
vulnerabilities

now browsing by tag


Bitcoin Plunge Reveals Possible Vulnerabilities In Crazy Imaginary Internet Money


NEW YORK—Saying it may account for the precipitous drop in the digital currency, financial experts on Friday told reporters that the recent plunge in bitcoin value could reveal vulnerabilities in crazy imaginary internet money. “This should serve as a clear indicator of how susceptible weird invisible money that only exists online can be to sudden fluctuations in the market,” said economist Bernard Gregerson, explaining that the 18 percent decline in bitcoin’s value might be a predictor of more drastic fluctuations to come in the price of bizarre make-believe cryptocurrency that has no reality in the physical realm. “This volatility may be connected to the fact that we’re dealing with a pile of ones and zeros with no attachment to any bank or government and calling it legal tender, but we can’t say for certain.” At press time, bitcoin had recouped some of its losses, which experts attributed to the fact that even ghost money best suited for anonymously buying heroin could sometimes rebound.

Several Vulnerabilities Found in Common Android IDEs Including Android Studio, IntelliJ IDEA, and Eclipse

When we think of Android vulnerabilities we typically picture a zero-day vulnerability that exploits some process to escalate privileges. This can be anything from tricking your smartphone or tablet into connecting to a malicious WiFi network to allowing code to be executed on a device from a remote location. However, a new type of Android vulnerability has recently been discovered. It is being called ParseDroid, and it targets developer tools including Android Studio, IntelliJ IDEA, Eclipse, APKTool, the Cuckoo-Droid service and more.

ParseDroid isn’t isolated to just Android’s developer tools, though, and these vulnerabilities have been found in multiple Java/Android tools that programmers are using these days. It doesn’t matter if you’re using a downloadable developer tool or one that works in the cloud, Check Point Research has found these vulnerabilities in the most common Android and Java development tools. Once exploited, an attacker is then able to access internal files of the developer’s work machine.

Check Point Research first dug into the most popular tool for reverse engineering third-party Android apps (APKTool) and found that both its decompiling and building features are vulnerable to the attack. After looking at the source code, the researchers identified an XML External Entity (XXE) vulnerability: the XML parser configured in APKTool does not disable external entity references when parsing an XML file.

Once exploited, the vulnerability exposes the whole OS file system of APKTool users. In turn, this potentially allows the attacker to retrieve any file on the victim’s PC by using a malicious “AndroidManifest.xml” file that exploits the XXE vulnerability. Once that vulnerability was discovered, the researchers looked at popular Android IDEs and found that simply loading the malicious “AndroidManifest.xml” file as part of any Android project makes the IDEs spit out any file configured by the attacker.


Credits: Check Point Research

Check Point Research also demonstrated an attack scenario potentially affecting a large number of Android developers. It works by injecting a malicious AAR (Android Archive Library) containing an XXE payload into online repositories. If a victim clones the repository, the attacker would then have access to potentially sensitive company property from the victim’s OS file system.


Credits: Check Point Research

Finally, the authors described a method through which they can execute remote code on a victim’s machine. This is done by exploiting a configuration file in APKTool called “APKTOOL.YAML.” This file has a section called “unknownFiles” where users can specify file locations that will be placed during the rebuilding of an APK. These files are stored on the victim’s machine in an “Unknown” folder. By editing the path where these files are saved, an attacker can write any file they want to the victim’s file system, since APKTool did not validate the path to which unknown files extracted from an APK are written.

The files that the attacker injects lead to full Remote Code Execution on the victim’s machine, meaning that an attacker can exploit any victim with APKTool installed by crafting a maliciously made APK and having the victim attempt to decode and then rebuild it.
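The missing check behind the “unknownFiles” problem is path containment: every entry name taken from the YAML must resolve to a location inside the output folder. This Java snippet is an added example (not APKTool’s code) of such a check; the folder name and the entry names are constructed for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

public class UnknownFilesPathCheck {

    // Hypothetical destination folder for "unknownFiles" entries; the real
    // tool's directory layout is not assumed here.
    static final Path UNKNOWN_DIR = Paths.get("build", "unknown");

    // Resolve one entry name from the YAML beneath the unknown folder and
    // reject any name whose normalised form escapes that folder.
    static Path resolveInside(Path unknownDir, String entryName) {
        Path base = unknownDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        // startsWith compares whole path elements, so ".../unknown2/x" is not
        // treated as inside ".../unknown". An absolute entryName replaces base
        // entirely in resolve() and therefore fails the same test. An entry
        // that normalises to the folder itself is rejected as well.
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IllegalArgumentException(
                "unknownFiles entry escapes output folder: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed entry names: the first two are legitimate; the rest are
        // the shapes a containment check has to refuse.
        List<String> entries = Arrays.asList(
            "assets/extra.bin",
            "lib/armeabi/libfoo.so",
            "../../outside.txt",
            "/tmp/absolute.txt",
            "assets/../../escape.txt",
            ".");
        for (String e : entries) {
            try {
                System.out.println("ok      " + resolveInside(UNKNOWN_DIR, e));
            } catch (IllegalArgumentException ex) {
                System.out.println("reject  " + ex.getMessage());
            }
        }
    }
}
```

If the output folder may itself be a symlink, call toRealPath() on the base before comparing so that the containment test is made against the resolved directory.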


Credits: Check Point Research

Since all of the IDEs and tools mentioned above are cross-platform and generic, the potential for exploiting these vulnerabilities is high. Thankfully, after reaching out to the developers of each of these IDEs and tools, Check Point Research has confirmed that these tools are no longer vulnerable to this kind of attack. If you are running an older version of one of these tools, we recommend you update immediately to secure yourself against a ParseDroid-style attack.


Source: Check Point Research

Beware the IDEs of Android: three biggies have vulnerabilities • The …

Developers using the Android Studio, Eclipse, and IntelliJ IDEA have been advised to update their IDEs against serious and easily-exploitable vulnerabilities.

Check Point Software Technologies went public with the bugs on December 4, but said it made its discoveries in May 2017.

Initially, Check Point’s four researchers (Eran Vaknin, Gal Elbaz, Alon Boxiner, and Oded Vanunu) went looking for possible bugs in the APKTool reverse-engineering app, finding an XML External Entity (XXE) bug.

“The configured XML parser of APKTool does not disable external entity references when parsing an XML file within the program”, they wrote, noting the bug affected both its “Build” and “Decompile” functions, attackable using a malicious AndroidManifest.xml file.

Realising the enormity of this vulnerability to the Android developer and researcher community, we extended our research to the vulnerable XML parser called “DocumentBuilderFactory”, which is being used in the APKTool project.

What makes this capital-B “Bad” is that the parser was also present in the Eclipse, IntelliJ and Android Studio integrated development environments (IDEs).

All the attacker needs to do is trick the IDE into loading a malicious XML manifest file, the researchers said.

Furthermore, an attacker doesn’t need to hit their victim directly, by “injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories … Cloning the infected AAR from the repository by the victim would allow the attacker to steal sensitive files such as configuration files, source code, company digital proprietary and much more from the OS file system.”


But wait, there’s more: another vulnerability in APKTool allowed the researchers to execute malicious code on a victim’s PC by manipulating the APKTOOL.YML configuration file.

Check Point noted that the IDEs and tools have since been patched. ®


Google researcher finds 79 Linux USB vulnerabilities – Naked Security

The Linux world learned last week that there is something surprisingly large and flaky at the heart of the platform’s kernel USB drivers.

It turns out they’re chock-full of security vulnerabilities. USB drivers might not be the first place in Linux that most people would think to look for vulnerabilities (or the coolest), but they turned out to be a rich hunting ground for Google researcher Andrey Konovalov all the same.

How big is the problem? It depends which subset of flaws you start with.

The headline list comprises 14 new flaws Konovalov found using a kernel fuzzing tool called syzkaller created by fellow Google researcher, Dmitry Vyukov.

These 14 flaws have been assigned their own CVE numbers.

Then there are an additional 65 vulnerabilities previously found in the same subsystem (eight of which have been assigned their own CVEs), to make a grand total of 79 reported by the Google man since last December.

As to the harm they could do if exploited in different versions of the kernel before v4.13.8 (which appeared in mid-October), he said something important of the original 14 that probably applies across the board:

All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine.

This sounds reassuring because an attacker would have to be sitting in front of a vulnerable Linux computer, able to plug a USB device into it, with the effect of an exploit being to cause a crash or a denial of service in most cases.

Except an attacker wouldn’t necessarily have to gain access to a target machine themselves; they only need to find a way to fool somebody else into doing it for them, something that studies suggest users will do voluntarily if an attacker just leaves enough USB sticks lying around.

These flaws aren’t going to bring the Internet to a standstill any time soon (and many were patched some weeks ago), but they’re still a tempting target for a specialist attacker to use as a stepping stone for something more serious, such as attacks on air-gapped systems.

The usual advice to stay on top of your updates applies.

Being the Linux kernel, these flaws affect a lot of devices, although how many is difficult to say. There is a profusion of Linux distributions, Google’s Chrome OS, the welter of devices built on Linux that have a USB port, and of course Android (some Android smartphones and tablets use the USB subsystem to enable the ageing USB OTG interface, some don’t).

Seventy-nine vulnerabilities is a lot to find in only one part of the Linux kernel in a year but perhaps we shouldn’t be too hard on Linux itself. Finding bugs is better than not finding them, after all, and when USB support was added in 1999 it supported just two types of device: mice and keyboards. The number has expanded considerably since then.

That’s a lot of software for developers to keep up with. Konovalov’s dogged research into this area suggests they haven’t been.



Google researcher discovers 14 Linux USB vulnerabilities

Google researcher finds 14 Linux USB subsystem security vulnerabilities

Google researcher Andrey Konovalov recently discovered 14 Linux USB subsystem security vulnerabilities, all of which can be triggered by a “crafted malicious USB device in case an attacker has physical access to the machine.”

Konovalov found the glitches using a coverage-guided kernel fuzzer Syzkaller, discovering an 11 year old flaw in the Linux kernel with the same tool earlier this year. The process involves throwing large amounts of code at a specific type of software in order to trigger crashes.

The 14 security flaws impact the Linux kernel prior to version 4.13.8. Although the vulnerabilities discovered can be fixed, they are part of a larger group of 79 security flaws impacting the Linux kernel’s USB drivers. Within this group, 22 glitches have been issued a Common Vulnerabilities and Exposures (CVE) number. While many of these vulnerabilities have fixes available, several have been unreported and unpatched.

Konovalov originally reported the 79 vulnerabilities in December 2016 through a Google Groups mailing list. Some of the companies to make the mailing list included Google, Intel and The Linux Foundation. Konovalov continued to notify the mailing list as new results came in throughout the year.

Several of the glitches Konovalov noted in the mailing list were reported last September and October. Some of these glitches were found in release candidates of kernel version 4.14, and Linux kernel developers were able to catch them during the development process. The most recent glitches Konovalov reported were in 4.14 release candidate (RC) 8.

“Those 14 bugs that I found are triggerable externally by connecting malicious USB devices,” Konovalov told the Register, “so in this case we attack the kernel kind of ‘from the other side.’ In theory it might be possible to exploit a vulnerability in a USB device itself, and then use the compromised device to externally trigger a kernel bug.”

As previously noted, cybercriminals must have physical access to a machine to implement an attack. However, this shouldn’t undermine the extent to which hackers may go to breach a network. Some cybercriminals have attempted to infiltrate businesses by ‘losing’ malware-infected USB sticks in company parking lots. In addition, these types of glitches can be leveraged to infiltrate air-gapped systems that are not connected to the web. In these situations, USB devices can be used to infect a machine with exploit code.


Linux has a whole crock of USB vulnerabilities

SECURITY RESEARCHERS have discovered a series of vulnerabilities in the way that USB devices communicate with Linux.

Security expert and Googler Andrey Konovalov reported 14 vulnerabilities in this post on Monday, reports Bleeping Computer.

“All of them can be triggered with a crafted malicious USB device in case an attacker has physical access to the machine,” he explained.

It’s the tip of the iceberg. He’s actually found 79. These are just the ones that he and his colleagues have patched.

Some of them are simple DoS attacks – the sort of thing that will just make the computer freeze up or reboot. But there are others that can be made to run malicious code – which is a posh way of saying malware.

Konovalov found the vulnerabilities using a tool called syzkaller, a Google creation that uses a technique known as “fuzzing” to flag up kernel borkage.

Although this type of flaw would need access to the host system, that doesn’t mean they’re any less dangerous. An actor with the right experience and security access could bring down entire servers or even entire companies with a USB stick.

Even so-called air-gapped systems, which don’t have direct access to the normal interweb, can be attacked using these flaws. And if you’re air-gapping, there’s usually a good reason why you don’t want public access.

A good example of an air-gapped system might be a cash machine network for example. See? Bad times.

Although the open source community has a robust approach to creating safe environments, there are so many USB devices out there that not every one can be tested with every machine. We’re in monkey/typewriter territory in reverse: eventually, a combination will flag a vulnerability, but it’s something of a crapshoot.

Fuzzing tools like syzkaller and University of London’s POTUS are a great solution, as they can detect flaws by exploring what is possible rather than relying on a physical connection. µ
