Hack2Win eXtreme Warm Up

We have moved to a new site: https://typhooncon.com/typhoonpwn/

Hack2Win eXtreme

In our upcoming Hack2Win eXtreme event in Hong Kong we will be asking contest participants to come and try their skills breaking into devices and software, showing their abilities in finding vulnerabilities in iOS and Android, as well as in Chrome and Firefox.

In preparation for the event, we are launching a “warm up” event where the target is different from the above devices and software. The event will be open to anyone who wants to participate, and will be open until the 19th of September (inclusive).

The target for this Hack2Win eXtreme warm-up will be Adobe Reader on Android, and the goal is to get it to run arbitrary code when a PDF file is opened.

A prize of $30,000 USD will be awarded to any person (up to 5 winners) who is able to provide a PDF file which is opened either from local storage (on the Android device) or through a URL typed into a browser (Chrome, Firefox, etc.), where the PDF is able to:

  • Get code execution, which is able to do either:
    • Write an arbitrary file to the data folder of the Adobe Reader
    • Run /bin/bash – which should be visible when you run ‘ps’ on the Android OS

In addition, the vulnerability should be in Adobe Reader and not in some external application that can be launched from within Adobe Reader; it should not require any interaction beyond opening the file (e.g. clicking on popups or a confirmation dialog after the PDF is opened will not be considered a code execution vulnerability).

How to submit?
The submission process will be the same as for any other vulnerability submitted to us; please refer to the Submission Process page for more details.

Contest Deadline
Once we have reached the deadline (19th of September) or received 5 valid submissions, we will no longer accept additional submissions. We will announce this on this blog page as well as on our @SecuriTeam_SSD Twitter account.

The Hack2Win eXtreme is open for registration to anyone who is 18 years of age or older at the time of submission – excluding anyone working for Adobe. Also excluded are Beyond Security employees and any of its affiliates.

Winner Selection
The first 5 (five) submissions received will be selected, according to the email timestamp. Only complete and working submissions will be considered. If a submission does not work you will be asked to provide a working version – the submission date will be the date the working version was sent to Beyond Security.

Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to Adobe and the exploits and whitepapers will be the property of Beyond Security. The original finder of the vulnerability will receive credit (or remain anonymous if he/she wishes to remain anonymous) for the vulnerabilities, the whitepaper and the disclosure.

beVX Conference Challenge – HiTB

During Hack In the Box, we launched an ARM reverse engineering and exploitation challenge and gave the attendees the chance to win great prizes.

The challenge was divided into two parts: a file (downloadable from https://www.beyondsecurity.com/bevxcon/bevx-challenge-10) that you had to download and reverse engineer, and a server that you had to access to have a running version of this file.

The challenge consisted of a binary acting as a ‘server’ that expects incoming connections. When an incoming connection occurs and a certain ‘protocol’ is implemented, it prints ‘All your base’ and exits. The challenge was to write an exploit that causes the program to print ‘Belong to us!’.

The intended way of solving this challenge was to perform an overflow and cause the execution path of the code to change; one of the solutions provided did not follow this path and was still able to change the output of the program.

We received several submissions. Only two were complete and solved the challenge; the others were close but did not meet our minimum requirements and therefore are not presented here.
In this submission, the execution path is not overwritten; rather, the string displayed is changed such that the program does not crash while it still prints the required string. While this was not the intended idea of the challenge, there was no rule against this kind of solution.

The solution provided by yohanes came closer to what we were looking for: it changes the execution code path.

SSD Advisory – QRadar Remote Command Execution

Vulnerability Summary
Multiple vulnerabilities in QRadar allow a remote unauthenticated attacker to cause the product to execute arbitrary commands. Each vulnerability on its own is not as strong as the chain, which lets a user go from unauthenticated to authenticated access, to running commands, and finally to running these commands with root privileges.

Vendor Response
“You reported this vulnerability to IBM on January 25th, and we notified you on April 27th that the vulnerability had been fixed. Here is the link to our public notice and the independent researcher that reported it to you was acknowledged: http://www.ibm.com/support/docview.wss?uid=swg22015797. We thank you for your efforts in reporting these issues to us, and for delaying your disclosures until IBM published a fix.

For your awareness the third vulnerability you reported with regards to privilege escalation to root had been fixed in patches a few weeks prior to the initial report. This is the bulletin for that particular CVE: http://www.ibm.com/support/docview.wss?uid=swg22012293.

After concerns regarding the scoring of the other vulnerabilities were brought to our attention, the scoring has been reviewed and some corrections made. The reported issue has been separated into separate CVEs: a new one for the authentication bypass CVE-2018-1612; and the existing one for the command injection as an unprivileged user CVE-2018-1418. The updated descriptions and scoring for these CVEs is as follows:

CVE-2018-1612 IBM QRadar Incident Forensics could allow a remote attacker to bypass authentication and obtain sensitive information
CVSS Base: 5.8

CVE-2018-1418 IBM QRadar Incident Forensics could allow an authenticated attacker to execute commands as ‘nobody’.
CVSS Base: 7.4

The issue in the initial scoring occurred due to a miscommunication in our process and we are working to improve our process going forward. We apologize for the problematic scoring in our initial disclosure. Also while the fix for the authentication CVE-2018-1612 was included in 7.2.8 Patch 11 we discovered an issue with 7.3.1 Patch 2 and are issuing an iFix as outlined here www.ibm.com/support/docview.wss?uid=swg22017062. The command injection issue is fixed in 7.3.1 Patch 2 as previously published.”

(NOTE while only a single CVE was issued three vulnerabilities were patched by the vendor)

An independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

SSD Advisory – Linux AF_LLC Double Free

Vulnerability Summary
A use after free vulnerability in AF_LLC allows local attackers to control the flow of code that the kernel executes, allowing them to cause it to run arbitrary code and gain elevated privileges.

Vendor Response
The vulnerability was reported to the Kernel Security team, which asked us to contact the netdev team. A patch was provided by the netdev team on the 27th of March and was later integrated into the main code of Linux (we are not certain when).

Attempts to recontact the netdev team and understand more about the timeline went unanswered.

We know that the patch has been introduced as part of:

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
The oldest known version to be affected Linux version, the patch has been introduced as part of 4.17-rc2.