Domain: defensecode.com
Stories and comments across the archive that link to defensecode.com.
Stories · 5
-
A 100,000-Router Botnet Is Feeding On a 5-Year-Old UPnP Bug In Broadcom Chips (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail. -
Unpatched Magento Zero Day Leaves 200,000 Merchants Vulnerable (threatpost.com)
An anonymous reader quotes ThreatPost: A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk... According Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code... The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.
DefenseCode says the exploit can be mitigated by enforcing Magento's "Add Secret Keys To URLS" feature, warning in a paper that the hole otherwise "could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information." Magento has confirmed the exploit, says they're investigating it, and promises they'll address it in their next patch release. -
Remote-Access Router Exploit Finally Revealed (helpnetsecurity.com)
"Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them," writes the DefenseCode team. Orome1 quotes a new report from Help Net Security: Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom's UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices out there, the researchers refrained from publishing the exploit they created for the flaw, but now, four years later, they've released their full research again, and this time they've also revealed the exploit. The researchers pointed out that most users don't update their router's firmware -- meaning many routers may still be vulnerable. -
Remote-Access Router Exploit Finally Revealed (helpnetsecurity.com)
"Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them," writes the DefenseCode team. Orome1 quotes a new report from Help Net Security: Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom's UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices out there, the researchers refrained from publishing the exploit they created for the flaw, but now, four years later, they've released their full research again, and this time they've also revealed the exploit. The researchers pointed out that most users don't update their router's firmware -- meaning many routers may still be vulnerable. -
Exploiting Wildcards On Linux/Unix
An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.