CVE-2016-5080: Memory corruption in code generated by Objective Systems Inc. ASN1C compiler for C/C++ [STIC-2016-0603]

2016-07-19 Thread Programa STIC
Fundación Dr. Manuel Sadosky - Programa STIC Advisory
www.fundacionsadosky.org.ar

Heap memory corruption in ASN.1 parsing code generated by Objective
Systems Inc. ASN1C compiler for C/C++


1. *Advisory Information*

Title: Heap memory corruption in ASN.1 parsing code generated by
Objective Systems Inc. ASN1C compiler for C/C++
Advisory ID: STIC-2016-0603
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2016-07-18
Date of last update: 2016-07-19
Vendors contacted: Objective Systems Inc.
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Identifier: CVE-2016-5080


3. *Vulnerability Description*

Abstract Syntax Notation One (ASN.1) is a technical standard and formal
notation that describes rules and structures for representing, encoding,
transmitting, and decoding data in telecommunications and computer
networking[1]. It is a joint standard of the International Organization
for Standardization (ISO), International Electrotechnical Commission
(IEC), and International Telecommunication Union Telecommunication
Standardization Sector ITU-T[2] used in technical standards for wireless
communications such as GSM, UMTS and LTE, Lawful Interception,
Intelligent Transportation Systems, signalling in fixed and mobile
telecommunications networks (SS7), wireless broadband access (WiMAX),
data security (X.509), network management (SNMP), voice over IP and
IP-based videoconferencing (H.323), manufacturing, aviation, aerospace
and several other areas[3].

Software components that generate, transmit and parse ASN.1 encoded data
constitute a critical building block of software that runs on billions
of mobile devices, telecommunication switching equipment and systems for
operation and management of critical infrastructures. The ASN.1
specification is sufficiently complicated to make writing programs that
parse ASN.1 encoded data a perilous and error-prone activity. Many
technology vendors have adopted the practice of using computer-generated
programs to parse ASN.1 encoded data. This is accomplished by using an
ASN.1 compiler, a software tool that given as input a data specification
written in ASN.1 generates as output the source code of a program that
can be used to encode and decode in compliance with the specification.
The output of an ASN.1 compiler is generally incorporated as a building
block in a software system that transmits or processes ASN.1 encoded data.

Objective Systems Inc. is a US-based private company[5] that develops
and commercializes ASN1C, an ASN.1 compiler for various programming
languages, to vendors in the telecommunications, data networking,
aviation, aerospace, defense and law enforcement sectors[6].

A vulnerability found in the runtime support libraries of the ASN1C
compiler for C/C++ from Objective Systems Inc. could allow an attacker
to remotely execute code in software systems, including embedded
software and firmware, that use code generated by the ASN1C compiler.
The vulnerability could be triggered remotely without any authentication
in scenarios where the vulnerable code receives and processes ASN.1
encoded data from untrusted sources; these may include communications
between mobile devices and telecommunication network infrastructure
nodes, communications between nodes in a carrier's network or across
carrier boundaries, or communication between mutually untrusted
endpoints in a data network.

Objective Systems Inc. has addressed the issue and built a fixed interim
version of the ASN1C for C/C++ compiler that is available to customers
upon request. The fixes will be incorporated in the next (v7.0.2)
release of ASN1C for C/C++.

For further information about vulnerable vendors and available fixes
refer to the CERT/CC vulnerability note [4].


4. *Vulnerable packages*

Software systems that use ASN.1 parsing code generated with Objective
Systems Inc. ASN1C compiler for C/C++ version 7.0 or below. Refer to the
CERT/CC vulnerability note[4] for a list of potentially affected vendors.


5. *Vendor Information, Solutions and Workarounds*

Vendor fixed the issue in an interim release of the ASN1C v7.0.1
compiler available to customers upon request[5]. The upcoming ASN1C
v7.0.2 release will incorporate the fixes.


6. *Credits*

This vulnerability was discovered and researched by Lucas Molas. The
publication of this advisory was coordinated by Programa Seguridad en TIC.

7. *Technical Description*

This document details a bug found in the latest release of Objective
Systems Inc. ASN1C compiler for C/C++ (v7.0.0), particularly in the
'rtxMemHeapAlloc' function contained in the pre-compiled 'asn1rt_a.lib'
library, where two integer overflows have been detected, which could
lead to corruption of heap memory in an attacker-controlled scenario.

The component analyzed

Prey Anti-Theft for Android missing SSL certificate validation [STIC-2014-0731]

2014-11-12 Thread Programa STIC

Fundación Dr. Manuel Sadosky - Programa STIC Advisory
www.fundacionsadosky.org.ar

Prey Anti-Theft for Android missing SSL certificate validation

1. *Advisory Information*

Title: Prey Anti-Theft for Android missing SSL certificate validation
Advisory ID: STIC-2014-0731
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-11
Vendors contacted: Fork Ltd. (developer of Prey Anti-theft)
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Denial of service, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-PENDING

3. *Vulnerability Description*

Prey Anti-theft for Android is a free application that lets
smartphone owners track and locate lost or stolen devices. It provides
accurate geolocation of a missing device and allows users to remotely
lock it, take pictures, play alarm sounds or display onscreen
messages. The application features can be controlled from the Prey
project's website or via SMS. As of November, 2014 the application had
between 1 to 5 million installations worldwide according to Google
Play statistics[1].

Although communication between the Prey application running on an
Android device and the controlling web server is performed over HTTPS,
the former does not validate the SSL certificate presented by the
latter. As a result it is possible to completely subvert the
anti-theft protection of Prey. To do so, an attacker simply needs to
perform a Man-in-the-Middle attack on the communications between the
Prey app running in the device (presumably stolen and locked with a
user-provided password) and the web server, present a fake server SSL
certificate and send a 'lock command' with a password of the
attacker's choosing to the device. The attacker can then unlock the
device manually with her provided password. Other types of attacks are
possible since all communications between the device and the website
can be inspected and modified by an attacker.


4. *Vulnerable packages*

   . Prey Anti-theft for Android version 1.1.3 and below.

5. *Vendor Information, Solutions and Workarounds*

  The vendor acknowledged the problem and committed to publish a
new version of the application fixing the issue by November 11th, 2014.

  In the meantime, users can uninstall the Prey Anti-theft
application by opening the Settings panel on their devices,
selecting the Application Manager, clicking on Prey and
Uninstall. These step-by-step instructions may vary depending on
which version of the Android OS is running on the device.


6. *Credits*

This vulnerability was discovered and researched by Joaquín Manuel
Rinaudo. The publication of this advisory was coordinated by Programa
de Seguridad en TIC.

7. *Technical Description*

The vulnerability is found in the 'com.prey.net.HttpUtils' class
which instantiates an HttpClient to connect to Prey's server. The
HttpClient uses a custom SSLSocketFactory named EasySSLSocketFactory
to obtain socket objects used to communicate with the server. This
class also calls the method
'setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)' to
accept as valid any hostname presented in the server certificate[2].
Furthermore, since EasySSLSocketFactory implements an
'X509TrustManager' with empty verifier methods [3], any SSL
certificate presented by the server is considered valid by the
application. This allows an attacker to mount a MITM attack to
impersonate the Prey panel server with a self-made X509 certificate.

To unlock a stolen device, the attacker needs to spoof the lock
command specifying a new password to gain control of the device. This
could be done by modifying the server's response to the device request
for commands at
'https://solid.preyproject.com/api/v2/devices/[DEVICE_ID].json' to:

/-
[
  {
    "command": "start",
    "options": {
      "unlock_pass": "easy"
    },
    "target": "lock"
  }
]
-/

The application tries to obtain new commands from the server by
registering to listen multiple Android events such as changes in
connectivity, battery level, accessing the airplane mode and even
turning on and off the device.


8. *Report Timeline*

. 2014-09-17:
  Request for security contact info filed in support page on
the Prey project's website.

. 2014-09-23:
  The vendor team asks Programa de Seguridad en TIC to send
the vulnerability report via unencrypted email to
secur...@preyproject.com.

. 2014-10-01:
  Technical details sent to the vendor.

. 2014-10-25:
Programa de Seguridad en TIC requested a status update about the
issue and communicated an estimated release date of the advisory by
the 27th of October, 2014. Vendor

Missing SSL certificate validation in MercadoLibre app for Android [STIC-2014-0211]

2014-11-11 Thread Programa STIC
Fundación Dr. Manuel Sadosky - Programa STIC Advisory
www.fundacionsadosky.org.ar

Missing SSL certificate validation in MercadoLibre app for Android

1. *Advisory Information*

Title: Missing SSL cert validation in MercadoLibre app for Android
Advisory ID: STIC-2014-0211
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-11
Date of last update: 2014-11-10
Vendors contacted: MercadoLibre (NASDAQ:MELI)
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Improper Following of a Certificate's Chain of Trust [CWE-296]
Impact: Data loss
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Identifier: CVE-2014-5658


3. *Vulnerability Description*

   MercadoLibre (NASDAQ:MELI) is an online trading company focused on
enabling e-commerce and its related services in Latin America. According
to the company[1] MercadoLibre is the largest e-commerce ecosystem in
Latin America, offering a wide range of services to sellers and buyers
throughout the region including marketplace, payments, advertising and
e-building solutions. It operates in 13 countries including Argentina,
Brazil, Chile, Colombia, Mexico, Peru, and Venezuela.

The company provides services to its users through a set of
country-localized web applications and an Android application that is
available for download in Argentina, Brasil, Chile, Colombia, Costa
Rica, Ecuador, México, Panamá, Perú, Portugal, República Dominicana,
Uruguay and Venezuela. As of November 2014, the application had between 10
and 50 million installations according to Google Play statistics[2].

Vulnerable versions of the MercadoLibre's app for Android do not
validate the SSL certificate presented by the server. This allows
attackers to present fake certificates and perform Man-in-the-Middle
attacks allowing them to capture user's credentials to the site and
credit card information.

The vendor fixed the problem in the latest version of the
applications. Users are advised to update their app as soon as possible.


4. *Vulnerable packages*

   . MercadoLibre for Android prior to 3.10.6.

5. *Vendor Information, Solutions and Workarounds*

 MercadoLibre acknowledged and fixed the vulnerability in version
3.10.6. They did so by updating the LoopJ Asynchronous Http Client
library to a version that does not skip the certificate validation
process by default.

  To determine which version of the application you have installed
on your Android device, go to Settings|application settings|manage
application then tap on the MercadoLibre app.


6. *Credits*

This vulnerability was discovered and researched by Joaquín Manuel
Rinaudo. The publication of this advisory was coordinated by Programa de
Seguridad en TIC.
  Will Dormann of CERT/CC independently discovered the SSL
certificate validation vulnerability using the CERT Tapioca tool.[5]

7. *Technical Description*

  MercadoLibre Android's application uses the LoopJ Android
Asynchronous HTTP client library [3] to communicate with the company's
web services. HTTP requests destined to the server are passed through
the 'MLAPIClient' interface to this library, which is responsible for
establishing a secure connection.

  The vulnerability is found in the class 'AsyncHttpClient' inside
the loopj library, which uses the class 'FakeSocketFactory' to set up
new sockets used to connect to remote web services. The sockets created
use a custom X509TrustManager named 'FakeTrustManager'. The
TrustManager's task is to verify that the SSL certificate presented by
the server is valid in order to prevent Man-in-the-Middle attacks. Since
'FakeTrustManager' is just an empty implementation, all SSL certificates
presented to it will be considered valid. This allows an attacker to
mount a MITM attack to capture user authentication credentials and other
security-sensitive data by intercepting traffic, creating fake X509
certificates on the fly and submitting them to MercadoLibre's Android
application.
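The empty-trust-manager pattern described in the technical sections of both the Prey advisory (EasySSLSocketFactory with an X509TrustManager whose verifier methods are empty, plus ALLOW_ALL_HOSTNAME_VERIFIER) and this MercadoLibre advisory (LoopJ's FakeSocketFactory/FakeTrustManager), shown next to a configuration that keeps the platform's certificate and hostname checks. This is an illustration added for this page, not code from either application or from the LoopJ library; the class and method names are hypothetical, and it uses only javax.net.ssl so it compiles on any JDK 8+ (Android's HttpsURLConnection behaves the same way, with the system trust store as the default).

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Illustration written for this page (hypothetical names): the empty
 * X509TrustManager anti-pattern beside a configuration that leaves the
 * platform's chain validation and hostname verification in place.
 */
public final class ServerTrustExample {

    /** The anti-pattern: every chain passes because the checks do nothing. */
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // intentionally empty: no validation at all
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // intentionally empty: a self-made certificate is accepted here
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0]; // no trust anchors: a tell-tale sign in code review
        }
    }

    /** VULNERABLE: empty trust manager plus an allow-all hostname verifier. */
    static HttpsURLConnection openInsecurely(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new AcceptAllTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Equivalent of Apache HttpClient's SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER:
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    /** HARDENED: platform trust anchors and the default hostname verifier. */
    static HttpsURLConnection openSecurely(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, platformTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: the default verifier matches the
        // certificate's subject names against the URL host.
        return conn;
    }

    /** Trust managers backed by the OS/JDK certificate store (null KeyStore = default). */
    static TrustManager[] platformTrustManagers() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    /** Review aid: how many trust anchors a set of trust managers actually carries. */
    static int trustAnchorCount(TrustManager[] managers) {
        int count = 0;
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("platform trust anchors:   "
                + trustAnchorCount(platformTrustManagers()));
        System.out.println("accept-all trust anchors: "
                + trustAnchorCount(new TrustManager[] { new AcceptAllTrustManager() }));
        // Hypothetical host; pass the endpoint under test as the first argument.
        URL url = new URL(args.length > 0 ? args[0] : "https://example.invalid/");
        HttpsURLConnection conn = openSecurely(url);
        System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
    }
}
```

When reviewing an Android or Java client, the two signals to look for are exactly the ones this block contrasts: a custom X509TrustManager whose check methods have empty bodies (or whose getAcceptedIssuers returns an empty array), and any hostname verifier that always returns true. Against a server presenting a self-made certificate, openInsecurely completes the handshake while openSecurely fails it with a javax.net.ssl.SSLHandshakeException.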


8. *Report Timeline*

. 2014-09-02:

Initial contact with the vendor requesting security contact
information to report vulnerabilities.

. 2014-09-09:
Security contact information provided

. 2014-09-09:
Programa de Seguridad en TIC sent the vendor a description of the
vulnerability notifying them also that CERT/CC[5] had published a
document listing applications that failed to validate SSL certificates
that included the MercadoLibre app, making the vulnerability now public.

. 2014-09-09:
The vendor acknowledged the vulnerability and assured that the problem
was being addressed.

. 2014-09-09:
Programa de Seguridad en TIC sent description of the ongoing research
project in which the vulnerability was discovered as well as reference
to the vulnerability disclosure policy and procedures[4].

. 2014-09-17:
Programa de Seguridad en TIC requested a status update and estimated
date for the release of a fixed

Insecure management of login credentials in PicsArt Photo Studio for Android [STIC-2014-0426]

2014-11-06 Thread Programa STIC

Fundación Dr. Manuel Sadosky - Programa STIC Advisory
  http://www.fundacionsadosky.org.ar

Insecure management of login credentials in PicsArt Photo Studio for
Android

1. *Advisory Information*

Title: Insecure management of login credentials in PicsArt Photo
Studio for Android
Advisory ID: STIC-2014-0426
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-06
Date of last update: 2014-11-06
Vendors contacted: PicsArt
Release mode: Unilateral release

2. *Vulnerability Information*

Class: Improper Certificate Validation [CWE-295], Insufficiently
Protected Credentials [CWE-522]
Impact: Data loss
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Identifier: CVE-2014-5674, CVE-2014-NOCVE

3. *Vulnerability Description*

PicsArt Photo Studio is a free and full featured photo-editing and
drawing mobile app available on Android, iOS and Windows Phone. As of
October, 2014 the Android version of the app had between 100 and 500
million downloads from the Google Play store. According to the vendor
the app has been installed more than 175 million times, has a 7
million monthly growth and more than 45 million monthly active
users[1]. Users can take, edit, publish and share photos on the
PicsArt website and on popular social networks such as Facebook,
Twitter and Google+ directly from the mobile app.

Originally the PicsArt application for Android[2] did not use HTTPS to
send security-sensitive information to the servers, allowing attackers
to hijack PicsArt user accounts simply by capturing network traffic.
After our original report to the vendor in May 2014, the app started
using HTTPS but it does not validate the server's SSL certificate,
allowing an attacker to perform Man-In-The-Middle attacks. PicsArt
user accounts can still be hijacked by capturing the user id sent as
value of the 'key' parameter in certain HTTPS GET requests.

Additionally, a user can sign up to PicsArt using her Facebook,
Twitter or Google+ account or using a standard email and password
scheme. When the user signs up using a third party social network
account, the user ID and access token obtained from those social
networks are sent to the PicsArt servers to identify the user during
the login phase.

This implies that the PicsArt servers, not just the PicsArt Photo
Studio application running on the user's device, can impersonate the
user on the social networks. However the PicsArt server API does not
verify if the user's Google+, Facebook or Twitter access token is
valid during the login of the Android application. As a result, an
attacker can send a login request providing only a social network ID
to obtain the PicsArt's credentials associated to that
Google+/Facebook/Twitter user. This allows the attacker to obtain
access to any user account created from a social network account. The
attacker can also steal access tokens of PicsArt users to third party
social networks such as Facebook, Twitter, Google+, etc. This issue
affects all PicsArt users who access their account via
Google+/Facebook/Twitter.


4. *Vulnerable packages*

  . PicsArt Photo Studio for Android versions later than 4.6.3 and up to
and including 4.6.12 use HTTPS but do not validate the SSL server
certificate.
  . PicsArt Photo Studio for Android versions later than 4.2.2 and earlier
than 4.6.3 use both HTTP and HTTPS and do not validate the SSL server
certificate.
  . PicsArt Photo Studio for Android versions prior to 4.2.2 do not use
HTTPS to receive and transmit security-sensitive data.

5. *Vendor Information, Solutions and Workarounds*

  After the initial report to the vendor, PicsArt released version
4.2.2. This version started using HTTPS for most, but not all, of the
server API. Since 4.6.3 there are no API methods that leak the user's
session key over HTTP. Adding HTTPS communication to the server in
4.2.2 did not fix the problem, since the application lacks certificate
validation and so remains open to Man-in-the-Middle attacks. Despite
several notifications sent to PicsArt, the latest version (4.6.12, as of
publication of this advisory) is still missing proper certificate
validation checks.

  The server API is still missing the validation of the login access
token.

  A workaround to prevent attackers from compromising a PicsArt user's
Facebook, Twitter or Google+ account is to disable the PicsArt
application access to their profile. From Facebook or Twitter go to
Settings|App and remove PicsArt application from the list of apps.
For Google+ go to Account|Security|Apps and websites and click on
revoke access on PicsArt application.

  PicsArt users concerned about their privacy or the security of their
account should stop using the Android application until patches with
proper SSL certificate validation are issued by the vendor and the
server APIs are fixed.


6. *Credits*
  This vulnerability was discovered and researched by Joaquín Manuel

Vulnerabilities in Facebook and Facebook Messenger for Android [STIC-2014-0529]

2014-07-30 Thread Programa STIC

Security advisory of Programa STIC at Fundación Dr. Manuel Sadosky
www.fundacionsadosky.org.ar

Vulnerabilities in Facebook and Facebook Messenger for Android

1. *Advisory Information*

Title: Vulnerabilities in Facebook and Facebook Messenger for Android
Advisory ID: STIC-2014-0529
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones
Date published: 2014-07-28
Date of last update: 2014-07-28
Vendors contacted: Facebook Inc. (NASDAQ:FB)
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Information Exposure Through Sent Data [CWE-201], Information
Exposure Through Sent Data [CWE-201], Unintended Proxy or Intermediary
[CWE-441]
Impact: Denial of service, Data loss
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2014-Y, CVE-2014-X, CVE-2014-Z

3. *Open proxy in Facebook application for Android*

  [CVE-2014-Z]

  According to Facebook's published financial results for the second
quarter of 2014, as of June 30th the company had 1.07 billion mobile
active users and an average of 654 million mobile daily active users[1].
The Facebook application for Android is among the top 10 most installed
Android applications worldwide with 500 to 1,000 million installations
as of June 24th, 2014[3].

  The application embeds a generic HTTP server component that is used as
a caching proxy for playing video recordings. This server is
misconfigured and accepts requests from any client, local or remote,
allowing attackers to connect to it and use a victim's device as an open
proxy. As a result, among other things, an attacker could carry out
various forms of denial of service attacks such as filling up the
device's storage or running up the subscriber's data transfer limit over
3G or LTE networks.

4. *Disclosure of private video content in Facebook application for
Android*

  [CVE-2014-X]

  The application allows users to upload video to Facebook and configure
who should be able to play it back (publicly accessible, friends only,
oneself, custom list). The application also allows users to playback
video on the Android device. Viewing video content marked by the user as
private is prevented by Facebook in accordance with the company's privacy
policy [2] if the connecting client is a web browser. However, if the
user connects to Facebook using the Android application the
confidentiality of private video and audio content is not enforced.

  The application retrieves video content for playback in an insecure
manner, allowing anyone with access to the same network where the
Android device is connected or to any network in the path between the
device and Facebook's Content Delivery Network to capture or retrieve
video content disregarding the user's configured access policy and
bypassing Facebook's privacy policy.

5. *Disclosure of audio recordings in chat messages in Facebook and
Facebook Messenger for Android*

  [CVE-2014-Y]

  The Facebook Messenger application is also among the top 10 most
installed Android applications worldwide with 500 to 1000 million
installs[4]. Both Facebook and Facebook Messenger applications allow
users to send and playback audio recordings as messages within a chat
session. Transmission of the audio content is done using an insecure
network protocol, allowing anyone with access to the same network where
the Android device is connected or to any network in the path between
the device and Facebook's Content Delivery Network to capture or
retrieve chat audio recordings bypassing Facebook's privacy policy.

6. *Video Cache Server vulnerability: Vulnerable packages*

  . Facebook Android application older than version 13.0.0.13.14

7. *Video vulnerability: Vulnerable packages*

  . Facebook Android application older than version 10.0.0.28.27 up
until June 11th, 2014.

8. *Audio vulnerability: Vulnerable packages*

  . Facebook Android application older than version 10.0.0.28.27

  . Facebook Messenger Android application older than version 5.0.0.25.1

9. *Vendor Information, Solutions and Workarounds*

Facebook acknowledged and corrected all three vulnerabilities.
According to the company, the audio recording issue was already known
and a fix was being beta tested at the time the bug was originally
reported. The company released new application updates that fix both
audio and video vulnerabilities.
The fix to the disclosure of audio recordings required a new
application update. The fix to the video disclosure vulnerability works
with current and prior versions of the application that support
retrieval of video from the CDN using HTTPS.

Facebook's new update to version 13.0.0.13.14 fixed the open proxy
issue by configuring the video cache server to listen only to local
requests.

To determine which version of the applications you have installed on
your Android device, go to Settings|application settings|manage
application then tap on the Facebook