Archive for the ‘Vulnerabilities’ Category

Microsoft has warned about a zero-day vulnerability in Microsoft Word, discovered by the Google security team, that is being actively exploited in targeted attacks. At this time the limited, targeted attacks are directed at Microsoft Word 2010. According to Microsoft’s security advisory, Microsoft Word is vulnerable to a remote code execution vulnerability (CVE-2014-1761) that can be exploited through a specially crafted Rich Text Format (RTF) file.

An attacker can infect the victim’s system with malware if the user opens a malicious Rich Text Format (RTF) file, or merely previews the message in Microsoft Outlook. The issue occurs when Microsoft Word parses specially crafted RTF-formatted data, corrupting system memory in such a way that an attacker could execute arbitrary code. Microsoft acknowledged that the remote code execution flaw also exists in Microsoft Word 2003, 2007 and 2013, Word Viewer and Office for Mac 2011. Microsoft is working on an official patch, which will be released with the next Patch Tuesday security updates on April 8. In the meantime, Windows users can apply the temporary ‘Fix It’ tool to address this vulnerability, and can also install the Enhanced Mitigation Experience Toolkit (EMET), which can mitigate it.

Do not download .RTF files from suspicious websites, and do not open or preview .RTF email attachments from strangers.



Today almost all household and commercial environments are equipped with Wi-Fi networks. The heart of such a network is the wireless access point; in households and small commercial environments, wireless routers play a larger role than dedicated wireless access points. The bootstrap programs and instructions of these devices are stored in a special type of memory known as ”firmware”. Recently researchers found malware in the wild that targets the firmware of Linksys wireless routers and can replicate to similar devices by itself. It does this by exploiting authentication bypass and code-execution vulnerabilities in the Linksys wireless routers. The malware, named ‘THE MOON’, scans for other vulnerable devices in order to spread from router to router, and researchers confirmed that the worm has already infected around 1,000 Linksys E1000, E1200 and E2400 routers.

To compromise a router, the malware remotely calls the Home Network Administration Protocol (HNAP), which allows identification, configuration and management of networking devices. The malware first requests the model and firmware version of the router via HNAP and, if the device is found to be vulnerable, it sends a CGI script exploit to gain local command execution on the device. Linksys’s parent company has confirmed that the HNAP implementation has a security flaw whose exploit code is publicly available on the Internet.

‘To what extent this worm can be dangerous’ is still an open question.

You can use the following command to check whether your device is vulnerable (replace routerip with your router’s address; the -e flag is needed where echo does not interpret \r\n by default):

echo [-e] "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

If you receive an XML HNAP reply, your device is likely exposed to the worm affecting Linksys devices and preventive measures should be taken. Also keep an eye on the logs for ports 80 and 8080. Users are advised to disable remote administration on their device, or to restrict administration to a limited number of trusted IP addresses.
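As an added example (not from the THN or SANS posts), the log check above can be automated: the script below scans constructed access-log lines in Apache-style common log format with the server port appended, which is assumed here to be what the router’s web interface on ports 80 and 8080 writes, and flags HNAP requests plus any administration request arriving from an address outside a trusted list.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed log format (constructed for this example): common log format plus server port, e.g.
#   203.0.113.7 - - [13/Feb/2014:10:01:22 +0000] "GET /HNAP1/ HTTP/1.1" 200 1532 8080
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<port>\d+)$'
)

# Administration traffic is only expected from these networks (constructed values).
TRUSTED_NETS = [ip_network("192.168.1.0/24")]

def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def scan_log(lines):
    """Return a list of (ip, path, port, reason) alerts for suspicious requests."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("port") not in ("80", "8080"):
            continue
        ip, path, port = m.group("ip"), m.group("path"), m.group("port")
        # HNAP is the worm's first contact: it asks the router for its model and
        # firmware version before deciding whether to send the CGI exploit.
        if path.upper().startswith("/HNAP1/"):
            alerts.append((ip, path, port, "HNAP request"))
        # The recommended mitigation is to allow administration only from trusted
        # addresses, so anything reaching the admin interface from elsewhere is flagged.
        elif not is_trusted(ip):
            alerts.append((ip, path, port, "admin interface access from untrusted IP"))
    return alerts

# Constructed sample log lines for demonstration (paths and addresses are made up)
SAMPLE_LOG = [
    '192.168.1.20 - - [13/Feb/2014:09:58:01 +0000] "GET /index.asp HTTP/1.1" 200 4120 80',
    '203.0.113.7 - - [13/Feb/2014:10:01:22 +0000] "GET /HNAP1/ HTTP/1.1" 200 1532 8080',
    '203.0.113.7 - - [13/Feb/2014:10:01:23 +0000] "POST /admin.cgi HTTP/1.1" 200 210 8080',
    '198.51.100.9 - - [13/Feb/2014:10:05:00 +0000] "GET /Management.asp HTTP/1.1" 401 0 80',
    'not a log line at all',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```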

Source : THN, SANS

The discovery was announced just a few days after Microsoft revealed CVE-2013-3906, a zero-day vulnerability in the Microsoft graphics component that is actively exploited in targeted attacks using crafted Word documents sent by email.

The Microsoft graphics component zero-day vulnerability allows attackers to install malware via infected Word documents and targets Microsoft Office users running Windows Vista and Windows Server 2008.

The recently reported Internet Explorer zero-day vulnerability detected by FireEye affects the English versions of IE 7 and 8 on Windows XP and IE 8 on Windows 7, but according to the experts it can easily be adapted to other languages.

FireEye confirmed that the recently detected exploit leverages a new information leakage vulnerability together with an IE out-of-bounds memory access vulnerability to achieve code execution; the attackers use the timestamp from the PE headers of msvcrt.dll to select the proper exploit.

“The information leak uses a very interesting vulnerability to retrieve the timestamp from the PE headers of msvcrt.dll. The timestamp is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll,” explained researchers Xiaobo Chen and Dan Caselden in the post published by FireEye.

The analysis conducted by the FireEye research team revealed that this IE zero-day affects IE 7, 8, 9 and 10 and, as with CVE-2013-3906, it can be mitigated by EMET according to Microsoft’s feedback.

The shellcode is particularly interesting: the exploit implements a multi-stage payload that, upon successful exploitation, launches rundll32.exe (with CreateProcess), then injects and executes its second stage (with OpenProcess, VirtualAlloc, WriteProcessMemory and CreateRemoteThread). The second stage downloads an executable and runs it from disk.


Microsoft has warned that a vulnerability in the Windows Phone operating system could allow hackers to access your login credentials.

The vulnerability resides in a Wi-Fi authentication scheme known as PEAP-MS-CHAPv2, which Windows Phones use to access wireless networks protected by version 2 of the Wi-Fi Protected Access protocol.

Cryptographic weaknesses in the technology can allow attackers to gain access to users’ encrypted domain credentials. These credentials could potentially give the attackers access to sensitive corporate networks.

The advisory says:

To exploit this issue, an attacker controlled system could pose as a known Wi-Fi access point, causing the targeted device to automatically attempt to authenticate with the access point, and in turn allowing the attacker to intercept the victim’s encrypted domain credentials. An attacker could then exploit cryptographic weaknesses in the PEAP-MS-CHAPv2 protocol to obtain the victim’s domain credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource.

Microsoft does not intend to patch this vulnerability. To date, Microsoft has not received any reports of this vulnerability being used to steal corporate data or passwords or to breach a network. Rather, it simply advises Windows Phone users to require a certificate before joining wireless networks, and includes instructions for enforcing this in the phone settings.

Source : THN

Microsoft has announced Patch Tuesday for this July, with seven bulletins: one important kernel privilege escalation flaw and six critical remote code execution vulnerabilities.
The patches will address vulnerabilities in Microsoft Windows, .NET Framework and Silverlight, and will apply to all versions of Internet Explorer from IE6 on Windows XP to IE10 on Windows 8.

Often targeted by attackers to perform drive-by malware download attacks, remote code execution flaws allow an attacker to crash an application and launch malware payloads, often without any notification or interaction from the user.

The Windows 8 maker is also patching a kernel vulnerability disclosed at the beginning of June by Google researcher Tavis Ormandy. The issue lies in the Windows kernel’s EPATHOBJ::pprFlattenRec function (CVE-2013-3660); after Ormandy released the exploit code, a Metasploit module was developed to exploit the bug.

The Q-CERT team found a critical vulnerability that allows an attacker to bypass two-factor authentication in the popular file sharing service Dropbox.

Two-factor authentication is an extra layer of security, also known as “multi-factor authentication”, that requires not only a username and password but also a unique code that only the user can receive via SMS or call. If an attacker already knows the username and password of a victim’s Dropbox account that is protected by two-factor authentication, it is still possible to access that Dropbox account using the technique explained below.

Dropbox does not verify the authenticity of the email addresses used to sign up for a new account, so to exploit this flaw the attacker only needs to create a new fake account resembling the target’s account, appending a dot (.) anywhere in the email address.

In the next step, enable two-factor authentication for the fake account and save the emergency code generated at the end of the process. This emergency code feature is provided in case the user loses their phone; using this backup code the user can disable two-factor authentication on their account.

Next, log out of the fake account and log into the victim’s account using the real credentials (which the attacker already holds, obtained through a keylogger or phishing). Because two-factor authentication is enabled on the victim’s account, the website will ask for the OTP code. Instead of entering it, choose “I Lost My Phone” on the same screen. You will be prompted for the “Emergency Code”, which can disable two-factor authentication.

That’s it! The emergency code generated for the fake account disables two-factor authentication on the victim’s account and gives full access.
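As an added illustration (not Dropbox’s code), the following models the logic the steps above imply: the account store accepts two sign-ups whose addresses differ only by a dot, and the flawed emergency-code check is assumed to match codes by dot-insensitive email rather than by the logged-in account, while the hardened version checks the code only against the account that was just authenticated. All account data and codes are constructed.

```python
import hmac
import secrets
# Constructed account store: account_id -> record; look-alike addresses are accepted as new accounts.
ACCOUNTS = {}

def normalize(email):
    """Dot-insensitive email form, assumed here to be what the flawed lookup keyed on."""
    local, _, domain = email.lower().partition("@")
    return local.replace(".", "") + "@" + domain

def sign_up(account_id, email):
    ACCOUNTS[account_id] = {"email": email, "twofa": False, "emergency_code": None}

def enable_2fa(account_id):
    """Turn on 2FA and issue the emergency (backup) code shown at the end of setup."""
    code = secrets.token_hex(8)
    ACCOUNTS[account_id].update(twofa=True, emergency_code=code)
    return code

def lost_phone_vulnerable(logged_in_id, code):
    """Flawed check: consults every account with the same dot-insensitive email."""
    target = normalize(ACCOUNTS[logged_in_id]["email"])
    for rec in ACCOUNTS.values():
        if (normalize(rec["email"]) == target and rec["emergency_code"] is not None
                and hmac.compare_digest(rec["emergency_code"], code)):
            ACCOUNTS[logged_in_id]["twofa"] = False
            return True
    return False

def lost_phone_fixed(logged_in_id, code):
    """Hardened check: code bound to the authenticated account, constant-time compare, single use."""
    rec = ACCOUNTS[logged_in_id]
    if rec["emergency_code"] is None or not hmac.compare_digest(rec["emergency_code"], code):
        return False
    rec["twofa"] = False
    rec["emergency_code"] = None
    return True

def demo():
    """Replay the post's scenario; returns (vulnerable_result, fixed_result)."""
    ACCOUNTS.clear()
    sign_up("victim", "alice@example.com")      # constructed victim account
    sign_up("attacker", "a.lice@example.com")   # look-alike, differs only by a dot
    enable_2fa("victim")
    attacker_code = enable_2fa("attacker")      # saved at the end of the fake account's setup
    vulnerable = lost_phone_vulnerable("victim", attacker_code)
    ACCOUNTS["victim"]["twofa"] = True          # reset before trying the hardened check
    fixed = lost_phone_fixed("victim", attacker_code)
    return vulnerable, fixed
```

With the flawed lookup the look-alike account’s code switches off the victim’s second factor; with the hardened check it is rejected and only the victim’s own code, once, succeeds.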

Researchers say they have found a cryptographic flaw that could allow almost any Android phone to be hijacked.

The undisclosed vulnerabilities allow attackers to silently turn legitimate applications malicious by modifying the APK code without breaking the app’s cryptographic signature.

Attackers could exploit the flaw to gain full access to an Android device allowing data theft, access to enterprise networks, or the ability to form a botnet from mobile devices.

Baseband modified


“The [trojan] application then not only has the ability to read arbitrary application data on the device, retrieve all stored account and service passwords, [but] can essentially take over the normal functioning of the phone and control any function thereof,” BlueBox chief technology officer Jeff Forristal said.

“Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving [and] therefore hard-to-detect nature of these zombie mobile devices to create a botnet.”

Most at risk were devices running applications such as Cisco’s AnyConnect VPN, which device manufacturers had granted special privileges like access to the System UID.

The bug could affect any Android phone released in the last four years, or running firmware above version 1.6 (Donut), Forristal said, declaring 99 percent of devices vulnerable. Google has activated 900 million phones to date.

Forristal said discrepancies in how Android applications were cryptographically verified and installed meant APK code could be modified without breaking the cryptographic signature that checked the legitimacy of Android apps.

“This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been,” Forristal said.

BlueBox reported the bug to Google in February, but it would be left to device manufacturers to push out firmware updates, something they are notoriously lax about.

He said enterprises should force users to update phones connected to the corporate network and should focus on deep device integrity checking. Individual users should be “extra cautious” in identifying app publishers.
