OS X security researcher Patrick Wardle is expected at Black Hat to demonstrate how to write advanced Mac malware, including Gatekeeper and Xprotect bypasses, in hopes of raising awareness to the current state of OS malware detection.
Tag Archives: Vulnerabilities
Yahoo Touts Success of Bug Bounty Program
Yahoo established its formal bug bounty program nearly two years ago, and the company has paid out more than $1 million in rewards to researchers in that time. But security officials say the value the program has provided to the company has been just as great. Although Yahoo was among the latter wave of major […]
Remote code execution via serialized data
Most programming languages contain powerful features, that used correctly are incredibly powerful, but used incorrectly can be incredibly dangerous. Serialization (and deserialization) is one such feature available in most modern programming languages. As mentioned in a previous article:
“Serialization is a feature of programming languages that allows the state of in-memory objects to be represented in a standard format, which can be written to disk or transmitted across a network.”
So why is deserialization dangerous?
Serialization and, more importantly, deserialization of data is unsafe due to the simple fact that the data being processed is trusted implicitly as being “correct.” So if you’re taking data such as program variables from a non trusted source you’re making it possible for an attacker to control program flow. Additionally many programming languages now support serialization of not just data (e.g. strings, arrays, etc.) but also of code objects. For example with Python pickle() you can actually serialize user defined classes, you can take a section of code, ship it to a remote system, and it is executed there.
Of course this means that anyone with the ability to send a serialized object to such a system can now execute arbitrary code easily, with the full privileges of the program running it.
Some examples of failure
Unlike many classes of security vulnerabilities you cannot really accidentally create a deserialization flaw. Unlike memory management flaws for example which can easily occur due to a single off-by-one calculation, or misuse of variable type, the only way to create a deserialization flaw is to use deserialization. Some quick examples of failure include:
CVE-2012-4406 – OpenStack Swift (an object store) used Python pickle() to store metadata in memcached (which is a simple key/value store and does not support authentication), so an attacker with access to memcached could cause arbitrary code execution on all the servers using Swift.
CVE-2013-2165 – In JBoss’s RichFaces ResourceBuilderImpl.java the classes which could be called were not restricted allowing an attacker to interact with classes that could result in arbitrary code execution.
There are many more examples spanning virtually every major OS and platform vendor unfortunately. Please note that virtually every modern language includes serialization which is not safe by default to use (Perl Storage, Ruby Marshal, etc.).
So how do we serialize safely?
The simplest way to serialize and deserialize data safely is to use a format that does not include support for code objects. Your best bet for serialization almost all forms of data safely in a widely supported format is JSON. And when I say widely supported I mean everything from Cobol and Fortran to Awk, Tcl and Qt. JSON supports pairs (key:value), arrays and elements and within these a wide variety of data types including strings, numbers, objects (JSON objects), arrays, true, false and null. JSON objects can contain additional JSON objects, so you can for example serialize a number of things into discrete JSON objects and then shove those into a single large JSON (using an array for example).
Legacy code
But what if you are dealing with legacy code and can’t convert to JSON? On the receiving (deserializing end) you can attempt to monkey patch the code to restrict the objects allowed in the serialized data. However most languages do not make this very easy or safe and a determined attacker will be able to bypass them in most cases. An excellent paper is available from BlackHat USA 2011 which covers any number of clever techniques to exploit Python pickle().
What if you need to serialize code objects?
But what if you actually need to serialize and deserialize code objects? Since it’s impossible to determine if code is safe or not you have to trust the code you are running. One way to establish that the code has not been modified in transit, or comes from an untrusted source is to use code signing. Code signing is very difficult to do correctly and very easy to get wrong. For example you need to:
- Ensure the data is from a trusted source
- Ensure the data has not been modified, truncated or added to in transit
- Ensure that the data is not being replayed (e.g. sending valid code objects out of order can result in manipulation of the program state)
- Ensure that if data is blocked (e.g. blocking code that should be executed but is not, leaving the program in an inconsistent state) you can return to a known good state
To name a few major concerns. Creating a trusted framework for remote code execution is outside the scope of this article, however there are a number of such frameworks.
Conclusion
If data must be transported in a serialized format use JSON. At the very least this will ensure that you have access to high quality libraries for the parsing of the data, and that code cannot be directly embedded as it can with other formats such as Python pickle(). Additionally you should ideally encrypt and authenticate the data if it is sent over a network, an attacker that can manipulate program variables can almost certainly modify the program execution in a way that allows privilege escalation or other malicious behavior. Finally you should authenticate the data and prevent replay attacks (e.g. where the attacker records and re-sends a previous sessions data), chances are if you are using JSON you can simply wrap the session in TLS with an authentication layer (such as certificates or username and password or tokens).
Valve Patches Password Reset Vulnerability in Steam
Valve Software has patched a vulnerability in the Steam gaming platform that enabled account hijacking through its password reset mechanism.
PHP File Manager Riddled With Vulnerabilities, Including Backdoor
Multiple critical vulnerabilities have existed, some for nearly five years, in PHP File Manager, a web-based file manager used by several high profile corporations.
Stakeholders Argue Against Restrictive Wassennaar Proposal
The commenting period regarding the Wassenaar Arrangement expired on Monday but the echo chamber around the largely maligned proposal continues to reverberate.
VUPEN Launches New Zero-Day Acquisition Firm Zerodium
In the weeks since the Hacking Team breach, the spotlight has shone squarely on the small and often shadowy companies that are in the business of buying and selling exploits nd vulnerabilities. One such company, Netragard, this week decided to get out of that business after its dealings with Hacking Team were exposed. But now […]
libuser vulnerabilities
It was discovered that the libuser library contains two vulnerabilities which, in combination, allow unprivileged local users to gain root privileges.
libuser is a library that provides read and write access to files like /etc/passwd, which constitute the system user and group database. On Red Hat Enterprise Linux it is a central system component.
What is being disclosed today?
Qualys reported two vulnerabilities:
- CVE-2015-3245: The
userhelperprogram allows local users to add linefeeds in the middle of records to the/etc/passwd, corrupting the file. - CVE-2015-3246:
libuseruses a non-standard way of updating/etc/passwdand related files. Its locking is incompatible with the rest of the system, and the files are rewritten in place, which means that the system may observe incorrect data.
It turns out that these vulnerabilities can be exploited by an unprivileged local user to gain root privileges on an affected system. However, due to the way libuser works, only users who have accounts already listed in /etc/passwd can exploit this vulnerability, and the user needs to supply the account password as part of the attack. These requirements mean that exploitation by accounts listed only in LDAP (or some other NSS data source) or by system accounts without a valid password is not possible.
Further analysis showed that the first vulnerability, CVE-2015-3245, is also due to a missing check in libuser.
Which system components are affected by these vulnerabilities?
libuser is a library, which means that in order to exploit it, a program which employs it must be used. Ideally, such a program has the following properties:
- It uses
libuser. - It is SUID-root.
- It allows putting almost arbitrary content into
/etc/passwd.
Without the third item, exploitation may still be possible, but it will be much more difficult. If the program is not SUID-root, a user will not have unlimited attempts to exploit the race condition.
A survey of programs processing /etc/passwd and related files presents this picture:
passwdis SUID-root, but it uses PAM to change the password, which has custom code to modify/etc/passwdnot affected by the race condition. The account locking functionality inpasswddoes uselibuser, but it is restricted toroot.chfnandchshfromutil-linuxare SUID-root and uselibuserto change/etc/passwd(the latter depending on howutil-linuxwas compiled) but they have fairly strict filters controlling what users can put into these files.lpasswd,lchfn,lchshand related utilities fromlibuserare not SUID-root.userhelperin theusermodepackage has all three qualifications:libuser-based, SUID-root, and lack of filters.
This is why userhelper is a plausible target for exploitation, and other programs such as passwd and chfn are not.
How can these vulnerabilities be addressed?
System administrators can apply updates from your operating system vendor. Details of affected Red Hat products and security advisories are available on the knowledge base article on the Red Hat Customer Portal.
This security update will change libuser to apply additional checks to the values written to the user and group files (so that injecting newlines is no longer possible), and replaces the locking and file update code to follow the same procedures as the rest of the system. The first change is sufficient to prevent newline injection with userhelper as well, which means that only libuser needs to be updated.
If software updates are not available or cannot be applied, it is possible to block access to the vulnerable functionality with a PAM configuration change. System administrators can edit the files /etc/pam.d/chfn and /etc/pam.d/chsh and block access to non-root users by using pam_warn (for logging) and pam_deny:
#%PAM-1.0 auth sufficient pam_rootok.so auth required pam_warn.so auth required pam_deny.so auth include system-auth account include system-auth password include system-auth session include system-auth
This will prevent users from changing their login shells and their GECOS field. userhelper identifies itself to PAM as “chfn”, which means this change is effective for this program as well.
Acknowledgements
Red Hat would like to thank Qualys for reporting these vulnerabilities.
Several Critical Flaws Patched in Drupal Module
There are several critical vulnerabilities in a middleware layer used in Drupal, including both cross-site scripting and cross-site request forgery bugs, that can be exploited remotely. The vulnerabilities are in the Open Semantic Framework, which is a third-party project and not part of the Drupal Core. The framework is used to allow “structured data (RDF) […]
WordPress Patches Critical XSS Vulnerability in All Builds
WordPress rolled out a new version of its content management system this morning that addresses a nasty cross-site scripting (XSS) vulnerability that could ultimately lead to site compromise.