SSD Advisory – Cisco MSE Preauthentication Remote Code Execution

Vulnerabilities Summary
Cisco Mobile Services Engine (MSE) is a platform that helps organizations increase visibility into the network, customize location-based mobile services, and strengthen security. The following advisory describes a pre-authentication code execution vulnerability in Cisco MSE (version 8.0.100.0).

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released Mobility Services Engine patches (November 2015) to address the vulnerabilities; the advisory can be found here and here.

SSD Advisory – DropBear Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes four (4) vulnerabilities in DropBear. DropBear is an SSH server and client that runs on a variety of POSIX-based platforms. It is open source software, distributed under an MIT-style license, and is particularly useful for “embedded”-type Linux (or other Unix) systems, such as wireless routers.

The four vulnerabilities found in DropBear are:

  1. Server-side memory disclosure
  2. Stack buffer overflow
  3. Format string vulnerability
  4. Heap buffer overwrite and arbitrary memory read vulnerabilities

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released DropBear patches (21st of July 2016) to address the vulnerabilities; the advisory can be found at https://matt.ucc.asn.au/dropbear/CHANGES.

SSD Advisory – BusyBox (local) cmdline stack buffer overwrite

Vulnerability Description
BusyBox provides an arp applet which is missing an array bounds check for the command-line parameter IFNAME. It is therefore vulnerable to a command-line based local stack buffer overwrite, effectively allowing local users to write past a 16-byte fixed stack buffer. This leads to two scenarios: (A) the IOCTL for GET_HW_ADDRESS (SIOCGIFHWADDR) fails, which results in a corrupted va_list being passed to *printf(); and (B) an attacker provides valid parameters for the IOCTL and tricks the program into proceeding, which results in an overwrite of the saved return address (EIP) and eventually code execution.
