Security and Privacy flaw in UC Browser leaks personally identifiable information


A visual summary of privacy and security issues presented by UC Browser. PC: Citizen Lab
A report has shown that a security and privacy flaw in a popular mobile web browser in India and China - Transmits users' personal and other information without encryption.

The report titled “A Chatty Squirrel: An Analysis of Privacy and Security Issues with UC Browser” has revealed that Chinese and English-language versions of UC Browser for Android, a mobile web browser which is owned by a China-based company Alibaba.com, allows any network operator or in-path actor on the network to get the user’s personally identifiable information like location, search details and mobile subscriber and device ids.

The application is using symmetric AES/CBC encryption for sending device IDs,location data, Wi-Fi Mac Address, SSID and other information rather than encryption. The key 'autonavi_amaploc' used for the encryption is Hard-coded in the application.

"The use of symmetric encryption with a hard-coded key means that anyone who knows the key can decrypt UC Browser (Chinese) traffic in transit. Moreover, key holders can also retroactively decrypt any historical data that they have collected or obtained." The report reads.

Personal identifiers like IMEI, IMSI, android id, build serial number is being transferred to Umeng (a mobile analytics service) in an unecrypted form.

The transmission of unencrypted search engine queries enables third parties to monitor searches. Sensitive personal information can be inferred from search results including health conditions like pregnancy, disease, mental and psychological conditions, marital relations, and medical information. Third parties can use it to develop, use, and sell user profiles and by corporate or government agents to modify or prevent access to certain search results.

“We informed our findings to Alibab on April 15, 2015 and we would publish this report on or after April 29, 2015. The company responded on April 19, 2015, indicating that Alibaba security engineers were investigating the issue. We followed up on April 23, 2015 to reiterate our intention to publish this report on or after April 29, 2015,” the report said.

The report added that on May 19, 2015 they tested version 10.4.1-576 of the Chinese language version of UC Browser, which was downloaded from the uc.cn website. However, the version does not appear to send location data insecurely to AMAP.

Security Explorations reveals several vulnerabilities in Google App Engine


Security Explorations, a Poland-based security firm, on May 15 disclosed technical details and Proof of Concept (PoC) codes for unconfirmed and unpatched vulnerabilities presence in Google App Engine for Java.

In October 2012, the company started its research on Google App Engine for Java however it could not continue it. Then, in October 2014, it resumed the project.

The company confirmed more than 30 vulnerabilities in December.

According to a report published on SecurityWeek, it had identified and reported a total of 41 issues to the authority concerned, but the Google said it internally fixed those flaws.

“That does not speak well about Google GAE engineers and their Java security skills in particular,” Adam Gowdiak, founder and CEO of Security Explorations, told SecurityWeek.

Till the date, Google has confirmed a total of 36 vulnerabilities. However, the Security Explorations confirmed that a few of them were still left unpatched.

Although, in Mid-March Security Exploration revealed 31 flaws which were later fixed by Google, Gowdiak, wrote in a mail that there are seven different vulnerabilities still exist in the Google service which he briefly discussed in his mail.

He said that the flaws have been reported to Google three weeks ago. However, he has not received confirmation from the Google officials. Nor, the authority concerned has not fixed any of them.

"It has been three weeks and we haven't heard any official confirmation or denial from Google with respect to Issues 37-41," Gowdiak wrote. "It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code.”

He added that it is easy to exploit the flaws by attackers. They could use the freely available cloud platform to run a malicious Java application. The app would then break out of the first sandboxing layer and execute code in the highly restricted native environment.

The hackers could use the restricted environment to attack lower-level assets and to retrieve sensitive information from Google servers.

Google had decided to award Security Explorations with $70,000 for disclosing the vulnerabilities. The total amount of $50,000 was already paid to the company on March 20.

Gowdiak said that now, Google might not give them remaining $20,000 as they have disclosed the unpatched and unconfirmed vulnerabilities. However, the company believes that rewards cannot influence the way a vulnerability handling/disclosure of a security research is made.


“We need to treat all vendors equal. In the past, unconfirmed, denied or silently fixed issues were the subject to an immediate release by us,” he said.

Venom Vulnerability allows hackers to escape from VM and hack Host Machine

 
CrowdStrike’s senior security researcher Jason Geffner disclosed the vulnerability in the virtual Floppy Drive Code used by many computer virtualization platforms.

Vulnerability VENOM, CVE-2015-3456, attacker can easily escape from the confines of virtual machine guest and exploit the code-execution access to the host. This may result in  elevated access to the host’s local network and adjacent systems.

By exploiting  the VENOM vulnerability one can get access to corporate intellectual property (IP), sensitive and personally identifiable information (PII), which will potentially affect thousands of organizations and millions of end user’s connectivity, storage, security, and privacy.

According to the researcher, the bug is in QEMU’s virtual Floppy Disk Controller (FDC), notably used in  Xen, KVM, and the native QEMU client. Whereas VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.

“The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase“ wrote Jason Geffner in his blog post.

Cisco releases software updates to address serious flaws in TelePresence products

Cisco has released software updates to address several vulnerabilities that have been identified in its TelePresence products, which can be exploited by hackers to compromise a vulnerable system.

It has also urged its customers to update their TelePresence software. Similarly, they are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Cisco said in an advisory published on May 13 that the workarounds that mitigate the vulnerabilities, which have been identified by during its internal tests and product security reviews, are not available.

“The vulnerability in the web framework of multiple Cisco TelePresence products could allow an authenticated or remote attacker to inject arbitrary commands that are executed with the privileges of the root user,” Cisco said in its advisory.

“The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the affected parameter in a web page."

"Administrative privileges are required in order to access the affected parameter. A successful exploit could allow an attacker to execute system commands with the privileges of the root user,” the advisory added.

Cisco said that although, this is a serious vulnerability with a CVSS score of 9.0, it hasn’t found evidence that shows flaw has been leveraged for malicious purposes.

PHP Object Injection Vulnerability in Bomgar Remote Support Portal

A security vulnerability has been found in the Bomgar Remote Support Portal version 14.3.1 and earlier versions, which is the part of Bomgar's appliance-based remote support software,  deserialize untrusted data without verifying the validity of the resulting data.

The data can be exploited by both authenticated as well as unauthenticated attackers.

An unauthenticated attacker can inject arbitrary input at one point in vulnerable PHP file, while authenticated attacker can inject at multiple points.

To exploit this vulnerability, the attacker has to find the appropriate classes with beneficial  effects,  if there is no classes with beneficial effects, it is not exploitable.

"One way to exploit this vulnerability is by utilizing the Tracer class. It is used to write stack trace information to a log using a Logger instance, which wraps an instance of PEAR's Log class. By using a Log_file instance as an instance of Log, it is possible to write the arbitrary data to the arbitrary file." The researcher wrote in his blog post.

Update your Wordpress, Prevent Your website from Being Hacked

WordPress has come up with its 4.2.2 version in order to increase its users security. It has also urged people to update their sites immediately.

Samuel Sidler, researcher at WordPress.org, wrote that the new version is aimed to address two security issues.

The first one is the Genericons icon font package, used in themes and plugins, which contained an HTML file vulnerable to a cross-site scripting attack. 

On May 7 all affected themes and plugins including twenty fifteen default theme have been updated by the WordPress security team after a DOM-based Cross-Site Scripting (XSS) vulnerability was discovered.

Security researchers from Sucuri warned that the vulnerability is being exploited in the wild days before disclosure.

Robert Abela of Netsparker reported that in a bid to protect other Genericons usage, WordPress 4.2.2 scans the wp-content directory for this HTML file and removes it.

Secondly, WordPress versions 4.2 and previous versions are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. So, WordPress 4.2.2 includes a comprehensive fix for this issue according to a separate report by Rice Adu and Tong Shi.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2.

People just have to download WordPress 4.2.2 or venture over to Dashboard. Then click “Update Now” button. 

Sites that support automatic background updates have begun to update to WordPress 4.2.2.

Major vulnerability in medical equipment poses security risk


The Internet enabled PCA3 drug infusion pump manufactured by Hospira suffers from authorization vulnerabilities that can allow unauthenticated users to remotely access and modify pump configurations, drug libraries and software updates.

The Hospira Life care infusion pump, version 5.0 and prior runs "SW ver 412". It does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23. By attaching any device to the pump via Ethernet, one can easily extract the wireless encryption keys stored in plain text on the device and thus gain access to the keys Life critical network.

The attacker can then impact the pump configurations or medical libraries by conducting firmware updates, command execution, and drug library updates.  However, Hospira maintained that the Operation of the Life Care PCA Infusion pump required the physical presence of a clinician to manually program the dosage into the pump for administration.

Even if credentials are implemented on the Telnet port there are still web services which allow a remote attacker to carry out the remote modifications. Even if that was made secure there are additional services like FTP that are open with hard coded accounts. 

Billy Rios, the independent researcher who discovered these vulnerabilities has been co-ordinating with Hospira since May 2014. A new version has been developed by Hospira which mitigates these vulnerabilities and is under U.S. Food and Drug Administration (FDA) review.

In defense, ICS-CERT  has advised organizations to ensure closure of unused ports, use of VPN, detaching of the pump from insecure networks and use of good design practices with network segmentation.

Impact of the vulnerability varies depending on each organization, so individual organizations need to evaluate and secure themselves based on their operational environment.

Multiple vulnerabilities in TheCartPress WordPress plugin

Multiple vulnerabilities has been discovered in TheCartPress WordPress plugin by the High-Tech Bridge Security Research Lab.

The vulnerabilities can be exploited to execute arbitrary PHP code, disclose sensitive data, improper access control, and to perform Cross-Site Scripting attacks against users.

To exploit the local PHP File Inclusion vulnerability, an attacker needs to have administrator privileges on WordPress installation. PHP does not properly verify the URL before being used in  ‘include()’ function , and can be abused to include arbitrary local files via directory traversal sequences.

HTTP POST parameters are supplied by many users during the checkout process. These parameters are not being sanitized before being stored in the local database.  Which can be easily exploited by a non-authenticated attacker, they  may inject malicious HTML and JS code that will be stored in the application database, and made available to any non-authenticated user on the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_or der

Due to broken authentication mechanism any non-authenticated user may browse orders of other users. They easily predict the order ID, enables them to steal all currently-existing orders.

The vulnerability can be reproduced by opening the  following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

And full details of the orders can be viewed by opening the following URL
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_or der

Inputs  can be passed via the "search_by", "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email", "post_id" and "rel_type", and "post_type"  GET parameter. These are not properly verified before being returned to the user. An attacker can logged-in as  administrator to open a link, and execute arbitrary HTML and script code in browser in context of the vulnerable website.

Vulnerability in Realtek SDK leaves D-Link and TRENDnet routers vulnerable to Hackers

D-Link and TRENDnet's routers are vulnerable to remote code execution attacks due to a flaw in a component of the Realtek, Software Development Kit (SDK).

A content developer at HP Enterprise Security discovered the flaw.

Ricky Lawshae first informed about the flaw to HP’s Zero-Day Initiative (ZDI) in August 2014. Then in October, he reported for the last time about his findings to them.

However, the Realtek did not come up with a plan to solve the problem. As a result, the routers flaw has been disclosed.

The vulnerability (CVE-2014-8361) allows a remote, unauthenticated attacker to execute arbitrary code on affected systems with root privileges. ZDI has assigned the vulnerability a CVSS score of 10.

The security hole affects the Realtek SDK used for RTL81xx chipsets.

Although, the flaw on D-Link and TRENDnet routers has been discovered, it is not clear that how many small office and home (SOHO) routers are affected.

The researcher however said that those devices using the minigd binary from the Realtek SDK are likely to be vulnerable.

“Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” ZDI officials wrote in an advisory published on Friday.

“Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it.”

Realtek still has not commented on the findings.

D-Link has released firmware updates that addresses the security vulnerabilities in affected D-Link devices.

It is said that the flaw, which was found on those wireless routers, are not unique or rare.

Earlier, researchers reported about the several vulnerabilities related to the ncc/ncc2 service used by devices from the vendors. Both D-Link and Trendnet released firmware updates to address the issues.

Last month, a researcher complained that D-Link had failed to properly patch those vulnerabilities related to the Home Network Administration Protocol (HNAP).

WordPress patches Stored XSS bug, Many versions affected

(PC- google images)
WordPress has issued a critical security update - WordPress Security Release 4.2.1, announced in an advisory by consultant Gary Pendergast, after millions of websites were at risk of a bug that allows attackers to take control of a system.

Pendergast read, “A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenter to compromise a site”. He added, "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those."

Discovered by Jouko Pynnönen of Finnish security company Klikki ; the critical, unpatched zero-day vulnerability, affecting WordPress’ comment mechanisms, is a stored cross-scripting (XSS) bug that allows a hacker to take over an entire website running the WordPress platform.

In a blog post, Klikki explained that if triggered by a logged-in administrator, under default settings, the attacker can leverage the vulnerability to execute arbitrary code on the server via the plug-in and theme editors. Alternately the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

The vulnerability is exploited by injecting JavaScript in the WordPress comment section, and then adding 64Kb of the text.

"If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64kilobytes, so the comment has to be long”, Pynnönen said.

 "The truncation results in malformed HTML generated on the page.The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core”, added he. 

WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected.

Similar to the one reported by Cedric Van Bockhaven in 2014, the only difference in this version is the use of excessively long comment for the same effect.  In both the cases, the injected JavaScript can’t be triggered in the administrative Dashboard so these exploits require getting around comment moderation e.g. by posting one harmless comment first.

Vulnerability in Wi-fi authentication component

A vulnerability in wpa_supplicant, used to authenticate clients on Wi-fi networks, could expose Android, BSD, Linux, and possibly Windows and Mac OS X system to attack.

The  vulnerability uses Service Set Identifier’s information to create or update P2P peer  entries. The valid length range of SSID is 0-32 octets, but on one of the code paths wpa_supplicant was not sufficiently verifying the payload length. This resulted in copying of  arbitrary data from an attacker to a fixed length buffer of 32 bytes.

The device  results in corrupted state in heap, unexpected program behavior due to corrupted P2P peer device information, denial of service due to wpa_supplicant process crash, exposure of memory contents during GO Negotiation, and potentially arbitrary code execution.

According to Jouni Malinen, maintainer of wpa_supplicant, “The vulnerability is easiest to exploit while the device has started an active P2P operation (e.g., has ongoing P2P_FIND or P2P_LISTEN control interface command in progress). However, it may be possible, though significantly more difficult, to trigger this even without any active P2P operation in progress.”

This issue was reported by the Google security team and hardware research group of Alibaba security team.

The users could merge the following commits to wpa_supplicant and rebuild it,  validate SSID element length before copying it (CVE-2015-1863) from http://w1.fi/security/2015-1/.  Update to  wpa_supplicant v2.5 or newer versions, once  they are available.

"No iOS Zone" - DoS vulnerability in iOS Devices

Skycure, a mobile threat defense solutions, witnessed  sudden crash of an iOS app while setting the router in a specific configuration and connecting the devices to it.

Elisha and Roy members of research team started to analyze the crashes further, and identified the source of the problem.  They found that by generating a specially crafted SSL certificate, attackers can regenerate a bug and cause apps that perform SSL communication to crash at will. Then they created a script that exploits the bug over a network interface.

Parsing SSL certificate vulnerability affects the underlying iOS operating system, and with heavy use of devices exposed to the vulnerability, the operating system crashes. Under certain conditions, the  devices can be put  into a repeatable reboot cycle, rendering them useless.

For most of the people iOS app crash is simply a quality issue. They just install a different firmware and move on.

 But the victim’s device in an unusable state for as long as the attack impacts a device. Even if victims understand that the attack comes from a Wi-Fi network, they can’t disable the Wi-Fi interface in the repeated restart state as shown in the video.

The issues have been reported  to the Apple. To avoid this vulnerability exploit the users may take following steps.

1)Users should disconnect from the bad Wi-Fi network or change their location in case they experience continuous crashing or rebooting.
2)The latest iOS 8.3 update might have fixed a few of the mentioned threats–users are highly advised to upgrade to the latest version.
3)In general, users should avoid connecting to any suspicious “FREE” Wi-Fi network.

WordPress 4.1.2 version released, fixes critical security bugs


Wordpress 4.1.2 is the latest version of WordPress to be released to the public. A critical security release for all previous versions, WordPress 4.1.2 fixes as much as four other security issues.
The earlier versions of WordPress including version 4.1.1 were affected by a serious critical cross-scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams and Andrew Nacin of the WordPress security team.

Discovered by Michael Kapfer and Sebastian Kraemer of HSASec, files with invalid or unsafe names could be uploaded in version 4.1 and higher.

In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as a part of a social engineering attack. It was discovered by Jakub Zoczek.  

Some plugins were vulnerable to an SQL injection vulnerability. Four hardening changes, including better validation of post titles within the Dashboard were discovered by J.D.Grimes, Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.

To download WordPress 4.1.2, the update can be updated automatically from the Dashboard and simply click “Update Now”. Sites that support automatic background updates are already updating to WordPress 4.1.2.

Researchers discover fingerprint flaw on Samsung Galaxy S5


Photo Courtesy: Mobilesyrup website
Despite the various efforts made to secure biometric information on Samsung Galaxy S5 by the Android phone makers, hackers can still take copies of fingerprint which is used to unlock the phone set, said researchers.

Tao Wei and Yulong Zhang, researchers at FireEye, a security firm, said that even though there is a separate secure enclave for the information on the phone, it is possible to grab the biometric data before it reaches that safe area which allows hackers to copy people’s fingerprints for further attacks.

Wei and Zhang, who conducted research on Galaxy S5 including other unnamed Android devices, will be presenting their findings at the RSA conference on April 24.

The researchers said that in order to clone the fingerprints, the hackers don’t have to break the protected zone where the data is stored. They just have to collect data from the device’s fingerprint sensor.

According to them, any hacker can easily clone fingerprints from the phone sets. They have to get user-level access and run a program as root. They wouldn’t need to go deeper on Samsung Galaxy S5 because the malware needs only system-level access.

And once the hackers break the operating system of the phone, they can easily read the fingerprint sensor. Then, the hackers get the data from which they can generate an image of fingerprint. After that, those hackers can do whatever they want.

After finding the flaw on the phone, the researchers had contacted Samsung. However, they did not get any updates or measures to fix the vulnerability from the company.

They said that it is better to update Android version in order to get protected from this vulnerability because it is not resident on Android 5.0 or later versions.

"Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” said a spokesperson for Samsung via email to Forbes.

Although, there are various security concerns about biometric, it is going to be the primary form of authentication on mobile phones.

It is said that Microsoft is testing out a range of biometric options for its upcoming Windows 10 operating system. 

However, Wei and Zhang said they only tested Android devices as of now.

They said that not all of the Android phones below 5.0 with fingerprint authentication were affected but this vulnerability is likely to spread among other phone companies as well.  Like HTC One Max, Motorola Atrix, Samsung Galaxy Note 4 and Edge, Galaxy S6, and Huawei Ascend Mate 7.

“We only tested a limited number of devices. While we expect the issue is more widespread, we are not sure,” the FireEye spokesperson said in an email to Forbes

Arris / Motorola Modems have multiple vulnerabilities and backdoor accounts


Security Researcher Joe Vennix has discovered multiple vulnerabilities in the 'ARRIS / Motorola SURFboard SBG6580' series Wi-Fi Cable Modem that could allow hackers to take control of the Web Interface.

One of the flaws(CVE-2015-0964) is a stored cross site scripting vulnerability in the firewall configuration page could allow an authenticated attacker to inject javascript code capable of performing any action available in the web interface.

The other vulnerability allows to perform a login action "on behalf of the victim's browser by an arbitrary website, without the user's knowledge."

And on top of this, it has pre-installed backdoor accounts.  Devices tested by the researcher had an account called "technician" with the password "yZgO8Bvj".

"Other accounts may be present as installed by service providers and resellers." Rapid7 post reads.  

Rapid7 has published a metasploit module that "takes advantage of all three vulnerabilities to place an arbitrary internal endpoint in the DMZ of the affected network, thus exposing all running services to direct Internet access.

The module also capable of stealing the information of all registered DHCP clients including IPs, hostnames and MAC addresses.

Security flaw in Hotel Wi-Fi could allow hackers to infect Guests' system with malware

A security company Cylance, discovered  a vulnerability in ANTlabs InnGate devices, after which they issued a public advisory on March 26 about its system vulnerability (CVE-2015-0932), which provide Wi-Fi access in hotels and convention centers and other places.

In its advisory ANTlabs warns, "An incorrect rsync configuration on certain models of our gateway products allows an external system to obtain unrestricted remote read/write file access.”

Researcher Brian Wallace wrote in a detailed blog post that “Remote access is obtained through an unauthenticated rsync daemon running on TCP 873. Once the attacker has connected to the rsync daemon, they are then able to read and write to the file system of the Linux based operating system without restriction.”

In his blog Brian Wallace explains that after gaining full read and write access, the attacker could upload a backdoored version  or add an user with root level access and a password known to the attacker. “Once this is done the endpoint is at the mercy of the attacker.”

According to Cylance researchers there are 277 vulnerable devices in 29 countries including the United States, Cuba, Australia and Italy, that could be directly exploited from the Internet.

The Darkhotel APT campaign that specifically targeted  executives via Wi-Fi networks at luxury hotels, was uncovered by Kaspersky Lab researchers last fall. The similar attack  could be leveraged by this vulnerability.

According to the blog post, “The DarkHotel campaign was carried out by an advanced threat actor with a large number of resources, CVE-2015-0932 is a very simple vulnerability with devastating impact. The severity of this issue is escalated by how little sophistication is required for an attacker to exploit it."

Wallace added, “Targets could be infected with malware using any method from modifying files being downloaded by the victim or by directly launching attacks against the now accessible systems. Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do.”

When InnGate devices  were integrated into Property Management Systems (PMS),a software application used to coordinate the operational functions, they  stores credentials to the PMS, and an attacker could potentially gain full access to the PMS.

By blocking the unauthenticated RSYNC process from internet access, a TCP-DENY on port 873 on the upstream network device from the affected InnGate device, the vulnerability can  be mitigated.

Web users exposed to "FREAK" attack

SSL/TLS breached

Newly discovered security vulnerability in the SSL/TLS protocol, dubbed as “FREAK” poses potential risks for millions of people surfing the web on Apple, Google and Microsoft browsers.

A whole range of browsers including Internet Explorer, chrome for Mac OS and Android , Apple browsers and about 12% of popular websites like  Bloomberg.com, kohls.com, mit.edu have been found to be vulnerable.

The flaw would allow a “man in the middle” attack which can downgrade security of connections between vulnerable clients/servers by tricking them into using low strength “export grade RSA” , thus rendering TLS security useless.

This 512 bit export grade mode of cryptography can then be easily cracked to compromise the privacy of users, by stealing passwords and other personal information. Larger attacks on the Web sites could be launched as well.

Computing power worth 100 dollars and seven hours is all that is required for a skilled code breaker to crack it.

The flaw was exposed by a team of researchers at INRIA and Microsoft Research who named it as “FREAK” for Factoring attack on RSA-EXPORT Keys.

The “export grade” RSA ciphers resulted from the 1980s policy of the US government which required US software makers to use weaker security in encryption programs which were shipped to other countries. It was meant to facilitate internet eavesdropping for intelligence agencies to monitor foreign traffic. These restrictions were lifted in the late 1990s, but the weaker encryption got wired into widely used software that percolated throughout the world and back into US.

Christopher Soghoian, principal technologist for the American Civil Liberties Union said, “You cannot have a secure and an insecure mode at the same time… What we’ve seen is that those flaws will ultimately impact all users.”

This reveals that a weaker crypto-policy ultimately exposes all parties to hackers and serves a strong argument against the recent requests of the US and European politicians to enable new set of backdoors in established systems.

Apple said its fix for both mobiles and computers will be available next week and Google said it has provided an update to device makers and wireless carriers.

For web server providers , the way ahead entails disabling support for all export cipher and known insecure ciphers.

A full list of vulnerable sites is available here.

PHP has fixed several vulnerabilities allowing remote code execution


The PHP development team has released new versions in order to fix three security vulnerabilities -one of them is said to be a critical one and leads to remote code execution.

The vulnerability identified as "CVE-2014-3669" can cause an integer overflow when parsing specially crafted serialized data with the unserialize ().The vulnerability is only a 32-bit system, but the danger is caused by the breach and that the serialized data often come from user-controlled channels.

In addition, the updates have been corrected errors associated with the introduction of a null byte in the library cURL, calling the damage dynamic memory during processing of the modified data as a function of exif_thumbnail () in image processing (CVE-2014-3670), as well as buffer overflow in the function mkgmtime () from the module XMLRPC (CVE-2014-3668).

These vulnerabilities were discovered by the Research lab of IT security company High-Tech Bridge.

The new versions 5.6.2,5.5.18 and 5.4.34 address these three vulnerabilities.

A Bug in Bug Tracker "Bugzilla" exposes Private Bugs


A critical vulnerability in the popular web-based Bug tracking tool "Bugzilla" allows hackers to view the details of any undisclosed vulnerabilities.

Bugzilla is an open source bug tracking program developed by Mozilla and being used by many large organizations including RedHat, Linux Kernel, Gnome, Apache.

Vulnerability researchers at Check Point Software Technologies reported the bug to Mozilla that allows anyone to register with email address of the targeted domain (for example, admin@mozilla.com) and bypass email validation.

Researcher exploited the vulnerability and managed to create administrator accounts for the Mozilla.org, Mozilla.com and Bugzilla.org.

Gervase Markham from Mozilla wrote a detailed technical post.  The attack method appears to be "HTTP Parameter Pollution(HPP)" technique.

OWASP Definition for HPP:
"Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values."
Patch:
Mozilla has released a security update that not only patches this privilege escalation vulnerability but also few other bugs including Cross Site scripting and Information Leak.

Everything you need to know about Bash Bug "ShellShock"


A new critical security vulnerability in the BASH shell, the command-line shell used in many Unix and Linux operating systems, leaves a large number of systems at security risk. The bug also affects Mac OS X.

CVE Number: CVE-2014-6271

Technical Details: 

Here is technical details of the vulnerability, posted by Florian Weimer in Seclists:

"Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes.  Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment.

The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.  For example, an environment variable setting of

  VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.) "

Proof of Concept:
env e='() { Ignored; }; echo Vulnerable' bash -c "echo Hello"

Running the above command in Linux Terminal prints "vulnerable" and "Hello".So what exactly is happening here.

The 'env' command used to either print a list of environment variables or run another utility in an altered environment without having to modify the currently existing environment.

Here, the utility is 'bash' that executes the 'echo hello' command - and the environment variable 'e' is imported into the 'bash' process.

The bash shell process the function definition "() { Ignored; };"and then executes the "echo vulnerable" command.

* You can use the above POC code to test whether your system is vulnerable or not.

Real world Attack Scenario:

CGI stores the HTTP headers in environment variables. Let's say the example.com is running a CGI application written in Bash script.

We can modify the HTTP headers such that it will exploit the shellshock vulnerability in the target server and executes our code.

POC:

curl -k http://example.com/cgi-bin/test -H "User-Agent: () { :;}; echo Hacked > /tmp/Hacked.txt"
Here, the curl is sending request to the target website with the User-Agent containing the exploit code.  This code will create a file "Hacked.txt" in the "/tmp" directory of the server.

Who should be worried?
An attacker needs to send a malicious environment variable to an application that interacting with the Internet and this application should have either written in Bash or execute bash script within the app. So, Normal Desktop users are likely not affected by this bug.

However, if you are admin of a website and running CGI app written in BASH or using Bash script, You should be worried.

Metasploit Module:

A Metasploit Module has been released that exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.

You can find the module here.

Malware:
Cyber Criminals are already started to exploit this vulnerability for the malicious purpose.  A malware(ELF format) named as 'Linux/Bash0day', found by @yinettesys.

"Cybercriminals exploit bash 0day to get the ELF malware into web servers. ELF scans routers IP and sends exploit busybox to hack routers and doing DDoS." Malware Must Die who analyzed the malware told EHN.

"If exploit busybox hits the target, they will try to gain shell /bin/sh & brute the default login/passwords commonly used by routers"


Strings contained in the Malware sample

At the time of writing, the detection ratio in Virustotal is 0/55.

You can find the malware sample and more details of the malware at KernelMode website.

Wormable:
Robert Graham of Errata Security says the bug is wormable.  He wrote a script that scans the Internet and finds the vulnerable machines. So far, he found nearly 3,000 vulnerable systems on port 80.

"Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems." Graham wrote in his blog post.

DHCP RCE Proof of Concept:
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/


ModSecurity Rules:
RedHat has posted several mod_security rules that helps to prevent the attack:

Request Header values:

SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

SERVER_PROTOCOL values:

SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST names:

SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST values:

SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

File names for uploads:

SecRule  FILES_NAMES "^\(\) {"  "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271  - Bash Attack'" 
Patch:
A Patch has been released which ensures that no code is allowed after the end of a Bash function.  If you try to run the exploit code after applying the patch, you will get the following error message:



Unfortunately, the patch is incomplete, it still can be bypassed.  There is a workaround here, but it is not advisable. "CVE-2014-7169" has been assigned for the incomplete fix.

If you think we missed any information, feel free to comment here, we will add it to the article.

---------------------------------

Additional details:
This details isn't for you if you already know how export functions,'env' commands work :

Bash Export function-definition feature: 



Defining a function in Bash script:

       hello(){ echo "Hello World";}

Calling function in Bash script:
   hello

Create a child bash process and call our user-defined function:
bash -c hello

It won't work, because the child bash process doesn't aware that there is user-defined function called "hello". So, what to do?! Let us add the 'hello' function to the environment variable with Export command:

export -f hello

This will export the 'hello' function to the child process.  Let's try to create the child bash process again:

bash -c hello

Now the function is called without a problem.


We can achieve the samething in a single line with 'env' command. Let me first explain what 'env' command does.



'env':


The 'env' command used to either print a list of environment variables or run another utility in an altered environment without having to modify the currently existing environment.

Let's try to print environment variables with bash(creating child process):

bash -c printenv



The above command will print environment variables. Using 'env' command, you can pass a temporary environment variables to the child process:

env e="hello" bash -c printenv


Now, If you check the printed environment variables, you can find the "e='hello" in the result :)

Function passing with env command:

env hello='() { echo Hello World;};' bash -c hello