CVE-2022-30165 – Windows Kerberos Elevation of Privilege Vulnerability (16th June 2022)

Preface: The May 2022 Security Updates from Microsoft introduce a new Object Identifier (OID) in newly issued certificates to identify the user more strongly. This is done by embedding the user’s objectSid (SID) in the new szOID_NTDS_CA_SECURITY_EXT (1.3.6.1.4.1.311.25.2) extension. Certificate templates with the new CT_FLAG_NO_SECURITY_EXTENSION (0x80000) flag set in the msPKI-Enrollment-Flag attribute will not embed the szOID_NTDS_CA_SECURITY_EXT extension, so those templates may still carry the design weakness.

Background: Since Windows 2000, Microsoft has used the Kerberos protocol as the default authentication method in Windows, and it is an integral part of the Windows Active Directory (AD) service. However, Kerberos authentication still carries risks associated with the older NTLM protocol.
Beginning with Windows Server 2016, KDCs support a form of public key mapping. If a public key is provisioned for an account, the KDC supports Kerberos PKINIT explicitly using that key. Since there is no certificate validation, self-signed certificates are supported and authentication mechanism assurance is not supported.

*PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa.

Vulnerability details: Microsoft Windows Kerberos could allow a remote authenticated attacker to gain elevated privileges on the system.

By default, domain users can enroll in the User certificate template, and domain computers can enroll in the Machine certificate template. Both certificate templates allow for client authentication. This means that the issued certificate can be used for authentication against the KDC via the PKINIT Kerberos extension.

When the certificate is used for authentication, the KDC tries to map the UPN in the certificate to a user. However, computer accounts do not have a UPN, so the Machine template instead specifies SubjectAltRequireDns (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS) and the account’s dNSHostName is used.
In the unpatched design, a low-privileged authorized user had the “Validated write to DNS host name” permission.
If that user changes the dNSHostName value of a computer account from its own name to another (comparable to changing a UPN to another user’s UPN), the servicePrincipalName values of the low-privileged account are updated to reflect the new dNSHostName value.
Because any servicePrincipalName update must stay consistent with the dNSHostName property, an attacker using a low-privileged account first deletes the servicePrincipalName values that contain the dNSHostName, then sets the dNSHostName of that account to the name of a domain controller (example: DC.xxx.local). This triggers the privilege escalation.
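From the defender’s side, the sequence above leaves a trail in the directory change audit. The following detection logic is an added example, not part of the original post: it runs over a constructed, simplified rendering of Windows Security event 5136 (directory service object modified) records and flags dNSHostName writes that point a computer account at a domain controller or at a name that does not match the account; the account names, DNs and DC list are hypothetical.

```python
"""Flag suspicious dNSHostName changes on computer accounts.

Added example, not part of the original post. The records are a simplified,
constructed rendering of Windows Security event 5136 (directory service object
modified); account names, DNs and the DC list are hypothetical.
"""
from typing import Dict, List, Optional, Tuple

# Constructed: the domain's known domain controller host names, lower-cased.
DC_HOSTS = {"dc.xxx.local"}

# Constructed sample events: WS01 legitimately re-registers its own name;
# then WS02's SPN containing its dNSHostName is deleted (the preparatory
# step, logged but not alerted on here) and its dNSHostName is pointed at
# the domain controller.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "5136", "ObjectDN": "CN=WS01,CN=Computers,DC=xxx,DC=local",
     "SubjectUserName": "WS01$", "AttributeLDAPDisplayName": "dNSHostName",
     "AttributeValue": "ws01.xxx.local", "OperationType": "Value Added"},
    {"EventID": "5136", "ObjectDN": "CN=WS02,CN=Computers,DC=xxx,DC=local",
     "SubjectUserName": "lowpriv", "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "HOST/ws02.xxx.local", "OperationType": "Value Deleted"},
    {"EventID": "5136", "ObjectDN": "CN=WS02,CN=Computers,DC=xxx,DC=local",
     "SubjectUserName": "lowpriv", "AttributeLDAPDisplayName": "dNSHostName",
     "AttributeValue": "DC.xxx.local", "OperationType": "Value Added"},
]


def account_name_from_dn(dn: str) -> str:
    """Return the leading CN of a distinguished name, lower-cased."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"unexpected leading RDN in {dn!r}")
    return value.strip().lower()


def is_suspicious(ev: Dict[str, str]) -> Optional[str]:
    """Reason string when a dNSHostName write looks like the abuse above, else None."""
    if ev.get("EventID") != "5136" or ev.get("OperationType") != "Value Added":
        return None
    if ev.get("AttributeLDAPDisplayName", "").lower() != "dnshostname":
        return None
    new_value = ev["AttributeValue"].lower()
    if new_value in DC_HOSTS:
        return "dNSHostName set to a domain controller name"
    if new_value.split(".", 1)[0] != account_name_from_dn(ev["ObjectDN"]):
        return "dNSHostName does not match the computer account name"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (ObjectDN, SubjectUserName, reason) for every suspicious event."""
    alerts = []
    for ev in events:
        reason = is_suspicious(ev)
        if reason:
            alerts.append((ev["ObjectDN"], ev["SubjectUserName"], reason))
    return alerts


if __name__ == "__main__":
    for dn, who, why in scan(EVENTS):
        print(f"ALERT {dn} changed by {who}: {why}")
```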

The vendor did not announce the details; however, I believe the Kerberos design weakness shown in this vulnerability was patched as part of the May 2022 Security Updates from Microsoft.

Remedy: https://support.microsoft.com/en-us/topic/june-14-2022-kb5014702-os-build-14393-5192-e60ac0e1-44a4-49f9-871f-7c25eb0e5bb1

About SAP ASE – CVE-2022-31594 (14th June 2022)

Preface: SAP Adaptive Server Enterprise (SAP ASE) was originally designed for Unix platforms in 1987 under the name Sybase SQL Server; it was renamed Sybase ASE, then renamed again when SAP bought Sybase. It is often used for online transaction management on premises and in the cloud.

Background: The new SAP Adaptive Server Platform Edition (ASPE) is a packaged database solution consisting of SAP ASE, SAP IQ, and SAP Replication Server.
SAP ASPE licenses the SAP ASE, IQ, and Replication Server components of the suite in whatever form you want, and you can choose within your license: users can reconfigure their licenses at any time, in any combination, at no additional cost. This is intended to let customers select an appropriate IT solution in a rapidly changing business processing environment. From mission-critical OLTP and business support to data warehousing (DW) and business analysis applications, disaster recovery (DR), load balancing and data replication are supported.

Vulnerability details: A highly privileged user can exploit a SUID-root program to escalate their privileges to root on a local Unix system.

The supplier did not describe the details, but the following situation would be one way to trigger this design weakness.
SAP ASE may reuse the server user ID (suid) of a dropped login account when the next login account is created. This occurs only when the dropped login holds the highest suid in syslogins; however, it can compromise accountability if execution of drop login is not being audited. Also, it is possible for a user with the reused suid to access database objects that were authorized for the old suid.

Solution (preventive control): If the above details match the technical issue of the subject, then according to SAP ASE security practices the following restrictions apply.

You cannot drop a login when:
● The user is in any database.
● The login is the last remaining user who holds the system security officer or system administrator roles.
The system security officer can lock or drop a login using sp_locklogin or drop login. If the system procedure is being logged for replication, the system security officer must be in the master database when issuing the command.

Official announcement: SAP Patch Day Blog – https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVE-2022-28217 Design weakness of SAP NetWeaver (EP Web Page Composer) 13th June 2022

Preface: An XML External Entity (XXE) attack is a type of attack against an application that parses XML input. SSRF, in turn, is an attack in which an attacker can force a vulnerable server to send malicious requests to third-party servers and/or to internal resources.

Background: SAP Enterprise Portal is the Web front-end component for SAP NetWeaver – the comprehensive integration and application platform that facilitates the alignment of people, information, and business processes across organizational and technical boundaries.
Enterprise Portal (EP) provides users with a single, uniform point of access to the applications, services, and information they need for their daily work. Moreover, the Portal offers business users the features to easily create and manage portal pages and generate their own content using the following capabilities:
● KM and Web Content Capabilities
EP provides basic document management capabilities and content services within SAP Enterprise Portal (KM). KM provides the basic capabilities that customers need to run their scenarios, as well as an extension framework for custom implementations.
These KM capabilities are also integrated into the Web Page Composer environment to enable flexible Web content management scenarios, bringing relevant information from user-generated content and business applications together in the portal.

Vulnerability details: Missing XML Validation vulnerability in SAP NW EP WPC. Product – SAP NetWeaver (EP Web Page Composer), Versions – 7.20, 7.30, 7.31, 7.40, 7.50.

Some parts of SAP NetWeaver (EP Web Page Composer) do not sufficiently validate an XML document accepted from an untrusted source. This allows an adversary to exploit unprotected XML parsing at endpoints, with the possibility of conducting SSRF attacks that could compromise the system’s availability by causing it to crash.

One of the possibilities (an insider-threat scenario): to turn the XXE into an SSRF, the attacker defines an external entity that points at the URL they want to reach and uses that entity in a data value the application echoes back in its response. The response from the URL can then be read in the application’s response.
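The missing control here is validation of the XML before it reaches the parser. The following is an added example, not SAP’s code or the original post’s: an endpoint-side check that refuses any untrusted document declaring a DTD or entity, followed by a parse with external entity resolution disabled as a second line of defence. The XXE document is a constructed test fixture and http://internal.example/ is a placeholder that is never fetched, because the document is rejected before parsing.

```python
"""Reject untrusted XML that declares a DTD or entities, then parse with externals off.

Added example, not SAP's code or the original post's. The XXE document is a
constructed test fixture; http://internal.example/ is a placeholder that is
never fetched because the document is rejected before parsing.
"""
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Any DTD or entity declaration is grounds for rejection at the endpoint:
# a document from an untrusted source has no legitimate need for either.
DECLARATION_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class XmlRejected(ValueError):
    """Raised when the pre-parse validation refuses a document."""


def validate_untrusted_xml(data: bytes) -> None:
    match = DECLARATION_RE.search(data)
    if match:
        raise XmlRejected(f"declaration {match.group(0)!r} at offset {match.start()}")


class TextCollector(ContentHandler):
    def __init__(self) -> None:
        super().__init__()
        self.chunks = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)


def parse_untrusted_xml(data: bytes) -> str:
    """Validate, then parse with external entity resolution disabled; return text."""
    validate_untrusted_xml(data)
    parser = xml.sax.make_parser()
    # Second line of defence in case the pre-check is ever bypassed or removed:
    # the parser itself will not resolve external general or parameter entities.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.chunks)


# Constructed inputs: a benign page fragment and an XXE payload aimed at an
# internal URL (placeholder host), the pattern behind the SSRF described above.
BENIGN_DOC = b"<page><title>Welcome</title></page>"
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE page [<!ENTITY ext SYSTEM "http://internal.example/status">]>'
           b"<page><title>&ext;</title></page>")


def demo() -> dict:
    results = {}
    for name, doc in (("benign", BENIGN_DOC), ("xxe", XXE_DOC)):
        try:
            results[name] = parse_untrusted_xml(doc)
        except XmlRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```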

Official announcement: https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Timeline:
03/30/2022 CVE reserved
06/13/2022 +75 days Advisory disclosed

CVE-2022-25845: About fastjson (security advisory) – 11th June 2022

Preface: Vulnerability management is part of the security development life cycle. You may well be concerned about vulnerabilities; in fact, it is hard for computer products (software and hardware) to avoid design flaws entirely. This is the reality.

Background: Fastjson is Alibaba’s open source JSON parsing library, based on the Java language, which supports the conversion between JSON-formatted strings and JavaBeans. It uses an “assumed ordered fast matching” algorithm to maximize the performance of JSON Parse. Furthermore, fastjson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object.

Fastjson does not use Java’s native serialization mechanism for serialization and deserialization; it implements its own proprietary mechanism.

Because the interface is simple and easy to use, it has been widely used in various application scenarios such as cache serialization, protocol interaction, and web output.

Vulnerability details: The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows an attacker to attack remote servers.

Workaround: If upgrading is not possible, you can enable [safeMode] – https://github.com/alibaba/fastjson/wiki/fastjson_safemode

Official announcement: Autotype bug fix, please refer to the link – https://github.com/alibaba/fastjson/commit/8f3410f81cbd437f7c459f8868445d50ad301f15

CVE-2022-31045: ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing. 9th June 2022

Preface: It is hard to speculate what this technique (ill-formed headers) is. Perhaps the method that Google experts used before, described below, applies.

Background: Istio enables organizations to secure, connect, and monitor microservices, so they can modernize their enterprise apps more swiftly and securely. Istio manages traffic flows between services, enforces access policies, and aggregates telemetry data, all without requiring changes to application code.

How does a service mesh work?
Web services typically exchange data directly through APIs.
A service mesh architecture layer decouples communications from the application logic and uses a proxy or sidecar to manage communication between services and control plane.

Vulnerability details: Ill-formed headers sent to Envoy in certain configurations can lead to unexpected memory access resulting in undefined behavior or crashing.

Reference: The method that Google experts used before sent multiple large requests, with the techniques shown below:

  • Have multiple requests, each with allocations that are ≈8kb.
  • Sending large bodies in the request that are ≈8kb.
  • We also had prior knowledge that Envoy’s HeaderMapImpl would malloc buffers to fit request header values, so using large headers could also force such allocations.

They populated the method header with ASCII A (0x41) and the data payload with ASCII B (0x42), set a breakpoint on the firing ASSERT, and inspected the memory contents under gdb.

Remedy: This vulnerability has been resolved in versions 1.12.8, 1.13.5, and 1.14.1.

Workarounds: Users are advised to upgrade. There are no known workarounds for this issue.

Das U-Boot 2022.01 buffer overflow (8th June 2022)

Preface: It is not uncommon for a cyber attack to rewrite the bootloader; malicious code placed in the bootloader is executed after a restart. The code then hijacks the Linux boot process in memory and downloads and executes malware with root privileges. Finally, the downloaded program attacks other devices through password scanning or remote code execution vulnerabilities.
The above scenario is capable of infecting various types of IoT devices, including ARM and MIPS architectures, where the victim device uses U-Boot[1] as the bootloader and Linux as the operating system.

Background: Das U-Boot (normally shortened to U-Boot) is a universal bootloader designed for use with a variety of embedded devices. It is commonly used in IoT devices to manage booting into the main operating system. The U-Boot bootloader lets you update the firmware of your device over Ethernet: it uses the TFTP protocol to fetch firmware images from a TFTP server running on your computer and programs them onto the device’s eMMC.

Vulnerability details: Hole Descriptor Overwrite in U-Boot IP Packet Defragmentation Leads to Arbitrary Out of Bounds Write Primitive (CVE-2022-30790).

Impact: The U-Boot implementation of RFC815 IP DATAGRAM REASSEMBLY ALGORITHMS is susceptible to a Hole Descriptor overwrite attack which ultimately leads to an arbitrary write primitive.
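RFC 815 tracks the not-yet-received parts of a datagram as a list of hole descriptors and trims or splits them as fragments arrive; the algorithm itself says nothing about checking that a fragment actually fits the reassembly buffer, which is exactly where bounds checks must be added. The following is an added example, not U-Boot’s code: the hole-descriptor algorithm in Python with explicit checks that reject fragments falling outside a fixed buffer or past the announced end of the datagram. MAX_DATAGRAM and the fragment tuples are constructed.

```python
"""RFC 815 hole-descriptor reassembly with the bounds checks a safe implementation needs.

Added example, not U-Boot's code. Fragments are constructed (offset, payload,
more_fragments) tuples; MAX_DATAGRAM is an assumed fixed reassembly buffer size.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_DATAGRAM = 4096  # assumed: size of the fixed buffer an embedded IP stack reassembles into


class BadFragment(ValueError):
    """Fragment rejected before it can touch the buffer or the hole list."""


@dataclass
class Reassembler:
    # Hole descriptors as inclusive (first, last) byte ranges; one hole covering
    # the whole buffer to start with (RFC 815 step 1).
    holes: List[Tuple[int, int]] = field(default_factory=lambda: [(0, MAX_DATAGRAM - 1)])
    buf: bytearray = field(default_factory=lambda: bytearray(MAX_DATAGRAM))
    total_len: Optional[int] = None  # known once the fragment without MF arrives

    def add(self, offset: int, payload: bytes, more_fragments: bool) -> Optional[bytes]:
        """Process one fragment; return the datagram when no holes remain."""
        first, last = offset, offset + len(payload) - 1
        # Checks the textbook algorithm leaves to the caller: the fragment must
        # fit inside the buffer, and nothing may extend past the announced end.
        if len(payload) == 0 or offset < 0 or last >= MAX_DATAGRAM:
            raise BadFragment(f"fragment {first}..{last} outside {MAX_DATAGRAM}-byte buffer")
        if self.total_len is not None and last >= self.total_len:
            raise BadFragment(f"fragment {first}..{last} beyond datagram end {self.total_len}")
        if not more_fragments:
            if self.total_len is not None and self.total_len != last + 1:
                raise BadFragment("conflicting final fragments")
            self.total_len = last + 1

        new_holes: List[Tuple[int, int]] = []
        for h_first, h_last in self.holes:
            if first > h_last or last < h_first:      # steps 2-3: no overlap, keep hole
                new_holes.append((h_first, h_last))
                continue
            if first > h_first:                       # step 5: hole before the fragment
                new_holes.append((h_first, first - 1))
            if last < h_last and more_fragments:      # step 6: hole after, unless final
                new_holes.append((last + 1, h_last))
        self.holes = new_holes
        self.buf[first:last + 1] = payload

        # Step 8: complete once no holes remain and the end is known.
        if not self.holes and self.total_len is not None:
            return bytes(self.buf[:self.total_len])
        return None


def reassemble(fragments: List[Tuple[int, bytes, bool]]) -> Optional[bytes]:
    """Feed constructed fragments in the given order; None if still incomplete."""
    r = Reassembler()
    result = None
    for offset, payload, more in fragments:
        result = r.add(offset, payload, more)
    return result


if __name__ == "__main__":
    # Out-of-order delivery: the final fragment first, then the head.
    print(reassemble([(8, b"B" * 8, False), (0, b"A" * 8, True)]))
```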

Remedy: This bug was disclosed to U-Boot support team and will be fixed in an upcoming patch. Update to the latest master branch version once the fix has been committed.

For more information on this vulnerability, see the following link: https://research.nccgroup.com/2022/06/03/technical-advisory-multiple-vulnerabilities-in-u-boot-cve-2022-30790-cve-2022-30552/

SAMSUNG Mobile Security JUN-2022 Updates – 7th June 2022

Preface: According to the information provided by the supplier, this vulnerability was reported on April 5, 2022, but we didn’t see that record until this month.

Background: Samsung Kies is the official tool from Samsung for Android devices. Using Samsung Kies, you can view apps in full screen on your Windows PC, no matter what network you’re on. You can personalise services too, simply by becoming a Samsung Apps member or registering your mobile phone. If transferring data from a Samsung device to a PC is your main intention, Samsung Kies is a good choice.
Additional reference: The new version of Smart Switch lets you move data from your old device to your new Galaxy device quickly and easily.

Vulnerability details: A DLL hijacking vulnerability in KiesWrapper in Samsung Kies prior to version 2.6.4.22043_1 allows an attacker to execute arbitrary code. The patch changes the program to load the default DLL in Windows. Since the vendor hasn’t released details yet, our speculation is based on the app design.

According to my observations, the following details may be related to such vulnerabilities, but I think MSCOREE[.]dll will be closely related to this.

“C:\Program Files (x86)\Samsung\Kies\KiesAgent[.]exe”
USER32[.]DLL
SHELL32[.]DLL
ADVAPI32[.]DLL
KERNEL32[.]DLL

“C:\Program Files (x86)\Samsung\Kies\Kies[.]exe”
MSCOREE[.]DLL

So it is possible for a cyber criminal to exploit this design weakness by reflective code loading.

About reflective code loading: Reflective code injection is very similar to process injection, except that the “injection” loads code into the process’s own memory instead of that of a separate process. Reflective loading may evade process-based detections, since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.

Remedy: Install version 2.6.4.22043_1

For details, please refer to the official announcement – https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=6

The developer has fixed the vulnerability before an attacker could exploit it (6th June 2022)

Preface: Packet filtering is divided into two categories:

  • Stateless (packet filtering) – the polar opposite of stateful
  • Stateful (packet filtering)

Stateless packet filtering, also known as an access control list (ACL), does not store information on the connection state. Stateless ACLs apply to the network and physical layers, and sometimes to the transport layer to find out the source and destination port numbers. When the sender sends a packet and it passes through a filter, the device checks for matches against any of the ACL rules configured in the filter and then drops or rejects the packet accordingly.

Background: Netfilter is an infrastructure; it is the basic API that the Linux 2.4 kernel offers for applications that want to view and manipulate network packets. Netfilter offers various functions and operations for packet filtering, network address translation, and port translation.

Vulnerability details: A use-after-free vulnerability was found in the Linux kernel’s Netfilter subsystem in net/netfilter/nf_tables_api[.]c. This flaw allows a local attacker with user access to cause a privilege escalation.
Remark: nft_expr_init() calls expr->ops->init() first, then checks for NFT_STATEFUL_EXPR; this still allows a non-stateful lookup expression that points to a set to be initialized, which might lead to a UAF since the set is not properly detached from set->binding in this case. The specific debugging method is shown in the attached drawing.

Red Hat Bugzilla – Bug 2092427
Bug 2092427 (CVE-2022-1966) – CVE-2022-1966 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root
Please refer to the link for details – https://bugzilla.redhat.com/show_bug.cgi?id=2092427

CVE-2022-32296: The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used. (5th June 2022)

Preface: The move of the TCP hashtable functions and structs to inet_hashtables.[ch] happened 17 years ago.
On April 27, 2022, an unpublished paper reported that clients can be accurately identified by forcing them to issue 40 times more connections than the number of entries in the table_perturb[] table, which is indexed by a hash of the connection tuple.
The current 2^8 setup allows them to perform this attack using only 10k connections, which is not hard to do in seconds.

Background: TCP dynamically allocates the perturb table used for source port selection. The kernel keeps INET sockets in a hash table so that lookups are reasonably fast.

The vulnerability will be triggered under the circumstances below.
Stochastic Fair Queuing: This queuing mechanism is based on the fair queuing algorithm proposed by John Nagle in 1987. Because it is impractical to have one queue for each conversation, SFQ uses a hashing algorithm that divides the traffic over a limited number of queues. It is not as efficient as other queuing mechanisms, but it requires less calculation while being almost perfectly fair. It is called “stochastic” because it does not actually assign a queue to every session; its algorithm divides traffic over a restricted number of queues using a hash. SFQ allocates a fairly large number of FIFO queues.

Ref: Stochastic Fairness Queueing is a classless queueing discipline available for traffic control with the tc(8) command. Example: man sfq

Vulnerability details: The Linux kernel before 5.17.9 allows TCP servers to identify clients by observing what source ports are used.

RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm
tcp: dynamically allocate the perturb table used by source ports. Note that we use 32-bit integers (vs the RFC’s ‘short integers’) because 2^16 is not a multiple of num_ephemeral and this property might be used by a clever attacker.
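To see why the size of table_perturb[] matters, the following added example (not the kernel’s code) implements RFC 6056 Algorithm 4 as written in the RFC: F() gives a per-destination offset, G() picks a perturb counter, and each connection advances that counter by one, so consecutive connections to one destination get consecutive ports and destinations whose G() values collide share a counter. Keyed BLAKE2b stands in for the two hash functions; the secrets, addresses and destination list are constructed, and the example lets the table size be varied, which is the knob the remedy below turns.

```python
"""RFC 6056 Algorithm 4 (double-hash port selection) with a configurable perturb table.

Added example, not the kernel's code. Keyed BLAKE2b stands in for the two hash
functions F and G; the secrets, addresses and destinations are constructed.
"""
import hashlib
from typing import Iterable, Set, Tuple

MIN_EPHEMERAL, MAX_EPHEMERAL = 32768, 60999        # Linux default ip_local_port_range
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1

Dest = Tuple[str, str, int]  # (local_ip, remote_ip, remote_port)


def keyed_hash(key: bytes, dest: Dest) -> int:
    data = f"{dest[0]}|{dest[1]}|{dest[2]}".encode()
    return int.from_bytes(hashlib.blake2b(data, key=key, digest_size=4).digest(), "big")


class PortSelector:
    def __init__(self, table_bits: int, secret1: bytes, secret2: bytes) -> None:
        self.table = [0] * (1 << table_bits)       # table_perturb[] counters
        self.mask = (1 << table_bits) - 1
        self.secret1, self.secret2 = secret1, secret2
        self.in_use: Set[Tuple[int, str, int]] = set()

    def index_for(self, dest: Dest) -> int:
        """G(): which perturb counter this destination uses (shared on collision)."""
        return keyed_hash(self.secret2, dest) & self.mask

    def next_port(self, dest: Dest) -> int:
        offset = keyed_hash(self.secret1, dest)    # F(): fixed per destination
        index = self.index_for(dest)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (offset + self.table[index]) % NUM_EPHEMERAL
            self.table[index] += 1                 # the counter observable via port deltas
            key = (port, dest[1], dest[2])
            if key not in self.in_use:             # check_suitable_port()
                self.in_use.add(key)
                return port
        raise RuntimeError("ephemeral port range exhausted")


def shared_counters(selector: PortSelector, dests: Iterable[Dest]) -> int:
    """How many destinations land on a counter already used by another destination."""
    seen: Set[int] = set()
    collisions = 0
    for dest in dests:
        idx = selector.index_for(dest)
        collisions += int(idx in seen)
        seen.add(idx)
    return collisions


# Constructed destinations: one client talking to 17 distinct servers.
DESTS = [("10.0.0.5", f"203.0.113.{i}", 443) for i in range(1, 18)]

if __name__ == "__main__":
    small = PortSelector(table_bits=4, secret1=b"k1", secret2=b"k2")
    large = PortSelector(table_bits=16, secret1=b"k1", secret2=b"k2")
    print("shared counters, 2^4 table :", shared_counters(small, DESTS))
    print("shared counters, 2^16 table:", shared_counters(large, DESTS))
    p1, p2 = small.next_port(DESTS[0]), small.next_port(DESTS[0])
    print("same destination, consecutive ports:", p1, p2)
```

With 17 destinations and a 2^4 table at least one counter is necessarily shared; a larger table makes sharing rarer, which is why a larger table needs proportionally more observed connections to recover the counter state.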

Remedy: The solution is increasing the perturb table from 2^8 to 2^16 so that the same precision now requires 2.6M connections, which is more difficult in this time frame and harder to hide as a background activity. The impact is that the table now uses 256 kB instead of 1 kB, which could mostly affect devices making frequent outgoing connections. However such components usually target a small set of destinations (load balancers, database clients, perf assessment tools), and in practice only a few entries will be visited. Please refer to the link for details – https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5

My point of view for CVE-2022-30127 (2nd June 2022)

Preface: The official release for the vulnerability did not elaborate, so we don’t know what happened. Perhaps speculation can help: even if you can’t figure out the root cause, it will let you know more about your Edge browser.

Background: The new Microsoft Edge is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows and macOS.
The Chromium engine is used for Microsoft Edge Chromium. Its features are not yet stable, as they keep changing, and it offers many types of user interface. From the customer’s point of view, Microsoft Edge is still developing to this day.

Microsoft, in true maverick fashion, built its Edge browser with its own EdgeHTML browser engine and Chakra JavaScript engine. With the Edge 79 release, Microsoft is switching to the Blink browser engine with the V8 JavaScript engine.

According to the Stable Channel Update for Desktop issued on Tuesday, April 26, 2022, a type confusion vulnerability was found in the V8 JavaScript engine.

Vulnerability details: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-30128.

Based on the attached diagram and the above details, I speculate that CVE-2022-30127 is related to a JavaScript engine design flaw. The technical problem that occurs will be a type confusion vulnerability.

Type confusion can be very dangerous because a type is expressed as a layout of memory in the lower level implementation of application software itself. Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution and Elevation of Privilege.

Official announcement: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30127