CVE-2016-4484: - Cryptsetup Initrd root Shell

2016-11-14 Thread Hector Marco
Hello All,


Affected package

Cryptsetup <= 2:1


CVE-ID
--
CVE-2016-4484


Description
---
A vulnerability has been found in Cryptsetup, specifically in the scripts that unlock the
system partition when the partition is ciphered using LUKS (Linux
Unified Key Setup).

This vulnerability allows an attacker to obtain a root initramfs shell on affected
systems. The vulnerability is very reliable because it doesn't depend on
specific systems or configurations. Attackers can copy, modify or
destroy the hard disc as well as set up the network to exfiltrate data.

In cloud environments it is also possible to remotely exploit this
vulnerability without having "physical access."


Full description:
-
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html


Regards,
Hector Marco & Ismael Ripoll.





Back to 28: Grub2 Authentication Bypass 0-Day [CVE-2015-8370]

2015-12-15 Thread Hector Marco-Gisbert

Hi everyone,

A vulnerability in Grub2 (Back to 28) has been found. Versions from 1.98
(December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be 
exploited under certain circumstances, allowing local attackers to bypass any 
kind of authentication (plain or hashed passwords). And so, the attacker may 
take control of the computer.



More details at:
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html


Regards,
Hector Marco & Ismael Ripoll.


--
Dr. Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)


AMD Bulldozer Linux ASLR weakness: Reducing entropy by 87.5%

2015-04-21 Thread Hector Marco-Gisbert
A security issue in the Linux ASLR implementation which affects some AMD processors 
has been found. The issue affects all Linux processes, even if they are not 
using shared libraries (statically compiled).


The problem appears because some mmapped objects (VDSO, libraries, etc.) are 
poorly randomized in an attempt to avoid cache aliasing penalties for AMD 
Bulldozer (Family 15h) processors.


Affected systems have reduced the mmapped files entropy by eight. Grsecurity/PaX 
is also affected.


The total entropy for the VVAR/VDSO, mmapped files and libraries of a process 
is reduced by eight. The number of possible locations where the mapped areas 
can be placed is reduced by 87.5%.


On 32-bit systems, for example, the entropy for libraries is reduced from 2^8 to 
2^5, which means that libraries only have 32 different places where they can be 
loaded. Under this scenario, advanced techniques used by PaX to thwart brute 
force attacks (for example, force a delay on the process creation when a crash 
occurs) are no longer effective. The attackers need on average only 16 trials.


Advisory details at:
http://hmarco.org/bugs/AMD-Bulldozer-linux-ASLR-weakness-reducing-mmaped-files-by-eight.html


We sent a patch, and Linux 4.1 Will Improve AMD Bulldozer's ASLR Entropy Issue:
http://www.spinics.net/lists/linux-tip-commits/msg27373.html



--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)


Linux ASLR mmap weakness: Reducing entropy by half

2015-04-21 Thread Hector Marco-Gisbert
A bug in the Linux ASLR implementation has been found. The issue is that the mmap 
base address for processes is not properly randomized on some architectures due 
to an improper bit-mask manipulation. Affected systems have reduced the mmap 
area entropy of the processes by half.


The number of possible locations is reduced by 50%, which for example will 
reduce the cost of brute force attacks.


PowerPC, Sparc64 and ARM have 18 bits of entropy. Non-vulnerable systems have 
262144 (2^18) different places to locate the mmap area. On vulnerable systems, 
this value is reduced to 131072 (2^17).



Advisory details at:
http://hmarco.org/bugs/linux-ASLR-reducing-mmap-by-half.html


--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)


CVE-2015-1593 - Linux ASLR integer overflow: Reducing stack entropy by four

2015-02-16 Thread Hector Marco
Hi,

A bug in the Linux ASLR implementation for versions prior to 3.19-rc3 has
been found. The issue is that the stack for processes is not properly
randomized on some 64-bit architectures due to an integer overflow.

Affected systems have reduced the stack entropy of the processes by four.


Details at:
http://hmarco.org/bugs/linux-ASLR-integer-overflow.html



Regards,
Hector Marco.
http://hmarco.org


CVE-2015-1574 - Google Email App 4.2.2 remote denial of service

2015-02-13 Thread Hector Marco

Hello,


Summary:

A bug in the stock Google email application version 4.4.2.0200 has been 
found. An attacker can remotely perform a Denial of Service attack by 
sending a specially crafted email. No interaction from the user is 
needed to produce the crash; just receiving the malicious email is enough.


CVE-2015-1574 has been assigned. Version 4.2.2.0200 running on a 
Samsung Galaxy 4 mini fully updated (19 Jan 2015) is affected. Newer 
versions (4.2.2.0400) are not affected.



Details and proof of concept exploit at:
http://hmarco.org/bugs/google_email_app_4.2.2_denial_of_service.html



Regards,
Hector Marco.
http://hmarco.org


Offset2lib: bypassing full ASLR on 64bit Linux

2014-12-04 Thread Hector Marco

Hi,

This is a disclosure of a weakness of the ASLR Linux implementation.
The problem appears when the executable is PIE compiled and it has an
address leak belonging to the executable. We named this weakness:
offset2lib.

In this scenario, an attacker is able to de-randomize all mmapped
areas (libraries, mapped files, etc.) by knowing only an address
belonging to the application and the offset2lib value.

We have built a PoC which bypasses, on a 64-bit Linux system, the three
most widely adopted and effective protection techniques: No-eXecutable
bit (NX), address space layout randomization (ASLR) and stack smashing
protector (SSP). The exploit obtains a remote shell in less than one
second.

We have proposed ASLRv3, a small Linux patch which removes
the offset2lib weakness.

Details of the weakness, steps to exploit the offset2lib weakness, a working
proof of concept exploit, recommendations and a demonstrative video have
been published at: http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html


Hector Marco.

http://cybersecurity.upv.es



CVE-2014-5439 - Root shell on Sniffit [with exploit]

2014-11-26 Thread Hector Marco

CVE-2014-5439 - Root shell on Sniffit

Sniffit is a packet sniffer and monitoring tool.

The attacker can create a specially-crafted sniffit configuration file, 
which is able to bypass all three protection mechanisms:

  -  Non-eXecutable bit (NX)
  -  Stack Smashing Protector (SSP)
  -  Address Space Layout Randomisation (ASLR)

and execute arbitrary code with root privileges.

Exploit, fix and discussion in:

http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html


Regards,
Hector Marco.
http://hmarco.org

Cybersecurity researcher at:
http://cybersecurity.upv.es/




Re: Bug in bash <= 4.3 [security feature bypassed]

2014-06-06 Thread Hector Marco


On 05/06/14 12:02, Daryl Tester wrote:

On 03/06/14 23:46, Hector Marco wrote:


Recently we discovered a bug in bash. After some time after reporting
it to bash developers, it has not been fixed.


...


Any comments about this issue are welcomed.

Details at:
http://hmarco.org/bugs/bash_4.3-setuid-bug.html


I'm only going by the patch presented above, so ...

1.  The program should be calling setgid() before setuid() (which is
another common class of security mistake).
2.  Why is exit() returning values greater than 255?  It's not capable
of doing that under (most) Unix environments.




a) I tried to patch by doing minimal changes to the bash source code. 
Originally, bash calls setuid() first and setgid() later. As you point 
out, this is not the best option. So, this code actually has 2 mistakes. 
I changed the order of the calls in the patch, thanks, but anyway the 
patch achieves its goal: preventing bash from being a valid target shell 
in an attack.


b) I can imagine why you spent time writing about the patch and not 
about the important point here, which is the bug.
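The two points raised in this exchange (drop the gid before the uid, and never ignore the return value of setuid(), which can fail with EAGAIN under RLIMIT_NPROC on pre-3.1 kernels) can be illustrated with a privilege-dropping routine written the recommended way. This is an added example, not bash's code and not the patch from the advisory; it assumes Linux/glibc (getresuid/getresgid), and the demo in main() drops to the caller's own ids so it can be run unprivileged.

```c
// Added example (not bash's code, nor the advisory's patch): a
// privilege-dropping routine written the way the thread recommends:
// supplementary groups and gid first, uid last, and every call checked, so
// a failed setuid() (e.g. EAGAIN from RLIMIT_NPROC on pre-3.1 kernels) can
// never leave the process running with its original privileges unnoticed.
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

// Prototypes restated in case a strict -std mode hides them (Linux/glibc).
int setgroups(size_t, const gid_t *);
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);

// Returns 0 on success; on any failure returns -1 with errno set and the
// caller must abort rather than proceed (the "mandatory if clause").
int drop_privileges(uid_t uid, gid_t gid) {
    // 1. Supplementary groups: only root can clear them; for an already
    //    unprivileged caller there is nothing to clear.
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    // 2. gid before uid: once the uid is dropped, setgid() would fail.
    if (setgid(gid) != 0)
        return -1;
    // 3. uid last. For a root caller setuid() sets real, effective and
    //    saved uid, so the drop is permanent, but the call can still fail.
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

// Verify the drop independently of the return values: all three uids and
// gids must match the target, otherwise the process could regain privileges.
int privileges_dropped(uid_t uid, gid_t gid) {
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

int main(void) {
    // Constructed demo: drop to the invoking user's own ids, which works
    // unprivileged; run as root with a real target uid to see the full drop.
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop failed: %s; refusing to continue\n", strerror(errno));
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fputs("privileges not fully dropped; refusing to continue\n", stderr);
        return 1;
    }
    puts("privileges dropped and verified");
    return 0;
}
```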




Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]

2014-06-05 Thread Hector Marco


On 04/06/14 11:13, Jose Carlos Luna Duran wrote:

In my opinion the drop of privs in bash was mostly a help measure
for poorly written setuid programs executing system() calls. I don't
think it is the role of bash to do this, as the problem that could be
exploited by that would really be in the original program that does
not drop privs before invoking the shell. This has been known for some
time in some circles at least, but as I said the problem would really
be in the non-priv-dropping privileged program, that's why most people
did not really care that much. Last year there was a vuln that is very
much related to this subject:
http://blog.cmpxchg8b.com/2013/08/security-debianisms.html


We already knew that this bug was known by the Bash developers.



Correct me if I'm wrong, but even in that case there is another help
measure that has been implemented at least in Linux kernels >= 3.1:
http://lxr.free-electrons.com/source/kernel/sys.c?v=3.1#L628

Therefore setuid calls do not fail anymore even in the case of
existing resource limits for processes (in linux).


You can still exploit this in the 2.6.x Linux kernel. The 2.6.x versions
are still in widespread use. (Red Hat Enterprise Linux version 6.5, released
a short time ago, is based on version 2.6.32. Possibly Red Hat changed the
RLIMIT_NPROC behavior, but there are other 2.6.x-based Linux distributions 
also.)



But in any case, for the sake of correctness I agree that the
drop_priv code should be fixed (or just completely removed...).


I agree, but if they finally decide to remove the code it would seem
a consequence of the disclosure. Right now it makes more sense to fix
the bug. This is because this vulnerability (thanks to the help measure in
the kernel) is more difficult to exploit. So, the drop-privilege code
makes more sense nowadays than when it was initially coded.



2014-06-03 16:16 GMT+02:00 Hector Marco hecma...@upv.es:

Hi everyone,

Recently we discovered a bug in bash. Some time after reporting
it to the bash developers, it has not been fixed.

We think that this is a security issue because in some circumstances
the bash security feature could be bypassed, allowing bash to be a
valid target shell in an attack.

We strongly recommend patching your bash code.

Why not fix this bug by simply adding the mandatory if clause?
Any comments about this issue are welcomed.


Details at:
http://hmarco.org/bugs/bash_4.3-setuid-bug.html



Thank you,

Hector Marco
http://hmarco.org







CVE-2013-6876 s3dvt Root shell

2014-06-04 Thread Hector Marco

CVE-2013-6876 s3dvt Root shell

About s3dvt:

s3dvt is part of the 3d network display server which can be used as
3d desktop environment.



Vulnerability:

A vulnerability in s3dvt for versions prior to 0.2.2 allows an attacker to obtain
a root shell.


Details, patches, discussion and strategy to exploit at:
http://hmarco.org/bugs/s3dvt_0.2.2-root-shell.html


Because we found a bug in bash <= 4.3, this vulnerability can be
successfully exploited. Bash bug details at:
http://hmarco.org/bugs/bash_4.3-setuid-bug.html



Hector Marco
http://hmarco.org



CVE-2013-6825 DCMTK Root Privilege escalation

2014-06-04 Thread Hector Marco

CVE-2013-6825 DCMTK Root Privilege escalation

About DCMTK:

DCMTK is a collection of libraries and applications implementing large parts
of the DICOM standard. It includes software for examining, constructing and
converting DICOM image files, handling offline media, sending and receiving
images over a network connection, as well as demonstrative image storage and
worklist servers.



Vulnerability:

A bug in DCMTK for versions prior to 3.6.1 allows privilege escalation.
All DCMTK versions from 1993 to the current 3.6.1 (released 
February 2014) are affected. The vulnerable packages are:

- dcmpsrcv
- dcmprscp
- movescu
- storescp
- dcmqrscp
- wlmscpfs
- dcmrecv


Details, patches, discussion and strategy to exploit at:
http://hmarco.org/bugs/dcmtk-3.6.1-privilege-escalation.html



Hector Marco
http://hmarco.org


CVE-2014-1226 s3dvt Root shell (still)

2014-06-04 Thread Hector Marco

CVE-2014-1226 s3dvt Root shell (still)


About s3dvt:

s3dvt is part of the 3d network display server which can be used as
3d desktop environment.



Vulnerability:

The s3dvt developers forgot to review all the code. There is still a
vulnerable function, as in the previous CVE-2013-6825. As of
Jun 1, 2014 the last commit of s3dvt is still vulnerable and
exploitable. Commit: 1e9c9c53fa192cbf4f79d724b5e6c76374516968


Details, patches, discussion and strategy to exploit at:
http://hmarco.org/bugs/CVE-2014-1226-s3dvt_0.2.2-root-shell.html


Because we found a bug in bash <= 4.3, this vulnerability can be
successfully exploited. Bash bug details at:
http://hmarco.org/bugs/bash_4.3-setuid-bug.html



Hector Marco
http://hmarco.org


Bug in bash <= 4.3 [security feature bypassed]

2014-06-04 Thread Hector Marco

Hi everyone,

Recently we discovered a bug in bash. Some time after reporting
it to the bash developers, it has not been fixed.

We think that this is a security issue because in some circumstances
the bash security feature could be bypassed, allowing bash to be a
valid target shell in an attack.

We strongly recommend patching your bash code.

Why not fix this bug by simply adding the mandatory if clause?
Any comments about this issue are welcomed.


Details at:
http://hmarco.org/bugs/bash_4.3-setuid-bug.html



Thank you,

Hector Marco
http://hmarco.org


[FD] CVE-2013-6876 s3dvt Root shell

2014-06-03 Thread Hector Marco

CVE-2013-6876 s3dvt Root shell

About s3dvt:

s3dvt is part of the 3d network display server which can be used as
3d desktop environment.


Vulnerability:

A vulnerability in s3dvt for versions prior to 0.2.2 allows an attacker to obtain
a root shell.


Details, patches, discussion and strategy to exploit at:

http://hmarco.org/bugs/s3dvt_0.2.2-root-shell.html



Because we found a bug in bash <= 4.3, this vulnerability can be
successfully exploited. Bash bug details at:

http://hmarco.org/bugs/bash_4.3-setuid-bug.html



Hector Marco
http://hmarco.org


CVE-2014-1226 s3dvt Root shell (still)

2014-06-03 Thread Hector Marco

CVE-2014-1226 s3dvt Root shell (still)


About s3dvt:

s3dvt is part of the 3d network display server which can be used as
3d desktop environment.



Vulnerability:

The s3dvt developers forgot to review all the code. There is still a
vulnerable function, as in the previous CVE-2013-6825. As of
July 1, 2014 the last commit of s3dvt is still vulnerable and
exploitable. Commit: 1e9c9c53fa192cbf4f79d724b5e6c76374516968


Details, patches, discussion and strategy to exploit at:
http://hmarco.org/bugs/CVE-2014-1226-s3dvt_0.2.2-root-shell.html


Because we found a bug in bash <= 4.3, this vulnerability can be
successfully exploited. Bash bug details at:
http://hmarco.org/bugs/bash_4.3-setuid-bug.html



Hector Marco
http://hmarco.org


CVE-2013-6825 DCMTK Root Privilege escalation

2014-06-03 Thread Hector Marco

CVE-2013-6825 DCMTK Root Privilege escalation

About DCMTK:

DCMTK is a collection of libraries and applications implementing large parts
of the DICOM standard. It includes software for examining, constructing and
converting DICOM image files, handling offline media, sending and receiving
images over a network connection, as well as demonstrative image storage and
worklist servers.



Vulnerability:

A bug in DCMTK for versions prior to 3.6.1 allows privilege escalation.
All DCMTK versions from 1993 to the current 3.6.1 (released 
February 2014) are affected. The vulnerable packages are:

- dcmpsrcv
- dcmprscp
- movescu
- storescp
- dcmqrscp
- wlmscpfs
- dcmrecv


Details, patches, discussion and strategy to exploit at:
http://hmarco.org/bugs/dcmtk-3.6.1-privilege-escalation.html



Hector Marco
http://hmarco.org


CVE-2013-4788 - Eglibc PTR MANGLE bug

2013-07-15 Thread Hector Marco


Hi guys,

The following is a bug that we found while we were working around
stack smashing protection techniques.


Title: CVE-2013-4788 - Eglibc PTR MANGLE bug


0.- Description

This bug was discovered in March 2013 while we were developing the RAF SSP
technique. The glibc bug makes it easy to take advantage of common
errors such as buffer overflows, allowing in these cases the redirection of
the execution flow and potentially the execution of arbitrary code.


1.- Impact

All statically linked applications compiled with glibc and eglibc are
affected, independent of the operating system distribution. Note that this
problem is not solved by only patching the eglibc, but it is also necessary
to recompile all static executables. As far as I know there are a lot of
routers, embedded systems etc., which use statically linked applications.
Since the bug is from the beginning of the PTR_MANGLE implementations
(years 2005-2006) there are a ton of vulnerable devices.


2.- Vulnerable packages

The bug has been propagated to all the static code compiled with all
versions, on all architectures, of glibc from 2.4 (06-Mar-2006) to 2.17
(current version).


3.- Vulnerability

The vulnerability is caused by the pointer guard not being initialized to a
random value (it is always zero) by glibc, only when generating statically
compiled executables. Dynamic executables are not affected. The pointer guard
is used to mangle the content of sensitive pointers (longjmp, signal handlers,
etc.); if the pointer guard value is zero (non-initialized) then it is not
effective. An example: library functions like setjmp() or longjmp() use
PTR_MANGLE and PTR_DEMANGLE. These macros are used to protect structures
like jmp_buf. Basically they consist of XOR-ing the pointer value with a
random 32/64-bit value. Since the pointer guard (random value) is 0x0 the
attacker can easily calculate off-line the value of a target address. By
overwriting the env structure with the pre-computed address the
vulnerability is triggered when longjmp() is called and the execution flow
is redirected to the attacker's address.

4.- Exploit

The bug was tested with Debian 7.1 and Ubuntu (12.04 LTS and 13.04). I already
created a proof of concept to exploit this vulnerability for both 32- and 64-bit
x86 architectures. The proof of concept poc-bug-mangle.c redirects the
execution flow to a function which prompts a shell. This exploit can be
compiled for both i386 and x86_64 architectures. More architectures can be
added easily by adding the corresponding defines.

Compilation for i386:
   gcc poc-bug-mangle.c -o poc-bug-mangle -static

Compilation for x86_64:
   gcc poc-bug-mangle.c -o poc-bug-mangle_32 -static -m32
   gcc poc-bug-mangle.c -o poc-bug-mangle_64 -static -m64

Execution output:
   b...@iti.upv.es:~$ ./poc-bug-mangle
   [+] Exploiting ...
   [+] hacked !!
   $



5.- FIX

Note that the bug is not solved by only patching the eglibc, but it is also
necessary to recompile all static executables. I have created a non-official
patch ptr_mangle-eglibc-2.17.patch for glibc-2.17.

Patching glibc-2.17:
   wget http://hmarco.org/bugs/patches/ptr_mangle-eglibc-2.17.patch
   cd glibc-2.17
   patch -p1 < ../ptr_mangle-eglibc-2.17.patch


6.- Discussion

Although this bug is not exploitable by itself, the truth is that the PTR
Mangle encryption is useless. The goal of the protection technique is not
achieved. This can be seen as if the stack canary were set to 0x0: although
not exploitable by itself, it is clearly an issue. What if the canary had
been set to zero from 2006 to today? This is what happened with the pointers
protected with this mechanism. According to Ulrich Drepper, using pointer
encryption (instead of canaries) to protect structures like jmp_buf is at
least as secure and in addition faster. Following the above, and since the
protection mechanism is useless from the first implementation, the number of
potentially affected systems could be huge.

Patch and exploit source code:

http://hmarco.org/bugs/CVE-2013-4788.html
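As an added example (not the advisory's poc-bug-mangle.c), the following C program models glibc's x86_64 PTR_MANGLE scheme (XOR with the pointer guard, then a 17-bit left rotation; i386 rotates by 9) to show why a zero guard gives no protection, and reads the running process's pointer guard from the thread control block (%fs:0x30 on x86_64 glibc) so a defender can compile it with -static and see whether a toolchain still emits unprotected static binaries. The rotate count and TCB offset are taken from glibc's x86_64 sysdep definitions; other platforms report "unsupported".

```c
// Added example (not from the advisory): models glibc's x86_64 PTR_MANGLE
// scheme (XOR with the pointer guard, then rotate left by 17 bits; i386 uses
// 9 bits) to show why a zero guard gives no protection, and reads the live
// pointer guard from the TCB as a check for affected static binaries.
#include <stdint.h>
#include <stdio.h>

#define PTR_ROL_BITS 17  // 2*LP_SIZE+1 on x86_64; 9 on i386

static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

// Mangle a code pointer the way glibc stores it in jmp_buf.
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard) {
    return rol64(ptr ^ guard, PTR_ROL_BITS);
}

// Inverse operation performed by longjmp() before jumping.
uint64_t ptr_demangle(uint64_t mangled, uint64_t guard) {
    return ror64(mangled, PTR_ROL_BITS) ^ guard;
}

// What anyone who assumes a zero guard computes from a stored value. With
// guard == 0 this equals the real pointer: the mangling degenerates to a
// fixed rotation that can be undone off-line, which is the advisory's point.
uint64_t demangle_assuming_zero_guard(uint64_t mangled) {
    return ptr_demangle(mangled, 0);
}

// Returns 1 if mangling with 'guard' actually hides 'ptr' from a zero-guard
// guess, 0 if it does not (the CVE-2013-4788 condition).
int guard_protects(uint64_t ptr, uint64_t guard) {
    uint64_t m = ptr_mangle(ptr, guard);
    return demangle_assuming_zero_guard(m) != ptr;
}

// Read this process's actual pointer guard. On x86_64 glibc it lives in the
// thread control block at %fs:0x30 (tcbhead_t.pointer_guard). Sets
// *supported = 0 and returns 0 elsewhere. Build with -static to audit the
// static-binary case the advisory describes.
uint64_t read_pointer_guard(int *supported) {
#if defined(__x86_64__) && defined(__GLIBC__)
    uint64_t g;
    __asm__ volatile("movq %%fs:0x30, %0" : "=r"(g));
    *supported = 1;
    return g;
#else
    *supported = 0;
    return 0;
#endif
}

int main(void) {
    int ok;
    uint64_t g = read_pointer_guard(&ok);
    if (!ok)
        puts("pointer guard not readable on this platform");
    else
        printf("pointer guard = 0x%016llx -> %s\n", (unsigned long long)g,
               g ? "randomized" : "ZERO: pointer mangling is ineffective");
    return 0;
}
```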