Category: Breaking

Breaking, Misc
by Jan Ruge

Attack llvmpipe Graphics Driver from Chromium

In this post, we are discussing a bug we came across in Mesas llvmpipe Gallium3D graphics driver. This bug was accessible through Chromium’s WebGL implementation and can provide control of the program counter (pc) within Chromium’s GPU process if llvmpipe is used. Llvmpipe is a software rasterizer that is used on Linux if no hardware acceleration (graphics card) is available. This is a pretty rare edge case as llvmpipe has no widespread use. An estimate by Google is that approx 0.06% of the Chromium users are affected by this. However, as this is a simple but valid Chromium bug, we want to give you a quick walkthrough. The issue is tracked as CVE-2021-21153 and was fixed in February 2020.

Continue reading “Attack llvmpipe Graphics Driver from Chromium”

Continue reading
Breaking, Misc
by Dennis Heinze

fpicker: Fuzzing with Frida

Introduction

In this post, I will introduce fpicker. Fpicker is a Frida-based coverage-guided, mostly in-process, blackbox fuzzing suite. Its most significant feature is the AFL++ proxy mode which enables blackbox in-process fuzzing with AFL++ on platforms supported by Frida. In practice, this means that fpicker enables fuzzing binary-only targets with AFL++ on potentially any system that is supported by Frida. For example, it allows fuzzing a user-space application on the iOS operating system, such as the Bluetooth daemon bluetoothd – which was part of the original motivation to implement fpicker.
Continue reading “fpicker: Fuzzing with Frida”

Continue reading
Breaking
by Julian Suleder

ManiMed: Hamilton Medical AG – HAMILTON-T1 Ventilator Vulnerabilities

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Continue reading “ManiMed: Hamilton Medical AG – HAMILTON-T1 Ventilator Vulnerabilities”

Continue reading
Breaking
by Julian Suleder

ManiMed: B. Braun Melsungen AG – Space System Vulnerabilities

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Continue reading “ManiMed: B. Braun Melsungen AG – Space System Vulnerabilities”

Continue reading
Breaking
by Julian Suleder

ManiMed: Innokas Yhtymä Oy – VC150 Patient Monitor Vulnerabilities

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Continue reading “ManiMed: Innokas Yhtymä Oy – VC150 Patient Monitor Vulnerabilities”

Continue reading
Breaking
by Julian Suleder

ManiMed: Philips Medizin Systeme Böblingen GmbH – IntelliVue System Vulnerabilities

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Continue reading “ManiMed: Philips Medizin Systeme Böblingen GmbH – IntelliVue System Vulnerabilities”

Continue reading
Breaking
by Julian Suleder

ManiMed: Market Analysis

Manipulating Medical Devices

The Federal Office for Information Security (BSI) aims to sensitize manufacturers and the public regarding security risks of networked medical devices in Germany. In response to the often fatal security reports and press releases of networked medical devices, the BSI initiated the project Manipulation of Medical Devices (ManiMed) in 2019. In this project, a security analysis of selected products is carried out through security assessments followed by Coordinated Vulnerability Diclosure (CVD) processes. The project report was published on December 31, 2020, and can be accessed on the BSI website [1].

Continue reading “ManiMed: Market Analysis”

Continue reading
Breaking, Misc
by Tillmann Oßwald

Root Cause Analysis of a Heap-Based Buffer Overflow in GNU Readline

In the last blog post, we discussed how fuzzers determine the uniqueness of a crash. In this blog post, we discuss how we can manually triage a crash and determine the root cause. As an example, we use a heap-based buffer overflow I found in GNU readline 8.1 rc2, which has been fixed in the newest release. We use GDB and rr for time-travel debugging to determine the root cause of the bug.

Continue reading “Root Cause Analysis of a Heap-Based Buffer Overflow in GNU Readline”

Continue reading
Breaking
by Kevin Kelpen

VMware NSX-T MITM Vulnerability (CVE-2020-3993)

NSX-T is a Software-Defined-Networking (SDN) solution of VMware which, as its basic functionality, supports spanning logical networks across VMs on distributed ESXi and KVM hypervisors. The central controller of the SDN is the NSX-T Manager Cluster which is responsible for deploying the network configurations to the hypervisor hosts.

This summer, I looked into the mechanism which is used to add new KVM hypervisor nodes to the SDN via the NSX-T Manager. By tracing what happens on the KVM host, I discovered that the KVM hypervisor got instructed to download the NSX-T software packages from the NSX-T Manager via unencrypted HTTP and install them without any verification. This enables a Man-in-the-Middle (MITM) attacker on the network path to replace the downloaded packages with malicious ones and compromise the KVM hosts.

After disclosing this issue to VMware, they developed fixes and published the vulnerability in VMSA-2020-0023 assigning a CVSSv3 base score of 7.5.

Continue reading “VMware NSX-T MITM Vulnerability (CVE-2020-3993)”

Continue reading