Sep 22 2017

Apache Struts at REST: Analyzing Remote Code Execution Vulnerability CVE-2017-9805

Apache Struts, an open-source web development framework, is prone to vulnerabilities. We wrote about CVE-2017-9791 in July. The latest is CVE-2017-9805, another remote code execution flaw actively being exploited, according to reports. This vulnerability affects the Struts plug-in Representational State Transfer (REST). Apache has updated Struts with Version 2.5.13 to fix this issue. In this post we offer our analysis of this vulnerability and how the exploitation works.

Analyzing the Fix

The following screenshots show the before (Version 2.5.12, at left) and after (Version 2.5.13) of changes made to REST to fix the vulnerability.

Source: “Fossies,” the Fresh Open Source Software Archive.

As we can see, several changes have been made to fix this issue:

  • In the fixed version “Class XStreamHandler” extends the class “AbstractContentTypeHandler.”
  • The “toObject” and “fromObject” methods expect another argument of the type “ActionInvocation.” (If we check AbstractContentTypeHandler.java, “AbstractContentTypeHandler” implements “ContentTypeHandler” and deprecates the old “toObject” and “fromObject” methods.)
  • The “createXStream” method has been deprecated and a new method with the same name has been defined that expects a parameter of the type “ActionInvocation,” as shown below:

This change clears the existing permissions and adds a per-action permission as the default, thus preventing the issue.
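To illustrate the mitigation in working code, here is an added example (not the Struts project's own fix) that configures a stand-alone XStream instance along the same lines: deny every type by default, then allow only the types an action expects. The `Order` class, the `order` alias and the sample XML strings are constructed for the illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowListDemo {

    // Hypothetical request type: the only object this action should accept.
    public static class Order {
        public int id;
        public String sku;
    }

    // Build an XStream instance that starts from "deny everything" and then
    // allows only nulls, primitives, String and the action's own type.
    // This mirrors the idea of a per-action permission set rather than one
    // global default that accepts any class named in the XML.
    static XStream restrictedForOrderAction() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // deny all by default
        xs.addPermission(NullPermission.NULL);            // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);                   // constructed alias
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one the action expects, one naming a
        // class that was never allow-listed (a benign one, for illustration).
        String expected   = "<order><id>7</id><sku>ABC-123</sku></order>";
        String unexpected = "<java.util.HashMap/>";

        XStream xs = restrictedForOrderAction();

        Order o = (Order) xs.fromXML(expected);
        System.out.println("accepted: id=" + o.id + " sku=" + o.sku);

        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected: should not get here");
        } catch (ForbiddenClassException e) {
            // XStream refuses to instantiate any type outside the allow-list.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On XStream 1.4.x this needs the `xstream` jar on the classpath; the rejected case throws before any instance of the named class is created, which is the property the per-action permission set relies on.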

Debugging the Code

Exploiting this issue requires sending a post request with specially crafted XML data to a host running Apache Struts with the vulnerable version of the REST plug-in:

Tracing the code, we can see that the request goes to ContentTypeInterceptor.java.

This function identifies the handler for the HTTP request. In this case it is “XStreamHandler,” which later calls “handler.toObject(reader, target);”. Thus control reaches the method “toObject” in XStreamHandler.java.

This function calls the method “fromXML,” which deserializes the XML into an object:

Control next passes to the method “unmarshal” in “MapConverter.java,” which creates a HashMap and populates it:

“populateMap” calls the method “putCurrentEntryIntoMap,” which in turn calls the method “readItem.” The map elements here are the elements from the specially crafted XML:

The code next calls the method “doUnmarshal” in “AbstractReflectionConverter.java.” We can see that it takes the node names from the reader object and then searches for the class in which each field was defined or declared. The code also checks whether the field exists in the class:

If the field exists in the class, then the code updates the field in the object. In the following image, the result shows the object “ImageIO$ContainsFilter” and value of its method being modified by the method “reflectionProvider.writeField”:

This process is repeated and finally the value of the object becomes something like the following (truncated and reorganized for clarity). All of this came from the specially crafted XML:

The preceding object is returned by the call to “readItem” in “putCurrentEntryIntoMap” and is stored in the key object:

As we see in the preceding image, the code calls the method “target.put.” When the method is called, it accesses the key and value. Because they contain the crafted object, the code first calls “NativeString.hashCode(),” which calls “Base64Data.get(),” as we see in the following call stack:

The code next calls “chooseFirstProvider()” in “Cipher.java”:

The method serviceIterator.next() returns the ProcessBuilder object, which contains the command supplied in the XML. Because all of these objects are chained together, as we have seen, ImageIO$ContainsFilter’s method is set to java.lang.ProcessBuilder.start(), thus executing the command.


Apache Struts is a popular web development framework and its vulnerabilities affect many deployments. We recommend users keep their Struts installations up to date with the latest version.

McAfee Network Security Platform customers are protected against this vulnerability through Signature 0x45215200.

The post Apache Struts at REST: Analyzing Remote Code Execution Vulnerability CVE-2017-9805 appeared first on McAfee Blogs.

Sep 22 2017

BSQLinjector – Blind SQL Injection Tool Download in Ruby


BSQLinjector is an easy-to-use Blind SQL Injection tool written in Ruby that uses blind techniques to retrieve data from SQL databases. The download is below.

The author recommends using the “--test” switch to see clearly what the configured payload looks like before sending it to an application.

What is Blind SQL Injection?

Blind SQL Injection is a type of SQL Injection (SQLi) attack that asks the database true or false questions and determines the answer based on the application’s response.

Read the rest of BSQLinjector – Blind SQL Injection Tool Download in Ruby now! Only available at Darknet.

Sep 21 2017

Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement

On September 21st, 2017, Daniel Therrien, Canada’s Federal Privacy Commissioner, tabled his annual report to Canada’s Parliament. The report to Parliament includes results and recommendations with respect to the OPC’s study on consent. In addition, the Commissioner requests that Parliament overhaul Canada’s federal private sector legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).

Consent and Technology

A key issue for regulators and businesses is how to obtain meaningful and valid consent to collect and use personal information in the digital age. Revisiting and enhancing the consent model under PIPEDA is grounded in the Commissioner’s five year strategic privacy priorities. In 2016, the OPC issued a consultation paper regarding the challenges of obtaining meaningful consent in a continuously evolving technological ecosystem where the traditional “privacy policy” may not always be suitable. The OPC received feedback through roundtables, focus groups, surveys and receipt of 51 submissions from organizations, information technology specialists, academics, advocacy groups and other stakeholders.

Four Key Elements in Privacy Policies: The Commissioner stated that the OPC will be issuing an updated version of its consent guidelines that will require businesses and organizations to highlight in a user friendly way the following four key elements in their privacy notices:

  1. What information is being collected
  2. Who it is being shared with, including an enumeration of third parties
  3. The purposes for collecting, using or sharing it, including an explanation of purposes that are not integral to the service, and
  4. The risk of harm to individuals, if any.

Risk of Harm: The OPC is amending its guidelines to require organizations to consider the risk of harm to individuals when considering the form of consent used. This consideration will be in addition to the sensitivity of the personal information and the reasonable expectations of the individual. We expect to learn more about this in the updated guidelines.

No-Go Zones: Expect new guidance for businesses and no-go zones where the use of information, even with consent, should be prohibited as inappropriate. The guidance will be aimed to provide clarity on what the OPC considers “inappropriate uses” under subsection 5(1) of PIPEDA.

Alternatives to Consent: The Commissioner outlined three potential solutions for enhancing privacy protection where traditional consent models conflict with advances in technology, including:

  1. De-identification: In some circumstances, like big data, de-identification protocols may be the right solution. The OPC will be issuing guidance on de-identification that will help businesses assess their protocols and reduce risk of re-identification to a low level where the information may be used without consent.
  2. Publicly available information: The Commissioner agrees that the categories of publicly available information in PIPEDA’s regulations are out of date, and should be revisited by Parliament. For now these exceptions remain the same, but we may someday see changes to the regulations.
  3. Call for reform of new exceptions: The Commissioner has requested that PIPEDA be amended to include new exceptions to consent (section 7 of PIPEDA) to address social activities not contemplated when PIPEDA was first drafted. The goal is to help organizations use data for new purposes that would benefit individuals where obtaining consent is not practical. For example, a mobile app wishes to use information originally collected for geolocation mapping for a new purpose, and the business can demonstrate that the benefit of the new use outweighs the privacy incursion. This option would be considered a last resort and require pre-approval by the OPC.

Overhaul of PIPEDA including new Powers

The Commissioner reported that it is time to revisit how Canada’s federal privacy legislation, enacted in 2000, meets the realities of today’s digital world, including advances in technology as well as the addition of new enforcement powers already used by the OPC’s counterparts in the U.S. and Europe. The Commissioner proposed to Parliament that this overhaul include a new enforcement model that emphasizes proactive powers backed up by order-making authorities, including:

  • conducting involuntary audits
  • issuing binding orders, and
  • imposing administrative monetary penalties.

The request for reform of PIPEDA is certainly a hot topic as businesses and organizations wait to see whether Canada’s adequacy status is affected by Europe’s General Data Protection Regulation.

Expect a more aggressive OPC

However, do not expect the OPC to wait for new powers. The Commissioner ended his report to Parliament by adding that, beginning today, we can expect a more proactive and aggressive OPC with respect to enforcement. The OPC is signalling that complaints will no longer be its primary tool and that it is repositioning itself as a proactive regulator ready to initiate investigations. The Commissioner reported that a complaint-driven model has its limits:

People are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the Internet of Things, it is very difficult to know and understand what is happening to our personal information. My Office, however, is better positioned to examine these often opaque data flows and to make determinations as to their appropriateness under PIPEDA.

This is an important message. The Commissioner is not waiting for legislative reform and has put businesses and organizations on notice to expect a more active OPC, one that will be on the lookout for “specific issues or chronic problems” that must be addressed, possibly resulting in more Commissioner-initiated investigations.

More information

You can read the OPC’s news release here.

You can read the Commissioner’s remarks and full Annual Report to Parliament here.

Sep 21 2017

If Bill Gates really thinks ctrl-alt-del was a mistake, he should have fixed it himself

An IBM keyboard signed by ctrl-alt-del inventor, David Bradley (credit: Ross Grady)

Once again, Bill Gates has bemoaned the creation of the ctrl-alt-del shortcut. Talking at Bloomberg Global Business Forum, Gates reiterates that he wishes IBM had created a dedicated button for the feature. We're republishing this piece from 2013, because we still think that Gates' telling of the story is a little misleading; for IBM it was a feature, not a flaw, that ctrl-alt-del requires two hands, and if Microsoft really wanted a single button ctrl-alt-del for Windows NT, it was Microsoft, not IBM, with the market dominance to achieve that.

Speaking at Harvard earlier this month, Bill Gates was asked why you have to press ctrl-alt-del before you can enter your password and log in to Windows. After explaining the security rationale, Gates then said that it was a "mistake," and that it was due to IBM refusing to add a single button to take the place of the three finger salute.

It's a nice story, but it doesn't really add up.
