Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.

Categories

Turning Tables on Nigerian Business Email Scammers

Threatpost - 15 February 2017 - 17:45
Researchers from Dell SecureWorks infiltrated a Nigerian business email spoofing and business email compromise operation, shutting down a number of money mule accounts in the process.
Category: Hacking & Security

Google Touts Progress in Android Security in 2016

Threatpost - 15 February 2017 - 16:50
Google's Android security director touts 2016 mobile OS security accomplishments, from encryption and improved APIs to new developer testing tools, at the RSA Conference.
Category: Hacking & Security

‘World’s eighth-worst spammer sent more than a million emails’

Sophos Naked Security - 15 February 2017 - 16:48
Michael Persaud faces 10 counts of wire fraud, each punishable by up to 20 years in jail

Man sues Uber after privacy flaws ‘led to his divorce’

Sophos Naked Security - 15 February 2017 - 16:18
French plaintiff alleges that a flaw meant his wife was alerted to trips pointing to his affair despite him signing out of his account on a shared smartphone

Man in the Cloud Attacks: Prevention and Containment

InfoSec Institute Resources - 15 February 2017 - 14:00

Over the years, more and more information has been transferred to and stored within the many cloud platforms. Services such as Dropbox, OneDrive, and Google Drive have made this process very easy over the years. With a few clicks of a mouse, a low or no cost synchronization service between a local folder and a […]


Category: Hacking & Security

Configuring Kali Linux on AWS for FREE to get the Public IP

InfoSec Institute Resources - 15 February 2017 - 14:00

Kali Linux is the most popular pentesting distribution, and thousands of Kali Linux tutorials are available on the Internet. However, people often complain that they cannot get a public IP (WAN), or that they can only practice within their local network. This problem can be solved by opening your Linux computer to the internet […]


Category: Hacking & Security

No Firewalls, No Problem for Google

Threatpost - 15 February 2017 - 13:00
Google secures its perimeter with explicit trust in what it knows about users and the devices connecting to its corporate services.
Category: Hacking & Security

RSA 2017: Deconstructing macOS ransomware

Sophos Naked Security - 15 February 2017 - 10:59
Mac users, if you think your machines can't be hit with ransomware, think again: they can. We look at some of the common variants and what you can do to protect yourself

Websites Can Now Track You Online Across Multiple Web Browsers

The Hacker News - 15 February 2017 - 10:52
You might be aware of websites, banks, retailers, and advertisers tracking your online activities using different Web "fingerprinting" techniques even in incognito/private mode, but now sites can track you anywhere online, even if you switch browsers. A team of researchers has recently developed a cross-browser fingerprinting technique, the first reliable technique to accurately track users
Category: Hacking & Security

New ASLR-busting JavaScript is about to make drive-by exploits much nastier

LinuxSecurity.com - 15 February 2017 - 10:43
LinuxSecurity.com: For a decade, every major operating system has relied on a technique known as address space layout randomization to provide a first line of defense against malware attacks. By randomizing the computer memory locations where application code and data are loaded, ASLR makes it hard for attackers to execute malicious payloads when exploiting buffer overflows and similar vulnerabilities. As a result, exploits cause a simple crash rather than a potentially catastrophic system compromise.
Category: Hacking & Security

A Chip Flaw Strips Away Hacking Protections for Millions of Devices

LinuxSecurity.com - 15 February 2017 - 10:42
LinuxSecurity.com: For the last decade or so, hackers have faced a daunting challenge when they try to break into a computer: Even when they get malicious code running on a victim's machine, they have to figure out where in the computer's memory that code has ended up.
Category: Hacking & Security

At RSA, doubts abound over US action on cybersecurity

LinuxSecurity.com - 15 February 2017 - 10:39
LinuxSecurity.com: How should the U.S. respond to cyber attacks? That's been a major question at this year's RSA security conference, following Russia's suspected attempt to influence last year's election.
Category: Hacking & Security

Another wave of malware is targeting Czech Android users. What can the new virus do?

Zive.cz - security - 15 February 2017 - 10:21
** Another wave of fake apps has arrived in the Czech Republic, this time posing as DHL ** Their goal is to steal online banking login credentials ** How to defend against these scams?
Category: Hacking & Security

Signal Messaging App Rolls Out Encrypted Video Calling

The Hacker News - 15 February 2017 - 08:17
WhatsApp and Facebook so far have the largest end-to-end encrypted video calling network of all, but now another popular end-to-end encrypted messaging app, recommended by whistleblower Edward Snowden, is ready to give them really tough competition. The Signal app, which is widely considered the most secure of all encrypted messaging apps, released a video calling feature on Tuesday for
Category: Hacking & Security

New ASLR-busting JavaScript is about to make drive-by exploits much nastier

Ars Technica - 15 February 2017 - 07:52

For a decade, every major operating system has relied on a technique known as address space layout randomization to provide a first line of defense against malware attacks. By randomizing the computer memory locations where application code and data are loaded, ASLR makes it hard for attackers to execute malicious payloads when exploiting buffer overflows and similar vulnerabilities. As a result, exploits cause a simple crash rather than a potentially catastrophic system compromise.

Now, researchers have devised an attack that could spell the end of ASLR as the world knows it now. The attack uses simple JavaScript code to identify the memory addresses where system and application components are loaded. When combined with attack code that exploits vulnerabilities in browsers or operating systems, the JavaScript can reliably eliminate virtually all of the protection ASLR provides. The technique, which exploits what's known as a side channel in the memory cache of all widely used modern CPUs, is described in a research paper published on Wednesday. The researchers have dubbed the technique ASLR Cache or AnC for short.

"Fundamentally insecure"

The researchers said the side-channel attack is much more damaging than previous ASLR bypasses, because it exploits a micro-architectural property of the CPU that is independent of any operating system or application running on it. Whereas heap spraying and other forms of ASLR bypass can often be mitigated by software tweaks, there isn't much that can stop or lessen the effects of the JavaScript, which targets a CPU's MMU, or memory management unit. That's because CPU caching behavior and strong address space randomization are mutually exclusive. (Apple, however, recently hardened its Safari browser to partially mitigate such attacks. It's also possible to prevent JavaScript from running in a browser, but such blocking often severely degrades a site's usability.)

Category: Hacking & Security

DHS Chairman Paints Bleak US Cybersecurity Picture

Threatpost - 15 February 2017 - 02:41
The United States is losing on the cyber-battlefield and faces a bleak threat landscape, according to DHS chairman Michael McCaul. But, he says, there is still hope to turn things around.
Category: Hacking & Security

Attacking the Windows NVIDIA Driver

Project Zero - 15 February 2017 - 01:03
Posted by Oliver Chang
Modern graphics drivers are complicated and provide a large, promising attack surface for EoPs and sandbox escapes from processes that have access to the GPU (e.g. the Chrome GPU process). In this blog post we'll take a look at attacking the NVIDIA kernel mode Windows drivers, and a few of the bugs that I found. I did this research as part of a 20% project with Project Zero, during which a total of 16 vulnerabilities were discovered.

Kernel WDDM interfaces

The kernel mode component of a graphics driver is referred to as the display miniport driver. Microsoft's documentation has a nice diagram that summarises the relationship between the various components:

In the DriverEntry() for display miniport drivers, a DRIVER_INITIALIZATION_DATA structure is populated with callbacks to the vendor implementations of functions that actually interact with the hardware, which is passed to dxgkrnl.sys (DirectX subsystem) via DxgkInitialize(). These callbacks can either be called by the DirectX kernel subsystem, or in some cases get called directly from user mode code.

DxgkDdiEscape

A well known entry point for potential vulnerabilities here is the DxgkDdiEscape interface. This can be called straight from user mode, and accepts arbitrary data that is parsed and handled in a vendor specific way (essentially an IOCTL). For the rest of this post, we'll use the term "escape" to denote a particular command that's supported by the DxgkDdiEscape function.
NVIDIA has a whopping ~400 escapes here at the time of writing, so this is where I spent most of my time (the necessity of many of these being in the kernel is questionable):

// (names of these structs are made up by me)
// Represents a group of escape codes
struct NvEscapeRecord {
 DWORD action_num;
 DWORD expected_magic;
 void *handler_func;
 NvEscapeRecordInfo *info;
 _QWORD num_codes;
};

// Information about a specific escape code.
struct NvEscapeCodeInfo {
 DWORD code;
 DWORD unknown;
 _QWORD expected_size;
 WORD unknown_1;
};
NVIDIA implements their private data (pPrivateDriverData in the DXGKARG_ESCAPE struct) for each escape as a header followed by data. The header has the following format:
struct NvEscapeHeader {
 DWORD magic;
 WORD unknown_4;
 WORD unknown_6;
 DWORD size;
 DWORD magic2;
 DWORD code;
 DWORD unknown[7];
};
These escapes are identified by a 32-bit code (first member of the NvEscapeCodeInfo struct above), and are grouped by their most significant byte (from 1 - 9).
There is some validation being done before each escape code is handled. In particular, each NvEscapeCodeInfo contains the expected size of the escape data following the header. This is validated against the size in the NvEscapeHeader, which itself is validated against the PrivateDriverDataSize field given to DxgkDdiEscape. However, it’s possible for the expected size to be 0 (usually when the escape data is expected to be variable sized) which means that the escape handler is responsible for doing its own validation. This has led to some bugs (1, 2).
Most of the vulnerabilities found (13 in total) in escape handlers were very basic mistakes, such as writing to user provided pointers blindly, disclosing uninitialised kernel memory to user mode, and incorrect bounds checking. There were also numerous issues that I noticed (e.g. OOB reads) that I didn't report because they didn't seem exploitable.

DxgkDdiSubmitBufferVirtual

Another interesting entry point is the DxgkDdiSubmitBufferVirtual function, which is newly introduced in Windows 10 and WDDM 2.0 to support GPU virtual memory (deprecating the old DxgkDdiSubmitBuffer/DxgkDdiRender functions). This function is fairly complicated, and also accepts vendor specific data from the user mode driver for each command submitted. One bug was found here.

Others

There are a few other WDDM functions that accept vendor-specific data, but nothing of interest was found in those after a quick review.

Exposed devices

NVIDIA also exposes some additional devices that can be opened by any user:
  • \\.\NvAdminDevice which appears to be used for NVAPI. A lot of the ioctl handlers seem to call into DxgkDdiEscape.
  • \\.\UVMLite{Controller,Process*}, likely related to NVIDIA’s “unified memory”. 1 bug was found here.
  • \\.\NvStreamKms, installed by default as part of GeForce Experience, but you can opt out during installation. It’s not exactly clear why this particular driver is necessary. 1 bug was found here also.
More interesting bugs

Most of the bugs I found were by manual reversing and analysis, along with some custom IDA scripts. I also ended up writing a fuzzer, which was surprisingly successful given how simple it was.
While most of the bugs were rather boring (simple cases of missing validation), there were a few that were a bit more interesting.

NvStreamKms

This driver registers a process creation notification callback using the PsSetCreateProcessNotifyRoutineEx function. This callback checks if new processes created on the system match image names that were previously set by sending IOCTLs.
This creation notification routine contained a bug:
(Simplified decompiled output)
wchar_t Dst[BUF_SIZE];

...

if ( cur->image_names_count > 0 ) {
  // info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
  image_filename = info_->ImageFileName;
  buf = image_filename->Buffer;
  if ( buf ) {
    filename_length = 0i64;
    num_chars = image_filename->Length / 2;   // Length is in bytes, Buffer is UTF-16
    // Look for the filename by scanning backwards for a backslash (and only a backslash).
    if ( num_chars ) {
      while ( buf[num_chars - filename_length - 1] != '\\' ) {
        ++filename_length;
        if ( filename_length >= num_chars )
          goto DO_COPY;
      }
      buf += num_chars - filename_length;
    }
DO_COPY:
    // BUG: the size argument is the computed name length, not the capacity of Dst.
    wcscpy_s(Dst, filename_length, buf);
    Dst[filename_length] = 0;
    wcslwr(Dst);
    ...
  }
}
This routine extracts the image name from the ImageFileName member of PS_CREATE_NOTIFY_INFO by searching backwards for a backslash ('\'). This is then copied to a stack buffer (Dst) using wcscpy_s, but the length passed is the length of the calculated name, not the length of the destination buffer.
Even though Dst is a fixed size buffer, this isn’t a straightforward overflow. Its size is bigger than 255 wchars, and for most Windows filesystems path components cannot be greater than 255 characters. Scanning for backslash is also valid for most cases because ImageFileName is a canonicalised path.
It is, however, possible to pass a UNC path that keeps forward slash ('/') as the path separator after being canonicalised (credits to James Forshaw for pointing me to this). This means we can get a filename of the form "aaa/bbb/ccc/..." and cause an overflow.
For example: CreateProcessW(L"\\\\?\\UNC\\127.0.0.1@8000\\DavWWWRoot\\aaaa/bbbb/cccc/blah.exe", …)
Another interesting note is that the wcslwr following the bad copy doesn’t actually limit the contents of the overflow (the only requirement is valid UTF-16). Since the calculated filename_length doesn’t include the null terminator, wcscpy_s will think that the destination is too small and will clear the destination string by writing a null byte at the beginning (after copying the contents up to filename_length bytes first so the overflow still happens). This means that the wcslwr is useless because this wcscpy_s call and part of the code never worked to begin with.
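The separator and length handling the bug hinges on, as an added example that is not Project Zero's or NVIDIA's code: a hardened image-name extraction that stops at either separator and is bounded by the destination capacity, next to a helper that reproduces what the backslash-only scan computes, both run over constructed paths. BUF_SIZE, the demo paths and the uint16_t modelling of the length-counted UTF-16 buffer are assumptions.

```c
#include <stdint.h>
#include <string.h>
#define BUF_SIZE 260 /* assumed destination size; the driver's real value is not on the page */

/* What the decompiled routine's backslash-only backward scan computes. */
static size_t backslash_only_name_len(const uint16_t *buf, size_t num_chars)
{
    size_t len = 0;
    while (len < num_chars && buf[num_chars - len - 1] != '\\')
        ++len;
    return len;
}

/* Hardened extraction: both '\\' and '/' end the scan, and the copy is bounded
 * by dst_capacity. Returns characters copied, or -1 when the name does not fit. */
static int copy_image_name(uint16_t *dst, size_t dst_capacity,
                           const uint16_t *buf, size_t num_chars)
{
    size_t len = 0;
    while (len < num_chars && buf[num_chars - len - 1] != '\\'
           && buf[num_chars - len - 1] != '/')
        ++len;
    if (len >= dst_capacity) /* keep room for the terminator */
        return -1;
    memcpy(dst, buf + (num_chars - len), len * sizeof(uint16_t));
    dst[len] = 0;
    return (int)len;
}

/* Widen a constructed ASCII path into a length-counted UTF-16 buffer (no terminator). */
static size_t widen(uint16_t *out, const char *ascii)
{
    size_t n = strlen(ascii);
    for (size_t i = 0; i < n; ++i) out[i] = (uint16_t)ascii[i];
    return n;
}

/* Canonical backslash path: both scans agree and the copy succeeds. */
int demo_canonical(void)
{
    uint16_t p[64], dst[BUF_SIZE];
    size_t n = widen(p, "\\Device\\HarddiskVolume1\\Windows\\notepad.exe");
    return copy_image_name(dst, BUF_SIZE, p, n) == 11 && dst[0] == 'n'
        && backslash_only_name_len(p, n) == 11;
}

/* Constructed UNC path whose tail keeps '/' separators: the backslash-only scan
 * reports a 358-character "name", the hardened scan isolates the 8-character file name. */
int demo_unc_forward_slash(void)
{
    char ascii[512] = "\\\\?\\UNC\\server\\share\\";
    uint16_t p[512], dst[BUF_SIZE];
    for (int i = 0; i < 70; ++i) strcat(ascii, "aaaa/");
    strcat(ascii, "blah.exe");
    size_t n = widen(p, ascii);
    return backslash_only_name_len(p, n) == 358
        && copy_image_name(dst, BUF_SIZE, p, n) == 8 && dst[0] == 'b';
}

/* A single component longer than the buffer is refused instead of overflowing. */
int demo_overlong_component(void)
{
    char ascii[512] = "C:\\";
    uint16_t p[512], dst[BUF_SIZE];
    memset(ascii + 3, 'a', 300); ascii[303] = '\0';
    return copy_image_name(dst, BUF_SIZE, p, widen(p, ascii)) == -1;
}
```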
Exploiting this is trivial, as the driver is not compiled with stack cookies (hacking like it's 1999). A local privilege escalation exploit is attached in the original issue that sets up a fake WebDAV server to exploit the vulnerability (ROP, pivot stack to user buffer, ROP again to allocate rwx mem containing shellcode and jump to it).

Incorrect validation in UVMLiteController

NVIDIA's driver also exposes a device at \\.\UVMLiteController that can be opened by any user (including from the sandboxed Chrome GPU process). The IOCTL handlers for this device write results directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl (Microsoft's documentation says not to do this). The IO control codes specify METHOD_BUFFERED, which means that the Windows kernel checks that the address range provided is writeable by the user before passing it off to the driver.
However, these handlers lacked bounds checking for the output buffer, which means that a user mode context could pass a length of 0 with any arbitrary address (which passes the ProbeForWrite check) to result in a limited write-what-where (the “what” here is limited to some specific values: including 32-bit 0xffff, 32-bit 0x1f, 32-bit 0, and 8-bit 0).
A simple privilege escalation exploit is attached in the original issue.

Remote attack vector?

Given the quantity of bugs that were discovered, I investigated whether any of them can be reached from a completely remote context without having to compromise a sandboxed process first (e.g. through WebGL in a browser, or through video acceleration).
Luckily, this didn't appear to be the case. This wasn't too surprising, given that the vulnerable APIs here are very low level and only reached after going through many layers (for Chrome, libANGLE -> Direct3D runtime and user mode driver -> kernel mode driver), and generally called with valid arguments constructed in the user mode driver.

NVIDIA's response

The nature of the bugs found showed that NVIDIA has a lot of work to do. Their drivers contained a lot of code which probably shouldn't be in the kernel, and most of the bugs discovered were very basic mistakes. One of their drivers (NvStreamKms.sys) also lacks very basic mitigations (stack cookies) even today.
However, their response was mostly quick and positive. Most bugs were fixed well under the deadline, and it seems that they've been finding some bugs on their own internally. They also indicated that they've been working on re-architecting their kernel drivers for security, but weren't ready to share any concrete details.

Timeline

  • 2016-07-26: First bug reported to NVIDIA.
  • 2016-09-21: 6 of the bugs reported were fixed silently in the 372.90 release. Discussed patch gap issues with NVIDIA.
  • 2016-10-23: Patch released that includes fixes for the rest (all 14) of the bugs that were reported at the time (375.93).
  • 2016-10-28: Public bulletin released, and P0 bugs derestricted.
  • 2016-11-04: Realised that https://bugs.chromium.org/p/project-zero/issues/detail?id=911 wasn't fixed properly. Notified NVIDIA.
  • 2016-12-14: Fix for issue 911 released along with bulletin.
  • 2017-02-14: Final two bugs fixed.

Patch gap

NVIDIA's first patch, which included fixes to 6 of the bugs I reported, did not include a public bulletin (the release notes mention "security updates"). They had planned to release public details a month after the patch was released. We noticed this, and let them know that we didn't consider this to be good practice, as an attacker can reverse the patch to find the vulnerabilities before the public is made aware of the details, given this large window.
While the first 6 bugs fixed did not have details released for more than 30 days, the remaining 8 at the time had a patch released 5 days before the first bulletin was released. It looks like NVIDIA has been trying to reduce this gap, but based on recent bulletins it appears to be inconsistent.

Conclusion

Given the large attack surface exposed by graphics drivers in the kernel and the generally lower quality of third party code, it appears to be a very rich target for finding sandbox escapes and EoP vulnerabilities. GPU vendors should try to limit this by moving as much attack surface as they can out of the kernel.
Category: Hacking & Security

Schneier Brings Campaign for IoT Regulation to RSA

Threatpost - 15 February 2017 - 00:36
Citing IoT insecurity, Bruce Schneier called on technologists at RSA to get involved with IoT policy.
Category: Hacking & Security

RSA 2017 – Day 1 – Roving Report [PODCAST]

Sophos Naked Security - 15 February 2017 - 00:06
Join us as we find out from our "roving reporter" Bill Brenner how things are shaping up at this year's RSA Conference in San Francisco...

New Mac malware pinned on same Russian group blamed for election hacks

Ars Technica - 14 February 2017 - 22:40

APT28, the Russian hacking group tied to last year's interference in the 2016 presidential election, has long been known for its advanced arsenal of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs.

Like its counterparts for other platforms, the Mac version of Xagent is a modular backdoor that can be customized to meet the objectives of a given intrusion, researchers from antivirus provider Bitdefender reported in a blog post published Tuesday. Capabilities include logging passwords, snapping pictures of screen displays, and stealing iOS backups stored on the compromised Mac.

The discovery builds on the already considerable number of tools attributed to APT28, which other researchers call Sofacy, Sednit, Fancy Bear, and Pawn Storm. According to researchers at CrowdStrike and other security firms, APT28 has been operating since at least 2007 and is closely tied to the Russian government. An analysis Bitdefender published last year determined APT28 members spoke Russian, worked mostly during Russian business hours, and pursued targets located in Ukraine, Spain, Russia, Romania, the US, and Canada.


Category: Hacking & Security
Syndicate content