Security Techniques

gethostbyname() GHOST Buffer Overflow

During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it — and its impact — thoroughly, and named this vulnerability “GHOST”.

https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

https://www.qualys.com/research/security-advisories/exim_ghost_bof.rb

Security Techniques

Diaphora, a program diffing plugin for IDA Pro

Diaphora, a program diffing plugin for IDA Pro: Some weeks ago I started developing a binary diffing plugin for IDA Pro (in IDA Python) like Zynamics BinDiff, DarunGrim or Turbo Diff. The reasons to create one more (open source) plugin for such a task are various, but the following are the main ones:

  • We need an Open Source plugin/tool that is updated, maintained and easy to modify or adapt.
  • The plugin should do much more than what the current ones do. It must offer much more functionality than previously existing ones.
  • The plugin should be as deeply integrated in IDA as possible (because 99% of serious researchers use IDA as the main tool).
  • The plugin must not be subject to a big corporation’s desires (i.e., Google).

The plugin or tool I have used the most, and the one I liked the most, was Zynamics BinDiff. However, after Google bought the company, updates to it are either too slow or non-existent (you can check this issue and, my favourite, this one, where Google people tell you to actually patch the binary and that, maybe, they can have a real fix for the next week). Also, nobody can be sure Google is not going to finally kill the product, making it exclusively a private tool (i.e., only for Google) or simply killing it because they don’t want to support it for some reason (like it killed Google Code or other things before). For this reason, because I like no current open source plugins for bindiffing and, also, because they lack most of the features that, in my mind, a decent binary diffing tool should have today, I decided to create my own: Diaphora.

Security Techniques

wishstudio/flinux

wishstudio/flinux: Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows, in contrast to Cygwin and other tools. There is a comparison over existing projects.

Security Techniques

Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution

Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution: It is possible to bypass the Netscaler WAF using a method which may be called HTTP Header Pollution. The setup: an Apache web server with default configuration on Windows (XAMPP); a SOAP web service which is written in PHP and vulnerable to SQL injection; the Netscaler WAF with SQL injection rules. First request: ‘ union select current_user,2# – Netscaler blocks it.

Second request: The same content and an additional HTTP header which is “Content-Type: application/octet-stream”. – It bypasses the WAF but the web server misinterprets it.

Third request: The same content and two additional HTTP headers which are “Content-Type: application/octet-stream” and “Content-Type: text/xml” in that order. The request is able to bypass the WAF and the web server runs it.
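The condition the third request relies on is that the WAF and the origin server pick different occurrences of a repeated Content-Type header. As an added example (not code from the original write-up), this Python parses a raw request and flags that condition so a reverse proxy or log review can reject or alert on it before the WAF is asked to inspect the body; the request builder, its path and host, and the list of body-semantic headers are assumptions for this example.

```python
from collections import defaultdict

# Headers whose value decides how the body is parsed; a front end (WAF) and
# an origin server that pick different occurrences disagree about the body.
# Assumed list for this example, not taken from the write-up.
BODY_SEMANTIC_HEADERS = {"content-type", "content-length", "transfer-encoding"}


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs in wire order with names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_header_pollution(raw: bytes) -> dict[str, list[str]]:
    """Map each body-semantic header seen with more than one distinct value
    to its values in wire order; an empty dict means the request is clean."""
    seen = defaultdict(list)
    for name, value in parse_headers(raw):
        if name in BODY_SEMANTIC_HEADERS:
            seen[name].append(value)
    return {n: v for n, v in seen.items() if len(set(v)) > 1}


def first_vs_last_disagree(raw: bytes, header: str = "content-type") -> bool:
    """True when a first-occurrence parser and a last-occurrence parser would
    read different values for `header`: the condition the bypass relies on."""
    values = [v for n, v in parse_headers(raw) if n == header]
    return len(values) > 1 and values[0] != values[-1]


def build_request(content_types: list[str], body: bytes = b"<soap/>") -> bytes:
    """Constructed sample POST with one Content-Type line per entry, in order.
    The path and host are placeholders, not the endpoint from the write-up."""
    lines = [b"POST /service.php HTTP/1.1", b"Host: example.test"]
    lines += [f"Content-Type: {ct}".encode() for ct in content_types]
    lines.append(f"Content-Length: {len(body)}".encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


if __name__ == "__main__":
    req = build_request(["application/octet-stream", "text/xml"])
    print(find_header_pollution(req), first_vs_last_disagree(req))
```

A repeated header with identical values is reported as clean, since both parsers agree; only conflicting values produce the front-end/back-end split the write-up describes.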

Hacks and Incidents

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last: In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn’t know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.

It wasn’t the first time the operators—dubbed the “Equation Group” by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group’s extensive library. (Kaspersky settled on the name Equation Group because of members’ strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)

Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.

Security News

Password cracking experts decipher elusive Equation Group crypto hash

Password cracking experts decipher elusive Equation Group crypto hash: Unraveling a mystery that eluded the researchers analyzing the highly advanced Equation Group the world learned about Monday, password crackers have deciphered a cryptographic hash buried in one of the hacking crew’s exploits. It’s Arabic for “unregistered.”

Researchers for Moscow-based Kaspersky Lab spent more than two weeks trying to crack the MD5 hash using a computer that tried more than 300 billion plaintext guesses every second. After coming up empty-handed, they enlisted the help of password-cracking experts, both privately and on Twitter, in hopes they would do better. Password crackers Jens Steube and Philipp Schmidt spent only a few hours before figuring out the plaintext behind the hash e6d290a03b70cfa5d4451da444bdea39 was غير مسجل, which is Arabic for “unregistered.” The hex-encoded string for the same Arabic word is dbedd120e3d3cce1.

Hacks and Incidents

USB Killer

USB Killer: It was a usual gloomy winter morning. My colleagues and I were drinking our morning coffee, sharing the news and there were no signs of trouble. But then a friend told about…

(a quote from a chat in Skype):

I read an article about how a dude in the subway fished out a USB flash drive from the outer pocket of some guy’s bag. The USB drive had “128” written on it. He came home, inserted it into his laptop and burnt half of it down. He wrote “129” on the USB drive and now has it in the outer pocket of his bag…

Security Techniques

Rowhammer: Linux Kernel Privilege Escalation PoC

Rowhammer: Linux Kernel Privilege Escalation PoC:

http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
https://code.google.com/p/google-security-research/issues/detail?id=283

Full PoC: http://www.exploit-db.com/sploits/36310.tar.gz

This is a proof-of-concept exploit that is able to gain kernel privileges on machines that are susceptible to the DRAM “rowhammer” problem. It runs as an unprivileged userland process on x86-64 Linux. It works by inducing bit flips in page table entries (PTEs).

For development purposes, the exploit program has a test mode in which it induces a bit flip by writing to /dev/mem. qemu_runner.py will run the exploit program in test mode in a QEMU VM. It assumes that “bzImage” (in the current directory) is a Linux kernel image that was built with /dev/mem enabled (specifically, with the CONFIG_STRICT_DEVMEM option disabled).

Hacks and Incidents

Two “WontFix” vulnerabilities in Facebook Connect

Two “WontFix” vulnerabilities in Facebook Connect: TL;DR Every website with “Connect Facebook account and log in with it” is vulnerable to account hijacking. Every website relying on signed_request (for example the official JS SDK) is vulnerable to account takeover, as soon as an attacker finds a 302 redirect to another domain.

I don’t think these will be fixed, as I’ve heard from the Facebook team that it will break compatibility. I really wish they would fix it though; as you can see below, I feel these are serious issues.
