Misc
by Oliver Matula

QEMU, Unicorn, Zelos, and AFL

I should start by telling you that this post does not contain anything fundamentally new. Hence, if you already know the tools mentioned in the title, this post may probably not be for you. However, if you are not too familiar with these tools and want to understand a little bit more on how they work together, you should keep on reading.

First, let us get a high-level overview of the different tools. We begin with QEMU. QEMU is a piece of software to emulate hardware such as processors. Imagine, for example, that you are running an operating system such as Linux or Windows on a x86-64 machine and that you would like to analyze a binary that has been compiled for an ARM or MIPS processor. Of course, you can use static analysis on the binary, but if you want to find out more about the runtime behavior, well, it would be good to have a corresponding runtime environment. Continue reading “QEMU, Unicorn, Zelos, and AFL”

Continue reading
Misc
by Fabian Ullrich

Security Advisories for Ivanti DSM Suite

From the end of 2019 on, we reported two critical vulnerabilities in the Ivanti DSM Suite to the vendor. The following CVE IDs were assigned to the issues (but note that they have a status of RESERVED, i.e. titles and descriptions may change in the future):

  • CVE-2020-12441: Denial-of-Service (DoS) in Ivanti Service Manager HEAT Remote Control 7.4
  • CVE-2020-13793: Unsafe storage of AD credentials in Ivanti DSM netinst 5.1

The vulnerabilities have meanwhile been fixed and an updated software version can be downloaded here. Continue reading “Security Advisories for Ivanti DSM Suite”

Continue reading
Breaking
by Julian Suleder

Medical Device Security: HL7v2 Injections in Patient Monitors

Digital networking is already widespread in many areas of life. In the healthcare industry, a clear trend towards networked devices is noticeable, so that the number of high-tech medical devices in hospitals is steadily increasing.

In this blog post, we want to elucidate a vulnerability we identified during the security assessment of a patient monitor. The device sends HL7 v2.x messages, such as observation results to HL7 v2.x capable electronic medical record (EMR) systems. A user with malicious intent can tamper these messages. As HL7 v2.x is a common medical communication standard, we also want to present how this kind of vulnerability may be mitigated. The assessment was part of the BSI project ManiMed, which we would like to present in the following section.

Continue reading “Medical Device Security: HL7v2 Injections in Patient Monitors”

Continue reading
Breaking
by Jan Ruge

CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag

Nowadays, Bluetooth is an integral part of mobile devices. Smartphones interconnect with smartwatches and wireless headphones. By default, most devices are configured to accept Bluetooth connections from any
nearby unauthenticated device. Bluetooth packets are processed by the Bluetooth chip (also called a controller), and then passed to the host (Android, Linux, etc.). Both, the firmware on the chip and the host Bluetooth subsystem, are a target for Remote Code Execution (RCE) attacks.

One feature that is available on most classic Bluetooth implementations is answering over Bluetooth pings. Everything an attacker needs to know is the device’s Bluetooth address. Even if the target is not discoverable, it typically accepts connections if it gets addressed. For example, an attacker can run l2ping, which establishes an L2CAP connection and sends echo requests to the remote target.

In the following, we describe a Bluetooth zero-click short-distance RCE exploit against Android 9, which got assigned CVE-2020-0022 . We go through all steps required to establish a remote shell on a Samsung Galaxy S10e, which was working on an up-to-date Android 9 when reporting the issue on November 3 2019. The initial flaw used for this exploit is still present in Android 10, but we utilize an additional bug in Bionic (Android’s libc implementation), which makes exploitation way easier. The bug was finally fixed in the security patch from 1.2.2020 in A-143894715. Here is a demo of the full proof of concept:

Continue reading “CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag”

Continue reading
Misc
by Kevin Kelpen

VMware NSX-T Distributed Firewall can be bypassed by default

We recently came across an issue when playing around with VMware NSX-T which not anyone might be aware of when getting started with it. Because many of our customers start with transitioning to NSX-T, we want to share this with you. In short, the Distributed Firewall (DFW) of NSX-T can be easily bypassed in the default configuration because it only works effectively if at the same time, the SpoofGuard feature is enabled on all logical switch ports which is not the case by default.

Continue reading “VMware NSX-T Distributed Firewall can be bypassed by default”

Continue reading
Breaking, Building
by Malte Heinzelmann

DNS exfiltration case study

Lately, we came across a remote code execution in a Tomcat web service by utilizing Expression Language. The vulnerable POST body field expected a number. When sending ${1+2} instead, the web site included a Java error message about a failed conversion to java.lang.Long from java.lang.String with value "3".

From that error message we learned a couple of things:

  • The application uses Java
  • We are able to execute EL expressions
  • Output from the EL engine is always returned as String

Whenever you are able to execute code within a Java Context, the most interesting part is to check whether we can get a Runtime object and execute arbitrary OS commands.

Sending ${Runtime.getRuntime()} resolves to java.lang.Runtime@de30bb. Great, so we can use Runtime.exec(String cmd) to execute arbitrary code? Continue reading “DNS exfiltration case study”

Continue reading
Events
by Rachelle Boissard

TROOPERS20 Training Teaser: Attack And Defence In AWS: Chaining Vulnerabilities To Go Beyond The OWASP Top 10

Attackers are everywhere. They are now on the cloud too! Attacking the most popular cloud provider – AWS, requires the knowledge of how different services are setup, what defences do we need to bypass, what service attributes can be abused, where can information be leaked, how do I escalate privileges, what about monitoring solutions that may be present in the environment and so on! We try to answer these questions in our intense, hands-on scenario driven training on attacking and subsequently defending against the attacks on AWS.

As an attacker or defender, if you have ever asked any of the following questions, this training is for you:

  • Is there a process to attacking the cloud or do we go after the services as and when they are discovered?
  • Is SSRF the only vulnerability to access the metadata service on EC2?
  • How do I use stolen AWS secret keys to attack further?
  • How do I hide cover my tracks in AWS environment?
  • If I can’t see a service due to security group, can I still attack it?
  • How do I create better wordlists to discover and exploit S3 buckets that have uncommon names?
  • Can I impersonate other users within AWS?
  • Is there a way to extract secrets from AWS Lambda?
  • How do I prevent credential compromise in AWS?
  • How can I be sure there is no attacker already within my cloud infrastructure?
  • How do I enumerate and move between accounts that are part of AWS organisations?

Continue reading “TROOPERS20 Training Teaser: Attack And Defence In AWS: Chaining Vulnerabilities To Go Beyond The OWASP Top 10”

Continue reading