Search This Blog

Showing posts with label Buffer Overflow. Show all posts

Broadcom WiFi Chipset Driver Defect Takes Its Toll On OSs, IoTs, Phones and Other Devices.




Reportedly, the flaws in the Broadcom WiFi chipset drivers are causing a lot of trouble for phones and operating systems that are exposed to it.


This means, attackers could be allowed to execute arbitrary code and initiate DOS. (Denial of Service)

As reported by an intern of a reputed lab, the Broadcom drivers and the open source “brcmfmac” driver possess several vulnerabilities.

As it turns out, the Broadcom drivers are susceptible to “two heap buffer overflows.” Whereas, the ‘brcmfmac’ drivers are susceptible to frame validation bypass as well as heap buffer overflow.

Per the Common Weakness Enumeration database, the heap buffer overflows could cause the software to run in an infinite loop, system crashes, along with execution of arbitrary code.


These above activities are evidently beyond the security policies and security services.

The aforementioned Broadcom WiFi chips are insidiously used by almost everyone without their knowing it. From a laptop through the IoT devices to the smart TVs all the devices have these chip drivers.


As these chips are enormously prevalent, they comprise of an even more enormous target range. Any simple vulnerability or flaw found in them could be a matter of serious risk.

The Broadcom WiFi chipset drivers could be easily exploited by the unauthenticated attackers by way of sending malicious “WiFi packets”.

These packets would later on help in initiating the arbitrary code execution. All the attacks would simply lead to Denial of Service.

In the list of the risks that stand to vulnerable devices, Denial of Service attacks and arbitrary code execution are on the top. These flaws were found also in Linux kernel and the firmware of Broadcom chips.

According to the source note, the four brcmfmac and Broadcom wl drivers vulnerability is of the sort, CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503.

·       CVE-2019-9503: When the driver receives the firmware event frame from the remote source, it gets discarded and isn’t processed. When the same is done from the host the appropriate handler is called. This validation could be bypassed if the bus used is a USB.

·       CVE-2019-9500: A malicious event frame could be constructed to trigger a heap buffer overflow.



·       CVE-2019-9501: The vendor is supplied with the information with data larger than 32 bytes and  a heap buffer overflow is triggered in “wlc_wpa_sup_eapol”

·       CVE-2019-9502: when the vendor information data length is larger than 164 bytes a heap buffer overflow is triggered in “wlc_wpa_plumb_gtk”

If the wl driver’s used with SoftMAC chipsets the vulnerabilities are triggered in the host’s kernel whereas, when used with FullMAC chipset, they are triggered in chipset’s firmware.

There are approximately over 160 vendors that stand vulnerable to Broadcom WiFi chipsets within their devices.

Two of Broadcom’s vulnerabilities were patched which were found in the open source brcmfmac Linux kernel.

CVE-2019-8564 vulnerability had been patched by Apple as a part of their security update, a day before the developer revealed the vulnerabilities.

Buffer Overflow vulnerability in Acunetix scanner allows to hack the noobs who attack your website

Danor Cohen, a Security researcher who recently discovered the 'WinRAR file spoofing vulnerability', has discovered one more zero day vulnerability.  This time it is Buffer Overflow vulnerability in one of the popular web application vulnerability scanner 'Acunetix'.

There is a feature in Acunetix that allows to scan the additional domains or subdomains detected during the scan.

"It learns about the external related domains from the external sources that appear at the scanned website, for example: "<a href=http://externalSource.com/ ></a>"

Danor found that if the 'external' source url's length is larger than 268Bytes, the Acunetix vulnerability scanner will get crashed.

For Ex:
 <A href= “http://AAAAAAAAAAAAAAAAAAAAAAAAAA...........AAAAA”>

Researcher managed to exploit this vulnerability and successfully launched an executable file(calc.exe). By modifiying the code, one can infect the computers of newbies with a malware who attempt to scan their websites.

More technical details are available at his blog post.

Here is Proof of concept video:


*Update*:
Acunetix says this vulnerability affects only the illegitimate(cracked) copies of Acunetix WVS.

"The blogger seems to have managed to pull his exploit by using a cracked version of v8. The cracked version, probably required the replacement of the official executable with a vulnerable one." Acunetix says.

"Once again we want to re-assure all users of legitimate installations of Acunetix WVS that they are in no danger, and are not affected by this at all"

GOM Media Player v. 2.1.37 vulnerable to Buffer Overflow Attack

Security Researcher Ucha Gobejishvili (longrifle0x),Vulnerability Lab, discovered Buffer overflow vulnerability in the GOM Media player application. Version 2.1.37 found to be vulnerable to this attack.

Buffer overflow:
         An app is said to be vulnerable to when it allows attackers to store the the data in a buffer beyond the size allocated for it. By successfully exploiting the vulnerability, an attacker can run an arbitrary code.
Researcher claimed the vulnerability can exploited by local and remote attackers. Researcher estimated this vulnerability risk as high.

POC:
1) Download & open the software client
2) Click open ==> Url..
3) Put vulnerability code
4) now you will see result

The video that demonstrate the vulnerability:

Microsoft office 2007 Excel.xlb Vulnerable to Buffer Overflow Attack


This Metasploit module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack-based buffer overflow. This results in arbitrary code execution under the context of the user.

Discovered by :
Aniway
Abyssec
sinn3r
juan vazquez

Reference taken from :
CVE 2011-0105
OSVDB 71765
MSB MS11-021

Platform : windows
Targets :
Win XP sp3 ( Vista and 7 will try to repair the file )
Microsoft Office excel 2007 on Windows XP
Microsoft Office excel 2007 SP2 on Windows XP




source:
snypter