
CVE-2019-17554 Apache Olingo OData 4.0 XML External Entity Injection – 4th Dec 2019

Preface: When you are all sitting in the same boat, the risk at the moment of the event is shared equally.

Background: The Open Data Protocol (OData) is an open protocol that allows the creation and consumption of queryable and interoperable RESTful APIs in a standard way. Apache Olingo is a Java library that implements OData. In SAP HANA database environments, many business application systems work with Apache Olingo.

Vulnerability details: The XML content-type entity deserializer is not configured to deny the resolution of external entities. Requests with content type “application/xml”, which trigger the deserialization of entities, can be used to mount XXE attacks.
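As an added example (not Apache Olingo's own code), the following Python shows the two checks a defender can place in front of an XML entity deserializer of this kind: a content-type-aware pre-screen that flags bodies declaring external entities, and a parse step that refuses any DOCTYPE, since an OData entity body never needs one. The content types, namespaces and sample bodies are my assumptions based on the OData 4 Atom format, not taken from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Content types under which an OData XML entity body gets deserialised.
XML_CONTENT_TYPES = ("application/xml", "application/atom+xml", "text/xml")

# An entity declaration with an external identifier (SYSTEM or PUBLIC) is the
# construct an XXE payload depends on; the optional '%' covers parameter
# entities (the out-of-band variant).
_EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def classify_body(content_type: str, body: bytes) -> str:
    """'skip' (not XML, deserialiser not reached), 'ok', 'dtd' (DOCTYPE with
    only internal entities) or 'xxe' (external entity declaration present)."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in XML_CONTENT_TYPES:
        return "skip"
    if _EXTERNAL_ENTITY.search(body):
        return "xxe"
    if _DOCTYPE.search(body):
        return "dtd"
    return "ok"


def parse_entity(body: bytes) -> ET.Element:
    """Parse an OData entity body, refusing every DOCTYPE outright; this is
    the effect that 'deny external entity resolution' is meant to achieve."""
    if _DOCTYPE.search(body):
        raise ValueError("DOCTYPE is not allowed in OData request bodies")
    return ET.fromstring(body)


def property_names(body: bytes) -> list:
    """Names of the d:* properties in an entity body, parsed safely."""
    ns = "{http://docs.oasis-open.org/odata/ns/data}"
    return [e.tag[len(ns):] for e in parse_entity(body).iter()
            if e.tag.startswith(ns)]


# Constructed sample bodies in the shape of an OData 4 Atom entry.
BENIGN = (b'<?xml version="1.0"?><entry xmlns="http://www.w3.org/2005/Atom"'
          b' xmlns:m="http://docs.oasis-open.org/odata/ns/metadata"'
          b' xmlns:d="http://docs.oasis-open.org/odata/ns/data">'
          b'<content type="application/xml"><m:properties>'
          b'<d:Name>Widget</d:Name></m:properties></content></entry>')
# Detection test vector: the textbook external-entity DOCTYPE.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE entry [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
       b'<entry xmlns="http://www.w3.org/2005/Atom"><title>&ext;</title></entry>')
```

Running `classify_body("application/xml", XXE)` yields `"xxe"`, while the same body under `application/json` is `"skip"` because that content type never reaches the XML deserializer.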

For the security advisory published by Symantec, please refer to this link: https://www.symantec.com/security-center/vulnerabilities/writeup/111101?om_rssid=sr-advisories

Intel CPUs are charming! But I hate their design defects – 11th Dec 2019

Preface: When Meltdown and Spectre were discovered, the tech community questioned chip security.

Security Focus: A new class of unprivileged speculative-execution attacks leaks arbitrary data across address spaces and privilege boundaries (e.g., process, kernel, SGX, and even CPU-internal operations). Which one is it?

It is a side-channel attack targeting Intel chips, which lets an attacker exploit a design flaw rather than inject malicious code. For instance, an attacker can use WebAssembly in both Firefox and Chrome to generate the machine code needed to perform this attack. If you are interested in learning more, please refer to the attached picture.

Intel has released security updates to address the vulnerability in multiple products. The official announcement can be found at this link – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00317.html

HP urges customers to act on it as soon as possible. The “HP Security Update” can be found at this link – https://support.hp.com/us-en/document/c06502052

A critical moment for a defense mechanism

Preface: Sometimes, while designing software, you have a requirement to hold some data (for reprocessing at a later stage) for some duration. Some software does this in the memory of the running process, while other software creates a temporary file for the purpose.

Technical background: Trend Micro's original design transforms the suspicious data and writes it to a temporary file for a short duration. The quarantine method strips off the first 4096 bytes or so, replaces them with spaces, converts the rest to lowercase and writes the result to the temp file. This has the advantage that execution of the malicious data is reliably prevented, and the isolation is better than keeping it in memory.

Vulnerability details: When TMDS examines JavaScript, it writes snippets of it to a temporary file, which is locked and then deleted almost immediately. But the names of the temp files are sometimes reused. The proof of concept showed that a reused file name can be redirected to another file via a symbolic link.
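As an added example (not Trend Micro's code), the Python below reproduces the quarantine transform described above and pairs it with the temp-file discipline that the reused-name bug lacked: exclusive creation of a freshly generated name, so an existing entry or a planted symbolic link at that name makes the open fail instead of being followed. The 4096-byte prefix comes from the description; the file prefix, sample snippet and function names are my own.

```python
import os
import tempfile

QUARANTINE_PREFIX = 4096  # "the first 4096 bytes or so" in the description


def neutralise(snippet: bytes) -> bytes:
    """Quarantine transform: blank the first 4096 bytes with spaces and
    lowercase the remainder, so the stored copy cannot run as a script."""
    head = b" " * min(len(snippet), QUARANTINE_PREFIX)
    return head + snippet[QUARANTINE_PREFIX:].lower()


def open_exclusive(path: str) -> int:
    """Create `path` for writing only if nothing exists at that name yet.

    O_EXCL fails when the name is already taken, and O_NOFOLLOW (where the
    platform has it) refuses to follow a symbolic link planted there. A plain
    open(path, "wb") on a reused name would follow the link and overwrite
    whatever it points to, which is the failure the proof of concept used."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def write_quarantined(snippet: bytes, directory: str) -> str:
    """Write the neutralised snippet under a fresh random name.

    tempfile.mkstemp applies the same O_EXCL discipline and never hands back
    a name that is currently in use, so names are not reused predictably."""
    fd, path = tempfile.mkstemp(prefix="tm-", suffix=".tmp", dir=directory)
    try:
        os.write(fd, neutralise(snippet))
    finally:
        os.close(fd)
    return path


def reuse_is_refused(path: str) -> bool:
    """True if a second exclusive open of an existing name fails, i.e. a
    stale or attacker-controlled entry at that name cannot be reused."""
    try:
        os.close(open_exclusive(path))
        return False
    except FileExistsError:
        return True


def demo(sample: bytes):
    """Round trip: store the sample, read back what was written, and check
    that the name cannot be grabbed a second time."""
    with tempfile.TemporaryDirectory() as d:
        path = write_quarantined(sample, d)
        with open(path, "rb") as fh:
            stored = fh.read()
        return stored, reuse_is_refused(path)
```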

For the official announcement, please refer to this link: https://success.trendmicro.com/solution/000149495

Critical bug impacting VMware's ESXi hypervisor and Horizon DaaS desktop-as-a-service products – 5th Dec 2019

Preface: Patching is a routine job for a cloud services provider. The job is similar to bathing your puppy.

Background: There are five virtual appliances (OVA) used for Horizon DaaS: Service Provider, Tenant, Desktop Manager, Resource Manager and Access Point.

Vulnerability details: An unauthorized user with network access to port 427 on an ESXi host or on any Horizon DaaS management appliance may be able to overwrite the heap of the OpenSLP service, resulting in remote code execution. Our speculation about the vulnerability details is shown in the attached diagram. You can disable this service in minutes; guidance for doing so on ESXi and Horizon DaaS has also been published. For details, see the URL below: https://www.vmware.com/security/advisories/VMSA-2019-0022.html

Microsoft Releases Security Advisory for Windows Hello for Business – 3rd Dec 2019

How does Windows Hello for Business work? It lets Windows 10 users whose devices have fingerprint readers or special cameras log into Windows via fingerprint or facial recognition.

Use cases: Client systems joined to Kerberos-based domains such as Active Directory (AD) can use Windows Hello for Business authentication in place of password-based authentication and still get full single sign-on (SSO) access to the domain's resources.

Vulnerability details: Because of this design vulnerability, an authenticated attacker could obtain orphaned keys created on TPMs. The attacker could then impersonate a user by using the stolen private key to authenticate as that user within the domain via Public Key Cryptography for Initial Authentication (PKINIT).

Remark: PKINIT provides a method to use Kerberos for authentication and obtain a Kerberos Ticket Granting Ticket (TGT) during authentication, so that network resources can be accessed with Kerberos/GSSAPI.

Official details: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190026

Quite a lot of people are talking about IoT security today. Even Apple has a headache!

Background: XPC is a form of iOS IPC. Through XPC, an app can communicate with certain system services. mediaserverd (/usr/sbin/mediaserverd) is a daemon launched by the root process launchd; its description file is com.apple.mediaserverd.plist, stored in the /System/Library/LaunchDaemon directory. When the system starts, launchd scans all plist files under this directory and starts each background process separately; these more than 50 background processes are probably the real reason for the pseudo-background behaviour of iOS. Decoding audio and video involves operating hardware, so mediaserverd contains a large amount of code that calls into the driver layer. Through XPC, overflow attacks can be contained and system stability improved: because the XPC interface is cross-process, it is harder for an overflow attack to forge data.

Synopsis: mediaserverd has various media-parsing responsibilities, is reachable from various sandboxes and is able to talk to kernel drivers. Perhaps an attacker can find a valid trigger point here.

Status – Even iOS 13.1.3 on the iPhone XR is vulnerable. For more details, please refer to the diagram.

Suspicion: a domain whitelist that accepts “WILDCARD” domains lets a third party take over Azure user accounts.

Preface: The OAuth 2.0 Authorization Framework (RFC 6749, October 2012)

Technical background: In the traditional client-server architecture, when the Client wants to fetch protected resources (Protected Resource), it must present the account and password of the user (Resource Owner) to the Server. OAuth introduces an authentication layer: the Client obtains an Access Token to access Protected Resources instead of using the Resource Owner's account password. An Access Token is a string that records information about a specific scope of access, its validity period, and more.

Vulnerability details: The details of the vulnerability are shown in the attached diagram. But the root cause of this design weakness is perhaps not limited to what the CyberArk researchers discovered. Azure trusts certain third-party domains and sub-domains. Can you imagine that the problem may involve a wildcard domain included in the whitelist?

Focus: We heard that Microsoft didn't issue a CVE because the bug is located only in their online service. Strange!

Python will replace Excel in banking environments. But do not underestimate the bugs in Excel! – Nov 2019

Preface: “When you walk through the trading floor area, you can see traders writing Python code,” said the chief digital officer at Nomura.

Background: Perhaps the popularity of Excel on trading floors is a coincidence, but I believe that DDE and macro functions drove this trend in the past. The audit team found a data-handling risk in the use of Excel spreadsheets on the trading floor; the technical term for it is “Excel spreadsheet risk”. You may say that this is an old story!

Current finding on an Excel spreadsheet design weakness: Excel's query-from-file feature is vulnerable to “Error”-based XML External Entity attacks if the user chooses the “Import as Html page” functionality upon receiving errors while importing a specially crafted XML file. The above scenario can lead to unauthorized access to a remote server. Perhaps this is not an external hacker but an insider threat. This vulnerability was only just found, and its impact has not been officially confirmed yet. But we must stay alert!

Do not underestimate the CVE-2019-11932 attack. It can jeopardize the world of Android software applications!

Preface: CVE records are summarized by humans. Perhaps sometimes they have typos!

Vulnerability description: A double free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif before 1.2.15, as used in WhatsApp for Android before 2.19.244, allows remote attackers to execute arbitrary code or cause a denial of service. However, CVE-2019-11932 is a vulnerability in the android-gif-drawable library, yet the CVE text doesn't mention “android-gif-drawable”; it only mentions WhatsApp. There could be over 28,400 free Android apps that use this library.

Observation: GifDrawable implements the Animatable and MediaPlayerControl interfaces. Therefore, the impact will be greater than one would expect from the CVE record.

How do we focus on design weaknesses?

Preface: Under existing policy, flaws that require root access are not considered security issues. If we were not using the cloud computing concept, that would be acceptable. But we need cloud systems!

Security focus: A Turkish information security specialist found a design weakness in the Windows kernel. According to the vendor's bug bounty program rules, flaws that require root access are not considered security issues and are not classified as vulnerabilities. However, the whole IT world is moving toward cloud technology, and it is hard to guarantee that a similar type of vulnerability would not impact a public cloud farm. Perhaps it could even be re-engineered into a surveillance tool.

Defect details: A PoC tool proves that it can hijack the HalPrivateDispatchTable to create an early-bugcheck hook. Using this early-bugcheck hook, it collects information about the exception and basically provides a simple interface to register a high-level, system-wide exception handler. My intention is to urge Microsoft to consider this technical issue. Since it may become a zero-day, I do not display the related URL. Should you be interested in this topic, it is not difficult to do a search; you will find the details.

Reference:

The ntoskrnl.exe kernel service is responsible for handling exceptions, system call procedures, and thread scheduling in Windows.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel.

Fundamental design concepts related to this matter:

  1. RSPx is loaded whenever an interrupt causes the CPU to change its privilege level (PL) to x. In long mode the TSS also holds the Interrupt Stack Table, a table of 7 known-good stack pointers that can be used for handling interrupts.
  2. BKPT #0x3 ; Breakpoint with immediate value set to 0x3 (a debugger can extract the immediate value by locating it via the PC (program counter)).
  3. x86_64 also has a feature that is not available on i386: the ability to automatically switch to a new stack for designated events such as a double fault or NMI, which makes it easier to handle these unusual events on x86_64. This feature is called the Interrupt Stack Table (IST). There can be up to 7 IST entries per CPU. The IST code is an index into the Task State Segment (TSS). The IST entries in the TSS point to dedicated stacks; each stack can be a different size.

This topic is under our observation.