ATI Update ATI-2020-16

New Protocols & Applications (2)

| Name | Category | Info |
|---|---|---|
| GooglePlay Aug20 | Mobile | Google Play, formerly Android Market, is a digital distribution service operated and developed by Google. It serves as the official app store for devices running the Google-certified Android operating system, allowing users to browse and download applications developed with the Android software development kit (SDK) and published through Google. |
| Kerberos V5 | Authentication | Kerberos is a computer-network authentication protocol that uses tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client-server model. Kerberos uses mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. This is a simulation of Kerberos authentication using a WSA and WCCP setup. |

New Super Flows (4)

| Name | Category | Info |
|---|---|---|
| ClientSim Radius Access (over TCP) | Authentication | This simulates a ClientSim RADIUS ACCESS session over TCP with the client using the RADIUS PAP protocol to authenticate to the server. |
| ClientSim Radius Accounting (over TCP) | Authentication | This simulates a ClientSim RADIUS ACCOUNTING session over TCP with the client using the RADIUS ACCOUNTING protocol. |
| GooglePlay Aug20 | Mobile | Simulates the use of the Google Play Store on Android 9.0. A user opens the Google Play app, searches for an app, views an app and downloads it. |
| Kerberos V5 Access Website through WSA | Authentication | This simulates a user accessing a website from the command line using Curl. Between the Client and Server machine there is a WSA (Web Security Appliance) which redirects the user to authenticate through a Kerberos ticket before reaching the server. After authentication, the client sends the request to the server, but the access to the website is blocked by the WSA as it is considered harmful. |

New Strikes (2)

| CVSS | ID | References | Category | Info |
|---|---|---|---|---|
| 7.5 | E20-9xp41 | CVE-2020-17946 | Exploits | A server-side template injection vulnerability that leads to remote code execution exists in vBulletin due to a logic bug in the patch for CVE-2019-16759. By exploiting it, a remote unauthenticated attacker may execute arbitrary code using the server's PHP engine. |
| 6.8 | E20-0xgq1 | CVE-2019-8762, GOOGLE-1916 | Exploits | This strike exploits a vulnerability that exists inside Apple Safari WebKit. An attacker can insert frame elements with an empty URL into a node to overflow the subframe counter. When this node is later removed, the subframes won't be detached. The attacker can also make a subframe "survive" a cross-origin page load. It is possible for the new document to inherit the security context of its parent document, which can be an arbitrary cross-origin page, while the contents will be attacker-controlled. |

Defects Resolved

| Ticket | Info |
|---|---|
| ATIBPS-16856 | Fixed Strike E18-0ql21. The client now sends the malicious request directly to the server, instead of the server sending the malicious PoC to be executed. |