a series of vulnerabilities in its Super Hub 3.0 home broadband router modem, after they were reported more than 18 months ago. Balazs Bucsay, managing security consultant at NCC Group, says that after receiving one of the devices as a home customer and examining it for a few hours, he was quickly able to find a remote command execution bug. He uncovered many others during the following days. Eventually, he says, he was able to create a full chain of exploits that made it possible to perform remote authentication as an administrator on the router. This could potentially have allowed a hacker to take control of millions of these devices, installing backdoors in a way that would be extremely hard to find and investigate. “After hacking into my own Super Hub 3.0, I was able to find multiple security flaws within the router's firmware and combine these to create an exploit that could have been hidden within webpages and sent to other unsuspecting owners via scam emails or other methods,” Bucsay tells The Daily Swig. “If customers had opened the webpages and activated the exploit, hackers could have gained unauthorized access to their modems and other devices on the victim's home network, enabling them to spy on online activity and even execute their own commands on the devices.” Bucsay reported the vulnerabilities to Virgin Media in March 2017, but says they weren't fixed until the end of July this year. “The proposed roll-out date was postponed many times,” he says. However, a Virgin Media spokeswoman defended the company's actions.
“The online security of our customers is a top priority for Virgin Media and the issues described by NCC have been fixed,” she told The Daily Swig. “We have seen no evidence that these advanced technical exploits, carried out by NCC as a proof of concept, were used maliciously to impact customers.” With the patch rolled out in August, Super Hub 3.0 users don't need to do anything extra to protect themselves. “However, this research should remind consumers that no connected device is inherently secure, and that they should consider additional security measures around their home network, such as using password managers and different passwords for each device and service,” Bucsay warns. He also urged internet service providers to be more proactive in checking the security of any third-party devices they use.
A critical vulnerability in Moodle, an open source PHP-based learning management system deployed across scores of schools and universities, could expose the server it's running on to compromise. Tens of thousands of universities worldwide, including the California State University system, the University of Oxford, and Stanford University, use the service to provide students with course outlines, grades, and other personal data. The issue, at its root a SQL injection vulnerability, could be used by an attacker to execute PHP code on a university's server, according to Netanel Rubin, the researcher who found the bug. Rubin, who has previously dug up vulnerabilities in Mozilla's Bugzilla bug tracking system, the e-commerce platform Magento, and WordPress, described the bug in depth in a blog post on Monday. “Similar scenarios could be used in previous versions of Moodle but only by managers/admins and only via web services,” the advisory reads. School IT administrators are being encouraged to apply a patch that maintainers of the system pushed 10 days ago. Rubin discovered that he could exploit the feature, however, and reach an unserialize call by leaving a preference in a block mechanism empty. That could open the door to an object injection attack. While the attack had its limitations, Rubin discovered a way to pivot from it to a series of method calls. From there, he found he could use the system's “update” method to update any row in an affected database. This gave him the ability to tweak administrator accounts, passwords, the site configuration, “basically whatever we want,” he wrote. Rubin used a double SQL injection to top off his exploit, helping him gain full administrator privileges on any server running Moodle.
“After gaining full administrator privileges, executing code is as simple as uploading a new plugin or template to the server,” Rubin writes.
On November 8, 2016, Microsoft released a security update for Windows Authentication Methods (MS16-137) which included 3 CVEs. Talking specifically about CVE-2016-7237, this fix was applied to "lsasrv.dll", which affected the LSASS service. The vulnerability affected all Windows versions, either 32 or 64 bits, and was reported and later described in more detail by Laurent Gaffié (@PythonResponder) the same day that the fix was published. He also published proof-of-concept (PoC) code triggering the vulnerability. When the LSASS service crashes, the target is automatically restarted after 60 seconds, which is not very nice when it's a production server. As this allocation is close to 4GB, it will probably fail. If the allocation fails, one of the necessary conditions to reproduce the NULL-pointer dereference will be reached. There was a misunderstanding here about the vulnerability, because according to the PoC released by Laurent Gaffié, the problem WASN'T in the structure pointer, but rather in one field of the CRITICAL_SECTION object pointed to by this structure, which is NULL when the huge allocation fails! To be clear, the check of the NULL pointer should probably have been here. Although the public PoC doesn't trigger the vulnerability in Windows 8.1 or Windows 10, the researcher and Microsoft declared these Windows versions as vulnerable. As I said before, the "NegGetExpectedBufferLength" function reads the evil size from the SMB packet. Now, this function has to return the 0x90312 value (SEC_I_CONTINUE_NEEDED) to produce the failure in the huge allocation.
Unfortunately, in the latest Windows versions, an extra check was added in this function which compares the evil size against 0xffff (64KB). If the evil size is greater, this function won't return the 0x90312 value, but rather the 0xC00000BB value (STATUS_NOT_SUPPORTED), which won't produce any allocation failure, so the vulnerability is not triggered. On the other hand, if we use an evil size with a value less than or equal to 0xffff (64KB), the allocation won't fail and, again, the vulnerability won't be triggered. So, why are Windows 8.1 and Windows 10 vulnerable? Although the bug is triggered when a memory allocation fails, that doesn't mean that the allocation has to be giant, but rather that the LSASS service doesn't have enough available memory to allocate. I was able to confirm that this vulnerability can be triggered in Windows 7 and 2008 R2 by establishing several SMB connections and sending evil sizes with values like 0x1000000 (16 MB). The problem is that in the case of the latest Windows versions, it's not possible to use sizes of this kind, because, as I said before, the limit is 64KB. So, the only way to trigger this vulnerability should be by producing memory exhaustion in the LSASS service. It may be possible to do so by finding a controllable malloc in the LSASS authentication process, creating multiple connections and producing memory exhaustion until the "LsapAllocateLsaHeap" function fails. Maybe this memory exhaustion condition could be easily reached in local scenarios. I realized that the fix wasn't working when I tried to understand why the public PoC wasn't working against Windows 10. It's surprising to see that nobody else noticed that (that we know of), and that a considerable number of Windows users have been unprotected for more than 2 months since the public exploit was released.
As of January 10th, Microsoft decided to release a new security bulletin including a patch for the affected systems (MS17-004). If we diff against the latest "lsasrv.dll" version (v6.1.7601.23642), we can see that the vulnerability was fixed by changing the "NegGetExpectedBufferLength" function. Basically, the same 64KB packet size check used by Windows 8.1 and Windows 10 was now added to the rest of the Windows versions.
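The three situations the text walks through (a peer-supplied size that makes the large allocation fail, the 64KB size check that refuses such packets before anything is allocated, and an exhausted heap that makes even a 64KB allocation fail) can be modelled in a few dozen lines. The following C program is an added example written for this page; it is not Microsoft's code, not lsasrv.dll, and not Laurent Gaffié's PoC. Every name in it is hypothetical: `expected_buffer_length` and `handle_packet` stand in for the code path the text describes, the `lock_t`/`neg_context_t` structs stand in for the context and the CRITICAL_SECTION it points at, the 4-byte little-endian packet is a constructed stand-in for the real SMB encoding, and the "heap" is a byte budget so that allocation failure is reproducible offline. The crash is reported as a return value instead of actually dereferencing NULL. The `check_allocation` flag shows the difference between testing the context pointer (which is never NULL here) and testing the field the allocation actually fills, which is where the text argues the check belonged; the `enforce_limit` flag is the 64KB check that Windows 8.1/10 already had and MS17-004 added elsewhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Status values quoted on the page; the macro names are used only as labels here. */
#define SEC_I_CONTINUE_NEEDED 0x00090312u
#define STATUS_NOT_SUPPORTED  0xC00000BBu
#define MAX_NEG_PACKET_SIZE   0xffffu   /* the 64KB limit enforced by the size check */

/* --- Simulated heap (constructed): a byte budget makes "out of memory" reproducible. --- */
static size_t heap_budget = 1u << 20;   /* 1 MB available by default */

void sim_heap_reset(size_t budget) { heap_budget = budget; }

static void *sim_heap_alloc(size_t n) {
    if (n > heap_budget) return NULL;   /* models the LSA heap allocation failing */
    heap_budget -= n;
    return calloc(1, n);
}

static void sim_heap_free(void *p, size_t n) {
    free(p);
    heap_budget += n;
}

/* Hypothetical stand-ins: a context pointing at a lock object, one field of which
 * is only populated once the large allocation succeeds. */
typedef struct { uint8_t *owner_buffer; } lock_t;      /* stands in for the CRITICAL_SECTION */
typedef struct { lock_t *lock; } neg_context_t;

typedef enum {
    OUTCOME_OK = 0,        /* packet accepted, buffer allocated and released */
    OUTCOME_REJECTED,      /* size check returned STATUS_NOT_SUPPORTED, nothing allocated */
    OUTCOME_ALLOC_FAILED,  /* allocation failed and was handled gracefully */
    OUTCOME_NULL_DEREF     /* code would dereference the NULL field: the LSASS crash */
} outcome_t;

/* Constructed packet format: a 4-byte little-endian length the peer claims it will send.
 * This is NOT the real SMB/SPNEGO encoding; it only carries the "evil size". */
void make_packet(uint32_t claimed_len, uint8_t out[4]) {
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(claimed_len >> (8 * i));
}

/* Hypothetical model of the length check. With enforce_limit set it behaves like the
 * post-fix function: sizes above 64KB are refused before any allocation happens. */
uint32_t expected_buffer_length(const uint8_t *pkt, size_t pkt_len,
                                bool enforce_limit, uint32_t *claimed_out) {
    if (pkt_len < 4) return STATUS_NOT_SUPPORTED;
    uint32_t claimed = 0;
    for (int i = 0; i < 4; i++) claimed |= (uint32_t)pkt[i] << (8 * i);
    if (enforce_limit && claimed > MAX_NEG_PACKET_SIZE) return STATUS_NOT_SUPPORTED;
    *claimed_out = claimed;
    return SEC_I_CONTINUE_NEEDED;
}

/* Processes one packet. check_allocation selects where the NULL check sits:
 *   false = only the context pointer is tested, which never fails (the pre-fix shape);
 *   true  = the field the allocation fills is tested right after the allocation. */
outcome_t handle_packet(const uint8_t *pkt, size_t pkt_len,
                        bool enforce_limit, bool check_allocation) {
    uint32_t claimed = 0;
    if (expected_buffer_length(pkt, pkt_len, enforce_limit, &claimed) != SEC_I_CONTINUE_NEEDED)
        return OUTCOME_REJECTED;

    lock_t lock = { .owner_buffer = NULL };
    neg_context_t ctx = { .lock = &lock };

    /* The large allocation sized by the peer-controlled value. */
    ctx.lock->owner_buffer = sim_heap_alloc(claimed);

    if (check_allocation && ctx.lock->owner_buffer == NULL)
        return OUTCOME_ALLOC_FAILED;        /* handles heap exhaustion gracefully */

    /* Checking the context pointer tests the wrong object: it is always valid here. */
    if (ctx.lock == NULL)
        return OUTCOME_ALLOC_FAILED;

    if (ctx.lock->owner_buffer == NULL)
        return OUTCOME_NULL_DEREF;          /* reported instead of actually crashing */

    ctx.lock->owner_buffer[0] = 0;          /* use the buffer */
    sim_heap_free(ctx.lock->owner_buffer, claimed);
    return OUTCOME_OK;
}

int main(void) {
    uint8_t pkt[4];
    make_packet(0x1000000u, pkt);           /* 16 MB, the size the text reports for Win7/2008 R2 */
    sim_heap_reset(1u << 20);
    printf("16MB, no limit, no field check: %d\n", handle_packet(pkt, 4, false, false));
    printf("16MB, 64KB limit:               %d\n", handle_packet(pkt, 4, true, false));
    make_packet(0xffffu, pkt);
    sim_heap_reset(0x1000);                 /* exhausted heap: even 64KB no longer fits */
    printf("64KB, 64KB limit, exhausted:    %d\n", handle_packet(pkt, 4, true, false));
    return 0;
}
```

The last case in `main` is the point the text makes about Windows 8.1 and 10: the 64KB check stops oversized packets, but a packet within the limit still reaches the allocation, and if the heap is already exhausted the allocation fails and the same unchecked field is dereferenced. Only the check on the allocated field (`check_allocation`) covers that path.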