Downclimb: Summit Route’s Weekly Infosec News Recap
2014.09.19 – 2014.09.26: https://SummitRoute.com
Top stories
Shellshock: RCE in bash
CVE-2014-6271: Given the ability to set bash environment variables, you can get code execution (bash imports function definitions from the environment and also runs any commands that trail the function body). One major attack vector is CGI scripts that are written in bash, or that spawn bash, since the web server sets environment variables from HTTP header values. Another is DHCP clients. This is bigger than Heartbleed because it allows RCE instead of only leaking memory, and the exploits are easy because it's just bash scripting.
- Original announcement: http://seclists.org/oss-sec/2014/q3/650
- In-The-Wild attack spotted: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
- Explanation on how this is used with links to some patches and snort signatures: http://garage4hackers.com/entry.php?b=3087
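As an added example (not from the original post or the linked write-ups), a small detector for the CGI vector: it scans web server access logs for the bash function-definition marker in the two request headers that the default Apache "combined" format records. The log lines are constructed for the example.

```python
import re

# Constructed Apache "combined" log lines for the example (not real traffic).
# Lines 1 and 3 carry a Shellshock-style function definition in a header.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.4 - - [25/Sep/2014:10:15:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:16:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored; }; /bin/true" "curl/7.37.0"
"""

# Apache "combined" format: only Referer and User-Agent are logged, so other
# headers an attacker could use (Cookie, Host, ...) are invisible to this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# bash recognises an exported function as a value starting with "()" followed by
# optional whitespace and "{"; that prefix is what the in-the-wild probes carry.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def shellshock_field(entry):
    """Name of the first logged header field carrying the marker, or None."""
    for field in ("referer", "user_agent"):
        if SHELLSHOCK_RE.search(entry[field]):
            return field
    return None


def scan(log_text):
    """Return one hit per suspicious line: source IP, request line and offending field."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a production scanner should count these
        field = shellshock_field(entry)
        if field:
            hits.append({"ip": entry["ip"], "request": entry["request"], "field": field})
    return hits
```

A hit only shows that a probe reached the server; whether it succeeded depends on the target script and on bash being unpatched, so correlate with the response status and with process or outbound-connection telemetry from the host.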
BERserk: Mozilla Network Security Services (NSS) fails to properly verify RSA signatures
CVE-2014-1568: This vulnerability affects Mozilla products (Firefox, Thunderbird, etc.) and Google products (Chrome and ChromeOS). It allows attackers to forge RSA signatures on certificates, which leaves SSL/TLS connections open to MITM. The impact is similar to Apple's #gotofail bug.
- http://blogs.mcafee.com/executive-perspectives/need-know-berserk-mozilla
Xen missing checks on privileged instructions
CVE-2014-7155: The x86 instructions HLT, LGDT, LIDT, and LMSW are privileged and are supposed to be usable only by code running in the kernel. Xen's hypervisor fails to check whether these instructions were executed from a guest user process rather than the guest kernel. This allows guest user processes to escalate to the guest kernel.
- http://seclists.org/oss-sec/2014/q3/643
jQuery.com compromised
jQuery is one of the most popular JavaScript libraries. Many sites link directly to the copy of the library hosted on jquery.com, but luckily that copy does not appear to have been impacted. The attackers only added malicious scripts that would be encountered by visitors who browsed directly to jquery.com. The attackers likely compromised the site in some automated fashion that did not take into account what they had access to, or else they could have used it to compromise many more sites.
- http://www.riskiq.com/resources/blog/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-risk#.VCGpsfneH3Q
Tools
- 2014 Hex-Rays IDA Pro plugin contest winners announced: In addition to IDA Sploiter, discussed last week, there are plugins for automatically identifying inlined functions (GraphSlick), correlating disassembled code with open source code (BinSourcerer), and one for helping reverse code that works with big integers, as seen in RSA implementations (Bignum dumper).
Other reads
- OS X Persistence mechanisms
- Analysis of CAs trusted by iOS: iOS 8.0 ships with 222 root CAs.
- Arris Cable Modem Backdoor