SSD Advisory – Chrome AppCache Subsystem SBX by utilizing a Use After Free

Vulnerabilities Summary
The vulnerability exists in the AppCache subsystem in Chrome Versions 69.0 and before. This code is located in the privileged browser process outside of the sandbox. The renderer interacts with this subsystem by sending IPC messages from the renderer to the browser process. These messages can cause the browser to make network requests, which are also attacker-controlled and influence the behavior of the code.

Vendor Response
Vendor has fixed the issue in Google Chrome version 70.

CVE
CVE-2018-17462

Credit
Independent security researchers, Ned Williamson and Niklas Baumstark, had reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
Google Chrome Versions 69.0 and before.
Continue reading SSD Advisory – Chrome AppCache Subsystem SBX by utilizing a Use After Free

SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

Vulnerability Summary
VirtualBox has a built-in RDP server which provides access to a guest machine. While the RDP client sees the guest OS, the RDP server runs on the host OS. Therefore, to view the guest OS the RDP client will make a connection to the host OS IP address rather than the guest OS IP address.

The VRDP server is composted of two parts: a high level, which is open source and residing in the VirtualBox source tree, and is responsible for the display management, and a low level shipped with Extension Pack which is the RDP server which conforms to RDP specifications.

The vulnerability is in the high level part. The vulnerability can be triggered when a connection to a Windows guest OS is closed, i.e. when we close the window of the RDP client application like rdesktop or Microsoft Remote Desktop.

While the crashing bug was reported to the VirtualBox tracker (https://www.virtualbox.org/ticket/16444), it was never considered a security vulnerability, and is not marked as one. This ticket is 15 months old at the time of writing this post and still marked as unresolved.

Prerequisites to exploit the vulnerability:

  • VirtualBox Extension Pack installed on a host. It’s required to enable VRDP server
  • VRDP server enabled
  • 3D acceleration enabled
  • Windows 10 as a guest

The vulnerability can probably be triggered from other guest OS due to the fact the the vulnerable code resides inside the Guest Additions driver.

Credit
An independent security researcher, Sergey Zelenyuk, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

SSD安全公告 – Mac OS X 10.12隔离机制绕过漏洞

漏洞概要
Mac OS X存在一个漏洞,该漏洞允许攻击者绕过Apple的隔离机制,不受任何限制执行任意JavaScript代码.

漏洞提交者
来自WeAreSegment的安全研究者Filippo Cavallarin向Beyond Security的SSD报告了该漏洞.

厂商响应

苹果公司已于2017年6月27日收到了我们的报告,并和我们进行了多次沟通。苹果公司通知我们,在即将发布的High Sierra操作系统中会修补这个漏洞。这之后,苹果公司再没有提供任何其他信息 – 既没有链接公告,也没有提供关于CVE编号分配的任何信息.

我们已经验证在Mac OS X High Sierra中已不存在该漏洞。对于该漏洞的解决办法是升级到Mac OS X High Sierra,或者移除rhtmlPlayer.html文件修复该漏洞.

Continue reading SSD安全公告 – Mac OS X 10.12隔离机制绕过漏洞

SSD Advisory – Mac OS X 10.12 Quarantine Bypass

Vulnerability summary
Mac OS X contains a vulnerability that allows bypassing of the Apple Quarantine and the execution of arbitrary JavaScript code without any restrictions.

Credit
A security researcher from WeAreSegment, Filippo Cavallarin, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Apple has been notified on the 27th of June 2017, several correspondences were exchanged. Apple notified us that a patch has been put in place in the upcoming High Sierra version. No additional information has been provided by Apple since the notification that a patch has been made – no link to the advisory nor any information on what CVE has been assigned to this have been provided.

We have verified that Mac OS X High Sierra is no longer vulnerable to this, a solution would be to either upgrade High Sierra, or remove the rhtmlPlayer.html file (a workaround).

Continue reading SSD Advisory – Mac OS X 10.12 Quarantine Bypass