November 2017 – Page 7 – Computer Security Articles

Credit to Author: SSD / Maor Schwartz| Date: Mon, 27 Nov 2017 13:45:53 +0000

Vulnerability Summary The following advisory describes a remote command execution vulnerability found in Synology StorageManager. Storage Manager is “a management application that helps you organize and monitor the storage capacity on your Synology NAS. Depending on the model and number of installed hard drives, Storage Manager helps you accomplish the following tasks: Create different types … Continue reading SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution

Independent Securiteam

November 27, 2017 admin

SSD安全公告–Linux内核AF_PACKET 释放后重用漏洞

Credit to Author: SSD / Maor Schwartz| Date: Mon, 27 Nov 2017 08:12:04 +0000

漏洞概要以下安全公告描述了在Linux内核的AF_PACKET中存在的一个UAF漏洞，成功利用该漏洞可能导致权限提升。 AF_PACKET套接字”允许用户在设备驱动层发送或者接收数据包”。例如，用户可以在物理层之上实现自己的协议，或者嗅探包含以太网或更高层协议头的数据包。漏洞提交者一名独立的安全研究人员发现并向 Beyond Security 的 SSD 报告了该漏洞。厂商响应更新一 CVE:CVE-2017-15649 “该漏洞很可能已经通过以下方式修复了： packet: 重新绑定fanout hook时保持绑定锁定 – http://patchwork.ozlabs.org/patch/813945/ 与此相关，但未合并的是 packet:在packet_do_bind函数中，使用bind_lock测试fanout – http://patchwork.ozlabs.org/patch/818726/ 我们验证了在v4.14-rc2上不会触发该漏洞，但在第一次commit(008ba2a13f2d)上测试成功。” 漏洞详细信息该UAF漏洞是由于fanout_add(来自setsockopt)和AF_PACKET套接字之间竞争条件导致的。即使已经从fanout_add()创建了一个packet_fanout，竞争也会导致来自packet_do_bind()的__unregister_prot_hook()将po-> running设置为0。这允许我们绕过packet_release()中的unregister_prot_hook()的检查，从而导致即使packet_fanout已经被释放，但是仍然可以从packet_type链接列表引用。漏洞证明 [crayon-5a1c8f5b84fe1712795706/] 崩溃日志 [crayon-5a1c8f5b84fea292617098/] 我们知道已经被释放的是一个kmalloc-4096对象： [crayon-5a1c8f5b84ff4648568286/] 当通过af_packet.c中的register_prot_hook()的dev_add_pack()进行注册时，它的prot_hook成员在packet handler中被引用： [crayon-5a1c8f5b84ff7247098366/] 结构体packet_type内部的函数指针，保存在一个大的slab分配器（kmalloc-4096）中，这使得堆喷射变更容易和更可靠，因为内核较少使用较大slab分配器。我们可以使用常规的内核堆喷射来替换被释放的packet_fanout对象的内容，例如用sendmmsg()或其它函数。即使分配的内存空间不是永久的，但仍然可以替换packet_fanout中的目标内容（例如函数指针），并且由于kmalloc-4096非常稳定，所以我们的payload几乎不可能被其它分配破坏。当使用dev_queue_xmit()发送一个skb时会调用id_match()，通过AF_PACKET套接字上的sendmsg可以到达该路径。如果dev_queue_xmit参数非NULL，它通过调用id_match()的包处理程序列表进行循环。因此，可以通过下述方式进行漏洞利用。一旦知道了内核的代码段，我们就可以把内核栈转换成我们伪造的packet_fanout对象和ROP。第一个参数ptype包含我们伪造对象的prot_hook成员的地址，这使得我们知道在哪里跳转。一旦进入ROP，我们可以跳转到native_write_c4(x)去关闭SMEP/SMAP，然后跳回到用户空间执行我们真正的payload，通过调用commit_creds(prepare_kernel_cred(0))，将我们权限提升至root 。

Independent Securiteam

November 27, 2017 admin

SSD安全公告–Ikraus Anti Virus 远程代码执行漏洞

Credit to Author: SSD / Maor Schwartz| Date: Mon, 27 Nov 2017 07:50:39 +0000

漏洞概要以下安全公告描述了在Ikraus Anti Virus 2.16.7中发现的一个远程代码执行漏洞。 KARUS anti.virus“可以保护你的个人数据和PC免受各种恶意软件的入侵。此外，反垃圾邮件模块可以保护用户免受垃圾邮件和电子邮件中的恶意软件攻击。选择获奖的IKARUS扫描引擎，可以有效保护自己免受网络犯罪分子的侵害。 IKARUS是世界上最好的扫描引擎，它每天都在检测未知和已知的威胁。漏洞提交者一位独立的安全研究人员向 Beyond Security 的 SSD 报告了该漏洞厂商响应更新一 CVE: CVE-2017-15643 厂商已经发布了这些漏洞的补丁。获取更多信息： https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001/ 漏洞详细信息网络攻击者（中间人攻击）可以在运行Ikraus反病毒软件的计算机上实现远程代码执行。 Windows版的Ikarus AV使用明文HTTP和CRC32校验进行更新，以及用于验证下载文件的一个更新值。另外，ikarus检查更新版本号，通过增加更新的版本号，以推动更新进程进行更新。在ikarus中执行更新的可执行文件是guardxup.exe guardxup.exe，通过端口80，发送更新请求如下： [crayon-5a1c8f5b8564c832670696/] 服务器响应如下： [crayon-5a1c8f5b85655113594378/] 通过代理，我们可以修改响应，将“update”值加1，并将响应转发给客户端。然后，客户端将通过此URL请求更新：http://mirror04.ikarus.at/updates/guardxup001005048.full ikarus服务器将返回404： [crayon-5a1c8f5b8565a461056357/] 但我们可以用IKUP格式修改上述响应： [crayon-5a1c8f5b8565f465486246/] 然后，我们将修改过后的响应转发到客户端，在那里用我们的可执行文件替换guardxup.exe。漏洞证明安装mitmproxy 0.17 – pip install mitmproxy == 0.17 要使用这个脚本，在透明代理模式下，通过中间人80端口转发客户端的通信流量。设置你的防火墙规则以拦截8080端口上的通信流量： [crayon-5a1c8f5b85664388983146/] 然后执行如下脚本： ./poc.py file_to_deploy.exe [crayon-5a1c8f5b85668324361117/]

MalwareBytes Security

November 27, 2017 admin

Terror exploit kit goes HTTPS all the way

Credit to Author: Jérôme Segura| Date: Mon, 27 Nov 2017 20:00:34 +0000

A look at some techniques used by the Terror exploit kit to evade traffic-based detection.

Categories:

Tags: exploit kits malvertising Propeller Ads Media smoke loader Terror EK Terror exploit kit

(Read more…)

The post Terror exploit kit goes HTTPS all the way appeared first on Malwarebytes Labs.

MalwareBytes Security

November 27, 2017 admin

Week in security (November 20 – November 26)

Credit to Author: Malwarebytes Labs| Date: Mon, 27 Nov 2017 19:25:39 +0000

Learn what happened in the world of security during the week of November 20 to November 26.

Categories:

Tags: bitcoins facebook imgur Imgur breach KRACK mac malware OSX.Proton security Terdot Trojan trojan Uber breach week in security

(Read more…)

The post Week in security (November 20 – November 26) appeared first on Malwarebytes Labs.

ScadaICS Schneider

November 27, 2017 admin

Empowering Industrial OEMs for the Digital Era

Credit to Author: Ali Haj Fraj| Date: Mon, 27 Nov 2017 18:28:08 +0000

Evolving customer needs and the impact of digital transformation has introduced a significant amount of complexity to the machine design and building process. OEM machine builders need to go beyond… Read more »

The post Empowering Industrial OEMs for the Digital Era appeared first on Schneider Electric Blog.

Fortinet Security

November 27, 2017 admin

Ph0wn: A CTF Cedicated to Smart Devices

Credit to Author: Axelle Apvrille, Alain Forcioli| Date: Mon, 27 Nov 2017 14:30:59 +0000

We have organized a Capture The Flag event this week. Codenamed Ph0wn, this CTF is really unique because it is dedicated to smart devices. This CTF is free and takes place this Wednesday, November 29, 2017, starting at 6pm at Campus SophiaTech, Sophia Antipolis, France – where our FortiSmart research team is located. Traditional CTFs include challenges on standard infrastructures: PCs, servers, webservers, etc. And from time to time, some CTFs feature hardware challenges. (We should probably cite Hardwear.io CTF , and RHME3 for automotive.)…