[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Advisories Unsafe Dll in Audacity, telegram and Akamai



=====[ Tempest Security Intelligence - ADV-7/2016
]=============================
 
  Unsafe DLL search path in Audacity 2.1.2
 
  Author: Felipe Xavier Oliveira < engfilipeoliveira89 () gmail.com >
    
  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents
]======================================================
 
1. Overview  
2. Detailed description  
3. Further attack scenarios     
4. Timeline of disclosure    
5. Thanks & Acknowledgements  
6. References

=====[ 1. Overview
]============================================================
 
* System affected  : Audacity [1].
* Software Version : 2.1.2 (other versions may also be affected).
* Impact           : A user may be infected by opening an audio file in
                     Audacity, from an untrusted location i.e. usb flash
drive,
                     network file share.

=====[ 2. Detailed description
]================================================

Audacity version 2.1.2 is vulnerable to DLL Hijack, it tries to load
avformat-55.dll without supplying the absolute path, thus relying upon the
presence of such DLL on the system directory. This behavior results in an
exploitable DLL Hijack vulnerability, even if the SafeDllSerchMode flag is
enabled.

The vulnerability report can be found at the following URL:

http://forum.audacityteam.org/viewtopic.php?f=46&t=92698

Audacity neglected the risk associated with the vulnerability [2].

=====[ 3. Further attack scenarios
]============================================

The attacker can place a malicious dll named avformat-55.dll in the same
folder
of an Audacity project file. Upon opening the project file Audacity will
load
and execute the malicious code within its proccess context. The attack
may be
carried out remotely by inducing the victim to open the project file
from an
external storage device or a network file share.

=====[ 4. Timeline of disclosure
]==============================================

08/15/2016 - Reported vulnerability.
08/15/2016 - Audacity neglected the risk.
12/11/2016 - Advisory publication date.

=====[ 5. Thanks & Acknowledgements
]===========================================

- Breno Cunha    < brenodario () gmail.com >
- Felipe Azevedo < felipe3gomes () gmail.com >
- Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ 6. References
]==========================================================

[1] http://www.audacityteam.org

[2] http://forum.audacityteam.org/viewtopic.php?f=46&t=92698

[3] http://www.tempest.com.br

=====[ EOF
]====================================================================







=====[ Tempest Security Intelligence - ADV-6/2016
]=============================
 
  Unsafe DLL search path in Telegram Desktop 0.10.1
 
  Author: Felipe Xavier Oliveira < engfilipeoliveira89 () gmail.com >
 
  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents
]======================================================
 
1. Overview 
2. Detailed description     
3. Timeline of disclosure   
4. Thanks & Acknowledgements 
5. References

=====[ 1. Overview
]============================================================
 
 * System affected  : Telegram Desktop.
 * Platform         : Windows.
 * Software Version : 0.10.1 (other versions may also be affected).
 * Impact           : If a low privileged user is infected, a malware is
capable
                      of injecting code into Telegram process (and steal
                      Telegram messages) without the need of privilege
                      escalation (i.e. ability to write to Program Files
and/or
                      system32).

=====[ 2. Detailed description
]================================================

Telegram Desktop version 0.10.1 is vulnerable to DLL Hijack, it tries to
load
"COMBASE.dll" without supplying the absolute path, thus relying upon the
presence of such DLL on the system directory.

The issue is aggravated on Windows 7 because the DLL is not present,
resulting
in an exploitable DLL Hijack vulnerability, even though the
SafeDllSerchMode
flag is enabled.

=====[ 3. Timeline of disclosure
]==============================================

08/11/2016 - Reported vulnerability [1].
08/14/2016 - Telegram fixed vulnerability [2].
12/11/2016 - Advisory publication date.
16/12/2016 - CVE assigned [3].

=====[ 4. Thanks & Acknowledgements
]===========================================
 
- Breno Cunha    < brenodario () gmail.com >
- Felipe Azevedo < felipe3gomes () gmail.com >
- Tempest Security Intelligence / Tempest's Pentest Team [4]
 
=====[ 5. References
]==========================================================

[1] https://github.com/telegramdesktop/tdesktop/issues/2350

[2]
https://github.com/telegramdesktop/tdesktop/commit/50b10ba0bf61fc5d30f033e239b5a81ac478ec78

[3]
https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/158c10cf11bc7d6ad728c1a8dd213f523ecfca52/DWF/2016/1000276/CVE-2016-1000276.json

[4] http://www.tempest.com.br

=====[ EOF
]====================================================================






=====[ Tempest Security Intelligence - ADV-8/2016
]=============================
  
  Unsafe DLL search path in Akamai NetSession 1.9.3.1

  Author: Felipe Xavier Oliveira < engfilipeoliveira89 () gmail.com >
 
  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents
]======================================================
 
1. Overview 
2. Detailed description   
3. Timeline of disclosure   
4. Thanks & Acknowledgements 
5. References

=====[ 1. Overview
]============================================================
 
* System affected  : Akamai NetSession [1].
* Software Version : 1.9.3.1 (other versions may also be affected).
* Impact           : If a low privileged user is infected, a malware is
capable
                     of injecting code into Akamai NetSession process
without
                     privilege elevation.


=====[ 2. Detailed description
]================================================

Akamai Netsession 1.9.3.1 is vulnerable to DLL Hijack, it tries to load
CSUNSAPI.dll without supplying the complete path. The issue is aggravated
because the mentioned DLL is missing from its installation. Thus making it
possible to hijack the DLL and subsequently inject code within Akamai
NetSession process space.

=====[ 3. Timeline of disclosure 
]=============================================

09/23/2016 - Reported vulnerability to security AT akamai.com.
09/23/2016 - Akamai acknowledges the vulnerability and asks for two
weeks in
             order to fix the vulnerability.
10/07/2016 - Asked if they were able to fix it in the accorded time, but
haven't
             heard back from them.
12/11/2016 - Advisory publication date.

=====[ 4. Thanks & Acknowledgements
]===========================================

- Breno Cunha    < brenodario () gmail.com >
- Felipe Azevedo < felipe3gomes () gmail.com >
- Tempest Security Intelligence / Tempest's Pentest Team [2]

=====[ 5. References
]==========================================================

[1]
https://www.akamai.com/us/en/solutions/products/media-delivery/netsession-
    interface-design.jsp

[2] http://www.tempest.com.br/

=====[ EOF
]====================================================================



Filipe Oliveira.
=====[ Tempest Security Intelligence - ADV-7/2016 ]=============================
 
  Unsafe DLL search path in Audacity 2.1.2
  
  Author: Felipe Xavier Oliveira < engfilipeoliveira89 () gmail.com >
    
  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]======================================================
  
1. Overview  
2. Detailed description  
3. Further attack scenarios     
4. Timeline of disclosure    
5. Thanks & Acknowledgements  
6. References

=====[ 1. Overview ]============================================================
 
* System affected  : Audacity [1].
* Software Version : 2.1.2 (other versions may also be affected).
* Impact           : A user may be infected by opening an audio file in 
                     Audacity, from an untrusted location i.e. usb flash drive, 
                     network file share.

=====[ 2. Detailed description ]================================================

Audacity version 2.1.2 is vulnerable to DLL Hijack, it tries to load 
avformat-55.dll without supplying the absolute path, thus relying upon the 
presence of such DLL on the system directory. This behavior results in an 
exploitable DLL Hijack vulnerability, even if the SafeDllSerchMode flag is 
enabled.

The vulnerability report can be found at the following URL:

http://forum.audacityteam.org/viewtopic.php?f=46&t=92698

Audacity neglected the risk associated with the vulnerability [2].

=====[ 3. Further attack scenarios ]============================================

The attacker can place a malicious dll named avformat-55.dll in the same folder 
of an Audacity project file. Upon opening the project file Audacity will load
and execute the malicious code within its proccess context. The attack may be 
carried out remotely by inducing the victim to open the project file from an 
external storage device or a network file share.

=====[ 4. Timeline of disclosure ]==============================================

08/15/2016 - Reported vulnerability.
08/15/2016 - Audacity neglected the risk.
12/11/2016 - Advisory publication date.

=====[ 5. Thanks & Acknowledgements ]===========================================

- Breno Cunha    < brenodario () gmail.com >
- Felipe Azevedo < felipe3gomes () gmail.com >
- Tempest Security Intelligence / Tempest's Pentest Team [3]

=====[ 6. References ]==========================================================

[1] http://www.audacityteam.org

[2] http://forum.audacityteam.org/viewtopic.php?f=46&t=92698

[3] http://www.tempest.com.br

=====[ EOF ]====================================================================
=====[ Tempest Security Intelligence - ADV-6/2016 ]=============================
 
  Unsafe DLL search path in Telegram Desktop 0.10.1
  
  Author: Felipe Xavier Oliveira < engfilipeoliveira89 () gmail.com >
  
  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]======================================================
  
1. Overview  
2. Detailed description      
3. Timeline of disclosure    
4. Thanks & Acknowledgements  
5. References

=====[ 1. Overview ]============================================================
 
 * System affected  : Telegram Desktop.
 * Platform         : Windows.
 * Software Version : 0.10.1 (other versions may also be affected).
 * Impact           : If a low privileged user is infected, a malware is capable 
                      of injecting code into Telegram process (and steal 
                      Telegram messages) without the need of privilege 
                      escalation (i.e. ability to write to Program Files and/or 
                      system32).

=====[ 2. Detailed description ]================================================

Telegram Desktop version 0.10.1 is vulnerable to DLL Hijack, it tries to load 
"COMBASE.dll" without supplying the absolute path, thus relying upon the 
presence of such DLL on the system directory.

The issue is aggravated on Windows 7 because the DLL is not present, resulting 
in an exploitable DLL Hijack vulnerability, even though the SafeDllSerchMode 
flag is enabled. 

=====[ 3. Timeline of disclosure ]==============================================

08/11/2016 - Reported vulnerability [1].
08/14/2016 - Telegram fixed vulnerability [2].
12/11/2016 - Advisory publication date.
16/12/2016 - CVE assigned [3].

=====[ 4. Thanks & Acknowledgements ]===========================================
 
- Breno Cunha    < brenodario () gmail.com >
- Felipe Azevedo < felipe3gomes () gmail.com >
- Tempest Security Intelligence / Tempest's Pentest Team [4]
 
=====[ 5. References ]==========================================================

[1] https://github.com/telegramdesktop/tdesktop/issues/2350

[2] https://github.com/telegramdesktop/tdesktop/commit/50b10ba0bf61fc5d30f033e239b5a81ac478ec78

[3] https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/158c10cf11bc7d6ad728c1a8dd213f523ecfca52/DWF/2016/1000276/CVE-2016-1000276.json

[4] http://www.tempest.com.br

=====[ EOF ]====================================================================
=====[ Tempest Security Intelligence - ADV-8/2016 ]=============================
   
  Unsafe DLL search path in Akamai NetSession 1.9.3.1

  Author: Felipe Xavier Oliveira < engfilipeoliveira89 () gmail.com >
  
  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents ]======================================================
  
1. Overview  
2. Detailed description    
3. Timeline of disclosure    
4. Thanks & Acknowledgements  
5. References

=====[ 1. Overview ]============================================================
 
* System affected  : Akamai NetSession [1].
* Software Version : 1.9.3.1 (other versions may also be affected).
* Impact           : If a low privileged user is infected, a malware is capable 
                     of injecting code into Akamai NetSession process without
                     privilege elevation.


=====[ 2. Detailed description ]================================================

Akamai Netsession 1.9.3.1 is vulnerable to DLL Hijack, it tries to load 
CSUNSAPI.dll without supplying the complete path. The issue is aggravated 
because the mentioned DLL is missing from its installation. Thus making it 
possible to hijack the DLL and subsequently inject code within Akamai 
NetSession process space.

=====[ 3. Timeline of disclosure  ]=============================================

09/23/2016 - Reported vulnerability to security AT akamai.com.
09/23/2016 - Akamai acknowledges the vulnerability and asks for two weeks in 
             order to fix the vulnerability.
10/07/2016 - Asked if they were able to fix it in the accorded time, but haven't
             heard back from them.
12/11/2016 - Advisory publication date.

=====[ 4. Thanks & Acknowledgements ]===========================================

- Breno Cunha    < brenodario () gmail.com >
- Felipe Azevedo < felipe3gomes () gmail.com >
- Tempest Security Intelligence / Tempest's Pentest Team [2]

=====[ 5. References ]==========================================================

[1] https://www.akamai.com/us/en/solutions/products/media-delivery/netsession-
    interface-design.jsp

[2] http://www.tempest.com.br/

=====[ EOF ]====================================================================

Attachment: 0x206D715A.asc
Description: application/pgp-keys

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/