A new vulnerability in many websites, Oracle’s Outside In Technology, Turned Inside-Out & the value of a hacked company.

Plus your questions, our answers, a really great round up & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

New vulnerability in many websites: HTTPoxy

• Background #1: The CGI (Common Gateway Interface) Specification defines the standard way that web servers run backend applications to dynamically generate websites
• CGI can be used to run Perl, PHP, Python, Ruby, Go, C, and any other language
• To provide access to information about the original request from the user, the web server sets a number of environment variables to represent the HTTP headers that were sent with the request
• To avoid conflicting with any existing environment variables, the headers are prefixed with HTTP_
• So, when you pass the the Accept-Encoding header, to indicate your browser supports receiving compressed data, the environment variable HTTP_ACCEPT_ENCODING gets set to the contents of that header
• This allows your application to know what compression algorithms are supported
• Background #2: Most tools support accessing the Internet via a proxy, and in UNIX, this is usually configured by setting an environment variable, which happens to be named: HTTP_PROXY
• “httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:”
  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
• “This leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.”
• “What can happen if my web application is vulnerable? If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:”
  • Proxy the outgoing HTTP requests made by the web application
• Direct the server to open outgoing connections to an address and port of their choosing
• Tie up server resources by forcing the vulnerable software to use a malicious proxy
• “httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.”
• So, I can send a header that will cause your application to make all of its connections, even to things like your backend API, via a proxy that I control. This could allow me to get access to passwords and other data that you thought would only ever be transmitted over your internal network.
• Timeline:
• March 2001: The issue is discovered in libwww-perl and fixed. Reported by Randal L. Schwartz
• April 2001: The issue is discovered in curl, and fixed there too (albeit probably not for Windows). Reported by Cris Bailiff.
• July 2012: In implementing HTTP_PROXY for Net::HTTP, the Ruby team notice and avoid the potential issue. Nice work Akira Tanaka!
• November 2013: The issue is mentioned on the NGINX mailing list. The user humbly points out the issue: “unless I’m missing something, which is very possible”. No, Jonathan Matthews, you were exactly right!
• February 2015: The issue is mentioned on the Apache httpd-dev mailing list. Spotted by Stefan Fritsch.
• July 2016: Scott Geary, an engineer at Vend, found an instance of the bug in the wild. The Vend security team found the vulnerability was still exploitable in PHP, and present in many modern languages and libraries. We started to disclose to security response teams.
• So this issue was found and dealt with in Perl and cURL in 2001, but, not widely advertised enough to make people aware that it could also impact every other CGI application and language
• Luckily, you can solve it fairly easily, the site provides instructions for fixing most popular web servers, including NGINX, Apache. Varnish, Relayd, HAProxy, lighttpd, Microsoft IIS, and others
• The fix is simple, remove or blank out the ‘Proxy’ header before it is sent to the application. Since this is a non-standard header, and should never be used, it is safe to just delete the header
• Other Mitigations: Firewall the web server so it can not make outgoing requests, or use HTTPS for all internal requests, so they cannot be snooped upon.

Oracle’s Outside In Technology, Turned Inside-Out

• From Oracle’s Outside In Technology, Turned Inside-Out Site: “Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats.”
• In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle.
• The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in these findings, is severe because so many third-party products use Oracle’s OIT to parse and transform files.

A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle’s Outside In SDK includes:

• Avira AntiVir for Exchange – antivirus protection for Microsoft Exchange * IBM WebSphere Portal – provides enterprise web portals
• Google Search Appliance – search all content in an enterprise through a single search box
• Guidance Encase – forensic investigation software
• Microsoft Exchange – enterprise email and productivity software
• Novell Groupwise – a collaboration tool for large enterprise
• Raytheon SureView – software designed for enterprise visibility and user activity monitoring

• Veritas (Symantec) Enterprise Vault – a program for information governance through archiving

• Talos has not confirmed that each of the third-party products listed above are affected. We have, however, confirmed that some are running vulnerable OIT-related code. For example, if WebReady Document Viewing is enabled for Microsoft Exchange 2013 (& earlier), an attacker could exploit these vulnerabilities by sending a malicious email attachment to a victim who then opens the email using web preview.

• Further, if Data Loss Prevention is enabled, the vulnerability can be triggered simply by sending an email with a malicious attachment outbound from the affected Exchange server. If Avira AntiVir for Exchange (v12.0.2775.0 & earlier) is in place, just sending or receiving a malicious email is sufficient, since this program will scan all inbound and outbound email. Additionally, multiple OIT vulnerabilities could conceivably be exploited in a chained fashion for a more effective approach.

  • PDF /Size Integer Overflow
  • TIFF ExtraSamples Code Execution
  • TIFF Photometric Interpretation Code Execution
  • GIF ImageWidth Code Execution
  • Gem_Text Code Execution
  • PSI Image File Code Execution
  • Word DggInfo Code Execution
  • Mac Works Database VwStreamSection Code Execution
  • Mac Word ContentAccess libvs_word+63AC Code Execution
  • BMP Heap Buffer Overflow & Code Execution
  • Mac Works VwStreamReadRecord Memory Corruption
  • PDF /Kids Information Leakage
  • PDF NULL Pointer Dereference Denial of Service
  • PDF Recursion Stack Overflow Denial of Service
  • PDF /FlateDecode /Colors Denial of Service
  • PDF /Type /Xref Denial of Service
  • PDF Xref Offset Denial of Service
  • Mac Word ContentAccess libvs_word Denial of Service

• Over, and over again we see problems that arise from software using untrusted data as input without proper and necessary validation of that data, and because not all software developers are experts in the multitude of file formats in existence they are forced to rely on SDKs such as Oracle’s OIT.

• However, the unfortunate reality is that vulnerabilities that are found in an SDK that is utilized by third-parties will take additional time to patch: First the organization that maintains the SDK issues a fix, and some amount of time later, third-parties that utilize the SDK provide an update to their customers including these fixes.
• This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products.
• In related news: TALOS also found a similar vulnerability in Apple’s OS X
• Additional Coverage
• In other news: Oracle has released its Critical Patch Update for July 2016 to address 276 vulnerabilities across multiple products
• Includes 4 Java vulnerabilities with CVSS scores of 9.6 out of 10

Krebs: The value of a hacked company

• Based on his previous infographic, the value of a hacked email address, this new post covers the value of a hacked company
• “Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.”
• “If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.”
• There is a lot of value that an attack can extract from a hacked company:
  • Intellectual Property, like trade secrets, plans, or even just a list of customers
  • Physical Property: Desktops, backups, telecom equipment, access to VOIP infrastructure
  • Partners: Access to other companies that the hacked company deals with, weather it be for the sake of Phishing those companies, accessing their bank details, or spreading the compromise to their network
  • HR Data: Information about employees, for tax fraud, insurance fraud, identity theft, or as further targeting data for future attacks
  • Financials: Draining the company bank account, company credit card details, customer credit card details, employee bank account details (payroll), sensitive financial data
  • Virtual Property: Access to cloud services, websites (watering hole attacks), software licenses, encryption keys, etc.
• “This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.”
• “In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.”
• “These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.”
• “It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce.”
• “Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.”

Feedback:

• ZFS Fillin Up

• InfiniBand

• IPSEC VPN server & OS options

Mention: Networking for Information Security/Penetration Testing

Round Up:

• Feds Seize KickassTorrents Domains, Arrest Alleged Owner
• How to many money by abusing 2 Factor Auth — Have Google, Instagram, etc, call your premium rate (900) number to verify your 1000s of accounts
• Apple Has Its Own Stagefright Vulnerability
• PostgreSQL EnterpriseDB first open source database to pass Defense Information Systems Agency (DISA) testing, and publish a Security Technical Implementation Guide (STIG)
• Skype is Transitioning to a More Modern, Mobile-Friendly Architecture
• Microsoft killing off last bits of p2p in skype, and all old clients, in favour of new cloud-server backed infrastructure
• Seagate launches its new line of 10TB Helium drives: BarraCuda (Desktop HDD), FireCuda (Desktop SSHD), BarraCuda Pro (5 year Warrenty), IronWolf (NAS), and SkyHawk (Surveillance).
• Stack Exchange Outage Postmortem – July 20, 2016
• Engineer gets tired of waiting for Telcos, wires up his whole town
• Microsoft ordered to fix ‘excessively intrusive, insecure’ Windows 10
• France’s National Data Protection Commission (CNIL) has ordered Microsoft to “stop collecting excessive data and tracking browsing by users without consent”
• How (and why) FreeDOS keeps DOS alive
• Verizon to disconnect unlimited data customers who use over 100GB/month
• BT Outage the fault of Data Center and Exchange operator Equanix
• Mitsubishi Outlander Flaw Opens Door to Thieves—Literally – Infosecurity Magazine
• The Ubuntu forums have been hacked, IP address, username, and email address of over two million users have been compromised