Archive for the ‘exploits’ Category

Two serious WordPress plugin vulnerabilities are being exploited in the wild

March 22nd, 2019
Photo: Close-up of police-style caution tape stretched across an out-of-focus background (credit: Michael Theis / Flickr).

Attackers have been actively exploiting serious vulnerabilities in two widely used WordPress plugins to compromise websites that run the extensions on top of the content management system.

The two affected plugins are Easy WP SMTP with 300,000 active installations and Social Warfare, which has about 70,000 active installations. While developers have released patches for both exploited flaws, download figures indicate many vulnerable websites have yet to install the fixes. Figures for Easy WP SMTP, which was fixed five days ago, show the plugin has just short of 135,000 downloads in the past seven days. Figures for Social Warfare show it has been downloaded fewer than 20,000 times since a patch was published on WordPress on Friday. Sites that use either plugin should disable them immediately and then ensure they have been updated to version 1.3.9.1 of Easy WP SMTP and 3.5.3 of Social Warfare.

Attacks exploiting Easy WP SMTP were first reported by security firm NinTechNet on Sunday, the same day a patch became available. On Wednesday, a different security firm, Defiant, also reported the vulnerability was under active exploit despite the availability of the patch. The exploits allow attackers to create rogue administrative accounts on vulnerable websites.


Posted in Biz & IT, exploits, Plugins, redirects, vulnerabilities, WordPress

Critical flaw lets hackers control lifesaving devices implanted inside patients

March 21st, 2019
Photo: An X-ray showing a cardio defibrillator implanted in a patient (credit: Sunzi99~commonswiki).

The federal government on Thursday warned of a serious flaw in Medtronic cardio defibrillators that allows attackers to use radio communications to surreptitiously take full control of the lifesaving devices after they are implanted in a patient.

Defibrillators are small, surgically implanted devices that deliver electrical shocks to treat potentially fatal irregular heart rhythms. In recent decades, doctors have increasingly used radios to monitor and adjust the devices once they're implanted rather than using older, costlier, and more invasive means. An array of implanted cardio defibrillators made by Medtronic rely on two types of radio-based consoles for initial setup, periodic maintenance, and regular monitoring. Doctors use the company's CareLink Programmer in clinics, while patients use the MyCareLink Monitor in homes to regularly ensure the defibrillators are working properly.

No encryption, no authentication, and a raft of other flaws

Researchers from security firm Clever Security discovered that the Conexus Radio Frequency Telemetry Protocol (Medtronic's proprietary means for the monitors to wirelessly connect to implanted devices) provides no encryption to secure communications. That makes it possible for attackers within radio range to eavesdrop on the communications. Even worse, the protocol has no means of authentication for legitimate devices to prove they are authorized to take control of the implanted devices. That lack of authentication, combined with a raft of other vulnerabilities, makes it possible for attackers within radio range to completely rewrite the defibrillator firmware, an outcome rarely seen among medical device vulnerabilities to date.


Posted in Biz & IT, defibrillators, exploits, hacking, medtronic, pacemakers, vulnerabilities

How a wireless keyboard lets hackers take full control of connected computers

March 16th, 2019
Photo: Promotional image of wireless keyboard and mouse (credit: Fujitsu).

There’s a critical vulnerability in a model of Fujitsu wireless keyboard that makes it easy for hackers to take full control of connected computers, security researchers warned on Friday. Anyone using the keyboard model should strongly consider replacing it immediately.

The Fujitsu Wireless Keyboard Set LX901 uses a proprietary 2.4 GHz radio communication protocol called WirelessUSB LP from Cypress Semiconductor. While the keyboard and mouse send input that’s protected with the time-tested Advanced Encryption Standard, the USB dongle that receives the input also accepts unencrypted packets, as long as they’re in the proper format.

Researchers with the Germany-based penetration-testing firm SySS developed a proof-of-concept attack that exploits the insecure design. Using a small hardware device, they are able to send commands to vulnerable Fujitsu keyboard receiver dongles that are within range. As the video below demonstrates, the researchers were able to send input of their choice that’s automatically funneled to the connected computer.


Posted in Biz & IT, exploits, Fujitsu, injection, Replay, vulnerabilities, wireless keyboard

Nasty WinRAR bug is being actively exploited to install hard-to-detect malware

March 15th, 2019
Photo: Close-up of police-style caution tape stretched across an out-of-focus background (credit: Michael Theis / Flickr).

Malicious hackers wasted no time exploiting a nasty code-execution vulnerability recently disclosed in WinRAR, a Windows file-compression program with 500 million users worldwide. The in-the-wild attacks install malware that, at the time this post was going live, was undetected by the vast majority of antivirus products.

The flaw, disclosed last month by Check Point Research, garnered instant mass attention because it made it possible for attackers to surreptitiously install persistent malicious applications when a target opened a compressed ZIP file using any version of WinRAR released over the past 19 years. The absolute path traversal made it possible for archive files to extract to the Windows startup folder (or any other folder of the archive creator’s choosing) without generating a warning. From there, malicious payloads would automatically be run the next time the computer rebooted.

On Thursday, a researcher at McAfee reported that the security firm identified “100 unique exploits and counting” in the first week since the vulnerability was disclosed. So far, most of the initial targets were located in the US.


Posted in Biz & IT, code execution, exploits, malware, vulnerabilities, WinRar

Supermicro hardware weaknesses let researchers backdoor an IBM cloud server

February 26th, 2019
Photo credit: Jeremy Brooks / Flickr.

More than five years have passed since researchers warned of the serious security risks that a widely used administrative tool poses to servers used for some of the most sensitive and mission-critical computing. Now, new research shows how baseboard management controllers, as the embedded hardware is called, threaten premium cloud services from IBM and possibly other providers.

In short, BMCs are motherboard-attached microcontrollers that give extraordinary control over servers inside datacenters. Using the Intelligent Platform Management Interface, admins can reinstall operating systems, install or modify apps, and make configuration changes to large numbers of servers, without physically being on premises and, in many cases, without the servers being turned on. In 2013, researchers warned that BMCs that came preinstalled in servers from Dell, HP, and other name-brand manufacturers were so poorly secured that they gave attackers a stealthy and convenient way to take over entire fleets of servers inside datacenters.

Researchers at security firm Eclypsium on Tuesday plan to publish a paper about how BMC vulnerabilities threaten a premium cloud service provided by IBM and possibly other providers. The premium service is known as bare-metal cloud computing, an option offered to customers who want to store especially sensitive data but don't want it to intermingle on the same servers other customers are using. The premium lets customers buy exclusive access to dedicated physical servers for as long as needed and, when the servers are no longer needed, return them to the cloud provider. The provider, in theory, wipes the servers clean so they can be safely used by another bare-metal customer.


Posted in backdoors, baseboard management controllers, Biz & IT, bmcs, cloud, exploits, ibm softlayer, vulnerabilities

Millions of websites threatened by highly critical code-execution bug in Drupal

February 22nd, 2019
Photo credit: Victorgrigas.

Millions of sites that run the Drupal content management system run the risk of being hijacked until they're patched against a vulnerability that allows hackers to remotely execute malicious code, managers of the open source project warned Wednesday.

CVE-2019-6340, as the flaw is tracked, stems from a failure to sufficiently validate user input, managers said in an advisory. Hackers who exploited the vulnerability could, in some cases, run code of their choice on vulnerable websites. The flaw is rated highly critical.

"Some field types do not properly sanitize data from non-form sources," the advisory stated. "This can lead to arbitrary PHP code execution in some cases."


Posted in Biz & IT, content management systems, Drupal, exploits, vulnerabilities

Nasty code-execution bug in WinRAR threatened millions of users for 14 years

February 20th, 2019
Photo credit: iStock / Getty Images.

WinRAR, a Windows file compression program with 500 million users worldwide, recently fixed a 14-year-old vulnerability that made it possible for attackers to execute malicious code when targets opened a booby-trapped file.

The vulnerability was the result of an absolute path traversal flaw that resided in UNACEV2.DLL, a third-party code library that hasn’t been updated since 2005. The traversal made it possible for archive files to extract to a folder of the archive creator’s choosing, rather than the folder chosen by the person using the program. Because the third-party library doesn’t make use of exploit mitigations such as address space layout randomization, there was little preventing exploits.

Researchers from Check Point Software, the security firm that discovered the vulnerability, initially had trouble figuring out how to exploit the vulnerability in a way that executed code of their choosing. The most obvious path—to have an executable file extracted to the Windows startup folder where it would run on the next reboot—required WinRAR to run with higher privileges or integrity levels than it gets by default.


Posted in Biz & IT, bugs, code execution, exploits, vulnerabilities, WinRar

Microsoft patches zero-day vulnerabilities in IE and Exchange

February 13th, 2019
Photo: The Microsoft logo displayed at Microsoft's booth at a trade show (credit: Getty Images | Justin Sullivan).

Microsoft’s Patch Tuesday this month had higher-than-usual stakes with fixes for a zero-day Internet Explorer vulnerability under active exploit and an Exchange Server flaw that was disclosed last month with proof-of-concept code.

The IE vulnerability, Microsoft said, allows attackers to test whether one or more files are stored on disks of vulnerable PCs. Attackers first must lure targets to a malicious site. Microsoft, without elaborating, said it has detected active exploits against the vulnerability, which is indexed as CVE-2019-0676 and affects IE version 10 or 11 running on all supported versions of Windows. The flaw was discovered by members of Google’s Project Zero vulnerability research team.

Microsoft also patched Exchange against a vulnerability that allowed remote attackers with little more than an unprivileged mailbox account to gain administrative control over the server. Dubbed PrivExchange, CVE-2019-0686 was publicly disclosed last month, along with proof-of-concept code that exploited it. In Tuesday’s advisory, Microsoft officials said they haven’t seen active exploits yet, but that they were “likely.”


Posted in Biz & IT, Exchange Server, exploits, Internet Explorer, microsoft, vulnerabilities

LibreOffice and Apache OpenOffice vulnerable to same bug; only one is fixed

February 6th, 2019
Photo credit: Lisa Brewster / Flickr.

LibreOffice, an open source clone of Microsoft Office, has patched a bug that allowed attackers to execute commands of their choosing on vulnerable computers. A similar flaw in Apache OpenOffice remains unfixed.

Austrian researcher Alex Inführ publicly reported the vulnerability on Friday, shortly after it was fixed in LibreOffice. His disclosure included a proof-of-concept exploit that successfully executed commands on computers running what was then a fully patched version of LibreOffice. The only interaction that was required was that the target user hover over an invisible link with a mouse. On Wednesday, researcher John Lambert provided additional PoC samples.

The chief vulnerability exploited is a path traversal that allowed the attack code to move out of its current directory and into one that contained a sample Python script that LibreOffice installed by default. That allowed Inführ to invoke the cmd command on the vulnerable computer. The researcher then exploited a separate weakness that allowed him to pass parameters of his choice to the command.


Posted in apache openoffice, Biz & IT, code execution, exploits, LibreOffice, Microsoft office, vulnerabilities

Internet watchdog Citizen Lab targeted in comically inept undercover sting

January 26th, 2019
Photo: Extreme close-up of fingers holding a spy-sized camcorder lens (credit: AntanO / Wikimedia).

It was almost like an episode of Spy vs. Spy—a security researcher conceals a camera on his person to record an undercover operative who, under false pretenses and with his own hidden camera, quizzes the researcher about work he did exposing an Israeli exploit seller with highly questionable ethics.

In fact, the counter-sting happened earlier this month, according to an article published Friday by the Associated Press. Researchers at Internet watchdog group Citizen Lab orchestrated the sting after they grew suspicious of a man calling himself Michael Lambert who contacted Citizen Lab researcher John Scott-Railton to request a lunch meeting at a swanky Toronto hotel. The suspicions were fueled by an earlier meeting in December, in which a man masquerading as a socially conscious investor named Gary Bowman grilled a different Citizen Lab researcher about work the watchdog did exposing NSO Group, the Israeli exploit seller.

Scott-Railton agreed to the Toronto meeting and was outfitted with a GoPro action camera and several recording devices. At the lunch, he spotted a tiny camera poking out from a pen Lambert had placed on the table. As the AP reports:


Posted in Biz & IT, Citizen Lab, exploits, NSO Group