Skip to content

Posts tagged ‘0day’

7
May

Mac OS X Skype 0day Remote Code Execution Vulnerability [Updated]

A fairly significant 0day vulnerability is being reported in the Skype client (< 5.1.0.922) for Mac OS X. By sending a specially-crafted instant message, an attacker may be able to remotely execute code on the recipient’s computer and gain access to a root shell. This issue has been discovered (by accident it seems) by Gordon Maddern of Australian security consultancy Pure Hacking.

“About a month ago I was chatting on skype to a collegue about a payload for one of our clients.  Completely by accident, my payload executed in my collegues skype client. I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac skype client that seemed to be affected. […] Low and behold (sic) I was able to remotely gain a shell.”

It is believed that due to the relative simplicity in the delivery of the payload, it may be possible for this attack to be automated in the form of a worm. Skype are aware of this issue, but have yet to release a patch (see below). Mac users should be extra careful until a patch is made available, and in the short term I recommend quitting Skype when not using it, or at least checking that your Skype client is set to only allow messages from your contacts (Skype > Preferences > Privacy Tab > Allow Messages From: Contacts).

No further details or proof-of-concept of the vulnerability are available as of yet, although I’d be interested to see it… time to start pasting random Metasploit payloads into Skype! ;)

[Updated 8/5/2011] Skype addressed this vulnerability in version 5.1.0.922 of the Mac OS X client. Run the updater by going to the Skype menu > Check for Updates, or download the latest  version here.

Full disclosure of the vulnerability is now available here. In short, the issue was a persistent XSS that could be used to redirect the user to a malicious website. Here’s the PoC attack string:

http://www.example.com/?foo=”><script>document.location=’http://10.11.1.225′;</script>

31
Aug

Apple QuickTime 7.6.7 “_Marshaled_pUnk” Code Execution Vulnerability and Metasploit Exploit

A new (read: yet another) 0day QuickTime vulnerability has been discovered by researcher Ruben Santamarta which leads to arbitrary client-side code execution. The vulnerability, which affects QuickTime <= 7.6.7 on Windows XP, Vista and 7 and defeats DEP and ASLR, is due to a flaw in the way the QuickTime ActiveX controller handles a supplied parameter and treats it as a trusted pointer.

This vulnerability can be exploited by luring the victim to a malicious web page. A heap-spraying Metasploit module has already been published which exploits this issue.

Read Reuben’s original advisory and then get Firefox.

15
May

Mitigating SSH Vulnerabilities Using Single Packet Authorization

Note: This is a 2008 post I managed to recover from my archive of Securethoughts.net

This past week has seen a bit of activity on the SSH security front. To begin with, on Tuesday (13/05/08) Linux distributions Debian and Ubuntu announced that due to a flaw in the random number generator used to generate cryptographic keys used by OpenSSL, OpenSSH and OpenVPN, making these keys far more predictable than they should be, and can be discovered by performing a brute force attack. This is particularly true of the encryption keys used by OpenSSH. HD Moore of the Metasploit project has created a page cover these vulnerabilities, with links to tools that can be used to check for weak keys, as well as key blacklists.

Coincidentally, on Wednesday (14/05/08) a number of network administrators issued warnings of increased brute force and dictionary attacks on systems running SSH. It is believed, however, that these increased attacks are most likely unrelated to the vulnerabilities disclosed in SSH the day before.
As a result of the vulnerability disclosures, users of Ubuntu and Debian systems are not only strongly encouraged to update their software, but also delete all cryptographic keys generated between September 2006 and the 13th of May 2008, and re-generate new keys. Some Debian system administrators, whose systems make significant OpenSSH and OpenVPN, frantically trying to determine which systems are vulnerable and where new keys need to be generated.
As you can expect, due to the nature of services like SSH, it is quite a crucial service to keep secure. Doing so is potentially a complex task due to brute force/dictionary attacks, weak key attacks, and 0day exploits. This is one area in particular where Single Packet Authorization (SPA) excels.
SPA is a method for keeping a host’s firewall completely closed down until a valid authorization packet is received, which will then allow the authorized client to connect during a very short timeframe. As such, an attacker cannot even reach the SSH daemon in order to carry out the attacks mentioned above. This would give system administrators a lot more breathing room for carrying out updates, re-generating keys, etc. It essentially adds an extra layer of security, and adds to the concept of defense-in-depth which is an important part good all-round security.

A very robust implementation of SPA is the Firewall Knock Operator (fwknop), developed in Perl by Michael Rash, which includes features such as replay-protection. I’ll be posting a tutorial on setting up fwknop on OS X very soon. Aldaba, another implementation by Luis Martin Garcia, is written entirely in C, and offers similar functionality to fwknop. Finally the latest implementation that has come to my attention in the past few days is “Ramius“, written entirely in Bash by John Brendler. Although I have not tested it yet, it’s good to see new implementations using readily-available tools.

css.php