Zero Day Initiative - Blog

The March 2024 Security Update Review

12 March 2024 at 17:29

It’s the second Tuesday of the month, and Adobe and Microsoft have released a fresh crop of security updates. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for March 2024

For March, Adobe released six patches addressing 56 vulnerabilities in Adobe Experience Manager, Premiere Pro, ColdFusion, Adobe Bridge, Lightroom, and Adobe Animate. Two of these bugs were submitted through the ZDI Program. The largest is the update for Experience Manager, which addresses 44 CVEs. However, all but two of these are simple cross-site scripting (XSS) bugs. The fix for Adobe Animate corrects four CVEs. Only one of these CVEs is rated Critical and could lead to arbitrary code execution if a user opens a specially crafted file on an affected system. The other three bugs are all memory leaks resulting from Out-of-Bounds (OOB) Read bugs. The patch for Premiere Pro fixes two Critical-rated bugs that also require user interaction to gain code execution.

For those still running ColdFusion, there’s a single Critical-rated arbitrary file system read bug getting fixed. Adobe also recommends updating your ColdFusion JDK/JRE LTS version to the latest update release. The fix for Adobe Bridge addresses three Critical-rated and one Important-rated bug. The worst could lead to code execution when opening a specially crafted file. The final patch fixes a single code execution bug in Lightroom. Adobe also made the odd decision to stop tweeting when its patches become available and to limit communication to just email subscriptions. Let’s hope they reverse that decision, as many people (myself included) rely on the Twitter feed for notifications.

And with this release, anyone targeting Adobe Reader at next week’s Pwn2Own Vancouver event can breathe a sigh of relief. It seems your exploits won’t be patched before the event.  

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for March 2024

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; Skype; Microsoft Components for Android; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 64. One of these bugs was reported through the ZDI program.

Of the new patches released today, two are rated Critical, and 57 are rated Important in severity. This is a relatively low volume for March, especially considering this is the last patch cycle before the Pwn2Own contest next week. Vendors usually try to patch as much as possible knowing we update all targets to the latest release. Considering Microsoft has several targets in the contest, it’s interesting to see such a small release.

None of the CVEs released today are listed as publicly known or under active attack, but that could change. After the February release, Microsoft revised multiple updates to indicate they were being actively exploited. For now, nothing is listed as in the wild. I’ll update this blog should that change.

Let’s take a closer look at some of the more interesting updates for this month, starting with a Critical-rated Hyper-V bug:

-       CVE-2024-21407 – Windows Hyper-V Remote Code Execution Vulnerability
This is one of the two Critical-rated bugs for this month, and this is the only one that could result in code execution. This vulnerability would allow a user on a guest OS to execute arbitrary code on the host OS. This is often referred to as a guest-to-host escape and could be used to impact other guest OSes on the server. It’s a shame we won’t see this bug get exploited at Pwn2Own next week, where it could have won $250,000. Maybe next year.

-       CVE-2024-26198 – Microsoft Exchange Server Remote Code Execution Vulnerability
It seems there are Exchange patches almost every month now, and March is no different. This bug is a classic DLL loading vulnerability. An attacker places a specially crafted file in a location they control. They then entice a user to open the file, which loads the crafted DLL and leads to code execution. Last month, Microsoft stated the Exchange bug was being actively exploited only after the release. This bug is currently NOT listed as exploited in the wild, but I’ll update this blog should Microsoft change its mind (again).

-       CVE-2024-21334 – Open Management Infrastructure (OMI) Remote Code Execution Vulnerability
This bug carries the highest CVSS score of this release at 9.8. It would allow a remote, unauthenticated attacker to execute code on OMI instances exposed to the Internet. It’s not clear how many of these systems are reachable through the Internet, but it’s likely a significant number. Microsoft gives this an “Exploitation less likely” rating, but considering this is a simple Use After Free (UAF) bug on a juicy target, I would expect to see scanning for TCP port 5986 on the uptick soon.

-       CVE-2024-21400 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability
This bug allows an unauthenticated attacker to access the untrusted AKS Kubernetes node and AKS Confidential Container to take over confidential guests and containers. Successful exploitation would allow the attacker to steal credentials and affect other resources. While that’s bad enough, patching won’t be straightforward. Customers must ensure they are running the latest version of “az confcom” and Kata Image. The bulletin contains additional information on the commands needed. Be sure to check it out.

Here’s the full list of CVEs released by Microsoft for March 2024:

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2024-21408 | Windows Hyper-V Denial of Service Vulnerability | Critical | 5.5 | No | No | DoS
CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2024-21392 | .NET and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-26203 | Azure Data Studio Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2024-21421 † | Azure SDK Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2024-21431 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB
CVE-2023-28746 * | Intel: CVE-2023-28746 Register File Data Sampling (RFDS) | Important | N/A | No | No | Info
CVE-2024-21438 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-21390 | Microsoft Authenticator Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2024-21400 † | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | Important | 9 | No | No | EoP
CVE-2024-20671 | Microsoft Defender Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB
CVE-2024-26164 | Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21419 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2024-26198 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26201 | Microsoft Intune Linux Agent Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP
CVE-2024-21451 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26159 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21440 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26162 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26199 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-26190 | Microsoft QUIC Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2024-21426 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2024-21448 † | Microsoft Teams for Android Information Disclosure Vulnerability | Important | 5 | No | No | Info
CVE-2024-21441 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21444 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21450 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26161 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-26166 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21434 | Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21446 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21330 | Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21334 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE
CVE-2024-26204 | Outlook for Android Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2024-21411 † | Skype for Consumer Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21418 | Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-26165 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2024-26160 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2024-26170 | Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-26185 | Windows Compressed Folder Tampering Vulnerability | Important | 6.5 | No | No | Tampering
CVE-2024-26169 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21437 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21436 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21427 | Windows Kerberos Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB
CVE-2024-26181 | Windows Kernel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2024-26182 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-26173 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-26176 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-26178 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21443 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2024-26174 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2024-26177 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2024-21435 | Windows OLE Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2024-26197 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2024-21439 | Windows Telephony Server Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2024-21432 | Windows Update Stack Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2024-21430 | Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability | Important | 5.7 | No | No | RCE
CVE-2024-21429 | Windows USB Hub Driver Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE
CVE-2024-21442 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2024-21445 | Windows USB Print Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2024-26167 | Microsoft Edge for Android Spoofing Vulnerability | Unknown | 4.3 | No | No | Spoofing
CVE-2024-2173 * | Chromium: CVE-2024-2173 Out of bounds memory access in V8 | High | N/A | No | No | RCE
CVE-2024-2174 * | Chromium: CVE-2024-2174 Inappropriate implementation in V8 | High | N/A | No | No | RCE
CVE-2024-2176 * | Chromium: CVE-2024-2176 Use after free in FedCM | High | N/A | No | No | RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


The only other Critical-rated bug is a Denial-of-Service (DoS) vulnerability in Hyper-V Server. Microsoft does not indicate how extensive the DoS is or if the system automatically recovers, but considering its rating, the bug likely shuts down the entire system.

Moving on to the other remote code execution bugs, as we saw last month, there are many impacting SQL clients that would require connecting to a malicious SQL server. Practical exploitation is unlikely without significant social engineering. That’s not the case for the bug in Django Backend for SQL Server. This vulnerability is a classic SQL injection via unsanitized parameters. There’s also a DLL loading bug for Windows OLE. The RCE bug in SharePoint requires user interaction in that the threat actor needs to convince the user to open a specially crafted file. Social engineering will also be required for the Skype for Consumer vulnerability. You’ll also need to manually download the latest version of Skype here as there doesn’t seem to be an automated upgrade option. The final two RCE bugs are a bit rare in that they require physical access to the target system. Both vulnerabilities rely on the attacker plugging a device into an open USB port. It’s uncommon to see patches for bugs with this physical attack vector, but it’s good to see Microsoft is willing to make updates for these types of issues.

Speaking of rarities, there is a single patch for a Tampering bug in the Windows compressed folder component. Microsoft doesn’t give any indication of how the vulnerability would manifest other than to say it requires a user to open a specially crafted file. After that, it’s not clear what is actually being tampered with, although the inclination is to believe an attacker could change file contents with this bug.

There are more than 20 elevation of privilege (EoP) patches in this month’s release. In most cases, a local attacker would need to run specially crafted code to elevate to SYSTEM. The bug in the telephony component would lead to the similar (but distinctly different) “NT AUTHORITY\Network Service” privilege. The bug in the Azure Data Studio would only elevate to the permission level of the user running the application. Another reminder to not do daily tasks with administrative privileged accounts. The bug in the Microsoft Intune Linux Agent bypasses compliance checks when using custom compliance scripts, thus altering the results. The bug in the Authenticator app sounds quite bad as it could bypass 2FA, but it requires a fair bit of user interaction to succeed. An attacker needs to be already executing code on the target and have the user close and re-open the Authenticator application. The vulnerability in the Windows Installer would allow an attacker to delete files. We recently blogged about a similar bug in the .NET framework. The bug in OMI is interesting in that an attacker could exploit it to communicate as Root with an OMI server. The final EoP patch for March affects the Software for Open Networking in the Cloud (SONiC) component. Successful exploitation would allow an attacker to escalate to Root in the Border Gateway Protocol (BGP) container and perform specific actions that enable them to escape the container.

There are three separate Security Feature Bypass (SFB) patches in this month’s release with the most impactful affecting Windows Defender. The good news is that you’ll likely need to take no action as the Defender engine automatically updates itself. The bad news is that if you’re in an isolated environment or have Defender disabled, you’ll likely need to manually verify the Defender version. Given that this bug allows attackers to prevent Defender from starting, it’s best to make sure you have that patch applied. The bug in the hypervisor-protected code integrity (HVCI) could allow an attacker to bypass code integrity protections, but it requires administrator-level permissions. Another rarity, as exploits that begin with admin permissions rarely get fixed. The final SFB update fixes a bug in Kerberos that could lead to impersonating other users.  

The March release includes five information disclosure bugs, but unusually, only one leaks unspecified memory contents. The two bugs in the kernel could allow an attacker to view registry keys they would otherwise not be able to access. The bug in Teams for Android would allow the reading of files from the private directory of the app. You’ll also need to manually get this update from the Google Play Store. That’s also the case for Outlook for Android. That bug allows attackers to view the ineffable “file contents”. In addition to the one already documented, the March release includes fixes for five different denial-of-service (DoS) bugs in various components. However, Microsoft provides no real information or details for them.

There are two spoofing bugs receiving patches this month, and the one in Microsoft Edge for Android is strange. It was actually published earlier this month but without an actual fix. Instead, it notes, “The security update for Edge for Android is not immediately available.” It seems odd that Microsoft would choose to publish information about the bug without also pushing a fix for the bug. Perhaps it will be updated soon. The other spoofing bug is in the Azure SDK, and you may or may not need to take extra steps to be fully protected. If you are running a deployment created before October 19, 2023, you will need to manually upgrade Azure-core to Azure Core Build 1.29.5 or higher. If you have a deployment from after October 19, you should receive the patch automatically.

There is one new advisory for this month as Microsoft announces the deprecation of Oracle’s libraries within Exchange. This is a long time coming and a welcome change, as Exchange was essentially 0-day’ed every time Oracle updated their libraries.

Finally, there is a single cross-site scripting (XSS) bug in Microsoft Dynamics fixed this month.

Looking Ahead

Be sure to look out for updates from Pwn2Own Vancouver, and if you’re at the CanSecWest conference, please stop by to say hello. I like it when people say hello. The next Patch Tuesday of 2024 will be on April 9, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Yazhi Wang of the Trend Micro Research Team detail a recently patched privilege escalation vulnerability in .NET Framework and Visual Studio. This bug was originally discovered by Piotr Bazydło of Trend Micro’s Zero Day Initiative (ZDI). Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications.


A remote command execution vulnerability has been reported in the Microsoft .NET Framework and Visual Studio. This vulnerability is due to improper validation of user input. An attacker could exploit this vulnerability by sending malicious requests to the FTP servers. Successful exploitation could allow the attacker to write or delete files in the context of the FTP server.

The Vulnerability

The .NET Framework is a software framework for Microsoft Windows that provides development and execution tools for software applications. Applications written for the .NET Framework are executed in the Common Language Runtime (CLR) environment. The CLR takes .NET applications as Common Intermediate Language (CIL) object code and uses a just-in-time (JIT) compiler to compile the CIL object code to native code for the target platform.

FTP is the File Transfer Protocol described in RFC 959 and other RFCs. FTP uses two separate TCP connections - one for control and another for data transfer. A connection to the listening port from the FTP client forms the control stream on which FTP service commands are passed from the FTP client to the FTP server and on occasion from the FTP server to the FTP client. FTP service commands are used for authentication, file transfer, file system functions, etc. FTP commands have the following syntax:

         <command> <SP> [parameters] <CRLF>

where <command> is the string of the command name, and [parameters] are optional or multiple depending on the command. <CRLF> represents the new line sequence Carriage Return (CR) followed by Line Feed (LF), and <SP> represents a space character that separates the command from the parameters, or the parameters from one another. The following is an example of a RETR command, which is used to begin the transmission of a file from the remote host.

         RETR remote-filename

A separate TCP connection is used for the transfer of data when a command, such as STOR, RETR, LIST, and so on, is received. Information, such as command results, the content of the transferred file, and so on are exchanged via this data stream connection. This data stream connection can be initiated by the client or the server. The client can issue the PASV command to request the FTP server to open an ephemeral port to wait for connections from the client. If the client wishes to wait for connections from the server instead, a PORT command is issued.

A command injection vulnerability exists in Microsoft .NET Framework. The vulnerability is due to insufficient validation of FTP command parameters and FTP URI requests. More specifically, the .NET Framework implements a class FtpControlStream to handle basic FTP control connections. In the implementation, it calls an internal function FormatFtpCommand() to form a valid FTP command with command and parameters as arguments. However, when the vulnerable function handles the FTP parameters, it fails to validate if the parameters include CRLF characters. It will form the following FTP commands when the command is "RETR" and the parameter is "onefile<CRLF>DELE otherfile\<CRLF>":

Similarly, another internal function FtpWebRequest() fails to validate whether the URI argument contains <CRLF>. A malicious FTP URI could make the vulnerable function send malicious FTP commands after the FTP connection is established.

The attack vector depends on how the vulnerable .NET functions are used in the FTP applications. An attacker could exploit this vulnerability by sending malicious requests to the FTP server. Successful exploitation could allow the attacker to write or delete files in the context of the FTP server.
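The point of the two paragraphs above is that a single logical FTP command becomes several commands on the wire as soon as the parameter (or the URI path) carries a CR/LF pair, because the server parses the control stream on CRLF. The following added example, which is not code from the .NET runtime or from the Trend Micro report, shows a minimal command builder in the spirit of the FormatFtpCommand() logic in a naive and a hardened form, the server-side view of what each puts on the wire, and a pre-check for FTP URIs. All function names are this example's own; rejecting percent-encoded CR/LF in the URI path is an assumption added here, since it decodes to the same bytes.

```python
"""Added example (not .NET's or Trend Micro's code): naive vs. hardened FTP
control-command formatting, and the server-side split that shows why a CR/LF
in a parameter matters."""
from urllib.parse import unquote, urlsplit
from typing import List

CRLF = "\r\n"


class FtpParameterError(ValueError):
    """Raised when a parameter could terminate the command line early."""


def parameter_is_safe(parameter: str) -> bool:
    """RFC 959 parameters never legitimately contain the line terminator, so
    a bare CR or LF anywhere in the value is the thing to refuse."""
    return "\r" not in parameter and "\n" not in parameter


def format_ftp_command_naive(command: str, parameter: str = "") -> str:
    """Build '<command> <SP> [parameters] <CRLF>' with no validation at all.
    This reproduces the defect class described for CVE-2023-36049: whatever
    the parameter contains is emitted verbatim."""
    return f"{command} {parameter}{CRLF}" if parameter else f"{command}{CRLF}"


def format_ftp_command_safe(command: str, parameter: str = "") -> str:
    """Same layout, but the parameter is refused if it carries CR or LF, so
    one logical command can never expand into several on the wire."""
    if not (command.isascii() and command.isalpha()):
        raise FtpParameterError(f"invalid command name: {command!r}")
    if not parameter_is_safe(parameter):
        raise FtpParameterError("CR/LF is not permitted in FTP command parameters")
    return format_ftp_command_naive(command.upper(), parameter)


def split_commands(wire_text: str) -> List[str]:
    """Server-side view: split the control stream on CRLF, exactly as an FTP
    server parsing commands does. The length of the result is the number of
    commands the server will actually execute."""
    return [line for line in wire_text.split(CRLF) if line]


def ftp_uri_is_safe(uri: str) -> bool:
    """Check an FTP URI before handing it to a client library (the second
    injection point, FtpWebRequest, described above). The raw string is
    checked first because URL parsers, urllib included, silently strip CR/LF
    before parsing; the percent-encoded form is rejected as well (assumption
    of this example), since it decodes to the same bytes."""
    if not parameter_is_safe(uri):
        return False
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ftp":
        return False
    return parameter_is_safe(unquote(parts.path))


if __name__ == "__main__":
    # Constructed input mirroring the parameter from the write-up.
    injected = "onefile" + CRLF + "DELE otherfile" + CRLF
    print(split_commands(format_ftp_command_naive("RETR", injected)))  # two commands
    try:
        format_ftp_command_safe("RETR", injected)
    except FtpParameterError as exc:
        print("rejected:", exc)
```

The naive builder turns one RETR into a RETR followed by a DELE, which is exactly the write/delete impact the report describes; the hardened builder fails closed instead, and the URI check does the same before the connection is ever opened.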

Source Code Walkthrough

The following code snippet was taken from .NET commit 0ed0438152b25a8a19bcc87eb335fa8a089ac8db. Comments added by Trend Micro have been highlighted.

In src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs:

In src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs:

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse all FTP traffic, which is on TCP port 21 by default.

The detection device must inspect if there are multiple FTP commands (multiple CRLF) sent in one packet. If found, the traffic should be considered suspicious, and an attack exploiting this vulnerability is likely underway.

Note that since most FTP servers accept multiple FTP commands in one packet, there might be false positives using this detection guidance in normal FTP traffic.
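To make the guidance above concrete, here is an added example (not part of the original detection guidance) that applies the multiple-commands-per-packet rule to client-to-server control-channel payloads. The payloads are constructed inline; in practice they would come from a capture or sensor on TCP port 21. The confidence tiering is this example's own addition: a multi-command packet whose later commands modify the file system is rated "high", any other multi-command packet "suspicious", which is where the false positives from benign pipelining that the write-up warns about will land.

```python
"""Added example (not Trend Micro's detection code): flag FTP control-channel
packets that carry more than one CRLF-terminated command."""
import re
from dataclasses import dataclass
from typing import List

CRLF = b"\r\n"
# Verbs that change server-side files; the impact described for CVE-2023-36049
# is file write/delete, so these are the ones worth escalating on (assumption).
MUTATING_COMMANDS = {"DELE", "STOR", "STOU", "APPE", "RNFR", "RNTO", "RMD", "MKD"}
COMMAND_RE = re.compile(rb"^([A-Za-z]{3,4})(?: |$)")


@dataclass
class Finding:
    packet_index: int
    commands: List[str]
    confidence: str  # "none", "suspicious" or "high"


def parse_commands(payload: bytes) -> List[str]:
    """Return the command verbs in one payload, one per CRLF-terminated line.
    A trailing fragment without CRLF is a command still in flight (it may be
    completed by the next segment), so it is not counted."""
    verbs = []
    for line in payload.split(CRLF)[:-1]:
        match = COMMAND_RE.match(line)
        if match:
            verbs.append(match.group(1).decode("ascii").upper())
    return verbs


def inspect_packet(index: int, payload: bytes) -> Finding:
    """Apply the multiple-commands-per-packet rule to a single payload."""
    verbs = parse_commands(payload)
    if len(verbs) <= 1:
        return Finding(index, verbs, "none")
    if MUTATING_COMMANDS.intersection(verbs[1:]):
        return Finding(index, verbs, "high")
    return Finding(index, verbs, "suspicious")


def inspect_stream(packets: List[bytes]) -> List[Finding]:
    """Run the rule over an ordered list of payloads and keep the hits."""
    findings = []
    for index, payload in enumerate(packets):
        finding = inspect_packet(index, payload)
        if finding.confidence != "none":
            findings.append(finding)
    return findings


# Constructed sample of client->server control-channel payloads.
SAMPLE_PACKETS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.test\r\n",
    b"PASV\r\n",
    b"RETR onefile\r\nDELE otherfile\r\n",  # the injected parameter from the write-up
    b"TYPE I\r\nPASV\r\n",                  # benign pipelining: the expected false positive
    b"STOR partial",                        # command not yet terminated
]

if __name__ == "__main__":
    for f in inspect_stream(SAMPLE_PACKETS):
        print(f"packet {f.packet_index}: {f.confidence:10s} {' | '.join(f.commands)}")
```

Run as-is it reports packet 3 as "high" (RETR followed by DELE in one segment) and packet 4 as "suspicious" (TYPE and PASV pipelined), which illustrates the trade-off the note above describes: the bare rule catches the injection but also fires on ordinary clients that batch commands, so tiering on what the extra commands do is one way to keep the alert volume useful.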

Conclusion

Microsoft addressed this vulnerability by releasing a patch in November; however, it has been revised multiple times. The most notable revision adds PowerShell versions 7.2, 7.3, and 7.4 as affected platforms. If you are unable to apply the patch, you can prevent exploitation by refusing to accept FTP URIs from untrusted peers or otherwise filtering FTP traffic. Still, it is recommended to apply the vendor fix to fully resolve this vulnerability.

Special thanks to Justin Hung and Yazhi Wang of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

The February 2024 Security Update Review

12 February 2024 at 15:16

It’s the second patch Tuesday of the year, and Adobe and Microsoft have released a fresh crop of security updates just in time to be our Valentine. Take a break from your other activities and join us as we review the details of their latest advisories. For those interested in the Microsoft 0-day discovered by the ZDI Threat Hunting Team, you can watch this special edition of the Patch Report:

If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for February 2024

For February, Adobe released six patches addressing 29 CVEs in Adobe Acrobat and Reader, Commerce, Substance 3D Painter, FrameMaker Publishing Server, Audition, and Substance 3D Designer. A total of four of these bugs were reported through the ZDI program. If you need to prioritize, I would suggest starting with the update for Acrobat and Reader. The patch fixes five Critical-rated arbitrary code execution bugs that are often used in phishing and ransomware campaigns. The fix for Commerce also has a couple of Critical-rated code execution bugs being addressed. Considering this is an aptly named commerce platform, rolling patches quickly here also makes sense.

The updates for Substance 3D Painter and Substance 3D Designer address nine and one bug respectively. The most severe of these would result in arbitrary code execution, but they also require user interaction – something like opening a specially crafted file or browsing to a malicious URL. The patch for the FrameMaker Publishing Server (not to be confused with FrameMaker itself) fixes a security feature bypass (SFB) that’s rated at a CVSS 9.8. Although not specifically stated, that reads like either a complete authentication bypass or hard-coded credentials. The final patch for Adobe Audition corrects a single heap-based buffer overflow that could lead to arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for February 2024

This month, Microsoft released 72 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 78. Two of these bugs were reported through the ZDI program, including one of the bugs under active attack.

Of the new patches released today, five are rated Critical, 65 are rated Important, and two are rated Moderate in severity. This is a relatively typical volume of fixes for a February release, and so far, the number of fixes from Adobe and Microsoft is lower than last year over the same time. It will be interesting to see if this trend continues throughout 2024.

Two of these CVEs are listed as under active attack at the time of release, although neither is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the discovery made by the ZDI Threat Hunting team:

-       CVE-2024-21412 – Internet Shortcut Files Security Feature Bypass Vulnerability
This is the bug found by Peter Girnus and the rest of the ZDI Threat Hunting team. I won’t go into great detail about the technical aspects of the bug because my colleagues at Trend Micro Research have already done that here. The video above also provides some context and a demonstration of the vulnerability. This bug is currently targeting forex traders with a remote access trojan through forum posts and responses, but we expect it to spread now that it is publicly known. Trend Micro customers are already protected by various filters and virtual patches, but everyone else should test and deploy this fix as soon as possible.

-       CVE-2024-21351 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the other actively exploited bug being patched this month, and it appears to be very similar to the previous ITW exploit. Windows uses Mark-of-the-Web (MotW) to distinguish files that originate from an untrusted location. SmartScreen bypasses in Windows Defender allow attackers to evade this inspection and run code in the background. Microsoft does not indicate how widespread these attacks may be but you should expect exploits to increase as threat actors add this to their toolkits. Again, test and deploy this update quickly.

-       CVE-2024-21410 – Microsoft Exchange Server Elevation of Privilege Vulnerability
*Note: On February 14, Microsoft updated their advisory to indicate this bug is being actively exploited in the wild
It’s been a minute since we’ve had an Exchange Server patch, and this vulnerability doesn’t disappoint with a CVSS rating of 9.8. A remote, unauthenticated attacker could use this bug to relay NTLM credentials and impersonate other users on the Exchange server. Patching won’t be straightforward either – if there is such a thing as a straightforward patch for Exchange Server. You’ll need to make sure to install the Exchange Server 2019 Cumulative Update 14 (CU14) update and ensure the Extended Protection for Authentication (EPA) feature is enabled. Microsoft has provided this article with additional information for Exchange administrators.

-       CVE-2024-21413 – Microsoft Outlook Remote Code Execution Vulnerability
*Note: On February 14, Microsoft updated their advisory to indicate this bug is being actively exploited in the wild - then they changed the bulletin again and said it wasn’t

This is an intriguing bug that allows an attacker to bypass the Office Protected View and open a file in editing mode rather than protected mode. Not only does this somehow allow code execution to occur, but it could also occur in the Preview Pane. This vulnerability also rates a CVSS of 9.8, so the severity isn’t being overstated. Also, users of the 32- and 64-bit versions of Office 2016 will need to install multiple updates to fully address this vulnerability. Be sure to close all running Office apps when installing these fixes to help avoid a reboot, which is listed as a “Maybe” for the Office 2016 patches.

Here’s the full list of CVEs released by Microsoft for February 2024:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability | Important | 8.1 | No | Yes | SFB |
| CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability | Moderate | 7.6 | No | Yes | SFB |
| CVE-2024-21410 † | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 9.8 | No | Yes | EoP |
| CVE-2024-21413 † | Microsoft Outlook Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | Critical | 8 | No | No | Info |
| CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability | Critical | 6.5 | No | No | DoS |
| CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2024-21386 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21404 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21329 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2024-20667 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2024-20679 | Azure Stack Hub Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2024-21394 | Dynamics 365 Field Service Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2024-21396 | Dynamics 365 Sales Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2024-21328 | Dynamics 365 Sales Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2024-21348 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21349 | Microsoft ActiveX Data Objects Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21381 † | Microsoft Azure Active Directory B2C Spoofing Vulnerability | Important | 6.8 | No | No | Spoofing |
| CVE-2024-21397 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | Important | 5.3 | No | No | EoP |
| CVE-2024-21403 † | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | Important | 9 | No | No | EoP |
| CVE-2024-21376 † | Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability | Important | 9 | No | No | RCE |
| CVE-2024-21315 | Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21395 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 8.2 | No | No | XSS |
| CVE-2024-21389 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2024-21393 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2024-21327 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2024-21401 † | Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability | Important | 9.8 | No | No | EoP |
| CVE-2024-21354 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21355 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-21405 | Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-21363 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-21347 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2024-21384 | Microsoft Office OneNote Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-20673 † | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-21402 | Microsoft Outlook Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2024-21378 | Microsoft Outlook Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2024-21374 | Microsoft Teams for Android Information Disclosure | Important | 5 | No | No | Info |
| CVE-2024-21353 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21350 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21352 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21358 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21360 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21361 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21366 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21369 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21375 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21420 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21359 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21365 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21367 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21368 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21370 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21391 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21379 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-50387 * | MITRE: CVE-2023-50387 DNS RRSIGs and DNSKEYs validation can be abused to remotely consume DNS server resources | Important | N/A | No | No | DoS |
| CVE-2024-20695 | Skype for Business Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2024-21304 | Trusted Compute Base Security Feature Bypass Vulnerability | Important | 4.1 | No | No | SFB |
| CVE-2024-21346 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21406 | Windows Device Metadata Retrieval Client (DMRC) Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing |
| CVE-2024-21342 | Windows DNS Client Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21377 | Windows DNS Information Disclosure Vulnerability | Important | 7.1 | No | No | Info |
| CVE-2024-21345 | Windows Kernel Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2024-21338 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21371 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-21340 | Windows Kernel Information Disclosure Vulnerability | Important | 4.6 | No | No | Info |
| CVE-2024-21341 | Windows Kernel Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2024-21362 | Windows Kernel Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
| CVE-2024-21356 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2024-21343 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
| CVE-2024-21344 | Windows Network Address Translation (NAT) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
| CVE-2024-21372 | Windows OLE Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-21339 | Windows USB Generic Parent Driver Remote Code Execution Vulnerability | Important | 6.4 | No | No | RCE |
| CVE-2024-21364 | Microsoft Azure Site Recovery Elevation of Privilege Vulnerability | Moderate | 9.3 | No | No | EoP |
| CVE-2024-21399 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 8.3 | No | No | RCE |
| CVE-2024-1059 * | Chromium: CVE-2024-1059 Use after free in WebRTC | High | N/A | No | No | RCE |
| CVE-2024-1060 * | Chromium: CVE-2024-1060 Use after free in Canvas | High | N/A | No | No | RCE |
| CVE-2024-1077 * | Chromium: CVE-2024-1077 Use after free in Network | High | N/A | No | No | RCE |
| CVE-2024-1283 * | Chromium: CVE-2024-1283: Heap buffer overflow in Skia | High | N/A | No | No | RCE |
| CVE-2024-1284 * | Chromium: CVE-2024-1284: Use after free in Mojo | High | N/A | No | No | RCE |

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Looking at the remaining Critical-rated bugs, the fix for Dynamics Business Central stands out as it could lead to a threat actor accessing other tenants’ applications and content. The attacker must be authenticated, but successful exploitation would grant them read, write, and delete functionality. You don’t see Critical-rated DoS bugs often, but the patch for Hyper-V deserves the rating as a guest OS could impact the Hyper-V host. The vulnerability in Pragmatic General Multicast (PGM) is serious but less likely to be exploited as it requires the attacker to be network adjacent. Multicast messages aren’t routable beyond a single network segment.

Moving on to the other code execution bugs, SQL clients are having a moment with 18 different patches. Thankfully, each of these bugs requires an affected client to connect to a malicious SQL Server, so practical exploitation is unlikely without significant social engineering. It’s the same scenario for the bug in ActiveX, too. The more concerning bugs are in Word and Outlook and have the Preview Pane as an attack vector. Word bugs are typically open-and-own, but having one that hits in the Preview Pane is definitely a rarity. The other RCEs in Office components are more traditional, but CVE-2024-20673 also requires users of the 32- and 64-bit versions of Office 2016 to install multiple updates to be protected. Speaking of extra steps, there are additional actions required to address the bug in the Azure Kubernetes Service. As stated by Microsoft in the bulletin:


Customers who do not have az confcom installed can install the latest version by executing az extension add -n confcom. Customers who are running versions prior to 0.3.3 need to update by executing az extension update -n confcom. For more information, see https://learn.microsoft.com/en-us/cli/azure/extension?view=azure-cli-latest#az-extension-update and Confidential computing plugin for Confidential VMs.


The bug in Azure DevOps requires attackers to have Queue Build permissions. The bug in Microsoft Message Queuing (MSMQ) is written as an “open and own” style bug. This could mean opening an application that uses MSMQ could trigger the bug, but it’s not clear. It’s also not clear how an attacker would get RCE through the USB driver or Windows kernel. One can assume plugging in a malicious USB drive for the former, but the latter is definitely more opaque. Kernel bugs tend to either be privilege escalations or info disclosures. Maybe this is something through SMB?

There are a total of 14 different elevation of privilege (EoP) patches in this month’s release, and most simply result in an authenticated attacker executing code at SYSTEM on a target. There are some notable exceptions, starting with the CVSS 9.8 bug in the Entra Jira SSO plugin. A remote, unauthenticated attacker could fully update Entra ID SAML metadata and info for the plugin. The attacker could then change the authentication of the application to their tenant as needed. Patching this requires the admin to download and install version 1.1.2 of the plugin either from the Microsoft Download Center or from the Atlassian Marketplace. You also need to take the same steps to address the bug in the Azure Kubernetes Service as are listed above. The escalation in Azure File Sync allows attackers to create files in directories where they shouldn’t have access. They wouldn’t be able to modify or delete existing files. The Moderate-rated (yet somehow CVSS 9.3) bug in Azure Site Recovery could allow an attacker to obtain the MySQL root password – allowing even further compromise. Not sure how that ended up as “Moderate”, but I would treat it as critical if you are running Azure Site Recovery. Finally, the privilege escalation in Outlook simply yields code execution at the level of the user running the application.

There are only a few information disclosure bugs receiving fixes in this month’s release. The bugs in the Windows kernel and DNS server only result in info leaks consisting of unspecified memory contents. The vulnerability in Skype for Business (remember it?) would allow an attacker to view file contents. Microsoft doesn’t specify what information can be disclosed by the bug in Teams for Android, but they do note user interaction is required. You’ll also need to get the update directly from the Android Play Store to be protected from this vulnerability.

In addition to the two I’ve already mentioned, there are two additional SFB patches released this month. The SFB in the kernel allows attackers to bypass the Windows Code Integrity Guard (CIG). The final SFB in Trusted Compute Base could allow an attacker to bypass – you guessed it – Secure Boot.

In addition to those already documented, the February release includes fixes for just over a half dozen denial-of-service (DoS) bugs. However, Microsoft provides no real information or details for them. If I were to guess, I would put the DNS and LDAP bugs at the top of my severity rankings due to their role in the enterprise.

This month’s release also includes six fixes for spoofing bugs. Three of these are in Dynamics 365 and would allow an attacker to modify the content of a link on an affected system to redirect the victim to a malicious site. There’s a fix for the Device Metadata Retrieval Client (DMRC) that addresses a vulnerability triggered when a remote attacker sends a specially crafted packet to an affected system. The final two spoofing bugs are both in Azure. The bug in Azure Stack Hub requires a user to click on a link. The bug in Azure Active Directory requires an attacker to intercept traffic (MitM), but servicing goes beyond just installing a patch. Microsoft rolled out a fix already that includes Proof Key for Code Exchange (PKCE) as outlined here. However, not all customers may have received the update. If you were notified directly via Azure Service Health Alerts under Tracking ID: XXXXXX, you will need to take additional actions.

Finally, there are four cross-site scripting (XSS) bugs in Microsoft Dynamics receiving patches. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2024 will be on March 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

CVE-2023-46263: Ivanti Avalanche Arbitrary File Upload Vulnerability

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Ivanti Avalanche enterprise mobility management program. Other Ivanti products have recently been under active exploitation, and the mobile device management system is an attractive target. This bug was originally reported to the ZDI program by an anonymous researcher and was also discovered by Lucas Miller of Trend Micro Research. Successful exploitation of this vulnerability would allow an authenticated attacker to execute code in the context of SYSTEM. The following is a portion of their write-up covering CVE-2023-46263, with a few minimal modifications.


An arbitrary file upload vulnerability has been reported for Ivanti Avalanche. This vulnerability is due to improper input validation in the FileStoreConfig app.

A remote, authenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successfully exploiting this vulnerability could result in remote code execution as SYSTEM.

The Vulnerability

Ivanti Avalanche is a mobile device management system. The Central FileStore and the Central File Server in Avalanche are used to store and distribute files that are associated with payloads for mobile device configuration. For example, .apk files or OS update files could be stored in the Central FileStore. The Central FileStore is relevant to understanding this vulnerability.

The Avalanche web interface can be accessed over HTTP on TCP port 8080 as follows:

HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:

where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF). SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a simple HTTP request passing a parameter named “param” with value “1”, using the GET method might look like:

A corresponding HTTP request using the POST method might look like:

If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:

Avalanche allows users to change the location where the Central FileStore saves files by changing the FileStore path through the web interface. To change the FileStore path, a request to AvalancheWeb/app/FileStoreConfig.jsf is made, and the request is handled by the com.wavelink.amc.web.view.FileStoreConfigBean class. The request includes a txtUncPath request parameter that contains the new path to store files. Before saving the new values, the validateFileStoreUncPath method is called to verify the new path is allowed. The path is checked against a deny list of disallowed values and for directory traversal characters. If the path passes the checks, the new path is saved. Future uploads to the FileStore will be stored in the new location.

An arbitrary file upload vulnerability exists in the Central FileStore. The vulnerability is due to insufficient sanitization of the txtUncPath field in the Central FileStore configuration settings. The validateFileStoreUncPath method attempts to prevent the new path from containing the webroot folders for Avalanche servers in the path. However, the validateFileStoreUncPath method does not prevent the use of the parent folder of the RemoteControl server webroot folder at: “C:\ProgramData\Wavelink\Avalanche\RemoteControlServer\app\”. An attacker can set the txtUncPath value to “C:\ProgramData\Wavelink\Avalanche”, bypassing the disallowed path checks. Then an attacker can send a request to upload a malicious file to the “RemoteControlServer\app” subfolder. The RemoteControl server is typically used to control connected Windows Mobile/CE devices and can be accessed by sending an HTTP request to http://<hostname>:1900/. By default, the RemoteControl server executes Velocity macro code. By uploading a crafted file to the RemoteControl server webroot, an attacker could execute arbitrary commands on the system.

Source Code Walkthrough

The following code snippet was taken from Ivanti Avalanche version 6.4.1. Comments added by Trend Micro have been highlighted.

From app/FileStoreConfigSettings.xhtml in AvalancheWeb.jar.

From the decompiled WEB-INF.classes.com.wavelink.amc.web.view.CentralFileStoreDialog class in AvalancheWeb.jar.

Detection Guidance

To detect an attack exploiting this vulnerability, the detection device must monitor and parse traffic on TCP ports 8080 (HTTP) and 8443 (HTTPS). Note that the traffic may be SSL encrypted. The detection device may be required to decrypt the traffic before proceeding through the next steps.

The detection device must monitor all HTTP POST requests to a request-URI containing the following path:

      /AvalancheWeb/app/FileStoreConfig.jsf

If such a request is found, then the detection device must search the request body for the linkFileStoreConfigSave parameter. If the linkFileStoreConfigSave parameter value is “linkFileStoreConfigSave”, the value of the txtUncPath parameter must be inspected for the following string:

      ProgramData\Wavelink\Avalanche

If found, the request should be considered suspicious as an attack exploiting this vulnerability is likely underway. Below is an example of a malicious request:
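The following detection logic is an added example and is not part of the Trend Micro report. It splits a raw HTTP request along the request-line / headers / empty-line / body structure described in the HTTP primer earlier in this write-up, then applies the three conditions just listed: a POST to /AvalancheWeb/app/FileStoreConfig.jsf, a linkFileStoreConfigSave parameter equal to “linkFileStoreConfigSave”, and a txtUncPath value containing ProgramData\Wavelink\Avalanche. The sample requests and the host name are constructed for the example, and TLS traffic on 8443 is assumed to have been decrypted before reaching this code. It generalises the guidance in one respect: the txtUncPath comparison is case-insensitive and treats forward slashes as backslashes, since Windows accepts both.

```python
"""Detection logic for the FileStoreConfig path-change pattern described in
the guidance above (added example, not part of the Trend Micro report).

Given a raw HTTP request (already decrypted if it arrived over 8443), the
request is flagged when it is a POST to /AvalancheWeb/app/FileStoreConfig.jsf
whose form body carries linkFileStoreConfigSave=linkFileStoreConfigSave and a
txtUncPath value containing ProgramData\\Wavelink\\Avalanche.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/AvalancheWeb/app/FileStoreConfig.jsf"
SAVE_PARAM = "linkFileStoreConfigSave"
PATH_PARAM = "txtUncPath"
SUSPICIOUS_FRAGMENT = r"programdata\wavelink\avalanche"  # compared case-folded


def parse_http_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP/1.1 request into method, path, headers and body.

    The request line is 'Method SP Request-URI SP HTTP-Version CRLF', headers
    follow one per line, and an empty line separates them from the body.
    Returns None for anything that does not have that shape.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return None
    method, target, _version = request_line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": urlsplit(target).path,
            "headers": headers, "body": body}


def is_filestore_path_abuse(raw: bytes) -> bool:
    """Return True when the request matches all three detection conditions."""
    req = parse_http_request(raw)
    if req is None or req["method"] != "POST" or req["path"] != TARGET_PATH:
        return False
    # JSF submits its form fields URL-encoded; other body types are ignored.
    content_type = req["headers"].get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return False
    params = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    if params.get(SAVE_PARAM, [""])[0] != SAVE_PARAM:
        return False
    # Windows is case-insensitive and accepts either slash, so normalise
    # before looking for the fragment (a small generalisation of the guidance).
    for value in params.get(PATH_PARAM, []):
        if SUSPICIOUS_FRAGMENT in value.replace("/", "\\").lower():
            return True
    return False


# Constructed sample traffic for the example; the host name is invented and
# no real system was involved.
MALICIOUS_REQUEST = (
    b"POST /AvalancheWeb/app/FileStoreConfig.jsf HTTP/1.1\r\n"
    b"Host: avalanche.example.internal:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"linkFileStoreConfigSave=linkFileStoreConfigSave"
    b"&txtUncPath=C%3A%5CProgramData%5CWavelink%5CAvalanche"
)
BENIGN_REQUEST = (
    b"POST /AvalancheWeb/app/FileStoreConfig.jsf HTTP/1.1\r\n"
    b"Host: avalanche.example.internal:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"linkFileStoreConfigSave=linkFileStoreConfigSave"
    b"&txtUncPath=D%3A%5CAvalancheFileStore"
)

if __name__ == "__main__":
    for label, raw in (("constructed malicious", MALICIOUS_REQUEST),
                       ("constructed benign", BENIGN_REQUEST)):
        print(label, "->", "SUSPICIOUS" if is_filestore_path_abuse(raw) else "ok")
```

Matching on the decoded form value rather than the raw body matters here: the backslashes arrive percent-encoded (%5C), so a byte-level search for the literal string would miss a request that the application itself accepts.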

Conclusion

Ivanti patched this vulnerability and several others with the release of version 6.4.2. No other mitigations are listed, so it is recommended that users of Ivanti Avalanche test and deploy this patch to fully address this vulnerability.

Special thanks to Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Pwn2Own Automotive 2024 - Day Three Results

26 January 2024 at 02:08

Welcome to the final day of the first ever Pwn2Own Automotive! We’re already over $1 million in prizes awarded, and today’s attempts will keep the wins going. We’ll be updating this blog as well as social media with results in real time. All times are in Japan Standard Time (GMT +9).

SUCCESS - Computest Sector 7 used a 2-bug chain to exploit the ChargePoint Home Flex. They earn $30,000 and 6 Master of Pwn Points.

FAILURE - Connor Ford was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS - Synacktiv exploited the Sony XAV-AX5500. They earn $20,000 and 4 Master of Pwn Points.

FAILURE - Katsuhiko Sato was not able to get his exploit of the Pioneer DMH-WT7600NEX working in the time allotted.

SUCCESS - Sina Kheirkhah used a 2-bug chain to exploit the Ubiquiti Connect EV. He earns $30,000 and 6 Master of Pwn Points.

SUCCESS / BUG COLLISION - fuzzware.io used a 2-bug chain to exploit the Phoenix Contact CHARX SEC-3100. However, one of the bugs was previously known. They still earn $22,500 and 4.5 Master of Pwn Points.

SUCCESS - Connor Ford of Nettitude used a stack-based buffer overflow in his exploit of the JuiceBox 40 Smart EV Charging Station. He earns $30,000 and 6 Master of Pwn Points.

SUCCESS / BUG COLLISION - Team Cluck used a 4-bug chain to exploit the Phoenix Contact CHARX SEC-3100. However, one of the bugs was previously known. They still earn $26,250 and 5.25 Master of Pwn Points.

SUCCESS - fuzzware.io used a buffer overflow to exploit the EMPORIA EV Charger Level 2. They earn $60,000 and 6 Master of Pwn Points.


The first ever Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to Synacktiv, the Masters of Pwn! Stay with us here and across social media as we prepare for Pwn2Own Vancouver in March!

Pwn2Own Automotive 2024 - Day Two Results

25 January 2024 at 02:48

Welcome to Day Two of the first ever Pwn2Own Automotive. We awarded $722,500 yesterday for 24 unique 0-days. Today’s attempts promise to be just as exciting, with another Tesla attempt at 1300 Japan Standard Time (GMT +9). As always, we’ll be updating this blog with results as we have them.


BUG COLLISION - Team Tortuga successfully used a 2-bug chain against the ChargePoint Home Flex. However, the exploit used was previously known. They still earn $15,000 and 3 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team used a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - Computest Sector 7 successfully executed their attack against the JuiceBox 40 Smart EV Charging Station. However, the bug they used was previously known. They still earn $15,000 and 3 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Autel MaxiCharger AC Wallbox Commercial working in the time allotted.

SUCCESS - The Synacktiv team used a 2-bug chain to attack the Tesla Infotainment System. They earn $100,000 and 10 Master of Pwn Points.

SUCCESS - NCC Group EDG successfully used a 2-bug chain against the Alpine Halo9 iLX-F509. They earn $20,000 and 4 Master of Pwn Points.

FAILURE - PCAutomotive’s attempt to exploit the JuiceBox 40 Smart EV Charging Station was unsuccessful.

BUG COLLISION - Katsuhiko Sato successfully executed his attack against the Sony XAV-AX5500. However, the bug he used was previously known. He still earns $10,000 and 2 Master of Pwn Points.

SUCCESS - Synacktiv used a 3-bug chain to exploit Automotive Grade Linux. They earn $35,000 and 5 Master of Pwn Points.

SUCCESS - Le Tran Hai Tung used a 2-bug chain against the Alpine Halo9 iLX-F509. He earns $20,000 and 4 Master of Pwn Points.

WITHDRAWN - Sina Kheirkhah withdrew his entry against the EMPORIA EV Charger Level 2. Penalty: -3 Master of Pwn Points.

WITHDRAWN - Team Cluck withdrew their entry against Automotive Grade Linux. Penalty: -2.5 Master of Pwn Points.

SUCCESS / BUG COLLISION - Computest Sector 7’s 2-bug chain against the Autel MaxiCharger AC Wallbox Commercial was a success. However, one of the bugs used was previously known. They still earn $22,500 and 4.5 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Alpine Halo9 iLX-F509 working in the time allotted.

FAILURE - Alex Olson was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS - fuzzware.io used a 2-bug chain to exploit the ChargePoint Home Flex. They earn $30,000 and 6 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team used a stack-based buffer overflow to exploit the Autel MaxiCharger AC Wallbox Commercial. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - fuzzware.io used a 2-bug chain to successfully exploit the Alpine Halo9 iLX-F509. However, the exploits used were previously known. They still earn $10,000 and 2 Master of Pwn Points.

SUCCESS - RET2 Systems used a stack-based buffer overflow to exploit the JuiceBox 40 Smart EV Charging Station. They earn $30,000 and 6 Master of Pwn Points.

BUG COLLISION - fuzzware.io used a 2-bug chain to attack the Autel MaxiCharger AC Wallbox Commercial. However, both bugs were previously known. They still earn $15,000 and 3 Master of Pwn Points.


That’s a wrap for Day 2 of Pwn2Own Automotive. We’ve already awarded over $1,000,000 in prizes this week (¥150 million!). Tune back in tomorrow here or across social media for the final day of the contest!

Pwn2Own Automotive 2024 - Day One Results

24 January 2024 at 03:00

Welcome to the first ever Pwn2Own Automotive: live from Tokyo January 24-26, 2024! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Japan Standard Time (GMT +9:00).


SUCCESS - Sina Kheirkhah was able to execute his attack against the ChargePoint Home Flex for $60,000 and 6 Master of Pwn Points.

COLLISION - Rob Blakely from Cromulence successfully executed his attack on Automotive Grade Linux. However, an n-day exploit was used in the attack. He still earns $47,500 and 3.75 Master of Pwn Points.

SUCCESS - The PCAutomotive Team successfully targeted the Alpine Halo9 iLX-F509 with a UAF exploit for $40,000 and 4 Master of Pwn Points.

SUCCESS - Tobias Scharnowski and Felix Buchmann of fuzzware.io executed their attack against the Sony XAV-AX5500 for $40,000 and 4 Master of Pwn Points.

SUCCESS - The Synacktiv Team successfully executed their 3-bug chain against the Tesla Modem. They win $100,000 and 10 Master of Pwn Points.

SUCCESS - Katsuhiko Sato executed his command injection attack against the Alpine Halo9 iLX-F509. As this was a second round win, he wins $20,000 and 4 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Sony XAV-AX5500 working in the time allotted.

SUCCESS - NCC Group EDG executed a 3-bug chain against the Pioneer DMH-WT7600NEX. They earn $40,000 and 4 Master of Pwn Points.

SUCCESS - The Synacktiv Team used a 2-bug chain against the Ubiquiti Connect EV Station. They earn $60,000 and 6 Master of Pwn Points.

SUCCESS - RET2 Systems executed a 2-bug chain against the Phoenix Contact CHARX SEC-3100. They earn $60,000 and 6 Master of Pwn Points.

SUCCESS - The Midnight Blue / PHP Hooligans team executed a stack-based buffer overflow against the Sony XAV-AX5500. They win $20,000 and 4 Master of Pwn Points.

SUCCESS - Vudq16 and Q5CA from u0K++ successfully executed a stack-based buffer overflow against the Alpine Halo9 iLX-F509. They earn $20,000 and 4 Master of Pwn Points.

BUG COLLISION - The Synacktiv Team used a two-bug chain against the ChargePoint Home Flex. However, the exploit they used was previously known. They still earn $16,000 and 3 Master of Pwn Points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.

SUCCESS - Gary Li Wang used a stack-based buffer overflow against the Sony XAV-AX5500. He wins $20,000 and 4 Master of Pwn Points.

SUCCESS - Synacktiv executed a 2-bug chain against the JuiceBox 40 Smart EV Charging Station. They earn $60,000 and 6 Master of Pwn Points.

BUG COLLISION - Connor Ford of Nettitude executed his attack against the ChargePoint Home Flex. However, his 2-bug chain was previously known. He still earns $16,000 and 3 Master of Pwn Points.

BUG COLLISION - Chris Anastasio and Fabius Watson of Team Cluck successfully attacked the ChargePoint Home Flex. However, the bug they used was previously known. They still earn $16,000 and 3 Master of Pwn Points.

SUCCESS - NCC Group EDG used an improper input validation against the Phoenix Contact CHARX SEC-3100. They earn $30,000 and 6 Master of Pwn Points.

SUCCESS - The Synacktiv team used a 2-bug chain to successfully exploit the Autel MaxiCharger AC Wallbox Commercial. In doing so, they earn $60,000 and 6 Master of Pwn points.

FAILURE - Sina Kheirkhah was not able to get his exploit of the JuiceBox 40 Smart EV Charging Station working in the time allotted.

FAILURE - Unfortunately, Sina Kheirkhah was not able to get his exploit of the Pioneer DMH-WT7600NEX working in the time allotted.


That concludes Day 1 of Pwn2Own Automotive 2024. Check back here and across social media tomorrow for our second day of attempts!

Pwn2Own Automotive 2024 - The Full Schedule

23 January 2024 at 09:20

Welcome to our very first Pwn2Own Automotive – coming to you live from Tokyo and the Automotive World conference. The number of entries has surpassed our expectations, so we expect to award more than $1,000,000 USD for the over 45 entries we have across all categories. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Japan Standard Time [GMT + 9:00]).

Note: All times subject to change

Wednesday, January 24 – 1100

Sina Kheirkhah (@SinSinology) targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Rob Blakely from Cromulence (@CromulenceLLC) targeting Automotive Grade Linux in the Operating System category

Wednesday, January 24 – 1130

The PCAutomotive Team (@PC_Automotive) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1200

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1300

The Synacktiv Team (@synacktiv) targeting the Tesla Modem in the Tesla category

Wednesday, January 24 – 1330

Katsuhiko Sato (@goroh_kun) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1400

Sina Kheirkhah (@SinSinology) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1500

The Synacktiv Team (@synacktiv) targeting the Ubiquiti Connect EV Station in the Electric Vehicle Chargers category

RET2 Systems (@ret2systems) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Wednesday, January 24 – 1530

Vudq16 (@vudq16) and Q5CA (@_q5ca) from u0K++ (@u0Kplusplus) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1600

The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Wednesday, January 24 – 1700

The Synacktiv Team (@synacktiv) targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Sina Kheirkhah (@SinSinology) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Wednesday, January 24 – Pwn2Own After Dark

The following attempts will occur after the Automotive World venue has closed. Results will be posted online as they occur.

The Synacktiv Team (@synacktiv) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Gary Li Wang targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Connor Ford (@ByteInsight) of Nettitude targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Sina Kheirkhah (@SinSinology) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

The Synacktiv Team (@synacktiv) targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Sina Kheirkhah (@SinSinology) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1100

Team Tortuga targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Thursday, January 25 – 1200

Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn) from Computest Sector 7 (@sector7_nl) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Sina Kheirkhah (@SinSinology) targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Thursday, January 25 – 1300

The Synacktiv Team (@synacktiv) targeting the Tesla Infotainment system with a Sandbox Escape in the Tesla category

Thursday, January 25 – 1330

NCC Group EDG (@nccgroupinfosec, @_mccaulay, and @alexjplaskett) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1400

The PCAutomotive Team (@PC_Automotive) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Katsuhiko Sato (@goroh_kun) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1500

Sina Kheirkhah (@SinSinology) targeting the EMPORIA EV Charger Level 2 in the Electric Vehicle Chargers category

The Synacktiv Team (@synacktiv) targeting Automotive Grade Linux in the Operating System category

Thursday, January 25 – 1530

Le Tran Hai Tung (@tacbliw) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Thursday, January 25 – 1600

RET2 Systems (@ret2systems) targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn) from Computest Sector 7 (@sector7_nl) targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Thursday, January 25 – 1700

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Alex Olson (Ghada) targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Thursday, January 25 – Pwn2Own After Dark

The following attempts will occur after the Automotive World venue has closed. Results will be posted online as they occur.

Sina Kheirkhah (@SinSinology) targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

The Midnight Blue (@midnightbluelab) / PHP Hooligans team targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting Automotive Grade Linux in the Operating System category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the Autel MaxiCharger AC Wallbox Commercial in the Electric Vehicle Chargers category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category

Friday, January 26 – 1100

Daan Keuper (@daankeuper), Thijs Alkemade (@xnyhps) and Khaled Nassar (@notkmhn) from Computest Sector 7 (@sector7_nl) targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category

Connor Ford (@ByteInsight) of Nettitude targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Friday, January 26 – 1200

Katsuhiko Sato (@goroh_kun) targeting the Pioneer DMH-WT7600NEX in the In-Vehicle Infotainment (IVI) category

The Synacktiv Team (@synacktiv) targeting the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category

Friday, January 26 – 1300

Sina Kheirkhah (@SinSinology) targeting the Ubiquiti Connect EV Station in the Electric Vehicle Chargers category

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Friday, January 26 – 1400

Connor Ford (@ByteInsight) of Nettitude targeting the JuiceBox 40 Smart EV Charging Station in the Electric Vehicle Chargers category

Friday, January 26 – 1500

Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of fuzzware.io targeting the EMPORIA EV Charger Level 2 in the Electric Vehicle Chargers category

Chris Anastasio (@mufinnnnnnn) and Fabius Watson of Team Cluck targeting the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category

Friday, January 26 – 1600

Final ceremony and Awarding the Master of Pwn Trophy

Pwn2Own Vancouver 2024: Bringing Cloud-Native/Container Security to Pwn2Own

16 January 2024 at 14:52

If you just want to read the contest rules, click here. These rules have been updated as of March 1, 2024, to clarify the registration process and to further define the guest operating systems available in the Virtualization category.

Even though we’re a week out from our first ever Pwn2Own Automotive, it’s time to start thinking ahead to the original Pwn2Own event, which takes place at CanSecWest in Vancouver on March 20-22, 2024. We’re always excited to return to Vancouver for the event, but we are cognizant of the evolution of the event as well. The contest began with a single MacBook, but over the years, it grew to include web browsers, enterprise applications, virtualization solutions, and an automotive category. Last year, we awarded over $1,000,000 in cash and prizes – including a Tesla Model 3. This year, we evolved again by simplifying the Automotive category and adding a Cloud-Native/Container category.

We introduced the Virtualization category back in 2016 because we wanted to see what the state-of-the-art in exploits targeting hypervisors looked like. Many cloud services rely on virtualization, and that was the beginning of bringing “The Cloud™” into Pwn2Own. Since that time, the industry has adopted other cloud-native technologies and made containers a central part of enterprise deployments. Of course, that just makes them a great choice to include in Pwn2Own, and we’re excited to see what exploits contestants bring for these targets.

Of course, we’re also thrilled to have Tesla return as a partner for this year’s event. They continue to innovate and increase the security of their vehicles, and I’m sure they will take the learnings from Pwn2Own Automotive forward to the Vancouver event. We simplified the Automotive category by eliminating the multiple tiers. For this event, we’re focused simply on impact and getting code execution in a target component on the vehicle. For some targets, that may mean you need to get code execution in multiple systems on the way. And no, the awards aren’t cumulative. For example, you may need to exploit the infotainment system on the way to the Autopilot, but you’ll only get the award for the Autopilot.

In addition to the new categories, we’ve added Slack as a target within the Enterprise Communications category. This, along with all the other returning categories, means that we’ll again be offering more than $1,000,000 USD in cash and prizes at this year’s event. All-in-all, it should be a wonderful event with some cutting-edge exploitation on display. Here is a full list of the categories for this year’s event:

-- Web Browser Category
-- Cloud-Native/Container Category
-- Virtualization Category
-- Enterprise Applications Category
-- Server Category
-- Local Escalation of Privilege Category
-- Enterprise Communications Category
-- Automotive Category

Of course, no Pwn2Own competition would be complete without us crowning a Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each unique, successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.

Let's look at the details of the rules for this year's event.

Web Browser Category

While browsers are the “traditional” Pwn2Own target, we’re continuously tweaking the targets in this category to ensure they remain relevant. We re-introduced renderer-only exploits a couple of years ago, and their reward remains at $60,000. However, if you have that Windows kernel privilege escalation or sandbox escape, that will earn you up to $100,000 or $150,000 respectively. If your exploit works on both Chrome and Edge, it will qualify for the “Double Tap” add-on of $25,000. The Windows-based targets will be running in a VMware Workstation virtual machine. Consequently, all browsers (except Safari) are eligible for a VMware escape add-on. If a contestant can compromise the browser in such a way that also executes code on the host operating system by escaping the VMware Workstation virtual machine, they will earn themselves an additional $80,000 and 8 more Master of Pwn points. Full exploits are still required for Apple Safari and Mozilla Firefox. Here’s a detailed look at the targets and available payouts:

Cloud-Native/Container Category

We’re excited to have this new category for the contest, and we are hopeful our contestants bring their usual stellar research to the event. Of course, you can’t talk containers without mentioning Docker Desktop, and it’s the first target on the list. However, it isn’t alone. The containerd runtime is an industry standard and always popular. Firecracker is our third target, as it is a common choice for creating and managing secure, multi-tenant container and function-based services.

For an attempt to be ruled a success against these three, the exploit must be launched from within the guest container/microVM and execute arbitrary code on the host operating system. The final target in this category is gRPC – a modern open-source high-performance Remote Procedure Call (RPC) framework that can run in any environment. A success here must leverage a vulnerability in the gRPC code base to obtain arbitrary code execution. Here are the payouts for this category:

Virtualization Category

Some of the highlights for each contest can be found in the Virtualization Category, and we’re thrilled to see what this year’s event could bring with it. As usual, VMware is the main highlight of this category as we’ll have VMware ESXi alongside VMware Workstation as a target with awards of $150,000 and $80,000 respectively. Microsoft also returns as a target and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Oracle VirtualBox rounds out this category with a prize of $40,000.

There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability (excluding VMware ESXi), they can earn an additional $50,000 and 5 more Master of Pwn points. That could push the payout on a Hyper-V bug to $300,000. Here’s a detailed look at the targets and available payouts in the Virtualization category:

Enterprise Applications Category

Enterprise applications also return as targets with Adobe Reader and various Office components on the target list once again. This year, we’re also allowing these applications to be run on an M-series MacBook. Prizes in this category run from $50,000 for a Reader exploit with a sandbox escape or a Reader exploit with a kernel privilege escalation to $100,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. Microsoft Office-based targets will have Protected View enabled where applicable. Adobe Reader will have Protected Mode enabled where applicable. Here’s a detailed view of the targets and payouts in the Enterprise Application category:
Server Category

The Server Category for 2024 is trimmed down a bit to focus on the server components we’re most interested in. These servers are often targeted by everyone from ransomware crews to nation-state actors, so we know there are exploits out there for them. The only question is whether we’ll see any of the competitors bring one of those exploits to Pwn2Own. SharePoint was recently exploited in the wild, and part of that exploit chain was demonstrated at last year’s event. Microsoft Exchange has been a popular target for some time, and it returns as a target this year as well with a payout of $200,000. This category is rounded out by Microsoft Windows RDP/RDS, which also has a payout of $200,000. Here’s a detailed look at the targets and payouts in the Server category:
Local Escalation of Privilege Category

This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. A successful entry in this category must leverage a kernel vulnerability to escalate privileges. Ubuntu Desktop, Apple macOS, and Microsoft Windows 11 are the OSes available as targets in this category.
Enterprise Communications Category

We introduced this category in 2021 to reflect the importance of these tools in our modern, remote workforce, and we were thrilled to see both targets compromised during the contest. This year, we’re expanding the category to include the ever-popular Slack productivity platform with a $25,000 payout. A successful attempt in this category must compromise the target application by communicating with the contestant. Some example communication requests could be audio calls, video conferences, or messages. Both Zoom and Microsoft Teams have a $60,000 award available, so we’re hoping to see more great research in this category.

Automotive Category

Since adding the Automotive Category in 2019, we’ve seen some amazing and creative research displayed – so much so that we expanded to holding a Pwn2Own Automotive event. Still, Vancouver is where this category began, and we’re happy to have Tesla return as a target. As previously mentioned, we’ve streamlined the rules for this category this year, but that doesn’t mean it’s any easier to win. We’ll have both the Tesla Model 3 (Ryzen-based) and Tesla Model S (Ryzen-based) as targets, and we’ll also have the equivalent bench-top unit ready should it be needed. Last year, we conducted all tests on the bench-top unit as attempting the exploits on the actual vehicle could prove hazardous to bystanders and other vehicles in the area. Here are this year’s awards for the Automotive Category:
Conclusion

The complete rules for Pwn2Own 2024 are found here. They were updated as of March 1, 2024. As always, we encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have specific configuration or rule-related questions, email us. Questions asked over X (nee Twitter) or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. Registration for onsite participation closes at 5 p.m. Pacific Time on March 14, 2024. If you plan on participating remotely, the registration deadline is 5 p.m. Pacific Time on March 12, 2024.

Be sure to stay tuned to this blog and follow us on Twitter, Mastodon, LinkedIn, or Instagram for the latest information and updates about the contest. We look forward to seeing everyone wherever they may be, and we hope someone has a new car to drive home from this year’s Pwn2Own competition.

With special thanks to our Pwn2Own 2024 Partner Tesla

©2024 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.

The January 2024 Security Update Review

9 January 2024 at 18:32

Welcome to the first patch Tuesday of 2024. As expected, Microsoft and Adobe have released their latest security patches. Take a break from your other activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Adobe Patches for January 2024

For January, Adobe released a single patch addressing six CVEs in Substance 3D Stager. All six bugs are rated Important with the most severe allowing arbitrary code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for January 2024

This month, Microsoft released 49 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and Visual Studio; SQL Server; Windows Hyper-V; and Internet Explorer. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 53.

Of the new patches released today, two are rated Critical and 47 are rated Important in severity. Coincidentally, this release addresses the same number of CVEs as both the January 2019 and January 2020 releases.

None of the CVEs released today are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a security feature bypass in Kerberos:

-       CVE-2024-20674 – Windows Kerberos Security Feature Bypass Vulnerability
This is the highest-rated CVSS for this month and one of the two Critical-rated patches. The bug would allow an unauthenticated attacker to perform a machine-in-the-middle (MitM) attack that spoofs a Kerberos server. An affected client would receive what it believes to be authentic messages from the Kerberos authentication server. While this would certainly take some setting up, Microsoft does give the bug its highest exploitability index rating (1), which means they expect to see public exploit code within 30 days. Make sure to test and deploy this update quickly.

-       CVE-2024-20700 – Windows Hyper-V Remote Code Execution Vulnerability
This is the other Critical-rated patch for January, although “remote” in this case actually means network adjacent. Microsoft doesn’t provide much of a description beyond that, so it’s not clear how the code execution would occur. However, they do note that neither authentication nor user interaction is required, which makes this vulnerability quite juicy to exploit writers. Although winning a race condition is required for successful exploitation, we’ve seen plenty of Pwn2Own winners use race conditions in their exploits.

-       CVE-2024-0056 – Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
Besides being a mouthful of a title, this SFB bug could allow an MITM attacker to decrypt, read, or modify TLS traffic between an affected client and server. If you happen to be using these data providers, you’ll also need to take additional steps to be fully protected. The bulletin lists the additional NuGet packages you’ll need to load to completely resolve this vulnerability. Microsoft links to an article that claims to provide further information on the steps admins need to take to be protected, but as of now, that link leads nowhere. I’ll update the blog once they update the link to something relevant. Note: Microsoft has updated the link to point to the article here.

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability | Critical | 9 | No | No | SFB |
| CVE-2024-0057 | .NET and Visual Studio Framework Security Feature Bypass Vulnerability | Important | 8.4 | No | No | SFB |
| CVE-2024-20672 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21312 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21319 | Microsoft Identity Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
| CVE-2024-20676 | Azure Storage Mover Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2024-20666 | BitLocker Security Feature Bypass Vulnerability | Important | 6.6 | No | No | SFB |
| CVE-2024-21305 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2024-20652 | Internet Explorer Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2024-20687 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-21306 | Microsoft Bluetooth Driver Spoofing Vulnerability | Important | 5.7 | No | No | Spoofing |
| CVE-2024-20653 | Microsoft Common Log File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20692 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2024-20661 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2024-20660 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-20664 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-21314 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2024-20654 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2024-20677 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-20655 | Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2024-20658 | Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-0056 † | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability | Important | 8.7 | No | No | SFB |
| CVE-2022-35737 * | MITRE: CVE-2022-35737 SQLite allows an array-bounds overflow | Important | 7.5 | No | No | RCE |
| CVE-2024-21307 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2024-20656 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20683 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20686 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20694 | Windows CoreMessaging Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-21311 | Windows Cryptographic Services Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2024-20682 | Windows Cryptographic Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-20657 | Windows Group Policy Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2024-20699 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21309 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-20696 | Windows Libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2024-20697 | Windows Libarchive Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
| CVE-2024-20680 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important | 6.5 | No | No | Info |
| CVE-2024-20663 | Windows Message Queuing Client (MSMQC) Information Disclosure | Important | 6.5 | No | No | Info |
| CVE-2024-20690 | Windows Nearby Sharing Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2024-20662 | Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability | Important | 4.9 | No | No | Info |
| CVE-2024-21316 | Windows Server Key Distribution Service Security Feature Bypass | Important | 6.1 | No | No | SFB |
| CVE-2024-20681 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2024-21313 | Windows TCP/IP Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2024-20691 | Windows Themes Information Disclosure Vulnerability | Important | 4.7 | No | No | Info |
| CVE-2024-21325 | Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-21320 | Windows Themes Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2024-0222 * | Chromium: CVE-2024-0222 Use after free in ANGLE | High | N/A | No | No | RCE |
| CVE-2024-0223 * | Chromium: CVE-2024-0223 Heap buffer overflow in ANGLE | High | N/A | No | No | RCE |
| CVE-2024-0224 * | Chromium: CVE-2024-0224 Use after free in WebAudio | High | N/A | No | No | RCE |
| CVE-2024-0225 * | Chromium: CVE-2024-0225 Use after free in WebGPU | High | N/A | No | No | RCE |

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.

Moving on to the other code execution bugs, most are of the “open and own” variety, where an attacker must convince a user to open a malicious file or browse to a specially crafted site to get arbitrary code execution. However, there are a couple of fixes that stand out. The first is an RCE in Office through FBX files. Microsoft is taking the unusual step of disabling that file type from being embedded within Office documents. However, they note “3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time.” Here are some additional details about this change. According to Microsoft, you may not need the fix for the Printer Metadata Troubleshooter if you’ve already installed the tool listed in KB5034510. I would still apply the update to ensure the problem is fully addressed.

There’s a fix for an RCE in RDP, but it’s in the client, not the server, so that greatly reduces the threat of exploitation. The one Azure-related code execution bug requires specific privileges to be exploited. The SharePoint bug requires authentication, but anyone on the SharePoint site has the privileges needed to exploit this bug and take over the system. The bug in ODBC requires connecting to a malicious database. The bugs in Libarchive require the attacker to be authenticated as a guest user on the target system. The final RCE fix is found in OCSP. This bug requires an authenticated user to be assigned the “manage online responder” permission, which is typically reserved for privileged users. Still, now may be a good time to audit your domain to confirm which users have this permission.

There are only ten elevation of privilege (EoP) patches in this month’s release, and all but one of them require an attacker to run a specially crafted program on an affected system and lead to executing code at SYSTEM level. These types of bugs are usually paired with a code execution bug in the wild to take over a system. The lone exception to this is the bug in the Virtual Hard Disk, which could allow an attacker to escalate privileges when processing “.vhdx” files in the kernel.

Looking at the 11 different information disclosure bugs in this release, the majority of these merely result in info leaks consisting of unspecified memory contents. There are only two notable exceptions. The first is in Local Security Authority Subsystem Service (LSASS) and could allow an attacker to gain network secrets when an affected client connects to an AD Domain Controller. Microsoft notes this could be done by either sniffing traffic on a network or by running a malicious script. I don’t expect to see a lot of exploitation of this vulnerability, but it would be an interesting method of lateral movement after an initial compromise. The bug in TCP/IP requires an MITM attacker, but successful exploitation could lead to revealing unencrypted contents of IPsec packets from other sessions on a server.

In addition to the two I’ve already mentioned, there are five additional SFB patches released this month. The patch for .NET Framework and Visual Studio fixes a bug that could allow attackers to improperly validate X.509 certificates. That’s similar to the bug in the Windows Server Key Distribution Service. The bug in Hypervisor-Protected Code Integrity (HVCI) is specific to certain Microsoft Surface devices. The vulnerability incorrectly allows certain kernel-mode pages to be marked as Read, Write, Execute (RWX) even with HVCI enabled. As expected, the bypass for BitLocker allows an attacker to bypass BitLocker protections. And you may have thought it was completely gone, but there’s a patch for Internet Explorer that addresses a bug that could allow bypassing zone restrictions.

The January release includes six fixes for denial-of-service (DoS) bugs, but Microsoft does not provide any real information for most of them. The bug in Hyper-V could allow a guest OS to somehow impact other guest OSes on the same hypervisor.

Lastly, there are four spoofing bugs receiving fixes this month. The bug in the Nearby Sharing feature could be triggered by an attacker with a similarly-named machine. I would love to see additional details on this one and find out how close the machine names need to be. The bug in the Azure Stack requires clicking a specially crafted URL. User interaction is also required for the Themes bug, but Microsoft notes you can disable NTLM as a mitigation. You’re not actually using NTLM, are you? You can also add a group policy to restrict outgoing NTLM traffic to remote servers. The bug in Bluetooth requires the attacker to both be in close proximity to a target and have a paired Bluetooth device.
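As a defender's check for the NTLM mitigation mentioned above, here is an added PowerShell snippet (my own, not from the post or from Microsoft) that reads the registry values behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" group policies and flags a host that still allows outgoing NTLM. The registry paths and value meanings are taken from Microsoft's security policy settings documentation; the warning thresholds are my own choices.

```powershell
# Added example, not from the ZDI post: report the local NTLM restriction policy state.
# Run in an elevated PowerShell session on the host being checked (Windows 10/11 or Server).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10Key = Join-Path $lsaKey 'MSV1_0'

function Get-LsaValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent, i.e. the policy is "Not Defined".
    $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
$outgoing = Get-LsaValue -Path $msv10Key -Name 'RestrictSendingNTLMTraffic'
# "Network security: Restrict NTLM: Incoming NTLM traffic"
$incoming = Get-LsaValue -Path $msv10Key -Name 'RestrictReceivingNTLMTraffic'
# "Network security: LAN Manager authentication level"
$lmLevel  = Get-LsaValue -Path $lsaKey -Name 'LmCompatibilityLevel'
# "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication"
$allowed  = Get-LsaValue -Path $msv10Key -Name 'ClientAllowedNTLMServers'

$outgoingText = switch ($outgoing) {
    2       { 'Deny all' }
    1       { 'Audit all' }
    0       { 'Allow all' }
    default { 'Not defined (allow all)' }
}
$incomingText = switch ($incoming) {
    2       { 'Deny all accounts' }
    1       { 'Deny all domain accounts' }
    0       { 'Allow all' }
    default { 'Not defined (allow all)' }
}
$lmText = switch ($lmLevel) {
    5       { 'Send NTLMv2 only; refuse LM and NTLM' }
    4       { 'Send NTLMv2 only; refuse LM' }
    3       { 'Send NTLMv2 only' }
    default {
        if ($null -eq $lmLevel) { 'Not defined (OS default)' }
        else { "Level $lmLevel (LM/NTLMv1 responses may still be accepted)" }
    }
}

[pscustomobject]@{
    'Outgoing NTLM to remote servers' = $outgoingText
    'Incoming NTLM traffic'           = $incomingText
    'LAN Manager authentication'      = $lmText
    'Remote server exceptions'        = if ($allowed) { $allowed -join ', ' } else { '(none)' }
} | Format-List

# Anything short of "Deny all" for outgoing traffic leaves NTLM coercion paths open.
# "Audit all" is a safe first step: blocked-candidate events are written to the
# Microsoft-Windows-NTLM/Operational log (Event IDs 8001-8004) without breaking clients,
# so the exceptions list can be built from real traffic before switching to "Deny all".
if ($outgoing -ne 2) {
    Write-Warning 'Outgoing NTLM to remote servers is not blocked; consider "Audit all", then "Deny all".'
}
if ($null -eq $lmLevel -or $lmLevel -lt 5) {
    Write-Warning 'LmCompatibilityLevel is not 5; LM/NTLMv1 responses may still be sent or accepted.'
}
```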

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2024 will be on February 13, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Looking Back at the ZDI Activities from 2023

4 January 2024 at 17:14

We’ve successfully orbited our star once more and are full throttle into the new year. Before we roll too fast into 2024, let’s pause for a moment and look back at some of the highlights of the past year.

A Year of Pwn2Own Competitions

Back in January, we announced our first-ever Pwn2Own Automotive competition in Tokyo, and now we’re just a couple of weeks from that event. We already have several registrations, so I can’t wait to see what exploits researchers put on display.

In February, we held Pwn2Own Miami, which focuses on industrial control systems (ICS) and SCADA targets. During that event, we saw the debut of ChatGPT in the competition. We also awarded over $150,000 for 27 unique 0-day vulnerabilities.

In March, we returned to Vancouver for the original edition of Pwn2Own. The highlight of the event saw the team from Synacktiv exploit the Tesla Model 3 head unit on their way to winning $350,000 (and the Tesla Model 3 itself). We used the head unit instead of the car itself because we were concerned the exploits may cause the vehicle to move uncontrollably. Safety first.  In total, we awarded $1,035,000 during the three-day contest.

In October, Pwn2Own Toronto turned its attention to devices commonly found in homes and small offices. We added wired and Wi-Fi cameras to the event this year to see what security problems they may have, and our contestants did not disappoint our curiosity. One team hacked a camera by showing it a QR code. Another was able to exploit any camera provided he knew the MAC address. Probably most impressively, the Synacktiv team returned to target the cameras with a remote attack over Wi-Fi that exploited a kernel buffer overflow. They just needed to be within range of a vulnerable camera to completely control it. We awarded $938,250 in total during the event.

Combine those events, and you’ll find we paid out $2,126,750 for Pwn2Own competitions during 2023. With the Automotive event looking like it will be an exciting show, we’ll likely pay out even more in 2024.

A Few Bugs of Renown

There were so many good bugs in 2023 that it’s hard to narrow it down to just a few. I would be remiss if I didn’t mention the Activation Context Cache Poisoning privilege escalation discovered by ZDI researcher Simon Zuckerbraun. It won a Pwnie Award for Most Under-Hyped Research. There was also ZDI-23-233/CVE-2023-27350. That PaperCut exploit showed why patch management is so important as it caused quite a bit of damage – after the patch was available. But perhaps my favorite bug of the year was found in the Schneider Electric APC Easy UPS Online. ZDI-23-444/CVE-2023-29411 is an authentication bypass. The “system” RMI interface exposes the method `updateManagerPassword(String managerPassword)` which allows an unauthenticated user to update the administrative password without requiring a password. Neat!

By the Numbers

In 2023, the ZDI published 1,913 advisories – the most ever in the history of the program. This is the fourth year in a row that eclipsed our previous record. While it’s unlikely we’ll keep up a record-breaking pace for a fifth year in a row, it does speak to the overall health of the program. Of course, I said that last year as well. While we do work with people from around the world, our own researchers had their busiest year ever, too. Just over 49.4% of all published advisories were reported by ZDI vulnerability analysts. Here’s how those numbers of advisories stack up year-over-year. 

Coordinated disclosure of vulnerabilities continues to be a priority for our program, and it continues to be a success as well. While 2020 saw our largest percentage of 0-day disclosures, the number declined over the next two years. However, this year saw an increase to 198 cases – just over 10% of the total disclosures.

Here’s a breakdown of advisories by vendor. The top vendors should not surprise many, but it is interesting to see Adobe that far ahead of everyone else. If you exclude the XSS bugs patched in December, our program is responsible for over 78% of Adobe bugs fixed last year. Not too shabby. Of course, Microsoft remains a popular target for our researchers as well. Just over 20% of the bugs patched by the Redmond giant came through the ZDI. D-Link stormed up the charts in 2023 with 176 advisories. And PDF parsing remains a security challenge for vendors beyond just Adobe. Foxit, Kofax, and PDF-XChange all had a significant number of file parsing bugs reported by ZDI.

We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2023, we did just that. A total of 73% of these vulnerabilities were rated Critical or High severity.

When it comes to the types of bugs we’re buying, here’s a look at the top 10 Common Weakness Enumerations (CWEs) from 2023:

It’s interesting to see deserialization bugs crack the top 10. It’s also interesting to see stack-based buffer overflows rank above OOB Write bugs.

Looking Ahead

Moving into the new year, we anticipate staying just as busy – especially in the first quarter. We currently have more than 500 bugs reported to vendors awaiting disclosure. We have Pwn2Own Automotive and Pwn2Own Vancouver just on the horizon. Don’t worry if you can’t attend in person. We’ll be streaming and posting videos of the event to just about every brand of social media available.

We’re also looking to update our website and blog at some point this year. I know – I said that last year as well. When that occurs, I promise you’ll be able to choose between a light and dark theme. We’re aware our website doesn’t look the best on certain platforms. We’ll also be expanding our video offerings, too. I’ll continue offering the Patch Report on Patch Tuesdays and hope to tweak the format a bit in the coming year.

As always, we look forward to refining our outreach and acquisition efforts by further aligning with the risks our customers are facing to ensure the bugs we squash have the biggest impact on our customers and the broader ecosystem. In other words, 2024 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter, Mastodon, LinkedIn, or Instagram for the latest updates from the ZDI.

The December 2023 Security Update Review

12 December 2023 at 18:27

It’s the final patch Tuesday of 2023, and Apple, Adobe, and Microsoft have released their latest security offerings. Take a break from your holiday hustle and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Apple Patches for December 2023

Apple kicked off the December release cycle with patches for iOS and iPadOS with eight CVEs. Two of these CVEs in Webkit are reported as being under active attack on iOS versions 16.7.1 and older. If you’re using an older iPhone or iPad, you should definitely update your device immediately. If you’re using a device running iOS 17 and later, you should still update when possible.

Adobe Patches for December 2023

For December, Adobe released nine patches covering a whopping 212 CVEs in Adobe Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects, and Substance3D Designer. Ten of these bugs came through the ZDI program. A total of 186 of these CVEs are in Experience Manager and are all Important-rated cross-site scripting (XSS) bugs. That definitely skews the numbers a bit for this month. Looking beyond that, the patch for After Effects stands out as it is Critical rated and could allow arbitrary code execution. The patches for Illustrator and Substance 3D Sampler are also rated Critical and could result in arbitrary code execution.

The remaining patches are rated Important or Moderate. The fix for InDesign addressed a denial of service and a memory leak. The Dimension update corrects four memory leaks, all reported by ZDI’s Mat Powell. The patch for Substance 3D Stager fixes two different out-of-bounds (OOB) Read bugs. The Substance 3D Designer update addresses a single Critical-rated OOB Write and three OOB Read bugs. The final Adobe patch for December is a fix for Prelude that corrects a single memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for December 2023

This month, Microsoft released a scant 33 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure, Microsoft Edge (Chromium-based); Windows Defender; Windows DNS and DHCP server; and Microsoft Dynamics. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 42.

Of the new patches released today, four are rated Critical and 29 are rated Important in severity. The December release is typically small, and this month is no exception. In fact, this is the lightest release since December 2017. Still, with over 900 CVEs addressed this year, 2023 has been one of the busiest years for Microsoft patches.

None of the CVEs released today are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with an impactful bug in the MSHTML engine:

- CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability
This patch corrects a bug that could allow a remote, unauthenticated attacker to execute arbitrary code on affected systems just by sending a specially crafted e-mail to the target. This usually means the Preview Pane is an attack vector, but that’s not the case here. Instead, the code execution occurs when Outlook retrieves and processes the mail, which occurs BEFORE the Preview Pane. No doubt ransomware gangs will attempt to create a reliable exploit for this vulnerability. They may run into some problems as exploitation does require memory-shaping techniques.

- CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability
This is the highest-rated CVSS this month at 9.6 and acts more like a code execution bug than a spoofing bug. The vulnerability exists on the web server. However, if an affected system follows a specially crafted link, a malicious script will execute on the client’s browser. Microsoft also notified affected users of this bug via the Microsoft 365 Admin Center. If you’re running the Admin Center, be sure to read the bulletin for full details.

- CVE-2023-35636 – Microsoft Outlook Information Disclosure Vulnerability
This Outlook bug does not have a Preview Pane attack vector. However, if exploited, the vulnerability allows the disclosure of NTLM hashes. These hashes could be used to spoof other users and gain further access within an enterprise. Earlier this year, Microsoft called a similar bug Elevation of Privilege (EoP) rather than Info Disclosure. Regardless of how you categorize it, threat actors find these types of bugs enticing and use them frequently.

Here’s the full list of CVEs released by Microsoft for December 2023:

CVE | Title | Severity | CVSS | Public | Exploited | Type
CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2023-36019 † | Microsoft Power Platform Connector Spoofing Vulnerability | Critical | 9.6 | No | No | Spoofing
CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | Important | 2.5 | No | No | Info
CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | Important | 5.3 | No | No | Info
CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | Important | 5.3 | No | No | Spoofing
CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE
CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-35622 | Windows DNS Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | Important | 7.8 | No | No | EoP
CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP
CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP
CVE-2023-20588 * | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | Important | N/A | Yes | No | Info
CVE-2023-6508 * | Chromium: CVE-2023-6508 Use after free in Media Stream | High | N/A | No | No | RCE
CVE-2023-6509 * | Chromium: CVE-2023-6509 Use after free in Side Panel Search | High | N/A | No | No | RCE
CVE-2023-6510 * | Chromium: CVE-2023-6510 Use after free in Media Capture | Medium | N/A | No | No | RCE
CVE-2023-6511 * | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | Low | N/A | No | No | SFB
CVE-2023-6512 * | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | Low | N/A | No | No | SFB
CVE-2023-35618 * | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Moderate | 9.6 | No | No | EoP
CVE-2023-36880 * | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low | 6.5 | No | No | Info
CVE-2023-38174 * | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low | 4.3 | No | No | Info

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.


There are only two other Critical-rated bugs to discuss, and both deal with the Internet Connection Sharing (ICS) service. This isn’t enabled by default and is rarely used, but if you are using it, code execution could occur when a network-adjacent attacker sends a specially crafted packet to an affected server.

Moving on to the other code execution bugs, two require connecting to a malicious SQL server to gain code execution. Two of the other RCE bugs are much more interesting. The bug in the USBHUB requires physical access, even though Microsoft lists this as a Remote Code Execution bug. It reads like plugging in a specially crafted USB driver could result in code execution. The vulnerability in the Bluetooth driver requires the attacker to be in close physical proximity but only requires the attacker to send and receive radio transmissions to exploit.

There are 10 EoP patches in this month’s release, and all but two of them require an attacker to run a specially crafted program on an affected system and lead to executing code at SYSTEM level. The bug in the Telephony server is only slightly different as it results in code execution at “NT AUTHORITY\Network Service” level. The vulnerability in the Azure Connected Machine Agent requires several preconditions – mainly a non-admin local user with the privileges to create symlinks. An attacker who exploits this bug could add symlinks and cause arbitrary file deletions as SYSTEM.

Looking at the information disclosure bugs in this release, the majority of these merely result in info leaks consisting of unspecified memory contents. The bug in the Azure Machine Learning Compute Instance is an exception as it discloses Azure Machine Learning (ML) training data associated with user accounts. The final information disclosure bug resides in Word and could allow an attacker to read data from the file system.

This month also brings three fixes for Spoofing bugs. The fix for Outlook for Mac addresses a bug that could allow a user to mistakenly trust a signed e-mail message as if it came from a legitimate user. The vulnerability in Windows DPAPI requires a machine-in-the-middle (MitM), between a domain controller and the target, but Microsoft doesn’t detail what sort of spoofing an attacker could do if they are in the correct position to intercept the transmission. Microsoft also provides no details about the spoofing vulnerability in the Windows DNS server, but considering the importance of DNS, I certainly wouldn’t ignore this fix.

There are only five DoS bugs in the release, and Microsoft provides no additional details about four of them. The DoS vulnerability in the Windows kernel will crash the OS if an authenticated user opens a specially crafted file or browses to that file on a network share while on an affected system.

Finally, the December release is rounded out by a single cross-site scripting (XSS) bug in Dynamics 365.

No new advisories were released this month.

Looking Ahead

The first Patch Tuesday of 2024 will be on January 9, and I’ll return with details and patch analysis then. Until then, merry christmahanakwanzika, stay safe, happy patching, and may all your reboots be smooth and clean!

Attack Surface of the Ubiquiti Connect EV Station

5 December 2023 at 17:58

Previously, we looked at the attack surface of the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another EV Charger. The Ubiquiti Connect EV Station is a weatherproof Level 2 electric vehicle charging station designed for organizations. We cover the most obvious areas a threat actor would explore when attempting to compromise the device.


The Ubiquiti Connect EV Station is a Level 2 charging station for electric vehicles. The EV Station is meant to be managed by a Ubiquiti management platform running the UniFi OS Console, such as the Ubiquiti Dream Machine or Cloud Gateway. Users can also use the iOS or Android UniFi Connect mobile apps to configure the EV Station.

Attack Surface Summary

The Ubiquiti EV Station is an Android device. In this respect, it is unique amongst the electric vehicle chargers included as target devices in Pwn2Own Automotive 2024.

Trend Micro researchers observed the UART port of the device during power-up. The Ubiquiti EV Station employs a Qualcomm APQ8053 SoC as the primary CPU. The Android operating system boots and emits boot messages on the UART serial port located inside the device housing. The following areas are confirmed and represent a potential attack surface on the device:

· Android OS
· USB
    · Android USB debugging might be possible
· Ubiquiti Connect mobile applications
· Network attack surface
    · Wi-Fi, including Wi-Fi driver
    · Ethernet / Local IP networking
        · Realtek
    · Multicast IP networking
        · UDP port 10001
· Bluetooth Low Energy (BLE) 4.2
· Near Field Communication (NFC)

Ubiquiti EV Station Documentation

Documentation for the Ubiquiti EV Station provides only high-level information about the installation and operation of the device. Additional documentation can be found at:

· Ubiquiti EV Station product page
· Ubiquiti EV Station technical specifications
· Ubiquiti EV Station installation guide
· UniFi Connect iOS application
· UniFi Connect Android application

Ubiquiti EV Station Hardware Analysis

Ubiquiti provides high-level technical specifications for the EV Station on their website. Trend Micro researchers have performed an analysis of the discrete hardware devices found in the EV Station. The following list summarizes the components Trend Micro researchers have identified as notable components and/or potential attack surface in the Ubiquiti EV Station.

· Qualcomm APQ8053 SoC
· Nuvoton M482LGCAE (ARM)
· Samsung KMQX60013A-B419 DRAM / NAND
· Realtek RTL8153-BI Ethernet controller
· Qualcomm WCN3680B (Wi-Fi)
· NXP PN71501 (NFC)
· TI USB 4 Port Hub - TUSB2046BI
· Qualcomm PMI8952 (PMIC)
· Qualcomm PM8953 (PMIC)
· UART DEBUG port
· USB C port

Figure 1 below is an overview of the main CPU board of the Ubiquiti EV Station. The board has several collections of highly integrated components, each one isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.

In the center of the board sits the Qualcomm APQ8053 and Samsung KMQX60013A-B419 combination DRAM and NAND controller. These represent the primary application processor for the device, along with the RAM and flash storage for the device. They are marked U5 on the PCB silkscreen.

Three connectors reside just beneath this section of the PCB. A connector marked JDB2 and UART DEBUG emits boot messages from the Ubiquiti EV Station upon startup. In the center is a USB-C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.

In the top center of the following image is an unpopulated component marked U20. It is possible this is an unpopulated footprint for a cellular communication module.

Figure 1 - Overview image of the main PCB of the Ubiquiti EV Station

The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquiti EV Station:

Figure 2 - Detail image of the EV Station Qualcomm APQ8053 SoC, Samsung KMQX60013A-B419 DRAM / NAND and UART Debug Port

In the following image, the PCB shows a stencil marked ‘J23.’ Trend Micro researchers endeavored to discover where this header is connected. They surmised that the vias in J23 might be connected to a debug interface on the board. Upon further inspection, they determined the vias on J23 are connected to the unpopulated device marked U20.

Figure 3 - Detail image of the EV Station Realtek RTL8153-BI Ethernet controller

Network Analysis

The device can connect to local networks over both Wi-Fi and Ethernet. Trend Micro researchers connected the EV Station to a test Ethernet network to investigate the network attack surface prior to associating the EV Station to a Ubiquiti UniFi Console.

In an unconfigured state, the EV Station does not listen on any TCP ports. The EV Station sends out regular probes looking for HTTP proxies on TCP port 8080.

Additionally, the Ubiquiti EV Station attempts to join an IGMP group using IP address 233.89.188.1. The EV Station sends packets to this address on UDP port 10001. The EV Station communicates on this port using the protocol that has been called the ‘UBNT Discovery Protocol.’ This protocol identifies the device model, firmware, and other information.

The following hex data shows an Ethernet frame, IP packet, and UDP datagram that encapsulate the UBNT discovery packet. The UBNT discovery data begins at offset 0x2A.
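To make the encapsulation concrete, here is an added example (not code from the post or from Ubiquiti) that constructs a frame matching what the post describes, a UDP datagram to multicast group 233.89.188.1 on port 10001, and then recognises such frames in raw capture data, confirming that the discovery payload starts at offset 0x2A (14 bytes of Ethernet, 20 of IPv4 and 8 of UDP). The payload layout it parses (a version byte, a command byte, a 16-bit big-endian body length and then records of 1-byte type, 16-bit length and value) and the record type codes are assumptions taken from public write-ups of the UBNT discovery protocol, not something the post documents; the sample MAC, source address and field values are constructed. Run over every frame in a capture, this kind of filter is a cheap way to inventory Ubiquiti devices announcing themselves on a network segment.

```python
"""Recognise UBNT discovery datagrams in raw Ethernet frames and pull out
the device fields they carry.

Added example, not code from the ZDI post or from Ubiquiti. The frame is
constructed here to match what the post describes: an Ethernet/IPv4/UDP
datagram to multicast group 233.89.188.1, UDP port 10001, with the
discovery payload beginning at offset 0x2A (14 + 20 + 8 bytes of headers).
The payload layout assumed below (version byte, command byte, 16-bit
big-endian body length, then records of 1-byte type / 16-bit length / value)
and the record type codes come from public write-ups of the protocol, not
from the post; verify them against a real capture before relying on them.
"""
import socket
import struct

UBNT_MCAST_IP = "233.89.188.1"
UBNT_PORT = 10001
ETH_HDR_LEN = 14
UDP_HDR_LEN = 8
IPPROTO_UDP = 17

# Assumed record type codes (illustrative; not documented in the post).
TLV_NAMES = {0x01: "hwaddr", 0x03: "firmware", 0x0B: "hostname", 0x0C: "platform"}


def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over a (padded) IPv4 header, as in RFC 791."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mcast_mac(group_ip: str) -> bytes:
    """IPv4 multicast MAC: 01:00:5e followed by the low 23 bits of the group."""
    g = socket.inet_aton(group_ip)
    return b"\x01\x00\x5e" + bytes([g[1] & 0x7F]) + g[2:]


def build_frame(src_mac: bytes, src_ip: str, records) -> bytes:
    """Construct an Ethernet/IPv4/UDP frame carrying a discovery payload."""
    body = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in records)
    payload = struct.pack("!BBH", 1, 0, len(body)) + body   # version=1, cmd=0
    udp = struct.pack("!HHHH", UBNT_PORT, UBNT_PORT,
                      UDP_HDR_LEN + len(payload), 0) + payload  # UDP checksum 0 = none
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip),
                     socket.inet_aton(UBNT_MCAST_IP))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return mcast_mac(UBNT_MCAST_IP) + src_mac + b"\x08\x00" + ip + udp


def parse_discovery_frame(frame: bytes):
    """Return (payload_offset, fields) for a UBNT discovery frame, else None.

    Filters on IPv4, UDP, the 233.89.188.1 group and port 10001 so that it
    can be run over every frame in a capture to inventory Ubiquiti devices.
    """
    if len(frame) < ETH_HDR_LEN + 20 + UDP_HDR_LEN or frame[12:14] != b"\x08\x00":
        return None
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != IPPROTO_UDP:
        return None
    if socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]) != UBNT_MCAST_IP:
        return None
    udp_off = ip_off + ihl
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dport != UBNT_PORT:
        return None
    payload_off = udp_off + UDP_HDR_LEN
    payload = frame[payload_off:udp_off + ulen]
    if len(payload) < 4 or payload[0] != 1:
        return None
    _ver, _cmd, body_len = struct.unpack("!BBH", payload[:4])
    end = min(4 + body_len, len(payload))
    fields, pos = {}, 4
    while pos + 3 <= end:
        t, length = struct.unpack("!BH", payload[pos:pos + 3])
        value = payload[pos + 3:pos + 3 + length]
        if len(value) < length:        # truncated record: stop, never over-read
            break
        name = TLV_NAMES.get(t, "type_0x%02x" % t)
        fields[name] = value.hex(":") if t == 0x01 else value.decode("utf-8", "replace")
        pos += 3 + length
    return payload_off, fields


# Constructed sample frame (locally administered MAC, RFC 1918 source address).
SAMPLE_FRAME = build_frame(
    b"\x02\x00\x00\x00\x00\x01", "192.168.1.50",
    [(0x01, b"\x02\x00\x00\x00\x00\x01"), (0x03, b"v1.0.0"),
     (0x0B, b"ev-station"), (0x0C, b"EXAMPLE-MODEL")])

if __name__ == "__main__":
    off, info = parse_discovery_frame(SAMPLE_FRAME)
    print("discovery payload at offset 0x%02X: %s" % (off, info))
```

The parser deliberately stops at the first record whose declared length runs past the end of the datagram rather than reading whatever follows; that is the failure mode to watch for in any home-grown dissector of a length-prefixed format.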

Bluetooth LE Analysis

In the unconfigured state, the Ubiquiti EV Station Bluetooth LE interface acts as a BLE peripheral device. Using a BLE scanning tool, the Trend Micro researchers observed the following Bluetooth LE endpoints on the EV Station.

The device set its BLE name to QCOM-BTD, which appears to be a default Qualcomm configuration. There is a single BLE service defined. This service exports three characteristics: one characteristic is read-only, one is notify-only, and one allows read, write, and notify operations.

Further analysis of the EV Station file system shows native code libraries responsible for the observed behavior. Additional investigation into these libraries may prove fruitful for contestants.

Additional information about expected BLE functionality can also be understood via analysis of the mobile applications. Trend Micro researchers performed reverse engineering of the UniFi Connect Android app and found code meant to communicate with the device over BLE. However, the discovered BLE characteristics present in the Android application do not match those broadcast by the EV Station. It is possible that after fully setting up the EV Station, the BLE stack may be reconfigured to match the expected BLE endpoints.

Future potential analysis

To mount a successful attempt against the Ubiquiti EV Station at Pwn2Own Automotive in Tokyo, contestants will need to perform additional analysis of the device to determine potential weaknesses. Trend Micro researchers have analyzed the Samsung KMQX60013A-B419 DRAM / NAND device by extracting it from the EV Station. This combination DRAM and NAND flash device contains the storage that supports the functionality of the EV Station.

As previously mentioned, the Ubiquiti EV Station runs the Android operating system. The EV Station flash contains numerous partitions. Using standard Linux tools, Trend Micro researchers identified several potential partitions. Some of these are real partitions and some appear to be false-positive detections by various tools. Several partitions have been verified and investigated. The following list shows the output produced on a Linux system using the `parted` command listing the partitions on the NAND flash device.

Trend Micro researchers used several methods for identifying partition data and mounting the partitions on the NAND flash device. The following command shows one method for mounting the system_a partition. Once the partition is mounted, a typical Android OS system partition is discovered.
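As an added example (not code from the post), the script below reads a dump's GUID Partition Table directly instead of relying on a tool's detection: it checks the GPT signature and both CRC32s, lists each named partition with its byte offset and length, and prints the read-only loop-mount command for a chosen partition such as system_a. Verifying the CRCs is a simple way to tell a real partition table from the false-positive detections the post mentions. The dump it operates on is constructed in memory (512-byte sectors, primary GPT only, random GUIDs, an MBR sector carrying only the boot signature); the partition names and layout are sample values, and `flash.bin` and `/mnt/system_a` are assumed paths.

```python
"""Read the GPT of a raw flash dump and compute the loop-mount command for
a named partition such as system_a.

Added example, not code from the ZDI post. The post lists partitions with
`parted`; reading the GPT header and entry array directly, and checking
their CRC32s, is a way to confirm which detections are real partitions
and to get exact byte offsets. The dump below is constructed in memory
(512-byte sectors, primary GPT only, random GUIDs); a real NAND dump is far
larger and also carries a backup GPT at the end of the device.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"
ENTRY_SIZE = 128
NUM_ENTRIES = 128
ENTRIES_LBA = 2


def build_gpt_image(parts, total_sectors=2048) -> bytes:
    """Construct a minimal image: MBR sector with boot signature only, GPT
    header at LBA 1, partition entry array at LBA 2."""
    table = b""
    for name, first_lba, last_lba in parts:
        table += (uuid.uuid4().bytes_le + uuid.uuid4().bytes_le   # type, unique GUID
                  + struct.pack("<QQQ", first_lba, last_lba, 0)   # LBAs, attributes
                  + name.encode("utf-16-le").ljust(72, b"\x00"))  # 36 UTF-16 chars
    table = table.ljust(NUM_ENTRIES * ENTRY_SIZE, b"\x00")
    table_sectors = NUM_ENTRIES * ENTRY_SIZE // SECTOR
    hdr = struct.pack("<8sIIIIQQQQ16sQIII",
                      GPT_SIGNATURE, 0x00010000, 92, 0, 0,
                      1, total_sectors - 1,
                      ENTRIES_LBA + table_sectors, total_sectors - 2,
                      uuid.uuid4().bytes_le,
                      ENTRIES_LBA, NUM_ENTRIES, ENTRY_SIZE, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # header CRC
    mbr = bytearray(SECTOR)
    mbr[510:512] = b"\x55\xaa"
    image = bytes(mbr) + hdr.ljust(SECTOR, b"\x00") + table
    return image.ljust(total_sectors * SECTOR, b"\x00")


def read_gpt(image: bytes) -> dict:
    """Return {name: (byte_offset, byte_length)} from the primary GPT.

    Raises ValueError if the signature or either CRC32 does not check out,
    which is how a false-positive 'partition' from a carving tool shows up.
    """
    hdr = image[SECTOR:2 * SECTOR]
    sig, _rev, hsize, hcrc = struct.unpack("<8sIII", hdr[:20])
    if sig != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1")
    if zlib.crc32(hdr[:16] + b"\x00" * 4 + hdr[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC32 mismatch")
    entries_lba, num, esize, ecrc = struct.unpack("<QIII", hdr[72:92])
    table = image[entries_lba * SECTOR:entries_lba * SECTOR + num * esize]
    if zlib.crc32(table) != ecrc:
        raise ValueError("partition entry array CRC32 mismatch")
    parts = {}
    for i in range(num):
        entry = table[i * esize:(i + 1) * esize]
        if entry[:16] == b"\x00" * 16:          # unused slot (zero type GUID)
            continue
        first_lba, last_lba = struct.unpack("<QQ", entry[32:48])
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")
        parts[name] = (first_lba * SECTOR, (last_lba - first_lba + 1) * SECTOR)
    return parts


def mount_command(parts: dict, name: str, image_path: str, mountpoint: str) -> str:
    """Build a read-only, no-exec loop mount of one partition of the dump."""
    offset, length = parts[name]
    return ("mount -o ro,noexec,nosuid,nodev,loop,offset=%d,sizelimit=%d %s %s"
            % (offset, length, image_path, mountpoint))


# Constructed layout: system_a occupies 1024 sectors starting at LBA 64.
SAMPLE_IMAGE = build_gpt_image([("system_a", 64, 1087), ("userdata", 1088, 2000)])

if __name__ == "__main__":
    layout = read_gpt(SAMPLE_IMAGE)
    for pname, (off, size) in layout.items():
        print("%-10s offset=%d size=%d" % (pname, off, size))
    print(mount_command(layout, "system_a", "flash.bin", "/mnt/system_a"))
```

Mounting read-only with `noexec,nosuid,nodev` keeps the analysis host from executing anything out of an untrusted image, and `sizelimit` stops the loop device from extending past the partition into neighbouring data.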

Extracting the data from flash storage is the first step to performing the analysis necessary to discover vulnerabilities that might be present in the Ubiquiti EV Station.

Summary

While these may not be the only attack surfaces available on the Ubiquiti EV Station, they represent the most likely avenues a threat actor may use to exploit the device. We’ve already heard from several researchers who intend to register in the EV Charger category, so we’re excited to see their findings displayed in Tokyo during the event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

A Detailed Look at Pwn2Own Automotive EV Charger Hardware

29 November 2023 at 17:29

In a previous blog, we took a look at the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we dive in with even greater detail on all of the EV Chargers targeted in the upcoming Pwn2Own Automotive competition. This isn’t meant to be a detailed exploitation guide. However, we hope these high-resolution images will inspire some of the research we hope to see on display in Tokyo.


This post provides detailed imagery of the target EV chargers we are including in the upcoming Pwn2Own Automotive contest. Our intention is to help contestants understand the component hardware included in the EV chargers for the competition. But first, a safety reminder:

EV Chargers contain high voltages. Use extreme caution when working with them.  Never touch interior components when powered on.  If you are unable to determine the safe vs unsafe regions within the device, seek qualified assistance before proceeding.  An open enclosure can be a deadly enclosure. Modifications to charging devices should not be made if there is an intent to ever plug the device into a vehicle or use the charging cable power or signal conductors as part of the experimentation. If there is such an intent, the EV charger should not be modified, and the appropriate connections should be made per the manufacturer's instructions. 

With that out of the way, let’s move on to the images.

Autel Maxi EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Autel Maxi EV Charger.

· ST Micro STM32F407ZGT6
· Renergy RN830(B)
· Barrot BR8051A01 bluetooth radio
· Quectel EC25-AFX
· GigaDevices GD32F407
· Espressif ESP32-WROOM-32D
· Winbond 128Mbit Flash device
· ISSI IS62WV10248EALL/BLL

The Autel Maxi comprises multiple boards. One board is dedicated to the display, one board is a metrology board for power measurement and distribution, one is a mobile communication module board, and, finally, there’s a CPU board.

Figure 1 - The Autel Maxi metrology board hosts the ST Micro STM32F407ZGT6 and Renergy RN830(B).

Figure 2 - The Autel Maxi mobile communication PCB hosts the Quectel EC25-AFX.

Figure 3 - The Autel Maxi CPU PCB hosts the GigaDevices GD32F407, an Espressif ESP32-WROOM, a Winbond flash storage chip, and a Barrot BR8051A01 Bluetooth radio.

Figure 4 - The reverse side of the Autel Maxi CPU board contains the Barrot BR8051A01 Bluetooth radio.

Figure 5 - A detailed look at the Barrot BR8051A01 Bluetooth radio.

ChargePoint Home Flex

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the ChargePoint Home Flex EV charger.

· Atmel AT91SAM9N12
· Micron MT47H64M16NF-25E IT:M - 1GB DRAM
· Micron MT29F4G08ABBDAH4-IT:D - 4GB NAND flash
· Inventek ISM43340 Wi-Fi Bluetooth SIP Module

The ChargePoint Home Flex comprises two circuit boards within the device housing. Those boards are the metrology board and the CPU board. The CPU board hosts an Atmel ARM CPU, a Wi-Fi radio, and a Bluetooth LE radio. The CPU board is labeled CPH-50 CPU on the PCB silkscreen markings. Also, the unpopulated debug header labeled CN1 exposes the JTAG debugging interface of the Atmel AT91SAM9N12.

Figure 6 – ChargePoint Home Flex CPU board side 1, with Atmel ARM CPU, WiFi radio, and Bluetooth LE radio. P3 serial port labels have been added to the image.

Figure 7 – ChargePoint Home Flex CPU board, side 2.

The metrology board hosts an MSP430 microcontroller. It terminates the power connection from the power supply. It also terminates the charging cable that end users connect to the electric vehicle. The metrology board also provides power to the CPU board via a stacked PCB connector on the upper right of the metrology board. The metrology board is labeled with the identifier Panda AC 50 on the PCB silk screen markings.

Figure 8 – ChargePoint Home Flex metrology board side 1, with MSP430 microcontroller.

Figure 9 - ChargePoint Home Flex metrology board side 2.

Emporia Smart Home EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Emporia Smart Home EV charger.

·       Espressif ESP32-WROVER-IB
·       TI MSP430F6736A

The device is built around the Espressif ESP32-WROVER-IB Wi-Fi and Bluetooth module. It is marked on the board as U1. The serial interface of the ESP32 is connected to the vias located directly next to the module labeled H3-H10. Identifying the pinout is an exercise for the reader.

Figure 10 - Emporia Smart Home EV Charger employs a single board design. The ESP32 module is to the left, and the MSP430 is in the center.

The Emporia Smart Home EV charger uses a TI MSP430F6736A microcontroller for the metrology function.

Figure 11 - Emporia Smart Home EV Charger detail image of the TI MSP430F6736A used for metrology.

Enel X Way Juicebox 40 EV Charger

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Enel X Way Juicebox EV charger.

·       Silicon Labs WGM160PX22KGA3
·       Silicon Labs MGM13S SiP Module
·       Atmel ATmega328P
·       Atmel M90E36A Metering IC

The following image shows an overview of most of the main PCB. The Silicon Labs WGM160PX22KGA3 is toward the top-left of the following image and is marked U3. The Silicon Labs MGM13S SiP Module is toward the lower left of the following image and is labeled U11. The Atmel ATmega328P is located left-of-center in the following image and is labeled U14.

Figure 12 - Enel X Way Juicebox 40 EV Charger main PCB hosts both application and metrology. The Silicon Labs WGM160PX22KGA3 is shown in the lower right of this figure, and the Atmel ATmega328P is shown in the middle.

The following image shows the right-hand side of the board, where the Atmel M90E36A Metering IC is located. It is marked U25.

Figure 13 - Enel X Way Juicebox 40 EV Charger main PCB is shown with the Atmel M90E36A metrology processor shown to the right.

Figure 14 - Enel X Way Juicebox 40 EV Charger detail view of Silicon Labs WGM160PX22KGA3.

Phoenix Contact CHARX SEC 3100

The following list summarizes the components Trend Micro Research has identified as notable components and/or potential attack surfaces in the Phoenix Contact CHARX SEC 3100 EV charge controller.

·       NXP MCIMX6G2CVM05AB - i.MX 6UltraLite Processor
·       Infineon OPTIGA™ TPM SLB 9670 TPM2.0
·       Micron MT41K256M16TW-107 IT:P - 4gb DDR3 memory module
·       Micron MTFC8GAKAJCN-4M IT - 64 Gbit MMC NAND flash
·       Sierra Wireless RC7620-1
·       STM32F303 Arm microcontroller

The Phoenix Contact CHARX SEC 3100 is an EV charging controller. The device is typically mounted on a DIN rail. The enclosure contains two PCBs interconnected via a bus at the rear of the enclosure. In this document, we refer to one PCB as the CPU Board, and the other as the Metrology Board.

The CPU Board hosts the NXP MCIMX6G2CVM05AB ARM Cortex A7 CPU along with its associated DDR3 and NAND flash components. Additionally, the CPU Board comprises two Ethernet interfaces, one USB C interface, a micro SD card reader, a micro SIM card slot, and a Sierra Wireless RC7620 cellular modem.

The Phoenix Contact CHARX SEC 3100 runs Linux, and the manufacturer provides access via a preexisting user account on the system.

Figure 15 - Phoenix Contact CPU Board Side 1. This CPU board contains the NXP MCIMX6G2CVM05AB - i.MX 6UltraLite Processor, the Micron MT41K256M16TW-107 IT:P - 4gb DDR3 memory module, and the Micron MTFC8GAKAJCN-4M IT - 64 Gbit MMC NAND flash.

Figure 16 - Phoenix Contact CPU Board Side 2. This side of the CPU board has two Ethernet controller chips and the Infineon OPTIGA™ TPM SLB 9670 TPM2.0.

The Metrology Board hosts the STM32F303 Arm microcontroller.

Figure 17 - Phoenix Contact Metrology Board Side 1. The metrology board hosts circuitry for power metering.

Figure 18 - Phoenix Contact Metrology Board Side 2. The metrology board hosts an STM32F303 Arm microcontroller and communicates with the CPU board over the inter-board bus connector shown on the left side of the board in this figure.

Ubiquity EV Station

The following list summarizes the components Trend Micro research has identified as notable components and/or potential attack surfaces in the Ubiquity EV Station.

·       Qualcomm APQ8053 SoC
·       Nuvoton M482LGCAE (ARM)
·       Samsung KMQX60013A-B419 DRAM / NAND
·       Realtek RTL8153-BI Ethernet controller
·       Qualcomm WCN3680B (Wi-Fi)
·       NXP PN71501 (NFC)
·       TI USB 4 Port Hub - TUSB2046BI
·       Qualcomm PMI8952 (PMIC)
·       Qualcomm PM8953 (PMIC)
·       UART DEBUG port
·       USB C port

The following is an overview image of the main CPU board of the Ubiquity EV Station. The board has several collections of highly integrated components, each isolated inside its own dedicated footprint on the board. Each of these areas of the PCB appears to be dedicated to discrete functionality, such as CPU with RAM and flash, Wi-Fi, NFC, Ethernet, USB, and display.

In the center of the board sits the Qualcomm APQ8053 and the Samsung KMQX60013A-B419 combination DRAM and NAND device. These represent the primary application processor for the device, along with its RAM and flash storage. They are marked U5 on the PCB silkscreen.

Just beneath this section of the PCB lie three connectors. A connector marked JDB2 and UART DEBUG emits boot messages when the Ubiquity EV Station starts up. In the center is a USB C connector marked J20. To the right is a two-pin connector marked J28. The functionality of this connector is not yet understood.

In the top center of the following image is an unpopulated component marked U20. It’s possible this is an unpopulated footprint for a cellular communication module.

Figure 19 - Ubiquity EV Station CPU board. The Ubiquity EV Station is a highly integrated device based around a Qualcomm APQ8053 SoC.

The following image shows the Qualcomm CPU and associated RAM and NAND flash chip inside the Ubiquity EV Station:

Figure 20 - Ubiquity EV Station CPU board, showing details of the Qualcomm APQ8053 SoC and Samsung KMQX60013A-B419 combination flash storage and RAM device.

In the following image, the PCB shows a stencil marked “J23.” Trend Micro researchers endeavored to discover where this header is connected. They surmised that the vias in J23 might be connected to a debug interface on the board. Upon further inspection, they determined the vias on J23 are connected to the unpopulated device marked U20.

Figure 21 - Ubiquity EV Station detail image of Realtek RTL8153-BI Ethernet controller.

Conclusion

We hope this imagery will inspire you to take a deeper look at the EV chargers to be targeted at Pwn2Own Automotive. Time is running out to register, with the deadline being January 18, 2024. As always, we recommend using basic electrical safety handling procedures whenever working with electrical devices. Potentially lethal voltages will be present within the unit, especially when powered from a 230VAC source. We hope to see both you and your exploits in Tokyo.

Until then, stay tuned to this blog for attack surface reviews and how-to guides for other devices, and if you’re curious, you can see all the devices included in the contest. In the meantime, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

The November 2023 Security Update Review

14 November 2023 at 18:36

It’s the penultimate second Tuesday of 2023, and Microsoft and Adobe have released their latest security patches into the crisp, fall air. Take a break from your scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:

Adobe Patches for November 2023

For November, Adobe released 14 bulletins addressing 76 CVEs in Adobe Acrobat and Reader, ColdFusion, Audition, Premiere Pro, After Effects, Media Encoder, Dimension, Animate, InCopy, InDesign, RoboHelp, FrameMaker Publishing Server, Bridge, and Photoshop. A total of 54 of these bugs came through the ZDI program, with most attributed to ZDI vulnerability researcher Mat Powell. The patch for Acrobat and Reader is the largest with 17 CVEs, and likely the most important since it is often targeted in phishing campaigns. The update for ColdFusion contains three Critical-rated CVEs and should also be at the top of your test and deployment list. The update for Audition is quite large, with nine total CVEs addressed. The After Effects update is just behind it with eight CVEs receiving fixes.

The Photoshop patch should also be prioritized. It contains six fixes and could allow code execution when opening a specially crafted file. That’s also true for the Premiere Pro update. Both of those applications often rely on Media Encoder, and it gets five patches this month as well. The patch for InDesign includes seven CVEs, but the most severe is only rated Important. The update for RoboHelp includes five CVEs – four of which are rated Critical. If you use that tool to author your technical content, definitely test and deploy the patch quickly. The fix for Adobe Bridge contains three Moderate-rated CVEs. The fixes for InCopy and the FrameMaker Publishing Server both fix a single Critical-rated CVE, while the patches for Dimension and Animate both correct a single Important-rated CVE.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for November 2023

This month, Microsoft released 63 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET and .NET Framework; Azure; Mariner; Microsoft Edge (Chromium-based); Visual Studio; and Windows Hyper-V. A total of five of these CVEs were reported through the ZDI program. In addition to the new CVEs, multiple Chromium bugs and other externally reported CVEs are being incorporated into the release, bringing the total number of CVEs to 78.

Of the new patches released today, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. This is one of the smallest monthly releases Microsoft has done this year, although the total CVEs to date are right at 2021 levels with a month more to go. It will be interesting to see what patches come out of Microsoft in December.

Three of the CVEs released today are listed as under active attack at the time of release and a total of three CVEs are listed as publicly known. It seems the “Hot 0-day Summer” lasts into the fall. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability
This bug allows a privilege escalation through the Windows Desktop Manager (DWM) and is listed as being under active attack. Microsoft doesn’t provide any indication of how widespread the attacks are at this point, but these types of exploits typically begin with small outbreaks before spreading wider. An attacker who uses this can gain SYSTEM privileges, which is why these types of bugs are often paired with some form of code execution bug to compromise a system.

-       CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
This is another privilege escalation bug under active attack, and just like the DWM bug, exploitation leads to SYSTEM privileges. This driver is used for managing and facilitating the operations of cloud-stored files. It’s loaded by default on just about every version of Windows, so it provides a broad attack surface. Again, this bug is likely being paired with a code execution bug in attacks. Definitely test and deploy this update quickly.

-       CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the final bug listed as under active attack this month, but this is a bypass rather than a privilege escalation. An attack that exploits this bug would be able to bypass Windows Defender SmartScreen checks and other prompts. That means this bug is likely being used in conjunction with an exploit that normally would be stopped by SmartScreen. I suspect this is being used by a phishing campaign to evade user prompts that would prevent – or at least warn about – opening a malicious document.

-       CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
With a CVSS of 9.8, this is the highest-rated bug for the month, and it deserves the rating. It would allow a remote, unauthenticated attacker to execute code with elevated privileges without user interaction. The good news here is that this is only true for systems where the Windows message queuing service is running in a PGM Server environment. There shouldn’t be a lot of those out there, but if you are one of them, definitely test and apply this update quickly.

Here’s the full list of CVEs released by Microsoft for November 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | Yes | Yes | EoP |
| CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-36025 | Windows SmartScreen Security Feature Bypass Vulnerability | Important | 8.8 | No | Yes | SFB |
| CVE-2023-36038 | ASP.NET Core Denial of Service Vulnerability | Important | 8.2 | Yes | No | DoS |
| CVE-2023-36413 | Microsoft Office Security Feature Bypass Vulnerability | Important | 6.5 | Yes | No | SFB |
| CVE-2023-36052 | Azure CLI REST Command Information Disclosure Vulnerability | Critical | 8.6 | No | No | Info |
| CVE-2023-36400 | Windows HMAC Key Derivation Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2023-36397 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-36049 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | Important | 7.6 | No | No | EoP |
| CVE-2023-36558 | ASP.NET Core - Security Feature Bypass Vulnerability | Important | 6.2 | No | No | SFB |
| CVE-2023-36560 | ASP.NET Security Feature Bypass Vulnerability | Important | 8.8 | No | No | SFB |
| CVE-2023-36437 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-36392 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-36031 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-36410 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2023-36016 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.2 | No | No | XSS |
| CVE-2023-36030 | Microsoft Dynamics 365 Sales Spoofing Vulnerability | Important | 6.1 | No | No | Spoofing |
| CVE-2023-36024 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-36027 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-36041 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36037 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB |
| CVE-2023-36439 † | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-36035 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2023-36039 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2023-36050 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2023-38151 | Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-36428 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-36045 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36021 | Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability | Important | 8 | No | No | SFB |
| CVE-2023-36028 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2023-36401 | Microsoft Remote Registry Service Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-36423 | Microsoft Remote Registry Service Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-36007 | Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2023-38177 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 6.1 | No | No | RCE |
| CVE-2023-36719 | Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP |
| CVE-2023-36402 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-36422 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-24023 * | Mitre: CVE-2023-24023 Bluetooth Vulnerability | Important | Unknown | No | No | Spoofing |
| CVE-2023-36043 † | Open Management Infrastructure Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-36018 | Visual Studio Code Jupyter Extension Spoofing Vulnerability | Important | 7.8 | No | No | Spoofing |
| CVE-2023-36042 | Visual Studio Denial of Service Vulnerability | Important | 6.2 | No | No | DoS |
| CVE-2023-36046 | Windows Authentication Denial of Service Vulnerability | Important | 7.1 | No | No | DoS |
| CVE-2023-36047 | Windows Authentication Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36424 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36396 | Windows Compressed Folder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36395 | Windows Deployment Services Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-36425 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
| CVE-2023-36407 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36408 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36427 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-36406 | Windows Hyper-V Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-36705 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-36403 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-36405 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-36404 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-36398 | Windows NTFS Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-36017 | Windows Scripting Engine Memory Corruption Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-36394 | Windows Search Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-36399 | Windows Storage Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-36393 | Windows User Interface Application Core Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-36014 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 7.3 | No | No | RCE |
| CVE-2023-36034 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 7.3 | No | No | RCE |
| CVE-2023-36022 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 6.6 | No | No | RCE |
| CVE-2023-36029 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate | 4.3 | No | No | Spoofing |
| CVE-2023-5480 * | Chromium: CVE-2023-5480 Inappropriate implementation in Payments | High | N/A | No | No | RCE |
| CVE-2023-5482 * | Chromium: CVE-2023-5482 Insufficient data validation in USB | High | N/A | No | No | RCE |
| CVE-2023-5849 * | Chromium: CVE-2023-5849 Integer overflow in USB | High | N/A | No | No | RCE |
| CVE-2023-5996 * | Chromium: CVE-2023-5996 Use after free in WebAudio | High | N/A | No | No | RCE |
| CVE-2023-5850 * | Chromium: CVE-2023-5850 Incorrect security UI in Downloads | Medium | N/A | No | No | SFB |
| CVE-2023-5851 * | Chromium: CVE-2023-5851 Inappropriate implementation in Downloads | Medium | N/A | No | No | RCE |
| CVE-2023-5852 * | Chromium: CVE-2023-5852 Use after free in Printing | Medium | N/A | No | No | RCE |
| CVE-2023-5853 * | Chromium: CVE-2023-5853 Incorrect security UI in Downloads | Medium | N/A | No | No | SFB |
| CVE-2023-5854 * | Chromium: CVE-2023-5854 Use after free in Profiles | Medium | N/A | No | No | RCE |
| CVE-2023-5855 * | Chromium: CVE-2023-5855 Use after free in Reading Mode | Medium | N/A | No | No | RCE |
| CVE-2023-5856 * | Chromium: CVE-2023-5856 Use after free in Side Panel | Medium | N/A | No | No | RCE |
| CVE-2023-5857 * | Chromium: CVE-2023-5857 Inappropriate implementation in Downloads | Medium | N/A | No | No | RCE |
| CVE-2023-5858 * | Chromium: CVE-2023-5858 Inappropriate implementation in WebApp Provider | Low | N/A | No | No | SFB |
| CVE-2023-5859 * | Chromium: CVE-2023-5859 Incorrect security UI in Picture In Picture | Low | N/A | No | No | SFB |

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates post-installation actions are required to fully address the vulnerability.

There are only two other Critical-rated bugs to discuss, and the first is an information disclosure in the Azure Command-Line Interface (CLI). Info disclosure vulnerabilities rarely get a Critical rating, but this one could reveal plaintext passwords and usernames from log files, so it seems appropriate. The other Critical-rated patch is a privilege escalation in the Windows Hash-based Message Authentication Code (HMAC) that could allow a guest on Hyper-V to execute code on the underlying host OS. Fortunately, this is a local-only attack. However, if one guest can take over the host, they could do anything they wanted to other guest OSes on that server.

Looking at the remaining code execution bugs, the glaring one we all dread is sitting right there – a patch for Exchange Server. The good news here is that an attacker would need to be network adjacent and authenticated. The bad news is that simply installing the patch isn’t enough to be protected from this vulnerability. You will need to follow the post-install steps listed here to enable the Serialized Data Signing feature to be fully protected. Most of the remaining RCE bugs are the typical open-and-own sort in Office and other Windows components. The bug in Azure DevOps reads more like an EoP since it requires an attacker to be authenticated. That’s also the same for the Registry Service, DFS, and SharePoint bugs. The bugs in the Host Integration Server and WDAC require connecting to a malicious database. The bug in Protected Extensible Authentication Protocol (PEAP) is nearly as bad as the PGM bug, but again, it requires a non-default setting. Fortunately, PEAP isn’t used too much these days, but if you have a legacy enterprise, you should not skip this patch.

Moving on to the privilege escalation bugs, most require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. This is even true for the bugs in Hyper-V, although it’s not entirely clear they could all be launched from a guest OS.

There are several spoofing bugs getting addressed this month, and for obvious reasons, the Exchange bugs stand out the most. These were reported by ZDI vulnerability researcher Piotr Bazydlo and act as NTLM relay bugs. One (CVE-2023-36035) results from a failed patch. These bugs do require authentication, but an insider could exploit these to relay NTLM credentials and gain further access. The bugs in Dynamics 365 both occur in the webserver. However, they allow malicious scripts to execute in the victim’s browser. The final spoofing bug in Visual Studio reads more like a privilege escalation as Microsoft states it could allow an attacker to gain high privileges, which include read, write, and delete functionality.

In addition to the one under active attack, there are five other security feature bypass (SFB) bugs getting patches this month. The bug in ASP.NET Core allows attackers to bypass validations on Blazor Server forms. There’s another bug in ASP.NET that would allow the bypass of certain checks designed to prevent an attacker from accessing internal applications on a website. The SFB in Office allows attackers to evade the Office Protected View, while the one in Excel could bypass the Microsoft Office Trust Center external links check. The final SFB for November is in the On-Prem Data Gateway. An attacker could exploit this bug to bypass certificate validation mechanisms and provide arbitrary certificates that do not have proper signatures.

There are just a few information disclosure bugs to discuss, and the majority of these merely result in info leaks consisting of unspecified memory contents. There are two exceptions to this. The bug in Open Management Infrastructure could allow an attacker to access the credentials of privileged accounts stored in trace logs on the machine being monitored by SCOM. Microsoft recommends resetting the passwords of privileged accounts after applying the update. The kernel information disclosure bug would allow attackers to view registry keys they would not normally be able to access.

This month’s release includes a handful of fixes for denial-of-service (DoS) bugs. The most intriguing is the bug in the DHCP Server. This could certainly cause quite a disruption to most enterprises. Unfortunately, Microsoft provides no additional information about the bug. The Windows Authentication bug could also cause a disruption, as it would prevent normal authentication actions from occurring. No substantial information regarding the other DoS bugs is provided by Microsoft.

Lastly, the November release is rounded out by three cross-site scripting (XSS) bugs in Dynamics 365.

No new advisories were released this month.

Looking Ahead

The final Patch Tuesday of 2023 will be on December 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

How To: Modifying EV Chargers for Benchtop Experiments

Previously, we looked at the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at how to safely modify an EV charger to perform research through benchtop experiments. This isn’t meant to be a comprehensive guide, but it should provide you with a solid base to start your own research into these devices.

In some of our previous blogs, we’ve looked at the attack surface of devices included in the Pwn2Own Automotive competition. In this post, we provide some information on hardware modifications that can be made to most electric vehicle (EV) chargers to assist in benchtop experimentation. But first, a safety reminder:

EV Chargers contain high voltages; use extreme caution when working with them. Never touch interior components when powered on. If you are unable to determine the safe vs. unsafe regions within the device, seek qualified assistance before proceeding. An open enclosure can be a deadly enclosure. These modifications should not be made if there is an intent to ever plug into a vehicle or use the charging cable power or signal conductors as part of the experimentation. If there is such an intent, the EV charger should not be modified, and the appropriate connections should be made per the manufacturer's instructions. Additionally, these suggested modifications do not reduce the danger or the need to exercise caution and appropriate high-voltage safety precautions.

Most residential EV chargers arrive out of the box with both the input and output power cables attached to the unit. The power input will generally be a household appliance-type plug, and the charger output will likely be a cable with an SAE J1772 connector that plugs into the vehicle. The input power is typically high current and high voltage (230VAC). However, most researchers do not need a high current connection to power up the device when looking for bugs. You can use a cheap, pre-built power cable that can be sacrificed to avoid the cost of setting up a high current and voltage infrastructure by a licensed electrician just to power up the device under test.

Here’s a look at a typical input cable plug:

Figure 1 - Typical EV charger residential input cable plug

And here’s a typical output cable plug (SAE J1772)

Figure 2 - Typical EV charger output cable plug

These connectors and voltages cannot be easily or safely handled at an electronics bench, so the following modification steps aim to simplify some of this infrastructure for experimentation. As a reminder, these modifications should only be done on EV chargers meant for research. If you intend to plug a vehicle into the charger, we do not recommend making any modifications whatsoever. Instead, follow the manufacturer’s instructions on the proper installation and use of the charger.

With that out of the way, let’s look at the steps needed to modify the EV charger for benchtop experimentation. 

1)     Remove the unit from any power source.

2)     Disconnect the output cable. Since the goal is to experiment on the device only as a stand-alone unit, the output cable can be removed. This involves opening the enclosure and unscrewing the terminals that hold the wires for the SAE J1772 cable. This will typically consist of 3 heavy gauge wires and 1 light gauge communication wire. Here are some examples:

Figure 3 - Output cable terminals found on the Ubiquity charger

Figure 4 - Output cable terminals found on the Juicebox charger

Figure 5 - Output cable terminals found on the Autel charger

3)     Remove the now loosened output cable from the enclosure. This may also involve removing cable clamps and bulkhead connectors.

4)     Disconnect the input cable. This cable will have 3 large gauge wires attached to the inside of the enclosure. The terminals may or may not be in the same space as the output terminals. Some of the EV chargers place all terminals on the same PCB while others isolate them in different compartments inside the enclosure. It’s best practice to take a photograph of the terminals before disconnecting for future reference. You will be using these terminals to provide power with a smaller cable.

5)     Remove the now loosened input cable from the enclosure. This may involve removing cable clamps and bulkhead connectors.

6)     Identify your region’s voltage. The EV chargers typically run on higher voltages (230VAC) per the manufacturer’s installation documents. If your region has a higher voltage, then no step-up transformer is required. If your region has lower voltages (100VAC – 120VAC), it is recommended that you use a step-up transformer. However, some EV chargers will initialize to some extent with lower voltages, so it is possible that, depending on your EV charger model and the type of exploit you are experimenting with, a step-up transformer may not be necessary. If you do need one, one suggestion is a device like the LVYUAN DT-500VA, which accepts 110VAC input and produces 230VAC output.

Figure 6 - Example of an AC to AC step-up/step-down transformer

7)     You can now install an input cable inside the enclosure. The cable can be lighter gauge since only the electronics are being powered up. On one end will be 3 bare wires and on the other can be a typical 3-prong residential plug. An example is a standard PC power cord with the PC side cut off. With the insulation removed, there will be 3 wires that can be stripped and the ends tinned (see picture below). Route the cable through the enclosure opening that the previous cable was in. Using the locations where you removed the large input cable, connect the bare wires to those terminals. The ground wire (green) is the first connection. Attach it to where the previous green wire was connected. The other two wires will be energized, so it does not matter which color connects to which of the remaining input power terminals. The picture below is an example of the cable end relative to the terminals.

Figure 7 -  Example of a new input cable prepared for attachment

Figure 8 - Input cable attachment terminals in an Autel charger

8)     With the wiring complete, you can re-assemble the enclosure.

9)     You can now plug the new input power cable into the 230V receptacle on the step-up transformer. We recommend securing the cable with zip ties to prevent accidental removal of the input cable.

Figure 9 - Input cable attached to the 230V port on the transformer

Conclusion

This shows you how to wire an EV charger for benchtop experimentation. The intent is to use an easy-to-get, cheap, pre-built cable that can be sacrificed, so that a researcher working with a limited budget does not have to build high-current, high-voltage infrastructure at their bench if they only intend to power up the electronics. If a researcher already has a 230VAC plug right next to their testbench, they will not need this modification. However, we suspect that most researchers just getting into the automotive space will not have these resources. That’s why we’re offering this work-around for those who don’t intend to connect to a vehicle and thus don’t need a high-current connection.

As always, we recommend using basic electrical safety handling procedures whenever working with electrical devices. Potentially lethal voltages will be present within the unit, especially when powered from a 230VAC source.

The modifications shown in this article should assist you in conveniently conducting your research into potential vulnerabilities in EV chargers. Our research has uncovered some already, and we continue looking into the attack surface of such devices. We hope you’re successful with your research, and if you discover a vulnerability, we hope you demonstrate it during the upcoming Pwn2Own Automotive contest.

Stay tuned to the blog for attack surface reviews and how-to guides for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Unpatched Powerful SSRF in Exchange OWA – Getting Response Through Attachments

2 November 2023 at 16:18

Server Side Request Forgery (SSRF). This vulnerability class triggers a wide range of emotions and reactions, ranging from complete ignorance to panic. Though it is included in the OWASP Top 10 list of web application security risks, at times vendors tend to downplay it and not treat it seriously.

As usual, the truth lies somewhere in between. What appears to be SSRF may sometimes in fact be intended functionality. Even so, an attacker may be able to abuse that functionality to improperly disclose sensitive information, either from the application containing the SSRF or from unrelated internal systems.

You may have noticed battles between researchers and vendors where an SSRF vulnerability was at the center of the disagreement. The fun part starts when a single vendor responds to different SSRF vulnerabilities in different ways and you are not able to reverse engineer their decision-making algorithm.

Whenever I find an SSRF vulnerability, my personal approach is to divide the assessment into four main categories. 

a)     Internal vs. external application

Ideally, we want to find SSRF vulnerabilities in applications that are widely exposed to the internet. Such a vulnerability may allow you to interact with an internal network to which you would not have direct access.

This isn’t to say that SSRF vulnerabilities in internal applications are without value. Sometimes, internal applications may be placed in the DMZ or another restricted area of the network. When you are an internal attacker (an attacker who is already in the internal network), you may find an SSRF useful for reaching some inaccessible networks or machines. Still, it’s typically a much less attractive case than an internet-reachable SSRF.

b)     Does the product expose services on the loopback interface?

Some products expose services that are reachable only through a loopback interface. If we can interact with such a service through the SSRF, it allows us to extend the attack surface and to potentially chain it with other vulnerabilities. It makes the SSRF potentially more interesting and useful.

c)     Privileges required

As always, the strongest vulnerabilities are those that do not require authentication.

After that come vulnerabilities requiring low privileges. Though less powerful, they can still be very dangerous. Consider an externally exposed application with 50,000 users. An authenticated SSRF in such a case may be very dangerous, as we all know that threat actors have multiple ways of obtaining credentials.

Last and least, there are SSRFs that require administrative privileges. Typically, I almost immediately drop those. Seeing a vendor that fixes admin-level SSRF is a rarity.

d)     What can we achieve with the SSRF

This is a crucial category, and we can divide it into two subparts.

1 - Request shaping:

— What protocols can we use? HTTP, HTTPS, FTP, any other?
— How much do we control the request? In the case of HTTP:

    — Can we pick the HTTP method? GET, POST or any other? If not, which method is used for the request?
    — Can we fully control the URL? Are some query string parameters hardcoded, or do we have full control?
    — Can we specify arbitrary HTTP headers?
    — Can we insert arbitrary data into the request body?
    — And so forth.

2 - Response handling:

— Does the SSRF sink follow redirects? If so, does it allow switching protocols?
— Does it return a response to the attacker?

I find this last question particularly important. If the attacker can use the SSRF to receive a response, the information leak risk is real. I’ve done hundreds of penetration tests and believe me – SSRF that allows you to make GET requests to the internal network and receive the response will give you a ton of sensitive information.

That was long, I’m sorry. But this shows that the evaluation of SSRF vulnerabilities is in fact complex and it depends on many factors. When you find an SSRF vulnerability, you will need to do a similar evaluation by yourself. Afterward, you might find that when the vendor performs their own evaluation, they may have a completely different definition of a “potentially harmful SSRF”.

To illustrate, I once reported an SSRF vulnerability in Microsoft SharePoint, CVE-2023-28288. This vulnerability could be exploited by any authenticated user and allowed the attacker to make any HTTP GET request but did not return the response. Microsoft treated this vulnerability seriously and provided a quick fix. MSRC even assigned a higher CVSS score than we originally had. This may be because the vulnerability additionally allowed disclosure of the contents of local files with the xsl extension. I did not find that especially interesting, but perhaps Microsoft did.

On the other hand, the researcher known as Frycos found a pre-auth SSRF in Skype for Business, and more than a year passed waiting for the fix. It was not treated as an immediate threat. Quoting from that blog post:

Since the MSRC rejected my submission for this vulnerability with a “not meeting the bar” argument, I told them to publish a blog post instead.

I am doing something similar right now. Not so long ago, I had 4 hours to spare, and I decided to look at Exchange OWA. I quickly identified 3 SSRF issues, one of which seemed to be particularly dangerous:

— Exchange OWA is frequently exposed to the internet.
— The vulnerability could be exploited by any authenticated user (any user with a mailbox). Even though this means that authentication is required, the number of mailboxes deployed in some organizations can run into the hundreds of thousands.
— It allows performing any HTTP GET request, with full control over the URL and query string parameters.
— It retrieves the content of the response.

As the attacker can abuse this SSRF to retrieve the content of the response, I thought it was a good finding. However, Microsoft did not agree:

MSRC has investigated this issue and concluded that this does not require immediate servicing. We have shared your report with the team responsible for maintaining the product or service and they will consider a potential future fix, taking the appropriate action as needed to help keep customers protected.

We do not have a timeline for when this review will occur, and will not be able to provide status for this issue moving forward.

In short: this may get fixed or it may not. If they decide to fix it, the patch may appear in 1 year or in 3 years. In general, we know nothing.

Accordingly, we informed Microsoft of our intention to publish this vulnerability as a 0-day advisory and a blog post. As we consider this issue potentially dangerous, we want organizations to be aware of the threat. For this reason, we are providing a PoC HTTP Request to be used for filtering and/or monitoring.

ZDI-CAN-22101 – CreateAttachmentFromURI Server-Side Request Forgery

When a user wants to attach a file to a message through Exchange OWA, he can use the “clip” button. It allows the selection of any file from the local file system.

Figure 1 — Inserting an attachment through the GUI

Quite an obvious thing, right? On the other hand, when I was going through the methods defined in the Exchange OWAService, I found an interesting one called CreateAttachmentFromUri.

At [1], the CreateAttachmentFromUri is initialized and then its Execute method is called.

At [1], the Uri object is instantiated on the basis of the attacker-controlled string.

The Execute method will finally lead us to CreateAttachmentFromUri.InternalExecute:

At [1], CreateAttachmentFromUri.DownloadAndAttachFileFromUri is called. The name of the method says everything that we need to know.

It leads to an asynchronous task. I am including a fragment of this task:

At [1], an HttpClient is created.

At [2], a request is made.

At [3], an attachment is created on the basis of the retrieved response.

According to that, this method allows performing an HTTP GET SSRF. The attacker can target any endpoint and can specify any query string parameters.

One may notice that this SSRF has an additional feature that makes it even more dangerous. It creates the attachment on the basis of the response. There are also bonus points for the fact that this SSRF sink handles redirects – they are supported by default by HttpClient, and the AllowAutoRedirect property is not modified by the code.

My guess is that this is some obsolete Exchange OWA feature, which has been deprecated and removed from the GUI. However, it has not been removed from the server-side code. This is only a guess though, as I have never been a serious user of OWA.

To sum up, the following attack scenario is possible:
• The attacker authenticates to OWA.
• The attacker creates a new draft message.
• The attacker invokes CreateAttachmentFromUri, triggering the SSRF.
• The response of the SSRF gets added to the mail message as an attachment.
• The attacker downloads the attachment and retrieves the response content.

I implemented this attack scenario in my exploit. The following screenshot presents a sample exploitation, where the http://internaltomcat.zdi.local:8080 URL was targeted.

Figure 2 — SSRF Exploit – retrieving the response from internal Tomcat server

The response content can also be retrieved easily through the GUI. You need to access your message and open the attachment.

Figure 3 — SSRF response stored in the attachment

Proof of Concept

In general, this SSRF can be exploited with a single HTTP Request to the OWA service:

Such a request produces SSRF. It will not allow you to retrieve the response content, though. If you want to retrieve the content, you must provide a valid message’s ChangeKey and Id in the respective JSON keys (here, they were set to poc). If a proper ChangeKey and Id are provided, the response will be attached to the specified message.

The JSON payload can be also delivered through the X-Owa-Urlpostdata HTTP header. The following snippet presents an example of such a request:
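The two questions from the assessment above that make this sink dangerous, whether the fetch can reach internal addresses and whether the response comes back, can be expressed in code on both sides: as the destination check a fetch-and-attach feature should perform, and as the monitoring logic the post offers the PoC request for. The following Node.js is an added example written for this post; it is not code from the post, from Exchange or from Microsoft. Only the action name CreateAttachmentFromUri, the JSON keys ChangeKey and Id, the X-Owa-Urlpostdata header and the internaltomcat.zdi.local host come from the post; the /owa/service.svc path, the Action header, the "Uri" key in the constructed sample and every function name are assumptions of this example.

```javascript
// Added example (not code from the post, from Exchange or from Microsoft):
// classify where a server-side fetch would land, apply that check at the
// sink, and reuse it to flag suspicious OWA requests in a constructed log.

// --- 1. Target classification ----------------------------------------------
// Address ranges a server-side fetch should never reach on behalf of a user.
const INTERNAL_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], // RFC 1918
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],     // loopback, link-local, "this host"
  ["100.64.0.0", 10],                                        // shared address space (CGNAT)
];

function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((o) => o > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// True when the URL points at loopback, a private range or an internal-only name.
// The WHATWG URL parser normalises forms such as 0x7f000001 to a dotted quad
// before this check sees the hostname.
function isInternalTarget(urlString) {
  let u;
  try { u = new URL(urlString); } catch { return true; }   // unparseable: treat as unsafe
  const host = u.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.startsWith("[")) return true;                    // IPv6 literal: denied outright in this model
  if (!host.includes(".") || host.endsWith(".local") || host.endsWith(".internal")) return true;
  const ip = ipv4ToInt(host);
  if (ip !== null) return INTERNAL_V4.some(([base, bits]) => inCidr(ip, base, bits));
  return false;
}

// --- 2. Sink-side check a fetch-and-attach feature should apply --------------
function validateFetchTarget(urlString, allowedSchemes = ["https:"]) {
  let u;
  try { u = new URL(urlString); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (!allowedSchemes.includes(u.protocol)) return { ok: false, reason: "scheme not allowed: " + u.protocol };
  if (isInternalTarget(urlString)) return { ok: false, reason: "internal or loopback destination" };
  return { ok: true, reason: "" };
}

// --- 3. Detection over a raw request, as a reverse proxy or WAF sees it ------
const SSRF_ACTION = "createattachmentfromuri";
const URL_RE = /https?:\/\/[^\s"'\\<>]+/gi;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectOwaRequest(raw) {
  const [head, ...rest] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, path] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  // The action can be named in the query string or in a header (header name assumed).
  const actionSeen = (path || "").toLowerCase().includes(SSRF_ACTION) ||
    (headers["action"] || "").toLowerCase() === SSRF_ACTION;
  if (!actionSeen) return { flagged: false, method, targets: [] };
  // Per the post, the JSON payload may travel in the body or in X-Owa-Urlpostdata.
  const payload = safeDecode(rest.join("\r\n\r\n") + " " + (headers["x-owa-urlpostdata"] || ""));
  const urls = [...new Set([...payload.matchAll(URL_RE)].map((m) => m[0]))];
  return {
    flagged: true,
    method,
    targets: urls.map((url) => ({ url, internal: isInternalTarget(url) })),
  };
}

// Constructed sample request. The path, the Action header and the "Uri" key are
// assumptions about the request layout; ChangeKey, Id and the action name are from the post.
const SAMPLE_REQUEST = [
  "POST /owa/service.svc?action=CreateAttachmentFromUri HTTP/1.1",
  "Host: mail.example.test",
  "Action: CreateAttachmentFromUri",
  "Content-Type: application/json",
  "",
  '{"ChangeKey":"poc","Id":"poc","Uri":"http://internaltomcat.zdi.local:8080/"}',
].join("\r\n");

const BENIGN_REQUEST = "GET /owa/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n";
```

A string-level check like isInternalTarget is only the first layer at the sink: a public hostname can resolve to an internal address, so the resolved addresses must be checked as well, and because HttpClient follows redirects by default (as the post notes), either AllowAutoRedirect is disabled or every hop is validated again before it is fetched. On the monitoring side, any request naming this action is worth logging, since the GUI no longer exposes the feature, and a request whose payload carries an internal URL is the case to alert on.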

The following video presents this vulnerability in action.

Summary

Assessment of Server Side Request Forgery issues may be hard and lead to disagreements. Such vulnerabilities often do not impact the same product in which they exist, which is an argument frequently heard from vendors. However, they can be used as an access path for external attackers to reach the restricted areas of networks, thereby causing an impact on other systems in the corporate environment. Accordingly, I would recommend that vendors take SSRF seriously, and reassess functionality that involves forwarding arbitrary requests.

I hope you liked this writeup. Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

 

Pwn2Own Toronto 2023 - Day Four Results

27 October 2023 at 13:31

The contest has wrapped, and we awarded $1,038,500 during the event for 58 unique 0-days. These bugs have been disclosed to the vendors, who now have 90 days to produce a patch. Congratulations to Team Viettel for winning Master of Pwn with $180,000 and 30 points. Our thanks go out to the contestants and vendors for participating, and special thanks to Google and Synology for co-sponsoring the contest.


Welcome to the final day of Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. All times are Eastern (GMT -4:00).

FAILURE - Foundry Zero was unable to get their exploit of the Lexmark CX331adwe working within the time allotted.

BUG COLLISION - ANHTUD was able to execute a 2-bug chain of stack-based buffer overflows against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. However, one of the bugs he used was previously known. He still earns $31,250 and 6.25 Master of Pwn points.

BUG COLLISION - Interrupt Labs was able to execute a 2-bug chain including a UAF and integer underflow against the Sonos Era 100. However, one of the bugs they used was previously known. They still earn $18,750 and 3.75 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a heap-based buffer overflow and a stack-based buffer overflow against the TP-Link Omada Gigabit Router and the Canon imageCLASS MF753Cdw for the SOHO Smashup. They earn $50,000 and 10 Master of Pwn points.

Pwn2Own Toronto 2023 - Day Three Results

26 October 2023 at 13:17

Welcome to Day 3 of Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Eastern (GMT -4:00).


FAILURE - The DEVCORE Intern was unable to get their exploit of the Canon imageCLASS MF753Cdw working within the time allotted.

BUG COLLISION - Interrupt Labs was able to execute an RCE attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

FAILURE - Team Orca of Sea Security was unable to get their exploit of the Xiaomi 13 Pro working within the time allotted.

WITHDRAWAL - ToChim withdrew their attempt to target the Xiaomi 13 Pro.

BUG COLLISION - Claroty was able to execute a 4-bug chain against the TP-Link Omada Gigabit Router and Synology BC500 for the SOHO Smashup. However, one of the bugs they used was previously known. They still earn $40,750 and 8.25 Master of Pwn points.

SUCCESS - STEALIEN executed a stack-based buffer overflow attack against the Wyze Cam v3 resulting in a root shell. They earn $15,000 and 3 Master of Pwn Points.

SUCCESS - Rafal Goryl used a 2-bug chain to exploit the Wyze Cam v3 and gain a root shell. He earns $15,000 and 3 Master of Pwn Points.

BUG COLLISION - Team Orca of Sea Security was able to execute their attack against the Samsung Galaxy S23. However, the bug they used was previously known. They still earn $6,250 and 1.25 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a stack-based buffer overflow attack leading to RCE against the Lexmark CX331adwe. They earn $10,000 and 2 Master of Pwn points.

FAILURE - Interrupt Labs was unable to get their exploit of the Xiaomi 13 Pro working within the time allotted.

SUCCESS - Synacktiv was able to execute a heap-based buffer overflow in the kernel triggered via WiFi and leading to RCE against the Wyze Cam v3. They earn $15,000 and 3 Master of Pwn points.

WITHDRAWAL - ANHTUD withdrew their attempt to target the Xiaomi 13 Pro.

BUG COLLISION - Sina Kheirkhah was able to exploit a stack-based buffer overflow and a missing authentication for critical function against the TP-Link Omada Gigabit Router and the Lexmark CX331adwe for the SOHO Smashup. However, one of the bugs he used was previously known. He still earns $31,250 and 6.25 Master of Pwn points.


That’s a wrap for Day 3 of Pwn2Own Toronto 2023 – total prize payout is now $938,250! We’ll be back tomorrow with our last few attempts to see if we can break $1 million in prizes. Follow along on Twitter, YouTube, Mastodon, LinkedIn, and Instagram.

Pwn2Own Toronto 2023 - Day Two Results

25 October 2023 at 13:26

Welcome to Day 2 of Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Eastern (GMT -4:00).


SUCCESS - Team Viettel was able to execute an OOB write against the Sonos Era 100. They earn $30,000 and 6 Master of Pwn points.

SUCCESS - Chris Anastasio was able to exploit a bug in the TP-Link Omada Gigabit Router and another in the Lexmark CX331adwe. He earns $100,000 and 10 Master of Pwn points.

BUG COLLISION - Bugscale was able to execute their stack-based buffer overflow attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

SUCCESS - A DEVCORE Intern was able to execute a stack overflow attack against the TP-Link Omada Gigabit Router and exploit two bugs in the QNAP TS-464. They earn $50,000 and 10 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a stack-based buffer overflow attack against the HP Color LaserJet Pro MFP 4301fdw. They earn $20,000 and 2 Master of Pwn points.

WITHDRAWAL - Peter Geissler withdrew his attempt to target the Wyze Cam v3.

WITHDRAWAL - Eason Liu withdrew his attempt to target the Xiaomi 13 Pro.

BUG COLLISION - Interrupt Labs was able to execute their stack-based buffer overflow attack against the Canon imageCLASS MF753Cdw. However, the exploit they used was previously known. They still earn $2,500 and 0.5 Master of Pwn points.

BUG COLLISION - SAFA ex Teamt5 was able to execute their stack-based buffer overflow attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

SUCCESS - Team Orca of Sea Security was able to execute their attack with one bug against the Synology RT6600ax and a three-bug chain against the QNAP TS-464 for the SOHO Smashup. They earn $50,000 and 10 Master of Pwn points.

BUG COLLISION - The VNG Security Response Center was able to execute a 2-bug chain against the QNAP TS-464. However, the exploit they used was previously known. They still earn $5,000 and 1 Master of Pwn point.

BUG COLLISION - Sina Kheirkhah was able to execute an RCE attack against the Synology BC500. However, the exploit he used was previously known. He still earns $3,750 and 0.75 Master of Pwn points.

SUCCESS - Sonar was able to execute a command injection against the Wyze Cam v3. They earn $30,000 and 3 Master of Pwn points.

BUG COLLISION - SEFCOM T0 was able to execute a command injection against the Wyze Cam v3. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

WITHDRAWAL - Peter Geissler withdrew his attempt to target the QNAP TS-464.

WITHDRAWAL - Chris Anastasio withdrew his attempt to target the Lexmark CX331adwe.

SUCCESS - Interrupt Labs was able to execute an improper input validation attack against the Samsung Galaxy S23. They earn $25,000 and 5 Master of Pwn points.

FAILURE - Nettitude was unable to get their exploit of the Canon imageCLASS MF753Cdw working within the time allotted.

SUCCESS - ToChim was able to exploit a permissive list of allowed inputs against the Samsung Galaxy S23. They earn $25,000 and 5 Master of Pwn points.

SUCCESS - ANHTUD was able to execute a stack-based buffer overflow attack against the Canon imageCLASS MF753Cdw. They earn $10,000 and 2 Master of Pwn points.


That’s a wrap for Day 2 of Pwn2Own Toronto 2023 – we’ve awarded a total of $801,250 so far this week! We’ll be back tomorrow with another full day of attempts, so follow along on Twitter, YouTube, Mastodon, LinkedIn, and Instagram.

Pwn2Own Toronto 2023 - Day One Results

24 October 2023 at 13:28

Welcome to Pwn2Own Toronto 2023! We’ll be updating this blog in real time as results become available. We have a full schedule of attempts today, so stay tuned! All times are Eastern (GMT -4:00).


FAILURE - Peter Geissler was unable to get his exploit of the Canon imageCLASS MF753Cdw working within the time allotted.

SUCCESS - Binary Factory was able to execute their stack-based buffer overflow attack against the Synology BC500. They earn $30,000 and 3 Master of Pwn points.

SUCCESS - Pentest Limited was able to execute their 2-bug chain against the My Cloud Pro Series PR4100 using a DoS and SSRF. They earn $40,000 and 4 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a single-bug attack against the Xiaomi 13 Pro. They earn $40,000 and 4 Master of Pwn points.

SUCCESS - Nguyen Quoc Viet was able to execute a buffer overflow attack against the Canon imageCLASS MF753Cdw. He earns $20,000 and 2 Master of Pwn points.

SUCCESS - Synacktiv was able to execute a 3-bug chain against the Synology BC500. They earn $15,000 and 3 Master of Pwn points.

SUCCESS - Team Orca of Sea Security was able to execute a 2-bug chain using an OOB Read and UAF against the Sonos Era 100. They earn $60,000 and 6 Master of Pwn points.

SUCCESS - Team ECQ was able to execute a 3-bug chain using an SSRF and two injection vulnerabilities against the QNAP TS-464. They earn $40,000 and 4 Master of Pwn points.

BUG COLLISION - Compass Security was able to execute their stack overflow attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.

SUCCESS - "Ben" was able to execute a stack-based buffer overflow against the Canon imageCLASS MF753Cdw. He earns $10,000 and 2 Master of Pwn points.

SUCCESS - Pentest Limited was able to execute an Improper Input Validation against the Samsung Galaxy S23. They earn $50,000 and 5 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a 2-bug chain against the QNAP TS-464. They earn $20,000 and 4 Master of Pwn points.

SUCCESS - Team PHPHooligans were able to execute a memory corruption bug leading to RCE against the Lexmark CX331adwe. They earn $20,000 and 2 Master of Pwn points.

SUCCESS - STAR Labs SG was able to execute a 2-bug chain including directory traversal and command injection against the QNAP TS-464. They earn $20,000 and 4 Master of Pwn points.

FAILURE - Interrupt Labs was unable to get their exploit of the Lexmark CX331adwe working within the time allotted.

SUCCESS - NCC Group was able to execute their attack against the Xiaomi 13 Pro. They earn $20,000 and 4 Master of Pwn points.

SUCCESS - Team Viettel was able to execute a stack-based buffer overflow attack against the Canon imageCLASS MF753Cdw. They earn $10,000 and 2 Master of Pwn points.

SUCCESS - STAR Labs SG was able to exploit a permissive list of allowed inputs against the Samsung Galaxy S23. They earn $25,000 and 5 Master of Pwn points.

BUG COLLISION - Thales was able to execute their attack against the QNAP TS-464. However, the exploit they used was previously known. They still earn $12,500 and 2.5 Master of Pwn points.

BUG COLLISION - R-sec was able to execute their stack buffer overflow attack against the Canon imageCLASS MF753Cdw. However, the exploit they used was previously known. They still earn $2,500 and 0.5 Master of Pwn points.


That’s a wrap for Day 1 of Pwn2Own Toronto 2023 – we’ve already awarded over $400,000 in prizes! We’ll be back tomorrow with another full day of attempts, so follow along on Twitter, YouTube, Mastodon, LinkedIn, and Instagram.

Pwn2Own Toronto 2023 - The Full Schedule

23 October 2023 at 23:21

Welcome to Pwn2Own Toronto for 2023! Last year’s event was our largest ever, and this year’s contest looks to be just as exciting. Despite last-minute patches from many vendors, we have plenty of attempts across multiple categories - with plenty of attempts in the new Surveillance category as well. We have more than $1,000,000 in cash and prizes available for contestants. We came close last year to exceeding the million-dollar mark, and we are fans of setting records. As always, we began our contest with a random drawing to determine the order of attempts. If you missed it, you can watch the replay here.

The complete schedule for the contest is below (all times Eastern [GMT -4:00]).

Note: All times subject to change

Tuesday, October 24 – 0930

Peter Geissler targeting the Canon imageCLASS MF753Cdw in the Printers category.

Binary Factory targeting the Synology BC500 in the Surveillance Systems category.

Tuesday, October 24 – 1030

Pentest Limited targeting the My Cloud Pro Series PR4100 in the NAS category.

Team Viettel targeting the Xiaomi 13 Pro in the Mobile Phone category.

Tuesday, October 24 – 1130

Nguyen Quoc Viet targeting the Canon imageCLASS MF753Cdw in the Printers category. 

Synacktiv targeting the Synology BC500 in the Surveillance Systems category.

Tuesday, October 24 – 1230

Team ECQ targeting the QNAP TS-464 in the NAS category.

Team Orca of Sea Security targeting the Sonos Era 100 in the Smart Speakers category.

Tuesday, October 24 – 1330

An anonymous researcher targeting the Canon imageCLASS MF753Cdw in the Printers category.

Compass Security targeting the Synology BC500 in the Surveillance Systems category.

Tuesday, October 24 – 1430

Team Viettel targeting the QNAP TS-464 in the NAS category.

Pentest Limited targeting the Samsung Galaxy S23 in the Mobile Phone category.

Tuesday, October 24 – 1530

Team PHPHooligans targeting the Lexmark CX331adwe in the Printers category.

Tuesday, October 24 – 1630

STAR Labs SG targeting the QNAP TS-464 in the NAS category.

NCC Group targeting the Xiaomi 13 Pro in the Mobile Phone category.

Tuesday, October 24 – 1730

Team Viettel targeting the Canon imageCLASS MF753Cdw in the Printers category.

Interrupt Labs targeting the Lexmark CX331adwe in the Printers category.

Tuesday, October 24 – 1830

Thales targeting the QNAP TS-464 in the NAS category.

STAR Labs SG targeting the Samsung Galaxy S23 in the Mobile Phone category.

Tuesday, October 24 – 1930

R-sec targeting the Canon imageCLASS MF753Cdw in the Printers category.

Wednesday, October 25 – 0930

Chris Anastasio attempting a SOHO Smashup, going from the TP-Link router to the Lexmark printer.

Team Viettel targeting the Sonos Era 100 in the Smart Speakers category.

Wednesday, October 25 – 1030

DEVCORE Intern attempting a SOHO Smashup, going from the TP-Link router to the QNAP NAS device.

Wednesday, October 25 – 1130

Team Viettel targeting the HP Color LaserJet Pro MFP 4301fdw in the Printers category.

Bugscale targeting the Synology BC500 in the Surveillance Systems category.

Wednesday, October 25 – 1200

Peter Geissler targeting the Wyze Cam v3 in the Surveillance Systems category.

Wednesday, October 25 – 1230

Team Orca of Sea Security attempting a SOHO Smashup, going from the Synology router to the QNAP NAS device.

Eason Liu targeting the Xiaomi 13 Pro in the Mobile Phone category.

Wednesday, October 25 – 1330

Interrupt Labs targeting the Canon imageCLASS MF753Cdw in the Printers category.

SAFA ex Teamt5 targeting the Synology BC500 in the Surveillance Systems category.

Wednesday, October 25 – 1400

Sonar targeting the Wyze Cam v3 in the Surveillance Systems category.

Wednesday, October 25 – 1430

VNG Security Response Center (VSRC) targeting the QNAP TS-464 in the NAS category.

Wednesday, October 25 – 1530

Nettitude targeting the Canon imageCLASS MF753Cdw in the Printers category.

Sina Kheirkhah targeting the Synology BC500 in the Surveillance Systems category.

Interrupt Labs targeting the Samsung Galaxy S23 in the Mobile Phone category.

Wednesday, October 25 – 1630

Peter Geissler targeting the QNAP TS-464 in the NAS category.

SEFCOM T0 targeting the Wyze Cam v3 in the Surveillance Systems category.

Wednesday, October 25 – 1730

ANHTUD targeting the Canon imageCLASS MF753Cdw in the Printers category.

Chris Anastasio targeting the Lexmark CX331adwe in the Printers category.

ToChim targeting the Samsung Galaxy S23 in the Mobile Phone category.

Thursday, October 26 – 0930

DEVCORE Intern targeting the Canon imageCLASS MF753Cdw in the Printers category.

Interrupt Labs targeting the Synology BC500 in the Surveillance Systems category.

Thursday, October 26 – 1000

Rafal Goryl targeting the Wyze Cam v3 in the Surveillance Systems category.

Thursday, October 26 – 1030

Team Orca of Sea Security targeting the Xiaomi 13 Pro in the Mobile Phone category.

Thursday, October 26 – 1130

Claroty Research - Team82 attempting a SOHO Smashup, going from the TP-Link router to the Synology BC500 surveillance camera.

Thursday, October 26 – 1200

STEALIEN targeting the Wyze Cam v3 in the Surveillance Systems category.

Thursday, October 26 – 1230

Team Orca of Sea Security targeting the Samsung Galaxy S23 in the Mobile Phone category.

ToChim targeting the Xiaomi 13 Pro in the Mobile Phone category.

Thursday, October 26 – 1330

Team Viettel targeting the Lexmark CX331adwe in the Printers category.

Thursday, October 26 – 1400

Synacktiv targeting the Wyze Cam v3 in the Surveillance Systems category.

Thursday, October 26 – 1430

Interrupt Labs targeting the Xiaomi 13 Pro in the Mobile Phone category.

Thursday, October 26 – 1530

Sina Kheirkhah attempting a SOHO Smashup, going from the TP-Link router to the Lexmark CX331adwe printer.

Thursday, October 26 – 1630

ANHTUD targeting the Xiaomi 13 Pro in the Mobile Phone category.

Friday, October 27 – 0930

ANHTUD attempting a SOHO Smashup, going from the TP-Link router to the Canon printer.

Foundry Zero targeting the Lexmark CX331adwe in the Printers category.

Friday, October 27 – 1030

Interrupt Labs targeting the Sonos Era 100 in the Smart Speakers category.

Friday, October 27 – 1130

Team Viettel attempting a SOHO Smashup, going from the TP-Link router to the Canon printer.

We’ll be publishing results live on the blog as the contest unfolds. We’ll also be posting brief video highlights to Twitter, YouTube, Mastodon, LinkedIn, and Instagram, so follow us on your favorite flavor of social media for the latest news from the event.

CVE-2023-38600: Story of an innocent Apple Safari copyWithin gone (way) outside

18 October 2023 at 16:56

In May 2023, we received a vulnerability report from an anonymous researcher regarding a vulnerability in Apple Safari. It turned out to be an interesting classic integer underflow vulnerability. Apple assigned CVE-2023-38600 to this issue and fixed it in the following security advisories:

iOS 16.6 and iPadOS 16.6
macOS Ventura 13.5
tvOS 16.6
Safari 16.6
watchOS 9.6

 Now that this vulnerability has been addressed by the vendor, we are ready to share additional details with the community.

Proof of Concept

Here is the minimal proof-of-concept code for this bug:

Let’s break it down quickly:

     1 - A new ArrayBuffer object of size 0x1000 is created. Note that it is resizable as it specifies maxByteLength.
     2 - The ArrayBuffer object created at step 1 is used to create a Uint8Array typed array.
     3 - A function is defined which resizes the ArrayBuffer object to zero. It also returns a value of zero.
     4 - The copyWithin method is called, which copies part of the typed array to another location in the same typed array without modifying its length. It takes 3 arguments:
          a - insert (“target”) position: The value provided here is 0x20.
          b - start position: The value provided is an object having a valueOf property, specifying the function defined above as the callback.
          c - end position: not specified, and thus it is undefined.

An experienced eye will quickly notice the presence of the object with the callable valueOf property. This is a well-known way to regain control in the middle of a function's execution, change values the function has already cached, and trigger incorrect behavior. Many vulnerabilities have been triggered using callbacks in this fashion.

Here are the results of running the PoC against a vulnerable version of JSC under LLDB (a debug build of JSC commit cb91b749f30d1cc1bb01bfce9adbe18ad3cea698 is used in this blog):

Now we have enough information to find the root cause of this vulnerability.

Root Cause Analysis

There are some hints in the output of the LLDB session. The crash happens inside a loop during a memmove. The loop counter (rdx) is huge (0xffffffffffffefc0), so a crash is inevitable. Looking at the backtrace, the faulty memmove call is performed by the JSC::genericTypedArrayViewProtoFuncCopyWithin function in JSGenericTypedArrayViewPrototypeFunctions.h. Let’s go step by step through this function and see what is going on.

Here is the code of the unpatched version of the function:

The function first gets the length of the typed array at (1) and saves it into the length variable. This is 0x1000 based on the PoC. Then, at (2), (3) and (4), it parses the arguments we passed in our call to the copyWithin method by calling the argumentClampedIndexFromStartOrEnd function for each argument, assigning the results to the to, from and final variables respectively. The code of argumentClampedIndexFromStartOrEnd is as follows:

The main goal of this function is to clamp each index into bounds (for example, to make sure the value does not exceed length). Let’s see what happens when each argument is parsed:

• First argument: The provided value is the integer 0x20. Thus the argumentClampedIndexFromStartOrEnd function will reach (2) and return 0x20 after checking that it does not exceed length (0x1000). So the to variable will be 0x20.

• Second argument: The provided value is an object having a valueOf callback. Thus execution reaches (3), where a call to toIntegerOrInfinity method is made. This will invoke the valueOf callback function. Inside the callback, the PoC changes the ArrayBuffer length to zero and then returns a value of 0. Thus, the from variable will be 0. Note that the length variable remains set to 0x1000, which is now out-of-date and incorrect.

• Third argument: The PoC did not specify a third argument, so it is undefined. Therefore the condition at (1) is true, and argumentClampedIndexFromStartOrEnd returns the length value of 0x1000. This becomes the value of final.

Now that it is done with parsing arguments, genericTypedArrayViewProtoFuncCopyWithin function reaches (5) to compute count (the number of array elements that need to be copied):

size_t count = std::min(length [0x1000] - std::max(to [0x20], from [0]), final [0x1000] - from [0]);

Therefore, the count variable will be 0xfe0.

We now reach the final part of the function, where it performs the actual copy. Here, things get interesting. The developers were aware that it is possible that the ArrayBuffer object has been resized, and mentioned that in the comment:

At (6) the code fetches the updated length, which is zero. As it is not equal to the previously extracted length (0x1000), a further check is done to make sure the count is within bounds:

At (7), the length variable is updated to the new length, which is 0. The code then attempts to adjust count accordingly, but the adjustment is wrong: to is still 0x20, larger than the new length, so the subtraction underflows and count becomes 0xffffffffffffffe0. This huge value is then passed as the count argument to memmove, where the crash occurs.

The Patch

The issue was patched by aborting the copy if either of the two variables to or from is larger than the updated length.
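To make the arithmetic concrete, here is a small C model of the argument handling and the post-coercion length check described above. It is an added example for this write-up, not JSC source: the struct names, the way the valueOf callback is modelled, and the exact form of the count adjustment at step (7) (assumed here to be count = length - to whenever to + count exceeds the new length, which reproduces the 0xffffffffffffffe0 seen in the debugger) are assumptions. The patched branch implements the abort just described: the copy is skipped when to or from exceed the updated length. Unlike JSC, the model refuses to execute a move that does not fit its allocation, so the wrapped count can be observed rather than crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model (not JSC source): a byte-wide typed array over a
 * resizable buffer. 'length' is live; user code can shrink it mid-call. */
typedef struct {
    uint8_t *data;
    size_t   capacity;   /* bytes actually allocated (what the model may touch) */
    size_t   length;     /* current byte length as seen by the engine */
} byte_view;

/* One copyWithin argument: undefined, a number, or an object whose valueOf
 * runs user code (the callback) before yielding its number. */
typedef struct {
    int   is_undefined;
    long  number;
    void (*value_of)(byte_view *view);   /* NULL unless the argument is an object */
} js_arg;

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }
static size_t max_sz(size_t a, size_t b) { return a > b ? a : b; }

/* Plays the role of argumentClampedIndexFromStartOrEnd: undefined yields the
 * default, negatives count from the end, everything is clamped to [0, length].
 * The clamp uses the length cached before the callback ran. */
static size_t clamp_index(byte_view *view, const js_arg *arg, size_t length, size_t dflt)
{
    if (arg->is_undefined)
        return dflt;
    if (arg->value_of)
        arg->value_of(view);             /* user code runs here and may resize */
    long v = arg->number;
    if (v < 0) {
        long from_end = (long)length + v;
        return from_end < 0 ? 0 : (size_t)from_end;
    }
    return min_sz((size_t)v, length);
}

/* Returns the byte count that would be handed to memmove (0 when the copy is
 * skipped). patched == 0 reproduces the wrap described in the write-up;
 * patched == 1 aborts when to or from lie beyond the updated length. */
static size_t copy_within(byte_view *view, const js_arg *target, const js_arg *start,
                          const js_arg *end, int patched)
{
    size_t length = view->length;                                    /* (1) */
    size_t to     = clamp_index(view, target, length, 0);            /* (2) */
    size_t from   = clamp_index(view, start,  length, 0);            /* (3) */
    size_t final_ = clamp_index(view, end,    length, length);       /* (4) */
    if (final_ < from)
        return 0;
    size_t count = min_sz(length - max_sz(to, from), final_ - from); /* (5) */

    size_t updated = view->length;                                   /* (6) */
    if (updated != length) {
        if (patched && (to > updated || from > updated))
            return 0;                     /* the fix: bail out instead of adjusting */
        length = updated;                                            /* (7) */
        /* assumed form of the unpatched adjustment: 'to' (0x20) is never
         * re-checked against the new length, so 0 - 0x20 wraps to
         * 0xffffffffffffffe0 */
        if (to + count > length)
            count = length - to;
    }

    /* JSC went straight to memmove here; the model only moves what fits. */
    if (count && count <= view->capacity && to <= view->capacity - count
        && from <= view->capacity - count)
        memmove(view->data + to, view->data + from, count);
    return count;
}

/* The PoC's valueOf: resize the buffer to zero, then return 0. */
static void shrink_to_zero(byte_view *view) { view->length = 0; }

/* copyWithin(0x20, { valueOf }) on a 0x1000-byte view, as in the PoC. */
static size_t run_poc(int patched)
{
    uint8_t *store = calloc(0x1000, 1);
    byte_view view = { store, 0x1000, 0x1000 };
    js_arg target = { 0, 0x20, NULL };
    js_arg start  = { 0, 0, shrink_to_zero };
    js_arg end    = { 1, 0, NULL };
    size_t count = copy_within(&view, &target, &start, &end, patched);
    free(store);
    return count;
}

/* copyWithin(0x20, 0) with no resize: 0xfe0 bytes move and byte 0 lands at 0x20. */
static int run_benign(void)
{
    uint8_t store[0x1000];
    for (size_t i = 0; i < sizeof store; i++) store[i] = (uint8_t)i;
    byte_view view = { store, sizeof store, sizeof store };
    js_arg target = { 0, 0x20, NULL }, start = { 0, 0, NULL }, end = { 1, 0, NULL };
    size_t count = copy_within(&view, &target, &start, &end, 1);
    return count == 0xfe0 && store[0x20] == 0 && store[0x21] == 1;
}

int main(void)
{
    printf("benign copy ok:  %d\n", run_benign());
    printf("unpatched count: 0x%zx\n", run_poc(0));
    printf("patched count:   0x%zx\n", run_poc(1));
    return 0;
}
```

The point the model makes is that clamping happens once, against a length that user code is allowed to invalidate before the clamped values are consumed; any later fix-up that reuses those values without re-clamping them is an unsigned subtraction waiting to wrap.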

Final Notes

This blog demonstrates how even an old trick can be used to trigger a new vulnerability. The values we used during the exploit were sane when they went through the clamping function. However, in the final stage, the values were updated without checking whether they were still inside the buffer’s length bounds. A classic technique that never seems to go out of style. Thanks again to the anonymous researcher who submitted the bug. If you find something similar, we’re always interested in acquiring great bugs.

Until then, you can find me on Twitter at @hosselot and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

The October 2023 Security Update Review

10 October 2023 at 17:29

Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about the latest security releases from Adobe and Microsoft. Pop some champagne to celebrate and join us as we review the details of the latest advisories from Adobe and Microsoft. If you’d rather watch the video recap, you can check it out here.

Adobe Patches for October 2023

For October, Adobe released three bulletins addressing 13 CVEs in Adobe Photoshop, Bridge, and Adobe Commerce. A total of three of these CVEs came through the ZDI program. The patch for Commerce is the largest this month, with a mix of 10 Critical and Important CVEs being addressed. The most severe of these could allow arbitrary code execution through a SQL injection. The update for Photoshop fixes a single code execution bug. An attacker would need to convince a user to open a specially crafted file with Photoshop to exploit affected systems. The final patch for Adobe Bridge fixes two Important severity bugs discovered by ZDI researcher Mat Powell.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2023

This month, Microsoft released 103 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET Core and Visual Studio; Azure; Microsoft Dynamics; and Skype for Business, which is apparently still a thing. A total of three of these CVEs were reported through the ZDI program, and many others are waiting in the wings. In addition to the new CVEs, one external bug and one Chromium bug are being incorporated into the release, bringing the total number of CVEs to 105.

Of the new patches released today, 13 are rated Critical and 90 are rated Important in severity. That makes this the second-largest month this year, although the huge number of Message Queuing fixes skews that number (see below). It also leaves Microsoft just 127 CVEs shy of its 2022 total, which would make 2023 one of its busiest years ever.

Two of the CVEs released today are listed as being publicly known and under active attack at the time of release. That’s in addition to one external CVE listed as under active attack.  Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-36563 - Microsoft WordPad Information Disclosure Vulnerability
This bug is one of the two being exploited in the wild. Successful exploitation could lead to the disclosure of NTLM hashes. Microsoft doesn’t list any Preview Pane vector, so user interaction is required. In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn’t received much attention, but it could significantly hamper NTLM-relay exploits.

-       CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
This is the other bug under active attack this month, and it acts more like an information disclosure than a privilege escalation. An attacker could make a malicious call to an affected Skype for Business server that results in the server parsing an HTTP request to an arbitrary address. This could result in disclosing information, which could include sensitive information that provides access to internal networks.

-       CVE-2023-35349 - Microsoft Message Queuing Remote Code Execution Vulnerability
This is one of 20(!) Message Queuing patches this month and the highest CVSS (9.8) of the bunch. A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction. That makes this bug wormable – at least on systems where Message Queuing is enabled. You should definitely check your systems to see if it’s installed and also consider blocking TCP port 1801 at your perimeter.

-       CVE-2023-36434 - Windows IIS Server Elevation of Privilege Vulnerability
Although labeled Important by Microsoft, it receives a CVSS 9.8 rating. An attacker who successfully exploits this bug could log on to an affected IIS server as another user. Microsoft doesn’t rate this as Critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated. If you’re running IIS, you should treat this as a critical update and patch quickly.

Here’s the full list of CVEs released by Microsoft for October 2023:

CVE Title Severity CVSS Public Exploited Type
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability Important 6.5 Yes Yes Info
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability Important 5.3 Yes Yes EoP
CVE-2023-44487 * MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack Important 8.8 No Yes DoS
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability Critical 6.5 No No DoS
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2023-36718 Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2023-36585 Active Template Library Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2023-36429 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36420 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.3 No No RCE
CVE-2023-36730 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36785 Microsoft SQL ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36417 Microsoft SQL OLE DB Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36789 Skype for Business Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability Important Unknown No No EoP
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability Important 9.8 No No EoP
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability Important 3.6 No No SFB
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability Important 5.4 No No SFB
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2023-5346 * Chromium: CVE-2023-5346 Type Confusion in V8 High N/A No No RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.


A quick note about CVE-2023-44487 – this was reported as being under active attack across Google systems in August. They have provided a thorough write-up of the exploit, but at a high level, attackers can abuse the Layer 7 stream cancellation feature within HTTP/2 to create a DoS across a service. The problem is shared across many services, and this Microsoft patch addresses any affected Microsoft products.

As I already mentioned, about 20% of this entire release impacts the Message Queuing service with a variety of remote code execution and DoS bugs. Unlike the previously mentioned bug, the other RCEs do require user interaction – typically by clicking a link on an affected system. The DoS bugs do not require user interaction. Microsoft doesn’t state if successful exploitation would simply stop the service or blue screen the entire system. They also don’t note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure.

And yes, there is another Exchange bug being patched this month. It could allow an authenticated attacker on the same LAN to execute code through a PowerShell remoting connection. Last month’s “patch” ended up just being more CVEs being publicly documented in the August patch. We’ll see what the Exchange team does with this one.

Moving on to the other Critical-rated patches, nine are for the Layer 2 Tunneling Protocol – all of which could lead to RCE. A remote, unauthenticated attacker could send malicious packets to an affected server to get arbitrary code execution. Microsoft rates these a bit lower since the attack involves exploiting a race condition, but I’d still take them seriously. The patch for the Virtual Trusted Platform Module addresses a container escape.

Looking at the other RCE fixes in this release, only a few really stand out. There are additional fixes for Skype for Business similar to the one under active attack. There are several patches for bugs that involve connecting to a malicious SQL server. The bugs in MSHTML and PrintHTML require user interaction – essentially open-and-own type attacks. There are also two updates for Azure Identity SDK that result from integer overflows. An attacker could use these to run arbitrary code with elevated privileges.

There are nearly 30 EoP bugs receiving patches this month, and the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. There are a couple of exceptions. The EoP in Azure DevOps Server could reveal the secrets of the user of the affected application, which sounds like information disclosure to me. The bug in Azure HDInsight Apache Oozie Workflow Scheduler could lead to an attacker gaining cluster administrative privileges. And who names something “Oozie”? The bug in Azure Network Watcher seems intriguing. According to Microsoft, “An attacker who successfully exploited this vulnerability could route Packet Captures to a location in their control and perform file deletions that would limit the victim's troubleshooting and diagnostic capabilities.” Neat. The Office Click-to-Run vulnerability could allow an attacker to gain administrative privileges. The bug in Windows Runtime C++ Template Library could allow an attacker to delete arbitrary files. This has been known to lead to privilege escalation as explained in this blog by Simon Zuckerbraun.

There are just a few security feature bypass (SFB) vulnerabilities to discuss this month. The SFB in the kernel could allow an attacker to evade the Arbitrary Code Guard exploit protection feature. That would certainly help make other exploits more reliable. The bug in Mark-of-the-Web (MotW) could allow attackers to evade MotW detection. The bug in Search allows attackers to plant files without the MotW on affected systems.

Information disclosure bugs account for 12 fixes this month, including the one under active attack. As usual, the majority of these merely result in info leaks consisting of unspecified memory contents. There are also a few of these that disclose the ever enigmatic “sensitive information”. There’s a rare kernel info disclosure that isn’t random memory. It instead discloses device information such as resource IDs, SAS tokens, user properties, and other sensitive information. The bug in the TCP/IP stack could allow an attacker to view the unencrypted contents of IPsec packets from other sessions on a server.

The October release contains fixes for around a dozen DoS bugs. Unfortunately, Microsoft doesn’t provide much information regarding these vulnerabilities. It would be nice to know if the DoS affected just the impacted component or the whole system. If you need to prioritize your testing, I suggest focusing on the TCP/IP and DHCP bugs as they have potentially the biggest impact on your enterprise.

Wrapping up this release, there is one cross-site scripting (XSS) bug fixed in Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The penultimate Patch Tuesday of 2023 will be on November 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit

5 October 2023 at 15:37

Last month, we looked at the attack surface of the ChargePoint Home Flex EV charger – one of the targets in the upcoming Pwn2Own Automotive contest. In this post, we look at the attack surface of another target in a different category. The Sony XAV-AX5500 is a popular aftermarket head unit that interacts with different systems within a vehicle. It also offers attackers a potential foothold into an automobile.


The Sony XAV-AX5500 is an aftermarket vehicle head unit. This head unit supports many technologies that encompass its attack surface. This post endeavors to introduce the Sony XAV-AX5500, describe the relevant technologies in the head unit, and identify the attack surface present in the device.

Sony XAV-AX5500 Attack Surface Summary

Broadly speaking, the attack surface of the device can be broken down into the following categories:

WebLink by Abalta Technologies
Apple CarPlay
Android Auto
SiriusXM Satellite Radio
Bluetooth connectivity
USB media
Radio Data System (RDS)
Open-Source Software

Sony XAV-AX5500 Documentation

The following links provide details from the manufacturer about the XAV-AX5500 head unit. They provide a high-level description of the technologies used in the device.

Sony XAV-AX5500 Product Page
Sony XAV-AX5500 Documentation Download
Sony XAV-AX5500 Firmware Download
Sony XAV-AX5500 Specifications
Sony XAV-AX5500 Help Guide
Sony XAV-AX5500 Help Guide - Description of USB port capabilities

WebLink by Abalta Technologies

The Sony XAV-AX5500 uses the WebLink application by Abalta Technologies. This application enables both Apple CarPlay and Android Auto support on the device. When connecting a mobile phone to the head unit over USB, the user must launch the WebLink application to activate Apple CarPlay or Android Auto. 

In addition to enabling the driver’s preferred driving assistance technologies, the WebLink application also provides its own set of features. These features potentially expand the attack surface of both the Sony XAV-AX5500 and the connected mobile phone.

The first WebLink feature, and the one with the greatest potential for misuse, is the “Cast” feature. The Cast feature displays the touch interface of the connected handset. This allows the user to control their phone directly from the Sony XAV-AX5500 touchscreen. The Cast feature requires the user to grant permissions from their mobile device. Additionally, each time a Cast connection is initiated, the user must allow this linking from the connected handset. This potentially limits the security exposure. Once permission is given, any application on the phone may be launched from the head unit. The Sony XAV-AX5500 will then have near complete control over phone functionality, including the ability to change the configuration of the handset and access sensitive user data. If the head unit is compromised by an attacker, the attacker might leverage the Cast feature to access or modify data on the handset.

The second WebLink feature with a potential for misuse is the “Music” feature of WebLink. This feature displays information about the songs currently playing on the handset. The potential for abuse by connecting a malicious handset is not fully known at this time but does present a potential attack surface.

Other applications come bundled with WebLink, such as an integration with the Waze satellite navigation application on the connected handset. It also implements a native YouTube application.

Apple CarPlay

The Sony XAV-AX5500 supports the Apple CarPlay driver assistance technology. The connected handset must have the WebLink application installed for CarPlay to be accessible on the head unit. Once the handset is connected, WebLink will establish a CarPlay session with the device. The security implications of this manner of integration are currently unknown.

Once the CarPlay session is established, the head unit and connected handset communicate over USB in a manner that appears identical to the observed communications that happen between a connected handset and head units sold by other manufacturers.

Apple CarPlay communication between the head unit and connected handset operates over USB using an IPv6 connection. During connection initiation, the head unit and connected handset exchange a small amount of information in plain text. Some of this communication includes the transfer of binary Apple plist data. After this initial configuration is established, the connected handset initiates an encrypted TLS session with the head unit. Further research into this communication will be needed to assess the security of the CarPlay communication over USB and IPv6.

Android Auto

The Sony XAV-AX5500 also supports the Android Auto driver assistance technology. The connected handset must have the WebLink application installed for Android Auto to be accessible on the head unit. Once the handset is connected, WebLink will establish an Android Auto session with the head unit. The security implications of this manner of integration are currently unknown.

Trend Micro researchers are conducting further research to better understand the communication that occurs between the Sony XAV-AX5500 and connected Android handsets. Further work in this area will help determine what the attack surface exposes and how attacks against the implementation of Android Auto function on the head unit.

SiriusXM Satellite Radio

The Sony XAV-AX5500 ships bundled with a receiver for SiriusXM satellite radio. This receiver connects to a ten-pin connector on the rear of the device. The communication using this receiver represents a potential attack surface against the head unit. However, an attacker may have to defeat layers of security in the signal received from the SiriusXM network in order to attempt an attack against the Sony XAV-AX5500 over this communication channel. 

In addition to radio layer attacks against the receiver, there is the potential for attacks over the local communication between the SiriusXM receiver and the Sony XAV-AX5500. This part of the threat model may not be in scope for Pwn2Own Automotive, as attacks against this require uncontrolled physical access to the device. Moreover, unlike attacks over the USB bus, which require casual physical access, the connector for the SiriusXM receiver is not available to passengers of a vehicle without removing the entire unit from the dashboard to access the connector on the rear of the head unit.

Bluetooth Communications

The Sony XAV-AX5500 provides support for using Bluetooth communications with a compatible mobile handset. This allows the head unit to access the connected handset to make phone calls, play audio, and other potential uses. The supported profiles and other Bluetooth support are identified in the user manual for the head unit. Of these profiles, PBAP deserves particular attention from an attack surface perspective: it lets the head unit pull phonebook entries from the handset, which means the head unit parses vCard data supplied by whatever device pairs with it.

From the user guide provided by the vendor:

Frequency band: 2.4 GHz band (2.4000 GHz – 2.4835 GHz)
Modulation method: FHSS
Compatible BLUETOOTH Profiles:
— A2DP (Advanced Audio Distribution Profile) 1.3
— AVRCP (Audio Video Remote Control Profile) 1.3
— HFP (Handsfree Profile) 1.6
— PBAP (Phone Book Access Profile) 1.1
Corresponding codec: SBC, AAC

USB Media Connections

The Sony XAV-AX5500 makes extensive use of the USB bus for connecting handsets. The head unit also supports other types of USB devices, such as media players and USB storage devices. The device supports multiple types of media file codecs for playback.

The Sony XAV-AX5500 also supports several versions of the FAT file system. Support for a file system is normally implemented in a file system driver, and that driver must parse on-disk structures (boot sector, file allocation tables, directory entries) taken directly from whatever device is plugged in. If the head unit's file system driver contains a parsing vulnerability, an attacker with casual physical access could trigger it simply by connecting a USB storage device that carries a crafted file system image.
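As an added illustration (written for this review, not taken from Sony's firmware or from the original post), here is a Python model of the boot-sector validation a FAT driver has to perform before it trusts anything on the volume. It contrasts a parser that takes every BIOS Parameter Block field at face value with one that checks the fields against the specification and against the size of the media actually present. The test images are constructed in the code; the field layout is the standard FAT12/16/32 BPB, and the "careless driver" is a model of the failure class, not a description of the head unit's real driver.

```python
import struct
from dataclasses import dataclass

# Layout of the BIOS Parameter Block that FAT12, FAT16 and FAT32 share (bytes 0-35).
BPB_FMT = "<3s8sHBHBHHBHHHII"


@dataclass(frozen=True)
class Geometry:
    bytes_per_sector: int
    sectors_per_cluster: int
    first_data_sector: int
    cluster_count: int


def _unpack(image: bytes):
    (_jmp, _oem, bps, spc, reserved, nfats, root_entries, total16,
     _media, fatsz16, _spt, _heads, _hidden, total32) = struct.unpack_from(BPB_FMT, image, 0)
    total = total16 or total32
    fatsz = fatsz16 or struct.unpack_from("<I", image, 36)[0]  # FAT32 stores its FAT size at 36
    return bps, spc, reserved, nfats, root_entries, total, fatsz


def naive_geometry(image: bytes) -> Geometry:
    """Takes every BPB field at face value, the way a careless driver would."""
    bps, spc, reserved, nfats, root_entries, total, fatsz = _unpack(image)
    root_sectors = (root_entries * 32) // bps        # divide by zero if bps == 0
    first_data = reserved + nfats * fatsz + root_sectors
    cluster_count = (total - first_data) // spc      # divide by zero if spc == 0, negative if regions overlap
    return Geometry(bps, spc, first_data, cluster_count)


def checked_geometry(image: bytes) -> Geometry:
    """Validates the BPB against the specification and against the media actually present."""
    if len(image) < 512:
        raise ValueError("image is shorter than one sector")
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bps, spc, reserved, nfats, root_entries, total, fatsz = _unpack(image)
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError(f"bytes per sector {bps} is not a legal value")
    if spc not in (1, 2, 4, 8, 16, 32, 64, 128):
        raise ValueError(f"sectors per cluster {spc} is not a power of two <= 128")
    if reserved == 0 or nfats not in (1, 2) or fatsz == 0 or total == 0:
        raise ValueError("reserved sectors, FAT count, FAT size and total sectors must be non-zero")
    if (root_entries * 32) % bps:
        raise ValueError("root directory is not a whole number of sectors")
    root_sectors = (root_entries * 32) // bps
    first_data = reserved + nfats * fatsz + root_sectors
    if first_data >= total:
        raise ValueError("reserved + FAT + root regions exceed the volume")
    if total * bps > len(image):
        raise ValueError("BPB claims more sectors than the media holds")
    cluster_count = (total - first_data) // spc
    if cluster_count == 0:
        raise ValueError("volume has no data clusters")
    return Geometry(bps, spc, first_data, cluster_count)


def make_image(total_sectors: int = 64, **overrides) -> bytes:
    """Constructed FAT16-style test image: 64 sectors of 512 bytes, 1 reserved sector,
    2 FATs of 1 sector each, 16 root entries (one sector). Keyword overrides inject
    crafted BPB values without changing the size of the media."""
    f = dict(bps=512, spc=1, reserved=1, nfats=2, root_entries=16,
             total16=total_sectors, fatsz16=1)
    f.update(overrides)
    img = bytearray(total_sectors * 512)
    struct.pack_into(BPB_FMT, img, 0, b"\xeb\x3c\x90", b"MSWIN4.1", f["bps"], f["spc"],
                     f["reserved"], f["nfats"], f["root_entries"], f["total16"], 0xF8,
                     f["fatsz16"], 32, 2, 0, 0)
    img[510:512] = b"\x55\xaa"
    return bytes(img)


def outcome(parser, image: bytes) -> str:
    """Summarise what a parser did with an image, so the two implementations can be compared."""
    try:
        return f"ok:{parser(image).cluster_count}"
    except ValueError as exc:
        return f"rejected:{exc}"
    except (ZeroDivisionError, struct.error) as exc:
        return f"crashed:{type(exc).__name__}"


if __name__ == "__main__":
    cases = {
        "well-formed": make_image(),
        "sectors/cluster = 0": make_image(spc=0),
        "FAT larger than volume": make_image(fatsz16=200),
        "total sectors > media": make_image(total16=0xFFFF),
    }
    for name, img in cases.items():
        print(f"{name:24} naive={outcome(naive_geometry, img):26} checked={outcome(checked_geometry, img)}")
```

The "FAT larger than volume" and "total sectors > media" cases are the ones to watch: the naive parser does not crash on them, it returns a negative cluster count and a cluster count far beyond the media, respectively, and a real driver would then carry those values into every later offset calculation. That is the point at which a crafted USB stick turns into out-of-bounds reads in the file system code, and it is why the checked version compares the BPB against the media size rather than only against the specification.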

The Sony XAV-AX5500 supports several media formats for playback on the head unit. These include many of the most widely used audio formats, including MP3, WAV, AAC, and others. The head unit also supports several widely used video formats, such as MPEG-4 and WMV. Media formats such as these are complex data streams, and their decoders are parsers of untrusted input. Parsing errors in these decoders can potentially have a security impact on the code that performs the parsing, and a crafted media file on USB storage is a delivery mechanism that requires only casual physical access.

Radio Data System (RDS)

The Sony XAV-AX5500 implements support for the Radio Data System (RDS) standard. This standard defines a method for the transmission of digital information in conventional FM radio broadcasts. This represents an unauthenticated source of data that is processed by the head unit. There are a number of data formats supported by this standard. Many of the data fields are limited in size as defined in the standard. The Trend Micro research team has not investigated the RDS implementation in the Sony XAV-AX5500, and its security risk is currently unknown.

Open Source Software

This information is gathered from the open source licence screen on the Sony touchscreen. The copyright year ranges are provided here as a starting point for identifying the versions in use. A better method would be to obtain the file system image of the device, which would reveal the exact versions.

— OpenSSL (1998-2018)
— LwIP (2001-2004)
— libpng (1995-2018)
— zlib (1995-2017)
— md5 (RSA md5 1990)
— unrarlib (2000-2002)
— BidiReferenceCpp (1991-2012)
— LibYuv (2011)
— LZ4 (2011-2016)

Further research into the software used by the head unit is warranted.

Sony XAV-AX5500 Hardware Details

The Sony XAV-AX5500 comprises two circuit boards. The display board hosts the main display screen, as well as all the other user interface buttons on the unit. The primary board connects to the vehicle and hosts the primary ARM CPU and wireless modules. More research will be done to better identify these devices.

Detailed images of the Sony XAV-AX5500 PCBs are provided as follows:

Figure 1 - Side A of the PCB board featuring the wireless module and the ARM CPU

Figure 2 - Side B of the PCB board featuring the wireless module and the ARM CPU

Figure 3 - Side A of the PCB showing the MXT499T-T Adaptive Touchscreen Controller and other components

Figure 4 - Side B of the PCB showing the MXT499T-T Adaptive Touchscreen Controller and other components

Summary

While these may not be the only attack surfaces available on the Sony XAV-AX5500 head unit, they represent the most likely avenues a threat actor may use to exploit the device. Sony has long been a leader in innovative radio and consumer devices. From their simple transistor radios in the 1950s to the ubiquitous Walkman of the 1980s to the world's first car mini-disc player in the 1990s, Sony has consistently advanced entertainment technology. It will be interesting to see if the security of their devices has kept up with their other innovations. We’re excited to see what research is displayed in Tokyo during the event.

Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Finding Deserialization Bugs in the SolarWinds Platform

21 September 2023 at 16:12

It’s been a while since I have written a blog post, please accept my sincerest apologies. This is because a lot of fun stuff that I’ve recently done is going to be presented during conferences.

Please treat this post as a small introduction to my upcoming Hexacon 2023 talk titled “Exploiting Hardened .NET Deserialization: New Exploitation Ideas and Abuse of Insecure Serialization”. The entire talk and research was inspired by two small research projects, one of which focused on issues in SolarWinds deserialization.

In this blog post, I would like to present four old vulnerabilities that were fixed within the last year:

CVE-2022-38108
CVE-2022-36957
CVE-2022-36958
CVE-2022-36964

A small part of the Hexacon talk will show how I have bypassed patches to some of these vulnerabilities. Right now, we will focus on the original issues.

CVE-2022-38108

This vulnerability was already mentioned in this blog post. Let me reintroduce it to you in more detail.

Several SolarWinds services communicate with each other through a RabbitMQ instance, which is accessible through port 5671/TCP. Credentials are required to access it. However:

— High-privileged users were able to extract those credentials through SolarWinds Orion Platform.
— I later found CVE-2023-33225, which allowed low-privileged users to extract those credentials.

This vulnerability targeted the SolarWinds Information Service. In order to deliver an AMQP message to the Information Service, the Routing-Key of the message must be set to SwisPubSub.

Figure 1 - Routing-Key in AMQP message

Now, let’s verify how SolarWinds handles those messages! We can start with the EasyNetQ.Consumer.HandleBasicDeliver method:

At [1], the code retrieves the properties of the AMQP message. Those properties are controlled by the attacker who sends the message.

At [2], it creates an execution context, containing both the AMQP message properties and the message body.

At [3], it executes a task to consume the message.

This leads us to the Consume method:

At [1], EasyNetQ.DefaultMessageSerializationStrategy.DeserializeMessage is called. It accepts the message properties and the message body as input. The interesting stuff happens here.

At [1], we can see something really intriguing. A method named DeSerialize is called and it returns an output of type Type. As an input, it accepts the Type property from the message. That’s right – we can control messageType through an AMQP message property!

At [2], it calls BytesToMessage, which accepts both the attacker-controlled type and the message body as input.

At [1], the message body is decoded as a UTF-8 string. It is expected to contain JSON-formatted data.

At [2], the deserialization is performed. We control both the target type and the serialized payload.

At [3], it can be seen that the TypeNameHandling deserialization setting is set to Auto.

We have more than we need to achieve remote code execution here! To do that, we have to send an AMQP message with the Type property set to a dangerous type.

Figure 2 - Deserialization Type control through AMQP properties

In the message body, we must deliver the corresponding JSON.NET gadget. I have used a simple WindowsPrincipal gadget from ysoserial.net, which is a bridge for the internally stored BinaryFormatter gadget. Upon the JSON deserialization, the RCE will be achieved through the underlying BinaryFormatter deserialization.

RCE achieved!

CVE-2022-36957

In the previous vulnerability, we were able to fully control the target deserialization type through the AMQP property. When I find such a vulnerability, I like to ask myself the following question: “What does a legitimate message look like?” I often check the types that are being deserialized during typical product operation. It sometimes leads to interesting findings.

I quickly realized that SolarWinds sends messages of one type only:

         SolarWinds.MessageBus.Models.Indication

Let’s take a moment to analyze this type:

At [1] and [2], we can see two public members of type SolarWinds.MessageBus.Models.PropertyBag. The fun begins here.

At [1], you can see the definition of the class in question, SolarWinds.MessageBus.Models.PropertyBag.

At [2], a custom converter is registered for this class - SolarWinds.MessageBus.Models.PropertyBagJsonConverter. It implements the ReadJson method, which will be called during deserialization.

At [1], the code iterates over the JSON properties.

At [2], a JSON value is retrieved and cast to the JObject type.

At [3], a Type is retrieved on the basis of the value stored in the t key.

At [4], the object stored in the v key is deserialized, where we control the target deserialization type (again)!

You can see that we are again able to control the deserialization type! This type is delivered through the t JSON key and the serialized payload is delivered through the v key.

Let’s have a look at a fragment of a legitimate message:

We can take any property, for instance: IndicationId. Then, we need to:
• Set the value of the t key to the name of a malicious type.
• Put a malicious serialized payload in the value of the v key.

As the JSON deserialization settings are set to TypeNameHandling.Auto, it is enough to deliver something like this:

Now, let’s imagine that the first bug described above, CVE-2022-38108, got fixed by hardcoding the target deserialization type to SolarWinds.MessageBus.Models.Indication. After all, this is the only legitimate type to be deserialized. That fix would not be enough, because SolarWinds.MessageBus.Models.Indication can be used to deliver an inner object with an attacker-controlled type. We have a second RCE through control of the type here.
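As an added example, written for this post rather than taken from SolarWinds or EasyNetQ, the following Python inspector applies the two facts established above to a single AMQP delivery: the Type property must be the one expected type, and no PropertyBag entry (the t/v pair handled by PropertyBagJsonConverter) and no $type member (which JSON.NET honours under TypeNameHandling.Auto) may name anything outside a small allow list. The message layouts, the member name Properties and the allow list of primitive CLR types are assumptions; the gadget type names are the ones discussed in this post, and the serialized gadget bodies are placeholders. The proper fix is on the consumer side (deserialize into a fixed type with TypeNameHandling.None), but a check like this is something you can run over captured broker traffic without touching the product.

```python
import json

# The one message type the Information Service legitimately receives (from the post).
EXPECTED_MESSAGE_TYPE = "SolarWinds.MessageBus.Models.Indication"

# Deserialization gadget types named in the post; assembly-qualified names start with these.
GADGET_TYPE_PREFIXES = (
    "System.Security.Principal.WindowsPrincipal",
    "System.Windows.Data.ObjectDataProvider",
    "System.Data.Services.Internal.ExpandedWrapper",
    "System.Web.UI.LosFormatter",
)

# Assumption: a legitimate PropertyBag entry only ever carries simple CLR types in `t`.
ALLOWED_BAG_TYPES = {
    "System.String", "System.Int32", "System.Int64", "System.Boolean",
    "System.Double", "System.Guid", "System.DateTime",
}


def is_gadget_type(type_name: str) -> bool:
    return type_name.startswith(GADGET_TYPE_PREFIXES)


def inspect_message(properties: dict, body: bytes) -> list:
    """Return findings for one AMQP delivery on the SwisPubSub routing key.

    `properties` mirrors the AMQP basic properties (EasyNetQ carries the CLR type name
    in `type`); `body` is the raw UTF-8 JSON payload. An empty list means nothing odd.
    """
    findings = []
    msg_type = properties.get("type", "")
    if msg_type != EXPECTED_MESSAGE_TYPE:
        findings.append(f"Type property is {msg_type!r}, expected {EXPECTED_MESSAGE_TYPE!r}")
    if is_gadget_type(msg_type):
        findings.append("Type property names a known deserialization gadget")
    try:
        document = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        findings.append(f"body is not UTF-8 JSON: {exc}")
        return findings
    _walk(document, "$", findings)
    return findings


def _walk(node, path: str, findings: list) -> None:
    if isinstance(node, dict):
        # JSON.NET with TypeNameHandling.Auto resolves a "$type" member into a real CLR type.
        if isinstance(node.get("$type"), str):
            findings.append(f"{path}: embedded $type {node['$type']!r}")
        # PropertyBagJsonConverter shape: {"t": <type name>, "v": <payload>} per entry.
        if "t" in node and "v" in node:
            t = node["t"]
            if not isinstance(t, str) or t not in ALLOWED_BAG_TYPES:
                findings.append(f"{path}: PropertyBag entry type {t!r} is outside the allow list")
            if isinstance(t, str) and is_gadget_type(t):
                findings.append(f"{path}: PropertyBag entry names a known gadget")
        for key, value in node.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", findings)


# Constructed sample deliveries. The member name "Properties" and the IndicationId payload
# are assumed; the post shows the PropertyBag entry shape, not the full Indication layout.
WINDOWS_PRINCIPAL = ("System.Security.Principal.WindowsPrincipal, mscorlib, Version=4.0.0.0, "
                     "Culture=neutral, PublicKeyToken=b77a5c561934e089")

LEGIT = (
    {"type": EXPECTED_MESSAGE_TYPE},
    json.dumps({"Properties": {"IndicationId": {
        "t": "System.Guid", "v": "9b5d7d2e-1b3c-4a6e-8c4f-3f2a1d0e9c8b"}}}).encode(),
)

# CVE-2022-38108 shape: the Type property itself selects the target type.
TYPE_PROPERTY_ATTACK = (
    {"type": WINDOWS_PRINCIPAL},
    b'{"Identity": "PLACEHOLDER-SERIALIZED-GADGET"}',
)

# CVE-2022-36957 shape: a legitimate outer type carrying a PropertyBag entry with a hostile `t`.
PROPERTY_BAG_ATTACK = (
    {"type": EXPECTED_MESSAGE_TYPE},
    json.dumps({"Properties": {"IndicationId": {
        "t": WINDOWS_PRINCIPAL,
        "v": {"$type": WINDOWS_PRINCIPAL, "Identity": "PLACEHOLDER-SERIALIZED-GADGET"},
    }}}).encode(),
)


if __name__ == "__main__":
    samples = {"legitimate": LEGIT, "type-property": TYPE_PROPERTY_ATTACK,
               "property-bag": PROPERTY_BAG_ATTACK}
    for label, (props, body) in samples.items():
        print(label, inspect_message(props, body) or "clean")
```

The walk is recursive on purpose: the second vulnerability shows that the dangerous type name can sit several levels below a perfectly legitimate outer type, so a check that only looks at the AMQP Type property (the obvious fix for the first bug) misses it.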

CVE-2022-36958

SolarWinds defines some inner methods/operations called “SWIS verbs”. Those verbs can be either:
a) Invoked directly through the API.
b) Invoked indirectly through the Orion Platform Web UI (Orion Platform invokes verbs internally).

There are several things that we need to know about SWIS verbs:
• They are invoked using a payload within an XML structure.
• They accept arguments of predefined types.

For instance, consider the Orion.AgentManagement.Agent.Deploy verb. It accepts 12 arguments. The following screenshot presents those arguments and their corresponding types.

Figure 3 - Arguments for Orion.AgentManagement.Agent.Deploy

The handling of arguments is performed by the method SolarWinds.InformationService.Verb.VerbExecutorContext.UnpackageParameters(XmlElement[], Stream):

At [1], the Type is retrieved for the given verb argument.

At [2], a DataContractSerializer is initialized with the retrieved argument type.

At [3] and [4], the argument is deserialized.

We know that we are dealing with a DataContractSerializer. We cannot control the deserialization types though. My first thought was: I had already found some abusable PropertyBag classes. Maybe there are more to be found here?

It quickly turned out to be a good direction. There are multiple SWIS verbs that accept arguments of a type named SolarWinds.InformationService.Addons.PropertyBag. We can provide arbitrary XML to be deserialized to an object of this type. Let’s investigate!

At [1], the ReadXml method is defined. It will be called during deserialization.

At [2], the code iterates over the provided items.

At [3], the key element is retrieved. If present, the code continues.

At [4], the value of the type element is retrieved. One may safely assume where it leads.

At [5], the value element is retrieved.

At [6], the Deserialize method is called, and the data contained in both the value and type tags are provided as input.

At [7], the serialized payload and type name are passed to the SolarWinds.InformationService.Serialization.SerializationHelper.Deserialize method.

Again, both the type and the serialized payload are controlled by the attacker. Let’s check this deserialization method.

At [1], the code checks if the provided type is cached.

If not, the type is retrieved from a string at [2].

At [3], the static DeserializeFromStrippedXml is called.

As you can see, the static DeserializeFromStrippedXml method retrieves a serializer object by calling SerializationHelper.serializerCache.GetSerializer(type). Then, it calls the (non-static) DeserializeFromStrippedXml(string) method on the retrieved serializer object.

Let’s see how the serializer is retrieved.

At [1], the code tries to retrieve the serializer from a cache. In case of a cache miss, it retrieves the serializer by calling GetSerializerInternal ([2]), so our investigation continues with GetSerializerInternal.

At [3], an XmlTypeMapping is retrieved on the basis of the attacker-controlled type. It does not implement any security measures. It is only used to retrieve some basic information about the given type.

At [4], an XmlStrippedSerializer object is initialized. Four arguments are supplied to the constructor:
• A new XmlSerializer instance, where the type of the serializer is controlled by the attacker(!).
• The XsdElementName of the target type, obtained from the XmlTypeMapping.
• The Namespace of the type, also obtained from the XmlTypeMapping.
• The type itself.

So far, we have two crucial facts:
• We are switching deserializers. The overall SWIS verb payload and arguments are deserialized with a DataContractSerializer. However, our PropertyBag object will eventually be deserialized with an XmlSerializer.
• We fully control the type provided to the XmlSerializer constructor, which is a key condition for exploitation.

It seems that we have it, another RCE through type control in deserialization. As XmlSerializer can be abused through the ObjectDataProvider, we can set the target deserialization type to the following:

         System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

However, let’s analyze the XmlStrippedSerializer.DeserializeFromStrippedXml(String) before celebrating.

Something unusual is happening here. At [1], a new XML string is being created. It has the following structure:

         <XsdElementName xmlns=’Namespace’>ATTACKER-XML</XsdElementName>

To sum up:
• The attacker’s XML gets wrapped with a tag derived from the delivered type (see GetSerializerInternal method).
• Moreover, the retrieved Namespace is inserted into the xmlns attribute.

The attacker controls a major fragment of the final XML and controls the type. However, due to the custom XML wrapping, the ysoserial.net gadget will not work out of the box. The generated gadget looks like this:

The first tag is equal to ExpandedWrapperOfLosFormatterObjectDataProvider. This tag will be automatically generated by the DeserializeFromStrippedXml method, thus we need to remove it from the generated payload! When we do so, the following XML will be passed to the XmlSerializer.Deserialize method:

We still have a major issue here. Can you spot it?

When you compare both the original ysoserial.net gadget and our current gadget, one big difference can be spotted:
• The original gadget defines two namespaces in the root tag: xsi and xsd.
• The current gadget contains an empty xmlns attribute only.

The ObjectInstance tag relies on the xsi namespace. Consequently, deserialization will fail.

Luckily, the namespace does not have to be defined in the root tag specifically. Accordingly, we can fix our gadget by defining both namespaces in the ProjectedProperty0 tag. The final gadget is as follows:

In this way, we get a third RCE, where we fully control the target deserialization type!

Here is a fragment of the API request, where the malicious SWIS verb argument is defined:

CVE-2022-36964

Technically, this issue is identical to CVE-2022-36958. However, it exists in a different class that shares the same implementation of the ReadXml method. In this case, the vulnerable class is SolarWinds.InformationService.Contract2.PropertyBag.

An argument of this type is accepted by the TestAlertingAction SWIS verb, thus this issue is exploitable through the API.

This class may appear familiar to some of you. I already abused that same class with JSON.NET deserialization in CVE-2021-31474. Almost one and a half years later, I realized that this class can be abused in a totally different way as well.

Summary

In this blog post, I have shown you four different deserialization vulnerabilities in SolarWinds where the attacker could control the type of the deserialized object. One of them was particularly interesting, because DataContractSerializer could be used to ultimately reach XmlSerializer. During my Hexacon 2023 talk, I will show you some of the patches applied to the described issues and I will show you how I have bypassed them by using custom deserialization gadgets. These patch bypasses have also been patched by SolarWinds, but the discussion will show how hunting deserialization bugs can lead to some fun discoveries.

I hope you liked this writeup. Until my next post, you can follow me @chudypb and follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

The September 2023 Security Update Review

12 September 2023 at 17:28

Hello and welcome to another patch Tuesday in what continues to be a hot 0-day summer, with new exploits being identified by Apple, Cisco, and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of the latest advisories from Adobe, Microsoft, and more. If you’d rather watch the video recap, you can check it out here.

Apple Patches for September 2023

Apple kicked off the September patch release by patching two bugs in macOS Ventura, iPadOS, iOS, and watchOS to address active exploits. The first vulnerability is tracked as CVE-2023-41064 and represents a buffer overflow in Image I/O. The other bug, CVE-2023-41061, represents a validation issue that can be exploited using malicious attachments. According to Citizen Lab researchers, these bugs were combined to deploy the infamous Pegasus spyware from the NSO Group. Regardless, make sure you take the time to update your Apple devices. Apple backported this fix to older phones today, so even if you aren’t on the latest iOS, you can still get the fix.

Cisco Advisories for September 2023

You may notice I said “advisories” instead of “patches” here, and that’s not just another case of me being pedantic. On September 6, Cisco published an advisory notifying their customers of active exploits in the Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software remote access VPN. This CVE, tracked as CVE-2023-20269, is reportedly being used by ransomware groups to gain access to target networks. There’s no patch for this yet, but Cisco does offer some temporary mitigations. If you’re using these products, it’s recommended that you apply the mitigations until a patch is available. Also, please remember these mitigations are temporary. Once the patch is available, don’t delay the testing and deployment just because these mitigations are in place.

Adobe Patches for September 2023

For September, Adobe released three updates addressing five CVEs in Adobe Acrobat and Reader, Experience Manager, and Adobe Connect. Not to be left out of the 0-day…er…excitement, the lone bug in the Acrobat and Reader patch has been detected in the wild. Opening a specially crafted PDF could lead to code execution on an affected system. Clearly, this patch should be your priority. Interestingly, the patches for Experience Manager and Connect both address two cross-site scripting (XSS) bugs. Just an interesting coincidence.

Adobe lists the Reader patch as a deployment rating of 1 since it is under active attack. The other two patches are not listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2023

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; .NET and Visual Studio; Azure; Microsoft Dynamics; and Windows Defender. A total of 15 of these CVEs (25.4%) were reported through the ZDI program, and more are waiting in the wings. In addition to the new CVEs, two external bugs and four Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 65.

Of the new patches released today, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. This is slightly lower than most September releases, but looking at the year-to-date totals, Microsoft is very close to the volume of fixes released in 2022.

Two of the CVEs released today are listed as being under active attack at the time of release while only one is listed as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug being exploited:

-       CVE-2023-36761 - Microsoft Word Information Disclosure Vulnerability
This is the bug currently under active attack, but I wouldn’t classify it as “information disclosure”. An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack. Those are usually defined as Spoofing bugs (see Exchange below). Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list.

-       CVE-2023-29332 - Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
This Critical-rated bug in the Azure Kubernetes service could allow a remote, unauthenticated attacker to gain Cluster Administration privileges. We’ve seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity. Microsoft gives this an “Exploitation Less Likely” rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers.

-       CVE-2023-38148 - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
This Critical-rated bug is the highest-rated CVSS this month (8.8), but it’s not all bad news. First, this is limited to network-adjacent attackers. A successful exploit also relies on ICS being enabled. Most places these days don’t require ICS, and it’s not turned on by default. However, if you’re in one of those places where ICS is used, this could allow an unauthenticated attacker to run their code on affected systems.

-       CVE-2023-38146 - Windows Themes Remote Code Execution Vulnerability
This probably isn’t one of the most severe bugs patched this month, but it kicked off such a wave of nostalgia, that I had to call it out. This bug could allow code execution if an attacker can convince a user to open a specially crafted theme file. If this sounds like screensaver exploits from 20+ years, it’s because it’s just like screensaver bugs from 20+ years ago. Congrats to Pwn2Own winners Thijs Alkemade and Daan Keuper of Computest Sector 7 for helping bring this oldie but goodie to light.

Here’s the full list of CVEs released by Microsoft for September 2023:

CVE | Title | Severity | CVSS | Public | Exploited | Type
CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability | Important | 6.2 | Yes | Yes | Info
CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP
CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | Critical | 7.5 | No | No | EoP
CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2023-36788 | .NET Framework Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36770 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36771 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36772 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36773 | 3D Builder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36739 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36740 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36760 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2022-41303 * | AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior | Important | 7.8 | No | No | RCE
CVE-2023-38155 | Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2023-33136 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-38156 | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP
CVE-2023-38162 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36801 | DHCP Server Service Information Disclosure Vulnerability | Important | 5.3 | No | No | Info
CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability | Important | 5.3 | No | No | Info
CVE-2023-36800 | Dynamics Finance and Operations Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2023-39956 * | Electron: CVE-2023-39956 - Visual Studio Code Remote Code Execution Vulnerability | Important | 6.1 | No | No | RCE
CVE-2023-36886 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2023-38164 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2023-36766 | Microsoft Excel Information Disclosure Vulnerability | Important | 7.8 | No | No | Info
CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability | Important | 5.7 | No | No | Info
CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2023-36757 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing
CVE-2023-36736 | Microsoft Identity Linux Broker Information Disclosure Vulnerability | Important | 4.4 | No | No | Info
CVE-2023-36765 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36767 | Microsoft Office Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB
CVE-2023-36763 | Microsoft Outlook Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2023-36764 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2023-36805 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important | 7 | No | No | RCE
CVE-2023-36742 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36759 | Visual Studio Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP
CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-35355 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38163 | Windows Defender Attack Surface Reduction Security Feature Bypass | Important | 7.8 | No | No | SFB
CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38139 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38141 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38150 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36803 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-38140 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-38147 | Windows Miracast Wireless Display Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-38146 | Windows Themes Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-41764 | Microsoft Office Spoofing Vulnerability | Moderate | 5.5 | No | No | Spoofing
CVE-2023-4761 * | Chromium: CVE-2023-4761 Out of bounds memory access in FedCM | High | N/A | No | No | RCE
CVE-2023-4762 * | Chromium: CVE-2023-4762 Type Confusion in V8 | High | N/A | No | No | RCE
CVE-2023-4763 * | Chromium: CVE-2023-4763 Use after free in Networks | High | N/A | No | No | RCE
CVE-2023-4764 * | Chromium: CVE-2023-4764 Incorrect security UI in BFCache | High | N/A | No | No | SFB

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

Before we get to the other Critical-rated patches for September, let’s talk about the Exchange fixes released this month. Yes – even though Exchange just received a big update last month, there’s another one* today. There are five different Exchange CVEs today, and all were reported by ZDI researcher Piotr Bazydło. He’s been on quite the Exchange kick recently, including finding bypasses for both patches and silent fixes. The one that concerns me the most is the NTLM relay, which is marked as a Spoofing bug (see my pedantic note above). What’s most concerning about this is that this vulnerability seems to have been patched last month but wasn’t documented. This bug, along with the three RCE bugs, requires authentication, but recall that last month’s Exchange patches included an auth bypass. Nifty. The final Exchange patch corrects an info disclosure bug that could disclose “file content.” It’s not clear if that’s a random file or if an attacker can name an arbitrary file. All of these patches require the August update to be installed, so don’t skip that and think you’re protected. And to all those admins rebooting Exchange over the weekend, I wish you Godspeed and good luck.

*UPDATE: Microsoft reached out to let us know these CVEs are not new updates but were released in the August update and are now being documented. They did not state why they were patched silently in August and gave no indication if their omission was intentional or accidental.

The remaining Critical-rated patches are all for Visual Studio. These are all open-and-own bugs that could lead to arbitrary code execution when opening a malicious package file with an affected version of Visual Studio.

Looking at the 15 other RCE bugs getting patches this month, most share the same open-and-own exploit scenario as the Critical-rated Visual Studio bugs. Interestingly, there are two Important-rated Visual Studio RCEs that look identical to the Critical-rated ones. There’s no indication why one is more severe than the others. There are six fixes for RCE bugs in 3D Viewer, and four of these were reported by ZDI researcher Mat Powell. The bugs are simple open-and-own vulns, but the product must be updated through the app store. If automatic updates from the store are disabled or if you’re otherwise disconnected, you’ll need to manually update. One of the RCEs in Word has a Preview Pane vector, but a user needs to click the attachment preview to trigger the exploit. There’s a scripting engine (Trident/EdgeHTML) bug that was reported through the ZDI. Under limited circumstances, crafted data in an image can lead to execution of untrusted script. An attacker can leverage this vulnerability to execute code in the context of the current process. There’s a patch for Miracast that could allow an attacker to project to an affected system in limited circumstances. Microsoft lists that as Adjacent, but I would consider it more of a Physical attack. Finally, there’s a fix for Azure DevOps that’s listed as RCE, but I would classify it as a privilege escalation instead. An attacker needs Queue Build permissions on an Azure DevOps pipeline that has an overridable variable. They could then use this to get a code injection by overriding the variable. You decide if it’s RCE or EoP as you patch your affected servers.

Before looking at the privilege escalation bugs, there are some impactful Denial-of-Service (DoS) vulnerabilities we should address. The first involves TCP/IP. A remote, unauthenticated attacker could take down an affected system by sending specially crafted IPv6 packets. As you might imagine, systems with IPv6 disabled aren’t impacted, but considering IPv6 is enabled by default, this could create some havoc on unpatched systems. Microsoft lists disabling IPv6 router discovery as a temporary workaround. As above, patches are permanent while workarounds are temporary. The other DoS bug of note impacts the DHCP server, although Microsoft provides no other details about the bug. The final DoS impacts .NET and Visual Studio, but this bug requires someone to open a specially crafted file.

Moving on to the other EoP bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. That’s true for CVE-2023-36802, which is the other bug listed as being under active attack. In most cases, this leads to either administrator privileges or running code at SYSTEM level. In fact, this is true of all of the EoP bugs patched this month outside of the previously mentioned Azure Kubernetes escalation.

Two fixes in this month’s release address security feature bypass (SFB) bugs. The first is in the Windows Defender Attack Surface Reduction blocking feature. The vulnerability could allow attackers to bypass the Windows Defender Attack Surface Reduction blocking feature, which definitely falls into the you-had-one-job category. The other patch impacts Office and corrects a bypass that could allow a file with a potentially dangerous extension to be uploaded and downloaded. Like one of the Office bugs mentioned above, the Preview Pane is an attack vector, but a user would need to click to preview an attachment.

The September release contains eight additional information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. There are two significant exceptions. The first is in Outlook. A successful exploit could allow the disclosure of credentials. Yikes. At least the Preview Pane is not an attack vector here. The other interesting bug resides in the Microsoft Identity Linux Broker. Exploiting this vulnerability could disclose application data on the target. However, encrypted data at rest remains encrypted.

The lone Moderate-rated bug in this month’s release impacts Office components. Successful exploitation would allow an unauthenticated attacker to insert malicious content into a document. This document may then pass an authentication check when a partial signature is present.

Wrapping things up, there are three cross-site scripting (XSS) bugs fixed in this release. One fix is for Dynamics Finance and Operations while the remaining are for the on-prem Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday will be on October 10, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Looking at the ChargePoint Home Flex Threat Landscape

7 September 2023 at 16:09

We recently announced the rules and targets for the upcoming Pwn2Own Automotive competition. As we look forward to the event, we thought we would review the attack surface on some of the targets. We begin with the ChargePoint Home Flex – a 240-volt Level 2 home charger that delivers up to 50 amps of power.


The ChargePoint Home Flex is a level 2 electric vehicle charge station designed for use by end-users in their homes. The device itself has a minimal hardware user interface; both installation and day-to-day operation are done through mobile applications.

ChargePoint Home Flex Attack Surface Summary

Broadly speaking, the attack surface of the device can be broken down into three categories.

1.     ChargePoint Mobile Applications
The ServicePro application used by electricians during the installation of the ChargePoint Home Flex unit offers one avenue of attack.
The ChargePoint application used by end-users when configuring and using the ChargePoint Home Flex also provides an attack surface.

2.     ChargePoint Home Flex hardware
The device includes an embedded Linux host that communicates over Wi-Fi to hosts on the internet. The unit also contains a PCB based around the Texas Instruments MSP430 micro-controller. The wireless communication PCB is based on an Atmel CPU. Finally, the JTAG interface is accessible via the wireless communication PCB.

3.     Network Attack Surfaces
Software patches to the device are provided via Internet-based over-the-air (OTA) updates. The Bluetooth Low Energy (BLE) endpoint used by mobile applications for local communication could provide an opportunity for attack. Any Wi-Fi communication with a local access point opens the opportunity for interception and manipulation. Finally, the device implements the Open Charge Point Protocol (OCPP). Any deficiencies in this protocol would be inherited by the charger.

Prior Security Research

The ChargePoint Home Flex was the subject of a security assessment performed by Dmitry Skylar, a researcher from Kaspersky Labs. This review was performed in 2018, and the results were published in a paper, as well as a presentation at a number of security conferences. The slides can be found here.

ChargePoint Home Flex Mobile Applications

ChargePoint distributes two applications for use with the Home Flex charger. Both applications interact with the ChargePoint Home Flex over Bluetooth Low Energy (BLE).

The ChargePoint ServicePro application is intended for use by an electrician when installing the device for an end-user. This application is written using the React Native application development framework. This is a JavaScript-based development framework intended for cross-platform mobile application development.

The consumer-focused ChargePoint mobile app is intended for use by end-users to manage their charging preferences.

While we did not thoroughly investigate these applications for vulnerabilities or other bugs, problems in mobile applications have been used by threat actors in the past and represent a significant attack surface. Even though the mobile applications themselves are out of scope for the Pwn2Own Automotive contest, they should still be thoroughly reviewed by the research community.

ChargePoint Home Flex Bluetooth Low Energy

The ChargePoint Home Flex uses Bluetooth Low Energy to communicate with mobile applications. Trend Micro researchers used a custom BLE scanning tool to enumerate the endpoints made available by the charger.

The following service is defined in the BLE spec:

— BLE Service Device Information
System ID
Model Number String: CPH50
Serial Number String
Software Revision String: 5.5.2.5

The researchers observed the following BLE services and characteristics when scanning the device under test (DUT): 

— Device Details Service 274BC3A3-1A52-4D30-99C0-4DE08FFF2358
Get/Set PowerSourceType: Characteristic 8D4D6AF5-E562-4DC7-85AD-842FBF321C87
Get/Set PowerSourceAmps: Characteristic F24F7C35-A5FD-4B98-BCA5-50BB5DC8E7CD
Get/Set Apply Settings Status : Characteristic 5597DD46-7EDD-40CC-9904-B6934DC05E19
Get/Set UserId : Characteristic E79C86D4-8106-4908-B602-5B61266B2116
Get/Set Latitude : Characteristic 85F296FC-3152-4EF0-84CB-FAB8D05432E4
Get/Set Longitude : Characteristic 9253A155-701A-4582-A0CF-5E517E553586
Get/Set NOSStatus : Characteristic C31D51E5-BD61-4D09-95E2-C0E34ED1224C
Get/Set Power Source: Characteristic C1972E92-0D07-4464-B312-E60BA5F284FC

— WIFI Service DFAF46E7-04F9-471C-8438-A72612619BE9
Get/Set NextWIFIAccessPoint: Characteristic E5DEBB4B-4DAC-4609-A533-B628E5797E91
Get/Set CurrentSSID: Characteristic EB61F605-DED9-4975-9235-0A5FF4941F32
Get/Set WIFISecurityType: Characteristic 733ED10A-CD1B-43CA-A0C2-6864C8DCF7C1
Get/Set WiFi Configuration: Characteristic 25A03F00-1AF2-44F0-80F2-D6F771458BB9
Get/Set ApplyStatusCode: Characteristic 3BE83845-93E4-461E-8A49-7370F790EBC4
Get/Set Always Empty Response Characteristic: Characteristic CED647D7-E261-41E2-8F0D-35C360AAE269

— Unknown Service B67CB923-50E4-41E8-BECC-9ACD24776887
Get/Set Always NULL Byte Characteristic: Characteristic 7AC61302-58AB-47BA-B8AA-30094DB0B9A1

Trend Micro researchers performed limited probing of these BLE endpoints using a bespoke BLE scanner. In addition, Trend researchers performed reverse engineering of the end-user ChargePoint application. The names identified in the above listing have been inferred from the understanding of the Android application code.
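One way to reproduce this enumeration and sort the result into its readable and writable parts, as an added example that is not ZDI's or ChargePoint's tooling (the bespoke scanner mentioned above is not public). The UUID-to-name map is taken from the listing above; the live path assumes the bleak library and a charger address passed on the command line; SAMPLE_DUMP and its property flags are constructed for illustration, not observed from a device. The expansion of 16-bit SIG UUIDs such as 0x180A onto the Bluetooth base UUID is standard.

```python
"""Enumerate and triage the GATT characteristics an EV charger exposes over BLE.

Added example, not ChargePoint or ZDI code. KNOWN_UUIDS carries the names
inferred from the ChargePoint Android app in the listing above; SAMPLE_DUMP
is constructed so the audit runs without hardware.
"""
import asyncio
import sys

BT_BASE_SUFFIX = "-0000-1000-8000-00805f9b34fb"   # Bluetooth SIG base UUID tail

KNOWN_UUIDS = {
    "0000180a" + BT_BASE_SUFFIX: "Device Information (SIG)",
    "00002a24" + BT_BASE_SUFFIX: "Model Number String (SIG)",
    "274bc3a3-1a52-4d30-99c0-4de08fff2358": "Device Details service",
    "dfaf46e7-04f9-471c-8438-a72612619be9": "WIFI service",
    "8d4d6af5-e562-4dc7-85ad-842fbf321c87": "PowerSourceType",
    "f24f7c35-a5fd-4b98-bca5-50bb5dc8e7cd": "PowerSourceAmps",
    "e79c86d4-8106-4908-b602-5b61266b2116": "UserId",
    "eb61f605-ded9-4975-9235-0a5ff4941f32": "CurrentSSID",
    "733ed10a-cd1b-43ca-a0c2-6864c8dcf7c1": "WIFISecurityType",
    "25a03f00-1af2-44f0-80f2-d6f771458bb9": "WiFi Configuration",
}
WRITE_PROPS = {"write", "write-without-response", "authenticated-signed-writes"}


def normalize_uuid(uuid: str) -> str:
    """Lower-case a UUID and expand 16/32-bit short forms to the 128-bit SIG form."""
    u = uuid.strip().lower()
    if len(u) in (4, 8):
        u = u.zfill(8) + BT_BASE_SUFFIX
    return u


def label(uuid: str) -> str:
    u = normalize_uuid(uuid)
    return KNOWN_UUIDS.get(u, "UNKNOWN " + u)


def audit_gatt(services):
    """services: [{"uuid": str, "characteristics": [{"uuid": str, "properties": [str]}]}]

    Returns (writable, unknown). 'writable' is the 'Set' half of the surface: every
    characteristic an unpaired central can try to write. 'unknown' lists services
    the name map does not cover, which deserve reverse engineering first.
    """
    writable, unknown = [], []
    for svc in services:
        svc_name = label(svc["uuid"])
        if svc_name.startswith("UNKNOWN"):
            unknown.append(normalize_uuid(svc["uuid"]))
        for ch in svc["characteristics"]:
            props = {p.lower() for p in ch["properties"]}
            if props & WRITE_PROPS:
                writable.append((svc_name, label(ch["uuid"]), sorted(props & WRITE_PROPS)))
    return writable, unknown


async def dump_gatt(address: str):
    """Live enumeration with bleak (assumed installed); address is the charger's BLE address."""
    from bleak import BleakClient
    async with BleakClient(address) as client:
        return [
            {"uuid": s.uuid,
             "characteristics": [{"uuid": c.uuid, "properties": list(c.properties)}
                                 for c in s.characteristics]}
            for s in client.services
        ]


SAMPLE_DUMP = [   # constructed; property flags are assumed, not measured
    {"uuid": "180a", "characteristics": [{"uuid": "2a24", "properties": ["read"]}]},
    {"uuid": "274BC3A3-1A52-4D30-99C0-4DE08FFF2358", "characteristics": [
        {"uuid": "8D4D6AF5-E562-4DC7-85AD-842FBF321C87", "properties": ["read"]},
        {"uuid": "F24F7C35-A5FD-4B98-BCA5-50BB5DC8E7CD", "properties": ["read", "write"]}]},
    {"uuid": "DFAF46E7-04F9-471C-8438-A72612619BE9", "characteristics": [
        {"uuid": "EB61F605-DED9-4975-9235-0A5FF4941F32", "properties": ["read"]},
        {"uuid": "25A03F00-1AF2-44F0-80F2-D6F771458BB9", "properties": ["write-without-response"]}]},
    {"uuid": "B67CB923-50E4-41E8-BECC-9ACD24776887", "characteristics": [
        {"uuid": "7AC61302-58AB-47BA-B8AA-30094DB0B9A1", "properties": ["read"]}]},
]

if __name__ == "__main__":
    services = asyncio.run(dump_gatt(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DUMP
    writable, unknown = audit_gatt(services)
    for svc_name, ch_name, props in writable:
        print(f"WRITABLE  {svc_name:24} {ch_name:20} {','.join(props)}")
    for u in unknown:
        print(f"UNKNOWN SERVICE {u}")
```

Whether a write is actually gated by pairing or bonding is not visible from the property flags, so the follow-up is to attempt each flagged write from an unbonded central; a current-limit characteristic that accepts unauthenticated writes on a 50-amp circuit is the kind of finding this triage is meant to surface.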

ChargePoint Home Flex Hardware Details

The ChargePoint Home Flex comprises two circuit boards within the device housing. Those boards are the metrology board and the CPU board.

The metrology board hosts an MSP430 microcontroller. It terminates the power connection from the power supply, and it also terminates the charging cable that end-users connect to the electric vehicle. The metrology board also provides power to the CPU board via a stacked PCB connector on the upper right of the metrology board. The metrology board is labeled with the identifier Panda AC 50 on the PCB silkscreen markings.

The CPU board hosts an ATMEL Arm CPU, Wi-Fi radio, and Bluetooth LE radio. The CPU board is labeled CPH-50 CPU on the PCB silkscreen markings.

Here are some images detailing the ChargePoint Home Flex Metrology board and CPU board:

Figure 1 - Front side of the CPH-50 CPU Board

Figure 2 - Back side of the CPH-50 CPU Board

Figure 3 - Front side of the ChargePoint Home Flex metrology Board

Figure 4 - Back side of the ChargePoint Home Flex metrology Board

ChargePoint Home Flex Embedded Linux

Prior research performed by Kaspersky Labs indicates the charger uses the Linux operating system. The charger hardware has a board identified as the “Panda CPU” board, which implements all the accessible attack surface on the charger. The hardware comprises an ARM CPU, and the device provides a JTAG debug header. Prior research showed this JTAG header could be leveraged to obtain shell access to the charger.

During a preliminary assessment of the charger, Trend Micro researchers used a captive test network to interrogate the ChargePoint Home Flex. The test network consisted of a Wi-Fi access point connected to a network hosting a set of services configured to simulate the services the charger requires. This network had a DNS server configured to respond to all DNS A-record queries with an IP address from within the test network.

During testing, the researchers observed the DNS queries made by the DUT and configured the DNS server with all the observed host names it attempted to connect to. Additionally, the test network included a web server configured to respond to the web requests made by the DUT. The DUT made DNS requests to the following domains:

        ba79k2rx5jru.chargepoint.com
        homecharger.chargepoint.com
        publish.chargepoint.com

The researchers noted that TLS connections initiated to the test network’s web servers failed to establish because the charger did not trust the certificate authority that issued their certificates. That the charger enforces certificate authority validation is a security benefit: HTTPS traffic cannot simply be intercepted by a rogue access point.

The ChargePoint Home Flex connected over SSH to the server ba79k2rx5jru.chargepoint.com on TCP port 343. The research network included a permissive SSH server that would accept authentication for any user. When the charger connected to that permissive SSH server, the researchers noted that the SSH client on the DUT requested a remote port forward, giving the SSH server a path back to TCP port 23 (the conventional telnet port) on the charger. This matches the results noted in the Kaspersky research report.
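The DNS half of that captive network, as an added example (not ZDI’s tooling): a UDP sinkhole that answers every A query with one lab address and logs each name the DUT asks for, which is how a host list like the one above is gathered. The lab address, TTL and the query names used in the test are assumed; the permissive SSH server is not part of this example.

```python
"""UDP DNS sinkhole for a captive test network.

Added example, not ZDI or ChargePoint code. Every A query is answered with
LAB_IP (a made-up address); other query types get an empty NOERROR reply so
the client falls back to A. Names are recorded in the order the DUT asks.
"""
import socket
import struct

LAB_IP = "10.0.0.10"   # constructed: where the lab web/SSH sinks listen


def encode_name(name: str) -> bytes:
    """'a.b.c' -> DNS label wire format."""
    out = b""
    for part in name.rstrip(".").split("."):
        raw = part.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name at offset; returns (name, end_of_field)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop in name")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal recursive query, used to exercise the resolver offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


class SinkholeResolver:
    def __init__(self, answer_ip: str = LAB_IP, ttl: int = 60):
        self.rdata = socket.inet_aton(answer_ip)
        self.ttl = ttl
        self.observed = []          # (qname, qtype) in the order the DUT asked

    def respond(self, query: bytes) -> bytes:
        txid, flags, qdcount = struct.unpack("!HHH", query[:6])
        if qdcount != 1:
            raise ValueError("expected exactly one question")
        qname, qend = decode_name(query, 12)
        qtype, qclass = struct.unpack("!HH", query[qend:qend + 4])
        self.observed.append((qname, qtype))
        question = query[12:qend + 4]
        answer, ancount = b"", 0
        if qtype == 1 and qclass == 1:                 # A / IN
            # RR name is a pointer to offset 12, the question name
            answer = struct.pack("!HHHIH", 0xC00C, 1, 1, self.ttl, 4) + self.rdata
            ancount = 1
        resp_flags = 0x8000 | (flags & 0x0100) | 0x0080   # QR=1, echo RD, RA=1, RCODE=0
        header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
        return header + question + answer


def first_a_record(response: bytes):
    """(name, dotted_ip) from the first answer RR, or None when there is none."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, off = decode_name(response, 12)
    off += 4                                           # skip QTYPE/QCLASS
    name, off = decode_name(response, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        return None
    return name, socket.inet_ntoa(response[off:off + 4])


def serve(bind: str = "0.0.0.0", port: int = 53) -> None:
    """Bind UDP on the lab network and answer until interrupted (port 53 needs root)."""
    resolver = SinkholeResolver()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(resolver.respond(data), peer)
                print(peer[0], *resolver.observed[-1])
            except (ValueError, IndexError, UnicodeDecodeError, struct.error):
                pass                                    # malformed query; drop it


if __name__ == "__main__":
    serve()
```

Point the access point’s DHCP at the host running this and the observed list becomes the inventory of endpoints to stand up; only after the web and SSH sinks exist does it make sense to compare what the device sends against the TLS and SSH behaviour described above.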

Summary

While these may not be the only attack surfaces available on the ChargePoint Home Flex unit, they represent the most likely avenues a threat actor may use to exploit the device. ChargePoint has committed to providing the hardware for us to use during the Pwn2Own Automotive competition, and we appreciate their support. We’re excited to see what research is displayed in Tokyo during the event. Stay tuned to the blog for attack surface reviews for other devices, and if you’re curious, you can see all the devices included in the contest. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

Revealing the Targets and Rules for the First Pwn2Own Automotive

29 August 2023 at 15:04

If you just want to read the rules, you can find them here.

 

Earlier this year, I announced the ZDI, along with our cohorts at VicOne, will host a new Pwn2Own contest focused on automotive systems – Pwn2Own Automotive – at the upcoming Automotive World conference in Tokyo, Japan, held on January 24th – 26th, 2024. Today, we are releasing the targets and payouts for this inaugural event. As a reminder, we have three primary goals in hosting this event:

1.     Provide an avenue to encourage automotive research. We want to offer a place where researchers can submit and be financially rewarded for reports targeting various products and platforms.
2.     Incentivize vendors to participate in the security research community. We want to connect our global community of security researchers with automotive manufacturers to help improve their security and resiliency.
3.     Bring a focus to the sub-components of a vehicle. Rather than looking at the vehicle as a monolithic unit, we want to bring attention to the multiple complex systems that comprise a modern automobile ecosystem.

We’re also excited to announce Tesla will partner with us on this event. They have worked with us extensively for our Pwn2Own Vancouver event, and we rely on their guidance and understanding of the complexities of electric vehicles (EV). We’re also grateful that ChargePoint decided to provide their EV chargers to use during the contest. The researchers from VicOne have also been essential in helping to determine targets and providing technical guidance on EV attack surfaces. We have more than $1,000,000 USD in cash and prizes available, and we can’t wait to see what researchers bring to demonstrate in Tokyo. However, we know not everyone can make it to Automotive World, so we will allow remote participation similar to other events. You will still need to register before the contest deadline (January 18, 2024) and submit your entry, a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry by the end of the registration period. If you plan on participating remotely, you will need to contact us even earlier the ensure we put you in the best position for success. We recommend two weeks prior to the deadline at the very latest.

As with other Pwn2Own events, we’ll have a random drawing to determine the schedule of attempts prior to the contest, and we will proceed from there. As always, if you have questions, don't hesitate to get in touch with us at [email protected]. We will be happy to address your issues or concerns directly.

Now on to the four categories we’ll have for the first Pwn2Own Automotive contest:

            - Tesla
            - In-Vehicle Infotainment (IVI)
            - Electric Vehicle Chargers
            - Operating Systems

Tesla Category 

We introduced the Automotive Category at Pwn2Own Vancouver in 2019, and Pwn2Own Automotive wouldn’t be complete without something similar. Earlier this year, the team from Synacktiv combined multiple exploits to target a combination of systems. It will be interesting to see what researchers bring to Tokyo. Contestants can register an entry against either a Tesla Model 3/Y (Ryzen-based) or Tesla Model S/X (Ryzen-based) equivalent bench top unit.  Also note that while a Tesla is available as a prize, not every successful attempt will win the vehicle itself. Some of the targets have add-ons available, but to drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below:

Here’s some additional info on the optional add-ons that are included in targets:

Previous exploits in this category have provided highlights of past events, and we’re hopeful we’ll see something similar in Tokyo. If you are going to participate in this category, please notify us at least two weeks before the event so we can source the hardware in time for the contest.  

Back to top

In-Vehicle Infotainment (IVI)

When we started looking at targets within an automotive system, one of the first things we thought of was the first thing we looked at – the In-Vehicle Infotainment (IVI) system. These serve as radios and connect with our phones, but they do so much more as well. Navigation, in-car internet, and Wi-Fi are provided through these devices, but they also serve as a connection to other vehicle systems through the CAN bus – making them a ripe target for attackers. These devices are also retrofitted to existing vehicles to add modern capabilities – and perhaps modern vulnerabilities as well. For our first Pwn2Own Automotive contest, we’ll have three IVI devices to target. An attempt in this category must be launched against the target's exposed services or against the target’s communication protocols/physical interfaces that are accessible to a typical user.

Back to top

Electric Vehicle Chargers Category

There’s been a fair amount of research into the security of EVs, but there hasn’t been as much scrutiny around what we plug into an EV. Attack surfaces such as mobile apps, Bluetooth Low Energy (BLE) connections, and the OCPP protocol could all allow a threat actor to cause harm to an EV. For this event, we’ll have six different EV Chargers available as targets. An attempt in this category must be launched against the target's exposed services or against the target’s communication protocols/physical interfaces that are accessible to a typical user.

Back to top

Operating Systems

Most don’t think of operating systems within their car, but if you drive a recent Mercedes, Subaru, Mazda, or Toyota, there’s a good chance you’re also driving something with Automotive Grade Linux installed. How do these onboard OSes compare to their desktop counterparts? That’s what we aim to discover. An attempt in this category must be launched against the target's exposed services/features or launched against the target’s communication protocols that are accessible to a typical user.

Back to top

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2025).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt.

The Complete Details

The full set of rules for Pwn2Own Automotive 2024 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. We also encourage contestants to read this blog covering what to expect when participating in Pwn2Own.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. (Email only, please; queries via social media, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Japanese Standard Time on January 18, 2024.

The Results

We’ll be blogging and tweeting results in real-time throughout the competition. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OAuto hashtag for continuing coverage.

We look forward to seeing everyone in Tokyo and online, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to our Pwn2Own Automotive 2024 partners, Tesla, for providing their assistance and technology and to ChargePoint for providing hardware to use during the event. Thanks also to the researchers from VicOne for their guidance and recommendations.

©2023 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.
