Cisco Unity Connection CVE-2017-6629 Unauthorized Access Vulnerability
Google Android Kernel Trace Subsystem CVE-2017-0630 Information Disclosure Vulnerability

Enlarge (credit: Sean Gallup / Getty Images)

The "Google Docs" phishing attack that wormed its way through thousands of e-mail inboxes earlier this week exploited a threat that had been flagged earlier by at least three security researchers—one raised issues about the threat as early as October of 2011. In fact, the person or persons behind the attack may have copied the technique from a proof of concept posted by one security researcher to GitHub in February.

The issue may not technically be a vulnerability, but the way Google has implemented its application permissions interface—based on the OAuth 2 standard used by a large number of Web application providers—makes it far too easy to fool unsuspecting targets into giving away access to their cloud, e-mail, storage, and other Google-associated accounts. The websites used in the phishing attack each used domains that mimicked Google's in some way. The sites would call a Google Apps Script that used Google's own authentication system against itself. The malicious Web application (named "Google Docs") was delivered by an HTML e-mail message that looked so much like a genuine Google Docs sharing request that many users just sailed right through the permissions requested without thinking.

Researchers have repeatedly warned Google about this potential social engineering threat, and this shortcoming had already been exploited in malicious e-mails used by an alleged state actor. While Google quickly shut down the malicious application's access to customers' credentials, the threat remains, since all it takes to relaunch a campaign is to configure another application with Google's authentication API.

Read 10 remaining paragraphs | Comments

Google Android Bluetooth CVE-2017-0602 Information Disclosure Vulnerability
Google Android Framework Apis CVE-2017-0598 Information Disclosure Vulnerability
Google Android Framework Apis CVE-2017-0593 Privilege Escalation Vulnerability
Google Android Synaptics Touchscreen Driver CVE-2017-0634 Information Disclosure Vulnerability
Rpcbind CVE-2017-8779 Remote Denial of Service Vulnerability
Apple Safari CVE-2017-2491 Use After Free Remote Code Execution Vulnerability
Multiple Google Devices kernel UVC Driver CVE-2017-0627 Information Disclosure Vulnerability
Atlassian HipChat for iOS CVE-2017-8058 TLS Certificate Validation Security Bypass Vulnerability

Enlarge (credit: Arp et al.)

Almost a year after app developer SilverPush vowed to kill its privacy-threatening software that used inaudible sound embedded into TV commercials to covertly track phone users, the technology is more popular than ever, with more than 200 Android apps that have been downloaded millions of times from the official Google Play market, according to a recently published research paper.

As of January, there were 234 Android apps that were created using SilverPush's publicly available software developer kit, according to the paper, which was published by researchers from Technische Universitat Braunschweig in Germany. That represents a dramatic increase in the number of Android apps known to use the creepy audio tracking scheme. In April 2015, there were only five such apps.

The apps silently listen for ultrasonic sounds that marketers use as high-tech beacons to indicate when a phone user is viewing a TV commercial or other type of targeted audio. A representative sample of just five of the 234 apps have been downloaded from 2.25 million to 11.1 million times, according to the researchers, citing official Google Play figures. None of them discloses the tracking capabilities in their privacy policies.

Read 11 remaining paragraphs | Comments

PCRE 'pcre2_match.c' Stack Buffer Overflow Vulnerability
Xen CVE-2017-7995 Information Disclosure Vulnerability
Multiple Hikvision Cameras ICSA-17-124-01 Multiple Securtiy Vulnerabilities
Google Nexus Nvidia Video Driver CVE-2017-0331 Privilege Escalation Vulnerability
Google Android Qualcomm Adsprpc Driver CVE-2017-0465 Privilege Escalation Vulnerability

On Wednesday, Kenneth Lipp, a contributor to the Daily Beast, was doing what amounts to a random search on the security search engine Shodan when he discovered what appears to be a Web console for full-motion video feeds from two Predator drones.

The website Lipp found bears the logos of the National Reconnaissance Office, the National Geospatial-Intelligence Agency's (NGA's) Aerospace Data Facility-East, and the Washington University Cortex Innovation Center—an incubator that has partnered with NGA. The site displayed streaming video from drones named "Ranger1" and "Bonker," apparently flying somewhere over the Gulf of Mexico along the coast of Florida. So he tweeted and blogged about it. Soon, many were watching the same thing: aerial surveillance video of boats speeding across the Gulf's waters.

Read 8 remaining paragraphs | Comments

Dahua Technology Authentication Bypass and Information Disclosure Vulnerabilities

When browsing a target web application, a pentester is looking for all entry or injection points present in the pages. Everybody knows that a static website padding:5px 10px"> form action=/view.php method=post input name=article id=article input type=submit value=Submit /form

In both cases, the pentester will have a deeper look at the values that can be passed to the article parameter.

But, there are alternative ways to interact with a website. Today, modern sites have multiple versions available. Depending on the visitors browser, a mobile or light version of the website can be returned, optimised for mobile phones or tablets. Some websites react in different ways just based on the User-Agent passed by the browser. Chris John Riley developed a few years ago a nice script that I padding:5px 10px"> $ ./ -u -f my-useragents.txt -v

The HTTP referrer is also a very nice way to abuse some websites. A few years ago, I remember a Belgian newspaperwhich granted access to paid content based on the referrer! The HTTP headers passed in every HTTP requests are also a good source of vulnerabilities. We have a new example with two Wordpress vulnerabilities released this week:CVE-2017-8295[2] and a second one based on CVE-2016-10033[3].

The first affect the password reset feature provided by Wordpress (up to version 4.7.4). It might allow an attacker to get the password reset link sent via email and use it to compromise the user account then have more access to the Wordpress site. The second one has been discovered in 2016 but disclosed two days ago. This one affects thePHPMailer mailer component of Wordpress core 4.6. The Wordpress development team initially reported as not affected by the bug discovered in 2016. They are interesting because both are vulnerable to the injection of malicious data through HTTP headers. Many web servers (Apache included) set the SERVER_NAME variable using the hostname supplied by the client.

Keep in mind: When you read ... supplied by the client, you must understand: ... that can be altered or poisoned by the client padding:5px 10px"> if ( !isset( $from_email ) ) { $sitename = strtolower( $_SERVER[SERVER_NAME if ( substr( $sitename, 0, 4 ) == www. } $from_email = [email protected] }

Wordpress just uses theHost: HTTP header provided by the client padding:5px 10px">

In the padding:5px 10px"> HTTP/1.1 302 Object moved Connection: close Location: search.php?article=1234 Set-Cookie: MyCookie=pwn3d Content-Length: 105

Those attacks are not new, most of them are known for years but are still relevant today. Also, think outside HTTP. Most protocols use headers that might be abuse. A good example was Postfix in 2014 which was vulnerable to the ShellShock attack via SMTP headers[4].

The Top-10 OWASP project keeps injection (of any kind) as the first security issue since 2010[5]. They also have a project called Secure Headers Project which address this problem[6]. To resume, never trust data coming from the client side!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

[security bulletin] HPESBHF03736 rev.1 - HPE Aruba and HPE ProVision network switches using Diffie Hellman Group1 Sha1 Exchange Algorithm, Remote Disclosure of Information
[security bulletin] HPESBGN03740 rev.1 - HPE Network Automation, Multiple Remote Vulnerabilities
Internet Storm Center Infocon Status