Tuesday, December 5, 2017

Flux capacitors charged and back to the future Telspace goes. BSides Cape Town 2017

This past weekend (2 December 2017) a few of our Telspace team members traveled to the annual BSides Cape Town conference.  This year the con was inspired by the classic movie “Back to the Future”.  Kicking off the con was the pre-party Friday evening at the Cape Town Science Centre. 

This was the perfect venue not only to compliment the theme but to also tickle the fancy of all us geeks and nerds attending.  After welcome drinks and exploring the Science Centre with all of its fantastic scientific illustrations it was time for a movie. You guessed it, we watched “Back to the Future”.  And so, we ended off Friday evening.  
From left to right: Charlie Smith, Cobus Mentz, Kenny Matima and Frank Allenby

From left to right: Charlie Smith, Cobus Mentz, Kenny Matima and Frank Allenby

Finally!!!  D-day, the con starts.  Up early Saturday morning we headed off to Observatory.  Full of excitement we got our SWAG-on and headed off to the talks but first, coffee.  This was clearly a mutual feeling as everyone was standing in line to get their cuppa for the morning.  

The con was packed with great talks, loads of challenges such as the CTF, lock picking and a bunch more.  Frank from our team did a great talk on Data Huffing and ways in which we can use data breaches to aid with pentests and information security in general. 


Telspace - Hackers for hire

The CTF from Nclose was also great fun with Charlie and Frank being the only 2 participants (out of about 15) to successfully capture the flag.  Charlie was the overall winner because, through his years of experience breaking Web Apps, he generated the least number of alerts. He actually found a path that not even the CTF creators knew about, he truly hacked the CTF!


Telspace - Hackers for hire


As Telspace regularly does we once again chose a charity to contribute to.  This time around we chose the South African Depression and Anxiety Group (@TheSADAG).  They do fantastic and much-needed work and we are proud to be associated with them.   To spread awareness, we asked delegates to track down our team members, take a selfie with them and post it to Twitter.  As a thanks to the participants, we gave them a special limited edition 15 Year Anniversary Telspace shirt.  Selfies can be found on Twitter by searching for @telspacesystems or #BSidesCPT17. 

Telspace - Hackers for hire

In conclusion, BSides Cape Town 2017 was a huge success and it is great to see how the information security community within South Africa is growing not only in numbers but with the quality of research as well. 

To summarise, the highlights were:
  • Awesome talks
  • CTF Victors 
  • Selfies for charity
  • Great Conference

Wednesday, October 11, 2017

Telspace Systems Security Advisory (TSA-2017-005)

Telspace Systems Security Advisory

TSA-2017-005: Internet Explorer Information Disclosure Vulnerability

CVE number
CVE-2017-11790

Summary
An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploits the vulnerability could obtain information to further compromise the user’s system 

Vendor
Microsoft

Product
Internet Explorer

Version
11.0.15063.540

Vendor URL

Details and crash information
iertutil!CreateUriPriv+0x43:
00007ff8`001be203 66391479 cmp word ptr [rcx+rdi*2],dx ds:0000012f`76037000=????


Vendor response
The vendor has patched the vulnerability and released a new version 

Disclosure Timeline
02-08-2017 – Initial Discovery
14-09-2017 – Vendor Notification
10-10-2017 – Vendor Patch
11-10-2017 – Public Disclosure


Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Monday, September 18, 2017

Telspace Systems Security Advisory (TSA-2017-004)

Telspace Systems Security Advisory

TSA-2017-004: WPS Office Writer out of bounds read vulnerability

CVE number
CVE-2017-12916

Summary
A remote vulnerability exists in the .doc parsing functionality of WPS Writer. A specially crafted .doc file can cause an out of bounds read vulnerability resulting in potential information leak or denial of service. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS Writer

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is docreader.dll which causes a crash at a dr_CreateSource function:

(7f8.1c0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=0a9fab15 edx=0bcc03f0 esi=0aa26ad8 edi=019fab15
eip=6bb76604 esp=0019ea24 ebp=0019ea6c iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
docreader!dr_CreateSource3Ex+0x1cff:
6bb76604 0fb607          movzx   eax,byte ptr [edi]         ds:002b:019fab15=??

Vendor response
The vendor has patched the vulnerability and released a new version 10.2.0.5934

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
xx-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Monday, September 11, 2017

Telspace Systems Security Advisory (TSA-2017-003)


Telspace Systems Security Advisory

TSA-2017-003: WPS Office Spreadsheet out of bounds read vulnerability

CVE number
CVE-2017-12918

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an out of bounds read vulnerability resulting in potential information leak or code execution. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component causes a crash at a memcpy function:

(1ddc.1fd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\MSVCR100.dll -
(1ddc.1fd0): Access violation - code c0000005 (!!! second chance !!!)
eax=07862b89 ebx=07b500b4 ecx=000066e3 edx=00000000 esi=07848ffd edi=07b52aa4
eip=6f1d1ed7 esp=047df7ec ebp=047df7f4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202

MSVCR100!memcpy+0x57:
6f1d1ed7 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

Vendor response
The vendor has patched the vulnerability and released a new version - 10.2.0.5934

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
05-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Wednesday, September 6, 2017

Telspace Systems Security Advisory (TSA-2017-002)


Telspace Systems Security Advisory

TSA-2017-002: WPS Office Spreadsheet invalid pointer read vulnerability

CVE number
CVE-2017-12915

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an invalid pointer read vulnerability resulting in a potential information leak or a denial of service. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is excelrw.dll library in this function :
excelrw!chart::KETSeriesDataSourceProvider::chartTypeEx


(1e14.560): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\excelrw.dll -

eax=0439f78c ebx=9d953784 ecx=9d953784 edx=07f86948 esi=9d953784 edi=06012490

eip=6b8772bd esp=0439f774 ebp=0439f798 iopl=0 nv up ei pl nz na pe nc

cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206


excelrw!chart::KETSeriesDataSourceProvider::chartTypeEx+0x461fd:

6b8772bd 8b7e4a mov edi,dword ptr [esi+4Ah] ds:002b:9d9537ce=????????

Vendor response
The vendor has patched the vulnerability and released a new version - 10.2.0.5934

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
05-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Monday, September 4, 2017

Telspace Systems Security Advisory (TSA-2017-001)


Telspace Systems Security Advisory


TSA-2017-001: WPS Office Spreadsheet invalid pointer write vulnerability

CVE number
CVE-2017-12914

Summary
A remote vulnerability exists in the .xls parsing functionality of WPS Spreadsheet. A specially crafted .xls file can cause an invalid pointer write vulnerability resulting in potential denial of service. User interaction is required to trigger this vulnerability.

Vendor
Kingsoft

Product
WPS spreadsheet

Versions
10.2.0.5908

Vendor URL
https://www.wps.com

Details and crash information
The affected component is etmain.dll library in this function : etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03

(1154.13d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\User-Pc\AppData\Local\Kingsoft\WPS Office\10.2.0.5908\office6\etmain.dll -
eax=00000000 ebx=06142550 ecx=08255c78 edx=00000000 esi=08255c78 edi=00000000
eip=6701cb50 esp=08f7fc14 ebp=08f7fc1c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246

etmain!EtCommentRevisionShape::InitCmtRevShape+0xd9c03:
6701cb50 ff40fc inc dword ptr [eax-4] ds:002b:fffffffc=????????

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at etmain!EtCommentRevisionShape::InitCmtRevShape+0x00000000000d9c03 (Hash=0x88e5e0e0.0x02d402a9)

Vendor response
The vendor has patched the vulnerability and released a new version - 10.2.0.5934

Disclosure Timeline
09-08-2017 – Initial Discovery
18-08-2017 – Vendor Notification
29-08-2017 – Vendor Patch
04-09-2017 – Public Disclosure

Credit
This vulnerability was discovered by Dmitri Kaslov of Telspace Systems

Monday, February 13, 2017

Who is tracking you online - January 2017

January 2017 was an exciting month for Telspace Systems. A segment titled "Who is tracking you online" was aired by Carte Blanche on the 15th of January. The insightfull piece of investigative journalism took a look at how and why we are being tracked online and what we can do about it. Dino Covotsos and Rob Len took part in the panel discussion while Richard Hocking and Rhet Evans did a live demo compromising an Android smart phone, showcasing how much control an attacker can assume over ones mobile phone. This included GPS tracking, making calls from the device as well as using the device's microphone to eavesdrop on the victims conversations and surroundings. The full clip can be watched here "http://carteblanche.dstv.com/tracking-2/"

January 2017 was a busy month on the cyber security front too. Various patches were released by major vendors in response to the discovery of critical vulnerabilities.

Microsoft released the following:

MS17-001 - Security Update for Microsoft Edge (3214288)
This security update resolves a vulnerability in Microsoft Edge. This vulnerability could allow an elevation of privilege if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited this vulnerability could gain elevated permissions on the namespace directory of a vulnerable system and gain elevated privileges
Result:Elevation of Privilege

MS17-002 - Security Update for Microsoft Office (3214291)
This security update resolves a vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Result: Remote Code Execution

MS17-003 - Security Update for Adobe Flash Player (3214628)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.
Result: Remote Code Execution

MS17-004 - Security Update for Local Security Authority Subsystem Service (3216771)
A denial of service vulnerability exists in the way the Local Security Authority Subsystem Service (LSASS) handles authentication requests. An attacker who successfully exploited the vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests.
Result: Denial of Service

Cisco released news that a WebEx Browser Extension Remote Code Execution was discovered. The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system.
The vulnerability is due to a design defect in an API response parser within the plugin. An attacker that can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability.  If successful, the attacker could execute arbitrary code with the privileges of the affected browser.

Cisco has released software updates for Google Chrome, Firefox, and Internet Explorer that address this vulnerability. There are no workarounds that address this vulnerability.

Adobe has released security updates for Adobe Acrobat and Reader for Windows and Mac. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

The following versions are affected:
Acrobat DC - 15.020.20042 and earlier versions Windows and Mac
Acrobat Reader DC - 15.020.20042 and earlier versions Windows and Mac
Acrobat DC - 15.006.30244 and earlier versions Windows and Mac
Acrobat Reader DC - 15.006.30244 and earlier versions Windows and Mac
Acrobat XI - 11.0.18 and earlier versions Windows and Mac
Reader XI - 11.0.18 and earlier versions Windows and Mac