March 13, 2017

Talos has observed a new Apache vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands  as well as more sophisticated commands including pulling down a malicious ELF executable and execution.

With exploitation actively underway Talos recommends immediate upgrading if possible or following the work around referenced in the above security advisory.
Exploitation Attempts

In searching through data Talos was able to find ample examples of the vulnerability being targeted and detection was covered by signatures that were released on 3/7/2017 (41818, 41819).

 

Vulnerability Analysis

 

Apache uses org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest to upload file.

 

 

In the exploit, #nike=’multipart/form-data’ will make the expression as true. Then function getMultiPartRequest() will be executed. It will configure struts.multipart.parser attribute using org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.

 

 

The struts.multipart.parser used by the fileUpload interceptor to handle HTTP POST requests, encoded using the MIME-type multipart/form-data, can be changed out. Currently there are two choices, jakarta and pell. The jakarta parser is a standard part of the Struts 2 framework and needs only its required libraries added to a project. The pell parser uses Jason Pell’s multipart parser instead of the Commons-FileUpload library. The pell parser is a Struts 2 plugin, for more details see: pell multipart plugin. There was a third alternative, cos, but it was removed due to licensing incompatibilities.

 

 

Finally, Struts2 uses LocalizedTextUtil.findText in function buildErrorMessage to build the error message while the exploit takes advantage of LocalizedTextUtil.findText to execute OGNL commands.

 

 

Simple Probing

Below is an example of some simple probing attacks that are ongoing just checking to see if a system is vulnerable by executing a simple Linux based command.

 

 

Running the PoC will create a text file in /tmp folder in the target:

 

 

Attack Mitigation

One way to mitigate these targeted attacks is via Apache Struts patches. Patching the web server can be a never-ending race. New patches are released much faster than organizations can run them through staging, testing and then push them into production. An alternative solution is virtual patching through an external security tool like a Web Application Firewall (WAF), which provides immediate protection to the web servers and applications maintaining business continuity while the right patch is developed, staged and tested.

Share

 

WordPress is one of the most used content management system (CMS) in the world. So when there is a security flaw in its system, it affects millions of users on the Internet. That is exactly what has been discovered by security researchers at Sucuri, an Internet security company which revealed that WordPress websites are vulnerable to a critical and easily exploitable zero-day Content Injection vulnerability.

Sucuri found a Content Injection or Privilege Escalation vulnerability affecting the REST API allowing an attacker to modify the content of any post or page within a WordPress site. However, there is good news since Sucuri discretely reported the vulnerability to WordPress security team who handled the matter professionally and informed as many security providers and hosts and implemented a patch before this became public.
If you are using WordPress on your website the only way you may be at risk is if you have not updated your WordPress to the latest version 4.7.2. The update was issued on January 26th.

In their blog post, Marc Alexandre Montpas from Sucuri stated that “This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled by default on WordPress 4.7.0. One of these REST endpoints allows access (via the API) to view, edit, delete and create posts. Within this particular endpoint, a subtle bug allows visitors to edit any post on the site. The REST API is enabled by default on all sites using WordPress 4.7.0 or 4.7.1. If your website is on these versions of WordPress, then it is currently vulnerable to this bug.”

Montpas further stated that “This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. We are hiding some technical details to make it harder for the bad guys, but depending on the plugins installed on a site, it can lead to a RCE (remote command execution). Also, even though the content is passed through wp_kses, there are ways to inject Javascript and HTML through it. Update now!”

If you or your friends are using WordPress, it is highly advisable to update your website and inform others about the issue so they can also update their WordPress to the latest version.

WordPress has also acknowledged the issue and published a blog post earlier today urging users to update their WordPress since it poses a “severe security risk” for users.

 

Share

November 14, 2016

pixel-safari-edgewindows-10-1

 

 

Google’s new Pixel smartphone was reportedly hacked by a Chinese team in just 60 seconds.

 

At PwnFest, a hacking competition in Seoul on Friday (11 November), a team of white-hat hackers called Qihoo 360 cracked Google’s new handset and won $120,000 (£95,670) in cash. The hackers took advantage of a vulnerability to gain remote code execution that is undisclosed.

 

The exploit launched the Google Play store before opening Chrome and displaying a web page reading “Pwned By 360 Alpha Team”.

 

Google said the Chrome bug that Keen Team found was patched within 24 hours of the event and the changes have already been released into the stable branch by the Chrome team.

 

It was the second time in as many weeks that the Pixel has been compromised.

 

Chinese hacking group, Keen Team of Tencent, a rival of Qihoo 360, discovered a zero-day vulnerability at the Mobile Pwn2Own event in Japan. The vulnerability is yet to be patched. Thankfully, these exploits have been found in hacking events, instead of being used in the wild by attackers.
While these exploits suggest Pixel phones are vulnerable to attackers, earlier this month Adrian Ludwig, the director of security at Android, told Motherboard that the Google Pixel and the iPhone are equal when it comes to security. Ludwig said Android would be soon better though. “In the long term, the open ecosystem of Android is going to put it in a much better place,” he said.

 

 
Apple’s updated Safari browser running on MacOS Sierra also fell. Respected Chinese hacker outfit Pangu Team renowned for releasing million-dollar persistent modern iOS jailbreaks for free, along with hacker JH, blasted Cupertino’s web browser with a root privilege escalation zero day that took 20 seconds to run, earning the team $80,000.
Qihoo 360 also breached Adobe Flash with a flick of the finger, digging up a combination decade-old, use-after-free zero day and a win32k kernel flaw to score $120,000.

 

It took four seconds for Flash to fall.

 

The hacks conclude the PwnFest whitewash, which saw Microsoft Edge hacked and the first-ever zero day exploits against VMWare Workstation on Thursday.

 

Qihoo 360 hackers walked away with $520,000 in prize money.

Share

Squid proxy server

 
Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.

 
The vulnerability allows attackers to compromise connections using a maliciously-crafted packet. A patch has been produced for daily versions but not yet distributed for regular builds, according to researchers.
Chen says the attack can be executed against versions 3.5.12 and below using malicious Flash advertisements.

 
“The attack enables cache poisoning of ANY unencrypted HTTP website,”.

 

Cache Poisoning issue in HTTP Request handling

 

Incorrect input validation of HTTP Request messages lets clients use an absolute-URI on port 80 to bypass the protection previously added to Squid for CVE-2009-0801 and other related attack vectors. This can lead to cache poisoning of the Squid and browser caches, bypass of same-origin and sandbox protections in browsers.

 

“The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache controlled by the attacker” before hitting a victim site. It’s not hard to stage the attack as “… attackers can readily obtain the necessary vantage point using techniques such as web ads.”

 
“For successful exploitation, an attacker must be able to send requests to some website (like attack.com) through the proxy server. Under this scenario, the attacker first establishes a TCP connection with the attack.com web server. As far as Squid works in transparent proxy mode, these requests are intercepted and transmitted further. At the next stage, the attacker initiates the following HTTP request:

 

GET http://victim.com/ HTTP/1.1 Host: attack.com
The cache module uses the host address from the request string (victim.com) to create the key; however, the verification module uses the Host header (attack.com) to check the communication between the host and the IP address. This is what makes the attack possible.

 

 

Protection

 

The vulnerability was already fixed but there is still no CVE for the issue or patched version of Squid available. The bug fix is included only in the daily builds for 4 and 3.5 versions.

 

C51 Security researchers recommend enabling the host_verify_strict option which is disabled by default, and considering the Suricata intrusion detection system rules to detect exploitation attempts.

 

 

https://drive.google.com/file/d/0ByM36MBckzBaQUFES0VYRlZydUE/view

Share