SSD Advisory – phpMyAdmin File Inclusion and Remote Code Execution

Vulnerabilities Summary
Authenticated users can exploit a file inclusion vulnerability in phpMyAdmin which can then be combined with another vulnerability, to perform Remote Code Execution. In addition, authnticated attackers can view files and execute PHP files that located on the server by exploiting a bug in the part of the code that is responsible for redirects and loading of whitelisted pages.

Vendor Response
The vendor, phpMyAdmin, issued a fix on the 21st of June 2018. Version 4.8.2 and newer aren’t affected.

CVE
CVE-2018-12613

Credit
An independent security researcher, Henry Huang working for CyCarrier CSIRT, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
phpMyAdmin 4.8.0 and 4.8.1 (running on Linux systems)
Continue reading SSD Advisory – phpMyAdmin File Inclusion and Remote Code Execution

Hack2Win eXtreme Warm Up

Hack2Win eXtreme

In our upcoming Hack2Win eXtreme event in Hong Kong we will be asking contest participants to come and try their skills breaking into devices and software, showing their abilities in finding vulnerabilities in iOS and Android, as well as in Chrome and Firefox.

In preparation for the event, we are launching a “warm up” event where the target is different from the above devices and software. The event will be open to anyone who wants to participate, and will be open until the 19th of September (inclusive).

The target for this Hack2Win eXtreme warm-up will be Adobe Reader on Android, and the goal is to get it to run arbitrary code when a PDF file is opened.

Scope
An award prize of 30,000$ USD will be given to any person (up to 5 winners) that is able to provide a PDF file which is opened from either the local storage (on the Android device) or accessed through a URL being typed into a browser (Chrome, Firefox, etc), where that the PDF is able to:

  • Get code execution, which is able to do either:
    • Write an arbitrary file to the data folder of the Adobe Reader
      OR
    • Run /bin/bash – which should be visible when you run ‘ps’ on the Android OS

In addition, the vulnerability should be in Adobe Reader and not in some external application that can be launched from within Adobe Reader; it should not require any interaction beyond opening the file (e.g. clicking on popups or a confirmation dialog after the PDF is opened will not be considered a code execution vulnerability).

How to submit?
The submission process will be the same as any other vulnerability that being submitted to us, please refer to Submission Process page for more details.

Contest Deadline
Once we have reached the deadline (19th of September) or receive 5 valid submissions, we will no longer accept additional submissions. We will announce this on this blog page as well as on our @SecuriTeam_SSD twitter account.

Eligibility
The Hack2Win eXtreme is open for registration to anyone who is 18 years of age or older at the time of submission – excluding anyone working for Adobe. Also excluded are Beyond Security employees and any of its affiliates.

Winner Selection
The first 5 (five) submissions received will be selected, according to the email timestamp. Only complete and working submissions will be considered. If a submission does not work you will be asked to provide a working version – the submission date will be the date the working version was sent to Beyond Security.

Vulnerabilities and exploit techniques revealed by contest winners will be disclosed to Adobe and the exploits and whitepapers will be the property of Beyond Security. The original finder of the vulnerability will receive credit (or remain anonymous if he/she wishes to remain anonymous) for the vulnerabilities, the whitepaper and the disclosure.

beVX Conference Challenge – HiTB

During the event of Hack In the Box, we launched an ARM reverse engineering and exploitation challenge and gave the attendees the change to win great prizes.

The challenge was divided into two parts, a file – can be downloaded from here: https://www.beyondsecurity.com/bevxcon/bevx-challenge-10 – that you had to download and reverse engineer and server that you had to access to have a running version of this file.

The challenge consisted of a binary that is acting as a ‘server’ which expects incoming connections to it, when an incoming connection occurs and a certain ‘protocol’ is implemented and it will print out ‘All your base’ and exit. The challenge was to write an exploit that will cause the program to print out ‘Belong to us!’.

The intended way of solving this challenge was to preform an overflow and cause the execution path of the code to change, while one of the solutions provided did not follow this path – and was still able to change the output of the program.

We received several submissions, only two were complete and solved the challenge completely, others were close but did not meet our minimum requirements and therefore are not presented here.
ebux25
In this submission, the execution path is not overwritten rather the string displayed is changed such that the program does not crash while it still prints the required string. While this was not the intended idea of the challenge, there was no rule against this kind of solution.

yohanes
The solution provided by yohanes, was meeting more our expectations to what we were looking, it changes the execution code path.

SSD Advisory – QRadar Remote Command Execution

Vulnerability Summary
Multiple vulnerabilities in QRadar allow a remote unauthenticated attackers to cause the product to execute arbitrary commands. Each vulnerability on its own is not as strong as their chaining – which allows a user to change from unauthenticated to authenticated access, to running commands, and finally running these commands with root privileges.

Vendor Response
“You reported this vulnerability to IBM on January 25th, and we notified you on April 27th that the vulnerability had been fixed. Here is the link to our public notice and the independent researcher that reported it to you was acknowledged: http://www.ibm.com/support/docview.wss?uid=swg22015797. We thank you for your efforts in reporting these issues to us, and for delaying your disclosures until IBM published a fix.

For your awareness the third vulnerability you reported with regards to privilege escalation to root had been fixed in patches a few weeks prior to the initial report. This is the bulletin for that particular CVE: http://www.ibm.com/support/docview.wss?uid=swg22012293.

After concerns regarding the scoring of the other vulnerabilities were brought to our attention, the scoring has been reviewed and some corrections made. The reported issue has been separated into separate CVEs: a new one for the authentication bypass CVE-2018-1612; and the existing one for the command injection as an unprivileged user CVE-2018-1418. The updated descriptions and scoring for these CVEs is as follows:

CVE-2018-1612 IBM QRadar Incident Forensics could allow a remote attacker to bypass authentication and obtain sensitive information
CVSS Base: 5.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2018-1418 IBM QRadar Incident Forensics could allow an authenticated attacker to execute commands as ‘nobody’.
CVSS Base: 7.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

The issue in the initial scoring occurred due to a miscommunication in our process and we are working to improve our process going forward. We apologize for the problematic scoring in our initial disclosure. Also while the fix for the authentication CVE-2018-1612 was included in 7.2.8 Patch 11 we discovered an issue with 7.3.1 Patch 2 and are issuing an iFix as outlined here www.ibm.com/support/docview.wss?uid=swg22017062. The command injection issue is fixed in 7.3.1 Patch 2 as previously published.”

CVE
CVE-2018-1418
(NOTE while only a single CVE was issued three vulnerabilities were patched by the vendor)

Credit
An independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – QRadar Remote Command Execution