NTP Daemon decodearr Function Buffer Overflow (Mar 23, 2018)

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use. NTP has a native application implementation, ntpq, which can be accessed from the command line.

A stack overflow vulnerability has been reported in ntpq. Because the request parsing function decodearr() fails to validate the size of request parameters, an attacker could overwrite stack contents with attacker-controlled data. A successful attack could lead to arbitrary code execution on the target server with the privilege of the service application.

Linux Cryptominer Trojan Hiding Within an Image File (Mar 16, 2018)

Because of the cryptocurrency market's significant growth in the past couple of years, everyone wants a piece of that pie. Ransomware is still the most popular way for cybercriminals to generate cryptocurrency income, but these days everything from personal computers to mobile devices and servers is being targeted as a possible host for secretly mining cryptocurrency. This week the SonicWall Capture Labs Threat Research Team received reports of malware that purports to be an image file but drops a cryptominer for Linux.

Red Hat JBoss Data Grid Insecure Deserialization Vulnerability (Mar 9, 2018)

Red Hat JBoss Data Grid is an in-memory datastore solution. The client application of this software integrates the Infinispan Hot Rod client library.

A deserialization vulnerability exists in Red Hat JBoss Data Grid. Because the Hot Rod client library fails to apply proper filtering before deserializing an arbitrary class, an arbitrary object can be deserialized by this library. An attacker could inject a malicious serialized object via the cache and execute arbitrary code with the privilege of the client application.

Object serialization is a Java feature that allows an object to be written to and loaded from a binary stream, making objects portable. This feature also creates a security risk: an attacker who controls the serialized input can cause a malicious object to be instantiated during deserialization. A common mitigation is to enforce a class whitelist before the application deserializes the object.

In the Hot Rod client library, however, version 7.1.0 lacks the necessary whitelisting of the object class. In 7.1.1, the filtering can still be bypassed by using the River Marshalling Protocol:

Trojanized Android Ahmyth RAT spreads via legitimate apps (Mar 06, 2018)

The SonicWall Capture Labs Threats Research team observed an Android Remote Administration Tool (RAT) named Ahmyth being trojanized into other Android apps and distributed in the wild. Upon infecting an Android device, this RAT can exfiltrate sensitive information stored on the device, such as SMS and call logs, and perform actions such as taking a picture, sending a text message or recording audio via the microphone.

After obtaining a couple of malicious RAT samples, we investigated further and traced the origins of this RAT: we found a GitHub repository that hosts the code for it.

Asterisk SUBSCRIBE Request Buffer Overflow Vulnerability (Mar 2, 2018)

Asterisk is a software implementation of a telephone private branch exchange (PBX). It allows telephones interfaced with a variety of hardware technologies to make calls to one another, and to connect to telephony services, such as the public switched telephone network (PSTN) and voice over Internet Protocol (VoIP) services.

A memory corruption vulnerability has been reported in Asterisk. Due to improper handling of the SUBSCRIBE request in the Session Initiation Protocol (SIP) implementation, a buffer overflow can be triggered in the service process's memory space. An attacker could send a specially crafted SUBSCRIBE request and cause a denial of service, or even remote code execution on the target server with the privilege of the service process.

SIP is a request-response based application layer protocol. The memory corruption vulnerability is triggered when the Asterisk SIP service parses the SUBSCRIBE request's headers. During this process, a sequence of C functions is called:

Oracle Remote Diagnostics Agent Command Injection Vulnerability (Feb 23, 2018)

Oracle Remote Diagnostics Agent (RDA) is a command-line diagnostic tool that provides a suite of data collection and diagnostic scripts that aid in the analysis and support of Oracle products. RDA is installed by default with Oracle Fusion Middleware and WebLogic Server.

A command injection vulnerability exists in RDA. The web service class OsUtils does not properly filter an HTTP parameter, which results in command injection. An attacker could send a specially crafted HTTP POST request and execute arbitrary commands on the target server with the privilege of the web service.

To execute scanning commands for Oracle products, RDA implements the scanning functionality as native applications and invokes them via its web control panels. A set of pre-defined command templates is stored in several XML configuration files, such as oracle_database.xml, oracle_dbmachine.xml and oracle_si_supercluster.xml. For instance:

Olympic Destroyer malware targeted Pyeongchang Games (Feb 23, 2018)

The SonicWall Capture Labs Threat Research Team observed new malware called OlympicDestroyer [OlympicDestroyer.A].

This year's Winter Olympics are being held in Pyeongchang, South Korea. The OlympicDestroyer malware was designed to knock computers offline by deleting critical system files, rendering the machines unusable. This malware was used in an attack on the opening ceremony of the Pyeongchang Winter Games.