Static analysis tool exposition (SATE) V Call for participation

2013-05-21 Thread aure
NIST is preparing the fifth Static Analysis Tool Exposition (SATE V). Briefly, 
participating tool makers run their static analyzer on a set of programs. 
Researchers led by NIST analyze the tool reports and present the results and 
experiences at a workshop. A detailed plan is available at:

http://samate.nist.gov/SATE.html

We plan to provide test cases by June 3rd. Tool makers will have until August 
1st (if at all possible; September 1st at the latest) to run their tool and 
return their tool outputs.

The main changes since SATE IV:

1. Virtual machines (VM) with the test cases will be hosted by the
Software Assurance Marketplace (SWAMP). We will ask tool makers to install 
temporarily (for the duration of SATE V only) and run their tools in the 
assigned VMs. SWAMP is described at: http://www.cosalab.org

2. We will ask teams to provide a Coverage Claims Representation (CCR) of the 
weaknesses their tool can find. CCR is described at:
http://cwe.mitre.org/compatible/ccr.html

3. So as to encourage wider participation, NIST will not make tool outputs 
publicly available, unless otherwise specified by the teams. In case a team 
wants to release its own data, we can host them on the SATE website.

4. We will recognize and encourage sound static analyzers (tools that in theory 
never report incorrect findings). We will publish our sound analysis criteria 
shortly.

We invite tool makers to sign up. If you would like to participate in
the exposition, or if you have questions or suggestions, please email Aurelien 
Delaitre (aure 'at' nist.gov).


Defense in depth -- the Microsoft way

2013-05-21 Thread Stefan Kanthak
Hi @ll,

for applications installed via an .MSI, the Microsoft Installer creates
the following uninstall information in the Windows registry
(see http://msdn.microsoft.com/library/aa372105.aspx):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
UninstallString=MsiExec.Exe /X{GUID}
ModifyPath=MsiExec.Exe /I{GUID}

Note the unqualified path to the executable msiexec.exe.

On Windows installations without the SafeProcessSearchMode hotfix
(cf. http://support.microsoft.com/kb/905890) or with this safeguard
turned off (cf. http://msdn.microsoft.com/library/dd266735.aspx,
which refers to http://support.microsoft.com/kb/959426 alias MS09-015),
an executable msiexec.exe placed in the CWD or the user's base
directory (addressed by %HOMEDRIVE%%HOMEPATH% and typically equal to
%USERPROFILE%) can be run instead of the intended executable
%SystemRoot%\System32\MsiExec.Exe.


The VERY simple fix (which eliminates this attack vector completely):
always use fully-qualified paths to the well-known executables.

JFTR: cf. http://seclists.org/fulldisclosure/2011/Sep/160

Stefan Kanthak
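
An added example (not code from the original post) that checks a machine for the condition described above: it lists Uninstall entries whose command line names the executable without a fully qualified path, and reports the SafeProcessSearchMode value (its key location under Session Manager is an assumption).

```powershell
# Added example (not code from the original post): report Uninstall entries whose
# UninstallString or ModifyPath names the executable without a fully qualified
# path, so it is resolved through the process search order (current directory
# first on systems lacking the SafeProcessSearchMode safeguard) instead of
# %SystemRoot%\System32\MsiExec.Exe.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-CommandExecutable {
    param([string]$Command)
    # Executable token of a command line: a quoted path, else the first word.
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}

function Test-QualifiedPath {
    param([string]$Exe)
    # Qualified = drive-letter or UNC rooted after expanding %VAR% references
    # (REG_EXPAND_SZ values such as %SystemRoot%\System32\MsiExec.Exe).
    $expanded = [Environment]::ExpandEnvironmentVariables($Exe)
    return [bool]($expanded -match '^([A-Za-z]:\\|\\\\)')
}

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($name in 'UninstallString', 'ModifyPath') {
            $cmd = [string]$props.$name
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            if (-not (Test-QualifiedPath (Get-CommandExecutable $cmd))) {
                [pscustomobject]@{ Key = $key.PSChildName; Property = $name; Command = $cmd }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# KB905890's safeguard (assumed location: the Session Manager key): a value of 1
# makes CreateProcess search the current directory after the system directories.
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
'SafeProcessSearchMode: {0}' -f $(if ($null -ne $sm.SafeProcessSearchMode) { $sm.SafeProcessSearchMode } else { 'not set' })
```

Entries reported here are the ones a vendor should rewrite with a fully qualified path, as the post recommends; run the script from an elevated prompt so both registry hives are readable.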


CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products (ViPNet Client\Coordinator, SafeDisk, Personal Firewall)

2013-05-21 Thread chudakovma
CVE-2013-3496. Local privilege escalation vulnerability in Infotecs products 
(ViPNet Client\Coordinator, SafeDisk, Personal Firewall)
 
CVE reference:
CVE-2013-3496

Credit:
Maksim Chudakov (@MChudakov)
Andrey Kurtasanov (andreykurtasa...@gmail.com)

Severity:
Medium

Local\Remote:
Local

Vulnerability Class:
Privilege Escalation

Vendor URL:
http://www.infotecs.biz/

Affected OS:
Windows

Vulnerable systems:
ViPNet Client 3.2.10 (15632) and prior
ViPNet Coordinator 3.2.10 (15632) and prior
ViPNet SafeDisk 4.1 (0.5643) and prior
ViPNet Personal Firewall 3.1 and prior
Possibly same issues in other Infotecs products and other versions

Overview:
A local privilege escalation vulnerability exists in the Infotecs products 
(ViPNet Client, SafeDisk, Personal Firewall and possibly other products), which 
could be exploited by an attacker to execute commands on the affected machine 
under the context of the SYSTEM user or user with local administrative 
privileges.

Technical Background:
The vulnerability exists because Infotecs products install to a folder with 
insecure permissions. The Everyone group has Full Control rights to the 
files/folders in the following path: %Program Files%\Infotecs\[product_name]. 
This means that any unprivileged user can modify, delete or change the permissions 
of any file in the folder, which consists of data, executable and configuration 
files. 

Solution:
1) Request a patch from Vendor or
2) Go to every executable and dll file within a ViPNet folder and change 
permissions manually

Disclosure Timeline:
25/03/2013 Initial vendor notification
08/04/2013 Vendor response that patches have been released
20/05/2013 Advisory released
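
An added example (not code from the advisory) for auditing the condition it describes: it walks the install tree and reports every file or folder whose DACL grants Everyone write-capable rights, flagging Full Control separately. The install path $Root is an assumption.

```powershell
# Added example (not code from the advisory): walk the Infotecs install tree and
# report every file or folder whose DACL grants the Everyone group write-capable
# rights; Full Control is the case the advisory describes. $Root is an assumption,
# adjust it to the product's actual folder.
$Root = Join-Path $env:ProgramFiles 'Infotecs'

# Rights that let an unprivileged user replace or retarget executables and configs.
# The two hex values are GENERIC_ALL and GENERIC_WRITE, which some ACEs use instead
# of the specific bits.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::FullControl) -bor [int]($R::Modify) -bor [int]($R::Write) -bor
             [int]($R::Delete) -bor [int]($R::ChangePermissions) -bor
             [int]($R::TakeOwnership) -bor 0x10000000 -bor 0x40000000

function Get-EveryoneWritableAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by well-known SID (S-1-1-0 = Everyone), not the localized name.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($sid -ne 'S-1-1-0') { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path        = $Path
            Rights      = $ace.FileSystemRights
            FullControl = (($rights -band [int]($R::FullControl)) -eq [int]($R::FullControl))
            Inherited   = $ace.IsInherited
        }
    }
}

if (Test-Path -LiteralPath $Root) {
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    $items | ForEach-Object { Get-EveryoneWritableAces $_.FullName } | Format-Table -AutoSize
} else {
    Write-Warning "Install directory not found: $Root"
}
```

The advisory's second remediation option corresponds to removing the reported ACEs (for example `icacls <path> /remove Everyone`) so the tree falls back to the Program Files defaults; entries with Inherited = False are the ones the installer set explicitly.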


Sony PS3 Firmware v4.31 - Code Execution Vulnerability

2013-05-21 Thread Vulnerability Lab
Title:
======
Sony PS3 Firmware v4.31 - Code Execution Vulnerability


Date:
=====
2013-05-12


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=767


VL-ID:
======
767


Common Vulnerability Scoring System:
====================================
6.5


Introduction:
=============
The PlayStation 3 is the third home video game console produced by Sony 
Computer Entertainment and the successor to the 
PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes 
with Microsoft`s Xbox 360 and Nintendo`s Wii 
as part of the seventh generation of video game consoles. It was first released 
on November 11, 2006, in Japan, with 
international markets following shortly thereafter.

Major features of the console include its unified online gaming service, the 
PlayStation Network, its multimedia capabilities, 
connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as 
its primary storage medium.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )


PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming 
and digital media delivery service provided/run 
by Sony Computer Entertainment for use with the PlayStation 3, PlayStation 
Portable, and PlayStation Vita video game consoles. 
The PlayStation Network is the video game portion of the Sony Entertainment 
Network.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a code execution 
vulnerability in the official Playstation3 v4.31 Firmware.


Report-Timeline:
================
2012-10-26: Researcher Notification & Coordination
2012-11-18: Vendor Notification 1
2012-12-14: Vendor Notification 2
2012-01-18: Vendor Notification 3
2012-**-**: Vendor Response/Feedback
2012-05-01: Vendor Fix/Patch by Check
2012-05-13: Public Disclosure


Status:
=======
Published


Affected Products:
==================
Sony
Product: Playstation 3 4.31


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local code execution vulnerability is detected in the official Playstation3
v4.31 Firmware. The vulnerability allows local attackers to inject and execute
code out of the vulnerable ps3 menu main web context.

There are 3 types of save games for the Sony ps3. The report is only bound to
the .sfo save games of the Playstation3. The ps3 save games sometimes use a
PARAM.SFO file in the folder (USB or PS3 HD) to display movable text like
marquees, in combination with a video, sound and the (path) background picture.
Normally the ps3 firmware parses the redisplayed save game values & detail
information text when processing to load it via usb/ps3-hd. The import ps3
preview filtering can be bypassed via a split char-by-char injection of script
code or system (ps3 firmware) specific commands.

The attacker synchronizes his computer (to change the usb context) with USB
(Save Game) and connects to the network (USB, COMPUTER, PS3), updates the save
game via computer and can execute the context directly out of the ps3 savegame
preview listing menu (SUB/HD). The exploitation requires local system access, a
manipulated .sfo file and a USB device. The attacker can only use the given
byte size of the saved string (attribute values) to inject his own commands or
script code.

The ps3 filter system of the SpeicherDaten (DienstProgramm) module does not
recognize special chars and does not provide any kind of input restrictions.
Attackers can manipulate the .sfo file of a save game to execute system
specific commands or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local
system command execution, psn session hijacking, persistent phishing attacks,
external redirects out of the vulnerable module, and stable persistent save
game preview listing context manipulation.


Vulnerable Section(s):
[+] PS Menu & Game (Spiel)

Vulnerable Module(s):
[+] SpeicherDaten (DienstProgramm) PS3 & USB Gerät

Affected Section(s):
[+] Title - Save Game Preview Resource (Detail Listing)


Proof of Concept:
=================
The firmware preview listing validation vulnerability can be exploited by local
attackers with low or medium required user interaction.
For demonstration or to reproduce ...

The attacker needs to sync his computer (to change the usb context) with USB
(Save Game) and connect to the network (USB, COMPUTER, +PS3), update the save
game via computer, and can then execute the context directly out of the ps3
savegame preview listing menu (SUB/HD). The exploitation requires local system
access, a manipulated .sfo file and a USB device. The attacker can only use the
given byte size of the saved string (attribute values) to inject his own
commands or script code.

The 

[slackware-security] kernel (SSA:2013-140-01)

2013-05-21 Thread Slackware Security Team


[slackware-security]  kernel (SSA:2013-140-01)

New Linux kernel packages are available for Slackware 13.37 and 14.0 to fix
a security issue.


Here are the details from the Slackware 14.0 ChangeLog:
+--+
patches/packages/linux-3.2.45/*:  Upgraded.
  Upgraded to new kernels that fix CVE-2013-2094, a bug that can allow local
  users to gain a root shell.  Be sure to upgrade your initrd and reinstall
  LILO after upgrading the kernel packages.
  For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2094
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the Get Slack section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/linux-2.6.37.6-3/

Updated packages for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/linux-2.6.37.6-3/

Updated packages for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/linux-3.2.45/

Updated packages for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/linux-3.2.45/


MD5 signatures:
+-+



Installation instructions:
++

Upgrade the packages as root:
# upgradepkg kernel-*.txz

On Slackware 14.0 systems the kernel version has changed, so you will need
to rebuild your initrd if you are using one.

For Slackware 64-14.0 use this command:
/usr/share/mkinitrd/mkinitrd_command_generator.sh -k 3.2.45 | bash

For Slackware 14.0 (32-bit) SMP, use this command:
/usr/share/mkinitrd/mkinitrd_command_generator.sh -k 3.2.45-smp | bash

For Slackware 14.0 (32-bit) uniprocessor, use this command:
/usr/share/mkinitrd/mkinitrd_command_generator.sh -k 3.2.45 | bash

Please note that uniprocessor has to do with the kernel you are running,
not with the CPU.  Most systems should run the SMP kernel if they can
regardless of the number of cores the CPU has.  If you aren't sure which
kernel you are running, run uname -a.  If you see SMP there, you are
running the SMP kernel and should use the 3.2.45-smp version when running
mkinitrd_command_generator.  Note that this is only for 32-bit -- 64-bit
systems should always use 3.2.45 as the version.

For all systems (13.37 and 14.0):

If needed, edit your /etc/lilo.conf to adjust the version number on the
image = line.  By default this will not have a