CVE-2016-4655: Memory Corruption in WebKit – A vulnerability in Safari's WebKit that allows the attacker to compromise the device when the user clicks on a link.
CVE-2016-4656: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker, allowing them to calculate the kernel's location in memory.
CVE-2016-4657: Kernel Memory corruption leads to Jailbreak – 32- and 64-bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
Apple has already provided fixes for these, so install iOS 9.3.5 ASAP.
Httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
This means that if your web server passes requests to a CGI engine such as PHP (php-fpm, mod_php), you might be at risk of data leakage: an attacker could easily rewrite the HTTP_PROXY environment variable seen by the CGI application and thereby route the application's outgoing (internal) connections through a malicious server.
Fortunately this is easy to patch on the web server (simply block the Proxy header), e.g.:
- NGINX: fastcgi_param HTTP_PROXY "";
- Apache: RequestHeader unset Proxy early
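To make the namespace conflict concrete, here is an added Python example (not code from the httpoxy advisory or from any of the projects above): it applies the RFC 3875 header-to-meta-variable mapping to a constructed request, shows what a client library that trusts HTTP_PROXY would pick up, and contrasts the header-stripping mitigation with the guard that Python's own urllib applies once it detects a CGI environment. The host name and proxy address are constructed placeholders.

```python
import os
import urllib.request


def cgi_meta_vars(headers):
    """RFC 3875 mapping: each request header becomes HTTP_<NAME>, upper-cased
    with '-' replaced by '_'. This is the step that turns a client-supplied
    'Proxy:' header into the HTTP_PROXY environment variable."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def strip_proxy_header(headers):
    """Web-server-side mitigation with the same effect as
    `RequestHeader unset Proxy early` or `fastcgi_param HTTP_PROXY "";`."""
    return {n: v for n, v in headers.items() if n.lower() != "proxy"}


def naive_outgoing_proxy(env):
    """What an HTTP client library that blindly honours HTTP_PROXY would use
    for the application's outgoing requests (None = direct connection)."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def stdlib_outgoing_proxy(env):
    """Run urllib's proxy discovery against a given environment. Since
    CPython's 2016 httpoxy fix it drops HTTP_PROXY whenever REQUEST_METHOD
    is present, i.e. when it believes it is running under CGI."""
    saved = dict(os.environ)
    os.environ.clear()
    os.environ.update(env)
    try:
        return urllib.request.getproxies_environment().get("http")
    finally:
        os.environ.clear()
        os.environ.update(saved)


# Constructed request: an ordinary GET with an attacker-added Proxy header.
ATTACK_HEADERS = {
    "Host": "app.example.test",              # constructed
    "Proxy": "http://203.0.113.10:8080",     # constructed attacker-chosen proxy
    "User-Agent": "curl/7.47.0",
}

if __name__ == "__main__":
    env = dict(cgi_meta_vars(ATTACK_HEADERS), REQUEST_METHOD="GET")
    safe = cgi_meta_vars(strip_proxy_header(ATTACK_HEADERS))
    print("naive client under CGI uses:", naive_outgoing_proxy(env))
    print("after Proxy header stripped:", naive_outgoing_proxy(safe))
    print("patched urllib under CGI uses:", stdlib_outgoing_proxy(env))
```

Only the web-server fix protects every language behind the CGI engine; the urllib guard shows why a single patched client library is not enough on its own.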
If you're running a web server configured to use SSLv2, and particularly one that's running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client to ever make an SSLv2 connection itself, and it isn't a downgrade attack. Instead, it relies on the fact that SSLv2 -- and particularly the legacy "export" ciphersuites it incorporates -- are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.
So this essentially means that if you have any services with SSLv2 enabled (e.g. mail server) that share the same private key as other non-SSLv2 enabled services (e.g. web), that can be used to decrypt your TLS traffic. Time to check all services have SSLv2 disabled (this means not just disabling the ciphers, but fully disabling SSLv2 and SSLv3).
Full remote code execution has been demonstrated by Google, despite the usual battery of exploit mitigations like ASLR, NX, and so on.
Worth noting that many other programming languages and frameworks (Java, Python, Ruby among others) rely on the underlying libc functions to resolve domain names and are therefore affected by this. Patch now.
The first vulnerability is connected with the default configuration (HTTP), which is unsafe and leads to RCE via a MITM attack in an untrusted environment.
The second one is the risk of parsing file://, ftp:// and other protocols inside the WebView component. As a result, if there is a security flaw on the server that allows the XML file to be replaced, it can target everyone using the affected application. This is possible even without knowing the private DSA key, without modifying the application binary on the server, and over HTTPS; after that, a MITM attack is no longer required.
Check the post for further details and PoC. The solution for now is to block any updates from apps trying to connect to the update server via HTTP (e.g. with Little Snitch) and to update manually whenever needed.
What follows is a python script that generates an MP4 exploiting the ‘stsc’ vulnerability otherwise known as CVE-2015-1538. [...] As detailed in Joshua Drake’s Black Hat and DEFCON presentations, this user has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.
Although this particular exploit does not work on Android 5.0 and later, other exploit developers claim to have successfully managed to bypass ASLR using an information leakage vulnerability in Stagefright.
Labeled as “Certifi-Gate,” the vulnerability is caused by insecure versions of remote administration tools installed by the manufacturers and carriers to provide remote customer service—including versions of TeamViewer, CommuniTake Remote Care, and MobileSupport by Rsupport. These carry certificates that give them complete access to the Android operating system and device hardware. The applications are commonly pre-installed on Samsung, LG, and HTC handsets.
Check Point has provided a free scanning application to allow individuals to determine if their Android device is vulnerable. Of the 30,000 users that had opted to provide anonymous scan results, 58% of the Android devices scanned were vulnerable, with 15.84% actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices with the vulnerable plug-in was LG with 72%.
Over 600 million Samsung mobile device users have been affected by a significant security risk on leading Samsung models, including the recently released Galaxy S6. The risk comes from a pre-installed keyboard that allows an attacker to remotely execute code as a privileged (system) user.
If the flaw in the keyboard is exploited, an attacker could remotely:
- Access sensors and resources like GPS, camera and microphone
- Secretly install malicious app(s) without the user knowing
- Tamper with how other apps work or how the phone works
- Eavesdrop on incoming/outgoing messages or voice calls
- Attempt to access sensitive personal data like pictures and text messages
This is a major vulnerability, and knowing the Android update cycle, probably 550 out of the 600 million devices will be left unpatched for a very long time...