Tag Archive for: Root

Known macOS Vulnerabilities Led Researcher to Root Out New Flaws


Sometimes all it takes to root out a new software vulnerability is to study and analyze previous bug reports. That’s how researcher Csaba Fitzl says he sniffed out some new Apple macOS vulnerabilities, one of which was a mirror image of a logic flaw that a group of researchers competing in the 2020 Pwn2Own contest found and executed there.

Fitzl, a content developer for Offensive Security, says he reread and studied the winning six-exploit chain that the researchers used to hack macOS. One of the exploits in that chain weaponized a privilege escalation bug, which Apple later fixed. But there still was a hole, and he found it: “Although Apple fixed it properly, but still there was an extra function … that basically opened up another vulnerability to be utilized a bit differently than the original one,” Fitzl explains.

The flaw Apple originally fixed allowed an attacker to change ownership of a directory in macOS. But Fitzl discovered that he could still create a new directory on the targeted system, which could allow an attacker to escalate their privileges on macOS. “Although you had to use different techniques to get through to the system, but because you could create an arbitrary directory anywhere on the system, you could elevate your privileges to root,” he says.

It was basically the same logic flaw but in a different piece of the code. Apple has since patched the vulnerability Fitzl found as well.

This week at Black Hat Singapore, Fitzl will share technical details of this and two other vulnerabilities he found while drilling down on previous macOS vulnerability research, in a session entitled “macOS Vulnerabilities Hiding in Plain Sight.”

Apple had not responded to a request for comment as of this posting.

‘Something Is Not Right’
Fitzl says he didn’t actually spot traces of the new flaws linked to previous research until after he reread the research papers. “At some point it hit me that there is something not right. It turned out that there is a vulnerability not like the one initially documented,” he explains of his findings. “That eventually led me to find or identify new vulnerabilities.”

The other two flaws he found include one that built upon research from Mickey Jin, who…


Microsoft Discovers Nimbuspwn Privilege Escalation Vulnerability on Linux Systems Granting Hackers Root Permissions


Microsoft discovered a privilege escalation vulnerability in Linux environments that could allow an attacker to take over computer systems.

The vulnerabilities collectively referred to as Nimbuspwn could be chained together to gain root privileges, allowing an attacker to create backdoors, deploy malicious payloads, and perform root code execution.

Microsoft says Nimbuspwn vulnerabilities could potentially be leveraged as a vector for ransomware deployment and other sophisticated threats, including nation-state cyber-espionage.

Nimbuspwn Linux privilege escalation vulnerability explained

The Microsoft 365 Defender research team began by listening to messages on the system bus, which led them to review the code of networkd-dispatcher.

They discovered information leaks via Directory Info Disclosure in Blueman and Directory Info Disclosure in PackageKit (CVE-2022-0987). Further probes led to the discovery of more issues in networkd-dispatcher, whose daemon runs at boot with root privileges.

A review of networkd-dispatcher code led to the discovery of directory traversal, symlink race, and time-of-check-time-of-use race conditions.

Microsoft says the networkd-dispatcher daemon used the “_run_hooks_for_state” method to discover and run scripts depending on the network state.

The method returns executable script files from the “/etc/networkd-dispatcher/.d” directory, which is owned by the root user and the root group. The daemon then runs each script using subprocess.Popen.

Vulnerabilities in the networkd-dispatcher components:

  • The use of symbolic links – Microsoft discovered that the subprocess.Popen follows symbolic links in the discovery and running of scripts in the base directory.
  • Directory traversal vulnerability (CVE-2022-29799) – Microsoft discovered that the control flow fails to sanitize the OperationalState and the AdministrativeState states. Since the states are responsible for creating the executable script paths, an attacker could escape the “/etc/networkd-dispatcher” directory using the “../../” directory traversal patterns.
  • Time-of-check-time-of-use race condition (CVE-2022-29800) – Microsoft discovered a time gap between the discovery and execution of the root…
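As an added illustration (not Microsoft’s or networkd-dispatcher’s own code), the Python sketch below shows how a root daemon can discover hook scripts without the three weaknesses listed above: an allowlist on the state name refuses the traversal pattern, O_NOFOLLOW plus fstat rejects symlinks and judges the object actually opened, and owner and mode checks reject scripts anyone else could edit. The <base>/<state>.d layout, the state-name pattern and the temp-dir sample hooks are assumptions made for this demo, which is written for Linux.

```python
import os
import re
import stat
import tempfile

# Assumption: networkd state names are plain lowercase words such as "routable".
STATE_RE = re.compile(r"^[a-z][a-z-]*$")

def hook_dir_for_state(base: str, state: str) -> str:
    """Build <base>/<state>.d only for an allowlisted state name; a value such as
    '../../tmp/evil' (the CVE-2022-29799 traversal pattern) is refused outright."""
    if not STATE_RE.fullmatch(state):
        raise ValueError(f"refusing unexpected state name {state!r}")
    return os.path.join(base, state + ".d")

def classify_hook(path: str, uid: int, gid: int) -> str:
    """O_NOFOLLOW refuses a symlink at the final component and fstat judges the
    object actually opened. A daemon should keep this fd and execute it rather
    than re-open the path later: that re-open is where the check/use gap lives."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        return "symlink-or-unreadable"
    st = os.fstat(fd)
    os.close(fd)
    if not stat.S_ISREG(st.st_mode):
        return "not-regular-file"
    if (st.st_uid, st.st_gid) != (uid, gid):
        return "wrong-owner"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group-or-world-writable"
    return "ok" if st.st_mode & stat.S_IXUSR else "not-executable"

def audit_state_dir(base: str, state: str, uid: int, gid: int) -> dict:
    """Verdict for every entry of the state's hook directory."""
    d = hook_dir_for_state(base, state)
    return {n: classify_hook(os.path.join(d, n), uid, gid) for n in sorted(os.listdir(d))}

def demo() -> dict:
    """Constructed layout in a temp dir (owned by the current user, not root):
    one sane hook, one world-writable hook, one symlink named like a hook."""
    base = tempfile.mkdtemp()
    os.mkdir(d := os.path.join(base, "routable.d"))
    for name, mode in (("10-good.sh", 0o700), ("20-loose.sh", 0o777)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho hook\n")
        os.chmod(p, mode)
    os.symlink("/tmp", os.path.join(d, "30-link.sh"))
    st = os.stat(os.path.join(d, "10-good.sh"))
    return audit_state_dir(base, "routable", st.st_uid, st.st_gid)
```

Running demo() flags the loose script and the symlink while accepting the sane hook; the same checks applied to a real hook directory need uid and gid set to 0.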


Researcher uses Dirty Pipe exploit to fully root a Pixel 6 Pro and Samsung S22



A researcher has successfully used the critical Dirty Pipe vulnerability in Linux to fully root two models of Android phones—a Pixel 6 Pro and Samsung S22—in a hack that demonstrates the power of exploiting the newly discovered OS flaw.

The researcher chose those two handset models for a good reason: They are two of the few—if not the only—devices known to run Android version 5.10.43, the only release of Google’s mobile OS that’s vulnerable to Dirty Pipe. Because the LPE, or local privilege escalation, vulnerability wasn’t introduced until the recently released version 5.8 of the Linux kernel, the universe of exploitable devices—whether mobile, Internet of Things, or servers and desktops—is relatively small.

Behold, a reverse shell with root privileges

But for devices that do package affected Linux kernel versions, Dirty Pipe offers hackers—both benign and malicious—a platform for bypassing normal security controls and gaining full root control. From there, a malicious app could surreptitiously steal authentication credentials, photos, files, messages, and other sensitive data. As I reported last week, Dirty Pipe is among the most serious Linux threats to be disclosed since 2016, the year another high-severity and easy-to-exploit Linux flaw named Dirty Cow came to light.

Android uses security mechanisms such as SELinux and sandboxing, which often make exploits hard, if not impossible. Despite the challenge, the successful Android root shows that Dirty Pipe is a viable attack vector against vulnerable devices.

“It’s exciting because most Linux kernel vulnerabilities are not going to be useful to exploit Android,” Valentina Palmiotti, lead security researcher at security firm Grapl, said in an interview. The exploit “is notable because there have only been a few public Android LPEs in recent years (compare that to iOS where there have been so many). Though because it only works on 5.8 kernels and up, it’s limited to the two devices we saw in the demo.”

In a video demonstration published on Twitter, a security researcher who asked to be identified…


Companies Face Issues as Let’s Encrypt Root Certificate Expires


Many websites experienced issues this week following the expiration of a root certificate provided by Let’s Encrypt, a free and open certificate authority (CA) used by millions of sites.

Let’s Encrypt, which is part of the nonprofit Internet Security Research Group (ISRG), is a massive provider of HTTPS certificates: Last February, it issued its billionth certificate and announced it was serving nearly 192 million websites.

The expiry of IdenTrust DST Root CA X3 happened on Sept. 30; after this, computers, devices, and clients like Web browsers will no longer trust certificates that have been issued by this CA.

“If the root certificate that your certificate chain anchors on is expired then there’s a good chance it’s going to cause things to fail,” writes Scott Helme, founder of Security Header, in a Sept. 20 blog post warning of the issue. This happened last May, he added, when the AddTrust External CA Root expired and caused problems for Roku, Stripe, and other organizations.

“Given the relative size difference between Let’s Encrypt and AddTrust, I have a feeling that the IdenTrust root expiry has the potential to cause more problems,” Helme says.

In most circumstances, a root CA expiration wouldn’t generate a lot of conversation because the transition from an old root certificate to a new one is “completely transparent,” Helme writes. This expiry is causing problems because some clients aren’t regularly updated, and in that case the new root replacing the old one is never downloaded onto the device.

In his blog post, he lists clients that will break after the IdenTrust DST Root CA X3 expires. These include versions of macOS older than 10.12.1, Windows versions older than XP Service Pack 3, iOS versions older than iOS 10, OpenSSL versions less than and including 1.0.2, and Firefox versions older than 50.

Helme told ZDNet that he had confirmed Palo Alto, Bluecoat, Cisco Umbrella, Google Cloud Monitoring, Auth0, Shopify, QuickBooks, and Fortinet were among the organizations experiencing issues following the expiration. In a tweet, Let’s Encrypt advises those experiencing errors to check out the fixes in its community forum. It also notes…
