Cyber Security Training from QA

Cyber Pulse: Edition 66

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


31 May 2019

Docker contains an unpatched race condition vulnerability

A major security vulnerability has been found in Docker. A function called FollowSymlinkInScope is prone to a race condition that attackers can exploit to modify resource paths. The flaw was discovered by security researcher Aleksa Sarai, who says the function can be used to carry out a time-of-check to time-of-use (TOCTOU) attack. As of now, the vulnerability remains unpatched and Docker is yet to respond with a fix; all current versions contain the flaw. The FollowSymlinkInScope function was found to incorrectly resolve resource paths inside a Docker container. According to Sarai, an attacker who adds a symbolic link after the faulty resolution gains read and write access to the resource path, leading to a race condition. Sarai also mentions that there are no workarounds other than restricting Docker through AppArmor. He has, however, submitted a patch to Docker Inc, which is still under review. Sarai also describes two exploit scripts for this vulnerability, which allow modification of resource paths. “Attached are two reproducers of the issue. They both include a Docker image which contains a simple binary that does a RENAME_EXCHANGE of a symlink to "/" and an empty directory in a loop, hoping to hit the race condition. In both of the scripts, the user is trying to copy a file to or from a path containing the swapped symlink,” Sarai wrote in an email on the oss-sec mailing list. Docker Inc is expected to release a patch for this flaw soon.
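The TOCTOU pattern behind this bug is general: a path is resolved and checked as a string, and by the time it is opened by name the filesystem may have changed underneath it. The following added example is not Docker's code or Sarai's patch; it contrasts a check-then-use opener with a descriptor-based walk that refuses symlinks at every component, and simulates the race deterministically with a callback that swaps a directory for a symlink inside the window. It assumes Linux semantics for `dir_fd`, `O_NOFOLLOW` and `O_DIRECTORY`, and the directories and files it works on are constructed in temporary folders.

```python
import errno
import os
import shutil
import tempfile


def check_then_use_open(root, relpath, between=None):
    """Vulnerable pattern: resolve the path as a string, check that it stays
    under root, then open it by name. Anything that changes the filesystem
    in the window between the check and the open is invisible to the check;
    the `between` callback stands in for a racing process hitting that window."""
    root_real = os.path.realpath(root)
    full = os.path.join(root, relpath)
    resolved = os.path.realpath(full)
    if os.path.commonpath([root_real, resolved]) != root_real:
        raise PermissionError("path escapes root")
    if between is not None:
        between()  # the TOCTOU window
    with open(full, "rb") as f:
        return f.read()


def open_within_root(root, relpath, flags=os.O_RDONLY):
    """Hardened pattern (assumed defence, not Docker's fix): walk relpath one
    component at a time relative to a directory descriptor (openat-style),
    refusing symlinks at every step with O_NOFOLLOW and rejecting '..'. The
    kernel resolves each step against the descriptor already held, so a
    symlink swapped in after the walk began cannot redirect the open outside
    root. Returns an open file descriptor."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty path or '..' component rejected")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    dir_fd = os.open(root, dir_flags)
    try:
        for comp in parts[:-1]:
            next_fd = os.open(comp, dir_flags, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def read_within_root(root, relpath):
    """Convenience wrapper: read a whole file through the hardened opener."""
    with os.fdopen(open_within_root(root, relpath), "rb") as f:
        return f.read()


def demo():
    """Constructed scenario (temporary directories, nothing Docker-specific):
    a 'container root' holding inner/secret.txt and an unrelated directory
    outside it. The swap replaces inner/ with a symlink to the outside
    directory inside the check-then-use window."""
    root = tempfile.mkdtemp(prefix="root-")
    outside = tempfile.mkdtemp(prefix="outside-")
    results = {}
    try:
        os.mkdir(os.path.join(root, "inner"))
        with open(os.path.join(root, "inner", "secret.txt"), "wb") as f:
            f.write(b"inside")
        with open(os.path.join(outside, "secret.txt"), "wb") as f:
            f.write(b"outside")

        # Without interference the string check does its job.
        results["check_then_use_benign"] = check_then_use_open(root, "inner/secret.txt")

        def swap_inner_for_symlink():
            os.rename(os.path.join(root, "inner"), os.path.join(root, "inner.orig"))
            os.symlink(outside, os.path.join(root, "inner"))

        # The check saw a real directory; the open then follows the planted
        # symlink and reads a file outside the root.
        results["check_then_use_raced"] = check_then_use_open(
            root, "inner/secret.txt", between=swap_inner_for_symlink)

        # Same filesystem state (inner is now a symlink): the descriptor-based
        # walk refuses the symlink instead of following it.
        try:
            read_within_root(root, "inner/secret.txt")
            results["hardened_blocked"] = False
        except OSError as e:
            results["hardened_blocked"] = e.errno in (errno.ELOOP, errno.ENOTDIR)

        # Legitimate paths still work through the hardened opener.
        results["hardened_benign"] = read_within_root(root, "inner.orig/secret.txt")
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the descriptor walk is that there is no separate "check" to race: the open itself is the check, and every component is resolved by the kernel relative to a directory the code already holds open. The AppArmor restriction mentioned above is a containment measure around the process, not a fix for the pattern.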

Critical vulnerability in Convert Plus WordPress Plugin lets attacker create admin accounts

Researchers from Defiant uncovered a critical vulnerability in the Convert Plus WordPress plugin that allows an unauthenticated attacker to create accounts with administrator privileges. The vulnerability arises from a lack of filtering when the plugin processes its new user subscription form. Administrators can choose the role that new subscribers receive when configuring the form, and the administrator role is deliberately kept out of the drop-down menu. However, vulnerable versions of Convert Plus passed the chosen role in a hidden form field called "cp_set_user", which could be set to the administrator role. “Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user,” the Defiant researchers explained. An attacker can take advantage of this by submitting the subscription form with the value of ‘cp_set_user’ changed to ‘administrator’; because new subscriptions are not filtered, this creates a new user with administrator privileges. The vulnerability affects all versions of the Convert Plus plugin up to v3.4.2. BrainstormForce, the developer behind Convert Plus, was notified of the vulnerability on May 24, 2019, responded immediately and released a patch on May 29, 2019. The vulnerability is fixed in Convert Plus version 3.4.3. Due to the severity of the flaw, the developer has pushed an automatic update to the latest version through the WordPress backend. Administrators are advised to enable it as soon as possible.
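The underlying mistake is trusting an authorization decision (the new account's role) to a field the client controls. The following added example is not the plugin's code; it is a constructed stand-in in plain Python that shows the vulnerable handler next to a hardened one that looks the role up from server-side form settings and refuses privileged roles outright, plus a small log-review check for requests carrying a privileged role in the hidden field. The `form_id` key, the `FORM_SETTINGS` table and the request dicts are assumptions made for the example.

```python
# Constructed stand-in for the plugin's form handling: plain dicts instead of
# WordPress/PHP APIs, to show the pattern rather than the product's code.

DEFAULT_ROLE = "subscriber"
# Roles a public sign-up form must never hand out, even if misconfigured.
PRIVILEGED_ROLES = {"administrator", "editor"}

# Server-side record of what the site admin chose when building each form
# (constructed sample; `form_id` and this table are assumptions, not the
# plugin's real settings layout).
FORM_SETTINGS = {
    "newsletter-form": {"subscriber_role": "subscriber"},
}


def create_user_vulnerable(request):
    """Trusts the hidden cp_set_user field that arrives in the same HTTP
    request as the rest of the subscription, so the client picks its own role."""
    role = request.get("cp_set_user", DEFAULT_ROLE)
    return {"email": request["email"], "role": role}


def create_user_hardened(request):
    """Looks the role up from server-side settings keyed by the form id, ignores
    any role field in the request body, and refuses privileged roles outright
    so that even a misconfigured form cannot grant them."""
    settings = FORM_SETTINGS.get(request.get("form_id"))
    if settings is None:
        raise ValueError("unknown form id")
    role = settings.get("subscriber_role", DEFAULT_ROLE)
    if role in PRIVILEGED_ROLES:
        raise ValueError(f"public form may not grant role {role!r}")
    return {"email": request["email"], "role": role}


def flags_role_tampering(request):
    """Detection aid for request logs or a WAF rule: a subscription request that
    carries a privileged role in cp_set_user is worth alerting on, whether or
    not the vulnerable version is still installed."""
    return request.get("cp_set_user") in PRIVILEGED_ROLES


if __name__ == "__main__":
    # Constructed sample request with the hidden field altered to "administrator".
    tampered = {"email": "user@example.com", "form_id": "newsletter-form",
                "cp_set_user": "administrator"}
    print("vulnerable:", create_user_vulnerable(tampered)["role"])
    print("hardened:  ", create_user_hardened(tampered)["role"])
    print("flagged:   ", flags_role_tampering(tampered))
```

The hardened handler never reads `cp_set_user` at all; the role is a server-side property of the form, so the request body has nothing to tamper with. The explicit refusal of privileged roles is a second layer in case a settings record is ever changed by hand.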

Remote code execution flaw detected in Microsoft’s Notepad text editor

Microsoft’s Notepad text editor has been found to be vulnerable to a newly discovered remote code execution flaw. In a Twitter post, Google Project Zero researcher Tavis Ormandy revealed that he has identified a remote code execution vulnerability in Microsoft’s Notepad text editor, and has reported the issue to Microsoft. Under Project Zero’s vulnerability disclosure policy, Microsoft has to release a patch within 90 days of the discovery, after which the technical details of the flaw will be disclosed to the public. Earlier, Ormandy indicated that the vulnerability was a memory corruption bug, and shared an image demonstrating how to launch a Command Prompt from it. He confirmed that he has already developed a ‘real exploit’ for the issue. Chaouki Bekrar, founder of zero-day broker Zerodium, said that the type of issue found by the Google white hat hacker is not uncommon, noting that it is not the only vulnerability that can be used to ‘pwn’ Notepad.

UK pub chain Greene King suffers data breach following hack on its gift card website

Major UK pub chain Greene King has disclosed a data breach on its gift card website https[:]//www[.]gkgiftcards[.]co[.]uk. The incident resulted in the compromise of customers' personal details. In a breach notification, the firm revealed that it detected the breach on May 14, 2019. The hackers behind the attack gained unauthorized access to the website and were able to access customers’ sensitive details. The compromised information includes customers' names, email addresses, user IDs, encrypted passwords, addresses, postcodes and gift card order numbers. No bank details or payment information were accessed in the breach. “Suspicious activity was discovered on 14th May and a security breach was confirmed on 15th May. No bank details or payment information were accessed. However, the information you provided to us as part of your gift card registration was accessed. Specifically, the hackers were able to access your name, email address, user ID, encrypted password, address, postcode and gift card order number. Whilst your password was encrypted, it may still be compromised,” said the firm in its notification, Security Boulevard reported. While the number of impacted users is unknown, the firm has begun taking appropriate security measures to secure users’ data. It has also notified the Information Commissioner’s Office (ICO) as well as its customers about the breach.

Vulnerability in DuckDuckGo allows attackers to launch URL spoofing attacks

Security researcher Dhiraj Mishra uncovered a flaw in version 5.26.0 of the DuckDuckGo Privacy Browser application for Android that could allow an attacker to launch URL spoofing attacks. The flaw, tracked as CVE-2019-12329, is an address bar spoofing vulnerability: the browser’s omnibar can be spoofed with the help of a specially crafted JavaScript page that uses the setInterval function to reload a URL every 10 to 50 ms. “The actual magic happens at `fakefunction()`: the above-crafted JavaScript file loads the real www.duckduckgo.com in a loop every 50 ms, whereas the inner HTML can be modified accordingly,” the researcher described in his blog. Attackers can exploit the vulnerability to modify the URL displayed in the address bar (omnibar) of the vulnerable browser. In this way, attackers can trick unsuspecting victims into believing that the website they are currently browsing is controlled by a trusted party, while the site is actually under the control of bad actors. Upon discovery, Mishra reported the flaw to DuckDuckGo’s security team through their bug bounty program on the HackerOne platform on October 31, 2018. The security team concluded that the flaw doesn't need a fix as it 'doesn't seem to be a serious issue' and marked the bug as informative; however, they awarded the researcher swag on November 13, 2018.

Gnosticplayers hacked Canva website and stole data of over 139 million users

Canva, an Australia-based company that provides a graphic design platform, has been hacked and data for roughly 139 million users has been compromised. The infamous hacker ‘Gnosticplayers’, who had earlier put stolen data of 932 million users up for sale on the dark web, is responsible for this breach. Gnosticplayers contacted ZDNet on May 24, 2019, and said that he had breached the company just hours before contacting them. “I download everything up to May 17. They detected my breach and closed their database server,” Gnosticplayers said. ZDNet requested a sample of the hacked data to verify the hacker's claims, and Gnosticplayers provided sample data for 18,816 accounts, including account details for some of the company’s staff and admins. Of the 139 million users, 78 million had Gmail addresses associated with their Canva account. ZDNet contacted Canva users to verify the validity of the sample data received and, after verifying it, notified the site's administrators about the breach. “Canva was today made aware of a security breach which enabled access to a number of usernames and email addresses. We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users' credentials have been compromised,” a spokesperson for Canva said. However, the company is recommending that its users reset their passwords as a precaution.

New bitcoin scam installs ransomware or info-stealer malware on victim’s computer

A new bitcoin scam that promises to earn you $15-45 in Bitcoin a day, for free and automatically, instead installs ransomware or info-stealer malware on the victim’s computer. An independent malware hunter who goes by the name ‘Frost’ uncovered the scam, which has been promoted via several sites. The scam also promises to earn you Ethereum by referring other people to the site. When users click through, they are redirected to another page that promotes a program called ‘Bitcoin Collector’. This program is a Trojan that executes a malicious payload. When users download and extract the program, it generates numerous files, including an executable called BotCollector.exe. Executing ‘BotCollector.exe’ launches malware disguised as a bitcoin generator program dubbed ‘Freebitco.in - Bot’. Clicking the ‘Start’ button causes the ‘Freebitco.in-Bot’ to trigger the malicious payload, which is either ransomware or an info-stealer. When Frost initially analyzed this scam, the malicious payload was the ‘Marozka Tear’ ransomware. Once on the compromised computer, the ransomware encrypts all files and appends the .Crypted extension to the encrypted files. It then drops a ransom note named ‘HOW TO DECRYPT FILES.txt’, which urges the victim to contact the attacker at india2lock@gmail.com to receive payment instructions. Frost noted that the scam now pushes the ‘Baldr’ info-stealer, which currently has 32/70 detections at VirusTotal. This info-stealer attempts to steal login credentials for all sites visited, take screenshots, retrieve browser history, and steal files and cryptocurrency wallets.


Visit cyber.qa.com for more information on how QA can help solve the Cyber Security skills gap and subscribe to Cyber Pulse.



Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, advising high-profile clients on how to handle their data in civil litigation or criminal investigations. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Master's in Network Security and Penetration Testing.

Talk to our team of learning experts

Every business has different learning needs. QA has over 30 years of experience in combining the highest quality training with the most comprehensive range of learning services, ensuring the very best fit for your organisation.

Get in touch with our learning experts to talk about how we can help.