vulnerability (CVE-2012-1823) is being exploited to install Bitcoin-mining malware on web servers, Symantec reports.

Symantec says it has noticed a substantial increase in PHP code inclusion attacks against its Managed Security Services (MSS) customers.

Only Linux web servers running the outdated PHP version are said to be vulnerable to this exploit.  As of Jan. 7, more than its Security Operations Center (SOC) customers have been affected by these exploit attempts.

PHP CGI Remote code execution exploit 

Vulnerable servers are targeted with exploit code that disables the security_mode and enables other options needed for the exploit.  If the server is vulnerable, the exploit downloads 'a' script that installs a Bitcoin miner.
 
"The role of Bitcoin mining in this scenario is to harness the victim's computational resources to financially benefit the perpetrators," say researchers at Symantec.  "The victim systems in this situation have been wrongfully hijacked and pressed into service, which may cause slowdowns for legitimate users and resource issues for server owners."

Remote command execution vulnerability in Vodafone website

A group named "HackerDesk" has identified a security vulnerability affecting one of the subdomains of the Vodafone website.  "lbas.vodafone.com" was found to be vulnerable to remote command execution (CVE-2013-1965).

"The vulnerability alone may not be hugely significant, but when put into the context of an attack it can have much greater consequences.  The vulnerability allows for some post-exploitation techniques to be utilized, such as installing backdoors and JSP post-exploitation tool kits.  This allows for more elaborate and complex attacks to occur," the researcher said.

"The true impact of the exploitation of this vulnerability when combined with post-exploitation tool kits could be full compromise of a system with the ability for that system to be used for onward compromise of connected hosts."

By sending a payload to the server, the researcher was able to execute any command he wanted.  The results were returned as a downloadable file.

The researchers reported the vulnerability to Vodafone and suggested upgrading to the latest version of Struts, which contains the corrected OGNL and XWork libraries.  It appears the Vodafone team took the subdomain offline to apply patches.

You can find the technical details in this document.

Remote Code Execution vulnerability in Ebay website

David Vieira-Kurz, a security researcher from Germany, has discovered an interesting remote code execution vulnerability in the eBay website.

The 'q' parameter of the 'search' page on the South Asian eBay domain (sea.ebay.com/search/?q=david&catidd=1) was found to be vulnerable to remote code execution.

The researcher cleverly managed to pass the 'q' parameter as an array containing a command, which was then executed.

The proof of concept provided by the researcher prints information about the PHP installation on the server:
  sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1

An attacker could have exploited this vulnerability to run OS commands and compromise the entire server.  David reported the vulnerability to the eBay security team, and it has now been fixed.

He also discovered a SQL Injection vulnerability in the same domain last year.

The full technical details are available here.
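Both the Yahoo 'sid' report and the eBay 'q' report above describe the same class of bug: a query parameter ending up inside PHP string interpolation or eval(). The following scanner is an added defender-side example, not code from either researcher's write-up; it URL-decodes access log requests and flags parameters carrying `${...}`/`{$...}` interpolation or the function calls used in the published proofs of concept. The log lines are constructed, not real traffic.

```python
"""Flag access-log requests carrying PHP interpolation code-injection payloads."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache-style access log lines (not real traffic). Line 2 is the
# Yahoo-style ${@print(system("ps"))} payload, percent-encoded; line 3 is the
# eBay-style array parameter; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2014:10:00:01 +0000] "GET /rating/list?sid=1234 HTTP/1.1" 200 512
203.0.113.6 - - [10/Jan/2014:10:00:02 +0000] "GET /rating/list?sid=%24%7B%40print%28system%28%22ps%22%29%29%7D HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jan/2014:10:00:03 +0000] "GET /search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1 HTTP/1.1" 200 90000
203.0.113.8 - - [10/Jan/2014:10:00:04 +0000] "GET /search/?q=price%20%2410 HTTP/1.1" 200 700
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# PHP "complex" interpolation syntax plus the calls seen in the PoCs.
# A bare "$" (as in "$10") is deliberately not enough to trigger.
INDICATORS = [
    (re.compile(r'\$\{'), 'php-dollar-brace'),
    (re.compile(r'\{\$'), 'php-brace-dollar'),
    (re.compile(r'\b(system|exec|passthru|shell_exec|eval|phpinfo)\s*\('), 'php-call'),
]

def decode_target(target: str) -> str:
    """Percent-decode twice so double-encoded payloads are not missed."""
    return unquote(unquote(target))

def classify(line: str):
    """Return (client_ip, decoded_target, [indicator:param, ...]) or None if unparsable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    ip = line.split(' ', 1)[0]
    target = decode_target(m.group('target'))
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for name, value in params:
        for rx, label in INDICATORS:
            if rx.search(value):
                hits.append(f"{label}:{name}")
    return ip, target, hits

def scan(log_text: str):
    """Return (ip, target, hits) for every line with at least one indicator."""
    results = []
    for line in log_text.splitlines():
        r = classify(line)
        if r and r[2]:
            results.append(r)
    return results

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target, hits)
```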

Vulnerability in NVIDIA mental ray allows hackers to take control of render farms

A security vulnerability in NVIDIA mental ray, a high-performance 3D rendering package, allows attackers to take control of an entire "render farm", say security researchers at ReVuln.

A render farm is a cluster of specialized computers designed for rendering images, typically used for creating visual effects in films.  Render farms have very high computational capacity.

mental ray is available as standalone software and is also embedded in popular packages such as AutoCAD, Autodesk 3ds Max, Autodesk Maya, Cinema 4D and Domus3D.

By simply sending a malicious packet to the target machine, an attacker can make it load arbitrary DLLs; injecting a malicious remote library lets the attacker take control of the entire render farm.

Only mental ray version 3.11.1.10 is affected by this vulnerability.

What would an attacker do with access to a system of huge computational capacity?  Most likely use it for password cracking or Bitcoin mining.

You can find the white paper here : http://revuln.com/files/ReVuln_Nvidia_mental_ray.pdf

OpenSSH fixes a critical code execution vulnerability


OpenSSH, a tool that provides encrypted communication sessions over a computer network using the SSH protocol, has patched a critical code execution vulnerability.

"A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange," the security advisory reads.

"If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations."

The vulnerability was identified by OpenSSH developer Markus Friedl on November 7th.  The fix was issued immediately.

The flaw is fixed in OpenSSH 6.4.  A security patch is available for users who prefer to continue using OpenSSH 6.2 or 6.3.

Hacking the Hackers: Carberp Panel vulnerable to Remote Code Execution

The recent Carberp source code leak gave researchers an opportunity to investigate the bootkit and other components of the Trojan.  While everyone else was looking at the source code of the malicious parts, one security researcher took an interest in the panel's source code.

Steven K, a security researcher from France who runs the Xylibox blog, has discovered two security vulnerabilities in the Carberp panel: IP spoofing and remote code execution.

Remote code execution is a critical class of security bug that allows attackers to inject and execute commands on the vulnerable server.

Vulnerable code

The researcher found that the "data" parameter in the POST request is vulnerable to remote code execution.  He has also written proof-of-concept code to exploit the vulnerability.

He successfully exploited the bug and recovered the database username, password and auth key.  The bug also allows an attacker to run the "wget" command to download a backdoor.

The code suggests that the cybercriminals behind the Carberp Trojan are far weaker at secure web application coding than at malware coding.

ZPanel security vulnerability allows hacker to reset the root password

A critical remote code execution vulnerability has been identified in ZPanel that allows attackers to reset the root password and gain access to the server.

According to the forum post, the latest stable version, 10.0.2, is also affected by this security flaw.  The user has also provided steps to reproduce the vulnerability.

The flaw exists in the ZPX HTPASSWD module because the module fails to sanitize user input.  It allows anyone with access to the page, including admins, resellers and clients, to inject arbitrary shell commands on the server.

The vulnerability has been confirmed by ZPanel Head Developer & Project Leader Bobby Allen.  ZPanel users are advised to disable the HTPASSWD module.

The team is currently testing the patched file, which has been committed to GitHub.  They have promised to issue a manual patch once testing is complete.