May 17, 2012

Eight Year Old PHP / Apache mod_cgi Vulnerability Disclosed

(LiveHacking.Com) – Due to a bug in PHP’s bug tracking system, a privately disclosed security vulnerability in the way PHP handles query string parameters when running in CGI mode was marked as public. As a result the PHP project has released PHP 5.3.12 and PHP 5.4.2 to fix the problem; however, there are reports that these releases are buggy and don’t fully resolve the problem.

The initial details of the generic PHP-CGI remote code execution bug were posted on the eindbazen.net website. They discovered that the query string ‘?-s’ results in the “-s” command line argument being passed to PHP, resulting in source code disclosure. Further investigation showed that the command-line switches -s, -d and -c are all passed through to the php-cgi binary, and that this can also be exploited to obtain arbitrary code execution.

To test if your site is vulnerable try the following:

http://www.yourdomain.com/index.php?-s

According to the release information: “A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable. If you are using Apache mod_cgi to run PHP you may be vulnerable.”

The official fix in PHP 5.3.12 and PHP 5.4.2 contains a bug which makes it trivial to bypass; it is therefore recommended that system administrators mitigate this problem by adding the following Apache mod_rewrite rule:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
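As an added illustration (not code from the original article or from the PHP project), the following Python shows why a query string such as ?-s reaches php-cgi as a command-line switch, and uses the same logic to review web-server access logs for such requests; the log lines, hosts and paths in it are constructed for the example.

```python
import re
from typing import List
from urllib.parse import unquote

# RFC 3875 section 4.4: a query string with no unencoded '=' is an "indexed"
# query. The web server splits it on '+' and hands the URL-decoded words to
# the CGI program as command-line arguments, which is how "?-s" reaches
# php-cgi as the "-s" switch and "?%2ds" does the same after decoding.
def cgi_argv(query_string: str) -> List[str]:
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+") if word]


def passes_switch_to_cgi(query_string: str) -> bool:
    """True if the request would hand the CGI binary at least one '-' switch.
    Every word is checked, not only the first, so this is at least as strict
    as the mod_rewrite condition recommended as the interim mitigation."""
    return any(arg.startswith("-") for arg in cgi_argv(query_string))


# The RewriteCond pattern from the mitigation, as a Python regex, so the two
# checks can be compared on the same input ([NC] becomes IGNORECASE).
REWRITE_COND = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

def rewrite_cond_matches(query_string: str) -> bool:
    return REWRITE_COND.match(query_string) is not None


# Request line of an Apache combined-format log entry: method, path, optional query.
REQUEST_LINE = re.compile(r'"[A-Z]+ (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')

def scan_access_log(lines: List[str]) -> List[tuple]:
    """Return (path, raw query, argv the server would build) for suspect requests."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m is None:
            continue
        query = m.group("query") or ""
        if passes_switch_to_cgi(query):
            hits.append((m.group("path"), query, cgi_argv(query)))
    return hits


# Constructed sample log lines (hosts, paths, timestamps and agents are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2012:10:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 5120 "-" "curl/7.21"',
    '203.0.113.5 - - [17/May/2012:10:01:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/May/2012:10:02:10 +0000] "GET /index.php?%2Ds HTTP/1.1" 200 5120 "-" "python-requests/0.11"',
    '198.51.100.7 - - [17/May/2012:10:02:11 +0000] "GET /index.php?-d+display_errors%3d1 HTTP/1.1" 200 13 "-" "python-requests/0.11"',
    '192.0.2.9 - - [17/May/2012:10:03:00 +0000] "GET /search.php?foo+bar HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, query, argv in scan_access_log(SAMPLE_LOG):
        print(f"{path}?{query} -> php-cgi argv {argv}")
```

A query such as ?foo+bar is also an indexed query and also becomes argv, but contains no switch, so it is not flagged; a request with a literal '=' is an ordinary form query and never reaches argv.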

The bug was originally discovered in January and was used to pwn the Nullcon Hackim 2012 scoreboard. The PHP team were contacted, but after a couple of weeks little seemed to be happening. US-CERT was then contacted and acknowledged receipt of the vulnerability report in February. By May US-CERT notified eindbazen.net that the PHP team was testing a patch. However, on May 3rd the bug report was mistakenly marked as public and was picked up on reddit /r/netsec, /r/opensource and /r/technology. US-CERT have now published a Vulnerability Note.

It is anticipated that a new PHP update, with a revised fix, will be released soon.

RuggedCom to Fix Hard-coded Backdoor Within the Next Few Weeks

(LiveHacking.Com) – It has been revealed that the RuggedCom Rugged Operating System (ROS), which is used in RuggedCom’s network infrastructure devices, contains a hard-coded user account whose password can be computed from the device’s MAC address. The backdoor “factory” account cannot be manually disabled, leaving any affected device open to hackers gaining complete administrative control of it. The revelation was made on the Full Disclosure mailing list along with a simple Perl script that calculates the password when given the MAC address.

According to a security advisory published by RuggedCom in response to the disclosure: “The secure shell (ssh) and web access (https) do not have the backdoor access as of ROS version 3.3 and above, however telnet, remote shell (rsh) and serial console do have the backdoor access in these versions. Earlier versions of the ROS software (prior to v3.3) have the backdoor access within all these services (ssh, https, telnet, rsh and the serial console).”

The company, which was bought by Siemens in March, will release a new version of ROS in “the next few weeks”. The new version will remove the factory account and disable telnet and rsh by default. Updates will be made available for ROS v3.7, 3.8, 3.9, and 3.10. Any installations using a version of ROS before v3.7 need to upgrade.

The most alarming aspect of this backdoor access is the lack of response by RuggedCom. According to the disclosure, the company was told in April 2011 that the backdoor had been uncovered and that the password was computable. In June 2011 they verbally acknowledged the existence of the backdoor and then ceased all communication. In February 2012 US-CERT was notified.

RuggedCom equipment, which is marketed as having “industrial strength” and designed for “mission-critical applications in harsh environments”, is installed in traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites.

Google Fixes High Priority Security Vulnerabilities with new Release of Chrome

(LiveHacking.Com) – Google has released Chrome 18.0.1025.168 on Windows, Mac and Linux to fix several High priority security bugs. Under Google’s ranking scheme a vulnerability is of ‘High’ severity when it could let an attacker read or modify confidential data belonging to other web sites or execute arbitrary code within the confines of the sandbox. Google also rates vulnerabilities that interfere with browser security features (e.g. ones that can disrupt the location bar and lock icon) as High severity.

This release fixes five security vulnerabilities, of which three are rated as High. All the High rated vulnerabilities are use-after-free conditions, which are often used as the starting point of an exploit to execute arbitrary code on the victim’s computer. One of the vulnerabilities was found by security researcher miaubiz, who received $1000 under the Chromium Vulnerability Rewards Program.

The full list of fixes is as follows:

  • [106413] High CVE-2011-3078: Use after free in floats handling. Credit to Google Chrome Security Team (Marty Barbella) and independent later discovery by miaubiz.
  • [117110] High CVE-2012-1521: Use after free in xml parser. Credit to Google Chrome Security Team (SkyLined) and independent later discovery by wushi of team509 reported through iDefense VCP (V-874rcfpq7z).
  • [117627] Medium CVE-2011-3079: IPC validation failure. Credit to PinkiePie.
  • [121726] Medium CVE-2011-3080: Race condition in sandbox IPC. Credit to Willem Pinckaers of Matasano.
  • [$1000] [121899] High CVE-2011-3081: Use after free in floats handling. Credit to miaubiz.

Note that the referenced bugs may be kept private by Google until a majority of Chrome users are up to date with the fix.


Details of Zero Day Oracle Vulnerability Published After Patch Misunderstanding

(LiveHacking.Com) – The details of a zero day (0day) vulnerability in Oracle’s Database product have been published when the researcher, who originally found the problem, mistakenly believed that Oracle told him it had been fixed.

Almost two weeks ago Oracle released 88 security patches for a whole range of its products, including Oracle Database 10g and 11g. In the accompanying security advisories Joxean Koret was credited by Oracle for work submitted under the “Security-In-Depth” program. The relevant vulnerability was submitted to Oracle in 2008 and has taken Oracle four years to fix. Joxean contacted Oracle to make doubly sure that the vulnerability was fixed. The reply from Oracle said the vulnerability “was fixed in future releases of the product”. Since he was credited in the security advisories for the patch and Oracle said it was fixed, Joxean went ahead and published his own advisory explaining the vulnerability and a proof of concept.

However, it turns out that Oracle didn’t fix the problem and in fact has no intention of fixing it in released versions of Oracle Database, but will only release a fix in the next version of the product. The reason Oracle gives for this is that “the fix is very complex and it is extremely risky to backport” and that there are concerns over regression. According to Joxean this means that “there is no patch at all for this vulnerability and Oracle refuses to write a patch for any existing versions, even for Oracle 11g R2. All versions are vulnerable and will remain vulnerable”.

The bug, which is now known as the TNS Poison Vulnerability, exists in all versions of Oracle Database since 1999 (Oracle 8i) and includes the latest one (Oracle 11g). The vulnerability is in the TNS Listener, which is responsible for connection establishment. To exploit the vulnerability no privilege is needed, just network access to the TNS Listener.

Since Oracle 8i the database has supported a load balancing feature known as “remote registration”, where a remote network listener is used to forward client requests to the actual database server responsible for handling requests for a given database. The problem is that, using a man in the middle attack, it is possible to trick the database into accepting commands from a rogue listener. This is possible because a new request to register a remote listener that has already been registered with the database server is treated as a request from a cluster node after a failover. The result is that the attacker has full access to the database.

Ironically, Joxean wrote concerning the patch from Oracle: “I didn’t test it myself and, to be honest, I’m very tired of the Oracle world so I did not test it myself. I would not be surprised if the patch doesn’t correctly/completely fix the vulnerability.” And how right he was!

Mozilla Fixes Critical Security Vulnerabilities and Adds Silent Updating to Firefox

(LiveHacking.Com) – The Mozilla Foundation has released a new version of its popular web browser. Firefox 12 brings some new features, including silent updates, and fixes several critical security vulnerabilities. The biggest change for Windows Vista and Windows 7 users is the addition of silent updates, which means that the UAC (User Account Control) pop-up won’t appear when Firefox upgrades from one release to another. To bypass UAC, which first appeared in Windows Vista, Mozilla has added a standalone update service that applies the updates in the background. During the installation of Firefox 12 the user will be asked to give their explicit permission to install the update service, but they will not be prompted again for any subsequent releases.

Google’s Chrome also offers silent updates, but rather than using a special Windows service, Chrome is installed in the user’s own folder within Windows, which doesn’t require UAC permission. The downside to Google’s approach is that Chrome needs to be installed independently for every user on a PC, which can be an administrative headache for those who have multiple user accounts, for example on a shared family PC.

The functionality to relaunch and complete the update entirely in the background is scheduled for Firefox 13 or Firefox 14 this summer.

Mozilla 12 also fixes 7 Critical level security vulnerabilities, one of which only applies to Firefox Mobile.

  • MFSA 2012-31 Off-by-one error in OpenType Sanitizer
  • MFSA 2012-30 Crash with WebGL content using textImage2D
  • MFSA 2012-25 Potential memory corruption during font rendering using cairo-dwrite
  • MFSA 2012-23 Invalid frees causes heap corruption in gfxImageSurface
  • MFSA 2012-22 use-after-free in IDBKeyRange
  • MFSA 2012-21 Multiple security flaws fixed in FreeType v2.4.9 (Firefox Mobile only)
  • MFSA 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

Along with these seven Critical bugs, Mozilla also fixed four High level security vulnerabilities and three Moderate ones. In total three cross-site scripting (XSS) vulnerabilities were fixed, one of which only applied to Windows Vista and Windows 7 with hardware acceleration disabled.

The FreeType vulnerabilities in Firefox Mobile were discovered by the Google Security Team using the AddressSanitizer tool. Some of the bugs cause memory corruption and exploitable crashes with certain fonts and font parsing. Firefox Mobile has been upgraded to FreeType version 2.4.9, which addresses these issues. Desktop Firefox does not use FreeType for fonts and was not affected.

More details about the changes can be found in the release notes. Firefox 12 is available for Windows, Mac OS X and Linux from the Firefox home page.

Flashback Still a Problem, Large Number of Macs Still Infected

(LiveHacking.Com) – According to new figures released by Dr. Web, over half a million Macs are still infected with the Flashback Trojan. The number of infected Macs rose to over 650,000 on April 4th and has stayed at that level since, even though Apple has released patches to fix the vulnerability used by the trojan. These numbers are in stark contrast to figures released by Symantec, who say that “currently, it appears that the number of infected computers has tapered off, but remains around the 140,000 mark.”

Computerworld spoke with Symantec who have now revised their outlook and are agreeing with Dr. Web’s analysis. “We’ve been talking with them about the discrepancies in our numbers and theirs,” said Liam O Murchu, manager of operations at Symantec’s security response center, in an interview. “We now believe that their analysis is accurate, and that it explains the discrepancies.” To count the number of infections Symantec uses sinkholes and according to a blog update, these “sinkholes are receiving limited infection counts for” Flashback.

Flashback is spreading due to a Java concurrency vulnerability (CVE-2012-0507) which was fixed in Java Version 6 Update 31 and Java 7 Update 3 on Feb. 15, 2012, but only on the Windows platform. This left Mac users vulnerable. Apple finally fixed the vulnerability in early April, but by then the trojan had started to spread rapidly.

The exploit used by Flashback is based on a vulnerability in AtomicReferenceArray which allows the malware to disable the Java runtime sandbox mechanism. This is done with specially crafted serialized object data which, due to a logic error (not a memory corruption), allows the attacker to run arbitrary code on the victim’s Mac. The Flashback trojan, so named because the first variant was distributed as a fake Flash Player installer, uses Java vulnerabilities dating from 2009 through 2011.

Here at LiveHacking we urge Mac users to install the Java updates and afterwards scan your system to check if it has been infected. Apple have released a Flashback Removal tool.

Security Update for WordPress 3.3

(LiveHacking.Com) – The WordPress team has released WordPress 3.3.2 to fix 6 security vulnerabilities including two cross-site scripting vulnerabilities and a privilege escalation. The fixed vulnerabilities come in two distinct parts. First, three external libraries included in WordPress received security updates and second, the WordPress core security team have fixed three further vulnerabilities.

The external libraries are all connected with the way WordPress uploads files. Plupload, which WordPress currently uses for uploading media, has been updated to version 1.5.4. Plupload, which gives WordPress the ability to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, changed the way the Flash part of the library works to avoid CSRF issues.

Two other Flash related libraries were also updated: SWFUpload, which WordPress previously used for uploading media and which may still be in use by plugins, and SWFObject, which WordPress previously used to embed Flash content and which may still be in use by plugins and themes.

The other three vulnerabilities, which the WordPress core security team fixed, are:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

WordPress 3.3.2 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

Oracle Releases 88 New Security Fixes

(LiveHacking.Com) – Oracle has released a massive security update to fix 88 security vulnerabilities many of which are remote code execution issues that can be exploited without user authentication. The update affects a whole range of Oracle products including Oracle Database 10g and 11g, Oracle JDeveloper, Oracle PeopleSoft Enterprise, Solaris and MySQL.

Oracle Database
Among the patches are six security fixes for the Oracle Database Server. Three of these vulnerabilities may be remotely exploitable without authentication (meaning that they can be exploited over a network without the need for a username and password). One of these fixes is applicable to client-only installations (in other words, installations that do not have the Oracle Database Server installed).

Solaris
The Oracle update includes 15 new security fixes for the Oracle Sun Products Suite. Five of these vulnerabilities may be remotely exploitable without authentication. Eight of the fixes are for Solaris and cover Solaris 8, 9, 10 and 11. There are also fixes for the GlassFish Enterprise Server, which has two remotely exploitable vulnerabilities.

MySQL
MySQL has also been updated. There are six new security fixes but none of these vulnerabilities are remotely exploitable without authentication.

The Rest

  • 11 new security fixes for Oracle Fusion Middleware. 9 of these vulnerabilities may be remotely exploitable without authentication.
  • 6 new security fixes for Oracle Enterprise Manager Grid Control. 4 of these vulnerabilities may be remotely exploitable without authentication.
  • 4 new security fixes for the Oracle E-Business Suite. All of these vulnerabilities may be remotely exploitable without authentication.
  • 5 new security fixes for the Oracle Supply Chain Products Suite. 4 of these vulnerabilities may be remotely exploitable without authentication.
  • 15 new security fixes for Oracle PeopleSoft Products. 1 of these vulnerabilities may be remotely exploitable without authentication.
  • 2 new security fixes for Oracle Industry Applications.
  • 17 new security fixes for Oracle Financial Services Software. 1 of these vulnerabilities may be remotely exploitable without authentication.
  • 1 new security fix for the Oracle Primavera Products Suite. This vulnerability is remotely exploitable without authentication.

Apple Releases Flashback Malware Removal Tool as Another Mac Trojan is Discovered

(LiveHacking.Com) – Apple has released a malware removal tool to seek out and remove common variants of the Flashback malware. The tool will look for the malware and if it is found it presents a dialog notifying the user that malware was removed. In some cases, the user will need to restart in order to completely remove the malware. The tool can be downloaded separately for users of OS X Lion who do not have Java installed or as part of a security update.

The security update provides the removal tool for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3 and OS X Lion Server v10.7.3. It also adds functionality to automatically deactivate the Java browser plugin and Java Web Start on OS X Lion systems that have not used Java for a period of 35 days or more. The update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time, it will again disable Java applets.

Meanwhile Sophos has discovered a new piece of malware, which it is calling Sabpab, that exploits the same Java vulnerability used by Flashback. Sabpab is a backdoor Trojan which connects to a command and control server to receive commands from the attackers. Sabpab can be commanded to make screenshots of the infected Mac, upload and download files, and execute commands remotely.

It looks like the Sabpab Trojan is not as widespread as Flashback and the release of the latest Java updates should thwart its spread – as long as Mac users update promptly!

“It’s time for Mac users to wake up and smell the coffee. Mac malware is becoming a genuine issue, and cannot be ignored any longer” said Sophos on its blog.

Python Happy to put Hash Attack Issues Behind it

(LiveHacking.Com) – The Python development team have released Python 2.7.3 and 3.2.3 to fix Python’s hash based types to make them immune to denial of service attacks as disclosed at the Chaos Communication Congress event in December 2011. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java and Ruby.

The problem is that computer languages that use hash functions, including Python, are susceptible to collision attacks. To work effectively hash tables require a well-distributed hash function to spread data evenly across the table. If an attacker can choose keys that all collide, the algorithmic complexity of inserting them into a table makes it possible to exhaust hours of CPU time and cause a denial of service. Python’s two hash based types, dict and set, have been changed by adding randomization to the hashing of Python’s string types, datetime.date and datetime.datetime. This prevents an attacker from computing colliding keys of these types without access to the Python process.

According to the release announcement, “hash randomization causes the iteration order of dicts and sets to be unpredictable and differ across Python runs. Python has never guaranteed iteration order of keys in a dict or set, and applications are advised to never rely on it.”
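To make the complexity argument concrete, here is an added example (not code from the Python release or the original article): a toy chained hash table with a seedable string hash, showing the quadratic cost of inserting keys that collide under a fixed seed and how a per-process random seed removes that cost. The hash function, table and key set are constructed for the demonstration and are not Python’s real dict implementation.

```python
import secrets
from typing import List, Optional, Tuple


class ToyTable:
    """Chained hash table that counts key comparisons, so the cost of a
    collision flood is visible. Constructed for this example only."""

    def __init__(self, nbuckets: int = 64, seed: int = 0):
        self.buckets: List[List[Tuple[str, object]]] = [[] for _ in range(nbuckets)]
        self.seed = seed & 0xFFFFFFFF
        self.comparisons = 0

    def _hash(self, key: str) -> int:
        # FNV-1a over the key bytes with the seed folded into the offset basis,
        # then a murmur-style finalizer so every bit of the state (seed included)
        # influences the low bits that select the bucket.
        h = (0x811C9DC5 ^ self.seed) & 0xFFFFFFFF
        for b in key.encode():
            h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
        h ^= h >> 16
        h = (h * 0x85EBCA6B) & 0xFFFFFFFF
        h ^= h >> 13
        return h

    def bucket_of(self, key: str) -> int:
        return self._hash(key) % len(self.buckets)

    def insert(self, key: str, value: object) -> None:
        chain = self.buckets[self.bucket_of(key)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1          # one comparison per entry already in the chain
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def colliding_keys(n: int, nbuckets: int = 64) -> List[str]:
    """Keys that all land in bucket 0 when the seed is the fixed value 0.
    With a public, unseeded hash this search is done once, offline, and the
    result works against every process running that hash."""
    probe = ToyTable(nbuckets, seed=0)
    keys, i = [], 0
    while len(keys) < n:
        key = f"key{i}"
        if probe.bucket_of(key) == 0:
            keys.append(key)
        i += 1
    return keys


def insertion_cost(keys: List[str], seed: int, nbuckets: int = 64) -> int:
    """Total key comparisons needed to insert all keys into a table using `seed`."""
    table = ToyTable(nbuckets, seed=seed)
    for k in keys:
        table.insert(k, None)
    return table.comparisons


def compare_costs(n: int = 256, nbuckets: int = 64, seed: Optional[int] = None) -> Tuple[int, int]:
    """(cost with the fixed seed 0, cost with a per-process random seed) for the same keys."""
    if seed is None:
        seed = secrets.randbits(32)      # stands in for the seed Python draws at start-up
    keys = colliding_keys(n, nbuckets)
    return insertion_cost(keys, 0, nbuckets), insertion_cost(keys, seed, nbuckets)


if __name__ == "__main__":
    fixed, randomized = compare_costs()
    print(f"fixed seed: {fixed} comparisons (n*(n-1)/2); random seed: {randomized}")
```

With the fixed seed every insert walks the whole chain, so n keys cost n(n-1)/2 comparisons; under a seed the precomputed keys are scattered across buckets and the cost drops to roughly n²/(2·buckets).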

The new versions of Python also update the expat XML parsing library, which had the same hash security issue. The hashing algorithm used in the expat library is now randomized.

The update also fixes some other security related bugs:

  • Issue 14001 / CVE-2012-0845 – A denial of service flaw was found in the way the Simple XML-RPC Server module of Python processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python Simple XML-RPC based server process to consume an excessive amount of CPU.
  • Issue 13885 / CVE-2011-3389 – Disabling of the CBC IV attack countermeasure in the _ssl module.

The team also released Python 2.6.8 and Python 3.1.5 as security-fix source-only releases. 2.6 and 3.1 are now in security maintenance mode only, with no new bug fix releases planned. The Python developers intend to provide source-only security fixes for the Python 2.6 series until October 2013 (five years after the 2.6 final release) and for the Python 3.1 series until June 2014 (five years after the 3.1 final release).