Tag exploit

InfoSec Week 1, 2018

Daniel Shapira from Twistlock wrote a blog about exploiting a Linux kernel vulnerability in the waitid() syscall (CVE-2017-5123) in order to modify the Linux capabilities of a Docker container, gain privileges and escape the container jail.
https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/

There is a critical hardware bug in the Intel chips, which enables a user level process to access kernel address space, thus read other processes memory. Cloud providers and OS makers are preparing software patches, but the performance penalty could be significant. According to the Wired:
"[researchers] confirmed that when Intel processors perform that speculative execution, they don't fully segregate processes that are meant to be low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution."
http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-for-most-computers/

The guy dumped PlayStation 4 kernel by leaking arbitrary memory into accessible crashdumps.
https://fail0verflow.com/blog/2017/ps4-crashdump-dump/

ACM published article about more than 2 decades old ransomware experiments with the name "Cryptovirology: The Birth, Neglect, and Explosion of Ransomware".
https://cacm.acm.org/magazines/2017/7/218875-cryptovirology/fulltext

Nice write up about exploit development for the arbitrary command execution on a BMC Server Automation remote agent software.
https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/

MacOS-only 0day vulnerability published on a last day of 2017. It is an IOHIDSystem kernel vulnerability that can be exploited by any unprivileged user.
https://siguza.github.io/IOHIDeous/

Edward Snowden’s open source Haven application uses smartphone sensors to detect physical tampering.
https://github.com/guardianproject/haven

PiKarma detects wireless network attacks performed by KARMA module (fake AP). Starts deauthentication attack (for fake access points).
https://github.com/WiPi-Hunter/PiKarma

InfoSec Week 51, 2017

There is a remotely exploitable vulnerability in the Vitek CCTV firmware. Reverse netcat shell included.
http://seclists.org/fulldisclosure/2017/Dec/85

Matthew Green thinks that the recently discovered "Extended Random" extension of the RSA’s BSAFE TLS library found in the older Canon printers could be NSA backdoor.
https://blog.cryptographyengineering.com/2017/12/19/the-strange-story-of-extended-random/

Filippo Valsorda presented the key recovery attack against the carry bug in x86-64 P-256 elliptic curve implementation in the Go library. JSON Web Encryption affected.
https://events.ccc.de/congress/2017/Fahrplan/events/9021.html

Explanation how web trackers exploit browser login managers to track users on the Internet.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

According to the hacker Konstantin Kozlovsky, the creation of WannaCry and Lurk malware was supervised by the Russian FSB agency.
https://www.unian.info/world/2319991-russian-hacker-says-fsb-involved-in-creation-of-wannacry-malware.html

Short blog about the cracking encrypted (40-bit encryption) PDFs using hashcat.
https://blog.didierstevens.com/2017/12/27/cracking-encrypted-pdfs-part-2/

Crooks behind the VenusLocker ransomware to Monero mining. They are executing Monero CPU miner XMRig as a remote thread under the legitimate Windows component wuapp.exe.
https://blog.fortinet.com/2017/12/20/group-behind-venuslocker-switches-from-ransomware-to-monero-mining

Two Romanian hackers infiltrated nearly two-thirds of the outdoor surveillance cameras in Washington, DC, as part of an extortion scheme.
https://lite.cnn.io/en/article/h_910710e71e532e73a80deb1294a2db7c

Proofpoint researchers published paper on largely undocumented LazarusGroup campaigns targeting cryptocurrency individuals and organizations. The research covers implants and tactics not currently covered in the media.
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

InfoSec Week 32, 2017

The lone Nigerian guy is responsible for an attack against at least 4000 gas, oil, banking, infrastructure organizations using phishing and NetWire trojan for remote access.
https://blog.checkpoint.com/2017/08/15/get-rich-die-trying-case-study-real-identity-behind-wave-cyberattacks-energy-mining-infrastructure-companies/

Alert Logic published report about the cloud security. Public cloud is generally more secure than private and on-premises networks. Attack vectors are the same as for most online applications - mostly SQL injection, remote code execution against the web applications.
https://www.alertlogic.com/assets/industry-reports/alertlogic-cloud-security-report-2017.pdf

Oxford University researchers published so called intra-library collusion (ILC) attack against the Android devices. From the research paper: "(intra-library collusion attack) occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data".
https://arxiv.org/pdf/1708.03520.pdf
https://nakedsecurity.sophos.com/2017/08/15/how-shared-android-libraries-could-be-weaponized-for-data-theft/

Four remotely exploitable vulnerabilities were identified in Siemens’ Molecular Imaging products running Microsoft Windows 7 operating system.
https://ics-cert.us-cert.gov/advisories/ICSMA-17-215-02

A recent phishing campaign that is distributing Trickbot is using extremely plausible imitations of financial institutions and government sites.
https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+banking+Trojan/22720/

WikiLeaks has published CIA tool CouchPotato that allows operators to remotely spy on video streams in real-time.
https://wikileaks.org/vault7/#CouchPotato

InfoSec Week 29, 2017

Microsoft has analyzed EnglishmansDentist exploit used against the Exchange 2003 mail servers on the out-dated Windows Server 2003 OS. Exploit was released by ShadowBrokers back in April 2017.
https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/

ESET researchers have analyzed a Stantinko botnet consisting of almost half a million machines used for ad-related fraud. It uses malicious Chrome extensions, but also creating and managing Facebook profiles and brute-forcing Joomla and WordPress websites.
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/

A buffer overflow in the Source SDK in Valve's Source SDK allows an attacker to remotely execute code on a user's computer machine.
https://www.bleepingcomputer.com/news/security/valve-patches-security-flaw-that-allows-installation-of-malware-via-steam-games/
https://motherboard.vice.com/en_us/article/nevmwd/counter-strike-bug-allowed-hackers-to-completely-own-your-computer-with-a-frag

Secure messaging application Wire is now supporting end-to-end encrypted chats, file sharing and calls to businesses. But it's paid feature.
https://medium.com/@wireapp/wire-at-work-introducing-teams-beta-e50dacf6e9f1

Briar, a secure messaging app for Android, was released for a public beta testing. It's using Tor, or P2P direct messaging over Wifi, Bluetooth. Very interesting project.
https://briarproject.org/news/2017-beta-released-security-audit.html

D. J. Bernstein has published blog about the secure key material erasure: "2017.07.23: Fast-key-erasure random-number generators"
https://blog.cr.yp.to/20170723-random.html

Google Project Zero analyzed the security properties of the two major Trusted Execution Environment present on Android devices - Qualcomm’s QSEE and Trustonic’s Kinibi.
https://googleprojectzero.blogspot.sk/2017/07/trust-issues-exploiting-trustzone-tees.html

Prowler is a tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark.
https://github.com/alfresco/prowler

Hardentools is a utility that disables a number of risky Windows "features" exposed by Windows operating system.
https://github.com/securitywithoutborders/hardentools