SSD Advisory – Linux Kernel AF_PACKET Use-After-Free

Credit to Author: SSD / Maor Schwartz | Date: Tue, 17 Oct 2017 11:42:53 +0000

Vulnerabilities summary: The following advisory describes a use-after-free vulnerability found in the Linux kernel's implementation of AF_PACKET that can lead to privilege escalation. AF_PACKET sockets “allow users to send or receive packets on the device driver level. This for example lets them to implement their own protocol on top of the physical layer or to sniff …

SSD Advisory – IKARUS Anti Virus Remote Code Execution

Credit to Author: SSD / Maor Schwartz | Date: Mon, 16 Oct 2017 09:21:04 +0000

Vulnerability summary: The following advisory describes a remote code execution vulnerability found in IKARUS Anti Virus version 2.16.7. IKARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent intrusion and protect yourself against cyber-criminals by choosing IKARUS anti.virus, powered by …

SSD Advisory – Webmin Multiple Vulnerabilities

Credit to Author: SSD / Maor Schwartz | Date: Sun, 15 Oct 2017 06:54:31 +0000

Vulnerability summary: The following advisory describes three (3) vulnerabilities found in Webmin version 1.850. Webmin “is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets …

SSD Advisory – ZTE uSmartView DLL Hijacking

Credit to Author: SSD / Maor Schwartz | Date: Sun, 15 Oct 2017 06:43:40 +0000

Vulnerability summary: The following advisory describes a DLL hijacking vulnerability found in ZTE uSmartView. ZTE uSmartView offers: “ZTE provides full series of cloud computing products (including cloud terminals, cloud desktops, virtualization software, and cloud storage products) and end-to-end integrated product, which can be applied to different scenarios such as office, training classroom, multimedia classroom, and business …

SSD Advisory – Mac OS X 10.12 Quarantine Bypass Vulnerability

Credit to Author: SSD / Maor Schwartz | Date: Sun, 15 Oct 2017 06:02:53 +0000

Vulnerability summary: Mac OS X contains a vulnerability that allows an attacker to bypass Apple's quarantine mechanism and execute arbitrary JavaScript code without any restrictions.

Credit: Security researcher Filippo Cavallarin of WeAreSegment reported this vulnerability to Beyond Security's SSD.

Vendor response: Apple received our report on 27 June 2017 and communicated with us several times. Apple informed us that the vulnerability would be patched in the upcoming High Sierra release. After that, Apple provided no further information: neither a link to an advisory nor any information about a CVE assignment. We have verified that the vulnerability no longer exists in Mac OS X High Sierra. The fix for this vulnerability is to upgrade to Mac OS X High Sierra, or to remove the rhtmlPlayer.html file.

Vulnerability details: Apple's quarantine mechanism works by setting an extended attribute on downloaded files (this also applies to files extracted from downloaded archives/images), so that the system opens/executes these files in a restricted environment. For example, a quarantined HTML file cannot load local resources. This vulnerability exists in an HTML file (part of the Mac OS X core) that is vulnerable to DOM-based XSS, allowing arbitrary JavaScript commands to be executed in its (unrestricted) context. The path of the file is: /System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html

The file contains the following code: [code omitted]

In short, this code extracts a URL from the “rhtml” query-string parameter, issues a request to that URL, and executes the response data as JavaScript code. The code contains two separate DOM-based XSS issues. The first is in the loadLocStrings() function, which creates a SCRIPT element and uses the “rhtml” parameter as its “src” attribute. The second is in the init() function, which makes an ajax call using the “rhtml” parameter and then passes the response directly to eval(). The result is that the same payload is executed twice.

By supplying a URI, an attacker can control the response data and thereby obtain code execution. One possible way to exploit this is via .webloc files. Basically, these files contain a URL, which they simply load in Safari. By crafting a .webloc file and inducing the victim to open it, an attacker can execute JavaScript commands with high privileges on the victim's computer. Since .webloc files also use extended attributes to store their data, the attacker must pack the file in a tar file (or any other file format that supports extended attributes).

Proof of concept: Reproduce the vulnerability with the following steps:
1. Create the JavaScript file you want to execute on the target
2. Base64-encode the file contents
3. Encode it as a “URI component” (for example, using JavaScript's encodeURIComponent function)
4. Use it to build a URI of the form: data:text/plain;base64,
5. Prepend the following string: file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=
6. Open it with Safari
7. Save it as a bookmark
8. Drag the bookmark into Finder (this creates a .webloc file; if the extension is not .webloc, rename it to .webloc)
9. Create a tar archive containing the .webloc file
10. Send the archive to the victim

Note that, because of how rhtmlPlayer.html processes the file, the first line of the JavaScript code must be the following in order to access local resources: [code omitted]

The following bash script converts a JavaScript file into the final “file” URL: …

SSD Advisory – Microsoft Office SMB Information Disclosure

Credit to Author: SSD / Maor Schwartz | Date: Sun, 15 Oct 2017 05:41:56 +0000

Vulnerability Summary: The following advisory describes an information disclosure vulnerability found in Microsoft Office versions 2010, 2013, and 2016. Microsoft Office is: “Whether you’re working or playing, Microsoft is here to help. We’re the company that created Microsoft Office, including Office 365 Home, Office 365 Personal, Office Home & Student 2016, Office Home & Business 2016, …

SSD Advisory – FiberHome Directory Traversal

Credit to Author: SSD / Maor Schwartz | Date: Fri, 13 Oct 2017 12:50:11 +0000

Vulnerability Summary: The following advisory describes a directory traversal vulnerability found in FiberHome routers. FiberHome Technologies Group “was established in 1974. After continuous and intensive development for over 40 years, its business has been extended to R&D, manufacturing, marketing & sales, engineering service, in 4 major areas: fiber-optic communications, data networking communications, wireless communication, and …

SSD Advisory – QNAP HelpDesk SQL Injection

Credit to Author: SSD / Maor Schwartz | Date: Mon, 09 Oct 2017 14:26:28 +0000

Vulnerability Summary: The following advisory describes a SQL injection vulnerability found in QTS Helpdesk versions 1.1.12 and earlier. QNAP Helpdesk: “Starting from QTS 4.2.2 you can use the built-in Helpdesk app to directly submit help requests to QNAP from your NAS. To do so, ensure your NAS can reach the Internet, open Helpdesk from the App …