
Adding a Beta NAS Device to Pwn2Own Austin

14 October 2021 at 20:26

Today, we are announcing the inclusion of the beta version of the Western Digital 3TB My Cloud Home Personal Cloud in our upcoming Pwn2Own Austin competition. Normally, devices under test are updated to the most recent publicly available patch level. This is still the case. However, our partners over at Western Digital wanted to include their upcoming beta software release in this year’s event. Consequently, we are adding the beta version as an available target in addition to the existing current version of the NAS device.

If a contestant can get code execution on the beta release of the Western Digital 3TB My Cloud Home Personal Cloud, they will earn $45,000 (USD) and 5 Master of Pwn points. There are some significant differences between the released software version and the beta version, so we suggest contestants upgrade their systems to test their exploits prior to the contest. To get the beta version installed on your NAS, you will need to enter your email address and the MAC address of your device in this form. Within a few hours, an automated process to update the NAS will begin. The updates will take you from 7.15.1-101 (current) to 7.16.0-216 and then the beta 8.0.0-301. Please note that not all features and applications included in the current version of the software release are available in the beta version.

Again, registration for the contest closes at 5:00 p.m. Eastern Daylight Time on October 29, 2021. A full copy of the rules – including this new change – is available here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. If you have any questions, please forward them to [email protected].

We believe exploiting the beta version of this software will not be trivial, but we certainly hope someone tries. We look forward to seeing all the attempts and learning about the latest exploits and attack techniques on these devices.

Good luck, and we’ll see you in Austin.


CVE-2021-28632 & CVE-2021-39840: Bypassing Locks in Adobe Reader

21 October 2021 at 16:12

Over the past few months, Adobe has patched several remote code execution bugs in Adobe Acrobat and Reader that were reported by researcher Mark Vincent Yason (@MarkYason) through our program. Two of these bugs, in particular, CVE-2021-28632 and CVE-2021-39840, are related Use-After-Free bugs even though they were patched months apart. Mark has graciously provided this detailed write-up of these vulnerabilities and their root cause.


This blog post describes two Adobe Reader use-after-free vulnerabilities that I submitted to ZDI: One from the June 2021 patch (CVE-2021-28632) and one from the September 2021 patch (CVE-2021-39840). An interesting aspect about these two bugs is that they are related – the first bug was discovered via fuzzing and the second bug was discovered by reverse engineering and then bypassing the patch for the first bug.

CVE-2021-28632: Understanding Field Locks

One early morning while doing my routine crash analysis, one Adobe Reader crash caught my attention:

After a couple of hours minimizing and cleaning up the fuzzer-generated PDF file, the resulting simplified proof-of-concept (PoC) was as follows:

PDF portion (important parts only):

JavaScript portion:

The crash involved a use-after-free of CPDField objects. CPDField objects are internal AcroForm.api C++ objects that represent text fields, button fields, etc. in interactive forms.

In the PDF portion above, two CPDField objects are created to represent the two text fields named fieldParent and fieldChild. Note that the created objects have the type CTextField, a subclass of CPDField, which is used for text fields. To simplify the discussion, they will be referred to as CPDField objects.

An important component for triggering the bug is that fieldChild should be a descendant of fieldParent by specifying it in the /Kids key of the fieldParent PDF object dictionary (see [A] above) as documented in the PDF file format specification:

img01.jpg

Another important concept relating to the bug is that to prevent a CPDField object from being freed while it is in use, an internal property named LockFieldProp is used. Internal properties of CPDField objects are stored via a C++ map member variable.

If LockFieldProp is not zero, it means that the CPDField object is locked and can't be freed; if it is zero or is not set, it means that the CPDField object is unlocked and can be freed. Below is the visual representation of the two CPDField objects in the PoC before the field locking code (discussed later) is called: fieldParent is unlocked (LockFieldProp is 0) and is in green, and fieldChild is also unlocked (LockFieldProp is not set) and is also in green:

img02.jpg

On the JavaScript portion of the PoC, the code sets up a JavaScript callback so that when the “Format” event is triggered for fieldParent, a custom JavaScript function callback() will be executed [2]. The JavaScript code then triggers a “Format” event by setting the textSize property of fieldParent [3]. Internally, this executes the textSize property setter of JavaScript Field objects in AcroForm.api.

One of the first actions of the textSize property setter in AcroForm.api is to call the following field locking code against fieldParent:

The above code locks the CPDField object passed to it by setting its LockFieldProp property to 1 [AA].

After executing the field locking code, the lock state of fieldParent (locked: in red) and fieldChild (unlocked: in green) are as follows:

img03.jpg

Note that in the later versions of Adobe Reader, the value of LockFieldProp is a pointer to a counter instead of being set with the value 1 or 0.

Next, the textSize property setter in AcroForm.api calls the following recursive CPDField method where the use-after-free occurs:

On the first call to the above method, the this pointer points to the locked fieldParent CPDField object. Because it has no associated widget [aa], the method performs a recursive call [cc] with the this pointer pointing to each of fieldParent's children [bb].

Therefore, on the second call to the above method, the this pointer points to the fieldChild CPDField object, and since it has an associated widget (see [B] in the PDF portion of the PoC), a notification will be triggered [dd] that results in the custom JavaScript callback() function being executed. As shown in the previous illustration, the locking code only locked fieldParent while fieldChild is left unlocked. Because fieldChild is unlocked, the removeField("fieldChild") call in the custom JavaScript callback() function (see [1] in the JavaScript portion of the PoC) succeeds in freeing the fieldChild CPDField object. This causes the this pointer in the recursive method to become a dangling pointer after the call in [dd]. The dangling this pointer is later dereferenced, resulting in the crash.

This first vulnerability was patched in June 2021 by Adobe and assigned CVE-2021-28632.

CVE-2021-39840: Reversing Patch and Bypassing Locks

I was curious to see how Adobe patched CVE-2021-28632, so after the patch was released, I decided to look at the updated AcroForm.api.

Upon reversing the updated field locking code, I noticed an addition of a call to a method that locks the passed field’s immediate descendants:

With the added code, both fieldParent and fieldChild will be locked and the PoC for the first bug will fail in freeing fieldChild:

img04.jpg

While assessing the updated code and thinking, I arrived at a thought: since the locking code only additionally locks the immediate descendants of the field, what if the field has a non-immediate descendant?... a grandchild field! I quickly modified the PoC for CVE-2021-28632 to the following:

PDF portion (important parts only):

JavaScript portion:

And then loaded the updated PoC in Adobe Reader under a debugger, hit go... and crash!

The patch was bypassed, and Adobe Reader crashed at the same location in the previously discussed recursive method where the use-after-free originally occurred.

Upon further analysis, I confirmed that the illustration below was the state of the field locks when the recursive method was called. Notice that fieldGrandChild is unlocked, and therefore, can be freed:

img05.jpg

The recursive CPDField method started with the this pointer pointing to fieldParent, and then called itself with the this pointer pointing to fieldChild, and then called itself again with the this pointer pointing to fieldGrandChild. Since fieldGrandChild has an attached widget, the JavaScript callback() function that frees fieldGrandChild was executed, effectively making the this pointer a dangling pointer.

This second vulnerability was patched in September 2021 by Adobe and assigned CVE-2021-39840.
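To make the two lock states concrete, here is an added Python model (written for this page, not code from the write-up or from Adobe Reader) of the field tree, the LockFieldProp check, the recursive walk and the removeField() callback; it covers the CVE-2021-28632 shape (parent/child) and the CVE-2021-39840 shape (parent/child/grandchild) together. The class and function names (Field, Document, walk, set_text_size, the three lock_* strategies) are assumptions, and lock_subtree is an assumed whole-subtree lock used to show the hardened form, not a description of what Adobe's September 2021 patch does.

```python
"""Constructed model (not Adobe's code) of the field locking described above:
a /Kids tree, LockFieldProp in a per-object property map, the recursive
method that fires the "Format" notification, and a JavaScript callback that
calls removeField() on the visited field. Freeing sets a `freed` flag so the
dangling `this` is detected rather than dereferenced."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


class UseAfterFree(Exception):
    """The walk touched a field the callback had already freed."""


@dataclass
class Field:
    name: str
    kids: List["Field"] = field(default_factory=list)    # the /Kids array
    has_widget: bool = False                             # widget attached ([B])
    props: Dict[str, int] = field(default_factory=dict)  # internal property map
    freed: bool = False

    def is_locked(self) -> bool:
        # LockFieldProp != 0 means locked; 0 or absent means unlocked
        return self.props.get("LockFieldProp", 0) != 0


class Document:
    def __init__(self) -> None:
        self.fields: Dict[str, Field] = {}
        self.on_format: Optional[Callable[[Document], None]] = None

    def add(self, name: str, parent: Optional[Field] = None) -> Field:
        f = Field(name)
        self.fields[name] = f
        if parent is not None:
            parent.kids.append(f)
        return f

    def remove_field(self, name: str) -> bool:
        """JavaScript removeField(): refuses to free a locked field."""
        f = self.fields.get(name)
        if f is None or f.is_locked():
            return False
        f.freed = True         # the C++ object is gone, but the parent's /Kids
        del self.fields[name]  # entry and the recursive method's `this` still
        return True            # point at it


# Three locking strategies for the field handed to the textSize setter.
def lock_field_only(f: Field) -> None:      # behaviour before the June 2021 patch
    f.props["LockFieldProp"] = 1

def lock_field_and_kids(f: Field) -> None:  # June 2021 patch: immediate kids too
    lock_field_only(f)
    for kid in f.kids:
        kid.props["LockFieldProp"] = 1

def lock_subtree(f: Field) -> None:         # assumed hardened form: whole subtree
    lock_field_only(f)
    for kid in f.kids:
        lock_subtree(kid)


def walk(doc: Document, this: Field) -> None:
    """The recursive CPDField method: no widget -> recurse into kids [bb]/[cc];
    widget -> fire notification [dd] that runs the callback, then use `this`."""
    if this.freed:
        raise UseAfterFree(this.name)
    if not this.has_widget:
        for kid in list(this.kids):
            walk(doc, kid)
        return
    if doc.on_format is not None:
        doc.on_format(doc)      # [dd]: JavaScript may call removeField() here
    if this.freed:              # back from [dd] with a dangling `this`
        raise UseAfterFree(this.name)


def build_poc(depth: int) -> Tuple[Document, Field, str]:
    """depth=1: fieldParent -> fieldChild (CVE-2021-28632 shape); depth=2 adds
    fieldGrandChild (CVE-2021-39840 shape). The deepest field carries the
    widget and the callback removes it, as in the write-up's PoCs."""
    doc = Document()
    cur = root = doc.add("fieldParent")
    for name in ["fieldChild", "fieldGrandChild"][:depth]:
        cur = doc.add(name, parent=cur)
    cur.has_widget = True
    doc.on_format = lambda d, victim=cur.name: d.remove_field(victim)
    return doc, root, cur.name


def set_text_size(depth: int, lock: Callable[[Field], None]) -> str:
    """Simulated textSize setter: lock, then walk. Returns 'uaf' if the callback
    freed a field under the walk, else 'ok'."""
    doc, root, _ = build_poc(depth)
    lock(root)
    try:
        walk(doc, root)
    except UseAfterFree:
        return "uaf"
    return "ok"
```

Running set_text_size(1, lock_field_only) and set_text_size(2, lock_field_and_kids) reproduces the two bug shapes, while lock_subtree keeps every descendant locked for the duration of the walk.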

Controlling Field Objects

Control of the freed CPDField object is straightforward via JavaScript: after the CPDField object is freed via the removeField() call, the JavaScript code can spray the heap with similarly sized data or an object to replace the contents of the freed CPDField object.

When I submitted my reports to ZDI, I included a second PoC that demonstrates full control of the CPDField object and then dereferences a controlled, virtual function table pointer:

Conclusion

Implementation of object trees, particularly those in applications where the objects can be controlled and destroyed arbitrarily, is prone to use-after-free vulnerabilities. For developers, special attention must be paid to the implementation of object reference tracking and object locking. For vulnerability researchers, they represent opportunities for uncovering interesting vulnerabilities.


Thanks again to Mark for providing this thorough write-up. He has contributed many bugs to the ZDI program over the last few years, and we certainly hope to see more submissions from him in the future. Until then, follow the team for the latest in exploit techniques and security patches.


Our ICS-Themed Pwn2Own Contest Returns to Miami in 2022

25 October 2021 at 13:14

UPDATE: The S4 Conference has been rescheduled to April 19 through April 21. Consequently, the Pwn2Own Miami competition is also moving to these days. The new deadline for registration is April 14, 2022. We have also clarified the rules around participation as an individual, team, or company and expanded available security policies in the OPC UA Server category. For full details, see the rules.

¡Bienvenidos de nuevo a Miami!

Our inaugural Pwn2Own Miami was held back in January 2020 at the S4 Conference, and we had a fantastic time as we awarded over $280,000 USD in cash and prizes for 24 unique 0-day vulnerabilities. At the time, we couldn’t wait to get back to South Beach for the next contest. Of course, the rest of 2020 happened, so those plans were put on hold. Today, we are excited to announce Pwn2Own Miami returns in person to S4 on April 19-21, 2022 (originally announced as January 25-27, 2022). As of now, we are planning on running the contest in Miami and hope to have contestants in the room with us. However, we know not everyone is ready to hit the road again, so we will also still allow remote participation.

This will be our first “hybrid” event with contestants participating locally (hopefully) and remotely. Even though we will be at the Fillmore, we realize not everyone can be there with us. If you have either travel restrictions or travel safety concerns, you can opt to compete remotely. You will still need to register before the contest registration deadline (April 14, 2022; originally January 21, 2022) and submit a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry. A member of the ZDI staff in Miami will run your exploit for you. All attempts will be filmed and available for viewing by the contestant and the vendor. As in the past, we will work with remote contestants to monitor the attempt in real-time via a phone call or video chat. Please note that since you are not in person, changes to exploits/scripts/etc. will not be possible, which could lower your chance of winning should something unexpected occur. Otherwise, the contest will run as we have in the past. We will have a random drawing to determine the schedule of attempts on the first day of the contest, and we will proceed from there.

This contest is not possible without the participation and help from our partners within the ICS community, and we would like to especially thank Schneider Electric, OPC Foundation, Inductive Automation, and Triangle Microworks for their expertise and guidance. Their cooperation is essential in ensuring we have the right categories and targets to create a meaningful test of the security of these products and protocols. Pwn2Own Miami seeks to harden these platforms by revealing vulnerabilities and providing that research to the vendors. The goal is always to get these bugs fixed before they’re actively exploited by attackers. These vendors have been instrumental in making that goal a reality.

The 2022 edition of Pwn2Own Miami has four categories:

- Control Server
- OPC Unified Architecture (OPC UA) Server
- Data Gateway
- Human Machine Interface (HMI)

Control Server Category

The Control Server category covers server solutions that provide connectivity, monitoring, and control across disparate Programmable Logic Controller (PLC) and other field systems. An attacker who took over a control server could alter the process in any way they wanted and would only be limited by their engineering and automation skills. The targets in this category include the control servers from Iconics and Inductive Automation.

An attempt in this category must be launched against the target’s exposed network services from the contestant’s laptop within the contest network or by opening a file within the target on the contest laptop. The files that are eligible to be opened must be file types that are handled by default by the target application. A successful entry in the category must result in arbitrary code execution.


OPC UA Server Category

The OPC Unified Architecture (UA) is a platform-independent, service-oriented architecture that integrates all the functionality of the individual OPC Classic specifications into one extensible framework. OPC UA serves as the universal translator protocol in the ICS world. It is used by almost all ICS products to send data between disparate vendor systems. OPC UA was designed to be more secure than the previously used DCOM and is gaining in popularity. This category has four products: the Unified Automation C++ Demo Server, the OPC Foundation OPC UA .NET Standard, the Prosys OPC UA SDK for Java, and the Softing Secure Integration Server.

A successful entry in the category must result either in a denial-of-service condition, arbitrary code execution or in a bypass of the trusted application check that occurs after the creation of a secure channel. These types of devices usually restrict who can connect, so bypassing the application check becomes a prime target for attackers.


Data Gateway Category

This category focuses on devices that connect other devices of varying protocols. There are two products in this category. The first is the Triangle Microworks SCADA Data Gateway product. Triangle Microworks makes the most widely used DNP3 protocol stack. The other is the Kepware KEPServerEX server. KEPServerEX is an industry-leading connectivity platform that provides a single source of industrial automation data to multiple applications.

A successful entry in the category must result in arbitrary code execution.


Human Machine Interface (HMI)

If you’re familiar with ICS at all, you’ve likely heard of the Human Machine Interface (HMI) system. The HMI connects the operator of an ICS to the various hardware components of the ICS. Attackers that take over the HMI can also prevent the operator from seeing process issues in the ICS until it is too late. Our HMI category consists of the AVEVA Edge and the Schneider Electric EcoStruxure Operator Terminal Expert.

A successful entry in this category must result in arbitrary code execution.


Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, and Pwn2Own Miami is no exception. Earning the title results in a slick trophy and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2023, which includes a one-time bonus estimated at $25,000).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout.

As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If a contestant decides to withdraw from the registered attempt before the actual attempt, the Master of Pwn points for that attempt will be divided by 2 and deducted from the contestant's point total for the contest. Since Pwn2Own is now often a team competition, along with the initial deduction of points, the same number of Master of Pwn points will also be deducted from all contestant teams from the same company.

The Complete Details

The full set of rules for Pwn2Own Miami 2022 are available here. They may be changed at any time without notice. We encourage entrants to read the rules thoroughly and completely should they choose to participate.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contestant order. Again, this random drawing will not impact awards. Contest registration closes at 5:00 p.m. Eastern Standard Time on April 14, 2022 (originally January 21st, 2022).

The Results

We’ll be live blogging and tweeting results throughout the competition. Be sure to keep an eye on the blog for the latest results. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OMiami hashtag for continuing coverage.

We look forward to seeing everyone again in Miami, and we look forward to seeing what new exploits and attack techniques they bring with them.


Pwn2Own Austin 2021 - Schedule and Live Results

2 November 2021 at 01:53

Welcome to Pwn2Own Austin 2021! This year’s consumer-focused event is our largest ever with 58 total entries from 22 different contestants. As with all of our contests now, you can follow along live on YouTube and Twitch. With attempts going every 30 minutes, it should be an exciting few days.

As always, we started the contest with a random drawing to determine the order of attempts. You can view the results here. Our schedule is so packed, we’ve extended the contest to a fourth day. The complete schedule for the contest is below (all times Eastern [GMT -4:00]). We will update this schedule with results as they become available.

Note: All times subject to change - You can watch the event live here.


Tuesday, November 2

For a quick review of Day One, check out our recap video here.

1000 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - Sam used a three-bug chain that included an unsafe redirect and a command injection to get code execution on the Western Digital My Cloud Pro Series PR4100. This successful demonstration earns him $40,000 and 4 Master of Pwn points.

1030 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - Bien Pham leveraged a logic error to compromise the WAN interface of the Cisco RV340 router. He earns $30,000 and 3 Master of Pwn points.

1100 - The Synacktiv (@Synacktiv) team targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The Synacktiv team used a heap overflow to take over the Canon ImageCLASS printer and bring home the first Printer Category win in Pwn2Own history. They earn $20,000 and 2 points towards Master of Pwn.

1130 - trichimtrich and nyancat0131 targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi in the router category

SUCCESS - trichimtrich used an Out-Of-Bounds (OOB) Read to get a root shell via the LAN interface of the TP-Link AC1750 router. This earns him $5,000 and 1 point towards Master of Pwn.

1200 - The THEORI Team (@theori_io) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The THEORI team combined an OOB Read and a stack-based buffer overflow to take over the Western Digital My Cloud Pro Series PR4100 NAS device. They used a unique bug chain, so they earn the full $40,000 and 4 points towards Master of Pwn.

1230 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the Cisco RV340 in the router category

SUCCESS - Bien Pham from Team Orca of Sea Security used a three-bug chain, including an auth bypass and a command injection, to take over the LAN interface of the Cisco RV340. This effort earns him $15,000 and 2 more Master of Pwn points.

1300 - Ken Gannon (@yogehi) of F-Secure Labs (@fsecurelabs) targeting the Samsung Galaxy S21 in the Mobile Phone category

FAILURE - Unfortunately, Ken could not get his exploit to work within the time allotted.

1400 - Bugscale targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The exploit chain used by Bugscale included known bugs. They still earn $20,000 and 2 Master of Pwn points.

1430 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The exploit chain used by the CrowdStrike team included some known bugs. They still earn $10,000 and 1.5 Master of Pwn points.

1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The DEVCORE team used a stack-based buffer overflow to take over the Canon ImageCLASS printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.

1530 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

SUCCESS - Bien Pham finishes Day 1 by using an OOB Read bug to take control of the TP-Link AC1750 router via the LAN interface. This earns him another $5,000 and 1 Master of Pwn point.

1630 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Sonos One Speaker in the home automation category

SUCCESS - The DEVCORE team used an integer underflow to gain code execution on the Sonos One Speaker. They earn $60,000 and 6 points towards Master of Pwn.

1700 - Gaurav Baruah (@_gauravb_) targeting the WAN interface of the Cisco RV340 in the router category

COLLISION - A partial collision. One of the bugs used by Gaurav was previously known. He still earns $22,500 and 2.5 Master of Pwn points.

1730 - The THEORI Team (@theori_io) targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The THEORI Team used a stack-based buffer overflow to get code execution on the 3TB My Cloud Home Personal Cloud from WD. This earns them $40,000 and 4 Master of Pwn points, giving them a Day 1 total of $80,000 and 8 points.

1800 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

SUCCESS - The DEVCORE team used a stack-based buffer overflow to gain code execution on the HP Color LaserJet Pro. They earn another $20,000 and 2 Master of Pwn points, bringing their day 1 total to $100,000 and 10 Master of Pwn points.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

— trichimtrich and nyancat0131 targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - trichimtrich leveraged an integer overflow to gain code execution via the LAN interface of the NETGEAR R6700v3 router. They win another $5,000 and 1 more point towards Master of Pwn.

— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, Team Flashback could not get their exploit to work within the time allotted.

— Bugscale targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Bugscale team combined an authorization bypass with a command injection bug to get code execution on the LAN interface of the NETGEAR router. They earn $5,000 and 1 Master of Pwn point.

— crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Mofoffensive Research Team combined a heap overflow and a stack-based buffer overflow to gain code execution on the LAN interface of the NETGEAR R6700 router. Their efforts earn $5,000 and 1 Master of Pwn point.

Wednesday, November 3

For a video overview of the Day Two results, see here.

1000 - NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The NCC Group leveraged a memory corruption bug three different ways (and overcame a timing issue) to get code execution on the Western Digital My Cloud Pro Series PR4100. They earn themselves $40,000 and 4 Master of Pwn points.

1030 - Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - The Flashback team of Pedro and Radek used an impressive stack-based buffer overflow to get code execution on the WAN interface of the Cisco RV340 router. They earn $30,000 and 3 Master of Pwn points.

1100 - Nicolas Devillers (@nikaiw), Jean-Romain Garnier, and Raphael Rigo (@_trou_) targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The team of Nicolas Devillers, Jean-Romain Garnier, and Raphael Rigo obtained code execution on the Canon ImageCLASS printer through a stack-based buffer overflow. This unique bug chain earns them $20,000 and 2 Master of Pwn points.

1130 - crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

FAILURE - Unfortunately, the Mofoffensive Team could not get their exploit to work within the time allotted.

1200 - The Synacktiv (@Synacktiv) team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The Synacktiv team leveraged a configuration error bug to get code execution on the PR4100. They earn $40,000 and 4 Master of Pwn points.

1230 - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the LAN interface of the Cisco RV340 in the router category

SUCCESS - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab used 3 unique bugs, including an authorization bypass and a command injection, to get code execution on the Cisco RV340 via the LAN interface. They earn $15,000 and 2 Master of Pwn points.

1300 - The STARLabs Team targeting the Samsung Galaxy S21 in the mobile phone category

COLLISION - The exploit chain used by the STARLabs team included a bug known by the vendor. They still earn $25,000 and 2.5 Master of Pwn points.

1400 - The Synacktiv (@Synacktiv) team targeting the Sonos One Speaker in the home automation category

SUCCESS - The Synacktiv team used a stack-based buffer overflow to compromise the Sonos One speaker and play us a tune. They earn $60,000 and 6 Master of Pwn points.

1430 - trichimtrich and nyancat0131 targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - trichimtrich used nearly all the time on the clock, but his command injection bug is unique. His takeover of the Cisco RV340 via the WAN interface earns him $30,000 and 3 Master of Pwn points.

1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The DEVCORE team successfully exploited the WD PR4100, but the bugs they leveraged had been previously used in the competition. Their work still earns them $20,000 and 2 Master of Pwn points.

1530 - The STARLabs Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

COLLISION - The STARLabs team exploited the LAN interface of the TP-Link AC1750 router, but they used a known bug. This still nets them $2,500 and 0.5 Master of Pwn points.

1600 - The Synacktiv (@Synacktiv) team targeting the Lexmark MC3224i in the printer category

SUCCESS - The Synacktiv team combined three unique bugs, including an unprivileged access bug and a command injection bug, to get code execution on the Lexmark MC3224i printer. They earn $20,000 and 2 more Master of Pwn points.

1700 - The STARLabs Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) of STARLabs team included bugs previously used in the contest. They still earn $20,000 and 2 Master of Pwn points.

1745 - The Synacktiv (@Synacktiv) team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

COLLISION - The exploit chain used by the Synacktiv team included a bug used earlier in the competition. They still earn $10,000 and 1 Master of Pwn point.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.

— The STARLabs Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) and Phan Thanh Duy (PTDuy) of STARLabs took over the 3TB My Cloud Home Personal Cloud from WD using a bug previously seen in the competition. They still earn $20,000 and 2 Master of Pwn points.

— Diffense Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - In their Pwn2Own debut, the Diffense Team runs into a collision. They were able to exploit the Western Digital My Cloud Pro Series PR4100, but the bug they leveraged was also used on Day 1. They still earn $20,000 and two Master of Pwn points in their debut effort.

— Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Lexmark MC3224i in the printer category

SUCCESS - The DEVCORE team used a code injection bug to take over the Lexmark MC3224i printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.

— NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Lexmark MC3224i in the printer category

SUCCESS - The NCC Group again needed multiple attempts, but they successfully exploited the Lexmark MC3224i with a file write bug. They earn $20,000 and 2 Master of Pwn points.

— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, Bien could not get his exploit to work within the time allotted.

— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category

COLLISION - The two-bug exploit chain used by Bien included bugs used earlier in the competition. He still earns $2,500 and 0.5 Master of Pwn points.

— Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.

— Diffense Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the Diffense Team could not get their exploit to work within the time allotted.

Thursday, November 4

For a quick overview of Day Three results, see the recap video here.

1000 - Martin Rakhmanov (@mrakhmanov) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - Martin used a unique two-bug chain that included a command injection to compromise the NAS device. He earns himself $40,000 and 4 points towards Master of Pwn.

1030 - The Synacktiv (@Synacktiv) team targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The three-bug exploit chain used by the Synacktiv team included some known bugs. They still earn $7,500 and 1 Master of Pwn point.

1100 - Alexander Bolshev (@dark_k3y), Timo Hirvonen (@TimoHirvonen), and Dmitry Janushkevich (@InfoSecDJ) of F-Secure Labs (@fsecurelabs) targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

SUCCESS - The team from F-Secure Labs used a single stack-based buffer overflow to take over the printer and turn it into a jukebox. They earn $20,000 and 2 Master of Pwn points.

1200 - The STARLabs Team targeting the beta version of the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The STARLabs team of Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) combined an OOB Read and a heap-based buffer overflow to exploit the beta version of the 3TB My Cloud Home Personal Cloud from WD. They earn $45,000 and 5 Master of Pwn points.

1230 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The four-bug exploit chain used by Stephen included some known bugs. His successful demonstration still earns him $10,000 and 1.5 Master of Pwn points.

1300 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Samsung Galaxy S21 in the mobile phone category

SUCCESS - Sam used a three-bug chain to get code execution on the Samsung Galaxy S21. This successful demonstration earns him $50,000 and 5 Master of Pwn points.

1400 - The Synacktiv (@Synacktiv) team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

COLLISION - The Synacktiv team used a two-bug chain to compromise the 3TB My Cloud Home Personal Cloud, but one of the bugs had been used prior in the contest. Their demonstration still earns them $20,000 and 2 Master of Pwn points.

1500 - Chris Anastasio (@mufinnnnnnn) targeting the Lexmark MC3224i in the printer category

COLLISION - Chris used a four-bug chain to compromise the Lexmark printer, but one of the bugs had been used prior in the contest. His effort still earns him $17,500 and 1.75 Master of Pwn points.

1600 - The STARLabs Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the STARLabs Team could not get their exploit to work within the time allotted.

1700 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - Stephen used an uninitialized variable to get a root shell via the LAN interface of the NETGEAR R6700v3 router. He earns $5,000 and 1 Master of Pwn point.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

The Synacktiv (@Synacktiv) team targeting the WAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Synacktiv team used an improper certificate validation and a stack-based buffer overflow to compromise the NETGEAR router via the WAN interface. They earn $20,000 and 2 critical Master of Pwn points.

— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the LAN interface of the NETGEAR R6700v3 in the router category

COLLISION - Pedro and Radek leveraged 2 bugs to exploit the NETGEAR R6700 router via the LAN interface, but the path traversal they chose was an N-day. This still earns them $3,750 and 0.75 Master of Pwn points.

Friday, November 5

For a quick overview of Day Four results, see the recap video here.

1000 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The DEVCORE team combined an OOB Read and an OOB Write to successfully exploit the 3TB My Cloud Home Personal Cloud from WD. This unique bug chain earned them $40,000 and 4 Master of Pwn points.

1030 - Diffense Team targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The Diffense Team leveraged 4 bugs to exploit the Cisco RV340 router via the LAN interface, but some of the bugs had been seen earlier in the contest. This still earns them $10,000 and 1.5 Master of Pwn points.

1100 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the Lexmark MC3224i in the printer category

COLLISION - The team from CrowdStrike had no problem taking over the Lexmark printer using a three-bug chain; however, all of the bugs used had been seen earlier in the contest. Their effort wins them $10,000 and 1 Master of Pwn point.

1200 - The NullRiver team of Xin’an Zhou, Xiaochen Zou, Zhiyun Qian targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The team used a pair of bugs to execute code via the LAN interface. They earn $5,000 and 1 Master of Pwn point.

1230 - Final wrap-up and the crowning of the Master of Pwn


Congratulations to the Synacktiv team for being crowned Master of Pwn! It was a tight race, but their combined efforts held off all challengers.

Thanks again to our partners Western Digital as well as our sponsor Synology. Thanks also to the researchers who participate and to the vendors for providing fixes for what’s discovered during the contest. As a reminder, vendors have 90 days to produce a fix for all vulnerabilities reported.

The November 2021 Security Update Review

9 November 2021 at 18:26

The second Tuesday of the month is upon us, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for November 2021

For November, Adobe released only three patches correcting four CVEs in Creative Cloud Desktop, InCopy, and RoboHelp. The patch for Creative Cloud fixes a single Important-rated denial-of-service (DoS) bug. The InCopy patch fixes two bugs, including a Critical-rated code execution. The release for RoboHelp Server is listed as a security hotfix rather than a security patch, but it’s not clear why there’s a difference in the nomenclature. Either way, a Critical-rated arbitrary code execution bug is being fixed, so if you still use RoboHelp, apply this hotfix.

If this seems especially light, Adobe did release fixes for more than 80 CVEs in late October for critical code execution flaws, privilege escalation, denial-of-service, and memory leaks across multiple products. None of these fixes were listed as under active attack, so it’s unclear why Adobe released so many patches out of band.

None of the patches released today by Adobe are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for November 2021

For November, Microsoft released patches today for 55 new CVEs in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.

Historically speaking, 55 patches in November is a relatively low number. Last year, there were more than double this number of CVEs fixed. Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors. It seems odd that Microsoft would be releasing fewer patches after seeing nothing but increases across the industry for years.

Of the CVEs patched today, six are rated Critical and 49 are rated as Important in severity. Four of these bugs came through the ZDI program. Four of these bugs are listed as publicly known and two are listed as under active exploit at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the two bugs listed as under active attack:

- CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Exchange bug is listed by Microsoft as currently under active attack; however, authentication is listed as a requirement. As with all Exchange bugs in the wild, we urge Exchange admins to test and deploy the patches as soon as possible. Microsoft has also published this blog to aid Exchange administrators with their patch deployment.

- CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability
This patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel. This is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature. It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet, but I would be reluctant to open any unexpected attachments for a while. This is especially true for users of Office for Mac because there currently is no patch available for Mac users. They must wait for a future update to be protected. It’s also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as “proof of concept”.

- CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
This patch addresses a guest-to-host escape through the virtual machine bus (VMBus). A user on a guest VM can send a specially crafted communication on the VMBus channel to the host OS that could result in arbitrary code execution on the underlying host. With a CVSS of 9.0, this is one of the more severe vulnerabilities fixed this month. Based on the CVE number, this has been known to Microsoft for a few months.

- CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability
While not as severe as a bug in the RDP server, this bug in the RDP client is still worth prioritizing. If an attacker can lure a user to connect to a malicious RDP server, they could execute code on the connecting RDP client system. Again, this doesn’t reach the level of the BlueKeep bugs, but it is definitely something to watch.

Here’s the full list of CVEs released by Microsoft for November 2021:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2021-42292 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | Yes | SFB |
| CVE-2021-42321 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.8 | No | Yes | RCE |
| CVE-2021-43208 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2021-43209 | 3D Viewer Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2021-38631 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info |
| CVE-2021-41371 | Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability | Important | 4.4 | Yes | No | Info |
| CVE-2021-42279 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | 4.2 | No | No | RCE |
| CVE-2021-42298 | Microsoft Defender Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-42316 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical | 8.7 | No | No | RCE |
| CVE-2021-26443 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | Critical | 9 | No | No | RCE |
| CVE-2021-3711 | OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow | Critical | 9.8 | No | No | RCE |
| CVE-2021-38666 | Remote Desktop Client Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2021-42278 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2021-42282 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2021-42287 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2021-42291 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP |
| CVE-2021-42302 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP |
| CVE-2021-42303 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP |
| CVE-2021-42304 | Azure RTOS Elevation of Privilege Vulnerability | Important | 6.6 | No | No | EoP |
| CVE-2021-26444 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | Info |
| CVE-2021-42301 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | Info |
| CVE-2021-42323 | Azure RTOS Information Disclosure Vulnerability | Important | 3.3 | No | No | Info |
| CVE-2021-41374 | Azure Sphere Information Disclosure Vulnerability | Important | 6.7 | No | No | Info |
| CVE-2021-41375 | Azure Sphere Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
| CVE-2021-41376 | Azure Sphere Information Disclosure Vulnerability | Important | 2.3 | No | No | Info |
| CVE-2021-42300 | Azure Sphere Tampering Vulnerability | Important | 6 | No | No | Tampering |
| CVE-2021-41366 | Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-42277 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP |
| CVE-2021-41373 | FSLogix Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-41368 | Microsoft Access Remote Code Execution Vulnerability | Important | 6.1 | No | No | RCE |
| CVE-2021-42275 | Microsoft COM for Windows Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-41351 | Microsoft Edge (Chrome based) Spoofing on IE Mode | Important | 4.3 | No | No | Spoofing |
| CVE-2021-40442 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-41349 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2021-42305 | Microsoft Exchange Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2021-42276 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-42296 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-41367 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-41370 | NTFS Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-42283 | NTFS Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2021-41372 | Power BI Report Server Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2021-38665 | Remote Desktop Protocol Client Information Disclosure Vulnerability | Important | 7.4 | No | No | Info |
| CVE-2021-42322 | Visual Studio Code Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-42319 | Visual Studio Elevation of Privilege Vulnerability | Important | 4.7 | No | No | EoP |
| CVE-2021-42286 | Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-41356 | Windows Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2021-36957 | Windows Desktop Bridge Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-41377 | Windows Fast FAT File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-42280 | Windows Feedback Hub Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP |
| CVE-2021-42288 | Windows Hello Security Feature Bypass Vulnerability | Important | 5.7 | No | No | SFB |
| CVE-2021-42284 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
| CVE-2021-42274 | Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability | Important | 6.8 | No | No | DoS |
| CVE-2021-41379 | Windows Installer Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP |
| CVE-2021-42285 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-41378 | Windows NTFS Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |

Looking at the remaining Critical-rated patches for November, the entries for Chakra and Dynamics (On-Prem) stand out. The Chakra patch fixes a bug that could allow an attacker to execute their own code on affected systems, usually in a browse-and-own or open-and-own scenario. Microsoft doesn’t make it clear how the code execution on Dynamics would occur, but considering the types of infrastructure and supply chains managed by Dynamics, this Critical-rated bug should be taken seriously. The patch for Defender should be of concern for those disconnected from the Internet, but others will likely not need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. You should still verify the version and manually apply the update if needed. Finally, Microsoft is releasing its update of an OpenSSL patch from August. This is a good reminder that if you ship open-source code, you should always check to ensure you’re shipping the latest, most secure version.

Moving on to the other code execution bugs, two can be found in the 3D Viewer. These were reported by ZDI’s Mat Powell, but Microsoft failed to meet our disclosure timeline. That’s why these are listed as publicly known as we published some details about these bugs back in June and July. The other code execution bugs mostly reside in one of the Office components. In these cases, opening a specially crafted file could lead to code execution. The final code exec bug resides in NTFS, but it’s not clear from Microsoft how this could work. They list no user interaction required, while also listing the vector as local. This removes the open-and-own scenario as well as the browse-to-a-remote-folder vector. This bug came through the THEORI team, who had quite the showing at the recent Pwn2Own Austin. Hopefully, they will release additional details in the near future.

There are 20 elevation of privilege (EoP) bugs patched in this release, with the most severe impacting NTFS, Active Directory Domain Services, and Azure RTOS. The NTFS bugs are confusing as they list no user interaction needed while still being a local vector with low privileges required. Those are the same ratings as the NTFS RCE bug, so it’s not clear how these are different. The patches for ADDS also should not be ignored, as bugs here could make lateral movement within an enterprise easier. It’s also not clear how many people are using Azure RTOS, but they have a tough road ahead of them. They can’t just apply a patch. Instead, they will need to recompile their project with updated USBX source code and then redeploy the new code. Failure to do so could result in an EoP if an attacker plugged in a malicious USB device. The remaining EoP patches fix more traditional issues where an attacker is required to log on to a system and run their own code to take advantage of an affected component.

There are some heavy-hitting information disclosure bugs being patched this month. First up are three patches for Azure RTOS that could lead to info disclosure, although Microsoft does not state what type of information could be disclosed. Again, a recompile and redeploy is required to stop a malicious USB attack. More disturbingly, there are two publicly known info disclosure bugs in RDP that could allow read access to Windows RDP client passwords by RDP administrators. That could be a game-changer for insider threats since we all know users would NEVER reuse a password – at least that’s what they swear to me (and this time, they mean it).

There’s also an info disclosure bug being fixed in FSLogix. This bug could allow an attacker to disclose user data redirected to the profile or Office container via FSLogix Cloud cache, which includes user profile settings and files. Surprisingly, only one of the 10 info disclosure bugs results in a leak consisting of unspecified memory contents.

Three info disclosure bugs impact Azure Sphere devices, but these devices should receive updates automatically if they are connected to the internet. There’s also a tampering bug being fixed in Azure Sphere, but again, provided you are connected to the internet, there’s no action to take.

Looking at patches for denial-of-service (DoS) bugs, the most important is the one impacting Windows – not a subcomponent – Windows. A remote attacker with no permissions could create a DoS on all supported Windows versions (including Windows 11). It’s not clear if this would result in a system hang or a reboot, but either way, do not skip this impactful DoS patch. The other two DoS bugs impact Hyper-V, and one of those requires GRE to be enabled.

Besides the Excel bug already mentioned, there’s only one other Security Feature Bypass (SFB) being fixed in November. This impacts Windows Hello on Windows 10 and Server 2019 systems. No details are provided, but just by the component and impact, it seems there’s a way to access affected systems without using a PIN, facial recognition, or fingerprint. If you use this feature for authentication, you may want to disable it until you are sure all affected systems are patched.

Finally, the November release contains fixes for four spoofing bugs, including one for Exchange that must be obvious when you look for it as eight different researchers are all acknowledged by Microsoft for reporting it. Of course, they provide no info on what sort of spoofing is being fixed by this patch, the other Exchange spoofing bug, or by the Edge (Chrome-based) spoofing bug while on IE Mode. Microsoft does state the fix for the Power BI Report Server addresses a Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability with the template file.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV90001.

Looking Ahead

The next Patch Tuesday falls on December 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

MindShaRE: Using IO Ninja to Analyze NPFS

18 November 2021 at 17:14

In this installment of our MindShaRE series, ZDI vulnerability researcher Michael DePlante describes how he uses the IO Ninja tool for reverse engineering and software analysis. According to its website, IO Ninja provides an “all-in-one terminal emulator, sniffer, and protocol analyzer.” The tool provides many options for researchers but can leave new users confused about where to begin. This blog provides a starting point for some of the most commonly used features. 


Looking at a new target can almost feel like meeting up with someone who’s selling their old car. I’m the type of person who would want to inspect the car for rust, rot, modifications, and other red flags before I waste the owner’s or my own time with a test drive. If the car isn’t super old, having an OBD reader (on-board diagnostics) may save you some time and money. After the initial inspection, a test drive can be critical to your decision. 

Much like checking out a used car, taking software for test drives as a researcher with the right tools is a wonderful way to find issues. In this blog post, I would like to highlight a tool that I have found incredibly handy to have in my lab – IO Ninja.

Lately, I have been interested in antivirus products, mainly looking for local privilege escalation vulnerabilities. After looking at several vendors including Avira, Bitdefender, ESET, Panda Security, Trend Micro, McAfee, and more, I started to notice that almost all of them utilize the Named Pipe Filesystem (NPFS). Furthermore, NPFS is used in many other product categories including virtualization, SCADA, license managers/updaters, etc.

I began doing some research and realized there were not many tools that let you locally sniff and connect to these named pipes easily in Windows. The Sysinternals suite has a tool called Pipelist and it works exactly as advertised. Pipelist can enumerate open pipes at runtime but can leave you in the dark about pipe connections that are opening and closing frequently. Another tool also in the Sysinternals suite called Process Explorer allows you to view open pipes but only shows them when you are actively monitoring a given process. IO Ninja fills the void with two great plugins it offers.

An Introduction to IO Ninja  

When you fire up IO Ninja and start a new session, you’re presented with an expansive list of plugins as shown below. I will be focusing on two of the plugins under the “File Systems” section in this blog: Pipe Monitor and Pipe Server.  

Before starting a new session, you may need to check the “Run as Administrator” box if the pipes you want to interact with require elevated privileges to read or write. You can inspect the permissions on a given pipe with the accesschk tool from the Sysinternals Suite:

The powerful Pipe Monitor plugin in IO Ninja allows you to record communication, as well as apply filters to the log. The Pipe Server plugin allows you to connect to the client side of a pipe. 

IO Ninja: Pipe Monitor

The following screenshot provides a look at the Pipe Monitor plugin that comes by default with IO Ninja.

In the above screenshot, I added a process filter (*chrome*) and started recording before I opened the application. You can also filter on a filename (the name of the pipe), PID, or file ID. After starting Chrome, data started flowing between several pipe instances. This is a terrific way to dynamically gather an understanding of what data is going through each pipe and when those pipes are opened and closed. I found this helpful when interacting with antivirus agents and wanted to know what pipes were being opened or closed based on certain actions from the user, such as performing a system scan or update. It can also be interesting to see the content going across the pipe, especially if it contains sensitive data and the pipe has a weak ACL.
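The Pipelist and accesschk checks mentioned above can be folded into one pass. The following PowerShell script is an added example, not code from the ZDI post or from IO Ninja: it enumerates the pipes currently open under \\.\pipe\, reads each pipe’s owner and DACL through the Win32 security APIs, and flags pipes that Everyone, Authenticated Users, Users or Anonymous can write to. The SID list and the write mask are this script’s own assumptions about what counts as a weak ACL.

```powershell
# Added example (not from the original post): a Pipelist + accesschk style audit of NPFS pipes.
# Run from an elevated prompt to also see pipes whose ACLs deny READ_CONTROL to normal users.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class PipeNative {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateFileW(string name, uint access, uint share,
        IntPtr securityAttributes, uint disposition, uint flags, IntPtr template);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern uint GetSecurityInfo(IntPtr handle, int objectType, uint secInfo,
        out IntPtr owner, out IntPtr group, out IntPtr dacl, out IntPtr sacl, out IntPtr sd);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool ConvertSecurityDescriptorToStringSecurityDescriptorW(
        IntPtr sd, uint revision, uint secInfo, out IntPtr sddl, out uint length);
    [DllImport("kernel32.dll")] public static extern IntPtr LocalFree(IntPtr mem);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr handle);
}
"@

$READ_CONTROL         = 0x00020000
$OPEN_EXISTING        = 3
# SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS: whoever serves the pipe may not impersonate us.
$SQOS_ANONYMOUS       = 0x00100000
$SE_FILE_OBJECT       = 1
$OWNER_AND_DACL       = 0x1 -bor 0x4   # OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
$SDDL_REVISION_1      = 1
$INVALID_HANDLE_VALUE = [IntPtr]::new(-1)

function Get-PipeSddl {
    # Returns the owner and DACL of one pipe as an SDDL string, or $null if they cannot be read.
    param([Parameter(Mandatory)][string]$PipePath)
    $h = [PipeNative]::CreateFileW($PipePath, $READ_CONTROL, 0, [IntPtr]::Zero,
                                   $OPEN_EXISTING, $SQOS_ANONYMOUS, [IntPtr]::Zero)
    if ($h -eq $INVALID_HANDLE_VALUE) { return $null }
    $owner = $group = $dacl = $sacl = $sd = [IntPtr]::Zero
    try {
        $rc = [PipeNative]::GetSecurityInfo($h, $SE_FILE_OBJECT, $OWNER_AND_DACL,
                                            [ref]$owner, [ref]$group, [ref]$dacl, [ref]$sacl, [ref]$sd)
        if ($rc -ne 0) { return $null }
        $str = [IntPtr]::Zero; $len = [uint32]0
        if (-not [PipeNative]::ConvertSecurityDescriptorToStringSecurityDescriptorW(
                $sd, $SDDL_REVISION_1, $OWNER_AND_DACL, [ref]$str, [ref]$len)) { return $null }
        try     { return [System.Runtime.InteropServices.Marshal]::PtrToStringUni($str) }
        finally { [void][PipeNative]::LocalFree($str) }
    } finally {
        if ($sd -ne [IntPtr]::Zero) { [void][PipeNative]::LocalFree($sd) }
        [void][PipeNative]::CloseHandle($h)
    }
}

# Assumption: a write grant to one of these SIDs is what the post calls a weak ACL.
# Everyone, Authenticated Users, BUILTIN\Users, Anonymous
$LowPrivilegeSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-7')
# FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_WRITE | GENERIC_ALL
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-WeakPipeAcl {
    param([Parameter(Mandatory)][string]$Sddl)
    $rsd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $rsd.DiscretionaryAcl) { return $true }   # NULL DACL: everyone gets full access
    foreach ($ace in $rsd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($LowPrivilegeSids -contains $ace.SecurityIdentifier.Value) -and
            (($ace.AccessMask -band $WriteMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-NamedPipeAudit {
    # One row per open pipe; Weak is $true when a low-privilege SID can write to it.
    foreach ($path in [System.IO.Directory]::GetFiles('\\.\pipe\')) {
        $sddl = Get-PipeSddl -PipePath $path
        $weak = if ($null -ne $sddl) { Test-WeakPipeAcl -Sddl $sddl } else { 'unreadable' }
        [pscustomobject]@{
            Pipe = $path.Substring('\\.\pipe\'.Length)
            Weak = $weak
            Sddl = $sddl
        }
    }
}

Get-NamedPipeAudit | Sort-Object Pipe | Format-Table -AutoSize -Wrap
```

Opening a pipe to read its security descriptor consumes one instance and is visible to the server as a client connection, exactly as accesschk’s probe is; the SECURITY_ANONYMOUS flag keeps that server from impersonating the auditing account.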

It can also help a developer debug an application and find issues in real-time like unanswered pipe connections or permission issues as shown below. 

Using IO Ninja’s find text/bin feature to search for “cannot find”, I was able to identify several connections in the log below where the client side of a connection could not find the server side. In my experience, many applications make these unanswered connections out of the box.

What made this interesting was that the process updatesrv.exe, running as NT AUTHORITY\SYSTEM, tried to open the client side of a named pipe but failed with ERROR_FILE_NOT_FOUND. We can fill the void by creating our own server with the name it is looking for and then triggering the client connection by initiating an update within the user interface.

As a low privileged user, I am now able to send arbitrary data to a highly privileged process using the Pipe Server plugin. This could potentially result in a privilege escalation vulnerability, depending on how the privileged process handles the data I am sending it.

IO Ninja: Pipe Server

The Pipe Server plugin is powerful as it allows you to send data to specific client connections from the server side of a pipe. The GUI in IO Ninja allows you to select which conversation you’d like to interact with by selecting from a drop-down list of Client IDs. Just like with the Pipe Monitor plugin, you can apply filters to clean up the log. Below you’ll find a visual from the Pipe Server plugin after starting the server end of a pipe and getting a few client connections.  

In the bottom right of the previous image, you can see the handy packet library. Other related IO Ninja features include a built-in hex editor, file- and script-based transmission, and packet templating via the packet template editor.

The packet template editor allows you to create packet fields and script custom actions using the Jancy scripting language. Fields are visualized in the property grid as shown above on the bottom left-hand side of the image, where they can be edited. This feature makes it significantly easier to create and modify packets when compared to just using a hex editor.

Conclusion

This post only scratches the surface of what IO Ninja can do by highlighting just two of the plugins offered. The tool is scriptable and provides an IDE that encourages users to build, extend or modify existing plugins. The plugins are open source and available in a link listed at the end of the blog. I hope that this post inspires you to take a closer look at NPFS as well as the IO Ninja tool and the other plugins it offers.

Keep an eye out for future blogs where I will go into more detail on vulnerabilities I have found in this area. Until then, you can follow me @izobashi and the team @thezdi on Twitter for the latest in exploit techniques and security patches.

Additional information about IO Ninja can be found on their website. All of IO Ninja’s plugins are open source and available here.

Additional References

If you are interested in learning more you can also check out the following resources which I found helpful.

Microsoft - Documentation: Named Pipes

Gil Cohen - Call the plumber: You have a leak in your named pipe

0xcsandker - Offensive Windows IPC Internals 1: Named Pipes

Two Birds with One Stone: An Introduction to V8 and JIT Exploitation

7 December 2021 at 17:30

In this special blog series, ZDI Vulnerability Researcher Hossein Lotfi looks at the exploitation of V8 – Google’s open-source high-performance JavaScript and WebAssembly engine – through the lens of a bug used during Pwn2Own Vancouver 2021. The contest submission from Bruno Keith (@bkth_) and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_com) exploited both Google Chrome and Microsoft Edge (Chromium) with the same bug, which earned them $100,000 during the event. This bug was subsequently found in the wild prior to being patched by Google. This blog series provides an introduction to V8, a look at the root cause of the bug, and details on exploitation during the contest and beyond.


At our Pwn2Own Vancouver contest this year, the web browser category included the Google Chrome and Microsoft Edge (Chromium) browsers as targets. For this year’s event, a successful demonstration no longer required a sandbox escape. There was also a special bonus for exploits that worked against both Chrome and Edge. On Day Two of the event, Bruno Keith and Niklas Baumstark successfully demonstrated their V8 JIT vulnerability on both the Chrome and Microsoft Edge renderers with a single exploit. This earned them $100,000 USD and 10 Master of Pwn points.

In this blog series, we’ll be covering this exploit in three separate entries:

1 - Two Birds with One Stone: An Introduction to V8 and JIT Exploitation

2 - Understanding the Root Cause of CVE-2021-21220 – A Chrome Bug from Pwn2Own 2021

3 - Exploitation of CVE-2021-21220 – From Pwn2Own to Active Exploit

We’ll begin with the basics of V8 and JIT exploitation.

Gathering Information

This vulnerability has been addressed by Google. More information about the bug can be found on the ZDI advisory page as ZDI-21-411, where there is a link to the Google fix:

This provides us with the Chromium bug entry amongst other details. There are some details provided by the researchers and the actual exploit tested on Chrome 89.0.4389.114 and Edge version 89.0.774.63 (which we will cover in-depth in the final blog in this series). You can see the developers fixed this issue in a commit by making changes in just one file. There is also a proof of concept (PoC) for us to review. Great! Now that we have a PoC, we can have a deeper look at the vulnerability, but we need to set up our analysis environment first.

Setting Up the Environment

It was possible to exploit both the Google Chrome and Microsoft Edge (Chromium) renderer processes with one exploit since both are using V8 as the JavaScript and WebAssembly engine. V8 is developed by Google in C++ and runs on Windows 7 or later, macOS 10.12 and newer, and Linux systems that use x64, IA-32, ARM, or MIPS processors.

V8 is an open-source project. This means you can compile it from the source code. Usually, it is easier to compile such projects on Linux. Thus, I am going to use Ubuntu 18.04.5 to compile V8 (see below):

You can use any other supported operating system you want. The official build document is pretty good and provides abundant detail.

To begin, we need to install a package of scripts called depot_tools to manage checkouts and other tasks:

We then add the depot_tools directory to the PATH environment variable so that its scripts (fetch, gclient, gn, ninja) can be invoked from anywhere:

It is now time to download the V8 source code, which may take a while based on your internet speed. After the download is complete, there will be a new folder called v8. You will need to navigate to this directory to make it the working directory:

This gives us the latest version of V8. However, for this blog series, we need the vulnerable version of V8. We need to first find the affected version of Google Chrome which was available in the Chromium bug entry: 89.0.4389.114.

Cool. Now that we have an affected version of Google Chrome, we can look up information about that version in a service called omahaproxy. Just enter 89.0.4389.114 in the lookup field and press enter:

It gives us some information, including the affected V8 commit:

Now that we have the affected V8 commit, we can checkout that version. You may want to take a snapshot of the latest version of V8 first:

Now it is time to build V8. You can have a release or a debug build. A release build will give you a clean, optimized build that is faster but provides fewer details when running commands. A debug build is an unoptimized, slower build. However, it provides a lot of debug information that can help us to understand this vulnerability. Thus, we are going to choose the debug build:

If all went well, there will be an executable called “d8” in the “out/x64.debug” directory:

You should see this:

V8 is an astonishing piece of engineering that has tons of documentation and details. We can’t go too much into all these details of course, but some concepts need to be covered as they are relevant to this blog series.

Like many other Linux executables, you can pass “--help” to the compiled “d8” to provide you with a long list of all supported options. For this blog post, we are interested in just two of them:

        1 - allow_natives_syntax: By adding this as an argument when running d8, you can access special runtime functions that can be called from JavaScript using the % prefix. To find all supported runtime functions, just go to the “src/runtime” directory and grep for the string “RUNTIME_FUNCTION”. We are just interested in two of them, both of which are available in the “src/runtime/runtime-test.cc” file:

        PrepareFunctionForOptimization: Prepares a specified JavaScript function for JIT optimization. As we will explain below, JIT optimization has certain prerequisites: the function being optimized must first have been translated to bytecodes, and the engine must have collected runtime type information for it.

        OptimizeFunctionOnNextCall: This function marks the target function so that the JIT engine will compile the function into an optimized form immediately before the next execution of the target function.

We will detail how these two are used in our next blog. If you do not want to use these two runtime functions, it is usually enough to call the target function many times in a loop.

        2 - trace-turbo-graph: This argument can be used to trace the generated graph (see below) when it goes through various optimizations. We will see this in action in the second blog.

When the V8 engine loads a JavaScript file, it parses the input and builds an Abstract Syntax Tree (AST). The V8 engine interpreter called “Ignition” generates bytecode from this syntax tree. Check the header file “bytecodes.h” (located inside the “src/interpreter” directory) for a complete list of V8 bytecodes. These bytecodes are then executed (interpreted) by Ignition handlers (check src/interpreter/interpreter-generator.cc). The interpreter has little to do with our vulnerability and thus we do not discuss it any further. There are lots of resources available if you want to study this topic more.

If a function is called many times, or optimization is explicitly requested using runtime functions as described above, the V8 engine will optimize (compile) that function. Optimization is heavily dependent upon information that the engine has previously collected during interpreted executions of the function, especially concerning the data types found in variables. Note that variables in JavaScript are not strongly typed, and to achieve meaningful optimizations, the engine needs to speculate that the types that were encountered in variables during interpreted execution will usually be the same as the types encountered in the future.

The optimizing compiler’s first step is to convert the bytecode into an intermediate representation, which has the form of a graph. This step is performed in PipelineImpl::CreateGraph, found within src/compiler/pipeline.cc:

As you can see, the graph creation has 3 main phases:

         1 - GraphBuilderPhase: A graph is generated by visiting bytecodes previously generated.

         2 - InliningPhase: An initial attempt is made to optimize the generated graph by eliminating dead code, reducing calls, inlining, etc.

         3 - EarlyGraphTrimmingPhase: This phase removes dead->live edges from the graph.

More sophisticated optimizations are performed by PipelineImpl::OptimizeGraph, found in src/compiler/pipeline.cc:

Discussing all the optimizations implemented by V8 is out of scope for this blog series. Instead, we’ll just cover some of the ones we will see in the second blog in this series:

1 -   Typer: The nodes in the graph will get a type which covers possible values of that node. For example, a variable that has values like false or true is typed as a Boolean. As another example, a numeric value that is known to always equal 1 will have a type of range(1, 1).

2 -   Simplified lowering: Some operations are lowered (reduced) to a simplified series of nodes. The example below shows how the Math.abs operation is lowered:

3 -  Early Optimization:  Various optimizations are done in this stage, which is clear when looking at the EarlyOptimizationPhase struct:

As you can see, further optimizations are done in this phase including dead code elimination, redundancy elimination, and something called the MachineOperatorReducer. In the next blog, we will detail how the MachineOperatorReducer plays a major role in this vulnerability.

After all optimizations are completed on the graph, the compiler translates the graph to machine code. All future calls to the optimized function will invoke the compiled version and not the interpreted (bytecode) version. As explained above, though, optimization is performed using speculated assumptions. As a result, the compiled code must contain guards to detect every situation in which an assumption has been violated. In that circumstance, execution falls back to the interpreter again. This is known as a “bailout” or deoptimization.

This way the V8 engine can run any (optimized) function much faster. Please note this blog is a simplification of the process, and the whole procedure is much more complex. The V8 TurboFan documentation is a good starting point if you want to explore it any further.

Conclusion of Part One

In this blog, we set up the V8 environment and played a bit with some of its features. In the next blog, we will analyze the vulnerability used at Pwn2Own. Expect to see that blog in just two days from now.

Until then, you can find me on Twitter at @hosselot and follow the team for the latest in exploit techniques and security patches.


Understanding the Root Cause of CVE-2021-21220 – A Chrome Bug from Pwn2Own 2021

9 December 2021 at 16:59

In this second blog in the series, ZDI Vulnerability Researcher Hossein Lotfi looks at the root cause of CVE-2021-21220. This bug was used by Bruno Keith (@bkth_) and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_com) during Pwn2Own Vancouver 2021 to exploit both Chrome and Edge (Chromium) to earn $100,000 at the event. Today’s blog starts with a look at how to trigger the vulnerability and goes on to describe why the bug occurs.


I begin Part 2 of this blog series with a discussion of how to trigger the vulnerability. For clarity, I modified the PoC slightly and came up with the following:

Lines 3 and 5 use the two runtime functions I covered in our first blog, and lines 4 and 6 simply use “console.log” to print the result. Let’s see what happens in the first and second lines:

Line 1: Constructs a Uint32Array (a typed array that can hold 32-bit unsigned integers). The array contains just one element, having the value 2^31 (2,147,483,648 in decimal or 0x80000000 in hex). The array is assigned to variable arr.

Line 2: Defines a function called “foo” that takes the first element of arr (which is 2^31), XORs it with the constant integer 0, adds the constant integer 1, and returns the result.

There are some interesting points in these two lines:

        1 - 0x80000000 has its most significant bit set. This is known as the sign bit when handling signed integers.
        2 - XORing any value with zero will return the original value unchanged. If this XOR does not have any effect, then why was it necessary to include it? We will answer this soon.
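The PoC itself is an image that is not reproduced on this page, so the following is an added reconstruction from the line-by-line description above, not the contestants’ original file. It is written so that it runs under plain Node.js as well as d8: the warm-up loop stands in for the two %-runtime calls (which are a syntax error without --allow-natives-syntax and are therefore left in a comment), and the iteration count, the checkJitConsistency/checkAll helper names and the “sar”/“shl” variants (alternative reducible operations mentioned later in this post) are additions made here. On a patched engine every entry reports consistent: true with a value of -2147483647; on a d8 built at the vulnerable commit the hot result should differ from the cold one.

```javascript
// Added example, reconstructed from the description in the post rather
// than copied from the original PoC file. Runs under Node.js and under d8.
const arr = new Uint32Array([0x80000000]); // one element: 2**31, sign bit set

// Line 2 of the PoC: load arr[0] (Unsigned32), XOR with 0, add 1.
function foo() {
  return (arr[0] ^ 0) + 1;
}

// The no-op XOR can be swapped for a shift by zero, which the
// MachineOperatorReducer also folds away. Added here as variants.
const variants = {
  xor: () => (arr[0] ^ 0) + 1,
  sar: () => (arr[0] >> 0) + 1,
  shl: () => (arr[0] << 0) + 1,
};

// Call fn once cold (interpreted), then enough times for TurboFan to
// optimize it, then once hot, and report whether the two results agree.
// Under d8 with --allow-natives-syntax the loop can be replaced by:
//   %PrepareFunctionForOptimization(fn); fn(); %OptimizeFunctionOnNextCall(fn);
function checkJitConsistency(fn, iterations = 100000) {
  const cold = fn();
  for (let i = 0; i < iterations; i++) fn();
  const hot = fn();
  return { cold, hot, consistent: cold === hot };
}

// Run the differential check for foo and for each variant.
function checkAll() {
  const results = { foo: checkJitConsistency(foo) };
  for (const [name, fn] of Object.entries(variants)) {
    results[name] = checkJitConsistency(fn);
  }
  return results;
}

console.log(checkAll());
```

The spec result is -2147483647: arr[0] is 2,147,483,648, the bitwise operator applies ToInt32 and yields -2,147,483,648, and adding 1 gives -2,147,483,647. Any other hot value is the JIT changing semantics, which is exactly what the next section investigates.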

Save this PoC as “poc.js” and run it with the following command:

$ ./d8 --allow_natives_syntax '/home/lab/Desktop/poc.js'

It should print the following output:

Interesting! The results of the interpreted and JITted versions are different, which should never happen. The JIT is supposed to speed up the function, never to change its result.

Now that we are here, let’s have a look at the patch, as it may give us some hints as to why this is happening:

The only change is inside the function InstructionSelector::VisitChangeInt32ToInt64, found within the file src/compiler/backend/x64/instruction-selector-x64.cc. There is also a nice comment, which can provide us an educated guess. As mentioned in the first blog, a JITted function will be compiled to assembly to achieve maximum speed. Before the patch, on the x64 platform, if there was a load of a signed int32 into a 64-bit register, the kX64Movsxlq opcode would be selected. Conversely, when an unsigned int32 was loaded into a 64-bit register, the kX64Movl opcode would be used. This choice between two opcodes is intended to ensure that the upper 32 bits of the destination register are set properly by the load: When loading an unsigned 32-bit value, the upper 32 bits in the destination should be set to all zeros, whereas when loading a signed 32-bit value, the upper 32 bits in the destination should all be set to match the sign bit of the source value. After the patch, the kX64Movsxlq opcode is used in all cases. As the function name denotes, it expects a signed int32 input, so the kX64Movsxlq opcode is always the correct choice.

Apparently, though, the PoC somehow managed to provide an unsigned input to this function! How is this possible? This is what we must investigate next.

Deep Blue Sea of Nodes

To find the root cause of this vulnerability, we can pass the “--trace-turbo-graph” argument to d8 to see generated turbofan graphs:

./d8 --allow_natives_syntax --trace_turbo_graph '/home/lab/Desktop/poc.js'

As this vulnerability has something to do with the type of the input, it seems like a good idea to first check how the typer assigned types to the nodes. For this purpose, we need to find “Graph after V8.TFTyper” in the output and check its data:

This is what we see:

LoadTypedElement: This shows loading the element from our typed array. The type is Unsigned32.
SpeculativeNumberBitwiseXor: For the XOR operation. The type is Signed32.
NumberConstant[1]: For the constant number 1.
SpeculativeNumberAdd: For adding 1 to the result of the XOR.

All types make sense. Let’s move on to a later phase called “simplified lowering”:

After the simplified lowering phase this becomes:

LoadTypedElement: Type is still Unsigned32.
Word32Xor: Type is still Signed32.
ChangeInt32ToInt64 (#31:Word32Xor): This node is new. It takes the result of the XOR and converts it to Int64. Remember that the patch fixed this vulnerability by changing the InstructionSelector::VisitChangeInt32ToInt64 function. That means this node will be important in our analysis. For now, it seems OK as this node takes a Word32Xor node that is signed.
Int64Constant[1]: For the constant number 1.
Int64Add: For adding 1 to the result of the XOR.

The “--trace-turbo-graph” output shows how the engine optimizes the graph by performing numerous transformations. During the early optimization phase, the execution flow reaches a function called MachineOperatorReducer::ReduceWordNXor within v8/src/compiler/machine-operator-reducer.cc to deal with the XOR operation in our PoC:

Let’s have a quick look at the XOR in our PoC again. We XOR arr[0] by 0, and we know that XOR by 0 has no effect and returns arr[0]. Now check the highlighted section in the picture above. Here the engine checks if the right operand is provably equal to 0 and, if so, it replaces the XOR operation with the left node (arr[0]). In this way, the engine removes the no-op XOR to achieve better speed. How cool! Unfortunately, there is a small problem: the replaced XOR operation had an output type of Signed32, but arr[0] has a type of Unsigned32. The EarlyOptimization phase output shows this clearly:

The nodes now are:

Comparing this output with that of the simplified lowering phase, we can see two major changes:

         1 - The Word32Xor node is not available anymore. It has been replaced.
         2 - The ChangeInt32ToInt64 (#31:Word32Xor) node has been changed to ChangeInt32ToInt64 (#45:LoadTypedElement). This is where the vulnerability occurs. ChangeInt32ToInt64 needs a Signed32 node. This was ok before, because Word32Xor was signed, but now it gets a LoadTypedElement node, which is unsigned.

As a side note: now that we know the root cause of this vulnerability, we can develop some variants. For example, we can replace the XOR with a SAR using the “>>” operator (check the “MachineOperatorReducer::ReduceWord64Sar” function) or a SHL using the “<<” operator (check the “MachineOperatorReducer::ReduceWord64Shl” function).

Later, execution reaches the vulnerable function InstructionSelector::VisitChangeInt32ToInt64:

It checks whether the input is a signed load, but the reducer has replaced the signed Word32Xor input with the unsigned LoadTypedElement node, so kX64Movl is chosen.

How can this cause a problem? The kX64Movsxlq opcode translates to an Intel movsxd instruction, while the kX64Movl opcode translates to an Intel mov instruction. For a 32-bit source value with the most significant bit not set, there is no difference between these two. However, if the source has a 1 as the most significant bit, they deliver two very different results. Recall that the value stored in the array is 0x80000000, which has the most significant bit set. Let’s illustrate the difference between movsxd and mov by doing a small experiment in x64dbg. We will perform a movsxd of the 32-bit value 0x80000000 into rbx and a mov of the same 32-bit value 0x80000000 into rcx. Here are the registers before the move instructions:

And here are the results after the moves:

As you can see, the value of rbx is very different from rcx. Unlike the mov instruction, the movsxd instruction sign-extended the value. So if the engine chooses the wrong instruction, it loads an incorrect value into the register, and every computation downstream of that load is wrong.
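To make the movsxd/mov difference concrete without a debugger, the following added example (not from the original post) models both loads with BigInt, which gives exact 64-bit integers, and feeds each into the Int64Add of the lowered graph. The opcode names are the ones from the patch; the helper names, the sample inputs and the comparison table are assumptions made here to show that the two loads agree for every value below 2^31 and disagree for every value at or above it.

```javascript
// Added example (not part of the original post): model the two x64 loads
// the instruction selector may pick for ChangeInt32ToInt64 and show where
// they disagree. BigInt keeps the 64-bit arithmetic exact.

// kX64Movsxlq -> movsxd r64, r/m32: bit 31 is copied into bits 32..63.
function movsxd(word32) {
  return BigInt.asIntN(64, BigInt.asIntN(32, BigInt(word32)));
}

// kX64Movl -> mov r32, r/m32: bits 32..63 of the destination are cleared.
function movl(word32) {
  return BigInt.asIntN(64, BigInt.asUintN(32, BigInt(word32)));
}

// Int64Add with the Int64Constant[1] that follows the load in the graph.
function int64Add1(value) {
  return BigInt.asIntN(64, value + 1n);
}

// Result of the optimized foo() if the selector emits `opcode` for the
// unsigned LoadTypedElement that ends up feeding ChangeInt32ToInt64.
function jitResult(elem, opcode) {
  const loaded = opcode === "kX64Movsxlq" ? movsxd(elem) : movl(elem);
  return int64Add1(loaded);
}

// What the interpreter computes per the JS spec: ToInt32(elem) ^ 0, then + 1.
function interpreterResult(elem) {
  return BigInt((elem ^ 0) + 1);
}

// Compare both opcodes against the interpreter for several 32-bit values.
function compare(elems) {
  return elems.map((elem) => {
    const ref = interpreterResult(elem);
    const signExt = jitResult(elem, "kX64Movsxlq");
    const zeroExt = jitResult(elem, "kX64Movl");
    return {
      elem: "0x" + elem.toString(16),
      msbSet: (elem >>> 31) === 1,
      interpreter: ref,
      movsxd: signExt,
      movl: zeroExt,
      movsxdCorrect: signExt === ref,
      movlCorrect: zeroExt === ref,
    };
  });
}

// Constructed inputs: two values below 2**31 and two with the sign bit set.
const SAMPLES = [0x00000001, 0x7fffffff, 0x80000000, 0xffffffff];
for (const row of compare(SAMPLES)) console.log(row);
```

For the PoC’s 0x80000000, movsxd gives -2147483648 and the add yields -2147483647, matching the interpreter; movl gives 2147483648 and the add yields 2147483649, the wrong answer the JITted foo() returns on a vulnerable build.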

Before finishing this blog, I would like to clarify one more point. Why is the “add 1” needed? In fact, if you remove it, the vulnerability is no longer triggered and the PoC never reaches the vulnerable function! Why is that?

To answer this question, we can remove the “add 1” from the PoC and examine the effect on the graph.

First, the graph if the “add 1” is removed:

When the “add 1” is removed, there is no need for a “ChangeInt32ToInt64” node in the graph anymore. Instead, a “ChangeInt32ToTagged” node is used to directly convert the result of the XOR to a tagged value and return.

Compare with the graph of the PoC including the “add 1”:

By including an “add 1” operation, the result of XOR (which is Signed32) needs to be first converted to int64 using a ChangeInt32ToInt64 node in preparation for the addition. Note that 1 is an Int64Constant. After the add, the result is changed to a tagged value and returned.

Therefore, we conclude that the “add 1” is needed to trigger insertion of a “ChangeInt32ToInt64” node.

Conclusion

In this blog post we identified the root cause of the vulnerability used at Pwn2Own and saw how the contestants chained a series of clever values and operations to trigger an incorrect behavior in the JIT engine. In the final blog in this series, we will explore how this issue was exploited. That blog will be published one week from today.

Until then, you can find me on Twitter at @hosselot and follow the team for the latest in exploit techniques and security patches.


The December 2021 Security Update Review

14 December 2021 at 18:37

The final second Tuesday of the year is here, and this month, it brings much more than just patches from Microsoft and Adobe. Take a break from your holiday preparations and join us as we review the details of the latest security patches.

CVE-2021-44228: Log4Shell (Log4j)

Unless you have been hiding under a rock with your eyes closed and your fingers in your ears, you have heard of a recently disclosed vulnerability in the Java logging library known as Apache Log4j. The vulnerability could allow remote code execution on affected applications and servers simply by getting them to log a certain string. Of course, the biggest issue is just how large the list of affected applications is. No one has a good answer other than “a whole lot,” as this library is nearly ubiquitous. Here’s how an infection flow might look:

Affected products are still being identified and range from web frameworks like Apache Struts to games like Minecraft to banking and financial applications. If you run a server built on open-source software, there’s a good chance you are impacted by this vulnerability. Trend Micro has published this blog, which details the bug and provides IOCs and guidance to detect attacks. So far, we’re seeing active exploits dropping Mirai variants and Kinsing coin miners on affected servers. Check with all the vendors in your enterprise to see if they are impacted and what patches are available. We’ve also released a tool you can use to scan your enterprise for affected systems. You can access it at https://log4j-tester.trendmicro.com/.

Apple Patches for December 2021

While Apple doesn’t release on a second Tuesday cycle, they did release significant patches yesterday that shouldn’t be ignored. New updates are available for iOS and iPad OS, macOS Monterey, macOS Big Sur, tvOS, and watchOS. There’s also a security update for Catalina. While none of the bugs patched are listed as being under active attack, several of these vulnerabilities were reportedly used during the last Tianfu Cup. Exploits demonstrated at this contest have received a lot of attention in the past, and this bunch will likely receive the same amount of scrutiny from researchers and attackers alike. 

Adobe Patches for December 2021

For December, Adobe released 11 patches addressing 60 CVEs in Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager, and Premiere Rush. A total of 31 of these bugs were reported by ZDI vulnerability researcher Mat Powell. The most severe of these updates impacts Adobe Experience Manager. This patch fixes eight different bugs, including one rated as CVSS 9.8 and several stored cross-site scripting (XSS) issues. The update for Premiere Rush fixes 16 bugs, many of which are rated Critical. However, there are no CVSS scores listed on this one. Considering many of the bugs result in arbitrary code execution, treat them as you would any other high-scoring vuln.

The patch for Premiere Pro fixes only five CVEs, but one of those is a Critical-rated Out-of-Bounds (OOB) write that could allow arbitrary code execution. The specific flaw exists within the parsing of 3GP files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. The update for After Effects covers 10 CVEs, including two that could allow code execution. Most of the update fixes privilege escalation bugs. The Dimension patch also fixes three Critical-rated code execution bugs along with a few privilege escalations.

The patch for Adobe Audition fixes three Moderate bugs, while the Lightroom fix addresses a single privilege escalation. The patch for Media Encoder fixes five bugs, two of which are rated Critical and could allow remote code execution. Similarly, the patch for Prelude includes a fix for one Critical code execution bug to go along with an Important LPE. The update for Connect addresses a single CSRF bug. The patch for Photoshop fixes two Critical and one Important-rated bug. The Critical bugs could allow code execution if you open a specially crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Google Chrome Patches for December 2021

Google is another vendor that doesn’t follow the Patch Tuesday release cycle but still managed to release a significant update yesterday. The Chrome Stable channel has been updated to 96.0.4664.110, and the patch includes five security fixes. One of these bugs, CVE-2021-4102, a use-after-free bug in V8, is listed as having exploits in the wild. Three other High severity bugs and one Critical severity bug are also addressed. ’Tis the season to be shopping online. Make sure your browser is up to date as you do so. These bugs are not included in the Edge (Chromium-based) updates discussed below. If you’re interested in other V8 bugs, check out this series of blogs recently published by ZDI vulnerability researcher Hossein Lotfi.

Microsoft Patches for December 2021

For December, Microsoft released patches today for 67 new CVEs in Microsoft Windows and Windows Components, ASP.NET Core and Visual Studio, Azure Bot Framework SDK, Internet Storage Name Service, Defender for IoT, Edge (Chromium-based), Microsoft Office and Office Components, SharePoint Server, PowerShell, Remote Desktop Client, Windows Hyper-V, Windows Mobile Device Management, Windows Remote Access Connection Manager, TCP/IP, and the Windows Update Stack. This is in addition to the 16 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the December total to 83 CVEs.

This brings the total number of CVEs patched by Microsoft this year to 887 – a 29% decrease from 2020. This excludes the CVEs consumed from Chrome for the Edge (Chromium-based) browser. Based on recent reports, the Microsoft bug bounty program received approximately the same number of vulnerability reports as last year. It’s unclear if Microsoft is combining multiple submissions into a single CVE or if there is a significant backlog of patches just waiting to be released. It could lead to a rough 2022 for patching. At least there are no Exchange Server patches to worry about over the holidays.

Of the CVEs patched today, seven are rated Critical and 60 are rated as Important in severity. A total of 10 of these bugs came through the ZDI program. Five of these bugs are listed as publicly known, and one is listed as being publicly exploited at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the 0-day that was patched:

-       CVE-2021-43890 - Windows AppX Installer Spoofing Vulnerability
Emotet is like that holiday guest that just won’t take a hint and leave. This patch fixes a bug in the AppX installer that affects Windows. Microsoft states they have seen the bug used in malware in the Emotet/Trickbot/Bazaloader family. An attacker would need to craft a malicious attachment to be used in phishing campaigns and then convince the user to open it. Code execution would occur at the level of the logged-on user, so attackers would likely combine this with another bug to take full control of a system. This malware family has been going for some time now, and it seems like it will be around for a bit longer.

-       CVE-2021-43215 – iSNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Internet Storage Name Service (iSNS) server that could allow remote code execution if an attacker sends a specially crafted request to an affected server. If you aren’t familiar with it, iSNS is a protocol that enables automated discovery and management of iSCSI devices on a TCP/IP storage network. In other words, if you’re running a SAN in your enterprise, you either have an iSNS server or you configure each of the logical interfaces individually. This bug is one of three CVSS 9.8 bugs fixed this month. If you have a SAN, prioritize testing and deploying this patch. 

-       CVE-2021-43899 – Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability
This update fixes a vulnerability that could allow an unauthenticated attacker to execute their code on an affected device. The attacker would need to be on the same network as the Microsoft 4K Display Adapter. If they are, they could send specially crafted packets to the affected device. Patching this won’t be an easy chore. To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can they use the “Update & Security” section of the app to download the latest firmware to mitigate this bug. This is the second CVSS 9.8 bug being patched this month.

-       CVE-2021-43907 – Visual Studio Code WSL Extension Remote Code Execution Vulnerability
This is the final CVSS 9.8 vulnerability being patched this month. The impacted component lets users use the Windows Subsystem for Linux (WSL) as a full-time development environment from Visual Studio Code. It allows you to develop in a Linux-based environment, use Linux-specific toolchains and utilities, and run and debug Linux-based applications all from within Windows. That sort of cross-platform functionality is used by many in the DevOps community. This patch fixes a remote code execution bug in the extension, but Microsoft doesn’t specify exactly how that code execution could occur. They do list it as requiring neither authentication nor user interaction, so if you use this extension, get this update tested and deployed quickly.

-       CVE-2021-42309 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug reported through the ZDI program. The vulnerability allows a user to elevate and execute code in the context of the service account. An attacker would need “Manage Lists” permissions on a SharePoint site, but by default, any authorized user can create their own new site where they have full permissions. This bug allows an attacker to bypass the restriction against running arbitrary server-side web controls. This is similar to the previously patched CVE-2021-28474. However, in this case, the unsafe control is “smuggled” in a property of an allowed control.

Here’s the full list of CVEs released by Microsoft for December 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-43890 Windows AppX Installer Spoofing Vulnerability Important 7.1 Yes Yes Spoofing
CVE-2021-43240 NTFS Set Short Name Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-43893 Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability Important 7.5 Yes No EoP
CVE-2021-43883 Windows Installer Elevation of Privilege Vulnerability Important 7.1 Yes No EoP
CVE-2021-43880 Windows Mobile Device Management Elevation of Privilege Vulnerability Important 5.5 Yes No EoP
CVE-2021-41333 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-43215 iSNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-43899 Microsoft 4K Wireless Display Adapter Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-42310 Microsoft Defender for IoT Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-43905 Microsoft Office app Remote Code Execution Vulnerability Critical 9.6 No No RCE
CVE-2021-43233 Remote Desktop Client Remote Code Execution Vulnerability Critical 7 No No RCE
CVE-2021-43907 Visual Studio Code WSL Extension Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-43217 Windows Encrypting File System (EFS) Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-43877 ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43225 Bot Framework SDK Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2021-43219 DirectX Graphics Kernel File Denial of Service Vulnerability Important 7.4 No No DoS
CVE-2021-40452 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40453 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-41360 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43892 Microsoft BizTalk ESB Toolkit Spoofing Vulnerability Important 7.1 No No Spoofing
CVE-2021-42312 Microsoft Defender for IOT Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43888 Microsoft Defender for IoT Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-41365 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42311 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42313 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42314 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42315 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-43882 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2021-43889 Microsoft Defender for IoT Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-43256 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-42293 Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability Important 6.5 No No EoP
CVE-2021-43216 Microsoft Local Security Authority Server (lsasrv) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-43222 Microsoft Message Queuing Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-43236 Microsoft Message Queuing Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-43875 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43255 Microsoft Office Trust Center Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-43896 Microsoft PowerShell Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-42294 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-42309 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-42320 Microsoft SharePoint Server Spoofing Vulnerability Important 8 No No Spoofing
CVE-2021-43242 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-43227 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43235 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43228 SymCrypt Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-42295 Visual Basic for Applications Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43891 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43908 Visual Studio Code Spoofing Vulnerability Important N/A No No Spoofing
CVE-2021-43243 VP9 Video Extensions Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43214 Web Media Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43207 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43226 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43224 Windows Common Log File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-43248 Windows Digital Media Receiver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43245 Windows Digital TV Tuner Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43232 Windows Event Tracing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43234 Windows Fax Service Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-43246 Windows Hyper-V Denial of Service Vulnerability Important 5.6 No No DoS
CVE-2021-43244 Windows Kernel Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-40441 Windows Media Center Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43229 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43230 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43231 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43239 Windows Recovery Environment Agent Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-43223 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43238 Windows Remote Access Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43237 Windows Setup Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-43247 Windows TCP/IP Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
* CVE-2021-4052 Chromium: CVE-2021-4052 Use after free in web apps High N/A No No RCE
* CVE-2021-4053 Chromium: CVE-2021-4053 Use after free in UI High N/A No No RCE
* CVE-2021-4054 Chromium: CVE-2021-4054 Incorrect security UI in autofill High N/A No No RCE
* CVE-2021-4055 Chromium: CVE-2021-4055 Heap buffer overflow in extensions High N/A No No RCE
* CVE-2021-4056 Chromium: CVE-2021-4056: Type Confusion in loader High N/A No No RCE
* CVE-2021-4057 Chromium: CVE-2021-4057 Use after free in file API High N/A No No RCE
* CVE-2021-4058 Chromium: CVE-2021-4058 Heap buffer overflow in ANGLE High N/A No No RCE
* CVE-2021-4059 Chromium: CVE-2021-4059 Insufficient data validation in loader High N/A No No RCE
* CVE-2021-4061 Chromium: CVE-2021-4061 Type Confusion in V8 High N/A No No RCE
* CVE-2021-4062 Chromium: CVE-2021-4062 Heap buffer overflow in BFCache High N/A No No RCE
* CVE-2021-4063 Chromium: CVE-2021-4063 Use after free in developer tools High N/A No No RCE
* CVE-2021-4064 Chromium: CVE-2021-4064 Use after free in screen capture High N/A No No RCE
* CVE-2021-4065 Chromium: CVE-2021-4065 Use after free in autofill High N/A No No RCE
* CVE-2021-4066 Chromium: CVE-2021-4066 Integer underflow in ANGLE High N/A No No RCE
* CVE-2021-4067 Chromium: CVE-2021-4067 Use after free in window manager High N/A No No RCE
* CVE-2021-4068 Chromium: CVE-2021-4068 Insufficient validation of untrusted input in new tab page Low N/A No No Spoofing

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the rest of the release, the 10 patches – one Critical and nine Important – for Microsoft Defender for IoT stand out. Several of these were reported to the ZDI program by an anonymous researcher. One of the more severe bugs exists in the password reset mechanism. A password reset request consists of a signed JSON document, a signing certificate, and an intermediate certificate that was used to sign the signing certificate. The intermediate certificate is supposed to chain up to a root CA certificate built into the appliance. Due to a flaw in this process, an attacker can reset someone else’s password. Patching these bugs requires a sysadmin to take action on the device itself. Automatic updates are available here.

Moving on to the other Critical-rated bugs, there’s another RDP bug, but this one is in the client instead of the server. There’s a bug in the Microsoft Office app that could allow unauthenticated remote code execution, but it’s not clear how, since Microsoft lists user interaction as required. You will likely be updated automatically through the Microsoft Store, but if you have disabled automatic Store updates, you’ll need to update manually through the Store. The final Critical-rated bug affects the Windows Encrypting File System (EFS). An attacker could cause a buffer overflow leading to unauthenticated, non-sandboxed code execution, even if the EFS service isn’t running at the time, because the EFS interfaces can trigger a start of the EFS service if it is not running.

Of the remaining remote code execution bugs, only a few stand out. A few are in the HEVC Video Extensions and equate to either open-and-own or browse-and-own bugs. Similar to the Office app, the update will be delivered through the Windows Store. If you have disabled Store updates or are in a disconnected environment, you’ll need to use either the Microsoft Store for Business or the Microsoft Store for Education. The same goes for the Web Media Extensions. There are a few RCE bugs in Office applications, but those get updates through the normal methods. Same goes for the Windows Fax service, which is a nice reminder that faxes are a thing that some people still use.

There are 21 patches addressing Elevation of Privilege (EoP) bugs, including all five publicly known vulnerabilities. As always, Microsoft does not give any indication on what information about these bugs is public or where the disclosure was made. For the most part, these bugs require an attacker to log on to an affected system and run a specially crafted application to elevate privileges. A couple of other notable EoP bugs were reported to the ZDI by Abdelhamid Naceri. The first occurs in Windows Remote Access and the second occurs in the Windows Update Assistant. By creating a directory junction, an attacker can abuse Windows Update Assistant to change the DACL on an arbitrary file. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.

The December release includes fixes for 10 information disclosure bugs. For nine of these bugs, the vulnerabilities result in leaks consisting of unspecified memory contents. However, for the info disclosure bug in Microsoft Defender for IoT, an attacker could disclose device security information, which includes things like the security score, any outdated operating systems, and malware infections.

There are three denial-of-service (DoS)-related patches fixing bugs in Hyper-V, SymCrypt, and the DirectX Graphics component. No additional details are provided by Microsoft regarding these bugs.

This month’s release is rounded out by seven patches for spoofing bugs. Of note, the fix for the Microsoft Office Trust Center requires multiple patches to completely address the bug. On the upside, they can be installed in any order. The other spoofing bugs exist in SharePoint and PowerShell, but no additional details are available.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on January 11, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean! Merry Christmahanakwanzika!


Exploitation of CVE-2021-21220 – From Incorrect JIT Behavior to RCE

16 December 2021 at 14:38

In this third and final blog in the series, ZDI Vulnerability Researcher Hossein Lotfi looks at the method of exploiting CVE-2021-21220 for code execution. This bug was used by Bruno Keith (@bkth_) and Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_com) during Pwn2Own Vancouver 2021 to exploit both Chrome and Edge (Chromium) to earn $100,000 at the event. Today’s blog looks at the exploitation technique used at the contest.

You can find Part One of this series here and Part Two here.


Exploiting Incorrect Numeric Results in JIT

In the second blog in this series, we discussed how CVE-2021-21220 can be used to make the JIT generate code that produces an incorrect numeric result. We now need to explain how this can be leveraged to produce an effect that has a security impact, such as an out-of-bounds memory access.

In the past, turning an incorrect numeric result into an OOB memory access was often accomplished by abusing array bounds check elimination. This method was effective for a long time. Take a look at the following simplified sample:

The length of array arr is 4, and we are returning an element of this array. V8 will perform run-time bounds checking to make sure that the last statement does not access memory outside the bounds of the array. During optimization of such a function, V8 might remove the array bounds check if it concludes that typer_index is always zero (or, in general, if typer_index * 10 is provably always inside the bounds of the array). This saves a few more CPU cycles during execution of the optimized function. In the event that JITted code produces an erroneous numeric result, though, it may be possible to fool the V8 engine into thinking typer_index must be zero, while in actuality it will be set to a different (erroneous) value. Then, when the array access is performed, it will trigger an out-of-bounds memory access.

This method was so successful that the V8 developers eventually decided to remove array-bounds-check elimination. See this blog for more information about this exploitation technique, as well as this blog for further discussion.

Since V8 mitigated the array bounds elimination exploitation technique, a new technique is necessary. At Pwn2Own, the contestants used a technique that produces out-of-bounds access via ArrayPrototypePop and ArrayPrototypeShift. I was able to trace this method back to late 2020 by searching the Chromium bug tracking system. It was mitigated a week after the Pwn2Own competition by adding a new CheckBounds node. Here I provide you with a quick analysis of this method:

When a function undergoing optimization has calls to the Array.shift method, the execution flow eventually reaches the function JSCallReducer::ReduceArrayPrototypeShift function (see src/compiler/js-call-reducer.cc). Since a call to the built-in shift JavaScript method is relatively slow, the optimizer replaces the call with a series of operations that can be performed at the assembly level. As you may know, "Array.shift" removes the first element from an array and returns that removed element. After removing that element, the JIT-produced code computes the new array length by subtracting 1 from the original array length:

After subtracting 1, the JIT-produced code stores the result as the new array length. How can this be exploited? Well, it turns out that if we can abuse a JIT vulnerability to fool the engine into thinking that the array length is zero where it is not, it blindly subtracts one from zero. The integer underflow sets the array length to -1, which allows a subsequent OOB memory access to occur (array bounds checks are unsigned). This Chromium bug entry provides more information if you are interested.

Although the two exploitation techniques described above have now both been mitigated, new methods are still coming out using JIT vulnerabilities to cause side effects and achieve out-of-bounds memory access.

From Out-of-Bounds Access to Code Execution

The method of V8 exploitation after obtaining an OOB read/write primitive is well known. Here are the steps:

1 - Trigger the vulnerability and the side effect to get a “relative” out-of-bounds memory access to corrupt the length of one or more arrays sitting next to the original array.

2 - Make addrof/fakeobj primitives. The addrof primitive leaks the address of an arbitrary JavaScript object. The fakeobj primitive performs the reverse action: it injects into the engine an arbitrary value that the engine will interpret as a pointer to a JavaScript object.

3 - Use fakeobj to forge a JavaScript array object whose data buffer field is an arbitrary attacker-specified address. The attacker can then use the forged array to read or write arbitrary memory addresses. (Compare with the OOB access of step 1 above, which only permits access to arbitrary specified offsets past the start of the original array.)

4 - Use the addrof primitive to leak the address of a wasm function. This will be where we copy our shellcode. A wasm function is a good choice because the memory it occupies is marked with RWX (Read-Write-Execute) permissions.

5 - Use the fakeobj primitive to copy shellcode to the RWX page. To make copying the shellcode easier, an ArrayBuffer that has an uncompressed backing_store pointer is often used. This overwrites the wasm function instructions with our shellcode.

6 - Execute the shellcode by calling the wasm function.

Here is how it was actually done at Pwn2Own. The exploit starts by defining some helper functions to convert between floats and integers:
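The helpers themselves were shown as an image in the original post. The block below is an added reconstruction of the standard float-to-integer helpers that V8 exploits use, written for this page; it is not the Pwn2Own entry's own code, and the names (ftoi, itof, lo32, hi32, pack32, untag) are this example's choice. It assumes a little-endian host, which is what Float64Array and Uint32Array expose on x86 and ARM.

```javascript
// Added example (not the contest exploit's code): reinterpreting the raw bits
// of a JavaScript double as an integer and back.
//
// V8 stores unboxed doubles in PACKED_DOUBLE_ELEMENTS arrays as raw 64-bit
// IEEE-754 words, so reading a pointer through an overlapping double array
// yields a double whose bit pattern *is* the pointer. These helpers move the
// bits across a shared buffer without any numeric conversion.

const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);
const u32 = new Uint32Array(f64.buffer);

// double -> 64-bit integer with the same bit pattern
function ftoi(x) {
  f64[0] = x;
  return u64[0];
}

// 64-bit integer -> double with the same bit pattern
function itof(n) {
  u64[0] = BigInt.asUintN(64, n);
  return f64[0];
}

// With pointer compression (default in 64-bit V8 builds of this era), one
// 8-byte element slot in an object array holds two 32-bit tagged values, so a
// leaked double is usually split into its low and high halves.
// Assumes little-endian: the first 32-bit word is the low half.
function lo32(x) {
  f64[0] = x;
  return u32[0];
}

function hi32(x) {
  f64[0] = x;
  return u32[1];
}

// Build a double from two 32-bit halves (inverse of lo32/hi32); this is what a
// fakeobj write looks like when a compressed pointer must land in one slot.
function pack32(lo, hi) {
  u32[0] = lo >>> 0;
  u32[1] = hi >>> 0;
  return f64[0];
}

// V8 tags heap pointers by setting bit 0; clear it to get the raw address.
function untag(p) {
  return p & ~1n;
}

function hex(n) {
  return '0x' + n.toString(16);
}

// Self-check with constructed values (these are not leaked addresses).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(hex(ftoi(1.0)));             // 0x3ff0000000000000
  console.log(itof(0x4000000000000000n));  // 2
  const d = pack32(0xdeadbeef, 0x08040201);
  console.log(hex(lo32(d)), hex(hi32(d)));
  console.log(hex(untag(BigInt(lo32(d)))));
}
```

The design point is that the conversion never goes through Number arithmetic: a double holding a pointer may be a NaN or denormal, and any arithmetic on it could canonicalise the bits. Only a typed-array view preserves them exactly.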

It then triggers the JIT vulnerability:

After triggering the vulnerability, the value of the “bad” variable is huge, and thus it goes into a series of Math.max calls to achieve a smaller value (1). This confused value is then used to create an array, and a shift on this array is used to produce an array having length -1. This allows the exploit to access memory at arbitrary offsets past the end of the array.

Setting up the wasm RWX memory is the next step:

Note that the contents of the wasm function is not important, as its instructions will be replaced with shellcode.

Next, the exploit allocates 3 arrays:

• A PACKED_DOUBLE_ELEMENTS array (after_dbl)
• This is followed in memory by a PACKED_ELEMENTS array (after_obj)
• This is followed in memory by another PACKED_DOUBLE_ELEMENTS (after_dbl2)

Using the out-of-bounds access via the array with length -1, it then increases the lengths of the after_dbl and after_obj arrays:

After the lengths have been altered, some of the data of after_dbl overlaps with some of the data of after_obj. Similarly, some of the data of after_obj overlaps with some of the data of after_dbl2. This will allow the exploit to perform type confusions.

Now the exploit is all ready to create the addrof and fakeobj primitives, which is done as follows:

• The addrof primitive: To leak the address of an object, the exploit first assigns it into index 0x2f of the after_obj array. As mentioned above, after_obj now partially overlaps with after_dbl2. The exploit then reads the pointer back from after_dbl. It is returned as a double, allowing the exploit to learn the numeric value of the object’s address.

• The fakeobj primitive: To inject an arbitrary pointer value, the exploit assigns it into after_dbl. In a way similar to the operation of addrof explained above, the data can then be read as a different type by reading it from a different (overlapping) array, in this case after_obj. By fetching it from after_obj, the exploit obtains a reference to a “fake” JavaScript object at the specified address.

From here, all that remains is to copy the shellcode to the leaked address of the wasm function and execute it.

After the shellcode is run, the page is idle and will be subject to garbage collection. This may cause a crash of the renderer process. To handle this, the exploit developers tried to smooth over corruptions as much as possible to prevent a crash:

Here is a demo video:

Conclusion

JIT vulnerabilities tend to be powerful, providing strong primitives and reliable exploitation methods. The inherent complexity of JIT compilation makes it very challenging for engine developers to correctly handle all corner cases, despite their impressive efforts. However, incorrect JIT behavior can impact security only if a technique is available to achieve an effect such as out-of-bounds memory access. This is one area where engine developers can focus by introducing additional hardening.

You can find me on Twitter at @hosselot and follow the team for the latest in exploit techniques and security patches.


CVE-2021-45105: Denial of Service via Uncontrolled Recursion in Log4j StrSubstitutor

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein of the Trend Micro Research Team details a Denial-of-Service (DoS) bug discovered in Apache Log4j. This vulnerability should not be considered a variant of the bug known as “Log4Shell” (CVE-2021-44228), although it does abuse a similar attack vector. They are similar in that this bug also abuses attacker-controlled lookups in logged data. However, in this case, non-JNDI lookups can be abused. The following is a portion of his write-up covering the root cause of CVE-2021-45105, with a few minimal modifications.


The Apache Log4j API supports variable substitution in lookups. However, a crafted variable can cause the application to crash due to uncontrolled recursive substitutions. An attacker with control over lookup commands (e.g., via the Thread Context Map) can craft a malicious lookup variable, which results in a Denial-of-Service (DoS) attack. This has been tested and confirmed on Log4j versions up to and including 2.16.0.

The Vulnerability

When a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute() method. However, when the nested variable references the variable being replaced, the recursion is invoked with the same string. This leads to infinite recursion and a DoS condition on the server. As an example, if the Pattern Layout contains a Context Lookup of ${ctx:apiversion}, and its assigned value is ${${ctx:apiversion}}, the variable will be recursively substituted with itself.

The Code Flow

The StrSubstitutor.substitute() method is called with the variable to be substituted:

The StrSubstitutor.substitute() method is called with the original variable lookup (i.e., ctx:apiversion):

In this call to StrSubstitutor.substitute(), a call to StrSubstitutor.checkCyclicSubstitution() is made:

Note that the method StrSubstitutor.checkCyclicSubstitution() attempts to detect cyclic substitutions of variables by maintaining a priorVariables list and comparing the current variable to the list:

Later, the variable is resolved to its value (i.e., ${${ctx:apiversion}}) and a recursive call to StrSubstitutor.substitute() is made:

Once again, we detect the variable in the value being parsed. However, the recursive call to StrSubstitutor.substitute() does not include the priorVariables list. Therefore, the StrSubstitutor.checkCyclicSubstitution() method will fail to detect the cyclic substitution and an infinite recursion will occur:

Note too that even if the cyclic substitution is caught by StrSubstitutor.checkCyclicSubstitution(), the exception thrown will only be caught by AppenderControl.tryCallAppender(), resulting in a failed write to the log:

Patch Analysis

In version 2.17.0, two classes were created that inherit from StrSubstitutor: ConfigurationStrSubstitutor, which only parses string substitutions in configuration parameters, and RuntimeStrSubstitutor, which parses strings that may contain user-provided input. With RuntimeStrSubstitutor, no recursive evaluation is allowed. This is enforced by the StrSubstitutor.substitute() method:

In addition, all recursive calls to StrSubstitutor.substitute() now carry the priorVariables list, allowing cyclic substitutions to be caught by the StrSubstitutor.isCyclicSubstitution() method:
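The code excerpts in this section were images in the original report. The block below is an added JavaScript model of the behaviour described in both the Code Flow and Patch Analysis sections; it is not Log4j's Java code, and the function names (substituteVulnerable, substituteFixed, substituteRuntime, lookup) and the tiny `${ctx:...}`-only grammar are this example's. It shows why a Thread Context value of ${${ctx:apiversion}} recurses without bound when the prior-variables list is dropped on the recursive call, how carrying priorVariables through every call turns that into a detected cyclic substitution, and how a substitutor that never re-evaluates resolved values (the 2.17.0 RuntimeStrSubstitutor behaviour) sidesteps the problem entirely.

```javascript
// Added example (not Log4j's code): a minimal model of recursive variable
// substitution, in three variants.

// Constructed Thread Context Map: the attacker controls apiversion through
// the X-Api-Version header, exactly as in the proof of concept below.
const threadContext = { apiversion: '${${ctx:apiversion}}' };

// Resolve a single `prefix:key` lookup; only the ctx prefix is modelled.
function lookup(varName) {
  const m = /^ctx:(.+)$/.exec(varName);
  return m && Object.prototype.hasOwnProperty.call(threadContext, m[1])
    ? threadContext[m[1]]
    : null;
}

// Locate the innermost ${...}: index of its '${' and of the matching '}'.
function findInnermostVar(s) {
  const end = s.indexOf('}');
  if (end < 0) return null;
  const start = s.lastIndexOf('${', end);
  return start < 0 ? null : { start, end };
}

class CyclicSubstitutionError extends Error {}

// Vulnerable flow (2.16.0 and earlier, as the write-up describes): the
// recursive call on the *resolved value* starts with an empty priorVariables
// list, so checkCyclicSubstitution never sees the variable already being
// expanded. maxDepth stands in for the JVM's StackOverflowError so that the
// model terminates; a real V8 stack overflow is also a RangeError.
function substituteVulnerable(s, priorVariables = [], depth = 0, maxDepth = 200) {
  if (depth > maxDepth) throw new RangeError('unbounded recursion');
  const v = findInnermostVar(s);
  if (!v) return s;
  const varName = s.slice(v.start + 2, v.end);
  if (priorVariables.includes(varName)) throw new CyclicSubstitutionError(varName);
  const value = lookup(varName);
  if (value === null) return s; // unresolved lookups are left as-is
  const replaced = s.slice(0, v.start) + value + s.slice(v.end + 1);
  // BUG: priorVariables is not carried into the recursive evaluation.
  return substituteVulnerable(replaced, [], depth + 1, maxDepth);
}

// Patched cycle check: every recursive call carries priorVariables extended
// with the variable currently being expanded, so the second visit of
// ctx:apiversion is reported as cyclic instead of recursing forever.
function substituteFixed(s, priorVariables = []) {
  const v = findInnermostVar(s);
  if (!v) return s;
  const varName = s.slice(v.start + 2, v.end);
  if (priorVariables.includes(varName)) throw new CyclicSubstitutionError(varName);
  const value = lookup(varName);
  if (value === null) return s;
  const replaced = s.slice(0, v.start) + value + s.slice(v.end + 1);
  return substituteFixed(replaced, [...priorVariables, varName]);
}

// RuntimeStrSubstitutor behaviour: a resolved value is inserted verbatim and
// never evaluated again. String.prototype.replace does not rescan replacement
// text, which is exactly the non-recursive semantics wanted here.
function substituteRuntime(s) {
  return s.replace(/\$\{([^${}]+)\}/g, (m, name) => {
    const value = lookup(name);
    return value === null ? m : value;
  });
}

// Run one variant over a pattern and report how it ended.
function classify(fn, pattern) {
  try {
    return { result: fn(pattern), outcome: 'ok' };
  } catch (e) {
    if (e instanceof CyclicSubstitutionError) return { outcome: 'cyclic' };
    if (e instanceof RangeError) return { outcome: 'overflow' };
    throw e;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const pattern = '%d api=${ctx:apiversion} %m';
  console.log(classify(substituteVulnerable, pattern).outcome); // overflow
  console.log(classify(substituteFixed, pattern).outcome);      // cyclic
  console.log(substituteRuntime(pattern));                      // value inserted once, unevaluated
}
```

Note that the "cyclic" outcome is still an exception: as the write-up says, in Log4j it propagates up to AppenderControl and the log write fails rather than the process. Only the no-recursion runtime behaviour removes attacker-driven evaluation altogether.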

Proof of Concept

For demonstration purposes, we created a typical vulnerable application named log4j-vulnerable-app.jar, compiled with log4j version 2.16.0. The application is configured with a custom Pattern Layout, which contains a Context Lookup (${ctx:apiversion}). The application implements an HTTP server and sets the received X-Api-Version header as the value of the apiversion variable in the Thread Context Map. Afterwards, it logs a message.

The vulnerable app can be run as follows on the target server:
          java -jar log4j-vulnerable-app.jar

The poc.py script can be run as follows:
          python poc.py client <host>

where <host> is the host running the vulnerable application.

Upon running the script, an HTTP request with the X-Api-Version header set to a value of ${${ctx:apiversion}} will be sent to the vulnerable application. When attempting to log the message, the vulnerable application will crash with the following stack trace:

Conclusion

 A patch for this bug was released by Apache on December 18, 2021. While Apache does list mitigating factors, we recommend upgrading to the latest version to ensure this vulnerability is completely addressed. This component has received quite a bit of attention this week, so it would not be a surprise to see further bugs disclosed – with or without a patch.

Special thanks to Guy Lederfein of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the ZDI team for the latest in exploit techniques and security patches.


The Top 5 Bugs Submitted in 2021

6 January 2022 at 17:04

As the new year begins, we thought it would be fun to look back at some of the best bugs submitted during 2021. We had another record-breaking year, with over 1,600 advisories published. In the end, we came up with the following submissions from 2021 that stood out from the pack. Without further ado and presented in no particular order, here are the Top 5 bug submissions for 2021.


Microsoft Exchange Server Remote Code Execution Vulnerability, a.k.a. ProxyShell

 “ProxyShell” is the name given to a devastating vulnerability in Microsoft Exchange Server, discovered by Orange Tsai of DEVCORE Research Team and used in his successful entry at the 2021 Pwn2Own contest. This critical vulnerability in Exchange Server garnered a great deal of attention in 2021, and for good reason. Actually a chain of three security flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), ProxyShell allows an unauthenticated attacker to execute arbitrary code in the context of SYSTEM on an Exchange server. As this is a pre-authentication vulnerability, there is no need for the attacker to start with any credentials to an Exchange account at the target organization. The chain does assume that the attacker knows or can guess a valid email address on the server, but this is a low bar indeed.

Compounding matters, it is frequently possible to conduct a ProxyShell attack from anywhere on the Internet, and not just from within the target organization’s network. The only requirement is that the attacker must be able to access the /autodiscover/autodiscover.json endpoint on the Exchange web server. Typical deployments make this endpoint available to the Internet.

Orange Tsai has graciously provided a wonderful write-up detailing his finding in a guest blog on the Zero Day Initiative website. His research into these and other Exchange vulnerabilities was also the subject of his 2021 presentations at Black Hat USA and DEF CON.

2021 has seen a major uptick in researcher interest in Microsoft Exchange Server as a target. This is definitely an area to watch in the future.

Microsoft SharePoint InfoPath List Deserialization of Untrusted Data Remote Code Execution Vulnerability

Besides Exchange Server, Microsoft SharePoint Server has also been an attractive target for vulnerability research recently. The Zero Day Initiative disclosed 10 SharePoint vulnerabilities in 2021. We’d like to highlight CVE-2021-27076, which was reported to us by an anonymous researcher. I was intrigued by the innovative method that this attack employs to expose a deserialization attack surface that normally is inaccessible. In short, the researcher discovered that by altering identifier values that are handled client-side within the browser, it is possible to cause an arbitrary upload to be fed into an incorrect context where it will be treated as trusted data. This lets any authenticated user (typically, any domain user) execute arbitrary code on the SharePoint server in the context of the web application. If you’re curious to learn more about this technique, I encourage you to read my full write-up, which can be found on the Zero Day Initiative website.

Microsoft Windows Lock Screen Improper Access Control Authentication Bypass Vulnerability

I love a good lock screen bypass, and CVE-2021-26431 by Abdelhamid Naceri (halov) doesn’t disappoint. This research builds upon a prior discovery by Jonas Lyk, who noted that the Narrator feature can sometimes be used to navigate and interact with UI elements that are improperly launched from the lock screen, though hidden from view. Exploiting CVE-2021-26431 involves attempting to log in to a PC using a Microsoft account. After providing an incorrect PIN, it’s possible to arrive at a dialog containing a hyperlink. Clicking the hyperlink launches an “Open With” dialog. Though this dialog is normally hidden from view, Jonas Lyk’s Narrator technique can then be used to interact with it. See Abdelhamid Naceri’s blog and his YouTube videos here and here to watch how he uses this to completely bypass the lock screen or to get a remote shell.

Don’t try this at home, though. From what we can tell, Microsoft has implemented a server-side fix, so that the HTML containing the vulnerable hyperlink is no longer delivered even on PCs that lack up-to-date patches.

Linux Kernel eBPF Improper Input Validation Privilege Escalation Vulnerability

eBPF (Extended Berkeley Packet Filter) is a technology used for the high-performance classification of streams of data packets. A common use case is user-mode software that needs to select a subset of incoming network data packets. To send all packets from kernel mode to user mode for evaluation is generally too expensive. eBPF provides an alternative: User-mode code sends a filter algorithm in the form of an eBPF bytecode program, which the kernel will compile and execute in the context of the kernel to evaluate each packet. The inherent security risks to this arrangement are unmistakable, though: the kernel’s eBPF compiler must be able to determine that the resulting compiled program is 100% free of memory safety issues, or else the security of the kernel will swiftly be compromised. There is little room for error. Furthermore, the competing needs for extreme optimization and perfect execution safety make the eBPF compiler a likely source of critical kernel vulnerabilities.

The bug we’d like to highlight is CVE-2021-31440, reported to the Zero Day Initiative by Manfred Paul in April of 2021 and fixed in this commit to the Linux kernel. The flaw is in the reasoning used by the eBPF compiler when tracking the upper and lower bounds of the value of the 32-bit subregister of a 64-bit wide register. In other words, when constructing a proof of the program’s memory safety, the compiler keeps track of the maximum and minimum values held in the program’s registers. Given knowledge of the bounds of a 64-bit register, the compiler sometimes needs to derive what the upper and lower bounds will be when the program uses just the register’s lower 32 bits.

The flaw is illustrated as follows: If the 64-bit register has a lower bound that is within the range of values that can be represented in 32 bits, then the compiler would reason that the lower bound of the 32-bit subregister is the same. For example, if it is known that the 64-bit register has a lower bound of 1, then the compiler would record that the lower bound of the 32-bit subregister is also 1. This is a mistake, though. The 64-bit register’s lower bound could be 1, but its value at runtime might be 0x100000000 (= 2^32). This value is greater than 1, so the 64-bit lower bound holds. But in this case, the 32-bit subregister contains a value of 0. This shows that it is not correct to conclude that the lower bound of the 32-bit subregister is also 1.

The correct calculation is as follows: If there is a 64-bit register and both its lower and upper bounds are within the range that can be represented in 32 bits, then both the lower and upper bounds can be applied to the 32-bit subregister as well. Otherwise, neither bound can be inferred.
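The two rules above, written out as an added example so the difference can be checked on concrete values. This is an illustration of the reasoning only, not the Linux kernel's code (the component that does this tracking is the eBPF verifier, which the text above calls the compiler); the function names buggy32Bounds, correct32Bounds and sampleViolates are this example's, and BigInt is used so the 64-bit arithmetic is exact.

```javascript
// Added example (not kernel code): deriving unsigned 32-bit subregister bounds
// from unsigned 64-bit register bounds, the flawed way and the correct way.

const U32_MAX = 0xffffffffn;
const U64_MAX = 0xffffffffffffffffn;

// Unsigned 64-bit bounds of a register, as { umin, umax } BigInts.
function mkBounds(umin, umax) {
  if (umin < 0n || umax > U64_MAX || umin > umax) throw new RangeError('bad bounds');
  return { umin, umax };
}

// Flawed inference: each 64-bit bound that fits in 32 bits is copied to the
// 32-bit subregister on its own, without looking at the other bound. A bound
// that does not fit is left at the unknown (full-range) value.
function buggy32Bounds({ umin, umax }) {
  return {
    umin: umin <= U32_MAX ? umin : 0n,
    umax: umax <= U32_MAX ? umax : U32_MAX,
  };
}

// Correct inference: both 64-bit bounds must fit in 32 bits for either to be
// transferred. Since umin <= umax, checking umax is enough; otherwise the low
// word can wrap and nothing can be inferred.
function correct32Bounds({ umin, umax }) {
  if (umax <= U32_MAX) return { umin, umax };
  return { umin: 0n, umax: U32_MAX };
}

function low32(v) {
  return v & U32_MAX;
}

// Given a runtime value v that honours the 64-bit bounds, does its low 32-bit
// word fall outside the derived 32-bit bounds? true means the derivation is
// unsound for that value, which is exactly what the verifier must never allow.
function sampleViolates(b64, b32, v) {
  if (v < b64.umin || v > b64.umax) throw new RangeError('v is outside the 64-bit bounds');
  const w = low32(v);
  return w < b32.umin || w > b32.umax;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed case from the text: lower bound 1, upper bound above 2^32.
  const b64 = mkBounds(1n, 0x1ffffffffn);
  console.log(buggy32Bounds(b64), correct32Bounds(b64));
  console.log(sampleViolates(b64, buggy32Bounds(b64), 0x100000000n));   // true: low word is 0, below the derived minimum of 1
  console.log(sampleViolates(b64, correct32Bounds(b64), 0x100000000n)); // false
}
```

Why this matters for exploitation: the verifier uses the derived 32-bit minimum to prove that a later subtraction or index computation cannot go negative or out of range. A value the verifier believes is at least 1 but is actually 0 lets a "proven safe" pointer arithmetic step land outside the object it was checked against.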

Failures in bounds checking within eBPF are typically catastrophic to kernel security, and this bug is no exception. An attacker can use this to escalate privileges from a low-privileged user account to code execution in the kernel.

Apple Safari Integer Overflow Remote Code Execution Vulnerability

Returning to Pwn2Own 2021, we have this Safari RCE by Jack Dates of RET2 Systems, Inc. (@ret2systems). Addressed by Apple as CVE-2021-30734, the bug is in WebKit’s implementation of WebAssembly. At the contest, it was paired with an out-of-bounds write in a driver (CVE-2021-30735) to get kernel-mode remote code execution.

WebKit handles WebAssembly via several tiers of execution. The first tier involves translating the WebAssembly to a bytecode format known as LLInt (Low-Level Interpreter). Following this translation, there are two additional tiers of JIT compilation. However, this vulnerability is in the LLIntGenerator tier, which is the conversion to LLInt bytecode.

As LLIntGenerator makes its pass through the code, it keeps track of the stack space required at each point by incrementing and decrementing a field named m_stackSize. Through the use of a clever combination of WebAssembly features, our Pwn2Own contestant succeeded in incrementing m_stackSize to its maximum value of UINT_MAX. After rounding, this produces a stack allocation zero bytes in size. Reads and writes based at this zero-length allocation give the WebAssembly script read/write access to copious amounts of adjacent memory.
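The arithmetic that turns a counter sitting at UINT_MAX into a zero-byte allocation, shown as an added C example (not WebKit’s code; the 16-byte alignment is an assumption), beside the checked variants a defender would want for a size counter:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked round-up of a 32-bit size to a multiple of 'align' (a power of
 * two).  With n == UINT32_MAX the addition wraps, and masking the wrapped
 * result yields 0: the zero-length allocation described in the text. */
uint32_t round_up_unchecked(uint32_t n, uint32_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Checked round-up: refuses instead of wrapping.  Returns false (and leaves
 * *out untouched) when n + align - 1 would exceed UINT32_MAX. */
bool round_up_checked(uint32_t n, uint32_t align, uint32_t *out)
{
    if (n > UINT32_MAX - (align - 1))
        return false;
    *out = (n + align - 1) & ~(align - 1);
    return true;
}

/* Checked increment for the running size counter itself, so it can never
 * reach a value the later rounding cannot handle. */
bool stack_size_add_checked(uint32_t current, uint32_t delta, uint32_t *out)
{
    if (current > UINT32_MAX - delta)
        return false;
    *out = current + delta;
    return true;
}

int main(void)
{
    uint32_t rounded = 0;
    printf("round_up_unchecked(UINT32_MAX, 16) = %u\n", round_up_unchecked(UINT32_MAX, 16));
    printf("round_up_checked(UINT32_MAX, 16) accepted? %s\n",
           round_up_checked(UINT32_MAX, 16, &rounded) ? "yes" : "no (would wrap)");
    printf("round_up_checked(100, 16) -> %s %u\n",
           round_up_checked(100, 16, &rounded) ? "ok" : "rejected", rounded);
    return 0;
}
```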

For a thorough write-up of the vulnerability and the techniques used in exploitation, see the researcher’s blog here.


Thanks for joining us as we recapped some of the best bugs submitted to the ZDI program this year. We appreciate all those who submitted to the program over this past year. We can’t do what we do without the input and work of our global community of independent researchers. The program has certainly changed and grown over the years, but our desire to work with independent security researchers from around the globe has never wavered. If you haven’t submitted to the program, we hope you consider doing so in the future.

Until then, you can follow the ZDI team on Twitter for the latest in exploit techniques and security patches.

The January 2022 Security Update Review

11 January 2022 at 18:24

The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for January 2022

For January, Adobe released 5 patches addressing 41 CVEs in Acrobat and Reader, Illustrator, Adobe Bridge, InCopy, and InDesign. A total of 22 of these bugs came through the ZDI program. The update for Acrobat and Reader fixes a total of 26 bugs, the worst of which could lead to remote code execution (RCE) if a user opened a specially crafted PDF. Several of these bugs were demonstrated at the Tianfu Cup, so it would not be unexpected to see these used in the wild somewhere down the line. The update for InCopy fixes three Critical-rated RCE bugs and one Important-rated privilege escalation. The patch for InDesign corrects two Critical-rated Out-of-bounds (OOB) Write bugs that could lead to code execution plus a Moderate Use-After-Free privilege escalation. The fix for Adobe Bridge covers six bugs, but only one OOB Write is listed as Critical. The others are a mix of privilege escalations and memory leaks. Finally, the patch for Illustrator covers two OOB Read bugs – neither of which can be used for code execution.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2022

For January, Microsoft released patches today for 96 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP). This is in addition to the 24 CVEs patched by Microsoft Edge (Chromium-based) earlier this month and 2 other CVEs previously fixed in open-source projects. This brings the January total to 122 CVEs.

This is an unusually large update for January. Over the last few years, the average number of patches released in January is about half this volume. We’ll see if this volume continues throughout the year. It’s certainly a change from the smaller releases that ended 2021.

Of the CVEs patched today, nine are rated Critical and 89 are rated Important in severity. A total of five of these bugs came through the ZDI program. Six of these bugs are listed as publicly known at the time of release, but none are listed as under active attack. Update: After the initial release, Microsoft updated CVE-2022-21882 to indicate it is currently under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug in http.sys listed as wormable:

-       CVE-2022-21907 - HTTP Protocol Stack Remote Code Execution Vulnerability
This bug could allow an attacker to gain code execution on an affected system by sending specially crafted packets to a system utilizing the HTTP Protocol Stack (http.sys) to process packets. No user interaction, no privileges required, and an elevated service add up to a wormable bug. And while this is definitely more server-centric, remember that Windows clients can also run http.sys, so client versions of Windows are affected by this bug as well as servers. Test and deploy this patch quickly.

-       CVE-2022-21846 - Microsoft Exchange Server Remote Code Execution Vulnerability
Yet another Exchange RCE bug, and another Exchange bug reported by the National Security Agency. This is one of three Exchange RCEs being fixed this month, but this is the only one marked Critical. All are listed as being network adjacent in the CVSS score, so an attacker would need to be tied to the target network somehow. Still, an insider or attacker with a foothold in the target network could use this bug to take over the Exchange server.

-       CVE-2022-21840 - Microsoft Office Remote Code Execution Vulnerability
Most Office-related RCE bugs are Important severity since they require user interaction and often have warning dialogs, too. However, this bug is listed as Critical. That normally means the Preview Pane is an attack vector, but that’s also not the case here. Instead, this bug is likely Critical due to the lack of warning dialogs when opening a specially crafted file. There are also multiple patches to address this bug, so be sure you apply all available patches. Unfortunately, if you’re running Office 2019 for Mac and Microsoft Office LTSC for Mac 2021, you’re out of luck because there are no patches available for these products. Let’s hope Microsoft makes these patches available soon.

-       CVE-2022-21857 - Active Directory Domain Services Elevation of Privilege Vulnerability
This patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust boundary under certain conditions. Although privilege escalations generally rate an Important severity rating, Microsoft deemed the flaw severe enough for a Critical rating. This does require some level of privileges, so again, an insider or other attacker with a foothold in a network could use this for lateral movement and maintaining a presence within an enterprise.

Here’s the full list of CVEs released by Microsoft for January 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2021-22947 * | Open Source Curl Remote Code Execution Vulnerability | Critical | N/A | Yes | No | RCE |
| CVE-2021-36976 * | Libarchive Remote Code Execution Vulnerability | Important | N/A | Yes | No | RCE |
| CVE-2022-21836 | Windows Certificate Spoofing Vulnerability | Important | 7.8 | Yes | No | Spoofing |
| CVE-2022-21839 | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | Important | 6.1 | Yes | No | DoS |
| CVE-2022-21874 | Windows Security Center API Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7 | Yes | No | EoP |
| CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2022-21912 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-21898 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-21917 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9 | No | No | RCE |
| CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-21833 | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | EoP |
| CVE-2022-21911 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21869 | Clipboard User Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21865 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21918 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-21913 | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | Important | 5.3 | No | No | SFB |
| CVE-2022-21884 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21910 | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21835 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21871 | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21891 | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2022-21932 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important | 7.6 | No | No | XSS |
| CVE-2022-21970 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.1 | No | No | EoP |
| CVE-2022-21841 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9 | No | No | RCE |
| CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9 | No | No | RCE |
| CVE-2022-21837 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.3 | No | No | RCE |
| CVE-2022-21842 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21850 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-21851 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-21964 | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-21893 | Remote Desktop Protocol Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-21922 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-21894 | Secure Boot Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2022-21877 | Storage Spaces Controller Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-21870 | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21861 | Task Flow Data Engine Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21873 | Tile Data Repository Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21882 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21887 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21876 | Win32k Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-21859 | Windows Accounts Control Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21860 | Windows AppContracts API Server Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21862 | Windows Application Model Core API Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21925 | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB |
| CVE-2022-21858 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21838 | Windows Cleanup Manager Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP |
| CVE-2022-21916 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21897 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21906 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
| CVE-2022-21921 | Windows Defender Credential Guard Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2022-21868 | Windows Devices Human Interface Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21852 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21902 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21896 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21872 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21899 | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | Important | 5.5 | No | No | SFB |
| CVE-2022-21903 | Windows GDI Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21904 | Windows GDI Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2022-21915 | Windows GDI+ Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2022-21880 | Windows GDI+ Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2022-21878 | Windows Geolocation Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21847 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-21901 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 9 | No | No | EoP |
| CVE-2022-21900 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | 4.6 | No | No | SFB |
| CVE-2022-21905 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | 4.6 | No | No | SFB |
| CVE-2022-21843 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21883 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21848 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21889 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21890 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-21849 | Windows IKE Extension Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2022-21908 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21920 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2022-21879 | Windows Kernel Elevation of Privilege Vulnerability | Important | 5.5 | No | No | EoP |
| CVE-2022-21881 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21888 | Windows Modern Execution Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21867 | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21885 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21914 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21892 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2022-21958 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2022-21959 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2022-21960 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2022-21961 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2022-21962 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2022-21963 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.4 | No | No | RCE |
| CVE-2022-21928 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.3 | No | No | RCE |
| CVE-2022-21863 | Windows StateRepository API Server file Elevation of Privilege Vulnerability | Important | 7 | No | No | RCE |
| CVE-2022-21875 | Windows Storage Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21866 | Windows System Launcher Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21864 | Windows UI Immersive Server API Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21895 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21834 | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-21924 | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB |
| CVE-2022-0096 * | Chromium: CVE-2022-0096 Use after free in Storage | Critical | N/A | No | No | |
| CVE-2022-0097 * | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | High | N/A | No | No | |
| CVE-2022-0098 * | Chromium: CVE-2022-0098 Use after free in Screen Capture | High | N/A | No | No | |
| CVE-2022-0099 * | Chromium: CVE-2022-0099 Use after free in Sign-in | High | N/A | No | No | |
| CVE-2022-0100 * | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | High | N/A | No | No | |
| CVE-2022-0101 * | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | High | N/A | No | No | |
| CVE-2022-0102 * | Chromium: CVE-2022-0102 Type Confusion in V8 | High | N/A | No | No | |
| CVE-2022-0103 * | Chromium: CVE-2022-0103 Use after free in SwiftShader | High | N/A | No | No | |
| CVE-2022-0104 * | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | High | N/A | No | No | |
| CVE-2022-0105 * | Chromium: CVE-2022-0105 Use after free in PDF | High | N/A | No | No | |
| CVE-2022-0106 * | Chromium: CVE-2022-0106 Use after free in Autofill | High | N/A | No | No | |
| CVE-2022-0107 * | Chromium: CVE-2022-0107 Use after free in File Manager API | Medium | N/A | No | No | |
| CVE-2022-0108 * | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | Medium | N/A | No | No | |
| CVE-2022-0109 * | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | Medium | N/A | No | No | |
| CVE-2022-0110 * | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | Medium | N/A | No | No | |
| CVE-2022-0111 * | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | Medium | N/A | No | No | |
| CVE-2022-0112 * | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | Medium | N/A | No | No | |
| CVE-2022-0113 * | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | Medium | N/A | No | No | |
| CVE-2022-0114 * | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | Medium | N/A | No | No | |
| CVE-2022-0115 * | Chromium: CVE-2022-0115 Uninitialized Use in File API | Medium | N/A | No | No | |
| CVE-2022-0116 * | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | Medium | N/A | No | No | |
| CVE-2022-0117 * | Chromium: CVE-2022-0117 Policy bypass in Service Workers | Low | N/A | No | No | |
| CVE-2022-0118 * | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | Low | N/A | No | No | |
| CVE-2022-0120 * | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | Low | N/A | No | No | |

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the remaining Critical-rated patches released this month, two impact DirectX, and one affects HEVC video extensions. Viewing a specially crafted media file could result in code execution. For the HEVC extensions, you’ll need to be connected to the Microsoft Store to receive the update. Otherwise, you’ll need to manually verify the update has been applied. There’s a fix for the Virtual Machine IDE Drive that could allow a privilege escalation, but the complexity is marked high on this bug. Seeing this bug in the wild would likely take quite a bit of work. There’s a patch for the Windows Security Center API. Microsoft doesn’t say how the code execution could occur, and although the title says remote code execution, they list the attack vector as local. The final Critical-rated bug for January was actually disclosed by HackerOne back in September 2021. This patch incorporates the latest Curl libraries into Microsoft products, which is why this CVE is listed as publicly known. Similarly, the patch for the Libarchive library was also disclosed in 2021, and the latest version of this library is now being incorporated into Microsoft products.

Moving on to Important-rated patches, there are over 20 that could lead to remote code execution. Eight of these bugs impact the Windows Resilient File System (ReFS), but these require physical access. Microsoft doesn’t always patch bugs that require physical access, but getting code execution by just inserting a USB drive is an exception to that rule. There’s also a patch for the Windows Internet Key Exchange (IKE) protocol extension that rates a CVSS of 9.8. According to Microsoft, this bug could allow a remote attacker to “trigger multiple vulnerabilities without being authenticated,” but they don’t specify what vulnerabilities or provide further details. Only systems with the IPSec service running are affected by this bug.

There are some code execution bugs in RDP, but these impact the RDP client. The RDP protocol bug likewise requires a user to connect to a malicious RDP server. Fortunately, these aren’t as severe as the previously patched BlueKeep RDP bugs. There are a couple of code execution bugs in Office components and the aforementioned Important-rated Exchange bugs. There is an Edge (Chromium) bug getting fixed, and this is separate from the Chromium fixes integrated earlier this month.

There are a whopping 41 patches to correct Elevation of Privilege (EoP) bugs; however, most of these require an attacker to log on to an affected system and run a specially crafted program. Many different Windows components have these EoP bugs, most notably the kernel and kernel-mode drivers. The EoP fixed in Hyper-V is different. In this case, an attacker on a guest OS could potentially interact with processes of another Hyper-V guest hosted on the same Hyper-V host. While not a full guest-to-host escape, that could still be very useful to an adversary.

Moving on to the nine Security Feature Bypass (SFB) patches, some impacted components stand out. Unfortunately, Microsoft provides no information on what feature is being bypassed or how that impacts the security of an enterprise. We can say some important components, like Local Security Authority, Secure Boot Feature, Windows Defender, and Workstation Service all receive updates. The only exception is the two SFB bugs in Hyper-V. For configurations using router guard, packets that normally would be dropped could get processed. This could allow an attacker to bypass set policy and potentially influence router paths.

There are also nine patches fixing Denial-of-Service (DoS) bugs this month. Most of these bugs are found in the Windows IKE Extension, but only systems with the IPSec service running are affected by these bugs.

This month’s release includes six fixes for information disclosure bugs. Most of these only result in leaks consisting of unspecified memory contents. However, the bug in the Remote Desktop Licensing Diagnoser could allow an attacker to recover cleartext passwords from memory.

The January release is rounded out with two spoofing bugs in the Windows Certificate component and Microsoft Dynamics 365 and a cross-site scripting (XSS) bug in the Dynamics 365 Customer Engagement component. The bug in the Windows Certificate component could allow an attacker to bypass Windows Platform Binary Table (WPBT) binary verification by using a small number of compromised certificates. This is also listed as publicly known, but Microsoft gives no indication where it was publicly posted.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Pwn2Own Vancouver Returns for the 15th Anniversary of the Contest

12 January 2022 at 13:59

Starting in 2007, Pwn2Own has grown from a small, browser-focused event to become one of the most well-known security contests in the industry. Back then, a successful exploit earned a MacBook and $10,000 for the winner. This past year, the ZDI awarded over $2.5 million at Pwn2Own competitions around the world (plus a whole bunch of hardware). 2022 marks the 15th anniversary of the contest, and we’ve set out to make it the best competition ever.

To start, we’ll return in person to the Sheraton Wall Center in Vancouver for the CanSecWest conference on May 18-20, 2022. We’ll still allow remote participation in this hybrid event. If you have either travel restrictions or travel safety concerns, you can opt to compete remotely. You will still need to register before the contest registration deadline (May 12, 2022) and submit a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry. A member of the ZDI staff in Vancouver will run your exploit for you.

Next, Tesla returns as a partner, but driving off with a new car will be more of a challenge this year. We’ll have both a Tesla Model 3 and a Tesla Model S available as targets. Of course, with a greater challenge comes a greater reward, with the top prize going for $600,000 (plus the car itself). Other partners this year include Zoom and Microsoft. In last year’s event, Zoom and Teams exploits were highlights, and both return as targets in the Enterprise Communications category. Of course, virtualization exploits are always a contest highlight, and VMware returns as a sponsor with VMware Workstation and ESXi returning as targets.

In addition to the in-person attempts at the conference, we’ll be live-streaming select attempts on Twitch, YouTube, and more. Contestants will be able to participate in almost all categories remotely, but we hope many will join us in Vancouver to demonstrate their exploits. All told, more than $1,000,000 USD in cash and prizes are available to contestants, including the Tesla Model 3, in the following categories:

-- Virtualization Category
-- Web Browser Category
-- Enterprise Applications Category
-- Server Category
-- Local Escalation of Privilege Category
-- Enterprise Communications Category
-- Automotive Category

Of course, no Pwn2Own competition would be complete without us crowning a Master of Pwn. Since the order of the contest is decided by a random draw, contestants with an unlucky draw could still demonstrate fantastic research but receive less money since subsequent rounds go down in value. However, the points awarded for each successful entry do not go down. Someone could have a bad draw and still accumulate the most points. The person or team with the most points at the end of the contest will be crowned Master of Pwn, receive 65,000 ZDI reward points (instant Platinum status), a killer trophy, and a pretty snazzy jacket to boot.

Let's take a look at the details of the rules for this year's contest.

Virtualization Category

We’re happy to have VMware returning as a Pwn2Own sponsor for 2022, and this year we’ll again have VMware ESXi alongside VMware Workstation as targets, with awards of $150,000 and $75,000 respectively. VMware has been a sponsor of Pwn2Own for several years, and we’ve seen some great research presented at the contest in years past. Microsoft also returns as a target for 2022 and leads the virtualization category with a $250,000 award for a successful Hyper-V Client guest-to-host escalation. Oracle VirtualBox rounds out this category with a prize of $40,000. We’ve seen some amazing guest-to-host OS escalations demonstrated at previous Pwn2Own contests. Here’s hoping we see more this year.

There’s an add-on bonus in this category as well. If a contestant can escape the guest OS, then escalate privileges on the host OS through a Windows kernel vulnerability (excluding VMware ESXi), they can earn an additional $50,000 and 5 more Master of Pwn points. That could push the payout on a Hyper-V bug to $300,000. Here’s a detailed look at the targets and available payouts in the Virtualization category:

Web Browser Category

While browsers are the “traditional” Pwn2Own target, we’re continuously tweaking the targets in this category to ensure they remain relevant. For this year’s event, a successful demonstration no longer requires a sandbox escape. Renderer-only exploits will earn $50,000, but if you have that Windows kernel privilege escalation or sandbox escape, that will earn you up to $100,000 or $150,000 respectively. If your exploit works on both Chrome and Edge, it will qualify for the “Double Tap” add-on of $25,000. The Windows-based targets will be running in a VMware Workstation virtual machine. Consequently, all browsers (except Safari) are eligible for a VMware escape add-on. If a contestant can compromise the browser in such a way that also executes code on the host operating system by escaping the VMware Workstation virtual machine, they will earn themselves an additional $75,000 and 8 more Master of Pwn points. Here’s a detailed look at the targets and available payouts:

Enterprise Applications Category

Enterprise applications also return as targets with Adobe Reader and various Office components on the target list once again. Prizes in this category run from $50,000 for a Reader exploit with a sandbox escape or a Reader exploit with a Windows kernel privilege escalation to $100,000 for an Office 365 application. Word, Excel, and PowerPoint are all valid targets. Microsoft Office-based targets will have Protected View enabled. Adobe Reader will have Protected Mode enabled. Here’s a detailed view of the targets and payouts in the Enterprise Application category:

Server Category

Last year, we expanded the Server category by adding Microsoft Exchange and SharePoint. Consequently, we saw some amazing Exchange exploits demonstrated – including ProxyShell. Both targets return for this year’s contest with SharePoint garnering a larger payout. We’ve also added Samba to this year’s event, and we’re excited to see what research may be demonstrated. This category is rounded out by Microsoft Windows RDP/RDS, which also has a payout of $200,000. Here’s a detailed look at the targets and payouts in the Server category:

Local Escalation of Privilege Category

This category is a classic for Pwn2Own and focuses on attacks that originate from a standard user and result in executing code as a high-privileged user. A successful entry in this category must leverage a kernel vulnerability to escalate privileges. Ubuntu Desktop and Microsoft Windows 11 are the two OSes available as targets in this category.

Enterprise Communications Category

We introduced this category last year to reflect the importance of these tools in our modern, remote workforce, and we were thrilled to see both targets compromised during the contest. We’re also excited to have Zoom return as a partner for this year’s Pwn2Own event. A successful attempt in this category must compromise the target application by communicating with the contestant. Example communication requests could be audio calls, video conferences, or messages. Both Zoom and Microsoft Teams have a $150,000 award available, so we’re hoping to see more great research in this category.

Automotive Category

We introduced the Automotive category in 2019, and we are excited to have Tesla return as a partner for 2022. We awarded a Tesla Model 3 in that first contest, but we wanted to raise the level of complexity for this year’s event. Tesla vehicles are equipped with multiple layers of security, and for this year’s event, there are three different tiers of awards within the Automotive category that correspond to some of the different layers of security within a Tesla car, with additional prize options available in certain instances. Contestants can register an entry against either a Tesla Model 3 (Intel or Ryzen-based) or the Tesla Model S (Ryzen-based).

Tier 1 earns the top prizes and represents a complete vehicle compromise. Correspondingly, this also has the highest award amounts. To win this level, a contestant will need to pivot through multiple systems in the car, meaning they will need a complex exploit chain to get arbitrary code execution on three different sub-systems in the vehicle. Success here gets a big payout and, of course, a brand-new Tesla.

In addition to the vehicle itself and $500,000, contestants can go for the additional options to raise the payout to $600,000. This represents the single largest target in Pwn2Own history. If someone can do this, it would also mean 60 total Master of Pwn points, which is nearly insurmountable. Here’s some additional info on the optional add-ons that are included in the various tier levels.

Again, it’s difficult to express the complexity of completing such a demonstration, but we’re certainly hopeful that someone can show off their exploit skills and drive off a winner.

The second tier in this category is not quite as complex but still requires the attacker to pivot through some of the vehicle’s sub-systems. This level requires the contestant to get arbitrary code execution on two different sub-systems in the vehicle, which is certainly a difficult challenge. If you include the optional targets, the largest single payout for Tier 2 would be $400,000. A winning entry in Tier 2 would still be an impressive and exciting demonstration and includes driving off with the Tesla. Tier 2 also includes some of the above add-ons, as detailed below:

The targets in Tier 3 could prove to be just as difficult, but you only need to compromise one sub-system for a win here, which is still no easy task. Not every instance within Tier 3 includes winning the car. This year also introduces the Diagnostic Ethernet as a vector of attack. Some of the Tier 3 targets have add-ons available, but to drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below:

Conclusion

The complete rules for Pwn2Own 2022 are found here. As always, we encourage entrants to read the rules thoroughly if they choose to participate. If you are thinking about participating but have a specific configuration or rule-related questions, email us. Questions asked over Twitter or other means will not be answered. Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at [email protected] to begin the registration process. Registration closes at 5 p.m. Pacific Time on May 12, 2022.

Be sure to stay tuned to this blog and follow us on Twitter for the latest information and updates about the contest. We look forward to seeing everyone wherever they may be, and we hope someone has a sweet ride home from this year’s Pwn2Own competition.

 

With special thanks to our Pwn2Own 2022 Partners Tesla, Zoom, and Microsoft.

Thanks also to our Pwn2Own 2022 Sponsor

CVE-2022-21661: Exposing Database Info via WordPress SQL Injection

18 January 2022 at 18:15

In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 (ZDI-22-020). This blog covers the root cause of the bug and looks at how the WordPress team chose to address it. First, here’s a quick video demonstrating the vulnerability:

The Vulnerability

The vulnerability occurs in the WordPress Query (WP_Query) class. The WP_Query object is used to perform custom queries to the WordPress database. This object is used by plugins and themes to create their custom display of posts. 

The vulnerability occurs when a plugin uses the vulnerable class. One such plugin is Elementor Custom Skin. For this post, we tested the vulnerability against WordPress version 5.8.1 and Elementor Custom Skin plugin version 3.1.3.

In this plugin, the vulnerable WP_Query class is utilized in the get_document_data method of ajax-pagination.php:

Figure 1 - wordpress/wp-content/plugins/ele-custom-skin/includes/ajax-pagination.php

The get_document_data method is invoked when a request is sent to wp-admin/admin-ajax.php and the action parameter is ecsload.  

Figure 2 - wordpress/wp-admin/admin-ajax.php

The admin-ajax.php page checks whether the request was made by an authenticated user. If the request came from a non-authenticated user, admin-ajax.php calls a non-authenticated Ajax action. Here, the request is sent without authentication so that the non-authenticated Ajax action is called, which is wp_ajax_nopriv_ecsload.

Searching for the string “wp_ajax_nopriv_ecsload” shows that it is a hook name present in the ajax-pagination.php page:

Figure 3 - wordpress/wp-content/plugins/ele-custom-skin/includes/ajax-pagination.php

The wp_ajax_nopriv_ecsload hook name refers to the get_document_data callback function. This means that the do_action method calls the get_document_data method.

The get_document_data method creates a WP_Query object. The initialization of the WP_Query object calls the following get_posts method:

Figure 4 - wordpress/wp-includes/class-wp-query.php

The get_posts method first parses the user-supplied parameters. Next, it calls the get_sql method which eventually calls get_sql_for_clause to create clauses of the SQL statement from the user-supplied data. get_sql_for_clause calls clean_query to validate the user-supplied string. However, the method fails to validate the terms parameter if the taxonomy parameter is empty and the value of the field parameter is the string “term_taxonomy_id”. The value of the terms parameter is later used in the SQL statement.

Figure 5 - wordpress/wp-includes/class-wp-tax-query.php

Note that the sql string returned by get_sql() is built from the strings returned by the WP_Tax_Query->get_sql() method and is appended to the SQL SELECT statement. Later, in the get_posts method, this query is executed by the $wpdb->get_col() method, which is where the SQL injection occurs.

This vulnerability can be exploited to read the WordPress database:

Figure 6 - PoC output

The Patch

The patch to address CVE-2022-21661 adds some additional checks to the terms parameter to help prevent further SQL injections from occurring.

Figure 7 - The clean_query method of wordpress/wp-includes/class-wp-tax-query.php

Conclusion

Active attacks on WordPress sites often focus on optional plugins rather than the core of WordPress itself. That was the case earlier this year when a bug in the Fancy Product Designer plugin was reported as being under active attack. Similarly, a file upload vulnerability in the Contact Form 7 plugin was also detected as being exploited by Trend Micro sensors. In this case, the bug is exposed through plugins, but exists within WordPress itself. While this is a matter of information disclosure rather than code execution, the data exposed could prove valuable for attackers. It would not surprise us to see this bug in active attacks in the near future. We recommend applying the patch or taking other remedial action as soon as possible. Special thanks to ngocnb and khuyenn from GiaoHangTietKiem JSC for reporting this to the ZDI. You can read their analysis of the bug here.

Looking Back at the Zero Day Initiative in 2021

20 January 2022 at 17:43

Now that we’re almost through the first month of 2022, it’s a good opportunity for us to take a look back at 2021 and the accomplishments of the Zero Day Initiative throughout the year. The past year certainly had its challenges, but we also celebrated some unique achievements in our busiest year ever. In addition to publishing the highest number of advisories in the history of the program, we hit our first million-dollar Pwn2Own in April. And as if that weren’t enough, we did it again in the fall as Pwn2Own Austin also exceeded the $1,000,000 threshold.

To say these were superlative events is an understatement. In the spring edition, we saw multiple Exchange exploits demonstrated, including ProxyShell. We saw 0-click remote code execution demonstrated on Zoom messenger and a 1-click code execution on Microsoft Teams. That’s on top of the Chrome, Edge, and Safari web browsers all getting compromised, too. The fall event had its own highlights, with the Samsung Galaxy, multiple routers, NAS devices, and printers being exploited. Watching a printer rock out some AC/DC after an exploit was just a bonus.

Of course, that should not detract from the great submissions we received throughout the year. We’ve already listed our Top 5 bugs from 2021, but that barely scratches the surface of the tremendous research disclosed to ZDI this past year. And while we are always impressed with the quality of research submitted to the program, ZDI’s own researchers stepped up this year and account for 31% of all published advisories. Still, we’re super thankful for our global community of independent researchers, and we congratulate the 25 researchers who achieved reward levels in 2021. We had six people reach Platinum status, two reach Gold, four reach Silver, and 13 reach Bronze. The work and submissions from our community of independent researchers are key to our success, and we thank all of them for their continued trust in our program.

Our program also wouldn’t work without vendors generating and releasing fixes for the vulnerabilities we report to them. The ZDI would not be able to sustain this level of advisories – and thus, better protections for Trend Micro customers – without the contributions of researchers and vendors, and we thank them for all they do.

Let’s take a look at some of the more interesting stats from 2021.

By the Numbers

In 2021, the ZDI published 1,604 advisories – the most ever in the history of the program. This is the second year in a row in which we eclipsed our previous all-time total. While it’s unlikely we’ll keep up a record-breaking pace for a third year in a row, it does speak to the overall health of the program. Here’s how that number of advisories stacks up year-over-year.

Figure 1 - Published Advisories Year-Over-Year

Coordinated disclosure of vulnerabilities continues to be a successful venture. While 2020 saw our largest percentage of 0-day disclosures, the number declined in 2021 to be in line with our “average” number of disclosures from previous years. The 137 0-day disclosures this past year represent 8.5% of our total disclosures – down from 18.6% the year before. This is a positive trend, and we hope it continues moving forward.

Figure 2 - 0-day Disclosures Since 2005

Here’s a breakdown of advisories by vendor. The top vendors here should not be surprising, although it is interesting to see Siemens in the top 5. We purchase quite a few ICS-related bugs throughout the year, and our Pwn2Own Miami competition focuses solely on ICS and SCADA-related bugs. In all, we disclosed 586 ICS-related bugs in 2021 – roughly 36.5% of the total number of advisories published by ZDI. As far as enterprise software goes, it’s no surprise at all to see Microsoft on top of the list again this year. In fact, 19.6% of all bugs addressed by Microsoft in 2021 came through the ZDI program, and we remain a significant source of bugs reported to Adobe, Apple, and others.

Figure 3 - Advisories per vendor for 2021

We’re always looking to acquire impactful bugs and, looking at the CVSS scores for the advisories we published in 2021, we did just that. A total of 74% of these vulnerabilities were rated Critical or High severity.

Figure 4 - CVSS 3.0 Scores for Published Advisories in 2021

Here’s how that compares year-over-year going back to 2015:

Figure 5 - CVSS Scores from 2015 through 2021

As you can see, after 2018 we made a conscious effort to ensure we were acquiring vulnerabilities that have the greatest impact on our customers. We’ll continue to do that in the coming year as well. We continually work with Trend Micro customers to determine which products they have deployed in their enterprise. That helps us shape our purchasing and research directions.

When it comes to the types of bugs we’re buying, here’s a look at the top 10 Common Weakness Enumerations (CWEs) from 2021:

Figure 6 - Top 10 CWEs from 2021 Published Advisories

It’s no surprise to see two CWEs related to out-of-bounds accesses at the top of the list, nor is it surprising to see this followed by use-after-free (UAF) bugs and heap-based buffer overflow issues. In fact, the top seven CWEs are all related to memory corruption somehow. A total of 72% of the advisories we published in 2021 were related to memory corruption bugs. Clearly, we as an industry still have work to do in this area.

Looking Ahead

Moving into the new year, we anticipate staying just as busy. We currently have more than 600 bugs reported to vendors awaiting disclosure. We have Pwn2Own Miami and Pwn2Own Vancouver just on the horizon – and both will (fingers crossed) have participation on location. This year will be the 15th anniversary of Pwn2Own in Vancouver, and we’re planning some very special treats as a way to celebrate. Don’t worry if you can’t come to the contests themselves, as we’ll be streaming the events on YouTube and Twitch as they occur. If you ever wanted to attend Pwn2Own but couldn’t, you have a chance to watch them online.

In the coming year, we’re also looking to expand our program by acquiring bugs with an even bigger impact on our customers and the global community. Expect to see us purchasing more bugs in cloud-native applications, the Linux operating system, and anything else that poses a significant threat to our customers’ networks and resources. We look forward to refining our outreach and acquisition efforts by further aligning with the risks our customers are facing to ensure the bugs we squash have the biggest impact on our customers and the broader ecosystem.

In other words, 2022 is shaping up to be another exciting year with impactful research, great contests, and real information you can use. We hope you come along for the ride. Until then, be well, stay tuned to this blog, subscribe to our YouTube channel, and follow us on Twitter for the latest updates from the ZDI. 

CVE-2021-44790: Code Execution on Apache via an Integer Underflow

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Dusan Stevanovic of the Trend Micro Research Team detail a recent code execution vulnerability in the Apache webserver. The bug was originally discovered and reported by the researcher named Chamal. A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser, which could lead to code execution in the security context of the server process. The following is a portion of their write-up covering CVE-2021-44790, with a few minimal modifications.

An integer underflow vulnerability has been reported in the mod_lua module of Apache httpd. The vulnerability is due to improper validation of the request body in the module's multipart parser, called via the r:parsebody() function in Lua scripts. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation could lead to remote code execution under the security context of the server process, while an unsuccessful attack could lead to a denial-of-service condition.

The Vulnerability

The Apache HTTP server is the most popular webserver used on the Internet. The server is capable of being utilized with many different options and configurations. A wide variety of runtime loadable plug-in modules can be used to extend its functionality.

One of the official plug-in modules is the mod_lua module. As with all other modules, it can be compiled as a separate shared library with a “.so” extension. The purpose of this module is to allow the extension of the HTTP server with scripts written in the Lua programming language. If this module is loaded in the HTTP server configuration file, the lua-script handler can be set for files ending in “.lua”. The following demonstrates such a sample configuration:

HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. An HTTP request consists of a request line, various headers, an empty line, and an optional message body:

where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF) and SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI, or in the message-body, depending on the Method used and Content-Type header. For example, a simple HTTP request passing a parameter named “param” with value “1”, using the GET method might look like this:

A similar request using the POST method might look like:

If there is more than one parameter/value pair, they are encoded as &-delimited name=value pairs:

        var1=value1&var2=value2&var3=value3...

The data in the Body of HTTP POST requests can be encoded using various standardized or proprietary methods. One of the standardized methods is multipart/form-data, defined in RFC 2388. Multipart/form-data is made up of multiple parts, each of which contains a Content-Disposition header. Each part is separated by a string of characters. The string of characters separating the parts is defined by the boundary keyword found on the Content-Type header line. The Content-Type must also be set to multipart/form-data. The Content-Disposition header contains a name parameter describing the form element being returned. Additional header lines may be present in each part; each line is separated by a new line sequence. The header is terminated by two consecutive new lines. The form element's data follows. The filename parameter provides a suggested filename to be used if the entity is detached and stored in a separate file.

One of the built-in functions supported by the mod_lua module is r:parsebody(). This function allows Lua scripts to parse the body of HTTP POST requests sent to the server. The function returns two Lua tables containing the parameter names and values parsed from the body. This function also supports HTTP POST requests encoded using the multipart/form-data content type.

An integer underflow vulnerability exists in the Apache HTTP server. When the mod_lua module is enabled and the r:parsebody() function is called from within a Lua script parsed by the server, the function req_parsebody() is called. This function checks if the HTTP POST request received by the server contains a Content-Type header beginning with the string "multipart/form-data; boundary=", indicating that the request body is encoded using the multipart/form-data content type. If found, the function searches for the boundary string defined in the Content-Type header, saved to the multipart variable. After each match of the multipart string, the function searches for the first occurrence of two consecutive CRLF sequences, stored to the CRLF variable. If this match is found, the function searches in the following content for another occurrence of the multipart variable, stored to the end variable, indicating the end of the form element's data.

Later, the size of the form element's data is calculated by taking the end variable, subtracting the CRLF variable, then subtracting 8 (representing the two CRLF sequences before the element's data, and the CRLF and "--" characters at the end of the element's data). However, if the form element is not properly formatted, such that the end boundary string appears within less than 8 characters after the beginning of the two CRLF sequences, this subtraction would result in a negative number. The result of the subtraction is stored in a variable named vlen of type size_t. Therefore, if the subtraction results in a negative number, it will be converted into a large positive number before being stored in the vlen variable, resulting in an integer underflow. Specifically, if the subtraction results in -1, the vlen variable will contain the maximum size of size_t. Later, a buffer named buffer is allocated on the heap with a size of vlen+1. In the case described, this will result in an integer overflow, resulting in the allocation of a buffer of size 0. Later, the memcpy() function is called to copy the element's data into the buffer variable, with a size of vlen, resulting in a buffer overflow.

A remote, unauthenticated attacker could exploit this vulnerability by sending an HTTP POST request with a crafted body, encoded using the multipart/form-data content type, to the target server. Successful exploitation could lead to remote code execution under the security context of the server process, while an unsuccessful attack could lead to a denial-of-service condition.

Detection of Generic Attacks

The detection device must inspect all HTTP POST requests to URLs resolving to Lua scripts hosted on the Apache server. The detection device must then inspect the Content-Type header and check if it is set to “multipart/form-data”. If found, the detection device must inspect all instances of the boundary string from the Content-Type header in the HTTP body. For each instance of the boundary string found, the detection device must search for the first instance of two consecutive CRLF sequences following the found boundary. If found, the detection device must search for the next instance of the boundary string. If found, the detection device must calculate the number of characters between the beginning of the two consecutive CRLF sequences and the following boundary string. If the number of characters is less than 8, the traffic should be considered malicious; an attack exploiting this vulnerability is likely underway.

A sample malicious request, with 7 characters between the beginning of the two consecutive CRLF sequences and the end boundary string, follows:

Note that the string matching must be performed in a case-sensitive manner.
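The size arithmetic described above and the detection rule that follows from it, shown together as an added example that is not part of this write-up or of httpd's source code. It is a simplified C model: gap (my own name; the write-up speaks of the crlf and end pointers) is the distance from the start of the CRLFCRLF to the next match of the boundary string, so the form element's data length is gap - 8, and the same distance is what the detection logic compares against 8. The two request bodies are constructed samples, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not httpd's code: a simplified model of the length
 * arithmetic in mod_lua's multipart parser and of the traffic check
 * described under "Detection of Generic Attacks".
 *
 * Frame of one form element, with `gap` measured from the start of the
 * CRLFCRLF to the next occurrence of the boundary string:
 *
 *   CRLF CRLF <data> CRLF -- <boundary>
 *   \__________ gap __________/
 *
 * so the element's data length is gap - 8 (4 + 2 + 2 framing bytes). */

/* Vulnerable arithmetic: the subtraction is done in size_t, so a gap
 * smaller than 8 wraps (gap == 7 gives SIZE_MAX, and the vlen + 1 used
 * for the allocation size then wraps to 0). */
static size_t vulnerable_vlen(size_t gap)
{
    return gap - 8;
}

/* Hardened arithmetic: reject a malformed element before subtracting.
 * Returns the data length, or -1 for an element with fewer than 8 framing
 * bytes. gap comes from pointer differences inside one body, so it fits. */
static long checked_vlen(size_t gap)
{
    if (gap < 8)
        return -1;
    return (long)(gap - 8);
}

/* Result of scanning one request body with the detection logic. */
typedef struct {
    int    parts;       /* elements framed by boundary / CRLFCRLF / boundary */
    int    suspicious;  /* elements whose gap is < 8: would underflow in the parser */
    size_t min_gap;     /* smallest gap seen, SIZE_MAX if no element was framed */
} scan_result;

/* Walk the body as the detection logic prescribes: for every boundary
 * match, find the first CRLFCRLF after it, then the next boundary after
 * that, and measure the distance between the two. Matching is
 * case-sensitive (strstr), as required. The body is assumed to be
 * NUL-terminated here; a production detector must use length-bounded
 * searches, since request bodies may contain NUL bytes. */
static scan_result scan_multipart(const char *body, const char *boundary)
{
    scan_result res = { 0, 0, SIZE_MAX };
    const char *start = strstr(body, boundary);

    while (start != NULL) {
        const char *crlf = strstr(start, "\r\n\r\n");
        if (crlf == NULL)
            break;
        const char *end = strstr(crlf, boundary);
        if (end == NULL)
            break;
        size_t gap = (size_t)(end - crlf);
        res.parts++;
        if (gap < res.min_gap)
            res.min_gap = gap;
        if (gap < 8)
            res.suspicious++;
        start = end;   /* continue from the boundary that closed this element */
    }
    return res;
}

/* Constructed sample bodies for boundary "XYZ" (not captured traffic). */
static const char BENIGN_BODY[] =
    "--XYZ\r\n"
    "Content-Disposition: form-data; name=\"a\"\r\n"
    "\r\n"
    "hello\r\n"
    "--XYZ--\r\n";               /* gap = 4 + 5 + 2 + 2 = 13, data length 5 */

static const char MALICIOUS_BODY[] =
    "--XYZ\r\n"
    "Content-Disposition: form-data; name=\"a\"\r\n"
    "\r\n"
    "a--XYZ--\r\n";              /* gap = 4 + 1 + 2 = 7: the underflow case */

int main(void)
{
    scan_result b = scan_multipart(BENIGN_BODY, "XYZ");
    scan_result m = scan_multipart(MALICIOUS_BODY, "XYZ");

    printf("benign:    parts=%d suspicious=%d min_gap=%zu\n", b.parts, b.suspicious, b.min_gap);
    printf("malicious: parts=%d suspicious=%d min_gap=%zu\n", m.parts, m.suspicious, m.min_gap);
    printf("gap 7: vulnerable vlen=%zu, vlen+1=%zu, checked=%ld\n",
           vulnerable_vlen(7), vulnerable_vlen(7) + 1, checked_vlen(7));
    return 0;
}
```

The scan deliberately mirrors the parser's own search order rather than a full multipart grammar, because the condition that matters is exactly the one the parser mis-handles; a detector that normalised the body first could disagree with the parser about where the CRLFCRLF and the next boundary fall.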

Conclusion

This bug has been patched by Apache with HTTP Server 2.4.52. They do not list any mitigating factors, so applying the update is the only method to fully address this vulnerability.

Special thanks to Guy Lederfein and Dusan Stevanovic of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.

The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the ZDI team for the latest in exploit techniques and security patches.

CVE-2021-44142: Details on a Samba Code Execution Bug Demonstrated at Pwn2Own Austin

Recently, Samba released a patch to address an Out-of-Bounds (OOB) Heap Read/Write vulnerability found in Samba versions prior to 4.13.17. This vulnerability was disclosed at Pwn2Own Austin 2021 by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) of STAR Labs. After the event, Lucas Leong of Trend Micro Zero Day Initiative discovered additional variants of the vulnerability which were disclosed to Samba as part of this fix. This bug was also independently reported to Samba by Orange Tsai of DEVCORE.

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samba. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of EA metadata in the Samba server daemon (smbd) when opening a file. An attacker can leverage this vulnerability to execute code in the context of root.

Now that the patch has been made available, let’s take a more detailed look at the bugs involved and the patch released to fix them. Much of this information was derived from the white paper submitted by STAR Labs as a part of their Pwn2Own entry.

Background

Within Samba, the server daemon that provides the file sharing service is known as smbd. This analysis was conducted on smbd version 4.9.5, which can be downloaded here. While this isn’t the latest version of Samba, there are still quite a few vendors that incorporate this version or prior versions in their products. This was the case during Pwn2Own Austin 2021. Since Samba provides file sharing between devices, it is often enabled by default. The configuration of smbd is found in /etc/samba/smb.conf. Here’s a portion of an smb.conf file showing how Samba would be configured to support a Time Machine share for Apple devices:

In this section, you can see that guest ok = yes is declared, which allows guest authentication. The vfs objects list contains three modules: catia, fruit, and streams_xattr. The bugs we’re concerned with reside in the fruit module, which provides enhanced compatibility with Apple SMB clients. As stated by the vendor advisory, “The problem in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file. If both options are set to different settings than [sic] the default values, the system is not affected by the security issue.”

The Vulnerability

The fruit module that ships with Samba is designed to provide interoperability between Samba and Netatalk. Netatalk is an open-source implementation of the Apple Filing Protocol (AFP). It allows Unix-like systems to serve as file servers for Apple devices. Once a session is established, smbd allows an unauthenticated user to set extended file attributes of a file via SMB2_SET_INFO. This is done by the set_ea function found in “source3/smbd/trans2.c”. The name of the attribute must not be within the private Samba attribute name list, which includes user.SAMBA_PAI, user.DOSATTRIB, user.SAMBA_STREAMS, and security.NACL. With the exception of these attributes, an attacker can set arbitrary extended attributes.

The fruit module handles requests that access a file with the stream name :AFP_AfpInfo or :AFP_Resource. If using the stream name :AFP_AfpInfo, an attacker can open, read, and write Netatalk metadata of a file. Netatalk metadata is stored in an adouble structure, which is initialized by the ad_get/ad_fget functions.

The Netatalk metadata of a file is stored in the value of the extended attribute identified by the name org.netatalk.Metadata. The metadata will be parsed to fill the adouble (AppleDouble) structure. Since org.netatalk.Metadata isn't in the private Samba attribute name list discussed above, an attacker can set an arbitrary value for this attribute. Therefore, it's possible for an attacker to inject malformed metadata values. This can lead to multiple out-of-bounds memory accesses when the adouble structure is later used.

Let’s take a more detailed look at the bugs used to exploit this vulnerability during the Pwn2Own competition.

ZDI-22-245: Heap Out-Of-Bounds Read

The fruit_pread function reads metadata of a file. Since our file stream is named :AFP_AfpInfo and the file type is ADOUBLE_META, the function chain fruit_pread_meta -> fruit_pread_meta_adouble will be executed.

Consider the following source code:

At line 4279, the ad_fget function creates an adouble structure containing attacker-controlled data.

At line 4285, the call to ad_get_entry returns the pointer to the ADEID_FINDERI entry. Since this is controllable by the attacker, they can make p point to the last byte of the ad->ad_data buffer. This will cause the memcpy call at line 4300 to read past the end of the allocated buffer and dump up to thirty-one bytes of memory from the heap.

ZDI-22-246: Heap Out-Of-Bounds Write

The fruit_pwrite function is used to write metadata to a file. Since we can already control an ADEID_FINDERI entry, we can leverage that to control a memcpy call, which allows us to write up to thirty-one bytes of data to the heap.

Consider the following source code:

At line 4657, the ad_fget function creates the ad adouble structure from metadata. As mentioned before, an attacker could inject malformed metadata here and control the values within.

Later at line 4664, the ad_get_entry returns the pointer to the ADEID_FINDERI entry. Since this is controllable by the attacker, they can set p to point to the last byte of the ad->ad_data buffer. This allows the memcpy call at line 4671 to write past the end of the ad->ad_data buffer. Since ad->ad_data is allocated from heap memory, the attacker can leverage this vulnerability to write up to 31 bytes of data past the end of the heap buffer.

ZDI-22-244: Heap-based Buffer Overflow

When analyzing the bugs used during Pwn2Own, ZDI Vulnerability Researcher Lucas Leong noticed a variant of the vulnerability used at the contest.

In the case of the bugs used during Pwn2Own, Samba fails to validate the ADEID_FINDERI entry, which leads to an OOB read and OOB write. Further analysis from Lucas found that Samba does not validate the ADEID_FILEDATESI entry either. This leads to an OOB read in ad_getdate and an OOB write in ad_setdate. This leads to an overflow of three bytes, as seen in the code below:

An attacker can possibly leverage this vulnerability to execute code in the context of the smbd daemon.

Patch details

The source code of the patch for CVE-2021-44142 can be found here. The primary change from the vendor was an update to two areas to mitigate this vulnerability.

First, Samba added the function ad_entry_check_size(), which validates the size of each entry when parsing the AppleDouble format.

Second, Samba added the Netatalk extended attribute AFPINFO_EA_NETATALK to the private attribute name list. Since an attacker needs to set the malformed extended attribute on a file at the beginning stage of this exploit, this change effectively blocks any user attempting to set any Netatalk extended attribute. This is a generic mitigation for this attack vector.
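The unvalidated ADEID_FINDERI entry from ZDI-22-245/246 and the per-entry size check from the patch, put side by side as an added example. This is a simplified model written for this post, not Samba's source: the AppleDouble header layout and the entry ids and fixed lengths (ADEID_FINDERI = 9 with 32 bytes of Finder info, ADEID_FILEDATESI = 8 with 16 bytes) follow Netatalk's definitions as I understand them, the 402-byte in-memory copy of the xattr value is an assumed size, ad_entry_check_size keeps the name from the patch but its body is my reconstruction of the idea, and build_metadata and demo_finderinfo are helpers of my own. The metadata blob is constructed, and the out-of-bounds copy is computed rather than performed so the program stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Samba's code. Assumed AppleDouble layout: magic(4)
 * version(4) filler(16) nentries(2), then nentries * { id(4) offset(4)
 * length(4) }, all big-endian, followed by the entry data. */
enum { AD_MAGIC = 0x00051607, AD_VERSION = 0x00020000 };
enum { AD_HEADER_LEN = 26, AD_ENTRY_LEN = 12, AD_MAX_ENTRIES = 16, AD_DATASZ = 402 };
enum { ADEID_FILEDATESI = 8, ADEID_FINDERI = 9, ADEDLEN_FILEDATESI = 16, ADEDLEN_FINDERI = 32 };

struct ad_entry { uint32_t id, off, len; };
struct adouble {
    uint8_t  ad_data[AD_DATASZ];   /* raw org.netatalk.Metadata value: attacker-controlled */
    size_t   ad_datalen;           /* bytes of it actually held */
    struct ad_entry ent[AD_MAX_ENTRIES];
    unsigned nent;
};

static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Parse header and entry table. As in the pre-fix code, only the table itself
 * is checked against the blob size; where each entry's data lies is not. */
static int ad_parse(struct adouble *ad, const uint8_t *xattr, size_t n)
{
    if (n < AD_HEADER_LEN || n > AD_DATASZ) return -1;
    if (rd32(xattr) != AD_MAGIC || rd32(xattr + 4) != AD_VERSION) return -1;
    memcpy(ad->ad_data, xattr, n);
    ad->ad_datalen = n;
    ad->nent = ((unsigned)xattr[24] << 8) | xattr[25];
    if (ad->nent > AD_MAX_ENTRIES || AD_HEADER_LEN + (size_t)ad->nent * AD_ENTRY_LEN > n) return -1;
    for (unsigned i = 0; i < ad->nent; i++) {
        const uint8_t *e = xattr + AD_HEADER_LEN + i * AD_ENTRY_LEN;
        ad->ent[i].id = rd32(e); ad->ent[i].off = rd32(e + 4); ad->ent[i].len = rd32(e + 8);
    }
    return 0;
}

static const struct ad_entry *ad_find(const struct adouble *ad, uint32_t id)
{
    for (unsigned i = 0; i < ad->nent; i++)
        if (ad->ent[i].id == id) return &ad->ent[i];
    return NULL;
}

/* The fix's idea: a fixed-size entry must be at least its defined size, and
 * the span [off, off + size) must lie inside the data actually held. */
static int ad_entry_check_size(uint32_t id, uint32_t off, uint32_t len, size_t datalen)
{
    uint32_t need = len;                           /* variable-length entries: just fit */
    if (id == ADEID_FINDERI)    need = ADEDLEN_FINDERI;
    if (id == ADEID_FILEDATESI) need = ADEDLEN_FILEDATESI;
    if (len < need) return -1;
    if (off > datalen || need > datalen - off) return -1;   /* ordered to avoid wrap */
    return 0;
}

/* ZDI-22-245/246 behaviour, computed rather than performed: how many bytes a
 * 32-byte copy at the FinderInfo offset would reach beyond the held data. */
static size_t finderinfo_oob_bytes(const struct adouble *ad)
{
    const struct ad_entry *e = ad_find(ad, ADEID_FINDERI);
    size_t end = e ? (size_t)e->off + ADEDLEN_FINDERI : 0;
    return end > ad->ad_datalen ? end - ad->ad_datalen : 0;
}

/* Hardened read path: copy only after the entry passes the size check. */
static int finderinfo_read_checked(const struct adouble *ad, uint8_t out[ADEDLEN_FINDERI])
{
    const struct ad_entry *e = ad_find(ad, ADEID_FINDERI);
    if (e == NULL || ad_entry_check_size(e->id, e->off, e->len, ad->ad_datalen) != 0) return -1;
    memcpy(out, ad->ad_data + e->off, ADEDLEN_FINDERI);
    return 0;
}

/* Constructed 70-byte blob (header + one table entry + 32 data bytes) holding
 * a single FinderInfo entry whose offset the caller chooses. */
static size_t build_metadata(uint8_t *buf, size_t bufsz, uint32_t finderi_off)
{
    size_t total = AD_HEADER_LEN + AD_ENTRY_LEN + ADEDLEN_FINDERI;
    if (bufsz < total) return 0;
    memset(buf, 0, total);
    wr32(buf, AD_MAGIC); wr32(buf + 4, AD_VERSION); buf[25] = 1;   /* nentries = 1 */
    wr32(buf + AD_HEADER_LEN, ADEID_FINDERI);
    wr32(buf + AD_HEADER_LEN + 4, finderi_off);
    wr32(buf + AD_HEADER_LEN + 8, ADEDLEN_FINDERI);
    return total;
}

/* Whole path for a chosen offset: overrun = bytes the unchecked copy would
 * reach past the data (-1 if the blob fails to parse); checked = hardened
 * read result (0 accepted, -1 rejected). Offset 38 fits; 69 is the last byte. */
struct demo_result { long overrun; int checked; };
static struct demo_result demo_finderinfo(uint32_t finderi_off)
{
    struct demo_result r = { -1, -1 };
    uint8_t blob[AD_DATASZ], fi[ADEDLEN_FINDERI]; struct adouble ad;
    size_t n = build_metadata(blob, sizeof blob, finderi_off);
    if (n == 0 || ad_parse(&ad, blob, n) != 0) return r;
    r.overrun = (long)finderinfo_oob_bytes(&ad);
    r.checked = finderinfo_read_checked(&ad, fi);
    return r;
}
```

Placing the FinderInfo offset on the last held byte reproduces the figure from the write-up: a 32-byte copy from there reaches 31 bytes past the data, and the size check rejects exactly that entry while accepting one that fits. The same check applied to ADEID_FILEDATESI covers the ZDI-22-244 variant, since the fixed length is looked up per entry id.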

Conclusion

Samba patched this and other bugs on January 31, 2022. They assigned CVE-2021-44142 to cover the bugs discussed in this report. In addition to 4.13.17, Samba 4.14.12 and 4.15.5 have been released to address this vulnerability. The vendor does list removing the fruit VFS module from the list of configured VFS in “smb.conf” as a workaround. However, this will severely impact the functionality of any macOS systems attempting to access the Samba server. Because of this, you should focus on testing and deploying the patch to remediate this vulnerability. It’s also recommended to reach out to any third-party vendors with devices on your enterprise to ensure they have consumed the patch and provided updates to their devices as well. It is expected that many different vendors will need to update the version of Samba they ship with their devices, so expect lots of additional patches to address these bugs.

Thanks again to Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) of STAR Labs for participating in Pwn2Own Austin 2021 and demonstrating this bug. At the contest, they won $45,000 from this exploit alone, and a total of $113,500 for the entire event. We certainly hope to see them at future competitions. Until then, follow the team for the latest in exploit techniques and security patches.

The February 2022 Security Update Review

8 February 2022 at 18:28

It’s the second patch Tuesday of 2022, which means the latest security updates from Adobe and Microsoft are here. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2022

For February, Adobe released five bulletins addressing 17 CVEs in Adobe Illustrator, Creative Cloud Desktop, After Effects, Photoshop, and Premiere Rush. Two of these 17 were reported by ZDI Vulnerability Researcher Mat Powell. The update for Illustrator fixes a total of 13 bugs, the most severe of which could allow arbitrary code execution through either a buffer overflow or an Out-Of-Bounds (OOB) Write. The patch for Creative Cloud Desktop also fixes a single, Critical-rated code execution bug.

The theme of Critical-rated code execution bugs continues with the fix for After Effects. This patch addresses an OOB write bug that exists within the parsing of 3GP files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. The final Critical-rated patch from Adobe this month fixes a buffer overflow in Photoshop that could allow code execution.

The only Moderate-rated patch this month is the update for Premiere Rush. This patch fixes a bug that exists within the parsing of JPEG images. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2022

For February, Microsoft released 51 new patches addressing CVEs in Microsoft Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code, and Microsoft Teams. A total of five of these bugs came through the ZDI program. This is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs.

This volume is in line with February releases from previous years, which (apart from 2020) tend to be around 50 CVEs. What’s more curious about this release is the complete lack of Critical-rated patches. Of the patches released today, 50 are rated Important and one is rated Moderate in severity. It may have happened before, but I can’t find an example of a monthly release from Microsoft that doesn’t include at least one Critical-rated patch. It certainly hasn’t happened in recent memory. Interestingly, Microsoft has chosen to provide some additional explanations of CVSS ratings in this month’s release, but there are still many details about the bugs themselves that are left obscured.

None of the bugs are listed as under active exploit this month, while one is listed as publicly known at the time of release. Last month, Microsoft also initially listed the release as having no active attacks only to revise CVE-2022-21882 two days post release to indicate “Microsoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.” We’ll update this blog should they change their mind this month as well.

Let’s take a closer look at some of the more interesting updates for this month, starting with a significant bug in the Windows DNS Server:

-       CVE-2022-21984 – Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a remote code execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates aren’t enabled by default, this doesn’t get a Critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as Critical.

-       CVE-2022-23280 – Microsoft Outlook for Mac Security Feature Bypass Vulnerability
This Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target's IP information. However, it’s possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version.

-       CVE-2022-21995 – Windows Hyper-V Remote Code Execution Vulnerability
This patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as High here stating an attacker, “must prepare the target environment to improve exploit reliability.” Since this is the case for most exploits, it’s not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it’s recommended to treat this as a Critical update.

-       CVE-2022-22005 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a bug in SharePoint Server that could allow an authenticated user to execute arbitrary .NET code on the server under the context and permissions of the SharePoint Web Application service account. An attacker would need “Manage Lists” permissions to exploit this, but by default authenticated users are able to create their own sites, and in that case the user is the owner of the site and holds all the necessary permissions. This case came through the ZDI, and we’ll have additional details out about it in the near future.

Here’s the full list of CVEs released by Microsoft for February 2022:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-21989 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2022-21984 | Windows DNS Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-23280 | Microsoft Outlook for Mac Security Feature Bypass Vulnerability | Important | 5.3 | No | No | SFB |
| CVE-2022-21995 | Windows Hyper-V Remote Code Execution Vulnerability | Important | 7.9 | No | No | RCE |
| CVE-2022-22005 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-21986 | .NET Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-23256 | Azure Data Explorer Spoofing Vulnerability | Important | 8.1 | No | No | Spoofing |
| CVE-2022-21844 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21926 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21927 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21957 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2022-23271 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-23272 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2022-23273 | Microsoft Dynamics GP Elevation Of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-23274 | Microsoft Dynamics GP Remote Code Execution Vulnerability | Important | 8.3 | No | No | RCE |
| CVE-2022-23269 | Microsoft Dynamics GP Spoofing Vulnerability | Important | 6.9 | No | No | Spoofing |
| CVE-2022-23262 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
| CVE-2022-23263 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.7 | No | No | EoP |
| CVE-2022-22716 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-22004 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-22003 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-23252 | Microsoft Office Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-21988 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-23255 | Microsoft OneDrive for Android Security Feature Bypass Vulnerability | Important | 5.9 | No | No | SFB |
| CVE-2022-23254 | Microsoft Power BI Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-21968 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2022-21987 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing |
| CVE-2022-21965 | Microsoft Teams Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-22715 | Named Pipe File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21974 | Roaming Security Rights Management Services Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-23276 | SQL Server for Linux Containers Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21991 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2022-22709 | VP9 Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21996 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22710 | Windows Common Log File System Driver Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2022-21981 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22000 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21998 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-21994 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22712 | Windows Hyper-V Denial of Service Vulnerability | Important | 5.6 | No | No | DoS |
| CVE-2022-21992 | Windows Mobile Device Management Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21997 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22717 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2022-22718 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-22001 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-21985 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-21971 | Windows Runtime Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-21993 | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2022-22002 | Windows User Account Profile Picture Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2022-23261 | Microsoft Edge (Chromium-based) Tampering Vulnerability | Moderate | 5.3 | No | No | Tampering |
| CVE-2022-0452 * | Chromium: CVE-2022-0452 Use after free in Safe Browsing | High | N/A | No | No | N/A |
| CVE-2022-0453 * | Chromium: CVE-2022-0453 Use after free in Reader Mode | High | N/A | No | No | N/A |
| CVE-2022-0454 * | Chromium: CVE-2022-0454 Heap buffer overflow in ANGLE | High | N/A | No | No | N/A |
| CVE-2022-0455 * | Chromium: CVE-2022-0455 Inappropriate implementation in Full Screen Mode | High | N/A | No | No | N/A |
| CVE-2022-0456 * | Chromium: CVE-2022-0456 Use after free in Web Search | High | N/A | No | No | N/A |
| CVE-2022-0457 * | Chromium: CVE-2022-0457 Type Confusion in V8 | High | N/A | No | No | N/A |
| CVE-2022-0458 * | Chromium: CVE-2022-0458 Use after free in Thumbnail Tab Strip | High | N/A | No | No | N/A |
| CVE-2022-0459 * | Chromium: CVE-2022-0459 Use after free in Screen Capture | High | N/A | No | No | N/A |
| CVE-2022-0460 * | Chromium: CVE-2022-0460 Use after free in Window Dialog | Medium | N/A | No | No | N/A |
| CVE-2022-0461 * | Chromium: CVE-2022-0461 Policy bypass in COOP | Medium | N/A | No | No | N/A |
| CVE-2022-0462 * | Chromium: CVE-2022-0462 Inappropriate implementation in Scroll | Medium | N/A | No | No | N/A |
| CVE-2022-0463 * | Chromium: CVE-2022-0463 Use after free in Accessibility | Medium | N/A | No | No | N/A |
| CVE-2022-0464 * | Chromium: CVE-2022-0464 Use after free in Accessibility | Medium | N/A | No | No | N/A |
| CVE-2022-0465 * | Chromium: CVE-2022-0465 Use after free in Extensions | Medium | N/A | No | No | N/A |
| CVE-2022-0466 * | Chromium: CVE-2022-0466 Inappropriate implementation in Extensions Platform | Medium | N/A | No | No | N/A |
| CVE-2022-0467 * | Chromium: CVE-2022-0467 Inappropriate implementation in Pointer Lock | Medium | N/A | No | No | N/A |
| CVE-2022-0468 * | Chromium: CVE-2022-0468 Use after free in Payments | Medium | N/A | No | No | N/A |
| CVE-2022-0469 * | Chromium: CVE-2022-0469 Use after free in Cast | Medium | N/A | No | No | N/A |
| CVE-2022-0470 * | Chromium: CVE-2022-0470 Out of bounds memory access in V8 | Low | N/A | No | No | N/A |

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

Looking at the additional remote code execution bugs in this month’s patch release, the updates for the HEVC and VP9 video extensions stand out. Microsoft indicates this requires the exploit to be local. However, they also state viewing a specially crafted image file could result in Windows Explorer crashing. If this is the case, it stands to reason the image file could also be hosted on an SMB share, which would make this a remote exploit vector rather than a local one. The updates for these extensions can be found in the Microsoft Store, so you really only need to verify you have the updated versions unless you are in a disconnected environment.

In addition to those already mentioned, there are nine additional remote code execution-related patches this month. There’s an update for Roaming Security Rights Management Services, but Microsoft offers no information on how an attacker could exploit this vulnerability. There are also no details for the Windows Runtime or the Mobile Device Management bugs. If you’re using Windows for MDM, definitely take this update seriously. There are also a couple of open-and-own Office bugs getting fixed. The RCE bugs are rounded out by updates for Dynamics 365 (on-prem) and Dynamics GP.

Speaking of Dynamics GP, there are three patches fixing elevation of privilege (EoP) bugs in the component. Those are three of the 18 EoP patches in this month’s release. This includes an update for the Windows Kernel that is listed as publicly known. The remaining patches are mostly in other Windows components and require a logged-on user to execute a specially crafted program. The other EoP updates that stand out fix vulnerabilities in the Windows Print Spooler. Ever since PrintNightmare, the print spooler has been an attractive target for attackers and researchers alike. Pay special attention to CVE-2022-21999 since it was reported during the Tianfu Cup. Other bugs associated with this contest have been used in active attacks.

Moving on to the Security Feature Bypass (SFB) updates, there are two in addition to the previously mentioned one in Outlook for Mac. The bug in OneDrive for Android requires physical access to an unlocked phone but could allow an attacker to access OneDrive files while bypassing authentication. Really, if an attacker has access to your unlocked Android, this bug is probably the least of your concerns. The SFB for SharePoint is more severe since it could allow an attacker to bypass the blocking of HTTP requests based on IP range.

There are five patches fixing Denial-of-Service (DoS) bugs in this month’s release, and the one for Microsoft Teams stands out. While Microsoft provides no details about the exploit, it does indicate all versions of Teams need an update, including iOS and Android versions. The DoS in Hyper-V server should also be noted as successful exploitation could affect functionality of a Hyper-V host. The DoS vulnerability in .NET affects applications using the Kestrel web server. If you aren’t familiar with it, Kestrel is a cross-platform server within ASP.NET Core and is enabled by default. If you’re using Kestrel as an Internet-facing server, definitely apply this patch to prevent a DoS while handling certain HTTP/2 and HTTP/3 requests.

The February release contains three patches for spoofing bugs. There’s a patch for Azure Data Explorer. To receive the update, you will need to restart the Kusto.Explorer application. Dynamics GP receives an update here that could almost be considered code execution. While the vulnerability is in the web server, successful exploitation could allow malicious scripts to execute in the user’s browser on the target machine. And while spoofing bugs in SharePoint usually mean some form, the bug getting patched this month is different. An authenticated attacker could manipulate a SharePoint page they control to trick targeted users into sending attacker-controlled requests to the server under the permissions context of the target.

The lone Moderate-rated patch this month addresses a tampering bug in the Edge (Chromium-based) web browser.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on March 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
