01/9/16

Mobile Vulnerability Database (MVD)

 gpmvd

 

Introduction:

The Android operating system is the most widely used operating system for mobile devices. Android has around 82.8% (IDC) market share and is a favourite  target for attackers. One of the latest vulnerabilities, StageFright, allows the attacker to execute arbitrary code on an Android device which takes advantage of a flaw that exists in media library stagefright. Considering other platforms such iOS, Windows, and Blackberry, Varutra is maintaining the vulnerabilities related to mobile operating systems in the Mobile Vulnerability Database (MVD). Varutra has developed the MVD application for the Android platform which identifies vulnerabilities on the Android operating system and provides detailed vulnerability reports, and which is freely available on Playstore for all Android users. The applications for other platforms are under development and will be available very soon for iOS, Windows and Blackberry.

MVD (Mobile Vulnerability Database):

Mobile Vulnerability Database, or MVD, is a unique place to find out about vulnerabilities reported worldwide for Mobile Platforms.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective of MVD is to give a common place for mobile users to get acquainted with the vulnerabilities that might exist on their devices. Users can choose to receive specific vulnerability details as a report via Email.

1. MVD

Platforms covered by MVD

At present MVD covers major mobile smartphone platforms such as Android, Blackberry, iOS and Windows Phone.

2.1 PlatformsMVD Web Application:

MVD is also available in web interface where users can search and gather information related to mobile operating system vulnerabilities by simply searching by the Common Vulnerabilities and Exposures (CVE ID) vulnerability category.

A user can browse through vulnerabilities specific to their mobile platform and the particular version. The objective is to give a common place for mobile users to get acquainted with what vulnerabilities might exist on their devices. Additionally, users can choose to receive specific vulnerability details as a report via Email.

Web Application

For more information: http://varutra.com/mvd/

MVD Platforms:

MVD is developed for mobile operating systems such as Android, iOS, BlackBerry and Windows

3.1 MVD PlatformsTerminologies related to MVD

What is KVID?

KALP Varutra ID (KVID) is a unique number assigned to each reported vulnerability; maintained in the MVD database by the Varutra team.

E.g. KVA01 for Android, KVB01 for Blackberry, KVI01 for iOS and KVW01 for Windows Phone

Note: KALP stands for Knowledge Attained Learn Process. It is a blog for information published on the World Wide Web and consisting of discrete entries (“posts”) typically displayed in reverse chronological order.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.”

For more information: https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures

What is CVSS?

Common Vulnerability Scoring System (CVSS) is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization.

For more information:

https://en.wikipedia.org/wiki/CVSS

CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical).

E.g. BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

MVD Feature:

MVD feature How to get the Vulnerability Report on Email?

The user can register with their Name and Email ID on Register for Vulnerability Report and then select the required platform and version to receive the report. A module is being implementing where once a user is registered they will get automatic updates for any new vulnerabilities reported in the platform and version specifically chosen by the user.

4.1 Vulnerability Report

 Users can now access the MVD on their Android Smartphones, Tablets.

The MVD Android application covers major mobile smartphone / tablet platforms such as Android, Blackberry, iOS and Windows Phone. Users can register with their Name and Email ID on “Register for Vulnerability Report” and then select the desired mobile platform and version to receive the report. Users can also download the MVD Android application on your device from Google Play:

https://play.google.com/store/apps/details?id=com.varutra.mobilevulndb&hl=en

 Conclusion: 

MVD very useful for mobile phone users who are interested in knowing the vulnerabilities in their Android phone and want to mitigate the vulnerabilities. Additionally, MVD is useful for security researchers interested in knowing the vulnerabilities present in multiple mobile operating systems.

For more Details reading Pentestmag

Author:

Attack & PenTest Team,

Varutra Consulting

10/24/15

Adobe Flash Player Zero Day Attacks Found In Hacking Team Data Leaked

adobe-addresses-latest-flash-player-zero-day-vulnerability

Hacking Team is a Milan-based information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.Its “Remote Control Systems” enable governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications,  and remotely activate microphones and camera on target computers.Hacking Team states that they have the ability to disable their software if it is used unethically.

The Recent Cyber Attack that exposed 400GB of data belonging to Hacking Team has following  Zero Day vulnerability in Adobe Flash Player in their data.

  • CVE-2015-5119                                                                                                                             
  • CVE-2015-5122
  • CVE-2015-5123                                                                                                                      

Let us see in detail , How these vulnerability affects the adobe flash player.

This Flash-based vulnerability, dubbed the “most beautiful Flash bug for the last four years” in Hacking Team’s internal notes,

Use-after-free vulnerability present in the ByteArray class located in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

The critical zero-day vulnerability in Adobe Flash is a Use-After-Free() programming flaw (CVE-2015-5122) which is similar to the CVE-2015-5119.

Use-after-free vulnerability present  in the DisplayObject class located  in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property.

Successful exploitation [of CVE-2015-5122 flaw] could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.

Adobe credited FireEye researcher Dhanesh Kizhakkinan for reporting the vulnerability found  in stolen data leaked from Hacking Team.

The flaw can be exploited by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine’s opaqueBackground. As explained by FireEye researchers:

“Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. (Initial length is 98).

Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100.

This enables the object to change an adjacent Vector object’s length to 0x40000000.

Once exploit achieves this, it follows the same mechanism that was used in CVE-2015-5119 PoC.”

This, in turn, allows for attackers to execute shellcode, which pops up a calculator

Use-after-free vulnerability present  in the BitmapData class located  in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

The vulnerability can be triggered by the following steps:

1)  From a new BitmapData object, prepare 2 Array objects, new 2 MyClass objects, and assign the MyClass object to each Array objects.

2 )  Once the valueOf function of MyClass is override, it calls the BitmapData.paletteMap with the 2 Array objects as parameters. The BitmapData.paletteMap will trigger the valueOf function.

3)   In the valueOf function, it will call BitmapData.dispose() to dispose the underlying memory of BitmapData object, thus causing Flash Player to crash.

Steps to exploit flash zero day vulnerability with metasploit :

Note: This tutorial is for informational purposes only.

  1. First download the exploit code by creating an empty document and name it:

Adobe_Flash_HackingTeam_exploit.rb

image1Figure 1:Download the Exploit                                 

  1. download the payload from here: https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/CVE-2015-5122

image2

      Figure 2:Download the Exploit

  1. Add it to the following directory:

/usr/share/metasploit-framework/data/exploits/CVE-2015-5119/msf.swf

 

  1. Now copy the exploit code and paste it into the empty document.

Use the following command to copy the file from the root/desktop to the Metasploit framework modules folder (create the flash folder if it is not here):

mv /root/Desktop/Adobe_Flash_HackingTeam_exploit.rb /usr/share/metasploit-framework/modules/exploits/windows/flash/

image3

 Figure 3: Move the Exploit in exploit-Modules

  1. You can use the following command to check whether the file has been actually copied to the destination folder:

ls  /usr/share/metasploit-framework/modules/exploits/windows/flash/

image4

 Figure 4: Confirm the destination folder

  1. open a new terminal and start Metasploit (and following services if not already started) using the following command(s):

service postgresql start

service metasploit start

msfconsole

                                  

image5

 Figure 5: Start msfconsole

  1. Now we have got Metasploit started and running with our newly imported exploit in it, we can use the following command to search for it:

search hackingteam

After this use the following command to use the newly added exploit module:

use exploit/windows/flash/Adobe_Flash_HackingTeam_Exploit

Let’s check the options for Metasploit CVE-2015-5122 module with the     following command:

show options

image6                                                        Figure 6: Trigger the Exploit                                                            

  1. We will keep the default options and type “exploit” to trigger our exploit:

Exploit

  1. Let’s open the link from a Windows 7 virtual machine with a vulnerable browser (Firefox) and a vulnerable version of Flash Player (< 18.0.0.203) installed.

image7

 Figure 7: Send the Link to the victim

CounterMeasures:

How to avoid getting infected by these exploits…

– Update Flash Player and make sure that  it is up-to-date: https://get.adobe.com/flashplayer/

If you’re unsure whether your browser has Flash installed or what version it is running, you can browse to this link : https://www.adobe.com/software/flash/about/

– Install security patches if any and keep your OS updated.

– Keep your browser updated.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi

https://github.com/hackedteam

https://www.adobe.com/software/flash/about/

http://blog.trendmicro.com/

https://www.fireeye.com

 

Author

Attack & PenTest Team,

Varutra Consulting