Friday, August 26, 2016

Vulnerability Spotlight: Kernel Information Leak & Multiple DOS Issues Within Kaspersky Internet Security Suite

Vulnerability discovered by Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos.

Overview

Talos has discovered multiple vulnerabilities in Kaspersky’s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software.

Details

To provide anti-virus functionality, Kaspersky’s software hooks into the Windows API via a driver named KLIF. Talos has identified two vulnerabilities in the way that the driver handles intercepted NtUserCreateWindowEx and NtAdjustTokenPrivileges calls. In both cases a malicious application on a machine with Kaspersky’s KLIF driver installed is able to execute a malicious API call using invalid parameters. This can cause the driver to attempt to access inaccessible memory, resulting in a system crash.

A further local denial of service attack is possible through Kaspersky’s KL1 driver. A malicious user can send a specially crafted IOCTL call to the KL1 driver. Under certain conditions, this can cause the driver to read memory outside of an allocated buffer. This may provoke a memory access violation, resulting in a system crash.

Monday, August 15, 2016

Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within Lexmark Perceptive Document Filters.

Vulnerabilities discovered by Tyler Bohan & Marcin Noga of Cisco Talos

Talos is today releasing three new vulnerabilities discovered within the Lexmark Perceptive Document Filters library. TALOS-2016-0172, TALOS-2016-0173 and TALOS-2016-0183 allow for remote code execution using specifically crafted files.

Overview


These vulnerabilities are present in the Lexmark Document Filters parsing engine, which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats and to offer conversion capabilities, such as from Microsoft document formats into other formats. Lexmark makes this library available to compete against other third-party and open source libraries used for such activities.

Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

The three vulnerabilities disclosed today allow for remote code execution using specifically crafted files such as XLS, Bzip2 & Compound Binary File Format (MS-CFB). This can provide an attacker with the capability to perform remote code execution within your environment and potentially offers the adversary full control of the attacked resource.

Friday, August 12, 2016

Vulnerability Spotlight: Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability

This vulnerability was discovered by Patrick DeSantis.

Description


Talos recently discovered a vulnerability in Allen-Bradley Rockwell Automation MicroLogix 1400 Programmable Logic Controllers (PLCs) related to the default configuration that is shipped with devices running affected versions of firmware. This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations. Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.

In addition to the default, documented SNMP community strings of ‘public’ (read) and ‘private’ (read/write), an undocumented community string of ‘wheel’ (read/write) also exists, which enables attackers to make unauthorized device changes, such as modifying settings or conducting malicious firmware updates. It is possible that this community string allows access to other OIDs; however, Talos tested specific use cases.
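As an added defensive example (not part of the Talos advisory), the following C++ parses the SNMPv1/v2c message header of a captured datagram and flags any request whose community string is not one of the two documented values, which catches ‘wheel’. The BER reader, the detection rule and the constructed sample GetRequest builder are all assumptions of this example, not Rockwell or Talos code.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// One decoded BER element: tag, content length, offset of the content, validity.
struct Tlv { uint8_t tag; std::size_t len; std::size_t off; bool ok; };

// Minimal BER TLV reader (short and long-form lengths); ok == false for anything
// that would run past the end of the datagram.
static Tlv read_tlv(const std::vector<uint8_t>& b, std::size_t at) {
    if (at + 2 > b.size()) return {};
    std::size_t len = b[at + 1], pos = at + 2;
    if (len & 0x80) {                            // long form: next n bytes hold the length
        std::size_t n = len & 0x7f;
        if (n == 0 || n > 4 || pos + n > b.size()) return {};
        len = 0;
        for (std::size_t i = 0; i < n; ++i) len = (len << 8) | b[pos++];
    }
    if (pos + len > b.size()) return {};         // truncated content
    return {b[at], len, pos, true};
}

// SNMPv1/v2c header is SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
// Returns the community string, or "" if the datagram is not a well-formed header.
std::string snmp_community(const std::vector<uint8_t>& pkt) {
    Tlv msg = read_tlv(pkt, 0);
    if (!msg.ok || msg.tag != 0x30) return "";
    Tlv ver = read_tlv(pkt, msg.off);
    if (!ver.ok || ver.tag != 0x02) return "";
    Tlv com = read_tlv(pkt, ver.off + ver.len);
    if (!com.ok || com.tag != 0x04) return "";
    return std::string(pkt.begin() + com.off, pkt.begin() + com.off + com.len);
}

// Detection rule: anything other than the documented strings (so "wheel", and
// also malformed traffic, which yields "") is flagged for review.
bool community_suspicious(const std::vector<uint8_t>& pkt) {
    const std::string c = snmp_community(pkt);
    return c != "public" && c != "private";
}

// Constructed test input: an SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0)
// with the given community; short-form lengths only (community under 100 bytes).
std::vector<uint8_t> make_get_request(const std::string& community) {
    static const uint8_t pdu[] = {0xa0,0x19, 0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00,
        0x30,0x0e, 0x30,0x0c, 0x06,0x08, 0x2b,0x06,0x01,0x02,0x01,0x01,0x01,0x00, 0x05,0x00};
    std::vector<uint8_t> body = {0x02, 0x01, 0x00, 0x04, static_cast<uint8_t>(community.size())};
    body.insert(body.end(), community.begin(), community.end());
    body.insert(body.end(), pdu, pdu + sizeof pdu);
    std::vector<uint8_t> msg = {0x30, static_cast<uint8_t>(body.size())};
    msg.insert(msg.end(), body.begin(), body.end());
    return msg;
}
```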

Wednesday, August 10, 2016

Vulnerability Spotlight: BlueStacks App Player Privilege Escalation

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos


Talos is releasing an advisory for a vulnerability in BlueStacks App Player (TALOS-2016-0124/CVE-2016-4288). The BlueStacks App Player is designed to enable Android applications to run on Windows PCs and Macintosh computers. It’s commonly used to run popular Android games on these platforms.

Details

A weak registry key permission vulnerability exists in the BlueStacks application. By default the BlueStacks installer sets weak permissions on the registry key that contains the InstallDir value, which is later used by the BlueStacks service component. This default configuration gives a malicious user the ability to modify this value, which can lead to privilege escalation.

Let’s examine the BlueStacks registry key where the vulnerable "InstallDir" value is located:



As we can see the "Users" group has full access permissions to this key.

Vulnerability Spotlight: MS Edge/Windows PDF Library Arbitrary Code Execution Vulnerability Identified and Patched

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos.

Yesterday, Microsoft released its monthly set of security bulletins and patches for various flaws within currently supported products. Two of the bulletins in yesterday's release are rated critical and address CVE-2016-3319, an arbitrary code execution vulnerability in Microsoft Edge and in the Windows PDF library. With Microsoft's bulletin release, Talos is disclosing the details of this vulnerability, which we identified through our research efforts, on our Vulnerability Report portal.

CVE-2016-3319 (TALOS-2016-0170)

CVE-2016-3319 is an arbitrary code execution vulnerability which manifests in Microsoft Edge and in the Windows PDF library. Opening a specifically crafted PDF file on a vulnerable system could result in the system executing arbitrary code of an attacker's choosing. On Windows 10 systems that are configured to use Microsoft Edge as the default browser, this vulnerability could be triggered by simply browsing to a website hosting a malicious PDF, as Edge will attempt to render the file contents automatically. Note that this vulnerability affects Windows 8.1, Windows Server 2012 (and R2), and Windows 10.

Tuesday, August 9, 2016

Microsoft Patch Tuesday - August 2016

This post was authored by Edmund Brumaghin and Jonah Samost

Today is Patch Tuesday for August 2016, and Microsoft has released several security bulletins and associated patches to resolve security issues across their products. This month’s patch release includes 9 bulletins addressing 28 vulnerabilities. Five of the bulletins Microsoft has released are rated Critical and address vulnerabilities in Internet Explorer, Edge, Windows Graphics Component, Microsoft Office, and the Windows PDF library. The remaining four bulletins are rated Important and address vulnerabilities in Windows Kernel-Mode Drivers, Secure Boot, Windows Authentication Methods, and ActiveSyncProvider.

Bulletins Rated Critical


Microsoft has listed bulletins MS16-095, MS16-096, MS16-097, MS16-099, and MS16-102 as critical in this month’s release.

MS16-095 and MS16-096 are this month’s bulletins addressing security vulnerabilities associated with Microsoft Internet Explorer and Edge. The Internet Explorer bulletin addresses a total of nine vulnerabilities, including five memory corruption bugs and four information disclosure vulnerabilities. The Edge bulletin covers a total of eight vulnerabilities, including a remote code execution vulnerability, four memory corruption bugs and three information disclosure vulnerabilities. The Internet Explorer bulletin is rated Critical for affected Windows clients and Moderate for affected Windows Servers.

Thursday, August 4, 2016

Vulnerability Spotlight: Multiple Arbitrary Code Execution Vulnerabilities Identified in Hancom Hangul Office

Vulnerabilities discovered by the Talos Vulnerability Development Team. Blog post authored by Alex Chiu.

Securing your network and environment is a challenging task, especially when organizations need to keep track of various software packages that are used on a daily basis. Productivity suites, such as Hancom Hangul Office, are an example of critical software that organizations need to track and patch amongst other things such as operating systems, browsers, and antivirus. Talos is committed to helping our customers be as secure as possible through a variety of means, such as identifying zero-day vulnerabilities in critical software packages. Today, Hancom is disclosing 8 arbitrary code execution vulnerabilities identified and reported by Talos. Hancom has released a software update that addresses these vulnerabilities and Talos would like to sincerely thank Hancom for their cooperation.

Hancom Office is commonly used in parts of the world and is known to be used in various government organizations, public institutions, and non-governmental organizations in South Korea. In fact, the South Korean government previously made Hancom Office its official productivity suite for use on government systems. By some estimates, Hancom has around 30% of the productivity suite market share in South Korea.

The fact that there is a sizeable installation base of Hancom Office makes it an attractive target for adversaries to leverage and exploit. It's believed that the North Korean government is behind several targeted attacks that exploited vulnerabilities in the Hangul word processor. Other companies have previously documented these incidents in 2013 and 2015. In addition, Hancom is actively looking to expand its market share in South Korea and abroad.

Tuesday, August 2, 2016

Macro Intruders: Sneaking Past Office Defenses

This blog was written by Matthew Molyett with contributions from Martin Lee.

Introduction


Macros have been used since the mid 1990s to spread malware and infect systems. Increased user awareness of the need to disable macros within Microsoft Word during the late 90s and early 2000s sent this class of malware into decline. However, a change in Microsoft (MS) Office file formats dating from 2007 is now being actively exploited to hide the presence of macros and distribute malware at an increasing rate.

In this article, I show how MS Office file formats are being abused and obfuscated, and the extent of distribution of macro malware.

Monday, July 25, 2016

Ransomware: Because OpSec is Hard?


This blog was authored by Edmund Brumaghin and Warren Mercer

Summary


Talos recently published research regarding a new variant of destructive ransomware, which we dubbed Ranscam. During further analysis of Ranscam samples, we discovered several indicators of compromise (IOCs) that piqued our curiosity as to which malware this threat actor might be involved in or responsible for besides Ranscam. We began to expand the scope of our research into other destructive "ranscamware" in an effort to determine if they had any shared characteristics that might indicate the same threat actor or group might be responsible for multiple variants. We found several interesting ties between known destructive ransomware variants such as Jigsaw and AnonPop which correlated with the threat actor we believe to be responsible for Ranscam.

Thursday, July 21, 2016

Vulnerability Spotlight: OpenOffice Impress MetaActions Arbitrary Read Write Vulnerability

This vulnerability was discovered by Richard Johnson and Yves Younan of Cisco Talos.

Talos is releasing an advisory for a vulnerability in OpenOffice Impress (TALOS-2016-0051/CVE-2016-1513). Talos has discovered an exploitable out-of-bounds vulnerability which exists in OpenOffice when handling MetaActions. A specially crafted OpenDocument Presentation .ODP or Presentation Template .OTP file can cause an out-of-bounds read/write, resulting in denial-of-service (memory corruption and application crash) and possible execution of arbitrary code.

Overview

OpenOffice is an open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and other office functions. It works on various operating systems and is available in a host of languages. It uses an international open standard format for the common file types and can also read and write files from other common office software packages, such as Microsoft Office. Its flexibility and open source nature have led to wide adoption.

OpenOffice currently reports a user base of over 84 million and over 125 million downloads, 87% of which run on Microsoft Windows. An attacker could trigger this vulnerability by enticing an end user to open a malicious file specially crafted to exploit this vulnerability. This could be accomplished by directing a user to open a file hosted on a web server, sending it as an attachment in a phishing email, or any other means that could be used to convince a user to open the malicious file.

Details

In the attached sample, the out-of-bounds access occurs when replacing a Polygon in the PolyPolygon object while performing a MetaPolyPolygonAction. In this case, the position in the array is 512, while the array containing Polygons (mpPolyAry) has only 2 elements. This results in the deletion of a pointer that is read out of bounds at line 228 of file main\tools\source\generic\poly2.cxx, immediately followed by an out-of-bounds write of a new pointer obtained by creating a new Polygon at that location. This gives an attacker multiple ways to exploit this vulnerability: through the free of an invalid pointer, or, if that fails, through the out-of-bounds write of the new pointer. Below are lines 217-230 of main\tools\source\generic\poly2.cxx:


While there is a check at line 220 to ensure that npos is smaller than the array size, it is simply an assert that is only enabled in debug builds.
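The pattern described above, as an added illustration that is not OpenOffice's code: a raw pointer array modelled on the description of mpPolyAry, a replace routine whose only bounds check is a debug-only assertion, and the hardened form with an unconditional runtime check. The Polygon stand-in, the PolyArray class, the DEBUG_ONLY_ASSERT macro and the member names are assumptions of this example.

```cpp
#include <cstddef>

// Stand-in for the real Polygon type; only its identity matters here.
struct Polygon { int id; };

// Emulates a debug-only assertion (assumed macro, not OpenOffice's): the
// check at poly2.cxx:220 is an assert, so it vanishes from release builds.
#ifdef DEBUG_CHECKS
#  include <cassert>
#  define DEBUG_ONLY_ASSERT(cond) assert(cond)
#else
#  define DEBUG_ONLY_ASSERT(cond) ((void)0)
#endif

// Illustrative owner of a raw array of Polygon pointers, modelled on the
// description of mpPolyAry (2 elements in the sample). Not OpenOffice code.
class PolyArray {
public:
    explicit PolyArray(std::size_t n) : mCount(n), mpPolyAry(new Polygon*[n]()) {}
    ~PolyArray() { for (std::size_t i = 0; i < mCount; ++i) delete mpPolyAry[i]; delete[] mpPolyAry; }

    // Vulnerable pattern: in a release build nothing stops nPos == 512 against a
    // 2-element array; the delete reads a pointer out of bounds (the advisory's
    // line 228) and the assignment then writes a new pointer out of bounds.
    void ReplaceUnchecked(const Polygon& rPoly, std::size_t nPos) {
        DEBUG_ONLY_ASSERT(nPos < mCount);
        delete mpPolyAry[nPos];
        mpPolyAry[nPos] = new Polygon(rPoly);
    }

    // Hardened form: an unconditional runtime bounds check rejects the
    // file-controlled index before any read or write takes place.
    bool ReplaceChecked(const Polygon& rPoly, std::size_t nPos) {
        if (nPos >= mCount) return false;   // reject; memory is never touched
        delete mpPolyAry[nPos];
        mpPolyAry[nPos] = new Polygon(rPoly);
        return true;
    }

    std::size_t size() const { return mCount; }
    const Polygon* at(std::size_t nPos) const { return nPos < mCount ? mpPolyAry[nPos] : nullptr; }
private:
    std::size_t mCount;
    Polygon** mpPolyAry;
};
```

Calling `ReplaceChecked` with the sample's index of 512 on a 2-element array returns false without touching memory, where `ReplaceUnchecked` in a release build would free and overwrite a pointer read far outside the array.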

The value is read from the sample file in the function MetaPolyPolygonAction::Read in the file main\vcl\source\gdi\metaact.cxx at line 1189:



Here is the call stack when the problem occurs:



Conclusion

Finding and responsibly disclosing zero-day vulnerabilities helps improve the overall security of the software people use on a day-to-day basis. Talos is committed to this effort by developing programmatic ways to identify vulnerabilities that could be otherwise exploited by malicious adversaries. This helps secure the platforms and software customers use and also helps provide insight into how Cisco can improve its own processes to develop better, more secure products. 

In addition, Talos has released rules that detect attempts to exploit this vulnerability to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort Rules: 35828-35829.

For further zero day or vulnerability reports and information visit:
http://www.talosintelligence.com/vulnerability-reports/