Showing posts with label Arbitrary code execution.

Critical Security Flaws Identified in Popular Japanese Word Processing Software

 

Ichitaro is a widely used word processor in Japan, developed by JustSystems.

Cisco Talos recently discovered four bugs in it that could result in arbitrary code execution. Ichitaro uses the .jtd file extension and the ATOK input method editor (IME). In Japan, only Microsoft Word is more widely used as a word processor.

The researchers identified four flaws that could give an attacker access to the target machine and the ability to run arbitrary code. TALOS-2022-1673 (CVE-2022-43664) is a use-after-free: if the target opens a malicious file prepared by the attacker, freed memory is reused, which could lead to further memory corruption and even arbitrary code execution.

TALOS-2023-1722 (CVE-2023-22660) has a similar effect, but this time the cause is a buffer overflow.

The two other memory corruption flaws, TALOS-2022-1687 (CVE-2023-22291) and TALOS-2022-1684 (CVE-2022-45115), are exploitable in the same way and can also result in code execution if the target opens a specially crafted, malicious document.

In accordance with Cisco's vulnerability disclosure policy, Cisco Talos worked with JustSystems to ensure that these vulnerabilities were patched and that an update was available to affected customers.

Talos' testing confirmed that Ichitaro 2022, version 1.0.1.57600, is affected by these flaws. Users are advised to update the impacted product as soon as they can.

Snort rules 61011, 61012, 61091, 61092, 61163, 61164, 61393 and 61394 detect attempts to exploit these issues. Further rules may be released in the future, and existing rules may change pending additional vulnerability information. Consult your Cisco Secure Firewall Management Center or Snort.org for the latest rule information.

Newly Discovered XSS Flaw in Google Chrome’s ‘New Tab’ Page Evades Security Feature

 

The Chromium team has patched a cross-site scripting (XSS) vulnerability in Chrome’s ‘New Tab’ page (NTP) that allowed attackers to run arbitrary JavaScript code.

Threat actors can exploit the vulnerability by sending the target an HTML file containing a cross-site request forgery (CSRF) that submits a malicious JavaScript snippet to Google as a search query, said Ashish Dhone, the cybersecurity researcher at Persistent Systems who discovered the vulnerability.

If the target opens the file, the CSRF request fires and the query is stored in the browser’s search history. When the user next opens an NTP and clicks on the Google search bar, the malicious code is triggered.

The situation is worse if the user was logged into their Google account when opening the malicious file: the request is then saved to the account’s search history and triggered on any other device where that Google account is logged in.

“I wanted to find XSS in Chrome, hence my hunting started with the desktop application of Google Chrome. I was looking for HTML markup functionality where XSS can be executed. After spending hours, somehow, I found that in NTP, stored search queries are not sanitized and then I was able to execute [the uXSS],” Ashish stated. 

Universal XSS (uXSS) attacks abuse client-side flaws in a browser or browser extension to create an XSS condition and execute malicious code. “When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled,” Dhone explained.

While the vulnerability is dangerous, other researchers have pointed out that it is not a uXSS. “This XSS is a classic DOM-based XSS, where user-controlled text is assigned as HTML using innerHTML,” security researcher Jun Kokatsu explained.

Chrome’s NTP exposes MojoJS bindings that let JavaScript code send inter-process communication (IPC) messages to the browser process. The XSS bug could abuse this IPC channel to reach bugs in the browser process, which runs at a much higher privilege level than code in web pages.

“Usually, getting control over sending arbitrary IPC requires native code execution in the renderer process such as memory corruption bugs in the JS engine,” Kokatsu said. “However, because the IPC channel was exposed to JS directly in NTP, the XSS in Chrome’s NTP can be treated as the equivalent of renderer process RCE.”

An Attacker Could Take Advantage of a Flaw in WinRAR to Execute Arbitrary Code

 

A new security flaw has been discovered in the WinRAR trialware file archiver for Windows that could be exploited by a remote attacker to execute arbitrary code on targeted systems, highlighting how software flaws can serve as a gateway for a variety of attacks.

The bug, tracked as CVE-2021-35052, affects version 5.70 of the trial version of the software. In a technical write-up, Positive Technologies' Igor Sak-Sakovskiy stated, "This vulnerability allows an attacker to intercept and change requests sent to the user of the application. This can be used to get remote code execution (RCE) on the PC of a victim."

WinRAR offers a free trial before gently urging users to buy a license. Windows Explorer cannot open the .rar archive format with which WinRAR is most closely associated, so WinRAR is popular among people who need to work with the format, or who once had to download a .rar archive and needed software to open it.

Sak-Sakovskiy began investigating WinRAR after noticing a JavaScript error rendered by MSHTML, the proprietary browser engine of the now-defunct Internet Explorer that Office still uses to render web content inside Word, Excel and PowerPoint documents. He found that the error window appears once in every three launches of the application after the trial period has expired.

Positive Technologies found that by intercepting the response WinRAR receives from "notifier.rarlab[.]com" when it notifies the user about the end of the free trial period, and replacing it with a "301 Moved Permanently" redirect, the redirection to an attacker-controlled malicious domain would be cached and reused for all subsequent requests.

A few years ago, an almost two-decade-old flaw was discovered in WinRAR, affecting an older file compression format originally developed in the 1990s. Positive Technologies was sanctioned by the US government earlier this year after the US claimed the company had passed vulnerabilities to Russian state hackers rather than disclosing them. The company has categorically disputed these allegations and continues to publish security research.

Application security expert Sean Wright said of the vulnerability, "Remote Code Execution vulnerabilities should always be taken seriously and handled with a sense of urgency, as the risk they pose is significant. Even so, in the case of WinRAR's vulnerable trial, the likelihood of an attacker being able to successfully exploit the vulnerability in question seems fairly limited, as there are a number of conditions and stages that the victim would need to fulfill before the attacker could achieve RCE."

New SmashEx Attack Breaks Intel SGX Enclaves

 

A recently disclosed vulnerability affecting Intel CPUs could be used by attackers to access sensitive information kept within enclaves and potentially run arbitrary code on vulnerable systems.

The vulnerability (CVE-2021-0186, CVSS score: 8.2) was found in early May 2021 by a group of academics from ETH Zurich, the National University of Singapore and China's National University of Defense Technology, who used it to perform a confidential data disclosure attack called "SmashEx" that can corrupt and compromise private data stored in the enclave.

SGX (Software Guard Extensions), introduced with Intel's Skylake processors, allows developers to run selected application modules in a fully isolated memory compartment known as an enclave, a form of Trusted Execution Environment (TEE). It is designed to be protected from processes running at higher privilege levels, such as the operating system: even if the OS has been tampered with or is under attack, SGX is meant to keep enclave data safe.

The research stated, "For normal functioning, the SGX design allows the OS to interrupt the enclave execution through configurable hardware exceptions at any point." 

"This feature enables enclave runtimes (e.g., Intel SGX SDK and Microsoft Open Enclave) to support in-enclave exception or signal handling, but it also opens up enclaves to re-entrancy bugs. SmashEx is an attack which exploits enclave SDKs which do not carefully handle re-entrancy in their exceptional handling safely." 

Outside calls, or OCALLs, let enclave functions call out to the untrusted program and subsequently return to the enclave. However, when the enclave also handles in-enclave exceptions (e.g., a timer interrupt or division by zero), the vulnerability allows a local attacker to hijack the control flow of execution by injecting an asynchronous exception soon after the enclave is entered.

With this control, the attacker can corrupt in-enclave memory, leaking sensitive data such as RSA private keys or executing malicious code. Because SmashEx affects runtimes that support in-enclave exception handling, the researchers stated that "such OCALL return flow and the exception handling flow should be written with care to ensure that they interleave safely," and that "when the OCALL return flow is interrupted, the enclave should be in a consistent state for the exception handling flow to progress correctly, and when the exception handling flow completes, the enclave state should also be ready for the enclave to progress correctly."

Intel has since released software updates that address this vulnerability, including SGX SDK versions 2.13 and 2.14 for Windows and Linux, respectively. Microsoft fixed the problem (CVE-2021-33767) in its July 2021 Patch Tuesday updates with Open Enclave SDK version 0.17.1. The research team's results are expected to be presented next month at the ACM Conference on Computer and Communications Security.

The researchers stated, "Asynchronous exception handling is a commodity functionality for real-world applications today, which are increasingly utilizing enclaves," and highlighted "the importance of providing atomicity guarantees at the OS-enclave interface for such exceptions."

JFrog Expose Code Injection Vulnerability Affecting Yamale Python Package

 

Security researchers at JFrog have recently disclosed a code injection vulnerability in Yamale, a schema validator for YAML, that could easily be exploited by an attacker to execute arbitrary Python code.

The issue, tracked as CVE-2021-38305 (CVSS score: 7.8), allows attackers to bypass existing protections and execute arbitrary Python code through the schema file provided as input to Yamale, the JFrog researchers explained.

Yamale is a Python package that lets developers validate YAML (a data serialization language used for configuration files) from the command line. The popular package is used by at least 224 repositories on GitHub.

"This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process. We recommend sanitizing any input going to eval() extensively and — preferably — replacing eval() calls with more specific APIs required for your task,” JFrog Security CTO Asaf Karas stated. 
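The eval()-on-schema pattern the advisory warns about, beside the kind of whitelist parser JFrog's advice points to, as an added example that is neither Yamale's nor JFrog's code: the rule grammar (`int(min=0, max=10)`), the validator names and the functions below are all constructed for illustration.

```python
import ast

# Constructed stand-in for a Yamale-style rule grammar such as
# "int(min=0, max=10)". Illustration only: this is not Yamale's own code.

def int_rule(min=None, max=None):
    # Validator factory: value must be a non-bool int within the bounds.
    return lambda v: (isinstance(v, int) and not isinstance(v, bool)
                      and (min is None or v >= min) and (max is None or v <= max))

def str_rule(max=None):
    # Validator factory: value must be a str no longer than max.
    return lambda v: isinstance(v, str) and (max is None or len(v) <= max)

VALIDATORS = {"int": int_rule, "str": str_rule}

def parse_rule_unsafe(rule_text):
    # The vulnerable pattern the advisory describes: the schema string is
    # handed to eval(), so any Python expression in the schema file runs.
    return eval(rule_text, {}, VALIDATORS)

def parse_rule(rule_text):
    """Hardened parser: accept only 'name(kw=literal, ...)' from a whitelist."""
    try:
        node = ast.parse(rule_text.strip(), mode="eval").body
    except SyntaxError as exc:
        raise ValueError(f"malformed rule {rule_text!r}") from exc
    # A bare call to a whitelisted name: no operators, attributes or nesting.
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)):
        raise ValueError(f"rule must be a single validator call: {rule_text!r}")
    if node.func.id not in VALIDATORS:
        raise ValueError(f"unknown validator {node.func.id!r}")
    if node.args or any(kw.arg is None for kw in node.keywords):
        raise ValueError("only explicit keyword arguments are allowed")
    kwargs = {}
    for kw in node.keywords:
        try:
            kwargs[kw.arg] = ast.literal_eval(kw.value)  # literals only, never eval()
        except ValueError as exc:
            raise ValueError(f"argument {kw.arg!r} must be a literal") from exc
    try:
        return VALIDATORS[node.func.id](**kwargs)
    except TypeError as exc:  # keyword this validator does not know
        raise ValueError(f"bad arguments for {node.func.id!r}") from exc

def is_rejected(rule_text):
    """True if the hardened parser refuses the rule instead of running it."""
    try:
        parse_rule(rule_text)
    except ValueError:
        return True
    return False
```

Both parsers accept the legitimate schema, but only the hardened one refuses anything that is not a whitelisted validator call with literal arguments.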

According to researchers, the vulnerability has been patched in Yamale version 3.0.8. "This release fixes a bug where a well-formed schema file can execute arbitrary code on the system running Yamale," the developers of Yamale noted.

The findings are the latest in a series of security issues unearthed by JFrog in Python packages. In June 2021, JFrog revealed typosquatted packages in the PyPI repository that were found to download and run third-party cryptominers such as T-Rex, ubqminer and PhoenixMiner to mine Ethereum and Ubiq on compromised devices.

Soon after, the JFrog researchers uncovered eight more malicious Python libraries, downloaded over 30,000 times, that could execute remote code on the targeted device, collect system data, harvest credit card information and passwords auto-saved in Chrome and Edge browsers, and even steal Discord authentication tokens.

"Software package repositories are becoming a popular target for supply chain attacks and there have been malware attacks on popular repositories like npm, PyPI, and RubyGems," the researchers said. "Sometimes malware packages are allowed to be uploaded to the package repository, giving malicious actors the opportunity to use repositories to distribute viruses and launch successful attacks on both developer and CI/CD machines in the pipeline."

CERT-In Alerts Mozilla Firefox Users to Update their Browsers Immediately


The Indian Computer Emergency Response Team (CERT-In) has alerted Mozilla Firefox users to multiple vulnerabilities in the web browser. An advisory has also been issued in this regard, asking users to update their browsers as soon as possible.

CERT-In rated the severity as 'High' for all versions of Mozilla Firefox released before version 75 and for Mozilla Firefox ESR before version 68.7, and stated in the advisory that remote attackers can exploit these browser flaws to acquire sensitive data through the browser.

According to the CERT-In advisory, “Out-of-Bounds Read Vulnerability in Mozilla Firefox (CVE-2020-6821). This vulnerability exists in Mozilla Firefox due to a boundary condition when using the WebGL copyTexSubImage method. A remote attacker could exploit this vulnerability by specially crafted web pages. Successful exploitation of this vulnerability could allow a remote attacker to disclose sensitive information.”

“Information Disclosure Vulnerability in Mozilla Firefox (CVE-2020-6824). This vulnerability exists in Mozilla Firefox to generate a password for a site but leaves Firefox open. A remote attacker could exploit this vulnerability by revisiting the same site of the victim and generating a new password. The generated password will remain the same on the targeted system,” the advisory further reads.

The aforementioned vulnerability also allows the attacker to execute 'arbitrary code' on the targeted system, letting them run any command of their choosing. As per sources, another flaw was found in the browser concerning a boundary condition in GMPDecodeData when images exceeding 4GB are processed on 32-bit builds. Exploiting this flaw requires the attacker to trick users into opening specially crafted images; upon successful exploitation, the attacker can again execute arbitrary code on the targeted system.

A remote attacker can also take advantage of these flaws by convincing a user to install a crafted extension; on doing so, the attacker will be able to obtain sensitive information.

Cisco Vulnerable Again; May Lead To Arbitrary Code Execution!


Earlier this year Cisco was in the headlines for zero-day vulnerabilities discovered in several of its devices, including IP phones, routers, cameras and switches.

Those readily exploitable vulnerabilities were found in the Cisco Discovery Protocol (CDP), a layer 2 network protocol that Cisco devices use to discover and share information about directly connected devices.

Now Cisco has again been found wanting; this time the researchers have learnt about numerous severe security vulnerabilities.

These vulnerabilities could let attackers execute “arbitrary commands” with the supposed “consent” of the user. Per sources, the affected Cisco products this time are software: Cisco UCS Manager Software, Cisco NX-OS Software and Cisco FXOS Software.

Reports reveal that the vulnerability in Cisco FXOS and NX-OS Software lets unauthenticated “adjacent” attackers execute arbitrary code on the system in order to cause a denial of service (DoS).

The vulnerabilities in Cisco FXOS and UCS Manager Software let unauthenticated “local attackers” execute arbitrary commands on the victim’s devices.

The vulnerability stems from the absence of “input validation”. Abusing it makes it easy for attackers to execute arbitrary code with the privileges of the logged-in user, who is unaware of it, per sources.

The other vulnerabilities in Cisco FXOS and UCS Software likewise allow unauthenticated local attackers to execute arbitrary commands.

A hacker could also try to send specially crafted “arguments” to certain commands. If successful, this exploit could grant the hacker not only access but also the ability to execute arbitrary commands.

All these exploitable loopholes in the Cisco software are dangerous and critical in every respect. Cisco has been in the limelight more times than can be overlooked. It is now up to users to be well stacked with respect to security mechanisms.

However, understanding the seriousness of these vulnerabilities, Cisco has released security updates covering all the vulnerable software, in its Software Security Advisory.

The users are advised to get on top of the updates as soon as possible.