[FD] HNS-2024-05 - HN Security Advisory - Multiple vulnerabilities in RT-Thread RTOS
Hi, Please find attached a security advisory that describes multiple vulnerabilities we discovered in RT-Thread RTOS. * Title: Multiple vulnerabilities in RT-Thread RTOS * OS: RT-Thread <= 5.0.2 * Author: Marco Ivaldi * Date: 2024-03-05 * CVE IDs and advisory URLs: * CVE-2024-24334 - https://github.com/RT-Thread/rt-thread/issues/8282 * CVE-2024-24335 - https://github.com/RT-Thread/rt-thread/issues/8271 * CVE-2024-25388 - https://github.com/RT-Thread/rt-thread/issues/8285 * CVE-2024-25389 - https://github.com/RT-Thread/rt-thread/issues/8283 * CVE-2024-25390 - https://github.com/RT-Thread/rt-thread/issues/8286 * CVE-2024-25391 - https://github.com/RT-Thread/rt-thread/issues/8287 * CVE-2024-25392 - https://github.com/RT-Thread/rt-thread/issues/8290 * CVE-2024-25393 - https://github.com/RT-Thread/rt-thread/issues/8288 * CVE-2024-25394 - https://github.com/RT-Thread/rt-thread/issues/8291 * CVE-2024-25395 - https://github.com/RT-Thread/rt-thread/issues/8289 * https://github.com/RT-Thread/rt-thread/issues/8292 * Vendor URL: https://www.rt-thread.io/ The advisory is also available at: https://github.com/hnsecurity/vulns/blob/main/HNS-2024-05-rt-thread.txt For additional information, please refer to our vulnerability writeup: https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos Regards, -- Marco Ivaldi https://0xdeadbeef.info/ "When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." --[ HNS-2024-05 - HN Security Advisory - https://security.humanativaspa.it/ * Title: Multiple vulnerabilities in RT-Thread RTOS * OS: RT-Thread <= 5.0.2 * Author: Marco Ivaldi * Date: 2024-03-05 * CVE IDs and advisory URLs: * CVE-2024-24334 - https://github.com/RT-Thread/rt-thread/issues/8282 * CVE-2024-24335 - https://github.com/RT-Thread/rt-thread/issues/8271 * CVE-2024-25388 - https://github.com/RT-Thread/rt-thread/issues/8285 * CVE-2024-25389 - https://github.com/RT-Thread/rt-thread/issues/8283 * CVE-2024-25390 - https://github.com/RT-Thread/rt-thread/issues/8286 * CVE-2024-25391 - https://github.com/RT-Thread/rt-thread/issues/8287 * CVE-2024-25392 - https://github.com/RT-Thread/rt-thread/issues/8290 * CVE-2024-25393 - https://github.com/RT-Thread/rt-thread/issues/8288 * CVE-2024-25394 - https://github.com/RT-Thread/rt-thread/issues/8291 * CVE-2024-25395 - https://github.com/RT-Thread/rt-thread/issues/8289 * https://github.com/RT-Thread/rt-thread/issues/8292 * Vendor URL: https://www.rt-thread.io/ --[ 0 - Table of contents 1 - Summary 2 - Background 3 - Vulnerabilities 3.1 - CVE-2024-24335 - Buffer overflow in RT-Thread dfs_v2 romfs filesystem 3.2 - CVE-2024-24334 - Heap buffer overflows in RT-Thread dfs_v2 dfs_file 3.3 - CVE-2024-25389 - Weak random source in RT-Thread rt_random driver 3.4 - CVE-2024-25388 - Heap buffer overflow in RT-Thread wlan driver 3.5 - CVE-2024-25390 - Heap buffer overflows in RT-Thread finsh 3.6 - CVE-2024-25391 - Stack buffer overflow in RT-Thread IPC 3.7 - CVE-2024-25393 - Stack buffer overflow in RT-Thread AT server 3.8 - CVE-2024-25395 - Static buffer overflow in RT-Thread rt-link utility 3.9 - CVE-2024-25392 - Out-of-bounds static array access in RT-Thread var_export utility 3.10 - CVE-2024-25394 - Multiple vulnerabilities in RT-Thread ymodem utility 3.11 - Use of outdated lwIP and TinyDir dependencies in RT-Thread 4 - Affected products 5 - Remediation 6 - Disclosure timeline 7 - Acknowledgments 8 - References --[ 1 - Summary "Security is in the mind of the programmer and in the mind of the designer. Not so much in the code." -- Alisa Esage RT-Thread [1] is an open-source, community-based real-time operating system (RTOS). RT-Thread can be used in sensing nodes, wireless connection chips, and many other resource-constrained scenarios. It is also widely applied in gateways, IPC, smart speakers, and other high-performance IoT applications. We reviewed RT-Thread's source code hosted on GitHub [2] and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution. We also audited the lwIP [3] and TinyDir [4] codebases on which some RT-Thread functionalities depend, and found some additional vulnerabilities that were subsequently fixed by the respective maintainers. --[ 2 - Background After our recent vulnerability disclosures [5] in the IoT space, we decided to keep assisting open-source projects in finding and fixing security vulnerabilities by reviewing their source code. RT-Thread was selected as a target of interest. Other RTOSes will be featured in future advisories and writeups. During this review, we made use of our Semgrep C/C++ ruleset [6] to identify hotspots in code on which to focus our attention. We also took advantage of this opportu
[FD] HNS-2023-03 - HN Security Advisory - Multiple vulnerabilities in Zephyr RTOS
Hi all, Find attached a security advisory that details multiple vulnerabilities we discovered in the Zephyr real-time operating system. * Title: Multiple vulnerabilities in Zephyr RTOS * OS: Zephyr <= 3.4.0, except for: * CVE-2023-4265 that affects Zephyr <= 3.3.0 * CVE-2023-4261 that affects Zephyr <= 3.5.0 * Author: Marco Ivaldi * Date: 2023-11-07 * CVE IDs and severity: * CVE-2023-3725 - High - 7.6 * CVE-2023-4257 - Moderate - 6.8 * CVE-2023-4259 - High - 7.1 * CVE-2023-4260 - Moderate - 6.3 * CVE-2023-4261 - (unreleased) * CVE-2023-4262 - Moderate - 5.1 * CVE-2023-4263 - High - 7.6 * CVE-2023-4264 - High - 7.1 * CVE-2023-4265 - Moderate - 6.4 * CVE-2023-5139 - Moderate - 4.4 * CVE-2023-5184 - High - 7.0 * CVE-2023-5753 - Moderate - 6.3 * Vendor URL: https://www.zephyrproject.org/ * Advisory URLs: * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-2g3m-p6c7-8rr3 * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-853q-q69w-gf5j * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gghm-c696-f4j4 * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gj27-862r-55wh * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5954-jcv4-7rvm * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-56p9-5p3v-hhrc * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rf6q-rhhp-pqhf * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rgx6-3w4j-gf5j * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vgv-5r6q-r6xh * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rhrc-pcxp-4453 * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8x3p-q3r5-xh9g * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hmpr-px56-rvww For additional information, please refer to our vulnerability writeup: https://security.humanativaspa.it/ost2-zephyr-rtos-and-a-bunch-of-cves Regards, -- Marco Ivaldi "When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." --[ HNS-2023-03 - HN Security Advisory - https://security.humanativaspa.it/ * Title: Multiple vulnerabilities in Zephyr RTOS * OS: Zephyr <= 3.4.0, except for: * CVE-2023-4265 that affects Zephyr <= 3.3.0 * CVE-2023-4261 that affects Zephyr <= 3.5.0 and will be fixed in a future update * Author: Marco Ivaldi * Date: 2023-11-07 * CVE IDs and severity: * CVE-2023-3725 - High - 7.6 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H * CVE-2023-4257 - Moderate - 6.8 - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H * CVE-2023-4259 - High - 7.1 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H * CVE-2023-4260 - Moderate - 6.3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L * CVE-2023-4261 - (unreleased) * CVE-2023-4262 - Moderate - 5.1 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L * CVE-2023-4263 - High - 7.6 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H * CVE-2023-4264 - High - 7.1 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L * CVE-2023-4265 - Moderate - 6.4 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H * CVE-2023-5139 - Moderate - 4.4 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L * CVE-2023-5184 - High - 7.0 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H * CVE-2023-5753 - Moderate - 6.3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * Vendor URL: https://www.zephyrproject.org/ * Advisory URLs: * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-2g3m-p6c7-8rr3 * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-853q-q69w-gf5j * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gghm-c696-f4j4 * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gj27-862r-55wh * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5954-jcv4-7rvm (unreleased) * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-56p9-5p3v-hhrc * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rf6q-rhhp-pqhf * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rgx6-3w4j-gf5j * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vgv-5r6q-r6xh * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rhrc-pcxp-4453 * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8x3p-q3r5-xh9g * https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hmpr-px56-rvww --[ 0 - Table of contents 1 - Summary 2 - Background 3 - Vulnerabilities 3.1 - CVE-2023-3725 - Buffer overflow vulnerability in the Zephyr CANbus subsystem 3.2 - CVE-2023-4257 - Unchecked user input length in the Zephyr WiFi shell module 3.3 - CVE-2023-4259 - Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver 3.4 - CVE-2023-4260
Re: [FD] HNS-2022-01 - HN Security Advisory - Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm
Hello again, Just a quick update. Mitre has assigned the following additional CVE IDs: * CVE-2023-24039 - Stack-based buffer overflow in libXm ParseColors * CVE-2023-24040 - Printer name injection and heap memory disclosure We have updated the advisory accordingly: https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt Regards, Marco On Wed, Jan 18, 2023 at 9:48 AM Marco Ivaldi wrote: > > Dear Full Disclosure, > > Find attached a security advisory that details multiple > vulnerabilities we discovered in Oracle Solaris CDE dtprintinfo, Motif > libXm, and X.Org libXpm. > > * Title: Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm > * Products: Common Desktop Environment 1.6, Motif 2.1, X.Org libXpm < 3.5.15 > * OS: Oracle Solaris 10 (CPU January 2021) > * Author: Marco Ivaldi > * Date: 2023-01-18 > * Oracle vulnerability tracking numbers: > * S1597707 - Arbitrary printer name injection > * S1597724 - Heap memory disclosure via long printer names > * S1597711 - Memory corruption via malformed icon files > * S1597730 - Stack-based buffer overflow in libXm ParseColors > * CVE IDs: > * CVE-2022-46285 - Infinite loop on unclosed comments in Xorg libXpm > * Advisory URLs: > * https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt > * https://lists.x.org/archives/xorg-announce/2023-January/003312.html > * https://lists.x.org/archives/xorg-announce/2023-January/003313.html > * Exploit URLs: > * > https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c > > For additional information, please refer to our vulnerability writeup: > https://security.humanativaspa.it/nothing-new-under-the-sun/ > > PS. No, HNS-2022-01 is not a typo. Check out the disclosure timeline > in the advisory and you'll understand why we used this label. -- Marco Ivaldi https://0xdeadbeef.info/ "When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
[FD] HNS-2022-01 - HN Security Advisory - Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm
Dear Full Disclosure, Find attached a security advisory that details multiple vulnerabilities we discovered in Oracle Solaris CDE dtprintinfo, Motif libXm, and X.Org libXpm. * Title: Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm * Products: Common Desktop Environment 1.6, Motif 2.1, X.Org libXpm < 3.5.15 * OS: Oracle Solaris 10 (CPU January 2021) * Author: Marco Ivaldi * Date: 2023-01-18 * Oracle vulnerability tracking numbers: * S1597707 - Arbitrary printer name injection * S1597724 - Heap memory disclosure via long printer names * S1597711 - Memory corruption via malformed icon files * S1597730 - Stack-based buffer overflow in libXm ParseColors * CVE IDs: * CVE-2022-46285 - Infinite loop on unclosed comments in Xorg libXpm * Advisory URLs: * https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt * https://lists.x.org/archives/xorg-announce/2023-January/003312.html * https://lists.x.org/archives/xorg-announce/2023-January/003313.html * Exploit URLs: * https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c For additional information, please refer to our vulnerability writeup: https://security.humanativaspa.it/nothing-new-under-the-sun/ PS. No, HNS-2022-01 is not a typo. Check out the disclosure timeline in the advisory and you'll understand why we used this label. Regards, -- Marco Ivaldi https://0xdeadbeef.info/ "When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." --[ HNS-2022-01 - HN Security Advisory - https://security.humanativaspa.it/ * Title: Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm * Products: Common Desktop Environment 1.6, Motif 2.1, X.Org libXpm < 3.5.15 * OS: Oracle Solaris 10 (CPU January 2021) * Author: Marco Ivaldi * Date: 2023-01-18 * Oracle vulnerability tracking numbers: * S1597707 - Arbitrary printer name injection * S1597724 - Heap memory disclosure via long printer names * S1597711 - Memory corruption via malformed icon files * S1597730 - Stack-based buffer overflow in libXm ParseColors * CVE IDs: * CVE-2022-46285 - Infinite loop on unclosed comments in X.Org libXpm * Advisory URLs: * https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt * https://lists.x.org/archives/xorg-announce/2023-January/003312.html * https://lists.x.org/archives/xorg-announce/2023-January/003313.html * Exploit URLs: * https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c --[ 0 - Table of contents 1 - Summary 2 - Vulnerabilities 2.1 - Arbitrary printer name injection 2.2 - Heap memory disclosure via long printer names 2.3 - Memory corruption via malformed icon files 2.4 - Stack-based buffer overflow in libXm ParseColors() 3 - Analysis 3.1 - Printer name injection and heap memory disclosure 3.2 - Memory corruption via malformed icon files 4 - Exploitation 5 - Affected products 6 - Remediation 7 - Disclosure timeline 8 - References --[ 1 - Summary "What has been will be again, what has been done will be done again; there is nothing new under the Sun." -- Ecclesiastes 1:9 We have identified multiple security vulnerabilities that are exploitable via the the setuid-root dtprintinfo binary from the Common Desktop Environment (CDE) distributed with Oracle Solaris 10 (CPU January 2021): * A bug in the parser of the lpstat external command invoked by dtprintinfo to list the names of available printers allows low-privileged local users to inject arbitrary printer names via the $HOME/.printers file. * Printer name injection allows low-privileged local users to manipulate the control flow of the target program and disclose memory contents. Based on our analysis, this bug does not seem to be directly exploitable to achieve arbitrary code execution. However, we recommend treating it as a potential security vulnerability and fix it as such. * The ability to inject arbitrary printer names opens other attack vectors that otherwise would not be available on systems without configured printers. As an example, we discovered multiple icon parsing bugs in the Motif library libXm that cause memory corruption. We demonstrated the possibility to exploit one of these memory corruption bugs, a stack-based buffer overflow in the ParseColors() function of libXm, to achieve local privilege escalation to root on Solaris 10. --[ 2 - Vulnerabilities Following our last CDE vulnerability disclosures [1], Oracle kindly shared with us a copy of their then current Solaris 10 security patch set (CPU January 2021), so that we could install it in our lab and verify the fixes for the bugs we had reported. In addition to verifying these fixes, we decided to take a closer look at the dtprintinfo program distributed with CDE, because of its complexity and its impressive historical record of high-impact vulnerabilities [2]. These are the results of our research. -
[FD] HNS-2022-02 - HN Security Advisory - Multiple vulnerabilities in Zyxel zysh
Dear Full Disclosure, Find attached a security advisory that details multiple vulnerabilities we discovered in the zysh shell distributed with some Zyxel products, including their security appliances. * Title: Multiple vulnerabilities in Zyxel zysh * Products: Zyxel firewalls, AP controllers, and APs * Author: Marco Ivaldi * Date: 2022-06-07 * CVE Names and Vendor CVSS Scores: CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1) CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8) * Advisory URLs: https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml For additional information, please refer to our vulnerability writeup: https://security.humanativaspa.it/multiple-vulnerabilities-in-zyxel-zysh/ Regards, -- Marco Ivaldi https://0xdeadbeef.info/ "When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." --[ HNS-2022-02 - HN Security Advisory - https://security.humanativaspa.it/ * Title: Multiple vulnerabilities in Zyxel zysh * Products: Zyxel firewalls, AP controllers, and APs * Author: Marco Ivaldi * Date: 2022-06-07 * CVE Names and Vendor CVSS Scores: CVE-2022-26531: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H (6.1) CVE-2022-26532: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8) * Advisory URLs: https://github.com/hnsecurity/vulns/blob/main/HNS-2022-02-zyxel-zysh.txt https://www.zyxel.com/support/multiple-vulnerabilities-of-firewalls-AP-controllers-and-APs.shtml --[ 0 - Table of contents 1 - Summary 2 - Background 3 - Vulnerabilities 4 - Analysis 4.1 - Buffer overflows in the "configure terminal > diagnostic" command 4.2 - Buffer overflow in the "debug" command 4.3 - Buffer overflow in the "ssh" command 4.4 - Format string bugs in the "extension" argument of some commands 4.5 - OS command injection in the "packet-trace" command 5 - Exploitation 5.1 - Buffer overflows 5.2 - Format string bugs 5.3 - OS command injection 6 - Affected products 7 - Remediation 8 - Disclosure timeline 9 - References --[ 1 - Summary "We live on a placid island of ignorance in the midst of black seas of infinity, and it was not meant that we should voyage far." -- H. P. Lovecraft, The Call of Cthulhu We have identified multiple security vulnerabilities in the zysh binary that implements the command-line interface (CLI) on a wide range of Zyxel products, including their security appliances such as those in the Unified Security Gateway (USG) product line: * Multiple stack-based buffer overflows in the code responsible for handling diagnostic tests ("configure terminal > diagnostic" command). * A stack-based buffer overflow in the "debug" command. * A stack-based buffer overflow in the "ssh" command. * Multiple format string bugs in the "extension" argument of the "ping", "ping6", "traceroute", "traceroute6", "nslookup", and "nslookup6" commands. * An OS command injection vulnerability in the "packet-trace" command. We demonstrated the possibility to exploit the format string bugs and the OS command injection vulnerability to escape the restricted shell environment and achieve arbitrary command execution on the underlying embedded Linux OS, respectively as regular user and as root. --[ 2 - Background The zysh binary is a restricted shell that implements the command-line interface (CLI) on multiple Zyxel [0] products. All regular user accounts have an /etc/passwd entry similar to the following: admin:x:10007:1:Administration account...:/etc/zyxel/ftp:/bin/zysh Only the root user and the reserved debug account, disabled by default, have access to a proper bash shell: root:x:0:0:root&120&120&480&480&1&0:/root:/bin/bash ... debug:!:0:0:Debug Account:/root:/bin/bash The Zyxel CLI can be accessed via SSH as follows: raptor@blumenkraft ~ % ssh -l admin (admin@) Password: Router> # hello zysh! On our Zyxel USG20-VPN test device, the CLI can also be accessed via Telnet (not enabled by default) or via the so-called Web Console, implemented with WebSockets, that is reachable with a web browser after authentication, at a URL such as the following: https:///webconsole/ In the context of a wider audit of the security posture of Zyxel devices [1], we decided to audit zysh with the primary goal of escaping the restricted shell environment and executing arbitrary commands on the underlying embedded Linux OS. It is pretty large for a dynamically-linked, stripped binary (~19MB) and it makes plenty of unsafe API function calls, which makes it an interesting target. --[ 3 - Vulnerabilities During our audit of the zysh binary, we identified the following vulnerabilities:
[FD] CVE-2020-2771, CVE-2020-2851, CVE-2020-2944 - Multiple vulnerabilities in Oracle Solaris
Hello, Please find attached 3 recent advisories for the following vulnerabilities, fixed in Oracle's Critical Patch Update (CPU) of April 2020: CVE-2020-2771. A difficult to exploit heap-based buffer overflow in setuid root whodo and w binaries distributed with Solaris allows local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges. CVE-2020-2851. A difficult to exploit stack-based buffer overflow in the _DtCreateDtDirs() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may allow local users to corrupt memory and potentially execute arbitrary code in order to escalate privileges via a long X11 display name. The vulnerable function is located in the libDtSvc library and can be reached by executing the setuid program dtsession. CVE-2020-2944. A buffer overflow in the _SanityCheck() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier allows local users to gain root privileges via a long calendar name or calendar owner passed to sdtcm_convert in a malicious calendar file. For further details and some background information, please refer to: https://techblog.mediaservice.net/2020/04/cve-2020-2944-local-privilege-escalation-via-cde-sdtcm_convert/ https://github.com/0xdea/exploits/blob/master/solaris/raptor_sdtcm_conv.c https://0xdeadbeef.info/ PS. It looks like Bugtraq is not accepting posts anymore: it finally happened, the end of an era... -- Marco Ivaldi, Offensive Security Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio Unico https://www.mediaservice.net/ @Mediaservice.net Security Advisory #2020-05 (last updated on 2020-04-15) Title: Local privilege escalation via CDE sdtcm_convert Application: Common Desktop Environment 1.6 and earlier Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier Other platforms are potentially affected (see below) Description: A local attacker can gain root privileges by exploiting a buffer overflow in CDE sdtcm_convert Author: Marco Ivaldi Vendor Status: Oracle notified on 2019-12-08 CERT/CC notified on 2019-12-09 (tracking VU#308289) CVE Name: CVE-2020-2944 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8) References: https://github.com/0xdea/advisories/blob/master/2020-05-cde-sdtcm_convert.txt https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/technetwork/server-storage/solaris10/ https://www.mediaservice.net/ https://0xdeadbeef.info/ 1. Abstract. A buffer overflow in the _SanityCheck() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier allows local users to gain root privileges via a long calendar name or calendar owner passed to sdtcm_convert in a malicious calendar file. The open source version of CDE (based on the CDE 2.x codebase) is not affected, because it does not ship the vulnerable program. 2. Example Attack Session. bash-3.2$ cat /etc/release Oracle Solaris 10 1/13 s10x_u11wos_24a X86 Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved. Assembled 17 January 2013 bash-3.2$ uname -a SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc bash-3.2$ id uid=54322(raptor) gid=1(other) bash-3.2$ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall bash-3.2$ ./raptor_sdtcm_conv raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel Copyright (c) 2019-2020 Marco Ivaldi Using SI_PLATFORM : i86pc (5.10) Using SI_HOSTNAME : nostalgia Using stack base: 0x8047fff Using rwx_mem address : 0xfeffa004 Using payload address : 0x8047dff Using strcpy() address : 0xfefe26a0 Preparing the evil calendar file... Done. Exploiting... Please answer "n" when prompted. Loading the calendar ... [...] Do you want to correct it? (Y/N) [Y] n # id uid=0(root) gid=1(other) egid=12(daemon) 3. Affected Platforms. All platforms shipping the Common Desktop Environment based on the CDE 1.x codebase are potentially affected. This includes: * Oracle Solaris 10 1/13 (Update 11) and earlier [default installation] The open source version of CDE (based on the CDE 2.x codebase) is not affected, because it does not ship the vulnerable program. 4. Fix. Oracle has assigned the tracking# S1239395 and has released a fix for all affected and supported versions of Solaris in the Critical Patch Update (CPU) of April 2020. As a workaround, it is also possible to remove the setuid bit from the vulnerable executable as follows (note that this might prevent it from working properly): bash-3.2# chmod -s /usr/dt/bin/sdtcm_convert Please note that during the audit many other p
[FD] CVE-2020-2696 - Local privilege escalation via CDE dtsession
Dear Full Disclosure, Please find attached an advisory for the following vulnerability, fixed in Oracle's Critical Patch Update (CPU) of January 2020: "A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file." For further information, please refer to: https://techblog.mediaservice.net/2020/01/local-privilege-escalation-via-cde-dtsession/ https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtsession_ipa.c Regards, -- Marco Ivaldi, Offensive Security Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio Unico https://www.mediaservice.net/ Tel: +39 011 19016595 | Fax: +39 011 3246497 @Mediaservice.net Security Advisory #2020-02 (last updated on 2020-01-15) Title: Local privilege escalation via CDE dtsession Application: Common Desktop Environment 2.3.1 and earlier Common Desktop Environment 1.6 and earlier Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier Other platforms are potentially affected (see below) Description: A local attacker can gain root privileges by exploiting a buffer overflow in CDE dtsession Author: Marco Ivaldi Vendor Status: Oracle notified on 2019-11-13 CERT/CC notified on 2019-12-09 (tracking VU#308289) CVE Name: CVE-2020-2696 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8) References: https://github.com/0xdea/advisories/blob/master/2020-02-cde-dtsession.txt https://www.oracle.com/security-alerts/cpujan2020.html https://sourceforge.net/p/cdesktopenv/wiki/Home/ https://www.oracle.com/technetwork/server-storage/solaris10/ https://www.mediaservice.net/ https://0xdeadbeef.info/ 1. Abstract A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file. Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Most notably, the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the open source version it is heap-based. 2. Example Attack Session. bash-3.2$ cat /etc/release Oracle Solaris 10 1/13 s10x_u11wos_24a X86 Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved. Assembled 17 January 2013 bash-3.2$ uname -a SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc bash-3.2$ id uid=54322(raptor) gid=1(other) bash-3.2$ gcc raptor_dtsession_ipa.c -o raptor_dtsession_ipa -Wall bash-3.2$ ./raptor_dtsession_ipa 192.168.1.1:0 raptor_dtsession_ipa.c - CDE dtsession LPE for Solaris/Intel Copyright (c) 2019-2020 Marco Ivaldi Using SI_PLATFORM : i86pc (5.10) Using stack base: 0x8047fff Using rwx_mem address : 0xfeffa004 Using payload address : 0x8047dff Using strcpy() address : 0xfefe26a0 # id uid=0(root) gid=1(other) 3. Affected Platforms. All platforms shipping the Common Desktop Environment are potentially affected. This includes: * Oracle Solaris 10 1/13 (Update 11) and earlier [default installation] According to the CDE Wiki, the following platforms are officially supported: * All Official Ubuntu variants 12.04 - 18.04 * Debian 6, 7, 8, 9 * Fedora 17 at least * Archlinux * Red Hat * Slackware 14.0 * OpenBSD * NetBSD * FreeBSD 9.2, 10.x, 11.x * openSUSE Tumbleweed (gcc7) * openSUSE Leap 4.2 (gcc4) * SUSE 12 SP3 (gcc4) * Solaris, OpenIndiana 4. Fix. The maintainers of the open source CDE 2.x version have issued the following patches for this vulnerability: https://sourceforge.net/p/cdesktopenv/mailman/message/36900154/ https://sourceforge.net/p/cdesktopenv/code/ci/6b32246d06ab16fd7897dc344db69d0957f3ae08/ Oracle, which maintains a different CDE codebase based on the 1.x train, has assigned the tracking# S1231688 and has released a fix for all affected and supported versions of Solaris in their Critical Patch Update (CPU) of January 2020. As a workaround, it is also possible to remove the setuid bit from the vulnerable executable as follows (note that this might prevent it from working properly): bash-3.2# chmod -s /usr/dt/bin/dtsession Please note that during the audit many other potentially exploitable bugs have surfaced in dtsession and in the Common Desktop Environment in general. Therefore, removing the setuid bit from all CDE binaries is recommended, regardless of patches released by vendors.
[FD] CVE-2020-2656 - Low impact information disclosure via Solaris xlock
Dear Full Disclosure, Please find attached an advisory for the following vulnerability, fixed in Oracle's Critical Patch Update (CPU) of January 2020: "A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely." Regards, -- Marco Ivaldi, Offensive Security Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio Unico https://www.mediaservice.net/ @Mediaservice.net Security Advisory #2020-01 (last updated on 2020-01-15) Title: Low impact information disclosure via Solaris xlock Application: Setuid root xlock binary distributed with Solaris Platforms: Oracle Solaris 11.x (confirmed on 11.4 X86) Oracle Solaris 10 (confirmed on 10 1/13 X86) OpenIndiana Hipster 2019.10 and earlier Other platforms are potentially affected Description: A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of potentially sensitive files Author: Marco Ivaldi Vendor Status: notified on 2019-09-24 CVE Name: CVE-2020-2656 CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (Base Score: 4.4) References: https://github.com/0xdea/advisories/blob/master/2020-01-solaris-xlock.txt https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/technetwork/server-storage/solaris11/ https://www.oracle.com/technetwork/server-storage/solaris10/ https://www.openindiana.org/ https://github.com/oracle/solaris-userland/tree/master/components/x11/app/xlock/sun-src https://www.mediaservice.net/ https://0xdeadbeef.info/ 1. Abstract. A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific format, exploitation of this flaw to escalate privileges in a realistic scenario is unlikely. 2. Example Attack Session. In order to reproduce this bug, the following commands can be used: raptor@stalker:~$ cat /etc/release Oracle Solaris 11.4 X86 Copyright (c) 1983, 2018, Oracle and/or its affiliates. All rights reserved. Assembled 16 August 2018 raptor@stalker:~$ uname -a SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc raptor@stalker:~$ id uid=100(raptor) gid=10(staff) raptor@stalker:~$ tail -1 /etc/passwd user.mode:x:101:10::/export/home/user:/usr/bin/bash raptor@stalker:~$ ln -s /etc/shadow .Xdefaults raptor@stalker:~$ Xorg :1 & raptor@stalker:~$ xlock -name user -display :1 Unknown mode: xlock: bad command line option "$5$rounds=1$wHWiSUhf$NKjMUwIRiVVB/GYx.HZvnMhou9RUT.qaiJhKg265um7:18160::" 3. Discussion. The detected information disclosure happens because xlock does not drop root privileges and follows a malicious symlink to an arbitrary file when opening the ~/.Xdefaults configuration file with the XrmGetFileDatabase() function of libX11. Subsequently, xlock's CheckResources() function prints partial contents of the last line of the file that matches the following pattern (the resource-name string can be specified with the -name command line switch of xlock): [resource-name].mode:[sensitive data] For instance, if a username in the shadow file ends with the string ".mode" (e.g. "user.mode" as shown in the above example) it is possible for a low privileged user to exploit this flaw in order to reveal the corresponding password hash. Similar results can be achieved in case of usernames that end with the following strings: * ".font": the password hash is included in an error message printed by xlock * ".info": the password hash is displayed as part of xlock's unlock dialog * ".validate": the password hash is displayed as part of xlock's unlock dialog Instead of creating a symlink, an attacker could exploit this flaw by directly setting the XFILESEARCHPATH or XUSERFILESEARCHPATH environment variables to point to /etc/shadow. In this case, the password hash associated with usernames that end with the ".display" string can also be recovered. The XAPPLRESDIR environment variable can also be manipulated to achieve similar results. Finally, the directive #include "/etc/shadow" in a configuration file can also be used to trick xlock into opening the /etc/shadow file. Other exploitation vectors may be available. 4. Affected Platforms. This bug was
Re: [FD] local privilege escalation via CDE dtprintinfo
Hi, Just a quick follow-up to my original advisory. The CVE name CVE-2019-2832 has been assigned to the vulnerability and Oracle has released a patch in its July 2019 CPU. Further information is available at: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixSUNS https://support.oracle.com/epmos/faces/DocContentDisplay?id=2560938.1 Once again, I would like to thank Jon Trulson (maintainer of the open source CDE project), Alan Coopersmith, and Ritwik Ghoshal (Oracle Security team) for their smooth and professional handling of my vulnerability report, especially given the unusual circumstances. -- Marco Ivaldi, SAT Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio Unico https://www.mediaservice.net/ On 17/05/2019, 16:13, "Marco Ivaldi" wrote: Dear Full Disclosure, Please find attached an advisory for the following vulnerability: A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long printer name passed to dtprintinfo by a malicious lpstat program. Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Most notably, the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the open source version it is heap-based. This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in the talk "A bug's life: story of a Solaris 0day". For further information, refer to the following links: https://vimeo.com/335197685 https://github.com/0xdea/raptor_infiltrate19 Regards, -- Marco Ivaldi, SAT Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio Unico https://www.mediaservice.net/ ___ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] local privilege escalation via CDE dtprintinfo
Dear Full Disclosure, Please find attached an advisory for the following vulnerability: A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long printer name passed to dtprintinfo by a malicious lpstat program. Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Most notably, the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the open source version it is heap-based. This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in the talk "A bug's life: story of a Solaris 0day". For further information, refer to the following links: https://vimeo.com/335197685 https://github.com/0xdea/raptor_infiltrate19 Regards, -- Marco Ivaldi, SAT Manager CISSP, OSCP, QSA, ASV, OPSA, OPST, OWSE, LA27001, PRINCE2F @Mediaservice.net S.r.l. con Socio Unico https://www.mediaservice.net/ @Mediaservice.net (Cybaze Group) Security Advisory #2019-01 (updated on 2019-05-08) Title: Local privilege escalation via CDE dtprintinfo Application: Common Desktop Environment 2.3.0 and earlier Platforms: Oracle Solaris 10 1/13 (Update 11) and earlier Other platforms are potentially affected (see below) Description: A local attacker can gain root privileges by exploiting a buffer overflow in CDE dtprintinfo Author: Marco Ivaldi Contributor: Dave Aitel (original discovery) Vendor Status: notified on 2019-05-05 notified on 2019-05-05 CVE: The Common Vulnerabilities and Exposures project has not assigned a name to this issue yet References: https://lab.mediaservice.net/advisory/2019-01-cde-dtprintinfo.txt https://github.com/0xdea/raptor_infiltrate19 https://sourceforge.net/p/cdesktopenv/wiki/Home/ https://www.oracle.com/technetwork/server-storage/solaris10/ https://www.mediaservice.net/ https://infiltratecon.com/ 1. Abstract. A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges via a long printer name passed to dtprintinfo by a malicious lpstat program. Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Most notably, the vulnerable buffer in the Oracle Solaris CDE is stack-based, while in the open source version it is heap-based. This is a 0day vulnerability demonstrated at #INFILTRATE19 on May 2nd, 2019 in the talk "A bug's life: story of a Solaris 0day". 2. Example Attack Session. bash-3.2$ cat /etc/release Oracle Solaris 10 1/13 s10x_u11wos_24a X86 Copyright (c) 1983, 2013, Oracle and/or its affiliates. All rights reserved. Assembled 17 January 2013 bash-3.2$ uname -a SunOS nostalgia 5.10 Generic_147148-26 i86pc i386 i86pc bash-3.2$ id uid=54322(raptor) gid=1(other) bash-3.2$ gcc raptor_dtprintname_intel.c -o raptor_dtprintname_intel -Wall bash-3.2$ ./raptor_dtprintname_intel 192.168.1.1:0 raptor_dtprintname_intel.c - dtprintinfo 0day, Solaris/Intel Copyright (c) 2004-2019 Marco Ivaldi Using SI_PLATFORM : i86pc (5.10) Using stack base: 0x8047fff Using rwx_mem address : 0xfeffa004 Using sc address: 0x8047f60 Using strcpy() address : 0xfefe26a0 lpstat called with -v lpstat called with -v lpstat called with -d # id uid=0(root) gid=1(other) 3. Affected Platforms. All platforms shipping the Common Desktop Environment are potentially affected. This includes: * Oracle Solaris 10 1/13 (Update 11) and earlier [default installation] According to the CDE Wiki, the following platforms are officially supported: * All Official Ubuntu variants 12.04 - 18.04 * Debian 6, 7, 8, 9 * Fedora 17 at least * Archlinux * Red Hat * Slackware 14.0 * OpenBSD * NetBSD * FreeBSD 9.2, 10.x, 11.x * openSUSE Tumbleweed (gcc7) * openSUSE Leap 4.2 (gcc4) * SUSE 12 SP3 (gcc4) * Solaris, OpenIndiana 4. Fix. The maintainers of the open source CDE 2.x version have issued the following patches for this vulnerability: https://sourceforge.net/p/cdesktopenv/code/ci/30cd56ac389fbab521c52669a3bd25041d4e1df1/ https://sourceforge.net/p/cdesktopenv/code/ci/05d231606ebe3658712a36017d16ec3cc349145d/ https://sourceforge.net/p/cdesktopenv/code/ci/d59ec197e5307ad9650b6518dba67b7ef388f053/ Oracle, which maintains a different CDE codebase based on the 1.x train, is investigating the issue via tracking# S1153109 and is expected to release a fix for all affected-supported versions of Solaris via their quarterly C