[FD] HNS-2024-05 - HN Security Advisory - Multiple vulnerabilities in RT-Thread RTOS

2024-03-13 Thread Marco Ivaldi
Hi,

Please find attached a security advisory that describes multiple
vulnerabilities we discovered in RT-Thread RTOS.

* Title: Multiple vulnerabilities in RT-Thread RTOS
* OS: RT-Thread <= 5.0.2
* Author: Marco Ivaldi 
* Date: 2024-03-05
* CVE IDs and advisory URLs:
  * CVE-2024-24334 - https://github.com/RT-Thread/rt-thread/issues/8282
  * CVE-2024-24335 - https://github.com/RT-Thread/rt-thread/issues/8271
  * CVE-2024-25388 - https://github.com/RT-Thread/rt-thread/issues/8285
  * CVE-2024-25389 - https://github.com/RT-Thread/rt-thread/issues/8283
  * CVE-2024-25390 - https://github.com/RT-Thread/rt-thread/issues/8286
  * CVE-2024-25391 - https://github.com/RT-Thread/rt-thread/issues/8287
  * CVE-2024-25392 - https://github.com/RT-Thread/rt-thread/issues/8290
  * CVE-2024-25393 - https://github.com/RT-Thread/rt-thread/issues/8288
  * CVE-2024-25394 - https://github.com/RT-Thread/rt-thread/issues/8291
  * CVE-2024-25395 - https://github.com/RT-Thread/rt-thread/issues/8289
  * https://github.com/RT-Thread/rt-thread/issues/8292
* Vendor URL: https://www.rt-thread.io/

The advisory is also available at:
https://github.com/hnsecurity/vulns/blob/main/HNS-2024-05-rt-thread.txt

For additional information, please refer to our vulnerability writeup:
https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos

Regards,

--
Marco Ivaldi
https://0xdeadbeef.info/
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl."
--[ HNS-2024-05 - HN Security Advisory - https://security.humanativaspa.it/

* Title: Multiple vulnerabilities in RT-Thread RTOS
* OS: RT-Thread <= 5.0.2
* Author: Marco Ivaldi 
* Date: 2024-03-05
* CVE IDs and advisory URLs:
  * CVE-2024-24334 - https://github.com/RT-Thread/rt-thread/issues/8282
  * CVE-2024-24335 - https://github.com/RT-Thread/rt-thread/issues/8271
  * CVE-2024-25388 - https://github.com/RT-Thread/rt-thread/issues/8285
  * CVE-2024-25389 - https://github.com/RT-Thread/rt-thread/issues/8283
  * CVE-2024-25390 - https://github.com/RT-Thread/rt-thread/issues/8286
  * CVE-2024-25391 - https://github.com/RT-Thread/rt-thread/issues/8287
  * CVE-2024-25392 - https://github.com/RT-Thread/rt-thread/issues/8290
  * CVE-2024-25393 - https://github.com/RT-Thread/rt-thread/issues/8288
  * CVE-2024-25394 - https://github.com/RT-Thread/rt-thread/issues/8291
  * CVE-2024-25395 - https://github.com/RT-Thread/rt-thread/issues/8289
  * https://github.com/RT-Thread/rt-thread/issues/8292
* Vendor URL: https://www.rt-thread.io/


--[ 0 - Table of contents

1 - Summary
2 - Background
3 - Vulnerabilities
3.1 - CVE-2024-24335 - Buffer overflow in RT-Thread dfs_v2 romfs filesystem
3.2 - CVE-2024-24334 - Heap buffer overflows in RT-Thread dfs_v2 dfs_file
3.3 - CVE-2024-25389 - Weak random source in RT-Thread rt_random driver
3.4 - CVE-2024-25388 - Heap buffer overflow in RT-Thread wlan driver
3.5 - CVE-2024-25390 - Heap buffer overflows in RT-Thread finsh
3.6 - CVE-2024-25391 - Stack buffer overflow in RT-Thread IPC
3.7 - CVE-2024-25393 - Stack buffer overflow in RT-Thread AT server
3.8 - CVE-2024-25395 - Static buffer overflow in RT-Thread rt-link utility
3.9 - CVE-2024-25392 - Out-of-bounds static array access in RT-Thread var_export utility
3.10 - CVE-2024-25394 - Multiple vulnerabilities in RT-Thread ymodem utility
3.11 - Use of outdated lwIP and TinyDir dependencies in RT-Thread
4 - Affected products
5 - Remediation
6 - Disclosure timeline
7 - Acknowledgments
8 - References


--[ 1 - Summary

"Security is in the mind of the programmer and in the mind of the designer.
Not so much in the code." 
 -- Alisa Esage

RT-Thread [1] is an open-source, community-based real-time operating system
(RTOS). RT-Thread can be used in sensing nodes, wireless connection chips,
and many other resource-constrained scenarios. It is also widely applied in
gateways, IPC, smart speakers, and other high-performance IoT applications.

We reviewed RT-Thread's source code hosted on GitHub [2] and identified
multiple security vulnerabilities that may cause memory corruption and
security feature bypass. Their impacts range from denial of service to
potential arbitrary code execution.

We also audited the lwIP [3] and TinyDir [4] codebases on which some
RT-Thread functionalities depend, and found some additional vulnerabilities
that were subsequently fixed by the respective maintainers.


--[ 2 - Background

After our recent vulnerability disclosures [5] in the IoT space, we decided
to keep assisting open-source projects in finding and fixing security
vulnerabilities by reviewing their source code. RT-Thread was selected as a
target of interest. Other RTOSes will be featured in future advisories and
writeups.

During this review, we made use of our Semgrep C/C++ ruleset [6] to
identify hotspots in code on which to focus our attention. We also took
advantage of this opportu

[FD] HNS-2023-03 - HN Security Advisory - Multiple vulnerabilities in Zephyr RTOS

2023-11-12 Thread Marco Ivaldi
Hi all,

Find attached a security advisory that details multiple
vulnerabilities we discovered in the Zephyr real-time operating
system.

* Title: Multiple vulnerabilities in Zephyr RTOS
* OS: Zephyr <= 3.4.0, except for:
  * CVE-2023-4265 that affects Zephyr <= 3.3.0
  * CVE-2023-4261 that affects Zephyr <= 3.5.0
* Author: Marco Ivaldi 
* Date: 2023-11-07
* CVE IDs and severity:
  * CVE-2023-3725 - High - 7.6
  * CVE-2023-4257 - Moderate - 6.8
  * CVE-2023-4259 - High - 7.1
  * CVE-2023-4260 - Moderate - 6.3
  * CVE-2023-4261 - (unreleased)
  * CVE-2023-4262 - Moderate - 5.1
  * CVE-2023-4263 - High - 7.6
  * CVE-2023-4264 - High - 7.1
  * CVE-2023-4265 - Moderate - 6.4
  * CVE-2023-5139 - Moderate - 4.4
  * CVE-2023-5184 - High - 7.0
  * CVE-2023-5753 - Moderate - 6.3
* Vendor URL: https://www.zephyrproject.org/
* Advisory URLs:
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-2g3m-p6c7-8rr3
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-853q-q69w-gf5j
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gghm-c696-f4j4
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gj27-862r-55wh
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5954-jcv4-7rvm
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-56p9-5p3v-hhrc
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rf6q-rhhp-pqhf
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rgx6-3w4j-gf5j
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vgv-5r6q-r6xh
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rhrc-pcxp-4453
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8x3p-q3r5-xh9g
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hmpr-px56-rvww

For additional information, please refer to our vulnerability writeup:
https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves

Regards,

-- 
Marco Ivaldi
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl."
--[ HNS-2023-03 - HN Security Advisory - https://security.humanativaspa.it/

* Title: Multiple vulnerabilities in Zephyr RTOS
* OS: Zephyr <= 3.4.0, except for:
  * CVE-2023-4265 that affects Zephyr <= 3.3.0
  * CVE-2023-4261 that affects Zephyr <= 3.5.0 and will be fixed in a future update
* Author: Marco Ivaldi 
* Date: 2023-11-07
* CVE IDs and severity:
  * CVE-2023-3725 - High - 7.6 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  * CVE-2023-4257 - Moderate - 6.8 - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
  * CVE-2023-4259 - High - 7.1 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
  * CVE-2023-4260 - Moderate - 6.3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  * CVE-2023-4261 - (unreleased)
  * CVE-2023-4262 - Moderate - 5.1 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
  * CVE-2023-4263 - High - 7.6 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  * CVE-2023-4264 - High - 7.1 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
  * CVE-2023-4265 - Moderate - 6.4 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
  * CVE-2023-5139 - Moderate - 4.4 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  * CVE-2023-5184 - High - 7.0 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
  * CVE-2023-5753 - Moderate - 6.3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* Vendor URL: https://www.zephyrproject.org/
* Advisory URLs:
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-2g3m-p6c7-8rr3
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-853q-q69w-gf5j
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gghm-c696-f4j4
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gj27-862r-55wh
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5954-jcv4-7rvm (unreleased)
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-56p9-5p3v-hhrc
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rf6q-rhhp-pqhf
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rgx6-3w4j-gf5j
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vgv-5r6q-r6xh
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rhrc-pcxp-4453
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8x3p-q3r5-xh9g
  * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hmpr-px56-rvww


--[ 0 - Table of contents

1 - Summary
2 - Background
3 - Vulnerabilities
3.1 - CVE-2023-3725 - Buffer overflow vulnerability in the Zephyr CANbus subsystem
3.2 - CVE-2023-4257 - Unchecked user input length in the Zephyr WiFi shell module
3.3 - CVE-2023-4259 - Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver
3.4 - CVE-2023-4260 

Re: [FD] HNS-2022-01 - HN Security Advisory - Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm

2023-01-23 Thread Marco Ivaldi
Hello again,

Just a quick update. Mitre has assigned the following additional CVE IDs:

* CVE-2023-24039 - Stack-based buffer overflow in libXm ParseColors
* CVE-2023-24040 - Printer name injection and heap memory disclosure

We have updated the advisory accordingly:
https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt

Regards,
Marco

On Wed, Jan 18, 2023 at 9:48 AM Marco Ivaldi  wrote:
>
> Dear Full Disclosure,
>
> Find attached a security advisory that details multiple
> vulnerabilities we discovered in Oracle Solaris CDE dtprintinfo, Motif
> libXm, and X.Org libXpm.
>
> * Title: Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm
> * Products: Common Desktop Environment 1.6, Motif 2.1, X.Org libXpm < 3.5.15
> * OS: Oracle Solaris 10 (CPU January 2021)
> * Author: Marco Ivaldi 
> * Date: 2023-01-18
> * Oracle vulnerability tracking numbers:
>   * S1597707 - Arbitrary printer name injection
>   * S1597724 - Heap memory disclosure via long printer names
>   * S1597711 - Memory corruption via malformed icon files
>   * S1597730 - Stack-based buffer overflow in libXm ParseColors
> * CVE IDs:
>   * CVE-2022-46285 - Infinite loop on unclosed comments in Xorg libXpm
> * Advisory URLs:
>   * https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt
>   * https://lists.x.org/archives/xorg-announce/2023-January/003312.html
>   * https://lists.x.org/archives/xorg-announce/2023-January/003313.html
> * Exploit URLs:
>   * https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c
>
> For additional information, please refer to our vulnerability writeup:
> https://security.humanativaspa.it/nothing-new-under-the-sun/
>
> PS. No, HNS-2022-01 is not a typo. Check out the disclosure timeline
> in the advisory and you'll understand why we used this label.

-- 
Marco Ivaldi
https://0xdeadbeef.info/
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl."
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


[FD] HNS-2022-01 - HN Security Advisory - Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm

2023-01-19 Thread Marco Ivaldi
Dear Full Disclosure,

Find attached a security advisory that details multiple
vulnerabilities we discovered in Oracle Solaris CDE dtprintinfo, Motif
libXm, and X.Org libXpm.

* Title: Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm
* Products: Common Desktop Environment 1.6, Motif 2.1, X.Org libXpm < 3.5.15
* OS: Oracle Solaris 10 (CPU January 2021)
* Author: Marco Ivaldi 
* Date: 2023-01-18
* Oracle vulnerability tracking numbers:
  * S1597707 - Arbitrary printer name injection
  * S1597724 - Heap memory disclosure via long printer names
  * S1597711 - Memory corruption via malformed icon files
  * S1597730 - Stack-based buffer overflow in libXm ParseColors
* CVE IDs:
  * CVE-2022-46285 - Infinite loop on unclosed comments in Xorg libXpm
* Advisory URLs:
  * https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt
  * https://lists.x.org/archives/xorg-announce/2023-January/003312.html
  * https://lists.x.org/archives/xorg-announce/2023-January/003313.html
* Exploit URLs:
  * https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c

For additional information, please refer to our vulnerability writeup:
https://security.humanativaspa.it/nothing-new-under-the-sun/

PS. No, HNS-2022-01 is not a typo. Check out the disclosure timeline
in the advisory and you'll understand why we used this label.

Regards,

--
Marco Ivaldi
https://0xdeadbeef.info/
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl."
--[ HNS-2022-01 - HN Security Advisory - https://security.humanativaspa.it/

* Title: Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm
* Products: Common Desktop Environment 1.6, Motif 2.1, X.Org libXpm < 3.5.15
* OS: Oracle Solaris 10 (CPU January 2021)
* Author: Marco Ivaldi 
* Date: 2023-01-18
* Oracle vulnerability tracking numbers:
  * S1597707 - Arbitrary printer name injection
  * S1597724 - Heap memory disclosure via long printer names
  * S1597711 - Memory corruption via malformed icon files
  * S1597730 - Stack-based buffer overflow in libXm ParseColors
* CVE IDs:
  * CVE-2022-46285 - Infinite loop on unclosed comments in X.Org libXpm
* Advisory URLs: 
  * https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt
  * https://lists.x.org/archives/xorg-announce/2023-January/003312.html
  * https://lists.x.org/archives/xorg-announce/2023-January/003313.html
* Exploit URLs:
  * https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c


--[ 0 - Table of contents

1 - Summary
2 - Vulnerabilities
2.1 - Arbitrary printer name injection
2.2 - Heap memory disclosure via long printer names
2.3 - Memory corruption via malformed icon files
2.4 - Stack-based buffer overflow in libXm ParseColors()
3 - Analysis
3.1 - Printer name injection and heap memory disclosure
3.2 - Memory corruption via malformed icon files
4 - Exploitation
5 - Affected products
6 - Remediation
7 - Disclosure timeline
8 - References


--[ 1 - Summary

"What has been will be again,
 what has been done will be done again;
 there is nothing new under the Sun."
-- Ecclesiastes 1:9

We have identified multiple security vulnerabilities that are exploitable
via the setuid-root dtprintinfo binary from the Common Desktop
Environment (CDE) distributed with Oracle Solaris 10 (CPU January 2021):

* A bug in the parser of the lpstat external command invoked by dtprintinfo
  to list the names of available printers allows low-privileged local users
  to inject arbitrary printer names via the $HOME/.printers file.

* Printer name injection allows low-privileged local users to manipulate
  the control flow of the target program and disclose memory contents.
  Based on our analysis, this bug does not seem to be directly exploitable
  to achieve arbitrary code execution. However, we recommend treating it as
  a potential security vulnerability and fixing it as such.

* The ability to inject arbitrary printer names opens other attack vectors
  that otherwise would not be available on systems without configured
  printers. As an example, we discovered multiple icon parsing bugs in the
  Motif library libXm that cause memory corruption.

We demonstrated the possibility to exploit one of these memory corruption
bugs, a stack-based buffer overflow in the ParseColors() function of libXm,
to achieve local privilege escalation to root on Solaris 10.


--[ 2 - Vulnerabilities

Following our last CDE vulnerability disclosures [1], Oracle kindly shared
with us a copy of their then current Solaris 10 security patch set (CPU
January 2021), so that we could install it in our lab and verify the fixes
for the bugs we had reported.

In addition to verifying these fixes, we decided to take a closer look at
the dtprintinfo program distributed with CDE, because of its complexity and
its impressive historical record of high-impact vulnerabilities [2]. These
are the results of our research.



[FD] HNS-2022-02 - HN Security Advisory - Multiple vulnerabilities in Zyxel zysh

2022-06-11 Thread Marco Ivaldi
Dear Full Disclosure,

Find attached a security advisory that details multiple
vulnerabilities we discovered in the zysh shell distributed with some
Zyxel products, including their security appliances.

* Title: Multiple vulnerabilities in Zyxel zysh
* Products: Zyxel firewalls, AP controllers, and APs
* Author: Marco Ivaldi 
* Date: 2022-06-07
* CVE Names and Vendor CVSS Scores:
  CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1)
  CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)
* Advisory URLs:
  https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt
  https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml

For additional information, please refer to our vulnerability writeup:
https://security.humanativaspa.it/multiple-vulnerabilities-in-zyxel-zysh/

Regards,

--
Marco Ivaldi
https://0xdeadbeef.info/
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl."
--[ HNS-2022-02 - HN Security Advisory - https://security.humanativaspa.it/

* Title: Multiple vulnerabilities in Zyxel zysh
* Products: Zyxel firewalls, AP controllers, and APs
* Author: Marco Ivaldi 
* Date: 2022-06-07
* CVE Names and Vendor CVSS Scores:
  CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1)
  CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8)
* Advisory URLs:
  https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt
  https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml


--[ 0 - Table of contents

1 - Summary
2 - Background
3 - Vulnerabilities
4 - Analysis
4.1 - Buffer overflows in the "configure terminal > diagnostic" command
4.2 - Buffer overflow in the "debug" command
4.3 - Buffer overflow in the "ssh" command
4.4 - Format string bugs in the "extension" argument of some commands
4.5 - OS command injection in the "packet-trace" command
5 - Exploitation
5.1 - Buffer overflows
5.2 - Format string bugs
5.3 - OS command injection
6 - Affected products
7 - Remediation
8 - Disclosure timeline
9 - References


--[ 1 - Summary

"We live on a placid island of ignorance in the midst of black seas of
infinity, and it was not meant that we should voyage far."
   -- H. P. Lovecraft, The Call of Cthulhu

We have identified multiple security vulnerabilities in the zysh binary
that implements the command-line interface (CLI) on a wide range of Zyxel
products, including their security appliances such as those in the Unified
Security Gateway (USG) product line:

* Multiple stack-based buffer overflows in the code responsible for
  handling diagnostic tests ("configure terminal > diagnostic" command).
* A stack-based buffer overflow in the "debug" command.
* A stack-based buffer overflow in the "ssh" command.
* Multiple format string bugs in the "extension" argument of the "ping",
  "ping6", "traceroute", "traceroute6", "nslookup", and "nslookup6"
  commands.
* An OS command injection vulnerability in the "packet-trace" command.

We demonstrated the possibility to exploit the format string bugs and the
OS command injection vulnerability to escape the restricted shell
environment and achieve arbitrary command execution on the underlying
embedded Linux OS, respectively as regular user and as root.


--[ 2 - Background

The zysh binary is a restricted shell that implements the command-line
interface (CLI) on multiple Zyxel [0] products. All regular user accounts
have an /etc/passwd entry similar to the following:

admin:x:10007:1:Administration account...:/etc/zyxel/ftp:/bin/zysh

Only the root user and the reserved debug account, disabled by default,
have access to a proper bash shell:

root:x:0:0:root&120&120&480&480&1&0:/root:/bin/bash
...
debug:!:0:0:Debug Account:/root:/bin/bash

The Zyxel CLI can be accessed via SSH as follows:

raptor@blumenkraft ~ % ssh  -l admin
(admin@) Password:
Router> # hello zysh!

On our Zyxel USG20-VPN test device, the CLI can also be accessed via Telnet
(not enabled by default) or via the so-called Web Console, implemented with
WebSockets, that is reachable with a web browser after authentication, at a
URL such as the following:

https:///webconsole/

In the context of a wider audit of the security posture of Zyxel devices
[1], we decided to audit zysh with the primary goal of escaping the
restricted shell environment and executing arbitrary commands on the
underlying embedded Linux OS. It is pretty large for a dynamically-linked,
stripped binary (~19MB) and it makes plenty of unsafe API function calls,
which makes it an interesting target.


--[ 3 - Vulnerabilities

During our audit of the zysh binary, we identified the following
vulnerabilities:

[FD] CVE-2020-2771, CVE-2020-2851, CVE-2020-2944 - Multiple vulnerabilities in Oracle Solaris

2020-04-17 Thread Marco Ivaldi
Hello,

Please find attached 3 recent advisories for the following vulnerabilities, 
fixed in Oracle's Critical Patch Update (CPU) of April 2020:

CVE-2020-2771. A difficult to exploit heap-based buffer overflow in setuid root 
whodo and w binaries distributed with Solaris allows local users to corrupt 
memory and potentially execute arbitrary code in order to escalate privileges.

CVE-2020-2851. A difficult to exploit stack-based buffer overflow in the 
_DtCreateDtDirs() function in the Common Desktop Environment version 
distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may allow local 
users to corrupt memory and potentially execute arbitrary code in order to 
escalate privileges via a long X11 display name. The vulnerable function is 
located in the libDtSvc library and can be reached by executing the setuid 
program dtsession.

CVE-2020-2944. A buffer overflow in the _SanityCheck() function in the Common 
Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) 
and earlier allows local users to gain root privileges via a long calendar name 
or calendar owner passed to sdtcm_convert in a malicious calendar file.

For further details and some background information, please refer to:
https://techblog.mediaservice.net/2020/04/cve-2020-2944-local-privilege-escalation-via-cde-sdtcm_convert/
https://github.com/0xdea/exploits/blob/master/solaris/raptor_sdtcm_conv.c 
https://0xdeadbeef.info/ 

PS. It looks like Bugtraq is not accepting posts anymore: it finally happened, 
the end of an era...

-- 
Marco Ivaldi, Offensive Security Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/

@Mediaservice.net Security Advisory #2020-05 (last updated on 2020-04-15)

         Title: Local privilege escalation via CDE sdtcm_convert
   Application: Common Desktop Environment 1.6 and earlier
     Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier
                Other platforms are potentially affected (see below)
   Description: A local attacker can gain root privileges by exploiting a
                buffer overflow in CDE sdtcm_convert
        Author: Marco Ivaldi
 Vendor Status: Oracle notified on 2019-12-08
                CERT/CC notified on 2019-12-09 (tracking VU#308289)
      CVE Name: CVE-2020-2944
   CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
    References: https://github.com/0xdea/advisories/blob/master/2020-05-cde-sdtcm_convert.txt
                https://www.oracle.com/security-alerts/cpuapr2020.html
                https://www.oracle.com/technetwork/server-storage/solaris10/
                https://www.mediaservice.net/
                https://0xdeadbeef.info/

1. Abstract.

A buffer overflow in the _SanityCheck() function in the Common Desktop
Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and
earlier allows local users to gain root privileges via a long calendar name or
calendar owner passed to sdtcm_convert in a malicious calendar file.

The open source version of CDE (based on the CDE 2.x codebase) is not affected,
because it does not ship the vulnerable program.

2. Example Attack Session.

bash-3.2$ cat /etc/release
Oracle Solaris 10 1/13 s10x_u11wos_24a X86
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
Assembled 17 January 2013
bash-3.2$ uname -a
SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2$ id
uid=54322(raptor) gid=1(other)
bash-3.2$ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall
bash-3.2$ ./raptor_sdtcm_conv
raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel
Copyright (c) 2019-2020 Marco Ivaldi 

Using SI_PLATFORM   : i86pc (5.10)
Using SI_HOSTNAME   : nostalgia
Using stack base: 0x8047fff
Using rwx_mem address   : 0xfeffa004
Using payload address   : 0x8047dff
Using strcpy() address  : 0xfefe26a0

Preparing the evil calendar file... Done.
Exploiting... Please answer "n" when prompted.
Loading the calendar ...
[...]
Do you want to correct it? (Y/N) [Y] n
# id
uid=0(root) gid=1(other) egid=12(daemon)

3. Affected Platforms.

All platforms shipping the Common Desktop Environment based on the CDE 1.x
codebase are potentially affected. This includes:

* Oracle Solaris 10 1/13 (Update 11) and earlier [default installation]

The open source version of CDE (based on the CDE 2.x codebase) is not affected,
because it does not ship the vulnerable program.

4. Fix.

Oracle has assigned the tracking# S1239395 and has released a fix for all
affected and supported versions of Solaris in the Critical Patch Update (CPU)
of April 2020.

As a workaround, it is also possible to remove the setuid bit from the
vulnerable executable as follows (note that this might prevent it from working
properly):

bash-3.2# chmod -s /usr/dt/bin/sdtcm_convert

Please note that during the audit many other p

[FD] CVE-2020-2696 - Local privilege escalation via CDE dtsession

2020-01-17 Thread Marco Ivaldi
Dear Full Disclosure,

Please find attached an advisory for the following vulnerability, fixed in 
Oracle's Critical Patch Update (CPU) of January 2020:

"A buffer overflow in the CheckMonitor() function in the Common Desktop 
Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle 
Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root 
privileges via a long palette name passed to dtsession in a malicious 
.Xdefaults file."

For further information, please refer to:
https://techblog.mediaservice.net/2020/01/local-privilege-escalation-via-cde-dtsession/
https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtsession_ipa.c

Regards,

-- 
Marco Ivaldi, Offensive Security Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/
Tel: +39 011 19016595 | Fax: +39 011 3246497

@Mediaservice.net Security Advisory #2020-02 (last updated on 2020-01-15)

         Title: Local privilege escalation via CDE dtsession
   Application: Common Desktop Environment 2.3.1 and earlier
                Common Desktop Environment 1.6 and earlier
     Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier
                Other platforms are potentially affected (see below)
   Description: A local attacker can gain root privileges by exploiting a
                buffer overflow in CDE dtsession
        Author: Marco Ivaldi
 Vendor Status: Oracle notified on 2019-11-13
                CERT/CC notified on 2019-12-09 (tracking VU#308289)
      CVE Name: CVE-2020-2696
   CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
    References: https://github.com/0xdea/advisories/blob/master/2020-02-cde-dtsession.txt
                https://www.oracle.com/security-alerts/cpujan2020.html
                https://sourceforge.net/p/cdesktopenv/wiki/Home/
                https://www.oracle.com/technetwork/server-storage/solaris10/
                https://www.mediaservice.net/
                https://0xdeadbeef.info/

1. Abstract

A buffer overflow in the CheckMonitor() function in the Common Desktop
Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle
Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root
privileges via a long palette name passed to dtsession in a malicious
.Xdefaults file.

Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is
different from the CDE 2.x codebase that was later open sourced. Most notably,
the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the
open source version it is heap-based.

2. Example Attack Session.

bash-3.2$ cat /etc/release
Oracle Solaris 10 1/13 s10x_u11wos_24a X86
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
Assembled 17 January 2013
bash-3.2$ uname -a
SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2$ id
uid=54322(raptor) gid=1(other)
bash-3.2$ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall
bash-3.2$ ./raptor_dtsession_ipa 192.168.1.1:0
raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel
Copyright (c) 2019-2020 Marco Ivaldi 

Using SI_PLATFORM   : i86pc (5.10)
Using stack base: 0x8047fff
Using rwx_mem address   : 0xfeffa004
Using payload address   : 0x8047dff
Using strcpy() address  : 0xfefe26a0

# id
uid=0(root) gid=1(other)

3. Affected Platforms.

All platforms shipping the Common Desktop Environment are potentially affected.
This includes:

* Oracle Solaris 10 1/13 (Update 11) and earlier [default installation]

According to the CDE Wiki, the following platforms are officially supported:

* All Official Ubuntu variants 12.04 - 18.04
* Debian 6, 7, 8, 9
* Fedora 17 at least
* Archlinux
* Red Hat
* Slackware 14.0
* OpenBSD
* NetBSD
* FreeBSD 9.2, 10.x, 11.x
* openSUSE Tumbleweed (gcc7)
* openSUSE Leap 4.2 (gcc4)
* SUSE 12 SP3 (gcc4)
* Solaris, OpenIndiana

4. Fix.

The maintainers of the open source CDE 2.x version have issued the following
patches for this vulnerability:
https://sourceforge.net/p/cdesktopenv/mailman/message/36900154/
https://sourceforge.net/p/cdesktopenv/code/ci/6b32246d06ab16fd7897dc344db69d0957f3ae08/

Oracle, which maintains a different CDE codebase based on the 1.x train, has
assigned the tracking# S1231688 and has released a fix for all affected and
supported versions of Solaris in their Critical Patch Update (CPU) of January
2020.

As a workaround, it is also possible to remove the setuid bit from the
vulnerable executable as follows (note that this might prevent it from working
properly):

bash-3.2# chmod -s /usr/dt/bin/dtsession

Please note that during the audit many other potentially exploitable bugs have
surfaced in dtsession and in the Common Desktop Environment in general.
Therefore, removing the setuid bit from all CDE binaries is recommended,
regardless of patches released by vendors.
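
The workaround above, generalized into an inventory-then-strip helper. This is an added example, not part of the original advisory: the function names list_setid and strip_setid are hypothetical, and /usr/dt/bin is taken from the chmod command shown in the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): inventory setuid/setgid files under
# a directory such as /usr/dt/bin and strip the bits, dry-run by default.
# Usage: sh strip_setid.sh /usr/dt/bin          (report only)
#        sh strip_setid.sh /usr/dt/bin apply    (actually change modes)

# list_setid DIR
# Print every regular file under DIR that has the setuid (4000) or
# setgid (2000) bit set, one path per line, sorted.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# strip_setid DIR [apply]
# Log the current mode of each setuid/setgid file (so the change can be
# reverted if a program stops working), then clear the bits when the second
# argument is "apply". Paths containing newlines are not supported.
strip_setid() {
    dir=$1
    mode=${2:-dry-run}
    files=$(list_setid "$dir")
    if [ -z "$files" ]; then
        echo "no setuid/setgid files under $dir"
        return 0
    fi
    while IFS= read -r f; do
        echo "before: $(ls -ld "$f")"
        if [ "$mode" = "apply" ]; then
            # ug-s clears both setuid and setgid, like the advisory's chmod -s
            chmod ug-s "$f" && echo "stripped: $f"
        else
            echo "would run: chmod ug-s $f"
        fi
    done <<EOF
$files
EOF
}

# Run only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    strip_setid "$@"
fi
```

Keep the "before:" lines from the run: they are the record needed to restore a mode if a CDE program stops working without its setuid bit.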

[FD] CVE-2020-2656 - Low impact information disclosure via Solaris xlock

2020-01-17 Thread Marco Ivaldi
Dear Full Disclosure,

Please find attached an advisory for the following vulnerability, fixed in 
Oracle's Critical Patch Update (CPU) of January 2020:

"A low impact information disclosure vulnerability in the setuid root xlock 
binary distributed with Solaris may allow local users to read partial contents
of sensitive files. Due to the fact that target files must be in a very 
specific format, exploitation of this flaw to escalate privileges in a 
realistic scenario is unlikely."

Regards,

-- 
Marco Ivaldi, Offensive Security Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/

@Mediaservice.net Security Advisory #2020-01 (last updated on 2020-01-15)

         Title: Low impact information disclosure via Solaris xlock
   Application: Setuid root xlock binary distributed with Solaris
     Platforms: Oracle Solaris 11.x (confirmed on 11.4 X86)
                Oracle Solaris 10 (confirmed on 10 1/13 X86)
                OpenIndiana Hipster 2019.10 and earlier
                Other platforms are potentially affected
   Description: A low impact information disclosure vulnerability in the setuid
                root xlock binary distributed with Solaris may allow local
                users to read partial contents of potentially sensitive files
        Author: Marco Ivaldi
 Vendor Status: notified on 2019-09-24
      CVE Name: CVE-2020-2656
   CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (Base Score: 4.4)
    References: https://github.com/0xdea/advisories/blob/master/2020-01-solaris-xlock.txt
                https://www.oracle.com/security-alerts/cpujan2020.html
                https://www.oracle.com/technetwork/server-storage/solaris11/
                https://www.oracle.com/technetwork/server-storage/solaris10/
                https://www.openindiana.org/
                https://github.com/oracle/solaris-userland/tree/master/components/x11/app/xlock/sun-src
                https://www.mediaservice.net/
                https://0xdeadbeef.info/

1. Abstract.

A low impact information disclosure vulnerability in the setuid root xlock
binary distributed with Solaris may allow local users to read partial contents
of sensitive files. Due to the fact that target files must be in a very
specific format, exploitation of this flaw to escalate privileges in a
realistic scenario is unlikely.

2. Example Attack Session.

In order to reproduce this bug, the following commands can be used:

raptor@stalker:~$ cat /etc/release
 Oracle Solaris 11.4 X86
  Copyright (c) 1983, 2018, Oracle and/or its affiliates.  All rights reserved.
Assembled 16 August 2018
raptor@stalker:~$ uname -a
SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
raptor@stalker:~$ id
uid=100(raptor) gid=10(staff)
raptor@stalker:~$ tail -1 /etc/passwd
user.mode:x:101:10::/export/home/user:/usr/bin/bash
raptor@stalker:~$ ln -s /etc/shadow .Xdefaults
raptor@stalker:~$ Xorg :1 &
raptor@stalker:~$ xlock -name user -display :1
Unknown mode: xlock:  bad command line option 
"$5$rounds=1$wHWiSUhf$NKjMUwIRiVVB/GYx.HZvnMhou9RUT.qaiJhKg265um7:18160::"

3. Discussion.

The detected information disclosure happens because xlock does not drop root
privileges and follows a malicious symlink to an arbitrary file when opening
the ~/.Xdefaults configuration file with the XrmGetFileDatabase() function of
libX11. Subsequently, xlock's CheckResources() function prints partial contents
of the last line of the file that matches the following pattern (the
resource-name string can be specified with the -name command line switch of
xlock):

[resource-name].mode:[sensitive data]

For instance, if a username in the shadow file ends with the string ".mode"
(e.g. "user.mode" as shown in the above example) it is possible for a low
privileged user to exploit this flaw in order to reveal the corresponding
password hash. Similar results can be achieved in case of usernames that end
with the following strings:

* ".font": the password hash is included in an error message printed by xlock
* ".info": the password hash is displayed as part of xlock's unlock dialog 
* ".validate": the password hash is displayed as part of xlock's unlock dialog 

Instead of creating a symlink, an attacker could exploit this flaw by directly
setting the XFILESEARCHPATH or XUSERFILESEARCHPATH environment variables to
point to /etc/shadow. In this case, the password hash associated with usernames
that end with the ".display" string can also be recovered. The XAPPLRESDIR
environment variable can also be manipulated to achieve similar results.
Finally, the directive #include "/etc/shadow" in a configuration file can also
be used to trick xlock into opening the /etc/shadow file.

Other exploitation vectors may be available.

4. Affected Platforms.

This bug was
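
Added example (not part of the original advisory and not Oracle's fix): one way
a setuid-root program can open a per-user resource file such as ~/.Xdefaults so
that the flaw described in the Discussion above cannot occur. The helper name
open_user_config() is hypothetical; it opens the file with the invoking user's
privileges, refuses symlinks, and accepts regular files only.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* open_user_config() is a hypothetical helper, not code from xlock or libX11.
 * Returns a read-only descriptor for a per-user file, or -1 if the path is a
 * symlink, is not a regular file, or is unreadable by the invoking user. */
int open_user_config(const char *path)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    int fd;

    /* Temporarily take on the real (invoking) uid so the kernel applies that
     * user's permissions to the open; root-only files fail with EACCES. */
    if (seteuid(getuid()) != 0)
        return -1;

    /* O_NOFOLLOW: fail if the last path component is a symlink.
     * O_NONBLOCK: do not hang if the user planted a FIFO. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    /* Inspect the object actually opened (fstat on the fd, not stat on the
     * path), so a swap after the check cannot change the answer. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        fd = -1;
    }

    /* Regain the saved effective uid for work that still needs it. */
    if (seteuid(saved_euid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_user_config(argc > 1 ? argv[1] : ".Xdefaults");

    puts(fd >= 0 ? "opened with the invoking user's rights" : "refused");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```

Because the effective uid is the invoking user's while the file is opened, the
environment-variable and #include vectors mentioned above gain nothing either,
provided the same drop covers every file the resource parser opens.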

Re: [FD] local privilege escalation via CDE dtprintinfo

2019-07-18 Thread Marco Ivaldi
Hi,

Just a quick follow-up to my original advisory. The CVE name CVE-2019-2832 has 
been assigned to the vulnerability and Oracle has released a patch in its July 
2019 CPU. Further information is available at:

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixSUNS
https://support.oracle.com/epmos/faces/DocContentDisplay?id=2560938.1

Once again, I would like to thank Jon Trulson (maintainer of the open source 
CDE project), Alan Coopersmith, and Ritwik Ghoshal (Oracle Security team) for 
their smooth and professional handling of my vulnerability report, especially 
given the unusual circumstances.

-- 
Marco Ivaldi, SAT Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/

On 17/05/2019, 16:13, "Marco Ivaldi"  wrote:

Dear Full Disclosure,

Please find attached an advisory for the following vulnerability:

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
(Update 11) and earlier, allows local users to gain root privileges via a long
printer name passed to dtprintinfo by a malicious lpstat program.

Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is
different from the CDE 2.x codebase that was later open sourced. Most notably,
the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the
open source version it is heap-based.

This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in
the talk "A bug's life: story of a Solaris 0day".

For further information, refer to the following links:
https://vimeo.com/335197685
https://github.com/0xdea/raptor_infiltrate19 

Regards,
    
-- 
Marco Ivaldi, SAT Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/




[FD] local privilege escalation via CDE dtprintinfo

2019-05-17 Thread Marco Ivaldi
Dear Full Disclosure,

Please find attached an advisory for the following vulnerability:

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
(Update 11) and earlier, allows local users to gain root privileges via a long
printer name passed to dtprintinfo by a malicious lpstat program.

Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is
different from the CDE 2.x codebase that was later open sourced. Most notably,
the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the
open source version it is heap-based.

This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in
the talk "A bug's life: story of a Solaris 0day".

For further information, refer to the following links:
https://vimeo.com/335197685
https://github.com/0xdea/raptor_infiltrate19 

Regards,

-- 
Marco Ivaldi, SAT Manager
CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F
@Mediaservice.net S.r.l. con Socio Unico
https://www.mediaservice.net/

@Mediaservice.net (Cybaze Group) Security Advisory #2019-01 (updated on 2019-05-08)

         Title: Local privilege escalation via CDE dtprintinfo
   Application: Common Desktop Environment 2.3.0 and earlier
     Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier
                Other platforms are potentially affected (see below)
   Description: A local attacker can gain root privileges by exploiting
                a buffer overflow in CDE dtprintinfo
        Author: Marco Ivaldi
   Contributor: Dave Aitel (original discovery)
 Vendor Status: notified on 2019-05-05
                notified on 2019-05-05
           CVE: The Common Vulnerabilities and Exposures project has not assigned
                a name to this issue yet
    References: https://lab.mediaservice.net/advisory/2019-01-cde-dtprintinfo.txt
                https://github.com/0xdea/raptor_infiltrate19
                https://sourceforge.net/p/cdesktopenv/wiki/Home/
                https://www.oracle.com/technetwork/server-storage/solaris10/
                https://www.mediaservice.net/
                https://infiltratecon.com/

1. Abstract.

A buffer overflow in the DtPrinterAction::PrintActionExists() function in the
Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13
(Update 11) and earlier, allows local users to gain root privileges via a long
printer name passed to dtprintinfo by a malicious lpstat program.

Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is
different from the CDE 2.x codebase that was later open sourced. Most notably,
the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the
open source version it is heap-based.

This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in
the talk "A bug's life: story of a Solaris 0day".

2. Example Attack Session.

bash-3.2$ cat /etc/release
Oracle Solaris 10 1/13 s10x_u11wos_24a X86
  Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved.
Assembled 17 January 2013
bash-3.2$ uname -a
SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc
bash-3.2$ id
uid=54322(raptor) gid=1(other)
bash-3.2$ gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall
bash-3.2$ ./raptor_dtprintname_intel 192.168.1.1:0
raptor_dtprintname_intel.c - dtprintinfo 0day, Solaris/Intel
Copyright (c) 2004-2019 Marco Ivaldi 

Using SI_PLATFORM   : i86pc (5.10)
Using stack base: 0x8047fff
Using rwx_mem address   : 0xfeffa004
Using sc address: 0x8047f60
Using strcpy() address  : 0xfefe26a0

lpstat called with -v
lpstat called with -v
lpstat called with -d
# id
uid=0(root) gid=1(other)

3. Affected Platforms.

All platforms shipping the Common Desktop Environment are potentially affected.
This includes:

* Oracle Solaris 10 1/13 (Update 11) and earlier [default installation]

According to the CDE Wiki, the following platforms are officially supported:

* All Official Ubuntu variants 12.04 - 18.04
* Debian 6, 7, 8, 9
* Fedora 17 at least
* Archlinux
* Red Hat
* Slackware 14.0
* OpenBSD
* NetBSD
* FreeBSD 9.2, 10.x, 11.x
* openSUSE Tumbleweed (gcc7)
* openSUSE Leap 4.2 (gcc4)
* SUSE 12 SP3 (gcc4)
* Solaris, OpenIndiana

4. Fix.

The maintainers of the open source CDE 2.x version have issued the following
patches for this vulnerability:

https://sourceforge.net/p/cdesktopenv/code/ci/30cd56ac389fbab521c52669a3bd25041d4e1df1/
https://sourceforge.net/p/cdesktopenv/code/ci/05d231606ebe3658712a36017d16ec3cc349145d/
https://sourceforge.net/p/cdesktopenv/code/ci/d59ec197e5307ad9650b6518dba67b7ef388f053/

Oracle, which maintains a different CDE codebase based on the 1.x train, is 
investigating the issue via tracking# S1153109 and is expected to release a fix
for all affected-supported versions of Solaris via their quarterly C