sb-nz logo
Story image

Xfinity left vulnerable to serious security threats - Swascan

Recently, the Swascan vulnerability team uncovered potential security vulnerabilities and notified Xfinity through their responsible disclosure program.

The vulnerabilities impacted all three pillars of the CIA triad:

  • Confidentiality;
  • Integrity;
  • Availability.

In detail, the vulnerabilities identified belonged to the following CWE categories:

CWE-126 (Buffer Over-read)

This typically occurs when the pointer or its index is incremented to a position beyond the bounds of the buffer or when pointer arithmetic results in a position outside of the valid memory location.

This may result in the exposure of sensitive information or possibly a crash.

Possible impact: By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can be bypass protection mechanisms such as ASLR in order to improve the likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.

CWE-20 (Improper Input Validation)

When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application.

This will lead to parts of the system receiving unintended input, which may result in an altered control flow, arbitrary control of a resource, or arbitrary code execution.

Possible impact: The attack using this class of vulnerabilities could compromise the availability of the target, where an attacker could provide unexpected values and cause a program crash or excessive consumption of resources, such as memory and CPU.

The confidentiality by reading confidential data if they are able to control resource references and all three categories (Integrity, Availability and Confidentiality) by using malicious input to modify data or possibly alter control flow in unexpected ways, including arbitrary command execution.

CWE-416 (Use After Free)

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw.

The simplest way data corruption may occur involves the system’s reuse of the freed memory.

Use-after-free errors have two common and sometimes overlapping causes: error conditions and other exceptional circumstances, or confusion over which part of the program is responsible for freeing the memory.

In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed.

The original pointer to the freed memory is used again and points to somewhere within the new allocation.

As the data is changed, it corrupts the validly used memory; this induces undefined behaviour in the process.

If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data.

If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Possible impact: An attack that uses a CWE-416-type vulnerability could have an effect on the integrity of the target system. 

This is because the use of previously freed memory may corrupt valid data if the memory area in question has been allocated and used properly elsewhere.

Availability could also be affected.

If chunk consolidation occurs after the use of previously freed data, the process may crash when invalid data is used as chunk information.

It could also impact all three areas (integrity, availability and confidentiality).

If malicious data is entered before chunk consolidation can take place, it may be possible to take advantage of a write-what-where primitive to execute arbitrary code.