Wednesday, 14 September 2016

Microsoft Windows PDF Library Information Disclosure Vulnerability - CVE-2016-3374 (MS16-115)

In the last year, as a personal research project, I started to look more into browsers and decided to fuzz some high-level targets, such as Edge and IE11, together with Steven Seeley (@steventseeley).

I have to admit that it is quite hard nowadays to approach this kind of research, especially with limited time and resources (just a few virtual machines running at home…), but nevertheless it became an incredible learning experience.

Given our constraints, the fuzzing focus was to target things other than the commonly targeted components, such as DOM, JavaScript and so on, so we decided to go for the PDF file format.

One of the interesting conditions that we found was the one that has just been patched by Microsoft and detailed in the MS16-115 security bulletin. The vulnerability is an out-of-bounds read which can lead to memory information disclosure.

The technical advisory can be found at Steven Seeley's web site: http://srcincite.io/advisories/src-2016-39/ .

References:

- Microsoft Security Bulletin MS16-115: https://technet.microsoft.com/library/security/MS16-115
- SRC-2016-39: Microsoft Windows PDF Library PostScript Calculator Out-of-Bounds Read Information Disclosure Vulnerability: http://srcincite.io/advisories/src-2016-39/
- Microsoft Acknowledgments: https://technet.microsoft.com/library/security/mt674627.aspx

Friday, 20 May 2016

TrendMicro ScanMail for Microsoft Exchange (SMEX) predictable session token - CVE-2015-3326

It's time for another advisory (CVE-2015-3326), a simple one, for a vulnerability which can be found quickly and trivially. For those of you who just want to glance at the post, I suggest looking directly at the picture, which says it all!

The following vulnerability was discovered on TrendMicro SMEX (ScanMail for Microsoft Exchange) 10 SP2 but it affects other versions as well.

While surfing the SMEX web administrative interface using a web proxy, I noticed something in the HTTP request: the session token itself and its format, a number.

After observing a significant number of logins, the session token was always represented by a number composed of a minimum of 4 digits and a maximum of 5 digits, as shown in the screenshot below:

 

Although the observed session tokens were never generated sequentially, the lack of a cryptographically strong PRNG for the session identifier allows a malicious user to trivially guess the token. This attack can be easily automated.

For example, in Burp proxy, the cool feature of Intruder combined with a "number" payload and even a single thread would suffice to guess a valid session token in a reasonable time.

By targeting a "protected" page of the SMEX administrative interface as a baseline request for Intruder and by examining the HTTP response, it is possible to infer whether the session token is valid or not.

Once a valid token is obtained, a malicious user can impersonate another user's session on the system and gain unauthorised access to the SMEX administrative interface.
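To put a number on how small this token space is, the following added example (not part of the original advisory or of any Trend Micro code) audits a set of observed session tokens and contrasts them with a CSPRNG-generated token. The sample tokens are constructed, the function names are hypothetical, and the 64-bit minimum is an assumed threshold.

```python
import math
import secrets
import string

MIN_BITS = 64  # assumed threshold, in line with common session-ID guidance

# Constructed sample: tokens shaped like those described above (4 to 5 digits).
OBSERVED = ["4821", "17390", "60213", "9954"]

def keyspace(tokens):
    """Upper bound on the number of possible tokens, from alphabet and lengths seen."""
    seen = set("".join(tokens))
    size = 0
    # Widen each observed symbol to its whole character class.
    for cls in (string.digits, string.ascii_lowercase, string.ascii_uppercase):
        if seen & set(cls):
            size += len(cls)
    size += len(seen - set(string.digits + string.ascii_letters))
    lo, hi = min(map(len, tokens)), max(map(len, tokens))
    return sum(size ** n for n in range(lo, hi + 1))

def audit(tokens, active_sessions=1):
    """Report keyspace bits and the expected guesses needed to hit a live session."""
    space = keyspace(tokens)
    bits = math.log2(space)
    # Mean position of the first hit when k valid values hide among `space`.
    expected = (space + 1) / (active_sessions + 1)
    return {"bits": round(bits, 1), "expected_guesses": int(expected),
            "ok": bits >= MIN_BITS}

def new_session_token():
    """Hardened form: 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(32)

if __name__ == "__main__":
    print("observed format:", audit(OBSERVED))
    print("CSPRNG format:  ", audit([new_session_token() for _ in range(4)]))
```

The figure reported is only an upper bound derived from the token format: a long token produced by a predictable generator would pass this check and still be guessable, so the generator itself has to be a CSPRNG.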

References:

- Trend Micro Reference: http://esupport.trendmicro.com/solution/en-US/1109669.aspx
- CVE reference: http://www.cvedetails.com/cve/CVE-2015-3326/
- Session Prediction: https://www.owasp.org/index.php/Session_Prediction