Cisco Blogs


Vulnerability Spotlight: MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos. Post authored by Earl Carter and William Largent

Talos is disclosing the discovery of an exploitable buffer overflow vulnerability in the MiniUPnP library, TALOS-2015-0035 (CVE-2015-6031). The buffer overflow is present in the client-side XML parser functionality in miniupnpc. A specially crafted XML response can lead to a stack-based buffer overflow, resulting in remote code execution.

This miniupnpc buffer overflow is present in the client-side part of the library. The vulnerable code is triggered by an oversized XML element name when applications using the miniupnpc library perform initial network discovery at startup and parse the replies from UPnP servers on the local network.

MiniUPnP is commonly used to allow two devices that are both behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, a technique commonly known as “hole punching”. Software implementations of this technique enable peer-to-peer applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.

When parsing the UPnP replies, the XML parser is initialized and the `parsexml()` function is called:


Looking Into a Crystal Ball for the Future of Cybersecurity

Every once in a while you need to take a step back and think about the future. Where’s a good place to look for high-risk, high-opportunity ideas in the future of computer security? The New Security Paradigms Workshop (NSPW) is a crystal ball view into the future of cybersecurity. NSPW is an invitation-only workshop dedicated to in-depth discussions of radical, forward-thinking security research. Here are highlights from a handful of presentations that pursue areas that might be evocative or inspirational to the broader Cisco security community.

Milware: Identification and Implications of State Authored Malicious Software is a research effort that starts by seeking to establish a technical basis for distinguishing between malware and milware. The authors evaluated and reverse engineered sample malicious software to establish an initial set of criteria that consistently distinguishes the samples identified as state-authored from those identified as non-state-authored. These are:

  • Specificity of (constraints on) propagation method
  • Manner of movement in target network (e.g. lateral, higher value targets)
  • Specificity and severity of exploits (e.g. higher CVSS scores), and
  • Customization of payload (code and tools used).


Cybersecurity: What Needs to Change Now

October is National Cyber Security Awareness Month in the United States. This year’s campaign emphasizes cybersecurity as part of a deliberate strategy and a shared responsibility, not just a checkbox item.

At Cisco, we believe two key things must change in the security industry. First, we need to acknowledge that security is a strategy, and one that senior leaders in all organizations must embrace and own. Second, IT vendors—and all other vendors that are now embedding information technology in their offerings—must produce products, services and solutions that customers can trust.

Given Cisco’s global security footprint, we see a lot of data on Internet attacks, infected websites, malware, and actor activity. This gives us unique insight into what is affecting businesses, including our own. We’ve had the opportunity to be “on the ground” for every major breach in the last couple of years, with team members of mine on site helping the people who need help.

Down the Rabbit Hole: Botnet Analysis for Non-Reverse Engineers

This post is authored by Earl Carter & Holger Unterbrink.


Talos is often tasked with mapping the backend network for a specific piece of malware. One approach is to first reverse engineer the sample and determine exactly how it operates. But what if there is no time or resources to take the sample apart? This post shows how to examine a botnet from the Fareit family, starting with just an IP address. Then, using sandbox communities like Cisco ThreatGRID and open source products like Gephi and VirusTotal, we will track down and visualize the botnet.

Talos recently discovered some activity from the Fareit trojan. This family of malware has a significant history associated with malware distribution. It is mainly an information stealer and malware downloader network that installs other malware on infected machines. In this campaign, it mainly tries to steal Firefox and other credentials. It is possible that this botnet is sold as a pay-per-infection botnet in the underground markets. Pay-per-infection is an underground business model in which criminals pay other criminals to distribute their malware. The analysis below was mainly done in July 2015. Let’s take a walk on the wild side…

AMP’s behaviour-based detection found suspicious executables in one of our customer networks that downloaded files using the following URLs.

We began analysing the infrastructure with a focus on these two IP addresses and checked what other files they had been distributing. Initial analysis showed that VirusTotal found 25 and 38 files distributed from these two IP addresses. Almost all of the files in VirusTotal had different hashes but similar or identical filenames. The following list is a sample of some of the files found in VirusTotal.

1197cb2789ef6e29abf83938b8519fd0c56c5f0195fa4cbc7459aa573d9e521b (cclub02.exe)
58f49493aa5d3624dc225ba0a031772805af708b38abd5a620edf79d0d3f7da0 (cclub02.exe)
d1b98b7b0061fbbdfc9c2a5a5f3f3bbb0ad3d03125c5a8ab676df031a9900399 (cclub02.exe)
c054e80e02c923c4314628b5f9e3cb2cad1aa9323cbcd79d34205ad1e3cad6c3 (cclub12.exe)
bd30242996a3689c36008a63d007b982d9de693766d40e43fe13f69d76e61b63 (cclub12.exe)
c609ef45f7ff918cbac24755a3a3becc65d1c06e487acd801b76a1f46e654765 (tarhun1.exe)


Point of Persistence

Several recent cyber attacks have served as great reminders that we need to continue to reassess how we are protecting our networks and ensure that we make no assumptions about any device in the network being secure.

One example of this is “SYNful Knock,” a type of persistent malware that allows an attacker to gain control of an affected Cisco device and compromise its integrity with a modified Cisco IOS software image. The attack did not leverage any product vulnerabilities, and was shown to require valid administrative credentials or physical access to the victim’s device. Cisco customers can find more information and resources about SYNful Knock in the SYNful Knock Event Response Page. One can easily say, “Hey, they would need console access and valid credentials in order to successfully upload new firmware.” In the old days we had a saying, “He who owns the console, owns the system.” That used to be true when the consoles were not connected to terminal servers, which essentially give anyone physical access over the network. One thing that can be certain is that for someone to upload firmware into a router, they definitely had a reliable “Point of Persistence.”

Another recent high-profile attack, although there have not been any confirmed detailed reports on how the attack occurred, included indications that the attackers may have achieved a firm “Point of Persistence” in the network by compromising a printer. When I say persistence in this case, I mean by an order of magnitude in duration, as indicated by the plethora of information that was leaked. I am intentionally leaving out links and references here and I encourage interested readers to do their research to confirm the “loosely regarded” information. What we do know as an industry is that we have known about the risk of printers being compromised in our networks. I just don’t think anybody viewed the risk of printers being used as a pivot point for cyber attackers at the time.
