Posts tagged: Vulnerability

Sep 02 2013

Facebook Vulnerability that Allowed any Photo to be Deleted Earns $12,500 Bounty

Facebook BountyAn Indian electronics and communications engineer who describes himself as a “security enthusiast with a passion for ethical hacking” has discovered a Facebook vulnerability that could have allowed for any photo on the site to be deleted without the owner’s knowledge.

Arul Kumar, a 21 year old from Tamil Nadu, discovered that he could delete any Facebook image within a minute, even from verified pages, all without any interaction from the user.

For his efforts in reporting the vulnerability to Facebook’s whitehat bug bounty program Kumar received a reward of $12,500.

The vulnerability that he discovered was based around exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports they make to the site, including highlighting photos that they believe should be removed.

Kumar explained his bug by using a demo account, as well as sending Facebook a proof of concept video in which he showed how he could have removed Mark Zuckerberg’s own photos from his album.

By following Facebook’s whitehat guidelines he was able to pick up his deserved bounty.

Jan 10 2013

New Java 0-Day Exploit Spotted in the Wild

Java 7 0-Day ExploitA new Java 0-day vulnerability has been discovered, and is already being exploited in the wild. Currently, disabling the plugin is the only way to protect your computer.

Description:
The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via vectors related to unspecified classes that allow access to the class loader, as exploited in the wild in January 2013, as demonstrated by Blackhole and Nuclear Pack, and a different vulnerability than CVE-2012-4681.

Impact:
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.

CVE Standard Vulnerability Entry: CVE-2013-0422

This actual vulnerability was later confirmed by security firm AlienVault Labs. With Kafeine’s help, the company reproduced the exploit on a new, fully-patched installation of Java, and used a malicious Java applet to remotely execute the Calculator application on Windows XP as shown in the below screen-shot:

Java 7 update 10 0-day exploit demo

Jan 23 2012

Tor – Multiple Vulnerabilities

Tor LogoMultiple vulnerabilities have been found in Tor, the most severe of which may allow a remote attacker to execute arbitrary code.

Multiple vulnerabilities have been discovered in Tor:

  • When configured as client or bridge, Tor uses the same TLS certificate chain for all outgoing connections (CVE-2011-2768).
  • When configured as a bridge, Tor relays can distinguish incoming bridge connections from client connections (CVE-2011-2769).
  • An error in or/buffers.c could result in a heap-based buffer overflow (CVE-2011-2778).

Impact:
A remote attacker could possibly execute arbitrary code or cause a Denial of Service. Furthermore, a remote relay the user is directly connected to may be able to disclose anonymous information about that user or enumerate bridges in the user’s connection.

Vulnerable Versions:
< 0.2.2.35

Workaround:
There is no known workaround at this time.

Resolution:
All Tor users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/tor-0.2.2.35″

References:
CVE-2011-2768
CVE-2011-2769
CVE-2011-2778

Dec 22 2011

Kaspersky Internet Security – Memory Corruption Vulnerability

Kaspersky VulnerabilityVulnerability-Lab Team discovered a Memory & Pointer Corruption Vulnerability on Kaspersky Internet Security 2011/2012 & Kaspersky Anti-Virus 2011/2012.

Details:
The vulnerability is caused by an invalid pointer corruption when processing a corrupt .cfg file through the kaspersky exception filters, which could be exploited by attackers to crash the complete software process.
The bug is located over the basegui.ppl & basegui.dll when processing a .cfg file import.

Vulnerable Modules:
[+] CFG IMPORT

Affected Version(s):
– Kaspersky Anti-Virus 2012 & Kaspersky Internet Security 2012
– KIS 2012 v12.0.0.374
– KAV 2012 v12.x

– Kaspersky Anti-Virus 2011 & Kaspersky Internet Security 2011
– KIS 2011 v11.0.0.232 (a.b)
– KAV 11.0.0.400
– KIS 2011 v12.0.0.374

– Kaspersky Anti-Virus 2010 & Kaspersky Internet Security 2010

Severity:
Medium

Credits:
Vulnerability Research Laboratory – Benjamin K.M. (Rem0ve)

Original Advisory:
http://www.vulnerability-lab.com/get_content.php?id=129
http://www.vulnerability-lab.com/get_content.php?id=19

Dec 22 2011

Backdoor in Android for No-Permissions Reverse Shell

Security expert Thomas Cannon working at viaForensics as the Director of R&D has demonstrated a custom-developed app that installs a backdoor in Android smartphones – without requiring any permissions or exploiting any security holes.

Thomas built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality they are exploiting to do this is not new, it has been quietly pointed out for a number of years, and was explained in depth at Defcon-18 Presentation.

It is not a zero-day exploit or a root exploit. They are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms.

The application operates by instructing the browser to access a particular web page with specific parameters. This web page, and the server behind it, will, in turn, control the app by forwarding the browser to a URL that starts with a protocol prefix that is registered as being handled by the app, for example app://. This process can then be repeated and in doing so it enables two-way communication.

“In this demonstration Android’s power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client’s intellectual property as it passed through their devices. It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it.”Thomas Cannon said