SSD Advisory – BusyBox (local) cmdline stack buffer overwrite

Vulnerability Description
BusyBox provides an arp applet that is missing an array bounds check for the command-line parameter IFNAME. It is therefore vulnerable to a command-line based local stack buffer overwrite, effectively allowing local users to write past a 16-byte fixed-size stack buffer. This leads to two scenarios: one (A) where an IOCTL for GET_HW_ADDRESS (SIOCGIFHWADDR) fails and results in a corrupted va_list being passed to *printf(), and one (B) where an attacker might provide valid params for the IOCTL and trick the program into proceeding, resulting in a RET eip overwrite and eventually code execution.


Know your community – Orange Tsai

Happy new year everyone!

One of our new year's resolutions is to promote the security community in different ways – sponsoring security conferences, publishing new vulnerabilities and writing blog posts about leading security researchers who work to strengthen their local community.

One of the best things about being part of the cyber security community is that you get to meet great and interesting people along the way. At every conference we attend, and we sponsor quite a few throughout the year, we get to know new and talented researchers.

Recently, we decided to write a series of blog posts on individuals who are part of the community and who promote their local community.

We have the honor to interview Orange Tsai, a security researcher from Taiwan, for our first blog post!


SSD Advisory – SwiftMailer Remote Code Execution

Vulnerability Summary
The following report describes a remote code execution vulnerability found in SwiftMailer. The vulnerability allows an attacker to inject parameters into the sendmail program due to insufficient address sanitization. Swift Mailer integrates into any web app written in PHP 5, offering a flexible object-oriented approach to sending emails with a multitude of features.

Credit
An independent security researcher, Dawid Golunski (https://legalhackers.com/), has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

Vulnerability Details

When using SwiftMailer to send emails with the Sendmail transport, a malicious user might be able to inject arbitrary parameters into the sendmail program due to insufficient address sanitization. If an attacker can control email headers, they could bypass sanitization by adding additional quote characters within a malicious email address.

Proof of Concept

In this example, the -X and -oQ parameters would be injected into the sendmail program and, if the MTA in use were Sendmail, would result in a /tmp/exp.php file being written out.
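As an added illustration of the defect class described above (this is not code from the advisory or from SwiftMailer), the check below contrasts a permissive address pattern, which accepts a quoted local part and therefore lets quotes and whitespace reach the command line, with a conservative dot-atom check that is safe to pass as sendmail's envelope sender. Function and constant names are my own, the sendmail path is assumed, and the argument-array form of proc_open() assumes PHP 7.4 or later.

```php
<?php
// Added example (not SwiftMailer code): strict validation of an address that will
// be handed to sendmail as the envelope sender (-f), plus an argv-style builder.

// Permissive pattern of the kind many libraries accept: it allows a quoted local
// part, so "text with spaces"@example.com is considered a valid address.
const PERMISSIVE_ADDRESS = '/^(?:[^@"\s]+|"[^"]*")@[A-Za-z0-9.-]+$/';

// Conservative dot-atom pattern: no quotes, no whitespace, no shell metacharacters,
// and the first character can never be '-', so it cannot be read as an option.
const STRICT_ADDRESS = '/^[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}@'
    . '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$/';

function isSafeSendmailAddress(string $address): bool
{
    return strlen($address) <= 254 && preg_match(STRICT_ADDRESS, $address) === 1;
}

// Build the argument vector for sendmail. Passing an array to proc_open() (PHP 7.4+)
// bypasses the shell, so quoting mistakes cannot become extra arguments; the strict
// check still matters because sendmail itself parses its argv.
function buildSendmailArgv(string $from, string $sendmail = '/usr/sbin/sendmail'): array
{
    if (!isSafeSendmailAddress($from)) {
        throw new InvalidArgumentException('Refusing unsafe envelope sender: ' . $from);
    }
    return [$sendmail, '-t', '-i', '-f', $from];
}

// Constructed sample inputs: one ordinary address, one legal-but-dangerous quoted
// local part, and one that would be parsed as an option if it reached sendmail.
$samples = [
    'alice@example.com',
    '"quoted part"@example.com',
    '-option@example.com',
];
foreach ($samples as $addr) {
    printf("%-28s permissive=%s strict=%s\n", $addr,
        preg_match(PERMISSIVE_ADDRESS, $addr) ? 'accept' : 'reject',
        isSafeSendmailAddress($addr) ? 'accept' : 'reject');
}
```

Only the first sample passes the strict check; the other two are accepted by the permissive pattern but rejected before they can reach the command line.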

Vendor response
The vendor has released SwiftMailer version 5.4.5 to address the vulnerability.

SSD Advisory – ZendMail Remote Code Execution Vulnerability

Vulnerability Summary

The following report describes a remote code execution vulnerability found in ZendMail. The vulnerability allows an attacker to inject additional parameters into the sendmail binary via the From address.

Credit
An independent security researcher, Dawid Golunski (https://legalhackers.com/), has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
