Tag: CVE

Operation JASK – Just a Single Keystroke

Apart from the IETF hackathons, the hackers.mu team also focused on internal hackathon either remotely or on-site participation. Another remote hackathon was already in progress since Saturday the 16th of June 2018. It was named Operation JASK – Just a Single Keystroke. Announced publicly on Sunday the 17th of June 2018 after noticing that several Crypto currency mining tools were vulnerable to CVE-2018-12356. By the time, many members of the team were already mobilised even if it was a public holiday in Mauritius. The operation was named JASK – Just a Single Keystroke as the security issues is concerned with the hardening of a regular expression, in particular requiring [GNUPG:] to be at the beginning of a line (^\[GNUPG:\]). We had to fire a single keystroke at the right place to fix a single vulnerability.

Marcus Brinkmann, who is a free software activist explained “An issue was discovered in password-store.sh in pass in Simple Password Store 1.7 through 1.7.1. The signature verification routine parses the output of GnuPG with an incomplete regular expression, which allows remote attackers to spoof file signatures on configuration files and extensions scripts. Modifying the configuration file allows the attacker to inject additional encryption keys under their control, thereby disclosing passwords to the attacker. Modifying the extension scripts allows the attacker arbitrary code execution.” 

However, simple the patch is, the attack aimed GnuPG signature verification process which is specific to pass the Simple Password Store. It can give the attacker access to passwords and remote code execution. On theRegister.co.uk – Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug, Loganaden Velvindron core member of the hackers.mu explained “It’s hard to identify just how many downstream projects inherit a vulnerability like the one Brinkmann spotted, but the number of problem projects will likely be non-trivial because the GnuPG cryptography suite has applications beyond e-mail protection.”

The hackers.mu usual suspects during Operation JASK hackathon are: Kifah Meeran, Loganaden Velvindron, Rahul Golam, Muzaffar Auhammud, Nigel Yong and myself (Nitin J Mutkawoa) all members from the hackers.mu. Some of the projects are Bitcoin, Litecoin, Dash, Bitcoin Gold, Monacoin, Binarium, Terracoin, SmartCash and many other crypto currency projects.

Hackers.mu is now looking forward for other hackathons. We are also inviting everyone to meet us at Flying Dodo Bagatelle conference room for the Security Disclosure Process event. Feel free to RSVP on meetup.com  and Facebook before attending.

CVE-2016-0777 – Are you still vulnerable to this OpenSSH Vulnerability?

I was quite surprised to notice that though, since the 14th of January 2016, the OpenSSH has released a patch to correct a major bug issue for those using the OpenSSH remote connectivity login tool many IT professionals have forgotten about that issue. The security vulnerability has been announced on the Common Vulnerabilities and Exposures (CVE) website since the middle of January, yet many systems and security administrators may have not missed this information.

Credits: openssh.com
Credits: openssh.com

As mentioned, the ssh bug is about “The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. “ To be more explicit, what really happens is that an attacker can guess the client’s get_snd_buf_size() in order to control out_buf_size(). In order to exploit this vulnerability, the attacker will have to force the malloc() to return free()d and an uncleaned chunk of sensitive information. 

This block of code on the old roaming_common.c clearly demonstrate the issue. View full code here.

void
resend_bytes(int fd, u_int64_t *offset)
{
size_t available, needed;

if (out_start < out_last)
available = out_last - out_start;
else
available = out_buf_size;
needed = write_bytes - *offset;
debug3("resend_bytes: resend %lu bytes from %llu",
    (unsigned long)needed, (unsigned long long)*offset);
if (needed > available)
fatal("Needed to resend more data than in the cache");
if (out_last < needed) {
int chunkend = needed - out_last;
atomicio(vwrite, fd, out_buf + out_buf_size - chunkend,
    chunkend);
atomicio(vwrite, fd, out_buf, out_last);
} else {
atomicio(vwrite, fd, out_buf + (out_last - needed), needed);
}
}

You can perform some test on your machine or may be you are using an emulator such as MobaXterm to SSH on several servers by launching the following command

ssh whoami.filippo.io

You might encounter the following beautiful message:

         ***** WARNING ***** WARNING *****
You have roaming turned on. If you are using OpenSSH, that most likely means you are vulnerable to the CVE-2016-0777 information leak.

In case, this is true, you might want to secure yourself from this vulnerability by editing the /etc/ssh/ssh_config and pass the following parameter UseRoaming no . Of course, you will need to reload the ssh daemon and don’t forget to perform a new test!

 

CVE-2015-7547 – Update Glibc & restart BIND with Ansible

You might be seeing a huge crowd of system administrators and Devops rushing to update their servers immediately due to the security flaws detected on Glibc. This security leak is identified as skeleton key under CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow. What is most sour to taste is where the Glibc library is used in the BIND application!

 In brief, the CVE-2015-7547 vulnerability is simply where an attacker can performed mutilple stack-based overflows of the function send_dg and send_vc in the Glibc library to execute malicious code even causing denial of service attack.

Screenshot from 2016-02-21 12:14:09

Redhat have put it in this way “A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.” I have try a little Ansible cookbook to update your Glibc package. Check it out on my Git Account

- - - 
  - hosts: ansible2
     user: root
     tasks:
       - name: update Glib
          yum: name=glibc* state=latest
       - name: restart named
          service: name=named state=restarted

Screenshot from 2016-02-21 11:30:52

Other articles on Buffer Overflow of Memory:

Other article related to Ansible

Debug your Internet bugs and vulnerabilities with ICSI Netalyzr

Can your Network be easily compromised? Is your Internet vulnerable? You might want to perform some tests on the Quality of Service your Internet Service Provider – ISP is providing you. It can also be more dangerous if your ISP is also your router vendor! One of the fast and reliable tools which I would propose is the ICSI Netalyzr tool which tests your internet connections for signs of trouble and provides you detailed report vulnerabilities, latency, and several tests. The test can be performed by almost anyone with just a simple click.


“ICSI Netalyzr is a service maintained by the Networking Group at the International Computer Science Institute, an affiliate with the University of California, Berkeley and funded by the National Science Foundation. The service got some publicity and found importance after late 2007 when Comcast was sued for throttling Internet traffic which Comcast later admitted being true.” – freewareGenius

The report consists of:


  • A summary of the Noteworthy Events
  • Addresses-based Tests
  • Reachability Tests
  • Network Access Link Properties
  • HTTP and DNS tests
  • IPV6 tests and Network Security Protocols
  • Host Properties

I made several tests myself and notice that many routers are vulnerable to attacks. One of the tests I made from a Netgear router DG series intentionally downgraded with an old firmware from the official website of Netgear was found to be vulnerable. Click here on this link to access to the Netalyzr tool. I would, however, recommend you to use DD-WRT or OpenWRT for best QoS.


Example - A Netgear router vulnerable to CVE-2012-5958 and CVE-2012-5959
Example – A Netgear router vulnerable to CVE-2012-5958 and CVE-2012-5959

You could also check for DNS resolution, Latency issues and Measurement of your Network buffering capacity. You would need to authorize your browser to access a JAVA plugin to be able to perform the test.

You can also perform your test using the Android App as well as on the Netalyzer command line client.

A brief description of the fopen PHP vulnerability

One of the PHP vulnerability that is still being found on many websites is the fopen function in PHP – CVE-2007-0448. You can secure your website by disabling includes when calling the fopen function.


According to cvedetails.com “PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI”

It’s usually not recommended to enable the fopen function in the php.ini, however, some developers include it in the code itself for a specific task. Let’s see how this is exploited:

Let’s say we have a page called vulnerability.php containing these code


<?php
$vulnerable = $_GET['vulnerable'];
include($vulnerable);
?>

So, $vulnerable = $_GET[‘vulnerable’]; means to put the ‘vulnerable’ GET property in the variable $vulnerable; i.e GET property that is in the URL. An example is http://mysite.com/page.php?vulnerable=yes&howmuch=Very.


By including the value of the variable ($vulnerable), you allowing an attacker to inject code. Someone, for instance, can try this on his browser

http://www.mywebsite.com/fopen.php?vulnerable=../../../index.php

This will enable the attacker to get into subdirectories and start exploring the whole directory. However, if you are running PHP-FPM for a particular instance, only that particular instance is impacted as PHP-FPM allows you to isolate each running instances within the server.