Cisco Threat Research Blog
Threat intelligence for Cisco Products
We detect, analyze, and protect customers from both known and unknown emerging threats
Vulnerability Spotlight: Pidgin Vulnerabilities
These vulnerabilities were discovered by Yves Younan.
Pidgin is a universal chat client that is used on millions of systems worldwide. The Pidgin chat client enables you to communicate on multiple chat networks simultaneously. Talos has identified multiple vulnerabilities in the way Pidgin handles the MXit protocol. These vulnerabilities fall into the following four categories.
- Information Leakage
- Denial Of Service
- Directory Traversal
- Buffer Overflow
The following vulnerabilities were identified (listed numerically by CVE):
- CVE-2016-2365 – Pidgin MXIT Markup Command Denial of Service Vulnerability
- CVE-2016-2366 – Pidgin MXIT Table Command Denial of Service Vulnerability
- CVE-2016-2367 – Pidgin MXIT Avatar Length Memory Disclosure Vulnerability
- CVE-2016-2368 – Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerability
- CVE-2016-2369 – Pidgin MXIT CP SOCK REC TERM Denial of Service Vulnerability
- CVE-2016-2370 – Pidgin MXIT Custom Resource Denial of Service Vulnerability
- CVE-2016-2371 – Pidgin MXIT Extended Profiles Code Execution Vulnerability
- CVE-2016-2372 – Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability
- CVE-2016-2373 – Pidgin MXIT Contact Mood Denial of Service Vulnerability
- CVE-2016-2374 – Pidgin MXIT MultiMX Message Code Execution Vulnerability
- CVE-2016-2375 – Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability
- CVE-2016-2376 – Pidgin MXIT read stage 0x3 Code Execution Vulnerability
- CVE-2016-2377 – Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability
- CVE-2016-2378 – Pidgin MXIT get_utf8_string Code Execution Vulnerability
- CVE-2016-2380 – Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability
- CVE-2016-4323 – Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability
The Poisoned Archives
libarchive is an open-source library that provides access to a variety of different file archive formats, and it’s used just about everywhere. Cisco Talos has recently worked with the maintainers of libarchive to patch three rather severe bugs in the library. Because of the number of products that include libarchive in their handling of compressed files, Talos urges all users to patch/upgrade related, vulnerable software.
Microsoft Patch Tuesday – June 2016
This post was authored by Warren Mercer.
Patch Tuesday for June 2016 has arrived, the day on which Microsoft releases its monthly set of security bulletins addressing vulnerabilities in its products. This month’s release contains 16 bulletins addressing 44 vulnerabilities. Five bulletins resolve critical vulnerabilities found in MS DNS Server, Edge, Internet Explorer, JScript/VBScript, and Office. The remaining bulletins are rated important and address vulnerabilities in Active Directory, Exchange Server, Group Policy, SMB Server, Netlogon, Windows Graphics component, Windows Kernel-mode Drivers, Windows PDF, Windows Search Component, and WPAD.
Bulletins Rated Critical
Microsoft bulletins MS16-063 and MS16-068 through MS16-071 are rated as critical in this release.
MS16-063 and MS16-068 are this month’s bulletins for the Microsoft Internet Explorer and Edge browsers. The IE security bulletin addresses vulnerabilities in Internet Explorer versions 9, 10, and 11. The IE bulletin covers 10 vulnerabilities in total and resolves eight memory corruption bugs, seven of which are critical, an XSS filter vulnerability, and a WPAD vulnerability. The Edge bulletin addresses eight vulnerabilities, consisting of four memory corruption bugs, two information disclosure vulnerabilities, one security feature bypass, and a PDF remote code execution vulnerability.
TeslaCrypt: The Battle is Over
Talos has updated its TeslaCrypt decryptor tool, which now works with any version of this variant of ransomware. You can download the decryptor here.
When Talos first examined TeslaCrypt version 1.0 in April of 2015, we articulated how this ransomware operated and were able to develop a decryptor. Soon thereafter, TeslaCrypt version 2.0 was released, improving the encryption process so our original decryptor no longer worked.
Vulnerability Spotlight: PDFium Vulnerability in Google Chrome Web Browser
This vulnerability was discovered by Aleksandar Nikolic of Cisco Talos.
PDFium is the default PDF reader that is included in the Google Chrome web browser. Talos has identified an exploitable heap buffer overflow vulnerability in the PDFium PDF reader. By simply viewing a PDF document that includes an embedded jpeg2000 image, the attacker can achieve arbitrary code execution on the victim’s system. The most effective attack vector is for the threat actor to place a malicious PDF file on a website and then redirect victims to the website using either phishing emails or even malvertising.
Vulnerability Spotlight: ESnet iPerf3 JSON parse_string UTF Code Execution Vulnerability
This vulnerability was discovered by Dave McDaniel, Senior Research Engineer.
Summary
iPerf is a network testing application that is typically deployed in a client/server configuration and is used to measure the available network bandwidth between the systems by creating TCP and/or UDP connections. For each connection, iPerf reports maximum bandwidth, loss, and other performance related metrics. It is commonly used to evaluate and quantify the impact of network optimizations and for obtaining baseline metrics related to network performance.
iPerf3, developed by ESnet and Lawrence Berkeley National Laboratory, is a complete redesign of the original iPerf application and uses a forked cJSON library. Cisco Talos recently discovered that the forked version of the cJSON library contains a vulnerability that can lead to Remote Code Execution (RCE) on systems running the iPerf3 server daemon. This vulnerability is related to the way in which the forked cJSON library parses UTF-8/16 strings. There are currently several public iPerf3 servers that are accessible from the internet that may be susceptible to remote exploitation using this vulnerability. While the authors of the underlying cJSON library have since released a patch that resolves this vulnerability, the version of cJSON shipped with iPerf3 3.1-1 is vulnerable. The updated version of the iPerf3 application can be obtained here.
Research Spotlight: ROPMEMU – A Framework for the Analysis of Complex Code Reuse Attacks
The post was authored by Mariano Graziano.
Executive Summary
Attacks have grown more and more complex over the years. The evolution of the threat landscape demonstrates this: as mitigations have improved, adversaries have had to modify their tactics to bypass them and still compromise systems. Code-reuse attacks, such as return-oriented programming (ROP), are part of this evolution and currently present a challenge to defenders, as their analysis is an area of research that has not been studied in depth. Today, Talos releases ROPMEMU, a framework to analyze complex code-reuse attacks. In this blog post, we will identify and discuss the challenges and importance of reverse engineering these code-reuse instances. We will also present the techniques and the components of the framework used to dissect these attacks and simplify analysis.
Code-reuse attacks are not new or novel. They’ve been around since 1997 when the first ret2libc attack was demonstrated. Since then, adversaries have been moving towards code-reuse attacks as code injection scenarios have gotten much more difficult to successfully leverage due to the increasing number of software and hardware mitigations. Improved defenses have resulted in more complex attacks being developed to bypass them. In recent years, malware writers have also started to adopt return-oriented programming (ROP) paradigms to hide malicious functionality and hinder analysis. For readers who are not familiar with ROP and want to learn more, we invite you to please read Shacham’s formulation.
Unfortunately, the analysis of code reuse attacks, such as ROP, has been completely overlooked. While there are a small number of publicly available examples that demonstrate how complex these attacks can be, the trend is clear that adversaries will continue to leverage these types of attacks in the future. For defenders, the general lack of tooling available to help dissect these threats was one of the primary motivations for developing ROPMEMU.
Making Friends By Proactive Notification
Talos has continued to observe ongoing attacks leveraging JBoss exploits. Through our research efforts, we have identified an additional 600 or so compromised hosts which contain webshells as a result of adversaries compromising unpatched JBoss environments. In response to this, Talos has been working to notify victims of these compromised hosts so that appropriate remediation may take place. This blog post outlines the notification process and provides additional indicators which you can use to review your own JBoss environments, such as a list of the 500 most common webshells we have observed in the wild.
Why Did I Get Notified?
After identifying the IP address of the hosts with one or more webshells, we extracted the contact email addresses provided in the WHOIS record of the organizations identified as the owner. The notification email contains a link which you can use to view this information. We are sending notifications via email to all listed email addresses as we have found many organizations where the designated abuse contact email listed is no longer valid. By emailing all available contacts we maximize the chances of successful notification.
Multiple 7-Zip Vulnerabilities Discovered by Talos
7-Zip is an open-source file archiving application which features optional AES-256 encryption, support for large files, and the ability to use “any compression, conversion or encryption method”. Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These types of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products.