IOActive Labs Advisories


OleumTech Wireless Sensor Network Vulnerabilities
Author: Lucas Apa and Carlos Penagos

OleumTech has manufactured industrial wireless solutions for almost 15 years, providing visibility into disparate assets for major Oil & Gas producers for near real-time optimization decisions, resource deployment, and regulatory compliance. OleumTech also manufactures industrial automation systems that represent the new paradigm of remote monitoring and control for industries such as Oil & Gas, Refining, Petro-chemical, Utilities, and Water/Wastewater.

In June 2013, IOActive Labs reported four critical vulnerabilities in OleumTech's wireless sensor network to ICS-CERT. To date, IOActive Labs is not aware of any fixes released by OleumTech.

Read the technical details here.


Steam Client Creates World-writable Shell Script
Author: Ilja van Sprundel

While performing a routine world-writable file scan, one of IOActive’s consultants discovered that the Steam Client for Mac OS X creates world-writable shell scripts when installing games.

Read the technical details here.


X Font Service Protocol Handling Issues in libXfont Library
Author: Ilja van Sprundel

Ilja van Sprundel, an IOActive security researcher, discovered several issues in the way the libXfont library handles the responses it receives from XFS servers. Mr. van Sprundel has worked with X.Org's security team to analyze, confirm, and fix these issues. Most of these issues stem from libXfont trusting the font server to send valid protocol data and not verifying that the values will not overflow or cause other damage.

This code is commonly called from the X server when an X Font Server is active in the font path, so it may be running in a setuid-root process, depending on the X server in use. Exploits of this path can be used by a local, authenticated user to attempt to raise privileges, or by a remote attacker who can control the font server to try to execute code with the privileges of the X server.

Read the technical details here.


Belkin WeMo Home Automation Vulnerabilities
Author: Mike Davis

The WeMo devices connect to the Internet using the STUN/TURN protocol. This gives users remote control of the devices and allows them to perform firmware updates from anywhere in the world. A generated GUID is the primary source of access control.

WeMo also uses a GPG-based, encrypted firmware distribution scheme to maintain device integrity during updates. Unfortunately, attackers can easily bypass most of these features due to the way they are currently implemented in the WeMo product line. The command for performing firmware updates is initiated over the Internet from a paired device. Also, firmware update notices are delivered to the paired device, rather than to the WeMo device itself, through an RSS-like mechanism that is distributed over a non-encrypted channel. As a result, attackers can easily push firmware updates to WeMo users by spoofing the RSS feed with a correctly signed firmware.

Read the technical details here.


ProSoft Technology RadioLinx ControlScape PRNG Vulnerability
Authors: Lucas Apa and Carlos Penagos

The RadioLinx ControlScape application is used to configure and install radios in a FHSS radio network and to monitor their performance. ProSoft Technology states that the default values built into the software work well for initial installation and testing. The software generates a random passphrase and sets the encryption level to 128-bit AES when it creates a new radio network.

This product uses the standard C runtime library calls "srand" and "rand" to seed and generate passphrases. Because it uses the local time as the seed, an attacker can predict the default values built into the software. This makes the system vulnerable to expedited brute-force passphrase/password attacks and other cryptographic attacks. Custom passphrases are not vulnerable to this type of attack. An attacker could compromise the device network and affect its data integrity, confidentiality, and availability.

Read the technical details here.


DASDEC Vulnerabilities
Author: Mike Davis

The United States Emergency Alert System (EAS) in 1997 replaced the older and better known Emergency Broadcast System (EBS) used to deliver local or national emergency information. The EAS is designed to "enable the President of the United States to speak to the United States within 10 minutes" after a disaster occurs. In the past, these alerts were passed from station to station using the Associated Press (AP) or United Press International (UPI) "wire services", which connected to television and radio stations around the U.S. Whenever the station received an authenticated Emergency Action Notification (EAN), the station would disrupt its current broadcast to deliver the message to the public.

DASDEC is one of a small number of application servers that now fill the role of delivering emergency messages to television and radio stations. DASDEC encoder/decoders receive and authenticate EAS messages delivered over National Oceanic and Atmospheric Administration (NOAA) radio or relayed by a Common Alerting Protocol (CAP) messaging peer. After a station authenticates an EAS message, the DASDEC server interrupts the regular broadcast and relays the message onto the broadcast preceded and followed by alert tones that include some information about the event.

An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area. In addition, depending on the configuration of this and other devices, the attacker could forward these messages and mirror them by other DASDEC systems.

Read the technical details here.


Protocol Handling Issues in X.Org X Window System Client Libraries
Author: Ilja van Sprundel

X.Org believes all prior versions of these libraries contain the vulnerabilities discussed in this document, dating back to their introduction.

Versions of the X libraries built on top of the Xlib bridge to the XCB framework are vulnerable to fewer issues than those without. This is due to the added safety and consistency assertions in the XCB calls to read data from the network. However, most of these vulnerabilities are not caught by such checks.

Read the technical details here.


TURCK BL20/BL67 Programmable Gateways undocumented hardcoded accounts
Author: Ruben Santamarta

The affected products provide communication between the communications bus and I/O modules. According to TURCK, the BL20 and BL67 are deployed across several sectors. These include agriculture and food, automotive, and critical manufacturing. TURCK estimates that these products are used primarily in the United States and Europe with a small percentage in Asia.

This vulnerability allows an attacker to remotely access the device through its embedded FTP server by using the undocumented, hard-coded credentials. The attacker can then install trojanized firmware to control communications and processes.

This malicious code may create false communication between remote I/Os, PLCs, or DCS systems in order to compromise additional devices, disrupt legitimate services, or alter industrial processes.

Read the technical details here.


Windows Kernel Library Filename Parsing Vulnerability
Author: Lucas Apa

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Windows. User interaction is required to exploit this vulnerability in that the target must open or browse to a file or subfolder with a specially crafted name on a network SMB share, UNC share, or WebDAV web folder.

The vulnerability exists in a critical operating system DLL. An attacker can exploit this by leveraging a user-land application to browse the file system with the Windows API; for example, when opening a folder with File -> Open.

Routines within the KERNEL32.DLL dynamic link library do not properly validate substructure elements before using them to manipulate memory. This can lead to memory corruption, which an attacker can use to run arbitrary code in the context of the current user.

IOActive has developed a proof-of-concept Unicode exploit that overwrites the saved return address with arbitrary data sent by a modified SMB server.

Read the technical details here.


IBM Informix XML functions overflows
Author: Ariel Matias Sanchez

Informix is one of the world's most widely used database servers, with users ranging from the world's largest corporations to startups. Informix incorporates design concepts that are significantly different from traditional relational platforms. This results in extremely high levels of performance and availability, distinctive capabilities in data replication and scalability, and minimal administrative overhead.

Informix contains two vulnerabilities affecting several versions. Attackers can exploit these vulnerabilities to execute arbitrary code or cause denial-of-service conditions.

Read the technical details here.


Multiple Vulnerabilities in Fwknop
Author: Fernando Arnaboldi

Fwknop stands for the "FireWall KNock OPerator" and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based on a default-drop packet filter and libpcap. A server might appear to have no open ports available, but it could still grant access to certain services if authorized fwknop packets are received. Companies commonly deploy this service on exposed systems, so it is important to keep the attack surface of the service itself small.

Fwknop contains several vulnerabilities. The most critical of these might allow remote, authenticated attackers to leverage flaws to execute code and produce denial-of-service conditions.

Read the technical details here.


XBMC File Traversal Vulnerability
Author: Lucas Lundgren

XBMC is an award-winning, free, and open source (GPL) software media player and entertainment hub for digital media. XBMC is available for Linux, OSX, and Windows. Created in 2003 by a group of like-minded programmers, XBMC is a nonprofit project run and developed by volunteers located around the world. More than 50 software developers have contributed to XBMC, and 100-plus translators have worked to expand its reach, making it available in more than 30 languages.

Currently, XBMC plays almost all popular audio and video formats. It was designed for network playback, so you can stream your multimedia from anywhere in the house or directly from the Internet using almost any protocol available.

XBMC allows you to use your media "as is". It plays CDs and DVDs directly from the disk or image file, most popular archive formats from your hard drive, and files inside ZIP and RAR archives. It also scans all of your media and automatically creates a personalized library complete with box covers, descriptions, and fan art. It includes playlist and slideshow functions, a weather forecast feature, and many audio visualizations. After installing XBMC, your computer will become a fully functional multimedia jukebox.

This vulnerability is exploitable and was tested on XBMC 11 and the latest nightly build of 20121028 for Linux, Raspberry Pi, and a jailbroken AppleTV 2. Any device running XBMC with the web server enabled might be vulnerable. XBMC is not installed by default on any of the tested platforms. The XBMC team was notified of the vulnerability on October 31, 2012 and has approved the release of this advisory.

Read the technical details here.


SIEMENS Sipass Integrated 2.6 Ethernet Bus Arbitrary Pointer Dereference
Author: Lucas Apa

This vulnerability exists within AscoServer.exe during the handling of RPC messages over the Ethernet Bus. Insufficient sanity checking allows remote, unauthenticated attackers to corrupt a heap-allocated structure and then dereference an arbitrary pointer.

When manipulating an IOCP message, it is possible to alter the behavior of message parsing. This allows another IOCP message to subvert the IOCP message listener, which exposes a write-n primitive.

This flaw allows remote attackers to execute arbitrary code on the target system, under the context of the SYSTEM account, where the vulnerable versions of SIEMENS SiPass Integrated are installed.

Read the technical details here.


Invensys Wonderware InTouch 10 DLL Hijack
Author: Carlos Hollman

ICS-CERT originally released Advisory ICSA-12-177-01P on the US-CERT Portal on July 05, 2012. This web page release was delayed to provide the vendor with enough time to contact customers concerning this information.

Independent researcher Carlos Mario Penagos Hollmann has identified an uncontrolled search path element vulnerability, commonly referred to as a DLL hijack, in the Invensys Wonderware InTouch application. Successfully exploiting this vulnerability could lead to arbitrary code execution.

ICS-CERT has coordinated the report with Invensys, which has produced an upgrade to address this vulnerability. Mr. Hollmann has validated that the upgrade resolves the reported vulnerability.

Read the technical details here.


WellinTech KingView and KingHistorian Multiple Vulnerabilities
Author: Carlos Hollman

Independent researchers Carlos Hollmann and Dillon Beresford identified multiple vulnerabilities in WellinTech's KingView and a single vulnerability in WellinTech's KingHistorian applications. These vulnerabilities can be exploited remotely. WellinTech has created a patch, and the researchers have validated that the patch resolves these vulnerabilities in the KingView and KingHistorian applications.

Read the technical details here.


Sielco Sistemi Winlog Multiple Vulnerabilities
Author: Carlos Hollman

This advisory is a follow-up to the alerts titled "ICS-ALERT-12-166-01 Sielco Sistemi Winlog Buffer Overflow" that was published June 14, 2012, and "ICS-ALERT-12-179-01 Sielco Sistemi Winlog Multiple Vulnerabilities" that was published June 27, 2012, on the ICS-CERT web page.

Read the technical details here.


Wonderware Archestra ConfigurationAccessComponent ActiveX stack overflow
Author: Richard van Eeden

The Wonderware Archestra ConfigurationAccessComponent ActiveX control, which is marked "safe for scripting", suffers from a stack-overflow vulnerability. The UnsubscribeData method of the IConfigurationAccess interface uses wcscpy() to copy its first parameter into a fixed-size local buffer. Attackers can exploit this vulnerability to overwrite arbitrary stack data and gain code execution.

Read the technical details here.


Authentication Bypass In Tranax Remote Management Software
Author: Barnaby Jack

Reported: 04.05.10. The Tranax Remote Management Software (RMS) allows for the administration of common Automated Teller Machine (ATM) tasks from a remote location.

To successfully authenticate to a remote ATM, both the serial number and the RMS password are required. An attacker can leverage an implementation flaw that occurs when verifying credentials to craft a request that bypasses all authentication measures. The attacker could then perform remote management tasks with invalid credentials.

The RMS interface is enabled, by default, on a typical ATM installation.

Read the technical details here.


SQL Injection and Cross-site Scripting at www.courts.wa.gov
Author: Mike Davis, Rich Lundeen, and Sean Malone

Discovered: 03.18.10. Reported: 03.23.10. The formID parameter at http://www.courts.wa.gov/forms/ is vulnerable to SQL injection. The searchTerms parameter at http://www.courts.wa.gov/search/index.cfm is vulnerable to cross-site scripting attacks. Exploiting these vulnerabilities would likely expose sensitive data and may result in compromise of the affected systems.

Read the technical details here.


Multiple Vulnerabilities in Accoria Web Server
Author: Ilja van Sprundel

Discovered/Reported to Accoria: December 2008. Date Reported to US-Cert: March 1, 2010. The Accoria Web Server 1.4.7 for x86 Solaris exhibits multiple vulnerabilities, including cross-site scripting, directory traversal, and format string errors.

Read the technical details here.


Mach Exception Handling Privilege Escalation
Author: Richard van Eeden

Discovered: 01.05.10. Mach exception handling suffers from a vulnerability that allows an attacker to gain access to the memory of a suid process (set user identifier). Due to a vulnerability that is similar to CVE-2006-4392 (found by Dino Dai Zovi of Matasano Security), it is possible for a suid process to inherit the Mach exception ports of the parent.

Read the technical details here.


Microsoft Windows CryptoAPI X.509 Spoofing Vulnerability
Author: Dan Kaminsky (IOActive), Ian Wright and Jean-Luc Giraud (Citrix)

Release Date: 10.13.09. VUPEN ID: VUPEN/ADV-2009-2891. CVE ID: CVE-2009-2510, CVE-2009-2511. Researchers identified two vulnerabilities in Microsoft Windows relating to the use of X.509 certificates. Attackers could exploit these to bypass security restrictions.

Read the technical details here.


AppleTalk Response Packet Parsing Array Over-indexing Vulnerability
Author: Ilja van Sprundel

Discovered: 03.03.09. Reported: 03.03.09. Disclosed: 08.05.09. CVE-ID: CVE-2009-2193. The Mac OS X AppleTalk stack contains an array over-indexing vulnerability that, if exploited correctly while AppleTalk is powered on, could lead to a remote system compromise. Even if only partially exploited, it could lead to denial-of-service conditions and cause a kernel panic remotely, effectively shutting down the system.

Read the technical details here.


doc.export* Methods Allow Arbitrary File Creation

Discovered: 07.13.09. Several JavaScript methods of the Document Object do not honor the Privileged Context and Safe Path settings. IOActive was able to execute certain privileged JavaScript methods that can be used to create arbitrary files and folders on a targeted file system.

Read the technical details here.


Recursive Stack Overflow in ClamAV
Author: Ilja van Sprundel

Reported: 10.30.08. Patched: 12.01.08. Disclosed: 06.09.0. ClamAV's JPEG parser contains code that recursively checks thumbnails, if they are included. Since the thumbnails can themselves be JPEGs, there is no limit to the number of recursions that can occur. This can lead to stack overflows.

Read the technical details here.


Heap Corruption in Tor
Author: Ilja van Sprundel

Discovered: January 2009. Reported: 01.20.09. Disclosed: 06.08.09. There is a potential heap corruption bug in Tor when escaping data for logging purposes. Only certain deployments are vulnerable, and the bug can be triggered only from certain locales.

Read the technical details here.


Diskimages-helper band-size Vulnerability
Author: Tiller Beauchamp

Reported to Vendor: 09.30.08. Patch Released: 04.29.09. CVE ID: CVE-2009-0150. A signed-to-unsigned conversion flaw exists in diskimages-helper when it reads the band-size parameter. When the value specified for the band-size key is changed to a negative number, the diskimages-helper process crashes when the user attempts to log in.

Read the technical details here.


Pointer Dereference in OpenSolaris
Author: Ilja van Sprundel

Reported: 09.29.08. Disclosed: 02.04.09. Patched: 02.05.09. The OpenSolaris kernel exhibits a vulnerability around a userland pointer dereference, and allows both reading from and writing to the kernel.

Read the technical details here.


Multiple Vulnerabilities in Apple's MobileMe Service
Author: Richard van Eeden, Ilja van Sprundel

Reported: 08.05.08. Patched: 11.06.08. Disclosed: 11.20.08. Apple's MobileMe (me.com) web service contains several serious security vulnerabilities. The most critical vulnerability combines cross-site request forgery and cross-site scripting, and allows an attacker to access the service without a valid password.

Read the technical details here.


QNX ker_msg_sendv System Call Integer Overflow
Author: Ilja van Sprundel

Discovered: 10.30.08. Reported: 10.30.08. Disclosed: 10.31.08. QNX's ker_msg_sendv() system call contains an integer overflow that could lead to heap corruption and, if correctly exploited, system compromise. If only partially exploited, this could lead to denial-of-service conditions and kernel panic, effectively shutting down the system.

Read the technical details here.


DNS TXT Record Parsing Bug in LibSPF2
Author: Dan Kaminsky

Reported: 10.20.08. Disclosed: 10.21.08. Researchers discovered in LibSPF2 a relatively common bug in the parsing of TXT records delivered over DNS, a bug dating back at least to 2002 in Sendmail 8.2.0 and almost certainly much earlier. This library retrieves Sender Policy Framework (SPF) records and applies policy according to those records. This implementation flaw allows for relatively flexible memory corruption and should be treated as a path to anonymous remote code execution.

Read the technical details here.


Buffer Overflow in Mono BigInteger Montgomery Reduction Method
Author: Jason Larsen, Walter Pearce

CVE-2007-5197, VU#146292. Discovered: 07.25.07. Reported: 08.24.07. Disclosed: 09.20.07. An exploitable buffer overflow vulnerability exists in the Montgomery reduction method within the Mono Framework's BigInteger class (Mono.Math.BigInteger).

Read the technical details here.


Multiple Total Remote Compromise Vulnerabilities in Mercury SiteScope Monitoring Software
Author: Chris Paget

CVE-2007-6257, VU#245025. Discovered: 10.05.06. Disclosed: 09.20.07. Critical vulnerabilities exist within the Mercury SiteScope server monitoring software. Some of these can result in a complete remote compromise of the entire monitored network, as well as arbitrary code execution on all servers managed by the SiteScope software.

Read the technical details here.


Multiple Buffer Overflows in legacy mod_jk2 apache module 2.0.3-DEV and earlier
Author: Josh Betts, Jason Larsen, Walter Pearce

CVE-2007-6257, VU#245025. Discovered: 05.01.07. Reported: 06.27.07. Disclosed: 09.20.07. A buffer overflow vulnerability exists in the Host header field of the legacy version of the mod_jk2 Apache module (jakarta-tomcat-connectors), which allows for remote code execution in the context of the Apache process.

Read the technical details here.


Static Microsoft Windows WPAD entries might allow interception of traffic
Author: Chris Paget

CVE-2007-1692. Disclosed: 03.26.07. The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries. A remote attacker could leverage this to intercept web traffic by registering a proxy server using WINS or DNS, then responding to WPAD requests.


Numerous WebEOC Vulnerabilities

VU#956762, VU#170394, VU#138538, VU#372797, VU#491770, VU#258834, and VU#388282. Date first published: July 2005.
  • WebEOC is vulnerable to a denial-of-service condition via uploading large files (VU#956762). Details »
  • WebEOC account lock-out policy may allow a denial-of-service (VU#170394). Details »
  • WebEOC is vulnerable to cross-site scripting attacks (VU#138538). Details »
  • WebEOC contains multiple SQL injection vulnerabilities (VU#372797). Details »
  • WebEOC implements weak algorithms to encrypt sensitive information (VU#491770). Details »
  • WebEOC privileges are based on client-side authorization (VU#258834). Details »
  • WebEOC uses a global shared key (VU#388282). Details »

