Advisories – Tencent's Xuanwu Lab
http://xlab.tencent.com/en
Wed, 21 Dec 2016 08:35:57 +0000

Pulse Secure Desktop Client (Juniper Junos Pulse) Privilege Escalation
http://xlab.tencent.com/en/2016/07/19/xlab-16-001/
Tue, 19 Jul 2016 10:00:11 +0000

XLAB ID: XLAB-16-001

CVE ID: CVE-2016-2408

Patch Status: Fixed

Affected Products:
Tested:
– Pulse Secure Desktop Client (Juniper Junos Pulse), all versions up to v5.2r3

Vendor Provided (see vendor advisory in Solution section for details):
– Pulse Secure Desktop Client 5.2R1 to 5.2R2, 5.1R1 to 5.1R9, 5.0R1 to 5.0R15
– Standalone Pulse Installer Service 8.2R1 to 8.2R2, 8.1R1 to 8.1R9, 8.0R1 to 8.0R15, 7.4R1 to 7.4R13.6
– Pulse Secure Collaboration 8.2R1 to 8.2R2, 8.1R1 to 8.1R9, 8.0R1 to 8.0R15
– Odyssey Access Client all versions before 5.6R16

This vulnerability only affects the Windows operating system.

Background:
“The Pulse Secure desktop client provides a secure and authenticated connection from an endpoint device (either Windows or Mac OS X) to a Pulse Secure gateway (either Pulse Connect Secure or Pulse Policy Secure).”

Vulnerability Details:
Juniper Junos Pulse (now known as Pulse Secure Desktop Client) installs a system service dsAccessService.exe, which owns a named pipe NeoterisSetupService.

This named pipe has an Everyone Full Control ACL and is writable by all users.

The pipe server employs a custom encryption function. The key is derived from processor type, processor frequency, operating system product id, operating system version, and hardcoded values.

This pipe is used to install new services, possibly for automatic upgrade purposes. Once new data is received from the pipe, it is decrypted into a file path, and the specified file is copied to C:\Windows\Temp\ and executed.

The service installation logic is implemented in dsInstallService.dll. It reads the path and splits the file name from it. However, this implementation has a bug: it only splits the string after the “\” character, not after the “/” character.

Passing in a path such as “C:\Users/Guest/AppData/Local/test.exe” causes it to use “Users/Guest/AppData/Local/test.exe” as the file name, and to CopyFile to the path “C:\Windows\Temp\Users/Guest/AppData/Local/test.exe”.

When CopyFile fails, the program falls back to the original path “C:\Users/Guest/AppData/Local/test.exe” to create the new process.

Finally, the service verifies the digital signature before executing the file. However, since the path is completely controllable by the attacker, simply placing a signed executable under “C:\Users/Guest/AppData/Local/” and hijacking that executable with a malicious DLL triggers arbitrary code execution and privilege escalation to SYSTEM.
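As an added illustration (not code from the advisory or from Pulse Secure), the following Python models the file-name split described above, places the separator-agnostic version beside it, and shows a hardened flow that refuses to fall back to the caller-supplied path; TEMP_DIR, SAMPLE_PATH and the function names are assumptions for this example.

```python
import ntpath

# Assumed staging directory and the advisory's example input (constructed sample).
TEMP_DIR = r"C:\Windows\Temp"
SAMPLE_PATH = r"C:\Users/Guest/AppData/Local/test.exe"


def buggy_file_name(path):
    """Model of the defective split: only a backslash ends the directory part."""
    return path.rsplit("\\", 1)[-1]


def fixed_file_name(path):
    """ntpath.basename treats both '\\' and '/' as directory separators."""
    return ntpath.basename(path)


def vulnerable_target(path, copy_succeeded):
    """Flow described in the advisory: run the staged copy, or the original path on failure."""
    staged = ntpath.join(TEMP_DIR, buggy_file_name(path))
    return staged if copy_succeeded else path


def staged_path(path, name_func=fixed_file_name):
    """Derive the staging path and reject anything that is not a plain file name."""
    name = name_func(path)
    if not name or "\\" in name or "/" in name or name in (".", ".."):
        raise ValueError("not a plain file name: %r" % name)
    staged = ntpath.join(TEMP_DIR, name)
    # Belt and braces: the parent of the normalised result must be TEMP_DIR itself.
    parent = ntpath.normcase(ntpath.dirname(ntpath.normpath(staged)))
    if parent != ntpath.normcase(ntpath.normpath(TEMP_DIR)):
        raise ValueError("staging path escapes %s: %r" % (TEMP_DIR, staged))
    return staged


def hardened_target(path, copy_succeeded):
    """Hardened flow: only the staged copy may ever be executed, never the input path."""
    staged = staged_path(path)
    if not copy_succeeded:
        raise RuntimeError("copy into %s failed; refusing to run %r" % (TEMP_DIR, path))
    return staged


def raises(exc, func, *args):
    """Small helper: True if func(*args) raises exc, False otherwise."""
    try:
        func(*args)
    except exc:
        return True
    return False
```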

Solution:
Install the latest version of the Pulse Secure product, which is available from the Pulse Secure official website.
Pulse Secure has also issued an advisory about this vulnerability:
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40241

Disclosure Timeline:

2016/02/18 Report vulnerability to MITRE
2016/02/18 MITRE assigned CVE-ID CVE-2016-2408
2016/02/18 Provide vulnerability detail and CVE-ID to Pulse Secure via psirt at pulsesecure.net
2016/02/18 Pulse Secure responded that they are developing a fix, but no timeline is available
2016/03/07 Pulse Secure responded that they are still developing a fix, but no timeline is available, “update soon”
2016/03/25 Pulse Secure responded that they are still developing a fix, but no timeline is available
2016/04/22 Notify Pulse Secure that it is now 63 days since the original report, asking about fix progress
2016/04/26 Pulse Secure responded that they are still developing a fix, but no timeline is available, asking for a grace period
2016/05/03 Reply that we do give grace periods but need an ETA
2016/05/12 Pulse Secure responded that they are still developing a fix, but no timeline is available
2016/05/19 Pulse Secure responded that they are still developing a fix, ETA is October 2016, asking for a grace period
2016/05/20 Reply that we do not give a grace period this long and that another 60 days is the maximum
2016/05/20 Pulse Secure responded that another 60 days is acceptable
2016/07/18 Pulse Secure responded that an issue has been found in internal testing, and requested another extension to August 1, 2016
2016/07/18 Reply that we have already requested coordination from multiple organizations and the process is irreversible. Last day is July 25, 2016
2016/07/25 Coordinated disclosure

Credit:
This vulnerability was discovered by: Zhipeng Huo


Microsoft Internet Explorer And Microsoft Edge Object Use-After-Free Remote Code Execution Vulnerability
http://xlab.tencent.com/en/2015/12/29/xlab-15-025/
Tue, 29 Dec 2015 09:59:19 +0000

XLAB ID: XLAB-15-025

CVE ID: CVE-2015-1752

Patch Status: Fixed

Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer and Microsoft Edge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. An attacker can leverage this vulnerability to execute code under the context of the current process.

Disclosure Timeline:

2015/03/05 Provide vulnerability detail to Microsoft Security Response Center via secure@microsoft.com
2015/04/01 Microsoft Security Response Center automatic reply
2015/06/09 Microsoft Security Response Center assigned CVE-ID CVE-2015-1752

Credit:
This vulnerability was discovered by: exp-sky


Flash Player Memory Corruption in Display List Handling
http://xlab.tencent.com/en/2015/12/29/xlab-15-024/
Tue, 29 Dec 2015 09:56:34 +0000

XLAB ID: XLAB-15-024

CVE ID: CVE-2015-8459

Patch Status: Fixed

Vulnerability Details:
The specific flaw exists within the handling of the display list. By manipulating a DisplayObject’s properties, an attacker can force memory corruption in Flash Player. An attacker can leverage this vulnerability to execute code under the context of the current process.

Disclosure Timeline:

2015/07/13 Provide vulnerability detail to Adobe via psirt@adobe.com
2015/07/16 Adobe responded that they had opened case PSIRT-3929 for the issue
2015/12/28 Adobe responded that they had assigned CVE-2015-8459 to the issue

Credit:
This vulnerability was discovered by: kai kang


Trend Micro Vulnerability
http://xlab.tencent.com/en/2015/12/02/xlab-15-023/
Wed, 02 Dec 2015 09:54:44 +0000

XLAB ID: XLAB-15-023

CVE ID: CVE-2015-8302

Patch Status: Fixed

Vulnerability Details:

Disclosure Timeline:

2015/10/30 Provide vulnerability detail to Trend Micro via security at trendmicro.com
2015/10/31 Trend Micro automatic reply
2015/10/31 Trend Micro responded that they are verifying the proof of concept code
2015/11/20 Report vulnerability to MITRE
2015/11/21 MITRE assigned CVE-ID CVE-2015-8302
2015/11/25 Provide CVE-IDs to Trend Micro, asking fix progress
2015/12/02 Trend Micro responded that they are developing a fix, but no timeline is available
2015/12/09 Trend Micro responded that they have fixed the vulnerabilities, provided a hotfix for verification

Credit:
This vulnerability was discovered by: wwq


Apple Safari Dialog Origin Spoofing Vulnerability
http://xlab.tencent.com/en/2015/12/02/xlab-15-022/
Wed, 02 Dec 2015 09:54:03 +0000

XLAB ID: XLAB-15-022

CVE ID: CVE-2015-7093

Patch Status: Fixed

Vulnerability Details:
Apple Safari is prone to a dialog box origin spoofing vulnerability. This issue may allow a remote attacker to carry out phishing-style attacks. The vulnerability presents itself as dialog boxes from inactive windows appearing in other, active windows. An attacker can exploit this issue by creating a malicious web site and enticing a user to follow a link to the site. If the user follows the link, the attacker can then trigger this issue by somehow enticing the user to follow another link to a trusted site in a new window. The attacker can then display a spoofed dialog box to the user that seemingly originates from the trusted site. Typically this dialog box would mimic the legitimate site. An attacker may exploit this vulnerability to spoof an interface of a trusted web site, which may aid in phishing-style attacks.

Disclosure Timeline:

2015/8/25 Provide vulnerability detail to Apple via product-security@apple.com
2015/8/25 Apple automatic reply
2015/8/26 Apple responded that they are verifying the proof of concept code
2015/11/17 Apple asked how we would like to be acknowledged
2015/12/9 Apple advisory disclosed; the issue was fixed in iOS 9.2. CVE-2015-7093

Credit:
This vulnerability was discovered by: xisigr


BitDefender Vulnerability
http://xlab.tencent.com/en/2015/12/02/xlab-15-021/
Wed, 02 Dec 2015 09:53:19 +0000

XLAB ID: XLAB-15-021

CVE ID: CVE-2015-8693

Patch Status: Unfixed

Vulnerability Details:

Disclosure Timeline:

2015/10/09 Ask for a vulnerability report contact address from BitDefender via bdsupport at bitdefender.com
2015/10/09 BitDefender technical support replied with template emails
2015/10/12 Stressed the seriousness of the vulnerability to BitDefender technical support
2015/10/19 BitDefender requests vulnerability detail
2015/10/19 Provide vulnerability detail to BitDefender
2015/10/19 BitDefender replied with apology for delay and a 1-year license key
2015/11/23 Report vulnerability to MITRE
2015/12/28 MITRE assigned CVE-ID CVE-2015-8693

Credit:
This vulnerability was discovered by: wwq


Total Defense Vulnerability
http://xlab.tencent.com/en/2015/12/02/xlab-15-020/
Wed, 02 Dec 2015 09:52:26 +0000

XLAB ID: XLAB-15-020

CVE ID: CVE-2015-8695

Patch Status: Unfixed

Vulnerability Details:

Disclosure Timeline:

2015/09/28 Ask for a vulnerability report contact address from Total Defense via tdicustomerservice at totaldefense.com
2015/09/29 Total Defense requests vulnerability detail
2015/09/29 Provide vulnerability detail to Total Defense
2015/10/08 Ask if Total Defense has received the vulnerability detail
2015/10/08 Total Defense responded that they are planning a solution
2015/11/23 Report vulnerability to MITRE
2015/12/28 MITRE assigned CVE-ID CVE-2015-8695

Credit:
This vulnerability was discovered by: wwq


Panda Security Vulnerability
http://xlab.tencent.com/en/2015/12/02/xlab-15-019/
Wed, 02 Dec 2015 09:51:07 +0000

XLAB ID: XLAB-15-019

CVE ID: Pending

Patch Status: Unfixed

Vulnerability Details:

Disclosure Timeline:

2015/09/28 Provide vulnerability detail to Panda Security via secure at pandasecurity.com (No Response)
2015/11/23 Report vulnerability to MITRE

Credit:
This vulnerability was discovered by: wwq


Kaspersky Vulnerability
http://xlab.tencent.com/en/2015/12/02/xlab-15-018/
Wed, 02 Dec 2015 09:50:20 +0000

XLAB ID: XLAB-15-018

CVE ID: CVE-2015-8691

Patch Status: Unfixed

Vulnerability Details:

Disclosure Timeline:

2015/11/20 Ask for a vulnerability report contact address via info at kaspersky.com (No Response)
2015/11/23 Provide vulnerability detail to MITRE
2015/12/28 MITRE assigned CVE-ID CVE-2015-8691

Credit:
This vulnerability was discovered by: wwq


Trend Micro Vulnerability
http://xlab.tencent.com/en/2015/12/02/xlab-15-017/
Wed, 02 Dec 2015 09:49:33 +0000

XLAB ID: XLAB-15-017

CVE ID: CVE-2015-8301

Patch Status: Fixed

Vulnerability Details:

Disclosure Timeline:

2015/10/30 Provide vulnerability detail to Trend Micro via security at trendmicro.com
2015/10/31 Trend Micro automatic reply
2015/10/31 Trend Micro responded that they are verifying the proof of concept code
2015/11/20 Report vulnerability to MITRE
2015/11/21 MITRE assigned CVE-ID CVE-2015-8301
2015/11/25 Provide CVE-IDs to Trend Micro, asking fix progress
2015/12/02 Trend Micro responded that they are developing a fix, but no timeline is available
2015/12/09 Trend Micro responded that they have fixed the vulnerabilities, provided a hotfix for verification

Credit:
This vulnerability was discovered by: wwq
