Impact: A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release.ĭescription: A deserialization issue was addressed through improved validation.ĬVE-2021-31010: Citizen Lab and Google Project Zero Impact: A sandboxed process may be able to circumvent sandbox restrictionsĭescription: An access issue was addressed with improved access restrictions.ĬVE-2021-30783: an anonymous researcher, Ron Hass of Perception Point Apple is aware of a report that this issue may have been actively exploited.ĭescription: An integer overflow was addressed with improved input validation. name '*.Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. So what do we do with the encryption? The OfficeScan program directory contains a file called pwd.dll, that might have something to do with these passwords, so let’s disassemble it! Indeed, this library exports functions like PWDDecrypt(), but as it turns out, these are not the functions we are looking for…įind. Actually, the clients can be unloaded or uninstalled only after providing a special password (a SYSTEM level service is responsible for protecting the main processes of the application from killing or debugging), this is what we see encoded in these fields. As you can see, there are two parameters, Uninstall_Pwd and Unload_Pwd which are (seemingly) encrypted, indicating that these params are something to protect. This same answer is retrieved regardless the UID parameter. I started to monitor the network connections of the clients and found some interesting interfaces, one of these looked like this: I assumed that there must be some kind of connection between the server and the clients so the clients can obtain new updates and configuration parameters. I focused my research on the clients as these are widely deployed on a typical network. This publication comes after months of discussion with the vendor in accordance with the disclosure policy of the HP Zero Day Initiative. As such, they are not trivial to fix or even decide if they are in fact vulnerabilities. The issues are logic and/or cryptographic flaws, not standard memory corruption issues. Now I would like to share a series of little issues which can be chained together to achieve remote code execution. The clients install ActiveX controls into Internet ExplorerĪnd there are possibly many other fragile parts of the system.The server component (that provides centralized management for the clients that actually implement the host protection functionality) is mostly implemented through binary CGIs (.EXE and.After installing a trial version (10.6 SP1) I could already tell that this software will worth the effort: Since this software looked quite complex (big attack surface) I decided to take a closer look at it. Earlier this year I stumbled upon the OfficeScan security suite by Trend Micro, a probably lesser known host protection solution (AV) still used at some interesting networks. Analyzing the security of security software is one of my favorite research areas: it is always ironic to see software originally meant to protect your systems open a gaping door for the attackers.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |