Tag Archives: Elevation of Privilege

FTP Handling Vulnerabilities Disclosed in Java and Python

Last month security researchers Alexander Klink and Blindspot Security Researcher Timothy Morgan publicly disclosed information disclosure and low-privilege code execution vulnerabilities affecting Oracle Java and Oracle Java/Python respectively. Alexander Klink’s vulnerability relates to XXE (XML External Entity) processing specifically crafted XML files leading to information disclosure. Timothy Morgan’s vulnerabilities involve adding Carriage Return (CR) and Line Feed (LF) characters to the TCP stream (a structured sequence of data) to the FTP processing code within Java and Python. The researchers notified the affected vendors over a year ago but the vendors did not address these issues. Timothy Morgan’s vulnerability also causes firewalls to open a port to temporarily allow an FTP connection.

How can I protect myself from these vulnerabilities?
Fortunately exploitation of these vulnerabilities is not trivial since the first FTP vulnerability requires an attacker to already have already compromised an organizations internal email server. The second vulnerability requires an attacker to know the victims internal IP address and for the FTP packets to be in alignment.

System administrators responsible for network infrastructure should monitor communications to email servers for suspicious activity and ensure internal computer systems are not accessible from the external internet (for example using Shodan). Apply vendor software updates when made available for these issues. The blog posts from the researchers here and here provide further detailed recommendations to mitigate these vulnerabilities.

Thank you.

Mitigating the Increasing Risk Facing Critical Infrastructure and the Internet of Things

With attackers and malware authors extending their reach to more and more areas of our everyday lives, both companies and individuals need to take steps to improve the security of their equipment/devices. It’s not just devices such as thermometers (while important) in our homes at risk; devices that impact health and safety as well as entire communities and economies are being / or will be targeted.

For example, last month a cyber-attack took place in Ukraine that while it only lasted approximately 1 hour, served to cause a power outage in an entire district of Kiev. The on-going investigation into this attack believes it to be the same attackers responsible for the December 2015 attack (that attack affected approximately 250,000 people for up to 6 hours).

In a similar manner, a smaller energy company (at an undisclosed location) was a victim of the Samsam ransomware (defined). The attackers initially compromised the web server and used a privilege escalation vulnerability (defined) to install further malware and spread throughout the network. The attackers demanded 1 Bitcoin per infected system. The firm paid the ransom and received a decryption key that didn’t work.

Fortunately, this energy company had a working backup and was back online after 2 days. The root cause of infection? Their network not being separated by a DMZ (defined) from their industrial networks. This Dark Reading article also details 2 further examples of businesses affected who use industrial systems namely a manufacturing plant and a power plant. Both were located in Brazil.

Mark Stacey of RSA’s incident response team says that while nation states have not yet employed ransomware in industrial systems, it will certainly happen. He cites the example of a dam, where the disabling of equipment may not demand a large ransom compared to the act of encrypting the data required for its normal operation.

Former US National Security Official Richard Clarke is suggesting the use of a tried and tested means of increasing the security of all deployed industrial control systems. As it is very difficult convincing those on the Board of Directors to provide budget for something that has not happened/may not happen, he suggests employing an approach similar to that of the Y2K bug. This would require introducing regulations that require all devices after a given date be in a secured state against cyber-attack. He advocates electric power, connected cars and healthcare providers follow this approach and notes that without regulation “none of this is going to happen.” Since these regulations would apply to all ICS/SCADA (defined) vendors, they would also not loose competitiveness

With security analysts predicting further compromises of ICS/SCADA equipment this year, we need to better protect this infrastructure.

For enterprises and businesses, the regulations proposed above should assist with securing IoT and ICS/SCADA devices. However, this is just the beginning. This scanner from Beyond Trust is another great start. As that article mentions the FTC is offering $100,000 to “a company that can discover an innovative way of managing and patching IoT devices.” Securing IoT devices is not an easy problem to solve.

However, progress is happening with securing critical infrastructure and Internet of Things (IoT)(defined) devices. For example, please find below resources/recommendations, tools and products that can help protect these systems and devices.

How can we better secure ICS/SCADA devices?
These devices power our critical infrastructure e.g. power, gas, communications, water filtration etc. The US ICS-CERT has a detailed list of recommendations available from the following links:

ICS CERT Recommended Practices
ICS-CERT Secure Architecture Design
ICS Defense In-Depth (PDF)

An ICS-CERT overview of the types of vulnerabilities that these systems face.

Securing IoT devices in industry
Free IoT Vulnerability Scanner Hunts Enterprise Threats (Dark Reading.com)
Defending the Grid
Network and IoT to underpin Trend Micro’s 2017 strategy

Securing IoT in the medical sector/businesses
Hospitals are under attack in 2016 (Kaspersky SecureList)
Fooling the Smart City (Kaspersky SecureList)

Recommendations for consumer IoT devices are the following
My previous recommendations on securing IoT devices
Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection
Securing Your Smart TV
8 tips to secure those IoT devices (Network World)
Who Makes the IoT Things Under Attack? (Krebs on Security)

I hope that you find the above resources useful for securing ICS/SCADA as well as IoT devices that are very likely a target this year.

Thank you.

Encrypted Linux Systems Affected By Boot Process Vulnerability

Early last week a potentially serious vulnerability (assigned CVE-2016-4484 (defined)) within the Linux boot sequence was disclosed by security researchers at the DeepSec conference in Vienna.

Why Should This Issue Be Considered Important?
This is an elevation of privilege (defined) vulnerability that when exploited can result in an attacker obtaining root (defined) level access over your Linux system. It can be exploited by continually pressing the Enter key at the LUKS (Linux Unified Key Setup) password prompt. According to the researchers Hector Marco & Ismael Ripoll after approximately 70 seconds a new root shell (defined) will appear.

With this shell the attacker can delete all of information on the encrypted disks the LUKS prompt is designed to protect. This could also be used to copy the encrypted information to another location to attempt to brute force (defined) it. This also applies to any unencrypted information on the disk. Finally it could be used to elevate privileges from a standard user by storing an executable file with the SetUID bit enabled.

Interestingly this issue can only occur if the system partition is encrypted. At least Debian and Ubuntu distributions are vulnerable to this issue. Others may be too but the researchers have not exhaustively tested them.

Further details of this issue are provided within the researcher’s blog post.

How Can I Protect Myself From This Issue?
The researchers have provided a workaround and have proposed a more permanent fix within their blog post. It involves editing the cryptroot file so that the computer simply reboots when the number of password guesses reaches the limit.

If you are a Linux system administrator or know someone who is, this issue and it’s fix may be of interest. Thank you.

Disclosed Microsoft Zero Day Under Attack By APT Group

Update: 8th November:
The Microsoft zero day vulnerability discussed in this post has now been patched. Please refer to this post for the appropriate information and download links.

Thank you.

Original Post:
Earlier this week Google publicly disclosed (defined) details of a new zero day (defined) vulnerability affecting supported versions of Windows up to Windows 10. Fortunately, the disclosure only included minimal details.

Why Should These Issues Be Considered Important?
The vulnerability disclosed by Google could result with an attacker being able to elevate their privileges (defined) on an affected system. However, when used in combination with a previously patched Adobe Flash Player vulnerability (reference previous post) this could result in a Windows system under your responsibility or in your ownership to have a backdoor (defined) installed.

Some good news is that this new exploit primarily targets organisations that operate in the following sectors (thus all other organisations are at somewhat reduced risk): government, intelligence or military organisations.

The nature of the backdoor is the decision of the attacker but would usually include a means of remaining persistent on the system and allowing the attacker to remote access the infected system. This backdoor can then be used to move data of the attacker’s choice off the affected system. The APT group known as STRONTIUM by Microsoft (other aliases used in the wider cyber security industry are APT28, also aka Sofacy aka Fancy Bear aka TsarTeam aka Sednit aka PawnStorm). STRONTIUM is also known for moving laterally throughout the network which they compromise (where the pass the hash (PtH) (defined) technique is the method of choice to do so).

How Can I Protect Myself From This Issue?
While a patch from Microsoft is in progress (scheduled for release on the 8th of November): follow safe email guidelines namely don’t click on unexpected/unsolicited links or open potentially dangerous email attachments to prevent the execution (carrying out of) the exploits actions in the first instance.

If you use the Microsoft Edge or Google Chrome web browsers the exploit for the local elevation of privilege vulnerability will be mitigated. This is due to Chrome’s sandbox (defined) blocking the use of API (defined) calls to the win32k.sys driver (defined). This in addition to its existing mitigations when installed on Windows 10 which I previously discussed.

Microsoft Edge on the other hand implements Code Integrity to prevent the next steps of exploitation.

To protect endpoints within your organisation you could consider utilising the logging capabilities of Microsoft EMET and Systinternals’ Sysmon by processing their logs using a SIEM (defined) and taking action when that SIEM a alerts you to suspicion activity. This is especially true since this exploit can occur from within web browsers, the Java JRE, Microsoft Word and Microsoft PowerPoint (namely that these applications are used to open suspicious/untrusted files).

My thanks to a colleague (you know who you are!) for compiling very useful information for this blog post.

Thank you.

Google Releases Security Updates for Android (April 2016)

In the first week of April; Google made available a scheduled security update for their Android smartphone operating system. Android devices with a security patch level of April 2, 2016 include all of the fixes within Google’s most recent security advisory.

The April updates resolve 39 security vulnerabilities more formally known as CVEs (defined) of the following severities:

15x critical severity CVEs
16x high severity CVEs
8x moderate severity CVEs

Why Should These Issues Be Considered Important?
On the 18th of March Google released an out of band (unscheduled) security update to resolve a local elevation of privilege (defined) vulnerability.

This vulnerability was present in the Android kernel (defined). This issue was used in a public exploit against a Google Nexus 5 and was detected by security firm Zimperium who then reported it to Google on March 15th.

This issue was assigned a critical severity rating since it escalates privileges on a vulnerable Android device which can lead to arbitrary code execution (instructions of an attacker choice can be carried out) as well as permanently compromising the device (which can only be resolved by re-flashing the device as described in a previous blog post).

Other critical issues resolved by this update were present in the DHCP (defined) service known as DHCPCD. This could have been exploited by an installed malicious app allowing an attacker to run (carry out) arbitrary code execution. The remaining critical issues involved the Qualcomm Performance Module and RF driver (defined). Exploitation would have allowed an attacker to run code with the same privileges as the Android kernel. Both of these issues if exploited would require re-flashing an affected device since they lead to a permanent device compromise.

Finally, 13 issues (of critical and high severity) that are related to the previous Stagefright vulnerabilities were also resolved. These vulnerabilities continue to arise due to the increased attention towards the MediaServer component of Android from security researchers after last year’s disclosure of the original Stagefright issue.

How Can I Protect Myself From These Issues?

Updates to resolve these issues were made available by Google on 4th of April 2016. Manufacturers such as Samsung/LG etc. received these updates on the 16th of March.

As mentioned by Sophos you may need to ask your device manufacturer or mobile carrier when this update will be made available to you. As discussed in a previous post regarding Android updates, please ensure to only apply updates from your mobile carrier or device manufacturer.

In my previous post discussing Android security updates; I mentioned that a single update to my Sony smartphone was made available on the 8th of March. At the time of writing I still have not received this update. As before, I hope that you are more successful with your phone receiving the appropriate update as soon as possible.

Thank you.

VMware Security Updates Address Elevation of Privilege Vulnerability

In the second half of last week VMware released security updates for the following products:

  • VMware ESXi 6.0 without patch ESXi600-201512102-SG
  • VMware ESXi 5.5 without patch ESXi550-201512102-SG
  • VMware ESXi 5.1 without patch ESXi510-201510102-SG
  • VMware ESXi 5.0 without patch ESXi500-201510102-SG
  • VMware Workstation prior to 11.1.2
  • VMware Player prior to 7.1.2
  • VMware Fusion prior to 7.1.2

These updates address elevation of privilege (the concept is defined here) security issue which has been assigned 1x CVE number, (defined). This vulnerability was responsibly disclosed (defined) by Dmitry Janushkevich from the Secunia Research Team to VMware.

Why Should This Issue Be Considered Important?
Since multiple VMware products have this vulnerability which could allow an attacker to escalate their level of privilege/access within the guest operating system (namely one or more of your virtual machines) this issue should be patched as soon as possible. The issue is due to memory corruption vulnerability within the kernel (defined) of the VMware Tools “Shared Folders” HGFS feature.

How Can I Protect Myself From This Issue?
VMware have released updates to resolve this issue within the affected products. Please refer to VMware’s security advisory to download the necessary updates.

Thank you.

Linux GRUB Security Vulnerability Swiftly Patched

Earlier this month a pair of security researchers within the Cybersecurity Group at Universitat Politècnica de València discovered an integer underflow (defined) vulnerability within the Linux GRUB bootloader (defined, my thanks to Lucian Constantin, IDG News Service for providing an excellent summary of the purpose/function of the GRUB bootloader within that article). The researchers responsibly disclosed (defined) this issue to the main distributors of Linux in order to protect their users. My thanks to everyone involved for so quickly addressing this vulnerability.

Why Should This Issue Be Considered Important?
This issue is very easy for an attacker to exploit namely that they only need to have physical access (be in front of the system) for a short time in order to exploit it. With this access, they simply press the backspace key (just above the main Enter/Carriage return) key 28 times in order to exploit this vulnerability. They could easily obtain this physical access by breaking into the premises where such a system is located.

Moreover, systems with defences such as disabled CR-ROM drives (otherwise known as optical drives), disabled USB ports, restricted network boot options, password protected BIOS/UEFI firmware (defined), password protected GRUB edit mode and where the hard disk/SSD (solid state drive (defined)) is encrypted can all be bypassed by exploiting this vulnerability.

The researchers in their description of this vulnerability bypass the encryption of the hard disk/SSD by infecting the system (by means of this vulnerability) and allowing the user to decrypt the data (information disclosure) for the attackers by having the legitimate user enter the correct password as they log on normally to the system (an elevation of privilege attack (defined); since the attackers would not normally have this level of access). A denial of service attack (DoS)(the concept of DoS is defined here) can also be carried out by the attacker by corrupting the encrypted data and/or the GRUB leaving the legitimate user unable to access their own data.

Before bypassing the encryption however, they also describe patching (modifying the genuine/legitimate GRUB loader) so that it always authenticates the logged on user rather than asking for a password (bypassing the password protected edit mode of GRUB mentioned above).

Next they describe using the patched GRUB loader to load a Linux kernel so that they can then install malware of their choice. This also has the advantage that logging of their actions is not recorded since the syslog daemon (defined) is not running (carrying out it’s purpose) since the bash (Bourne-Again SHell)(defined) is the first process to run.

With that shell (defined) running on the system the researchers next describe how they illustrated a proof of their concept by installing a modified library (the general concept of a code library is defined here, only Windows systems use DLLs (defined) and so are not relevant for this discussion of Linux systems) belonging to Mozilla Firefox so that when Firefox is active, code (instructions) of their choice are also carried out. This code uses Netcat (defined) to set up a reverse shell (defined) allowing them to control the victim system as if they were in front of it (in this case the researchers show the reverse shell being able to access the private data folders belonging to the logged in user).

How Can I Protect Myself From This Issue?
Debian, Ubuntu and Red Hat (among others) have released updates to GRUB to address this vulnerability. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux).

Thank you.