VU#304455: Authentication Bypass in Tenda N300 Wireless N VDSL2 Modem Router

Overview

An authentication bypass vulnerability exists in the N300 Wireless N VDSL2 Modem Router manufactured by Tenda. This vulnerability allows a remote, unauthenticated user to access sensitive information.

Description

CVE-2023-4498 is an authentication bypass vulnerability that enables an unauthenticated attacker who has access to the web console, either locally or remotely, to access resources that would normally be protected. The attacker can construct a web request that includes a white-listed keyword in the path, causing the URL to be served directly (rather than blocked or challenged with an authentication prompt).
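The allow-list pitfall described above, as an added example that is not Tenda's firmware code: a request handler that exempts a request from authentication because an allow-listed keyword appears anywhere in the request target can be bypassed, whereas matching the normalised path against exact exempt prefixes is not. The exempt prefixes and request targets are constructed sample values.

```python
import posixpath
from typing import Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample allow-list of static resources served without login.
EXEMPT_PREFIXES: Tuple[str, ...] = ("/images/", "/css/", "/js/")


def naive_requires_auth(request_target: str) -> bool:
    """Flawed check: a substring match on the raw request target, so any
    request that merely mentions an exempt keyword (in a later path segment
    or in the query string) is served without an authentication prompt."""
    return not any(keyword in request_target for keyword in EXEMPT_PREFIXES)


def normalised_path(request_target: str) -> str:
    """Reduce the request target to the resource that would actually be
    served: drop query/fragment, percent-decode, collapse '.' and '..'."""
    path = unquote(urlsplit(request_target).path) or "/"
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"          # normpath strips the trailing slash; keep it
    return norm


def hardened_requires_auth(request_target: str) -> bool:
    """Exempt only requests whose normalised path begins with an exempt
    prefix; everything else requires authentication, including paths that
    contain a keyword elsewhere or try to escape the exempt tree."""
    path = normalised_path(request_target)
    return not any(path.startswith(prefix) for prefix in EXEMPT_PREFIXES)


if __name__ == "__main__":
    for target in ("/images/logo.png", "/cgi-bin/admin?file=/css/",
                   "/admin/images/", "/css/%2e%2e/cgi-bin/admin"):
        print(f"{target!r}: naive={naive_requires_auth(target)} "
              f"hardened={hardened_requires_auth(target)}")
```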

Impact

Successful exploitation of this vulnerability could grant the attacker access to pages that would otherwise require authentication. An unauthenticated attacker could thereby gain access to sensitive information, such as the Administrative password, which could be used to launch additional attacks.

Solution

There is no known solution to the vulnerability. Always update your router to the latest available firmware version. Disabling both the remote (WAN-side) administration services and the web interface on the WAN on any SoHo router is also recommended.

Acknowledgements

Thanks to the reporter from the Spike Reply Cybersecurity Team. This document was written by Timur Snoke.


VU#757109: Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account

Overview

Groupnotes Inc. Videostream Mac client installs a LaunchDaemon that runs with root privileges. The daemon is vulnerable to a race condition that allows for arbitrary file writes. A low privileged attacker can escalate privileges to root on affected systems.

Description

Every five hours the Videostream LaunchDaemon runs with root privileges to check for updates. During the download, it’s possible to replace the update file as any user with a crafted tar archive. The LaunchDaemon process will extract the archive and replace any requested file on the system.

Impact

An attacker with low privilege access can overwrite arbitrary files on the affected system. This can be leveraged to escalate privileges to control the root account.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Acknowledgements

Thank you to Dan Revah for reporting this issue.

This document was written by Kevin Stephens.


VU#287122: Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process

Overview

The Parsec updater for Windows was prone to a local privilege escalation vulnerability that allowed a local user with Parsec access to gain NT AUTHORITY\SYSTEM privileges.

Description

The vulnerability is a time-of-check time-of-use (TOCTOU) vulnerability. There existed a small window between verifying the signature and integrity of the update DLL and the execution of the DLL's DllMain.

By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250.

CVE-2023-37250
The application launches DLLs from a user-owned directory. Since the user owns both the DLL file and the directory, it is possible to trick Parsec into loading an unsigned/arbitrary DLL file and executing its DllMain() method with SYSTEM privileges, creating a local privilege escalation vulnerability.

Impact

By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user.

Solution

The vulnerability applies to a “Per User” installation as opposed to a “Shared User” installation. An update has been made available. To force an update, you can either completely quit and re-open the application several times until the loader is updated (confirm this in the logs), or you can download a special installer that only updates the files inside the program files directory from https://builds.parsec.app/package/parsec-update-executables.exe.

Acknowledgements

Thanks to the reporter, Julian Horoszkiewicz. This document was written by Timur Snoke.


VU#127587: Python Parsing Error Enabling Bypass CVE-2023-24329

Overview

urllib.parse is a very basic and widely used URL parsing function in various applications.

Description

An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects the parsing of both the hostname and the scheme, and eventually causes any blocklisting methods to fail.

URL Parsing Security *

The urlsplit() and urlparse() APIs do not perform validation of inputs. They may not raise errors on inputs that other applications consider invalid. They may also succeed on some inputs that might not be considered URLs elsewhere. Their purpose is for practical functionality rather than purity.

Instead of raising an exception on unusual input, they may instead return some component parts as empty strings. Or components may contain more than perhaps they should.

We recommend that users of these APIs, where the values may be used anywhere with security implications, code defensively. Do some verification within your code before trusting a returned component part. Does that scheme make sense? Is that a sensible path? Is there anything strange about that hostname? etc.

What constitutes a URL is not universally well defined. Different applications have different needs and desired constraints. For instance, the living WHATWG spec describes what user-facing web clients such as a web browser require, while RFC 3986 is more general. These functions incorporate some aspects of both, but cannot be claimed compliant with either. The APIs and existing user code with expectations on specific behaviors predate both standards, leading us to be very cautious about making API behavior changes.

*Note: This was added as part of the documentation update in https://github.com/python/cpython/pull/102508
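The defensive parsing the documentation asks for, as an added example (not code from the CERT/CC note or from CPython): the blocklist pattern that CVE-2023-24329 defeats, next to a validation routine that rejects leading blanks, allow-lists the scheme and only then consults the host blocklist. The blocked hosts and URLs are constructed sample values; whether the naive check is actually bypassed depends on whether the interpreter carries the fix.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed sample policy: hosts that must never be fetched, schemes allowed.
BLOCKED_HOSTS = {"evil.example", "169.254.169.254"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_blocked(url: str) -> bool:
    """Blocklist keyed on whatever urlparse() returns. On an unfixed
    interpreter a leading blank makes scheme and netloc parse as empty, so
    ' http://evil.example/' yields hostname None and is not matched."""
    return urlparse(url).hostname in BLOCKED_HOSTS


def has_untrusted_prefix(url: str) -> bool:
    """True when the URL starts with whitespace or a C0 control character,
    the class of input urlparse() may silently mis-split."""
    return bool(url) and (url[0].isspace() or ord(url[0]) < 0x20)


def validate_url(url: str) -> Optional[str]:
    """Parse defensively: refuse odd prefixes or surrounding whitespace,
    require an allow-listed scheme and a non-empty hostname, and only then
    apply the host blocklist. Returns the hostname or None if rejected."""
    if not url or has_untrusted_prefix(url) or url != url.strip():
        return None
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    host = parts.hostname          # already lower-cased by urlparse
    if not host or host in BLOCKED_HOSTS:
        return None
    return host


if __name__ == "__main__":
    for candidate in ("https://api.example/v1", " http://evil.example/",
                      "http://evil.example/", "file:///etc/passwd"):
        print(f"{candidate!r}: naive_blocked={naive_is_blocked(candidate)} "
              f"validated_host={validate_url(candidate)}")
```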

Impact

Due to this issue, attackers can bypass any domain or protocol filtering method implemented with a blocklist. Protocol filtering failures can lead to arbitrary file reads, arbitrary command execution, SSRF, and other problems. Failure of domain name filtering may lead to re-access of blocked bad or dangerous websites or to failure of CSRF referer type defense, etc.

Because this vulnerability exists in the most basic parsing library, more advanced issues are possible.

Solution

The fixes are in the following releases:

fixed in >= 3.12
fixed in 3.11.x >= 3.11.4
fixed in 3.10.x >= 3.10.12
fixed in 3.9.x >= 3.9.17
fixed in 3.8.x >= 3.8.17
fixed in 3.7.x >= 3.7.17

Acknowledgements

Thanks to the reporter, Yebo Cao for researching and reporting this vulnerability.

This document was written by Ben Koo.


VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution

Overview

Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host.

Description

Freewill Solutions IFIS new trading web application passes a user-controlled variable directly to a shell_exec function call on a specific report page. To exploit the vulnerability, an attacker can add shell metacharacters to the user-controlled variable so that the application executes attacker-specified commands.

Impact

An attacker with access to the application's web interface can execute code on the remote host. This level of access allows for complete compromise of the affected machine.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Acknowledgements

Thanks to Sameer Mohite (Mandiant) for reporting the vulnerability.

This document was written by Kevin Stephens.


VU#813349: Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation

Overview

The software driver for the D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains an unquoted service path privilege escalation vulnerability. In certain conditions, this flaw can lead to a local privilege escalation.

Description

The D-Link DWA-117 AC600 MU-MIMO is a Wi-Fi USB adapter that provides Wi-Fi network access over USB. D-Link provides a software driver for the Microsoft Windows operating system that enables proper operation of the device with the operating system. The latest software driver (as of April 19, 2023) was found susceptible to an unquoted service path vulnerability. Given certain conditions are met, there is potential for a local privilege escalation allowing an attacker to escalate privileges to a local administrative user.

The following conditions are required to trigger this bug:
* The software is installed in a directory with a space in its name. (The default directory settings will work.)
* An unprivileged user has write access to the directory above the folder that contains the space in its name. (Typical default Windows user permissions are sufficient.)
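An audit helper for the first condition, added here as an example that is not D-Link's or CERT/CC's code: given a service's ImagePath value, it flags an unquoted executable path that contains a space and returns the quoted ImagePath that closes the issue. The service names and ImagePath values are constructed samples, not the driver's real registry entries, and the second condition (write access to a parent directory) is a file-system ACL check that this string-level audit does not cover.

```python
import re
from typing import Dict, Optional, Tuple

# For this audit an unquoted ImagePath is taken to end at the first ".exe"
# token; whatever follows is treated as service arguments.
_EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)


def split_image_path(image_path: str) -> Tuple[str, str]:
    """Split a service ImagePath into (executable, arguments).
    A quoted path ends at the closing quote, an unquoted one at '.exe'."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                       # unterminated quote: rest is path
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    m = _EXE_END.search(s)
    if m is None:
        return s, ""
    return s[:m.end()], s[m.end():].strip()


def is_unquoted_with_spaces(image_path: str) -> bool:
    """The condition from the note: the path is not quoted and the
    executable's full path contains a space (e.g. 'Program Files')."""
    s = image_path.strip()
    if s.startswith('"'):
        return False
    exe, _ = split_image_path(s)
    return " " in exe


def remediate_image_path(image_path: str) -> Optional[str]:
    """Return the corrected ImagePath (executable wrapped in double quotes,
    arguments preserved), or None when the value is already safe."""
    if not is_unquoted_with_spaces(image_path):
        return None
    exe, args = split_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(services: Dict[str, str]) -> Dict[str, str]:
    """Audit a {service_name: ImagePath} mapping and return only the entries
    that need fixing, mapped to their remediated ImagePath."""
    findings = {}
    for name, path in services.items():
        fix = remediate_image_path(path)
        if fix is not None:
            findings[name] = fix
    return findings


# Constructed sample registry values (not the real D-Link driver's entries).
SAMPLE_SERVICES = {
    "VendorWifiSvc": r"C:\Program Files\Vendor\Wi-Fi Adapter\wifisvc.exe -k run",
    "SafeQuoted": r'"C:\Program Files\Vendor\helper.exe" -k run',
    "NoSpaces": r"C:\Vendor\agent.exe",
}

if __name__ == "__main__":
    for svc, fixed in audit(SAMPLE_SERVICES).items():
        print(f"{svc}: set ImagePath to {fixed}")
```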

Impact

An attacker with low level access can execute code as the system account. The increased privileges allow for access to sensitive files and malicious modifications to the system.

Solution

D-Link has provided a patch that addresses the issue. Customers should update their driver to the latest version.

Acknowledgements

Thanks to @L1v1ng0ffTh3L4n for reporting the vulnerability.

This document was written by Kevin Stephens.


VU#653767: Perimeter81 macOS Application Multiple Vulnerabilities

Overview

A command injection vulnerability can be used in the Perimeter81 macOS application to run arbitrary commands with administrative privileges.

Description

At the time, the latest Perimeter81 macOS application (10.0.0.19) suffers from a local privilege escalation vulnerability inside its com.perimeter81.osx.HelperTool. This HelperTool allows the main application to set up things that require administrative privileges, such as a VPN connection, changing the routing table, etc.

By combining insufficient checks of an XPC connection with a crafted dictionary containing the key “usingCAPath”, a command can be appended to that key's value and run with administrative privileges.

Impact

By exploiting the vulnerability, attackers can run arbitrary commands with administrative privileges.

Solution

Perimeter81 has released a fix in version 10.1.2.318 (https://support.perimeter81.com/docs/macos-agent-release-notes).

Acknowledgements

Thanks to Erhad Husovic, who also published vulnerability details at https://www.ns-echo.com/posts/cve_2023_33298.html.

This document was written by Ben Koo.


VU#913565: Hard-coded credentials in Technicolor TG670 DSL gateway router

Overview

The Technicolor TG670 DSL Gateway Router includes a hard-coded service account that allows for authentication over services on the WAN interface, using HTTP, SSH, or TELNET. The authenticated user can use it to gain full administrative control of the router.

Description

A hard-coded password refers to an unchangeable password that is stored within a device or an application. This type of password carries a significant risk as it can be exploited by malware or hackers to gain unauthorized access to devices and systems, enabling them to engage in malicious activities. In certain cases, a hard-coded account may possess administrative privileges, granting complete control over a device through an account that cannot be modified or deactivated.

Recently, it was uncovered that the Technicolor TG670 DSL Gateway Router with firmware version 10.5.N.9 contains more than one hard-coded service account. These particular accounts allow full administrative access to the device via the WAN interface. If Remote Administration is enabled, the device can be remotely accessed from an external network interface, such as the Internet. This account seems to have full administrative access to modify the device settings. Additionally, it appears that this account is not documented and cannot be disabled or removed from the device.

Impact

A remote attacker can use the default username and password to log in as the administrator of the router device. This allows the attacker to modify any of the administrative settings of the router and use it in unexpected ways. This requires that Remote Administration be enabled on the router, which is the default setting as observed by the CODE WHITE security researcher Florian Hauser.

Solution

It is recommended that you check with your service provider whether appropriate patches and updates are available to resolve the hard-coded credentials stored on the devices. As a precaution, it is also recommended that you disable Remote Administration (WAN-side administration) when it is not needed, to reduce the risk of abuse of this service account.

Acknowledgements

Thanks to Florian Hauser from CODE WHITE for reporting this vulnerability.

This document was written by Timur Snoke.


VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption

Overview

Two buffer overflow vulnerabilities were discovered in the Trusted Platform Module (TPM) 2.0 reference library specification, currently at Level 00, Revision 01.59 November 2019. An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities. This allows either read-only access to sensitive data or overwriting of normally protected data that is only available to the TPM (e.g., cryptographic keys).

Description

Trusted Platform Module (TPM) technology is a hardware-based solution that provides secure cryptographic functions to the operating systems on modern computers, making it resistant to tampering. As cloud computing and virtualization have become more popular in recent years, software-based TPM implementations have also gained popularity. In its hardware form, a TPM can be implemented as a discrete, integrated or firmware TPM. Virtual TPMs exist in hypervisor form or as a purely software-based TPM implementation, e.g., swtpm. The Trusted Computing Group (TCG) is responsible for maintaining the TPM specifications, which are actively contributed to by both hardware and software manufacturers. The TCG released the TPM 2.0 specifications in October 2014 and has since revised them multiple times. The latest version, Revision 01.59, was released in November 2019. Many TPM hardware and software manufacturers use these specifications to build firmware that complies with standards and provides a secure interface to sensitive cryptographic data. TPM is employed in a variety of devices, from specialized enterprise-grade hardware to Internet of Things (IoT) appliances.

The TPM Library Specification Architecture documents “Session-based encryption” that allows a cryptographic client application to perform various operations, including those that provide Parameter Encryption capabilities. Session-based encryption may be used to ensure confidentiality of these parameters. The operating system or the client software relies on the TPM to securely provide capabilities such as Cipher Feedback (CFB) for block cipher or streaming hash-based XOR obfuscation of the intended parameter payloads.

Quarkslab security researchers found two vulnerabilities in the way the TPM reference specification processes some of these parameters that are part of TPM commands. An out-of-bounds (OOB) read vulnerability in the CryptParameterDecryption() routine allowed a 2-byte read of data that was not part of the current session. It was also possible to write 2 bytes past the end of the current command buffer, resulting in memory corruption.

An attacker with access to a device built with a vulnerable version of the TPM can trigger this bug by sending crafted commands to the TPM. The vulnerable TPM can thus be tricked to access data that is not part of the intended operation. As the OS relies on the TPM firmware for these functions, it may be difficult to detect or prevent such access using traditional host-based security capabilities.

Impact

An authenticated, local attacker could send maliciously crafted commands to a vulnerable TPM allowing access to sensitive data. In some cases, the attacker can also overwrite protected data in the TPM firmware. This may lead to a crash or arbitrary code execution within the TPM. Because the attacker’s payload runs within the TPM, it may be undetectable by other components of the target device.

Solution

Apply an update
The Trusted Computing Group (TCG) has released an update to their Errata for TPM2.0 Library Specification with instructions to address these vulnerabilities. To ensure the security of their systems, users should apply any updates provided by hardware and software manufacturers through their supply chain as soon as possible. Updating the firmware of TPM chips may be necessary, and this can be done through an OS vendor or the original equipment manufacturer (OEM). In some cases, the OEM may require resetting the TPM to its original factory default values as part of the update process.

Users in high-assurance computing environments should consider using TPM Remote Attestation to detect any changes to devices and ensure their TPM has not been tampered with. As these attacks involve TPM-based software, mechanisms such as user-password or PIN protection and tpm-totp do not protect against attacks leveraging the vulnerabilities discussed in this article.

Note: the TCG’s Errata covers a larger scope and addresses additional security issues beyond the two vulnerabilities discussed in this advisory.

Acknowledgements

Thanks to Francisco Falcon and Ivan Arce of Quarkslab, who researched and reported these vulnerabilities, respectively. The TCG and their members worked closely with us and other vendors to coordinate the disclosure of these vulnerabilities. Note that Immune GmbH’s https://github.com/immune-gmbh/tpm-vuln-checker software has added support for detecting this vulnerability.

This document was written by Vijay Sarvepalli.


VU#572615: Vulnerabilities in TP-Link routers, WR710N-V1-151022 and Archer C5 V2

Overview

TP-Link router WR710N-V1-151022 running firmware published 2015-10-22 and Archer-C5-V2-160201 running firmware published 2016-02-01 are susceptible to two vulnerabilities:

  1. A buffer overflow during HTTP Basic Authentication allowing a remote attacker to corrupt memory allocated on the heap, causing denial of service or arbitrary code execution;
  2. A side-channel attack via a strcmp() function in the HTTP daemon allowing deterministic guessing of each byte of a username and password input during authentication.

Description

TP-Link device WR710N-V1-151022 is a 150Mbps Wireless N Mini Pocket router, and Archer-C5-V2-160201 is a Wireless Dual Band Gigabit router. These SOHO devices are sold by TP-Link, and their latest firmware available as of January 11, 2023, has two vulnerabilities.

CVE-2022-4498
When receiving user input during HTTP Basic Authentication mode, a crafted packet may cause a heap overflow in the httpd daemon. This can lead to denial of service (DoS) if the httpd process crashes or arbitrary remote code execution (RCE).

CVE-2022-4499
A strcmp() function in httpd is susceptible to a side-channel attack when used to verify username and password credentials. Because strcmp() returns at the first mismatching byte, the response time of the vulnerable process depends on how many leading bytes are correct, so each byte of the username and password strings may be easier to guess.

Impact

The two different vulnerabilities have unrelated impacts. The first vulnerability is a heap-based buffer overflow that can cause a crash or allow for arbitrary remote code execution. The second vulnerability is an information disclosure issue where the function used by the httpd process may allow an attacker to guess each byte of a username and password deterministically.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Acknowledgements

Thanks to the reporter, Jonathan Bar of Microsoft, for responsibly disclosing these issues.

This document was written by Timur Snoke.
