Archive for February, 2017


February 6, 2017

 

Last weekend a security researcher publically disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft failed to patch it in the past three months.

 

The zero-day memory corruption flaw resides in the implementation of the SMB (server message block) network file sharing protocol that could allow a remote, unauthenticated attacker to crash systems with denial of service attack, which would then open them to more possible attacks.

 

According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but this has not been confirmed right now by Microsoft.

 

Without revealing the actual scope of the vulnerability and the kind of threat the exploit poses, Microsoft has just downplayed the severity of the issue, saying:

 

“Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

 

However, the proof-of-concept exploit code, Win10.py, has already been released publicly for Windows 10 by security researcher Laurent Gaffie and does not require targets to use a browser.

 

The memory corruption flaw resides in the manner in which Windows handles SMB traffic that could be exploited by attackers; all they need is tricking victims to connect to a malicious SMB server, which could be easily done using clever social engineering tricks.

 

“In particular, Windows fails to properly handle a server response that contains too many bytes following the structure defined in the SMB2 TREE_CONNECT Response structure,” CERT said in the advisory.

 

“By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”
Since the exploit code is now publicly available to everyone and there is no official patch from Microsoft, all Windows users are left open to potential attacks at this time.

 

Until Microsoft patches the memory corruption flaw (most probably in the upcoming Windows update or out-of-band patch), Windows users can temporarily fix the issue by blocking outbound SMB connections (TCP ports 139 and 445 and UDP ports 137 and 138) from the local network to the WAN.

 

The vulnerability has been given Common Vulnerability Scoring System (CVSS) score of 7.8. Proof-of-concept code has been published on GitHub.

Share

February 5, 2017

 

United States Computer Emergency Readiness Team (US-CERT) has discovered a zero-day vulnerability in the SMB service of Microsoft Windows which lets attackers carry out Denial of Service attacks and crash the entire system leading to Blue Screen of Death (BSOD).

 

CERT’s advisory specifies that “by connecting to a malicious SMB server (Server Message Block), a vulnerable Windows client system may crash BSOD in mrxsmb20.sys.”

 

Furthermore, using this vulnerability, an attacker can launch all sorts of attacks such as executing arbitrary code. This vulnerability makes Windows 8.1 and Windows 10 exposed to exploitation and may also affect the Windows Server systems.

 

The advisory also states that Microsoft Windows has failed to handle traffic coming from a malicious or infected server properly and also it cannot handle server response that contains too many bytes “following the structure defined in the SMB2 TREE_CONNECT Response structure.”

 

The CERT team also reproduced the attack method by conducting a denial of service attack onto computers running patched versions of Windows 8.1 and Windows 10. However, the team could not successfully run arbitrary code.

https://t.co/xAsDOY54yl

 

 

The problem may worsen now since the exploit code that may let attackers take advantage of this zero-day vulnerability is already available online and therefore, a patch for the flaw is required badly. Until then, US-CERT cannot provide a solution to keep the users safe. It, however, has provided a temporary fix in the form of blocking outbound SMB connections on the local network.

Share

 

WordPress is one of the most used content management system (CMS) in the world. So when there is a security flaw in its system, it affects millions of users on the Internet. That is exactly what has been discovered by security researchers at Sucuri, an Internet security company which revealed that WordPress websites are vulnerable to a critical and easily exploitable zero-day Content Injection vulnerability.

Sucuri found a Content Injection or Privilege Escalation vulnerability affecting the REST API allowing an attacker to modify the content of any post or page within a WordPress site. However, there is good news since Sucuri discretely reported the vulnerability to WordPress security team who handled the matter professionally and informed as many security providers and hosts and implemented a patch before this became public.
If you are using WordPress on your website the only way you may be at risk is if you have not updated your WordPress to the latest version 4.7.2. The update was issued on January 26th.

In their blog post, Marc Alexandre Montpas from Sucuri stated that “This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress, then it is currently vulnerable to this bug.”

Montpas further stated that “This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. We are hiding some technical details to make it harder for the bad guys, but depending on the plugins installed on a site, it can lead to a RCE (remote command execution). Also, even though the content is passed through wp_kses, there are ways to inject Javascript and HTML through it. Update now!”

If you or your friends are using WordPress, it is highly advisable to update your website and inform others about the issue so they can also update their WordPress to the latest version.

WordPress has also acknowledged the issue and published a blog post earlier today urging users to update their WordPress since it poses a “severe security risk” for users.

 

Share