Breaking

Xen XSA 155: Double fetches in paravirtualized devices

As part of my research on the security of paravirtualized devices, I reported a number of vulnerabilities to the Xen security team, which were patched today. All of them are double fetch vulnerabilities affecting the different backend components used for paravirtualized devices. While the severity and impact of these bugs varies heavily and is dependent on a lot of external factors, I would recommend patching them as soon as possible. In the rest of this blog post I’ll give a short teaser about my research with¬†full details coming out in the first quarter of 2016 .

Continue reading “Xen XSA 155: Double fetches in paravirtualized devices”

Continue reading
Breaking

VMware did it again: vCenter Remote Code Execution

Yesterday 7Elements released the description of a Remote Code Execution vulnerability in VMware vCenter. The information came in at a good point as I’m at the moment drafting a follow-up blogpost for this one which will summarize some of our approaches to virtualization security. The vCenter¬†vulnerability¬†is both quite¬†critical and¬†particularly interesting in several¬†ways:

Continue reading “VMware did it again: vCenter Remote Code Execution”

Continue reading
Breaking

General Pr0ken Filesystem – Hacking IBM’s GPFS

This post is a short wrap-up of our Troopers talk about the research we did on IBM’s General Parallel File System. If you are interested in all the technical details take a look at our slides or the video recording. We will also give an updated version of this talk at the PHDays conference in Moscow next month.

The IBM General Parallel File System is a distributed file system used in large scale enterprise environments, high performance clusters as well as some of the worlds largest super computers. It is considered by many in the industry to be the most feature rich and production hardened distributed file system currently available. GPFS has a long and really interesting history, going back to the Tiger Shark file system created by IBM 1993.

Of course, this makes it an interesting target for security research. When looking at GPFS from an implementation point of view, the Linux version is made up of three different components: User space utilities and helper scripts, the mmfsd network daemon and multiple Linux kernel modules. We (Florian Grunow and me) spent some time analyzing the internals of these components and discovered critical vulnerabilities in all of them.

Continue reading “General Pr0ken Filesystem – Hacking IBM’s GPFS”

Continue reading
Breaking

XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]

During one of our latest web application code review projects I came across a vulnerability for which I think it is worth to speak about. It is an injection based attack against XML parsers which uses a rarely required feature called external entity expansion. The XML specification allows XML documents to define entities which reference resources external to the document and parsers typically support this feature by default. If an application parses XML input from untrusted sources and the parsing routine is not properly configured this can be exploited by an attacker with a so called XML external entity (XXE) injection. A successful XXE injection attack could allow an attacker to access the file system, cause a DoS attack or inject script code (e.g. Javascript to perform an XSS attack).
Continue reading “XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]”

Continue reading
Breaking

Revisiting Xen’s x86 Emulation: Xen XSA 123

In my last blog post, I gave an overview about recent vulnerabilities discovered in the x86 emulation layer of Xen. While both of the discussed vulnerabilities only allow for guest privilege escalation, the complexity of the involved code seemed to indicate that even more interesting bugs could be discovered. So I spent some time searching for memory corruption issues and discovered a very interesting bug that resulted in XSA 123 . This post gives an overview about the root cause of the bug and a short description of exploitation challenges. A follow-up post will describe possible exploitation strategies in more detail.

Continue reading “Revisiting Xen’s x86 Emulation: Xen XSA 123”

Continue reading
Breaking

The Dangers of x86 Emulation: Xen XSA 110 and 105

Xen Logo

Developing a secure and feature rich hypervisor is no easy task. Recently, the open source Xen hypervisor was affected by two interesting vulnerabilities involving its x86 emulation code: XSA 110 and XSA 105. Both bugs show that the attack surface of hypervisors is often larger than expected. XSA 105 was originally reported by Andrei Lutas from BitDefender. The patch adds missing privilege checks to the emulation routines of several critical system instructions including LGDT and LIDT. The vulnerable code can be reached from unprivileged user code running inside hardware virtual machine (HVM) guests and can be used to escalate guest privileges. XSA 110 was reported by Jan Beulich from SUSE and concerns insufficient checks when emulating long jumps, calls or returns.

Continue reading “The Dangers of x86 Emulation: Xen XSA 110 and 105”

Continue reading
Breaking

GitHub Enterprise 2.0.0 Fixes Multiple Vulnerabilities

Recently we had the pleasure to take a look at GitHub’s Enterprise appliance. The appliance allows one to deploy the excellent GitHub web interface locally to host code on-site. Besides the well known interface, which is similar to the one hosted at github.com, the appliance ships with a separate interface called the management console, which is used for administrative tasks like the configuration of the appliance itself. This management interface is completely decoupled from the user interface.

During our assessment we focused on the management console where we found several vulnerabilities (others may have found them, too). On November 11, 2014 GitHub released a security advisory which included the most critical findings that have been fixed in GitHub Enterprise 2.0.0. Because the advisory doesn’t include any detailed information, we will discuss some of those vulnerabilities¬†in detail.

Continue reading “GitHub Enterprise 2.0.0 Fixes Multiple Vulnerabilities”

Continue reading
Breaking

How to Own a Router – Fritz!Box AVM Vulnerability Analysis

The below post was originally written on February 9th as a little educational exercise & follow-up to my BinDiff post. (This research was actually triggered by a relative asking about that strange Fritz!Box vulnerability he heard about on the radio). Once we realized the full potential of the bug we decided against publishing the post and contacted several parties instead. Amongst others this contributed to the German BSI press release. Given the cat is out of the bag now anyway, we see no reason to hold it back. We will further take this as an opportunity to lay out our basic vulnerability disclosure principles in a future post. This topic will also be discussed in the panel “Ethics of Security Work & Research” at Troopers

Fritz!Box

Fritz!Box is series of DSL and WLAN routers produced by AVM. They are extremely popular in Germany and are the uncontested market leader for private DSL customers. Recently, a significant number of Fritz!Box owners became victim of an attack that resulted in calls to expensive international numbers. The newspaper ‚ÄúDer Westen‚ÄĚ reported about a case where phone calls valued over 4200‚ā¨ were initiated from a compromised Fritz!Box.¬† Few days later AVM published a security update for a large number of Fritz!Box models and urged customers to apply the patch as soon as possible.

However, no further details about the vulnerability were published. This blog post describes our analysis of the vulnerability that we performed directly after the first updates were released.

Continue reading “How to Own a Router – Fritz!Box AVM Vulnerability Analysis”

Continue reading