<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OSSP - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/ossp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/ossp/feed.xml" rel="self" type="application/rss+xml"/><item><title>iSelect 1.4.0-2+b1 Local Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-iselect-buffer-overflow/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-iselect-buffer-overflow/</guid><description>iSelect 1.4.0-2+b1 contains a local buffer overflow vulnerability, allowing local attackers to execute arbitrary code by supplying an oversized value to the -k/--key parameter and overflowing a 1024-byte stack buffer.</description><content:encoded><![CDATA[<p>iSelect 1.4.0-2+b1 is vulnerable to a local buffer overflow. This vulnerability allows a local attacker to execute arbitrary code with the privileges of the user running the application. The vulnerability occurs when the application processes an overly long value provided to the <code>-k</code> or <code>--key</code> parameter. By crafting a malicious argument, an attacker can overwrite the stack buffer, inject shellcode, and gain control of program execution. Successful exploitation can lead to arbitrary code execution and potentially full system compromise within the user's security context. This vulnerability was reported in 2016, but can still exist in unpatched or older systems where iSelect is deployed.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains local access to a system with iSelect 1.4.0-2+b1 installed.</li>
<li>Attacker crafts a malicious command-line argument for iSelect, specifically targeting the <code>-k</code> or <code>--key</code> parameter.</li>
<li>The crafted argument includes a NOP sled, followed by shellcode, and a return address that points back to the NOP sled or shellcode. The total length of the argument exceeds 1024 bytes.</li>
<li>The attacker executes iSelect with the malicious argument. The overly long input is copied into a 1024-byte stack buffer without proper bounds checking.</li>
<li>The buffer overflow overwrites adjacent memory on the stack, including the return address.</li>
<li>iSelect attempts to return from the vulnerable function, but instead jumps to the attacker-controlled address (NOP sled or shellcode).</li>
<li>The shellcode executes with the privileges of the user running iSelect. This could involve creating new processes, modifying files, or establishing a reverse shell.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability results in arbitrary code execution with the privileges of the user running iSelect. This could allow an attacker to escalate privileges, install malware, steal sensitive data, or disrupt system operations. Due to the local nature of the attack, an attacker must first gain access to the target system. The severity is high because it allows complete compromise of the application and potentially the user's account.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade iSelect to a patched version that addresses the buffer overflow vulnerability, if a patch is available.</li>
<li>Monitor process execution for iSelect being launched with unusually long command-line arguments using the Sigma rule <code>Detect iSelect Buffer Overflow Attempt</code>.</li>
<li>Implement access controls to limit who can execute iSelect on vulnerable systems.</li>
<li>Consider deploying application whitelisting to prevent the execution of unauthorized code within the iSelect process.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2016-20048</category><category>buffer-overflow</category><category>local-privilege-escalation</category></item></channel></rss>