Preface: Arbitrary File Upload but require regular user sign in. Perhaps it lose the access control!

Product description: NewsOne is a web based application and fully responsive news & magazine script. Anyone can start your own media/press website with just few clicks without any codding knowledge.

Vulnerability details: Auth as a regular user. Go to specify URL (see attached diagram) and upload any file you want via <input type=”file” name=”user_image”> field. From security point of view, An attacker can use this vulnerability to perform a variety of malicious activities, including defacement, disclosure, and malware infection.

Remedy : Waiting for vendor announcement

Preface: Malware detection, SIEM and predictive technology enhance the detective and preventive control in cyber security world. However the hacker still have solutions to conduct infiltration thus compromise the system. Attacker exploit integer overflow do the evasion. From technical point of view. It is difficult to detect.

Historical records of cyber attack who exploit integer overflow vulnerability:

Total 329 ethereum tokens vulnerable for integer overflow – 9th Jul 2018 – http://www.antihackingonline.com/potential-risk-of-cve/9th-jul-2018-total-329-ethereum-tokens-vulnerable-for-integer-overflow/

CVE-2018-6983 VMware Workstation and Fusion updates address an integer overflow issue – 22nd Nov 2018 – http://www.antihackingonline.com/potential-risk-of-cve/cve-2018-6983-vmware-workstation-and-fusion-updates-address-an-integer-overflow-issue-22nd-nov-2018/

CVE-2018-20181 rdesktop seamless_process() Heap-Based Buffer Overflow Memory Corruption Vulnerability – https://cxsecurity.com/cveshow/CVE-2018-20181

Observation: According to my observations, there are technical limitation on software engineering, most likely the cyber criminal keen to develop a technique sound like F117. That is invisible to radar (IDS) and infrared (SIEM). Perhaps online web application shall require user input function. Even though software developer introduce pull down menu function. However it is not able to lack of name and password input. So this is the objective we highlight today. Integer overflow technique exact can provides silent attack. As a result it form a bridge let attacker execute the 2nd phase of attack. For instance in C environment, The range of unsigned char is (0 – 255). So if the input password length is 260, it will cause integer overflow . So passwd_len actually has a length of 4, so you can bypass the length limit. If buf parameter has design limitation, stuffed 260 length of data into it, it will cause stack overflow.

Preface: Ghidra is one such well-known software reverse engineering toolkit that the NSA agency has been using for a long time.

Synopsis: He ensured the audience that there’s no backdoor in Ghidra, said Rob Joyce, the cybersecurity adviser to the NSA director.

About installation: Quick and simple way

Prerequisite: Since “Ghidra” relies on JDK 11+ and therefore your Linux OS might require to update. For example: I am using Fedora system. In order to avoid any technical problem occurs during installation. My Fedora upgrade to Fedora 28.

1. Before kick start do the installation, please confirm your current OS whether compatibility with JDK 11+.

2. If you don’t have any technical concerns about item 1, you can download the software by going to the url below.

https://ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

3. Copy file (ghidra_9.0_PUBLIC_20190228.zip) to your decide location (/home/xxxx/ghidra).

Remark: xxxx is your user name in Linux

4. Permission setting

chmod 755 ghidra_9.0_PUBLIC_20190228.zip

5. unzip the download file

unzip ghidra-sre.org/ghidra_9.0_PUBLIC_20190228.zip

Now do the JDK 11+ installation:

6. As said, I am working on Fedora 28.So download the require JDK 11+ source file in the following location:

curl -O https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz

7. After the download, extract the archive

tar zxvf openjdk-11.0.1_linux-x64_bin.tar.gz

8. Move the resulting folder to /usr/local/

sudo mv jdk-11* /usr/local/

9. Set environment variables (create or edit existing jdk11.sh file)

sudo vi /etc/profile.d/jdk11.sh

Add:

export JAVA_HOME=/usr/local/jdk-11.0.1

export PATH=$PATH:$JAVA_HOME/bin

10. Source your profile file and check java command

$ source /etc/profile.d/jdk11.sh

$ java -version

openjdk version “11.0.1” 2018-10-16

OpenJDK Runtime Environment 18.9 (build 11.0.1+13)

OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)

11. $ which java

/usr/local/jdk-11.0.1/bin/java

12. Installation has been done.

13. You can go to Ghidra now. Go the location which Ghidra in place. Then execute ./ghidraRun .

For users instruction, please refer below url:

https://ghidra-sre.org/InstallationGuide.html

End.

Preface: Docker’s introduction of the standardized image format has fueled of interest in the use of containers in the enterprise recently. A Docker container look likes a Virtual machine.

It is without antivirus or malware detector facilities install to Docker container platform. Is that secure?

On the market, there is no such product available in the market. However if you would like to find out something 101 about preventive control. It can find on this short discussion.

Hints: When a container accesses a database or service it will require a secret, like an API key or username and password. An attacker that gains access to the secret will also have access to the service. For more details, please refer to attached diagram.

Recommendation:

1. Ensure that processes in containers do not run as root, so when attacker try to exploiting privileges command, it will be restricted by role base control.
2. Cut down on the kernel calls that a container can make to reduce the potential attack surface.

So called “something 101” as usual technical details not suitable describe in long format. See whether we have chance to discuss more in future.