Using a Linksys Wi-Fi router? It could be ripe for remote takeover

Some versions of a popular Wi-Fi router sold under the Linksys brand expose users to a variety of exploits that allow remote attackers to take full control of the devices, a security expert said.

The most severe of the vulnerabilities in the "classic firmware" for the Linksys EA2700 Network Manager is a cross-site request forgery weakness in the browser-based administration panel, according to Phil Purviance, an information security specialist at AppSec Consulting. He said routers running the software also don't require the current password to be entered when the passcode is changed. By exploiting the two weaknesses together, attackers can take full control of the router by luring anyone connected to it to a booby-trapped website. Malicious JavaScript in the end-user's browser resets the password and turns on remote management capabilities. The attacker can then gain administrative privileges over the device.

"If you have this router on your network and you browse [a] malicious website, five seconds later your router now has a new password and is available from the Internet," Purviance told Ars. "So [an attacker] can just log into it as if [he] was on your network." From there, an attacker could do anything a normal administrator could do, including installing a version of the device firmware that contains a backdoor and changing settings to use malicious domain name lookup servers. The security consultant documented more of his findings in a recently published blog post.

Read 4 remaining paragraphs | Comments

One-Click Fraud Variant on Google Play in Japan Steals User Data

Last week McAfee Labs reported a series of “one-click fraud” malware on Google Play in Japan. We have been monitoring this fraudulent activity and have found more than 120 additional variants on Google Play since the previous report. The malicious developers upload five or six applications per account using three to five accounts every night, even though almost all of the applications are quickly deleted from Google Play. In some cases the fraudsters upload the applications with few or no modifications to the previous ones, and in other cases they substantially modify images and descriptions. But the final behavior is always the same.

Most of the variants of this malware have the same functionality, with only slight differences in their implementation code. They simply show the fraudulent web pages on the in-application web component or the device’s browser.

McAfee has also found a variant of this family of malware with more dangerous features. This variant retrieves the device user’s Google account name–the email address–as well as the phone number, and sends the information to the attacker’s remote server.

 

Fig.1 Application description page on Google Play

The application description page on Google Play.

 

This application, tv.maniax.p_urapane1, is a 16-piece slider-puzzle game consisting of pornographic images. It also plays movie files when the user completes the game.

Unlike previous variants from this family of fraudulent malware, this application requires several permissions at installation that are usually unnecessary for this type of game:

  • android.permission.READ_PHONE_STATE
  • android.permission.GET_ACCOUNTS

 

Fig.2 List of required permissions

The malware’s list of required permissions.

 

Behind the scenes, the malware retrieves the user’s data using these permissions and sends it to a remote server by opening the URL http://man****app.com/m/users/aftpur/GOOGLE_ACCOUNT_NAME/PHONE_NUMBER. It stores the data in a MySQL database server using the Java Database Connectivity API in a database-driver library in the application.

 

Fig.3  Application screens

Malware application screens.

 

Fig.4 Google account name and phone number data sent on network

Google account name and phone number data sent to the attacker’s server.

 

This application also displays some “advertisement” links at the bottom of the screen. The application’s description page on Google Play says that the developer does not guarantee the safety of these linked advertisements, implying that they are not aware of the contents of the ads. In fact, however, the application simply displays the image files bundled in the application package and invokes the browser with the hard-coded URL http://pr**.*obi/?neosp_nontop_eropne01, which is the fraudulent web page often used in other variants of this one-click-fraud family of malware.

 

Fig.5 Fraudulent Web pages

Fraudulent web pages.

 

The stolen Google account name and phone number are not directly used in the fraudulent page opened from this application. However, we expect the attacker will try to use this information for future malicious activities.

Fortunately, this application was deleted from Google Play within a day after it was added, and so the number of victims should be small. But the appearance of this variant indicates that the attackers are determined to collect personal information from their victims and that they are capable of developing variants with more advanced features than previous ones.

McAfee Mobile Security detects this application as Android/OneClickFraud, and will continue to monitor for more fraudulent activities from this family in Japan.

Microsoft Patch Tuesday – April 2013

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing nine bulletins covering a total of 14 vulnerabilities. Four of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the April releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Apr

The following is a breakdown of the issues being addressed this month:

  1. MS13-028 Cumulative Security Update for Internet Explorer (2817183)

    Internet Explorer Use After Free Vulnerability (CVE-2013-1303) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Use After Free Vulnerability (CVE-2013-1304) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  2. MS13-029 Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)

    RDP ActiveX Control Remote Code Execution Vulnerability (CVE-2013-1296) MS Rating: Critical

    A remote code execution vulnerability exists when the Remote Desktop ActiveX control, mstscax.dll, attempts to access an object in memory that has been deleted. An attacker could exploit the vulnerability by convincing the user to visit a specially crafted webpage. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

  3. MS13-036 Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996)

    Win32k Font Parsing Vulnerability (CVE-2013-1291) MS Rating: Moderate

    A denial of service vulnerability exists when Windows fails to handle a specially crafted font file. The vulnerability could cause the computer to stop responding and restart.

    Win32k Race Condition Vulnerability (CVE-2013-1283) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Race Condition Vulnerability (CVE-2013-1292) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    NTFS NULL Pointer Dereference Vulnerability (CVE-2013-1293) MS Rating: Moderate

    An elevation of privilege vulnerability exists when the NTFS kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view, change, or delete data, or create new accounts with full administrative rights.

  4. MS13-031 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170)

    Kernel Race Condition Vulnerability (CVE-2013-1294) MS Rating: Critical

    An elevation of privilege vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    Kernel Race Condition Vulnerability (CVE-2013-1284) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

  5. MS13-032 Vulnerability in Active Directory Could Lead to Denial of Service (2830914)

    Memory Consumption Vulnerability (CVE-2013-1282) MS Rating: Important

    A denial of service vulnerability exists in implementations of Active Directory that could cause the service to stop responding. The vulnerability is caused when the LDAP service fails to handle a specially crafted query.

  6. MS13-033 Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917)

    CSRSS Memory Corruption Vulnerability (CVE-2013-1295) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows CSRSS improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the local system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.

  7. MS13-034 Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482)

    Microsoft Antimalware Improper Pathname Vulnerability (CVE-2013-0078) MS Rating: Important

    This is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.

  8. MS13-035 Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818)

    HTML Sanitization Vulnerability (CVE-2013-1289) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that HTML strings are sanitized. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks on affected systems and run script in the security context of the current user.

  9. MS13-030 Vulnerability in SharePoint Could Allow Information Disclosure (2827663)

    Incorrect Access Rights Information Disclosure Vulnerability (CVE-2013-1290) MS Rating: Important

    An information disclosure vulnerability exists in the way that SharePoint Server enforces access controls on specific SharePoint Lists.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.