Chrome Zero-Day Attack; Google Advises to Update Immediately!

Google has released a new version of Chrome, and researchers are urging all users to update the browser immediately.

The latest version is 72.0.3626.121, released at the very beginning of March 2019.

To update an older installation, open the URL chrome://settings/help, which shows which version is currently installed.

The alarm is being raised because of a recently disclosed zero-day security vulnerability.

The vulnerability has been assigned CVE-2019-5786, and Google says it is aware of it and is therefore warning its users.

A vulnerability is a bug that weakens the software's security, whereas an exploit is a way of using the vulnerability to get past the security provisions.

Every vulnerability poses a threat to the system, even if all it does is produce thousands of unwanted error messages.

Every exploit stems from a vulnerability, but not every vulnerability results in an exploit.

Used maliciously, a vulnerability can be made to do far more than produce error messages.

A zero-day is a vulnerability that criminals have found a way to abuse before researchers could produce a fix for it.

In other words, a zero-day is an attack for which even the best researchers have not yet found a solution.

Such attacks are usually discovered weeks or even months after they begin operating on the network.

Google is working on a fix for the bug and is keeping restrictions on the details in place for as long as the bug exists.

The vulnerability is a memory-mismanagement bug in a part of Chrome called "FileReader".

FileReader helps web developers bring up menus and dialogs.

This particular bug gives the attacker a great deal of control: it is not limited to reading files but extends all the way to remote code execution.

In other words, malware could be planted on the victim's system without any warning, pop-up or dialog.

The only real protection is to keep systems up to date at all times.

Also, keep checking for updates and patches that fix vulnerabilities.

Malware Alert: Mirai Alias Miori Is Being Dispensed Via RCE Exploits

Adding to the latest list of rampant malware, criminals have decided to rename some older strains.

The Mirai malware is now being distributed under the name Miori, by way of remote code execution exploits.


Mirai has a long history of wreaking havoc by carrying out DDoS (Distributed Denial of Service) attacks from various IoT device platforms.


The botnet in question has previously carried out some truly damaging DDoS attacks and has been behind computer fraud and abuse.


To run across platforms, the malware needs to work equally well on different CPU architectures.


Miori can readily compromise internet-connected devices by abusing their vulnerabilities; smart devices are a constant target for this malware.


The malware is being distributed through a remote code execution vulnerability in the PHP framework ThinkPHP. The exploit specifically targets versions prior to 5.0.23 and 5.1.31.


The security researchers tracking the malware report that the rate of infection via the ThinkPHP RCE in smart devices is increasing.


Numerous other Mirai variants that exploit the ThinkPHP RCE vulnerability are also being distributed.


Researchers also confirmed that a Linux device was made to take part in the DDoS attack after being infected via other connected devices, as its default credentials were reset through Telnet.


Reportedly, Miori is merely one of the variants that criminals use to compromise vulnerable devices via the ThinkPHP RCE.


The malware variant was downloaded from the following command-and-control server: hxxp://144[.]202[.]49[.]126/php


Once the malware is executed, it spawns a routine that uses Telnet to brute-force other IP addresses.


Port 42352 (TCP/UDP) is used to receive further commands from the C&C server.


Researchers decrypted Miori's configuration table, which is embedded in its binary strings.


The researchers also recovered the usernames, passwords and other credentials the malware uses, as they were fairly easy to guess.


Closer scrutiny revealed two URLs used by two other Mirai variants, APEP and IZIH9. Both use the same string de-obfuscation procedure as Mirai and Miori.


APEP also spreads by exploiting CVE-2017-17215, another RCE vulnerability that seriously affects router devices.

Critical Remote Code Execution vulnerability patched in MediaWiki, affecting Wikipedia

A critical remote code execution vulnerability has recently been patched in the MediaWiki wiki software. Thousands of wiki sites, including Wikipedia, were affected by this security bug.

Security researchers from Check Point identified the vulnerability (CVE-2014-1610), which affects all versions from 1.8 onwards. Sites are vulnerable only if a specific non-default setting is enabled.

According to the security advisory, an attacker could have exploited this vulnerability to make file and system changes and gain complete control of the server.

Check Point said an attacker could have injected malicious code into every page of Wikipedia.org, putting millions of users' systems at risk of malware infection.

Fortunately, Check Point immediately informed the Wikimedia Foundation of the bug, and on 28 January the foundation released a patch for it.

The security advisory says that this is the third critical remote code execution vulnerability discovered in MediaWiki since 2006.

Ebrahim Hegazy discovered PHP Code Injection Vulnerability in Yahoo


Ebrahim Hegazy, a web application penetration tester, has discovered a critical remote PHP code injection vulnerability in the Yahoo website that could have allowed attackers to inject and execute arbitrary PHP code on the Yahoo server.

The vulnerability exists in Yahoo's Taiwan sub-domain, at http://tw.user.mall.yahoo.com/rating/list?sid=[CODE_Injection]. The 'sid' parameter allows PHP code to be injected.

According to his blog post, the sid parameter may have been passed directly to an eval() call, which results in code injection.

In his demo, Ebrahim showed how to obtain the directory listing and the process list by injecting the following code:
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("dir"))}
http://tw.user.mall.yahoo.com/rating/list?sid=${@print(system("ps"))}

He also found that the Yahoo server was running an outdated kernel vulnerable to local privilege escalation.

Yahoo fixed the issue immediately after being notified by the researcher. However, he is still waiting for a bug bounty reward. Google pays $20,000 for this kind of vulnerability, while Yahoo's maximum bounty is $15,000; it remains to be seen how much Yahoo offers for this one.



Last month, German security researcher David Vieira-Kurz discovered a similar remote code execution vulnerability in the eBay website.

PHP-CGI remote code execution vulnerability exploited to deliver Bitcoin Malware

A two-year-old PHP-CGI remote code execution vulnerability (CVE-2012-1823) is being exploited to install Bitcoin-mining malware on web servers, Symantec reports.

Symantec says it has noticed a substantial increase in the number of PHP code inclusion attacks against its Managed Security Services (MSS) customers.

Only Linux web servers running the outdated PHP version are said to be vulnerable to this exploit. As of 7 January, more than its Security Operations Center (SOC) customers had been affected by these exploit attempts.


Vulnerable servers are targeted with exploit code that disables security_mode and enables other options needed for the exploit. If the server is vulnerable, the exploit downloads 'a' script that installs a Bitcoin miner.
 
"The role of Bitcoin mining in this scenario is to harness the victim's computational resources to financially benefit the perpetrators," say researchers at Symantec. "The victim systems in this situation have been wrongfully hijacked and pressed into service, which may cause slowdowns for legitimate users and resource issues for server owners."

Remote command execution vulnerability in Vodafone website

A group called "HackerDesk" has identified a security vulnerability affecting one of the subdomains of the Vodafone website: "lbas.vodafone.com" was found to be vulnerable to remote command execution (CVE-2013-1965).

"The vulnerability alone may not be hugely significant, but when put into the context of an attack it can have much greater consequences. The vulnerability allows for some post-exploitation techniques to be utilized, such as installing backdoors and JSP post-exploitation tool kits. This allows for more elaborate and complex attacks to occur," the researcher said.

"The true impact of the exploitation of this vulnerability when combined with post-exploitation tool kits could be full compromise of a system with the ability for that system to be used for onward compromise of connected hosts."

By sending a payload to the server, the researcher was able to execute any command he wanted; the results were returned as a downloadable file.



The researchers reported the vulnerability to Vodafone and suggested upgrading to the latest version of Struts, which contains the corrected OGNL and XWork libraries. It appears the Vodafone team took the subdomain offline to apply patches.

You can find the technical details in this document.

Remote Code Execution vulnerability in Ebay website

David Vieira-Kurz, a security researcher from Germany, has discovered an interesting remote code execution vulnerability in the eBay website.

The 'q' parameter of the 'search' page on the South Asian eBay domain (sea.ebay.com/search/?q=david&catidd=1) was found to be vulnerable to remote code execution.

The researcher cleverly passed the 'q' parameter as an array containing a command, which was then executed.

The researcher's proof of concept prints information about the PHP installation on the server:
sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1

An attacker could have exploited this vulnerability to run OS commands and compromise the entire server. David reported it to the eBay security team, and it has now been fixed.

He also discovered a SQL Injection vulnerability in the same domain last year.

The full technical details are available here.
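The assumed shape of the bug behind both the Yahoo sid finding above and this eBay q[] finding, beside a hardened handler, as an added PHP illustration that is not Yahoo's, eBay's or either researcher's code: the function names, the WHERE-clause string and the use of php_uname() in place of the posts' system()/phpinfo() calls are assumptions.

```php
<?php
// Added illustration, not Yahoo's or eBay's code: the assumed shape of the bug
// in both posts (a query parameter reaching eval() inside a double-quoted
// string) beside a hardened handler. The rating lookup is simulated.

// VULNERABLE: eval() builds PHP source from the parameter. Inside a double-
// quoted string "{${expr}}" evaluates expr, so the parameter becomes code.
function rating_list_vulnerable(array $query): string
{
    $sid = $query['sid'] ?? '';
    if (is_array($sid)) {          // eBay-style q[0]=..&q[1]=..: filters that
        $sid = implode('', $sid);  // only inspect strings never see the payload
    }
    eval('$where = "sid = ' . $sid . '";');   // code-injection sink
    return $where;
}

// HARDENED: never assemble code from input. Check the type and shape, then use
// the value only as data (with PDO it would be bound as a query parameter).
function rating_list_hardened(array $query): string
{
    $sid = $query['sid'] ?? null;
    // is_string() rejects the bracketed-array form; ctype_digit() allows only a
    // decimal identifier, so no "{$", "${", quotes or parentheses get through.
    if (!is_string($sid) || !ctype_digit($sid) || strlen($sid) > 10) {
        throw new InvalidArgumentException('sid must be a numeric id');
    }
    return 'sid = ' . (int) $sid;
}

// Constructed inputs. The second mirrors the posts' payloads with php_uname()
// standing in for system()/phpinfo(): the expression runs on the server and
// its result ends up in the WHERE clause ($sid is overwritten, then interpolated).
$benign  = ['sid' => '42'];
$payload = ['sid' => ['1', '{${[$sid = php_uname("s"), "sid"][1]}}']];

echo rating_list_vulnerable($benign), "\n";
echo rating_list_vulnerable($payload), "\n";   // server-side expression result leaks
try {
    rating_list_hardened($payload);            // array input: rejected
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo rating_list_hardened($benign), "\n";
```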

Vulnerability in NVIDIA mental ray allows hackers to take control of render farms

A security vulnerability in NVIDIA mental ray, high-performance 3D rendering software, allows attackers to take control of an entire "render farm", say security researchers at ReVuln.

A render farm is a cluster of specialized computers designed for rendering images, typically used for creating visual effects in films. Render farms have very high computational capacity.

mental ray is available as stand-alone software and is also embedded in popular applications such as AutoCAD, Autodesk 3ds Max, Autodesk Maya, Cinema 4D and Domus3D.

By sending a single malicious packet to the target machine, an attacker can make it load arbitrary DLLs; injecting a malicious remote library lets the attacker take control of the entire render farm.


Only mental ray version 3.11.1.10 is affected by this vulnerability.

What would you do with access to a system that has huge computational capacity? An attacker would certainly try to use it for password cracking or Bitcoin mining.

You can find the white paper here: http://revuln.com/files/ReVuln_Nvidia_mental_ray.pdf

OpenSSH fixes a critical code execution vulnerability

 

OpenSSH, a tool that provides encrypted communication sessions over a computer network using the SSH protocol, has patched a critical code execution vulnerability.

"A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange," the security advisory reads.

"If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations."

The vulnerability was identified by OpenSSH developer Markus Friedl on November 7th, and the fix was issued immediately.

The flaw is fixed in OpenSSH 6.4. A security patch is available for users who prefer to continue using OpenSSH 6.2 or 6.3.

Hacking the Hackers: Carberp Panel vulnerable to Remote Code Execution

The recent Carberp source code leak gave researchers an opportunity to investigate the bootkit and other components of the Trojan. While everyone else was looking at the source code of the malicious parts, one security researcher took an interest in the panel's source code.

Steven K, a security researcher from France who runs the xylibox blog, has discovered two security vulnerabilities in the Carberp panel: IP spoofing and remote code execution.

Remote code execution is a critical class of security bug that allows attackers to inject and execute commands on the vulnerable server.


The researcher found that the "data" parameter of the POST request is vulnerable to remote code execution. He also wrote proof-of-concept code to exploit the vulnerability.

He successfully exploited the bug and obtained the database username, password and auth key. The bug also allows the "wget" command to be run to download a backdoor.

The code suggests that the cybercriminals behind the Carberp Trojan are far less skilled at secure web application coding than at malware coding.

ZPanel security vulnerability allows hacker to reset the root password


A critical remote code execution vulnerability has been identified in ZPanel that allows attackers to reset the root password and gain access to the server.

According to the forum post, the latest stable version, 10.0.2, is also affected by this security flaw. The poster also provided steps to reproduce the vulnerability.


The flaw exists in the ZPX HTPASSWD module, which fails to sanitize user input. It allows anyone with access to the page, including admins, resellers and clients, to inject arbitrary shell commands on the server.

The vulnerability has been confirmed by ZPanel Head Developer and Project Leader Bobby Allen. ZPanel users are advised to disable the HTPASSWD module.

The team is currently testing the patched file, which has been committed to GitHub, and has promised to issue a manual patch once testing is complete.
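The class of bug described in this post, a panel module splicing user input into a shell command, beside a hardened version that avoids the shell entirely, as an added PHP illustration that is not ZPanel's code: the function names, the username rule and the file path are assumptions.

```php
<?php
// Added illustration, not ZPanel's code: an htpasswd-style module passing
// user input into a shell command, beside a hardened version that never
// invokes a shell. Function names, username rule and paths are assumptions.

// VULNERABLE: the fields are interpolated straight into a command line, so a
// ';', '$(', backtick or newline in either field runs extra commands as the
// web server user. The command is returned here rather than executed.
function htpasswd_cmd_vulnerable(string $file, string $user, string $pass): string
{
    return "htpasswd -b $file $user $pass";   // would be passed to shell_exec()
}

// HARDENED: validate the username shape and write the "user:hash" line with
// PHP's own password hashing, so no shell and no external binary is involved.
// (If the external tool were required, proc_open() with an array command,
// PHP 7.4+, passes arguments without a shell; escapeshellarg() is the fallback.)
function htpasswd_add_hardened(string $file, string $user, string $pass): bool
{
    // Letters, digits, dot, underscore, hyphen only: rejects spaces, ';', '$(',
    // newlines and the ':' that separates fields in the htpasswd format.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return false;
    }
    if (strlen($pass) < 8) {
        return false;
    }
    // bcrypt ($2y$) entries are accepted by Apache httpd 2.4 and later
    $line = $user . ':' . password_hash($pass, PASSWORD_BCRYPT) . "\n";
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed input: a username carrying a shell-injection attempt.
$evil = 'bob; echo injected';
echo htpasswd_cmd_vulnerable('/path/to/htpasswd', $evil, 'secret'), "\n";

$file = tempnam(sys_get_temp_dir(), 'htpasswd');
var_dump(htpasswd_add_hardened($file, $evil, 'correct horse battery'));  // rejected
var_dump(htpasswd_add_hardened($file, 'bob', 'correct horse battery'));  // written
echo file_get_contents($file);
```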