Thursday, June 26, 2014

Back To The Future: Unix Wildcards Gone Wild

On June, 25th 2014 DefenseCode released a whitepaper regarding a vulnerability
affecting all *nix derivatives:

Basically, this bug allows a user to affect shell commands issued by some other user
by creating files with special filenames. If the other user is a privileged user like
root this would theoretically lead to an elevation of privileges aka "local root" or
"local privilege elevation".

The paper contains some basic examples for different unix commands and their impact
if used in combination with wildcards.

At a first blush, the vulnerability does not seem to be very critical. It looks like
that it would only affect shell scripts badly coded and afterwards executed by some
higher privileged user.

But if you dig a little bit deeper and think about all the different *nix operating
systems, their boot- and shutdown-sequences and their local servers running with high
privileges, one will realize very fast, that this vulnerability has a huge security
impact on most unix like operating systems.

This bug affects Android, iOS, OS X and all the embedded solutions running on Linux.
In addition to this you have Oracle, RedHat and other commercial Linux based systems.

Many of these operating systems have different shell utilities and tools accepting
even more command line options.

A short check on Ubuntu gave us at least 5 commands, besides the ones mentioned in
the whitepaper, vulnerable to this specific problem.

In addition to this you have to imagine Cloud service- or web hosting providers
running cron jobs for backups and similar tasks of their users' data.

This bug has a very high potential when further analyzed.

Since this bug originates from a design problem it will be very interesting on how
operating system vendors address this problem. It is something you cannot fix with a
simple patch. The way on how the system interacts with files has to be completely

Credits for identifying those issues go to Leon Juranic <>

Tuesday, February 18, 2014

SECurity Message Service

Critical vulnerabilities completely compromise ‘Symantec Endpoint Protection’

The award-winning [1] and longtime leader of Gartner report league tables [2]; ‘Symantec Endpoint Protection’, developed by the US-based Symantec Corp. (Nasdaq: SYMC), was shipped without removing several critical security vulnerabilities [3]. The vulnerabilities were discovered in a routine ‘99er’ security crash test by experts of the SEC Consult Vulnerability Lab ( In a 99er security crash test, SEC Consult white-hat experts evaluate the product security for the maximum of 99 working hours to determine if this specific release of a product can be compromised by attackers.

The unremoved vulnerabilities enable state-sponsored or criminal hackers to take full control of the ‘Symantec Endpoint Protection Manager’ server. With the full control of the server the attackers could obliterate the endpoint protection provided by the Symantec solution as they would have full access to the protection features of the endpoints. SEC Consult experts recommend immediately installing the update released by the vendor to counter these vulnerabilities [4].

Since mid-2012 SEC Consult has identified several critical vulnerabilities in other Symantec products during routine security tests. A Support Backdoor was identified in Symantec Messaging Gateway [5] and for the Symantec Web Gateway [6]. The vulnerabilities found enabled attackers to run commands with the privileges of the ‘root’ operating system user and to perform surveillance activities.

SEC Consult strongly advises that customers of Symantec products should demand from the vendor exhaustive security tests by (European) security experts before the implementation of the respective software product.

SEC Consult generally recommends routine security crash tests for standard software products to prevent the procurement of ‘toxic’ (i.e. heavily insecure) software. Toxic Software contains severe security vulnerabilities and poses a severe and highly probable risk to the confidentiality, availability and integrity of its owner.

Further technical information can be found in the SEC Consult Security Advisory [3].

For further information please contact:
Johannes Greil
Head of SEC Consult Vulnerability Lab

Tuesday, September 17, 2013

Federal Office for Information Security (BSI) in Germany and SEC Consult give advice for the development and procurement of web applications

Federal Office for Information Security (BSI) in Germany and SEC Consult give advice for the development and procurement of web applications

Germany is known for its strict regulations regarding data protection and IT security especially in public sector. More and more sensitive data between citizens and public authorities is being transmitted over the internet and processed by web applications. Often this software is developed by third parties and contains severe security vulnerabilities.
The “Bundesamt für Sicherheit in der Informationstechnik” (abbr. BSI, engl. Federal Office for Information Security, is the national security agency in Germany with the goal to promote IT security. The BSI and SEC Consult have developed together new guidelines on how to securely develop software for German public authorities to ensure data protection and information security in general in software products. The guidelines have following aims:
  • Support for procurement of secure web applications for public authorities in Germany
  • Support for vendors and custom software providers to deliver secure web applications for public authorities in Germany
Despite the fact that the guidelines have been developed for German public authorities, they can be used for any other company or organization in and outside of Germany.
The guidelines consider different perspectives, but focus on the same goal – to improve the software security of web applications. 

  • The first guideline „Guideline for the development of secure web applications - recommendations and requirements for contractors“ (in German: „Leitfaden zur Entwicklung sicherer Webanwendungen - Empfehlungen und Anforderungen an die Auftragnehmer”)  gives advice for the software development process and the implementation for contractors developing software for the German government.
  • The second guideline „Guideline for the development of secure web applications - recommendations and requirements for contracting entities in government“ (in German: “Leitfaden zur Entwicklung sicherer Webanwendungen - Empfehlungen und Anforderungen an Auftraggeber aus der öffentlichen Verwaltung”) supports public authorities to check that the applications security requirements for secure web applications. 

The BSI guideline for the development and procurement of secure web applications can be downloaded free from the BSI website (only in German!):