Vmware – Storm in teacup (Sep 2019)

Preface: In 1894 Damoizeau developed a panoramic stereoscopic camera with twin-lenses, twin-spools and twin -slits.

Background information: With 3D graphics configured for RDS hosts, both applications in application pools and applications running on RDS desktops can display 3D graphics.

Vulnerability details: This vulnerability can be triggered by providing a tamper-evident pixel shader to the AMD ATIDXX64.DLL driver. An attacker can perform an attack from the VMware guest user mode, causing memory corruption on the vmware-vmx.exe process on the host. Successful exploitation of this issue may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host.

Reminder: Exploitation of this issue require an attacker to have access to a virtual machine with 3D graphics enabled.

Official announcement – https://www.vmware.com/security/advisories/VMSA-2019-0014.html

vmware Security Focus CVE-2019-5532 and CVE-2019-5534

Introduction: Open Virtualization Format. Open Virtualization Format (OVF) is an open standard for packaging and distributing virtual appliances or, more generally, software to be run in virtual machine.

Synopsis: Open Virtualization Format provides the ability to let a virtual appliance and run it on different vendors of virtual machine. For example: Vmware.
Two of the vulnerabilities, CVE-2019-5532 and CVE-2019-5534, are rated “important” by VMware. They are all belongs to OVF technology domain.

  • CVE-2019-5534 – expose login information via the virtual machine’s vAppConfig properties.
  • CVE-2019-5532 – malicious user with access to the log files have view the credentials used to deploy the OVF.

Official announcement: Please refer to the url https://www.vmware.com/security/advisories/VMSA-2019-0013.html

Perhaps more risk will be occured on “OVF” not only the vulnerabilities alert by VMware this week. The OVA files can carry malicious code to any virtual machine OS; even mere data files of a certain complexity can effectively launch exploits.

Staying alert of your hhvm (cve-2019-11925 & cve-2019-11926)

What is HHVM? HHVM is an open-source virtual machine designed for executing programs written in Hack and PHP. The mechanism is convert PHP to bytecode. Then, bytecode translated to machine code at runtime by JIT (just-in-time) compiler.

Vulnerability details: CVE-2019-11925 and CVE2019-11926 found design weakness of the boundary check when processing JPEG APP12 block marker and M_SOFx markers form JPEG marker in the GD extension. It could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. See attached diagram for the attack process. The supplier indicates that the defect will only lead to information leakage.

Summary: JPEG file (see specification) contains 2-bytes header (SOI) followed by series of markers, some markers can be followed by data array. Each type of marker has different header format. The bytes where the image is stored follows SOF0 marker (10-bytes length).
‘exif_process_SOFn’ assumes that the JPEG header has at least 6 length. On providing a length < 6, this leads to an out of bounds heap read.

Vendor advisory: https://www.facebook.com/security/advisories/cve-2019-11925

New generation of weapon iot+lora+Drone (2019)

Preface: Traditionally, only big country can have military weapon. Computer technology especially IoT devices not only replace human power. As we seen, IoT 4.0 is going to replace routine man power resources. Perhaps IoT technology also infiltrate in military arsenal .

Details: On Sep, 2019. Drone attacks have set alight two major oil facilities run by the state-owned company Aramco in Saudi Arabia. Refer to diagram, Drone integrate with Lora can increasing the control effective distance. If trouble maker is going to attack improtant facilties, they have more choices today. In last decade, APT cyber attack is the major channel to detroy the critical facilities. But APT attack rare to destroy the infrastructure. If enemy insists to destory the infrastructure. The setup of IoT, Lora and Drone can do it.

Can Drones be Detected by Radar? All newer radars are equipped and have the ability to locate even the smallest drones in the air. May be in future, all the critical facilities especially oil facilitiy, Power grid require to install Radar system.

Prediction: We heard APT cyber attack against critical facilities (especially power grid and oil facilities) by far. It looks that a hybrid attack (IoT+Lora+Drone) will be use in future.

cve-2019-11660 Data protector privilege escalation via omniresolve (Sep 2019)

Prefect: People prefer Veeam because the interface is easier, and Data Protector is difficult in comparison.

Product details: Data protector is a backup and disaster recovery solution for large, complex, and heterogeneous IT environments.

Vulnerability details: A potential vulnerability has been identified in Micro Focus Data Protector. The vulnerability could be exploited by a low-privileged user to execute a custom binary with higher privileges.

Our comment:
Above vulnerability might focus on Data protector server installed on Linux OS platform.
If authorized user exploit the power of SUID/GUID files on Linux, they can enable a file to have one of those bits, to shared the privileges. If a file has a SUID bit to run as root, it has the power to do everything that root can.

Reference: The omniresolve command reads the filesystem structures locating the physical disks (on Windows)
or volumes (on UNIX)on which a filesystem object resides. If the files reside on a logical volume which is a part of a volume group(diskgroup),all volumes in a volume group are displayed.

Status & remedy: versions 10.00, 10.01, 10.02, 10.03, 10.04, 10.10, 10.20, 10.30, 10.40 are affected. Require update Micro Focus Data protector to 2019.08 (A.10.50) or a higher version.

Who lives on the moon?

A myth from ancient China. The story tells a woman who lives on the moon. But the astronauts have never seen her. Because she lives in the interior of the moon.

The density of lunar rocks brought back by Apollo’s lunar landing plan is much larger than that of the Earth’s rocks. It can be seen that the density of the moon is astonishing. If we speculate according to this phenomenon, the center of the moon should be a core composed of large-density matter.

Considering the distance in between center and surface of the Lunar will be short than earth. Coupled with its total mass, gravity is much larger than we think. However the gravity of lunar merely 1/6 from earth. It seems that the lunar gravity has nothing to do with its density and mass. This shows what? This only shows that the moon is a huge hollow sphere.

Happy Mid-autumn Festival

Schneider Electric Security Notification – CVE-2019-6811 (Sep 2019)

Product background: The Modicon Quantum Ethernet I/O (QEIO) automation platform is designed to meet the requirements of both the industrial automation and process industries.

Vulnerability details: An Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability exists, which could cause denial of service when the module receives an IP fragmented packet with a length greater than 65535 bytes. The module then requires a power cycle to recover.

Additional info: The maximum packet length for IPv4 = 65,535 bytes but the size is limited due to the physical layers MTU( 1500 for Ethernet). So to send larger packets it would require fragmentation.

IP fragmentation is an Internet Protocol (IP) process that breaks packets into smaller pieces (fragments), so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host.

Remark: Scapy is a tool to generate your own packets.

Affected Product – Quantum 140 NOE771x1 version 6.9 and earlier.

Remediation: This vulnerability is fixed in version 7.0

Dejablue vulnerability – Impact on Siemens Health Products (10th Sep 2019)

For healthcare, cyber attacks can have ramifications beyond financial loss and breach of privacy.

Preface: For healthcare, cyber attacks can have ramifications beyond financial loss and breach of privacy.

Background: The DejaBlue vulnerabilities are in the early stages of the RDP connection. The flaws precede the authentication phase, thereby there is no need for passwords of keys to breach the system and eventually can lead to remote code execution.

DejaBlue vulnerability trigger medical device manufacturer alert! People relies on doctor do the medical surgery to remediate their weakness of the health. But the medical industry itself also require cyber security doctor to remedy their product design weakness. It is fair. Siemens pioneer to introduce first computed tomography scanner in 70’s. In 1980 the first manufacturer to made the magnetic resonance imaging (MRI) scanner. As of today, their design has been intergarte with computing technology. And therefore the zero day and vulnerability happen in cyber world will become their pain!

Official announcement: SSA-187667: DejaBlue Vulnerabilities – Siemens Healthineers Products – https://cert-portal.siemens.com/productcert/pdf/ssa-187667.pdf

CVE-2019-15292 Linux Kernel up to 5.0.8 atalk_proc.c atalk_proc_exit memory corruption

Background: Appletalk support allows your Linux machine to interwork with Apple networks. Below components conduct the specified functions.

  • sysctl_net_atalk.c: sysctl interface to net AppleTalk subsystem.
  • ddp.c: AppleTalk DDP protocol for Ethernet ELAP (ethertalk).
  • atalk_proc.c: proc support for Appletalk

The Use-After-Free vulnerability is related to above three components. Even though you do not use ApplyTalk, attacker by sending a request that submits malicious input to the targeted system. A successful exploit could allow the attacker to execute arbitrary code.

In the Linux kernel version 2.6.23, the /proc/sys/vm/mmap_min_addr tunable was introduced to prevent unprivileged users from creating new memory mappings below the minimum address. To enable it, add or amend the following entry in the /etc/sysctl.conf file: vm.mmap_min_addr = 4096

Security Focus: What is NULL pointer dereference flaws in the Linux? NULL pointer dereference flaws in the Linux kernel can often be abused by a local, unprivileged user to gain root privileges by mapping attacker-controlled data to low memory pages.

But above adjustment cannot resolve these vulnerabilities. It was because if alloc_disk fails in pcd_init_units, cd->disk will be NULL, however in pcd_detect and pcd_exit, it’s not check this before free.It may result a NULL pointer dereference.

Remedy: Kernel.org has released remedy at the following link – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6377f787aeb945cae7abbb6474798de129e1f3ac

Quick and Dirty – walk through CVE-2019-15846

Preface: Quite a lot of cyber security expertise provides their explanation on vulnerability on Exim (A local or remote attacker can execute programs with root privileges). I will do a quick and dirty way to explain. Should you have interested, please refer below:

a. Connect to Exim with TLS and send an SNI that ends with backslash-null.
*unescaped-backslash bug in string_printing2()

b. We exploit the backslash-null bug in string_interpret_escape().

Hints: Brainstorm on above matter
When you do a malloc, it gives you a pointer to a block of memory in the heap
char *p=malloc(2048) – Virtual memory allocated 2048
strcpy(p,”123”) – Although only 3 bytes are used, the memory still allocates 2048 bytes of physical memory for it.
free(p) – Through the virtual address, find the physical page corresponding to it, release the physical page, and release the linear region.use this heap overflow to overwrite the header of a free malloc chunk.

c. use this heap overflow to overwrite the header of a free malloc chunk.

d. allocate this enlarged malloc chunk, and use it to overwrite large parts of the heap (the already-allocated malloc chunks) with arbitrary data:

e. Overwrite the “id” string: (by overwriting “id” with “/../../../../../../../../etc/passwd”)

Official announcement:

Download and build a fixed version:

    Tarballs: https://ftp.exim.org/pub/exim/exim4/
    Git:      https://github.com/Exim/exim.git
              - tag    exim-4.92.2
              - branch exim-4.92.2+fixes