Category Archives: Application Development

Advisory on PHP Vulnerabilities – 12th Oct 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities today (refer below url):

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-113/

Perhaps PHP program version will make you frustrated. Why? The vulnerabilities addressed by MS-ISAC only for Version 7.2.11 & Version 7.1.23. However there is another fix coming soon (see below):

PHP 7.1.24

Core:

Fixed bug #76946 (Cyclic reference in generator not detected)

Date: unknown

Fixed bug #75851 (Year component overflow with date formats “c”, “o”, “r” and “y”). (Adam Saponara)

FCGI:

Fixed bug #76948 (Failed shutdown/reboot or end session in Windows).

(Anatol)

Fixed bug #76954 (apache_response_headers removes last character from header

name). (stodorovic)

FTP:

. Fixed bug #76972 (Data truncation due to forceful ssl socket shutdown).

(Manuel Mausz)

intl:

. Fixed bug #76942 (U_ARGUMENT_TYPE_MISMATCH). (anthrax at unixuser dot org)

Standard:

. Fixed bug #76965 (INI_SCANNER_RAW doesn’t strip trailing whitespace).

(Pierrick)

XML:

. Fixed bug #30875 (xml_parse_into_struct() does not resolve entities).

Should you have interested, please review above diagram. PHP look likes a game.

Consider how does JQuery affect millions of people confidential data – Sep 2018

RiskIQ expose one of the possible way how hacker steal customer credit card data of British Airline. Expert speculate the suspects exploit Inject jQuery into a page technique collect the confidential data. BA claim that the data breach only occurs in credit card data.
Risk IQ share the proof of concept shown that the technique equilvalent ATM machine skimmer. But this round the skimmer feature is install on web page. The fact is that when victim click the specific compromise web page button. The personal data belongs to victim will divert to hacker server.
Perhaps we know the technique so called Inject jQuery into a page is not a news. But exploit inject jQuery technique cope with ATM machine skimmer concept may be is new.
I am not going to copy RiskIQ POC programming language this time. However I will display the inject jQuery sample code for your reference. Meanwhile I will let your memory awaken.

BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers.
The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. So this is another possibility let British Airways lost the customer data.

About vulnerabilities of PHP – Aug 2018

PHP is a popular open source general-purpose scripting language. It capable for web development and can be embedded into HTML. Perhaps a fundamental weakness of PHP and therefore we seen common problem especially SQL Injection and Trusting user input to execute code happens in frequent.

Below details are the php vulnerabilities found on Aug 2018.

(CVE-2018-14883) An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c

https://bugs.php.net/bug.php?id=76423

(CVE-2018-14851) Allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

https://bugs.php.net/bug.php?id=76557

(CVE-2018-14884) Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call.

https://bugs.php.net/bug.php?id=75535

Reference: Vulnerability found on Jul 2018

Jul 2018 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

Aug 2018 – Similar to establish new challenge in IT world, mingw-w64 design limitation!

Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. ASLR function like the last line of defense of the system against cyber attack. Recently, security expert comment that the software application developer might not following guideline issue by CPU vendor. The fact is that an error occur on their software application when apply ASLR or SGX ( Software Guard Extensions – Intel). As a result, the non compliance application products will be available in the cyber world.

The actual scenario is that several tools that check for ASLR compatibility assume that the presence of the “Dynamic base” PE header is sufficient for ASLR compatibility. Because Process Explorer does not check that a relocation table is present, its indication of “ASLR” for a running process may be incorrect, and it may provides room for malware alive. I forseen that it may create the impact to the docker environment.

 

MinGW is an implementation of most of the GNU building utilities, like gcc and make on windows, while gcc is only the compiler. It looks that it has more Linux operating system includes in ASLR non compatible checklist announced by MinGW. The CPU vendor on the way to address the CPU design flaw (Meltdown and Spectre). It looks that a new form of challenge is going to join into the mistaken task force.

Should you have interest. Below hyperlink can provides the detail.

Vulnerability Note VU#307144 : mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

https://www.kb.cert.org/vuls/id/307144

Synopsis- NIST plan to retire SMS function deployed for two Factor Authentication

As of today, we are enjoying the security protection of 2 factor authentication with SMS-based one-time passwords (OTP). This protection mechanism was distributed widely. For instance, online banking, Visa,Master credit card online payment system and mobile application payment system. However NIST plan to retire SMS base 2 factor authentication. This decision has similar a open topic for public discussion in related industry since end of 2016. Some of the people queries of the technical standpoint of this decision.

Background – NIST-800-63-3 equivalent a bible for CSO (chief security officer) in the world. Even though you business not focusing US market.  The documentation structure of NIST SP 800-63A is the subset of 800-63-3. This subset of guidelines was specify address digital identity guidelines. Item 4.4.1.6 indicate the address confirmation including SMS. (below hyperlink for official document download).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf

Reference: Two-factor authentication uses two different factors of below namely, “something you have” (e.g. mobile phones), “something you are” (e.g. fingerprints) or “something you know” (e.g. password), to authenticate a user identity.

SMS messages system design limitation (see below):

  1. SIM swap is a type of phishing fraud that poses a serious threat to mobile phone user. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords
  2. SMS Messages Can Be Intercepted in Many Ways (problem in SS7)
  3. ASN.1 design flaw

Should you have interest of item 2 and 3? Please refer below:

SS7 flaw make two factor authentication insecure – Reveal the veil

 

 

Node.js hits arbitrary command injection (CVE-2018-13797)

Node.js framework become popular today. Node.js can build the application on ethereum (cryptocurrency). Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Node.js’ package ecosystem, npm, is the largest ecosystem of open source libraries in the world.

Meanwhile, npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. Software developers must stay alert on CVE-2018-13797. Should you have interested, please refer below:

Fixes arbitrary command injection by using execFile instead of exec:

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332

https://github.com/scravy/node-macaddress/pull/20/

Integer overflow weakness similar kill the Ethereum. But SafeMath to protect from overflows.

Integer overflow weakness similar kill the Ethereum – for more details, please see below (url):

Jul 2018 – Integer overflow may killed Ethereum!

But SafeMath to protect from overflows.

c >= a causes integer overflow happen

arithmetic: c=a+b-M (where M = 2**256 is the max unit256 plus one)

If c >=a replace to get a + b -M >=a

Cancelling and recording terms and get b >= M

Result: b is a uint256 and thus b < M

write an algebraic expression in a certain order. We start with the terms that have the largest exponents and work our way down to the constants. Using the commutative property of addition, we can rearrange the terms and put this expression in correct order, like this.

Reference:
Before you evaluate an algebraic expression, you need to simplify it. This will make all your calculations much easier. Here are the basic steps to follow to simplify an algebraic expression:

remove parentheses by multiplying factors
use exponent rules to remove parentheses in terms with exponents
combine like terms by adding coefficients
combine the constants

http://www.math.com/school/subject2/lessons/S2U2L5DP.html

How does the SafeMath library of OpenZeppelin protect your code from integer overflow?

https://ethereum.stackexchange.com/questions/38525/how-does-the-safemath-library-of-openzeppelin-protect-your-code-from-integer-ove?rq=1

Jul 2018 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

CVE-2018-12882 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

Use-After-Free vulnerabilities are a type of memory corruption flaw that can be leveraged by hackers to execute arbitrary code. Refer to statistic, PHP Version 5 is used by 82.0% of all the websites who use PHP. How about this vulnerable version? It  is 17.3 %. Both statistic informaiton seems up to date. PHP programming language have following advantage.

  1. Cross-Platform. PHP is, an application can be run on various platforms.
  2. Ease of use. Any individuals who are new to programming can easily learn to use them within a short duration of time.
  3. Open source and Powerful library support.

Hey, but do the remediation first! If you are using version 7.x.

CVE details shown as below: https://www.securityfocus.com/bid/104551/info

See whether Bitcoin signatures do not comply with RFC 6979

Have you heard a song by Dinah Washington ? The song title is what a difference a day made? In crypto currency world, bitcoin is the big brother. However technology world still concerns Bitcore signatures is able to comply with RFC 6979 specification?

Bitcoin owner must protect the private key. The conceptal idea is that generating random number k in elliptic curve is crucial and in any transactions signature in Bitcoin, random number k is required to compute a point k*G. If this k is chosen not randomly, it instantly leaks the private key.

Do you think attached diagram can provide the resolution to you in this regard?

What A Diff’rence A Day Makes Lyrics: What a difference a day made? Twenty-four little hours. Brought the sun and the flowers.Where there used to be rain……..

Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA):

https://tools.ietf.org/html/rfc6979

Attention: Stay Alert – Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

Preface:

PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

Security concern by security experts

The security issues are typically exposed when PHP code makes use of system-level calls.

Found critical security problem today! – Original release date: April 27, 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit one of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review MS-ISAC Advisory 2018-046 and the PHP Downloads page and apply the necessary updates.

See whether any short term remediation can take before upgrade?

1.Restrict PHP Information Leakage

expose_php=Off

2.Disable Remote Code Execution

Allow_url_fopen=Off

allow_url_include=Off

3.Not show errors to the visitors

(/etc/php.d/security.ini file)

log_errors=On

error_log=/var/log/httpd/php_scripts_error.log

4.Disable Dangerous PHP Functions (php.ini)

disable_functions =exec,passthru,

shell_exec,system,proc_open,popen,curl_exec,

curl_multi_exec,parse_ini_file,show_source

5.Upload Files (/etc/php.d/ directory)

file_uploads=Off

6.Control File System Access

always keep the open_basedir directive set to the /var/www/html directory.

open_basedir=”/var/www/html/”

7.Control the POST Size (/etc/php.d/security.ini)

post_max_size=1k

— End —