UPDATE – Bugzilla Zero-Day could trigger another Internet earthquake

Pierluigi Paganini October 06, 2014

A zero-day in Bugzilla bug-tracking tool allows anyone to view detailed reports about unfixed vulnerabilities in a wide range of vulnerability repositories.

A new vulnerability in Bugzilla is scaring the security industry, it affects the Mozilla’s bug-tracking software, and could have a serious impact. The vulnerability in Bugzilla could be exploited by attackers to view detailed information regarding unfixed vulnerabilities in a wide range of applications.

Bugzilla announced that a fix for this severe weakness will be released as soon as possible, the experts believe that the organization will release it today.

The vulnerability databases are a mine of information for attackers that intend to exploit unfixed flaws in targeted applications, these information could be used by hackers for attacks or sold on the underground market to other threat actors.

The bug resides in Bugzilla account creation processes which allows attackers to create a Bugzilla account that bypasses validation and allows for privilege escalation. The attacker could exploit the flaw to create a new account, even with an administrator profile that belong to the targeted domain.

On the Bugzilla website are listed nearly 150 installations belonging to organization available on the Internet and much more private deployment. The list includes popular organizations like Apache, GNOME, Mozilla, Novell, Project, OpenOffice, Red Hat, Sandia National Laboratories, the Nessus Security Scanner, Wikimedia Foundation and Wireshark.

bugzilla sample

A researcher at Check Point Software Technologies,  Shahar Tal, reported the vulnerability to the Mozilla team explaining that he was able to register as [email protected] to access report on private bugs managed by Mozilla.

“For example, we registered as [email protected], and suddenly we could see every private bug under Firefox and everything else under Mozilla.” “We were able to inject an attacker-controlled string into any database field post-validation, including the ‘login_name’,” Tal said. “I don’t want to get into more details than that at this point in time.” He would not divulge details about the exploit.

Tal explained that the vulnerability was discovered during a vulnerability assessment and he anticipated that further disconcerting results will be revealed at the next Chaos Computer Club (CCC) in Hamburg.

“This vulnerability was discovered during an investigation we are currently running of some Perl issues,” he said. “We have some very interesting results coming up in that research (Bugzilla is a good sample, but not the last one), which we plan to present at the upcoming CCC in Hamburg later this year.”

Security expert Brian Krebs revealed that Sid Stamm, a security and privacy engineer with Mozilla has confirmed that the vulnerability affect Bugzilla application, Stamm said Mozilla is not aware of any breaches caused by the exploitation of to this flaw.

Stay tuned for more info.

Pierluigi Paganini

(Security Affairs – Bugzilla, Mozilla)


Update 2014/10/07:

Bugzilla has issued an update that fix this vulnerability and several others in Bugzilla, it is available at the link here.

Update 2 2014/10/07 from ThreatPost

Yahoo CISO Alex Stamos refuted claims made by a Louisiana security company that a number of Yahoo servers had been compromised by Romanian hackers using Shellshock exploits against the vulnerability in Bash.

Stamos said three Yahoo Sports API servers were infected with malware by hackers looking for webservers vulnerable to the Shellshock vulnerability, but the exploits were not related to Shellshock. Those servers, which provide live game streaming, do not store user data and were isolated upon discovery of malware, Stamos said.

“These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters,” Stamos wrote in a post to Hacker News. “This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.”


you might also like

leave a comment