Zero Day Initiative - Blog

Pwn2Own Tokyo (Live from Toronto) - Day Two Results

7 November 2020 at 14:26

We’ve wrapped up the second day of the 2020 edition of Pwn2Own Tokyo (Live from Toronto). Again, this year, our talented crew in the Toronto office is running the exploit attempts, while the contestants connect via a Zoom call to observe and troubleshoot as needed. For today, we awarded $59,000 for 10 bugs across five devices. Here’s a quick video with a recap of the day’s events: 

The second day began the same way the first day ended, with Team Flashback compromising the WAN interface on a wireless router. This time, they used three bugs to get arbitrary code execution on the TP-Link AC1750 Smart WiFi router. Their effort earned them another $20,000, which brings their two-day winnings to $40,000. It also puts them in the lead for Master of Pwn with 4 total points.

Figure 1 - Showing the shell gained on the TP-Link router

Next up, Team Bugscale targeted the Western Digital My Cloud Pro Series PR4100 NAS server. While they were able to successfully exploit the NAS, the bugs they used had been previously reported during the contest. This does count as a partial win, but no Master of Pwn points were awarded.

Figure 2 - Team Bugscale watches their exploit succeed

The next contestant was 84c0, who returned to target the LAN interface of the NETGEAR Nighthawk R7800 router. He used three different bugs to get a root shell on the device. However, one of the three bugs had previously been submitted. This is another partial win, with 84c0 earning $4,000 and .5 Master of Pwn points.

Figure 3 - 84c0 observes his exploit get a shell on the NETGEAR Nighthawk WiFi router

Pwn2Own veterans F-Secure Labs targeted the Samsung Q60T television and wasted no time in getting a reverse shell on the fully patched smart TV. However, the bug they used was publicly known, which means this is another partial win. They do earn 1 point towards Master of Pwn for their efforts.

Figure 4 - Showing the reverse shell from the Samsung Q60T smart TV

Sam Thomas of Pentest Ltd followed with an exploit chain targeting the Western Digital My Cloud Pro Series PR4100 NAS. He was able to gain arbitrary code execution through a combination of two bugs. However, one of the bugs had been previously submitted earlier in the contest. This results in another partial win, as Sam earns $10,000 and 1 Master of Pwn point.

Figure 5 - Sam Thomas of Pentest Ltd watches exploit on the Western Digital NAS succeed

In the penultimate attempt of Day Two, the team from Synacktiv used a trio of unique bugs to get a root shell via the LAN interface of the TP-Link AC1750 Smart WiFi router. They also gained some style points by having the router’s lights flash on and off in a showy display. The successful entry earned them $5,000 and 1 point towards Master of Pwn.

Figure 6 - The successful demonstration from the Synacktiv team included a light show on the router

The final entry of day two was filled with drama as the DEVCORE team targeted the Synology DiskStation DS418Play NAS. Their first attempt failed, and their second try needed more than three and a half minutes before their elegant heap overflow provided them with root access to the server. Their effort earns them $20,000 and 2 Master of Pwn points.

Figure 7 - The DEVCORE team notches a win with just 1:24 left in the second attempt

Here are the current Master of Pwn standings:

[Image: Master of Pwn standings after Day Two]

Day Three starts with the DEVCORE team targeting the Western Digital NAS. A fully successful exploit would put them in a tie with Team Flashback for Master of Pwn. A failure or partial win would mean Team Flashback can’t be caught and will win. It should be an exciting demonstration. The attempt will happen at 10:00 Eastern (UTC-4). 

Until then, stay tuned to our Twitter feed and this blog for tomorrow's results as we wrap up the 2020 edition of Pwn2Own Tokyo (Live from Toronto).

Pwn2Own Tokyo (Live from Toronto) – Day Three Results and Master of Pwn

8 November 2020 at 16:24

Pwn2Own Tokyo (Live from Toronto) has completed, but not without its fair share of drama and excitement. The third and final day of the competition saw us award $37,500 for 6 bugs across 4 devices. Here’s a quick video recapping the day’s events:

Our day began with the DEVCORE team successfully demonstrating their code execution bug chain on the Western Digital My Cloud Pro Series PR4100 NAS. They used a six-bug chain to get their root shell, but two of these bugs had been previously reported. They still earn $17,500 and 1.5 points towards Master of Pwn.

Figure 1 - Demonstrating the root shell on the Western Digital NAS

Next up, Team Bugscale targeted the LAN interface of the NETGEAR Nighthawk R7800 router. Unfortunately, they could not get their exploit to work within the time allotted.

Figure 2 - Team Bugscale could not get their exploit to work in the time allotted

Following that, Pwn2Own newcomer Gaurav Baruah targeted the Western Digital My Cloud Pro Series PR4100. He was able to demonstrate getting a root shell on the device. However, the bug he used had been previously reported during the contest. He still earns 1 point towards Master of Pwn.

Figure 3 - Gaurav Baruah watches his demonstration gain a root shell

The Viettel Cyber Security team returned for their second attempt of the contest. This time, the Sony X800 smart TV was their focus. They were able to read sensitive files from a fully patched device. However, the bug they used was publicly known. This partial win does result in 1 point towards Master of Pwn.

Figure 4 - Disclosing sensitive files from a Sony smart TV

In the final entry of the contest, the STARLabs team returned to target the Synology DiskStation DS418Play NAS. They combined a race condition and an Out-Of-Bounds (OOB) Read to get a root shell on the device. This successful demonstration earned them $20,000 and 2 Master of Pwn points.

Figure 5 - The STARLabs team observes the ZDI Bug Extraction Crew demonstrate their root shell on the Synology NAS

And thus ends another exciting Pwn2Own event. After counting all the points, Team Flashback, also known as Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro), came out on top and were crowned the Master of Pwn for the event. Congratulations to the duo of researchers. Here’s how the final standings look:

[Image: Final Master of Pwn standings after Day Three]

For the entire competition, we awarded $136,500 for 23 unique bugs across six different devices. As always, vendors have received the details of these bugs, and they now have 120 days to produce security patches to address the issues we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting research we saw this week.

Special Thanks

We wanted to be sure to thank everyone who participated in this year’s competition. There were definitely unique challenges to overcome, but everyone came together to not just make it happen – they made it fabulous. We want to thank the participants for trusting us with their research and allowing us to run each attempt. We want to thank vendors for their support and for dialing in throughout the disclosure process. Their continued involvement in coordinated disclosure and security response processes helps the entire community. Special thanks also go out to our partners Facebook for their continued support before and during the contest.

Our next competition will be in Vancouver, where enterprise applications and tools will be put to the test. We hope to see you there. Until then, you can follow the team for the latest in exploit techniques and security patches.

The November 2020 Security Update Review

10 November 2020 at 18:25

November is here and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for November 2020

Adobe kicked off their November patch cycle a bit early by releasing an update for Acrobat and Reader last Tuesday. The patch fixes 14 CVEs, four of which were reported through the ZDI program. Four of these CVEs are rated as Critical and could lead to code execution if a user opened a specially crafted PDF.

Today, Adobe released patches for Reader for Android and Connect fixing three total CVEs. The update for Reader for Android fixes an info disclosure bug. The two CVEs addressed by the Connect patch cover reflected cross-site scripting (XSS) bugs. None of the CVEs fixed by Adobe this or last week were listed as publicly known or under active attack at the time of release.

Microsoft Patches for November 2020

For November, Microsoft released patches to correct 112 CVEs in Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer (IE), Edge (EdgeHTML-based and Chromium-based), ChakraCore, Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio. After a brief dip in October, we’re back into the 110+ CVEs per month volume of patches again. That makes eight months this year with this level of patches, so we really need to think of this as the new normal.

Of these 112 patches, 17 are rated as Critical, 93 are rated as Important, and two are rated Low in severity. A total of six of these bugs came through the ZDI program. Only one bug is listed as publicly known and under active attack. You’ll notice some big changes in the documentation for this month’s release (see below for details). Microsoft has decided to withhold much of the information it had been publishing about the bugs being patched. Consequently, you’ll see less detail in this blog as well. We’ll still do what we can to parse the release with what data Microsoft does publish and our deep knowledge of bug reports. We do see quite a few of them. Let’s take a closer look at some of the more severe bugs in this release, starting with the bug currently being exploited:

- CVE-2020-17087 - Windows Kernel Local Elevation of Privilege Vulnerability
This privilege escalation bug was publicly disclosed by Google in late October. They noted it was combined with a Chrome bug to escape the browser sandbox and execute code on the target system. While not explicitly stated, the language used makes it seem the exploit is not yet widespread. However, considering there is a full analysis of the bug weeks before the patch, it will likely be incorporated into other exploits quickly.

- CVE-2020-17084 - Microsoft Exchange Server Remote Code Execution Vulnerability
This patch corrects a code execution bug in Exchange that was reported by Pwn2Own Miami winner Steven Seeley. With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned. It is very likely he will publish the details of these bugs soon. Microsoft rates this as Important, but I would treat it as Critical, especially since people seem to find it hard to patch Exchange at all.

- CVE-2020-17051 - Windows Network File System Remote Code Execution Vulnerability
With no description to work from, we need to rely on the CVSS to provide clues about the real risk from this bug. At a 9.8, it’s about as critical as a bug can get. Considering this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.

- CVE-2020-17040 - Windows Hyper-V Security Feature Bypass Vulnerability
Here’s another bug that could be helped by a description. It’s not clear which security feature in Hyper-V is being bypassed or how an attacker can abuse it. Again, the attack complexity is low, authentication is not required, and there is no user interaction. Additional details are needed to accurately judge the risk from this bug, but the title and CVSS values alone put this bug on everyone’s radar.

Here’s the full list of CVEs released by Microsoft for November 2020. 

| CVE | Title | Severity | Public | Exploited | Type |
|---|---|---|---|---|---|
| CVE-2020-17087 | Windows Kernel Local Elevation of Privilege Vulnerability | Important | Yes | Yes | EoP |
| CVE-2020-17105 | AV1 Video Extension Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-16988 | Azure Sphere Elevation of Privilege Vulnerability | Critical | No | No | EoP |
| CVE-2020-17048 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | RCE |
| CVE-2020-17101 | HEIF Image Extensions Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17106 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17107 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17108 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17109 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17110 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17053 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | RCE |
| CVE-2020-17058 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | RCE |
| CVE-2020-17078 | Raw Image Extension Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17079 | Raw Image Extension Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17082 | Raw Image Extension Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17052 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | RCE |
| CVE-2020-17051 | Windows Network File System Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17042 | Windows Print Spooler Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-1325 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important | No | No | Spoof |
| CVE-2020-16986 | Azure Sphere Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2020-16981 | Azure Sphere Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16989 | Azure Sphere Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16992 | Azure Sphere Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16993 | Azure Sphere Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16985 | Azure Sphere Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-16990 | Azure Sphere Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-16983 | Azure Sphere Tampering Vulnerability | Important | No | No | Tampering |
| CVE-2020-16970 | Azure Sphere Unsigned Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-16982 | Azure Sphere Unsigned Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-16984 | Azure Sphere Unsigned Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-16987 | Azure Sphere Unsigned Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-16991 | Azure Sphere Unsigned Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-16994 | Azure Sphere Unsigned Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17054 | Chakra Scripting Engine Memory Corruption Vulnerability | Important | No | No | RCE |
| CVE-2020-16998 | DirectX Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17049 | Kerberos Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17090 | Microsoft Defender for Endpoint Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17005 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | No | No | XSS |
| CVE-2020-17006 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | No | No | XSS |
| CVE-2020-17018 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | No | No | XSS |
| CVE-2020-17021 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | No | No | XSS |
| CVE-2020-17019 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17064 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17065 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17066 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17067 | Microsoft Excel Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17085 | Microsoft Exchange Server Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2020-17083 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17084 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17062 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17063 | Microsoft Office Online Spoofing Vulnerability | Important | No | No | Spoof |
| CVE-2020-17081 | Microsoft Raw Image Extension Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17086 | Microsoft Raw Image Extension Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-16979 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17017 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17061 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17016 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoof |
| CVE-2020-17060 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoof |
| CVE-2020-17091 | Microsoft Teams Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17020 | Microsoft Word Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17000 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-16997 | Remote Desktop Protocol Server Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17104 | Visual Studio Code JSHint Extension Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17100 | Visual Studio Tampering Vulnerability | Important | No | No | Tampering |
| CVE-2020-17102 | WebP Image Extensions Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17010 | Win32k Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17038 | Win32k Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17013 | Win32k Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17012 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17113 | Windows Camera Codec Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17029 | Windows Canonical Display Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17024 | Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17088 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17071 | Windows Delivery Optimization Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17007 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17036 | Windows Function Discovery SSDP Provider Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17068 | Windows GDI+ Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17004 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17040 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17035 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17045 | Windows KernelStream Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17030 | Windows MSCTF Server Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17069 | Windows NDIS Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17047 | Windows Network File System Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2020-17056 | Windows Network File System Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17011 | Windows Port Class Library Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17041 | Windows Print Configuration Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17001 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17014 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17025 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17026 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17027 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17028 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17031 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17032 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17033 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17034 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17043 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17044 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17055 | Windows Remote Access Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-1599 | Windows Spoofing Vulnerability | Important | No | No | Spoof |
| CVE-2020-17070 | Windows Update Medic Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17073 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17074 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17076 | Windows Update Orchestrator Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17077 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17075 | Windows USO Core Worker Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17037 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16999 | Windows WalletService Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17057 | Windows Win32k Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17015 | Microsoft SharePoint Spoofing Vulnerability | Low | No | No | Spoof |
| CVE-2020-17046 | Windows Error Reporting Denial of Service Vulnerability | Low | No | No | DoS |

You’ll notice this month’s patch table does not contain the Exploitability Index (XI) rating. Originally, XI was intended to help sysadmins prioritize which patches to test and deploy first. The thought was that some would prioritize Important-rated bugs likely to be exploited over Critical-rated bugs that were unlikely to be exploited. Since that time, security patches from Microsoft have become cumulative. Today, it is rare that you apply one patch for one component; you apply the monthly rollup that fixes many CVEs. Therefore, you have to treat all bugs in that update as though they have the highest XI rating, provided at least one bug fixed has the highest rating. It doesn’t make sense to call out the few XI=1 bugs when the whole update should be treated as XI=1. The exploitability index was a good initiative when it was introduced [PDF] back in 2008. These days, it’s an outdated rating that has run its course.

The other big change this month relates to Microsoft’s removal of the description section of the CVE overview. In Microsoft’s examples on their blog explaining the change, they pick some simple cases to review. In those cases, an accurate CVSS is really all you need. After all, there’s only so much you can say about another SharePoint cross-site scripting (XSS) bug or a local privilege escalation that requires you to log on and run a specially crafted program. However, CVSS itself is not flawless. For example, “Privileges Required” and “User Interaction” are relatively straightforward to answer. Other fields, such as “Attack Complexity”, have gray areas where people can disagree on the rating. From Microsoft’s perspective, I’m sure they think they know best about how to rate a bug. There have been times when the researcher who found the bug disagreed.

As someone who has written many bulletins myself, I understand the repetitive nature of these descriptions. I have literally forgotten how many kernel EoP bugs I have written up - and they were all almost identical. However, there are those outlier cases where a description does matter. Two examples are above. Another example is CVE-2020-17049. What security feature in Kerberos is being bypassed? What is the likelihood? As a network defender, I have defenses to mitigate risks beyond just applying security patches. Should I employ those other technologies while the patches roll out? Until I have some idea of the answers to those questions, I can’t accurately assess the risk to my network from this or any of the other bugs with outstanding questions. Hopefully, Microsoft will decide to re-add the executive summaries in future releases.

Back to the actual patches…

Looking at the Critical-rated updates, most involve either one of the browsers or a video codec. We’re seeing more and more research into the multitude of codecs available for Windows, so expect this trend to continue. There’s also a code execution bug in the print spooler that could be worrying. There are quite a few bugs related to Azure Sphere, including a Critical-rated one. However, you most likely won’t need to take any action on these bugs. IoT devices running Azure Sphere connected to the Internet check for updates every day and have likely already applied the patches. You only need to take action if your devices are not connected to the Internet or if you are a device manufacturer.

There are a relatively high number of remote code execution bugs getting fixes this month. Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out – simply because so many students are using Teams right now and may not be as security savvy as adults. It does require user interaction, so remind your kids not to click on links from strangers. There’s also another Exchange Server code execution bug, but this one has a lower CVSS than the one previously mentioned. Steven has been a busy guy.

There are a total of 37 elevation of privilege (EoP) bugs getting fixes this month. In most of these cases, an attacker would need to log in to a target system and then run a specially crafted program to escalate privileges. There are a couple of exceptions, such as CVE-2020-17012. In this case, the specific flaw exists within the bindflt.sys driver. A crafted request with an IOCTL of 0x220000 can perform remapping of directories. This was reported through the ZDI program, so we do have a good understanding of this bug.

There are a significant number of information disclosure bugs being addressed this month as well. For the most part, the information leaked consists of unspecified memory contents. There are a couple of exceptions. The first impacts Azure Sphere and could allow attackers to find device information like resource IDs, SAS tokens, user properties, and other sensitive information. There’s also a bug in SharePoint that could allow attackers to read from the file system.

Six patches address spoofing bugs, but without a description, it’s difficult to guess what these might be. The spoofing bugs in SharePoint typically indicate XSS, but CVE-2020-1599, titled “Windows Spoofing Vulnerability”, could be just about anything. The same could be said for the tampering fixes for Azure Sphere and Visual Studio. The November release is rounded out by four patches to address XSS in Microsoft Dynamics 365.

The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The final Patch Tuesday for 2020 falls on December 8, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!

Detailing SaltStack Salt Command Injection Vulnerabilities

24 November 2020 at 17:30

On November 03, SaltStack released a security patch for Salt to fix three critical vulnerabilities. Two of these fixes were in response to five bugs originally reported through the ZDI program. These bugs can be used to achieve unauthenticated command injection on a system running the affected Salt application. ZDI-CAN-11143 was reported to the ZDI program by an anonymous researcher, while the remaining bugs are variants of ZDI-CAN-11143 discovered by me. In this blog, we will look into the root cause of these bugs.

The Vulnerability 

The vulnerabilities affect the rest-cherrypy netapi module of the application. The rest-cherrypy module provides REST APIs for Salt. The module is dependent on the CherryPy Python module and is not enabled by default. To enable the rest-cherrypy module, the master configuration file /etc/salt/master must contain the following lines:

In this case, the “/run” endpoint is important. It is used to issue commands via the salt-ssh subsystem. The salt-ssh subsystem allows the execution of Salt routines using Secure Shell (SSH).

A POST request sent to the “/run” API will invoke the POST() method of the salt.netapi.rest_cherrypy.app.Run class, which eventually calls the run() method of salt.netapi.NetapiClient:

As shown above, the run() method validates the value of the client parameter. Valid values of the client parameter are “local”, “local_async”, “local_batch”, “local_subset”, “runner”, “runner_async”, “ssh”, “wheel”, and “wheel_async”. After validating the client parameter, it checks for the presence of the token or eauth parameter in the request. Interestingly, the method doesn’t validate the value of the token or eauth parameter. Because of this, an arbitrary value of the token or eauth parameter can pass this check. Once this check is passed, the method invokes a corresponding method depending on the value of the client parameter.

The vulnerability occurs when the value of the client parameter is “ssh”. In this case, the run() method calls the ssh() method. The ssh() method executes salt-ssh commands synchronously by calling the cmd_sync() method of the salt.client.ssh.client.SSHClient class, which eventually results in the _prep_ssh() method being called.

The _prep_ssh() function sets parameters and initializes the SSH object.

ZDI-CAN-11143

The vulnerable request to trigger this vulnerability is as follows:

In this, the value of the client parameter is “ssh” and the vulnerable parameter is ssh_priv. Internally, the ssh_priv parameter is used during SSH object initialization, as shown below:

The value of the ssh_priv parameter is used as the path of the SSH private key file. If the file at that path does not exist, the gen_key() method in salt/client/ssh/shell.py is called to create it, with ssh_priv passed as the path argument. gen_key() generates an RSA key pair and stores it at the location given by path.

The method shown above indicates that path is not sanitized and is interpolated into a shell command that creates the RSA key pair. If ssh_priv contains shell metacharacters, user-controlled commands execute when subprocess.call() runs that command string. This allows an attacker to run arbitrary commands on the system running the Salt master.

On further investigation of the SSH object initialization method, it can be observed that multiple variables are set to the user-controlled HTTP parameters’ values. Later on, these variables are used as arguments in a shell command to execute an SSH command. Here, the user, port, remote_port_forwards, and ssh_options variables are vulnerable as shown below:

The _update_targets() method sets the user variable, which depends on the tgt or ssh_user value. If the value of the tgt HTTP parameter is in “user@host” format, the part before the @ is assigned to the user variable. Otherwise, the value of user is set from the ssh_user parameter. The port, remote_port_forwards, and ssh_options values are taken from the ssh_port, ssh_remote_port_forwards, and ssh_options HTTP parameters, respectively.

After initializing the SSH object, the _prep_ssh() method spawns a child process via handle_ssh() to eventually execute the exec_cmd() method of salt.client.ssh.shell.Shell class.

As shown, exec_cmd() first calls _cmd_str() to build a command string without any validation. It then calls _run_cmd() to execute that string by explicitly invoking the system shell. The shell treats injected metacharacters as control characters rather than as part of the command's arguments, so executing the crafted command string leads to arbitrary command injection.
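The shell-versus-argv distinction that both gen_key() and exec_cmd() hinge on, as an added example that is not Salt's code: `echo` stands in for the key-generation and ssh binaries so the example runs anywhere, the ssh_priv value is constructed for the example, and the helper names are assumptions.

```python
import subprocess

# Constructed attacker-supplied ssh_priv value: a path with a trailing shell command.
EVIL_SSH_PRIV = "/tmp/salt_ssh_key; echo INJECTED"


def keygen_command_string(path):
    """Pre-patch pattern: user input formatted straight into one string.
    'echo' stands in for the key-generation binary so this runs anywhere."""
    return "echo generating key at {0}".format(path)


def run_with_shell(path):
    """shell=True hands the string to /bin/sh, so ';' ends one command and starts another."""
    proc = subprocess.run(keygen_command_string(path), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_with_argv(path):
    """Post-patch pattern: an argv list and no shell. The whole value is one argument."""
    proc = subprocess.run(["echo", "generating key at", path],
                          capture_output=True, text=True)
    return proc.stdout


def build_ssh_argv(user, host, port, options):
    """Argv-style counterpart of a command string built from the ssh_user,
    ssh_port and ssh_options parameters: values are validated, not quoted."""
    port = int(port)                         # 'port; id'-style values raise ValueError here
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    argv = ["ssh", "-p", str(port)]
    for opt in options:
        if "=" not in opt or opt.startswith("-"):
            raise ValueError("malformed ssh option: " + opt)
        argv += ["-o", opt]
    return argv + ["{0}@{1}".format(user, host)]


def has_shell_metachars(value):
    """Cheap input check for netapi parameters that end up on a command line."""
    return any(c in value for c in ";|&$`\n<>()")


if __name__ == "__main__":
    print(run_with_shell(EVIL_SSH_PRIV), end="")   # second line 'INJECTED' appears
    print(run_with_argv(EVIL_SSH_PRIV), end="")    # the ';' is just part of the path
    print(build_ssh_argv("bob", "10.0.0.5", "22", ["StrictHostKeyChecking=no"]))
```

Dropping the shell stops the metacharacter problem, but it does not make these parameters safe on their own: ssh_options and ssh_user still reach ssh as arguments, and an ssh option such as ProxyCommand runs a command by design. That is why validating the values and, above all, authenticating the caller matter as much as the shell change.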

Conclusion:

SaltStack released patches to fix the command injection and authentication bypass vulnerabilities. In doing so, they assigned them CVE-2020-16846 and CVE-2020-25592, respectively. The patch for CVE-2020-16846 addressed the vulnerability by disabling the system shell when executing commands. The disabling of the system shell means that shell metacharacters will be treated as part of the arguments of the first command.

The patch for CVE-2020-25592 addressed the vulnerability by adding validation for the eauth and token parameters. This allows only valid users to access the salt-ssh functionality via the rest-cherrypy netapi module. These were the first SaltStack bugs to come through the ZDI program, and they were interesting to work on. We hope to see more in the future.

You can find me on Twitter @nktropy, and follow the team for the latest in exploit techniques and security patches.

The December 2020 Security Update Review

8 December 2020 at 18:24

December is upon us and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for December 2020

Adobe kicked off their December patch release with four CVEs fixed with updates for Adobe Prelude, Experience Manager, and Lightroom. The patch for Prelude fixes a Critical-rated uncontrolled search path vulnerability that could lead to remote code execution. The Experience Manager patch addresses a cross-site scripting (XSS) bug and an information disclosure bug caused by a blind server-side request forgery. The update for Lightroom addresses a Critical-rated uncontrolled search path element vulnerability that could lead to arbitrary code execution. None of these bugs are listed as publicly known or under active attack at the time of release.

Interestingly, Adobe also noted they will be releasing an update for Acrobat and Reader at some point this week. This blog will be updated once they do.

Update: The update for Acrobat and Reader was released on December 9, 2020. It fixes a single CVE that could lead to information disclosure.

Microsoft Patches for December 2020

For December, Microsoft released patches to correct 58 CVEs and one new advisory in Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere. December is historically a light month of patches from Microsoft and this remains true for 2020. It also brings their CVE total to 1,250 for the year. It will be interesting to see if these trends continue in 2021.

Of these 58 patches, nine are rated as Critical, 46 are rated as Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. None of the bugs patched this month are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more severe bugs in this release, starting with the bug found by multiple researchers:

-       CVE-2020-17132 - Microsoft Exchange Remote Code Execution Vulnerability
This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs to be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.

-       CVE-2020-17121 - Microsoft SharePoint Remote Code Execution Vulnerability
Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack. Similar bugs patched earlier this year received quite a bit of attention. We suspect this one will, too.

-       CVE-2020-17095 - Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release. However, if Microsoft is wrong about the attack complexity, this could rate as high as 9.9. 

-       CVE-2020-16996 - Kerberos Security Feature Bypass Vulnerability
This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed. We do know this impacts Kerberos Resource-Based Constrained Delegation (RBCD), as Microsoft has released guidance on managing the deployment of RBCD/Protected User changes in a new KB article. This likely helps to protect against RBCD attacks such as the one detailed here. This patch adds the NonForwardableDelegation registry key to enable protection on Active Directory domain controller servers. This will be enforced in a future update in February. 

Here’s the full list of CVEs released by Microsoft for December 2020. 

CVE | Title | Severity | Public | Exploited | Type
CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | RCE
CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE
CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important | No | No | Spoof
CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability | Important | No | No | Spoof
CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability | Important | No | No | XSS
CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important | No | No | Info
CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | EoP
CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability | Important | No | No | RCE
CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability | Important | No | No | SFB
CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability | Important | No | No | Info
CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability | Moderate | No | No | SFB
CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability | Moderate | No | No | Spoof
CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability | Moderate | No | No | Spoof

Looking at the remaining Critical-rated updates, only one (surprisingly) impacts the browser. That patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory corruption condition, which leads to code execution. The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season. There are two patches for Dynamics 365 for Finance and Operations (on-premises), but both are listed as post-authentication. There’s another SharePoint patch, and multiple additional Exchange patches. Interestingly, there are two Important-rated Exchange patches that are documented as being identical to the Critical-rated ones. They have the same CVSS score, the same FAQs, and the same affected products. Be on the safe side and count those as Critical-rated bugs, too.

Moving on to the Important-rated updates, we find 10 Office bugs impacting Outlook, PowerPoint, and Excel. Most are Excel open-and-own types of bugs, although there is also an Excel SFB that requires a group policy to be set. While these types of bugs aren’t typically all that exciting, there are currently no updates for Office 2019 for Mac. If you’re using that edition, be extra vigilant about clicking links until the update arrives.

There are a surprising number of security feature bypass (SFB) bugs getting patched this month. In addition to those previously mentioned, the Azure SDK for both C and Java receive patches. Azure Sphere also gets an SFB fixed, although this should have been automatically applied to IoT devices running Sphere. You only need to take action on that one if your devices are isolated from the update service. There’s an SFB-related patch for the Windows Overlay Filter. There’s no information about it from Microsoft but given the researcher who found it, we’ll likely see some details soon. Perhaps the most interesting SFB this month is in the Windows lock screen. An attacker with physical access could bypass the lock screen of someone who had logged in and locked their session. I’m sure this bug will be a favorite for on-site red teams for years to come.

There are a handful of information disclosure bugs getting patched this month. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, there is a bug in the Windows Error Reporting service that could allow an attacker to read from the file system. The info disclosure bug in SharePoint could allow an attacker to view SQL table columns that are normally hidden. There’s a mysterious info disclosure bug being patched in Exchange. Microsoft simply states the information disclosed is “sensitive information.” With no further information to work with, assume a successful attacker could expose any email on the server.

The December release also contains a fair number of Elevation of Privilege (EoP) fixes. The majority of these are found in the Windows Backup Engine and the Cloud Files Mini Filter Driver. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a handful of spoofing bugs receiving fixes this month, but without a description, it’s difficult to guess what these might be. The release is rounded out by a Cross-Site Scripting (XSS) bug in Dynamics CRM Webclient.

Looking at the new advisory for December, ADV200013 provides guidance on a spoofing vulnerability in the DNS Resolver. While they provide no information on whether this is being exploited in the wild, they recommend limiting the UDP buffer size to 1221. Implementing this will cause larger DNS queries to switch to TCP, so it seems a relatively safe change to make. The other advisory for this month is the monthly revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The first Patch Tuesday for 2021 falls on January 12, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean! Merry Christmahanakwanzika!

CVE-2020-27897: Apple macOS Kernel OOB Write Privilege Escalation Vulnerability

10 December 2020 at 17:08

On Tuesday of this week, we published six advisories covering vulnerabilities in Apple macOS. One of those advisories covered a bug reported by ABC Research s.r.o. pertaining to GPUs in Apple hardware. It’s one of many macOS bugs they have submitted to the program. Now that these bugs are fixed in Big Sur, we can cover the details. In this blog, we’ll be taking a closer look at ZDI-20-1403/CVE-2020-27897, which could allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.

Certain MacBook models come with an Intel graphics module, and macOS uses kernel extensions for managing it. One of these is called AppleIntelKBLGraphics. We will be talking about a local privilege escalation vulnerability in that module.

Communication between user-space and the Intel kernel driver is done using IOConnectCallMethod, which ultimately utilizes Mach messages. IntelMTLRenderFunctions is a class that handles kernel commands from clients for rendering the UI via its execute() method. Each kernel command is identified by a numeric value. In our case, we will be concerned with command 0x10005. Along with the kernel command number, execute() also accepts a buffer from the client. An offset in this buffer is used in an arithmetic operation that produces an address of a structure. This operation occurs without boundary checks and causes an out-of-bounds write vulnerability.

The code path that ends up in IntelMTLRenderFunctions::execute() starts as follows: A user-space client creates two shared memory mappings by calling the IOAccelSharedUserClient2::create_shmem() function, which is made available by another kernel extension, IOAcceleratorFamily2. The first memory mapping will be used as a segment descriptor for the request and the second contains a command buffer. create_shmem() registers the mappings with unique IDs and returns them. Those IDs are then passed to IOAccelCommandQueue::s_submit_command_buffers() along with the kernel command buffer, which is roughly an array of the following structure:

The array is split up later and eventually reaches IGAccelCommandQueue::processKernelCommand() as a single kernel command having a structure such as:

From there, it goes to IntelMTLRenderFunctions::execute() in AppleIntelKBLGraphics for processing the kernel command 0x10005.

A functional exploit is shown where the aforementioned kernel task port is exposed.

Conclusion

Bugs in kernel drivers are always interesting even though their attack vector requires an accompanying RCE vulnerability. With such a pair of vulnerabilities, full compromise becomes possible. This is accurate for both macOS and iOS. Thanks again to ABC Research s.r.o. for submitting this and all of their other bugs to the program. We’ll be publishing details about the more interesting submissions as they patch out.

You can find me on Twitter at @ziadrb, and follow the team for the latest in exploit techniques and security patches.

The Top 5 Bug Submissions of 2020

16 December 2020 at 16:23

As the year draws to a close, we thought it would be fun to look back at some of the best submissions we received throughout 2020. We’re very close to having a record-breaking year in terms of published advisories, so narrowing 1,400+ bugs to just five was quite the challenge. In the end, we came up with the following submissions from 2020 that stood out from the pack. Without further ado and presented in no particular order, here are our Top 5 submissions for 2020.


CVE-2020-0688/ZDI-20-258: Microsoft Exchange Server Exchange Control Panel Fixed Cryptographic Key Remote Code Execution Vulnerability

This bug was reported to the program by an anonymous researcher. This highly critical vulnerability in Microsoft Exchange Server allows any authenticated Exchange user to gain SYSTEM privileges on the server. The vulnerability is found in the Exchange Admin Center web interface. Even though this web interface is called an “Admin” interface, by default it is available to any user who has credentials to a mailbox on the Exchange server and is exposed on the network alongside Outlook Web Access. The vulnerability relates to the cryptographic keys (“machine keys”) installed in the Exchange Admin Center ASP.NET application. Exchange should generate these keys randomly at install time so that they will be secret and unique to every installation. Instead, they are copied verbatim from install media, so that an outside attacker can know these keys by referring to any other installation of the product. An attacker can use knowledge of the keys to forge messages that will be deserialized at the server, leading to arbitrary code execution. Vulnerabilities in Exchange Server are highly significant because Exchange is at the nerve center of the enterprise, making it an exceptionally valuable target for adversaries. If your organization has not yet applied the patch, it is imperative to do so at the very earliest time. For further details about this bug, including a video of the bug in action, refer to our previous blog covering the full details of this vulnerability.

CVE-2020-3992/ZDI-20-1377: VMware ESXi SLP Use-After-Free Remote Code Execution Vulnerability

This bug was discovered by ZDI vulnerability researcher Lucas Leong. ESXi is an enterprise-class hypervisor developed by VMware. One of the protocols enabled by default in ESXi is the Service Location Protocol (SLP). SLP is a protocol that enables clients to discover networked services. The most popular implementation of SLP is OpenSLP. However, Lucas discovered that ESXi uses its own custom implementation. Furthermore, there were flaws in this custom implementation that led to two critical security issues. One of these security issues resulted in an SLPMessage object being freed within SLPDProcessMessage() despite the program still retaining a reference to the freed object in the SLPDatabase structure. This results in a Use-After-Free (UAF) condition that can be exploited by a remote attacker from the WAN. This vulnerability was initially reported as ZDI-CAN-11563. However, the security patch produced by VMware did not fully address the issue. This resulted in a bypass that was reported to VMware as ZDI-CAN-12190. It should be noted that in addition to being remotely exploitable, these SLP bugs can be used for sandbox escapes by processes running within a restricted environment. This vulnerability is a great example that even heavily researched products such as ESXi contain attack surfaces that are often overlooked, with dangerous security implications.

CVE-2020-9850/ZDI-20-672: Apple Safari in Operator JIT Type Confusion Remote Code Execution Vulnerability

This bug was reported during the spring Pwn2Own competition by the team from the Georgia Tech Systems Software & Security Lab. This bug is a portion of an interesting chain of bugs that starts with Webkit’s type confusion in the DFG tier, similar to last year’s bug. Then comes Safari’s ability to execute “.app” symlinks, which is aided by a heap overflow bug in OpenGL’s CVM (Core Virtual Machine). Add to that a first-time app protection bypass, root access, and privilege escalation in cfprefsd and kextload respectively due to race conditions. The end result was a successful Pwn2Own demonstration, which earned the team $70,000. The dedication of those researchers in finding and exploiting six vulnerabilities is mind-boggling. This all occurs behind the scenes when an unsuspecting victim visits a simple web page. Imagine browsing the web and 10 seconds later, malicious code is running on your machine. That is pretty neat I would say.

CVE-2020-7460/ZDI-20-949: FreeBSD Kernel sendmsg System Call Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability

This vulnerability was reported to the ZDI program by a researcher who goes by the name m00nbsd. The bug allows an attacker to achieve kernel-level code execution on FreeBSD starting from an unprivileged user using a Time-Of-Check Time-Of-Use (TOCTOU) vulnerability present in the 32-bit sendmsg() system call. The vulnerability is a double-fetch bug in a system call. To trigger the overflow, userland must quickly replace one of the MsgLen values with a bigger value between the first access and the second access. An attacker could trigger this by spawning a thread that calls sendmsg() in a loop, giving it correct arguments. They could then spawn another thread that replaces one of the MsgLen with a gigantic value and then puts back the correct value in a loop. Wait for the two threads to race and the overflow will be triggered. It is surprising that the depth of the bug is quite shallow and yet it survived for many years. We previously blogged about this bug back in September, and you can read all of the details (including PoC) here.

CVE-2020-17057/ZDI-20-1371: Microsoft Windows DirectComposition Uninitialized Pointer Privilege Escalation Vulnerability

This bug was reported to the ZDI program by an anonymous researcher. This is a vulnerability in the Windows DirectComposition kernel-mode graphics component. The win32kbase!DirectComposition::CInteractionTrackerMarshaler::SetBufferProperty function populates an object of type DirectComposition::CInteractionTrackerMarshaler based upon data passed from user mode. If this function encounters invalid data, it branches to an error path, which attempts to release resources the function has already created and stored in the object. Due to a bug in this error path, the function can be influenced to release a pointer that was never initialized. This gives an attacker control over the instruction pointer in kernel mode, which can be leveraged to gain SYSTEM privileges.


Thanks for joining us as we recapped some of the best bugs submitted to the ZDI program this year. It’s been an amazing year for the program as we celebrated 15 years of operation. Many things have changed over the years, but our desire to work with independent security researchers from around the globe has never wavered. If you have submitted to the program, we thank you for your hard work and participation. If you haven’t submitted to the program, we hope you consider doing so in the future.

Until then, you can follow the ZDI team on Twitter for the latest in exploit techniques and security patches.

CVE-2020-7468: Turning Imprisonment to Advantage in the FreeBSD ftpd chroot Jail

21 December 2020 at 18:05

In July, we received a local privilege escalation bug in FreeBSD from an anonymous researcher. The target is the file transfer protocol daemon (ftpd) that ships as part of FreeBSD. It provides a feature, ftpchroot, that is designed to restrict the file system access of authenticated users. The feature is implemented using the “chroot” system call, a security technique commonly known as a “chroot jail”. A chroot jail functions by confining a process to a restricted portion of the filesystem. By exploiting a vulnerability in the implementation, though, an attacker can actually use this imprisoned state to gain an enormous advantage, escalating their privileges from a restricted FTP account to `root`. This allows the attacker to execute arbitrary code on the system. This vulnerability was present in the FreeBSD FTP daemon for a long time. It can be traced back to FreeBSD 6.3-RELEASE. The bug was assigned CVE-2020-7468/ZDI-20-1431 and the patch was released in September.

The Vulnerability

The root cause of the vulnerability is the flawed handling of chroot() inside freebsd/libexec/ftpd/ftpd.c. Here is a simplified version of the vulnerable function:

If an FTP user attempts to log in and is configured to be jailed inside a chroot jail in /etc/ftpchroot, ftpd will call the chroot and chdir syscalls as shown above. If the chdir syscall fails, the code jumps to label bad. In this situation, ftpd still awaits a new login, but the connection is already locked inside the chroot jail. This causes incorrect behavior during the next login attempt on that connection.

Exploitation

In order to force the chdir syscall to fail during login, an attacker can change the permissions on their home directory by using the command chmod 0. Additionally, the attacker would upload a specially prepared file named etc/spwd.db relative to their home directory. This file is a modified password database of a regular FreeBSD system containing a known password for the root user. After a chdir failure, ftpd is locked inside the chroot jail, so that all subsequent file system accesses are made relative to the user’s home folder instead of the true root of the filesystem. As a result, when performing authentication for a subsequent login, ftpd reads the attacker’s spwd.db instead of the legitimate /etc/spwd.db located relative to the true root of the filesystem. At this point, the attacker can log in as root with the known password. The next step is to upload /etc/pam.d/ftpd and /usr/lib/pam_opie.so.5. The first file forces ftpd to load several dynamic libraries, including the second file, during the login process. The second file is designed to break out of the chroot jail with the obtained root permission and execute a reverse shell. Then, the attacker can execute arbitrary code as root. Here is a summary of the steps of the exploit.

  1. Log in as a restricted FTP account.
  2. Upload etc/spwd.db containing a known root password.
  3. Execute chmod 0.
  4. Log in as the restricted FTP account again. During login, chdir fails, leaving the ftpd process locked in the chroot jail.
  5. Log in as root with the known password.
  6. Upload /etc/pam.d/ftpd and /usr/lib/pam_opie.so.5, which contains a reverse shell.
  7. Log in as the restricted FTP account again. As before, chdir fails, leaving the ftpd process locked in the chroot jail.
  8. Log in as root with the known password. ftpd executes the reverse shell.

The Patch

To address this vulnerability, FreeBSD made a simple change. If the chdir syscall fails, ftpd will now close the connection immediately.
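An added in-memory model, not ftpd's own code, of the login sequence above and of the patch: it resolves paths the way a chrooted process sees them and compares the pre-patch and patched handling of a failed chdir on one connection. The filesystem contents, password values, reply strings and class names are constructed for the example.

```python
import posixpath

HOME = "/home/jailed"

# Constructed filesystem: the system password database and the attacker's
# modified copy uploaded as etc/spwd.db under the jailed account's home.
FS = {
    "/etc/spwd.db": {"root": "real-root-secret", "jailed": "ftp-pass"},
    HOME + "/etc/spwd.db": {"root": "attacker-known", "jailed": "ftp-pass"},
}


class FtpdSession:
    """One ftpd child process handling one client connection."""

    def __init__(self, patched, home_mode=0o755):
        self.patched = patched
        self.home_mode = home_mode   # mode bits on HOME (attacker has run 'chmod 0')
        self.root = "/"              # effective root after chroot(); never reset
        self.open = True
        self.jailed_login = False

    def _resolve(self, path):
        # Absolute paths are looked up beneath the process's current root.
        return path if self.root == "/" else posixpath.normpath(self.root + path)

    def login(self, user, password):
        if not self.open:
            raise ConnectionError("connection closed")
        if self.jailed_login:
            # A completed chroot login may not switch users on this connection.
            return "530 Can't change user from a chrooted login."
        db = FS.get(self._resolve("/etc/spwd.db"), {})
        if db.get(user) != password:
            return "530 Login incorrect."
        if user == "jailed":
            self.root = HOME                  # chroot(HOME)
            if not (self.home_mode & 0o100):  # chdir(HOME) fails without search permission
                if self.patched:
                    self.open = False         # patch: drop the connection immediately
                    return "550 Can't change directory; closing connection."
                # pre-patch 'goto bad': login state reset, process still chrooted
                return "550 Can't change directory."
            self.jailed_login = True
        return "230 User {0} logged in.".format(user)


def exploit_succeeds(patched):
    """Replays steps 4 and 5 of the sequence on a connection whose home
    directory has already been chmod 0'd and seeded with etc/spwd.db."""
    s = FtpdSession(patched=patched, home_mode=0)
    s.login("jailed", "ftp-pass")
    try:
        return s.login("root", "attacker-known").startswith("230")
    except ConnectionError:
        return False


if __name__ == "__main__":
    print("pre-patch root login:", exploit_succeeds(patched=False))
    print("patched root login:  ", exploit_succeeds(patched=True))
```

With the pre-patch behaviour the second login reads the attacker's copy of spwd.db through the jail and accepts the known root password; with the patch the connection is gone before a second USER command can arrive. The model also shows why the chdir failure matters: a login whose chdir succeeds refuses to switch users, so the attacker needs the error path to reach a fresh login while still jailed.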

Conclusion

This is a logic bug for privilege escalation. Because of this, this bug is quite reliable, unlike the FreeBSD privilege escalation we blogged about in September. This is the first bug submitted by this anonymous researcher. We don’t receive many bug reports for the FreeBSD operating system, so we hope they submit more in the future.

You can find me on Twitter @_wmliang_, and follow the team for the latest in exploit techniques and security patches.

CVE-2020-7468: Turning Imprisonment to Advantage in the FreeBSD ftpd chroot Jail

MindShaRE: Analysis of VMware Workstation and ESXi Using Debug Symbols from Flings

7 January 2021 at 17:27

The availability of debug symbols greatly assists a researcher in understanding a software architecture, performing live debugging or static analysis. An end-to-end black box analysis of a closed source hypervisor is a time-consuming process. Microsoft has made this work easier by publishing debug symbols for most of the Hyper-V components. However, there is still no debug info available for VMware Workstation (WS) or ESXi. Considering this, the Project Zero blog posts on Adobe Reader symbols greatly inspired me to carry out a similar analysis for VMware.

This blog details how VMware Flings can be useful in obtaining some of the symbol information stripped from VMware WS or ESXi. Flings are free, short-term projects released without support by VMware mostly as an enhancement to some of the existing products. The two Flings of interest for this analysis are VNC Server and VNC Client and ESXi ARM Edition, the former having DWARF debug information for SVGA device implementation and the latter having function names of many other components of the vmx worker process.      

SVGA symbols in VNC Server and VNC Client Fling

The VNC Server and VNC Client Fling was released in February 2016. It is a cross-platform VNC implementation with code leveraged from VMware Workstation. The Fling has VNC server and client binaries for all major operating systems: Windows, Linux, and Mac. The Windows binary is not accompanied by a corresponding PDB debug file, but the Mac and Linux binaries have the debug information embedded in them.

In order to understand the code shared by VNC Fling and WS, I decided to compare the binaries having debug information against vmware-vmx. For the comparison to be effective, it is best to choose a WS version released around the same timeline as that of the Fling. The idea behind this is to increase the likelihood of having a similar code base as well as build environment. Since the Fling was released on February 25, 2016, the following list of WS and Fusion releases seemed ideal for analysis:

WS version   Fusion version   Release date
12.0.1       8.0.2            29 Oct 2015
12.1.0       8.1.0            08 Dec 2015
12.1.1       8.1.1            21 Apr 2016
12.5.0       8.5.0            08 Sep 2016

 

IDA’s F.L.I.R.T. (version 7.5) was my first choice for performing signature matching between executables. To generate the pattern file, I modified the IDB2PAT script published by FireEye to support 64-bit RIP-relative addressing. In RIP-relative addressing, 32-bit signed displacements (+/- 2GB) are used to reference code or data. These 4 bytes of displacement are treated as variable bytes during signature generation. Below is the essential part of the patch applied to the find_ref_loc() function:

Three binaries are under consideration: mksVNCServer for Linux, mksVNCClient for Linux, and mksVNCServer for macOS. The mksVNCServer binary returned the best results during signature matching and also has a superset of the functions available in mksVNCClient. Moreover, the availability of DWARF debug information provides rich details regarding the source code, structure declarations, function inlining and other optimizations. WS version 12.1.0, released a couple of months before the Fling, turned out to be the most promising one. Here is the summary of FLIRT signature matching:

WS version   FLIRT hits
12.0.1       40041
12.1.0       43283
12.1.1       43231
12.5.0       42998
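The RIP-relative masking described above (the reason the IDB2PAT script needed a 64-bit patch) is shown here as an added example; it is not the author's patch and not FireEye's script. It emits FLIRT .pat lines in the layout of FLAIR's pat.txt (32 pattern bytes with ".." for variable bytes, then CRC length, CRC16 and function length) and marks the four displacement bytes of every [rip+disp32] operand and call/jmp rel32 as variable. IDB2PAT takes instruction boundaries and operand types from IDA; the tiny length decoder below is a stand-in that covers only the encodings in the constructed sample and raises on anything else rather than misaligning. The sample function bytes and the function names are made up for the demo.

```python
"""Generate FLIRT .pat lines for x86-64 functions, treating RIP-relative
disp32 and rel32 operands as variable bytes. Added example; the layout
follows FLAIR's pat.txt and the CRC16 is the one given there (poly 0x8408)."""

POLY = 0x8408  # CRC-16 polynomial used in FLAIR's pat.txt


def crc16(data: bytes) -> int:
    """Reflected CRC16, 0xFFFF initial value, inverted and byte-swapped at the end."""
    if not data:
        return 0
    crc = 0xFFFF
    for byte in data:
        for _ in range(8):
            if (crc ^ byte) & 1:
                crc = (crc >> 1) ^ POLY
            else:
                crc >>= 1
            byte >>= 1
    crc = ~crc & 0xFFFF
    return ((crc << 8) | (crc >> 8)) & 0xFFFF


# Minimal x86-64 length decoder for the handful of encodings in the sample.
# It raises on anything outside its subset so we never emit a bogus pattern.
MODRM_OPS = {0x01, 0x03, 0x29, 0x2B, 0x31, 0x33, 0x39, 0x3B, 0x63, 0x85, 0x89, 0x8B, 0x8D}
MODRM_IMM8_OPS = {0x83}
REL32_OPS = {0xE8, 0xE9}
ONE_BYTE_OPS = {0x90, 0xC3, 0xC9, 0xCC} | set(range(0x50, 0x60))


def decode_one(code: bytes, i: int):
    """Return (length, [offsets of PC-relative displacement bytes]) for code[i:]."""
    start = i
    if 0x40 <= code[i] <= 0x4F:            # REX prefix
        i += 1
    op = code[i]
    i += 1
    if op in ONE_BYTE_OPS:
        return i - start, []
    if op in REL32_OPS:                    # call/jmp rel32: target is PC-relative
        return i - start + 4, list(range(i, i + 4))
    if op in MODRM_OPS or op in MODRM_IMM8_OPS:
        modrm = code[i]
        i += 1
        mod, rm = modrm >> 6, modrm & 7
        variable = []
        if mod == 0 and rm == 5:           # [rip + disp32]: mask the displacement
            variable = list(range(i, i + 4))
            i += 4
        else:
            if mod != 3 and rm == 4:       # SIB byte present
                sib = code[i]
                i += 1
                if mod == 0 and (sib & 7) == 5:
                    i += 4                 # disp32 with no base register (not PC-relative)
            i += {1: 1, 2: 4}.get(mod, 0)  # disp8 / disp32 off a register: keep as-is
        if op in MODRM_IMM8_OPS:
            i += 1
        return i - start, variable
    raise ValueError(f"unsupported opcode {op:#04x} at offset {start}")


def variable_offsets(code: bytes) -> set:
    """Offsets of all bytes that must become '..' in the pattern."""
    i, variable = 0, set()
    while i < len(code):
        length, var = decode_one(code, i)
        variable.update(var)
        i += length
    return variable


def pat_line(name: str, code: bytes) -> str:
    """One .pat record: 32-byte pattern, CRC length, CRC16, function length, name."""
    variable = variable_offsets(code)
    head = code[:32]
    pattern = "".join(".." if k in variable else f"{b:02X}" for k, b in enumerate(head))
    pattern += ".." * (32 - len(head))    # functions shorter than 32 bytes are padded
    # The CRC covers the bytes after the 32-byte prefix up to the first
    # variable byte, at most 255 of them.
    crc_bytes = bytearray()
    for k in range(32, min(len(code), 32 + 255)):
        if k in variable:
            break
        crc_bytes.append(code[k])
    return f"{pattern} {len(crc_bytes):02X} {crc16(bytes(crc_bytes)):04X} {len(code):04X} :0000 {name}"


# Constructed sample: the same function as two builds would lay it out, with
# different RIP-relative displacements and a different call target.
SAMPLE_A = bytes.fromhex(
    "55"              # push rbp
    "4889E5"          # mov rbp, rsp
    "488D05D1120000"  # lea rax, [rip+0x12d1]
    "488B0D78563412"  # mov rcx, [rip+0x12345678]
    "E8ABCDEFFF"      # call rel32
    "4883C420"        # add rsp, 0x20
    "5D"              # pop rbp
    "C3"              # ret
)
SAMPLE_B = bytes.fromhex("55" "4889E5" "488D0500000000" "488B0D11223344" "E800000000" "4883C420" "5D" "C3")
# Same prologue with extra fixed bytes so that a CRC region exists past byte 32.
SAMPLE_LONG = SAMPLE_A[:-1] + bytes.fromhex("4883C420" "4883C420" "90" "C3")

if __name__ == "__main__":
    for label, code in (("build_a", SAMPLE_A), ("build_b", SAMPLE_B), ("long_func", SAMPLE_LONG)):
        print(pat_line(label, code))
```

With the displacements masked, both builds of the sample produce the same record, which is what lets a signature made from mksVNCServer match the corresponding code in vmware-vmx even though every RIP-relative reference was relocated by the linker.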

 

After narrowing down the version of interest, I relied on the symbol porting feature in BinDiff to import the function and variable names from mksVNCServer.

Figure 1 - vmware-vmx after porting symbols using BinDiff

Anyone who has previously looked into VMware’s SVGA attack surface will recognize where these functions originate. If you are new to this, Wandering through the Shady Corners of VMware Workstation/Fusion and Straight outta VMware [PDF] are excellent references to start with. 

What other essential information can be ported to WS from the Fling? The type information. IDA can export the type information from mksVNCServer as a C header, which can then be loaded into vmware-vmx. There are some caveats to this approach. The exported C header needs a few fixes before IDA can parse it, such as renaming variables that collide with C++ keywords (new, template, class and private) and rewriting certain variadic function definitions. Once the type information is imported, function prototypes can be ported too. To accomplish this, first extract each prototype from mksVNCServer as a function_name:function_type key-value pair, then iterate through the extracted entries and apply each prototype to the function of the same name in the symbolized vmware-vmx.

Figure 2 - vmware-vmx after porting function prototypes

At this point, it is convenient to analyze vmware-vmx and mksVNCServer side-by-side. Moreover, there are a couple of other tools from the dwarves suite [PDF] that I find useful for static analysis of available DWARF information: pahole and pfunct.

pahole was originally developed to inspect alignment holes in structures using DWARF debug information. Considering that mksVNCServer is compiled with debug information, pahole provides a way to analyze data structures, their size, and their usage information in the source file. It is possible to either query a particular structure by name using -C or dump everything including anonymous structures using -a and then grep for information.

Similarly, pfunct provides great insights about functions. This is especially useful in recovering details regarding inlined function definitions and local variable optimizations. Consider the below case of StateFFP_TranslateSM4(), where pfunct allows us to statically map a code block from 0xe8610 - 0xe864c (60 bytes) to AddOutputDecl().

Figure 3 - Block of inlined code belonging to AddOutputDecl()

Now what? Can we put together all this information for a better understanding of past vulnerabilities or research? Yes - the first thing that comes to mind is shader translation. In fact, StateFFP_TranslateSM4() analyzed using pfunct is one of those vulnerable functions.

WS 12.5.5 released in March 2017 fixed some vulnerabilities in shader translation. We are not going to dive into the details of the bugs again. Wandering through the Shady Corners of VMware Workstation/Fusion provides a very detailed walkthrough of shader attack surface, the vulnerabilities found in opcode handling, and the proof-of-concepts to trigger them. I was more curious to check what the vulnerable code looks like after porting all the symbols and type information to WS 12.1.0.

Figure 4 - Vulnerabilities in StateFFP_TranslateSM4()

Clearly, the decompiled code has more information than was previously available from vmware-vmx-debug. This is just the tip of the iceberg: many more shader bugs have been fixed over the years. In the current state of GPU virtualization, shaders are probably the JavaScript of hypervisors. Given the reality of this complex and ever-growing attack surface, VMware has now introduced a sandboxed graphics renderer as a security enhancement.

At this point, one might wonder if this debug information from the Fling is still relevant, given it was released 5 years back? I strongly believe that it is. Despite all the changes due to bug fixes and feature additions, the core design and APIs have not changed drastically. Also, this can be a great addition to the paper Straight outta VMware [PDF] for anyone interested in analyzing VMware’s SVGA implementation.

Symbols in ESXi ARM edition

The next Fling of choice is the more recent ESXi ARM edition, released on October 6, 2020. Since ESXi ARM is bound to share a lot of code with ESXi x86, this is an easy pick for analysis when compared to the VNC Fling. But how do we set up ESXi ARM? The readily available options are installation on a Raspberry Pi or emulation with QEMU. However, a more convenient option for static analysis is to just extract the vmx executable from the ISO image. To get this working, install ESXi x86 7.0 (available for free download) as a guest VM, then extract the ESXi ARM vmx executable using the vmtar utility that ships with ESXi x86. Note that the vmx mentioned in this section has nothing to do with Virtual Machine Extensions (VMX) but refers to the VMware worker process executable.

After successfully extracting the vmx aarch64 ELF, things did not go as I hoped. The binary was completely stripped of debug information. However, the dynamic section had a lot more entries than one would generally see in an executable. A quick line count of readelf -s returned a number as high as ~25k. Below is a rough comparison of the number of entries in the dynamic symbol table of ESXi for x86 and ARM (Fling version 1.1):

Executable   Entries in x86   Entries in ARM
vmx          820              25200
vmx-debug    845              25434
vmx-stats    822              30496

 

It looks like the aarch64 executables were linked with the --export-dynamic/-E flag, which exports all non-static functions and global variables into the dynamic symbol table. Let’s do a quick grep for a known attack surface, say the virtual XHCI USB controller recently patched by VMware.

The results are surprisingly good. In the case of a virtual device, these function names help us identify the code block emulating a particular hardware specification. There are also symbols available for many other low-level interfaces, such as the PhysMem family of functions mentioned in the patent for Transparent Page Sharing [TPS]. Even when a virtual device has minimal dynamic symbols (UHCI, EHCI, etc.), the presence of symbols for the other low-level APIs makes it easier to understand.
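The triage above boils down to readelf plus grep. As an added example (not the author's tooling), the block below parses the text that `readelf -Ws --dyn-syms <elf>` prints, keeps the defined symbols, and counts them per component prefix, so that one listing shows which subsystems (XHCI_, PhysMem_, SVGA_ and so on) have names at all. The sample table is constructed in readelf's column layout; the symbol names in it are made up for the demo and are not claimed to exist in any VMware binary.

```python
"""Parse `readelf -Ws --dyn-syms <elf>` output and group the defined symbols
by component prefix. Added example for triaging an --export-dynamic'ed binary."""
import re
from collections import Counter

# One .dynsym row of readelf -Ws output. The size column is decimal, or
# 0x-prefixed hex for large objects; UND entries may carry a " (n)" version
# index after the name.
SYM_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<value>[0-9a-fA-F]+)\s+(?P<size>0x[0-9a-fA-F]+|\d+)\s+"
    r"(?P<type>\w+)\s+(?P<bind>\w+)\s+(?P<vis>\w+)\s+(?P<ndx>\S+)\s+(?P<name>\S+)"
    r"(?:\s+\(\d+\))?\s*$"
)


def parse_readelf_syms(text: str) -> list:
    """Return one dict per symbol row; headers and the unnamed entry 0 are skipped."""
    syms = []
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if not m:
            continue
        s = m.groupdict()
        s["num"] = int(s["num"])
        s["value"] = int(s["value"], 16)
        s["size"] = int(s["size"], 0)
        s["defined"] = s["ndx"] != "UND"   # imports have no code in this binary
        syms.append(s)
    return syms


def component(name: str) -> str:
    """XHCI_Reset -> XHCI, PhysMem_Get -> PhysMem, main -> (no prefix)."""
    base = name.split("@", 1)[0]          # drop a @VERSION suffix
    return base.split("_", 1)[0] if "_" in base else "(no prefix)"


def components(syms: list, sym_type: str = "FUNC") -> Counter:
    """Count defined symbols of the given type per component prefix."""
    return Counter(component(s["name"]) for s in syms if s["defined"] and s["type"] == sym_type)


def grep(syms: list, needle: str) -> list:
    """Case-insensitive name search, the readelf | grep step done in Python."""
    needle = needle.lower()
    return [s["name"] for s in syms if needle in s["name"].lower()]


# Constructed sample in readelf -Ws layout; the names are invented for the demo.
SAMPLE = """\
Symbol table '.dynsym' contains 9 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.17 (2)
     2: 0000000000412340   212 FUNC    GLOBAL DEFAULT   13 XHCI_DeviceInit
     3: 0000000000412420  1040 FUNC    GLOBAL DEFAULT   13 XHCI_HandleCommandRing
     4: 0000000000412830    96 FUNC    GLOBAL DEFAULT   13 PhysMem_Get
     5: 0000000000412890    64 FUNC    GLOBAL DEFAULT   13 PhysMem_Release
     6: 0000000000600100    48 OBJECT  GLOBAL DEFAULT   20 XHCI_ConfigTable
     7: 0000000000412900 0x12345 FUNC    GLOBAL DEFAULT   13 SVGA_FifoLoop
     8: 0000000000412a00    32 FUNC    GLOBAL DEFAULT   13 main
"""

if __name__ == "__main__":
    syms = parse_readelf_syms(SAMPLE)
    print(f"{len(syms)} named symbols, {sum(s['defined'] for s in syms)} defined")
    for prefix, count in components(syms).most_common():
        print(f"{count:6d}  {prefix}_*")
    print("xhci:", grep(syms, "xhci"))
```

Pipe `readelf -Ws --dyn-syms vmx` into parse_readelf_syms() for the real binary; sorting components() by count is a quick way to see which emulated devices and runtime subsystems kept their names and which (UHCI, EHCI) did not.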

Once the initial analysis is over, we can port the symbols from ESXi ARM to ESXi x86. Since BinDiff has the ability to compare executables from two different CPU architectures, this is a very realistic use case to try out this feature.   

Figure 5 - Symbols ported to ESXi x86 from ESXi ARM using BinDiff

In fact, the results turned out to be very satisfying. We never had so many symbols for ESXi before, and this provides a good start for side-by-side analysis. Moreover, with the availability of symbols for vmx executable, one can understand its communication with Virtual Machine Monitor (VMM) much better. 

In regards to the VMM, a couple of observations have already been made. An embedded VMM ELF in the vmx executable is loaded by a kernel driver (Hypervisor Framework [PDF]). Also, the embedded ELF has symbols (Wandering through the Shady Corners of VMware Workstation/Fusion). Dumping the VMM is a two-stage process: a loader vmmblob ELF followed by another embedded vmmmods ELF.
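Dumping the embedded loader and VMM images comes down to finding ELF headers inside another file. The block below is an added example, not the tooling used in the original post: it scans a buffer for the ELF magic, validates the header that follows, bounds the image size from its program and section header tables, and keeps scanning inside each hit so that a nested image (a vmmmods inside a vmmblob inside vmx, as described above) is reported as well. The build_fake_elf64() helper and the buffers built from it are constructed for the demo; the field layout it uses is the standard Elf64_Ehdr/Elf64_Phdr format.

```python
"""Carve embedded ELF64 images out of a larger binary: scan for the ELF magic,
validate the header, and bound the image size from its header tables.
Nested images are reported too. Added example, not VMware tooling."""
import struct

ELF_MAGIC = b"\x7fELF"
MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
EHDR_FMT, PHDR_FMT = "HHIQQQIHHHHHH", "IIQQQQQQ"   # Elf64_Ehdr after e_ident / Elf64_Phdr


def parse_elf64(buf: bytes, off: int):
    """Return {offset, machine, type, size} for a plausible ELF64 at buf[off], else None."""
    if buf[off:off + 4] != ELF_MAGIC or off + 64 > len(buf):
        return None
    ei_class, ei_data, ei_version = buf[off + 4], buf[off + 5], buf[off + 6]
    if ei_class != 2 or ei_data not in (1, 2) or ei_version != 1:
        return None                                  # not ELF64, or a bad ident
    end = "<" if ei_data == 1 else ">"
    (e_type, e_machine, e_version, _entry, e_phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(
        end + EHDR_FMT, buf, off + 16)
    if e_version != 1 or e_ehsize != 64 or e_machine not in MACHINES:
        return None
    if (e_phnum and e_phentsize != 56) or (e_shnum and e_shentsize != 64):
        return None
    # Lower bound on the image size: the furthest byte referenced by the
    # program headers' file ranges or by the section header table.
    size = 64
    for k in range(e_phnum):
        p = off + e_phoff + k * 56
        if p + 56 > len(buf):
            return None                              # truncated program header table
        _ptype, _pflags, p_offset, _va, _pa, p_filesz, _memsz, _align = struct.unpack_from(
            end + PHDR_FMT, buf, p)
        size = max(size, p_offset + p_filesz)
    if e_phnum:
        size = max(size, e_phoff + e_phnum * 56)
    if e_shnum:
        size = max(size, e_shoff + e_shnum * 64)
    if off + size > len(buf):
        return None                                  # header claims more than we have
    return {"offset": off, "machine": MACHINES[e_machine], "type": e_type, "size": size}


def carve_elf64(buf: bytes) -> list:
    """Find every ELF64 image in buf, including ones nested inside another."""
    found, pos = [], buf.find(ELF_MAGIC)
    while pos != -1:
        hdr = parse_elf64(buf, pos)
        if hdr:
            found.append(hdr)
        pos = buf.find(ELF_MAGIC, pos + 1)           # keep scanning inside the image
    return found


def build_fake_elf64(machine: int, payload: bytes) -> bytes:
    """Constructed minimal ELF64: header, one PT_LOAD covering payload, no sections."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = ident + struct.pack("<" + EHDR_FMT, 2, machine, 1, 0x400000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<" + PHDR_FMT, 1, 5, 120, 0x400000, 0x400000, len(payload), len(payload), 0x1000)
    return ehdr + phdr + payload


if __name__ == "__main__":
    # Constructed layout mirroring the two-stage case: an AArch64 "VMM" image
    # embedded in an x86-64 "loader" image embedded in a larger host binary.
    inner = build_fake_elf64(0xB7, b"vmm")
    outer = build_fake_elf64(0x3E, b"loader" + inner)
    host = b"JUNK" * 10 + outer + b"tail"
    for hit in carve_elf64(host):
        print(f"ELF64 {hit['machine']:8s} at {hit['offset']:#x}, {hit['size']} bytes")
        with open(f"carved_{hit['offset']:x}.elf", "wb") as f:
            f.write(host[hit["offset"]:hit["offset"] + hit["size"]])
```

The size is a lower bound taken from the headers, which is enough when the section header table sits at the end of the image as linkers normally place it; for an image whose payload is appended after the tables, extend the range by hand before loading the carved file into IDA.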

Figure 6 - Embedded vmmblob loader code

Figure 7 - Embedded vmmmods VMM code

These symbols are available not only in the ESXi ARM edition but across ESXi x86 and WS. What I really wanted to check was how much of the code in the VMM overlaps with that of vmx. Can symbols in the VMM be ported to vmx? Since the ARM edition has symbols for both vmx and the VMM, it is an ideal choice for this comparison. We are particularly interested in BinDiff matches based on “name hash matching”. Though around 100 entries were found, only a few had high similarity. Most other functions differ in their implementations, making it hard to port the symbols from the VMM.

Figure 8 - PhysMem_Get - vmx (left) vs VMM (right)

Figure 8 - PhysMem_Get - vmx (left) vs VMM (right)

Porting the symbols from the VMM is not a concern anyway, since the vmx executable in ESXi ARM already has them. Evidently, the time spent searching and matching the Flings has provided us with useful debug information beyond vmx-debug or the VMM. It also demonstrates how some seemingly insignificant pieces of software can carry a significant amount of information about production code.

Conclusion

Going forward, Flings can be a great addition for anyone analyzing WS/ESXi or other VMware products. They certainly proved to be helpful in obtaining some of the symbol information stripped from VMware WS or ESXi. Understanding these debug symbols is key to understanding how the program works and where vulnerabilities may be found. Hopefully, Flings will help your research into VMware vulnerabilities as well.

You can find me on Twitter @RenoRobertr, and follow the team for the latest in exploit techniques and security patches.

The January 2021 Security Update Review

12 January 2021 at 18:27

Welcome to the new year, and welcome to the first Patch Tuesday of 2021. Take a break from your regularly scheduled activities and join us as we review the details for the latest security offerings from Microsoft and Adobe. 

Adobe Patches for January 2021

This month, Adobe released seven updates addressing eight CVEs in Adobe Campaign Classic, Photoshop, Illustrator, Animate, InCopy, Captivate, and Bridge. Two of these bugs came through the ZDI program. The patch for Campaign Classic fixes a single Server-side request forgery (SSRF) vulnerability. The Photoshop patch fixes a single heap-based buffer overflow. The update for Illustrator corrects a Critical-rated uncontrolled search path element vulnerability. That’s the same story for the Animate and InCopy patches. The update for Captivate also fixes an uncontrolled search path element bug, but this one is only rated Important. The final Adobe patch for January fixes two Out-Of-Bounds (OOB) write bugs in Bridge. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2021

For January, Microsoft released patches for 83 CVEs covering Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Seven of these CVEs were submitted through the ZDI program. Of these 83 CVEs, 10 are listed as Critical and 73 are listed as Important in severity. According to Microsoft, one bug is publicly known, and one other bug is known to be actively exploited at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

- CVE-2021-1647 - Microsoft Defender Remote Code Execution Vulnerability
This bug in the Microsoft Malware Protection Engine may already be patched on your system, as the engine auto-updates as needed. However, if your systems are not connected to the Internet, you’ll need to apply the patch manually. Microsoft does not state how widespread the active attacks are.

- CVE-2021-1648 - Microsoft splwow64 Elevation of Privilege Vulnerability
This bug was publicly disclosed by ZDI after it exceeded our disclosure timeline. It was also discovered by Google, likely because this patch corrects a bug introduced by a previous patch. The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer dereference. The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.

- CVE-2021-1677 - Azure Active Directory Pod Identity Spoofing Vulnerability
This vulnerability exists in the way that Azure Active Directory (AAD) Pod Identity allows users to assign identities to pods in Kubernetes clusters. When an identity is assigned to a pod, the pod can access the Azure Instance Metadata Service (IMDS) endpoint and obtain a token for that identity. This could allow an attacker to laterally steal the identities associated with different pods. This one also requires more than just a patch to fix: anyone with an existing installation will need to re-deploy their cluster and use Azure CNI instead of the default Kubernetes networking plugin.

- CVE-2021-1674 - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
This patch is a bit of a mystery. It carries a relatively high CVSS score (8.8), but without an executive summary, we can only guess which security feature in RDP Core is being bypassed. Short of reversing the patches, we don’t even know how this differs from CVE-2021-1669 - Windows Remote Desktop Security Feature Bypass Vulnerability. What we do know is that RDP has been a popular target in recent memory, and these bugs should be taken seriously. Without any solid information to act on, defenders should assume the worst-case scenario and restrict access to RDP wherever possible.

Here’s the full list of CVEs released by Microsoft for January 2021. 

CVE Title Severity Public Exploited Type
CVE-2021-1647 Microsoft Defender Remote Code Execution Vulnerability Critical No Yes RCE
CVE-2021-1648 Microsoft splwow64 Elevation of Privilege Vulnerability Important Yes No EoP
CVE-2021-1665 GDI+ Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1643 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1668 Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1705 Microsoft Edge (HTML-based) Memory Corruption Vulnerability Critical No No RCE
CVE-2021-1658 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1660 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1666 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1667 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1673 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1723 .NET Core and Visual Studio Denial of Service Vulnerability Important No No DoS
CVE-2021-1649 Active Template Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1677 Azure Active Directory Pod Identity Spoofing Vulnerability Important No No Spoofing
CVE-2021-1725 Bot Framework SDK Information Disclosure Vulnerability Important No No Info
CVE-2021-1651 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1680 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1644 HEVC Video Extensions Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1691 Hyper-V Denial of Service Vulnerability Important No No DoS
CVE-2021-1692 Hyper-V Denial of Service Vulnerability Important No No DoS
CVE-2021-1713 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1714 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1711 Microsoft Office Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1712 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1719 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1707 Microsoft SharePoint Server Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1718 Microsoft SharePoint Server Tampering Vulnerability Important No No Tampering
CVE-2021-1641 Microsoft SharePoint Spoofing Vulnerability Important No No Spoofing
CVE-2021-1717 Microsoft SharePoint Spoofing Vulnerability Important No No Spoofing
CVE-2021-1636 Microsoft SQL Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1710 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1715 Microsoft Word Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1716 Microsoft Word Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1678 NTLM Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1664 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1671 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1700 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1701 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1656 TPM Device Driver Information Disclosure Vulnerability Important No No Info
CVE-2020-26870 Visual Studio Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1699 Windows (modem.sys) Information Disclosure Vulnerability Important No No Info
CVE-2021-1642 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1685 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1638 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1683 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1684 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1679 Windows CryptoAPI Denial of Service Vulnerability Important No No DoS
CVE-2021-1652 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1653 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1654 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1655 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1659 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1688 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1693 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1637 Windows DNS Query Information Disclosure Vulnerability Important No No Info
CVE-2021-1645 Windows Docker Information Disclosure Vulnerability Important No No Info
CVE-2021-1703 Windows Event Logging Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1662 Windows Event Tracing Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1657 Windows Fax Compose Form Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1708 Windows GDI+ Information Disclosure Vulnerability Important No No Info
CVE-2021-1696 Windows Graphics Component Information Disclosure Vulnerability Important No No Info
CVE-2021-1704 Windows Hyper-V Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1661 Windows Installer Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1697 Windows InstallService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1682 Windows Kernel Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1706 Windows LUAFV Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1689 Windows Multipoint Management Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1676 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1695 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1663 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1670 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1672 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1674 Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1669 Windows Remote Desktop Services ActiveX Client Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1702 Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1650 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1694 Windows Update Stack Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1681 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1686 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1687 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1690 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1709 Windows Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1646 Windows WLAN Service Elevation of Privilege Vulnerability Important No No EoP

Of the remaining Critical-rated patches, five involve remote code execution (RCE) bugs in the Remote Procedure Call (RPC) runtime. What’s really curious is that there are four Important-rated patches for RPC as well. However, the CVSS and other descriptors are all identical. There’s no indication why some are listed as Critical and others are listed as Important. Similarly, there’s a Critical-rated patch for HEVC Video Extensions that is documented the same as the Important-rated patch for HEVC Video Extensions. Either way, you’ll get the update for both through the Microsoft Store. Those who use either the Microsoft Store for Business or the Microsoft Store for Education will be able to get this update through their organizations. Rounding out the Critical-rated patches are an update for Edge and a patch for GDI+.

Moving on to the other patches, the update for the Active Template Library (ATL) stands out. Back in 2009, multiple bulletins and advisories were required to correct a typo. It’s not clear if the situation is that dire with this update, but if you created anything using ATL, you will likely need to apply the patch and then recompile your program. That’s also likely true for the patch to fix an EoP in the Windows Runtime C++ Template Library.

In looking at the Important-rated bugs that could allow RCE, the SharePoint bug should not be ignored. It does require authentication, but it could allow an authenticated user to take complete control of the system. The patch for Visual Studio also stands out. This update fixes a bug in Cure53 DOMPurify, which is an open-source library used by Visual Studio. The fix for this has been available since September, so you should treat this as though it was publicly disclosed. The remaining code execution bugs cover “Open-and-Own” bugs in Office components. An attacker would need to send a specially crafted file and convince a user to open it with an affected component. That would allow the attacker to execute code of their choice at the level of the logged-on user.

Similar to last month, there are multiple security feature bypasses being fixed this month. In addition to the two already mentioned, there are three impacting the Bluetooth component and one impacting NTLM. CVE-2021-1638 is definitely intriguing as it requires no authentication and no user interaction. The other Bluetooth bugs do require some level of user interaction. The bypass for NTLM requires some level of user interaction but no authentication. Again, without executive summaries, we can only speculate about the true severity of these bypasses.

There are a total of 34 EoP bugs getting patches this month. For almost all of these, an attacker would need to log on to a system and then execute specially crafted code to elevate their permissions. Most of these are in various Windows components, but the ones in Hyper-V and SharePoint stand out. Speaking of SharePoint, this month’s release also includes patches to fix a tampering bug and two spoofing bugs in SharePoint.

This month includes four patches to correct Denial-of-Service (DoS) bugs. Two of these bugs are in Hyper-V, and one is in .NET Core and Visual Studio. The last of these bugs resides in the Windows CryptoAPI and can be reached remotely. According to the CVSS rating, there is some level of user interaction involved, but no authentication is needed. 

Rounding out this release are 11 patches fixing information disclosure bugs. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, the info leak in Windows Docker is a bit more severe. This vulnerability could allow an attacker to decrypt data that was encrypted by the data protection API (DPAPI). It’s not clear if you need to re-encrypt data after applying this patch, but this has been required for similar bugs in the past. Without specifics on the bug, it’s tough to offer specific guidance. The other info disclosure bug that piques curiosity is the bug impacting the Bot Framework SDK. For this component, we’re just told the information leaked is “sensitive information.” Still, if you use the SDK, make sure you get an unaffected version.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Looking Back at the Zero Day Initiative in 2020

14 January 2021 at 14:00

As we enter 2021, now is a good time to look back at what the Zero Day Initiative has accomplished during the past year. Although it was a year filled with challenges, 2020 was the busiest year in the history of the program. We began by hosting a completely new edition of Pwn2Own. The inaugural Pwn2Own Miami saw researchers test their exploits against Industrial Control Systems (ICS) and SCADA products. As successful as that event was, it ended up being the only physical contest we held in 2020. With the spread of COVID-19, holding an event in person was no longer an option. Undaunted, we held our first virtual Pwn2Own Vancouver in March. We followed that up with Pwn2Own Tokyo (Live from Toronto) in November, where we streamed the contest live and demonstrated some great exploits from researchers around the world.

In 2020, we did a little reflecting on the history of our program as we celebrated 15 years of purchasing vulnerabilities. We’ve gone from buying just a single bug in 2005 to more than 8,000 bugs over that time. Last year we moved into some new vulnerability categories as well. Historically, we do not buy bugs in hardware, but in 2020, we ended up buying 41 bugs in wireless routers. We also expanded our purchasing of local privilege escalation and denial-of-service bugs. In February, we expanded our Targeted Initiative Program (TIP) by creating special incentives for bugs impacting Trend Micro products. 

The quality of the research submitted to the program continues to amaze us. We already listed our Top 5 bugs of 2020, but those just scratch the surface of the submissions in 2020. We could not do what we do without the input and talent of our global community of independent researchers. Their work and submissions are key to our success, and we thank them for their continued trust in our program. Our program also wouldn’t work without vendors generating and releasing fixes for the vulnerabilities we report to them. The ZDI would not be able to sustain this level of advisories – and thus, better protections for Trend Micro customers – without the contributions of researchers and vendors, and we thank them for all they do.

By the Numbers

As of now, the ZDI has published 1,453 advisories for 2020 – the most ever in the history of the program. We usually see some notifications from vendors early in the new year of vulnerabilities patched late in the previous year (but where advisories were not coordinated). Because of this, the actual number of 2020 advisories may eventually increase. We’ll update this blog with the final numbers when we have them. Here’s how that number of advisories stacks up year-over-year.

Figure 1 - Published Advisories Year-Over-Year

Coordinated disclosure of vulnerabilities continues to be a successful venture. However, 2020 saw our largest percentage of 0-day disclosures ever with 18.6% of all our disclosures published without a fix from the vendor. The sector that has the most difficulty meeting our disclosure timelines continues to be ICS/SCADA vendors, but they were joined by enterprise software vendors like Microsoft and HPE and hardware manufacturers D-Link and NETGEAR. Still, we were able to successfully coordinate 1,138 advisory releases in 2020, which is greater than the total number of advisories released in 2019. 

Figure 2 - 0-day Disclosures Since 2005

Here’s a breakdown of advisories by vendor. The top vendors really should not be shocking. What is somewhat surprising is the amount of “All Others” once you get past the top 20. That’s up 5% year-over-year and shows we are acquiring vulnerabilities in a wide array of vendors and products.

Figure 3 - Advisories per vendor for 2020

We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2020, we did just that. A total of 80% of these vulnerabilities were rated Critical or High severity.

Figure 4 - CVSS 3 Scores for 2020

Here’s how that compares to the previous five years.

Figure 5 - CVSS Scores from 2015 Through 2020

As you can see, after 2018 we made a conscious effort to ensure we were acquiring vulnerabilities that have the greatest impact to our customers. We expect this trend to continue. 

Looking Ahead

Moving into 2021, we anticipate we will remain as busy as ever. We currently have more than 500 bugs reported to vendors awaiting disclosure. That gets us a third of the way to publishing 1,500 advisories, which is not out of the question. There won’t be a Pwn2Own Miami in 2021, but we will have events in the spring and in the fall. Hopefully one or both can even be in person. Regardless, we’ll be streaming these contests moving forward, so if you ever wanted to attend Pwn2Own but couldn’t, you can now watch them online.

The ZDI vulnerability researchers will continue to be busy, as well. In 2020, roughly 20% of the advisories were cases submitted by ZDI researchers. When they aren’t reviewing submissions, ZDI researchers are usually found hunting their bugs, and they are pretty good at it. One of our big focus areas for research is in virtualization technologies. Over the past year, ZDI researchers have found 44 bugs that impact various virtualization products. This includes four remote code execution bugs in VMware ESXi discovered by ZDI Vulnerability Researcher Lucas Leong. We’ll be publishing more details about these bugs and the exploit he wrote using them once the fixes roll out.

Speaking of blogging, for the second year in a row, we published more than 60 blogs throughout the year, and we hope to keep that pace up moving forward. Expect patch blogs, exploit demonstrations, and more from the MindShaRE series. We’ve already published the first of those. This year, we’ll also be blogging more about what exploits and trends we’re detecting in the wild. In other words, 2021 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter for the latest updates from the ZDI.

Looking Back at the Zero Day Initiative in 2020

ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier

19 January 2021 at 17:13

In April 2020, the ZDI received a Linux kernel submission that turned out to be an incorrect calculation bug in the extended Berkeley Packet Filter (eBPF) verifier. If you’re not familiar with it, eBPF is a Linux subsystem that is designed to safely execute untrusted, user-defined extensions inside the kernel for purposes such as packet filtering. It relies on static analysis to protect the kernel against problematic extensions. The submission we received from Ryota Shiga (@Ga_ryo_) of Flatt Security bypasses the eBPF verification and can lead to out-of-bounds (OOB) access in the Linux kernel. The eBPF verifier is a well-known source of Linux kernel local privilege escalation vulnerabilities and has been seen in many cases in the past, including being used at Pwn2Own 2020.

This vulnerability affects Linux kernel long-term versions from 4.9 to 4.13. One particular distribution, Debian 9, is currently using an affected kernel version. The ZDI is disclosing this bug publicly as ZDI-20-1440 without a patch in accordance with our 120-day disclosure policy.

The Vulnerability

If you are not familiar with the eBPF verifier, we highly recommend the write-up by Manfred Paul (@_manfp). There are two passes of verifications before executing any BPF programs. The first pass (check_cfg()) ensures the code is loop-free. The second pass (do_check()) attempts to determine if there are any invalid instructions or possible memory violations. Emulation is used to check for possible memory violations. The incorrect calculation described here comes from opcode BPF_RSH during the second pass. The following excerpts are based on 4.9.249.

The BPF_RSH (unsigned right shift) instruction belongs to the BPF_ALU64 class of instructions. When emulating BPF_RSH, do_check calls check_alu_op at (1), which then calls adjust_reg_min_max_vals at (2). At (3) and (4), it tries to update the minimum and maximum value of dst_reg based upon how the shift operation will modify dst_reg. Note that the local variables min_value and max_value contain the known bounds of the operand that specifies the shift distance. There are corresponding fields named min_value and max_value that hold the known bounds of dst_reg.

However, the calculations at (3) and (4) are wrong. For example, to calculate max(a >> b) (the maximum possible value of a when right-shifted by b bits), the correct formula is max(a) >> min(b). (To understand why, consider that a right shift is equivalent to division by a power of two. The largest possible result is produced by choosing the largest possible numerator and the smallest possible denominator.) Instead, the code at (4) calculates max(a) >> max(b). A corresponding mistake is present at (3).

The consequences of bounds miscalculation during eBPF verification are catastrophic. If the attacker later uses dst_reg as the address for a load or store, the verification in (5) below will be bypassed.

Once the eBPF program passes verification, it will execute in the kernel, and the attacker can achieve an out-of-bounds memory access, as seen in (6) below.

The Trigger

Before triggering the bug, we have to first create two bpf maps with bpf_create_map(). A bpf map is a memory region designated to be accessible from within eBPF code. One map is for triggering the bug, while the other is the target for OOB access. The following opcodes perform preliminary work:

The BPF_FUNC_map_lookup_elem function returns a pointer to a location in a bpf map. After execution of the code shown above, BPF_REG_8 and BPF_REG_9 are set to the values from map1[1] and map1[2] respectively. They will be used as operands for BPF_RSH. The final BPF_GET_MAP shown above loads BPF_REG_0 with a pointer to map2[0].

The next step is to get the verifier to recognize that the operands to BPF_RSH will be bounded within a certain range. Here are the opcodes to limit the range of the registers by using branches.

The verifier will correctly deduce that execution cannot fall through past these instructions unless 0 <= REG_8 <= 0x1000 and 0 <= REG_9 <= 1024. (Note that JA means “jump always”, not “jump if above” as in x86.)

It's time to trigger the bug.

After the BPF_RSH instruction, BPF_REG_8 can still have a value as high as 0x1000. But due to the incorrect computation discussed above, the verifier concludes that the maximum possible value of BPF_REG_8 is now 0. On the basis of this, the verifier incorrectly concludes that the memory operation at (B) is guaranteed to be safe.

BPF_STX_MEM at (B) will perform an OOB write on map2 with an arbitrary offset specified by BPF_REG_8.

However, there is one additional precondition. Recall from above that when encountering an instruction that operates on memory, the verifier performs checks in a function named check_mem_access(). When the address of the memory operation is controlled by a register, check_mem_access() additionally ensures that the verifier has already marked the register contents as PTR_TO_MAP_VALUE or PTR_TO_MAP_VALUE_ADJ. The verifier will only set this mark if the allow_ptr_leaks flag is enabled in the environment, and to enable this flag, the caller must have the CAP_SYS_ADMIN capability.

This means CAP_SYS_ADMIN is required to trigger the bug, even if the eBPF program is attached to a socket owned by the attacker.
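The bounds rule from the Vulnerability section and the register ranges from the trigger, worked through in Python as an added example. This is neither the kernel's verifier code nor the submitter's program: it models the correct and the incorrect interval rule for an unsigned right shift, runs the trigger's ranges (0 <= REG_8 <= 0x1000, 0 <= REG_9 <= 1024) through both, and compares what each rule lets a memory check accept with what can really happen at run time. The map value size (64 bytes), the store width (8 bytes) and the treatment of a shift distance of 64 or more as yielding 0 are assumptions made for the illustration.

```python
"""Interval arithmetic for an unsigned right shift, as a verifier tracks it.

Constructed example, not kernel code. It reproduces the bounds rule the post
describes (correct and incorrect) on the register ranges from the trigger and
shows why the incorrect rule lets an out-of-bounds store through.
"""

U64_MASK = (1 << 64) - 1


def rsh(value, dist):
    """BPF_RSH on a 64-bit register. A shift distance of 64 or more yields 0
    (assumed semantics for this model; the post does not discuss large distances)."""
    value &= U64_MASK
    return 0 if dist >= 64 else value >> dist


def rsh_bounds_correct(a, b):
    """Bounds of a >> b. A right shift is division by a power of two, so the
    largest result pairs the largest numerator with the smallest divisor and the
    smallest result pairs the smallest numerator with the largest divisor."""
    a_min, a_max = a
    b_min, b_max = b
    return rsh(a_min, b_max), rsh(a_max, b_min)


def rsh_bounds_buggy(a, b):
    """The miscalculation described in the post: min(a) >> min(b) for the lower
    bound and max(a) >> max(b) for the upper bound."""
    a_min, a_max = a
    b_min, b_max = b
    return rsh(a_min, b_min), rsh(a_max, b_max)


def verifier_accepts_store(dst_bounds, size, map_value_size):
    """Simplified stand-in for the verifier's memory check: a store of `size`
    bytes at the tracked offset is accepted only when the upper bound keeps the
    whole access inside the map value."""
    _, dst_max = dst_bounds
    return dst_max + size <= map_value_size


def store_in_bounds(offset, size, map_value_size):
    """Ground truth for one concrete run-time offset."""
    return offset + size <= map_value_size


def trigger_analysis(map_value_size=64, size=8):
    """Run the trigger's ranges through both rules and report what the verifier
    believes versus what can really happen. map_value_size and size are
    constructed; the post does not state the size of map2's values."""
    reg8 = (0, 0x1000)
    reg9 = (0, 1024)
    correct = rsh_bounds_correct(reg8, reg9)
    buggy = rsh_bounds_buggy(reg8, reg9)
    # REG_9 may be 0 at run time, so REG_8 >> REG_9 can still be 0x1000.
    worst_case_offset = rsh(reg8[1], reg9[0])
    return {
        "correct_bounds": correct,
        "buggy_bounds": buggy,
        "accepted_by_correct_rule": verifier_accepts_store(correct, size, map_value_size),
        "accepted_by_buggy_rule": verifier_accepts_store(buggy, size, map_value_size),
        "worst_case_offset": worst_case_offset,
        "worst_case_in_bounds": store_in_bounds(worst_case_offset, size, map_value_size),
    }


if __name__ == "__main__":
    for key, value in trigger_analysis().items():
        print(f"{key}: {value}")
```

The correct rule keeps the upper bound at 0x1000 and the store is rejected; the incorrect rule collapses it to 0, the store is accepted, and a run-time shift distance of 0 then reaches offset 0x1000, which is the out-of-bounds write the post describes at (B).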

Conclusion

Although the precondition reduces the impact and risk, it would still be better to apply this mitigation, or even better, upgrade the kernel to an unaffected version. Our team will try to follow up on the patch when it is released. Thanks again to Ryota Shiga of Flatt Security for submitting this bug. He’s submitted a few other reports to the program, and each has been great. We hope to see more from him in the future.

You can find me on Twitter @_wmliang_, and follow the team for the latest in exploit techniques and security patches.


Three Bugs in Orion’s Belt: Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform

This blog post details a few recently patched vulnerabilities in the SolarWinds Orion Platform. When combined, these bugs can be exploited by an unauthenticated attacker to execute arbitrary code as Administrator on an affected system. One of these vulnerabilities, CVE-2020-14005, has been linked to the recent SUNBURST cyberattack on SolarWinds. However, the exact details around how, or if, this specific bug was used in the wild are still unclear.  

In addition to details of vulnerabilities acquired by ZDI, this blog also contains research from our N-day team about an authentication bypass that allows these bugs to be exploited without authentication. We would like to thank the Trend Micro Security Research team for their efforts in analyzing the technical details of this auth bypass. 

Before we get to the details, here’s a quick video showing how CVE-2020-10148 and CVE-2020-14005 can be used in conjunction to achieve remote code execution as Administrator without authentication.

SolarWinds Account Privileges

SolarWinds users can have any one of the following privileges, some of which are more permissive than others: 


For example, the Alert Management privilege allows a user to modify or create new alerts. An alert is an automated notification that a network event has occurred.

SolarWinds API

Upon installation, the SolarWinds Orion Platform loads a web-based GUI. The SolarWinds REST API can perform the same actions available in this interface.

The ZDI initially learned about this attack surface through an anonymous researcher who was able to show that a user with Alert Management Privileges (henceforth referred to as a non-admin user) can achieve serious side effects on the SolarWinds Orion Platform via the web-based GUI or REST API. 

CVE-2020-14005: Command injection and Execution of Arbitrary VBScript

The product allows a non-admin user to specify a path to a VBS script to be executed when an alert is triggered. There is no restriction on VBS files hosted on a remote SMB share. This lets an attacker specify arbitrary VBS scripts for execution.


The execution of the VBS script is handled by the following method:

During the analysis of this case, we noticed the interpreter parameter can be controlled by manipulating the JSON body of the API request. Hence, by specifying cmd.exe instead of WScript.exe, this vulnerability can be exploited as a straightforward command injection:

Another feature available to non-admin users allows the execution of external scripts, which can be exploited in a similar fashion:


The specified script is later executed by the following:

CVE-2020-27869: SQL Injection Privilege Escalation Vulnerability

There is also a SQL injection vulnerability that is reachable by the Configure Action setting (or corresponding API command) by non-admin users.


These requests are handled by the following code:

As shown, if the “Body to POST” contains the string “${SQL:”, the subsequent string will be evaluated as a SQL statement, which results in a SQL injection. This can allow the takeover of the Administrator account by using the following malicious string:

${SQL: SELECT @@version; UPDATE [dbo].[Accounts] SET PasswordHash = 'Yj505tc0oUwHdI1tgBoOtGWvKlGviV7tGGb276YZwyaADa/iyFhg1JHCJF1RwwNfvYiVGXca1AFFJvrIGgNHdQ==' WHERE AccountID = 'admin'; UPDATE [dbo].[Accounts] SET PasswordSalt= '8M4EuLag9Lpl+d9i0GQKDw==' WHERE AccountID = 'admin'}

CVE-2020-10148: Authentication Bypass

While evaluating the patch introduced by Hotfix 2, our N-day team was analyzing another vulnerability that could be used to bypass authentication altogether. This bug was assigned CVE-2020-10148. The application contains logic to bypass authentication when the client is requesting a resource for which no authentication is necessary, such as JavaScript or Cascading Style Sheets (CSS) files. Specifically, authentication is bypassed if the request URL path contains “Skipi18n” or ends with “i18n.ashx”, “WebResource.axd”, or “ScriptResource.axd”. 
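The exemption rule just described for CVE-2020-10148, and the `${SQL:` macro token from CVE-2020-27869 above, as an added example in Python. This is not SolarWinds code: `is_exempt_weak` mirrors the substring/suffix rule the post describes, `is_exempt_hardened` is one conventional replacement (an exact allowlist of normalized paths), and a small scanner applies both checks to request records. The allowlisted handler locations, the record format and the sample requests are constructed for the illustration.

```python
"""Authentication-exemption predicates and a request scanner.

Constructed example, not the product's code. The weak predicate reproduces the
rule the post describes; the hardened one is a conventional alternative.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

BYPASS_SUBSTRING = "skipi18n"
BYPASS_SUFFIXES = ("i18n.ashx", "webresource.axd", "scriptresource.axd")


def is_exempt_weak(url):
    """Weak rule: substring and suffix tests on the raw path, so any route that
    merely embeds one of these markers is treated as an unauthenticated resource."""
    path = urlsplit(url).path.lower()
    return BYPASS_SUBSTRING in path or path.endswith(BYPASS_SUFFIXES)


# Exact handler locations assumed for the illustration; a deployment lists its own.
STATIC_HANDLERS = frozenset({"/webresource.axd", "/scriptresource.axd", "/orion/i18n.ashx"})


def normalize_path(url):
    """Decode percent-encoding and collapse '.' and '..' so the allowlist is
    compared against the path the framework will actually route."""
    path = unquote(urlsplit(url).path)
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_exempt_hardened(url):
    """Hardened rule: only an exact, normalized match against known static
    handlers is exempt; every other request must authenticate."""
    return normalize_path(url) in STATIC_HANDLERS


# The macro token from the post: a body that begins a '${SQL:' expansion.
SQL_MACRO = re.compile(r"\$\{\s*sql\s*:", re.IGNORECASE)


def contains_sql_macro(body):
    return bool(SQL_MACRO.search(body or ""))


def scan_requests(records):
    """Flag requests that the weak rule exempts but the hardened rule does not
    (an exemption that should never have applied) and bodies carrying the SQL
    macro. Each record is (method, url, body)."""
    findings = []
    for _method, url, body in records:
        if is_exempt_weak(url) and not is_exempt_hardened(url):
            findings.append((url, "auth exemption matched a non-static route"))
        if contains_sql_macro(body):
            findings.append((url, "SQL macro in request body"))
    return findings


# Constructed sample traffic for the illustration.
SAMPLE_REQUESTS = [
    ("GET", "/WebResource.axd?d=abc", ""),
    ("GET", "/Orion/i18n.ashx?lang=en", ""),
    ("POST", "/SomeApp/Skipi18n/data", '{"name": "test"}'),
    ("POST", "/SomeApp/action", '{"body": "${SQL: SELECT @@version}"}'),
    ("POST", "/SomeApp/action", '{"body": "status=ok"}'),
]

if __name__ == "__main__":
    for url, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{reason}: {url}")
```

The two predicates disagree exactly on the requests that matter: a genuine static handler passes both, while a route that only contains one of the markers passes the weak rule and fails the hardened one. Normalizing before the comparison matters because the framework routes the decoded, collapsed path, not the string the client sent.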

While these individual bugs may not be severe on their own, when they are chained together, they can allow an attacker to gain unauthenticated remote code execution at the highest level. Finding and fixing these types of bugs helps clear the ecosystem of high-impact bugs – hopefully before they are used by an adversary. Applying the fixes from the vendor shores up your defenses and helps prevent unwanted intrusions into your enterprise.

Conclusion

The SolarWinds Orion Platform is a critical piece of infrastructure within an organization. SolarWinds has released patches to address these and other bugs. You should follow this guidance to ensure your system has the latest security updates. We are glad to be able to contribute to the security of this codebase via the ZDI program. Stay tuned for Part 2 of this blog, which will cover vulnerabilities in other components of the SolarWinds Orion Platform with similar effects. 

Until then, you can find me on Twitter at @zebasquared, and follow the team for the latest in exploit techniques and security patches.


Announcing Pwn2Own Vancouver 2021

26 January 2021 at 15:59


This year marks the 14th anniversary of Pwn2Own, which has grown from a small, browser-focused event to become one of the most well-known security contests in the industry, with millions of dollars of cash and prizes made available to contestants over the years. Every year the contest changes a bit as we reflect on the changing world around us. As cloud computing grew, we added the Virtualization category. In 2019, we added the Automotive category. For this year’s event, we’re adding the Enterprise Communications category. 

As the workforce moves out of the office and goes remote, the tools needed to support that change become greater targets. That’s one reason we added this new category and teamed up with Zoom to have them in the contest. Microsoft Teams will also be a target. A successful demonstration of an exploit in either of these products will earn the contestant $200,000 – quite the payout for a new category. Tesla returns for this year’s contest but driving off with a brand-new Model 3 will be more of a challenge this year. Of course, that means the rewards are greater as well, with the top prize going for $600,000 (plus the car itself). Also new this year, Adobe joins as a partner for 2021. Their applications have been a frequent target in past contests, so it’s great to see their increased investments into community research.

For 2021, we’ll have a bit of a hybrid contest. Starting on April 6 and running through April 8, 2021, we’ll have ZDI staff in Toronto and Austin running the exploits. Contestants can be anywhere in the world and won’t need to travel. As we did with our fall event, everything will be live-streamed on Twitch, YouTube, and more. All told, more than $1,500,000 USD in cash and prizes are available to contestants, including the Tesla Model 3, in the following categories:

-- Virtualization Category
-- Web Browser Category
-- Enterprise Applications Category
-- Server Category
-- Local Escalation of Privilege Category
-- Enterprise Communications Category
-- Automotive Category

And, of course, Pwn2Own would not be complete without us crowning a Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.

Let's take a look at the details of the rules for this year's contest.

Virtualization Category

Cars aren’t the only thing providing a big payout this year. VMware returns as a Pwn2Own sponsor for 2021, and this year, again we’ll have VMware ESXi alongside VMware Workstation as a target with awards of $150,000 and $75,000 respectively. Microsoft returns as a target for 2021 and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Oracle VirtualBox and Pwn2Own newcomer Parallels Desktop round out this category with a prize of $40,000 for either. Cloud computing relies on virtualization, as do many other critical computing functions. We’ve seen guest-to-host OS escalations in previous Pwn2Own contests. Here’s hoping we see more this year.

[Image: Virtualization category]

Rules updated as of March 15, 2021

For Oracle VirtualBox, VMware Workstation, and Microsoft Hyper-V Client, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop and the host operating system will be running Microsoft Windows 10 20H2 x64. For Parallels Desktop, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop and the host operating system will be running Apple macOS Big Sur. For VMware ESXi, the guest operating system will be running Microsoft Windows 10 20H2 x64 or Ubuntu 20.10 for Desktop. Certain optional components, such as RemoteFX, Legacy Network Adapter (Generation 1), and Fibre Channel Adapter, are not considered default and will be out of scope for the Microsoft Hyper-V Client target.

There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability (excluding VMware ESXi and Parallels Desktop), they can earn an additional $40,000 and 4 more Master of Pwn points. 


Web Browser Category

Web browsers are the “traditional” Pwn2Own target, but this year, we’re adding a few wrinkles in that category. First, for Google Chrome and Microsoft Edge (Chromium), a successful demonstration no longer requires a sandbox escape. Renderer-only exploits will earn $50,000, but if you have that sandbox escape or Windows kernel privilege escalation, that will earn you $150,000. If your exploit works on both Chrome and Edge, it will qualify for the “Double Tap” add-on of $50,000. The Windows-based targets will be running in a VMware Workstation virtual machine. Consequently, all browsers (except Safari) are eligible for a VMware escape add-on. If a contestant is able to compromise the browser in such a way that also executes code on the host operating system by escaping the VMware Workstation virtual machine, they will earn themselves an additional $75,000 and 8 more Master of Pwn points. Full exploits are still required for Apple Safari and Mozilla Firefox.

[Image: Web Browser category]


Enterprise Application Category

Enterprise applications also return as targets with Adobe Reader and various Office components on the docket. Prizes in this category run from $40,000 for a Reader exploit with a sandbox escape, $50,000 for a Reader exploit with a Windows kernel privilege escalation, and $100,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. There’s a better than average chance that you use one (or more) of these applications in your average day, making this category relevant to nearly everyone with a computer.

[Image: Enterprise Applications category]

The Office targets will be running Microsoft Office 365 ProPlus x64 (Monthly Channel) on Windows 10 x64.  Microsoft Office-based targets will have Protected View enabled.  Adobe Reader will have Protected Mode enabled.


Server Category

For 2021, we are expanding the Server category by adding Microsoft Exchange and SharePoint. Both of these servers were targeted by attackers over the last year. We’re also increasing the award for RDP/RDS entries to $200,000 for a full exploit. Attacks that require authentication will not be counted as a full win. As always, attempts in this category must be launched from the contestant’s laptop within the contest network. 

[Image: Server category]


Local Escalation of Privilege Category

This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. This is a common tactic for malware and ransomware, so these bugs are highly relevant. In this category, the entry must leverage a kernel vulnerability to escalate privileges. Ubuntu Desktop and Microsoft Windows 10 are the two OSes available as targets in this category. 

[Image: Local Escalation of Privilege category]


Enterprise Communications Category

Our newest category focuses on tools that we have come to rely on as we evolved into a remote workforce. Zoom has become a partner for their inaugural Pwn2Own, and we’re happy to have them on board. A successful attempt in this category must compromise the target application by communicating with the contestant. Example communication requests could be audio call, video conference, or message. Both Zoom and Microsoft Teams have a $200,000 award available, so we’re hoping to see some great research.

[Image: Enterprise Communications category]


Automotive Category

We introduced the Automotive category in 2019, and we are excited to have Tesla return as a partner for 2021. Due to the virtualized nature of last year’s contest, we weren’t able to have any attempts, so we’re excited to have the opportunity this year. However, we wanted to raise the level of complexity for this year’s event. Tesla vehicles are equipped with multiple layers of security, and for 2021, there are three different tiers of awards within the Automotive category that correspond to some of the different layers of security within a Tesla car, with additional prize options available in certain instances.

Tier 1 earns the top prizes and represents a complete vehicle compromise. Correspondingly, this also has the highest award amounts. To win this level, a contestant will need to pivot through multiple systems in the car, meaning they will need a complex exploit chain to get arbitrary code execution on three different sub-systems in the vehicle. Success here gets a big payout and, of course, a brand-new Tesla Model 3.   

[Image: Tesla Tier 1]

In addition to the vehicle itself and $500,000, contestants can go for the additional options to raise the payout to $600,000. This represents the single largest target in Pwn2Own history. If someone is able to do this, it would also mean 70 total Master of Pwn points, which is nearly insurmountable. Here’s some additional info on the optional add-ons.

[Image: Tesla add-ons]

Again, it’s hard to express the difficulty in completing such a demonstration, but we’re certainly hopeful that someone is able to show off their exploit skills.

Tier 2 in this category is not quite as complex but still requires the attacker to pivot through some of the vehicle’s sub-systems. This level requires the contestant to get arbitrary code execution on two different sub-systems in the vehicle, which is certainly a difficult challenge. If you include the optional targets, the largest payout for Tier 2 would be $500,000. A winning entry in Tier 2 would still be a pretty impressive and exciting demonstration and includes driving off with the Model 3.

[Image: Tesla Tier 2]

The targets in Tier 3 could prove to be just as difficult, but you only need to compromise one sub-system for a win here, which is still no easy task. Not every instance within Tier 3 includes winning the car. To drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below.

[Image: Tesla Tier 3]

Conclusion

The complete rules for Pwn2Own 2021 are found here. As always, we encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have a specific configuration or rule-related questions, email us. Questions asked over Twitter or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. Registration closes at 5 p.m. Pacific Time on April 2, 2021.

Update as of March 15: If you have either travel restrictions or travel-safety concerns, you can choose to opt for remote participation. You still need to register before the contest deadline (April 2nd, 2021). You will also need to send the entry, a detailed whitepaper completely explaining your exploit chain, and instructions on how to run the entry by 5:00 p.m. Pacific Time on April 4th, 2021. A member of the ZDI staff will run the exploit for you. All attempts will be filmed and available for viewing by you. If requested, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur.

Be sure to stay tuned to this blog and follow us on Twitter for the latest information and updates about the contest. We look forward to seeing everyone wherever they may be, and we hope someone has a sweet ride home from this year’s Pwn2Own competition.

With special thanks to our Pwn2Own 2021 Partners Tesla, Zoom, and Adobe.

Thanks also to our Pwn2Own 2021 Sponsor VMware.

©2021 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.


ZDI-CAN-12671: Windows Kernel DoS/Privilege Escalation via a NULL Pointer Deref

28 January 2021 at 16:16

This blog details a NULL pointer dereference in the Windows win32kfull.sys kernel-mode graphics module discovered by ZDI contributor Marcin Wiązowski. It can be used to create a denial-of-service condition. In limited circumstances, it can be used for privilege escalation, though if modern mitigations are present privilege escalation will not be possible. Due to the limited impact, Microsoft has made the decision not to service this bug report. As such, we disclosed the vulnerability as a 0-day according to our policy. This article details the vulnerability, ZDI-CAN-12671, and explains its impact.

The Vulnerability

In win32k, any drawing operation is performed upon an abstracted drawing surface (“surface”) represented in the kernel by a SURFOBJ structure:

Two fields are highlighted above. The field hdev is a handle to a particular device driver. The field flags is partially undocumented, but some of the flags that it can contain are the HOOK_* flags documented here. Each HOOK_* flag indicates that a particular graphics primitive should be delegated to the device driver specified by hdev. For example, HOOK_BITBLT indicates that every BitBlt drawing operation performed on the surface should be delegated to the appropriate DrvBitBlt primitive offered by the device driver.

The bug is found in the function win32kfull.sys!BLTRECORD::bRotate, specifically in the one that takes four parameters. Within this function, it performs a PlgBlt drawing operation on a surface. If HOOK_PLGBLT is set in the flags field of the SURFOBJ, it delegates to the underlying device driver’s DrvPlgBlt, as explained above. The problem, though, is that it fails to check whether the driver specified by hdev actually offers a native DrvPlgBlt. If no such function is offered by the driver, the corresponding entry in the driver’s function table will be NULL, and win32kfull.sys!BLTRECORD::bRotate will attempt to perform a call to the NULL address.

The various HOOK_* flags can be set from user mode by calling gdi32!EngAssociateSurface. There are some additional details involved in preparing a surface for exploiting this bug, but those are secondary to the vulnerability and are beyond the scope of this article.
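The dispatch pattern described above, modelled in Python as an added example that is not win32k code: a surface whose flags say "delegate PlgBlt to the driver", a driver function table whose DrvPlgBlt entry is absent (the multi-monitor driver's situation), and a dispatcher that either calls through the missing entry, as the post describes, or checks it first. Only the names HOOK_BITBLT, HOOK_PLGBLT, DrvBitBlt, DrvPlgBlt and MulBitBlt come from the post; the bit values, the driver registry, the engine fallback (EngPlgBlt is a real GDI engine function, but using it as the fallback here is this model's choice) and the hardened dispatcher are assumptions for the illustration.

```python
"""Model of a HOOK_*-driven dispatch through a device driver function table.

Constructed example, not win32k code. A None table entry stands in for the
NULL function pointer; calling it raises TypeError, the analogue of the
kernel-mode branch to address 0 described in the post.
"""
from dataclasses import dataclass

# Bit values are constructed; only the flag names come from the post.
HOOK_BITBLT = 0x1
HOOK_PLGBLT = 0x2


@dataclass
class Surfobj:
    hdev: str   # handle naming the device driver (here a key into DRIVERS)
    flags: int  # HOOK_* bits: which primitives the driver takes over


def mul_bitblt(surface):
    return f"MulBitBlt on {surface.hdev}"


def eng_plgblt(surface):
    """Engine-side implementation used when the driver does not take the call."""
    return f"EngPlgBlt (engine fallback) on {surface.hdev}"


# Driver function tables keyed by hdev. The multi-monitor driver offers
# DrvBitBlt but no DrvPlgBlt, represented by a None entry. The second driver
# is constructed to show the delegated path.
DRIVERS = {
    "multi_monitor": {"DrvBitBlt": mul_bitblt, "DrvPlgBlt": None},
    "display_with_plgblt": {
        "DrvBitBlt": mul_bitblt,
        "DrvPlgBlt": lambda s: f"DrvPlgBlt on {s.hdev}",
    },
}


def plgblt_unchecked(surface):
    """The pattern the post describes: if HOOK_PLGBLT is set, call the driver's
    entry without confirming the driver provides one."""
    if surface.flags & HOOK_PLGBLT:
        return DRIVERS[surface.hdev]["DrvPlgBlt"](surface)
    return eng_plgblt(surface)


def plgblt_checked(surface):
    """Hardened dispatch: delegate only when the entry exists, otherwise use the
    engine implementation. The hook flag alone is not proof the driver can serve
    the primitive."""
    entry = DRIVERS[surface.hdev].get("DrvPlgBlt")
    if surface.flags & HOOK_PLGBLT and entry is not None:
        return entry(surface)
    return eng_plgblt(surface)


def calls_through_null_entry(dispatch, surface):
    """Report whether a dispatcher would call through a missing table entry."""
    try:
        dispatch(surface)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    surface = Surfobj("multi_monitor", HOOK_BITBLT | HOOK_PLGBLT)
    print("unchecked dispatch faults:", calls_through_null_entry(plgblt_unchecked, surface))
    print("checked dispatch returns:", plgblt_checked(surface))
```

The defensive point is that the HOOK_* flag is caller-controlled state on the surface, while the function table belongs to the driver; a dispatcher must validate the table entry it is about to call rather than trust the flag.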

Exploitation Potential

To exploit this, the first thing needed is a graphics output device driver that does not export a DrvPlgBlt function. One such driver is the multi-monitor driver implemented in win32kfull itself. The exported functions of this driver are recognizable by the Mul prefix in their names, for example, win32kfull!MulBitBlt. Notably for our purposes, there is no win32kfull!MulPlgBlt. This device driver is available on any system with multiple active monitors.

Without further preparation, triggering the vulnerability produces a branch to address 0 in kernel mode, crashing the system.

Is it possible to exploit this bug for greater impact, such as a kernel escalation of privilege? Yes, but there are significant preconditions that drastically restrict when it is possible:

  1. It must be possible to map the NULL page and place executable code there. On currently supported Windows systems, mapping the NULL page is not possible from an unprivileged user-mode process. There is one known exception, though: the NULL page can still be mapped in a 16-bit process. 16-bit processes can be created only if the NTVDM subsystem is installed. Note that a non-administrator cannot install the NTVDM subsystem, but if this subsystem has already been installed by an administrator, it can be used afterward by a non-privileged user. NTVDM is available only on 32-bit installations of Windows.
  2. Even if a user-mode process maps a page of executable memory at address 0, this page will be executable in user mode only and not in kernel mode. This is due to SMEP (Supervisor Mode Execution Prevention). Kernel execution at address 0 can be achieved only on processors that do not offer the SMEP mitigation, or by disabling SMEP via processor control register CR4.

In summary, privilege escalation is possible only on a 32-bit installation of Windows, with NTVDM installed, and where the processor does not offer the SMEP mitigation. However, it should be noted that these conditions may be relaxed if the attacker has knowledge of additional vulnerabilities that can be exploited for SMEP bypass or NULL page mapping. In his submission, Marcin did include working proof-of-concept code that demonstrates privilege escalation under a specific set of circumstances. While the risk to users is small, it is not zero. It is our hope Microsoft reconsiders and produces a patch to address this bug in the future.

You can find me on Twitter at @HexKitchen, and follow the team for the latest in exploit techniques and security patches.

The February 2021 Security Update Review

9 February 2021 at 18:26

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2021

For February, Adobe released six patches addressing 50 CVEs in Adobe Dreamweaver, Illustrator, Animate, Photoshop, Magento, and Reader. A total of 14 of these bugs came through the ZDI program. The update for Adobe Reader fixes a total of 23 CVEs, 17 of which are rated Critical, and eight of which were reported through the ZDI program. CVE-2021-21017, a heap-based buffer overflow, is listed as being under “limited” active attacks on Reader for Windows. Definitely prioritize the testing and deployment of this update.

The update for Magento is also significant as it patches 18 bugs, seven of which are rated Critical. In the worst-case scenario, successful exploitation could lead to arbitrary code execution at the level of the current process. The update for Dreamweaver fixes a single, Important-rated info disclosure bug. The patch for Illustrator fixes two Out-Of-Bounds (OOB) write bugs that could lead to code execution. There’s also an OOB write being fixed in the patch for Animate. The patch for Photoshop fixes five Critical-rated bugs that could allow code execution.

Besides the previously mentioned CVE-2021-21017, none of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2021

For February, Microsoft released patches for 56 CVEs covering Microsoft Windows components, .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender. Seven of these CVEs were submitted through the ZDI program. Of these 56 CVEs, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity. According to Microsoft, one bug is known to be actively exploited and six other bugs are listed as being publicly known at the time of release. This is roughly half the volume of what they patched in February 2020, but this release does contain an unusually high number of publicly known CVEs. Microsoft provides no information on where these CVEs were publicly exposed.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

-       CVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability
This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution at the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug and then escalation through this bug. This is also a common tactic for malware.

-       CVE-2021-24078 - Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.

-       CVE-2021-24074 - Windows TCP/IP Remote Code Execution Vulnerability
There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.

-       CVE-2021-26701 - .NET Core and Visual Studio Remote Code Execution Vulnerability
This is the only Critical-rated bug to be listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for February 2021.

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2021-1732 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2021-26701 | .NET Core and Visual Studio Remote Code Execution Vulnerability | Critical | 8.1 | Yes | No | RCE |
| CVE-2021-1721 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | 6.5 | Yes | No | DoS |
| CVE-2021-1733 | Sysinternals PsExec Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2021-24098 | Windows Console Driver Denial of Service Vulnerability | Important | 5.5 | Yes | No | DoS |
| CVE-2021-24106 | Windows DirectX Information Disclosure Vulnerability | Important | 5.5 | Yes | No | Info |
| CVE-2021-1727 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2021-24112 | .NET Core for Linux Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2021-24081 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-24091 | Windows Camera Codec Pack Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-24078 | Windows DNS Server Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-1722 | Windows Fax Service Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2021-24077 | Windows Fax Service Remote Code Execution Vulnerability | Critical | 8.4 | No | No | RCE |
| CVE-2021-24093 | Windows Graphics Component Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2021-24088 | Windows Local Spooler Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2021-24074 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-24094 | Windows TCP/IP Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-24111 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2021-24087 | Azure IoT CLI extension Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2021-24101 | Microsoft Dataverse Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2021-24092 | Microsoft Defender Elevation of Privilege Vulnerability | Important | 7.8 | No | No | Info |
| CVE-2021-1724 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | Important | 6.1 | No | No | XSS |
| CVE-2021-24100 | Microsoft Edge for Android Information Disclosure Vulnerability | Important | 5 | No | No | Info |
| CVE-2021-24067 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-24068 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-24069 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-24070 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-1730 | Microsoft Exchange Server Spoofing Vulnerability | Important | 5.4 | No | No | Spoof |
| CVE-2021-24085 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoof |
| CVE-2021-24071 | Microsoft SharePoint Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2021-24066 | Microsoft SharePoint Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-24072 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-1726 | Microsoft SharePoint Spoofing Vulnerability | Important | 8 | No | No | Spoof |
| CVE-2021-24114 | Microsoft Teams iOS Information Disclosure Vulnerability | Important | 5.7 | No | No | Info |
| CVE-2021-24076 | Microsoft Windows VMSwitch Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-24082 | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2021-24105 | Package Managers Configurations Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-1731 | PFX Encryption Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
| CVE-2021-24099 | Skype for Business and Lync Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2021-24073 | Skype for Business and Lync Spoofing Vulnerability | Important | 6.5 | No | No | Spoof |
| CVE-2021-1728 | System Center Operations Manager Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2021-26700 | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-1639 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7 | No | No | RCE |
| CVE-2021-24083 | Windows Address Book Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-24079 | Windows Backup Engine Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-24102 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-24103 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-24096 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-24084 | Windows Mobile Device Management Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-24075 | Windows Network File System Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
| CVE-2021-25195 | Windows PKU2U Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-1734 | Windows Remote Procedure Call Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2021-24086 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2021-1698 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-24109 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | Moderate | 6.8 | No | No | EoP |
| CVE-2021-24080 | Windows Trust Verification API Denial of Service Vulnerability | Moderate | 6.5 | No | No | DoS |

You’ll notice we have added the CVSS scores to the table. This is to provide further detail on the severity of the patches since Microsoft is now relying on CVSS scores so heavily. We recommend balancing the Microsoft severity (i.e., Critical, Important, Moderate, etc…) with the CVSS score to help determine prioritization for your enterprise.

Moving on to the remaining Critical-rated patches, two involve codec libraries and were reported by ZDI vulnerability researcher Hossein Lotfi. Both of these bugs are OOB Writes that result from the lack of proper validation of user-supplied data. This can lead to a write past the end of an allocated buffer and allow an attacker to execute code in the context of the current user. There are two Critical-rated bugs impacting the Fax Service, but the Windows Fax and Scan feature needs to be enabled for a system to be affected by this vulnerability. There’s a patch for the Windows graphics component to correct a bug that allows code execution when viewing a specially crafted image. The Windows Spooler service also receives a Critical-rated patch to prevent remote code execution, although the exploit path is not as clear here. The final Critical-rated bug addresses a vulnerability in the .NET Core for Linux. In this case, a .NET application utilizing libgdiplus on a non-Windows system could allow code execution if an attacker sends a specially crafted request.

Shifting our focus to Important-rated updates, there are nine bugs that could result in remote code execution. The most interesting of these are two that impact SharePoint Server. One of these came from an anonymous contributor to our program and could allow code execution when an authenticated user triggers deserialization of untrusted data by tampering with client-side data. There are four patches for Excel – two that came through our program – that would allow code execution when opening a specially crafted file in Excel. Note that the updates for Microsoft Office 2019 for Mac are not currently available. Hopefully, Microsoft gets those out soon.

There are a couple of updates to Visual Studio addressing code execution bugs. In one case, a user would need to clone a malicious repository from inside Visual Studio Code. Once the clone completes, attacker code would execute when the targeted user viewed the contents of the repository. That’s not the most likely scenario. The Windows Address Book gets a patch for a bug found by ZDI vulnerability researcher Mat Powell. The bug results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Finally, there’s a significant bug in the Windows package manager that can only be addressed by reconfiguring installation tools and workflows. Microsoft provides several resources with additional information on this vulnerability and how to mitigate it. It is highly recommended to read and heed all information here. Considering the complexity in resolving this issue, this is a bug that could stick with us for a while.

There are only 11 Elevation of Privilege (EoP) bugs addressed in this month’s release, and we’ve already covered the one under active attack. Two are publicly known, and the more interesting of those impacts Sysinternals PsExec. If you’re not familiar with this tool, it’s a lightweight utility that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. It’s also often used by red teams when penetrating a network. We’ll likely see this bug end up in different toolkits should an exploit become available. The other publicly known bug impacts Windows Installer, but there’s no additional information about this vulnerability. Other EoP fixes of note include one for PKU2U, which is a peer-to-peer authentication protocol. Although systems not running PKU2U are not affected, Microsoft still recommends installing this update to all potentially impacted OSes.

Two different security feature bypasses receive fixes this month. The first covers a bypass in PowerShell, although no further information on what is bypassed is provided. The second covers a bypass in PFX encryption. When exporting a SID-protected PFX file, keys encrypted using AES are not properly protected. You’ll need to do more than just patch here as well. Any SID-protected PFX files using AES for key encryption should be regenerated and exported after this update is installed and all copies of the original PFX files must be securely destroyed.

There are 10 different patches for information disclosure bugs in this month’s release. The info leak impacting DirectX is another of the publicly known bugs. While most of these cases only lead to leaks consisting of unspecified memory contents, some do yield some interesting data. The bug fixed in the patch for Edge for Android could disclose personally identifiable information (PII) and payment information of a user. The vulnerability in Microsoft Dataverse could expose underlying datasets in Dataverse, which could include PII. The vulnerability in Microsoft Teams iOS exposes the Skype token value in the preview URL for images in the Teams iOS app. The SharePoint bug leaks SQL table columns that would normally be restricted. Finally, the bug in Mobile Device Management could allow an attacker to read from the file system.

There are a handful of notable Denial-of-Service (DoS) bugs patched this month, and the fix for TCP/IP leads the way. Similar to CVE-2021-24094, this bug also involves IPv6 fragmentation, although there’s no path to code execution here. Disallowing IPv6 UDP fragmentation at the perimeter could have some side effects, but implementing the workaround to drop out-of-order packets seems more reasonable. Still, this should be tested before updating production systems. The DoS bugs impacting .NET Core and the Windows Console Driver are listed as publicly known, but Microsoft provides no further details. There’s a patch for a DoS vulnerability in Skype for Business and Lync. If you’re still using either of those messaging tools, definitely look to patch soon.

Speaking of Skype for Business and Lync, these also receive a patch to fix a spoofing bug. Microsoft doesn’t indicate what is spoofed, but they do note user interaction is required. There’s also a spoofing bug in Exchange that dates back to September of 2020. Since the bug was in the Exchange Server installer, it could only be addressed in a complete release as opposed to a cumulative update. Microsoft allowed time for customers to move to the September release before disclosing the vulnerability. The other Exchange spoofing bug comes from Pwn2Own winner Steven Seeley and allows an authenticated attacker to leak a CERT file, which would allow an attacker to forge CSRF tokens. The final spoofing bug for this month fixes a SharePoint bug that could allow an authenticated attacker to manipulate the SharePoint blog sharing functionality to produce a bogus message or link.

The only cross-site scripting (XSS) bug in this month’s release impacts Microsoft Dynamics Business Central. Rounding out this month’s release are Moderate-rated bugs in Azure Kubernetes and the Windows Trust Verification API. Those using the Azure Kubernetes Service should be automatically updated to an unaffected version, but you should still verify your version number to be sure.  

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on March 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Three More Bugs in Orion’s Belt

In a recent blog post, we showed how certain endpoints in the SolarWinds Orion platform were accessible to low privileged users and could be exploited to achieve remote code execution. We also showed how authentication could be bypassed altogether using CVE-2020-10148. In this blog post, we discuss three other vulnerabilities submitted by an anonymous researcher, which when chained with a privilege escalation bug, could be exploited by a guest user. This will be a brief blog post due to the simplicity of the aforementioned bugs.

Privileges

In the previous blog post, we briefly discussed privileges in the SolarWinds Orion platform. One of the predefined roles is the guest account, which requires no password and has no assigned privileges by default. Although this account is disabled by default, it is fair to assume that some deployments may have the guest account enabled.

CVE-2020-27870: Directory Traversal leading to arbitrary file read

The endpoint /orion/ExportToPDF.aspx converts HTML to PDF, but it fails to check if the HTML contains references to local files. Furthermore, the guest user account can access this endpoint. By supplying HTML files that contain references to local files, it is possible to read arbitrary files on the server in the context of SYSTEM.

For example, the following request can be used to retrieve the contents of C:\Windows\system32\drivers\etc\hosts:

A PDF containing the disclosed file contents can then be retrieved as follows:

CVE-2020-27871: Directory Traversal leading to arbitrary file upload

Orion allows the installation of various modules, with each module capable of performing a specific network monitoring and management function. One such module is the Network Configuration Manager (NCM) module. Where this module is installed, there is an arbitrary file upload vulnerability that could be leveraged for remote code execution. The root cause of this vulnerability is illustrated in the following code snippet:

As shown, the NCM module has a firmware vulnerability management functionality that downloads a ZIP file containing JSON files from an external website. By default, it downloads from https://nvd.nist.gov, but this default can be overridden. It then automatically extracts data from the .zip archive. It does not check the file extensions of the extracted files, nor does it verify the file upload path. Thus it is possible to upload the file anywhere in the file system. Files are extracted and written in the context of SYSTEM.

This flaw can be easily exploited. For example, by issuing the following request, it is possible to upload an arbitrary ASPX file to the www directory:

This vulnerability has one caveat in that it can only be exploited by an Admin user. However, this requirement can be bypassed by the vulnerability we will discuss next.
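The root cause above is a missing path and extension check on archive entries before they are written out as SYSTEM. As an added example (not SolarWinds code), the following C function is the kind of check an extractor needs: it treats both separators as Windows would, rejects absolute, drive-letter and UNC names and any "." or ".." segment, and only accepts the .json data the feature expects. The root directory and entry names in the test are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SolarWinds code. Decides whether a ZIP entry name may be
 * written beneath an extraction root. Both '/' and '\\' are treated as
 * separators because the target is a Windows host. The entry is rejected if it
 * is absolute, carries a drive letter or UNC prefix, contains an empty, "." or
 * ".." segment, or does not end in the extension the feature expects. */
bool zip_entry_allowed(const char *name, const char *allowed_ext) {
    size_t n = strlen(name);
    if (n == 0 || n > 200) return false;
    if (name[0] == '/' || name[0] == '\\') return false;   /* absolute or UNC */
    if (n >= 2 && name[1] == ':') return false;            /* drive letter */
    const char *seg = name;
    for (;;) {
        const char *end = seg + strcspn(seg, "/\\");
        size_t seglen = (size_t)(end - seg);
        if (seglen == 0) return false;                     /* "a//b" or trailing separator */
        if (seg[0] == '.' && (seglen == 1 || (seglen == 2 && seg[1] == '.')))
            return false;                                  /* "." or ".." segment */
        if (*end == '\0') {
            /* final segment: the extension must match exactly (case-sensitive) */
            const char *dot = strrchr(seg, '.');
            return dot != NULL && strcmp(dot, allowed_ext) == 0;
        }
        seg = end + 1;
    }
}

/* Builds the destination path for an accepted entry. Returns false when the
 * entry is rejected or the result would not fit in `out`. */
bool safe_extract_path(const char *root, const char *entry,
                       char *out, size_t outlen) {
    if (!zip_entry_allowed(entry, ".json")) return false;
    int w = snprintf(out, outlen, "%s\\%s", root, entry);
    return w > 0 && (size_t)w < outlen;
}
```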

ZDI-CAN-11903/ZDI-21-192: Privilege escalation

This vulnerability is present when any of the following SolarWinds Orion platform modules are installed:
       - Network Configuration Manager
       - Server Configuration Manager
       - IP Address Manager

When any one of these products is installed, SolarWinds stores account roles in the WebUserSettings table.

The researcher discovered this table can be modified by a hidden SaveUserSetting endpoint. A guest user can elevate their privileges to Administrator by simply issuing the following request:

Conclusion

This series of blog posts shows that simple bugs and oversights can have severe consequences. Luckily, SolarWinds has addressed all the above vulnerabilities in Orion Platform 2020.2.1 HF2. We highly recommend that those running a vulnerable version of this platform upgrade.

You can find me on Twitter at @zebasquared, and follow the team for the latest in exploit techniques and security patches.

ZDI-21-171: Getting Information Disclosure in Adobe Reader Through the ID Tag

18 February 2021 at 17:25

Sometimes the only thing between you and a successful exploit is an information leak. While I see my fair share of information disclosure bugs on the job, it’s not every day that I see one that is so clean and elegant. Then again, it’s not every day I get the privilege of looking at some of Mark Yason's stellar research. This blog covers one such information leak, which Mark submitted to the program and which Adobe recently patched.

Let’s talk about ZDI-21-171, but first, here’s a quick video showing the bug in action.

The Vulnerability

The issue exists due to the way Adobe Reader handles the ID tag within the PDF trailer. The problem is that when processing the array values for the ID tag, the application does not anticipate anything over 0x100 bytes. With this knowledge and some JavaScript in hand, an attacker can leverage this to disclose the base address of Annots.api.

What exactly are we talking about?

If you pop open a PDF document in an editor, chances are that at the bottom, you’ll see a File Trailer that looks something like this:

Figure 1 - Example PDF Trailer

According to Adobe’s documentation, the trailer consists of one or more key-value pairs.

Figure 2 - Adobe’s File Trailer documentation

The key-value pair of interest is ID, which is “an array of two strings constituting a file identifier for the file.” (See section 9.3, “File Identifiers” in the document referenced above.) Our proof of concept is shown below and contains overly long array values:

Figure 3 - Proof of Concept PDF Trailer

What happens when the application encounters an ID key in a file trailer? During the parsing of the ID key, Reader calls a function that returns the size of the ID array values and uses that value to populate the following structure:

Figure 4 - Trailer ID Structure

This is best illustrated by the following pseudocode:

Figure 5 - Pseudocode to retrieve File ID

The f_AcroDocGetFileID method returns the actual size of the file ID in the PDF even if the passed buffer argument is NULL and the buffer size argument is smaller than the actual size of the file ID. This value is then used to set the originalIDLen and modifiedIDLen properties without any check if the value is greater than 0x100 bytes.

Following this in the debugger, we can see that the parameters on the stack align with the pseudocode above.

Figure 6 - A look at the stack and the returned value

When the function returns, the structure looks like this:

Figure 7 - Returned stack structure

Note the returned size in @eax. The issue here is that the return value was not checked to determine if it is greater than 0x100 before storing the value in this->originalIDLen and this->modifiedIDLen.

At this point, the structure is set up with invalid length values. This comes into play later with a call to Collab.documentToStream(), which invokes a memcpy call. This is shown below:

Figure 8 - This memcpy leads to an out-of-bounds read

When the application tries to copy the originalID into a heap-based buffer, it uses the new 0x400-byte size instead of the expected 0x100 bytes, allowing a user to leak data from the stack. The result is a stack-based out-of-bounds read that can be leveraged to disclose the base address of Annots.api through the Collab.documentToStream() API call.
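The bug pattern the pseudocode and the memcpy above describe is an API that reports the full length of the data regardless of how much fit into the caller's buffer, and a caller that stores that length unchecked. As an added example (not Adobe's code), the C below models that contract with a constructed `get_file_id` stand-in for f_AcroDocGetFileID, shows the unchecked caller beside a checked one, and tests whether a later copy of `originalIDLen` bytes would run past the 0x100-byte field. The structure and function names are assumptions modelled on the post's figures.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Adobe's code. `get_file_id` is a constructed stand-in for
 * the f_AcroDocGetFileID behaviour the post describes: it copies whatever fits
 * into `buf` (when non-NULL) and always returns the full length of the ID
 * string found in the trailer, even when that exceeds `buf_size`. */
#define ID_FIELD_SIZE 0x100   /* size the trailer ID structure is built for */

static const unsigned char *g_id;   /* constructed trailer /ID value */
static size_t g_id_len;

void set_trailer_id(const unsigned char *id, size_t len) { g_id = id; g_id_len = len; }

size_t get_file_id(unsigned char *buf, size_t buf_size) {
    if (buf != NULL && g_id != NULL) {
        size_t n = g_id_len < buf_size ? g_id_len : buf_size;
        memcpy(buf, g_id, n);                 /* copies only what fits ... */
    }
    return g_id_len;                          /* ... but reports the full length */
}

struct trailer_id {                           /* assumed layout, after Figure 4 */
    size_t originalIDLen;
    unsigned char originalID[ID_FIELD_SIZE];
};

/* The pattern the post describes: the returned size is stored without
 * comparing it against the field size. */
void init_trailer_id_unchecked(struct trailer_id *t) {
    t->originalIDLen = get_file_id(NULL, 0);
    get_file_id(t->originalID, sizeof t->originalID);
}

/* Hardened variant: a trailer whose ID does not fit is rejected outright
 * (clamping to ID_FIELD_SIZE would be the other defensible choice). */
int init_trailer_id_checked(struct trailer_id *t) {
    size_t n = get_file_id(NULL, 0);
    if (n > sizeof t->originalID) return -1;
    t->originalIDLen = n;
    get_file_id(t->originalID, sizeof t->originalID);
    return 0;
}

/* Would a later copy of `originalIDLen` bytes out of `originalID` (the memcpy
 * reached through Collab.documentToStream in the post) read past the field? */
int copy_would_overread(const struct trailer_id *t) {
    return t->originalIDLen > sizeof t->originalID;
}

/* Constructed inputs: a 16-byte ID as a normal PDF carries, and a 0x400-byte
 * one like the proof of concept. */
const unsigned char sample_short_id[] = "0123456789abcdef";
unsigned char sample_long_id[0x400];
```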

Figure 9 - Annots.api base address successfully leaked

Wrapping up

Adobe Reader is a common target for attackers since the PDF format is so ubiquitous. While this blog covers an info disclosure bug, Adobe recently patched this along with other vulnerabilities that could allow remote code execution, including one bug that was being actively exploited. Getting code execution on modern applications typically requires multiple steps, and leaking memory addresses is often the first step towards a full exploit chain. Combine this bug with something that allows code execution and a sandbox escape, and you could have a full compromise. You should definitely apply the security patch to all affected systems as soon as possible.

You can find me on Twitter at @mrpowell and be sure to follow the team for the latest in exploit techniques and security patches.

CVE-2020-8625: A Fifteen-Year-Old RCE Bug Returns in ISC BIND Server

25 February 2021 at 17:30

In October 2020, we received a submission from an anonymous researcher targeting the ISC BIND server. The discovery was based upon an earlier vulnerability, CVE-2006-5989, which affected the Apache module mod_auth_kerb and was initially found by an anonymous researcher. The ISC BIND server shared the vulnerable code within the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) component, but ISC did not merge the patch at that time. After 15 years, ISC patched the bug in BIND and assigned it CVE-2020-8625.

This vulnerability affects BIND versions from 9.11 to 9.16. It can be triggered remotely and without authentication, and it leads to a 4-byte heap overflow. This submission came close to earning a larger payout through our Targeted Incentive Program but lacked the full exploit needed to qualify for the full award. Still, it’s a great submission, and the bug is worth looking at in greater detail.

The Vulnerability

The heap overflow bug exists in function der_get_oid(), which is in lib/dns/spnego.c.

This function allocates an array buffer at (1). The variable len is used to keep track of the number of available elements remaining in the buffer. The code fills the first 2 elements at (2), but it only decreases len by 1 at (3). As a result, the loop (4) can overflow the buffer by 1 element. The type of data->components is int, so we have a 4-byte heap overflow.
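As an added example (not BIND's source), here is a reduced C model of der_get_oid() that keeps the loop structure described above, with the (1) to (4) markers in comments. Stores that fall outside the allocation are counted rather than performed, so the off-by-one can be measured for both the shipped allocation size and the fixed one without corrupting the heap; the OID bodies are constructed inputs.

```c
#include <stdlib.h>

/* Added example, not BIND's source: a reduced model of der_get_oid() from
 * lib/dns/spnego.c that keeps the loop structure the post walks through.
 * Stores outside the allocated array are counted instead of performed. */
typedef struct {
    unsigned *components;
    size_t length;     /* elements the decoder produced */
    size_t capacity;   /* elements actually allocated at (1) */
    size_t overflow;   /* stores that fell outside the allocation */
} oid_t;

static void store(oid_t *o, size_t i, unsigned v) {
    if (i < o->capacity) o->components[i] = v; else o->overflow++;
}

/* (1) as shipped, the buffer held `len` elements; the fix allocates len + 1. */
size_t vulnerable_capacity(size_t len) { return len; }
size_t fixed_capacity(size_t len) { return len + 1; }

/* Decode a DER OID body of `len` bytes into an array of `capacity` elements.
 * The caller frees out->components. */
int decode_oid(const unsigned char *p, size_t len, size_t capacity, oid_t *out) {
    size_t n;
    if (len < 1) return -1;
    out->components = calloc(capacity ? capacity : 1, sizeof *out->components);
    if (out->components == NULL) return -1;
    out->capacity = capacity;
    out->overflow = 0;
    store(out, 0, *p / 40);       /* (2) the first byte yields two elements ... */
    store(out, 1, *p % 40);
    --len;                        /* (3) ... but len is decremented only once */
    ++p;
    for (n = 2; len > 0; ++n) {   /* (4) one element per remaining sub-identifier */
        unsigned u = 0;
        do {
            --len;
            u = u * 128 + (*p++ & 0x7f);
        } while (len > 0 && (p[-1] & 0x80));
        store(out, n, u);
    }
    out->length = n;
    return 0;
}

/* How many elements the decoder would write past an allocation of cap(len). */
size_t oid_overflow(const unsigned char *p, size_t len, size_t (*cap)(size_t)) {
    oid_t o;
    if (decode_oid(p, len, cap(len), &o) != 0) return (size_t)-1;
    size_t ov = o.overflow;
    free(o.components);
    return ov;
}

/* Constructed inputs: DER OID bodies without the 0x06 tag and length byte.
 * Multi-byte sub-identifiers consume more input per element, so only a body
 * made of single-byte sub-identifiers reaches the extra element. */
const unsigned char oid_krb5[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}; /* 1.2.840.113554.1.2.2 */
const unsigned char oid_short[] = {0x2a, 0x03, 0x04};                                      /* 1.2.3.4 */
```

With the shipped size, a body of all single-byte sub-identifiers always lands exactly one element past the allocation, which is the 4-byte overflow the post describes.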

The Trigger

Since the vulnerability exists within the SPNEGO component, TKEY-GSSAPI configuration is necessary in BIND.

The dns.keytab file can be found in bin/tests/system/tsiggss/ns1/, and the example.nil.db file is generated by the script bin/tests/system/tsiggss/setup.sh.

Now the environment is ready. Upon receiving a crafted request, the vulnerability is triggered, producing the following call stack:

Exploitation

The exploitability for this bug is highly dependent on the glibc version. The following explanation is based on Ubuntu 18.04 with glibc 2.27, which enables tcache support.

First, we have to determine what is under control from this overflow bug.

       -- The size and content of the vulnerable buffer, which is allocated in der_get_oid(), are controllable. Note that the buffer is freed when the current request is done.
       -- There is a while loop in decode_MechTypeList() that executes der_get_oid() repeatedly. The loop count is controllable.

With these two points in mind, we can manipulate the heap fairly easily. To prepare the heap, we can exhaust tcache bins of any size and refill them after the request is done. Also, the refilled chunks can be contiguous in memory. This makes the memory layout quite conducive to exploitation via a buffer overflow.

Arbitrary write

At this stage, achieving an arbitrary write is straightforward by abusing the tcache freelist.

  1. Trigger a 4-byte overflow to enlarge the next free chunk size.
  2. Allocate the corrupted chunk on the next request. It will be moved to the new tcache bin when the request is ended.
  3. Allocate the corrupted chunk again with the new size. The corrupted chunk overlaps the next free chunk and overwrites its freelist with an arbitrary value.
  4. Allocate from the poisoned tcache freelist. It will return an arbitrary address.

Attempting to leak an address

All Linux mitigations are enabled by default for BIND. We have to contend with ASLR first, which means we need a way to leak an address from memory. One possible opportunity for a leak is in the code_NegTokenArg() function, which encodes response messages into a buffer that is then sent to the client.

buf at (5) is a temporary buffer. Its initial size is 1024 bytes, which is within the range of sizes handled by tcache. outbuf at (6) is the buffer that will be sent to the client. Its size is within range for tcache also. If it is possible to apply a tcache dup attack on these two buffer sizes, the two malloc() calls at (5) and (6) will return the same address. After the free() at (7), a tcache->next pointer will be updated into buf, which is already overlapped with outbuf. This means a heap pointer will leak to the client.

Ideally, buf_len at (6) should be chosen to be large enough to avoid interfering with small tcache bins. Unfortunately, it seems the maximum value is only about 96 bytes. Due to this problem, the process does not survive and crashes very soon after the client gets the leaked heap pointer. More research is needed to find a way to continue the path to a full exploit.

The Patch

The patched versions are BIND 9.16.12 and BIND 9.11.28. To fix BIND 9.16, ISC fixed the buffer allocation size at (1). In BIND 9.11, they applied the patch as well.

Conclusion

This bug shows how vulnerabilities can reside undetected for years, even when the software is open source and in wide use. Software maintainers need to closely monitor all of the external modules they consume to ensure they stay up to date with the latest patches. It also shows how complex this challenge can be. ISC BIND is the most popular DNS server on the internet. The scope of impact is quite large, especially since the vulnerability can be triggered remotely and without authentication. All are advised to update their DNS servers as soon as possible.

For more information about our Targeted Incentive Program, check out this blog. We hope to see more submissions for this program in the future. Until then, you can find me on Twitter @_wmliang_, and follow the team for the latest in exploit techniques and security patches.
