Sunday 6 January 2019

Metadata and potential password leak in aria2

Hi Internet,

Summary: aria2 is a lightweight multi-protocol command-line utility, which store's "HTTP Basic Authentication" username and password in a file when `--log` attribute is used.

This issue was observed while performing the code review of aria2, However the file HttpConnection.cc was responsible for this issue, below is the vulnerable code :

1. It was observed that URL's which gets downloaded via `--log=` attribute stored sensitive information.
2. In combination with HTTP authentication a username and password can be part of the URL.
    `aria2c --log=file https://user:passwd@example.com/`

In such case the log file contains password as well, sometimes URL's may contain secret tokens, e.g. private file shared on a file hosting service. In general storing metadata at unexpected places should be avoided, rest other utility like cURL was patched to this issue, it uses HTTP digest authentication mechanism for such case.

Moving further this issue was patched and such information will be masked in latest versions of aria2. This is also similar to when URL of downloads gets stored via filesystem attributes on systems that support unix extended attributes. You can see these attributes on Linux systems by running getfattr -d [filename]

Later CVE-2019-3500 was assigned to this issue, hope you like the read.

Thank you
Share:

Friday 23 November 2018

Path traversal in mozilla pdf.js

Hi Internet,

Summary: A path traversal issue was observed in Mozilla PDF.js which is a PDF reader in JavaScript. (This issue is unpatched)

This issue was observed while code review of PDF.js (gulpfile.js)

PDF.js is built into version 19+ of firefox and a chrome extension is also available on chrome web store. To install and get a local copy of PDF.js here are the below steps :

Then navigate to http://127.0.0.1:8888/

I've used the attribute --path-as-is from cURL to verify this issue.

This was reported to mozilla via bugzilla but team says "The server with pdf.js is intended to be a development server and should not be exposed to public networks. I suppose we could update the docs to state that." and a upstream issue was filed against this[1].

Thank you
Share:

Sunday 11 November 2018

null-pointer dereference in poppler library - CVE-2018-19149

Hi Internet,

Summary: While fuzzing evince v3.28.4, on linux 4.15.0-38-generic (Ubuntu 18.04 LTS), a null-pointer dereference was observed, initially this was reported to evince but the evince team advised that the issue is in poppler, the library used by evince to render PDF, poppler version: 0.62.0-2ubuntu2.2 is vulnerable to null-pointer dereference, however the issue is already fixed in poppler 0.70, but this will still crash your evince v3.28.4 if poppler is not updated to v.0.70. Fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version.

Initially, I started fuzzing with evince which is a document reader which comes by default with most of the linux distribution. Also created a malformed PDF files to provide input to AFL, after a successfully compile of evince with afl-gcc, the final command was,

It took three days to get 21 crashes in which 6 unique crashes where observed, while analyzing the crash with triage_crashes which is one of the component which comes with AFL for analyzing crashes, I observed a null-PTR.

So basically a null-PTR is a type of error which causes a SIGSEGV, segmentation fault to the program, and this usually happens when a program or binary try to read or write to the memory with null-PTR.

I went ahead and reported this to GNOME, because evince is one of there asset, the team says "The issue is in Poppler, the library used by Evince to render PDF" arggh!, so stupid am I, I taught `libpoppler-glib.so` is one of the shared object in evince but didn't know that poppler is a PDF rendering library which comes by default in most of the PDF reader in linux distribution, and there is a standalone repo out there for poppler.

Also, GNOME evince team says "it seems it has already been addressed. See https://gitlab.freedesktop.org/poppler/poppler/merge_requests/93, Nevertheless, if the issue is still present, please file a bug in https://gitlab.freedesktop.org/poppler/poppler/"

Okay no worries, I still went ahead and file a bug in poppler, but the team over there asked me what poppler version am i using, and it was version 0.62.0-2ubuntu2.2 and they said the issue is already fixed in poppler version 0.70 After I read this, I was like....
Img Src: https://knowyourmeme.com/photos/1189534-canada

Pheww!, does that mean, my three days of fuzzing just went = to 0 OR am I actually missing something over here ?

I went back to the stack-trace read it again and also check whether am I fuzzing all the latest build of the binary for sure I was fuzzing the latest build of evince but not poppler. Hmmmmmm! I knew my fuzzing system was fully updated but still just to cross check, I did full apt-get update and upgrade but my poppler version remains the same all the time which is 0.62.0-2ubuntu2.2 strange.

I need a guidance over here, and didn't knew what to do ahead, so I contacted MITRE for this and went for a nap, they suggested - "That a fuzzing result showing a very important vulnerability in a package currently shipped by a major Linux distribution is still of interest, even if that Linux distribution does not package the latest released upstream version. For example, an out-of-bounds write finding is still very useful in that case, but not out-of-bounds read, NULL pointer dereference,divide-by-zero, etc."

Ohhh, I see so the latest version of poppler is still not shipped for most of the linux distribution out there, now i understood the entire concept, later MITRE also helped me by assigning a CVE to this issue which is CVE-2018-19149 - Poppler before 0.70.0 has a NULL pointer dereference in _poppler_attachment_new when called from poppler_annot_file_attachment_get_attachment.

An upstream bug is filed in Ubuntu launchpad to track this issue. 

PS: Its not about collecting CVE's, CVE's are just a reference number to an issue you can point for a vulnerability when you show case it somewhere, rather than pointing it to various post. (Personal opinion).

Lessons learned from this:
1. I didn't know poppler is a library which is used by evince and other PDF reader to render PDF's.
2. I understood how to create a malformed PDF to provide input to AFL while fuzzing.
3. The reply from MITRE helped me to resolve my query.
4. During all this, I also got my hands on hongfuzz

Hope you like the read, view this on oss-security mailing list.


Thank you
Dhiraj
Share:

Tuesday 6 November 2018

Fuzzing IEC 61850 protocol - CVE-2018-18957

Hi Internet,

Summary: While fuzzing(I've used AFL for this), a stack based buffer overflow was found in libIEC61850 (the open-source library for the IEC 61850 protocols) in prepareGooseBuffer in goose/goose_publisher.c and /linux/ethernet_linux.c

Steps to reproduce:
$ ./goose_publisher_example crash_goosecr_stack_smash_overflow_aaaaaaaaa
Using interface crash_goosecr_stack_smash_overflow_aaaaaaaaa
*** stack smashing detected ***:  terminated
Aborted
$
File: crash_goosecr_stack_smash_overflow_aaaaaaaaa
[This file will be expired after 30 days.]

Debugging:
(gdb) run crash_goosecr_stack_smash_overflow_aaaaaaaaa
Starting program:
/home/input0/Desktop/libiec61850/examples/goose_publisher/goose_publisher_example
crash_goosecr_stack_smash_overflow_aaaaaaaaa
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Using interface crash_goosecr_stack_smash_overflow_aaaaaaaaa
*** stack smashing detected ***:  terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@...ry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51    ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@...ry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7805801 in __GI_abort () at abort.c:79
#2  0x00007ffff784e897 in __libc_message (action=action@...ry=do_abort,
fmt=fmt@...ry=0x7ffff797b988 "*** %s ***: %s terminated\n")
    at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff78f9cd1 in __GI___fortify_fail_abort
(need_backtrace=need_backtrace@...ry=false,
    msg=msg@...ry=0x7ffff797b966 "stack smashing detected") at
fortify_fail.c:33
#4  0x00007ffff78f9c92 in __stack_chk_fail () at stack_chk_fail.c:29
#5  0x000055555555a211 in Ethernet_getInterfaceMACAddress
(interfaceId=0x7fffffffdeee "crash_goosecr_stack_smash_overflow_aaaaaaaaa",
    addr=0x7fffffffd91c "k_smas\377\377") at
hal/ethernet/linux/ethernet_linux.c:170
#6  0x00005555555594ee in prepareGooseBuffer (self=0x5555557637d0,
parameters=0x7fffffffd9ac,
    interfaceID=0x7fffffffdeee
"crash_goosecr_stack_smash_overflow_aaaaaaaaa") at
src/goose/goose_publisher.c:168
#7  0x0000555555559293 in GoosePublisher_create (parameters=0x7fffffffd9ac,
    interfaceID=0x7fffffffdeee
"crash_goosecr_stack_smash_overflow_aaaaaaaaa") at
src/goose/goose_publisher.c:72
#8  0x0000555555555387 in main (argc=2, argv=0x7fffffffdaa8) at
goose_publisher_example.c:52
(gdb) i r
rax            0x0    0
rbx            0x7fffffffd6b0    140737488344752
rcx            0x7ffff7803e97    140737345765015
rdx            0x0    0
rsi            0x7fffffffd410    140737488344080
rdi            0x2    2
rbp            0x7fffffffd840    0x7fffffffd840
rsp            0x7fffffffd410    0x7fffffffd410
r8             0x0    0
r9             0x7fffffffd410    140737488344080
r10            0x8    8
r11            0x246    582
r12            0x7fffffffd6b0    140737488344752
r13            0x1000    4096
r14            0x0    0
r15            0x30    48
rip            0x7ffff7803e97    0x7ffff7803e97 <__gi_raise>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
(gdb)
SRC:
Snip : src/goose/goose_publisher.c
{
    GoosePublisher self = (GoosePublisher) GLOBAL_CALLOC(1, sizeof(struct sGoosePublisher));
    prepareGooseBuffer(self, parameters, interfaceID);
    self->timestamp = MmsValue_newUtcTimeByMsTime(Hal_getTimeInMs());
    GoosePublisher_reset(self);
    return self;
}
Snip: src/goose/goose_publisher.c
    if (interfaceID != NULL)
        Ethernet_getInterfaceMACAddress(interfaceID, srcAddr);
    else
Ethernet_getInterfaceMACAddress(CONFIG_ETHERNET_INTERFACE_ID, srcAddr);
Snip: /linux/ethernet_linux.c
strcpy(buffer.ifr_name, interfaceId);
Later CVE-2018-18957 was assigned to this issue, Read this on oss-security.


Thank you
Dhiraj
Share:

Thursday 18 October 2018

Porting CVE-2018-8120 to an MSF module

Hi Internet,

#Shortpost
I have added the support of CVE-2018-8120 to MSF module, before porting this to MSF I read through the analysis of the issue.

After reading the blog post of xiaodaozhi I understood CVE-2018-8120 happens because of a null pointer dereference in the win32k kernel module at start this would lead to BSOD in vulnerable systems, however the exploit code was written in such a fashion that would override the function pointer which is present in kernel mode that achieves escalation of privilege to the remote or your local system.

It took me a while to port this to an MSF module also I would like to thank MSF team for there review's done during that time, at last this was successfully ported and landed!

The path for this module will be `exploit/windows/local/ms18_8120_win32k_privsec.rb` view this in action. (Sweeeeeeet!)
 
This module was tested against windows 7 x64 and x86 based systems and windows server 2008 R2 x64. However this vulnerability impacts following software versions or editions which are affected.
Reference: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120



Thank you
Dhiraj
Share: