
Tag: Pedro

Netgear plays down router security flaw

Firmware updates on the way

Netgear has downplayed the significance of newly discovered flaws in its WNR2000 line of consumer routers. The vulnerabilities could hypothetically allow a remote attacker to execute code and take over the device without authentication, claims Pedro Ribeiro, the security researcher who discovered the bugs. “It is a LAN based attack, but it can also be used over the Internet if remote administration is enabled in the router,” Ribeiro told El Reg.

Ribeiro went public on the flaws earlier this week with an advisory after claiming he'd not received an adequate response from Netgear. In response to queries from El Reg, Netgear acknowledged the flaw while playing down its significance: “Netgear is aware of the security issue that can, in very limited instances, allow remote access to a router, including password recovery and command execution. This vulnerability occurs when an attacker has access to the internal network or when remote management is enabled on the router. Remote management is turned off by default on these routers, which is an advanced feature that the majority of our customers do not use.”

Netgear added that it plans to release firmware updates that fix the remote access and command execution vulnerability for all affected products (the WNR2000v5, WNR2000v4 and WNR2000v3) “as quickly as possible”. In the meantime, the networking equipment manufacturer has published an advisory detailing workarounds.

Ribeiro maintains that the flaw is more serious than Netgear's response implies. Vulnerable devices are easy to find using an IoT search engine, he claimed. “Also ‘having access to the internal network’ means being connected to the router's WLAN, hence why I question [the] very limited assertion,” he added. ®

Turn off remote admin, SOHOpeless D-Link owners

HNAP stack overflow revealed

It's 2016, and D-Link still can't get its Home Network Administration Protocol (HNAP) implementation right. In a terse advisory, the Carnegie Mellon CERT says the HNAP service in D-Link's "DIR" range of routers has a stack-based buffer overflow. “Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack.

The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha”, the advisory states. So far, the advisory says, D-Link hasn't addressed the problem, which affects its DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L and DIR-868L units. The only workaround is to disable remote administration. Agile Information Security's Pedro Ribeiro reported the issue and has published a Metasploit proof-of-concept. Ribeiro explains that the vulnerable fields accept arbitrarily long strings, which are copied onto the stack without any length check.

The processor the vulnerable devices use, the Lexra RLX (which Ribeiro describes as “crippled MIPS cores”), can't cope, and the device crashes. There are two ways to smash the stack, Ribeiro writes: the first is to send one of the vulnerable fields a string more than 3096 bytes long; the second is to overrun the stack frame of the calling function, hnap_main, with 2048 bytes or more. If this sounds familiar, it's because you've got a long memory.
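The check the advisory describes as missing, as an added example that is neither D-Link's firmware code nor Ribeiro's Metasploit module: a small Python parser for the HNAP Login SOAP body that extracts the four fields CERT names and rejects any of them that exceeds a bound before the value is handed to anything with a fixed-size buffer. The HNAP namespace URL, the 256-byte per-field limit and the sample request produced by build_login() are assumptions; the real fix belongs in the device's C parser, where the copy onto the stack happens.

```python
"""HNAP Login SOAP parser with per-field length bounds.

Added example for this page, not D-Link's firmware code and not the
Metasploit module. Assumptions: the HNAP XML namespace below, a 256-byte
limit per field, and the constructed sample requests from build_login().
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

HNAP_NS = "http://purenetworks.com/HNAP1/"          # assumed HNAP namespace
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# The four fields CERT names as overflowing the stack in the HNAP Login action.
VULNERABLE_FIELDS = ("Action", "Username", "LoginPassword", "Captcha")
MAX_FIELD_LEN = 256   # assumed bound, far below the >3096-byte crash threshold on the page


def build_login(action="request", username="Admin", password="", captcha="",
                pad_field=None, pad_len=0):
    """Build an HNAP Login envelope (constructed input, not a captured one).
    If pad_field is set, that field is filled with pad_len bytes of 'A', the
    kind of oversized value the advisory says crashes the device."""
    values = {"Action": action, "Username": username,
              "LoginPassword": password, "Captcha": captcha}
    if pad_field is not None:
        values[pad_field] = "A" * pad_len
    inner = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in values.items())
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<Login xmlns="{HNAP_NS}">{inner}</Login>'
            f'</soap:Body></soap:Envelope>')


def parse_login(xml_text, max_len=MAX_FIELD_LEN):
    """Extract the four Login fields, raising ValueError if any exceeds
    max_len bytes. The bound is enforced on the parsed value before it goes
    anywhere near a fixed-size buffer, which is the check the vulnerable
    firmware lacked when it copied each field onto the stack."""
    root = ET.fromstring(xml_text)
    login = root.find(f".//{{{HNAP_NS}}}Login")
    if login is None:
        raise ValueError("no HNAP Login element in SOAP body")
    fields = {}
    for name in VULNERABLE_FIELDS:
        node = login.find(f"{{{HNAP_NS}}}{name}")
        value = (node.text or "") if node is not None else ""
        size = len(value.encode("utf-8"))
        if size > max_len:
            raise ValueError(f"{name} is {size} bytes, limit is {max_len}")
        fields[name] = value
    return fields


def accepts(xml_text):
    """True if the request would reach the login handler, False if rejected."""
    try:
        parse_login(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    print(parse_login(build_login(password="hunter2")))
    print(accepts(build_login(pad_field="LoginPassword", pad_len=3097)))  # False
```

A field padded past the 3096-byte threshold the page quotes is rejected by the same bound as anything over 256 bytes; the point is that the limit is checked on the parsed value, once, before any copy, rather than trusting the SOAP client to be polite.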

For example, six years ago, SourceSec Security Research reported (PDF) bugs in the HNAP implementation. As Ribeiro notes, “D-link has a long history of vulnerabilities in HNAP”, many of them attributed to embedded device hacker Craig Heffner of dev/ttyS0. ®

VU#677427: D-Link routers HNAP service contains stack-based buffer overflow

D-Link DIR routers contain a stack-based buffer overflow in the HNAP Login action.

OpenOffice, after years of neglect, could shut down

The latest version of OpenOffice.

OpenOffice, once the premier open source alternative to Microsoft Office, could be shut down because there aren't enough developers to update the office suite. Project leaders are particularly worried about their ability to fix security problems.

An e-mail thread titled "What would OpenOffice retirement involve?" was started yesterday by Dennis Hamilton, vice president of Apache OpenOffice, a volunteer position that reports to the Apache Software Foundation (ASF) board. "It is my considered opinion that there is no ready supply of developers who have the capacity, capability, and will to supplement the roughly half-dozen volunteers holding the project together," Hamilton wrote.

No decisions have been made yet, but Hamilton noted that "retirement of the project is a serious possibility," as the Apache board "wants to know what the project's considerations are with respect to retirement."

Few updates and a lingering security hole

Many developers have abandoned OpenOffice to work on LibreOffice, a fork that got its first release in January 2011. While LibreOffice issues frequent updates, OpenOffice's most recent version update was 4.1.2 in October 2015. That was the only OpenOffice release in 2015, and there were only two updates in all of 2014. LibreOffice got 14 version updates in 2015 alone.

In July, OpenOffice issued an advisory about a security vulnerability that had no fix. The problem could let attackers craft denial-of-service attacks and execute arbitrary code. One of the workarounds suggested by the OpenOffice project was to use LibreOffice or Microsoft Office instead. A patch for that problem that can be applied to existing versions of OpenOffice was released in late August, but concerns about fixing future security problems remain.

Though the vulnerability didn't become public until recently, Hamilton wrote that the problem and a proof of concept were reported to the OpenOffice team just as version 4.1.2 was about to be released. Developers figured out a source code fix in March this year, but "we were sitting on the fix because we didn't want to give anyone ideas when they saw it applied to the source code unless there was a release in the works," Hamilton wrote. The person who reported the vulnerability became "concerned about sitting on the disclosure any longer," but OpenOffice worked out a compromise "to create a hotfix instead of attempting to work up a full maintenance release (e.g., a 4.1.3)," Hamilton wrote.

"In the case of Apache OpenOffice, needing to disclose security vulnerabilities for which there is no mitigation in an update has become a serious issue," Hamilton wrote. By the time a new version release incorporates the fix, it will likely be "a year since the release of Apache OpenOffice 4.1.2." The ASF board asked the OpenOffice project management committee "to account for this inability and to provide a remedy," and ASF wants monthly updates rather than the usual quarterly ones, Hamilton wrote.

How a shutdown would proceed

While the board hasn't ordered any specific solution, Hamilton noted that ending the project is one option and described a possible process for retiring OpenOffice. Source code would remain available for anyone interested in using it, but the project would provide no means of committing changes. Installable binaries would be retained in an archive system, but there would be "no further additions." The mechanism for announcing updates to the latest version of OpenOffice would be adjusted to provide "advice to users about investigating still-supported alternatives." Various other components of the project would have to be shut down, including public discussion mailing lists and mailing lists for developers. OpenOffice would shut down its blog and Twitter and Facebook accounts. The project management committee would be disbanded, but Apache would maintain an e-mail address that accepts requests to make use of the OpenOffice brands.

While this is still hypothetical, Hamilton said he sketched out the details of the retirement plan because he wants to make sure "any retirement happen[s] gracefully. That means we need to consider it as a contingency. For contingency plans, no time is a good time, but earlier is always better than later."

One response to Hamilton's e-mail came from Jim Jagielski, a software engineer who co-founded and serves as a board member of the Apache Software Foundation. "What is obvious is that the AOO [Apache OpenOffice] project cannot support, at the present time, being an end-user focused effort. I would suggest we focus on not being one, but instead being a framework or library that can be consumed by actual end-user implementations," Jagielski wrote.

Despite LibreOffice success, OpenOffice has many users

OpenOffice became an open source project in 2000 after Sun Microsystems acquired StarOffice and released the code. The LibreOffice fork was created after Sun was acquired by Oracle in 2010. After the fork, Oracle contributed OpenOffice to the ASF, which renamed it Apache OpenOffice. LibreOffice is maintained by The Document Foundation, whose advisory board includes free software groups such as the Free Software Foundation and GNOME and companies such as Canonical, Google, and Red Hat.

The existence of LibreOffice is fortunate because it provides OpenOffice users new features and a likely more secure alternative to switch to. LibreOffice is already the default office suite on major Linux distributions, and it has more than 100 million active users. But OpenOffice still has plenty of users on Windows and Mac, in part due to name recognition resulting from its long history. OpenOffice was downloaded more than 29 million times in 2015, for a cumulative total of more than 160 million downloads since May 2012, according to project statistics.

Developers want to keep OpenOffice alive

There is still support for continuing OpenOffice. Developer Phillip Rhodes wrote that "even broaching this topic is a mistake" because it will become "a '3rd party fulfilling prophecy' as soon as this hits the press." "I know a lot of people prefer to contribute to LO [LibreOffice] and not AOO, and that losing the people IBM was paying was a big hit," Rhodes also wrote. "But I can't help but think there's a way to get more people involved and contributing here. So I'd rather see discussion around 'how do we attract additional contributors (or fix whatever other problems we have)?' than talk about a 'retirement plan.'"

Developer Jorg Schmidt argued that OpenOffice is "excellent software" but suffers from "pretty bad public relations," while LibreOffice is "good" software with "excellent public relations." Roberto Galoppini called it "inappropriate at best to discuss anything related to the shutdown at this time." Developer Pedro Giffuni wrote that having a retirement plan is important for users and the Apache Software Foundation, but that "we should focus now on the next release. It is clear to me that even if AOO were to be retired, we still have to push out a new release mainly because we do have stuff that should see the light of a release."

It's theoretically possible that OpenOffice could be revitalized by being transferred to an independent entity outside of Apache, but Hamilton argued that the odds are against that happening. "My considered opinion is that the greatest barrier is lack of a meaningful business/operation/funding model," he wrote. "In addition, there is an insufficient supply of developers having the capacity, capability, and will to provide material improvements to Apache OpenOffice. Whatever the pool might be, it is aging and shrinking for many reasons. The affliction that Apache OpenOffice suffers under in that respect also besets any organization set up to support the code, even with paid developers."

Video surveillance recorders RIDDLED with 0-days

Kit from NUUO, Netgear has face-palm grade stoopid

There are multiple Web interface vulnerabilities in a network video recorder sold under Netgear's ReadyNAS brand and in various devices by video recording company NUUO. The affected NUUO units are the NVRmini 2, NVRsolo, and Crystal. The CERT advisory lists seven Common Vulnerabilities and Exposures (CVE) identifiers attached to the affected products, ranging from input validation issues to buffer overruns. Under CVE-2016-5674, there's a hidden page in the Web management interface that looks like someone wrote it while the product was under development and forgot to take it out. An attacker can pass arbitrary “log” parameters straight to PHP's system(): http://<IP>/__debugging_center_utils___.php?log=something%3b<payload> – the %3b decodes to a semicolon that terminates the intended command, and the payload after it executes as root.

There's a second hidden page, __nvr_status___.php (assigned CVE-2016-5677), with an information exposure risk.
Since it's accessed via the hard-coded credentials nuuoeng:qwe23622260, it's yet another debugging tool that the engineers forgot to remove.
Slap them head-wise. Under CVE-2016-5675, the handle_daylightsaving.php page does not sanitise the NTPServer parameter, letting attackers run code as root. The cgi system binary in affected units can be called directly by anyone using the Web interface (CVE-2016-5676); CVE-2016-5678 describes yet more hard-coded credentials, specific to NUUO devices (not Netgear); while CVE-2016-5679 describes a local operating system command injection vulnerability (only admins can exploit it remotely). If by now the kit hasn't qualified for The Register's “SOHOpeless” tag, there's also a buffer overrun, CVE-2016-5680, yet another arbitrary code execution bug. The bugs were discovered by Pedro Ribeiro of Agile Information Security, and the advisory can be read in full at Full Disclosure. Ribeiro explains that the disclosure was made in concert with CERT because the vendors have turned turtle. ®
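What a defender can do with the two command-injection vectors above, as an added example that is not NUUO's, Netgear's or CERT's code: detection logic in Python run over a handful of constructed web-server log lines. It flags a request to __debugging_center_utils___.php whose log parameter, or to handle_daylightsaving.php whose NTPServer parameter, decodes to something containing a shell metacharacter, and flags any request at all to the leftover __nvr_status___.php page. The combined log format, the metacharacter list and the sample lines are assumptions.

```python
"""Flag requests matching the NUUO/ReadyNAS Surveillance web-interface bugs.

Added example for this page, not vendor or CERT code. Assumptions: Apache-style
combined log format, the shell-metacharacter list below, and the constructed
SAMPLE_LOG lines (not captured from a real device).
"""
import re
from urllib.parse import urlsplit, parse_qs

# Pages and the parameter each hands to system() as root, per the advisory.
INJECTABLE = {
    "/__debugging_center_utils___.php": "log",   # CVE-2016-5674
    "/handle_daylightsaving.php": "NTPServer",   # CVE-2016-5675
}
# Left-over debug page behind hard-coded credentials; any hit is worth a look.
DEBUG_PAGES = {"/__nvr_status___.php"}           # CVE-2016-5677
# Characters that turn a value inside a system() string into a second command (assumed list).
SHELL_META = re.compile(r"[;&|`\n]|\$\(")
# Combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def inspect_target(target):
    """Classify one request target; returns (reason, detail) or None."""
    parts = urlsplit(target)
    if parts.path in DEBUG_PAGES:
        return ("debug-page", parts.path)
    param = INJECTABLE.get(parts.path)
    if param is None:
        return None
    # parse_qs percent-decodes once, as PHP does before $_GET reaches system(),
    # so %3b in the request arrives here as ';'.
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        if SHELL_META.search(value):
            return ("command-injection", f"{parts.path}?{param}={value}")
    return None


def scan_log(lines):
    """Run inspect_target over log lines; returns a list of (ip, reason, detail)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_target(m.group("target"))
        if finding is not None:
            hits.append((m.group("ip"), *finding))
    return hits


# Constructed sample log: two injection attempts, one benign NTP change, one debug-page hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2016:10:01:02 +0000] "GET /__debugging_center_utils___.php?log=something%3bid HTTP/1.1" 200 512 "-" "curl/7.47"',
    '10.0.0.7 - - [10/Aug/2016:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Aug/2016:10:02:11 +0000] "GET /handle_daylightsaving.php?NTPServer=pool.ntp.org HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Aug/2016:10:02:40 +0000] "GET /handle_daylightsaving.php?NTPServer=pool.ntp.org%60id%60 HTTP/1.1" 200 77 "-" "curl/7.47"',
    '10.0.0.5 - - [10/Aug/2016:10:03:00 +0000] "GET /__nvr_status___.php HTTP/1.1" 200 300 "-" "curl/7.47"',
]

if __name__ == "__main__":
    for ip, reason, detail in scan_log(SAMPLE_LOG):
        print(ip, reason, detail)
```

The decode-once choice matters: the device's PHP decodes the query string a single time before the value reaches system(), so a detector that decodes twice would raise alerts on %253b that the target never turns into a semicolon. The benign NTPServer=pool.ntp.org line is there to show the rule keys on metacharacters, not on the page name.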

VU#856152: NUUO and Netgear Network Video Recorder (NVR) products web interfaces...

NUUO NVRmini 2, NVRsolo, and Crystal, and Netgear ReadyNAS Surveillance are Network Video Recording (NVR) systems with Network Attached Storage (NAS) functionality for managing IP cameras.

The web management interfaces of these products are reported to...

Snitches get stitches: Little Snitch bugs were a blessing for malware

Now-patched kernel-level flaw in OS X app firewall will be revealed this week

DEF CON Vulnerabilities in popular OS X security tool Little Snitch potentially granted malicious applications extra powers, undermining the protection offered by the software. Little Snitch reports in real time the network traffic entering and leaving your Apple computer, and can block unauthorized connections.

It is a handy application firewall that reveals the information flowing out of your system and the sources of those packets. Unfortunately, it was trivial for a malicious app to bypass Little Snitch's network monitoring mechanisms, says security researcher Patrick Wardle. Wardle is a former NSA staffer who heads up research at infosec biz Synack. He discovered a heap overflow bug in Little Snitch's kernel extension code, which could be exploited by an installed application to gain administrator-level access via the security software. This kernel-mode vulnerability will be the main focus of an upcoming presentation by Wardle on Little Snitch at the DEF CON hacker gathering in Las Vegas this week. He will also demonstrate how programs could silently disable Little Snitch's network filtering, and how an Apple bug fix made this previously unexploitable bug exploitable on OS X 10.11.

Little Snitch tricked ... a slide from Patrick Wardle's forthcoming talk

Little Snitch is built by Austrian firm Objective Development Software. Wardle said its developers fixed the kernel-level flaw with the release of Little Snitch 3.6.2 without acknowledging his discovery. Pedro Vilaça, aka osxreverser, also found low-level bugs in Little Snitch that could be exploited to crash the Mac, or disable or bypass the network filtering: these were fixed in version 3.6.4, which was released last month. Highlighting and pushing for improvements in Apple's malware defenses has been a major focus of Wardle's research efforts for more than three years; he has also released a number of file-system security tools. ®