ATTENTION‼ New - CVE-2017-8414
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary orthrus in the /sbin folder of the device handles all the UPnP connections received by the device. It seems that the binary performs a sprintf operation at address 0x0000A3E4 with the value in the command line parameter "-f" and stores it on the stack. Since there is no length check, this results in corrupting the registers for the function sub_A098, which results in memory corruption.
ATTENTION‼ New - CVE-2017-8413
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device runs a custom daemon on UDP port 5978 which is called "dldps2121" and listens for broadcast packets sent on 255.255.255.255. This daemon handles a custom D-Link UDP-based protocol that allows D-Link mobile applications and desktop applications to discover D-Link devices on the local network. The binary processes the received UDP packets sent from any device in the "main" function. One path in the function traverses towards a block of code that handles commands to be executed on the device. The custom protocol created by D-Link follows the following pattern: Packetlen, Type of packet; M=MAC address of device or broadcast; D=Device Type; C=base64 encoded command string; test=1111. If a packet is received with the packet type being "S" or 0x53, then the string passed in the "C" parameter is base64 decoded and then executed by passing it into a System API. We can see at address 0x00009B44 that the string received in packet type subtracts 0x31 or "1" from the packet type and is compared against 0x22 or "double quotes". If that is the case, then the packet is sent towards the block of code that executes a command. Then the value stored in the "C" parameter is extracted at address 0x0000A1B0. Finally, the string received is base64 decoded and passed on to the system API at address 0x0000A2A8 as shown below. The same form of communication can be initiated by any process, including an attacker process on the mobile phone or the desktop, and this allows a third-party application on the device to execute commands on the device without any authentication by sending just 1 UDP packet with custom base64 encoding.
ATTENTION‼ New - CVE-2017-8412
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The device has a custom binary called mp4ts under the /var/www/video folder. It seems that this binary dumps the HTTP VERB in the system logs. As a part of doing that, it retrieves the HTTP VERB sent by the user and uses a vulnerable sprintf function at address 0x0000C3D4 in the function sub_C210 to copy the value into a string and then into a log file. Since there is no bounds check being performed on the environment variable at address 0x0000C360, this results in a stack overflow and overwrites the PC register, allowing an attacker to execute a buffer overflow or even a command injection attack.
ATTENTION‼ New - CVE-2017-8410
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The binary rtspd in the /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary performs a memcpy operation at address 0x00011E34 with the value sent in the "Authorization: Basic" RTSP header and stores it on the stack. The number of bytes to be copied is calculated based on the length of the string sent in the RTSP header by the client. As a result, memcpy copies more data than it can hold on the stack, and this results in corrupting the registers for the caller function sub_F6CC, which results in memory corruption. The severity of this attack is enlarged by the fact that the same value is then copied on the stack in the function 0x00011378, and this allows overflowing the allocated buffer and thus controlling the PC register, which will result in arbitrary code execution on the device.
ATTENTION‼ New - CVE-2017-8409
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1130 devices. The device requires that a user logging in to the device provide a username and password. However, the device does not enforce the same restriction on a specific URL, thereby allowing any attacker in possession of that URL to view the live video feed. The severity of this attack is enlarged by the fact that there are more than 100,000 D-Link devices out there.
ATTENTION‼ New - CVE-2017-8406
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1130 devices. The device provides a crossdomain.xml file with no restrictions on who can access the webserver. This allows a hosted Flash file on any domain to make calls to the device's webserver and pull any information that is stored on the device. In this case, the user's credentials are stored in clear text on the device and can be pulled easily. It also seems that the device does not implement any cross-site scripting forgery protection mechanism, which allows an attacker to trick a user who is logged in to the web management interface into executing a cross-site flashing attack on the user's browser and execute any action on the device provided by the web management interface, which steals the credentials from the tools_admin.cgi file's response and displays them inside a Textfield.
ATTENTION‼ New - CVE-2017-8405
Read via "National Vulnerability Database".
An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. The binary rtspd in the /sbin folder of the device handles all the rtsp connections received by the device. It seems that the binary loads at address 0x00012CF4 a flag called "Authenticate" that indicates whether a user should be authenticated or not before allowing access to the video feed. By default, the value for this flag is zero and can be set/unset using the HTTP interface and network settings tab as shown below. The device requires that a user logging in to the HTTP management interface of the device provide a valid username and password. However, the device does not enforce the same restriction by default on the RTSP URL, due to the checkbox being unchecked by default, thereby allowing any attacker in possession of the external IP address of the camera to view the live video feed. The severity of this attack is enlarged by the fact that there are more than 100,000 D-Link devices out there.
ATTENTION‼ New - CVE-2017-11580
Read via "National Vulnerability Database".
Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory corruption that results in Denial of Service. When connected to the "Blip" open wireless connection provided by the device, if a large string is sent as a part of the HTTP request in any part of the HTTP headers, the device could become completely unresponsive. Presumably this happens as the memory footprint provided to this device is very small. According to the specs from Rezolt, the Wi-Fi module only has 256k of memory. As a result, an incorrect string copy operation using either memcpy, strcpy, or any of their other variants could result in filling up the memory space allocated to the function executing and this would result in memory corruption. To test the theory, one can modify the demo application provided by the Cypress WICED SDK and introduce an incorrect "memcpy" operation and use the compiled application on the evaluation board provided by Cypress Semiconductor with exactly the same Wi-Fi SOC. The results were identical where the device would completely stop responding to any of the ping or web requests.
ATTENTION‼ New - CVE-2017-11579
Read via "National Vulnerability Database".
In the most recent firmware for Blipcare, the device provides an open Wireless network called "Blip" for communicating with the device. The user connects to this open Wireless network and uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is in the vicinity of the Wireless signal generated by the Blipcare device to easily sniff the credentials. Also, an attacker can connect to the open wireless network "Blip" exposed by the device and modify the HTTP response presented to the user by the device to execute other attacks, such as convincing the user to download and execute a malicious binary that would infect a user's computer or mobile device with malware.
ATTENTION‼ New - CVE-2017-11578
Read via "National Vulnerability Database".
It was discovered as a part of the research on IoT devices in the most recent firmware for the Blipcare device that the device allows connecting to the web management interface over a non-SSL connection using the plain text HTTP protocol. The user uses the web management interface of the device to provide the user's Wi-Fi credentials so that the device can connect to it and have Internet access. This device acts as a Wireless Blood pressure monitor and is used to measure blood pressure levels of a person. This allows an attacker who is connected to the Blipcare device's wireless network to easily sniff these values using a MITM attack.
🔴 New MacOS Malware Discovered 🔴
Read via "Dark Reading".
A wave of new MacOS malware over the past month includes a zero-day exploit and other attack code.
Patch Android! July 2019 update fixes 9 critical flaws
Read via "Naked Security".
Depending on when users receive it, this week's Android July patch update will fix 33 security vulnerabilities, including 9 marked critical and 24 marked high.
Miami police body cam videos up for sale on the darkweb
Read via "Naked Security".
Videos from Miami Police Department body cams were leaked and stored in unprotected, internet-facing databases, then sold on the darkweb.
Georgia's court system hit by ransomware
Read via "Naked Security".
There's a hint that it might involve Ryuk ransomware. If so, it might be the fourth Ryuk attack against state and local agencies since May.
IoT vendor Orvibo gives away treasure trove of user and device data
Read via "Naked Security".
Researchers at web privacy review service vpnMentor discovered the data in an exposed ElasticSearch server online. It contains two billion items of log data from devices sold by Shenzhen, China-based smart IoT device manufacturer Orvibo.
🔴 TA505 Group Launches New Targeted Attacks 🔴
Read via "Dark Reading".
A Russian-speaking group has sent thousands of emails containing new malware to individuals working at financial institutions in the US, United Arab Emirates, and Singapore.
🔴 Black Hat Q&A: Understanding NSA's Quest to Open Source Ghidra 🔴
Read via "Dark Reading".
National Security Agency researcher Brian Knighton previews his October Black Hat USA talk on the evolution of Ghidra.
UK Sees Steep Jump in Cyber Attacks on Financial Services Firms
Read via "Subscriber Blog RSS Feed" (Digital Guardian).
According to a regulator, retail banks in the region took the biggest hit last year.
🔴 Disarming Employee Weaponization 🔴
Read via "Dark Reading".
Human vulnerability presents a real threat for organizations. But it's also a remarkable opportunity to turn employees into our strongest cyber warriors.
DevOps will fail unless security and developer teams communicate better
Read via "Security on TechRepublic".
DevOps initiatives have become important for 74% of organizations over the past year, but communication must improve for DevOps to be successful, according to Trend Micro.