Hacking & Security

Facebook Helps Combat Apple XARA Vulnerabilities With Osquery

Threatpost - 23 June 2015 - 22:38
Facebook has added to its osquery framework the ability for organizations to detect whether an OS X system is being exploited via XARA.
Category: Hacking & Security

Results of my recent PostScript Charstring security research unveiled

j00ru//vx tech blog - 23 June 2015 - 20:38

Some months ago, I started reverse engineering and investigating the security posture of the Adobe Type Manager Font Driver (ATMFD.DLL) module, which provides support for Type 1 and OpenType fonts in the Windows kernel since Windows NT 4.0, and remains there up to this day in Windows 8.1. Specifically, I focused on the handling of so-called “Charstrings”, which are essentially binary encoded PostScript programs with a dedicated set of instructions and a specific execution environment, responsible for drawing the shape of each glyph at a particular point size. It didn’t take long to notice several important points:

  • The overall code quality of the Charstring interpreter function in ATMFD.DLL was poor, with some bugs clearly visible in the code at first glance. This implied that (surprisingly, considering the seemingly large amount of attention received from the security community) I had entered completely unexplored territory that others had not delved into, or at least not publicly.
  • The kernel module used the same interpreter for both Type 1 (Type 1 fonts) and Type 2 (OpenType/CFF fonts) Charstrings, and supported every single feature that has ever been part of the specification, and plenty of undocumented ones as well – bloating the size of the function to more than 20kB (!) on the x86 platform.
  • As a result of historically strong collaboration between vendors in the early days of digital font development (the 80’s and mostly 90’s), various modern font engines have a common ancestor in Adobe’s implementation of Type 1 / OpenType fonts, including:
    • Windows GDI (i.e. ATMFD.DLL in the Windows kernel),
    • Adobe Reader (i.e. the CoolType library),
    • Microsoft DirectWrite (a library used by Internet Explorer, Google Chrome, Mozilla Firefox etc.),
    • Windows Presentation Foundation.

The above observations led me to believe that the code could be affected by one or more critical vulnerabilities, and that some of those vulnerabilities could be shared across multiple widespread desktop products, further elevating the potential impact of any such discovery. After several weeks of reverse engineering and auditing the interpreter for vulnerabilities, I ended up with multiple low to critical severity issues, with most of the serious ones reproducing in more than one font engine. I subsequently reported all of my discoveries to the respective vendors (Microsoft and Adobe), who fixed the bugs in security bulletins MS15-021 (March), APSB15-10 (May) and MS15-044 (May). A quick summary of the research results is shown below, with links pointing to the corresponding google-security-research bug tracker entries, containing reports with detailed analysis of the vulnerabilities together with Proof of Concept files, as they were provided to the vendors:

Vulnerability                                                        Microsoft Windows (ATMFD)   Adobe Reader (CoolType)   DirectWrite      Windows Presentation Foundation
Unlimited Charstring execution                                       CVE-2015-0074               –                         –                –
Out-of-bounds reads from the Charstring stream                       CVE-2015-0087               CVE-2015-3095             –                –
Off-by-x out-of-bounds reads/writes relative to the operand stack    CVE-2015-0088               –                         –                –
Memory disclosure via uninitialized transient array                  CVE-2015-0089               CVE-2015-3049             CVE-2015-1670    CVE-2015-1670
Read/write-what-where in LOAD and STORE operators                    CVE-2015-0090               –                         –                –
Buffer overflow in Counter Control Hints                             CVE-2015-0091               CVE-2015-3050             –                –
Buffer underflow due to integer overflow in STOREWV                  CVE-2015-0092               CVE-2015-3051             –                –
Unlimited out-of-bounds stack manipulation via BLEND operator        CVE-2015-0093               CVE-2015-3052             –                –

While many of the above issues had the potential to be usable in the context of remote code execution (Adobe Reader, Windows kernel) or elevation of privileges (Windows kernel) attacks, one particular vulnerability stood out from the others, as it provided a specially crafted font with the ability to operate on any data on the thread’s stack with all instructions available in the Type 1 / Type 2 Charstring instruction set (including arithmetic, logic, conditional, and other instructions). In other words, one could reliably generate a full ROP chain on the stack within the PostScript program, with no external interaction other than loading the font in the first place.
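As an added illustration (not code from the original post, nor from ATMFD.DLL or CoolType), the following models a Type 2 Charstring operand stack whose BLEND handler validates the operand count before touching the stack, which is exactly the check whose absence turns the operator into an unbounded stack read/write primitive. The delta layout (n values, then n*(k-1) deltas grouped per value, then n) and the weight vector of k-1 entries are assumptions taken from the CFF2 convention, not from the page.

```c
/* Bounds-checked model of the Type 2 Charstring operand stack and BLEND.
 * Illustrative example only; not ATMFD/CoolType code. */
#include <stdbool.h>
#include <stdio.h>

#define STACK_LIMIT 48              /* Type 2 operand stack limit */

typedef struct {
    double v[STACK_LIMIT];
    int    sp;                      /* number of live entries */
} cs_stack;

static bool cs_push(cs_stack *s, double x) {
    if (s->sp >= STACK_LIMIT) return false;   /* overflow: reject, never write past v[] */
    s->v[s->sp++] = x;
    return true;
}

/* Checked BLEND with k master designs and weights[k-1].
 * Returns false and leaves the stack untouched on any malformed operand
 * count; the unchecked variant would index v[] below 0 or above the limit. */
static bool cs_blend(cs_stack *s, const double *weights, int k) {
    if (k < 2 || s->sp < 1) return false;
    double n_raw = s->v[s->sp - 1];
    if (n_raw < 1 || n_raw != (int)n_raw) return false;   /* n must be a positive integer */
    int n = (int)n_raw;
    if (n > (STACK_LIMIT - 1) / k) return false;          /* guard n*k+1 against overflow */
    int needed = n * k + 1;                               /* values + deltas + the count */
    if (s->sp < needed) return false;                     /* underflow: reject */
    int base = s->sp - needed;                            /* index of value(0) */
    for (int i = 0; i < n; i++) {
        double r = s->v[base + i];
        for (int j = 0; j < k - 1; j++)                   /* assumed layout: deltas of value i are contiguous */
            r += weights[j] * s->v[base + n + i * (k - 1) + j];
        s->v[base + i] = r;
    }
    s->sp = base + n;                                     /* pop deltas and n, keep n results */
    return true;
}

/* Runs one constructed operand sequence through push + BLEND.
 * Returns the resulting stack depth, or -1 if the interpreter rejected it. */
static int run_case(const double *ops, int nops, int k, const double *w, double *out) {
    cs_stack s = {{0}, 0};
    for (int i = 0; i < nops; i++)
        if (!cs_push(&s, ops[i])) return -1;
    if (!cs_blend(&s, w, k)) return -1;
    for (int i = 0; i < s.sp; i++) out[i] = s.v[i];
    return s.sp;
}

int main(void) {
    double w[1] = {0.5}, out[STACK_LIMIT];
    double ok[]  = {10, 20, 2, 4, 2};   /* 2 values, 2 deltas, n=2: well formed */
    double bad[] = {1, 2, 5};           /* n=5 claims 11 operands, only 3 present */
    printf("well-formed: depth %d -> %g %g\n", run_case(ok, 5, 2, w, out), out[0], out[1]);
    printf("underflow:   depth %d (rejected)\n", run_case(bad, 3, 2, w, out));
    return 0;
}
```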

The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far. Considering that 64-bit builds of Windows were not affected by that particular bug, I also devised an x64 way to achieve reliable elevation of privileges using another Charstring vulnerability (CVE-2015-0090) found during the research, which also adheres to the “100% reliability” and “all mitigations bypassed” philosophy. Since the overall exploitation process was also quite challenging and required the use of several interesting tricks, I decided to discuss it at the REcon security conference in Montreal in a talk called “One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation”. As I presented the research two days ago, I am now publishing the corresponding slide deck:

One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation (PDF, 7.78MB)

Below you can see videos showing successful exploitation of Adobe Reader 11.0.10 using the BLEND vulnerability (CVE-2015-3052), accompanied by sandbox escapes via ATMFD.DLL in the Windows Kernel, using again the BLEND vulnerability on x86 builds (CVE-2015-0093) and a “Registry Object” vulnerability on x64 builds (CVE-2015-0090).

If you are interested in font vulnerability research, be sure to keep an eye out on this and the Google Project Zero blogs, as further technical posts and/or whitepapers regarding this effort will be published there in the near future.

Emergency Adobe Flash Patch Fixes Zero Day Under Attack

Threatpost - 23 June 2015 - 19:12
Adobe released an emergency patch for a Flash zero day used in targeted attacks by APT3, the same group behind 2014's Clandestine Fox attacks.
Category: Hacking & Security

FBI Says Cryptowall Cost Victims $18 Million Since 2014

Threatpost - 23 June 2015 - 18:12
In a little more than a year, consumers affected by the Cryptowall ransomware have reported to the FBI more than $18 million in losses related to infections from the malware. Cryptowall is among the group of ransomware families that encrypt the files on victims’ computers and then demand a ransom in order to obtain the […]
Category: Hacking & Security

Emergency Patch for Adobe Flash Zero-Day

Krebs on Security - 23 June 2015 - 17:19

Adobe Systems Inc. today released an emergency update to fix a dangerous security hole in its widely-installed Flash Player browser plugin. The company warned that the vulnerability is already being exploited in targeted attacks, and urged users to update the program as quickly as possible.

In an advisory issued Tuesday morning, Adobe said the latest version of Flash — v. 18.0.0.194 on Windows and Mac OS X — fixes a critical flaw (CVE-2015-3113) that is being actively exploited in “limited, targeted attacks.” The company said systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets of these exploits.

If you’re unsure whether your browser has Flash installed or what version it may be running, browse to this link. Adobe Flash Player installed with Google Chrome, as well as Internet Explorer on Windows 8.x, should automatically update to the latest version. To force the installation of an available update on Chrome, click the triple bar icon to the right of the address bar, select “About Google Chrome”, click the apply update button and restart the browser.

The most recent versions of Flash should be available from the Flash home page, but beware potentially unwanted add-ons, like McAfee Security Scan. To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g. Firefox, Opera).

In lieu of patching Flash Player yet again, it might be worth considering whether you really need to keep Flash Player installed at all. In a happy coincidence, earlier today I published a piece about my experience going a month without having Flash Player installed. The result? I hardly missed it at all.

Category: Hacking & Security

Navy re-ups with Microsoft for more Windows XP support

Ars Technica - 23 June 2015 - 17:09

Despite reaching its official end of life over a year ago, Microsoft's Windows XP is still bringing the company some significant revenue—largely because Department of Defense and government customers can't seem to get rid of it. And the Navy is one of Microsoft's best custom-support customers.

The US Navy's Space and Naval Warfare Systems Command (SPAWAR) has closed a $9.1 million contract extension with Microsoft that the agency originally announced in April to further extend custom support for the venerable Windows XP operating system, as well as the Office 2003 suite and Exchange 2003 e-mail. According to a Navy contracting announcement, "Across the United States Navy, approximately 100,000 workstations currently use these applications. Support for this software can no longer be obtained under existing agreements with Microsoft because the software has reached the end of maintenance period."

The renewal, according to SPAWAR officials, will buy the Navy "time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use in Ashore and Afloat networks, and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities." Many of the systems are in shipboard administrative networks that have not been available for extended periods of maintenance; the Navy is also playing catch-up on its land-based network upgrades as the result of the long delays in the service's Next Generation Network (NGEN) contract—the follow-up to the outsourced Navy and Marine Corps Intranet (NMCI).


Category: Hacking & Security

Pita bread helps researchers steal encryption keys

Sophos Naked Security - 23 June 2015 - 17:07
Four Tel Aviv University researchers have developed a tiny, low-cost device that can steal encryption keys via radio waves.

TCP Vulnerability Haunts Wind River VxWorks Embedded OS

Threatpost - 23 June 2015 - 16:47
There is a TCP sequence prediction vulnerability in Wind River’s widely deployed VxWorks embedded software that can enable an attacker to disrupt or spoof TCP connections to and from target devices. VxWorks is an embedded operating system that’s used in a large number of ICS products that are deployed in sectors such as energy, water, […]
Category: Hacking & Security

How to Hack into Computers using Pita Bread and A Radio

The Hacker News - 23 June 2015 - 16:36
There's a new and clever way of hacking into computers, and it can be done cheaply – using just a radio receiver and a piece of pita bread. Yeah, you heard it right. Security researchers at Tel Aviv University have demonstrated how to extract secret decryption keys from computers by capturing the radio emissions of laptop computers. Capturing the radio signals to steal data from a computer
Category: Hacking & Security

RubyGems Patches Serious Redirection Vulnerability

Threatpost - 23 June 2015 - 15:55
RubyGems maintainers patched a vulnerability, reported by Trustwave and OpenDNS, that allows RubyGems clients to be redirected to an attacker-controlled gem server.
Category: Hacking & Security

n00bz CTF Challenge #2: Practical Website Hacking

InfoSec Institute Resources - 23 June 2015 - 15:00

In the second edition of our n00bs CTF Labs, we’ve created 13 small challenges to test your web app hacking skills. The challenges are based on common vulnerabilities (XSS, code injection, inadequate redirect functions etc.) as well as older and less frequently seen vulnerabilities such as Data Validation; Parameter Delimiter. Each level has a bounty of $100, you […]

The post n00bz CTF Challenge #2: Practical Website Hacking appeared first on InfoSec Institute.

Category: Hacking & Security

Facebook aiming for faceless facial recognition

Sophos Naked Security - 23 June 2015 - 14:57
Worried that Facebook can't get your friends right in your selfies when their hair blows around? There might just be an app for that...

A Month Without Adobe Flash Player

Krebs on Security - 23 June 2015 - 14:35

I’ve spent the better part of the last month running a little experiment to see how much I would miss Adobe‘s buggy and insecure Flash Player software if I removed it from my systems altogether. Turns out, not so much.

Browser plugins are favorite targets for malware and miscreants because they are generally full of unpatched or undocumented security holes that cybercrooks can use to seize complete control over vulnerable systems. The Flash Player plugin is a stellar example of this: It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently).

It’s also not uncommon for Adobe to release emergency fixes for the software to patch flaws that bad guys started exploiting before Adobe even knew about the bugs. This happened most recently in February 2015, and twice the month prior. Adobe also shipped out-of-band Flash fixes in December and November 2014.

Update, 11:30 a.m. ET: Oddly enough, Adobe just minutes ago released an out-of-band patch to fix a zero-day flaw in Flash.

Original story:

Time was, Oracle’s Java plugin was the favorite target of exploit kits, software tools made to be stitched into hacked or malicious sites and foist on visiting browsers a kitchen sink of exploits for various plugin vulnerabilities. Lately, however, it seems the pendulum has swung back in favor of exploits for Flash Player. A popular exploit kit known as Angler, for example, bundled a new exploit for a Flash vulnerability just three days after Adobe fixed it in April 2015.

So, rather than continue the patch madness and keep this insecure software installed, I decided to pull the…er…plugin. I tend to (ab)use different browsers for different tasks, and so uninstalling the plugin was almost as simple as uninstalling Flash, except with Chrome, which bundles its own version of Flash Player. Fear not: disabling Flash in Chrome is simple enough. On a Windows, Mac, Linux or Chrome OS installation of Chrome, type “chrome:plugins” into the address bar, and on the Plug-ins page look for the “Flash” listing: To disable Flash, click the disable link (to re-enable it, click “enable”).

In almost 30 days, I ran into just two instances where I encountered a site hosting a video that I absolutely needed to watch and that required Flash (an instructional video for a home gym that I could find nowhere else, and a live-streamed legislative hearing). For these, I opted to cheat and load the content into a Flash-enabled browser inside of a Linux virtual machine I have running inside of VirtualBox. In hindsight, it probably would have been easier simply to temporarily re-enable Flash in Chrome, and then disable it again until the need arose.

If you decide that removing Flash altogether or disabling it until needed is impractical, there are in-between solutions. Script-blocking applications like Noscript and ScriptSafe are useful in blocking Flash content, but script blockers can be challenging for many users to handle.

Another approach is click-to-play, which is a feature available for most browsers (except IE, sadly) that blocks Flash content from loading by default, replacing the content on Web sites with a blank box. With click-to-play, users who wish to view the blocked content need only click the boxes to enable Flash content inside of them (click-to-play also blocks Java applets from loading by default).

Windows users who decide to keep Flash installed and/or enabled also should take full advantage of the Enhanced Mitigation Experience Toolkit (EMET), a free tool from Microsoft that can help Windows users beef up the security of third-party applications.

Category: Hacking & Security

Moose Malware-Part 1

InfoSec Institute Resources - 23 June 2015 - 14:00

In this article series, we will learn about a famous Linux family of malware known as MOOSE, which is used to steal unencrypted traffic over the wire and infect other devices automatically. This malware steals HTTP cookies and performs non-legitimate “likes,” “views” etc. on social networking sites. In the complete article series, we will learn […]

The post Moose Malware-Part 1 appeared first on InfoSec Institute.

Category: Hacking & Security

Amazon uses artificial intelligence to weed out fake reviews

Sophos Naked Security - 23 June 2015 - 12:26
Given enough time for the new AI system to learn what a helpful review is, fake reviews may sink to the bottom of the reviews ocean.

Google, John Oliver & (hopefully soon) US give revenge porn 3 swift kicks

Sophos Naked Security - 23 June 2015 - 11:55
Google's putting up search result takedown, the US is moving toward criminalisation, and John Oliver calls culprits "malevolent gods".

How Google Is Tracking Your Movie and Event Activities

The Hacker News - 23 June 2015 - 10:33
No doubt you must be aware that Google tracks you, but what you probably did not realize is how precisely and to what extent it tracks you. Well, Google knows which movies I watched where, when, at what time and with how many of my friends, and knows it so well — even my eyebrows raised slightly in surprise! Yes, you heard right. If you are using your Gmail account like I do,
Category: Hacking & Security

This Radio Bug Can Steal Laptop Crypto Keys, Fits Inside a Pita

LinuxSecurity.com - 23 June 2015 - 10:26
LinuxSecurity.com: The list of paranoia-inducing threats to your computer's security grows daily: keyloggers, trojans, infected USB sticks, ransomware...and now the rogue falafel sandwich.
Category: Hacking & Security

Polish Planes Grounded After Airline Hit With DDoS Attack

LinuxSecurity.com - 23 June 2015 - 10:25
LinuxSecurity.com: Roughly 1,400 passengers were temporarily stranded at Warsaw's Frederic Chopin airport over the weekend after hackers were purportedly able to modify an entire airline's flight plans via a distributed denial of service (DDoS) attack.
Category: Hacking & Security

7 things to do when your business is hacked

LinuxSecurity.com - 23 June 2015 - 10:23
LinuxSecurity.com: The first thing an IT security executive should do after the corporate network has been breached is fall back on the incident response plan that was put in place well before attackers got through the carefully constructed defenses.
Category: Hacking & Security
Syndicate content