Category: Exploits

Jan 23 2012

Tor – Multiple Vulnerabilities

Tor LogoMultiple vulnerabilities have been found in Tor, the most severe of which may allow a remote attacker to execute arbitrary code.

Multiple vulnerabilities have been discovered in Tor:

  • When configured as client or bridge, Tor uses the same TLS certificate chain for all outgoing connections (CVE-2011-2768).
  • When configured as a bridge, Tor relays can distinguish incoming bridge connections from client connections (CVE-2011-2769).
  • An error in or/buffers.c could result in a heap-based buffer overflow (CVE-2011-2778).

Impact:
A remote attacker could possibly execute arbitrary code or cause a Denial of Service. Furthermore, a remote relay the user is directly connected to may be able to disclose anonymous information about that user or enumerate bridges in the user’s connection.

Vulnerable Versions:
< 0.2.2.35

Workaround:
There is no known workaround at this time.

Resolution:
All Tor users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/tor-0.2.2.35″

References:
CVE-2011-2768
CVE-2011-2769
CVE-2011-2778

Dec 22 2011

Kaspersky Internet Security – Memory Corruption Vulnerability

Kaspersky VulnerabilityVulnerability-Lab Team discovered a Memory & Pointer Corruption Vulnerability on Kaspersky Internet Security 2011/2012 & Kaspersky Anti-Virus 2011/2012.

Details:
The vulnerability is caused by an invalid pointer corruption when processing a corrupt .cfg file through the kaspersky exception filters, which could be exploited by attackers to crash the complete software process.
The bug is located over the basegui.ppl & basegui.dll when processing a .cfg file import.

Vulnerable Modules:
[+] CFG IMPORT

Affected Version(s):
– Kaspersky Anti-Virus 2012 & Kaspersky Internet Security 2012
– KIS 2012 v12.0.0.374
– KAV 2012 v12.x

– Kaspersky Anti-Virus 2011 & Kaspersky Internet Security 2011
– KIS 2011 v11.0.0.232 (a.b)
– KAV 11.0.0.400
– KIS 2011 v12.0.0.374

– Kaspersky Anti-Virus 2010 & Kaspersky Internet Security 2010

Severity:
Medium

Credits:
Vulnerability Research Laboratory – Benjamin K.M. (Rem0ve)

Original Advisory:
http://www.vulnerability-lab.com/get_content.php?id=129
http://www.vulnerability-lab.com/get_content.php?id=19

Dec 21 2011

Windows-7 Memory Corruption Vulnerability

Windows Memory CorruptionA vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to potentially compromise a user’s system.

The vulnerability is caused due to an error in win32k.sys and can be exploited to corrupt memory via e.g. a specially crafted web page containing an IFRAME with an overly large “height” attribute viewed using the Apple Safari browser.

Successful exploitation may allow execution of arbitrary code with kernel-mode privileges.

The vulnerability is confirmed on a fully patched Windows 7 Professional 64-bit.
Other versions may also be affected.

Solution:
No effective solution is currently available.

Discovered By:
webDEViL

Original Advisory:
https://twitter.com/#!/w3bd3vil/status/148454992989261824

<iframe height=’18082563′></iframe> causes a BSoD on win 7 x64 via Safari. Lol!

Dec 16 2011

Apple Crash Reports to Jailbreak iPhone

Apple Jailbreak ExploitThousands of iPhone owners have joined forces with a team of hackers to help them find new ways to jailbreak Apple’s phone software.

Jailbreaking involves unlocking a device so that it is not restricted to running software officially approved by the manufacturer.

Mobile phones that run Google’s Android operating system do not face this restriction and Microsoft allows its Windows Phone 7 operating system to be unlocked. But Apple has always fought very hard to prevent anyone jailbreaking its devices.

The latest version of the iPhone’s operating system is proving to be extremely hard to jailbreak fully, according to Joshua Hill, a member of the Chronic Dev hacker team.

“Apple is really making it tough for us. The iPhone is now better protected than most nuclear missile facilities,” he says.

Bug Hunt
Bugs may result in a program crashing or shutting down, and they are like gold dust to hackers because sometimes they can be exploited to create a jailbreak.

To help prevent this, Apple’s phones record details of program crashes and send these reports back to the company. Apple’s programmers can then analyse the crash reports and fix any underlying bugs that pose serious security risks.

Crash Reports
The solution to this problem is to subvert Apple’s crash reporting capability by turning it against the company, he says.

“Chronic Dev is ready to turn this little information battle into an all-out, no-holds-barred information WAR,” Mr Hill wrote on the Chronic-Dev blog recently, using his nom de guerre Posixninja.

To do this he has written and distributed a program called CDevreporter that iPhone users can download to their PC or Mac. The program intercepts crash reports from their phones destined for Apple and sends them to the Chronic Dev team.

“In the first couple of days after we released CDevreporter we received about twelve million crash reports,” he says.

Legal Breaks
Jailbreaking phones is legal in the United States, thanks to a ruling in July 2010 by the Library of Congress – an agency that carries out legal research for the US government.

“There’s nothing Apple can do that would make jailbreaking impossible,” he says.

“Apple will always add new features to its phones, and there will always be bugs in its software. It’s just a matter of find the right ones.”

Sep 20 2011

Hackers Break SSL Encryption

SSL BreaksResearchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this article was first published, Google released a developer version of its Chrome browser designed to thwart the attack.