Security Bulletin

Security Bulletin #118 – 1 June 2017

2017 / 06 / 01

A recently discovered Linux flaw could be exploited by Sudo Users to gain Root Privileges

Security researchers at Qualys Security have discovered a Linux flaw that could be exploited to gain root privileges and, on SELinux-enabled systems, to overwrite any file on the filesystem. The high-severity flaw, tracked as CVE-2017-1000367, resides in Sudo's get_process_ttyname() function for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem. It can be triggered by a local user who already has permission to execute commands via Sudo, and it would allow such a user to escalate privileges to root. Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command's output, including root-owned files. To exploit the issue, a Sudo user would have to choose a device number that doesn't exist under /dev. If the terminal isn't present under the /dev/pts directory when Sudo performs a breadth-first search of /dev, the user could allocate a pseudo-terminal between the two searches and create a "symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm". The flaw affects all Sudo versions from 1.8.6p7 through 1.8.20; Sudo 1.8.20p1 fixes it. The issue was rated with a CVSS3 base score of 7.8.
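A practical first step for defenders is to inventory which hosts run a Sudo build inside the affected range. The Python below is an added example, not code from the bulletin or from the Sudo project: it parses the version string printed on the first line of `sudo -V` (assumed here to have the form "Sudo version X.Y.Z[pN]") and classifies it against the range the bulletin gives, 1.8.6p7 through 1.8.20, with 1.8.20p1 as the fix. The sample `sudo -V` lines and host names are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level)

# Range taken from the bulletin: 1.8.6p7 through 1.8.20 are affected and
# 1.8.20p1 carries the fix. A plain "1.8.20" is modelled as p-level 0 so
# that it sorts below "1.8.20p1".
FIRST_AFFECTED: Version = (1, 8, 6, 7)
LAST_AFFECTED: Version = (1, 8, 20, 0)
FIXED_IN: Version = (1, 8, 20, 1)

# Matches "1.8.20p1" as well as "1.8.20"; the pN suffix is optional.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")


def parse_sudo_version(text: str) -> Optional[Version]:
    """Pull the first X.Y.Z[pN] version out of free text (for example the
    first line of `sudo -V`) and return it as a tuple that compares correctly."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: Version) -> bool:
    """True when the version lies inside the range the bulletin lists."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def assess(sudo_v_output: str) -> str:
    """Classify `sudo -V` output as 'affected', 'not-affected' or 'unknown'."""
    version = parse_sudo_version(sudo_v_output)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def format_version(version: Version) -> str:
    """Render a version tuple back into Sudo's own X.Y.Z[pN] notation."""
    major, minor, patch, plevel = version
    base = f"{major}.{minor}.{patch}"
    return f"{base}p{plevel}" if plevel else base


if __name__ == "__main__":
    # Constructed sample first lines of `sudo -V` from several hosts.
    samples = {
        "host-a": "Sudo version 1.8.19p2",       # inside the affected range
        "host-b": "Sudo version 1.8.20p1",       # the fixed release
        "host-c": "Sudo version 1.8.6p5",        # older than the first affected build
        "host-d": "Sudo version 1.8.21",         # newer than the fix
        "host-e": "sudo: command not found",     # no version to parse
    }
    for host, line in samples.items():
        version = parse_sudo_version(line)
        shown = format_version(version) if version else "?"
        print(f"{host}: {shown:>10} -> {assess(line)}")
```

A version check of this kind only says whether the upstream build is in range. Distributions often backport a fix while keeping the old version number, so treat "affected" as a prompt to confirm against the vendor's advisory for that package rather than as proof, and remember that the arbitrary-file-overwrite impact the bulletin describes applies to SELinux-enabled systems.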


ESET releases decryptor for AESNI ransomware variants, including XData

Releasing master keys for older ransomware variants has become something of a trend these days. Shortly after the release of the updated Crysis decryptor, master keys for some of the variants of the AES-NI family were published, specifically Win32/Filecoder.AESNI.B and Win32/Filecoder.AESNI.C, also known as XData. Based on these keys, ESET experts have prepared an AES-NI decryption tool. The tool works for files encrypted with the offline RSA key used by AES-NI variant B, which adds the extensions .aes256, .aes_ni, and .aes_ni_0day to affected files, as well as for files affected by AES-NI variant C (XData), which adds the extension .~xdata~. Victims who still have their encrypted files can now download the decryptor from the utilities page.

Judy may have a sweet name but it doesn't love you: Judy malware may have infected 36 million users

Google is suffering once again from malicious software found inside popular apps available on the Play Store. Judy is designed to infect Android devices and generate false clicks on advertisements. The malware developers first designed and uploaded a bait program to the Google Play Store. Most of the bait apps used by Judy appear to be games or simulated doll dress-up apps aimed at children. The bait programs appeared innocent to the user and passed Google's checks because they contained no malicious code. Both the user and Google were unaware that the URL the bait app contacted actually led to the malicious command server. Once a user downloaded and started the app, the command server infected the unknowing user with a silent, invisible web browser driven by JavaScript. The malware used that JavaScript code to locate and click on Google ad banners once a targeted series of websites had been loaded inside the silent browser. The silent browser then imitated a real user by clicking on the paid advertisements and banners, so each infected user unknowingly generated thousands of clicks a day. The fake clicks generated revenue for the malware developer and cheated the paying advertisers. The malicious software packages have all been pulled from the Google Play Store, along with several other vendors' packages that reportedly contained the same malware code.

CERT-FR Weekly News Alert

Current Alerts

  • CERTFR-2017-ALE-008: Multiple vulnerabilities in Microsoft Windows XP and Windows Server 2003 (15 May 2017)
  • CERTFR-2017-ALE-011: Jaff unsolicited e-mail campaign (14 May 2017)
  • CERTFR-2017-ALE-010: Spread of ransomware exploiting the MS17-010 vulnerabilities (12 May 2017)