Downclimb: Summit Route's Weekly Infosec News Recap
2014.09.19 – 2014.09.26: https://SummitRoute.com
Shellshock: RCE in bash
CVE-2014-6271: Anyone who can set the value of a bash environment variable can get code execution. One major attack vector is CGI scripts written in bash (or that invoke bash), since web servers set environment variables from HTTP header contents. Another is DHCP clients. This is bigger than Heartbleed because it gives RCE instead of only leaking memory, and the exploits are easy because they are just bash scripting.
- Original announcement: http://seclists.org/oss-sec/2014/q3/650
- In-The-Wild attack spotted: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
- Explanation on how this is used with links to some patches and snort signatures: http://garage4hackers.com/entry.php?b=3087
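As an added illustration of the CGI vector described above (example code written for this recap, not from Summit Route or any of the linked posts): it parses a constructed HTTP request, maps each header to the CGI environment variable name a server would export it as, and flags any value carrying the `() {` function-definition prefix that unpatched bash would parse on startup. The hostnames, paths and header values are constructed for the example.

```python
import re

# Bash's function-export convention: an exported variable whose value begins
# with "() {" is parsed as a function definition when a child bash starts.
# Unpatched bash (CVE-2014-6271) kept parsing past the closing brace and ran
# whatever followed, so any header value carrying this prefix is suspect.
# The match is deliberately unanchored (broad) to favour detection over misses.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def cgi_env_name(header_name: str) -> str:
    """Map an HTTP header name to the CGI environment variable a web server
    exports it as (RFC 3875: uppercase, '-' becomes '_', 'HTTP_' prefix,
    except Content-Type and Content-Length which have no prefix)."""
    upper = header_name.strip().upper().replace("-", "_")
    if upper in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return upper
    return "HTTP_" + upper


def parse_headers(raw_request: str):
    """Return (name, value) pairs from a raw HTTP request, ignoring the
    request line and stopping at the blank line that ends the header block."""
    headers = []
    for line in raw_request.splitlines()[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def find_shellshock_headers(raw_request: str):
    """Return the CGI env var names that would carry a Shellshock-style value."""
    return [cgi_env_name(name) for name, value in parse_headers(raw_request)
            if SHELLSHOCK_RE.search(value)]


# Constructed sample requests (not captured traffic).
BENIGN = ("GET /cgi-bin/status.sh HTTP/1.1\r\n"
          "Host: example.test\r\n"
          "User-Agent: Mozilla/5.0 (constructed)\r\n\r\n")
SUSPECT = ("GET /cgi-bin/status.sh HTTP/1.1\r\n"
           "Host: example.test\r\n"
           "User-Agent: () { :; }; echo constructed-probe\r\n"
           "Referer: () {:;}; echo constructed-probe\r\n\r\n")

if __name__ == "__main__":
    print(find_shellshock_headers(BENIGN))   # []
    print(find_shellshock_headers(SUSPECT))  # ['HTTP_USER_AGENT', 'HTTP_REFERER']
```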
BERserk: Mozilla Network Security Services (NSS) fails to properly verify RSA signatures
CVE-2014-1568: This vuln affects Mozilla products (Firefox, Thunderbird, etc.) and Google products (Chrome and ChromeOS). It allows attackers to forge RSA certificates, which leaves SSL/TLS connections open to MITM. The impact is similar to Apple's #gotofail bug.
Xen missing checks on privileged instructions
CVE-2014-7155: The x86 instructions HLT, LGDT, LIDT, and LMSW are supposed to be usable only by code running in the kernel. Xen's hypervisor failed to check whether these instructions were executed by a user process rather than the guest kernel, so a guest user process can escalate to guest kernel privileges.
- 2014 Hex-Rays IDA Pro plugin contest winners announced: In addition to IDA Sploiter, discussed last week, there are plugins for automatically identifying inlined functions (GraphSlick), correlating disassembled code with open source code (BinSourcerer), and one for helping reverse code that works with big integers, as seen in RSA implementations (Bignum dumper).