By now, you may have heard about CVE-2014-6271, also known as the “bash bug”, or even “Shell Shock”, that may affect your organisation. It’s rated the maximum CVSS score of 10 for impact and ease of exploitability. The affected software, Bash (the Bourne Again SHell), is present on most Linux, BSD, and Unix-like systems, including Mac OS X. New packages were released today, but further investigation made it clear that the patched version may still be exploitable, and at the very least can be crashed due to a null pointer exception. The incomplete fix is being tracked as CVE-2014-7169.
How do you protect yourself?
The most straightforward answer is to deploy the patches that have been released as soon as possible. Even though the patch for CVE-2014-6271 is not a complete fix, the patched packages are more complicated to exploit. We expect to see new packages arrive to address CVE-2014-7169 in the near future. If you have systems that cannot be patched (for example systems that are End-of-Life), it’s critical that they are protected behind a firewall, and that the firewall itself is tested to confirm it is secure.
How can we help?
Pentura Threatsweeper service (Powered by Rapid7) has been updated with authenticated and remote checks for CVE-2014-6271. Checks for CVE-2014-7169 will follow as soon as they are verified.
If you have any questions, please contact the Pentura support team: firstname.lastname@example.org
The Pentura Team
Reports surfaced this week that Amazon’s Twitch.TV gaming site had been hit by a malware attack that targeted chat forums to access users’ machines. Hackers were found to be sending phishing messages across the site’s chat forums, which lured users with offers of raffle prizes and then dropped a malicious Windows binary file on anyone who replied with their name and email address.
The news presents an interesting twist on traditional phishing scams and provides yet another platform for hackers to target sensitive information. The obvious attraction for criminals is the large number of users on chat forums and the fact that the platforms offer a haven for phishing scams.
With chat forums becoming increasingly popular in the corporate environment, this is a trend that businesses should be monitoring closely and reacting to quickly by adjusting their data loss prevention strategies to maintain security. With employees turning to chat forums to share best practice and troubleshoot, they need to be aware that they do not know the identity, or credentials, of the people they are interacting with.
Hackers targeting chat forums rely on users trusting that everyone there is legitimately sharing information and assisting one another, which increases the chances of users opening links and files that contain malware. The attack on Twitch is a warning shot to organisations and has given them advance warning of this latest tactic of the cyber-criminal.
Pentura are currently recruiting for CHECK Team Members (CTM) with Web Application Testing experience.
Please send CVs to:
Head of Penetration Testing Services
New Kaspersky research released this week reported that children are a major threat to internet security, with 20% of parents reporting losing money or information due to their children’s online activity. While parents are already feeling the repercussions of children using devices, businesses should also be taking note of the threat posed.
With professionals increasingly working from home and employers offering flexible working, it is important that organisations and their employees are aware of the implications for both security and data loss prevention. While flexible, home-based working provides many benefits, it is critical that organisations pay careful consideration to the expanded IT, security and data protection implications that accompany these changing working patterns. This extends beyond children using devices with business-critical information stored on them to the other challenges posed by the home environment.
Employees working from home need to consider setting up separate work accounts with robust access controls on personally owned devices, to ensure that family members, including children, cannot inadvertently put business information at risk. Equally, employers need to set out clear guidelines on the use of business-issued devices at home and provide the relevant security and data loss prevention measures for home working.
Ultimately, employers need to treat data security in home ‘offices’ with the same level of importance as they would on any business-owned property, providing employees with the training and solutions required to holistically secure business data. An out-of-sight, out-of-mind approach to the data security of home-based employees could prove a costly mistake.
Researchers at the University of California’s College of Engineering and the University of Michigan have identified a weakness in Gmail’s mobile application that could allow malicious third-party apps to obtain personal information from users’ email accounts. Researchers found that 92 percent of Gmail accounts, and around 82 percent of the several apps they tested, can be cracked using the memory interrogation technique.
While this is an alarmingly high success rate, the important fact is that it predominantly results from social engineering attacks or downloads of infected applications rather than from a direct flaw in the Gmail application. This can probably be linked to the fact that both businesses and individuals are increasingly using a range of mobile applications from a variety of developers and sources. While these applications can have a lot to offer, it is important that users consider the access they may be inadvertently offering to third parties by using such services.
With applications often requiring a variety of access permissions, people need to be aware of the other functionality and systems running on their device that they might be making accessible to external parties and hackers. Individuals and businesses alike should carefully consider and research what applications they are downloading to their mobile devices, to ensure they don’t inadvertently leave themselves open to attack. Simple steps like only downloading apps from trusted stores and developers can massively reduce the risk of cyber-attacks that people are exposed to.
In the case of businesses this should fall under a clearly defined data loss prevention strategy that covers all aspects of their IT operations. This includes both managing the applications used on corporate devices and ensuring staff receive the required training to reduce the risk of an infected app making its way onto the corporate network.
Irish bookmaker Paddy Power has admitted that personal details of more than 600,000 customers were stolen in a cyber-attack that occurred in 2010. The company revealed that it was aware of an attack on its system four years ago but failed to inform customers of the security breach.
Data including names, usernames, postal addresses, email addresses, phone numbers, dates of birth as well as security questions and answers were stolen, although it’s not thought that financial information was accessed or that any customer accounts were violated. The company was informed in May this year that a man in Canada had a large database of customer information, but it remains unclear how long Paddy Power has known about this security breach, or whether they knew the full extent of it.
Failing to inform people of a data leak in good time leaves customers exposed to the danger of identity theft. Any security breach, no matter how big or small, should be taken seriously by organisations and communicated to customers to enable them to take necessary steps to minimise the damage caused to them personally. It’s also essential that an organisation properly investigates how the data was stolen and closes off any vulnerability that may have enabled the theft.
In this instance the information stolen placed affected account holders at severe risk of further social engineering attacks and identity theft. While a security breach will always draw negative attention it is always better to communicate quickly and openly to restore customer trust and ensure that customers are better protected against further attacks.
Before naming your vulnerabilities became cool (Heartbleed anyone?) I discovered an issue on the EMC Documentum software and internally called it “injeception”. Now that naming your vulnerability is so mainstream I will just call it ESA-2014-046 (that, surprisingly, matches with the name used by the vendor!)
But why that name? Well, it’s 2014 and they have released 45 other vulner…. Oh, you mean the injeception? Well, because you do an injection inside an injection; let me explain to you how it works:
- The EMC Documentum software uses an abstraction layer to allow the software to use any backend database server, such as Oracle or MSSQL. This layer uses its own query language (DQL, from Documentum Query Language) and this is the first part for the injeception to work.
- I found an issue (CVE-2014-2508) that allows me to inject DQL at the end of a query. Descriptive error messages also helped to understand what was happening on the backend.
- We are now at the DQL level (moving from the app level that we were before) and we are still confined to the ORM system that EMC has in place to prevent users from one unit/department accessing files from other departments.
- Reviewing the DQL Reference Manual I found references to two interesting keywords: ENABLE and ORACLE. The use of both can be seen on page 323 (Passthrough hints) of the manual. It essentially allows insertion of custom Oracle (and presumably MSSQL, but I didn’t have the chance to try that) SQL into the final query that is generated by the Documentum software. We have our third jump! (And I think this one is CVE-2014-2507 but I haven’t been credited for this one, so I am not sure if I am right assuming this…)
- Now we find ourselves in an interesting position. We are inside an Oracle hint. For those who don’t know (I didn’t at the time) hints are a special set of keywords that you can write between the SELECT and the first parameter of the query to improve the performance. Like this:
SELECT /*+ HINT */ 1 from dual;
- So… can we escape from the hint syntax and execute code? Sure thing! If we write ‘*/’, Documentum passes it unescaped into the SQL query, so we are able to inject any SQL query from our original DQL injection. Let’s go up a level again on this injection to construct the final valid query.
- First we need to make our Oracle query:
*/ user FROM dual--
- Now we need to add it into a valid DQL query:
ENABLE(ORACLE('*/user FROM DUAL--'))
- Finally, we have to add that string at the end of our DQL Injection:
table_field from valid_table ENABLE(ORACLE('*/user FROM DUAL--'));--
- As you can see we need a valid table and a valid field but I got those from the debug messages, documentation might also help.
This way we have moved from a DQL Injection (CVE-2014-2508) to a shell injection (CVE-2014-2507?) and are executing Oracle queries. But what about CVE-2014-2506? Well, the user running those Oracle queries does not have any privilege limitations, so it can access any information, no matter what department or OU the user executing the DQL is a member of; it can even access configuration details from the server.
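The chain above hinges on a passthrough hint body being forwarded into the generated SQL unchecked. As an added example, not code from this post or from EMC, here is the kind of detection and allowlist check a defender could run over logged DQL statements: it flags ENABLE(ORACLE('...')) hint bodies that would close the hint comment or carry SQL comment markers, and rejects anything outside a conservative hint character set. The sample statements, table names and the allowlist itself are assumptions of the example.

```python
import re

# Constructed DQL statements standing in for entries from a query log
# (not taken from the post or from any real Documentum deployment).
SAMPLE_DQL = [
    "SELECT object_name FROM dm_document WHERE object_name = 'report'",
    "SELECT object_name FROM dm_document ENABLE(ORACLE('FIRST_ROWS(10)'))",
    "SELECT object_name FROM dm_document ENABLE(ORACLE('*/user FROM DUAL--'))",
    "SELECT title FROM dm_document ENABLE(ORACLE('INDEX(d idx_name) --'))",
]

# Body of an ENABLE(ORACLE('...')) passthrough hint; '' is an escaped quote.
PASSTHROUGH = re.compile(
    r"ENABLE\s*\(\s*ORACLE\s*\(\s*'((?:[^']|'')*)'\s*\)\s*\)", re.IGNORECASE)

# Legitimate Oracle hints need only hint names, identifiers, numbers, spaces,
# parentheses, commas and dots; this allowlist is an assumption of the example.
HINT_ALLOWED = re.compile(r"^[\w\s(),.]*$")


def hint_findings(dql):
    """Return (hint_body, reason) pairs for passthrough hints that could break
    out of the /*+ ... */ comment the hint is embedded in."""
    findings = []
    for m in PASSTHROUGH.finditer(dql):
        body = m.group(1)
        if "*/" in body:
            findings.append((body, "closes the hint comment"))
        elif "--" in body or "/*" in body:
            findings.append((body, "contains SQL comment markers"))
        elif not HINT_ALLOWED.match(body):
            findings.append((body, "characters outside the hint allowlist"))
    return findings


def scan_log(lines):
    """Map each offending statement to its findings, skipping clean ones."""
    return {line: hint_findings(line) for line in lines if hint_findings(line)}


def validated_hint(body):
    """Allowlist check to apply before building a passthrough clause;
    raises ValueError instead of forwarding an unsafe hint body to Oracle."""
    if not HINT_ALLOWED.match(body):
        raise ValueError("hint rejected: %r" % body)
    return "ENABLE(ORACLE('%s'))" % body


if __name__ == "__main__":
    for stmt, reasons in scan_log(SAMPLE_DQL).items():
        print(stmt)
        for body, why in reasons:
            print("   ", why, "->", body)
```

Running the block prints the two constructed statements whose hint bodies carry comment escapes; a clean FIRST_ROWS hint passes both the scan and the allowlist.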