SSD Advisory – IRDA Linux Driver UAF

Vulnerabilities Summary
The following advisory describes two vulnerabilities in the Linux Kernel. By combining these two vulnerabilities a privilege escalation can be achieved. The two vulnerabilities are quite old and have been around for at least 17 years, quite a few Long Term releases of Linux have them in their kernel. While the assessment of the Linux kernel team is that they only pose a denial of service, that is incorrect, we will provide here proof that they can run code with a bit of effort and some luck (the probability of success of gaining root privileges is above 50%).

Vendor Response
“Memory leak in the irda_bind function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (memory consumption) by repeatedly binding an AF_IRDA socket. (CVE-2018-6554) The irda_setsockopt function in net/irda/af_irda.c and later in drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17 allows local users to cause a denial of service (ias_object use-after-free and system crash) or possibly have unspecified other impact via an AF_IRDA socket. (CVE-2018-6555)”

https://lists.ubuntu.com/archives/kernel-team/2018-September/095137.html

CVE
CVE-2018-6554
CVE-2018-6555

Credit
An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – IRDA Linux Driver UAF

SSD Advisory – ASUSTOR NAS Devices Authentication Bypass

Vulnerabilities Summary
An ASUSTOR NAS or network attached storage is “a computer appliance built from the ground up for storing and serving files. It attaches directly to a network, allowing those on the network to access and share files from a central location”. In the following advisory we will discuss a vulnerability found inside ASUSTOR NAS which lets anonymous attackers bypass authentication requirement of the product.

Credit
An independent security researcher, Ahmed Y. Elmogy, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected systems
ASUSTOR NAS devices running ADM version 3.0.5.RDU1 and prior
Continue reading SSD Advisory – ASUSTOR NAS Devices Authentication Bypass

SSD Advisory – CloudByte ElastiStor OS Unauthenticated Remote Code Execution

Vulnerabilities Summary

The following advisory describes two vulnerabilities found in ElastiCenter,
ElastiStor’s management console, File Injection that leads to unauthenticated remote code execution.

ElastiCenter is the centralized management tool that you use to configure, monitor, manage, and deploy the services provided by CloudByte ElastiStor.
ElastiCenter lets you:

  • Use the Graphical User Interface to manage the storage environment
  • Generate statistical and configuration reports to help troubleshoot
  • Delegate administration tasks
  • Track events
  • Globally control various settings

CVE
CVE-2018-15675

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – CloudByte ElastiStor OS Unauthenticated Remote Code Execution

SSD Advisory – VirtualBox VRDP Guest-to-Host Escape

Vulnerability Summary
VirtualBox has a built-in RDP server which provides access to a guest machine. While the RDP client sees the guest OS, the RDP server runs on the host OS. Therefore, to view the guest OS the RDP client will make a connection to the host OS IP address rather than the guest OS IP address.

The VRDP server is composted of two parts: a high level, which is open source and residing in the VirtualBox source tree, and is responsible for the display management, and a low level shipped with Extension Pack which is the RDP server which conforms to RDP specifications.

The vulnerability is in the high level part. The vulnerability can be triggered when a connection to a Windows guest OS is closed, i.e. when we close the window of the RDP client application like rdesktop or Microsoft Remote Desktop.

While the crashing bug was reported to the VirtualBox tracker (https://www.virtualbox.org/ticket/16444), it was never considered a security vulnerability, and is not marked as one. This ticket is 15 months old at the time of writing this post and still marked as unresolved.

Prerequisites to exploit the vulnerability:

  • VirtualBox Extension Pack installed on a host. It’s required to enable VRDP server
  • VRDP server enabled
  • 3D acceleration enabled
  • Windows 10 as a guest

The vulnerability can probably be triggered from other guest OS due to the fact the the vulnerable code resides inside the Guest Additions driver.

Credit
An independent security researcher, Sergey Zelenyuk, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Continue reading SSD Advisory – VirtualBox VRDP Guest-to-Host Escape