Developing a secure and feature rich hypervisor is no easy task. Recently, the open source Xen hypervisor was affected by two interesting vulnerabilities involving its x86 emulation code: XSA 110 and XSA 105. Both bugs show that the attack surface of hypervisors is often larger than expected. XSA 105 was originally reported by Andrei Lutas from BitDefender. The patch adds missing privilege checks to the emulation routines of several critical system instructions including LGDT and LIDT. The vulnerable code can be reached from unprivileged user code running inside hardware virtual machine (HVM) guests and can be used to escalate guest privileges. XSA 110 was reported by Jan Beulich from SUSE and concerns insufficient checks when emulating long jumps, calls or returns.
Recently we had the pleasure to take a look at GitHub’s Enterprise appliance. The appliance allows one to deploy the excellent GitHub web interface locally to host code on-site. Besides the well known interface, which is similar to the one hosted at github.com, the appliance ships with a separate interface called the management console, which is used for administrative tasks like the configuration of the appliance itself. This management interface is completely decoupled from the user interface.
During our assessment we focused on the management console where we found several vulnerabilities (others may have found them, too). On November 11, 2014 GitHub released a security advisory which included the most critical findings that have been fixed in GitHub Enterprise 2.0.0. Because the advisory doesn’t include any detailed information, we will discuss some of those vulnerabilities in detail.
The below post was originally written on February 9th as a little educational exercise & follow-up to my BinDiff post. (This research was actually triggered by a relative asking about that strange Fritz!Box vulnerability he heard about on the radio). Once we realized the full potential of the bug we decided against publishing the post and contacted several parties instead. Amongst others this contributed to the German BSI press release. Given the cat is out of the bag now anyway, we see no reason to hold it back. We will further take this as an opportunity to lay out our basic vulnerability disclosure principles in a future post. This topic will also be discussed in the panel “Ethics of Security Work & Research” at Troopers
Fritz!Box is series of DSL and WLAN routers produced by AVM. They are extremely popular in Germany and are the uncontested market leader for private DSL customers. Recently, a significant number of Fritz!Box owners became victim of an attack that resulted in calls to expensive international numbers. The newspaper “Der Westen” reported about a case where phone calls valued over 4200€ were initiated from a compromised Fritz!Box. Few days later AVM published a security update for a large number of Fritz!Box models and urged customers to apply the patch as soon as possible.
However, no further details about the vulnerability were published. This blog post describes our analysis of the vulnerability that we performed directly after the first updates were released.
We just got credits for a flaw we found in SAP Netweaver. The issue is a reflected Cross-Site Scripting (XSS). It can be triggered in the administrative interface for the Internet Communication Manager (ICM) and Web Dispatcher. This means that the targets for this XSS will definitely be users with administrative privileges. This makes it especially juicy for an attacker. Continue reading “XSS in SAP Netweaver”
During a recent research project we performed an in-depth security assessment of Microsoft’s virtualization technologies, including Hyper-V and Azure. While we already had experience in discovering security vulnerabilities in other virtual environments (e.g. here and here), this was our first research project on the Microsoft virtualization stack and we took care to use a structured evaluation strategy to cover all potential attack vectors.
Part of our research concentrated on the Hyper-V hypervisor itself and we discovered a critical vulnerability which can be exploited by an unprivileged virtual machine to crash the hypervisor and potentially compromise other virtual machines on the same physical host. This bug was recently patched, see MS13-092 and our corresponding post. Continue reading “Exploiting Hyper-V: How We Discovered MS13-092”
The root cause of the vulnerability is Rails handling of formatted parameters. In addition to standard GET and POST parameter formats, Rails can handle multiple different data encodings inside the body of POST requests. By default JSON and XML are supported. While support for JSON is widely used in production, the XML functionality does not seem to be known by many Rails developers.
XML parameter parsing
The code responsible for parsing these different data types is shown below:
# actionpack/lib/action_dispatch/middleware/params_parser.rb
....
DEFAULT_PARSERS = {
Mime::XML => : xml_simple,
Mime::JSON => :json
}
....
def parse_formatted_parameters(env)
...
when Proc
strategy.call(request.raw_post)
when : xml_simple, : xml_node
data = Hash.from_xml(request.raw_post) || {}
data.with_indifferent_access
when :yaml
YAML.load(request.raw_post)
when :json
data = ActiveSupport::JSON.decode(request.raw_post)
data = {:_json => data} unless data.is_a?(Hash)
data.with_indifferent_access
else
false
end
...
2 AFFECTED PRODUCTS
The following Products have been tested as vulnerable so far:
Cisco Unified Meetingplace with the following modules:
• MeetingPlace Agent 7.1.1.9
• MeetingPlace Audio Service 7.1.1.8
• MeetingPlace Gateway SIM 7.1.1.2
• MeetingPlace Replication Service 7.1.1.9
• MeetingPlace Master Service 7.1.1.8
• MeetingPlace Extension 7.1.1.8
• MeetingPlace Authentication Filter 7.1.1.8
3 DETAILS
The following parameters are affected:
http://$IP/mpweb/scripts/mpx.dll [POST Parameter wcRecurMtgID]
4 VULNERABILITY SCORING
The severity rating based on CVSS Version 2:
Base Vector: (AV:N / AC:L / Au:S / C:P / I:P / A:P)
CVSS Version 2 Score: 6.5
Severity: Low
As we are at the topic of Cisco’s Unified Communications Solution, there is a lot more in the queue to come up, just be patient a little longer, it’ll be worth it (-;
Microsoft takes this vulnerability quite serious and was acting fast. The Microsoft Security Response Center announced the availability of a fix last night in the MSRC Blog.
The fix will be available via Windows Update on friday, the 21st of september. So it’s time to get ready for this update ;-).
Actually a Windows Vulnerability (Microsoft Advisory 2757760) related to the Internet Explorer Version 7, 8 and 9 is in the news. Microsoft is aware of the problem, but there’s no patch available yet. We call this a 0-Day :-). Making the problem even worse, on monday reliable exploit code was released within the Metasploit project, so exploit code is already in the wild.
Disabling Active X and Active Scripting in the Internet Settings
But both of them have some impact: EMET must be deployed before any usage (btw. EMET can be configured via Group Policies) and disabling Active X and Active Scripting might break some business relevant web sites (that can be added to the “Trusted Sites” Zone, but might produce major operational effort).
There are more possible mitigating controls, so let’s just summarize some ideas:
Use of alternative browser: if you have it deployed already, go for it :-). Otherwise we have the same deployment issue as with EMET.
Sandboxing/Application Virtualization: It’s the same as with the alternate browser, of you have it, go for it, otherwise it will be a long term project. And be aware that also Application Virtualization won’t address all issues (see the ERNW Newsletter 32 for details).
No local admin rights: This doesn’t protect from exploiting the vulnerability, but at least reduces the impact. We strictly recommend to check the local administrator group and remove all users that don’t rely on it for fulfilling their business tasks. And btw. this topic is not new ;-), see also ERNW Newsletter 4, published in 2004!
Blocking communication for the clients at the corporate firewall: Be aware that this doesn’t really work. Modern exploit code is able to use the corporate proxy infrastructure including authentication to circumvent this control. Metasploit has exploit payloads for this.
Disabling/Blocking Flash content: While potentially not strictly required for exploitation, at least in some of the exploits currently observed in the wild Adobe Flash plays a major role. So like discussed in these Insinuator posts (1, 2 and 3), restricting the use of Adobe Flash would proactively prevent some known exploits from working. But the newly published Metasploit exploit doesn’t use Flash, so keep in mind that this mitigating control can only be used in addition to other ones.
So for a short term mitigation we recommend the following (especially for corporate environments)
Disabling Active X and Active Scripting via Group Policies
Disable/block Flash content
Remove unneeded local administrative privileges
If available use alternative browser or EMET
For long term mitigation (might also be feasible in small environments as short term mitigation):
Deploy EMET
Evaluate possibilities of application sandboxing/virtualization
Deploy alternative browser. Be aware that deploying a second browser might not be an option for big corporate environments (central management and supporting/maintaining additional software are the main reasons for this).
And finally DON’T PANIC ;-), start to address the problem in a professional way.
