Vulnerability overview: Wrapping up 2020
The past year has given all of us a lot of extra time at home. Security researchers had taken advantage of this time by working harder on finding 0day vulnerabilities. So with the end of the year approaching, we gathered a few of the top vulnerabilities reported to SSD in 2020.
PHP SplDoublyLinkedList UAF Sandbox Escape
This Use After Free vulnerability was discovered by independent security researcher Charles Fol (@cfreal_) and has been one of the most popular vulnerabilities reported to SSD in 2020. The flaw affects PHP’s SplDoublyLinkedList and allows an attacker to escape disable_functions restrictions.
SplDoublyLinkedList is a doubly-linked list supporting iteration by keeping a pointer to the “current” DLL element. An attacker can then call next() or prev() to make the DLL point to another element.
This will delete the element of the DLL and make PHP remove the element from the DLL. Thus destroying the zval and clearing the “current” ptr.
Even though the zval was destroyed the “current’’ will still be pointing to the associated element, even if it was removed from the list.
This allows for an easy UAF by calling $dll->next() or $dll->prev() in the zval’s destructor and bypassing PHP’s limitations in order to execute code.
CVE-2020–13166 — MyLittleAdmin PreAuth RCE
An anonymous independent researcher reported to SSD that a Remote Command Execution can be made on the web-based management tool, MyLittleAdmin.
MyLittleAdmin is a web-based management tool specially designed for MS SQL Servers. This tool utilizes a hardcoded machineKey for all installations, kept in the file: C:\Program Files (x86)\MyLittleAdmin\web.config.
The researcher discovered that objects can be serialized on a remote server, making the ASP code parse them as if they were MyLittleAdmin’s objects. Thus allowing an attacker to execute commands on the remote server.
Even though MyLittleAdmin seems to be discontinued, there are still numerous active installations present on the web. This vulnerability has yet to be fixed by the vendor and we suspect that this sort of vulnerability can be found on previous versions of MyLittleAdmin as well.
Aegir with Apache Local Privilege Escalation
This vulnerability was reported to SSD by another anonymous researcher that discovered there’s an LPE vulnerability present when installing Aegir using official channels.
Aegir is a free, Unix-based, hosting control panel for Drupal, WordPress and CiviCRM websites. Our researcher discovered that an LPE could be executed during Aegir’s installation process, since the program installs an unsafe sudoer rule that will allow the user Aegir to call /usr/sbin/apache2ctl. By doing this, the user aegir can reload apache2‘s configuration to support new virtual hosts making it possible to execute arbitrary commands as root.
Aegir has since released a statement stating that the user aegir shouldn’t be used by any untrusted user and that customers should migrate to a Nginx setup (which is now the default) to prevent similar attacks in the future.
CVE-2020–3153 — Cisco AnyConnect Privilege Elevation through Path Traversal
Yorick Koster reported this Path Traversal vulnerability to the SSD Secure Disclosure program earlier this year. Yorick discovered that a Path Traversal attack can be done on Cisco AnyConnect Secure Mobility Client by using it’s auto-update function.
This flaw can occur because AnyConnect allows low-privileged users to update AnyConnect by themselves and launch the vpndownloader application. A local user can thus create and run files outside the temporary installer folder via a Path Traversal attack on this application. A successful exploitation of this vulnerability can even lead the user to gain elevated SYSTEM privileges.
SSD notified Cisco that the vulnerability was found and a patch has been released to correct this issue. The patch may be found here.
Looking into 2021
These are just a few of the vulnerabilities that SSD published this year. Every year we expand our range to support new software and hardware items. We also accept items outside our scope, aiming to keep the ecosystem as safe as possible.
We are constantly publishing our findings, intended on educating our global security researcher’s community. You can find more vulnerabilities on our Advisories page.
We aim to see our community growing in 2021 with more vulnerabilities being discovered, perhaps one of these vulnerabilities will be discovered by you. Send us your findings here using our report template.
Until then, have a great new year and happy disclosures!
