Symantec VIP Access Desktop Arbitrary DLL Execution
[+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/SYMANTEC-VIP-ACCESS-ARBITRARY-DLL-EXECUTION.txt [+] ISR: ApparitionSec Vendor: www.symantec.com Product: === Symantec VIP Access Desktop versions prior to 2.2.2 Vulnerability Type: === Arbitrary DLL Execution CVE Reference: == CVE-2016-6593 Vulnerability Details: = VIP Access Desktop UI Manager invokes DLLs from the current working folder during startup. A malicious local user can create specifically modified DLLs to replace the normal product DLLs required during startup. Then, by redirecting the startup path of the VIP Access Desktop UI Manager the user can cause the VIP Access Desktop UI Manager to invoke the substituted DLL instead of the required product DLL. Any specifically modified code execution could be performed with logged-on user privileges, which is normally user-level access in currently supported operating systems. Ultimately, this problem is caused by a failure to properly validate required product DLLs during start-up. This could result in a local user being able to manipulate VIP Access Desktop to load and execute an arbitrary DLL of the users choice with user-level privileges. Reference: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory=security_advisory==20161208_00 Disclosure Timeline: == Vendor Notification: February 4, 2016 December 8, 2016 : Public Disclosure Exploitation Technique: === Local [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. hyp3rlinx
AST-2016-009:
Asterisk Project Security Advisory - ASTERISK-2016-009 ProductAsterisk Summary Nature of Advisory Authentication Bypass SusceptibilityRemote unauthenticated sessions Severity Minor Exploits KnownNo Reported On October 3, 2016 Reported By Walter Doekes Posted On Last Updated OnDecember 8, 2016 Advisory Contact Mmichelson AT digium DOT com CVE Name Description The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you. Resolution chan_sip has been patched to only treat spaces and horizontal tabs as whitespace following a header name. This allows for Asterisk and authenticating proxies to view requests the same way Affected Versions Product Release Series Asterisk Open Source 11.xAll Releases Asterisk Open Source 13.xAll Releases Asterisk Open Source 14.xAll Releases Certified Asterisk 13.8All Releases Corrected In Product Release Asterisk Open Source 11.25.1, 13.13.1, 14.2.1 Certified Asterisk11.6-cert16, 13.8-cert4 Patches SVN URL Revision Links Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at
AST-2016-008: Crash on SDP offer or answer from endpoint using Opus
Asterisk Project Security Advisory - AST-2016-008 ProductAsterisk SummaryCrash on SDP offer or answer from endpoint using Opus Nature of Advisory Remote Crash SusceptibilityRemote unauthenticated sessions Severity Critical Exploits KnownNo Reported On November 11, 2016 Reported By jorgen Posted On Last Updated OnNovember 15, 2016 Advisory Contact jcolp AT digium DOT com CVE Name Description If an SDP offer or answer is received with the Opus codec and with the format parameters separated using a space the code responsible for parsing will recursively call itself until it crashes. This occurs as the code does not properly handle spaces separating the parameters. This does NOT require the endpoint to have Opus configured in Asterisk. This also does not require the endpoint to be authenticated. If guest is enabled for chan_sip or anonymous in chan_pjsip an SDP offer or answer is still processed and the crash occurs. Resolution The code has been updated to properly handle spaces separating parameters in the fmtp line. Upgrade to a released version with the fix incorporated or apply patch. Affected Versions ProductRelease Series Asterisk Open Source 13.x13.12.0 and higher Asterisk Open Source 14.xAll Versions Corrected In Product Release Asterisk Open Source13.13.1, 14.2.1 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2016-008-13.diff Asterisk 13 http://downloads.asterisk.org/pub/security/AST-2016-008-14.diff Asterisk 14 Links https://issues.asterisk.org/jira/browse/ASTERISK-26579 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2016-008.pdf and http://downloads.digium.com/pub/security/AST-2016-008.html Revision History Date Editor Revisions Made November 15, 2016 Joshua Colp Initial draft of Advisory Asterisk Project Security Advisory - AST-2016-008 Copyright © 2016 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.
CVE-2013-1306: MSIE 9 MSHTML CDispNode::InsertSiblingNode use-after-free details
Since November I have been releasing details on all vulnerabilities I found that I have not released before. This is the twenty-eighth entry in the series. This information is available in more detail on my blog at http://blog.skylined.nl/20161208001.html. There you can find a repro that triggered this issue in addition to the information below. Today's release is again not very interesting, because it also was one of the first bugs I found and reported back in 2012, before I had developed the tools and skills to properly analyze MSIE bugs. This report is therefore very scarce in information. I did get some more details from EIP about the root cause, which I've included. If you find this information useful, and would like to help me make time to continue releasing this kind of information, you can make a donation in bitcoin to 183yyxa9s1s1f7JBpPHPmzQ346y91Rx5DX. Follow me on http://twitter.com/berendjanwever for daily browser bugs. MSIE 9 MSHTML CDispNode::InsertSiblingNode use-after-free = (MS13-037, CVE-2013-1306) Synopsis A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability. Known affected software and attack vectors -- * Microsoft Internet Explorer 9 An attacker would need to get a target user to open a specially crafted web-page. JavaScript does not appear to be required for an attacker to triggering the vulnerable code path. Details --- This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. The EIP provided me with some details of their analysis, which I'll paraphrase here: It is a use-after-free vulnerability where the span object in the frame.html file is reused after being freed. It appears to be impossible to reallocate the freed memory before it is reused. Part of the freed memory is overwritten when it is freed because a WORD `FreeEntryOffset` value is stored at offset 0. This value is then used as part of a pointer to a vftable in order to call a method. This pointer now consist of the upper 16-bits of the old vftable and the lower 16-bits contain the `FreeEntryOffset` value. Exploitation is near impossible without a way to have more control over this pointer in the freed memory block. ZDI also did a more thorough analysis and [provide very similar details in their advisory at http://www.zerodayinitiative.com/advisories/ZDI-13-082/ Time-line - * 27 September 2012: This vulnerability was found through fuzzing. * 3 October 2012: This vulnerability was submitted to EIP. * 11 October 2012: This vulnerability was rejected by EIP. * 2 November 2012: This vulnerability was submitted to ZDI. * 19 November 2012: This vulnerability was acquired by ZDI. * 22 January 2013: This vulnerability was disclosed to Microsoft by ZDI. * 29 May 2013: Microsoft addresses this vulnerability in MS13-037. * 8 December 2016: Details of this vulnerability are released. Cheers, SkyLined 0x2557C5AA.asc Description: application/pgp-keys signature.asc Description: OpenPGP digital signature