SSD Advisory – Firefox JavaScript Type Confusion RCE

Vulnerabilities Summary
A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write, which leads to remote code execution inside the sandboxed content process when triggered.

Vendor Response
The reported security vulnerability was fixed in Firefox 62.0.3 and Firefox ESR 60.2.2.

CVE
CVE-2018-12386

Credit
Independent security researchers, Niklas Baumstark, Samuel Groß and Bruno Keith, had reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – Firefox JavaScript Type Confusion RCE

SSD Advisory – Firefox Information Leak

Vulnerabilities Summary
A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

Vendor Response
The security vulnerability was fixed in Firefox 62.0.3 and Firefox ESR 60.2.2

CVE
CVE-2018-12387

Credit
Independent security researchers, Bruno Keith and Niklas Baumstark, have reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – Firefox Information Leak

SSD Advisory – Cisco Prime Infrastructure File Inclusion and Remote Command Execution to Privileges Escalation

Vulnerabilities Summary
Cisco Prime Infrastructure (CPI) contains two vulnerabilities that when exploited allow an unauthenticated attacker to achieve root privileges and execute code remotely. The first vulnerability is a file upload vulnerability that allows the attacker to upload and execute JSP files as the Apache Tomcat user. The second vulnerability is a privilege escalation to root by bypassing execution restrictions in a SUID binary.

Vendor Response
Cisco has issued an advisory, https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-pi-tftp, which provides a workaround and a fix for the vulnerability. From our assessment the provided fix only addresses the file uploading part of the exploit, not the file inclusion, the ability to execute arbitrary code through it or the privileges escalation issue that the product has.

CVE
CVE-2018-15379

Credit
An independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – Cisco Prime Infrastructure File Inclusion and Remote Command Execution to Privileges Escalation

SSD Advisory – Android Printing Man in the Middle Attack

Vulnerabilities Summary
Android 8.1 has introduced the new feature of a default printing service. This service, based on the very similar, freely available Mopria Alliance Print Service on the Google Play Store, suffers from a lack of validation which can lead to both man in the middle attacks and subsequent interception of print jobs, as well as an issue that results in potentially unsafe printing devices to be used without any sort of warning or confirmation.

Credit
An independent security researcher, Matt Parnell, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
Android 8.1 Default Printing Service

Vendor Response
“The Android Security Team has conducted an initial severity assessment on this report. Based on our published severity assessment matrix (1) it was rated as not being a security vulnerability that would meet the severity bar for inclusion in an Android security bulletin. If you have additional information that you believe we should use to reassess this report, please let us know.
The Resolution Notes label has been set to NSBC (Not Security Bulletin Class) to reflect this assessment.”
Continue reading SSD Advisory – Android Printing Man in the Middle Attack