The vulnerability was discovered by researchers from the hacking collective the Exploiteers (formerly GTVHacker), who have found vulnerabilities in Samsung SmartCam devices in the past. The flaw allows command injection through a web script, even though the vendor has disabled the local web-based management interface on these devices. The Samsung SmartCam is a series of cloud-enabled network security cameras originally developed by Samsung Techwin. Samsung sold this division to the South Korean conglomerate Hanwha Group in 2015, and the company was renamed Hanwha Techwin. In response to vulnerabilities reported in the web-based management interface of various SmartCam models over the past few years, Hanwha Techwin decided to disable the local administration panel entirely and only allow users to access the cameras through the accompanying smartphone app and its My SmartCam cloud service. The Exploiteers researchers recently analyzed the Samsung SmartCam SNH-1011 and noticed that, while accessing the web interface over the local network was no longer possible, the web server was still running on the device and hosted some PHP scripts related to a video monitoring system called iWatch. One of these scripts allows users to update the iWatch software by uploading a file, but it has a vulnerability that stems from improper sanitization of the file name. The flaw can be exploited by unauthenticated attackers to inject shell commands that are then executed by the web server, which runs with root privileges.
"The iWatch Install.php vulnerability can be exploited by crafting a special filename which is then stored within a tar command passed to a php system() call," the researchers explained in a blog post Saturday. "Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution." While the flaw was found in the SNH-1011 model, the researchers believe it affects the entire Samsung SmartCam series. Ironically, the vulnerability can be exploited to turn the disabled web management interface back on, a removal that some users had criticized. The Exploiteers published a proof-of-concept exploit that does just that.
Argentinian security researcher Manuel Caballero has discovered another vulnerability in Microsoft's Edge browser that can be exploited to bypass a security protection feature and steal data such as passwords from other sites, or cookie files that contain sensitive information. The vulnerability is a bypass of Edge's Same Origin Policy (SOP), a security feature that prevents a website from loading resources and code from domains other than its own. To exploit the flaw, Caballero says an attacker can use server redirect requests combined with data URIs, which confuse Edge's SOP filter and allow unauthorized resources to be loaded on sensitive domains. The expert explains the attack step by step on his blog. In the end, the attacker is able to inject a password form on another domain, which the built-in Edge password manager automatically fills in with the user's credentials for that domain. Additionally, an attacker can steal cookies in a similar manner. More demos are available on a page Caballero set up. Two weeks ago, Caballero found another SOP bypass in Edge, which an attacker could also exploit to steal cookies and passwords. That particular exploit relied on a combination of data URIs, the meta refresh tag, and domainless pages such as about:blank. Compared to the previous SOP bypass, the technique Caballero disclosed yesterday has the advantage of being faster to execute: the first required the attacker to log users out of their accounts and re-authenticate them in order to collect their credentials. Caballero has a history of finding severe bugs in Microsoft browsers.
He previously also bypassed the Edge SOP using Edge's new Reading Mode, showed how the SmartScreen security filter could be abused for tech support scams, and found a serious JavaScript attack in Internet Explorer 11 (still unpatched). What is more worrisome is that Microsoft has not patched any of the SOP bypass issues the expert discovered. "We have 3 SOP bypasses right now," Caballero told Bleeping Computer today when asked to confirm the status of the three bugs. This month's Patch Tuesday, released two days ago, patched the Edge SmartScreen issue Caballero discovered last December, but the researcher found a way to bypass Microsoft's patch within minutes.
Details on serious vulnerabilities in a number of routers freely distributed by a major Thai ISP were published on Monday after private disclosures made to the vendors in July went unanswered. Researcher Pedro Ribeiro of Agile Information Security found accessible admin accounts and command injection vulnerabilities in ZyXel and Billion routers distributed by TrueOnline, Thailand's largest broadband company. Ribeiro said he disclosed the vulnerabilities through Beyond Security's SecuriTeam Secure Disclosure Program, which contacted the affected vendors last July. Ribeiro published a proof-of-concept exploit yesterday as well. Ribeiro told Threatpost he is unsure whether TrueOnline introduced the vulnerabilities when it added its own customizations to the routers, or whether they came from the respective manufacturers. A ZyXel representative told Threatpost the router models are no longer supported and would not comment on whether patches were being developed. A request for comment from Billion was not returned in time for publication. The commonality between the routers appears to be that they are all based on the TC3162U system-on-a-chip manufactured by TrendChip. Affected routers are the ZyXel P660HN-T v1 and P660HN-T v2, and the Billion 5200W-T, currently in distribution to TrueOnline customers. The TC3162U chips run two different firmware variants: one called "ras", which includes the Allegro RomPager web server vulnerable to the Misfortune Cookie attack, and the other called tclinux.
The tclinux variant contains the vulnerabilities found by Ribeiro; in particular, several ASP files, he said, are vulnerable to command injection attacks. He also cautions that they could be vulnerable to Misfortune Cookie as well, but he did not investigate this possibility. "It should be noted that tclinux contains files and configuration settings in other languages (for example in Turkish). Therefore it is likely that these firmware versions are not specific to TrueOnline, and other ISP customised routers in other countries might also be vulnerable," Ribeiro said in his advisory. "It is also possible that other brands and router models that use the tclinux variant are also affected by the command injection vulnerabilities (the default accounts are likely to be TrueOnline specific)." In addition to Ribeiro's proof-of-concept, Metasploit modules are available for three of the vulnerabilities. Most of the vulnerabilities can be exploited remotely, some without authentication. "These vulnerabilities are present in the web interface. The default credentials are part of the firmware deployed by TrueOnline and they are authorized to perform remote access over the WAN," Ribeiro said. "Due to time and lab constraints I was unable to test whether these routers expose the web interface over the WAN, but given the credentials, it is likely." The ZyXel P660HN-T v1 router is vulnerable to an unauthenticated command injection attack that can be exploited remotely.
Ribeiro said he found the vulnerability in the remote system log forwarding function, specifically in the ViewLog.asp page. V2 of the same router contains the same vulnerability, but it cannot be exploited without authentication, he said. "Unlike in the P660HN-Tv1, the injection is authenticated and in the logSet.asp page. However, this router contains a hardcoded supervisor password that can be used to exploit this vulnerability," Ribeiro said. "The injection is in the logSet.asp page that sets up remote forwarding of syslog logs, and the parameter vulnerable to injection is the serverIP parameter." The Billion 5200W-T is also vulnerable to unauthenticated and authenticated command injection attacks; the vulnerability was found in its adv_remotelog.asp page. "The Billion 5200W-T router also has several other command injections in its interface, depending on the firmware version, such as an authenticated command injection in tools_time.asp (uiViewSNTPServer parameter)," Ribeiro said. "It should be noted that this router contains several hardcoded administrative accounts that can be used to exploit this vulnerability." Ribeiro said default and weak admin credentials were found on all of the versions and were accessible remotely. The researcher said it is unknown whether the routers can be patched remotely. "Again, given the existence of default credentials that have remote access, it is likely that it is possible to update the firmware remotely," Ribeiro said.
Most iBall Baton routers in India are also vulnerable to unauthenticated and authenticated command injection attacks; I have reason to believe default and weak admin credentials are on all of the versions and are accessible remotely. I have an iBall Baton "WRA150N" ADSL2+ router, and iBall never accepts, or even responds to, complaints and requests for the latest firmware patches.
UPDATE At DEFCON 22 in 2014, researchers demonstrated hacks against the Samsung Smartcam that allowed an attacker to remotely take over the device. Samsung's reaction at the time was to remove the web interface enabling the attack rather than patch the code in question. The Exploitee.rs, formerly the GTVHacker group, said users weren't pleased with the response and in turn decided to take another crack at analyzing the device for vulnerabilities. On Saturday, the group publicly disclosed a remote code execution bug it found in the SNH-1011 Smartcam, and cautioned that it likely exists in all Samsung Smartcam devices. "The vulnerability occurs because of improper sanitization of the iWatch firmware update filename," the group wrote in a technical description of the vulnerability that also included a proof-of-concept exploit and instructions on how to patch the flaw. "A specially crafted request allows an attacker the ability to inject his own command providing the attacker remote root command execution." A request for comment from Samsung was not returned in time for publication. A Samsung contact told Threatpost that the vulnerability affects only the SNH-1011 model and that it will be removed in an upcoming firmware update. The Exploitee.rs said they were motivated to look further at the cameras because of Samsung's response to their first disclosure. "This angered a number of users and crippled the device from being used in any DIY monitoring solutions.
So, we decided to audit the device once more to see if there is a way we can give users back access to their cameras while at the same time verifying the security of the device's new firmware." The original response looks especially weak in a climate where connected devices are being closely scrutinized for their security. "While this flaw by default would not directly allow attacks from the Internet suitable for something like Mirai, it would be pretty trivial to use CSRF to infect devices on home networks," Tripwire principal security researcher Craig Young said. "It is always disappointing when a vendor eliminates features rather than fixing vulnerabilities, as was the case in this camera." While the original issue from 2014 has been addressed, the Exploitee.rs wrote that what remains of the web interface includes a set of PHP scripts that allow the camera's firmware to be updated through the iWatch webcam monitoring service. "These scripts contain a command injection bug that can be leveraged for root remote command execution to an unprivileged user," they said. The researchers said the flaw in iWatch can be exploited through a special filename stored in a tar command that is passed to a php system call. "Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution," they said.
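The bug class behind the iWatch Install.php issue described above and the router syslog-forwarding pages in the TrueOnline advisory (ViewLog.asp, logSet.asp with its serverIP parameter, adv_remotelog.asp) is the same: a user-supplied value is pasted into a shell command string. The following Python is an added example, not the Exploitee.rs' proof-of-concept, Samsung's firmware, Ribeiro's code or the routers' firmware. It shows the vulnerable string-building pattern, what a POSIX shell would actually run for it, and two hardened forms (quoting when a shell string is unavoidable; argv plus an allowlist when it is not). The directory paths, tar options and the syslog configuration line are assumptions, and the attacker-controlled filename is constructed.

```python
"""Added example: user input in a shell command string vs. argv + allowlist.
Not the camera's or routers' code; paths and options below are assumptions.
"""
import ipaddress
import re
import shlex

UPLOAD_DIR = "/tmp/iwatch_upload"   # assumed upload location
INSTALL_DIR = "/opt/iwatch"         # assumed install location
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")   # no leading '-', no '/'
COMMAND_SEPARATORS = {";", "&&", "||", "|", "&"}


def tar_command_unsafe(filename: str) -> str:
    """The vulnerable pattern: the raw upload name is interpolated into a shell
    string that is later handed to system() / "sh -c"."""
    return f"tar -xzf {UPLOAD_DIR}/{filename} -C {INSTALL_DIR}"


def tar_command_quoted(filename: str) -> str:
    """Minimal fix when a shell string is unavoidable: quote the untrusted part
    so every metacharacter in it is literal (PHP's escapeshellarg does the same)."""
    return f"tar -xzf {UPLOAD_DIR}/{shlex.quote(filename)} -C {INSTALL_DIR}"


def tar_argv_safe(filename: str) -> list:
    """Hardened form: strict allowlist on the name and no shell at all. The
    argv list goes to subprocess.run(argv) / execve, so nothing is ever parsed."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return ["tar", "-xzf", f"{UPLOAD_DIR}/{filename}", "-C", INSTALL_DIR]


def syslog_forward_line(server_ip: str) -> str:
    """Same idea for a 'remote syslog server' parameter: parse it as an IP
    address and rebuild the value from the parsed object, so only a valid
    literal can reach the configuration (assumed syslog.conf forwarding line)."""
    ip = ipaddress.ip_address(server_ip.strip())   # ValueError on anything else
    return f"*.* @{ip}"


def shell_commands(cmdline: str) -> list:
    """What a POSIX shell would run for `cmdline`: one argv list per command,
    split at ; & && | ||. shlex with punctuation_chars tokenises the separators
    the way a shell does and honours quotes, so quoted input stays one word."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lex:
        if tok in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    evil = "update.tgz;id"   # constructed attacker-controlled upload name
    for build in (tar_command_unsafe, tar_command_quoted):
        print(build.__name__, "->", shell_commands(build(evil)))
    print(tar_argv_safe("update-1.2.tgz"))
    print(syslog_forward_line("10.0.0.5"))
```

Run stand-alone, the unsafe builder yields two commands (`tar ...` and `id -C /opt/iwatch`, i.e. the injected `id` runs as whatever user the web server is, root on the camera), the quoted builder yields one, and the allowlisted builder refuses the name outright. The allowlist is deliberately narrower than "strip metacharacters": a name that cannot start with `-` also cannot become a tar option, and a name without `/` cannot escape the upload directory.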
Security researchers at Qualys have discovered a Linux flaw that could be exploited to gain root privileges and overwrite any file on the filesystem on SELinux-enabled systems. The high-severity flaw, tracked as CVE-2017-1000367, resides in Sudo's get_process_ttyname() for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem. The flaw could be exploited by a local user with privileges to execute commands via Sudo and could allow attackers to escalate their privileges to root. Sudo's get_process_ttyname() function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). These fields are space-separated, but field 2 (comm, the filename of the command) can itself contain spaces. Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command's output, including root-owned files. "We discovered a vulnerability in Sudo's get_process_ttyname() for Linux: this function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367)," reads the security advisory.
"On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges." To exploit the issue, a Sudo user would have to choose a device number that doesn't exist under "/dev". If the terminal isn't present under the /dev/pts directory, Sudo performs a breadth-first search of /dev; the user can allocate a pseudo-terminal between the two searches and create a "symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm." "Exploiting the bug requires that the user already have sudo privileges. SELinux must also be enabled on the system and sudo must have been built with SELinux support. To exploit the bug, the user can choose a device number that does not currently exist under /dev. If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev. It is possible to allocate a pseudo-terminal after sudo has checked /dev/pts but before sudo performs its breadth-first search of /dev. The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm," reads a Sudo alert. "This file will be used as the command's standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to another file before it is opened by sudo, it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers."
The flaw affects all Sudo versions from 1.8.6p7 through 1.8.20; Sudo 1.8.20p1 fixes it. The issue was rated with a CVSS3 base score of 7.8.
With everything that’s gone down in 2016 it’s easy to forget Tim Cook’s and Apple’s battle with the FBI over data encryption laws. Apple took a strong stance, though, and other tech giants followed suit, leading to a victory of sorts for (the little guy in) online privacy. In this era of web exposure, it was a step in the right direction for those who feel our online identities are increasingly vulnerable on the web. All of this stands for little, though, when a security flaw in your operating system allows carefully encrypted messages to be effectively decrypted offline. That’s what happened to Apple with its iOS 9.2 operating system. Though the patches that ensued largely fixed the problem, the whole issue has understandably left iOS users with questions. What really happened, and are we at immediate risk?

A paper released in March by researchers at Johns Hopkins University exposed weaknesses in Apple’s iMessage encryption protocol. It found that a determined attacker could intercept the encrypted messages between two iPhones and recover the 64-digit key used to decrypt the messages. Because iMessage does not use a Message Authentication Code (MAC) or an authenticated encryption scheme, the raw encrypted stream, or “ciphertext”, can be tampered with; iMessage instead relies on an ECDSA signature, which is meant to stand in for that protection. Exploiting the flaw the researchers detailed is still no easy feat. The attacker ultimately has to predict or know parts of the message being decrypted in order to substitute those parts in the ciphertext, and learning whether a substitution succeeded is a whole other process, which may only be possible with attachment messages.

The full details of the security flaw, and the complex way it can be exploited, are set out in the Johns Hopkins paper. The paper includes the recommendation that, in the long run, “Apple should replace the entirety of iMessage with a messaging system that has been properly designed and formally verified”. One thing that should be made clear is that these weaknesses were exposed only after months of investigation by an expert team of cryptographers. The kind of attacker who could take advantage of them would undeniably be a sophisticated one. That, of course, does not mean Apple should not take every measure to eradicate the vulnerability. Your messages, though, are not at immediate risk of being decrypted, and much less so if you have installed the patches that came with iOS 9.3 and OS X 10.11.4 (though they do not completely fix the problem). Tellingly, the flaws cannot be used to exploit numerous devices at the same time. As already mentioned, the process the Johns Hopkins paper describes is incredibly complex and relies on various steps that are by no means easy to complete successfully.
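The property the article is describing, ciphertext malleability in the absence of a MAC, is easy to see in code. The example below is added here and is not iMessage's cipher or anything from the Johns Hopkins paper: it uses a toy SHA-256-based counter-mode keystream as a stand-in for any XOR stream cipher (AES-CTR behaves the same way), a constructed message and keys, and an attacker who knows the plaintext at one position. Half of the attack, learning whether the substitution worked, needs an oracle the paper describes and this example does not model; what it does show is that encrypt-then-MAC makes the substitution fail before decryption even starts.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in for AES-CTR; not for real use).
    Every XOR stream cipher has the malleability demonstrated below."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation for a stream cipher."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def forge(ciphertext: bytes, offset: int, known_plaintext: bytes, replacement: bytes) -> bytes:
    """Attacker step, no key needed: turn the bytes at `offset` from
    `known_plaintext` into `replacement` by XORing the difference into the
    ciphertext. Works only where the attacker knows or predicts the original."""
    if len(known_plaintext) != len(replacement):
        raise ValueError("substitution must preserve length")
    ct = bytearray(ciphertext)
    for i, (old, new) in enumerate(zip(known_plaintext, replacement)):
        ct[offset + i] ^= old ^ new
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify before decrypting; None on any modification of nonce, ct or tag."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_stream(enc_key, nonce, ct)


# Constructed sample message and keys (not real traffic or real key material).
ENC_KEY = bytes(range(16))
MAC_KEY = bytes(range(100, 132))
NONCE = b"\x00" * 8
MESSAGE = b"Meet at 19:00 at the north gate"
TIME_OFFSET = MESSAGE.index(b"19:00")   # the attacker predicts a time field sits here


def demo():
    # 1. Unauthenticated: the forged ciphertext decrypts cleanly to a changed message.
    ct = xor_stream(ENC_KEY, NONCE, MESSAGE)
    forged = forge(ct, TIME_OFFSET, b"19:00", b"21:30")
    tampered_plaintext = xor_stream(ENC_KEY, NONCE, forged)
    # 2. Authenticated: the identical forgery is rejected before decryption.
    ct2, tag = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    forged2 = forge(ct2, TIME_OFFSET, b"19:00", b"21:30")
    rejected = open_sealed(ENC_KEY, MAC_KEY, NONCE, forged2, tag)
    genuine = open_sealed(ENC_KEY, MAC_KEY, NONCE, ct2, tag)
    return tampered_plaintext, rejected, genuine


if __name__ == "__main__":
    print(demo())
```

A signature from the sender over the ciphertext only helps if the receiver binds it to the expected sender and refuses anything else; a MAC keyed between the two parties, or an AEAD mode, removes the question entirely.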
Using an SSL proxy that cached certificates under a far too short key, Kaspersky Anti-Virus left its users open to TLS certificate collisions. By Chris Duckett. Google’s Project Zero has found that it was previously trivial to create an SSL certificate collision, because Kaspersky used only the first 32 bits of an MD5 hash in the SSL proxy packaged with its Anti-Virus product. “You don’t have to be a cryptographer to understand a 32-bit key is not enough to prevent brute-forcing a collision in seconds,” Tavis Ormandy of Project Zero said in its issue tracker. “They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on the fly. This is why if you examine a certificate when using Kaspersky Anti-Virus, the issuer appears to be ‘Kaspersky Anti-Virus Personal Root’,” he said. “It seems incredible that Kaspersky haven’t noticed that they sometimes get certificate errors for mismatching commonNames just by random chance.” Even after Ormandy reported the bug and received Kaspersky’s acknowledgement on November 1, and learned that the vendor did perform some commonName checks, the bug remained exploitable. “If you’re not being attacked, you would see random errors. A MITM [man in the middle] can send you packets from where you were expecting,” Ormandy said on Twitter. Ormandy also found another bug on November 12 that allowed any unprivileged user to become a local certificate authority.
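Ormandy's "brute-forcing a collision in seconds" is a birthday bound: with a 32-bit key you expect a collision after roughly 2^16 distinct inputs. The example below is added here to make that concrete; it is not Kaspersky's code and the cache class is only a model of the behaviour the report describes (one forged leaf per origin, looked up by a truncated hash of the origin's subject). The candidate subjects are constructed, and the SHA-256 variant is included only to show that the same search budget finds nothing once the key is full length.

```python
import hashlib


def truncated_md5_key(subject: bytes) -> bytes:
    """Cache key as the report describes it: the first 32 bits of an MD5 hash."""
    return hashlib.md5(subject).digest()[:4]


def sha256_key(subject: bytes) -> bytes:
    """Full-length key; the same search runs out of budget without a hit."""
    return hashlib.sha256(subject).digest()


def find_collision(keyfunc, limit: int):
    """Birthday search over deterministic candidate subjects. Returns
    (subject_a, subject_b, attempts) or None if `limit` is reached first."""
    seen = {}
    for i in range(limit):
        subject = f"CN=host{i}.example.test".encode()   # constructed candidates
        key = keyfunc(subject)
        if key in seen:
            return seen[key], subject, i + 1
        seen[key] = subject
    return None


class LeafCertCache:
    """Model of an intercepting proxy's leaf cache: the forged leaf for an
    origin is stored and later looked up by keyfunc(origin subject) alone."""

    def __init__(self, keyfunc):
        self.keyfunc = keyfunc
        self.store = {}

    def leaf_for(self, origin_subject: bytes) -> bytes:
        key = self.keyfunc(origin_subject)
        if key not in self.store:
            self.store[key] = b"forged leaf for " + origin_subject
        return self.store[key]


def demo():
    a, b, attempts = find_collision(truncated_md5_key, limit=2_000_000)
    cache = LeafCertCache(truncated_md5_key)
    cache.leaf_for(a)                  # a legitimate visit to origin A populates the cache
    served_for_b = cache.leaf_for(b)   # origin B is then served A's leaf: wrong commonName
    return {
        "attempts": attempts,
        "collides": a != b and truncated_md5_key(a) == truncated_md5_key(b),
        "wrong_leaf_served": served_for_b == b"forged leaf for " + a,
        "sha256_collision_in_same_budget": find_collision(sha256_key, limit=200_000) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The "random errors" Ormandy mentions are the benign face of the same collision: two unrelated sites whose subjects happen to share a 4-byte prefix get each other's forged leaf, and a browser that checks the name sees a mismatch. The attack case is the same mechanism with the second subject chosen on purpose.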
In May last year, the Project Zero researcher discovered that the Symantec Antivirus Engine was vulnerable to a buffer overflow when parsing malformed portable-executable headers, which resulted in an instant blue screen and kernel memory corruption on Windows without any user action. “This is about as bad as it can possibly get,” Ormandy said at the time. Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.
Commonly used office printers and multi-function devices can be exploited to leak information and execute code, presenting multiple attack vectors that are often overlooked, a security researcher has found. Jens Müller from the Ruhr-Universität Bochum in Germany published multiple advisories on vulnerabilities he discovered as part of his Master’s thesis on the security of printers. The vulnerabilities stem from vendors not separating the page description languages used to generate output, such as PostScript and PJL/PCL, from printer control. “Potentially harmful commands can be executed by anyone who has the right to print,” Müller said. Müller outlined multiple attacks on his Hacking Printers wiki, ranging from accessing print jobs to credential disclosure and bypassing device security, and included proofs of concept. The HP LaserJet 1200, 4200N and 4250N as well as the Dell 3130cn and Samsung MultiXpress 6345N have a vulnerable line printer daemon (LPD) service that cannot handle usernames of 150 or more characters. Sending such a username to the LPD service on these devices crashes the printer, requiring a manual restart to bring it back up. With the correct shellcode and return address, Müller said, the vulnerability could be used for remote code execution, and more printers than those listed are likely to be vulnerable. It is even possible to launch denial-of-service attacks against printers that support PJL and permanently damage the non-volatile random access memory (NVRAM) used to persistently store device settings, Müller found.

He tested the NVRAM destruction attack on printers from Brother, Konica Minolta, Lexmark, Dell and HP, and verified that they are vulnerable. Printers can be attacked over the network or via USB interfaces.
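Both problems in this section are about what a print path accepts without checking: an LPD control file whose fields are copied into fixed buffers, and job streams carrying PJL commands that write device configuration rather than describe a page. The example below is added here as a gatekeeper a spooler or print proxy could apply in front of such printers; it is not Müller's code or anything from the Hacking Printers wiki. The per-field octet limits are my reading of RFC 1179 section 7 and should be verified against the RFC (the fallback for codes not listed is deliberately conservative); the PJL command names are from HP's PJL reference as I recall them and are likewise an assumption. Sample control files and jobs are constructed.

```python
import re

# Operand limits in octets for LPD control-file commands, per RFC 1179 sec. 7
# as read by the author of this example (assumption: verify against the RFC).
LPD_OPERAND_LIMITS = {
    "C": 31,   # class name for banner page
    "H": 31,   # host name
    "J": 99,   # job name for banner page
    "L": 31,   # user name for banner page
    "M": 31,   # user to mail when printed
    "N": 131,  # name of source file
    "P": 31,   # user identification: the field the crashing 150-char name goes in
    "T": 79,   # title for pr
    "U": 131,  # unlink data file
}
DATA_FILE_CODES = set("cdfgklnoprtv1234")   # each takes a data file name
OTHER_CODES = set("ISW")                     # indent, symlink data, width
DEFAULT_LIMIT = 131


def parse_control_file(data: bytes):
    """Parse an LPD control file into (code, operand) pairs, rejecting any
    operand longer than its limit instead of copying it into a fixed buffer."""
    entries = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        if not raw:
            continue
        code, operand = chr(raw[0]), raw[1:]
        if code in LPD_OPERAND_LIMITS:
            limit = LPD_OPERAND_LIMITS[code]
        elif code in DATA_FILE_CODES or code in OTHER_CODES:
            limit = DEFAULT_LIMIT
        else:
            raise ValueError(f"line {lineno}: unknown control code {code!r}")
        if len(operand) > limit:
            raise ValueError(f"line {lineno}: {code} operand is {len(operand)} octets, limit {limit}")
        entries.append((code, operand.decode("ascii", "replace")))
    return entries


def control_file_accepted(data: bytes) -> bool:
    try:
        parse_control_file(data)
        return True
    except ValueError:
        return False


# PJL commands that change persistent device state rather than describe a page
# (command names assumed from HP's PJL reference; extend as needed).
PJL_DEVICE_WRITES = re.compile(rb"@PJL\s+(DEFAULT|INITIALIZE|FSDOWNLOAD|FSDELETE|FSINIT)\b", re.IGNORECASE)


def device_control_commands(job: bytes) -> dict:
    """Count PJL commands in a job that write device configuration. A spooler
    that only wants page data can refuse any job where this is non-empty."""
    counts = {}
    for m in PJL_DEVICE_WRITES.finditer(job):
        name = m.group(1).upper().decode()
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed samples.
GOOD_CONTROL = (b"Hworkstation\nPalice\nJquarterly-report\n"
                b"fdfA001workstation\nUdfA001workstation\nNreport.ps\n")
LONG_USER_CONTROL = b"Hworkstation\nP" + b"A" * 150 + b"\nfdfA001workstation\n"
PAGE_ONLY_JOB = (b"\x1b%-12345X@PJL ENTER LANGUAGE=POSTSCRIPT\n"
                 b"%!PS\n/Helvetica findfont 12 scalefont setfont\nshowpage\n")
CONFIG_WRITING_JOB = (b"\x1b%-12345X" + b"@PJL DEFAULT COPIES=1\n" * 3
                      + b"@PJL INITIALIZE\n@PJL ENTER LANGUAGE=PCL\n")

if __name__ == "__main__":
    print(parse_control_file(GOOD_CONTROL))
    print(control_file_accepted(LONG_USER_CONTROL))
    print(device_control_commands(CONFIG_WRITING_JOB))
```

Rejecting over-long fields in front of the device is a mitigation, not a fix: the firmware's fixed buffer is still there, and a USB-connected attacker never passes through the gatekeeper.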
The zero-day memory corruption flaw resides in the implementation of the SMB (Server Message Block) network file sharing protocol and could allow a remote, unauthenticated attacker to crash systems in a denial-of-service attack, which would then open them to further attacks. According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but Microsoft has not confirmed this. Without revealing the actual scope of the vulnerability or the kind of threat the exploit poses, Microsoft has so far downplayed the severity of the issue, saying: “Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.” However, proof-of-concept exploit code, Win10.py, has already been released publicly for Windows 10 by security researcher Laurent Gaffie, and it does not require the target to use a browser. The flaw lies in the way Windows handles SMB traffic; all an attacker needs is to trick the victim into connecting to a malicious SMB server, which can be done with simple social engineering. “In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure,” CERT said in the advisory.

“By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.” Since the exploit code is now publicly available and there is no official patch from Microsoft, all Windows users are exposed to potential attacks at this time. Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or an out-of-band patch), Windows users can mitigate the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN.
Microsoft Windows users should beware of an unpatched memory corruption bug which could be exploited for denial-of-service (DoS) attacks and possibly more. The vulnerability is in SMB (Server Message Block) and is caused by the platform’s inability to properly handle a specially crafted server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure, according to a Feb 2 CERT advisory. If a user connects to a malicious SMB server, a vulnerable Windows client system may crash and display a blue screen of death (BSOD) in mrxsmb20.sys, the advisory said. Researchers have confirmed that the flaw affects fully patched Windows 10 and Windows 8.1 client systems, as well as the server equivalents of these platforms, Windows Server 2016 and Windows Server 2012 R2. The vulnerability is still being examined and it is possible that the flaw may enable further exploits. A researcher using the moniker “PythonResponder” first reported the zero-day, and proof-of-concept code was published to GitHub shortly after. Users should consider blocking outbound SMB connections from the local network to the WAN in order to prevent remote attackers from causing denial-of-service attacks.
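The CERT description, "too many bytes following the structure", points at a missing length check in the client. The example below is added here to show what a strict client-side parse of an SMB2 TREE_CONNECT Response looks like; it is not Windows code, not the Win10.py proof of concept, and makes no claim about where mrxsmb20.sys goes wrong internally. The header and response layouts follow MS-SMB2 (sections 2.2.1 and 2.2.10: a 64-byte header with Command at offset 12 and Flags at offset 16, and a 16-byte response whose StructureSize is 16); the sample messages, including the over-long one, are constructed with the builder in the block.

```python
import struct

SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
TREE_CONNECT_RESP_LEN = 16          # StructureSize the server must send (MS-SMB2 2.2.10)
SHARE_TYPES = {0x01: "DISK", 0x02: "PIPE", 0x03: "PRINT"}


def build_smb2_header(command, flags=SMB2_FLAGS_SERVER_TO_REDIR, message_id=1,
                      tree_id=0, session_id=0):
    """64-byte SMB2 header: ProtocolId, StructureSize, CreditCharge, Status,
    Command, Credits, Flags, NextCommand, MessageId, Reserved, TreeId,
    SessionId, Signature."""
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", SMB2_HEADER_LEN, 0, 0,
                       command, 1, flags, 0, message_id, 0, tree_id, session_id,
                       b"\x00" * 16)


def build_tree_connect_response(share_type=0x01, share_flags=0, capabilities=0,
                                maximal_access=0x001F01FF, trailing=b""):
    """TREE_CONNECT Response body; `trailing` is whatever a malicious server
    appends after the 16 bytes the structure defines."""
    body = struct.pack("<HBBIII", TREE_CONNECT_RESP_LEN, share_type, 0,
                       share_flags, capabilities, maximal_access)
    return body + trailing


def parse_tree_connect_response(body: bytes) -> dict:
    """Strict parse: exact StructureSize and exact body length, or reject."""
    if len(body) < TREE_CONNECT_RESP_LEN:
        raise ValueError(f"short TREE_CONNECT response: {len(body)} bytes")
    (structure_size, share_type, _reserved, share_flags,
     capabilities, maximal_access) = struct.unpack("<HBBIII", body[:TREE_CONNECT_RESP_LEN])
    if structure_size != TREE_CONNECT_RESP_LEN:
        raise ValueError(f"bad StructureSize {structure_size}")
    if len(body) != TREE_CONNECT_RESP_LEN:   # the check the advisory says is missing
        raise ValueError(f"{len(body) - TREE_CONNECT_RESP_LEN} unexpected trailing bytes")
    if share_type not in SHARE_TYPES:
        raise ValueError(f"unknown ShareType {share_type:#x}")
    return {"share_type": share_type, "share_type_name": SHARE_TYPES[share_type],
            "share_flags": share_flags, "capabilities": capabilities,
            "maximal_access": maximal_access}


def parse_tree_connect_message(msg: bytes) -> dict:
    """Validate the header, then hand the body to the strict response parser."""
    if len(msg) < SMB2_HEADER_LEN:
        raise ValueError("short SMB2 header")
    protocol_id, structure_size = struct.unpack_from("<4sH", msg, 0)
    (command,) = struct.unpack_from("<H", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 16)
    if protocol_id != b"\xfeSMB" or structure_size != SMB2_HEADER_LEN:
        raise ValueError("not an SMB2 header")
    if command != SMB2_TREE_CONNECT or not (flags & SMB2_FLAGS_SERVER_TO_REDIR):
        raise ValueError("not a TREE_CONNECT response")
    return parse_tree_connect_response(msg[SMB2_HEADER_LEN:])


def message_accepted(msg: bytes) -> bool:
    try:
        parse_tree_connect_message(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = build_smb2_header(SMB2_TREE_CONNECT) + build_tree_connect_response()
    bad = build_smb2_header(SMB2_TREE_CONNECT) + build_tree_connect_response(trailing=b"A" * 4096)
    print(parse_tree_connect_message(good))
    print(message_accepted(bad))
```

Note the order of checks: the declared StructureSize is compared against the constant the specification fixes, and the actual body length is compared against the same constant, so neither a lying size field nor silently appended bytes reach the code that consumes the fields.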
Having had more than a week to digest Cloudbleed’s causes and impact, Cloudflare CEO Matthew Prince assessed the damage yesterday in a lengthy post-mortem as relatively low. Prince said there is no evidence the vulnerability, which leaked customer data from memory, was exploited by attackers. The bug, however, was triggered more than 1.2 million times from 6,500 sites that met the criteria under which it could be triggered. In the meantime, Cloudflare continues to work with Google and other search engine providers to scrub cached pages that could contain leaked data. “We’ve successfully removed more than 80,000 unique cached pages. That underestimates the total number because we’ve requested search engines purge and recrawl entire sites in some instances,” Prince said. Prince said the leaks included internal Cloudflare headers and customer cookies, but there is no evidence of passwords, encryption keys, payment card data or health records among them. The vulnerability was privately disclosed on Feb 17 by Google Project Zero researcher Tavis Ormandy, who reported that he did see crypto keys, passwords, POST data and HTTPS requests for other Cloudflare-hosted sites among the data from other requests. Ormandy initially said in a tweet that Cloudflare was leaking customer HTTPS sessions for Uber, FitBit, OkCupid and others, all of which said the impact of Cloudbleed on their data was minimal. “While the bug was very bad and had the potential to be much worse,” Prince said. Prince explained that the bug was triggered only when a webpage moving through the Cloudflare network contained HTML ending with an unterminated attribute, and only if a number of Cloudflare features were turned on.

Those features work hand in hand with a Cloudflare stream parser used to scan and modify content in real time, for example rewriting HTTP links to HTTPS (a feature called Automatic HTTPS Rewrites) or hiding email addresses on a page from spammers (a feature called Email Address Obfuscation). The need for the page to end with an unterminated attribute was key. “When a page for a particular customer is being parsed it is stored in memory on one of the servers that is a part of our infrastructure. Contents of the other customers’ requests are also in adjacent portions of memory on Cloudflare’s servers,” Prince said. “The bug caused the parser, when it encountered un-terminated attribute at the end of a page, to not stop when it reached the end of the portion of memory for the particular page being parsed. Instead, the parser continued to read from adjacent memory, which contained data from other customers’ requests. The contents of that adjacent memory were then dumped onto the page with the flawed HTML.” Anyone accessing one of those pages would see the memory dump, which looks a lot like random text, Prince said. An attacker would need to hammer one of those sites with numerous requests to trigger the bug and then record the results, getting a mix of useless data and sensitive information, Prince said. “The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified by Google’s Project Zero team and were able to patch it,” Prince said. “For the last 12 days we’ve been reviewing our logs to see if there’s any evidence to indicate that a hacker was exploiting the bug before it was patched. We’ve found nothing so far to indicate that was the case.”
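Prince's description, a parser that "continued to read from adjacent memory" when a page ended inside an attribute, is a bounds-check failure of a very specific shape: the scanner tests for the end of its input with equality, and a state that consumes two characters at once can step over that boundary, after which the test never fires. The example below is added here as a model of that failure class in a tiny attribute scanner; it is not Cloudflare's parser, and the "memory" is a single bytearray in which a constructed page sits directly before a constructed request from another customer, standing in for adjacent allocations.

```python
# Simulated memory: the page being parsed sits directly before another
# customer's request, the way adjacent allocations did in the described bug.
PAGE = b'<html><body><img src='                                    # ends inside an attribute
NEIGHBOUR = b'GET /account HTTP/1.1\r\nCookie: session=ab12cd34"\r\n'  # constructed, not real traffic
MEMORY = PAGE + NEIGHBOUR
PAGE_START, PAGE_END = 0, len(PAGE)
WELL_FORMED = b'<img src="logo.png" alt="x">'


def extract_attr_values_buggy(mem: bytes, start: int, end: int):
    """End-of-page test is `p == end`. Consuming '="' as a unit can move p past
    `end`; the test then never matches and the scan reads whatever follows the
    page in memory. (The `len(mem)` guard only marks the end of the simulated
    RAM; a real process would fault or keep reading.)"""
    p, values = start, []
    while p < len(mem):
        if p == end:
            break
        if mem[p] == ord("="):
            p += 2                                 # skip '=' and the assumed opening quote
            value = bytearray()
            while p < len(mem) and mem[p] != ord('"'):
                value.append(mem[p])
                p += 1
            values.append(bytes(value))
            p += 1
        else:
            p += 1
    return values


def extract_attr_values_fixed(mem: bytes, start: int, end: int):
    """Every advance is checked against `end` with >= (or `p < end`), and the
    value scan stops at the page boundary: an unterminated attribute at the
    end of the page is an error, not a licence to keep reading."""
    p, values = start, []
    while p < end:
        if mem[p] == ord("="):
            p += 1
            if p >= end or mem[p] != ord('"'):
                raise ValueError("unterminated attribute at end of page")
            p += 1
            value = bytearray()
            while p < end and mem[p] != ord('"'):
                value.append(mem[p])
                p += 1
            if p >= end:
                raise ValueError("unterminated attribute at end of page")
            p += 1
            values.append(bytes(value))
        else:
            p += 1
    return values


def demo():
    """Returns what each scanner produces for the truncated page."""
    leaked = extract_attr_values_buggy(MEMORY, PAGE_START, PAGE_END)
    try:
        extract_attr_values_fixed(MEMORY, PAGE_START, PAGE_END)
        fixed = "parsed"
    except ValueError as e:
        fixed = str(e)
    return leaked, fixed


if __name__ == "__main__":
    print(demo())
```

On a well-formed page both scanners return the same attribute values; the difference only appears on the malformed input, which is why the bug could sit in production until the right page came along.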
Prince said Cloudflare customers who find any leaked cached data can send a link to the caches to parserbug @ cloudflare [ . ] com.

Over 2,000 WordPress sites are infected as part of a keylogger campaign that leverages an old malicious script.
Discovered by a security researcher who goes by the name Zenofex, these security flaws have not been reported to Western Digital, remain unpatched, and public exploit code is available for more than half of them. According to Zenofex, multiple WD MyCloud NAS device models are affected, such as: Zenofex’s decision not to inform Western Digital came after the researcher attended a security conference last year, where other infosec professionals complained about Western Digital ignoring vulnerability reports. It was at the same conference, Black Hat USA 2016, that Western Digital won a Pwnie Award in the category “Lamest Vendor Response”. “Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out,” Zenofex said, explaining the decision not to wait for Western Digital to patch the bugs. “Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible,” he added. Zenofex, a member of the Exploitee.rs community, says he found a total of 85 security issues. Based on the exploit code, many of these flaws can be exploited by altering cookie values or embedding shell commands in cookie parameters. When the image loads inside their browser, the exploit code executes against the local NAS drive and takes over the device.

The most severe of these issues, according to Zenofex, is an authentication bypass, which ironically was also the easiest to exploit, requiring only the modification of cookie session parameters. And since Murphy’s Law applies to hardware devices as well, things went wrong all the way: the commands are not executed as a limited user but as root, giving attackers full control over affected devices and allowing them to upload or download data at will.
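Two of the bug classes named above, session state that the server takes at face value from a cookie and cookie values that end up on a shell command line, have well-understood hardened forms. The example below is added here to show both; it is not the MyCloud firmware (which is PHP, not Python), not Zenofex's exploit code, and makes no claim about the device's actual cookie names or commands. The session key, cookie format and share names are constructed, and `printf` stands in for whatever command a NAS would run against a share path.

```python
import hashlib
import hmac
import re
import subprocess

SESSION_KEY = b"server-side secret, never sent to the client"   # constructed
SAFE_SHARE = re.compile(r"[A-Za-z0-9_-]{1,64}")                  # allow-list for share names


# --- session handling ----------------------------------------------------
def parse_session_trusting(cookie: str) -> dict:
    """Takes 'username=...; isAdmin=...' from the client as fact. Anyone can edit it."""
    return dict(part.strip().split("=", 1) for part in cookie.split(";") if "=" in part)


def make_session(username: str, is_admin: bool) -> str:
    """Server issues 'username:flag:tag' with an HMAC over the first two fields."""
    payload = f"{username}:{int(is_admin)}"
    tag = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def parse_session_signed(cookie: str):
    """Returns (username, is_admin) only if the tag verifies; None otherwise.
    Editing either field invalidates the tag, so the client cannot promote itself."""
    try:
        username, admin_flag, tag = cookie.rsplit(":", 2)
    except ValueError:
        return None
    payload = f"{username}:{admin_flag}"
    expected = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return username, admin_flag == "1"


# --- command execution ---------------------------------------------------
def share_usage_vulnerable(share: str) -> str:
    """Cookie-derived value interpolated into a shell command line: the bug class.
    `printf` stands in for a real command run against the share (assumption)."""
    return subprocess.run(f"printf '%s' {share}", shell=True,
                          capture_output=True, text=True).stdout


def share_usage_hardened(share: str) -> str:
    """Allow-list the value, then pass it as one argv element with no shell."""
    if not SAFE_SHARE.fullmatch(share):
        raise ValueError(f"rejected share name {share!r}")
    return subprocess.run(["printf", "%s", share], capture_output=True,
                          text=True, check=True).stdout


def hardened_accepts(share: str) -> bool:
    try:
        share_usage_hardened(share)
        return True
    except ValueError:
        return False


def demo():
    tampered = "username=admin; isAdmin=1"                         # client simply writes this
    forged = make_session("guest", False).replace("guest:0", "admin:1")
    injected = "photos; echo INJECTED"
    return {
        "trusting_cookie_is_admin": parse_session_trusting(tampered).get("isAdmin") == "1",
        "signed_cookie_forgery": parse_session_signed(forged),
        "signed_cookie_genuine": parse_session_signed(make_session("alice", True)),
        "vulnerable_output": share_usage_vulnerable(injected),
        "hardened_rejects_injection": not hardened_accepts(injected),
    }


if __name__ == "__main__":
    print(demo())
```

Even with both fixes, the process running these commands should not be root: the allow-list stops the injection, the signed session stops the bypass, and dropping privileges limits what a bug in either still buys an attacker.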