Background: XPC is a form of iOS IPC. Through XPC, an app can communicate with certain system services. mediaserverd (/usr/sbin/mediaserverd) is a daemon launched by the root process launchd; its description file is com.apple.mediaserverd.plist, stored in the /System/Library/LaunchDaemons directory. When the system starts, launchd scans all plist files in this directory and starts each background process separately. There are probably more than 50 such background processes, and they are the real reason iOS appears to support background execution. Decoding audio and video involves hardware, so mediaserverd contains a large amount of code that calls into the driver layer. XPC helps contain overflow attacks and improves system stability: because the XPC interface is cross-process, an overflow in one process cannot directly forge the data held by another.
Synopsis: mediaserverd has various media parsing responsibilities, it is reachable from various sandboxes, and it is able to talk to kernel drivers. Perhaps a hacker can find a valid trigger point in this place.
Status: even on iOS 13.1.3 (IPXR), it is still vulnerable. For more details, please refer to the diagram.
Preface: The OAuth 2.0 Authorization Framework (RFC 6749, October 2012)
Technical background: In the traditional client-server architecture, when the Client wants to fetch protected resources (Protected Resource), it must present the account and password of the user (Resource Owner) to the Server. OAuth introduces an authorization layer: the Client obtains an Access Token to access Protected Resources instead of using the Resource Owner's account password. An Access Token is a string that records information about a specific scope of access, its validity period, and more.
Vulnerability details: The details of the vulnerability are shown on the attached diagram. But the root cause of this design weakness is perhaps not limited to the CyberArk researchers' discovery. Azure trusts certain third-party domains and subdomains. Can you imagine that the problem may involve a wildcard domain included in the whitelist?
Focus: I heard that Microsoft did not issue a CVE because the bug is located only in their online service. Strange!
Preface: When you walk through the trading floor area, you can see traders writing Python code, said the chief digital officer at Nomura.
Background: Perhaps the popularity of Excel on trading floors is a coincidence. I believe that DDE and macro functions drove this trend in the past. Audit teams have found a data handling risk in the use of Excel spreadsheets on the trading floor, a technical term so called "spreadsheet risk". You may say that this is an old story!
Current finding on Excel spreadsheet design weakness: The Excel "query from file" feature is vulnerable to "Error"-based XML External Entity (XXE) attacks if the user chooses the "Import as Html page" functionality after receiving errors importing a specially crafted XML file. This scenario can lead to unauthorized access to a remote server. Perhaps this is not the external hacker; it is an insider threat. This vulnerability was just found, and the impact has no official confirmation yet. But we must stay alert!
Preface: CVE records are summarized by humans. Perhaps sometimes they have typos!
Vulnerability description: A double free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif before 1.2.15, as used in WhatsApp for Android before 2.19.244, allows remote attackers to execute arbitrary code or cause a denial of service. However, CVE-2019-11932 is a vulnerability in the android-gif-drawable library, yet the CVE text does not mention "android-gif-drawable". It only mentions WhatsApp. There could be over 28,400 free Android apps that use this library.
Observation: GifDrawable implements the Animatable and MediaPlayerControl interfaces. Therefore, the impact will be greater than expected from the CVE record.
Preface: Flaws that require root access are not considered security issues under existing policy. If we were not using the cloud computing concept, that would be acceptable. But we need cloud systems!
Security focus: A Turkish information security specialist found a design weakness in the Windows kernel. According to the vendor's bug bounty program rules, flaws that require root access are not considered security issues and are not classified as vulnerabilities. However, the whole IT world is moving toward cloud technology, and it is hard to guarantee that this type of vulnerability will not impact public cloud farms. Perhaps it could be re-engineered into a surveillance tool.
Defect details: A PoC tool proves that it can hijack the HalPrivateDispatchTable to create an early-bugcheck hook. Using this early-bugcheck hook, it collects information about the exception and basically provides a simple interface to register a high-level, system-wide exception handler. My intention is to urge Microsoft to consider this technical issue, since it may become a zero-day. So I do not display the related URL. Should you be interested in this topic, it is not difficult to do a search; you will find the details.
Reference:
The ntoskrnl.exe kernel service, which is responsible for handling exceptions, system call procedures, and thread scheduling in Windows.
Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel.
Fundamental design concept related to this matter:
RSPx is loaded whenever an interrupt causes the CPU to change privilege level to x. The TSS in long mode also holds the Interrupt Stack Table, which is a table of 7 known-good stack pointers that can be used for handling interrupts.
BKPT #0x3 ; Breakpoint with immediate value set to 0x3 (the debugger can extract the immediate value by locating it using the PC (program counter))
x86_64 also has a feature which is not available on i386: the ability to automatically switch to a new stack for designated events such as double fault or NMI, which makes it easier to handle these unusual events on x86_64. This feature is called the Interrupt Stack Table (IST). There can be up to 7 IST entries per CPU. The IST code is an index into the Task State Segment (TSS). The IST entries in the TSS point to dedicated stacks; each stack can be a different size.
Preface: XSS attack can be either server-side or client-side.
Vulnerability details: A vulnerability in Outlook for Android would allow an attacker to perform cross-site scripting (XSS) attacks on affected systems and run scripts in the security context of the current user. The official announcement did not describe the details, so my earlier attention focused on the TaintTracking configuration. However, it looks like that was incorrect. The best way to fix DOM-based cross-site scripting is to use the right output method (sink). From a technical point of view, XSS occurs when an attacker injects client-side script into web pages. So, in order to fix this vulnerability, user-supplied data should be sanitized before it is written into the page.
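As an added illustration of the "right sink" point above (example code, not taken from the Outlook for Android fix or from any Microsoft code), the following C shows the defensive pattern: untrusted text is encoded for the HTML text context before it is concatenated into markup, so a script tag carried in a display name renders as literal text. The function names html_escape and render_greeting, and the sample name, are assumptions made for this example.

```c
/* Added example (not from the original post): output encoding for the
   HTML text context in C. Untrusted input is never concatenated into
   markup raw; it goes through html_escape() first. */
#include <stdio.h>
#include <string.h>

/* Encode src for use as HTML text. Writes into dst (capacity dst_len,
   including the terminating NUL). Returns the number of characters
   produced, or -1 if dst is too small. dst is NUL-terminated on success. */
long html_escape(const char *src, char *dst, size_t dst_len)
{
    size_t out = 0;
    for (const char *p = src; *p; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t n = rep ? strlen(rep) : 1;
        if (out + n >= dst_len)      /* keep room for the NUL */
            return -1;
        if (rep)
            memcpy(dst + out, rep, n);
        else
            dst[out] = *p;
        out += n;
    }
    dst[out] = '\0';
    return (long)out;
}

/* Build a greeting paragraph from an untrusted display name. The name is
   escaped first, so any markup in it is shown as text rather than
   interpreted by the browser. Returns 0 on success, -1 on overflow. */
int render_greeting(const char *untrusted_name, char *dst, size_t dst_len)
{
    char safe[256];
    if (html_escape(untrusted_name, safe, sizeof safe) < 0)
        return -1;
    int n = snprintf(dst, dst_len, "<p>Hello, %s</p>", safe);
    if (n < 0 || (size_t)n >= dst_len)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample input: a display name carrying a script tag. */
    char out[512];
    if (render_greeting("<script>alert(1)</script>", out, sizeof out) == 0)
        puts(out);
    return 0;
}
```

The same encoder is wrong for other sinks (attribute values, URLs, JavaScript strings, CSS); each context needs its own encoding, which is what "choosing the right sink" means in practice.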
Preface: To improve bandwidth utilization, layer-4 relays were introduced that enable the pipelining of TCP connections.
Background: BIND 9 has evolved into a very flexible, full-featured DNS system. On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection.
Vulnerability details: It was discovered that BIND incorrectly handled certain TCP-pipelined queries. A remote attacker could possibly use this issue to cause BIND to consume resources, resulting in a denial of service.
Observation: Before the remedy is applied, this design weakness may provide a pathway for cyber criminals to conduct a denial of service attack. Perhaps it is easy to start the attack and then suspend the DNS service. Even if you have defensive controls, you cannot avoid it. The official announcement and remedy can be found at the following URL: https://kb.isc.org/docs/cve-2019-6477
Preface: Unlike C, C++ is an object-oriented programming language, following a programming model that uses objects that contain data as well as functions to manipulate the data. Word is an object-oriented program.
Security focus: Malware authors usually exploit some kind of arbitrary code execution or zero-day, and therefore have a chance to evade detection by the defense mechanism. The reason is that before the modules are reassembled, the malware does not take any action. But perhaps you have a doubt: how do they get the other modules? In modern defense technology, the malware detector's first priority is a domain blacklist. If the attacker compromises a web site that is not on the domain blacklist, the download of the other modules over HTTP or HTTPS may not be detected by the defense mechanism. As a matter of fact, HTTP GET and PUT actions happen frequently in everyday web browsing. That is why cyber criminals target boutique-style web shops and social media sites for compromise: those sites are still on the whitelist before they are compromised.
Preface: Starting from around 2012 the use of ransomware scams has grown internationally.
Background: About 5 days ago, Bloomberg headline news reported that cyber criminals compromised the IT infrastructure of Mexican Petroleum. Meanwhile, the hackers hope to extract nearly $5 million from the company, with a final deadline of 30th November, 2019.
Tremendous incident record: EternalBlue was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. EternalBlue opened the door to one of the nastiest ransomware outbreaks in history, known as WannaCryptor.
Our point of view: Most older NAS devices do not support SMB version 2 or above, even though a firmware upgrade may be possible. System admins sometimes lack awareness or are short of labor resources, and therefore leave SMB v1 enabled on workstations. As a matter of fact, this is what lets small and medium-sized enterprises get shot by ransomware. Even in the manufacturing and petroleum industries you may find SMB v1 still alive. Perhaps this is how the story began.
Preface: As far as I know, VMware announced CVE-2019-5541 in April 2019, but the security update was only released two days ago. Perhaps this product is not in a profitable area. But the flaw has awakened quite a lot of people to weaknesses in virtual machine design.
Background: VMware Workstation is for Windows/Linux while Fusion is for Intel Based Apple Computers only running Mac OS X 10.4.9 and later.
Type 1 hypervisors are commonly considered bare metal hypervisors, in that the hypervisor code itself runs directly on top of your hardware. VMware Workstation is an example of a type 2 hypervisor. You can install it on top of an existing instance of Windows (and a number of Linux distributions).
Vulnerability details: The identified VMware Workstation and Fusion versions are affected by an out-of-bounds write vulnerability in the e1000 virtual network adapter. An affected guest may be able to execute malicious code on the hypervisor.
Supplement: The idea of a heap buffer overflow is generally to achieve an out-of-bounds write. According to what data is written, there are more specific subdivisions. For more details, please refer to the attached diagram.
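The two memory-safety defects on this page, the double free in the GIF decoder (CVE-2019-11932, above) and the heap out-of-bounds write in the e1000 adapter, share the same defensive pattern, shown here as an added C example that is not the code of libpl_droidsonroids_gif, VMware or any of the projects discussed. The frame_buf type and its functions are assumptions made for the example: every append is checked against the buffer's declared capacity before memcpy, and release clears the pointer so a second release is a harmless no-op instead of a double free.

```c
/* Added example (not from the original post): a decoder-style frame buffer
   with explicit capacity checks (prevents heap out-of-bounds writes) and an
   idempotent release routine (prevents double free). */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef struct {
    uint8_t *data;   /* heap allocation, NULL when not owned */
    size_t   len;    /* bytes currently used */
    size_t   cap;    /* bytes allocated */
} frame_buf;

/* Allocate a buffer of cap bytes. Returns 0 on success, -1 on failure. */
int frame_buf_init(frame_buf *fb, size_t cap)
{
    if (!fb || cap == 0)
        return -1;
    fb->data = malloc(cap);
    if (!fb->data)
        return -1;
    fb->len = 0;
    fb->cap = cap;
    return 0;
}

/* Append n bytes from src. The check is written as n > cap - len rather
   than len + n > cap so that a huge n cannot wrap the addition; an
   unchecked memcpy here is exactly the heap out-of-bounds write pattern. */
int frame_buf_append(frame_buf *fb, const uint8_t *src, size_t n)
{
    if (!fb || !fb->data || !src)
        return -1;
    if (n > fb->cap - fb->len)
        return -1;                 /* would overflow the allocation */
    memcpy(fb->data + fb->len, src, n);
    fb->len += n;
    return 0;
}

/* Release the allocation. The pointer is cleared afterwards, so calling
   this twice (the double-free pattern) frees nothing the second time. */
void frame_buf_free(frame_buf *fb)
{
    if (!fb)
        return;
    free(fb->data);
    fb->data = NULL;
    fb->len = 0;
    fb->cap = 0;
}

/* 1 if the buffer currently owns memory, else 0. */
int frame_buf_is_live(const frame_buf *fb)
{
    return fb && fb->data != NULL;
}

int main(void)
{
    /* Constructed sample: an 8-byte buffer fed a 6-byte and a 3-byte chunk. */
    static const uint8_t chunk[6] = { 1, 2, 3, 4, 5, 6 };
    frame_buf fb;
    if (frame_buf_init(&fb, 8) != 0)
        return 1;
    frame_buf_append(&fb, chunk, 6);   /* fits */
    frame_buf_append(&fb, chunk, 3);   /* rejected: 6 + 3 > 8 */
    frame_buf_free(&fb);
    frame_buf_free(&fb);               /* no-op, not a double free */
    return 0;
}
```

Clearing the pointer on free is only a partial mitigation: it protects against a second release through the same struct, not against a stale copy of the pointer held elsewhere, which is why ownership of a buffer should have exactly one holder.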