Friday, August 26, 2016

Vulnerability Spotlight: Kaspersky Unhandled Windows Messages Denial of Service Vulnerability

Vulnerability discovered by Marcin ‘Icewall’ Noga of Cisco Talos.


Talos is disclosing the presence of TALOS-2016-0175 / CVE-2016-4329, a local denial of service vulnerability within Kaspersky anti-virus. A system user is able to cause a denial of service against Kaspersky’s avpui.exe process by executing malicious code on the system. As a result, the avpui.exe process, which is protected by Kaspersky Self-Protection, dies.

The vulnerability can only be exploited by a user who is already present on the system. Nevertheless, such a vulnerability may potentially be exploited by a malicious user who wishes to stop anti-virus scanning from informing users about potential malicious activity. This may comprise one step in a longer sequence of malicious activity. Administrators should ensure that the latest version of Kaspersky is installed to remove the vulnerability.
As part of our commitment to responsible disclosure, on discovering the vulnerabilities we notified Kaspersky. We have ensured that a patch to remedy the vulnerabilities was available before publication.


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort rules: 39918,39919

Vulnerability Spotlight: Kernel Information Leak & Multiple DOS Issues Within Kaspersky Internet Security Suite

Vulnerability discovered by Piotr Bania and Marcin ‘Icewall’ Noga of Cisco Talos.


Talos has discovered multiple vulnerabilities in Kaspersky’s Internet Security product which can be used by an attacker to cause a local denial of service attack or to leak memory from any machine running Kaspersky Internet Security software.


To provide anti-virus functionality, Kaspersky’s software hooks into the Windows API via a driver named KLIF. Talos has identified two vulnerabilities in the way that the driver handles intercepted NtUserCreateWindowEx and NtAdjustTokenPrivileges calls. In both cases a malicious application on a machine with Kaspersky’s KLIF driver installed is able to issue one of these API calls with invalid parameters. This can cause the driver to attempt to access inaccessible memory, resulting in a system crash.

A further local denial of service attack is possible through Kaspersky’s KL1 driver. A malicious user can send a specially crafted IOCTL call to the KL1 driver. Under certain conditions, this can cause the driver to read memory outside of an allocated buffer. This may provoke a memory access violation resulting in a system crash.

Monday, August 15, 2016

Vulnerability Spotlight: Multiple Remote Code Execution Vulnerabilities Within Lexmark Perceptive Document Filters

Vulnerabilities discovered by Tyler Bohan & Marcin Noga of Cisco Talos

Talos is today releasing three new vulnerabilities discovered within the Lexmark Perceptive Document Filters library. TALOS-2016-0172, TALOS-2016-0173 and TALOS-2016-0183 allow for remote code execution using specifically crafted files.


These vulnerabilities are present in the Lexmark Document Filters parsing engine, which is used across a wide range of services such as eDiscovery, DLP, big data, content management and others. The library is commonly used across these services to allow for the deep inspection of a multitude of file formats and to offer conversion capabilities, such as from Microsoft document formats into other formats. Lexmark makes this library available to compete against other third party and open source libraries used for such activities.

Document conversion represents an important aspect of many businesses as they attempt to move from an unstructured data solution to a more workable structured data solution in order to improve business efficiency.

The three vulnerabilities disclosed today allow for remote code execution using specifically crafted files such as XLS, Bzip2 & Compound Binary File Format (MS-CFB). This can provide an attacker with the capability to perform remote code execution within your environment and potentially offers the adversary full control of the attacked resource.

Friday, August 12, 2016

Vulnerability Spotlight: Rockwell Automation MicroLogix 1400 SNMP Credentials Vulnerability

This vulnerability was discovered by Patrick DeSantis.


Talos recently discovered a vulnerability in Allen-Bradley Rockwell Automation MicroLogix 1400 Programmable Logic Controllers (PLCs) related to the default configuration that is shipped with devices running affected versions of firmware. This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations. Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.

In addition to the default, documented SNMP community strings of ‘public’ (read) and ‘private’ (read/write), an undocumented community string of ‘wheel’ (read/write) also exists, which enables attackers to make unauthorized device changes, such as modifying settings or conducting malicious firmware updates. It is possible that this community string allows access to other OIDs; however, Talos tested specific use cases only.

Wednesday, August 10, 2016

Vulnerability Spotlight: BlueStacks App Player Privilege Escalation

Discovered by Marcin ‘Icewall’ Noga of Cisco Talos

Talos is releasing an advisory for a vulnerability in BlueStacks App Player (TALOS-2016-0124/CVE-2016-4288). The BlueStacks App Player is designed to enable Android applications to run on Windows PCs and Macintosh computers. It’s commonly used to run popular Android games on these platforms.


A weak registry key permission vulnerability exists in the BlueStacks application. By default the BlueStacks installer sets weak permissions on the registry key containing the InstallDir value, which is later used by the BlueStacks service component. This default configuration gives a malicious user the ability to modify this value, which can lead to privilege escalation.

Let’s examine the BlueStacks registry key where the vulnerable "InstallDir" value is located:

As we can see the "Users" group has full access permissions to this key.
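The post's screenshot of the key's ACL is not reproduced here. As an added example (not from the Talos post or from BlueStacks), the following PowerShell audits a registry key for write-capable rights granted to broad groups such as BUILTIN\Users, which is the condition described above. The key path is an assumed placeholder, since the post does not spell it out.

```powershell
# Added example: report registry ACEs that let low-privileged groups modify a key.
# $KeyPath is a placeholder; substitute the key under review (the post does not state it).
function Test-RegistryKeyWritableByUsers {
    param(
        [Parameter(Mandatory)] [string] $KeyPath
    )

    # Rights that allow changing values (e.g. InstallDir), adding subkeys,
    # or rewriting the ACL itself. FullControl includes all of these bits.
    $R = [System.Security.AccessControl.RegistryRights]
    $WriteRights = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership

    # Principals that any interactive, non-admin user is a member of.
    $BroadGroups = @(
        'BUILTIN\Users',
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($BroadGroups -notcontains $identity) { continue }
        if (($ace.RegistryRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Key      = $KeyPath
                Identity = $identity
                Rights   = $ace.RegistryRights
                Finding  = 'Low-privileged group can modify this key'
            }
        }
    }
}

# Placeholder path: replace with the key that holds the service's InstallDir value.
Test-RegistryKeyWritableByUsers -KeyPath 'HKLM:\SOFTWARE\<vendor>\<product>'
```

An empty result means no broad group holds write-capable rights on that key; any row returned is the weak-permission condition the advisory describes and should be tightened to administrators only.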

Vulnerability Spotlight: MS Edge/Windows PDF Library Arbitrary Code Execution Vulnerability Identified and Patched

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos.

Yesterday, Microsoft released its monthly set of security bulletins and patches for various flaws within currently supported products. Two of the bulletins in yesterday's release are rated critical and address CVE-2016-3319, an arbitrary code execution vulnerability in Microsoft Edge and in the Windows PDF library. With Microsoft's bulletin release, Talos is disclosing the details of this vulnerability, which we identified through our research efforts, on our Vulnerability Report portal.

CVE-2016-3319 (TALOS-2016-0170)

CVE-2016-3319 is an arbitrary code execution vulnerability which manifests in Microsoft Edge and in the Windows PDF library. If a user opens a specifically crafted PDF file on a vulnerable system, the system could execute arbitrary code of an attacker's choosing. On Windows 10 systems that are configured to use Microsoft Edge as the default browser, this vulnerability could be triggered by simply browsing to a website hosting a malicious PDF, as Edge will attempt to render the file contents automatically. Note that this vulnerability affects Windows 8.1, Windows Server 2012 (and R2), and Windows 10.

Tuesday, August 9, 2016

Microsoft Patch Tuesday - August 2016

This post was authored by Edmund Brumaghin and Jonah Samost

Today is Patch Tuesday for August 2016, and Microsoft has released several security bulletins and associated patches to resolve security issues across their products. This month’s patch release includes 9 bulletins addressing 28 vulnerabilities. Five of the bulletins Microsoft has released are rated Critical and address vulnerabilities in Internet Explorer, Edge, Windows Graphics Component, Microsoft Office, and the Windows PDF library. The remaining four bulletins are rated Important and address vulnerabilities in Windows Kernel-Mode Drivers, Secure Boot, Windows Authentication Methods, and ActiveSyncProvider.

Bulletins Rated Critical

Microsoft has listed bulletins MS16-095, MS16-096, MS16-097, MS16-099, MS16-102 as critical in this month’s release.

MS16-095 and MS16-096 are this month’s bulletins addressing security vulnerabilities associated with Microsoft Internet Explorer and Edge. The Internet Explorer bulletin addresses a total of nine vulnerabilities, including five memory corruption bugs and four information disclosure vulnerabilities. The Edge bulletin covers a total of eight vulnerabilities, including a remote code execution vulnerability, four memory corruption bugs and three information disclosure vulnerabilities. The Internet Explorer bulletin is rated Critical for affected Windows clients and Moderate for affected Windows Servers.

Thursday, August 4, 2016

Vulnerability Spotlight: Multiple Arbitrary Code Execution Vulnerabilities Identified in Hancom Hangul Office

Vulnerabilities discovered by the Talos Vulnerability Development Team. Blog post authored by Alex Chiu.

Securing your network and environment is a challenging task, especially when organizations need to keep track of various software packages that are used on a daily basis. Productivity suites, such as Hancom Hangul Office, are an example of critical software that organizations need to track and patch amongst other things such as operating systems, browsers, and antivirus. Talos is committed to helping our customers be as secure as possible through a variety of means, such as identifying zero-day vulnerabilities in critical software packages. Today, Hancom is disclosing 8 arbitrary code execution vulnerabilities identified and reported by Talos. Hancom has released a software update that addresses these vulnerabilities and Talos would like to sincerely thank Hancom for their cooperation.

Hancom Office is commonly used in some parts of the world and is known to be used in various government organizations, public institutions, and non-governmental organizations in South Korea. In fact, the South Korean government previously made Hancom Office its official productivity suite for use on government systems. By some estimates, Hancom has around 30% of the productivity suite market share in South Korea.

The fact that there is a sizeable installation base of Hancom Office makes it an attractive target for adversaries to leverage and exploit. It's believed that the North Korean government is behind several targeted attacks that exploited vulnerabilities in the Hangul word processor. Other companies have previously documented these incidents in 2013 and 2015. In addition, Hancom is actively looking to expand its market share in South Korea and abroad.

Tuesday, August 2, 2016

Macro Intruders: Sneaking Past Office Defenses

This blog was written by Matthew Molyett with contributions from Martin Lee.


Macros have been used since the mid 1990s to spread malware and infect systems. Increased user awareness of the need to disable the macro function within Microsoft Word during the late 90s and early 2000s sent this malware into decline. However, a change in Microsoft (MS) Office file formats dating from 2007 is now being actively exploited to hide the presence of macros and distribute malware at an increasing rate.

In this article, I show how MS Office file formats are being abused and obfuscated, and the extent of distribution of macro malware.