Aug 18 2022

PoC exploit code for critical Realtek RCE flaw released online

Category: Security vulnerabilities | DISC @ 8:14 am

Exploit code for a critical vulnerability affecting networking devices built on Realtek's RTL819x system on a chip has been released online.

The PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices using Realtek's RTL819x system on a chip was released online. The issue resides in Realtek's SDK for the open-source eCos operating system and was discovered by researchers from the cybersecurity firm Faraday Security.

"On Realtek eCos SDK-based routers, the 'SIP ALG' module is vulnerable to buffer overflow. The root cause of the vulnerability is insufficient validation on the received buffer, and unsafe calls to strcpy. The 'SIP ALG' module calls strcpy to copy some contents of SIP packets to a predefined fixed buffer and does not check the length of the copied contents." reads the advisory published by Realtek in March 2022. "A remote attacker can exploit the vulnerability through a WAN interface by crafting arguments in SDP data or the SIP header to make a specific SIP packet, and the successful exploitation would cause a crash or achieve the remote code execution."

Millions of devices, including routers and access points, are exposed to hacking.

The experts (Octavio Gianatiempo, Octavio Galland, Emilio Couto, Javier Aguinaga) disclosed technical details of the flaw at the DEFCON hacker conference last week.

A remote attacker can exploit the flaw to execute arbitrary code without authentication by sending specially crafted SIP packets containing malicious SDP data to vulnerable devices.

The issue is especially dangerous because exploitation does not require any user interaction.

The PoC code developed by the experts works against Nexxt Nebula 300 Plus routers.

"This repository contains the materials for the talk "Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek's SDK for eCos OS.", which was presented at DEFCON30." reads the description provided with the exploit code on GitHub.

The repo includes:

  • analysis: Automated firmware analysis to detect the presence of CVE-2022-27255 (Run analyse_firmware.py).
  • exploits_nexxt: PoC and exploit code. The PoC should work on every affected router; the exploit code is specific to the Nexxt Nebula 300 Plus router.
  • ghidra_scripts: Vulnerable function call searching script and CVE-2022-27255 detection script.
  • DEFCON: Slide deck & poc video.

Johannes Ullrich, Dean of Research at SANS, shared a Snort rule that can be used to detect exploitation attempts using the PoC.

"The rule looks for "INVITE" messages that contain the string "m=audio ". It triggers if there are more than 128 bytes following the string (128 bytes is the size of the buffer allocated by the Realtek SDK) and if none of those bytes is a carriage return. The rule may even work sufficiently well without the last content match. Let me know if you see any errors or improvements." wrote the expert.
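As an added example (not code from Realtek's SDK, Faraday Security's repository or Ullrich's rule itself), the following C models the bug class the advisory describes (an SDP value copied with strcpy into a fixed 128-byte stack buffer), places a hardened copy beside it, and implements the check the Snort rule above performs, all over constructed SIP INVITE messages. The function names, the packet contents and the assumption that the SDK hands the parser a NUL-terminated value are mine; only the 128-byte buffer size comes from the page.

```c
/* Added illustration, not the SDK's or the researchers' code.  Models the
 * strcpy-into-fixed-buffer pattern from the advisory, a hardened replacement,
 * and a detector matching the Snort rule's description.  All packets below
 * are constructed; SDP_BUF_SIZE is the size cited in the rule. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SDP_BUF_SIZE 128

/* Point at the bytes after "m=audio " in the message, or NULL if absent. */
static const char *find_audio_value(const char *pkt)
{
    const char *p = strstr(pkt, "m=audio ");
    return p ? p + strlen("m=audio ") : NULL;
}

/* Bytes from v up to the next carriage return (or end of message): the
 * quantity the rule measures. */
static size_t bytes_until_cr(const char *v)
{
    size_t n = 0;
    while (v[n] != '\0' && v[n] != '\r')
        n++;
    return n;
}

/* VULNERABLE pattern (assumed shape, not the SDK's source): the attacker-
 * controlled value is copied into a fixed stack buffer with strcpy and no
 * length check, so a value of 128 bytes or more overwrites the stack.
 * Kept for contrast only; never feed it untrusted input. */
int parse_audio_port_vulnerable(const char *audio_value)
{
    char buf[SDP_BUF_SIZE];
    strcpy(buf, audio_value);
    return atoi(buf);
}

/* HARDENED: measure first and refuse anything that does not fit with its NUL. */
int parse_audio_port_hardened(const char *audio_value)
{
    char buf[SDP_BUF_SIZE];
    size_t n = strlen(audio_value);
    if (n >= sizeof buf)
        return -1;
    memcpy(buf, audio_value, n + 1);
    return atoi(buf);
}

/* Detection logic equivalent to the rule as described: an INVITE whose
 * "m=audio " value runs more than SDP_BUF_SIZE bytes without a CR. */
int looks_like_sip_alg_overflow(const char *pkt)
{
    if (strncmp(pkt, "INVITE ", 7) != 0)
        return 0;
    const char *v = find_audio_value(pkt);
    if (v == NULL)
        return 0;
    return bytes_until_cr(v) > SDP_BUF_SIZE;
}

/* Constructed sample traffic: a minimal INVITE whose m=audio line is padded
 * with `pad` filler bytes (0 gives an ordinary-looking call setup). */
static char g_pkt[4096];
const char *build_invite(size_t pad)
{
    if (pad > 3000)
        pad = 3000;
    int n = snprintf(g_pkt, sizeof g_pkt,
                     "INVITE sip:1000@192.0.2.10 SIP/2.0\r\n"
                     "Via: SIP/2.0/UDP 198.51.100.7:5060\r\n"
                     "Content-Type: application/sdp\r\n\r\n"
                     "v=0\r\nc=IN IP4 198.51.100.7\r\n"
                     "m=audio 49170 RTP/AVP 0");
    memset(g_pkt + n, 'A', pad);
    strcpy(g_pkt + n + pad, "\r\na=rtpmap:0 PCMU/8000\r\n");
    return g_pkt;
}

/* Extract the m=audio value from a constructed INVITE and run the hardened
 * parser on it: 49170 for an ordinary line, -1 once it exceeds the buffer. */
int hardened_port_from_invite(size_t pad)
{
    const char *v = find_audio_value(build_invite(pad));
    char value[sizeof g_pkt];
    size_t n = bytes_until_cr(v);
    memcpy(value, v, n);
    value[n] = '\0';
    return parse_audio_port_hardened(value);
}

int main(void)
{
    printf("ordinary INVITE flagged: %d\n", looks_like_sip_alg_overflow(build_invite(0)));
    printf("padded INVITE flagged:   %d\n", looks_like_sip_alg_overflow(build_invite(300)));
    printf("hardened parser, ordinary: %d\n", hardened_port_from_invite(0));
    printf("hardened parser, padded:   %d\n", hardened_port_from_invite(300));
    return 0;
}
```

One boundary worth noting when tuning a real rule against this model: the hardened copy already rejects a value of exactly 128 bytes (there is no room for the terminator), while the rule as quoted fires only on more than 128 bytes, so the two disagree by one byte at the edge. The model also only inspects the first "m=audio " occurrence and only in messages starting with INVITE, exactly as the description states; the advisory says the SIP header can be abused as well, which this check does not cover.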

Slides for the DEFCON presentation, along with the exploits and a detection script for CVE-2022-27255, are available in this GitHub repository.

Tags: critical vulnerability, exploit code


Jul 14 2022

Microsoft published exploit code for a macOS App sandbox escape flaw

Category: App Security | DISC @ 8:35 am

Microsoft publicly disclosed technical details of an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox.

"Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted on the system." reads the post published by Microsoft.

Microsoft reported the issue to Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in October 2021. Apple addressed the CVE-2022-26706 flaw on May 16, 2022.

"An access issue was addressed with additional sandbox restrictions on third-party applications. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Big Sur 11.6.6, macOS Monterey 12.4. A sandboxed process may be able to circumvent sandbox restrictions." reads the description of this issue.

An attacker can trigger the flaw with a specially crafted Office document containing malicious macro code, bypassing the sandbox restrictions and executing commands on the system.

The Apple App Sandbox protects system resources and user data by limiting an app's access to the resources it requests through entitlements.

Developers that want to distribute a macOS app through the Mac App Store must enable the App Sandbox capability.

Microsoft researchers demonstrated that specially crafted code could bypass the sandbox rules. An attacker could exploit the sandbox escape to gain elevated privileges on the affected device or execute malicious commands, such as installing additional payloads.

"We found the vulnerability while researching potential ways to run and detect malicious macros in Microsoft Office on macOS. For backward compatibility, Microsoft Word can read or write files with an "~$" prefix." reads the post. "Our findings revealed that it was possible to escape the sandbox by leveraging macOS's Launch Services to run an open --stdin command on a specially crafted Python file with the said prefix."

The weakness stems from a backward-compatibility allowance: Word is permitted to read and write files whose names carry the "~$" prefix, which gives a macro a way to drop a file that a process outside the sandbox can later execute.

The experts first wrote a PoC macro that launched a shell script with the Terminal app, but the dropped file was automatically tagged with the extended attribute com.apple.quarantine, which caused Terminal to refuse to execute it. They then tried Python scripts, but the Python app had the same problem running files carrying that attribute.

In a later attempt, the researchers built a proof-of-concept (PoC) that used the --stdin option of the open command on a Python file to sidestep the com.apple.quarantine restriction: because the script's contents arrive on standard input rather than from a file, Python has no way to determine that they originated from a quarantined file.

"Our POC exploit thus became simply as follows:

  1. Drop a "~$exploit.py" file with arbitrary Python commands.
  2. Run open --stdin='~$exploit.py' -a Python, which runs the Python app with our dropped file serving as its standard input. Python happily runs our code, and since it's a child process of launchd, it isn't bound to Word's sandbox rules." continues the post.


Tags: exploit code