Category Archives: Potential Risk of CVE

Perhaps the IoT world should be vigilant – CVE-2021-3177 (26th Jan 2021)

Preface: On macOS, dynamic-link libraries are known as dylib files. This is the equivalent to a DLL on Windows and
a shared library (or .so library) on Linux.

Background: ctypes is a foreign function library for Python. It provides C compatible data types, and allows calling functions in DLLs or shared libraries. It can be used to wrap these libraries in pure Python.

Design objective: Calling C++ libraries from Python allows the developer to build an application that takes advantage of the best of Python and C++. The result is an application that combines both speed and simplicity.

Vulnerability details: There’s a buffer overflow in the ctypes PyCArg_repr() function. (Disclosure date: 2021-01-16)

Design weakness: There’s a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.
The buffer overflow happens due to not checking the length of specify sprintf() function.

CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3177

CVE-2021-2018 Vulnerability in the Advanced Networking Option component of Oracle DB Srv (20-01-2021)

Preface: When Oracle has security advisory announce each time, I feel headache because vendor not willing to provide the details.

Vulnerability details: CVE-2021-2018 -Please refer to the link for details: https://nvd.nist.gov/vuln/detail/CVE-2021-2018

Technical Supplement: A large computer foot print around the world in the office is Microsoft window base machine. Therefore DB infrastructure integrate to Active Directory is common. Windows AD server classic way is Kerberos authentication. Oracle database competence support Kerberos. So called configuring the Kerberos authentication adapter. On Nov 2020 Microsoft do the remediation of Kerberos KDC Security Feature Bypass Vulnerability (CVE-2020-17049). When you read the official of Oracle vulnerability (CVE-2021-2018), it say, it is only affects Windows platform only. OK, be my guest. Using your imagination to understand this vulnerability. Great day, great fun!

Ref 1: To setup Kerberos on oracle DB. We will need to make changes in three places: DB Server, Client Workstation & Active Directory.

Ref 2: Kerberos KDC Security Feature Bypass Vulnerability – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049

Bugs in popular chat apps let attackers spy on users. (21-01-2021)

Preface: I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger, said Natalie Silvanovich.

Background: Bugs in Signal, Google chat apps let attackers spy on users. Such vulnerability is given by programming code, and was not due to WebRTC functionality. Furthermore , expert found that facebook messenger is vulnerable to this matter perhaps they are not using WebRTC. Facebook official say that they use ‘fbthrift’. What is Thrift. Facebook’s branch of Apache Thrift, including a new C++ server.\ \.

For the details of vulnerability. You can found on the following website – https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html

Supplement: Discovering this vulnerability let us know the function of Frida hook framework. Frida is a hook framework based on python + javascript. To exploit the design weakness on Facebook Messenger. It was not straightforward because of the amount of reverse engineering required. Finally Frida hook framework complete the task.

Reference: Instrumentation technology

Instrumentation technology refers to injecting additional code into the program to collect runtime information. It can be divided into two types:

(1) Source Code Instrumentation (SCI): Additional code is injected into the program source code.

(2) Binary Instrumentation: Extra code is injected into the binary executable file.

●Static Binary Instrumentation (SBI): Insert additional code and data before program execution to generate a permanently changed executable file.

●Dynamic Binary Instrumentation (DBI): Insert additional code and data in real time while the program is running, without any permanent changes to the executable file.

Cyber security focus – dnsmasq vulnerabilities (20th Jan, 2021)

Preface: On August 27, 2015 Cisco announced it has completed the acquisition of OpenDNS (now branded as Cisco Umbrella). Perhaps they predict that this day will come.

Background: dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server,
router advertisement and network boot features, intended for small computer networks. Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.

Vulnerability details: Dnsmasq is vulnerable to memory corruption and cache poisoning. For more details, please see the follow links: https://kb.cert.org/vuls/id/434904

Workarounds:

  • Configure dnsmasqnot to listen on WAN interfaces
  • Reduce the maximum queries (–dns-forward-max=). The default is 150.
  • Do a patching
  • Use protocols that provide transport security for DNS (DoT or DoH)
  • Reducing the maximum size of EDNS message (Recommendations related to RFC5625)

Are you worried about UEFI BIOS attacks? (19th Jan, 2021)

Preface: Quite a lot of UEFI vulnerabilities and hardware misconfigurations have been found in past. This is an alert signal. As a matter of fact, the problem is that it’s very difficult to get malicious code into UEFI systems.

Background: Reading the first sector from a disk and loading it to 0x7C00 is a BIOS specific booting protocol. But it never been use. It is a old technology. UEFI bootloaders are loaded from a filesystem. UEFI requires the firmware and operating system loader (or kernel) to be size-matched; for example, a 64-bit UEFI firmware implementation can load only a 64-bit operating system (OS) boot loader or kernel.

Synopsis: A local attacker with access to system memory may exploit the UEFI vulnerability attack. Perhaps this is not the only way.

Dell mitigates design flaws in a specific product (Inspiron 5675). Please refer to the link below. https://www.dell.com/support/kbdoc/zh-hk/000180645/dsa-2020-247-dell-client-platform-security-update-for-uefi-bios-runtimeservices-overwrite-vulnerability

CVE-2021-24122 Apache Tomcat Information Disclosure (14th Jan 2021)

Synopsis:
What is a Reparse Point? According to official information by Microsoft, In NTFS Filesystem, there is a concept called “reparse point. The traditional NTFS junctions and Win10 “Unix-like” symlinks are two different kinds of reparse points.
Starting in Windows 10, version 1607, for the unicode version of this function (FindFirstFileW), you can opt-in to remove the MAX_PATH character limitation without prepending “\\?\”.

Vulnerability details: The existing design weakness affects the function File.getCanonicalPath of the component NTFS File System Handler. The manipulation with an unknown input leads to source code disclosure vulnerability. For details, see attached diagram

Vendor announcement: http://mail-archives.us.apache.org/mod_mbox/www-announce/202101.mbox/%3Cf3765f21-969d-7f21-e34a-efc106175373%40apache.org%3E

Fixed in:
– 10.0.x for 10.0.0-M10 onwards
– 9.0.x for 9.0.40 onwards
– 8.5.x for 8.5.60 onwards
– 7.0.x for 7.0.107 onwards

CVE-2020-27780 – Linux-pam vulnerability – Improper Authentication (18th Dec 2020)

Background: Linux pam originated from the open source implementation of the software DCE-RFC of Sun, a well-known manufacturer later acquired by Oracle. PAM is called Pluggable Authentication Modules, which can be inserted into authentication modules. Various authentication modules and plug-ins can be dynamically introduced for authentication without reloading the system, very flexible.

Vulnerability details: When the user doesn’t exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate.

Reason: The default options set on pam_pwquality above include local_users_only, which tells pam_pwquality to ignore users that are not in the local [/]etc[/]passwd file. However, the blank check could return 1 if root had empty password
because in the second case (refer to diagram) the password hash of root was used.

Remediation: https://github.com/linux-pam/linux-pam/releases

CVE-2021-3006 (Loopring(LRC) Protocol Incident)- If you are passionate about cryptocurrency. You should be alert of this. (4th Jan 2021)

Background: In November 2020, lots of DeFi platforms in Ethereum encounters a security incident, such as Pickle Finance, 88mph.

What Is Decentralized Finance (DeFi)?
By deploying immutable smart contracts on Ethereum, DeFi developers can launch financial protocols and platforms that run exactly as programmed and that are available to anyone with an Internet connection.

What Are Flash Loans in DeFi?
A loan from strangers is possible in DeFi. In order to fulfill this request. The individuals should repay the lender in the same transaction that issued the funds.

Vulnerability details: The Farm contract is deployed in every Seal pool and the function breed() in the contract is used to issue new Seal tokens.However there is no access control designed for the breed() function, anyone can calls the breed() function of the Farm contract.

CVE-2021-3006 Detail – https://nvd.nist.gov/vuln/detail/CVE-2021-3006

To avoid malware misuse “PACKET_MMAP” function,from Linux environment. CISA Releases Free Detection Tool for Azure/M365 Environment (29th Dec 2020)

Preface: Neither shellcode or shellcode injection have anything to do with shell scripting. It is a sophisticated way of finding a vulnerable spot on the cyber security layer of an organization and exploiting it for malicious purposes.

Background: Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. The platform consists of the integration of hardware built around a secured silicon chip; the Azure Sphere OS (operating system), a custom high-level Linux-based operating system; and the Azure Sphere Security Service, a cloud-based security service….

About “PACKET_MMAP” function: From official article, it illustrated below:
PACKET_MMAP provides a size configurable circular buffer mapped in user space that can be used to either send or receive packets. However a design weakness has occured! The mmap‘ed memory buffer will be filled by the kernel when using PACKET_RX_RING. As a result, the user’s process, it’s enough to mmap a buffer with PROT_READ|PROT_EXEC permissions flags, and let the kernel fill the buffer.

Remedy: Perhaps shellcode injection sometimes can evade your malware protection mechanism. In certain point of view, use SIEM is one of the cost effective solution. Meanwhile, CISA Releases Free Detection Tool for Azure/M365 Environment. Reference link – https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment

Reminder: For those who are using it (SCO Openserver) 28th Dec 2020

Preface: Today’s web design tools are quite mature, and you can complete large websites without even touching HTML syntax. Maybe the vulnerability can happen in this way!

What’s HTTP Method?
OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT

What is the difference between GET and POST?
In HTTP GET Method, it is not allowed to pass data in message-body, because it is GET.
The original POST is to send the form data in the message-body. In addition, multi-part encoding will be used when sending files, and the files and other form fields will be placed in the message-body for sending.

Vulnerability details: It is possible to use various shell metacharacters to inject arbitrary OS commands. The command output does not appear to be returned in the application’s responses, however it is possible to inject time delay commands to verify the existence of the vulnerability. For more details, please refer below url: https://nvd.nist.gov/vuln/detail/CVE-2020-25494