[CORE-2017-0006] Trend Micro Email Encryption Gateway Multiple Vulnerabilities

2018-02-21 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Trend Micro Email Encryption Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Trend Micro Email Encryption Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0006
Advisory URL:
http://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities
Date published: 2018-02-21
Date of last update: 2018-02-21
Vendors contacted: Trend Micro
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cleartext Transmission of Sensitive Information [CWE-319],
External Control of File Name or Path [CWE-73], Insufficient
Verification of Data Authenticity [CWE-345], External Control of File
Name or Path [CWE-73], Missing Authentication for Critical Function
[CWE-306], Cross-Site Request Forgery [CWE-352], Improper Restriction of
XML External Entity Reference [CWE-611], Improper Neutralization of
Input During Web Page Generation ('Cross-site Scripting') [CWE-79],
Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') [CWE-79], Improper Neutralization of Input During Web Page
Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of
Special Elements used in an SQL Command [CWE-89], Improper
Neutralization of Special Elements used in an SQL Command [CWE-89],
Improper Neutralization of Special Elements used in an SQL Command
[CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-6219, CVE-2018-6220, CVE-2018-6221, CVE-2018-6222,
CVE-2018-6223, CVE-2018-6224, CVE-2018-6225, CVE-2018-6226,
CVE-2018-6226, CVE-2018-6227, CVE-2018-6228, CVE-2018-6229, CVE-2018-6230

3. *Vulnerability Description*

Trend Micro's website states that:[1]

"Encryption for Email Gateway is a Linux-based software solution providing
the ability to perform the encryption and decryption of email at the
corporate gateway, regardless of the email client, and the platform from
which it originated. The encryption and decryption of email on the TMEEG
client is controlled by a Policy Manager that enables an administrator
to configure policies based on various parameters, such as sender and
recipient email addresses, keywords, or PCI compliance. Encryption for
Email Gateway presents itself as an SMTP interface and delivers email
out over an SMTP to configured outbound MTAs. This enables easy
integration with other email server-based products, be them content
scanners, mail servers, or archiving solutions."
 
Multiple vulnerabilities were found in the Trend Micro Email Encryption
Gateway web console that would allow a remote unauthenticated attacker
to gain command execution as root.

We also present two additional vectors to achieve code execution from a
man-in-the-middle position.
 
4. *Vulnerable Packages*

. Trend Micro Email Encryption Gateway 5.5 (Build .00)
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Trend Micro published the following Security Notes:

. https://success.trendmicro.com/solution/1119349-security-bulletin-trend-micro-email-encryption-gateway-5-5-multiple-vulnerabilities

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
and Maximiliano Vidal from Core Security Consulting Services. The
publication of this advisory was coordinated by Alberto Solino from Core
Advisories Team.
   
7. *Technical Description / Proof of Concept Code*

Trend Micro Email Encryption Gateway includes a web console to perform
administrative tasks. Section 7.4 describes a vulnerability in this
console that can be exploited to gain command execution as root. The
vulnerable functionality is accessible only to authenticated users, but
it is possible to combine 7.4 with the vulnerability presented in
section 7.5 to bypass this restriction and therefore execute root
commands from the perspective of a remote unauthenticated attacker.
 
The application also uses an insecure update mechanism that allows an
attacker in a man-in-the-middle position to write arbitrary files and
install arbitrary RPM packages, leading to remote command execution as
the root user.
 
Additional Web application vulnerabilities were found, including
cross-site request forgery (7.6), XML external entity injection (7.7),
several cross-site scripting vulnerabilities (7.8, 7.9, 7.10), and SQL
injection vulnerabilities (7.11, 7.12, 7.13).
 
7.1. *Insecure update via HTTP*

[CVE-2018-6219]
Communication to the update servers is unencrypted. The following URL is
fetched when the application checks for updates:
 
/-
[Request #1]
 http://downloads.privatepost.com/files/TMEEG/updates/data.html
-/

The product expects to retrieve a plain-text file with the following
format:

/-
[Version Info]
[Installation RPM file name]
[Path to release notes]
-/

If a new update is found, then the RPM file is downloaded from 

DefenseCode Security Advisory: PureVPN Windows Privilege Escalation Vulnerability

2018-02-21 Thread Defense Code
DefenseCode Security Advisory
PureVPN Windows Privilege Escalation Vulnerability


Advisory ID:    DC-2018-02-001
Advisory Title: PureVPN Windows Privilege Escalation Vulnerability
Advisory URL:   http://www.defensecode.com/advisories.php
Software:       PureVPN
Version:        5.19.4.0 and below (Windows Build Version: 6)
Vendor Status:  Vendor contacted, vulnerability fixed
Release Date:   21/02/2018
Risk:           MEDIUM



1. General Overview
===
During the security analysis of PureVPN's Windows client software it
has been discovered that the software contains a vulnerability that
could allow a local user to escalate their privileges on the system.


2. Software Overview

PureVPN is a paid VPN service provider which claims to provide online
privacy and security to its users. The product is equipped with
different tunneling protocols to offer end-to-end encryption to its
users. According to their website, PureVPN's network of 550+ servers
is spread across more than 145 countries, serving over 1 million users
from all over the world.
PureVPN provides client software for Windows, Mac, Android, and iOS.

Homepage:
https://www.purevpn.com


3. Vulnerability Description

During the security analysis of the PureVPN Windows client software it
has been determined that the software installation grants the Everyone
group (i.e. all users) full control permission over the software's
installation directory (C:\Program Files (x86)\PureVPN by default).
In addition, it has been determined that PureVPNService.exe, which
runs with NT Authority\SYSTEM privileges, tries to load several
dynamic-link libraries using relative paths instead of absolute paths.
When a fully qualified path is not used, the application first tries
to load the library from the directory in which the application
resides. As the directory containing PureVPNService.exe is writable by
all users, the application is susceptible to privilege escalation
through DLL hijacking.

DLL hijacking proof of concept was done by placing a malicious
cryptbase.dll inside the software's installation directory,
resulting in privilege escalation to NT Authority\SYSTEM when
the PureVPNService.exe service is started.
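The following is an added defensive check, not part of the DefenseCode advisory, that looks for the precondition described above: a Windows service whose executable directory grants write access to Everyone or another low-privileged group. It assumes the service is registered under the name PureVPNService; pass a different name to audit other services.

```powershell
# Added example (not from the advisory): report ACEs on a service binary's
# directory that let low-privileged principals write there, which is what
# makes DLL hijacking of a SYSTEM service possible.
param(
    [string]$ServiceName = 'PureVPNService'   # assumed service name
)

# Principals that should never hold write rights on a SYSTEM service's directory.
$riskyIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Write is a subset of Modify and FullControl, so masking with it catches all three.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }

# PathName may be quoted and may carry arguments; extract only the executable.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$dir = Split-Path -Parent $exe

$acl = Get-Acl -Path $dir
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($riskyIdentities -notcontains $ace.IdentityReference.Value) { continue }
    if (($ace.FileSystemRights -band $writeMask) -ne 0) {
        [pscustomobject]@{
            Directory = $dir
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Output "Service '$ServiceName' runs as $($svc.StartName); its directory is writable by low-privileged principals:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No risky write ACEs found on $dir"
}
```

An inherited ACE usually points at a weak ACL on the parent directory rather than on the product folder itself, so check the Inherited column before deciding where the fix belongs.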


4. Solution
===
Vendor fixed the reported security issues and released a new version.
All users are strongly advised to update to the latest available
version.


5. Credits
==
Discovered by Bosko Stankovic (bo...@defensecode.com).


6. Disclosure Timeline
==
02/02/2018  Vendor contacted
13/02/2018  Vendor responded
20/02/2018  Vulnerability fixed


7. About DefenseCode

DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website
http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/


SEC Consult SA-20180221-0 :: Hijacking of arbitrary miSafes Mi-Cam video baby monitors

2018-02-21 Thread SEC Consult Vulnerability Lab
We have published an accompanying blog post to this technical advisory with
further information:

https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html


SEC Consult Vulnerability Lab Security Advisory < 20180221-0 >
===
              title: Hijacking of arbitrary video baby monitors
            product: miSafes Mi-Cam remote video monitor
 vulnerable version: Android application v1.2.0, iOS v1.0.5
                     Firmware v1.0.38
      fixed version: -
         CVE number: -
             impact: critical
           homepage: http://www.misafes.com/mi-cam
              found: 2017-11-30
                 by: Mathias Frank (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal
                     Moscow - Munich - Kuala Lumpur - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

===

Vendor description:
---
"Mi-CamHD, Wi-Fi remote video monitor for everyone; 720P HD quality video, easy
set up & use, two-way talk and supports free local video recording, all can be
used by our user friendly Mi-Cam app."

Source: http://www.misafes.com/mi-cam


Business recommendation:

SEC Consult recommends not to use this device until a thorough security review
has been performed by security professionals and all identified issues have
been resolved! Although cloud-connected hardware may have an advantage regarding
usability and convenience for users, if security is lacking those products pose
a great risk for all customers.

Furthermore, it seems there exist similar products from other vendors, e.g.
"Qihoo 360 Smart Home Camera", that look exactly the same and may also be
affected but SEC Consult could not verify this. The cloud component hosted by
"qiwocloud2.com" may be used by other products as well. Additional information
regarding other vendors are described in our blog post linked at the top of this
advisory.


Vulnerability overview/description:
---
Using the Mi-Cam video baby monitor and its Android (or iOS) application
involves numerous requests to a cloud infrastructure available at
ipcam.qiwocloud2.com, which relays communication between the video baby
monitor and the respective mobile application.

The Android application has at least 5-10 installations according to the
Google Play Store, with potentially as many iOS users as well.

SEC Consult has identified multiple critical security issues within this
product.


1) Broken Session Management & Insecure Direct Object References
The usage of the Android application "Mi-Cam" and the interaction with the
video baby monitor involve several different API calls. Because of broken
session management, a number of critical API calls can be accessed by an
attacker using arbitrary session tokens.

This allows an attacker to retrieve information about the supplied account
and its connected video baby monitors. The information retrieved this way
is sufficient to view and interact with all video baby monitors connected
to the supplied UID.


2) Missing Password Change Verification Code Invalidation
The forgotten-password functionality sends a 6-digit validation key, valid
for 30 minutes, to the supplied email address in order to set a new password.
Multiple codes can be requested, and previously delivered codes are not
invalidated, so any one of them can be used as a valid key. This can easily
be brute-forced to take over other accounts.


3) Available Serial Interface
The PCB of the video baby monitor holds an unlabeled UART interface through
which an attacker can gain hardware-level access to the device and, for
instance, extract the firmware for further analysis. SEC Consult identified
further security issues, such as outdated software (issue 6) and weak
passwords (issue 4), by analyzing the firmware using IoT Inspector
(https://www.iot-inspector.com).


4) Weak Default Credentials
The "root" user available on the video baby monitor uses very weak default
credentials with only 4 digits.


5) Enumeration of user accounts
The password reset functionality leaks information about the existence of
supplied user accounts which can aid in further (brute-force) attacks.


6) Outdated and Vulnerable Software
Several software components which are affected by publicly known
vulnerabilities were identified in the firmware of the video baby monitor.


Proof of concept:
-
As the vendor could not be reached in order to get the issues fixed we will omit
detailed proof of concept information in this advisory.


1) Broke

Sharutils 4.15.2 Heap-Buffer-Overflow

2018-02-21 Thread nafiez
Unshar scans the input files (typically email messages) looking for the
start of a shell archive. If no files are given, then standard input is
processed instead. Unshar ships as part of Sharutils.

Bug was found with AFL.

==11164==ERROR: AddressSanitizer: heap-buffer-overflow on address
0xb5901100 at pc 0x0804c695 bp 0xbfe86f28 sp 0xbfe86f18
READ of size 1 at 0xb5901100 thread T0
    #0 0x804c694 in looks_like_c_code
/home/john/sharutils-4.15.2/src/unshar.c:75
    #1 0x804c694 in find_archive
/home/john/sharutils-4.15.2/src/unshar.c:253
    #2 0x804c694 in unshar_file /home/john/sharutils-4.15.2/src/unshar.c:379
    #3 0x804a2f4 in validate_fname
/home/john/sharutils-4.15.2/src/unshar-opts.c:604
    #4 0x804a2f4 in main /home/john/sharutils-4.15.2/src/unshar-opts.c:639
    #5 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)
    #6 0x804ab95  (/home/john/sharutils-4.15.2/src/unshar+0x804ab95)

0xb5901100 is located 0 bytes to the right of 4096-byte region
[0xb5900100,0xb5901100)
allocated by thread T0 here:
    #0 0xb72dfdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x804c9e4 in init_unshar /home/john/sharutils-4.15.2/src/unshar.c:450
    #2 0xb70ab636 in __libc_start_main
(/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/john/sharutils-4.15.2/src/unshar.c:75 looks_like_c_code
Shadow bytes around the buggy address:
  0x36b201d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b201f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36b20210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36b20220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36b20270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Heap right redzone:  fb
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack partial redzone:   f4
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:    f7
  Container overflow:  fc
  Array cookie:    ac
  Intra object redzone:    bb
  ASan internal:   fe
==11164==ABORTING


Thanks,

nafiez