Security Newsletter

3 September 2018

Exploit Published for Unpatched Flaw in Windows Task Scheduler

A security researcher has published on Twitter details about a vulnerability in the Windows OS. The vulnerability is a "local privilege escalation" issue that allows an attacker to elevate the access of malicious code from a limited USER role to an all-access SYSTEM account.

Will Dormann, an engineer of CERT/CC, has confirmed the vulnerability and has issued an official CERT/CC alert last night. Dormann says the vulnerability resides in the Windows Task Scheduler, and more precisely in the Advanced Local Procedure Call (ALPC) interface.

The researcher, who goes online by the name of SandboxEscaper, has released proof-of-concept (PoC) code on GitHub for exploiting the ALPC interface to gain SYSTEM access on a Windows system. Malware authors will particularly be interested in this PoC, as it allows benign malware to gain admin access on targeted systems using an exploit more reliable than many existing methods. SandboxEscaper has not notified Microsoft about the vulnerability, meaning there is no official patch for this flaw. Currently, all Windows 64-bit users are vulnerable. The zero-day flaw has been confirmed working on a "fully-patched 64-bit Windows 10 system."

A patch is available for the Windows zero-day, but it’s not from Microsoft. Instead, the fix comes from 0patch, a community project that aims at addressing software vulnerabilities by delivering tiny fixes to users worldwide. The fix for this week’s vulnerability is also very small, at only 13 bytes. It was released within 24 hours after the bug was ousted on Twitter on Monday, and, already validated and verified, it is now rolling out to users.

 

Critical Flaw Fixed in Packagist, PHP's Largest Package Repository

The maintainers of Packagist, the PHP ecosystem's largest package repository, have fixed a critical vulnerability on their official website that could have allowed an attacker to hijack their service. The flaw was discovered and reported by security researcher Max Justicz.

According to Justicz, the "Submit Package" input field for submitting new PHP packages via the Packagist homepage allowed an attacker to run a malicious command in the format of "$(MALICIOUS_COMMANDS)". Justicz discovered that Packagist was improperly escaping inputted characters when performing checks to see if the URL leads to a Perforce or Subversion repository, and was executing the malicious commands.

Packagist is not a package manager, but only a host for PHP packages. It is the default package host behind Composer, the most popular PHP package manager. Packagist is the largest package hosting service in the PHP ecosystem, with over 435 million package installs reported in July 2018 alone.

 

Cutting room floor

 

#Tech and #Tools

This content was created by Kindred Group Security. Please share if you enjoyed!

Kindred Group in brief

Kindred is one of the largest online gambling companies in the world with over 24 million customers across 100 markets. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and as an innovation driven company that builds on trust.