

Computer science student discovers privacy flaws in security and doorbell cameras

28.5.2020  Net-Security  Vulnerability

Ring, Nest, SimpliSafe and eight other manufacturers of internet-connected doorbell and security cameras have been alerted to systemic design flaws, discovered by Florida Tech computer science student Blake Janes, that allow a shared account that appears to have been removed to actually remain in place with continued access to the video feed.

Privacy flaws in security and doorbell cameras

Janes discovered the mechanism for removing user accounts does not work as intended on many camera systems because it does not remove active user accounts. This could allow potential “malicious actors” to exploit the flaw to retain access to the camera system indefinitely, covertly recording audio and video in a substantial invasion of privacy or instances of electronic stalking.

The findings were presented in the paper, “Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices,” by Janes and two Florida Tech faculty members from the university’s top institute for cybersecurity research, L3Harris Institute for Assured Information, Terrence O’Connor, program chair of cybersecurity, and Heather Crawford, assistant professor in computer engineering and sciences.

Janes’ work informed vendors about the vulnerabilities and offered several strategies to remediate the underlying problem.
The concerns

The flaw is concerning in cases where, for example, two partners are sharing a residence and then divorce. Each has smartphone apps that access the same camera.

Person A removes Person B’s access to the camera, but that is never relayed to Person B’s device. So Person B still has access even though it has been revoked on the camera and Person A’s smartphone and the account password has been changed.

The team found that this happens largely because the decisions about whether to grant access are done in the cloud and not locally on either the camera or the smartphones involved. This approach is preferred by manufacturers because it allows for the cameras to transmit data in a way that every camera does not need to connect to every smartphone directly.
Complicated security

Additionally, manufacturers designed their systems so users would not have to repeatedly respond to access requests, which could become annoying and lead them to turn off that security check, were it in place, or abandon the camera altogether.

And the security is further complicated by the fact that the potential malicious actor does not need advanced hacking tools to achieve this invasion, as the attack is achievable from the existing companion applications of the devices.

“Our analysis identified a systemic failure in device authentication and access control schemes for shared Internet of Things ecosystems,” the paper concluded. “Our study suggests there is a long road ahead for vendors to implement the security and privacy of IoT produced content.”
Devices to check

The devices where flaws were found are: Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and TP-Link Kasa Camera.

Though fixes will originate with the manufacturers, if you have one of the aforementioned cameras, it is important to update to the current firmware. Additionally, customers concerned about their privacy after removing additional users should always change their passwords and power cycle their cameras.


Bugs in open-source libraries impact 70% of modern software
26.5.2020  Securityaffairs  Vulnerability

70 percent of the mobile and desktop applications in use today are affected by at least one security flaw that originates in an open-source library.
According to the Veracode’s annual State of Software Security report, 70 percent of mobile and desktop applications being used today have at least one security flaw that is the result of the use of an open-source library.

Experts pointed out that every library could be affected by one or more issues, which are then inherited by all the applications that use it.

According to Veracode’s annual State of Software Security report, almost any modern application includes open source libraries that implement functionality that would be extremely tedious to write from scratch.

The experts analyzed over 85,000 applications and related imported libraries, accounting for over 351,000 unique external libraries.

“The number of external libraries found in any given application varies quite a bit depending on the language in which the application is being developed.” reads the report.
The use of open-source libraries is quite common, for example most JavaScript applications contain hundreds of libraries.

“Our research found that most JavaScript applications contain hundreds of open source libraries – some have over 1,000 different libraries. In addition, most languages feature the same set of core libraries.” reads the post published by Veracode. “JavaScript and PHP in particular have several core libraries that are in just about every application.”

Most of the vulnerabilities affecting the applications analyzed by the researchers were present in the Swift, .NET, Go, and PHP open-source libraries.

“But not all flaws are equal. Some security issues are relatively exotic or difficult to exploit while others may be much more significant to their application. It’s this sorting of the zebras from the horses to which we now turn.” continues the report.

Swift, which is widely used in the Apple ecosystem, has the highest density of vulnerabilities but an overall low percentage of flawed libraries.

.NET has the lowest percentage of flawed libraries on a population that is more than 17 times larger than Swift.

Go has a high percentage of libraries with flaws; the good news is that it has an overall low number of flaws per individual library. Compared with Go, PHP has a higher rate of flawed libraries and more than double the density of flaws in a given library.

Cross-site scripting (XSS) is the most common vulnerability affecting open-source libraries; it is present in 30 percent of them. Other major issues are insecure deserialization (23.5 percent) and broken access control (20.3 percent). Insecure deserialization was a rare flaw among in-house applications.

“The report found that 70 percent of applications have a security flaw in an open source library on initial scan. Cross-Site Scripting is the most common vulnerability category found in open source libraries – present in 30 percent of libraries – followed by insecure deserialization (23.5 percent) and broken access control (20.3 percent).” continues the post.

Experts pointed out that addressing security vulnerabilities in open-source libraries is usually not so difficult.
“In the good news department, addressing the security flaws in these libraries is most often not a significant job. Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update. Major library upgrades are not usually required!” concludes the report.

“This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.”


Cisco fixed a critical issue in the Unified Contact Center Express
26.5.2020  Securityaffairs  Vulnerability

Cisco has released several security patches, including one for a critical issue, tracked as CVE-2020-3280, in the call-center software Unified Contact Center Express.
Cisco released a set of security patches, including one for a critical flaw in its call-center software Unified Contact Center Express, tracked as CVE-2020-3280.
The CVE-2020-3280 vulnerability is a remote code execution issue that resides in the Java Remote Management Interface of Unified CCX.
“A vulnerability in the Java Remote Management Interface of Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.” reads the security advisory published by Cisco.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system.”

An unauthenticated, remote attacker could exploit the issue to execute arbitrary code as the root user on a vulnerable device.

The issue could be exploited by supplying a malformed Java object to a specific listener on a vulnerable system.

Administrators should update their Unified CCX installations as soon as possible.

The good news is that Cisco is not aware of attacks in the wild that exploited the flaw.


Docker fixes Windows client bug letting programs run as SYSTEM
24.5.2020  Bleepingcomputer  Vulnerability

Docker fixed a security vulnerability in Docker for Windows that allowed attackers on the system to execute commands with the highest privileges.

The flaw received the tracking number CVE-2020-11492 and could be exploited to impersonate Docker Desktop Service, which runs with SYSTEM permissions.

Getting high permissions
Docker Desktop Service is installed with the Windows version of Docker and runs by default, standing by for the application to start and create child processes.

The service communicates with child processes via Windows named pipes, which permit the server side of a connection to impersonate the client, Ceri Coburn explains today in a blog post from Pen Test Partners.

“The impersonation functionality allows the service to drop its credentials in favour of the connecting client. When files or other various restricted operating system functionality is requested, the action is performed under the impersonated account and not the service account that the process was launched under.”

In the case of Docker, the child processes create the named pipes for inter-process communication (IPC) purposes and the Docker service would connect to them as the client, without serving them.

An attacker could use this to elevate privileges on an already compromised system with code that runs in the context of a process that has impersonation permission.

By setting up a pipe called “\\.\pipe\dockerLifecycleServer,” the only thing needed to get increased rights on the machine is for the Docker application to start and connect.

Coburn notes that when “Docker is connected, we impersonate the connecting client, which is SYSTEM, and launch a new process using the CreateProcessWithTokenW API.”

Docker addressed the problem in version 2.3.0.2, released on May 11 after receiving the initial details on March 25. The delay in releasing the fix was caused by confusion when reading the bug details.

Initially, Docker bounced the ball back saying that the problem should be addressed by Microsoft because impersonation is a feature in Windows.

However, the developer of a SYSTEM service that uses named pipes as a client should make sure that impersonation is disabled unless required.


Adobe releases critical out-of-band security update
23.5.2020  Bleepingcomputer  Vulnerability

Adobe has released an out-of-band security update for Adobe Character Animator that fixes a critical remote code execution vulnerability.

Security updates for information disclosure vulnerabilities in Adobe Premiere Pro, Adobe Audition, and Adobe Premiere Rush were also released.

Adobe typically releases its security updates on the second Tuesday of each month, known as Patch Tuesday.

In some cases, Adobe will release updates at other times if a vulnerability is discovered that is classified as Critical or is being publicly exploited.

Yesterday, Adobe released four security updates, with one of them resolving a Critical remote code execution vulnerability.

All of these vulnerabilities were discovered by Mat Powell of Trend Micro Zero Day Initiative and were not found in the wild.

"To the best of our knowledge, they were not publicly known or under active attack when the patches were released," Dustin Childs, manager at Trend Micro’s ZDI, told BleepingComputer.

While the risks of being affected are low, users should still upgrade to the latest version as soon as possible as attackers can examine the changed files to help determine what was fixed.

Below are the released Adobe security bulletins.

APSB20-25 Security update available for Adobe Character Animator
Adobe has released a security update for Character Animator that fixes a 'Critical' stack-based buffer overflow vulnerability that could lead to remote code execution.

Vulnerability Category   Vulnerability Impact       Severity   CVE Number
Buffer overflow          Arbitrary code execution   Critical   CVE-2020-9586
Users should install Character Animator 2020 3.3 to resolve these vulnerabilities.

APSB20-27 Security update available for Adobe Premiere Pro
Adobe has released a security update for Adobe Premiere Pro that resolves an out-of-bounds read vulnerability that could lead to information disclosure.

Vulnerability Category   Vulnerability Impact       Severity    CVE Number
Out-of-bounds read       Information disclosure     Important   CVE-2020-9616
This vulnerability is classified as 'Important'.

Users should install Adobe Premiere Pro 14.2 to resolve these vulnerabilities.

APSB20-28 Security update available for Adobe Audition
Adobe has released a security update for Adobe Audition that fixes an important out-of-bounds read vulnerability that could lead to information disclosure.

Vulnerability Category   Vulnerability Impact       Severity    CVE Number
Out-of-bounds read       Information disclosure     Important   CVE-2020-9618
This vulnerability is classified as 'Important'.

Users should install Adobe Audition 13.0.6 to resolve these vulnerabilities.

APSB20-29 Security update available for Adobe Premiere Rush
Adobe has released a security update for Adobe Premiere Rush that resolves an out-of-bounds read vulnerability that could lead to information disclosure.

Of these vulnerabilities, twelve are classified as 'Critical' as they allow code execution or the bypassing of security features. The rest are denial of service or information disclosure vulnerabilities and are classified as 'Important'.

Vulnerability Category   Vulnerability Impact       Severity    CVE Number
Out-of-bounds read       Information disclosure     Important   CVE-2020-9617
This vulnerability is classified as 'Important'.

Users should install Adobe Premiere Rush 1.5.12 to resolve these vulnerabilities.


Experts found a Privilege escalation issue in Docker Desktop for Windows
22.5.2020  Securityaffairs  Vulnerability

A severe privilege escalation vulnerability, tracked as CVE-2020-11492, has been addressed in the Windows Docker Desktop Service.
Cybersecurity researchers from Pen Test Partners publicly disclosed a privilege escalation vulnerability in the Windows Docker Desktop Service.

The CVE-2020-11492 issue affects the way the service uses named pipes when communicating as a client to child processes.
“Docker Desktop for Windows suffers from a privilege escalation vulnerability to SYSTEM. The core of the issue lies with the fact that the Docker Desktop Service, the primary Windows service for Docker, communicates as a client to child processes using named pipes.” reads the analysis published by Pen Test Partners.

“The high privilege Docker Desktop Service can be tricked into connecting to a named pipe that has been setup by a malicious lower privilege process. Once the connection is made, the malicious process can then impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest level privileges.”

Experts discovered that the Docker Desktop Service can be tricked by attackers into connecting to a named pipe that has been set up by a malicious lower privilege process. Then the process can impersonate the Docker Desktop Service account and execute arbitrary commands with the highest privileges.

Upon installing Docker Desktop for Windows, a service called Docker Desktop Service is installed and runs by default, waiting for the Docker Desktop application to start.

Once the Docker software is started it will create several child processes to manage several functions such as process monitoring and image creation. Windows OS uses pipes for inter-process communication (IPC).
Named pipes could allow the server side of the connection to impersonate the client account who is connecting. The impersonation functionality allows the service to drop its credentials in favour of the connecting client. Experts pointed out that when restricted operating system functionalities and files are requested, the action is performed under the impersonated account and not the service account that the process was launched under.
This specific right is dubbed “Impersonate a client after authentication,” and is assigned to specific accounts by default including admin, network service, IIS App Pool, and Microsoft SQL Server Account.

“By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.” continues the post.

“Anything started by the Service Control Manager will automatically get the impersonation privilege, no matter which account is used to start the service.”

Experts discovered that an attacker that is able to execute code under the context of a process with the above privileges, could set up a malicious pipe to compromise the software and elevate their privileges to system-level.

Experts pointed out that attackers need Administrator rights to create such a service.

“Let’s say you happen to be hosting a vulnerable IIS Web Application on the same machine as Docker for Windows,” continues the analysis. “This could be one example of a successful attack vector. The initial attack vector could utilize a vulnerability in the web application to perform code execution under the limited IIS App Pool account.”

The researchers sent the details to the Docker security team on March 25, that initially said impersonation is a Windows feature and reported the issue to Microsoft.

Experts provided a Proof-of-Concept (PoC) to Docker that finally acknowledged it on April 1.

On May 11, Docker released version 2.3.0.2 that addresses the vulnerability.

“After a few emails back and forth, then finally submitting a working PoC, Docker did agree that it was a security vulnerability and as such have now issued a fix. When the Docker service process connects to the named pipes of spawned child processes it now uses the SecurityIdentification impersonation level. This will allow the server end of the pipe to get the identity and privileges of the client but not allow impersonation.” Pen Test Partners concludes.
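As an added example for the two Docker articles above (this is not Docker's or Pen Test Partners' code), the following C# shows the client-side change the fix describes: a high-privilege service connecting to a child process's named pipe with the SecurityIdentification impersonation level instead of leaving the default in place, plus a defence-in-depth check that the pipe's server end belongs to the child the service actually spawned. The pipe name is the one quoted in the article; the expected child PID and the handshake text are assumed placeholders.

```csharp
using System;
using System.IO;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Win32.SafeHandles;

// Added example, not Docker's code: how a high-privilege Windows service should
// behave when it is the *client* of a named pipe created by one of its child
// processes. The pipe name is the one quoted on this page; the child PID and the
// "hello" handshake line are constructed placeholders.
static class PipeClientHardening
{
    const string PipeName = "dockerLifecycleServer";

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetNamedPipeServerProcessId(SafePipeHandle pipe, out uint serverProcessId);

    // Weak pattern (the behaviour the articles describe): no impersonation level is
    // requested, so Windows lets whoever holds the server end of the pipe
    // impersonate the connecting client, here the SYSTEM service itself.
    public static NamedPipeClientStream ConnectWeak()
    {
        return new NamedPipeClientStream(".", PipeName, PipeDirection.InOut);
    }

    // Hardened pattern: SecurityIdentification lets the server end read the
    // client's identity and groups but not obtain a token it can impersonate.
    // This is the impersonation level Docker adopted in the fix (2.3.0.2).
    public static NamedPipeClientStream ConnectHardened()
    {
        return new NamedPipeClientStream(
            ".", PipeName, PipeDirection.InOut, PipeOptions.None,
            TokenImpersonationLevel.Identification);
    }

    // Extra check: a service that spawned the child knows its PID, so it can refuse
    // to talk to a pipe whose server end belongs to any other process. This
    // complements, and does not replace, the restricted impersonation level.
    public static bool ServerIsExpectedChild(NamedPipeClientStream pipe, uint expectedPid)
    {
        if (!GetNamedPipeServerProcessId(pipe.SafePipeHandle, out uint serverPid))
            throw new IOException("GetNamedPipeServerProcessId failed", Marshal.GetLastWin32Error());
        return serverPid == expectedPid;
    }

    static void Main(string[] args)
    {
        // Assumed: the PID of the child the service spawned is passed on the command line.
        uint expectedPid = args.Length > 0 ? uint.Parse(args[0]) : 0;

        using (var pipe = ConnectHardened())
        {
            try
            {
                pipe.Connect(5000); // requires a server end to exist already
            }
            catch (TimeoutException)
            {
                Console.WriteLine("no server end for " + PipeName + " within 5 s");
                return;
            }

            if (expectedPid != 0 && !ServerIsExpectedChild(pipe, expectedPid))
            {
                Console.WriteLine("pipe server is not the expected child process; aborting");
                return;
            }

            using (var writer = new StreamWriter(pipe) { AutoFlush = true })
            {
                writer.WriteLine("hello"); // constructed handshake line
            }
            Console.WriteLine("connected with Identification-level impersonation");
        }
    }
}
```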


Critical Cisco Bug in Unified CCX Allows Remote Code Execution
22.5.2020  Threatpost  Vulnerability

Cisco has fixed a critical remote code-execution flaw in its popular customer interaction management solution.

Cisco has hurried out a fix for a critical remote code-execution flaw in its customer interaction management solution, Cisco Unified Contact Center Express (CCX).

Cisco’s Unified CCX software is touted as a “contact center in a box” that allows companies to deploy customer-care applications. The flaw (CVE-2020-3280), which has a CVSS score of 9.8 out of 10, stems from the Java Remote Management Interface of the product.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software,” according to Cisco, in a Wednesday security alert. “An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device.”

An unauthenticated, remote attacker could exploit this flaw to execute arbitrary code on an affected device. Those who are using Cisco Unified CCX version 12.0 and earlier are urged to update to the fixed release, 12.0(1)ES03. Version 12.5 is not vulnerable, according to Cisco.

Cisco is not aware of any public announcements or malicious use of the flaw, according to the update. The tech giant on Wednesday also released a patch addressing a high-severity flaw (CVE-2020-3272) in its Prime Network Registrar, which enables dynamic host configuration protocol (DHCP) services (as well as DNS services).

The flaw stems from insufficient input validation of incoming DHCP traffic. It exists in the DHCP server and could enable an unauthenticated, remote attacker to trigger a denial of service (DoS) attack on an affected device.

“An attacker could exploit this vulnerability by sending a crafted DHCP request to an affected device,” according to Cisco. “A successful exploit could allow the attacker to cause a restart of the DHCP server process, causing a DoS condition.”

Also fixed were several medium-severity flaws, including a SQL injection flaw in Cisco’s Prime Collaboration Provisioning Software (CVE-2020-3184), a DoS flaw in Cisco AMP for Endpoints Mac Connector Software (CVE-2020-3314) and memory buffer flaws (CVE-2020-3343, CVE-2020-3344) in Cisco AMP for Endpoints Linux Connector Software and Cisco AMP for Endpoints Mac Connector Software.

Earlier this month, Cisco also stomped out 12 high-severity vulnerabilities affecting Cisco’s Firepower Threat Defense (FTD) software, which is part of its suite of network security and traffic management products; and its Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network-security devices. The flaws can be exploited by unauthenticated remote attackers to launch an array of attacks – from denial of service (DoS) to sniffing out sensitive data.


Cisco Patches Critical Vulnerability in Contact Center Software
22.5.2020  Securityweek  Vulnerability
Cisco this week released security patches to address several vulnerabilities in its products, including a critical severity bug in its Unified Contact Center Express (Unified CCX) software.

Tracked as CVE-2020-3280 and assessed with a CVSS score of 9.8, the vulnerability could allow an attacker to execute arbitrary code on an affected device remotely.

The issue, Cisco explains in an advisory, exists because of the software’s insecure deserialization of user supplied content. An attacker could send a malicious serialized Java object to a specific listener to trigger the vulnerability and execute arbitrary code as the root user.

According to Cisco, the security flaw impacts Unified CCX releases up to 12.0, and was addressed in Unified CCX version 12.0(1)ES03. Unified CCX release 12.5 is not vulnerable.

Cisco also released a software update to address a high-severity vulnerability (CVE-2020-3272, CVSS score of 7.5) in Prime Network Registrar that could be abused by a remote, unauthenticated attacker to cause a denial of service (DoS) condition.

The issue exists because incoming DHCP traffic isn’t properly validated, thus allowing an attacker to send crafted DHCP requests to an affected device and restart the DHCP server process, denying access to it.

Prime Network Registrar releases impacted by the flaw include 8.3, 9.0, 9.1, 10.0, and 10.1. Releases prior to 8.3 are not affected.

Additionally, Cisco addressed medium risk vulnerabilities in AMP for Endpoints Mac Connector Software and AMP for Endpoints Linux Connector Software, which could be abused to cause a DoS condition (CVE-2020-3314) or cause a crash and restart of the service (CVE-2020-3343 and CVE-2020-3344).

This week, the company also detailed a medium severity bug in Prime Collaboration Provisioning Software, which could be abused for SQL injection.

Caused by improper validation of user input, the flaw could be exploited by an attacker authenticated as admin, through malicious requests sent to the affected system. Thus, the attacker could access information, make changes to the system, or delete information from the database.

Prime Collaboration Provisioning Software releases earlier than 12.6 SU2 were found impacted and Cisco says it is not aware of a workaround for this issue.

The company notes that it is not aware of public announcements or malicious use of the above vulnerabilities. Details on each bug were published on Cisco’s support website.


XSS, Open Redirect Vulnerabilities Patched in Drupal
21.5.2020  Securityweek  Vulnerability
The latest Drupal updates patch cross-site scripting (XSS) and open redirect vulnerabilities, but they have only been assigned “moderately critical” severity ratings.

Drupal 7.70 fixes an open redirect vulnerability related to “insufficient validation of the destination query parameter in the drupal_goto() function.” An attacker can exploit the flaw to redirect users to an arbitrary URL by getting them to click on a specially crafted link, Drupal said in its advisory.

Drupal 7.70 also patches a couple of potential XSS vulnerabilities that exist in the jQuery project. jQuery developers fixed the bugs in version 3.5.0 last month and Drupal has now also updated its jQuery version to prevent exploitation, which it says is possible against some Drupal websites.

The XSS vulnerabilities also affect Drupal 8.8 and 8.7 — these versions are not impacted by the open redirect issue — and they have been addressed with the release of Drupal 8.8.6 and 8.7.14.

“This Drupal security release backports the fixes to the relevant jQuery functions, without making any other changes to the jQuery version that is included in Drupal core or running on the site via some other module such as jQuery Update. It is not necessary to update jquery_update on Drupal 7 sites that have the module installed,” Drupal said.

It added, “Backwards-compatibility code has also been added to minimize regressions to Drupal sites that might rely on jQuery's prior behavior. With jQuery 3.5, incorrect self-closing HTML tags in JavaScript for elements where end tags are normally required will encounter a change in what jQuery returns or inserts. To minimize that disruption in 8.8.x and earlier, this security release retains jQuery's prior behavior for most safe tags. There may still be regressions for edge cases, including invalidly self-closed custom elements on Internet Explorer.”

This was only the second round of security updates released by Drupal in 2020. In March, the company announced fixing a couple of moderately critical XSS vulnerabilities affecting the CKEditor open source WYSIWYG editor.

Last year, they released seven rounds of security updates, including in January, February, March, April, May, July and December. While Drupal is not as targeted as WordPress, hackers have been known to exploit Drupal vulnerabilities to hijack websites.


VMware fixes CVE-2020-3956 Remote Code Execution issue in Cloud Director
21.5.2020  Securityaffairs  Vulnerability

VMware has addressed a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, that affects its Cloud Director product.
VMware has patched a high-severity remote code execution vulnerability, tracked as CVE-2020-3956, in its Cloud Director product.

The vulnerability is a code injection issue that could be exploited by an authenticated attacker to send malicious traffic to Cloud Director, which could allow executing arbitrary code.

“A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.” reads the security advisory published by VMware.

“An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.”
According to the company, the vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

The vulnerability impacts VMware Cloud Director 10.0.x, 9.7.x and 9.5.x on Linux and Photon OS appliances, and version 9.1.x on Linux. Versions 8.x, 9.0.x and 10.1.0 are not affected.

VMware vCloud Director 9.1.0.4, 9.5.0.6, 9.7.0.5 and 10.0.0.2 address the issue. VMware has also released a workaround to mitigate the risk of attacks exploiting the issue.
The vulnerability was discovered by Tomáš Melicher and Lukáš Václavík of Citadelo.

A couple of weeks ago, VMware addressed vulnerabilities impacting the vRealize Operations Manager (vROps) product, including two recently disclosed Salt issues.

Earlier this month, VMware addressed a critical information disclosure flaw, tracked as CVE-2020-3952, that could be exploited by attackers to compromise vCenter Server or other services that use the Directory Service (vmdir) for authentication.

The CVE-2020-3952 vulnerability received a CVSSv3 score of 10; it resides in vCenter Server version 6.7 on Windows and virtual appliances.


Adobe fixed several memory corruption issues in some of its products
21.5.2020  Securityaffairs  Vulnerability

Adobe addressed multiple memory corruption vulnerabilities, including one that allows arbitrary code execution, in several of its products.
Adobe addressed multiple memory corruption vulnerabilities in several of its products, including an arbitrary code execution flaw.

The issues affect Character Animator, Premiere Rush, Premiere Pro, and Audition; they were reported to Adobe by researcher Mat Powell of Trend Micro’s Zero Day Initiative (ZDI).

APSB20-29: Security update available for Adobe Premiere Rush (posted 05/19/2020, updated 05/19/2020)
APSB20-28: Security update available for Adobe Audition (posted 05/19/2020, updated 05/19/2020)
APSB20-27: Security update available for Adobe Premiere Pro (posted 05/19/2020, updated 05/19/2020)
APSB20-25: Security update available for Adobe Character Animator (posted 05/19/2020, updated 05/19/2020)
The most serious flaw, tracked as CVE-2020-9586, is a critical stack-based buffer overflow affecting the Windows and macOS versions of Adobe’s Character Animator product.

The vulnerability could be exploited by a remote attacker to execute arbitrary code.

“Adobe has released an update for Adobe Character Animator for Windows and macOS. This update resolves a stack-based buffer overflow vulnerability that could lead to remote code execution.” reads the advisory published by Adobe.
Adobe has also addressed an out-of-bounds read vulnerability in Adobe Premiere Rush for Windows and macOS that could lead to information disclosure.

The IT giant has released security updates for Adobe Premiere Pro for Windows and macOS that addressed an out-of-bounds read vulnerability that could lead to information disclosure.

The last issue addressed by Adobe is a stack-based buffer overflow vulnerability in Adobe Character Animator for Windows and macOS that could lead to remote code execution.

The good news is that Adobe is not aware of attacks in the wild that exploited the above vulnerabilities and assigned them a priority rating of 3 because they are unlikely to ever be exploited.

At the beginning of this month Adobe released security updates to address 36 vulnerabilities in Adobe Acrobat, Reader, and Adobe DNG Software Development Kit.


Vulnerabilities Exposed Hundreds of Thousands of QNAP NAS Devices to Attacks
21.5.2020  Securityweek  Vulnerability
Three vulnerabilities identified in QNAP Photo Station last year could be chained to achieve pre-authentication remote code execution on affected QNAP network-attached storage (NAS) devices.

QNAP Photo Station is a photo album application that is present on the majority (roughly 80%) of QNAP NAS systems, allowing users to easily organize photos and videos on those devices, as well as to share them with others over the Internet.

Last year, CyCarrier CSIRT security researcher Henry Huang identified four critical vulnerabilities in QNAP software, three of which can be chained together to execute code remotely on the impacted systems, with root privileges.

The three bugs in Photo Station are tracked as CVE-2019-7192, CVE-2019-7194, and CVE-2019-7195, while the fourth impacts the QTS NAS operating system and is tracked as CVE-2019-7193. Each of the four vulnerabilities carries a CVSS score of 9.8.

All QNAP NAS devices with Photo Station on them would be impacted by these issues, thus being exposed to attacks, Huang explains. At the time of discovery, there were an estimated 450,000 vulnerable QNAP NAS systems connected to the Internet, the researcher says.

The first of the vulnerabilities could allow attackers to read files on the server without authentication. The attacker could abuse this bug to read a file containing a login token, which can then be leveraged to authenticate as a valid user named appuser.

Next, the attacker can proceed to exploit the second vulnerability, which allows them to inject arbitrary PHP code into the session.

The third vulnerability, the researcher explains, allows the attacker to write session contents to the server, without authentication.

Thus, an attacker could chain the three security flaws to authenticate as appuser, inject code into the PHP session, and write the modified session to Photo Station’s web directory to make a webshell.

The web server runs as root and the first bug provides access to the text file storing encrypted passwords and other password-related information, readable only by the root user, the researcher explains.

The security researcher decided not to disclose details about the fourth vulnerability he found, arguing that the other three flaws are enough for hacking a NAS device.

QNAP issued patches for these vulnerabilities in November last year, confirming that multiple versions of QTS and Photo Station are impacted.

All QNAP NAS devices running Photo Station that do not run the latest versions of QTS and Photo Station are exposed to attacks looking to exploit these vulnerabilities.


Remote Code Execution Vulnerability Patched in VMware Cloud Director
21.5.2020  Securityweek  Vulnerebility
VMware informed customers on Tuesday that it has patched a high-severity remote code execution vulnerability in its Cloud Director product.

The vulnerability, tracked as CVE-2020-3956, has been described as a code injection issue that allows an authenticated attacker to send malicious traffic to Cloud Director, which could result in arbitrary code execution.

“This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access,” VMware said in its advisory.

The security flaw impacts VMware Cloud Director 10.0.x, 9.7.x and 9.5.x on Linux and Photon OS appliances, and version 9.1.x on Linux. Versions 8.x, 9.0.x and 10.1.0 are not affected.

VMware has released updates that should patch the vulnerability, as well as a workaround that users can apply to prevent attacks.

Tomáš Melicher and Lukáš Václavík of Citadelo have been credited for reporting the issue to VMware.

Earlier this month, VMware released patches for vRealize Operations Application Remote Collector (ARC) to address a couple of recently disclosed Salt vulnerabilities that have already been exploited to hack organizations.

In April, the virtualization giant patched a critical vulnerability that can be exploited by hackers to compromise vCenter Server or other services. Researchers disclosed details about the flaw a few days later.


Researchers disclose five Microsoft Windows zero-days
20.5.2020  Securityaffairs  Vulnerebility

Security experts have disclosed five unpatched vulnerabilities in Microsoft Windows, four of which rated as high-risk severity.
Security experts from Trend Micro’s Zero Day Initiative (ZDI) have published information on five unpatched vulnerabilities in Microsoft Windows.

Four vulnerabilities are classified as high-risk severity; three of them are zero-day vulnerabilities tracked as CVE-2020-0916, CVE-2020-0986, and CVE-2020-0915. The flaws could allow an attacker to escalate privileges on the affected system and received a CVSS score of 7.0.
The vulnerabilities reside in the user-mode printer driver host process splwow64.exe and are caused by the lack of validation of user-supplied input before it is dereferenced as a pointer.

The fourth issue, which also affects the user-mode printer driver host process splwow64.exe and is tracked as CVE-2020-0915, is a low-severity information disclosure vulnerability.

The issue is caused by the lack of validation of a user-supplied value before being dereferenced as a pointer.

ZDI reported the issues to Microsoft in December 2019, but the tech giant did not address them in the May 2020 Patch Tuesday.

The last zero-day vulnerability disclosed by Trend Micro’s Zero Day Initiative (ZDI) is a privilege escalation vulnerability in the handling of WLAN connection profiles.

“This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the advisory published by Trend Micro.

“The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity.”


Three flaws in Nitro Pro PDF reader expose businesses to hack
20.5.2020  Securityaffairs  Vulnerebility

Two vulnerabilities in the Nitro Pro PDF editor could be exploited by threat actors to execute code remotely on vulnerable hosts.
Security experts from Cisco Talos have discovered three vulnerabilities in the Nitro Pro PDF editor, two of which, rated as critical (CVSS score of 8.8), could be exploited by attackers for remote code execution.

Nitro Pro is a PDF application designed for creating, reading, editing, signing, converting, and protecting PDFs. The software is part of Nitro Software’s suite of enterprise tools, used by tens of thousands of organizations.

The first issue, tracked as CVE-2020-6074, is a nested pages remote code execution vulnerability that resides in the PDF parser of Nitro Pro. An attacker could exploit the vulnerability by tricking a victim into opening a specially crafted PDF that triggers a use-after-free condition.
“An exploitable code execution vulnerability exists in the PDF parser of Nitro Pro 13.9.1.155. A specially crafted PDF document can cause a use-after-free which can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.” reads the advisory published by the company.
The second vulnerability, tracked as CVE-2020-6092, is an object code execution vulnerability that resides in the way Nitro Pro 13.9.1.155 parses Pattern objects. An attacker could exploit the flaw by tricking a victim into opening a specially crafted PDF that triggers an integer overflow, leading to remote code execution.

“An exploitable code execution vulnerability exists in the way Nitro Pro 13.9.1.155 parses Pattern objects. A specially crafted PDF file can trigger an integer overflow that can lead to arbitrary code execution. A victim must open a malicious file to trigger this vulnerability” continues the advisory.

The third flaw, tracked as CVE-2020-6093 and carrying a CVSS score of 6.5, is a JavaScript XML error handling information disclosure vulnerability.

It exists in the way version 13.9.1.155 handles XML errors and could be exploited by tricking a victim into opening a specially crafted PDF document that causes uninitialized memory access and consequent information disclosure.

In early May, the software vendor released a security update that addresses the above vulnerabilities.


Researcher Finds Memory Corruption Vulnerabilities in Several Adobe Products
20.5.2020  Securityweek  Vulnerebility
Adobe informed customers on Tuesday that it has patched memory corruption vulnerabilities, including one that allows arbitrary code execution, in several of its products.

All of the security flaws were reported to Adobe by researcher Mat Powell of Trend Micro’s Zero Day Initiative (ZDI). Powell found the vulnerabilities in Character Animator, Premiere Rush, Premiere Pro, and Audition.

The most serious of the vulnerabilities is CVE-2020-9586, a critical stack-based buffer overflow affecting the Windows and macOS versions of Adobe’s Character Animator motion capture animation software. The flaw can allow a remote attacker to execute arbitrary code.

In the Windows and Mac versions of the Adobe Premiere Rush and Premiere Pro video editing solutions, and in the Audition audio recording and editing software, Powell discovered out-of-bounds read vulnerabilities that could result in information disclosure. Each product is affected by one security bug.

Adobe says it has found no evidence that any of these vulnerabilities has been exploited in malicious attacks. Furthermore, the company has assigned them a priority rating of 3, which indicates that they are unlikely to ever be exploited.

ZDI has yet to publish its own advisories for these vulnerabilities, but the company will likely do so in the upcoming period.

Earlier this month, Adobe announced patching 36 vulnerabilities in Acrobat and Reader products and the DNG software development kit (SDK).


Vulnerability in Qmail mail transport agent allows RCE

20.5.2020  Net-security  Vulnerebility

Qualys researchers have found a way to exploit a previously known (and very old) vulnerability in Qmail, a secure mail transport agent, to achieve both remote code execution (RCE) and local code execution.

The Qmail RCE flaw and other vulnerabilities

In 2005, security researcher Georgi Guninski unearthed three vulnerabilities in Qmail, which – due to its simplicity, mutually untrusting modules and other specific development choices made by its creator Daniel J. Bernstein – is still widely regarded as one of the most secure pieces of software out there.

At the time Bernstein pointed out that the vulnerabilities (CVE-2005-1513, CVE-2005-1514, CVE-2005-1515) could not be exploited in a default Qmail installation as “the memory consumption of each qmail-smtpd process is severely limited by default”, so they were never addressed.

But Qualys researchers recently decided to audit the security of the software again, and discovered that the three vulnerabilities also affect the qmail-local process, which is reachable remotely and is not memory-limited by default, ergo the flaws can be exploited.

“We investigated many qmail packages, and *all* of them limit qmail-smtpd’s memory, but *none* of them limits qmail-local’s memory,” they added.

“As a proof of concept, we developed a reliable, local and remote exploit [for CVE-2005-1513] against Debian’s qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory).”

They said they will publish their PoC exploit in the near future.

They’ve also unearthed two vulnerabilities in qmail-verify, a third-party qmail patch that is not part of Qmail but is included in Debian’s qmail package and other Qmail forks: a mail-address verification bypass (CVE-2020-3811) and a local information disclosure bug (CVE-2020-3812).
What now?

Bernstein stopped developing Qmail in 1998. The last stable release of the software is v1.03.

Since then, it has been forked (s/qmail, netqmail, notqmail) and “patched” (third-party “patches” added new features to it), and implemented in third-party platforms.

Bernstein told Qualys that he runs each qmail service with a low memory limit and recommends the same for other installations. This limit can be configured in the startup scripts of all qmail services and foils the exploitation of all the flaws discovered in 2005 by Guninski.

Qualys wrote a patch for Debian’s qmail package that fixes the qmail-verify issues and all three 2005 CVEs in Qmail – the latter by hard-coding a safe, upper memory limit in the alloc() function.
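To make the memory-limit fix concrete, here is an added C example (not qmail's code and not Qualys's patch) contrasting the unchecked length arithmetic behind the 2005 overflows with a checked version and a capped allocation wrapper of the kind the advisory describes. The 1 GiB ALLOC_LIMIT is an assumed value; the page does not say what limit Qualys hard-coded.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Upper bound on a single allocation. ASSUMED value for this example; the
 * page does not state the limit Qualys hard-coded in qmail's alloc(). */
#define ALLOC_LIMIT ((size_t)1 << 30)   /* 1 GiB */

/* Unchecked growth of a buffer length, the pattern behind the 2005 bugs:
 * the sum is computed first and the allocation sized from it afterwards,
 * so a huge `extra` wraps to a small value and the later copy overruns
 * the buffer. Kept unsigned so the wrap is defined behaviour here. */
unsigned int unchecked_grow(unsigned int len, unsigned int extra)
{
    return len + extra;             /* wraps silently past UINT_MAX */
}

/* Checked growth: refuse the request when the sum would wrap or exceed
 * the cap. Returns the new length, or 0 on refusal (0 is never a valid
 * grown length, so callers can test the result directly). */
size_t checked_grow(size_t len, size_t extra)
{
    if (extra > SIZE_MAX - len)     /* len + extra would wrap */
        return 0;
    if (len + extra > ALLOC_LIMIT)  /* larger than any legitimate buffer */
        return 0;
    return len + extra;
}

/* Capped allocation wrapper: fails closed on oversized requests before
 * malloc() is ever called, so a process that no startup script limits
 * (as the advisory says of qmail-local) still cannot be driven into
 * multi-gigabyte allocations. */
void *capped_alloc(size_t n)
{
    if (n == 0 || n > ALLOC_LIMIT)
        return NULL;
    return malloc(n);
}

/* The same policy as a pure predicate, convenient for tests. */
bool alloc_request_ok(size_t n)
{
    return n != 0 && n <= ALLOC_LIMIT;
}
```

Capping inside the allocator matters because, as the article notes, the startup-script memory limit protects only the processes it is applied to; a cap in alloc() holds for every caller, qmail-local included.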

An updated version (v1.50) of qmail-verify with the issues fixed is available for download and, according to Qualys, “the developers of notqmail have written their own patches for the three 2005 CVEs and have started to systematically fix all integer overflows and signedness errors in qmail.”


Adobe Patches Critical RCE Flaw in Character Animator App
20.5.2020  Threatpost  Vulnerebility

A critical remote code execution flaw in Adobe Character Animator was fixed in an out-of-band Tuesday patch.

Adobe has issued an out-of-band patch for a critical flaw in Adobe Character Animator, its application for creating live motion-capture animation videos. The flaw can be exploited by a remote attacker to execute code on affected systems.

The flaw (CVE-2020-9586) is found in versions 3.2 and earlier and exists within the parsing of the BoundingBox element in PostScript. Specifically, it stems from a stack-based buffer overflow: the parser lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer.
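As an added illustration of this bug class (example code written for this page, not Adobe's parser): a parser for a PostScript %%BoundingBox DSC comment that measures each numeric token and rejects oversized input before anything is copied into a fixed-size stack buffer, which is the length validation the advisory says was missing. BBOX_TOKEN_MAX and the exact comment syntax accepted are assumptions of the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Largest numeric token accepted, including the terminating NUL.
 * An assumed limit for the example; real parsers choose their own. */
#define BBOX_TOKEN_MAX 16

typedef struct { long v[4]; } bbox_t;   /* llx, lly, urx, ury */

/* The pattern the advisory describes, shown only for contrast and never
 * called here: the token length is not checked before the copy, so a
 * long token overruns `tok` on the stack.
 *
 *     char tok[BBOX_TOKEN_MAX];
 *     strcpy(tok, token);      // no length validation
 */

/* Parse "%%BoundingBox: llx lly urx ury". Returns 0 on success, -1 on any
 * malformed, missing, or oversized field. */
int parse_bbox(const char *line, bbox_t *out)
{
    static const char prefix[] = "%%BoundingBox:";
    size_t plen = sizeof(prefix) - 1;

    if (strncmp(line, prefix, plen) != 0)
        return -1;
    const char *p = line + plen;

    for (int i = 0; i < 4; i++) {
        while (*p == ' ' || *p == '\t')
            p++;
        /* Measure the token ([-0-9]*) before touching any buffer. */
        size_t n = 0;
        while (p[n] == '-' || (p[n] >= '0' && p[n] <= '9'))
            n++;
        if (n == 0 || n >= BBOX_TOKEN_MAX)   /* empty, or too long to fit */
            return -1;

        char tok[BBOX_TOKEN_MAX];
        memcpy(tok, p, n);                   /* n < BBOX_TOKEN_MAX, so it fits */
        tok[n] = '\0';

        char *end;
        errno = 0;
        long val = strtol(tok, &end, 10);
        if (errno != 0 || *end != '\0')      /* out of range, or junk like "--5" */
            return -1;
        out->v[i] = val;
        p += n;
    }
    /* Only whitespace may follow the fourth number. */
    while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
        p++;
    return *p == '\0' ? 0 : -1;
}

/* Convenience wrappers so a line can be checked without a struct. */
int bbox_valid(const char *line)
{
    bbox_t b;
    return parse_bbox(line, &b) == 0;
}

long bbox_field(const char *line, int idx)   /* idx 0..3; LONG_MIN on error */
{
    bbox_t b;
    if (idx < 0 || idx > 3 || parse_bbox(line, &b) != 0)
        return LONG_MIN;
    return b.v[idx];
}
```

The essential move is measuring the token before the copy and failing closed when it cannot fit; everything after that (strtol range checks, trailing-garbage rejection) is ordinary input hygiene.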

“Of the bugs fixed today, CVE-2020-9586 stands out as it could [allow] code execution if a user opens a malicious file or visits a malicious web page,” Dustin Childs, manager at Trend Micro’s Zero Day Initiative, told Threatpost. “An attacker can leverage this vulnerability to execute code in the context of the current process.”

Users are urged to update to version 3.3 for Windows and macOS. While the flaw is critical, the security bulletin is a Priority 3 update, which according to Adobe resolves vulnerabilities in a product that has historically not been a target for attackers. “Adobe recommends administrators install the update at their discretion,” according to the update.

Adobe on Tuesday also issued several updates addressing other flaws. While these other vulnerabilities are “important” in severity, they would all need to be combined with additional bugs to gain code execution, Childs told Threatpost.

One such flaw exists in Adobe Premiere Rush, its video editing software for online video creators. The software has an out-of-bounds read vulnerability (CVE-2020-9617) that could lead to information disclosure. Users are urged to update to Adobe Premiere Rush version 1.5.12 for Windows and macOS.

Another “important”-severity flaw exists in Adobe Premiere Pro, another version of Adobe’s video editing software that is more advanced than Adobe Premiere Rush (which is instead more targeted toward YouTubers and social media creators). Like Premiere Rush, Premiere Pro has an out-of-bounds read flaw (CVE-2020-9616) that could lead to information disclosure. Users can update to version 14.2 for Windows and macOS.

Finally, Adobe stomped out a flaw in Audition, which is its toolset offering for creating and editing audio content. The out-of-bounds read flaw (CVE-2020-9618) can enable information disclosure if exploited. A patch is available in Audition 13.0.6 for Windows and macOS.

For all of these flaws, “Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates,” according to the alert. Mat Powell with ZDI was credited with discovering these flaws.

The unscheduled patches come a week after Adobe’s regularly-scheduled updates, which fixed 16 critical flaws across its Acrobat and Reader applications and its Adobe Digital Negative (DNG) Software Development Kit – and addressed 36 CVEs overall.


Nitro Pro Vulnerabilities Expose Many Enterprises to Attacks
20.5.2020  Securityweek  Vulnerebility
Two recently addressed vulnerabilities in the Nitro Pro PDF editor could be exploited by malicious actors to execute code remotely on affected hosts, according to Cisco’s Talos threat intelligence and research group.

Nitro Pro is a piece of software designed for reading, editing, signing, and saving PDF files. It is part of Nitro Software’s suite of enterprise tools, which the company claims to be helping more than 10,000 organizations boost productivity.

Security researchers with Cisco Talos identified three vulnerabilities in the PDF application, two of which could be exploited for remote code execution, both featuring a CVSS score of 8.8.

Tracked as CVE-2020-6074, the first of these flaws was identified in the PDF parser of Nitro Pro. An attacker looking to exploit the bug needs to provide the victim with a specially crafted PDF to trigger a use-after-free and achieve code execution.

The second security issue is tracked as CVE-2020-6092 and resides in the manner in which Nitro Pro parses Pattern objects. An attacker needs to craft a PDF file and lure the victim into opening it to trigger an integer overflow and then achieve remote code execution.

Cisco’s security researchers also identified an information disclosure vulnerability in the application. Tracked as CVE-2020-6093 and carrying a CVSS score of 6.5, the bug is related to the way Nitro Pro does XML error handling.

To exploit the flaw, an adversary would need to deliver a specially crafted PDF document to the victim and entice them into opening the file. This would cause uninitialized memory access that could be exploited to leak information.

All three vulnerabilities were found in Nitro Pro version 13.9.1.155 and were reported to the vendor in February. A security update to address these issues was released in early May and users are advised to install it to remain protected.


Researchers Divulge Details on Five Windows Zero Days
20.5.2020  Securityweek  Vulnerebility
Zero Day Initiative Researchers Publish Five Windows Zero Days

Security researchers working with Trend Micro’s Zero Day Initiative (ZDI) have published information on five unpatched vulnerabilities in Microsoft Windows, including four considered high risk.

Tracked as CVE-2020-0916, CVE-2020-0986, and CVE-2020-0915, and featuring a CVSS score of 7.0, the first three of these zero-day vulnerabilities could allow an attacker to escalate privileges on the affected system.

The security flaws were identified in the user-mode printer driver host process splwow64.exe, and exist because user-supplied input isn’t properly validated before being dereferenced as a pointer.

Adversaries looking to exploit these security flaws would first need to gain low privilege access to the system. Successful exploitation would allow them to execute code in the context of the current user at medium integrity.

The same user-mode printer driver host process splwow64.exe was also found vulnerable to a low severity information disclosure bug. Tracked as CVE-2020-0915 and featuring a CVSS score of 2.5, the issue results from the same lack of validation of a user-supplied value before being dereferenced as a pointer.

Microsoft was informed of the existence of these vulnerabilities in December 2019 and was aiming to release a patch on May 2020 Patch Tuesday, but missed the deadline. Only beta fixes were provided to the security researchers, for testing.

Also featuring a CVSS score of 7.0 and allowing attackers to escalate privileges is a vulnerability in the handling of WLAN connection profiles that has no CVE identifier.

“By creating a malicious profile, an attacker can disclose credentials for the machine account. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of an administrator,” ZDI explains.

The security researchers also revealed that Microsoft was informed of the vulnerability in January, but said that a patch won’t be released for the issue.


Bluetooth Vulnerability Allows Attackers to Impersonate Previously Paired Devices
20.5.2020  Securityweek  Vulnerebility
A vulnerability related to pairing in Bluetooth Basic Rate / Enhanced Data Rate (BR/EDR) connections could be exploited to impersonate a previously paired device, researchers have discovered.

The security flaw allows an attacker within Bluetooth range of an affected device to spoof the Bluetooth address of a previously bonded remote device, thus successfully authenticating without knowing the link key normally used for establishing an encrypted connection.

“It is possible for an unauthenticated, adjacent attacker to impersonate a previously paired/bonded device and successfully authenticate without knowing the link key. This could allow an attacker to gain full access to the paired device by performing a Bluetooth Impersonation Attack (BIAS),” a CERT Coordination Center (CERT/CC) alert reads.

In a statement published on this vulnerability, the Bluetooth Special Interest Group (SIG) explains that the attacks allow hackers to “negotiate a reduced encryption key strength” if the device is still vulnerable to the KNOB (Key Negotiation of Bluetooth) attack disclosed last year.

The attacker could attempt to brute-force the encryption key and spoof the remote paired device. If the attack is not successful, the encrypted link is not established, but the attacker may still appear authenticated to the host.

For the attack to be successful, the attacker needs to know the Bluetooth address of the remote device to which the target was previously paired. Tracked as CVE-2020-10135, the vulnerability has a CVSS score of 4.8.

The vulnerability can be exploited in two manners, depending on the Secure Simple Pairing method (Legacy Secure Connections or Secure Connections) used to establish the previous connection with the remote device.

The first method allows the attacker to downgrade the authentication security and proceed with the BIAS method. If they can downgrade authentication or the device does not support Secure Connections, the attacker can initiate a master-slave role switch to become the authentication initiator.

“If successful, they complete the authentication with the remote device. If the remote device does not then mutually authenticate with the attacker in the master role, it will result in the authentication-complete notification on both devices, even though the attacker does not possess the link key,” the CERT/CC alert reads.

To mitigate the issue, vendors are advised to ensure that the encryption key length cannot be reduced below 7 octets and that hosts initiate mutual authentication or support Secure Connections Only mode when this is possible. Moreover, they should ensure that an encrypted link is required for the Bluetooth authentication to be used to independently signal a change in device trust.

“To remedy this vulnerability, the Bluetooth SIG is updating the Bluetooth Core Specification to clarify when role switches are permitted, to require mutual authentication in legacy authentication and to recommend checks for encryption-type to avoid a downgrade of secure connections to legacy encryption,” Bluetooth SIG notes.


New Bluetooth Vulnerability Exposes Billions of Devices to Hackers
19.5.2020  Thehackernews  Vulnerebility
Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion modern devices to hackers.
The attacks, dubbed Bluetooth Impersonation AttackS or BIAS, concern Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices.
"The Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment," the researchers outlined in the paper. "Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade."
Given the widespread impact of the vulnerability, the researchers said they responsibly disclosed the findings to the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards in December 2019.
The Bluetooth SIG acknowledged the flaw, adding it has made changes to resolve the vulnerability. "These changes will be introduced into a future specification revision," the SIG said.
The BIAS Attack
For BIAS to be successful, an attacking device would need to be within the wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR connection with another Bluetooth device whose address is known to the attacker.
The flaw stems from how two previously paired devices handle the long term key, also known as link key, that's used to mutually authenticate the devices and activate a secure connection between them.
The link key also ensures that users don't have to pair their devices every time a data transfer occurs between, say, a wireless headset and a phone, or between two laptops.
The attacker, then, can exploit the bug to request a connection to a vulnerable device by forging the other end's Bluetooth address, and vice versa, thus spoofing the identity and gaining full access to another device without actually possessing the long term pairing key that was used to establish a connection.
Put differently, the attack allows a bad actor to impersonate the address of a device previously paired with the target device.
What's more, BIAS can be combined with other attacks, including the KNOB (Key Negotiation of Bluetooth) attack, which occurs when a third party forces two or more victims to agree on an encryption key with reduced entropy, thus allowing the attacker to brute-force the encryption key and use it to decrypt communications.
Devices Not Updated Since December 2019 Affected
With most standard-compliant Bluetooth devices impacted by the vulnerability, the researchers said they tested the attack against as many as 30 devices, including smartphones, tablets, laptops, headphones, and single-board computers such as Raspberry Pi. All the devices were found to be vulnerable to BIAS attacks.
The Bluetooth SIG said it's updating the Bluetooth Core Specification to "avoid a downgrade of secure connections to legacy encryption," which lets the attacker initiate "a master-slave role switch to place itself into the master role and become the authentication initiator."
In addition to urging companies to apply the necessary patches, the organization is recommending Bluetooth users to install the latest updates from the device and operating system manufacturers.
"The BIAS attacks are the first uncovering issues related to Bluetooth's secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades," the research team concluded. "The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction."
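The authentication weakness that both Bluetooth write-ups above describe, reduced to an added toy model in C (example code, not the Bluetooth stack or the researchers' tooling): a device that answers its peer's challenge and, under legacy one-way authentication, treats the link as authenticated without ever challenging the peer back, versus the same exchange with mutual authentication required. e1_standin is an assumed stand-in for Bluetooth's E1 function, not the real algorithm, and scenario() constructs the devices and the shared link key.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_LEN 6
#define KEY_LEN  16
#define CHAL_LEN 16

typedef struct {
    uint8_t addr[ADDR_LEN];
    bool    has_key;               /* false: this party never learned the link key */
    uint8_t link_key[KEY_LEN];
} device_t;

/* Stand-in for Bluetooth's E1: mixes link key, challenge and claimant
 * address into a 64-bit tag. ASSUMPTION: an FNV-1a toy, not the real E1
 * and not cryptographically secure; it only has to be unguessable here. */
static uint64_t e1_standin(const uint8_t *key, const uint8_t *chal, const uint8_t *addr)
{
    const uint8_t *parts[3] = { key, chal, addr };
    const size_t   lens[3]  = { KEY_LEN, CHAL_LEN, ADDR_LEN };
    uint64_t h = 1469598103934665603ULL;
    for (int p = 0; p < 3; p++)
        for (size_t i = 0; i < lens[p]; i++) {
            h ^= parts[p][i];
            h *= 1099511628211ULL;
        }
    return h;
}

static void fresh_challenge(uint8_t *chal)
{
    for (size_t i = 0; i < CHAL_LEN; i++)
        chal[i] = (uint8_t)rand();
}

/* Claimant side: a party without the key can only guess. */
static uint64_t respond(const device_t *d, const uint8_t *chal)
{
    if (!d->has_key)
        return ((uint64_t)rand() << 32) ^ (uint64_t)rand();
    return e1_standin(d->link_key, chal, d->addr);
}

/* Verifier side: recompute for the address the peer claims and compare. */
static bool verify(const device_t *v, const uint8_t *claimed_addr,
                   const uint8_t *chal, uint64_t resp)
{
    return v->has_key && e1_standin(v->link_key, chal, claimed_addr) == resp;
}

/* Does `victim` end up treating `peer` as authenticated? peer_is_verifier
 * models the role switch that makes the peer the authentication initiator;
 * require_mutual is the mitigation the Bluetooth SIG is adding. */
bool peer_authenticated(const device_t *victim, const device_t *peer,
                        bool peer_is_verifier, bool require_mutual)
{
    uint8_t chal[CHAL_LEN];
    if (!peer_is_verifier) {
        fresh_challenge(chal);
        return verify(victim, peer->addr, chal, respond(peer, chal));
    }
    /* The peer initiates and the victim answers. Under legacy one-way
     * authentication the victim then reports "authentication complete"
     * although it has checked nothing about the peer. */
    fresh_challenge(chal);
    (void)respond(victim, chal);
    if (!require_mutual)
        return true;
    /* Mutual authentication: the victim challenges back. */
    fresh_challenge(chal);
    return verify(victim, peer->addr, chal, respond(peer, chal));
}

/* Constructed scenario: A and B share a link key; X presents B's address
 * but holds no key. Returns whether A accepts its peer as authenticated. */
bool scenario(bool peer_is_impostor, bool peer_is_verifier, bool require_mutual)
{
    static const uint8_t key[KEY_LEN] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                                          0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00 };
    device_t a = { { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa }, true,  { 0 } };
    device_t b = { { 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb }, true,  { 0 } };
    device_t x = { { 0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb }, false, { 0 } };
    memcpy(a.link_key, key, KEY_LEN);
    memcpy(b.link_key, key, KEY_LEN);
    return peer_authenticated(&a, peer_is_impostor ? &x : &b,
                              peer_is_verifier, require_mutual);
}
```

The model makes the mitigation list from the CERT/CC alert readable as code: whoever ends up in the verifier role, the victim must itself challenge the peer before it reports the link authenticated, and an address alone proves nothing.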


Stored XSS in WP Product Review Lite plugin allows for automated takeovers
18.5.2020  Securityaffairs  Vulnerebility

A critical flaw in the WP Product Review Lite plugin, installed on over 40,000 WordPress sites, could potentially allow their takeover.
Attackers could exploit a critical vulnerability in the WP Product Review Lite WordPress plugin to inject malicious code and potentially take over vulnerable websites.

The WP Product Review Lite plugin allows site owners to quickly create custom review articles using pre-defined templates; it is currently installed on over 40,000 WordPress sites.

The vulnerability was discovered by researchers at Sucuri Labs; it is a persistent XSS that could be exploited by remote, unauthenticated attackers.

“During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.” reads the analysis published by Sucuri.

“All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products.”

Attackers can bypass the WordPress user input data sanitization function to exploit the Stored Cross-Site Scripting (Stored XSS) issue. Upon triggering the flaw, the attackers could inject malicious scripts in all the products stored in the database of the targeted website.

An attacker could trick a site admin into accessing the compromised products, then they could redirect them to a rogue site, or steal the session cookies to authenticate on behalf of the administrator.

Once the attacker has authenticated as an admin, they could add a new admin account to take over the site.

Researchers at the Sucuri Labs revealed that they are not aware of any attacks in the wild exploiting the flaw.

Experts recommend that site administrators update the plugin to version 3.7.6 as soon as possible, because unauthenticated attacks can be automated.
“Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites,” Sucuri Labs conclude.

“The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.”

The vulnerability was reported to the plugin developers on May 13, and it was fixed in only 24 hours, on May 14, 2020.

At the time of writing, more than 7,000 users have already updated their WP Product Review Lite plugin, which means that more than 32,000 sites have yet to do so.


Hackers Can Inject Code Into WordPress Sites via Flaw in Product Review Plugin
18.5.2020  Securityweek  Vulnerebility
A vulnerability addressed recently in the WP Product Review Lite plugin for WordPress could be abused by unauthenticated attackers to hack websites.

WP Product Review Lite is designed for creating product reviews on WordPress websites. It supports the creation of a top products review widget and also allows monetization through the addition of a “buy now” button in posts. The plugin has more than 40,000 installations.

Last week, the team of developers behind the plugin addressed an unauthenticated persistent Cross-Site Scripting (XSS) vulnerability that could have been exploited to inject code into all of a website’s product pages.

The issue, Sucuri security researchers explain, is that, although all user input data is sanitized, one of the employed WordPress functions can be bypassed if the attacker sets a parameter inside an HTML attribute.

“A successful attack results in malicious scripts being injected in all the site’s products,” the researchers explain.

An attack can be launched without authentication, which means that threat actors can automate attacks, Sucuri warns. This makes it easy for cybercriminals to mount attacks against a large number of vulnerable websites.

“The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous,” Sucuri’s researchers note.

Sucuri reported the vulnerability on May 13 and a patch was released the next day, with version 3.7.6 of WP Product Review Lite.

While no active exploitation attempts have been observed, the security researchers recommend that site admins upgrade to the patched version as soon as possible, as older iterations of the plugin remain vulnerable to attacks and potential compromise.


Scanning for Outlook Web Access (OWA) & Microsoft Exchange Control Panel (ECP)

17.5.2020  SANS  Vulnerebility

This past two weeks my honeypot captured several probes for this URL /owa/auth/logon.aspx?url=https://1/ecp/ looking for the Exchange Control Panel. In the February 2020 patch Tuesday, Microsoft released a patch for ECP (CVE-2020-0688) for a remote code execution vulnerability affecting Microsoft Exchange server. Zero Day Initiative provided more details for this vulnerability here. Using CyberChef URL Decode, this is the output of the scan:

tcp-honeypot-20200502-072120.log:20200502-092115: 192.168.25.9:443-162.243.136.126:40998 data 'GET /owa/auth/logon.aspx?url=https://1/ecp/ HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'

This is a sample of the logs received over the past two weeks. You will notice that the inbound scans are all from the same IP range owned by the same ASN.

Sample of Scanning Activity
tcp-honeypot-20200502-072120.log:20200502-092115: 192.168.25.9:443-162.243.136.126:40998 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'
tcp-honeypot-20200507-140821.log:20200508-060105: 192.168.25.9:443-162.243.142.247:43656 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'
tcp-honeypot-20200515-181040.log:20200516-160625: 192.168.25.9:443-162.243.138.144:45092 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'

If your organization has made OWA available on the web, verify the cumulative updates and the service pack that addressed this remote code execution vulnerability found in Microsoft Exchange 2010, 2013, 2016, and 2019 has been applied.
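As an added example (not part of this diary or its honeypot), here is a PowerShell filter that pulls these ECP probes out of tcp-honeypot lines and summarises them by source range. Three of the embedded lines are the samples above; the fourth is a constructed benign request so the filter has something to reject. The function names, the regexes and the grouping on the first two octets are this example's own assumptions, not anything the honeypot provides.

```powershell
# Added example, not diary code: detect OWA/ECP probes in tcp-honeypot log lines.
# Lines 1-3 are the diary's samples; line 4 is constructed (benign request).
$SampleLog = @'
tcp-honeypot-20200502-072120.log:20200502-092115: 192.168.25.9:443-162.243.136.126:40998 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'
tcp-honeypot-20200507-140821.log:20200508-060105: 192.168.25.9:443-162.243.142.247:43656 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'
tcp-honeypot-20200515-181040.log:20200516-160625: 192.168.25.9:443-162.243.138.144:45092 data 'GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\nAccept: */*\r\nAccept-Encoding: gzip\r\n\r\n'
tcp-honeypot-20200516-000000.log:20200516-120000: 192.168.25.9:443-198.51.100.7:51000 data 'GET /robots.txt HTTP/1.1\r\nHost: XX.YY.87.76\r\nUser-Agent: curl/7.68.0\r\n\r\n'
'@ -split "`r?`n"

function Find-EcpProbe {
    param([string[]]$Lines)
    # Honeypot line layout: <file>:<timestamp>: <hpIP>:<port>-<srcIP>:<port> data '<request>'
    $linePattern = '^(?<file>[^:]+):(?<ts>\d{8}-\d{6}): [\d.]+:\d+-(?<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ data ''(?<req>.*)''$'
    foreach ($line in $Lines) {
        if (-not ($line -match $linePattern)) { continue }
        $src = $Matches.src; $ts = $Matches.ts; $req = $Matches.req
        # The request line runs up to the first literal "\r\n" stored in the capture
        $requestLine = ($req -split '\\r\\n')[0]
        $ua = if ($req -match 'User-Agent: ([^\\]*)') { $Matches[1] } else { '' }
        $parts = $requestLine -split ' '
        if ($parts.Count -lt 2) { continue }
        # URL-decode so the %3a%2f%2f form and the already-decoded form are treated alike
        $path = [System.Uri]::UnescapeDataString($parts[1])
        if ($path -match '^/owa/auth/logon\.aspx\?url=\S*/ecp/') {
            [pscustomobject]@{ Timestamp = $ts; Source = $src; UserAgent = $ua; Path = $path }
        }
    }
}

function Group-ProbeSource {
    param([object[]]$Probes)
    # Group on the first two octets: a crude stand-in for "same IP range" until the
    # addresses are looked up (e.g. the ISC ipinfo page in reference [3])
    $Probes | Group-Object { ($_.Source -split '\.')[0..1] -join '.' } | ForEach-Object {
        [pscustomobject]@{
            Range   = '{0}.0.0/16' -f $_.Name
            Probes  = $_.Count
            Sources = (($_.Group | Select-Object -ExpandProperty Source | Sort-Object -Unique) -join ', ')
        }
    }
}

$probes = Find-EcpProbe -Lines $SampleLog
$probes | Format-Table Timestamp, Source, UserAgent, Path -AutoSize
Group-ProbeSource -Probes $probes | Format-Table -AutoSize
```

Against the embedded sample the filter keeps the three zgrab requests and drops the constructed robots.txt line. To run it over real files, replace $SampleLog with (Get-Content tcp-honeypot-*.log) and feed the Sources column to whois or the ipinfo lookup in [3] to confirm the addresses share one ASN.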

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
[2] https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
[3] https://isc.sans.edu/ipinfo.html?ip=162.243.136.126


Critical WordPress plugin bug allows for automated takeovers
17.5.2020  Bleepingcomputer  Vulnerebility

Attackers can exploit a critical vulnerability in the WP Product Review Lite plugin installed on over 40,000 WordPress sites to inject malicious code and potentially take over vulnerable websites.

WP Product Review Lite helps site owners to quickly create custom review articles using pre-defined templates.

The plugin comes with support for including affiliate links, rich snippets, review widgets, as well as for buy buttons for additional monetization streams.

Persistent XSS leading to site takeover
The WP Product Review Lite bug found by the Sucuri Labs research team can be remotely exploited by unauthenticated attackers.

They can bypass the WordPress user input data sanitization function to launch Stored Cross-Site Scripting (Stored XSS) attacks which, on successful exploitation, allow them to inject malicious scripts into all the products stored in the targeted site’s database.

Fortunately, the Sucuri Labs team is not aware of any exploitation attempts currently targeting this vulnerability.

"Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites," Sucuri Labs vulnerability researcher John Castro explained.

"The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous."

Image: vulnerable function (Sucuri Labs)
If the attackers can successfully trick a site administrator into accessing the compromised products, they could redirect the admin to a malicious site, or steal the session cookies to authenticate on behalf of the administrator.

This would allow the threat actors to add new admin accounts to completely take over the compromised WordPress site.

Site visitors are also exposed to attacks since a malicious script executed in their browser could be used by the attackers to redirect those visitors to malicious sites.
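Both the Securityweek write-up above (the sanitizing function "can be bypassed if the attacker sets a parameter inside an HTML attribute") and this article's "bypass the WordPress user input data sanitization function" come down to output context. As an added example, not code from WP Product Review Lite or from Sucuri, the PowerShell below renders a review title two ways: through a sanitiser that only strips tags, and through attribute encoding. The review title is a constructed test string; the function names and the markup template are this example's own.

```powershell
# Added example, not plugin code: a tag-stripping sanitiser versus context-aware
# attribute encoding for a value that ends up inside an HTML attribute.
function Remove-HtmlTags {
    param([string]$Value)
    # Naive "sanitiser": drops <...> sequences and nothing else, so quotes survive
    return ($Value -replace '<[^>]*>', '')
}

function ConvertTo-HtmlAttribute {
    param([string]$Value)
    # Context-aware encoding: & < > " ' become entities, so the value cannot close
    # the attribute it is embedded in, whatever it contains
    return [System.Net.WebUtility]::HtmlEncode($Value)
}

function New-ReviewMarkup {
    param([string]$Title, [scriptblock]$Encoder)
    # Template (constructed for this example) with the title in an attribute and in text
    $safe = & $Encoder $Title
    return ('<div class="review" data-title="{0}">{0}</div>' -f $safe)
}

function Test-AttributeIntact {
    param([string]$Markup)
    # The template carries exactly four double quotes; any extra one means the
    # rendered value broke out of its attribute
    return ([regex]::Matches($Markup, '"').Count -eq 4)
}

$untrusted = 'Great headset" onmouseover="alert(1)'   # constructed attacker-style input

$stripped = New-ReviewMarkup -Title $untrusted -Encoder { param($v) Remove-HtmlTags -Value $v }
$encoded  = New-ReviewMarkup -Title $untrusted -Encoder { param($v) ConvertTo-HtmlAttribute -Value $v }

[pscustomobject]@{ Sanitiser = 'strip tags';        Intact = (Test-AttributeIntact $stripped); Markup = $stripped }
[pscustomobject]@{ Sanitiser = 'attribute-encode';  Intact = (Test-AttributeIntact $encoded);  Markup = $encoded }
```

The tag-stripping path leaves the quote in place, so data-title is closed early and a new attribute follows it (Intact reports False); the encoded path renders the quote as &quot; and the attribute stays whole. In WordPress terms the fix is choosing esc_attr() for values placed in attributes rather than a filter that only removes tags; a tag filter is the wrong tool for that context.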

Thousands of sites still exposed to attacks
WP Product Review Lite's developer, ThemeIsle, fixed the vulnerability in version 3.7.6 released on May 14, one day after Sucuri Labs reported it.

Users are urged to update their plugin to the latest release as soon as possible to prevent potential attacks aiming to take over their websites or to redirect visitors and admins to malicious sites.

Sucuri (@sucurisecurity), 10:30 PM - May 14, 2020: "#WordPress Vulnerability Alert! During a recent audit we found an unauthenticated stored #XSS #vulnerability in WP Product Review. Plugin users: Please update ASAP! https://sucur.it/2WXDTO5 #websitesecurity #cybersecurity"

Almost 7,000 users have updated to the patched WP Product Review Lite version since it was released, with over 33,000 sites running vulnerable versions of the plugin still being exposed to attacks.

During the last 30 days, researchers found stored cross-site scripting (Stored XSS) vulnerabilities in several other plugins including Ninja Forms, Real-Time Find and Replace, and Contact Form 7 Datepicker, with more than 1,200,000 active installations.


SAP May 2020 Security Patch Day delivers critical updates
17.5.2020  Bleepingcomputer  Vulnerebility

Enterprise software maker SAP released its May security patches, which cover six critical issues in several of its products, three of them with a severity score very close to maximum.

All but one of these flaws are remotely exploitable, require no user interaction, and have a low attack complexity. Not all of them are new vulnerabilities, though; one of them is an update to a security note from April 2018.

These are different from the security issues the company announced last week, which impact cloud-based products and will get a fix before the end of the second quarter of the year.

Critical bug alerts
SAP’s May 2020 Security Patch Day includes almost two dozen alerts for various types of vulnerabilities and half of them are for critical and high-severity bugs.


The gravest of them is tracked as CVE-2020-6262 and has a severity score of 9.9 out of 10. It is a code injection vulnerability in Service Data Download and impacts multiple versions of SAP‌ Application Server ABAP (2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740).

Second most serious security flaw on the list is CVE-2020-6242, with a severity rating of 9.8. It is a lack of authentication check in SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.X.

A security update for the Chromium browser shipped with SAP‌ Business client is also listed as critical (9.8), based on the Common Vulnerability Scoring System (CVSS) version 3.

Another code injection was addressed in the backup server of SAP‌ Adaptive Server Enterprise (ASE) version 16.0. Identified as CVE-2020-6248, its severity is calculated at 9.1.

The same score was given to an update to a security note on April 2020 Patch Day, tracked as CVE-2020-6219 - a deserialization of untrusted data in SAP Business Objects Business Intelligence Platform (CR .Net SDK WebForm Viewer) versions 4.1 and 4.2.

An information disclosure flaw - CVE-2020-6252 (9.0) - in SAP ASE’s graphical administration tool, Cockpit, is the last on the list of critical vulnerabilities the company addresses with this week’s patches.

SAP‌ also addressed other high and medium-severity security vulnerabilities impacting Adaptive Server Enterprise and some of its components:

- an SQL injection bug, CVE-2020-6241 (8.8)
- a code injection in SAP ASE’s XP server on Windows platform, CVE-2020-6243 (8)
- an SQL injection affecting SAP ASE’s Web Services, CVE-2020-6253 (7.2)
- an information disclosure, CVE-2020-6250 (6.8)
- missing authorization check, CVE-2020-6259 (6.5)
SAP customers are strongly recommended to prioritize applying this month's patches, available via the company's support portal.


Adobe fixes critical vulnerabilities in Acrobat, Reader, and DNG SDK
16.5.2020  Bleepingcomputer  Vulnerebility

Adobe has released security updates for Adobe Acrobat, Reader, and Adobe DNG Software Development Kit that resolve a combined total of thirty-six security vulnerabilities in the three products.

Of the thirty-six vulnerabilities, sixteen are classified as 'Critical' as they allow code execution or the bypassing of security features.

If you use either of these products, it is strongly suggested that you upgrade to the latest versions as soon as possible.

Security Update available for Adobe Acrobat and Reader | APSB20-24
Adobe has released security updates for Acrobat and Reader that resolve a total of twenty-four vulnerabilities.

Of these vulnerabilities, twelve are classified as 'Critical' as they allow code execution or the bypassing of security features. The rest are denial of service or information disclosure vulnerabilities and are classified as 'Important'.

Vulnerability Category | Vulnerability Impact          | Severity  | CVE Number
Null Pointer           | Application denial-of-service | Important | CVE-2020-9610
Heap Overflow          | Arbitrary Code Execution      | Critical  | CVE-2020-9612
Race Condition         | Security feature bypass       | Critical  | CVE-2020-9615
Out-of-bounds write    | Arbitrary Code Execution      | Critical  | CVE-2020-9597, CVE-2020-9594
Security bypass        | Security feature bypass       | Critical  | CVE-2020-9614, CVE-2020-9613, CVE-2020-9596, CVE-2020-9592
Stack exhaustion       | Application denial-of-service | Important | CVE-2020-9611
Out-of-bounds read     | Information disclosure        | Important | CVE-2020-9609, CVE-2020-9608, CVE-2020-9603, CVE-2020-9602, CVE-2020-9601, CVE-2020-9600, CVE-2020-9599
Buffer error           | Arbitrary Code Execution      | Critical  | CVE-2020-9605, CVE-2020-9604
Use-after-free         | Arbitrary Code Execution      | Critical  | CVE-2020-9607, CVE-2020-9606
Invalid memory access  | Information disclosure        | Important | CVE-2020-9598, CVE-2020-9595, CVE-2020-9593

Users should install the latest versions of Adobe Acrobat and Adobe Reader to resolve these vulnerabilities.

Security update available for Adobe DNG Software Development Kit (SDK) | APSB20-26
This update fixes twelve vulnerabilities in the Adobe DNG Software Development Kit, including critical code execution flaws.

Of the twelve vulnerabilities fixed in this update, four are classified as 'Critical' and the rest as 'Important'.

Vulnerability Category | Vulnerability Impact     | Severity  | CVE Numbers
Heap Overflow          | Arbitrary Code Execution | Critical  | CVE-2020-9589, CVE-2020-9590, CVE-2020-9620, CVE-2020-9621
Out-of-Bounds Read     | Information Disclosure   | Important | CVE-2020-9622, CVE-2020-9623, CVE-2020-9624, CVE-2020-9625, CVE-2020-9626, CVE-2020-9627, CVE-2020-9628, CVE-2020-9629

Users should install Adobe DNG Software Development Kit (SDK) 1.5.1 to resolve these vulnerabilities.


New Thunderbolt security flaws affect systems shipped before 2019
15.5.2020  Vulnerebility

Attackers who gain physical access to Windows, Linux, or macOS devices can access and steal data from their hard drives by exploiting 7 vulnerabilities found in Intel's Thunderbolt hardware interface and collectively known as Thunderspy.

Thunderbolt is a hardware interface designed by Intel and Apple in collaboration to help connect external peripherals that need high-speed connections (RAID arrays, network interface, video capture devices, and others) to a computer.

The new attack, discovered by Eindhoven University of Technology researcher Björn Ruytenberg, is designed to break Thunderbolt's security, making it possible for attackers to steal information from any vulnerable Thunderbolt-enabled device.

Systems shipped before 2019 are vulnerable
While Intel says that Windows, Linux, and macOS implemented Kernel Direct Memory Access (DMA) protection as mitigation for such attacks, this doesn't mitigate all possible attack scenarios and it is only available on compatible systems shipped from 2019 and later.

"Hence, all systems released before 2019, and more recent systems that do not ship Kernel DMA Protection, will remain fully vulnerable to Thunderspy forever," the researcher explains.

For Linux and Windows users, all systems purchased before 2019 are vulnerable to Thunderspy attacks according to Ruytenberg, while devices bought during and after 2019 might come with support for Kernel DMA Protection which protects against drive-by Direct Memory Access attacks.

Similarly, Macs from 2011 and older, except for Retina MacBooks, are all impacted by Thunderspy as they all provide users with Thunderbolt connectivity.

Below you can watch an embedded demo of a Thunderspy proof-of-concept demonstrating how to unlock a Windows PC in 5 minutes.

Breaks Thunderbolt security
"Thunderspy is stealth, meaning that you cannot find any traces of the attack. It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using," Ruytenberg says.

"Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption.

"All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware."

In all, Ruytenberg says that he "found 7 vulnerabilities in Intel’s design and developed 9 realistic scenarios how these could be exploited by a malicious entity to get access to your system, past the defenses that Intel had set up for your protection."

So far, these 7 security issues have been found to impact the Thunderbolt 1 and 2 (over Mini DisplayPort) and Thunderbolt 3 (over USB-C):

- Inadequate firmware verification schemes
- Weak device authentication scheme
- Use of unauthenticated device metadata
- Downgrade attack using backwards compatibility
- Use of unauthenticated controller configurations
- SPI flash interface deficiencies
- No Thunderbolt security on Boot Camp

Mitigation requires a silicon redesign
Intel confirmed that the vulnerabilities are valid but will not issue a patch for devices already sold and known to be vulnerable, as mitigating Thunderspy would require a silicon redesign.

Intel said that they will incorporate additional hardware protections for future systems that come with support for the Thunderbolt technology.

As Intel told the researcher after examining the reported vulnerabilities:

- All three versions of Thunderbolt are affected by the Thunderspy vulnerabilities.
- Only systems shipping Kernel DMA Protection mitigate some, not all, of the Thunderspy vulnerabilities.
- Only systems that began shipping since 2019 come with Kernel DMA Protection.
- Beyond Kernel DMA Protection, Intel will not provide any mitigations to address the Thunderspy vulnerabilities. Hence, Intel will not assign any CVEs to the Thunderspy vulnerabilities, or release any public security advisories to inform the general public.

Until Intel implements Thunderspy hardware protections, you can follow these recommendations to protect your data or disable the Thunderbolt controller in UEFI (BIOS).

Ruytenberg also developed Spycheck, a tool to help users check if their computers are affected by the Thunderspy vulnerabilities and to provide recommendations on how to protect their systems from attacks.

Last year, a team of researchers disclosed another set of security vulnerabilities — dubbed Thunderclap — requiring physical access and affecting modern Thunderbolt-enabled computers that run Windows, macOS, Linux, or FreeBSD.

The Thunderclap flaws can be exploited to run arbitrary code using the highest possible privilege level on the system to access or steal "passwords, banking logins, encryption keys, private files, browsing," as well as other sensitive data present on the vulnerable machine.


Vulnerabilities in SoftPAC Virtual Controller Expose OT Networks to Attacks
15.5.20  Securityweek  Vulnerebility
Vulnerabilities discovered by a researcher at industrial cybersecurity firm Claroty in Opto 22’s SoftPAC virtual programmable automation controller (PAC) expose operational technology (OT) networks to attacks.

SoftPAC is a software-based automation controller that can be hosted on a Windows device, which, according to the vendor, makes it particularly useful for applications that require more file storage, computing power, or frequent access to files.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) says the product is used worldwide in sectors such as transportation, IT, critical manufacturing and commercial facilities. Claroty has also seen it being used often in the power generation sector.

SoftPAC has three main components: Monitor, Agent and the virtual controller itself. The Monitor allows users to start and stop the PAC service and update the SoftPAC firmware. The Agent acts as an intermediary between the Monitor and the PAC.

Claroty researcher Mashav Sapir discovered a total of five vulnerabilities related to the lack of sanitization for firmware update file names, the lack of checks for firmware file signatures, communications over an open port, an uncontrolled search path that allows DLL hijacking, and the lack of authentication or authorization mechanisms.

The flaws can allow a remote attacker who can gain access to the SoftPAC Agent to send start or stop commands to the PAC or update its firmware. Claroty warned that these types of virtual controllers can serve as an entry point to OT networks.

“Since the protocol used by SoftPAC Agent does not require any form of authentication, a remote attacker could potentially mimic SoftPAC Monitor, establish a remote connection, and execute start/stop service or firmware update commands. While an attacker could use start/stop commands to cause costly and potentially dangerous operational changes, the firmware update command is an area of even greater concern,” Claroty explained in a blog post.

According to Claroty, an attacker can achieve arbitrary code execution on the targeted system by combining the firmware update vulnerabilities with DLL hijacking. The company has shared a description of an attack conducted in its lab.

“After initiating a connection with SoftPAC Agent, Claroty researchers used this connection to check whether SoftPAC PLC was currently running,” Claroty said. “Next, they sent a stop command to SoftPAC Agent to stop SoftPAC PLC. After stopping the PLC, they sent a firmware update command containing a network path to a malicious zip file. SoftPAC Agent extracted the zip file and dropped the malicious dynamic-link library (DLL) file it contained and placed in the same directory as SoftPAC’s executable. After delivering the malicious file, Claroty researchers sent a command to restart SoftPAC PLC, causing the malicious DLL to load, thus executing the code with SYSTEM privileges.”

Opto 22 patched the vulnerabilities with the release of version 10.3. Version 9.6 and earlier are affected, Claroty and CISA said.


Palo Alto Networks Patches Many Vulnerabilities in PAN-OS
15.5.20  Securityweek  Vulnerebility

Palo Alto Networks this week informed customers that it has patched over two dozen vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls.

One of the most serious of the flaws is CVE-2020-2018, which has a CVSS score of 9, and which allows an attacker with access to the Panorama management system’s interface to gain privileged access to managed firewalls. This authentication bypass issue affects the Panorama context switching feature, and the vendor says exploitation “requires some knowledge of managed firewalls.”

Another potentially serious issue is CVE-2020-2012, a high-severity XXE vulnerability that allows a remote and unauthenticated attacker with access to the Panorama interface to read arbitrary files from the system.

Another high-severity flaw, CVE-2020-2011, allows a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition to all Panorama services by sending specially crafted registration requests.

A serious cross-site scripting (XSS) vulnerability affecting the GlobalProtect Clientless VPN can allow an attacker to compromise a user’s session by getting them to visit a malicious website.

Some old vulnerabilities affecting the previous Nginx version included in PAN-OS can also be exploited without authentication, including some that have been rated high severity.

The latest versions of PAN-OS also address high-severity vulnerabilities that can be exploited to escalate privileges, execute shell commands or code with root permissions, hijack administrator accounts, launch XSS attacks, bypass authentication, and delete files. However, exploiting these security holes either requires authentication or the attacker needs to be able to intercept traffic.

One of these flaws is CVE-2020-2002, described as an authentication bypass issue that involves Kerberos key distribution center (KDC) spoofing. The vulnerability was discovered by researchers at Silverfort, who recently identified a similar problem in Cisco Adaptive Security Appliance (ASA).

Of the medium-severity vulnerabilities, one that appears interesting is CVE-2020-1996, which allows a remote, unauthenticated attacker to inject messages into the ms.log file on the management server.

“This vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file,” Palo Alto Networks said in its advisory.


Base Conversions and Creating GUI Apps in PowerShell

15.5.20  SANS  Vulnerebility

I don't know about you, but I find myself doing conversions from decimal to hex and binary several times per day. For me, working out binary equivalents of decimal numbers is something I do all the time to verify subnet masks, network and broadcast addresses - also in answering "is this IP in the same subnet or in an adjacent network?" Conversions of the same type crop up all the time in decoding constructs in packets. Wireshark and Burp will both often anticipate what you want to do on this score, but not always.

Anyway, this all started with a Twitter conversation with Lee Holmes - he said that he hasn't used Windows Calc since PowerShell got "grown up" math, and I said that I use calc all the time for binary <-> decimal, especially if I'm on a client server (and don't have my trusty HP 35s or 16c calculator or emulator handy). Of course, immediately after that conversation I started coding :-)

First of all, there are more than a few ways to do base conversion in PowerShell. I'll start with the obligatory shout out to the Windows PowerShell Cookbook (I'll never get tired of O'Reilly books) - oddly enough Lee is the author of that book!
https://www.amazon.com/gp/product/B00ARN9MEK/ref=dbs_a_def_rwt_hsch_vapi_tkin_p1_i0
specifically this set of "recipes" at http://powershellcookbook.com/recipe/VoMp/convert-numbers-between-bases

The main thing to remember though is that a number is a number, and how you print it is up to you. If you actually want to *store* a number in a different base, you need to convert it to a string value and store the string.

So to convert a number to a different base:

$result = [Convert]::ToString($Number,$BaseToConvertTo)

If you are starting with a string value in decimal, you'll want to convert it to an integer first:

$result = [Convert]::ToString([int]$NumberAsAString,$BaseToConvertTo)

Or if you are starting from some other base, you'll want to convert back. A handy shortcut: PowerShell understands that "0x4E" is hex 4E, so we'll use that to convert a hex number held in a string to decimal:

[Convert]::ToString("0x"+$hexnum, 10)

or, an even simpler approach (thanks Lee!):

$decnum = [int]("0x"+$hexnum)

or Binary to Decimal:

$decnum = [convert]::toint32($binnum,2)

Note that I converted to int32 in this case, since printing a number by default will be in decimal.

Binary to hex:
Convert to $decnum above, then convert dec to hex:

$hexnum = [convert]::tostring($decnum,16)

So fun all around, but these don't tend to roll off your fingers like using a calculator does (especially if that calculator is RPN). Anyway, this got me to thinking about writing an actual app in Powershell, and looking at GUI support in the native language. Yes, PowerShell does Windows!

Some snips below illustrate various windowing features. First, a screenshot of the app to refer to:

The input box is where we input the starting value:

############################################## form and text box - INPUT
Add-Type -AssemblyName System.Windows.Forms   # load WinForms before any Forms type is used
Add-Type -AssemblyName System.Drawing         # Size, Point and Font live here
$Form = New-Object System.Windows.Forms.Form  # the parent window every snip below adds controls to
$TextInputBox = New-Object System.Windows.Forms.TextBox
$TextInputBox.Location = New-Object System.Drawing.Size(20,50)
$TextInputBox.Size = New-Object System.Drawing.Size(300,150)
$TextInputBox.Height = 150
$TextInputBox.font = New-Object System.Drawing.Font("Lucida Console",32,[System.Drawing.FontStyle]::Regular)
$Form.Controls.Add($TextInputBox)

Radio buttons are easy to code up too - I use these to select the source base of the number we just typed in. Note that we're setting the size of the box that the buttons live in as a "group box". Sizes are all defined, and the fonts and font size are as well. This code all works as-is on a 4k screen, I haven't tried it at other resolutions (please let me know if it works without tinkering on different res screens?):

############################################## group boxes
$groupBox = New-Object System.Windows.Forms.GroupBox
$groupBox.Location = New-Object System.Drawing.Size(350,20)
$groupBox.size = New-Object System.Drawing.Size(500,400)
$groupBox.text = "Source Base"
$groupbox.font = New-Object System.Drawing.Font("Lucida Console",16,[System.Drawing.FontStyle]::Regular)
$Form.Controls.Add($groupBox)
##############################################

############################################## radio buttons
$RadioButton1 = New-Object System.Windows.Forms.RadioButton
$RadioButton1.Location = new-object System.Drawing.Point(15,50)
$RadioButton1.size = New-Object System.Drawing.Size(800,70)
$RadioButton1.Checked = $true
$RadioButton1.Text = "Decimal (0d)"
$groupBox.Controls.Add($RadioButton1)

$RadioButton2 = New-Object System.Windows.Forms.RadioButton
$RadioButton2.Location = new-object System.Drawing.Point(15,130)
$RadioButton2.size = New-Object System.Drawing.Size(800,70)
$RadioButton2.Text = "Hexadecimal (0x)"
$groupBox.Controls.Add($RadioButton2)

The "GO" button takes the value entered and sends it off to a function (SrcBase, in the full script on github) that converts it into every other format:

############################################## GO button
$Button = New-Object System.Windows.Forms.Button
$Button.Location = New-Object System.Drawing.Size(100,150)
$Button.Size = New-Object System.Drawing.Size(220,70)
$Button.Font = New-Object System.Drawing.Font("Lucida Console",16,[System.Drawing.FontStyle]::Regular)
$Button.Text = "CONVERT"
$Button.Add_Click({SrcBase $TextInputBox.Text})   # SrcBase is the conversion function from the full script
$Form.Controls.Add($Button)

Finally, outputting the number to an output box is easy too. First create the output box:

############################################## text fields - OUTPUT
$outputBox = New-Object System.Windows.Forms.TextBox
$outputBox.Location = New-Object System.Drawing.Size(100,475)
$outputBox.Size = New-Object System.Drawing.Size(1000,300)
$outputBox.MultiLine = $True
$outputBox.Font = New-Object System.Drawing.Font("Lucida Console",32,[System.Drawing.FontStyle]::Regular)
$Form.Controls.Add($outputBox)

Then calculate what goes into it (the "GO" function), then output the result:

$NL = "`r`n"
$TAB = "`t"
# $binnum, $hexnum and $decnum are the three renderings produced by the conversion function
$result = $NL+"BIN (0b)"+$TAB + $binnum +$NL+"HEX (0x)"+$TAB + $hexnum+$NL+ "DEC (0d)"+$TAB+ $decnum
$outputBox.AppendText($result)

Just for fun, I added ASCII conversions too:
decimal to ascii: [char][int]$decnum

ascii to decimal can be more fun - first convert it to a list of numbers:
$list = [int[]][char[]]$asciistring

Then in a loop convert each list number to its hex or binary string representation:
for ($i = 0; $i -lt $list.Count; $i++) {
    $d = $list[$i]
    $h = [convert]::tostring($d,16)   # hex string for this character
    $b = [convert]::tostring($d,2)    # binary string for this character
}

The ASCII conversion will convert a string to values (yes, you can use longer strings, but you'll need to scroll to see the results), but values-to-string is a single Unicode character proposition (so the input values are 0-65535, or 0x0000-0xFFFF).

As in most GUI apps, this is more or less 20 lines of code and 150-ish lines of formatting, I/O, and yes, input validation - I do check if the value input is valid for the source base.
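Since the validation is described but not shown in the snips above, here is an added example (not the author's github script) that does the conversions from the first half of this post with a per-base validity check on the input, plus the ASCII round trip with the 0-65535 limit. The function names and the optional 0d/0x/0b prefixes are choices made for this example.

```powershell
# Added example, not the diary's script: base conversion with per-base input
# validation, plus string <-> character-code conversion.
function ConvertFrom-BaseString {
    param(
        [Parameter(Mandatory)][string]$Value,
        [Parameter(Mandatory)][ValidateSet(2, 10, 16)][int]$Base
    )
    $digits = switch ($Base) { 2 { '[01]+' } 10 { '[0-9]+' } 16 { '[0-9A-Fa-f]+' } }
    $prefix = switch ($Base) { 2 { '0b' }   10 { '0d' }    16 { '0x' } }
    $clean = $Value.Trim()
    # Strip the optional prefix for the selected base, then allow only that base's digits,
    # so "0x1G" or "0b102" is rejected instead of being silently mis-parsed
    if ($clean.Length -ge 2 -and $clean.Substring(0, 2) -ieq $prefix) { $clean = $clean.Substring(2) }
    if ($clean -notmatch "^$digits`$") { throw "'$Value' is not a valid base-$Base number" }
    return [Convert]::ToInt64($clean, $Base)   # throws OverflowException beyond 64 bits
}

function ConvertTo-AllBases {
    param([Parameter(Mandatory)][long]$Number)
    # A number is a number; these are just three string renderings of it
    [pscustomobject]@{
        BIN = '0b' + [Convert]::ToString($Number, 2)
        HEX = '0x' + [Convert]::ToString($Number, 16).ToUpper()
        DEC = '0d' + $Number.ToString()
    }
}

function ConvertTo-CharCodes {
    param([Parameter(Mandatory)][string]$Text)
    # String to values: one row per character, as the loop in the post does
    foreach ($c in $Text.ToCharArray()) {
        $d = [int]$c
        [pscustomobject]@{ Char = $c; DEC = $d; HEX = [Convert]::ToString($d, 16); BIN = [Convert]::ToString($d, 2) }
    }
}

function ConvertFrom-CharCode {
    param([Parameter(Mandatory)][long]$Code)
    # Values to string is one UTF-16 code unit at a time, hence the 0-65535 limit
    if ($Code -lt 0 -or $Code -gt 0xFFFF) { throw "Code $Code is outside 0-65535 (0x0000-0xFFFF)" }
    return [char][int]$Code
}

# The same number three ways in, three ways out
foreach ($pair in @(@('0x4E', 16), @('0b1001110', 2), @('78', 10))) {
    ConvertTo-AllBases -Number (ConvertFrom-BaseString -Value $pair[0] -Base $pair[1])
}
# An input that does not fit the selected base is reported rather than mis-parsed
try { ConvertFrom-BaseString -Value '0x4E' -Base 10 } catch { Write-Warning $_ }
ConvertTo-CharCodes -Text 'Hi' | Format-Table -AutoSize
ConvertFrom-CharCode -Code 0x4E
```

In a GUI the source base comes from the radio button that is checked, so the selected base is passed as -Base and the text box content as -Value; wrapping the call in try/catch and writing the exception message to the output box is all the validation feedback the user needs.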

What I haven't tackled correctly yet is screen resolution. At the moment this little app is all hard-coded for a 4k screen, so it's not going to render all that well on other resolutions, especially with lower pixel counts. The better approach would be to set all of the size and position numbers to variables, and get the screen resolution during startup.

For a single screen, that's easy - WMI is your go-to:

(Get-WmiObject -Class Win32_VideoController) | select CurrentHorizontalResolution,CurrentVerticalResolution

CurrentHorizontalResolution CurrentVerticalResolution
--------------------------- -------------------------
                       3840                      2160

This is a bit more involved for a multiple screen system:

Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.Screen]::AllScreens.workingarea | select width,height

Width Height
----- ------
 3840   2080
 3840   2080
 3840   2080

With this information in hand, the plan is to change each size / position number to a list of values, so that you can then set a "$res" variable to then use as an index to each list to get the right value for the current screen.

As with everything I post, the source for this is in my github, at https://github.com/robvandenbrink

Got a neat idea that a GUI app in Powershell would be just the ticket for? Or better yet, a link to your github for one that you've written? Please, share using our comment form! If it's an idea that appeals, it might become a future post!

Want to dig deeper into PowerShell with a security focus? Check out SANS SEC505 - you can take it online at the SANSFIRE conference, which is virtual this year ( https://www.sans.org/event/sansfire-2020/course/securing-windows-with-powershell ). If you've taken SEC505 before, re-read the current description, it looks like there's a ton of new content!


Flaw in WordPress Plugin Grants Access to Google Search Console
14.5.2020  Securityweek  Vulnerebility

A vulnerability that Google has addressed in one of its official WordPress plugins could be abused by attackers to gain access to the Google Search Console of an impacted website.

The plugin, Site Kit by Google, was designed to provide site admins with information on how people find and use their websites, providing insights from critical Google tools, straight to the WordPress dashboard. The plugin has over 400,000 active installations.

The recently identified security flaw, which has already been patched by Google, is rated critical severity and has a CVSS score of 9.1. It could allow an attacker to obtain owner access to the Search Console and modify sitemaps or tamper with search engine result pages (SERPs).

During the initial connection with Google Search Console, the plugin generates a proxySetupURL through which the site admin is redirected to Google OAuth, and leverages a proxy to run the verification process.

The proxySetupURL, the Wordfence Threat Intelligence team at Defiant discovered, was displayed as part of the HTML source code of admin pages and could be viewed by any authenticated user who accessed the /wp-admin dashboard.

Additionally, the security researchers say, the verification request was found to be a registered admin action that had no capability checks. Thus, any authenticated user, even one with minimal permissions, could send verification requests.

“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” Defiant explains.

Google addressed the vulnerabilities with the release of version 1.8.0 of Site Kit with the addition of capability checks to prevent the proxySetupURL from being displayed to unauthorized users and to verify that the verification request sent during a legitimate authenticated session came from a user with administrative permissions.

An attacker could abuse the Google Search Console owner access to manipulate SERPs through black-hat SEO, the researchers say. The attacker could also combine the vulnerability with another exploit that provides the ability to inject malicious content on the site, for monetization.

“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results,” Defiant says.


Improper Microsoft Patch for Reverse RDP Attacks Leaves 3rd-Party RDP Clients Vulnerable
14.5.2020  Thehackernews  Vulnerebility
Remember the Reverse RDP Attack—wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft's Remote Desktop Protocol?
Though Microsoft had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward slashes in paths with forward slashes.
Microsoft acknowledged the improper fix and re-patched the flaw in its February 2020 Patch Tuesday update earlier this year, now tracked as CVE-2020-0655.
In the latest report shared with The Hacker News, Check Point researchers disclosed that Microsoft addressed the issue by adding a separate workaround in Windows while leaving the root cause of the bypass, the API function "PathCchCanonicalize," unchanged.
The workaround covers the built-in RDP client in Windows, but it does not protect third-party RDP clients that rely on the same vulnerable sanitization function developed by Microsoft.
"We found that not only can an attacker bypass Microsoft's patch, but they can bypass any canonicalization check that was done according to Microsoft's best practices," Check Point researcher Eyal Itkin said in a report shared with The Hacker News.
For those unaware, path traversal attacks occur when a program that accepts a file as input fails to validate the file's path, allowing an attacker to write the file to any chosen location on the target system and thus reach files outside of the application's root directory.
"A remote malware-infected computer could take over any client that tries to connect to it. For example, if an IT staff member tried to connect to a remote corporate computer that was infected by malware, the malware would be able to attack the IT staff member's computer as well," the researchers described.
The flaw came to light last year, and subsequent research in August found that it impacted Microsoft's Hyper-V hardware virtualization platform as well.
Here's a demonstration video on the original vulnerability from last year:

An Improperly Patched Path Traversal Flaw
According to researchers, the July patch can be bypassed because of a problem that lies in its path canonicalization function "PathCchCanonicalize," which is used to sanitize file paths, thus allowing a bad actor to exploit the clipboard synchronization between a client and a server to drop arbitrary files in arbitrary paths on the client machine.
In other words, when using the clipboard redirection feature while connected to a compromised RDP server, the server can use the shared RDP clipboard to send files to the client's computer and achieve remote code execution.
Although Check Point researchers originally confirmed that "the fix matches our initial expectations," it appears there's more to it than meets the eye: the patch can be simply bypassed by replacing backward slashes (e.g., file\to\location) in paths with forward slashes (e.g., file/to/location), which traditionally act as path separators in Unix-based systems.
"It seems that PathCchCanonicalize, the function that is mentioned in Windows's best practice guide on how to canonicalize a hostile path, ignored the forward-slash characters," Itkin said. "We verified this behavior by reverse-engineering Microsoft's implementation of the function, seeing that it splits the path to parts by searching only for '\' and ignoring '/.'"
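To make the gap concrete, here is an added example (not code from the Check Point report or from Microsoft) that models a canonicalizer recognising only '\' beside a hardened check that normalizes both separators before resolving; naive_canonicalize only imitates the behaviour described above, it is not PathCchCanonicalize, and the destination directory and file names are constructed.

```python
"""Added example, not code from the Check Point report or from Microsoft.

naive_canonicalize imitates the behaviour described in the report: only '\\'
is treated as a separator, so "../" segments survive and a prefix check built
on the result passes a name that the file system later resolves elsewhere.
hardened_resolve normalizes both separators first and compares the fully
resolved path against the intended directory.
"""
import ntpath
from typing import Optional

BASE = r"C:\Users\victim\Downloads"   # constructed destination directory


def naive_canonicalize(path: str) -> str:
    """Collapse '.' and '..' segments, recognising only '\\' as a separator."""
    out = []
    for part in path.split("\\"):
        if part == "..":
            if len(out) > 1:          # keep the drive segment
                out.pop()
        elif part not in ("", "."):
            out.append(part)
    return "\\".join(out)


def naive_accepts(base: str, name: str) -> bool:
    """Containment check in the style the report criticises: canonicalize
    with the naive function, then prefix-compare. A "../" name slips through
    because it never becomes a separate ".." segment."""
    full = naive_canonicalize(base + "\\" + name)
    return full.startswith(base + "\\")


def hardened_resolve(base: str, name: str) -> Optional[str]:
    """Return the resolved destination, or None when the name escapes base.

    Both separators are normalized, absolute, rooted and drive-qualified
    names are rejected outright, and the final comparison is made on the
    resolved path rather than on the untrusted input.
    """
    name = name.replace("/", "\\")
    if ntpath.isabs(name) or name.startswith("\\") or ntpath.splitdrive(name)[0]:
        return None
    full = ntpath.normpath(ntpath.join(base, name))   # folds '..' on both separators
    if ntpath.normcase(full).startswith(ntpath.normcase(base) + "\\"):
        return full
    return None
```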
The cybersecurity firm said it found the flaw when trying to examine Microsoft's Remote Desktop client for Mac, an RDP client that was left out from their initial analysis last year. Interestingly, the macOS RDP client in itself isn't vulnerable to CVE-2019-0887.
With the main vulnerability still not rectified, Check Point cautioned that a simple bypass of a core Windows path sanitization function poses a serious risk to many other software products that could potentially be affected.
"Microsoft neglected to fix the vulnerability in their official API, and so all programs that were written according to Microsoft's best practices will still be vulnerable to a Path-Traversal attack," Check Point's Omri Herscovici said. "We want developers to be aware of this threat so that they could go over their programs and manually apply a patch against it."