Learn more about CVE-2019-18634 – sudo vulnerability

Preface: Sudo (substitute user [or superuser] do) is a program used in Unix-like operating systems such as BSD, Mac OS X, and GNU/Linux that lets users run programs with the privileges of another user (usually the system superuser) in a controlled manner.

Highlight: When pwfeedback is set, sudo gives visual feedback as the user types the password: each entered character is echoed as an asterisk.

Vulnerability details: In January 2020, CVE-2019-18634 disclosed a bug in the pwfeedback option that had existed for more than 9 years. When pwfeedback is enabled in the sudoers file, a user can trigger a stack buffer overflow in sudo. Any user who can reach the sudo password prompt, including users without system management rights and even users not listed in the sudoers file, may be able to elevate to root account permissions.

Remedy: The bug is fixed in sudo 1.8.31.
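A quick way to tell whether a host that cannot yet be upgraded to 1.8.31 still has the option enabled is to audit its sudoers text for a Defaults line that sets pwfeedback. The routine below is an added example written for this post, not code from the sudo project; it only handles Defaults lines (including qualified ones such as Defaults:alice) and treats "!pwfeedback" as disabling the option.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if the sudoers text enables pwfeedback through a Defaults
 * line, 0 otherwise. Comment lines are skipped, "!pwfeedback" counts as
 * disabled, and the last matching option wins. Defaults lines with a
 * host/user/command qualifier (e.g. "Defaults:alice") are audited too. */
int sudoers_enables_pwfeedback(const char *sudoers)
{
    int enabled = 0;
    char line[512];
    const char *p = sudoers;

    while (*p) {
        size_t full = strcspn(p, "\n");                 /* copy one line */
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += full;
        if (*p == '\n') p++;

        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '#' || strncmp(s, "Defaults", 8) != 0) continue;
        s += 8;
        while (*s && !isspace((unsigned char)*s)) s++;  /* skip qualifier */

        /* options are comma and/or whitespace separated */
        for (char *tok = strtok(s, ", \t"); tok; tok = strtok(NULL, ", \t")) {
            if (strcmp(tok, "pwfeedback") == 0) enabled = 1;
            else if (strcmp(tok, "!pwfeedback") == 0) enabled = 0;
        }
    }
    return enabled;
}

int main(void)
{
    /* constructed sample sudoers content, not taken from any real host */
    const char *sample = "# /etc/sudoers\nDefaults env_reset, pwfeedback\n"
                         "root ALL=(ALL) ALL\n";
    printf("pwfeedback enabled: %d\n", sudoers_enables_pwfeedback(sample));
    return 0;
}
```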

F-Secure Internet Gatekeeper 5.40 (heap overflow) – 30th Jan 2020

Preface: Heap overflows are exploited in a different manner from stack-based overflows. Memory on the heap is dynamically allocated at runtime and typically contains program data.

Product background: F-Secure Internet Gatekeeper for Linux is aimed at cyber security protection for small and medium businesses. It scans incoming and outgoing SMTP, HTTP, FTP and POP3 traffic for all types of malware.

Vulnerability details: F-Secure Internet Gatekeeper contains an admin panel that listens on port 9012/tcp. If an attacker sends a request to the user administration function with a “Content-Length” value too large to fit in an unsigned long, strtoul returns ULONG_MAX, which corresponds to 0xFFFFFFFF on 32-bit systems.
Under these circumstances, when the fs_httpd_civetweb_callback_begin_request function issues a malloc request to handle the data sent by the attacker, it first adds 1 to the content_length variable and then calls malloc. This is a problem because 0xFFFFFFFF + 1 causes an integer overflow (the value wraps around), so the buffer obtained is far too small. After that, the code reads an arbitrary amount of attacker-supplied data onto the heap without any restraint.
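The flawed arithmetic and a hardened replacement, as an added example for this post (illustration only, not the vendor's code): naive_alloc_size reproduces the ULONG_MAX + 1 wrap, while parse_content_length rejects overflow, non-digit input and anything above a server-defined ceiling before any allocation happens. The 1 MiB ceiling used in main is an assumed value.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the flawed pattern described above (illustration, not the
 * vendor's code): strtoul saturates at ULONG_MAX on overflow, and the
 * "+ 1" then wraps to 0, so the allocation is far smaller than the body
 * the server goes on to read. */
unsigned long naive_alloc_size(const char *content_length)
{
    unsigned long n = strtoul(content_length, NULL, 10);
    return n + 1;                /* 0 when n == ULONG_MAX */
}

/* Hardened parser: only digits are accepted (so no sign, space or trailing
 * junk), ERANGE from strtoul is treated as an error rather than a value,
 * and the result is capped by a server-defined ceiling that leaves room
 * for the "+ 1". Returns 0 on success, -1 on rejection. */
int parse_content_length(const char *s, unsigned long max_body, unsigned long *out)
{
    if (s == NULL || *s == '\0') return -1;
    for (const char *q = s; *q; q++)
        if (!isdigit((unsigned char)*q)) return -1;

    errno = 0;
    unsigned long n = strtoul(s, NULL, 10);
    if (errno == ERANGE) return -1;            /* exceeded ULONG_MAX */
    if (n > max_body || max_body >= ULONG_MAX) return -1;
    *out = n;
    return 0;
}

int main(void)
{
    /* constructed header value: 23 digits, larger than any unsigned long */
    const char *huge = "99999999999999999999999";
    unsigned long len = 0;
    printf("naive size for huge Content-Length: %lu\n", naive_alloc_size(huge));
    printf("hardened parser accepts it: %s\n",
           parse_content_length(huge, 1UL << 20, &len) == 0 ? "yes" : "no");
    return 0;
}
```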

Remedy: This critical issue was tracked as FSC-2019-3 and fixed in F-Secure Internet Gatekeeper versions 5.40 – 5.50 hotfix 8 (2019-07-11).

The endless story of the SMTP gateway – CVE-2020-7247

Preface: Ray Tomlinson sent the first email across a network, initiating the use of the “@” sign to separate the names of the user and the user’s machine in 1971, when he sent a message from one DEC-10 computer to another DEC-10.

Synopsis: An SMTP relay forwards email across the internet using the SMTP protocol. OpenSMTPD's design goals include security, reliability and ease of configuration. If you are an OpenBSD (open-source Unix-like operating system) user, you can set up OpenSMTPD to relay local emails to Gmail.

Vulnerability details: The flawed code, so to speak, blew a hole in the relay server.

Privilege escalation: When mail is received by the server, it is processed as root (the superuser account). Therefore anyone who can exploit this vulnerability effectively “promotes” themselves to root.

This vulnerability exists in the “smtp_mailaddr()” function of OpenSMTPD, OpenBSD’s mail server, and affects OpenBSD version 6.6. It allows an attacker to execute arbitrary shell commands, such as “sleep 66”, as the root user.

Remedy: To remediate this vulnerability, affected OpenBSD users are advised to install the patches for OpenBSD 6.6. See erratum 019 at https://www.openbsd.org/errata66.html.

Digital transformation – coronavirus phishing scam email – Feb 2020

Synopsis: Stay alert, especially in the healthcare and pharmaceutical industries.
Phishing scams like this one, which prey on ordinary people during this period, deserve condemnation.

Observation: A sample phishing email detected last Tuesday by the email filtering firm Mimecast shows cyber criminals sending emails with malicious links and PDFs that claim to contain information on how to protect yourself from the spread of the disease (see attached diagram).
Their goal is to steal credentials and personal information, since Emotet payloads were found inside.

To ensure the cyber security awareness of your staff, IT departments, especially in the healthcare and pharmaceutical industries, should stay alert.

Can it be remedied or is it an enigma? – JAN 2020

Preface: User Account Control (UAC) is a fundamental component of Microsoft’s overall security vision. UAC helps mitigate the impact of malware.

Synopsis: The UAC bypass using eventvwr.exe was exploited by malware in 2017. Microsoft fixed the eventvwr.exe UAC bypass in the Windows 10 Creators Update: in preview build 15007, Microsoft appears to have closed the UAC bypass method involving eventvwr.exe. But investigators still discovered similar UAC bypass techniques being used by ransomware.
In April 2019, experts found a new type of ransomware named Sodinokibi. Its design uses a module loaded into memory that functions as a loader in phase 1. Meanwhile it will attempt a UAC bypass if the process's privileges are insufficient.

The UAC bypass technique is not limited to eventvwr.exe. The attacker can write itself to the registry key (Software\Classes\mscfile\shell\open\command) and launch a new instance of explorer.exe to execute compmgmtlauncher.exe, which in turn executes whatever is configured in the registry key Software\Classes\mscfile\shell\open\command\ and so runs a script (see above diagram).

So the basic concept is that simply following vendor announcements and conducting patch management is not an efficient technique for protecting your machines from ransomware attacks.

Objectives and definitions for establishing light weapons: To avoid detection by anti-malware mechanisms, quite a lot of notorious APT malware relies on design weaknesses in UAC. As a result it can bypass the access control and significantly increase the success rate of phase one of a cyber attack, because it creates difficulties for the defense mechanism. The fact is that merely detecting a simple script or piece of code does not make it easy to predict what the intention was. When the WannaCry ransomware was born, perhaps its design goal was the SMB vulnerability, but it lacked a competent attack strategy. When ransomware takes the action of deleting the system's shadow copies, which requires local administrator rights, User Account Control prompts the user to allow elevated privileges in order to execute the operation (see below diagram). So it alerts the end user that something will happen when they click. Therefore the new generation of ransomware tries to take advantage of this design weakness.

Ransomware authors leverage UAC bypass techniques: A novel technique, the Dridex User Account Control (UAC) bypass method, is characterized by its use of recdisc[.]exe, a default Windows recovery disc executable, and its loading of malicious code via an impersonated SPP[.]dll. You might say that this vulnerability has been fixed by Microsoft. But the market feedback is as follows:

Microsoft doesn’t consider UAC a security barrier, and thus they often don’t fix UAC bypasses. These bypasses are common and easy. The following figure shows another scenario of UAC bypass.
Let’s open our eyes and see what happens in the evolving world of cybersecurity.

Additional topic: I wish that the Coronavirus would be gone by tomorrow morning. Perhaps that is not possible, but such punishment to mankind has been enough!

FusionAuth 1.10 Remote Command Execution – JAN 2020

Preface: The biggest differentiator between CIAM and regular (internal) IAM is that in CIAM the consumers of the service manage their own accounts and profile data.

Background: FusionAuth provides all of the features you need without the need to code plugins or purchase an enterprise license. Its SaaS-capable architecture also provides maximum flexibility when it comes to deployment. You can choose the type of database to use and the OS to install on.

Vulnerability details: Users who have the privilege to modify templates, even if they are not the system admin or root, can exploit this feature to conduct remote command execution. The vendor alerts users with the following statement: “BE CAREFUL! this tag, depending on use, may allow you to set something up so that users of your web application could run arbitrary code on your server. This can only happen if you allow unchecked GET/POST submissions to be used as the command string in the exec tag.”

Remedy: This vulnerability has been fixed in version 1.11 of FusionAuth.

Are there other similarly vulnerable components like ws2ifsl.sys in Windows?

Preface: Finding an error somewhere sometimes expands your way of thinking.

Synopsis: Ws2ifsl.sys is found in the C:\Windows\System32\drivers directory. In many cases a driver creates a symbolic link whose name can be used as the file name for CreateFileA, but this is not the case with ws2ifsl. It only calls nt!IoCreateDevice with the DeviceName set to ‘\Device\WS2IFSL’. IoCreateDevice creates a device object and returns a pointer to the object. The caller is responsible for deleting the object when it is no longer needed by calling IoDeleteDevice.

Vulnerability details: An elevation of privilege vulnerability exists in the way that ws2ifsl.sys (Winsock) handles objects in memory, aka ‘Windows Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-1253, CVE-2019-1278, CVE-2019-1303.

Patch analysis: In the Microsoft patched version (10.0.18362.356), we can see the patched features:
– CreateProcessFile
– Delivery closed
– Signal cancelled
– Signal requirements
– RequestRundownRoutine
– CancelRundownRoutine

Under my observation: If a device name is not supplied (that is, DeviceName is NULL), the device object created by IoCreateDevice will not (and cannot) have a discretionary access control list (DACL) associated with it. Do you think this issue gives an attacker an opportunity to exploit it?

CVE-2020-2696 Local privilege escalation via CDE dtsession – JAN 2020

Technical Background: How is a CDE session managed? The dtsession command provides session management functionality, compliant with ICCCM 1.1, during a user session, from login to logout. It starts a window manager and allows users to save a session, restore a session, lock a session, start screen savers, and allocate colors for desktop-compatible clients.

Vulnerability details: A buffer overflow in the CheckMonitor() function in the Common Desktop Environment allows local users to gain root privileges via a long palette name passed to dtsession in a malicious .Xdefaults file (CVE-2020-2696).

  • All Official Ubuntu variants 12.04 – 18.04
  • Debian 6, 7, 8, 9
  • Fedora 17 at least
  • Archlinux
  • Red Hat
  • Slackware 14.0
  • OpenBSD
  • NetBSD
  • FreeBSD 9.2, 10.x, 11.x
  • openSUSE Tumbleweed (gcc7)
  • openSUSE Leap 4.2 (gcc4)
  • SUSE 12 SP3 (gcc4)
  • Solaris, OpenIndiana
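The defensive pattern that closes this class of bug is to bound the copy of the resource value and refuse an over-long name instead of writing past a fixed buffer. The routine below is an added example for this post, not CDE's code: the resource key "*palette" and the 64-byte buffer size are assumptions chosen for illustration, and the .Xdefaults fragment in main is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PALETTE_NAME_MAX 64   /* assumed buffer size for this illustration */

/* Extracts the value of a resource line such as "*palette: MyPalette" from
 * X resource text (.Xdefaults format) into a fixed-size buffer. The key
 * "*palette" is an assumed name for illustration, not dtsession's actual
 * resource. Lines starting with '!' are comments. Returns 0 on success,
 * -1 if the resource is absent, -2 if the value would not fit: the case an
 * unchecked copy turns into a stack overflow. */
int read_palette_name(const char *xres, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = xres; *p; ) {
        const char *eol = p + strcspn(p, "\n");
        while (p < eol && isspace((unsigned char)*p)) p++;
        if (*p != '!' && (size_t)(eol - p) > klen &&
            strncmp(p, key, klen) == 0 && p[klen] == ':') {
            const char *v = p + klen + 1, *e = eol;
            while (v < eol && isspace((unsigned char)*v)) v++;  /* trim */
            while (e > v && isspace((unsigned char)e[-1])) e--;
            size_t vlen = (size_t)(e - v);
            if (vlen >= outlen) return -2;   /* refuse rather than overflow */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = (*eol == '\n') ? eol + 1 : eol;
    }
    return -1;
}

/* Convenience wrapper: 0 = ok, -1 = missing, -2 = too long. */
int check_palette_resource(const char *xres)
{
    char name[PALETTE_NAME_MAX];
    return read_palette_name(xres, "*palette", name, sizeof name);
}

int main(void)
{
    /* constructed .Xdefaults fragment with a 200-character palette name;
     * the array initializer leaves the trailing bytes zeroed */
    char xres[256] = "! constructed sample\n*palette: ";
    memset(xres + strlen(xres), 'A', 200);
    printf("result: %d\n", check_palette_resource(xres));   /* -2 */
    return 0;
}
```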

Remedy: The open source CDE 2.x project has issued the following patches for this vulnerability:



NewsOne design weakness – Arbitrary File Upload (18th Jan 2020)

Preface: Arbitrary file upload, though it requires a regular user to sign in. Perhaps it lacks access control!

Product description: NewsOne is a web-based, fully responsive news & magazine script. Anyone can start their own media/press website with just a few clicks and without any coding knowledge.

Vulnerability details: Authenticate as a regular user, go to the specified URL (see attached diagram) and upload any file you want via the <input type="file" name="user_image"> field. From a security point of view, an attacker can use this vulnerability to perform a variety of malicious activities, including defacement, disclosure, and malware infection.

Remedy: Waiting for vendor announcement.

MS CryptoAPI spoofing flaw – 15th Jan 2020

Preface: We are all scared of Ransomware!

Background: crypt32.dll is a DLL file (extension .dll). It belongs to CryptoAPI (Crypto API32) and is used to run applications built on it. Certain sophisticated video games and software applications use crypt32.dll to access the cryptographic API functionality provided by Windows.

Vulnerability details: The bug lies in crypt32.dll's signature verification for elliptic curve certificates. crypt32.dll only checks that the public key and the curve parameters match, but not the generator G. An attacker could use your public certificate without owning its private key, combined with some other code-signing certificate issued to someone else, to bypass a publisher check this way.
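To make the missing check concrete, here is an added example for this post (not Microsoft's code): a flawed certificate match that compares the public key and curve parameters but skips the generator, beside a strict match that treats the generator as part of the key's identity. The ecc_cert layout and the 4-byte placeholder values are constructed for illustration and are not real curve constants or key material.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Explicit EC parameters plus the public point Q, as a certificate can
 * carry them. The 4-byte fields are illustrative placeholders, not real
 * curve constants or key material. */
typedef struct {
    uint8_t p[4], a[4], b[4];   /* field prime and curve coefficients */
    uint8_t G[4];               /* generator (base point) */
    uint8_t n[4];               /* order of G */
    uint8_t Q[4];               /* public key point */
} ecc_cert;

/* Flawed comparison as described above: public key and curve parameters
 * are compared, the generator G is not. */
int match_ignoring_generator(const ecc_cert *cached, const ecc_cert *seen)
{
    return memcmp(cached->Q, seen->Q, 4) == 0 && memcmp(cached->p, seen->p, 4) == 0 &&
           memcmp(cached->a, seen->a, 4) == 0 && memcmp(cached->b, seen->b, 4) == 0 &&
           memcmp(cached->n, seen->n, 4) == 0;
}

/* Corrected comparison: a public key is only "the same key" under the
 * generator it was issued with, so G must match as well. */
int match_strict(const ecc_cert *cached, const ecc_cert *seen)
{
    return match_ignoring_generator(cached, seen) && memcmp(cached->G, seen->G, 4) == 0;
}

/* Constructed sample: the trusted root as cached by the verifier, and a
 * presented certificate that copies its Q and curve but declares another G. */
static const ecc_cert trusted   = {{1,2,3,4},{5,6,7,8},{9,10,11,12},{13,14,15,16},{17,18,19,20},{21,22,23,24}};
static const ecc_cert presented = {{1,2,3,4},{5,6,7,8},{9,10,11,12},{99,99,99,99},{17,18,19,20},{21,22,23,24}};

int flawed_accepts(void) { return match_ignoring_generator(&trusted, &presented); }
int strict_accepts(void) { return match_strict(&trusted, &presented); }

int main(void)
{
    printf("flawed check accepts: %d, strict check accepts: %d\n",
           flawed_accepts(), strict_accepts());   /* 1 and 0 */
    return 0;
}
```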

Special comment: Do you think this vulnerability is related to a surveillance program?

NSA official announcement: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF